Update Hue Bridge security (#1912)

Author: Lord-Grey

.github/workflows/windows.yml

@@ -84,7 +84,7 @@ jobs:
       - name: 💾 Download OpenSSL 3.x
         uses: ethanjli/[email protected]
         with:
-          url: "https://slproweb.com/download/Win64${{ matrix.os.architecture == 'arm64' && 'ARM' || '' }}OpenSSL-3_5_2.exe"
+          url: "https://slproweb.com/download/Win64${{ matrix.os.architecture == 'arm64' && 'ARM' || '' }}OpenSSL-3_5_3.exe"
           destination: .\installer\openssl.exe
           cache-key: OpenSSL
 

CHANGELOG.md

@@ -8,17 +8,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### ⚠️ Breaking Changes
 
+- Align Hue Bridge processing to Philips' guidance on security, i.e. no self-signed certificates for orginal bridges
+
 ---
 
 ### ✨ Added
 
 - HTTPS support for homeassistant LED devices (#1886)
+- Hue Bridge - Use https and certificates for all API calls, support Bridge Pro (V3)
+- Hue Bridge - Alternate certificate support
 
 ---
 
-
 ### 🔧 Changed
 
+- Hue Bridge - Wizard updates to support bridge-ids, overall code refactoring
+
 - **Fixes:**
   - UI - Language is not selectable (#1877)
   - CEC-Handler is not stopped properly

assets/webconfig/i18n/en.json

@@ -668,6 +668,7 @@
     "edt_dev_spec_PBFiFo_title": "Pi-Blaster FiFo",
     "edt_dev_spec_baudrate_title": "Baudrate",
     "edt_dev_spec_blackLightsTimeout_title": "Signal detection timeout on black",
+    "edt_dev_spec_bridgeid_title": "Bridge-ID",
     "edt_dev_spec_brightnessFactor_title": "Brightness factor",
     "edt_dev_spec_brightnessMax_title": "Brightness maximum",
     "edt_dev_spec_brightnessMin_title": "Brightness minimum",
@@ -1179,6 +1180,7 @@
     "wiz_cololight_title": "Cololight Wizard",
     "wiz_guideyou": "The $1 will guide you through the settings. Just press the button!",
     "wiz_hue_blinkblue": "Let it light up",
+    "wiz_hue_bridge": "Bridge",
     "wiz_hue_clientkey": "Clientkey",
     "wiz_hue_create_user": "Create new User",
     "wiz_hue_desc1": "1. Hyperion searches automatically for a Hue-Bridge, in case it cannot find one you need to provide the hostname or IP-address and push the reload button. <br> 2. Provide a user ID, if you do not have one create a new one.",

assets/webconfig/js/wizards/LedDevice_philipshue.js

@@ -29,9 +29,10 @@ const philipshueWizard = (() => {
     if (hueIPs[hueIPsinc]) {
       const host = hueIPs[hueIPsinc].host;
       const port = hueIPs[hueIPsinc].port;
+      const bridgeid = hueIPs[hueIPsinc].bridgeid ? hueIPs[hueIPsinc].bridgeid.toUpperCase() : undefined;
 
       if (usr != '') {
-        getProperties(cb, decodeURIComponent(host), port, usr);
+        getProperties(cb, decodeURIComponent(host), port, bridgeid, usr);
       }
       else {
         cb(false, usr);
@@ -47,8 +48,9 @@ const philipshueWizard = (() => {
     if (reply) {
       //abort checking, first reachable result is used
       $('#wiz_hue_ipstate').html("");
-      $('#host').val(hueIPs[hueIPsinc].host)
-      $('#port').val(hueIPs[hueIPsinc].port)
+      $('#host').val(hueIPs[hueIPsinc].host);
+      $('#port').val(hueIPs[hueIPsinc].port);
+      $('#bridgeid').val(hueIPs[hueIPsinc].bridgeid);
 
       $('#usrcont').toggle(true);
 
@@ -289,22 +291,26 @@ const philipshueWizard = (() => {
           if (device) {
             let host;
             let port;
+            let bridgeid;
             if (discoveryMethod === "ssdp") {
-              if (device.hostname && device.domain) {
+              // Use hostname + domain, if available and not an IP address
+              if (device.hostname && device.domain && !(isValidIPv4(device.hostname) || isValidIPv6(device.hostname))) {
                 host = device.hostname + "." + device.domain;
                 port = device.port;
               } else {
                 host = device.ip;
                 port = device.port;
               }
+              bridgeid = device.other?.["hue-bridgeid"]?.toUpperCase();
             } else {
-              host = device.service;
-              port = device.port;
+                host = device.service;
+                port = device.port;
+                bridgeid = device.txt?.["bridgeid"]?.toUpperCase();
             }
-            if (host) {
 
+            if (host) {
               if (!hueIPs.some(item => item.host === host)) {
-                hueIPs.push({ host: host, port: port });
+                hueIPs.push({ host, port, bridgeid });
               }
             }
           }
@@ -313,19 +319,20 @@ const philipshueWizard = (() => {
         $('#wiz_hue_ipstate').html("");
         $('#host').val(hueIPs[hueIPsinc].host)
         $('#port').val(hueIPs[hueIPsinc].port)
+        $('#bridgeid').val(hueIPs[hueIPsinc].bridgeid)
 
         $('#hue_bridge_select').html("");
 
         for (const key in hueIPs) {
-          $('#hue_bridge_select').append(createSelOpt(key, hueIPs[key].host));
+          $('#hue_bridge_select').append(createSelOpt(key, hueIPs[key].bridgeid));
         }
 
         $('.hue_bridge_sel_watch').on("click", function () {
           hueIPsinc = $(this).val();
 
-          const name = $("#hue_bridge_select option:selected").text();
-          $('#host').val(name);
-          $('#port').val(hueIPs[hueIPsinc].port)
+          $('#host').val(hueIPs[hueIPsinc].host);
+          $('#port').val(hueIPs[hueIPsinc].port);
+          $('#bridgeid').val(hueIPs[hueIPsinc].bridgeid);
 
           const usr = $('#user').val();
           if (usr != "") {
@@ -361,8 +368,8 @@ const philipshueWizard = (() => {
       keyMap.set(username, ledDeviceProperties);
   }
 
-  async function getProperties(cb, hostAddress, port, username, resourceFilter) {
-    let params = { host: hostAddress, username: username, filter: resourceFilter };
+  async function getProperties(cb, hostAddress, port, bridgeid, username, resourceFilter) {
+    let params = { host: hostAddress, bridgeid, username, filter: resourceFilter };
     if (port !== 'undefined') {
       params.port = parseInt(port);
     }
@@ -403,12 +410,12 @@ const philipshueWizard = (() => {
     }
   }
 
-  async function identify(hostAddress, port, username, name, id, id_v1) {
+  async function identify(hostAddress, port, bridgeid, username, name, id, id_v1) {
     const disabled = $('#btn_wiz_save').is(':disabled');
     // Take care that new record cannot be save during background process
     $('#btn_wiz_save').prop('disabled', true);
 
-    let params = { host: decodeURIComponent(hostAddress), username: username, lightName: decodeURIComponent(name), lightId: id, lightId_v1: id_v1 };
+    let params = { host: decodeURIComponent(hostAddress), bridgeid, username, lightName: decodeURIComponent(name), lightId: id, lightId_v1: id_v1 };
 
     if (port !== 'undefined') {
       params.port = parseInt(port);
@@ -450,7 +457,11 @@ const philipshueWizard = (() => {
       else {
         $('#port').val('');
       }
-      hueIPs.push({ host: host, port: port });
+
+      const bridgeid = utils.eV("bridgeid");
+      $('#bridgeid').val(bridgeid);
+
+      hueIPs.push({ host, port, bridgeid });
 
       if (usr != "") {
         checkHueBridge(checkUserResult, usr);
@@ -460,17 +471,20 @@ const philipshueWizard = (() => {
     }
 
     $('#retry_bridge').off().on('click', function () {
+
       const host = $('#host').val();
       const port = parseInt($('#port').val());
+      const bridgeid = $('#bridgeid').val();
 
       if (host != "") {
-
-        const idx = hueIPs.findIndex(item => item.host === host && item.port === port);
+        const idx = hueIPs.findIndex(item => item.host === host);
         if (idx === -1) {
-          hueIPs.push({ host: host, port: port });
+          hueIPs.push({ host, port, bridgeid });
           hueIPsinc = hueIPs.length - 1;
         } else {
           hueIPsinc = idx;
+          hueIPs[hueIPsinc].port = port;
+          hueIPs[hueIPsinc].bridgeid = bridgeid;
         }
       }
       else {
@@ -584,6 +598,7 @@ const philipshueWizard = (() => {
       let d = {};
       d.host = $('#host').val();
       d.port = parseInt($('#port').val());
+      d.bridgeid = $('#bridgeid').val();
       d.username = $('#user').val();
       d.type = 'philipshue';
       d.colorOrder = 'rgb';
@@ -641,8 +656,9 @@ const philipshueWizard = (() => {
   function createHueUser() {
     const host = hueIPs[hueIPsinc].host;
     const port = hueIPs[hueIPsinc].port;
+    const bridgeid = hueIPs[hueIPsinc].bridgeid;
 
-    let params = { host: host };
+    let params = { host, bridgeid };
     if (port !== 'undefined') {
       params.port = parseInt(port);
     }
@@ -682,6 +698,7 @@ const philipshueWizard = (() => {
                 conf_editor.getEditor("root.specificOptions.username").setValue(username);
                 conf_editor.getEditor("root.specificOptions.host").setValue(host);
                 conf_editor.getEditor("root.specificOptions.port").setValue(port);
+                conf_editor.getEditor("root.specificOptions.bridgeid").setValue(bridgeid);
               }
 
               if (isEntertainmentReady) {
@@ -745,12 +762,13 @@ const philipshueWizard = (() => {
     $('#wizp2_body').on('click', '.btn-identify', function () {
       const hostname = $(this).data('hostname');
       const port = $(this).data('port');
+      const bridgeid = $(this).data('bridgeid');
       const user = $(this).data('user');
       const lightName = $(this).data('light-name');
       const lightId = $(this).data('light-id');
       const lightId_v1 = $(this).data('light-id-v1');
 
-      identify(hostname, port, user, lightName, lightId, lightId_v1);
+      identify(hostname, port, bridgeid, user, lightName, lightId, lightId_v1);
     });
   }
   function attachGroupButtonEvent() {
@@ -777,6 +795,7 @@ const philipshueWizard = (() => {
 
   function get_hue_lights(username) {
     const host = hueIPs[hueIPsinc].host;
+    const port = hueIPs[hueIPsinc].port;
 
     const ledProperties = getLedDeviceProperty('philipshue', host, username);
     if (ledProperties) {
@@ -867,7 +886,7 @@ const philipshueWizard = (() => {
           '<select id="hue_' + lightId + '" class="hue_sel_watch form-control">'
           + options
           + '</select>',
-          '<button class="btn btn-sm btn-primary btn-identify" data-hostname="' + encodeURIComponent($(" #host").val()) + '" data-port="' + $('#port').val() + '" data-user="' + $("#user").val() + '" data-light-name="' + encodeURIComponent(lightName) + '" data-light-id="' + lightId + '" data-light-id-v1="' + lightId_v1 + '">'
+          '<button class="btn btn-sm btn-primary btn-identify" data-hostname="' + encodeURIComponent(host) + '" data-port="' + port + '" data-bridgeid="' + $('#bridgeid').val() + '" data-user="' + $("#user").val() + '" data-light-name="' + encodeURIComponent(lightName) + '" data-light-id="' + lightId + '" data-light-id-v1="' + lightId_v1 + '">'
           + $.i18n('wiz_hue_blinkblue', id)
           + '</button>']));
         }
@@ -916,23 +935,36 @@ const philipshueWizard = (() => {
       $('#wizp2_body').html('<div id="wh_topcontainer"></div>');
 
       let topContainer_html = '<p class="text-left" style="font-weight:bold">' + $.i18n(hue_desc1) + '</p>' +
-        '<div class="row">' +
+        '<div class="row" style="display: flex; align-items: center; margin-bottom: 10px;">' +
         '<div class="col-md-2">' +
-        '  <p class="text-left">' + $.i18n('wiz_hue_ip') + '</p></div>' +
+        '  <p class="text-left" style="margin:0;">' + $.i18n('wiz_hue_bridge') + '</p></div>' +
         '  <div class="col-md-7"><div class="input-group">' +
         '    <span class="input-group-addon" id="retry_bridge" style="cursor:pointer"><i class="fa fa-refresh"></i></span>' +
         '    <select id="hue_bridge_select" class="hue_bridge_sel_watch form-control">' + '</select>' + '</div></div>' +
-        '  <div class="col-md-7"><div class="input-group">' +
-        '    <span class="input-group-addon"><i class="fa fa-arrow-right"></i></span>' +
-        '    <input type="text" class="input-group form-control" id="host" placeholder="' + $.i18n('wiz_hue_ip') + '"></div></div>';
+        '</div>';
+
+      if (storedAccess === 'expert') {
+        topContainer_html += '<div class="row" style="display: flex; align-items: center; margin-bottom: 10px; margin-top: 30px;">' +
+          '<div class="col-md-2"><p class="text-left" style="margin:0;">' + $.i18n('edt_dev_spec_bridgeid_title') + '</p></div>' +
+          '<div class="col-md-7"><div class="input-group">' +
+          '<span class="input-group-addon"><i class="fa fa-qrcode"></i></span>' +
+          '<input type="text" class="input-group form-control" id="bridgeid" placeholder="' + $.i18n('edt_dev_spec_bridgeid_title') + '"></div></div></div>';
+      }
+
+      topContainer_html += '<div class="row" style="display: flex; align-items: center; margin-bottom: 10px;">' +
+        '<div class="col-md-2"><p class="text-left" style="margin:0;">' + $.i18n('edt_dev_spec_targetIpHost_title') + '</p></div>' +
+        '<div class="col-md-7"><div class="input-group">' +
+        '<span class="input-group-addon"><i class="fa fa-arrow-right"></i></span>' +
+        '<input type="text" class="input-group form-control" id="host" placeholder="' + $.i18n('edt_dev_spec_targetIpHost_title') + '"></div></div>';
 
       if (storedAccess === 'expert') {
         topContainer_html += '<div class="col-md-3"><div class="input-group">' +
           '<span class="input-group-addon">:</span>' +
           '<input type="text" class="input-group form-control" id="port" placeholder="' + $.i18n('edt_conf_general_port_title') + '"></div></div>';
       }
+      topContainer_html += '</div><div class="row" style="margin-top: 15px;"><div text-center"><p><span style="font-weight:bold;color:red" id="wiz_hue_ipstate"></span><span style="font-weight:bold;" id="wiz_hue_discovered"></span></p></div></div>';
 
-      topContainer_html += '</div><p><span style="font-weight:bold;color:red" id="wiz_hue_ipstate"></span><span style="font-weight:bold;" id="wiz_hue_discovered"></span></p>';
+      // Hidden fields
       topContainer_html += '<div class="form-group" id="usrcont" style="display:none"></div>';
 
       $('#wh_topcontainer').append(topContainer_html);

libsrc/leddevice/LedDevice.cpp

@@ -28,7 +28,7 @@ namespace {
 	const char CONFIG_LATCH_TIME[] = "latchTime";
 	const char CONFIG_REWRITE_TIME[] = "rewriteTime";
 
-	int DEFAULT_LED_COUNT{ 1 };
+	const int DEFAULT_LED_COUNT{ 1 };
 	const char DEFAULT_COLOR_ORDER[]{ "RGB" };
 	const bool DEFAULT_IS_AUTOSTART{ true };