Add UniFi WLAN Password sensor

[brunohenriquy]

Proposed change

I have added a new sensor, WLAN Password, to the UniFi integration. This sensor (disabled by default) allow users to retrieve the password of a WLAN. This addition enhance the functionality of the UniFi integration by providing users with more control over their network configurations.

• Accessibility
  It's quite helpful for accessibility purposes. By integrating it into voice assistants like Alexa, users with visual impairments can simply ask for the WLAN password, and the assistant can speak it aloud. This makes accessing the network much easier for everyone, including blind individuals. Additionally, not everyone can scan the QR code at all times.
• Alternative method for accessing the password
  Sometimes, you may need the password to enter it manually on a laptop or other devices.
• Guest WLAN security
  Imagine an automation that resets the guest password (upcoming feature) every day and displays the new one along with the QR code on a TV in a small business. This setup would prevent people nearby from staying connected indefinitely and ensure that only daily clients use the WiFi.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• Link to documentation pull request: Adding UniFi WLAN Password sensor home-assistant.io#32078

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Ruff (ruff format homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[home-assistant]

Hey there @Kane610, mind taking a look at this pull request as it has been labeled with an integration (unifi) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of unifi can trigger bot actions by commenting:

• @home-assistant close Closes the pull request.
• @home-assistant rename Awesome new title Renames the pull request.
• @home-assistant reopen Reopen the pull request.
• @home-assistant unassign unifi Removes the current integration label and assignees on the pull request, add the integration domain after the command.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

[brunohenriquy]

@Kane610 sensors.py doesn't pass requires_admin=True, how can we make only this sensor requires admin? Maybe create a sensors_admin.py?

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

[brunohenriquy]

@Kane610 sensors.py doesn't pass requires_admin=True, how can we make only this sensor requires admin? Maybe create a sensors_admin.py?

@Kane610 did you see this question?

[Kane610]

@Kane610 sensors.py doesn't pass requires_admin=True, how can we make only this sensor requires admin? Maybe create a sensors_admin.py?

@Kane610 did you see this question?

I'm thinking if you provide the supported method to see if x_passphrase is reported then you don't need the check. If that doesn't help then you could implement the allowed_fn

[Kane610]

Nice!

[bdraco]

This might have some attack vectors to consider if you can ask alexa/xyz to speak the wifi password.

[brunohenriquy]

This might have some attack vectors to consider if you can ask alexa/xyz to speak the wifi password.

This is up to the user to enable the functionality and configure the Alexa automation response.

[bdraco]

Many users will not understand the security implications here. I could see this might end up being classified as a vuln.

[Kane610]

Do we want to discuss this in the dev chat? We have a month to consider it

[Kane610]

We could also put it behind extra options flag

[brunohenriquy]

I understand your concern, but there are explicit steps outlined to make it available. Therefore, I don't believe someone would activate it inadvertently or without understanding the implications. If someone enables it, creates the necessary flow to obtain it, and utilizes a voice assistant, it is likely because they require it, especially in Guest lans.

However, if this is a matter to be evaluated by senior members or if there are precedents, please bring it to their attention. I am new here and unfamiliar with the protocol. I will completely understand if this feature gets blocked, but I genuinely need this functionality. That's why I developed it and thought it might also benefit others. Moreover, not keeping it solely within my fork is a relief, hehe.

[bdraco]

I think at the very least there should be a strongly worded warning in the docs about the risk of exposing the sensor to voice assistants since no authentication is required to obtain the password from them. There are many documented attack vectors to remotely activate a voice assistant, which is the reason specific device classes are excluded from them by default. Its also the reason google assistant and other require a pin or other method before opening/unlocking secure devices. We don't currently have a way to mark this type of sensor as a do not expose by default.

[Kane610]

After internal discussion we concluded to remove it due to security concerns, its a bit too open :)

#115929

Suggestion was "We can consider a service response value" so sorry about going back to the initial suggestion