MyFavMirrors
/
MeshCentral
mirror of https://github.com/Ylianst/MeshCentral.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
MeshCentral/webserver.js

3489 lines
234 KiB
JavaScript
Raw Normal View History

Initial main commit
2017-08-28 12:27:45 -04:00
/**
Fixed multi-tenancy DNS support
2018-01-04 15:15:21 -05:00
* @description MeshCentral web server
Initial main commit
2017-08-28 12:27:45 -04:00
* @author Ylian Saint-Hilaire
Changed copyrights headers for 2019.
2019-01-03 19:22:15 -05:00
* @copyright Intel Corporation 2018-2019
Fixed multi-tenancy DNS support
2018-01-04 15:15:21 -05:00
* @license Apache-2.0
Initial main commit
2017-08-28 12:27:45 -04:00
* @version v0.0.1
*/
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
/*jslint node: true */
/*jshint node: true */
/*jshint strict:false */
/*jshint -W097 */
/*jshint esversion: 6 */
"use strict";
Initial main commit
2017-08-28 12:27:45 -04:00
/*
class SerialTunnel extends require('stream').Duplex {
constructor(options) { super(options); this.forwardwrite = null; }
updateBuffer(chunk) { this.push(chunk); }
_write(chunk, encoding, callback) { if (this.forwardwrite != null) { this.forwardwrite(chunk); } else { console.err("Failed to fwd _write."); } if (callback) callback(); } // Pass data written to forward
_read(size) { } // Push nothing, anything to read should be pushed from updateBuffer()
}
*/
// Older NodeJS does not support the keyword "class", so we do without using this syntax
// TODO: Validate that it's the same as above and that it works.
function SerialTunnel(options) {
var obj = new require('stream').Duplex(options);
obj.forwardwrite = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.updateBuffer = function (chunk) { this.push(chunk); };
obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } else { console.err("Failed to fwd _write."); } if (callback) callback(); }; // Pass data written to forward
obj._read = function (size) { }; // Push nothing, anything to read should be pushed from updateBuffer()
Initial main commit
2017-08-28 12:27:45 -04:00
return obj;
}
// ExpressJS login sample
// https://github.com/expressjs/express/blob/master/examples/auth/index.js
// Polyfill startsWith/endsWith for older NodeJS
if (!String.prototype.startsWith) { String.prototype.startsWith = function (searchString, position) { position = position || 0; return this.substr(position, searchString.length) === searchString; }; }
if (!String.prototype.endsWith) { String.prototype.endsWith = function (searchString, position) { var subjectString = this.toString(); if (typeof position !== 'number' || !isFinite(position) || Math.floor(position) !== position || position > subjectString.length) { position = subjectString.length; } position -= searchString.length; var lastIndex = subjectString.lastIndexOf(searchString, position); return lastIndex !== -1 && lastIndex === position; }; }
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
// Construct a HTTP server object
Improved http session handling, new account page
2018-08-22 19:18:01 -04:00
module.exports.CreateWebServer = function (parent, db, args, certificates) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var obj = {}, i = 0;
Initial main commit
2017-08-28 12:27:45 -04:00
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
// Modules
Initial main commit
2017-08-28 12:27:45 -04:00
obj.fs = require('fs');
obj.net = require('net');
obj.tls = require('tls');
obj.path = require('path');
obj.bodyParser = require('body-parser');
Improved http session handling, new account page
2018-08-22 19:18:01 -04:00
obj.session = require('cookie-session');
Initial main commit
2017-08-28 12:27:45 -04:00
obj.exphbs = require('express-handlebars');
obj.crypto = require('crypto');
obj.common = require('./common.js');
obj.express = require('express');
obj.meshAgentHandler = require('./meshagent.js');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.meshRelayHandler = require('./meshrelay.js');
First server with working hard-coded server-side IDER support.
2019-04-24 14:38:28 -04:00
obj.meshIderHandler = require('./amt/amt-ider.js');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.meshUserHandler = require('./meshuser.js');
Initial main commit
2017-08-28 12:27:45 -04:00
obj.interceptor = require('./interceptor');
Fix for Node 11.10 deprecation of require('constants').
2019-02-26 18:49:44 -05:00
const constants = (obj.crypto.constants ? obj.crypto.constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
More FIDO2 improvements, improved NPM install.
2019-03-23 16:28:17 -04:00
// Setup WebAuthn / FIDO2
Complete replacement of the WebAuthn 2 factor support.
2019-05-16 17:55:07 -04:00
obj.webauthn = require("./webauthn.js").CreateWebAuthnModule();
Started work on adding FIDO2 support.
2019-03-23 01:33:53 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Variables
obj.parent = parent;
obj.filespath = parent.filespath;
obj.db = db;
obj.app = obj.express();
obj.app.use(require('compression')());
obj.tlsServer = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.tcpServer = null;
Initial main commit
2017-08-28 12:27:45 -04:00
obj.certificates = certificates;
obj.args = args;
obj.users = {};
obj.meshes = {};
Added user IP filtering.
2017-09-27 15:43:20 -04:00
obj.userAllowedIp = args.userallowedip; // List of allowed IP addresses for users
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
obj.agentAllowedIp = args.agentallowedip; // List of allowed IP addresses for agents
obj.agentBlockedIp = args.agentblockedip; // List of blocked IP addresses for agents
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.tlsSniCredentials = null;
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
obj.dnsDomains = {};
Added relay session count.
2019-02-18 20:14:00 -05:00
obj.relaySessionCount = 0;
obj.relaySessionErrorCount = 0;
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Added RDP ClickOnce support.
2017-10-23 17:09:58 -04:00
// Mesh Rights
const MESHRIGHT_EDITMESH = 1;
const MESHRIGHT_MANAGEUSERS = 2;
const MESHRIGHT_MANAGECOMPUTERS = 4;
const MESHRIGHT_REMOTECONTROL = 8;
const MESHRIGHT_AGENTCONSOLE = 16;
const MESHRIGHT_SERVERFILES = 32;
const MESHRIGHT_WAKEDEVICE = 64;
Added device notes support
2018-04-12 21:14:03 -04:00
const MESHRIGHT_SETNOTES = 128;
Added RDP ClickOnce support.
2017-10-23 17:09:58 -04:00
// Site rights
const SITERIGHT_SERVERBACKUP = 1;
const SITERIGHT_MANAGEUSERS = 2;
const SITERIGHT_SERVERRESTORE = 4;
const SITERIGHT_FILEACCESS = 8;
const SITERIGHT_SERVERUPDATE = 16;
Added support to lockout accounts
2018-04-13 18:26:57 -04:00
const SITERIGHT_LOCKED = 32;
Added RDP ClickOnce support.
2017-10-23 17:09:58 -04:00
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
// Setup SSPI authentication if needed
if ((obj.parent.platform == 'win32') && (obj.args.nousers != true) && (obj.parent.config != null) && (obj.parent.config.domains != null)) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (i in obj.parent.config.domains) { if (obj.parent.config.domains[i].auth == 'sspi') { var nodeSSPI = require('node-sspi'); obj.parent.config.domains[i].sspi = new nodeSSPI({ retrieveGroups: true, offerBasic: false }); } }
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Perform hash on web certificate and agent certificate
Fixed many TLS-SNI problems, updated agents
2018-11-30 19:42:58 -05:00
obj.webCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.web.cert);
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
obj.webCertificateHashs = { '': obj.webCertificateHash };
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
obj.webCertificateHashBase64 = Buffer.from(obj.webCertificateHash, 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
Fixed many TLS-SNI problems, updated agents
2018-11-30 19:42:58 -05:00
obj.webCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.web.cert);
obj.webCertificateFullHashs = { '': obj.webCertificateFullHash };
obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
// Compute the hash of all of the web certificates for each domain
for (var i in obj.parent.config.domains) {
if (obj.parent.config.domains[i].certhash != null) {
// If the web certificate hash is provided, use it.
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
obj.webCertificateHashs[i] = obj.webCertificateFullHashs[i] = Buffer.from(obj.parent.config.domains[i].certhash, 'hex').toString('binary');
if (obj.parent.config.domains[i].certkeyhash != null) { obj.webCertificateHashs[i] = Buffer.from(obj.parent.config.domains[i].certkeyhash, 'hex').toString('binary'); }
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
} else if ((obj.parent.config.domains[i].dns != null) && (obj.parent.config.domains[i].certs != null)) {
// If the domain has a different DNS name, use a different certificate hash.
Fixed many TLS-SNI problems, updated agents
2018-11-30 19:42:58 -05:00
// Hash the full certificate
obj.webCertificateFullHashs[i] = parent.certificateOperations.getCertHashBinary(obj.parent.config.domains[i].certs.cert);
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
try {
Fixed many TLS-SNI problems, updated agents
2018-11-30 19:42:58 -05:00
// Decode a RSA certificate and hash the public key.
obj.webCertificateHashs[i] = parent.certificateOperations.getPublicKeyHashBinary(obj.parent.config.domains[i].certs.cert);
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
} catch (ex) {
Fixed many TLS-SNI problems, updated agents
2018-11-30 19:42:58 -05:00
// This may be a ECDSA certificate, hash the entire cert.
obj.webCertificateHashs[i] = obj.webCertificateFullHashs[i];
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
}
Server fixes
2019-03-14 15:28:58 -04:00
} else if ((obj.parent.config.domains[i].dns != null) && (obj.certificates.dns[i] != null)) {
// If this domain has a DNS and a matching DNS cert, use it. This case works for wildcard certs.
obj.webCertificateFullHashs[i] = parent.certificateOperations.getCertHashBinary(obj.certificates.dns[i].cert);
obj.webCertificateHashs[i] = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.dns[i].cert);
Fixed exception when setting up domains without seperate dns name.
2019-04-04 17:47:52 -04:00
} else if (i != '') {
// For any other domain, use the default cert.
obj.webCertificateFullHashs[i] = obj.webCertificateFullHashs[''];
obj.webCertificateHashs[i] = obj.webCertificateHashs[''];
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
}
}
// If we are running the legacy swarm server, compute the hash for that certificate
Completed MeshCentralv1 migration code.
2017-11-07 20:05:22 -05:00
if (parent.certificates.swarmserver != null) {
obj.swarmCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.swarmserver.cert))).getBytes();
obj.swarmCertificateHash384 = parent.certificateOperations.forge.pki.getPublicKeyFingerprint(parent.certificateOperations.forge.pki.certificateFromPem(obj.certificates.swarmserver.cert).publicKey, { md: parent.certificateOperations.forge.md.sha384.create(), encoding: 'binary' });
obj.swarmCertificateHash256 = parent.certificateOperations.forge.pki.getPublicKeyFingerprint(parent.certificateOperations.forge.pki.certificateFromPem(obj.certificates.swarmserver.cert).publicKey, { md: parent.certificateOperations.forge.md.sha256.create(), encoding: 'binary' });
}
Initial main commit
2017-08-28 12:27:45 -04:00
Added web cert loading, useful for TLS offload.
2018-10-31 19:03:09 -04:00
// Main lists
Added server-side Intel AMT configuration options.
2019-02-07 18:00:10 -05:00
obj.wsagents = {}; // NodeId --> Agent
Added agent trouble detection on the server.
2019-01-22 22:34:55 -05:00
obj.wsagentsDisconnections = {};
obj.wsagentsDisconnectionsTimer = null;
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-21 17:19:32 -04:00
obj.duplicateAgentsLog = {};
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
obj.wssessions = {}; // UserId --> Array Of Sessions
obj.wssessions2 = {}; // "UserId + SessionRnd" --> Session (Note that the SessionId is the UserId + / + SessionRnd)
obj.wsPeerSessions = {}; // ServerId --> Array Of "UserId + SessionRnd"
obj.wsPeerSessions2 = {}; // "UserId + SessionRnd" --> ServerId
obj.wsPeerSessions3 = {}; // ServerId --> UserId --> [ SessionId ]
obj.sessionsCount = {}; // Merged session counters, used when doing server peering. UserId --> SessionCount
obj.wsrelays = {}; // Id -> Relay
obj.wsPeerRelays = {}; // Id -> { ServerId, Time }
var tlsSessionStore = {}; // Store TLS session information for quick resume.
var tlsSessionStoreCount = 0; // Number of cached TLS session information in store.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Setup randoms
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
obj.crypto.randomBytes(48, function (err, buf) { obj.httpAuthRandom = buf; });
Initial main commit
2017-08-28 12:27:45 -04:00
obj.crypto.randomBytes(16, function (err, buf) { obj.httpAuthRealm = buf.toString('hex'); });
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
obj.crypto.randomBytes(48, function (err, buf) { obj.relayRandom = buf; });
Initial main commit
2017-08-28 12:27:45 -04:00
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
// Setup DNS domain TLS SNI credentials
{
var dnscount = 0;
obj.tlsSniCredentials = {};
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (i in obj.certificates.dns) { if (obj.parent.config.domains[i].dns != null) { obj.dnsDomains[obj.parent.config.domains[i].dns.toLowerCase()] = obj.parent.config.domains[i]; obj.tlsSniCredentials[obj.parent.config.domains[i].dns] = obj.tls.createSecureContext(obj.certificates.dns[i]).context; dnscount++; } }
Added built-in Let's Encrypt support using GreenLock.
2018-01-15 00:01:06 -05:00
if (dnscount > 0) { obj.tlsSniCredentials[''] = obj.tls.createSecureContext({ cert: obj.certificates.web.cert, key: obj.certificates.web.key, ca: obj.certificates.web.ca }).context; } else { obj.tlsSniCredentials = null; }
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
}
ClickOnce Fix
2018-12-11 20:52:37 -05:00
function TlsSniCallback(name, cb) {
var c = obj.tlsSniCredentials[name];
if (c != null) {
cb(null, c);
} else {
cb(null, obj.tlsSniCredentials['']);
}
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Added login password hint support
2017-09-08 14:37:37 -04:00
function EscapeHtml(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
//function EscapeHtmlBreaks(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;').replace(/\r/g, '<br />').replace(/\n/g, '').replace(/\t/g, '&nbsp;&nbsp;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; }
Initial main commit
2017-08-28 12:27:45 -04:00
// Fetch all users from the database, keep this in memory
obj.db.GetAllType('user', function (err, docs) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var domainUserCount = {}, i = 0;
for (i in parent.config.domains) { domainUserCount[i] = 0; }
for (i in docs) { var u = obj.users[docs[i]._id] = docs[i]; domainUserCount[u.domain]++; }
for (i in parent.config.domains) {
Initial main commit
2017-08-28 12:27:45 -04:00
if (domainUserCount[i] == 0) {
Integrated MeshMessenger for user-to-user.
2018-12-02 02:41:57 -05:00
// If newaccounts is set to no new accounts, but no accounts exists, temporarly allow account creation.
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 16:42:54 -04:00
//if ((parent.config.domains[i].newaccounts === 0) || (parent.config.domains[i].newaccounts === false)) { parent.config.domains[i].newaccounts = 2; }
Initial main commit
2017-08-28 12:27:45 -04:00
console.log('Server ' + ((i == '') ? '' : (i + ' ')) + 'has no users, next new account will be site administrator.');
}
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Fetch all meshes from the database, keep this in memory
obj.db.GetAllType('mesh', function (err, docs) {
obj.common.unEscapeAllLinksFieldName(docs);
Database performance + mesh undelete.
2019-02-18 17:32:55 -05:00
for (var i in docs) {obj.meshes[docs[i]._id] = docs[i]; } // Get all meshes, including deleted ones.
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// We loaded the users and mesh state, start the server
serverStart();
});
});
Initial main commit
2017-08-28 12:27:45 -04:00
Added server instrumentation
2019-05-01 18:02:03 -04:00
// Return statistics about this web server
obj.getStats = function () {
return {
users: Object.keys(obj.users).length,
meshes: Object.keys(obj.meshes).length,
dnsDomains: Object.keys(obj.dnsDomains).length,
relaySessionCount: obj.relaySessionCount,
relaySessionErrorCount: obj.relaySessionErrorCount,
wsagents: Object.keys(obj.wsagents).length,
wsagentsDisconnections: Object.keys(obj.wsagentsDisconnections).length,
wsagentsDisconnectionsTimer: Object.keys(obj.wsagentsDisconnectionsTimer).length,
wssessions: Object.keys(obj.wssessions).length,
wssessions2: Object.keys(obj.wssessions2).length,
wsPeerSessions: Object.keys(obj.wsPeerSessions).length,
wsPeerSessions2: Object.keys(obj.wsPeerSessions2).length,
wsPeerSessions3: Object.keys(obj.wsPeerSessions3).length,
sessionsCount: Object.keys(obj.sessionsCount).length,
wsrelays: Object.keys(obj.wsrelays).length,
wsPeerRelays: Object.keys(obj.wsPeerRelays).length,
tlsSessionStore: Object.keys(tlsSessionStore).length
};
}
// Agent counters
obj.agentStats = {
createMeshAgentCount: 0,
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
agentClose: 0,
agentBinaryUpdate: 0,
Added server instrumentation
2019-05-01 18:02:03 -04:00
coreIsStableCount: 0,
verifiedAgentConnectionCount: 0,
clearingCoreCount: 0,
updatingCoreCount: 0,
recoveryCoreIsStableCount: 0,
meshDoesNotExistCount: 0,
invalidPkcsSignatureCount: 0,
invalidRsaSignatureCount: 0,
invalidJsonCount: 0,
unknownAgentActionCount: 0,
agentBadWebCertHashCount: 0,
agentBadSignature1Count: 0,
agentBadSignature2Count: 0,
agentMaxSessionHoldCount: 0,
invalidDomainMeshCount: 0,
invalidMeshTypeCount: 0,
invalidDomainMesh2Count: 0,
invalidMeshType2Count: 0,
Added support fo domain MaxDevices limit
2019-06-05 18:24:07 -04:00
duplicateAgentCount: 0,
maxDomainDevicesReached: 0
Added server instrumentation
2019-05-01 18:02:03 -04:00
}
obj.getAgentStats = function () { return obj.agentStats; }
Initial main commit
2017-08-28 12:27:45 -04:00
// Authenticate the user
obj.authenticate = function (name, pass, domain, fn) {
Completed 2 step login support.
2019-01-15 21:21:03 -05:00
if ((typeof (name) != 'string') || (typeof (pass) != 'string') || (typeof (domain) != 'object')) { fn(new Error('invalid fields')); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
if (!module.parent) console.log('authenticating %s:%s:%s', domain.id, name, pass);
Added LDAP support.
2019-04-11 16:41:51 -04:00
if (domain.auth == 'ldap') {
LDAP fixes.
2019-04-11 17:52:23 -04:00
if (domain.ldapoptions.url == 'test') {
// Fake LDAP login
var xxuser = domain.ldapoptions[name.toLowerCase()];
if (xxuser == null) {
fn(new Error('invalid password'));
return;
Added LDAP support.
2019-04-11 16:41:51 -04:00
} else {
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
var username = xxuser['displayName'];
if (domain.ldapusername) { username = xxuser[domain.ldapusername]; }
LDAP fixes.
2019-04-11 17:52:23 -04:00
var shortname = null;
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
if (domain.ldapuserbinarykey) {
// Use a binary key as the userid
if (xxuser[domain.ldapuserbinarykey]) { shortname = Buffer.from(xxuser[domain.ldapuserbinarykey], 'binary').toString('hex'); }
} else if (domain.ldapuserkey) {
// Use a string key as the userid
if (xxuser[domain.ldapuserkey]) { shortname = xxuser[domain.ldapuserkey]; }
} else {
// Use the default key as the userid
if (xxuser.objectSid) { shortname = Buffer.from(xxuser.objectSid, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.objectGUID) { shortname = Buffer.from(xxuser.objectGUID, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.name) { shortname = xxuser.name; }
else if (xxuser.cn) { shortname = xxuser.cn; }
}
if (username == null) { fn(new Error('no user name')); return; }
if (shortname == null) { fn(new Error('no user identifier')); return; }
LDAP fixes.
2019-04-11 17:52:23 -04:00
var userid = 'user/' + domain.id + '/' + shortname;
var user = obj.users[userid];
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
LDAP fixes.
2019-04-11 17:52:23 -04:00
if (user == null) {
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
// Create a new user
var user = { type: 'user', _id: userid, name: username, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-12 22:14:24 -04:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
LDAP fixes.
2019-04-11 17:52:23 -04:00
var usercount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 01:13:56 -04:00
if (usercount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
LDAP fixes.
2019-04-11 17:52:23 -04:00
obj.users[user._id] = user;
obj.db.SetUser(user);
Improved MongoDB change stream.
2019-05-29 17:36:14 -04:00
var event = { etype: 'user', userid: userid, username: username, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, name is ' + name, domain: domain.id };
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
LDAP fixes.
2019-04-11 17:52:23 -04:00
return fn(null, user._id);
} else {
// This is an existing user
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
// If the display username has changes, update it.
if (user.name != username) {
user.name = username;
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
obj.db.SetUser(user);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: userid, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Changed account display name to ' + username, domain: domain.id };
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
}
// If user is locker out, block here.
LDAP fixes.
2019-04-11 17:52:23 -04:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
Added LDAP support.
2019-04-11 16:41:51 -04:00
}
LDAP fixes.
2019-04-11 17:52:23 -04:00
} else {
// LDAP login
var LdapAuth = require('ldapauth-fork');
var ldap = new LdapAuth(domain.ldapoptions);
ldap.authenticate(name, pass, function (err, xxuser) {
try { ldap.close(); } catch (ex) { console.log(ex); } // Close the LDAP object
if (err) { fn(new Error('invalid password')); return; }
var shortname = null;
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
var username = xxuser['displayName'];
if (domain.ldapusername) { username = xxuser[domain.ldapusername]; }
if (domain.ldapuserbinarykey) {
// Use a binary key as the userid
if (xxuser[domain.ldapuserbinarykey]) { shortname = Buffer.from(xxuser[domain.ldapuserbinarykey], 'binary').toString('hex').toLowerCase(); }
} else if (domain.ldapuserkey) {
// Use a string key as the userid
if (xxuser[domain.ldapuserkey]) { shortname = xxuser[domain.ldapuserkey]; }
} else {
// Use the default key as the userid
if (xxuser.objectSid) { shortname = Buffer.from(xxuser.objectSid, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.objectGUID) { shortname = Buffer.from(xxuser.objectGUID, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.name) { shortname = xxuser.name; }
else if (xxuser.cn) { shortname = xxuser.cn; }
}
if (username == null) { fn(new Error('no user name')); return; }
if (shortname == null) { fn(new Error('no user identifier')); return; }
LDAP fixes.
2019-04-11 17:52:23 -04:00
var userid = 'user/' + domain.id + '/' + shortname;
var user = obj.users[userid];
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
LDAP fixes.
2019-04-11 17:52:23 -04:00
if (user == null) {
// This user does not exist, create a new account.
var user = { type: 'user', _id: userid, name: shortname, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-12 22:14:24 -04:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
LDAP fixes.
2019-04-11 17:52:23 -04:00
var usercount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 01:13:56 -04:00
if (usercount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
LDAP fixes.
2019-04-11 17:52:23 -04:00
obj.users[user._id] = user;
obj.db.SetUser(user);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, name is ' + name, domain: domain.id };
Improved MongoDB change stream.
2019-05-29 17:36:14 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
LDAP fixes.
2019-04-11 17:52:23 -04:00
return fn(null, user._id);
} else {
// This is an existing user
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
// If the display username has changes, update it.
if (user.name != username) {
user.name = username;
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
obj.db.SetUser(user);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Changed account display name to ' + username, domain: domain.id };
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Improved LDAP support and user groups.
2019-04-15 18:05:09 -04:00
}
// If user is locker out, block here.
LDAP fixes.
2019-04-11 17:52:23 -04:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
});
}
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Added LDAP support.
2019-04-11 16:41:51 -04:00
// Regular login
var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];
// Query the db for the given username
if (!user) { fn(new Error('cannot find user')); return; }
// Apply the same algorithm to the POSTed password, applying the hash against the pass / salt, if there is a match we found the user
if (user.salt == null) {
fn(new Error('invalid password'));
Add support for IIS account migration.
2017-11-02 21:44:27 -04:00
} else {
Added LDAP support.
2019-04-11 16:41:51 -04:00
if (user.passtype != null) {
// IIS default clear or weak password hashing (SHA-1)
require('./pass').iishash(user.passtype, pass, user.salt, function (err, hash) {
if (err) return fn(err);
if (hash == user.hash) {
// Update the password to the stronger format.
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(pass, function (err, salt, hash, tag) { if (err) throw err; user.salt = salt; user.hash = hash; delete user.passtype; obj.db.SetUser(user); }, 0);
Added LDAP support.
2019-04-11 16:41:51 -04:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
fn(new Error('invalid password'), null, user.passhint);
});
} else {
// Default strong password hashing (pbkdf2 SHA384)
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(pass, user.salt, function (err, hash, tag) {
Added LDAP support.
2019-04-11 16:41:51 -04:00
if (err) return fn(err);
if (hash == user.hash) {
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
fn(new Error('invalid password'), null, user.passhint);
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Added LDAP support.
2019-04-11 16:41:51 -04:00
}
Add support for IIS account migration.
2017-11-02 21:44:27 -04:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Add support for IIS account migration.
2017-11-02 21:44:27 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
/*
obj.restrict = function (req, res, next) {
console.log('restrict', req.url);
var domain = getDomain(req);
if (req.session.userid) {
next();
} else {
req.session.error = 'Access denied!';
res.redirect(domain.url + 'login');
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
*/
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
// Check if the source IP address is in the IP list, return false if not.
function checkIpAddressEx(req, res, ipList, closeIfThis) {
Added user IP filtering.
2017-09-27 15:43:20 -04:00
try {
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
var ip;
if (req.connection) { // HTTP(S) request
ip = req.ip;
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
if (ip) { for (var i = 0; i < ipList.length; i++) { if (require('ipcheck').match(ip, ipList[i])) { if (closeIfThis === true) { res.sendStatus(401); } return true; } } }
if (closeIfThis === false) { res.sendStatus(401); }
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
} else if (req._socket) { // WebSocket request
ip = req._socket.remoteAddress;
// If a trusted reverse-proxy is sending us the remote IP address, use it.
// This is not done automatically for web socket like it's done for HTTP requests.
if ((obj.args.tlsoffload) && (res.headers['x-forwarded-for']) && ((obj.args.tlsoffload === true) || (obj.args.tlsoffload === ip) || (('::ffff:') + obj.args.tlsoffload === ip))) { ip = res.headers['x-forwarded-for']; }
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
if (ip) { for (var i = 0; i < ipList.length; i++) { if (require('ipcheck').match(ip, ipList[i])) { if (closeIfThis === true) { try { req.close(); } catch (e) { } } return true; } } }
if (closeIfThis === false) { try { req.close(); } catch (e) { } }
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
}
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
} catch (e) { console.log(e); } // Should never happen
Added user IP filtering.
2017-09-27 15:43:20 -04:00
return false;
}
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
// Check if the source IP address is allowed, return domain if allowed
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
function checkUserIpAddress(req, res) {
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
if ((obj.userBlockedIp != null) && (checkIpAddressEx(req, res, obj.userBlockedIp, true) == true)) { return null; }
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) == false)) { return null; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = (req.url ? getDomain(req) : getDomain(res));
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
if ((domain.userblockedip != null) && (checkIpAddressEx(req, res, domain.userblockedip, true) == true)) { return null; }
if ((domain.userallowedip != null) && (checkIpAddressEx(req, res, domain.userallowedip, false) == false)) { return null; }
return domain;
}
// Check if the source IP address is allowed, return domain if allowed
function checkAgentIpAddress(req, res) {
if ((obj.agentBlockedIp != null) && (checkIpAddressEx(req, res, obj.agentBlockedIp, null) == true)) { return null; }
if ((obj.agentAllowedIp != null) && (checkIpAddressEx(req, res, obj.agentAllowedIp, null) == false)) { return null; }
const domain = (req.url ? getDomain(req) : getDomain(res));
if ((domain.agentblockedip != null) && (checkIpAddressEx(req, res, domain.agentblockedip, null) == true)) { return null; }
if ((domain.agentallowedip != null) && (checkIpAddressEx(req, res, domain.agentallowedip, null) == false)) { return null; }
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
return domain;
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Return the current domain of the request
function getDomain(req) {
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
if (req.xdomain != null) { return req.xdomain; } // Domain already set for this request, return it.
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
if (req.headers.host != null) { var d = obj.dnsDomains[req.headers.host.toLowerCase()]; if (d != null) return d; } // If this is a DNS name domain, return it here.
Initial main commit
2017-08-28 12:27:45 -04:00
var x = req.url.split('/');
if (x.length < 2) return parent.config.domains[''];
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var y = parent.config.domains[x[1].toLowerCase()];
Added support for CIDR address checking in UserAllowedIP setting.
2019-01-04 18:29:27 -05:00
if ((y != null) && (y.dns == null)) { return parent.config.domains[x[1].toLowerCase()]; }
Initial main commit
2017-08-28 12:27:45 -04:00
return parent.config.domains[''];
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
function handleLogoutRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if ((domain == null) || (domain.auth == 'sspi')) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
// Destroy the user's session to log them out will be re-created next request
if (req.session.userid) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var user = obj.users[req.session.userid];
Much improved event logs
2019-07-29 19:35:48 -04:00
if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msg: 'Account logout', domain: domain.id }); }
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved http session handling, new account page
2018-08-22 19:18:01 -04:00
req.session = null;
res.redirect(domain.url);
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
// Return true if this user has 2-step auth active
function checkUserOneTimePasswordRequired(domain, user) {
Improved charts, added no2factorauth switch
2019-03-26 17:11:51 -04:00
return ((parent.config.settings.no2factorauth !== true) && ((user.otpsecret != null) || ((user.otphkeys != null) && (user.otphkeys.length > 0))));
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
// Check the 2-step auth token
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
function checkUserOneTimePassword(req, domain, user, token, hwtoken, func) {
Improved charts, added no2factorauth switch
2019-03-26 17:11:51 -04:00
const twoStepLoginSupported = ((domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true) && (parent.config.settings.no2factorauth !== true));
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
if (twoStepLoginSupported == false) { func(true); return; };
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 15:14:53 -04:00
// Check hardware key
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
if (user.otphkeys && (user.otphkeys.length > 0) && (typeof (hwtoken) == 'string') && (hwtoken.length > 0)) {
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 15:14:53 -04:00
var authResponse = null;
try { authResponse = JSON.parse(hwtoken); } catch (ex) { }
Complete replacement of the WebAuthn 2 factor support.
2019-05-16 17:55:07 -04:00
if ((authResponse != null) && (authResponse.clientDataJSON)) {
// Get all WebAuthn keys
var webAuthnKeys = [];
for (var i = 0; i < user.otphkeys.length; i++) { if (user.otphkeys[i].type == 3) { webAuthnKeys.push(user.otphkeys[i]); } }
if (webAuthnKeys.length > 0) {
// Decode authentication response
var clientAssertionResponse = { response: {} };
clientAssertionResponse.id = authResponse.id;
clientAssertionResponse.rawId = Buffer.from(authResponse.id, 'base64');
clientAssertionResponse.response.authenticatorData = Buffer.from(authResponse.authenticatorData, 'base64');
clientAssertionResponse.response.clientDataJSON = Buffer.from(authResponse.clientDataJSON, 'base64');
clientAssertionResponse.response.signature = Buffer.from(authResponse.signature, 'base64');
clientAssertionResponse.response.userHandle = Buffer.from(authResponse.userHandle, 'base64');
// Look for the key with clientAssertionResponse.id
var webAuthnKey = null;
for (var i = 0; i < webAuthnKeys.length; i++) { if (webAuthnKeys[i].keyId == clientAssertionResponse.id) { webAuthnKey = webAuthnKeys[i]; } }
// If we found a valid key to use, let's validate the response
if (webAuthnKey != null) {
// Figure out the origin
var httpport = ((args.aliasport != null) ? args.aliasport : args.port);
var origin = "https://" + (domain.dns ? domain.dns : parent.certificates.CommonName);
if (httpport != 443) { origin += ':' + httpport; }
var assertionExpectations = {
challenge: req.session.u2fchallenge,
origin: origin,
factor: "either",
fmt: "fido-u2f",
publicKey: webAuthnKey.publicKey,
prevCounter: webAuthnKey.counter,
userHandle: Buffer(user._id, 'binary').toString('base64')
};
var webauthnResponse = null;
try { webauthnResponse = obj.webauthn.verifyAuthenticatorAssertionResponse(clientAssertionResponse.response, assertionExpectations); } catch (ex) { console.log(ex); }
if ((webauthnResponse != null) && (webauthnResponse.verified === true)) {
// Update the hardware key counter and accept the 2nd factor
webAuthnKey.counter = webauthnResponse.counter;
obj.db.SetUser(user);
func(true);
} else {
func(false);
More FIDO2 fixes.
2019-03-25 17:43:58 -04:00
}
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 15:14:53 -04:00
return;
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
}
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
}
// Check Google Authenticator
const otplib = require('otplib')
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
otplib.authenticator.options = { window: 2 }; // Set +/- 1 minute window
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
if (user.otpsecret && (typeof (token) == 'string') && (token.length == 6) && (otplib.authenticator.check(token, user.otpsecret) == true)) { func(true); return; };
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
// Check written down keys
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
if ((user.otpkeys != null) && (user.otpkeys.keys != null) && (typeof (token) == 'string') && (token.length == 8)) {
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
var tokenNumber = parseInt(token);
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
for (var i = 0; i < user.otpkeys.keys.length; i++) { if ((tokenNumber === user.otpkeys.keys[i].p) && (user.otpkeys.keys[i].u === true)) { user.otpkeys.keys[i].u = false; func(true); return; } }
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
// Check OTP hardware key
Added missing dependencies
2019-02-08 17:46:07 -05:00
if ((domain.yubikey != null) && (domain.yubikey.id != null) && (domain.yubikey.secret != null) && (user.otphkeys != null) && (user.otphkeys.length > 0) && (typeof (token) == 'string') && (token.length == 44)) {
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
var keyId = token.substring(0, 12);
Session and account improvements.
2019-02-10 23:13:03 -05:00
// Find a matching OTP key
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
var match = false;
for (var i = 0; i < user.otphkeys.length; i++) { if ((user.otphkeys[i].type === 2) && (user.otphkeys[i].keyid === keyId)) { match = true; } }
// If we have a match, check the OTP
if (match === true) {
var yubikeyotp = require('yubikeyotp');
var request = { otp: token, id: domain.yubikey.id, key: domain.yubikey.secret, timestamp: true }
if (domain.yubikey.proxy) { request.requestParams = { proxy: domain.yubikey.proxy }; }
yubikeyotp.verifyOTP(request, function (err, results) { func(results.status == 'OK'); });
return;
}
}
func(false);
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
// Return a U2F hardware key challenge
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
function getHardwareKeyChallenge(req, domain, user, func) {
if (req.session.u2fchallenge) { delete req.session.u2fchallenge; };
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
if (user.otphkeys && (user.otphkeys.length > 0)) {
Started work on adding FIDO2 support.
2019-03-23 01:33:53 -04:00
// Get all WebAuthn keys
Complete replacement of the WebAuthn 2 factor support.
2019-05-16 17:55:07 -04:00
var webAuthnKeys = [];
for (var i = 0; i < user.otphkeys.length; i++) { if (user.otphkeys[i].type == 3) { webAuthnKeys.push(user.otphkeys[i]); } }
if (webAuthnKeys.length > 0) {
// Generate a Webauthn challenge, this is really easy, no need to call any modules to do this.
var authnOptions = { type: 'webAuthn', keyIds: [], timeout: 60000, challenge: obj.crypto.randomBytes(64).toString('base64') };
for (var i = 0; i < webAuthnKeys.length; i++) { authnOptions.keyIds.push(webAuthnKeys[i].keyId); }
req.session.u2fchallenge = authnOptions.challenge;
func(JSON.stringify(authnOptions));
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-21 17:19:32 -04:00
return;
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
}
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-21 17:19:32 -04:00
func('');
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
function handleLoginRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Completed 2 step login support.
2019-01-15 21:21:03 -05:00
// Normally, use the body username/password. If this is a token, use the username/password in the session.
var xusername = req.body.username, xpassword = req.body.password;
if ((xusername == null) && (xpassword == null) && (req.body.token != null)) { xusername = req.session.tokenusername; xpassword = req.session.tokenpassword; }
// Authenticate the user
obj.authenticate(xusername, xpassword, domain, function (err, userid, passhint) {
Initial main commit
2017-08-28 12:27:45 -04:00
if (userid) {
var user = obj.users[userid];
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
// Check if this user has 2-step login active
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
if ((req.session.loginmode != '6') && checkUserOneTimePasswordRequired(domain, user)) {
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
if (result == false) {
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
var randomWaitTime = 0;
Added one time passwords for user 2-factor login.
2019-02-05 22:07:12 -05:00
// 2-step auth is required, but the token is not present or not valid.
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
if ((req.body.token != null) || (req.body.hwtoken != null)) {
randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds.
req.session.error = '<b style=color:#8C001A>Invalid token, try again.</b>';
}
// Wait and redirect the user
setTimeout(function () {
req.session.loginmode = '4';
req.session.tokenusername = xusername;
req.session.tokenpassword = xpassword;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
}, randomWaitTime);
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
} else {
// Login succesful
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
}
});
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
return;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
}
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
// Login succesful
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword);
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
// Login failed, wait a random delay
setTimeout(function () {
// If the account is locked, display that.
if (err == 'locked') { req.session.error = '<b style=color:#8C001A>Account locked.</b>'; } else { req.session.error = '<b style=color:#8C001A>Login failed, check username and password.</b>'; }
// Clean up login mode and display password hint if present.
delete req.session.loginmode;
if ((passhint != null) && (passhint.length > 0)) {
req.session.passhint = passhint;
} else {
delete req.session.passhint;
}
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
}, 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095)); // Wait for 2 to ~6 seconds.
Initial main commit
2017-08-28 12:27:45 -04:00
}
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
function completeLoginRequest(req, res, domain, user, userid, xusername, xpassword) {
// Check if we need to change the password
if ((typeof user.passchange == 'number') && ((user.passchange == -1) || ((typeof domain.passwordrequirements == 'object') && (typeof domain.passwordrequirements.reset == 'number') && (user.passchange + (domain.passwordrequirements.reset * 86400) < Math.floor(Date.now() / 1000))))) {
// Request a password change
req.session.loginmode = '6';
req.session.error = '<b style=color:#8C001A>Password change requested.</b>';
req.session.resettokenusername = xusername;
req.session.resettokenpassword = xpassword;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
return;
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
// Save login time
user.login = Math.floor(Date.now() / 1000);
obj.db.SetUser(user);
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
// Notify account login
var targets = ['*', 'server-users'];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(targets, obj, { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msg: 'Account login', domain: domain.id });
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
// Regenerate session when signing in to prevent fixation
//req.session.regenerate(function () {
// Store the user's primary key in the session store to be retrieved, or in this case the entire user object
// req.session.success = 'Authenticated as ' + user.name + 'click to <a href="/logout">logout</a>. You may now access <a href="/restricted">/restricted</a>.';
delete req.session.loginmode;
delete req.session.tokenusername;
delete req.session.tokenpassword;
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
delete req.session.tokenemail;
Session and account improvements.
2019-02-10 23:13:03 -05:00
delete req.session.success;
delete req.session.error;
delete req.session.passhint;
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
req.session.userid = userid;
req.session.domainid = domain.id;
req.session.currentNode = '';
if (req.body.viewmode) { req.session.viewmode = req.body.viewmode; }
if (req.body.host) {
// TODO: This is a terrible search!!! FIX THIS.
/*
obj.db.GetAllType('node', function (err, docs) {
for (var i = 0; i < docs.length; i++) {
if (docs[i].name == req.body.host) {
req.session.currentNode = docs[i]._id;
break;
}
}
console.log("CurrentNode: " + req.session.currentNode);
// This redirect happens after finding node is completed
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
});
*/
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req)); // Temporary
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
} else {
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added support for both U2F and OTP hardware login keys.
2019-02-08 12:24:00 -05:00
}
//});
}
Initial main commit
2017-08-28 12:27:45 -04:00
function handleCreateAccountRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Account emails are not always lowercase.
2019-07-15 13:24:31 -04:00
// Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
Improved keyboard support, new email as username mode.
2019-07-08 18:59:44 -04:00
// If the email is the username, set this here.
if (domain.usernameisemail) { req.body.username = req.body.email; }
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 16:42:54 -04:00
// Check if we are allowed to create new users using the login screen
var domainUserCount = -1;
if ((domain.newaccounts !== 1) && (domain.newaccounts !== true)) {
domainUserCount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { domainUserCount++; } }
if (domainUserCount > 0) { res.sendStatus(401); return; }
}
Session and account improvements.
2019-02-10 23:13:03 -05:00
Added newAccountEmailDomains, more server fixes.
2019-02-25 19:07:27 -05:00
// Check if this request is for an allows email domain
if ((domain.newaccountemaildomains != null) && Array.isArray(domain.newaccountemaildomains)) {
var i = -1;
if (typeof req.body.email == 'string') { i = req.body.email.indexOf('@'); }
if (i == -1) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Added newAccountEmailDomains, more server fixes.
2019-02-25 19:07:27 -05:00
req.session.error = '<b style=color:#8C001A>Unable to create account.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added newAccountEmailDomains, more server fixes.
2019-02-25 19:07:27 -05:00
return;
}
var emailok = false, emaildomain = req.body.email.substring(i + 1).toLowerCase();
for (var i in domain.newaccountemaildomains) { if (emaildomain == domain.newaccountemaildomains[i].toLowerCase()) { emailok = true; } }
if (emailok == false) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Added newAccountEmailDomains, more server fixes.
2019-02-25 19:07:27 -05:00
req.session.error = '<b style=color:#8C001A>Unable to create account.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added newAccountEmailDomains, more server fixes.
2019-02-25 19:07:27 -05:00
return;
}
}
Session and account improvements.
2019-02-10 23:13:03 -05:00
// Check if we exceed the maximum number of user accounts
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
Session and account improvements.
2019-02-10 23:13:03 -05:00
if (maxExceed) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Session and account improvements.
2019-02-10 23:13:03 -05:00
req.session.error = '<b style=color:#8C001A>Account limit reached.</b>';
console.log('max', req.session);
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Session and account improvements.
2019-02-10 23:13:03 -05:00
} else {
if (!obj.common.validateUsername(req.body.username, 1, 64) || !obj.common.validateEmail(req.body.email, 1, 256) || !obj.common.validateString(req.body.password1, 1, 256) || !obj.common.validateString(req.body.password2, 1, 256) || (req.body.password1 != req.body.password2) || req.body.username == '~' || !obj.common.checkPasswordRequirements(req.body.password1, domain.passwordrequirements)) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Session and account improvements.
2019-02-10 23:13:03 -05:00
req.session.error = '<b style=color:#8C001A>Unable to create account.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
Session and account improvements.
2019-02-10 23:13:03 -05:00
// Check if this email was already verified
obj.db.GetUserWithVerifiedEmail(domain.id, req.body.email, function (err, docs) {
if (docs.length > 0) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Session and account improvements.
2019-02-10 23:13:03 -05:00
req.session.error = '<b style=color:#8C001A>Existing account with this email address.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Session and account improvements.
2019-02-10 23:13:03 -05:00
} else {
// Check if there is domain.newAccountToken, check if supplied token is valid
if ((domain.newaccountspass != null) && (domain.newaccountspass != '') && (req.body.anewaccountpass != domain.newaccountspass)) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Session and account improvements.
2019-02-10 23:13:03 -05:00
req.session.error = '<b style=color:#8C001A>Invalid account creation token.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Session and account improvements.
2019-02-10 23:13:03 -05:00
return;
}
// Check if user exists
if (obj.users['user/' + domain.id + '/' + req.body.username.toLowerCase()]) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '2';
Session and account improvements.
2019-02-10 23:13:03 -05:00
req.session.error = '<b style=color:#8C001A>Username already exists.</b>';
} else {
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
var user = { type: 'user', _id: 'user/' + domain.id + '/' + req.body.username.toLowerCase(), name: req.body.username, email: req.body.email, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-12 22:14:24 -04:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true) && (req.body.apasswordhint)) { var hint = req.body.apasswordhint; if (hint.length > 250) { hint = hint.substring(0, 250); } user.passhint = hint; }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 01:13:56 -04:00
if (domainUserCount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
Session and account improvements.
2019-02-10 23:13:03 -05:00
obj.users[user._id] = user;
req.session.userid = user._id;
req.session.domainid = domain.id;
// Create a user, generate a salt and hash the password
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(req.body.password1, function (err, salt, hash, tag) {
Session and account improvements.
2019-02-10 23:13:03 -05:00
if (err) throw err;
user.salt = salt;
user.hash = hash;
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
delete user.passtype;
Session and account improvements.
2019-02-10 23:13:03 -05:00
obj.db.SetUser(user);
// Send the verification email
Added LDAP support.
2019-04-11 16:41:51 -04:00
if ((obj.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (obj.common.validateEmail(user.email, 1, 256) == true)) { obj.parent.mailserver.sendAccountCheckMail(domain, user.name, user.email); }
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, email is ' + req.body.email, domain: domain.id };
Improved MongoDB change stream.
2019-05-29 17:36:14 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
Session and account improvements.
2019-02-10 23:13:03 -05:00
}
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Session and account improvements.
2019-02-10 23:13:03 -05:00
}
});
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
}
Session and account improvements.
2019-02-10 23:13:03 -05:00
}
});
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
}
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
// Called to process an account password reset
function handleResetPasswordRequest(req, res) {
const domain = checkUserIpAddress(req, res);
// Check everything is ok
Added LDAP support.
2019-04-11 16:41:51 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (typeof req.body.rpassword1 != 'string') || (typeof req.body.rpassword2 != 'string') || (req.body.rpassword1 != req.body.rpassword2) || (typeof req.body.rpasswordhint != 'string') || (req.session == null) || (typeof req.session.resettokenusername != 'string') || (typeof req.session.resettokenpassword != 'string')) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
delete req.session.loginmode;
delete req.session.tokenusername;
delete req.session.tokenpassword;
delete req.session.resettokenusername;
delete req.session.resettokenpassword;
delete req.session.tokenemail;
delete req.session.success;
delete req.session.error;
delete req.session.passhint;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
return;
}
// Authenticate the user
obj.authenticate(req.session.resettokenusername, req.session.resettokenpassword, domain, function (err, userid, passhint) {
if (userid) {
// Login
var user = obj.users[userid];
// If we have password requirements, check this here.
if (!obj.common.checkPasswordRequirements(req.body.rpassword1, domain.passwordrequirements)) {
req.session.loginmode = '6';
req.session.error = '<b style=color:#8C001A>Password rejected, use a different one.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
return;
}
// Check if the password is the same as the previous one
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(req.body.rpassword1, user.salt, function (err, hash, tag) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
if (user.hash == hash) {
// This is the same password, request a password change again
req.session.loginmode = '6';
req.session.error = '<b style=color:#8C001A>Password rejected, use a different one.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
} else {
// Update the password, use a different salt.
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(req.body.rpassword1, function (err, salt, hash, tag) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
if (err) throw err;
user.salt = salt;
user.hash = hash;
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { var hint = req.body.rpasswordhint; if (hint.length > 250) { hint = hint.substring(0, 250); } user.passhint = hint; } else { delete user.passhint; }
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
user.passchange = Math.floor(Date.now() / 1000);
delete user.passtype;
obj.db.SetUser(user);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'User password reset', domain: domain.id };
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
// Login succesful
req.session.userid = userid;
req.session.domainid = domain.id;
completeLoginRequest(req, res, domain, obj.users[userid], userid, req.session.tokenusername, req.session.tokenpassword);
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
}
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
} else {
// Failed, error out.
delete req.session.loginmode;
delete req.session.tokenusername;
delete req.session.tokenpassword;
delete req.session.resettokenusername;
delete req.session.resettokenpassword;
delete req.session.tokenemail;
delete req.session.success;
delete req.session.error;
delete req.session.passhint;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
return;
}
});
}
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
// Called to process an account reset request
function handleResetAccountRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Added support for wildcard Let's Encrypt certs.
2019-06-07 18:55:24 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Account emails are not always lowercase.
2019-07-15 13:24:31 -04:00
// Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
Fixed e-mail password recovery.
2019-02-11 17:59:04 -05:00
// Get the email from the body or session.
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
var email = req.body.email;
if ((email == null) || (email == '')) { email = req.session.tokenemail; }
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
// Check the email string format
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
if (!email || checkEmail(email) == false) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '3';
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
req.session.error = '<b style=color:#8C001A>Invalid email.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
obj.db.GetUserWithVerifiedEmail(domain.id, email, function (err, docs) {
if ((err != null) || (docs.length == 0)) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '3';
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
req.session.error = '<b style=color:#8C001A>Account not found.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
// If many accounts have the same validated e-mail, we are going to use the first one for display, but sent a reset email for all accounts.
var responseSent = false;
for (var i in docs) {
var user = docs[i];
if (checkUserOneTimePasswordRequired(domain, user) == true) {
// Second factor setup, request it now.
checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
if (result == false) {
if (i == 0) {
// 2-step auth is required, but the token is not present or not valid.
if ((req.body.token != null) || (req.body.hwtoken != null)) { req.session.error = '<b style=color:#8C001A>Invalid token, try again.</b>'; }
req.session.loginmode = '5';
req.session.tokenemail = email;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
}
} else {
// Send email to perform recovery.
delete req.session.tokenemail;
if (obj.parent.mailserver != null) {
obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
if (i == 0) {
req.session.loginmode = '1';
req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
}
} else {
if (i == 0) {
req.session.loginmode = '3';
req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
}
}
}
});
} else {
// No second factor, send email to perform recovery.
if (obj.parent.mailserver != null) {
obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
if (i == 0) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '1';
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Server fixes, added locale arg in web app.
2019-06-11 14:33:44 -04:00
}
} else {
if (i == 0) {
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
req.session.loginmode = '3';
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
}
}
}
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
}
}
});
}
}
// Called to process a web based email verification request
function handleCheckMailRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
if (req.query.c != null) {
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.mailserver.mailCookieEncryptionKey, 30);
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
if ((cookie != null) && (cookie.u != null) && (cookie.e != null)) {
var idsplit = cookie.u.split('/');
if ((idsplit.length != 2) || (idsplit[0] != domain.id)) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'ERROR: Invalid domain. <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
Minor fixes.
2019-02-12 16:37:01 -05:00
obj.db.Get('user/' + cookie.u.toLowerCase(), function (err, docs) {
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
if (docs.length == 0) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'ERROR: Invalid username \"' + EscapeHtml(idsplit[1]) + '\". <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
var user = docs[0];
if (user.email != cookie.e) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'ERROR: Invalid e-mail \"' + EscapeHtml(user.email) + '\" for user \"' + EscapeHtml(user.name) + '\". <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
if (cookie.a == 1) {
// Account email verification
if (user.emailVerified == true) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'E-mail \"' + EscapeHtml(user.email) + '\" for user \"' + EscapeHtml(user.name) + '\" already verified. <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
obj.db.GetUserWithVerifiedEmail(domain.id, user.email, function (err, docs) {
if (docs.length > 0) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'E-mail \"' + EscapeHtml(user.email) + '\" already in use on a different account. Change the email address and try again. <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
// Set the verified flag
obj.users[user._id].emailVerified = true;
user.emailVerified = true;
obj.db.SetUser(user);
// Event the change
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(user.email) + ')', domain: domain.id };
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
// Send the confirmation page
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'Verified email <b>' + EscapeHtml(user.email) + '</b> for user account <b>' + EscapeHtml(user.name) + '</b>. <a href="' + domain.url + '">Go to login page</a>.' });
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
// Send a notification
Added one time passwords for user 2-factor login.
2019-02-05 22:07:12 -05:00
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', value: 'Email verified:<br /><b>' + EscapeHtml(user.email) + '</b>.', nolog: 1 });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
}
});
}
} else if (cookie.a == 2) {
// Account reset
if (user.emailVerified != true) {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'E-mail \"' + EscapeHtml(user.email) + '\" for user \"' + EscapeHtml(user.name) + '\" not verified. <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
} else {
// Set a temporary password
obj.crypto.randomBytes(16, function (err, buf) {
var newpass = buf.toString('base64').split('=').join('').split('/').join('');
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(newpass, function (err, salt, hash, tag) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var userinfo = null;
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
if (err) throw err;
// Change the password
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
userinfo = obj.users[user._id];
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
userinfo.salt = salt;
userinfo.hash = hash;
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
delete userinfo.passtype;
Fixed server account and login times.
2019-01-24 20:01:50 -05:00
userinfo.passchange = Math.floor(Date.now() / 1000);
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
delete userinfo.passhint;
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
//delete userinfo.otpsecret; // Currently a email password reset will turn off 2-step login.
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
obj.db.SetUser(userinfo);
// Event the change
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: user._id, username: userinfo.name, account: obj.CloneSafeUser(userinfo), action: 'accountchange', msg: 'Password reset for user ' + EscapeHtml(user.name), domain: domain.id };
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
// Send the new password
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: '<div>Password for account <b>' + EscapeHtml(user.name) + '</b> has been reset to:</div><div style=padding:14px;font-size:18px><b>' + EscapeHtml(newpass) + '</b></div>Login and go to the \"My Account\" tab to update your password. <a href="' + domain.url + '">Go to login page</a>.' });
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
});
}
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'ERROR: Invalid account check. <a href="' + domain.url + '">Go to login page</a>.' });
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
}
}
}
});
}
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', domainurl: domain.url, message: 'ERROR: Invalid account check, verification url is only valid for 30 minutes. <a href="' + domain.url + '">Go to login page</a>.' });
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
}
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
Added public agent install invitation link support.
2019-06-03 16:15:38 -04:00
// Called to process an agent invite request
function handleAgentInviteRequest(req, res) {
const domain = checkUserIpAddress(req, res);
if ((domain == null) || ((req.query.m == null) && (req.query.c == null))) { res.sendStatus(404); return; }
if (req.query.c != null) {
// A cookie is specified in the query string, use that
Fixed invitation link encryption key.
2019-06-07 20:11:56 -04:00
var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.invitationLinkEncryptionKey);
Added public agent install invitation link support.
2019-06-03 16:15:38 -04:00
if (cookie == null) { res.sendStatus(404); return; }
var mesh = obj.meshes[cookie.mid];
if (mesh == null) { res.sendStatus(404); return; }
var installflags = cookie.f;
if (typeof installflags != 'number') { installflags = 0; }
res.render(obj.path.join(obj.parent.webViewsPath, 'agentinvite'), { title: domain.title, title2: domain.title2, domainurl: domain.url, meshid: mesh._id.split('/')[2], serverport: ((args.aliasport != null) ? args.aliasport : args.port), serverhttps: ((args.notls == true) ? '0' : '1'), servernoproxy: ((domain.agentnoproxy === true) ? '1' : '0'), meshname: encodeURIComponent(mesh.name), installflags: installflags });
} else if (req.query.m != null) {
// The MeshId is specified in the query string, use that
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.m.toLowerCase()];
if (mesh == null) { res.sendStatus(404); return; }
var installflags = 0;
if (req.query.f) { installflags = parseInt(req.query.f); }
if (typeof installflags != 'number') { installflags = 0; }
res.render(obj.path.join(obj.parent.webViewsPath, 'agentinvite'), { title: domain.title, title2: domain.title2, domainurl: domain.url, meshid: mesh._id.split('/')[2], serverport: ((args.aliasport != null) ? args.aliasport : args.port), serverhttps: ((args.notls == true) ? '0' : '1'), servernoproxy: ((domain.agentnoproxy === true) ? '1' : '0'), meshname: encodeURIComponent(mesh.name), installflags: installflags });
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
function handleDeleteAccountRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check if the user is logged and we have all required parameters
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (!req.session || !req.session.userid || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.domainid != domain.id)) { res.redirect(domain.url + getQueryPortion(req)); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
var user = obj.users[req.session.userid];
if (!user) return;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check if the password is correct
obj.authenticate(user.name, req.body.apassword1, domain, function (err, userid) {
var user = obj.users[userid];
if (user) {
Access permission and CIRA improvements.
2018-03-26 20:13:32 -04:00
// Remove all the mesh links to this user
if (user.links != null) {
for (var meshid in user.links) {
// Get the mesh
var mesh = obj.meshes[meshid];
if (mesh) {
// Remove user from the mesh
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if (mesh.links[userid] != null) { delete mesh.links[userid]; obj.db.Set(obj.common.escapeLinksFieldName(mesh)); }
Access permission and CIRA improvements.
2018-03-26 20:13:32 -04:00
// Notify mesh change
Windows MeshAgent fixes, small UI improvements
2018-09-24 20:47:03 -04:00
var change = 'Removed user ' + user.name + ' from group ' + mesh.name;
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(['*', mesh._id, user._id, userid], obj, { etype: 'mesh', userid: user._id, username: user.name, meshid: mesh._id, name: mesh.name, mtype: mesh.mtype, desc: mesh.desc, action: 'meshchange', links: mesh.links, msg: change, domain: domain.id });
Access permission and CIRA improvements.
2018-03-26 20:13:32 -04:00
}
}
}
Fixed account delete issues
2018-05-17 16:37:50 -04:00
// Remove notes for this user
obj.db.Remove('nt' + user._id);
Access permission and CIRA improvements.
2018-03-26 20:13:32 -04:00
// Remove the user
Initial main commit
2017-08-28 12:27:45 -04:00
obj.db.Remove(user._id);
delete obj.users[user._id];
Improved http session handling, new account page
2018-08-22 19:18:01 -04:00
req.session = null;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'accountremove', msg: 'Account removed', domain: domain.id });
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Initial main commit
2017-08-28 12:27:45 -04:00
}
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
// Check a user's password
obj.checkUserPassword = function(domain, user, password, func) {
// Check the old password
if (user.passtype != null) {
// IIS default clear or weak password hashing (SHA-1)
require('./pass').iishash(user.passtype, password, user.salt, function (err, hash) {
if (err) return func(false);
if (hash == user.hash) {
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { return func(false); } // Account is locked
return func(true); // Allow password change
}
func(false);
});
} else {
// Default strong password hashing (pbkdf2 SHA384)
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(password, user.salt, function (err, hash, tag) {
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
if (err) return func(false);
if (hash == user.hash) {
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { return func(false); } // Account is locked
return func(true); // Allow password change
}
func(false);
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle password changes
function handlePasswordChangeRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; }
Improved user handling with domain auth, email validation.
2019-01-16 15:04:48 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check if the user is logged and we have all required parameters
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (!req.session || !req.session.userid || !req.body.apassword0 || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.domainid != domain.id)) { res.redirect(domain.url + getQueryPortion(req)); return; }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
// Get the current user
var user = obj.users[req.session.userid];
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (!user) { res.redirect(domain.url + getQueryPortion(req)); return; }
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
// Check old password
obj.checkUserPassword(domain, user, req.body.apassword0, function (result) {
if (result == true) {
// Update the password
Added batch account addition.
2019-05-14 17:39:26 -04:00
require('./pass').hash(req.body.apassword1, function (err, salt, hash, tag) {
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
if (err) throw err;
user.salt = salt;
user.hash = hash;
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true) && (req.body.apasswordhint)) { var hint = req.body.apasswordhint; if (hint.length > 250) hint = hint.substring(0, 250); user.passhint = hint; } else { delete user.passhint; }
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
user.passchange = Math.floor(Date.now() / 1000);
delete user.passtype;
obj.db.SetUser(user);
req.session.viewmode = 2;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'passchange', msg: 'Account password changed: ' + user.name, domain: domain.id });
Added batch account addition.
2019-05-14 17:39:26 -04:00
}, 0);
Updated Windows agent, security improvements.
2019-02-12 22:23:40 -05:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
});
}
// Indicates that any request to "/" should render "default" or "login" depending on login state
function handleRootRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
if (!obj.args) { res.sendStatus(500); return; }
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
if ((domain.sspi != null) && ((req.query.login == null) || (obj.parent.loginCookieEncryptionKey == null))) {
// Login using SSPI
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
domain.sspi.authenticate(req, res, function (err) { if ((err != null) || (req.connection.user == null)) { res.end('Authentication Required...'); } else { handleRootRequestEx(req, res, domain); } });
Many fixes.
2018-12-20 15:12:24 -05:00
} else if (req.query.user && req.query.pass) {
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is not good security... but people are requesting this option.
Added LDAP support.
2019-04-11 16:41:51 -04:00
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) {
req.session.userid = userid;
req.session.domainid = domain.id;
req.session.currentNode = '';
handleRootRequestEx(req, res, domain);
});
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
} else {
// Login using a different system
handleRootRequestEx(req, res, domain);
}
}
function handleRootRequestEx(req, res, domain) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var nologout = false, user = null, features = 0;
Initial main commit
2017-08-28 12:27:45 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check if we have an incomplete domain name in the path
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if ((domain.id != '') && (domain.dns == null) && (req.url.split('/').length == 2)) { res.redirect(domain.url + getQueryPortion(req)); return; }
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
if (obj.args.nousers == true) {
// If in single user mode, setup things here.
if (req.session && req.session.loginmode) { delete req.session.loginmode; }
req.session.userid = 'user/' + domain.id + '/~';
req.session.domainid = domain.id;
req.session.currentNode = '';
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (obj.users[req.session.userid] == null) {
Initial main commit
2017-08-28 12:27:45 -04:00
// Create the dummy user ~ with impossible password
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 01:13:56 -04:00
obj.users[req.session.userid] = { type: 'user', _id: req.session.userid, name: '~', email: '~', domain: domain.id, siteadmin: 4294967295 };
Initial main commit
2017-08-28 12:27:45 -04:00
obj.db.SetUser(obj.users[req.session.userid]);
}
Fixed desktop tools
2018-09-11 17:28:47 -04:00
} else if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
Initial main commit
2017-08-28 12:27:45 -04:00
// If a default user is active, setup the session here.
if (req.session && req.session.loginmode) { delete req.session.loginmode; }
req.session.userid = 'user/' + domain.id + '/' + obj.args.user.toLowerCase();
req.session.domainid = domain.id;
req.session.currentNode = '';
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
} else if (req.query.login && (obj.parent.loginCookieEncryptionKey != null)) {
var loginCookie = obj.parent.decodeCookie(req.query.login, obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((loginCookie != null) && (loginCookie.a == 3) && (loginCookie.u != null) && (loginCookie.u.split('/')[1] == domain.id)) {
// If a login cookie was provided, setup the session here.
if (req.session && req.session.loginmode) { delete req.session.loginmode; }
req.session.userid = loginCookie.u;
req.session.domainid = domain.id;
req.session.currentNode = '';
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
} else if (domain.sspi != null) {
// SSPI login (Windows only)
//console.log(req.connection.user, req.connection.userSid);
if ((req.connection.user == null) || (req.connection.userSid == null)) {
res.sendStatus(404); return;
} else {
nologout = true;
Added recovery core support.
2019-01-21 17:05:50 -05:00
req.session.userid = 'user/' + domain.id + '/' + req.connection.user.toLowerCase();
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
req.session.usersid = req.connection.userSid;
req.session.usersGroups = req.connection.userGroups;
req.session.domainid = domain.id;
req.session.currentNode = '';
// Check if this user exists, create it if not.
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
user = obj.users[req.session.userid];
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
if ((user == null) || (user.sid != req.session.usersid)) {
// Create the domain user
Fixed server account and login times.
2019-01-24 20:01:50 -05:00
var usercount = 0, user2 = { type: 'user', _id: req.session.userid, name: req.connection.user, domain: domain.id, sid: req.session.usersid, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000) };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-12 22:14:24 -04:00
if (domain.newaccountsrights) { user2.siteadmin = domain.newaccountsrights; }
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 01:13:56 -04:00
if (usercount == 0) { user2.siteadmin = 4294967295; } // If this is the first user, give the account site admin.
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.users[req.session.userid] = user2;
obj.db.SetUser(user2);
Much improved event logs
2019-07-29 19:35:48 -04:00
var event = { etype: 'user', userid: req.session.userid, username: req.connection.user, account: obj.CloneSafeUser(user2), action: 'accountcreate', msg: 'Domain account created, user ' + req.connection.user, domain: domain.id };
Improved MongoDB change stream.
2019-05-29 17:36:14 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Added password requirements checking.
2018-12-20 17:14:37 -05:00
// Figure out the minimal password requirement
var passRequirements = null;
if (domain.passwordrequirements != null) {
if (domain.passrequirementstr == null) { domain.passwordrequirementsstr = encodeURIComponent(JSON.stringify(domain.passwordrequirements)); }
passRequirements = domain.passwordrequirementsstr;
}
Fixed user session counts
2018-11-06 22:41:21 -05:00
// If a user exists and is logged in, serve the default app, otherwise server the login app.
if (req.session && req.session.userid && obj.users[req.session.userid]) {
var user = obj.users[req.session.userid];
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check is the session is for the correct domain
Session and account improvements.
2019-02-10 23:13:03 -05:00
// Check if this is a locked account
if ((user.siteadmin != null) && ((user.siteadmin & 32) != 0) && (user.siteadmin != 0xFFFFFFFF)) {
// Locked account
delete req.session.userid;
delete req.session.domainid;
delete req.session.currentNode;
delete req.session.passhint;
req.session.error = '<b style=color:#8C001A>Account locked.</b>';
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Session and account improvements.
2019-02-10 23:13:03 -05:00
return;
}
Initial main commit
2017-08-28 12:27:45 -04:00
var viewmode = 1;
if (req.session.viewmode) {
viewmode = req.session.viewmode;
delete req.session.viewmode;
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
} else if (req.query.viewmode) {
viewmode = req.query.viewmode;
Initial main commit
2017-08-28 12:27:45 -04:00
}
var currentNode = '';
if (req.session.currentNode) {
currentNode = req.session.currentNode;
delete req.session.currentNode;
Added loginToken support and improved way to embed page into other sites.
2017-12-13 17:52:57 -05:00
} else if (req.query.node) {
currentNode = 'node/' + domain.id + '/' + req.query.node;
Initial main commit
2017-08-28 12:27:45 -04:00
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var logoutcontrol = '';
Fixed user session counts
2018-11-06 22:41:21 -05:00
if (obj.args.nousers != true) { logoutcontrol = 'Welcome ' + user.name + '.'; }
Added agent installation invite using email.
2018-01-23 17:15:59 -05:00
// Give the web page a list of supported server features
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
features = 0;
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if (obj.args.wanonly == true) { features += 0x00000001; } // WAN-only mode
if (obj.args.lanonly == true) { features += 0x00000002; } // LAN-only mode
if (obj.args.nousers == true) { features += 0x00000004; } // Single user mode
if (domain.userQuota == -1) { features += 0x00000008; } // No server files mode
if (obj.args.mpstlsoffload) { features += 0x00000010; } // No mutual-auth CIRA
Improved charts, added no2factorauth switch
2019-03-26 17:11:51 -04:00
if (parent.config.settings.allowframing == true) { features += 0x00000020; } // Allow site within iframe
Server improvements, first Intel AMT CCM activation.
2019-03-05 02:48:45 -05:00
if ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true)) { features += 0x00000040; } // Email invites
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if (obj.args.webrtc == true) { features += 0x00000080; } // Enable WebRTC (Default false for now)
if (obj.args.clickonce !== false) { features += 0x00000100; } // Enable ClickOnce (Default true)
if (obj.args.allowhighqualitydesktop == true) { features += 0x00000200; } // Enable AllowHighQualityDesktop (Default false)
if (obj.args.lanonly == true || obj.args.mpsport == 0) { features += 0x00000400; } // No CIRA
if ((obj.parent.serverSelfWriteAllowed == true) && (user != null) && (user.siteadmin == 0xFFFFFFFF)) { features += 0x00000800; } // Server can self-write (Allows self-update)
Improved charts, added no2factorauth switch
2019-03-26 17:11:51 -04:00
if ((parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true)) { features += 0x00001000; } // 2-step login supported
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if (domain.agentnoproxy === true) { features += 0x00002000; } // Indicates that agents should be installed without using a HTTP proxy
Improved charts, added no2factorauth switch
2019-03-26 17:11:51 -04:00
if ((parent.config.settings.no2factorauth !== true) && domain.yubikey && domain.yubikey.id && domain.yubikey.secret) { features += 0x00004000; } // Indicates Yubikey support
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if (domain.geolocation == true) { features += 0x00008000; } // Enable geo-location features
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { features += 0x00010000; } // Enable password hints
Complete replacement of the WebAuthn 2 factor support.
2019-05-16 17:55:07 -04:00
if (parent.config.settings.no2factorauth !== true) { features += 0x00020000; } // Enable WebAuthn/FIDO2 support
Added option to force 2 factor auth setup
2019-04-10 14:33:17 -04:00
if ((obj.args.nousers != true) && (domain.passwordrequirements != null) && (domain.passwordrequirements.force2factor === true)) { features += 0x00040000; } // Force 2-factor auth
Fixed adding unknown user to device group.
2019-05-08 18:15:34 -04:00
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { features += 0x00080000; } // LDAP or SSPI in use, warn that users must login first before adding a user to a group.
Started work on Intel AMT ACM activation.
2019-06-12 22:40:27 -04:00
if (domain.amtacmactivation) { features += 0x00100000; } // Intel AMT ACM activation/upgrade is possible
Improved keyboard support, new email as username mode.
2019-07-08 18:59:44 -04:00
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
// Create a authentication cookie
const authCookie = obj.parent.encodeCookie({ userid: user._id, domainid: domain.id }, obj.parent.loginCookieEncryptionKey);
Added agent installation invite using email.
2018-01-23 17:15:59 -05:00
// Send the master web application
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
if ((!obj.args.user) && (obj.args.nousers != true) && (nologout == false)) { logoutcontrol += ' <a href=' + domain.url + 'logout?' + Math.random() + ' style=color:white>Logout</a>'; } // If a default user is in use or no user mode, don't display the logout button
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Added web app minifiy support
2018-08-23 19:55:06 -04:00
Added browser notification support in the main web app.
2019-04-29 18:31:11 -04:00
// Fetch the web state
obj.db.Get('ws' + user._id, function (err, states) {
var webstate = (states.length == 1) ? states[0].state : '';
if (obj.args.minify && !req.query.nominify) {
// Try to server the minified version if we can.
try {
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'default-mobile-min' : 'default-min'), { authCookie: authCookie, viewmode: viewmode, currentNode: currentNode, logoutControl: logoutcontrol, title: domain.title, title2: domain.title2, extitle: encodeURIComponent(domain.title), extitle2: encodeURIComponent(domain.title2), domainurl: domain.url, domain: domain.id, debuglevel: parent.debugLevel, serverDnsName: obj.getWebServerName(domain), serverRedirPort: args.redirport, serverPublicPort: httpsPort, noServerBackup: (args.noserverbackup == 1 ? 1 : 0), features: features, sessiontime: args.sessiontime, mpspass: args.mpspass, passRequirements: passRequirements, webcerthash: Buffer.from(obj.webCertificateFullHashs[domain.id], 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'), footer: (domain.footer == null) ? '' : domain.footer, webstate: encodeURIComponent(webstate) });
} catch (ex) {
// In case of an exception, serve the non-minified version.
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'default-mobile' : 'default'), { authCookie: authCookie, viewmode: viewmode, currentNode: currentNode, logoutControl: logoutcontrol, title: domain.title, title2: domain.title2, extitle: encodeURIComponent(domain.title), extitle2: encodeURIComponent(domain.title2), domainurl: domain.url, domain: domain.id, debuglevel: parent.debugLevel, serverDnsName: obj.getWebServerName(domain), serverRedirPort: args.redirport, serverPublicPort: httpsPort, noServerBackup: (args.noserverbackup == 1 ? 1 : 0), features: features, sessiontime: args.sessiontime, mpspass: args.mpspass, passRequirements: passRequirements, webcerthash: Buffer.from(obj.webCertificateFullHashs[domain.id], 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'), footer: (domain.footer == null) ? '' : domain.footer, webstate: encodeURIComponent(webstate) });
}
} else {
// Serve non-minified version of web pages.
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'default-mobile' : 'default'), { authCookie: authCookie, viewmode: viewmode, currentNode: currentNode, logoutControl: logoutcontrol, title: domain.title, title2: domain.title2, extitle: encodeURIComponent(domain.title), extitle2: encodeURIComponent(domain.title2), domainurl: domain.url, domain: domain.id, debuglevel: parent.debugLevel, serverDnsName: obj.getWebServerName(domain), serverRedirPort: args.redirport, serverPublicPort: httpsPort, noServerBackup: (args.noserverbackup == 1 ? 1 : 0), features: features, sessiontime: args.sessiontime, mpspass: args.mpspass, passRequirements: passRequirements, webcerthash: Buffer.from(obj.webCertificateFullHashs[domain.id], 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'), footer: (domain.footer == null) ? '' : domain.footer, webstate: encodeURIComponent(webstate) });
Added web app minifiy support
2018-08-23 19:55:06 -04:00
}
Added browser notification support in the main web app.
2019-04-29 18:31:11 -04:00
});
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
// Send back the login application
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
// If this is a 2 factor auth request, look for a hardware key challenge.
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
// Normal login 2 factor request
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
if ((req.session.loginmode == '4') && (req.session.tokenusername)) {
More FIDO2 fixes.
2019-03-25 17:43:58 -04:00
var user = obj.users['user/' + domain.id + '/' + req.session.tokenusername.toLowerCase()];
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
if (user != null) {
More FIDO2 fixes.
2019-03-25 17:43:58 -04:00
getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
return;
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
}
}
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
// Password recovery 2 factor request
if ((req.session.loginmode == '5') && (req.session.tokenemail)) {
obj.db.GetUserWithVerifiedEmail(domain.id, req.session.tokenemail, function (err, docs) {
if ((err != null) || (docs.length == 0)) {
req.session = null;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
} else {
var user = obj.users[docs[0]._id];
if (user != null) {
More FIDO2 fixes.
2019-03-25 17:43:58 -04:00
getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
} else {
req.session = null;
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
res.redirect(domain.url + getQueryPortion(req));
Added user account, user session and agent session per-domain limits.
2019-02-11 17:41:15 -05:00
}
}
});
return;
}
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
handleRootRequestLogin(req, res, domain, '', passRequirements);
}
}
Completed support for hardware key 2-factor auth.
2019-02-08 01:30:33 -05:00
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
function handleRootRequestLogin(req, res, domain, hardwareKeyChallenge, passRequirements) {
var features = 0;
if ((parent.config != null) && (parent.config.settings != null) && (parent.config.settings.allowframing == true)) { features += 32; } // Allow site within iframe
Improved keyboard support, new email as username mode.
2019-07-08 18:59:44 -04:00
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
var loginmode = req.session.loginmode;
delete req.session.loginmode; // Clear this state, if the user hits refresh, we want to go back to the login page.
Session and account improvements.
2019-02-10 23:13:03 -05:00
// Format an error message if needed
var err = null, msg = null, passhint = null;
if (req.session != null) {
err = req.session.error;
msg = req.session.success;
Updated clickonce, password hint is configurable.
2019-02-28 19:17:22 -05:00
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { passhint = EscapeHtml(req.session.passhint); }
Session and account improvements.
2019-02-10 23:13:03 -05:00
delete req.session.error;
delete req.session.success;
delete req.session.passhint;
}
var message = '';
if (err != null) message = '<p class="msg error">' + err + '</p>';
if (msg != null) message = '<p class="msg success">' + msg + '</p>';
Added support for wildcard Let's Encrypt certs.
2019-06-07 18:55:24 -04:00
var emailcheck = ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Removed email verification when authenticating using SSPI.
2019-02-20 21:09:57 -05:00
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 16:42:54 -04:00
// Check if we are allowed to create new users using the login screen
var newAccountsAllowed = true;
if ((domain.newaccounts !== 1) && (domain.newaccounts !== true)) { for (var i in obj.users) { if (obj.users[i].domain == domain.id) { newAccountsAllowed = false; break; } } }
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
if (obj.args.minify && !req.query.nominify) {
// Try to server the minified version if we can.
try {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'login-mobile-min' : 'login-min'), { loginmode: loginmode, rootCertLink: getRootCertLink(), domainurl: domain.url, title: domain.title, title2: domain.title2, newAccount: newAccountsAllowed, newAccountPass: (((domain.newaccountspass == null) || (domain.newaccountspass == '')) ? 0 : 1), serverDnsName: obj.getWebServerName(domain), serverPublicPort: httpsPort, emailcheck: emailcheck, features: features, sessiontime: args.sessiontime, passRequirements: passRequirements, footer: (domain.footer == null) ? '' : domain.footer, hkey: encodeURIComponent(hardwareKeyChallenge), message: message, passhint: passhint, welcometext: domain.welcometext?encodeURIComponent(domain.welcometext):null });
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
} catch (ex) {
// In case of an exception, serve the non-minified version.
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'login-mobile' : 'login'), { loginmode: loginmode, rootCertLink: getRootCertLink(), domainurl: domain.url, title: domain.title, title2: domain.title2, newAccount: newAccountsAllowed, newAccountPass: (((domain.newaccountspass == null) || (domain.newaccountspass == '')) ? 0 : 1), serverDnsName: obj.getWebServerName(domain), serverPublicPort: httpsPort, emailcheck: emailcheck, features: features, sessiontime: args.sessiontime, passRequirements: passRequirements, footer: (domain.footer == null) ? '' : domain.footer, hkey: encodeURIComponent(hardwareKeyChallenge), message: message, passhint: passhint, welcometext: domain.welcometext ? encodeURIComponent(domain.welcometext) : null });
Added web app minifiy support
2018-08-23 19:55:06 -04:00
}
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
} else {
// Serve non-minified version of web pages.
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'login-mobile' : 'login'), { loginmode: loginmode, rootCertLink: getRootCertLink(), domainurl: domain.url, title: domain.title, title2: domain.title2, newAccount: newAccountsAllowed, newAccountPass: (((domain.newaccountspass == null) || (domain.newaccountspass == '')) ? 0 : 1), serverDnsName: obj.getWebServerName(domain), serverPublicPort: httpsPort, emailcheck: emailcheck, features: features, sessiontime: args.sessiontime, passRequirements: passRequirements, footer: (domain.footer == null) ? '' : domain.footer, hkey: encodeURIComponent(hardwareKeyChallenge), message: message, passhint: passhint, welcometext: domain.welcometext ? encodeURIComponent(domain.welcometext) : null });
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
/*
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 16:42:54 -04:00
var xoptions = { loginmode: loginmode, rootCertLink: getRootCertLink(), title: domain.title, title2: domain.title2, newAccount: newAccountsAllowed, newAccountPass: (((domain.newaccountspass == null) || (domain.newaccountspass == '')) ? 0 : 1), serverDnsName: obj.getWebServerName(domain), serverPublicPort: httpsPort, emailcheck: obj.parent.mailserver != null, features: features, footer: (domain.footer == null) ? '' : domain.footer };
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
var xpath = obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'login-mobile' : 'login');
console.log('Render...');
res.render(xpath, xoptions, function (err, html) {
console.log(err, html);
});
*/
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Many server improvements & stability fixes.
2019-02-14 17:44:38 -05:00
// Return true if it looks like we are using a real TLS certificate.
function isTrustedCert() {
if (obj.args.notls == true) return false; // We are not using TLS, so not trusted cert.
if (obj.args.tlsoffload != null) return true; // We are using TLS offload, a real cert is likely used.
if (obj.parent.config.letsencrypt != null) return true; // We are using Let's Encrypt, real cert in use.
if (obj.certificates.WebIssuer.indexOf('MeshCentralRoot-') == 0) return false; // Our cert is issued by self-signed cert.
Server improvements, first Intel AMT CCM activation.
2019-03-05 02:48:45 -05:00
if (obj.certificates.CommonName.indexOf('.') == -1) return false; // Our cert is named with a fake name
Many server improvements & stability fixes.
2019-02-14 17:44:38 -05:00
return true; // This is a guess
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Get the link to the root certificate if needed
function getRootCertLink() {
Partinally ran code thru JsHint
2018-08-29 20:40:30 -04:00
// Check if the HTTPS certificate is issued from MeshCentralRoot, if so, add download link to root certificate.
Server improvements, first Intel AMT CCM activation.
2019-03-05 02:48:45 -05:00
if ((obj.args.notls == null) && (obj.args.tlsoffload == null) && (obj.parent.config.letsencrypt == null) && (obj.tlsSniCredentials == null) && (obj.certificates.WebIssuer.indexOf('MeshCentralRoot-') == 0) && (obj.certificates.CommonName.indexOf('.') != -1)) { return '<a href=/MeshServerRootCert.cer title="Download the root certificate for this server">Root Certificate</a>'; }
Initial main commit
2017-08-28 12:27:45 -04:00
return '';
}
Many fixes.
2018-12-20 15:12:24 -05:00
// Render the terms of service.
Initial main commit
2017-08-28 12:27:45 -04:00
function handleTermsRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
// See if term.txt was loaded from the database
if ((parent.configurationFiles != null) && (parent.configurationFiles['terms.txt'] != null)) {
// Send the terms from the database
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
if (req.session && req.session.userid) {
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check is the session is for the correct domain
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
var user = obj.users[req.session.userid];
Added half relay timeout, terms page fix.
2019-05-13 17:06:13 -04:00
var logoutcontrol = 'Welcome ' + user.name + '.';
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrol += ' <a href=' + domain.url + 'logout?' + Math.random() + ' style=color:white>Logout</a>'; } // If a default user is in use or no user mode, don't display the logout button
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url, terms: encodeURIComponent(parent.configurationFiles['terms.txt'].toString()), logoutControl: logoutcontrol });
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url, terms: encodeURIComponent(parent.configurationFiles['terms.txt'].toString()) });
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
}
} else {
// See if there is a terms.txt file in meshcentral-data
var p = obj.path.join(obj.parent.datapath, 'terms.txt');
if (obj.fs.existsSync(p)) {
obj.fs.readFile(p, 'utf8', function (err, data) {
if (err != null) { res.sendStatus(404); return; }
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
// Send the terms from terms.txt
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
if (req.session && req.session.userid) {
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check is the session is for the correct domain
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
var user = obj.users[req.session.userid];
Added half relay timeout, terms page fix.
2019-05-13 17:06:13 -04:00
var logoutcontrol = 'Welcome ' + user.name + '.';
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrol += ' <a href=' + domain.url + 'logout?' + Math.random() + ' style=color:white>Logout</a>'; } // If a default user is in use or no user mode, don't display the logout button
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url, terms: encodeURIComponent(data), logoutControl: logoutcontrol });
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url, terms: encodeURIComponent(data) });
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
}
});
} else {
// Send the default terms
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
if (req.session && req.session.userid) {
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check is the session is for the correct domain
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
var user = obj.users[req.session.userid];
Added half relay timeout, terms page fix.
2019-05-13 17:06:13 -04:00
var logoutcontrol = 'Welcome ' + user.name + '.';
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrol += ' <a href=' + domain.url + 'logout?' + Math.random() + ' style=color:white>Logout</a>'; } // If a default user is in use or no user mode, don't display the logout button
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url, logoutControl: logoutcontrol });
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, isMobileBrowser(req) ? 'terms-mobile' : 'terms'), { title: domain.title, title2: domain.title2, domainurl: domain.url });
Added a way to specify terms of service in terms.txt.
2018-11-28 19:33:07 -05:00
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
Many fixes.
2018-12-20 15:12:24 -05:00
// Render the messenger application.
function handleMessengerRequest(req, res) {
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
const domain = checkUserIpAddress(req, res);
if (domain == null) { res.sendStatus(404); return; }
Many fixes.
2018-12-20 15:12:24 -05:00
var webRtcConfig = null;
if (obj.parent.config.settings && obj.parent.config.settings.webrtconfig && (typeof obj.parent.config.settings.webrtconfig == 'object')) { webRtcConfig = encodeURIComponent(JSON.stringify(obj.parent.config.settings.webrtconfig)); }
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'messenger'), { webrtconfig: webRtcConfig, domainurl: domain.url });
Many fixes.
2018-12-20 15:12:24 -05:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Returns the server root certificate encoded in base64
function getRootCertBase64() {
var rootcert = obj.certificates.root.cert;
var i = rootcert.indexOf("-----BEGIN CERTIFICATE-----\r\n");
if (i >= 0) { rootcert = rootcert.substring(i + 29); }
i = rootcert.indexOf("-----END CERTIFICATE-----");
if (i >= 0) { rootcert = rootcert.substring(i, 0); }
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
return Buffer.from(rootcert, 'base64').toString('base64');
Initial main commit
2017-08-28 12:27:45 -04:00
}
// Returns the mesh server root certificate
function handleRootCertRequest(req, res) {
Added server-side Intel AMT configuration options.
2019-02-07 18:00:10 -05:00
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only.
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
try {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + certificates.RootName + '.cer"' });
} catch (ex) {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="rootcert.cer"' });
}
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
res.send(Buffer.from(getRootCertBase64(), 'base64'));
Initial main commit
2017-08-28 12:27:45 -04:00
}
Server partially supports hardware login keys.
2019-02-07 23:06:01 -05:00
// Return the CIRA configuration script
obj.getCiraCleanupScript = function(func) {
obj.fs.readFile(obj.parent.path.join(obj.parent.webPublicPath, 'scripts/cira_cleanup.mescript'), 'utf8', function (err, data) {
if (err != null) { func(null); return; }
func(Buffer.from(data));
});
}
// Return the CIRA configuration script
obj.getCiraConfigurationScript = function(meshid, func) {
var serverNameSplit = obj.certificates.AmtMpsName.split('.');
// Figure out the MPS port, use the alias if set
var mpsport = ((obj.args.mpsaliasport != null) ? obj.args.mpsaliasport : obj.args.mpsport);
if ((serverNameSplit.length == 4) && (parseInt(serverNameSplit[0]) == serverNameSplit[0]) && (parseInt(serverNameSplit[1]) == serverNameSplit[1]) && (parseInt(serverNameSplit[2]) == serverNameSplit[2]) && (parseInt(serverNameSplit[3]) == serverNameSplit[3])) {
// Server name is an IPv4 address
obj.fs.readFile(obj.parent.path.join(obj.parent.webPublicPath, 'scripts/cira_setup_script_ip.mescript'), 'utf8', function (err, data) {
if (err != null) { func(null); return; }
var scriptFile = JSON.parse(data);
// Change a few things in the script
scriptFile.scriptBlocks[2].vars.CertBin.value = getRootCertBase64(); // Set the root certificate
scriptFile.scriptBlocks[3].vars.IP.value = obj.certificates.AmtMpsName; // Set the server IPv4 address name
scriptFile.scriptBlocks[3].vars.ServerName.value = obj.certificates.AmtMpsName; // Set the server certificate name
scriptFile.scriptBlocks[3].vars.Port.value = mpsport; // Set the server MPS port
scriptFile.scriptBlocks[3].vars.username.value = meshid; // Set the username
scriptFile.scriptBlocks[3].vars.password.value = obj.args.mpspass ? obj.args.mpspass : 'A@xew9rt'; // Set the password
scriptFile.scriptBlocks[4].vars.AccessInfo1.value = obj.certificates.AmtMpsName + ':' + mpsport; // Set the primary server name:port to set periodic timer
//scriptFile.scriptBlocks[4].vars.AccessInfo2.value = obj.certificates.AmtMpsName + ':' + mpsport; // Set the secondary server name:port to set periodic timer
if (obj.args.ciralocalfqdn != null) { scriptFile.scriptBlocks[6].vars.DetectionStrings.value = obj.args.ciralocalfqdn; } // Set the environment detection local FQDN's
// Compile the script
var scriptEngine = require('./amtscript.js').CreateAmtScriptEngine();
var runscript = scriptEngine.script_blocksToScript(scriptFile.blocks, scriptFile.scriptBlocks);
scriptFile.mescript = Buffer.from(scriptEngine.script_compile(runscript), 'binary').toString('base64');
scriptFile.scriptText = runscript;
// Send the script
func(Buffer.from(JSON.stringify(scriptFile, null, ' ')));
});
} else {
// Server name is a hostname
obj.fs.readFile(obj.parent.path.join(obj.parent.webPublicPath, 'scripts/cira_setup_script_dns.mescript'), 'utf8', function (err, data) {
if (err != null) { res.sendStatus(404); return; }
var scriptFile = JSON.parse(data);
// Change a few things in the script
scriptFile.scriptBlocks[2].vars.CertBin.value = getRootCertBase64(); // Set the root certificate
scriptFile.scriptBlocks[3].vars.FQDN.value = obj.certificates.AmtMpsName; // Set the server DNS name
scriptFile.scriptBlocks[3].vars.Port.value = mpsport; // Set the server MPS port
scriptFile.scriptBlocks[3].vars.username.value = meshid; // Set the username
scriptFile.scriptBlocks[3].vars.password.value = obj.args.mpspass ? obj.args.mpspass : 'A@xew9rt'; // Set the password
scriptFile.scriptBlocks[4].vars.AccessInfo1.value = obj.certificates.AmtMpsName + ':' + mpsport; // Set the primary server name:port to set periodic timer
//scriptFile.scriptBlocks[4].vars.AccessInfo2.value = obj.certificates.AmtMpsName + ':' + mpsport; // Set the secondary server name:port to set periodic timer
if (obj.args.ciralocalfqdn != null) { scriptFile.scriptBlocks[6].vars.DetectionStrings.value = obj.args.ciralocalfqdn; } // Set the environment detection local FQDN's
// Compile the script
var scriptEngine = require('./amtscript.js').CreateAmtScriptEngine();
var runscript = scriptEngine.script_blocksToScript(scriptFile.blocks, scriptFile.scriptBlocks);
scriptFile.mescript = Buffer.from(scriptEngine.script_compile(runscript), 'binary').toString('base64');
scriptFile.scriptText = runscript;
// Send the script
func(Buffer.from(JSON.stringify(scriptFile, null, ' ')));
});
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Returns an mescript for Intel AMT configuration
function handleMeScriptRequest(req, res) {
Added server-side Intel AMT configuration options.
2019-02-07 18:00:10 -05:00
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only.
Initial main commit
2017-08-28 12:27:45 -04:00
if (req.query.type == 1) {
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
obj.getCiraConfigurationScript(req.query.meshid, function (script) {
Server partially supports hardware login keys.
2019-02-07 23:06:01 -05:00
if (script == null) { res.sendStatus(404); } else {
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_setup.mescript"' });
Server partially supports hardware login keys.
2019-02-07 23:06:01 -05:00
res.send(script);
}
});
} else if (req.query.type == 2) {
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
obj.getCiraCleanupScript(function (script) {
Server partially supports hardware login keys.
2019-02-07 23:06:01 -05:00
if (script == null) { res.sendStatus(404); } else {
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_cleanup.mescript"' });
Server partially supports hardware login keys.
2019-02-07 23:06:01 -05:00
res.send(script);
}
Initial main commit
2017-08-28 12:27:45 -04:00
});
}
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle user public file downloads
function handleDownloadUserFiles(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Minor security fixes.
2019-01-04 20:59:13 -05:00
if (obj.common.validateString(req.path, 1, 4096) == false) { res.sendStatus(404); return; }
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
var domainname = 'domain', spliturl = decodeURIComponent(req.path).split('/'), filename = '';
Initial main commit
2017-08-28 12:27:45 -04:00
if ((spliturl.length < 3) || (obj.common.IsFilenameValid(spliturl[2]) == false) || (domain.userQuota == -1)) { res.sendStatus(404); return; }
if (domain.id != '') { domainname = 'domain-' + domain.id; }
var path = obj.path.join(obj.filespath, domainname + "/user-" + spliturl[2] + "/Public");
for (var i = 3; i < spliturl.length; i++) { if (obj.common.IsFilenameValid(spliturl[i]) == true) { path += '/' + spliturl[i]; filename = spliturl[i]; } else { res.sendStatus(404); return; } }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
var stat = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
try { stat = obj.fs.statSync(path); } catch (e) { }
Initial main commit
2017-08-28 12:27:45 -04:00
if ((stat != null) && ((stat.mode & 0x004000) == 0)) {
if (req.query.download == 1) {
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
try {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"' + filename + '\"' });
} catch (ex) {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"file.bin\"' });
}
Initial main commit
2017-08-28 12:27:45 -04:00
try { res.sendFile(obj.path.resolve(__dirname, path)); } catch (e) { res.sendStatus(404); }
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'download'), { rootCertLink: getRootCertLink(), title: domain.title, title2: domain.title2, domainurl: domain.url, message: "<a href='" + req.path + "?download=1'>" + filename + "</a>, " + stat.size + " byte" + ((stat.size < 2) ? '' : 's') + "." });
Initial main commit
2017-08-28 12:27:45 -04:00
}
} else {
Fixed relative URL links when using a non-DNS subdomain.
2019-05-22 17:48:41 -04:00
res.render(obj.path.join(obj.parent.webViewsPath, 'download'), { rootCertLink: getRootCertLink(), title: domain.title, title2: domain.title2, domainurl: domain.url, message: "Invalid file link, please check the URL again." });
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
Added customization of the web site title logo.
2018-12-21 17:39:26 -05:00
// Handle logo request
function handleLogoRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Added customization of the web site title logo.
2018-12-21 17:39:26 -05:00
res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
if ((domain != null) && domain.titlepicture) {
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
if ((parent.configurationFiles != null) && (parent.configurationFiles[domain.titlepicture] != null)) {
// Use the logo in the database
res.set({ 'Content-Type': 'image/jpeg' });
res.send(parent.configurationFiles[domain.titlepicture]);
} else {
// Use the logo on file
try { res.sendFile(obj.path.join(obj.parent.datapath, domain.titlepicture)); } catch (e) {
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/logoback.png')); } catch (e) { res.sendStatus(404); }
}
Added customization of the web site title logo.
2018-12-21 17:39:26 -05:00
}
} else {
New agents, NeDB encryption, WebApp Fixes.
2019-01-24 15:08:48 -05:00
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/logoback.png')); } catch (e) { res.sendStatus(404); }
Added customization of the web site title logo.
2018-12-21 17:39:26 -05:00
}
}
Added welcome page customization options.
2019-02-13 16:22:52 -05:00
// Handle welcome image request
function handleWelcomeImageRequest(req, res) {
const domain = checkUserIpAddress(req, res);
res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
if ((domain != null) && domain.welcomepicture) {
if ((parent.configurationFiles != null) && (parent.configurationFiles[domain.welcomepicture] != null)) {
// Use the welcome image in the database
res.set({ 'Content-Type': 'image/jpeg' });
res.send(parent.configurationFiles[domain.welcomepicture]);
} else {
// Use the logo on file
try { res.sendFile(obj.path.join(obj.parent.datapath, domain.welcomepicture)); } catch (e) {
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/mainwelcome.jpg')); } catch (e) { res.sendStatus(404); }
}
}
} else {
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/mainwelcome.jpg')); } catch (e) { res.sendStatus(404); }
}
}
Added server redirection and unlimited invite URL's.
2019-06-07 13:20:54 -04:00
// Handle domain redirection
function handleDomainRedirect(req, res) {
const domain = checkUserIpAddress(req, res);
if ((domain == null) || (domain.redirects == null)) { res.sendStatus(404); return; }
var urlArgs = '', urlName = null, splitUrl = req.originalUrl.split("?");
if (splitUrl.length > 1) { urlArgs = '?' + splitUrl[1]; }
if ((splitUrl.length > 0) && (splitUrl[0].length > 1)) { urlName = splitUrl[0].substring(1).toLowerCase(); }
Server fixes when agent comes in with unknown agentid.
2019-06-17 18:37:13 -04:00
if ((urlName == null) || (domain.redirects[urlName] == null) || (urlName[0] == '_')) { res.sendStatus(404); return; }
Server fixes and webapp trace support.
2019-06-17 20:17:23 -04:00
if (domain.redirects[urlName] == '~showversion') {
// Show the current version
res.end('MeshCentral v' + obj.parent.currentVer);
} else {
// Perform redirection
res.redirect(domain.redirects[urlName] + urlArgs + getQueryPortion(req));
}
Added server redirection and unlimited invite URL's.
2019-06-07 13:20:54 -04:00
}
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
// Take a "user/domain/userid/path/file" format and return the actual server disk file path if access is allowed
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
obj.getServerFilePath = function (user, domain, path) {
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
var splitpath = path.split('/'), serverpath = obj.path.join(obj.filespath, 'domain'), filename = '';
if ((splitpath.length < 3) || (splitpath[0] != 'user' && splitpath[0] != 'mesh') || (splitpath[1] != domain.id)) return null; // Basic validation
var objid = splitpath[0] + '/' + splitpath[1] + '/' + splitpath[2];
if (splitpath[0] == 'user' && (objid != user._id)) return null; // User validation, only self allowed
if (splitpath[0] == 'mesh') { var link = user.links[objid]; if ((link == null) || (link.rights == null) || ((link.rights & 32) == 0)) { return null; } } // Check mesh server file rights
if (splitpath[1] != '') { serverpath += '-' + splitpath[1]; } // Add the domain if needed
serverpath += ('/' + splitpath[0] + '-' + splitpath[2]);
for (var i = 3; i < splitpath.length; i++) { if (obj.common.IsFilenameValid(splitpath[i]) == true) { serverpath += '/' + splitpath[i]; filename = splitpath[i]; } else { return null; } } // Check that each folder is correct
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
return { fullpath: obj.path.resolve(obj.filespath, serverpath), path: serverpath, name: filename, quota: obj.getQuota(objid, domain) };
};
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
// Return the maximum number of bytes allowed in the user account "My Files".
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
obj.getQuota = function (objid, domain) {
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
if (objid == null) return 0;
if (objid.startsWith('user/')) {
var user = obj.users[objid];
if (user == null) return 0;
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if (user.siteadmin == 0xFFFFFFFF) return null; // Administrators have no user limit
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
if ((user.quota != null) && (typeof user.quota == 'number')) { return user.quota; }
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if ((domain != null) && (domain.userquota != null) && (typeof domain.userquota == 'number')) { return domain.userquota; }
return null; // By default, the user will have no limit
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
} else if (objid.startsWith('mesh/')) {
var mesh = obj.meshes[objid];
if (mesh == null) return 0;
if ((mesh.quota != null) && (typeof mesh.quota == 'number')) { return mesh.quota; }
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if ((domain != null) && (domain.meshquota != null) && (typeof domain.meshquota == 'number')) { return domain.meshquota; }
return null; // By default, the mesh will have no limit
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
}
return 0;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Download a file from the server
function handleDownloadFile(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if ((req.query.link == null) || (req.session == null) || (req.session.userid == null) || (domain == null) || (domain.userQuota == -1)) { res.sendStatus(404); return; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const user = obj.users[req.session.userid];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (user == null) { res.sendStatus(404); return; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const file = obj.getServerFilePath(user, domain, req.query.link);
Initial main commit
2017-08-28 12:27:45 -04:00
if (file == null) { res.sendStatus(404); return; }
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
try {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"' + file.name + '\"' });
} catch (ex) {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename=\"file.bin\"' });
}
Initial main commit
2017-08-28 12:27:45 -04:00
try { res.sendFile(file.fullpath); } catch (e) { res.sendStatus(404); }
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Upload a MeshCore.js file to the server
function handleUploadMeshCoreFile(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const user = obj.users[req.session.userid];
Initial main commit
2017-08-28 12:27:45 -04:00
if (user.siteadmin != 0xFFFFFFFF) { res.sendStatus(401); return; } // Check if we have mesh core upload rights (Full admin only)
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 12:27:45 -04:00
form.parse(req, function (err, fields, files) {
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if ((fields == null) || (fields.attrib == null) || (fields.attrib.length != 1)) { res.sendStatus(404); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
for (var i in files.files) {
var file = files.files[i];
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
obj.fs.readFile(file.path, 'utf8', function (err, data) {
if (err != null) return;
Initial main commit
2017-08-28 12:27:45 -04:00
data = obj.common.IntToStr(0) + data; // Add the 4 bytes encoding type & flags (Set to 0 for raw)
Added recovery core support.
2019-01-21 17:05:50 -05:00
obj.sendMeshAgentCore(user, domain, fields.attrib[0], 'custom', data); // Upload the core
Initial main commit
2017-08-28 12:27:45 -04:00
try { obj.fs.unlinkSync(file.path); } catch (e) { }
});
}
res.send('');
});
}
// Upload a file to the server
function handleUploadFile(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid) || (domain.userQuota == -1)) { res.sendStatus(401); return; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const user = obj.users[req.session.userid];
Initial main commit
2017-08-28 12:27:45 -04:00
if ((user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 12:27:45 -04:00
form.parse(req, function (err, fields, files) {
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ res.sendStatus(404); return; }
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
var xfile = obj.getServerFilePath(user, domain, decodeURIComponent(fields.link[0]));
Initial main commit
2017-08-28 12:27:45 -04:00
if (xfile == null) { res.sendStatus(404); return; }
// Get total bytes in the path
var totalsize = readTotalFileSize(xfile.fullpath);
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if ((xfile.quota == null) || (totalsize < xfile.quota)) { // Check if the quota is not already broken
Improved login screen, Mesh server directory handling
2019-02-19 18:38:27 -05:00
if (fields.name != null) {
DB record expire in config + Mesh folder optimizations
2019-02-19 01:20:25 -05:00
Improved login screen, Mesh server directory handling
2019-02-19 18:38:27 -05:00
// See if we need to create the folder
var domainx = 'domain';
if (domain.id.length > 0) { domainx = 'domain-' + usersplit[1]; }
try { obj.fs.mkdirSync(obj.parent.filespath); } catch (e) { }
try { obj.fs.mkdirSync(obj.parent.path.join(obj.parent.filespath, domainx)); } catch (e) { }
try { obj.fs.mkdirSync(xfile.fullpath); } catch (e) { }
DB record expire in config + Mesh folder optimizations
2019-02-19 01:20:25 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Upload method where all the file data is within the fields.
var names = fields.name[0].split('*'), sizes = fields.size[0].split('*'), types = fields.type[0].split('*'), datas = fields.data[0].split('*');
if ((names.length == sizes.length) && (types.length == datas.length) && (names.length == types.length)) {
for (var i = 0; i < names.length; i++) {
if (obj.common.IsFilenameValid(names[i]) == false) { res.sendStatus(404); return; }
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
var filedata = Buffer.from(datas[i].split(',')[1], 'base64');
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if ((xfile.quota == null) || ((totalsize + filedata.length) < xfile.quota)) { // Check if quota would not be broken if we add this file
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
// Create the user folder if needed
(function (fullpath, filename, filedata) {
obj.fs.mkdir(xfile.fullpath, function () {
// Write the file
obj.fs.writeFile(obj.path.join(xfile.fullpath, filename), filedata, function () {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
});
});
})(xfile.fullpath, names[i], filedata);
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
}
} else {
// More typical upload method, the file data is in a multipart mime post.
for (var i in files.files) {
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
var file = files.files[i], fpath = obj.path.join(xfile.fullpath, file.originalFilename);
Server bug fixing and new MeshAgent
2018-08-31 18:23:42 -04:00
if (obj.common.IsFilenameValid(file.originalFilename) && ((xfile.quota == null) || ((totalsize + file.size) < xfile.quota))) { // Check if quota would not be broken if we add this file
Improved login screen, Mesh server directory handling
2019-02-19 18:38:27 -05:00
// See if we need to create the folder
var domainx = 'domain';
if (domain.id.length > 0) { domainx = 'domain-' + usersplit[1]; }
try { obj.fs.mkdirSync(obj.parent.filespath); } catch (e) { }
try { obj.fs.mkdirSync(obj.parent.path.join(obj.parent.filespath, domainx)); } catch (e) { }
try { obj.fs.mkdirSync(xfile.fullpath); } catch (e) { }
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
obj.fs.rename(file.path, fpath, function () {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
});
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Fixed unlink() required callback in NodeJS v10.
2019-01-06 23:32:12 -05:00
try { obj.fs.unlink(file.path, function (err) { }); } catch (e) { }
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
}
}
res.send('');
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Subscribe to all events we are allowed to receive
obj.subscribe = function (userid, target) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const user = obj.users[userid];
const subscriptions = [userid, 'server-global'];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (user.siteadmin != null) {
Initial main commit
2017-08-28 12:27:45 -04:00
if (user.siteadmin == 0xFFFFFFFF) subscriptions.push('*');
First version with user groups enforcement.
2019-04-16 20:32:18 -04:00
if ((user.siteadmin & 2) != 0) {
if ((user.groups == null) || (user.groups.length == 0)) {
// Subscribe to all user changes
subscriptions.push('server-users');
} else {
// Subscribe to user changes for some groups
for (var i in user.groups) { subscriptions.push('server-users:' + i); }
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (user.links != null) { for (var i in user.links) { subscriptions.push(i); } }
Initial main commit
2017-08-28 12:27:45 -04:00
obj.parent.RemoveAllEventDispatch(target);
obj.parent.AddEventDispatch(subscriptions, target);
return subscriptions;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle a web socket relay request
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
function handleRelayWebSocket(ws, req, domain, user, cookie) {
if (!(req.query.host)) { console.log('ERR: No host target specified'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Initial main commit
2017-08-28 12:27:45 -04:00
Debug(1, 'Websocket relay connected from ' + user.name + ' for ' + req.query.host + '.');
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
try { ws._socket.setKeepAlive(true, 240000); } catch (ex) { } // Set TCP keep alive
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Fetch information about the target
obj.db.Get(req.query.host, function (err, docs) {
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
if (docs.length == 0) { console.log('ERR: Node not found'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
var node = docs[0];
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
if (!node.intelamt) { console.log('ERR: Not AMT node'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check if this user has permission to manage this computer
var meshlinks = user.links[node.meshid];
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
if ((!meshlinks) || (!meshlinks.rights) || ((meshlinks.rights & MESHRIGHT_REMOTECONTROL) == 0)) { console.log('ERR: Access denied (2)'); try { ws.close(); } catch (e) { } return; }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check what connectivity is available for this node
Added a lot of the load-balancing support
2017-09-13 14:25:57 -04:00
var state = parent.GetConnectivityState(req.query.host);
Initial main commit
2017-08-28 12:27:45 -04:00
var conn = 0;
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (!state || state.connectivity == 0) { Debug(1, 'ERR: No routing possible (1)'); try { ws.close(); } catch (e) { } return; } else { conn = state.connectivity; }
// Check what server needs to handle this connection
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
if ((obj.parent.multiServer != null) && (cookie == null)) { // If a cookie is provided, don't allow the connection to jump again to a different server
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
var server = obj.parent.GetRoutingServerId(req.query.host, 2); // Check for Intel CIRA connection
if (server != null) {
if (server.serverid != obj.parent.serverId) {
// Do local Intel CIRA routing using a different server
Debug(1, 'Route Intel AMT CIRA connection to peer server: ' + server.serverid);
obj.parent.multiServer.createPeerRelay(ws, req, server.serverid, user);
return;
}
} else {
server = obj.parent.GetRoutingServerId(req.query.host, 4); // Check for local Intel AMT connection
if ((server != null) && (server.serverid != obj.parent.serverId)) {
// Do local Intel AMT routing using a different server
Debug(1, 'Route Intel AMT direct connection to peer server: ' + server.serverid);
obj.parent.multiServer.createPeerRelay(ws, req, server.serverid, user);
return;
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
Node 6.x cbor fix.
2019-08-07 17:25:23 -04:00
// Setup session recording if needed
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
if (domain.sessionrecording == true || ((typeof domain.sessionrecording == 'object') && ((domain.sessionrecording.protocols == null) || (domain.sessionrecording.protocols.indexOf((req.query.p == 2) ? 101 : 100) >= 0)))) { // TODO 100
Fixed bad minified meshcore modules, added session player and session recording fixes
2019-08-11 01:34:21 -04:00
var now = new Date(Date.now());
var recFilename = 'relaysession' + ((domain.id == '') ? '' : '-') + domain.id + '-' + now.getUTCFullYear() + '-' + obj.common.zeroPad(now.getUTCMonth(), 2) + '-' + obj.common.zeroPad(now.getUTCDate(), 2) + '-' + obj.common.zeroPad(now.getUTCHours(), 2) + '-' + obj.common.zeroPad(now.getUTCMinutes(), 2) + '-' + obj.common.zeroPad(now.getUTCSeconds(), 2) + '-' + getRandomPassword() + '.mcrec'
Node 6.x cbor fix.
2019-08-07 17:25:23 -04:00
var recFullFilename = null;
if (domain.sessionrecording.filepath) {
try { obj.fs.mkdirSync(domain.sessionrecording.filepath); } catch (e) { }
recFullFilename = obj.path.join(domain.sessionrecording.filepath, recFilename);
} else {
try { obj.fs.mkdirSync(parent.recordpath); } catch (e) { }
recFullFilename = obj.path.join(parent.recordpath, recFilename);
}
var fd = obj.fs.openSync(recFullFilename, 'w');
if (fd != null) {
// Write the recording file header
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
var firstBlock = JSON.stringify({ magic: 'MeshCentralRelaySession', ver: 1, userid: user._id, username: user.name, ipaddr: cleanRemoteAddr(ws._socket.remoteAddress), nodeid: node._id, intelamt: true, protocol: (req.query.p == 2) ? 101 : 100, time: new Date().toLocaleString() })
Node 6.x cbor fix.
2019-08-07 17:25:23 -04:00
recordingEntry(fd, 1, 0, firstBlock, function () { });
ws.logfile = { fd: fd, lock: false };
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
// If Intel AMT CIRA connection is available, use it
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (((conn & 2) != 0) && (parent.mpsserver.ciraConnections[req.query.host] != null)) {
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
Debug(1, 'Opening relay CIRA channel connection to ' + req.query.host + '.');
Initial main commit
2017-08-28 12:27:45 -04:00
var ciraconn = parent.mpsserver.ciraConnections[req.query.host];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Compute target port, look at the CIRA port mappings, if non-TLS is allowed, use that, if not use TLS
var port = 16993;
//if (node.intelamt.tls == 0) port = 16992; // DEBUG: Allow TLS flag to set TLS mode within CIRA
if (ciraconn.tag.boundPorts.indexOf(16992) >= 0) port = 16992; // RELEASE: Always use non-TLS mode if available within CIRA
if (req.query.p == 2) port += 2;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Setup a new CIRA channel
if ((port == 16993) || (port == 16995)) {
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
// Perform TLS - ( TODO: THIS IS BROKEN on Intel AMT v7 but works on v10, Not sure why. Well, could be broken TLS 1.0 in firmware )
Initial main commit
2017-08-28 12:27:45 -04:00
var ser = new SerialTunnel();
var chnl = parent.mpsserver.SetupCiraChannel(ciraconn, port);
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Let's chain up the TLSSocket <-> SerialTunnel <-> CIRA APF (chnl)
Initial main commit
2017-08-28 12:27:45 -04:00
// Anything that needs to be forwarded by SerialTunnel will be encapsulated by chnl write
ser.forwardwrite = function (msg) {
// TLS ---> CIRA
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
chnl.write(msg.toString('binary'));
Initial main commit
2017-08-28 12:27:45 -04:00
};
// When APF tunnel return something, update SerialTunnel buffer
chnl.onData = function (ciraconn, data) {
// CIRA ---> TLS
Debug(3, 'Relay TLS CIRA data', data.length);
if (data.length > 0) { try { ser.updateBuffer(Buffer.from(data, 'binary')); } catch (e) { } }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
// Handle CIRA tunnel state change
Initial main commit
2017-08-28 12:27:45 -04:00
chnl.onStateChange = function (ciraconn, state) {
Debug(2, 'Relay TLS CIRA state change', state);
if (state == 0) { try { ws.close(); } catch (e) { } }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
// TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const TLSSocket = require('tls').TLSSocket;
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
const tlsoptions = { secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const tlsock = new TLSSocket(ser, tlsoptions);
Initial main commit
2017-08-28 12:27:45 -04:00
tlsock.on('error', function (err) { Debug(1, "CIRA TLS Connection Error ", err); });
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
tlsock.on('secureConnect', function () { Debug(2, "CIRA Secure TLS Connection"); ws._socket.resume(); });
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Decrypted tunnel from TLS communcation to be forwarded to websocket
tlsock.on('data', function (data) {
// AMT/TLS ---> WS
try {
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
data = data.toString('binary');
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); } // Run data thru interceptor
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
//ws.send(Buffer.from(data, 'binary'));
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
ws.send(data);
Initial main commit
2017-08-28 12:27:45 -04:00
} catch (e) { }
});
// If TLS is on, forward it through TLSSocket
ws.forwardclient = tlsock;
ws.forwardclient.xtls = 1;
} else {
// Without TLS
ws.forwardclient = parent.mpsserver.SetupCiraChannel(ciraconn, port);
ws.forwardclient.xtls = 0;
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
ws._socket.resume();
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// When data is received from the web socket, forward the data into the associated CIRA cahnnel.
// If the CIRA connection is pending, the CIRA channel has built-in buffering, so we are ok sending anyway.
ws.on('message', function (msg) {
// WS ---> AMT/TLS
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
msg = msg.toString('binary');
if (ws.interceptor) { msg = ws.interceptor.processBrowserData(msg); } // Run data thru interceptor
Added server-side IDER over CIRA support.
2019-04-25 18:13:32 -04:00
//console.log('WS --> AMT', Buffer.from(msg, 'binary').toString('hex'));
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Log to recording file
if (ws.logfile == null) {
// Forward data to the associated TCP connection.
if (ws.forwardclient.xtls == 1) { ws.forwardclient.write(Buffer.from(msg, 'binary')); } else { ws.forwardclient.write(msg); }
} else {
// Log to recording file
var msg2 = Buffer.from(msg, 'binary');
recordingEntry(ws.logfile.fd, 2, 2, msg2, function () { try { if (ws.forwardclient.xtls == 1) { ws.forwardclient.write(msg2); } else { ws.forwardclient.write(msg); } } catch (ex) { } });
}
Initial main commit
2017-08-28 12:27:45 -04:00
});
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
// If error, close the associated TCP connection.
ws.on('error', function (err) {
console.log('CIRA server websocket error from ' + ws._socket.remoteAddress + ', ' + err.toString().split('\r')[0] + '.');
Debug(1, 'Websocket relay closed on error.');
if (ws.forwardclient && ws.forwardclient.close) { ws.forwardclient.close(); } // TODO: If TLS is used, we need to close the socket that is wrapped by TLS
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Close the recording file
if (ws.logfile != null) { obj.fs.close(ws.logfile.fd); ws.logfile = null; }
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
});
Initial main commit
2017-08-28 12:27:45 -04:00
// If the web socket is closed, close the associated TCP connection.
ws.on('close', function (req) {
Debug(1, 'Websocket relay closed.');
if (ws.forwardclient && ws.forwardclient.close) { ws.forwardclient.close(); } // TODO: If TLS is used, we need to close the socket that is wrapped by TLS
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Close the recording file
if (ws.logfile != null) { obj.fs.close(ws.logfile.fd); ws.logfile = null; }
Initial main commit
2017-08-28 12:27:45 -04:00
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
ws.forwardclient.onStateChange = function (ciraconn, state) {
Debug(2, 'Relay CIRA state change', state);
if (state == 0) { try { ws.close(); } catch (e) { } }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
ws.forwardclient.onData = function (ciraconn, data) {
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
Debug(4, 'Relay CIRA data', data.length);
Initial main commit
2017-08-28 12:27:45 -04:00
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); } // Run data thru interceptor
Added server-side IDER over CIRA support.
2019-04-25 18:13:32 -04:00
//console.log('AMT --> WS', Buffer.from(data, 'binary').toString('hex'));
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
if (data.length > 0) {
if (ws.logfile == null) {
try { ws.send(Buffer.from(data, 'binary')); } catch (e) { } // TODO: Add TLS support
} else {
// Log to recording file
data = Buffer.from(data, 'binary');
recordingEntry(ws.logfile.fd, 2, 2, data, function () { try { ws.send(data); } catch (e) { } }); // TODO: Add TLS support
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
ws.forwardclient.onSendOk = function (ciraconn) {
// TODO: Flow control? (Dont' really need it with AMT, but would be nice)
//console.log('onSendOk');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Fetch Intel AMT credentials & Setup interceptor
if (req.query.p == 1) {
Debug(3, 'INTERCEPTOR1', { host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass });
ws.interceptor = obj.interceptor.CreateHttpInterceptor({ host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass });
WebRTC is now used by default and fully automatic.
2018-02-05 14:56:29 -05:00
ws.interceptor.blockAmtStorage = true;
Initial main commit
2017-08-28 12:27:45 -04:00
}
else if (req.query.p == 2) {
Debug(3, 'INTERCEPTOR2', { user: node.intelamt.user, pass: node.intelamt.pass });
ws.interceptor = obj.interceptor.CreateRedirInterceptor({ user: node.intelamt.user, pass: node.intelamt.pass });
WebRTC is now used by default and fully automatic.
2018-02-05 14:56:29 -05:00
ws.interceptor.blockAmtStorage = true;
Initial main commit
2017-08-28 12:27:45 -04:00
}
return;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// If Intel AMT direct connection is possible, option a direct socket
if ((conn & 4) != 0) { // We got a new web socket connection, initiate a TCP connection to the target Intel AMT host/port.
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
Debug(1, 'Opening relay TCP socket connection to ' + req.query.host + '.');
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
// When data is received from the web socket, forward the data into the associated TCP connection.
ws.on('message', function (msg) {
Update MeshAgents, fixed MeshCmd.js
2018-08-06 21:57:30 -04:00
if (obj.parent.debugLevel >= 1) { // DEBUG
Started work on server side Intel AMT redirection transport module.
2019-04-23 22:17:33 -04:00
Debug(2, 'TCP relay data to ' + node.host + ', ' + msg.length + ' bytes');
Update MeshAgents, fixed MeshCmd.js
2018-08-06 21:57:30 -04:00
if (obj.parent.debugLevel >= 4) { Debug(4, ' ' + msg.toString('hex')); }
}
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
msg = msg.toString('binary');
if (ws.interceptor) { msg = ws.interceptor.processBrowserData(msg); } // Run data thru interceptor
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Log to recording file
if (ws.logfile == null) {
// Forward data to the associated TCP connection.
try { ws.forwardclient.write(Buffer.from(msg, 'binary')); } catch (ex) { }
} else {
// Log to recording file
msg = Buffer.from(msg, 'binary');
recordingEntry(ws.logfile.fd, 2, 2, msg, function () { try { ws.forwardclient.write(msg); } catch (ex) { } });
}
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
});
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
// If error, close the associated TCP connection.
ws.on('error', function (err) {
console.log('Error with relay web socket connection from ' + ws._socket.remoteAddress + ', ' + err.toString().split('\r')[0] + '.');
Debug(1, 'Error with relay web socket connection from ' + ws._socket.remoteAddress + '.');
if (ws.forwardclient) { try { ws.forwardclient.destroy(); } catch (e) { } }
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Close the recording file
if (ws.logfile != null) { obj.fs.close(ws.logfile.fd); ws.logfile = null; }
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
});
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
// If the web socket is closed, close the associated TCP connection.
Added chat to device support, more fixes.
2018-12-07 19:36:27 -05:00
ws.on('close', function () {
Debug(1, 'Closing relay web socket connection to ' + req.query.host + '.');
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (ws.forwardclient) { try { ws.forwardclient.destroy(); } catch (e) { } }
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
// Close the recording file
if (ws.logfile != null) { obj.fs.close(ws.logfile.fd); ws.logfile = null; }
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
});
Initial main commit
2017-08-28 12:27:45 -04:00
// Compute target port
var port = 16992;
if (node.intelamt.tls > 0) port = 16993; // This is a direct connection, use TLS when possible
if (req.query.p == 2) port += 2;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
if (node.intelamt.tls == 0) {
// If this is TCP (without TLS) set a normal TCP socket
ws.forwardclient = new obj.net.Socket();
ws.forwardclient.setEncoding('binary');
ws.forwardclient.xstate = 0;
ws.forwardclient.forwardwsocket = ws;
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
ws._socket.resume();
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
// If TLS is going to be used, setup a TLS socket
Fixed user IP filtering when using reverse-proxy + updated Let's Encrypt URLs.
2019-01-05 17:15:14 -05:00
var tlsoptions = { secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () {
Initial main commit
2017-08-28 12:27:45 -04:00
// The TLS connection method is the same as TCP, but located a bit differently.
Debug(2, 'TLS connected to ' + node.host + ':' + port + '.');
ws.forwardclient.xstate = 1;
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
ws._socket.resume();
Initial main commit
2017-08-28 12:27:45 -04:00
});
ws.forwardclient.setEncoding('binary');
ws.forwardclient.xstate = 0;
ws.forwardclient.forwardwsocket = ws;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// When we receive data on the TCP connection, forward it back into the web socket connection.
ws.forwardclient.on('data', function (data) {
Update MeshAgents, fixed MeshCmd.js
2018-08-06 21:57:30 -04:00
if (obj.parent.debugLevel >= 1) { // DEBUG
Started work on server side Intel AMT redirection transport module.
2019-04-23 22:17:33 -04:00
Debug(2, 'TCP relay data from ' + node.host + ', ' + data.length + ' bytes.');
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
if (obj.parent.debugLevel >= 4) { Debug(4, ' ' + Buffer.from(data, 'binary').toString('hex')); }
Update MeshAgents, fixed MeshCmd.js
2018-08-06 21:57:30 -04:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); } // Run data thru interceptor
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
if (ws.logfile == null) {
// No logging
try { ws.send(Buffer.from(data, 'binary')); } catch (e) { }
} else {
// Log to recording file
data = Buffer.from(data, 'binary');
recordingEntry(ws.logfile.fd, 2, 0, data, function () { try { ws.send(data); } catch (e) { } });
}
Initial main commit
2017-08-28 12:27:45 -04:00
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// If the TCP connection closes, disconnect the associated web socket.
ws.forwardclient.on('close', function () {
Debug(1, 'TCP relay disconnected from ' + node.host + '.');
try { ws.close(); } catch (e) { }
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// If the TCP connection causes an error, disconnect the associated web socket.
ws.forwardclient.on('error', function (err) {
Debug(1, 'TCP relay error from ' + node.host + ': ' + err.errno);
try { ws.close(); } catch (e) { }
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Fetch Intel AMT credentials & Setup interceptor
if (req.query.p == 1) { ws.interceptor = obj.interceptor.CreateHttpInterceptor({ host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass }); }
else if (req.query.p == 2) { ws.interceptor = obj.interceptor.CreateRedirInterceptor({ user: node.intelamt.user, pass: node.intelamt.pass }); }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
if (node.intelamt.tls == 0) {
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
// A TCP connection to Intel AMT just connected, start forwarding.
Initial main commit
2017-08-28 12:27:45 -04:00
ws.forwardclient.connect(port, node.host, function () {
Debug(1, 'TCP relay connected to ' + node.host + ':' + port + '.');
ws.forwardclient.xstate = 1;
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
ws._socket.resume();
Initial main commit
2017-08-28 12:27:45 -04:00
});
}
return;
}
});
}
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// Handle a Intel AMT activation request
function handleAmtActivateWebSocket(ws, req) {
const domain = checkUserIpAddress(ws, req);
if (domain == null) { ws.send(JSON.stringify({ errorText: 'Invalid domain' })); ws.close(); return; }
if (req.query.id == null) { ws.send(JSON.stringify({ errorText: 'Missing group identifier' })); ws.close(); return; }
// Fetch the mesh object
ws.meshid = 'mesh/' + domain.id + '/' + req.query.id;
const mesh = obj.meshes[ws.meshid];
if (mesh == null) { delete ws.meshid; ws.send(JSON.stringify({ errorText: 'Invalid device group' })); ws.close(); return; }
if (mesh.mtype != 1) { ws.send(JSON.stringify({ errorText: 'Invalid device group type' })); ws.close(); return; }
more Intel AMT ACM work...
2019-06-23 01:06:50 -04:00
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// Fetch the remote IP:Port for logging
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
ws.remoteaddr = (req.ip.startsWith('::ffff:')) ? (req.ip.substring(7)) : req.ip;
ws.remoteaddrport = ws.remoteaddr + ':' + ws._socket.remotePort;
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// When data is received from the web socket, echo it back
ws.on('message', function (data) {
// Parse the incoming command
var cmd = null;
try { cmd = JSON.parse(data); } catch (ex) { };
if (cmd == null) return;
// Process the command
switch (cmd.action) {
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
case 'ccmactivate':
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
case 'acmactivate': {
// Check the command
if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; }
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
if (obj.common.validateString(cmd.realm, 16, 256) == false) { ws.send(JSON.stringify({ errorText: 'Invalid realm argument' })); ws.close(); return; }
if (obj.common.validateString(cmd.uuid, 36, 36) == false) { ws.send(JSON.stringify({ errorText: 'Invalid UUID argument' })); ws.close(); return; }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
if (typeof cmd.hashes != 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; }
if (typeof cmd.fqdn != 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; }
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; }
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
if (obj.common.validateArray(cmd.modes, 1, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid activation modes' })); ws.close(); return; }
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
if (obj.common.validateInt(cmd.currentMode, 0, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid current mode' })); ws.close(); return; }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// Get the current Intel AMT policy
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
var mesh = obj.meshes[ws.meshid], activationMode = 4; // activationMode: 2 = CCM, 4 = ACM
if ((mesh == null) || (mesh.amt == null) || (mesh.amt.password == null) || ((mesh.amt.type != 2) && (mesh.amt.type != 3))) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; }
if ((mesh.amt.type != 3) || (domain.amtacmactivation == null) || (domain.amtacmactivation.acmmatch == null)) { activationMode = 2; }
if (activationMode == 4) {
// Check if we have a FQDN/Hash match
var matchingHash = null, matchingCN = null;
for (var i in domain.amtacmactivation.acmmatch) {
// Check for a matching FQDN
if ((domain.amtacmactivation.acmmatch[i].cn == '*') || (domain.amtacmactivation.acmmatch[i].cn.toLowerCase() == cmd.fqdn)) {
// Check for a matching certificate
if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha256) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha256;
continue;
} else if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha1) >= 0) {
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
matchingHash = domain.amtacmactivation.acmmatch[i].sha1;
continue;
}
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
}
}
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
// If no cert match or wildcard match which is not yet supported, do CCM activation.
if ((matchingHash == null) || (matchingCN == '*')) { activationMode = 2; } else { cmd.hash = matchingHash; }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
}
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
// Check if we are going to activate in an allowed mode. cmd.modes: 1 = CCM, 2 = ACM
if ((activationMode == 4) && (cmd.modes.indexOf(2) == -1)) { activationMode = 2; } // We want to do ACM, but mode is not allowed. Change to CCM.
// If we want to do CCM, but mode is not allowed. Error out.
if ((activationMode == 2) && (cmd.modes.indexOf(1) == -1)) { ws.send(JSON.stringify({ errorText: 'Unsupported activation mode' })); ws.close(); return; }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// Get the Intel AMT admin password, randomize if needed.
var amtpassword = ((mesh.amt.password == '') ? getRandomAmtPassword() : mesh.amt.password);
if (checkAmtPassword(amtpassword) == false) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT password' })); ws.close(); return; } // Invalid Intel AMT password, this should never happen.
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
// Save some state, if activation is succesful, we need this to add the device
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, pass: amtpassword, flags: activationMode, ver: cmd.ver }; // Flags: 2 = CCM, 4 = ACM
if (activationMode == 4) {
// ACM: Agent is asking the server to sign an Intel AMT ACM activation request
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
ws.send(JSON.stringify(signResponse));
} else {
// CCM: Log the activation request, logging is a required step for activation.
if (parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: 'ccmactivate', domain: domain.id, amtUuid: cmd.uuid, amtRealm: cmd.realm, user: 'admin', password: amtpassword, ipport: ws.remoteaddrport, meshid: ws.meshid, tag: cmd.tag, name: cmd.name }) == false) return { errorText: 'Unable to log operation' };
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
// Compute the HTTP digest hash and send the response for CCM activation
ws.send(JSON.stringify({ action: 'ccmactivate', password: obj.crypto.createHash('md5').update('admin:' + cmd.realm + ':' + amtpassword).digest('hex') }));
}
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
break;
}
case 'ccmactivate-failed':
case 'acmactivate-failed': {
// Log the activation response
parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: cmd.action, domain: domain.id, amtUuid: cmd.uuid, ipport: ws.remoteaddrport, meshid: ws.meshid });
break;
}
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
case 'amtdiscover':
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
case 'ccmactivate-success':
case 'acmactivate-success': {
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
// If this is a discovery command, set the state.
if (cmd.action == 'amtdiscover') {
if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; }
if (obj.common.validateString(cmd.realm, 16, 256) == false) { ws.send(JSON.stringify({ errorText: 'Invalid realm argument' })); ws.close(); return; }
if (obj.common.validateString(cmd.uuid, 36, 36) == false) { ws.send(JSON.stringify({ errorText: 'Invalid UUID argument' })); ws.close(); return; }
if (typeof cmd.hashes != 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; }
if (typeof cmd.fqdn != 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; }
if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; }
if (obj.common.validateArray(cmd.modes, 1, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid activation modes' })); ws.close(); return; }
if (obj.common.validateInt(cmd.currentMode, 0, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid current mode' })); ws.close(); return; }
var activationMode = 0; if (cmd.currentMode == 1) { activationMode = 2; } else if (cmd.currentMode == 2) { activationMode = 4; }
ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, flags: activationMode, ver: cmd.ver }; // Flags: 2 = CCM, 4 = ACM
} else {
// If this is an activation success, check that state was set already.
if (ws.xxstate == null) { ws.send(JSON.stringify({ errorText: 'Invalid command' })); ws.close(); return; }
}
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
// Log the activation response
parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: cmd.action, domain: domain.id, amtUuid: cmd.uuid, ipport: ws.remoteaddrport, meshid: ws.meshid });
// Get the current Intel AMT policy
var mesh = obj.meshes[ws.meshid];
if (mesh == null) { ws.send(JSON.stringify({ errorText: 'Unknown device group' })); ws.close(); return; }
// Fix the computer name if needed
if ((ws.xxstate.name == null) || (ws.xxstate.name.length == 0)) { ws.xxstate.name = ws.xxstate.uuid; }
db.getAmtUuidNode(ws.meshid, ws.xxstate.uuid, function (err, nodes) {
if ((nodes == null) || (nodes.length == 0)) {
// Create a new nodeid
parent.crypto.randomBytes(48, function (err, buf) {
// Create the new node
var xxnodeid = 'node/' + domain.id + '/' + buf.toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
var device = { type: 'node', _id: xxnodeid, meshid: ws.meshid, name: ws.xxstate.name, rname: ws.xxstate.name, host: ws.remoteaddr, domain: domain.id, intelamt: { state: 2, flags: ws.xxstate.flags, tls: 0, uuid: ws.xxstate.uuid, realm: ws.xxstate.realm, tag: ws.xxstate.tag, ver: ws.xxstate.ver } };
if (ws.xxstate.pass != null) { device.intelamt.user = 'admin'; device.intelamt.pass = ws.xxstate.pass; }
if (device.intelamt.flags != 0) { device.intelamt.state = 2; } else { device.intelamt.state = 0; }
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
db.Set(device);
// Event the new node
var device2 = obj.common.Clone(device);
delete device2.intelamt.pass; // Remove the Intel AMT password before eventing this.
parent.DispatchEvent(['*', ws.meshid], obj, { etype: 'node', action: 'addnode', node: device2, msg: 'Added device ' + ws.xxstate.name + ' to mesh ' + mesh.name, domain: domain.id });
});
} else {
// Change an existing device
var device = nodes[0];
if (device.host != ws.remoteaddr) { device.host = ws.remoteaddr; }
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
if ((ws.xxstate.name != null) && (device.rname != ws.xxstate.name)) { device.rname = ws.xxstate.name; }
if (device.intelamt.flags != 0) {
if (device.intelamt.state != 2) { device.intelamt.state = 2; }
}
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
if (device.intelamt.flags != ws.xxstate.flags) { device.intelamt.state = ws.xxstate.flags; }
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
if (ws.xxstate.pass != null) {
if (device.intelamt.user != 'admin') { device.intelamt.user = 'admin'; }
if (device.intelamt.pass != ws.xxstate.pass) { device.intelamt.pass = ws.xxstate.pass; }
}
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
if (device.intelamt.realm != ws.xxstate.realm) { device.intelamt.realm = ws.xxstate.realm; }
if (ws.xxstate.realm == null) { delete device.intelamt.tag; }
else if (device.intelamt.tag != ws.xxstate.tag) { device.intelamt.tag = ws.xxstate.tag; }
if (device.intelamt.ver != ws.xxstate.ver) { device.intelamt.ver = ws.xxstate.ver; }
db.Set(device);
// Event the new node
var device2 = obj.common.Clone(device);
delete device2.intelamt.pass; // Remove the Intel AMT password before eventing this.
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
parent.DispatchEvent(['*', ws.meshid], obj, { etype: 'node', action: 'changenode', nodeid: device2._id, node: device2, msg: 'Changed device ' + device.name + ' in mesh ' + mesh.name, domain: domain.id });
}
});
Started work on MeshCtrl, a MeshCentral command line tool.
2019-06-28 21:31:18 -04:00
if (cmd.action == 'amtdiscover') { ws.send(JSON.stringify({ action: 'amtdiscover' })); }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
break;
}
default: {
// This is not a known command
ws.send(JSON.stringify({ errorText: 'Invalid command' })); ws.close(); return;
}
}
});
// If close or error, do nothing.
ws.on('error', function (err) { });
ws.on('close', function (req) { });
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle the web socket echo request, just echo back the data sent
function handleEchoWebSocket(ws, req) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(ws, req);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
More ClickOnce fixes.
2017-10-25 12:58:14 -04:00
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive
Added user IP filtering.
2017-09-27 15:43:20 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// When data is received from the web socket, echo it back
ws.on('message', function (data) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
if (data.toString('utf8') == 'close') {
Initial main commit
2017-08-28 12:27:45 -04:00
try { ws.close(); } catch (e) { console.log(e); }
} else {
try { ws.send(data); } catch (e) { console.log(e); }
}
});
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
// If error, do nothing.
ws.on('error', function (err) { console.log('Echo server error from ' + ws._socket.remoteAddress + ', ' + err.toString().split('\r')[0] + '.'); });
Initial main commit
2017-08-28 12:27:45 -04:00
// If closed, do nothing
ws.on('close', function (req) { });
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
// Get the total size of all files in a folder and all sub-folders. (TODO: try to make all async version)
Initial main commit
2017-08-28 12:27:45 -04:00
function readTotalFileSize(path) {
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
var r = 0, dir;
try { dir = obj.fs.readdirSync(path); } catch (e) { return 0; }
Initial main commit
2017-08-28 12:27:45 -04:00
for (var i in dir) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var stat = obj.fs.statSync(path + '/' + dir[i]);
Initial main commit
2017-08-28 12:27:45 -04:00
if ((stat.mode & 0x004000) == 0) { r += stat.size; } else { r += readTotalFileSize(path + '/' + dir[i]); }
}
return r;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Fixed server files upload/download
2017-11-30 17:40:46 -05:00
// Delete a folder and all sub items. (TODO: try to make all async version)
Initial main commit
2017-08-28 12:27:45 -04:00
function deleteFolderRec(path) {
if (obj.fs.existsSync(path) == false) return;
obj.fs.readdirSync(path).forEach(function (file, index) {
var pathx = path + "/" + file;
if (obj.fs.lstatSync(pathx).isDirectory()) { deleteFolderRec(pathx); } else { obj.fs.unlinkSync(pathx); }
});
obj.fs.rmdirSync(path);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle Intel AMT events
// To subscribe, add "http://server:port/amtevents.ashx" to Intel AMT subscriptions.
obj.handleAmtEventRequest = function (req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = getDomain(req);
Initial main commit
2017-08-28 12:27:45 -04:00
try {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
if (req.headers.authorization) {
var authstr = req.headers.authorization;
Initial main commit
2017-08-28 12:27:45 -04:00
if (authstr.substring(0, 7) == "Digest ") {
var auth = obj.common.parseNameValueList(obj.common.quoteSplit(authstr.substring(7)));
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
if ((req.url === auth.uri) && (obj.httpAuthRealm === auth.realm) && (auth.opaque === obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(auth.nonce).digest('hex'))) {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Read the data, we need to get the arg field
var eventData = '';
req.on('data', function (chunk) { eventData += chunk; });
req.on('end', function () {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Completed event read, let get the argument that must contain the nodeid
var i = eventData.indexOf('<m:arg xmlns:m="http://x.com">');
if (i > 0) {
Base64 encoding of meshid/nodeid in the database.
2017-10-15 20:36:06 -04:00
var nodeid = eventData.substring(i + 30, i + 30 + 64);
Initial main commit
2017-08-28 12:27:45 -04:00
if (nodeid.length == 64) {
var nodekey = 'node/' + domain.id + '/' + nodeid;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// See if this node exists in the database
obj.db.Get(nodekey, function (err, nodes) {
if (nodes.length == 1) {
// Yes, the node exists, compute Intel AMT digest password
var node = nodes[0];
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
var amtpass = obj.crypto.createHash('sha384').update(auth.username.toLowerCase() + ":" + nodeid + ":" + obj.parent.dbconfig.amtWsEventSecret).digest("base64").substring(0, 12).split("/").join("x").split("\\").join("x");
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Check the MD5 hash
if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, "POST", auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// This is an authenticated Intel AMT event, update the host address
Added NGNX reverse-proxy support.
2018-11-01 18:01:21 -04:00
var amthost = req.ip;
Initial main commit
2017-08-28 12:27:45 -04:00
if (amthost.substring(0, 7) === '::ffff:') { amthost = amthost.substring(7); }
if (node.host != amthost) {
// Get the mesh for this device
var mesh = obj.meshes[node.meshid];
if (mesh) {
// Update the database
var oldname = node.host;
node.host = amthost;
obj.db.Set(node);
// Event the node change
Windows MeshAgent fixes, small UI improvements
2018-09-24 20:47:03 -04:00
var event = { etype: 'node', action: 'changenode', nodeid: node._id, domain: domain.id, msg: 'Intel(R) AMT host change ' + node.name + ' from group ' + mesh.name + ': ' + oldname + ' to ' + amthost };
Initial main commit
2017-08-28 12:27:45 -04:00
var node2 = obj.common.Clone(node);
if (node2.intelamt && node2.intelamt.pass) delete node2.intelamt.pass; // Remove the Intel AMT password before eventing this.
event.node = node2;
Added MongoDB change stream support.
2019-05-28 20:25:23 -04:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
Initial main commit
2017-08-28 12:27:45 -04:00
obj.parent.DispatchEvent(['*', node.meshid], obj, event);
}
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
parent.amtEventHandler.handleAmtEvent(eventData, nodeid, amthost);
//res.send('OK');
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
return;
}
}
});
}
}
});
}
}
}
} catch (e) { console.log(e); }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Send authentication response
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
obj.crypto.randomBytes(48, function (err, buf) {
var nonce = buf.toString('hex'), opaque = obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(nonce).digest('hex');
Initial main commit
2017-08-28 12:27:45 -04:00
res.set({ 'WWW-Authenticate': 'Digest realm="' + obj.httpAuthRealm + '", qop="auth,auth-int", nonce="' + nonce + '", opaque="' + opaque + '"' });
res.sendStatus(401);
});
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle a server backup request
function handleBackupRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
if ((!req.session) || (req.session == null) || (!req.session.userid) || (obj.parent.args.noserverbackup == 1)) { res.sendStatus(401); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
var user = obj.users[req.session.userid];
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
if ((user == null) || ((user.siteadmin & 1) == 0)) { res.sendStatus(401); return; } // Check if we have server backup rights
Initial main commit
2017-08-28 12:27:45 -04:00
// Require modules
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
const archive = require('archiver')('zip', { level: 9 }); // Sets the compression method to maximum.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Good practice to catch this error explicitly
archive.on('error', function (err) { throw err; });
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Set the archive name
res.attachment(domain.title + '-Backup-' + new Date().toLocaleDateString().replace('/', '-').replace('/', '-') + '.zip');
// Pipe archive data to the file
archive.pipe(res);
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Append all of the files for this backup
var backupList = ['config.json', 'meshcentral.db', 'agentserver-cert-private.key', 'agentserver-cert-public.crt', 'mpsserver-cert-private.key', 'mpsserver-cert-public.crt', 'data/root-cert-private.key', 'root-cert-public.crt', 'webserver-cert-private.key', 'webserver-cert-public.crt'];
for (var i in backupList) {
var filename = backupList[i];
var filepath = obj.path.join(obj.parent.datapath, filename);
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
if (obj.fs.existsSync(filepath)) { archive.file(filepath, { name: filename }); }
Initial main commit
2017-08-28 12:27:45 -04:00
}
// Finalize the archive (ie we are done appending files but streams have to finish yet)
archive.finalize();
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle a server restore request
function handleRestoreRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
if ((!req.session) || (req.session == null) || (!req.session.userid) || (obj.parent.args.noserverbackup == 1)) { res.sendStatus(401); return; }
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const user = obj.users[req.session.userid];
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
if ((user == null) || ((user.siteadmin & 4) == 0)) { res.sendStatus(401); return; } // Check if we have server restore rights
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 12:27:45 -04:00
form.parse(req, function (err, fields, files) {
res.send('Server must be restarted, <a href="' + domain.url + '">click here to login</a>.');
parent.Stop(files.datafile[0].path);
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle a request to download a mesh agent
obj.handleMeshAgentRequest = function (req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Improved MicroLMS and MeshCmd.
2018-01-30 21:23:57 -05:00
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
Improved MicroLMS and MeshCmd.
2018-01-30 21:23:57 -05:00
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (req.query.id != null) {
Initial main commit
2017-08-28 12:27:45 -04:00
// Send a specific mesh agent back
var argentInfo = obj.parent.meshAgentBinaries[req.query.id];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (argentInfo == null) { res.sendStatus(404); return; }
Improved executable binary handling
2018-01-19 21:04:54 -05:00
if ((req.query.meshid == null) || (argentInfo.platform != 'win32')) {
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + argentInfo.rname + '"' });
Improved executable binary handling
2018-01-19 21:04:54 -05:00
res.sendFile(argentInfo.path);
} else {
// We are going to embed the .msh file into the Windows executable (signed or not).
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
// First, fetch the mesh object to build the .msh file
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.meshid];
if (mesh == null) { res.sendStatus(401); return; }
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
var user = obj.users[req.session.userid];
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((user == null) || (mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 1) == 0)) { res.sendStatus(401); return; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
if (domain.id != mesh.domain) { res.sendStatus(401); return; }
}
Improved executable binary handling
2018-01-19 21:04:54 -05:00
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
var meshidhex = Buffer.from(req.query.meshid.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Improved executable binary handling
2018-01-19 21:04:54 -05:00
Fixed downloads links with HTML5 solution.
2019-06-21 15:10:06 -04:00
// Prepare a mesh agent file name using the device group name.
var meshfilename = mesh.name
meshfilename = meshfilename.split('\\').join('').split('/').join('').split(':').join('').split('*').join('').split('?').join('').split('"').join('').split('<').join('').split('>').join('').split('|').join('').split(' ').join('').split('\'').join('');
if (argentInfo.rname.endsWith('.exe')) { meshfilename = argentInfo.rname.substring(0, argentInfo.rname.length - 4) + '-' + meshfilename + '.exe'; } else { meshfilename = argentInfo.rname + '-' + meshfilename; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/";
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n";
Fixed .msh file when server is local.
2019-03-02 20:57:37 -05:00
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; }
Added install flags to mesh agent installation.
2018-11-28 16:51:12 -05:00
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; }
Updates agents and small server fixes.
2019-03-01 20:13:11 -05:00
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; }
Added server side agent msh config option.
2019-02-18 21:08:36 -05:00
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } }
Added install flags to mesh agent installation.
2018-11-28 16:51:12 -05:00
More Intel AMT ACM/CCM work.
2019-06-24 21:56:14 -04:00
try {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + meshfilename + '"' });
} catch (ex) {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + argentInfo.rname + '"' });
}
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
obj.parent.exeHandler.streamExeWithMeshPolicy({ platform: 'win32', sourceFileName: obj.parent.meshAgentBinaries[req.query.id].path, destinationStream: res, msh: meshsettings, peinfo: obj.parent.meshAgentBinaries[req.query.id].pe });
Improved executable binary handling
2018-01-19 21:04:54 -05:00
}
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
} else if (req.query.script != null) {
Initial main commit
2017-08-28 12:27:45 -04:00
// Send a specific mesh install script back
var scriptInfo = obj.parent.meshAgentInstallScripts[req.query.script];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (scriptInfo == null) { res.sendStatus(404); return; }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'text/plain', 'Content-Disposition': 'attachment; filename="' + scriptInfo.rname + '"' });
Improved Linux install script.
2019-07-11 14:43:45 -04:00
var data = scriptInfo.data;
var cmdoptions = { wgetoptionshttp: '', wgetoptionshttps: '', curloptionshttp: '-L ', curloptionshttps: '-L ' }
Added Intel AMT power actions to MeshCMD
2019-07-11 19:54:27 -04:00
if (isTrustedCert() != true) {
Improved Linux install script.
2019-07-11 14:43:45 -04:00
cmdoptions.wgetoptionshttps += '--no-check-certificate ';
cmdoptions.curloptionshttps += '-k ';
}
if (domain.agentnoproxy === true) {
cmdoptions.wgetoptionshttp += '--no-proxy ';
cmdoptions.wgetoptionshttps += '--no-proxy ';
cmdoptions.curloptionshttp += '--noproxy \'*\' ';
cmdoptions.curloptionshttps += '--noproxy \'*\' ';
}
for (var i in cmdoptions) { data = data.split('{{{' + i + '}}}').join(cmdoptions[i]); }
res.send(data);
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
} else if (req.query.meshcmd != null) {
// Send meshcmd for a specific platform back
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
var agentid = parseInt(req.query.meshcmd);
Added signed MeshCmd.exe.
2018-03-09 19:39:14 -05:00
// If the agentid is 3 or 4, check if we have a signed MeshCmd.exe
if ((agentid == 3)) { // Signed Windows MeshCmd.exe x86
var stats = null, meshCmdPath = obj.path.join(__dirname, 'agents', 'MeshCmd-signed.exe');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
try { stats = obj.fs.statSync(meshCmdPath); } catch (e) { }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
if ((stats != null)) { res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshcmd' + ((req.query.meshcmd <= 3) ? '.exe' : '') + '"' }); res.sendFile(meshCmdPath); return; }
Added signed MeshCmd.exe.
2018-03-09 19:39:14 -05:00
} else if ((agentid == 4)) { // Signed Windows MeshCmd64.exe x64
var stats = null, meshCmd64Path = obj.path.join(__dirname, 'agents', 'MeshCmd64-signed.exe');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
try { stats = obj.fs.statSync(meshCmd64Path); } catch (e) { }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
if ((stats != null)) { res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshcmd' + ((req.query.meshcmd <= 4) ? '.exe' : '') + '"' }); res.sendFile(meshCmd64Path); return; }
Added signed MeshCmd.exe.
2018-03-09 19:39:14 -05:00
}
// No signed agents, we are going to merge a new MeshCmd.
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
if ((agentid < 10000) && (obj.parent.meshAgentBinaries[agentid + 10000] != null)) { agentid += 10000; } // Avoid merging javascript to a signed mesh agent.
var argentInfo = obj.parent.meshAgentBinaries[agentid];
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
if ((argentInfo == null) || (obj.parent.defaultMeshCmd == null)) { res.sendStatus(404); return; }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshcmd' + ((req.query.meshcmd <= 4) ? '.exe' : '') + '"' });
Improved executable binary handling
2018-01-19 21:04:54 -05:00
res.statusCode = 200;
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
if (argentInfo.signedMeshCmdPath != null) {
// If we hav a pre-signed MeshCmd, send that.
res.sendFile(argentInfo.signedMeshCmdPath);
} else {
// Merge JavaScript to a unsigned agent and send that.
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
obj.parent.exeHandler.streamExeWithJavaScript({ platform: argentInfo.platform, sourceFileName: argentInfo.path, destinationStream: res, js: Buffer.from(obj.parent.defaultMeshCmd, 'utf8'), peinfo: argentInfo.pe });
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
}
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
} else if (req.query.meshaction != null) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
if (domain == null) { res.sendStatus(404); return; }
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
var user = obj.users[req.session.userid];
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
if ((req.query.meshaction == 'route') && (req.query.nodeid != null)) {
obj.db.Get(req.query.nodeid, function (err, nodes) {
if (nodes.length != 1) { res.sendStatus(401); return; }
var node = nodes[0];
Fixed meshagent.txt when CertUrl is used.
2019-04-10 14:54:55 -04:00
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
// Create the meshaction.txt file for meshcmd.exe
var meshaction = {
action: req.query.meshaction,
localPort: 1234,
remoteName: node.name,
remoteNodeId: node._id,
remotePort: 3389,
username: '',
password: '',
serverId: obj.agentCertificateHashHex.toUpperCase(), // SHA384 of server HTTPS public key
Fixed meshagent.txt when CertUrl is used.
2019-04-10 14:54:55 -04:00
serverHttpsHash: Buffer.from(obj.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(), // SHA384 of server HTTPS certificate
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
debugLevel: 0
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
if (user != null) { meshaction.username = user.name; }
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Added chat to device support, more fixes.
2018-12-07 19:36:27 -05:00
if (obj.args.lanonly != true) { meshaction.serverUrl = ((obj.args.notls == true) ? 'ws://' : 'wss://') + obj.getWebServerName(domain) + ':' + httpsPort + '/' + ((domain.id == '') ? '' : ('/' + domain.id)) + 'meshrelay.ashx'; }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'text/plain', 'Content-Disposition': 'attachment; filename="meshaction.txt"' });
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
res.send(JSON.stringify(meshaction, null, ' '));
});
}
else if (req.query.meshaction == 'generic') {
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
var meshaction = {
username: '',
password: '',
serverId: obj.agentCertificateHashHex.toUpperCase(), // SHA384 of server HTTPS public key
Fixed meshagent.txt when CertUrl is used.
2019-04-10 14:54:55 -04:00
serverHttpsHash: Buffer.from(obj.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(), // SHA384 of server HTTPS certificate
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
debugLevel: 0
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
if (user != null) { meshaction.username = user.name; }
MeshAgents on Windows are now signed.
2018-03-08 20:58:22 -05:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Added chat to device support, more fixes.
2018-12-07 19:36:27 -05:00
if (obj.args.lanonly != true) { meshaction.serverUrl = ((obj.args.notls == true) ? 'ws://' : 'wss://') + obj.getWebServerName(domain) + ':' + httpsPort + '/' + ((domain.id == '') ? '' : ('/' + domain.id)) + 'meshrelay.ashx'; }
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'text/plain', 'Content-Disposition': 'attachment; filename="meshaction.txt"' });
Added support for MeshCmd routing.
2017-10-31 19:19:58 -04:00
res.send(JSON.stringify(meshaction, null, ' '));
Added MeshCentral Router as part of the server.
2019-04-23 17:15:48 -04:00
} else if (req.query.meshaction == 'winrouter') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralRouter.exe');
if (obj.fs.existsSync(p)) {
Fixed downloads links with HTML5 solution.
2019-06-21 15:10:06 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="MeshCentralRouter.exe"' });
Added MeshCentral Router as part of the server.
2019-04-23 17:15:48 -04:00
try { res.sendFile(p); } catch (e) { res.sendStatus(404); }
} else { res.sendStatus(404); }
Improved MeshCmd support
2017-12-15 16:43:04 -05:00
} else {
res.sendStatus(401);
}
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
// Send a list of available mesh agents
var response = '<html><head><title>Mesh Agents</title><style>table,th,td { border:1px solid black;border-collapse:collapse;padding:3px; }</style></head><body><table>';
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
response += '<tr style="background-color:lightgray"><th>ID</th><th>Description</th><th>Link</th><th>Size</th><th>SHA384</th><th>MeshCmd</th></tr>';
Initial main commit
2017-08-28 12:27:45 -04:00
for (var agentid in obj.parent.meshAgentBinaries) {
var agentinfo = obj.parent.meshAgentBinaries[agentid];
response += '<tr><td>' + agentinfo.id + '</td><td>' + agentinfo.desc + '</td>';
Fixed downloads links with HTML5 solution.
2019-06-21 15:10:06 -04:00
response += '<td><a download href="' + req.originalUrl + '?id=' + agentinfo.id + '">' + agentinfo.rname + '</a></td>';
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
response += '<td>' + agentinfo.size + '</td><td>' + agentinfo.hash + '</td>';
Fixed downloads links with HTML5 solution.
2019-06-21 15:10:06 -04:00
response += '<td><a download href="' + req.originalUrl + '?meshcmd=' + agentinfo.id + '">' + agentinfo.rname.replace('agent', 'cmd') + '</a></td></tr>';
Initial main commit
2017-08-28 12:27:45 -04:00
}
response += '</table></body></html>';
res.send(response);
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
// Get the web server hostname. This may change if using a domain with a DNS name.
Added chat to device support, more fixes.
2018-12-07 19:36:27 -05:00
obj.getWebServerName = function(domain) {
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
if (domain.dns != null) return domain.dns;
return obj.certificates.CommonName;
}
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// Create a OSX mesh agent installer
obj.handleMeshOsxAgentRequest = function (req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
if ((domain == null) || (req.query.id == null)) { res.sendStatus(404); return; }
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// Send a specific mesh agent back
var argentInfo = obj.parent.meshAgentBinaries[req.query.id];
Many agent & UI improvements
2018-09-21 19:34:35 -04:00
if ((argentInfo == null) || (req.query.meshid == null)) { res.sendStatus(404); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// We are going to embed the .msh file into the Windows executable (signed or not).
// First, fetch the mesh object to build the .msh file
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.meshid];
if (mesh == null) { res.sendStatus(401); return; }
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
var user = obj.users[req.session.userid];
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((user == null) || (mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 1) == 0)) { res.sendStatus(401); return; }
Many agent & UI improvements
2018-09-21 19:34:35 -04:00
if (domain.id != mesh.domain) { res.sendStatus(401); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
}
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
var meshidhex = Buffer.from(req.query.meshid.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/";
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n";
Updates agents and small server fixes.
2019-03-01 20:13:11 -05:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Fixed .msh file when server is local.
2019-03-02 20:57:37 -05:00
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; }
Added install flags to mesh agent installation.
2018-11-28 16:51:12 -05:00
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; }
Updates agents and small server fixes.
2019-03-01 20:13:11 -05:00
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } }
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// Setup the response output
var archive = require('archiver')('zip', { level: 5 }); // Sets the compression method.
archive.on('error', function (err) { throw err; });
Fixed improved content-disposition fix.
2019-04-30 19:07:14 -04:00
try {
// Set the agent download including the mesh name.
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/zip', 'Content-Disposition': 'attachment; filename="MeshAgent-' + mesh.name + '.zip"' });
} catch (ex) {
// If the mesh name contains invalid characters, just use a generic name.
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/zip', 'Content-Disposition': 'attachment; filename="MeshAgent.zip"' });
}
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
archive.pipe(res);
// Opens the "MeshAgentOSXPackager.zip"
var yauzl = require("yauzl");
yauzl.open(obj.path.join(__dirname, 'agents', 'MeshAgentOSXPackager.zip'), { lazyEntries: true }, function (err, zipfile) {
if (err) { res.sendStatus(500); return; }
zipfile.readEntry();
zipfile.on("entry", function (entry) {
if (/\/$/.test(entry.fileName)) {
// Skip all folder entries
zipfile.readEntry();
} else {
First working MacOS mesh agent
2018-11-14 18:44:28 -05:00
if (entry.fileName == 'MeshAgent.mpkg/Contents/distribution.dist') {
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
// This is a special file entry, we need to fix it.
zipfile.openReadStream(entry, function (err, readStream) {
readStream.on("data", function (data) { if (readStream.xxdata) { readStream.xxdata += data; } else { readStream.xxdata = data; } });
readStream.on("end", function () {
First working MacOS mesh agent
2018-11-14 18:44:28 -05:00
var meshname = mesh.name.split(']').join('').split('[').join(''); // We can't have ']]' in the string since it will terminate the CDATA.
var welcomemsg = 'Welcome to the MeshCentral agent for MacOS\n\nThis installer will install the mesh agent for "' + meshname + '" and allow the administrator to remotely monitor and control this computer over the internet. For more information, go to https://www.meshcommander.com/meshcentral2.\n\nThis software is provided under Apache 2.0 license.\n';
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
var installsize = Math.floor((argentInfo.size + meshsettings.length) / 1024);
archive.append(readStream.xxdata.toString().split('###WELCOMEMSG###').join(welcomemsg).split('###INSTALLSIZE###').join(installsize), { name: entry.fileName });
zipfile.readEntry();
});
});
} else {
// Normal file entry
zipfile.openReadStream(entry, function (err, readStream) {
if (err) { throw err; }
First working MacOS mesh agent
2018-11-14 18:44:28 -05:00
var options = { name: entry.fileName };
if (entry.fileName.endsWith('postflight') || entry.fileName.endsWith('Uninstall.command')) { options.mode = 493; }
archive.append(readStream, options);
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
readStream.on('end', function () { zipfile.readEntry(); });
});
}
}
});
zipfile.on("end", function () {
First working MacOS mesh agent
2018-11-14 18:44:28 -05:00
archive.file(argentInfo.path, { name: "MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.bin" });
archive.append(meshsettings, { name: "MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.msh" });
Getting ready for OSX support, added OSX agent installer system.
2018-09-07 20:09:02 -04:00
archive.finalize();
});
});
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Handle a request to download a mesh settings
obj.handleMeshSettingsRequest = function (req, res) {
Server code cleanup & fixes.
2019-01-05 15:04:18 -05:00
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Initial main commit
2017-08-28 12:27:45 -04:00
//if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
Improved MicroLMS and MeshCmd.
2018-01-30 21:23:57 -05:00
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
Improved MicroLMS and MeshCmd.
2018-01-30 21:23:57 -05:00
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
// Fetch the mesh object
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.id];
if (mesh == null) { res.sendStatus(401); return; }
Improved MicroLMS and MeshCmd.
2018-01-30 21:23:57 -05:00
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
// If needed, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
var user = obj.users[req.session.userid];
Updated MeshCommander and fixes to message dispatch.
2019-07-10 17:27:38 -04:00
if ((user == null) || (mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 1) == 0)) { res.sendStatus(401); return; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
if (domain.id != mesh.domain) { res.sendStatus(401); return; }
}
Base64 encoding of meshid/nodeid in the database.
2017-10-15 20:36:06 -04:00
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-02 21:03:34 -05:00
var meshidhex = Buffer.from(req.query.id.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Base64 encoding of meshid/nodeid in the database.
2017-10-15 20:36:06 -04:00
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/";
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n";
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Fixed .msh file when server is local.
2019-03-02 20:57:37 -05:00
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; }
Added install flags to mesh agent installation.
2018-11-28 16:51:12 -05:00
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; }
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; }
Updates agents and small server fixes.
2019-03-01 20:13:11 -05:00
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; }
Added server side agent msh config option.
2019-02-18 21:08:36 -05:00
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } }
Initial main commit
2017-08-28 12:27:45 -04:00
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshagent.msh"' });
Mesh agents can now connect and skip server cert check to boost speed
2018-08-21 18:08:15 -04:00
res.send(meshsettings);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
Fixed device timeline.
2019-03-20 15:40:02 -04:00
// Handle a request for power events
obj.handleDevicePowerEvents = function (req, res) {
const domain = checkUserIpAddress(req, res);
Terminal is not bash, fixed chat feature.
2019-05-30 12:40:59 -04:00
if (domain == null) { res.sendStatus(404); return; }
Fixed device timeline.
2019-03-20 15:40:02 -04:00
if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid) || (req.query.id == null) || (typeof req.query.id != 'string')) { res.sendStatus(401); return; }
var x = req.query.id.split('/');
var user = obj.users[req.session.userid];
if ((x.length != 3) || (x[0] != 'node') || (x[1] != domain.id) || (user == null) || (user.links == null)) { res.sendStatus(401); return; }
obj.db.Get(req.query.id, function (err, docs) {
if (docs.length != 1) {
res.sendStatus(401);
} else {
var node = docs[0];
// Check if we have right to this node
var rights = 0;
for (var i in user.links) { if (i == node.meshid) { rights = user.links[i].rights; } }
if (rights == 0) { res.sendStatus(401); return; }
// Get the list of power events and send them
Fixed content-disposition headers.
2019-04-30 18:40:19 -04:00
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'text/csv', 'Content-Disposition': 'attachment; filename="powerevents.csv"' });
Fixed device timeline.
2019-03-20 15:40:02 -04:00
obj.db.getPowerTimeline(node._id, function (err, docs) {
var xevents = [ 'Time, State, Previous State' ], prevState = 0;
for (var i in docs) {
if (docs[i].power != prevState) {
prevState = docs[i].power;
if (docs[i].oldPower != null) {
xevents.push(docs[i].time.toString() + ',' + docs[i].power + ',' + docs[i].oldPower);
} else {
xevents.push(docs[i].time.toString() + ',' + docs[i].power);
}
}
}
res.send(xevents.join('\r\n'));
});
}
});
}
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Starts the HTTPS server, this should be called after the user/mesh tables are loaded
function serverStart() {
// Start the server, only after users and meshes are loaded from the database.
if (obj.args.notls || obj.args.tlsoffload) {
// Setup the HTTP server without TLS
obj.expressWs = require('express-ws')(obj.app);
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Setup the HTTP server with TLS, use only TLS 1.2 and higher with perfect forward secrecy (PFS).
const tlsOptions = { cert: obj.certificates.web.cert, key: obj.certificates.web.key, ca: obj.certificates.web.ca, rejectUnauthorized: true, ciphers: "HIGH:!aNULL:!eNULL:!EXPORT:!RSA:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 };
if (obj.tlsSniCredentials != null) { tlsOptions.SNICallback = TlsSniCallback; } // We have multiple web server certificate used depending on the domain name
obj.tlsServer = require('https').createServer(tlsOptions, obj.app);
obj.tlsServer.on('secureConnection', function () { /*console.log('tlsServer secureConnection');*/ });
obj.tlsServer.on('error', function () { console.log('tlsServer error'); });
obj.tlsServer.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); });
obj.tlsServer.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
obj.expressWs = require('express-ws')(obj.app, obj.tlsServer);
Initial main commit
2017-08-28 12:27:45 -04:00
}
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Setup middleware
Fix for Express-handlebars@3.1.0
2019-05-14 20:14:43 -04:00
obj.app.engine('handlebars', obj.exphbs({ defaultLayout: null })); // defaultLayout: 'main'
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.set('view engine', 'handlebars');
if (obj.args.tlsoffload) { obj.app.set('trust proxy', obj.args.tlsoffload); } // Reverse proxy should add the "X-Forwarded-*" headers
obj.app.use(obj.bodyParser.urlencoded({ extended: false }));
var sessionOptions = {
name: 'xid', // Recommended security practice to not use the default cookie name
httpOnly: true,
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
secure: (obj.args.notls != true) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
}
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
obj.app.use(obj.session(sessionOptions));
// Add HTTP security headers to all responses
obj.app.use(function (req, res, next) {
res.removeHeader("X-Powered-By");
var domain = req.xdomain = getDomain(req);
Added database merge feature.
2019-02-15 17:50:23 -05:00
// If this domain has configured headers, use them.
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
Fixed to server crash issues.
2019-02-18 22:11:34 -05:00
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
Added database merge feature.
2019-02-15 17:50:23 -05:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Detect if this is a file sharing domain, if so, just share files.
if ((domain != null) && (domain.share != null)) {
var rpath;
if (domain.dns == null) { rpath = req.url.split('/'); rpath.splice(1, 1); rpath = rpath.join('/'); } else { rpath = req.url; }
if ((res.headers != null) && (res.headers.upgrade)) {
// If this is a websocket, stop here.
res.sendStatus(404);
} else {
// Check if the file exists, if so, serve it.
obj.fs.exists(obj.path.join(domain.share, rpath), function (exists) { if (exists == true) { res.sendfile(rpath, { root: domain.share }); } else { res.sendStatus(404); } });
}
Improved server UI, new Auto-Remote agent feature.
2018-09-26 17:58:55 -04:00
} else {
Added database merge feature.
2019-02-15 17:50:23 -05:00
//if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; }
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
return next();
Improved server UI, new Auto-Remote agent feature.
2018-09-26 17:58:55 -04:00
}
});
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Setup all HTTP handlers
if (parent.multiServer != null) { obj.app.ws('/meshserver.ashx', function (ws, req) { parent.multiServer.CreatePeerInServer(parent.multiServer, ws, req); }); }
for (var i in parent.config.domains) {
if (parent.config.domains[i].dns != null) { continue; } // This is a subdomain with a DNS name, no added HTTP bindings needed.
var url = parent.config.domains[i].url;
obj.app.get(url, handleRootRequest);
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-24 18:11:00 -04:00
obj.app.get(url + 'backup.zip', handleBackupRequest);
obj.app.post(url + 'restoreserver.ashx', handleRestoreRequest);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.get(url + 'terms', handleTermsRequest);
obj.app.post(url + 'login', handleLoginRequest);
obj.app.post(url + 'tokenlogin', handleLoginRequest);
obj.app.get(url + 'logout', handleLogoutRequest);
obj.app.get(url + 'MeshServerRootCert.cer', handleRootCertRequest);
obj.app.get(url + 'mescript.ashx', handleMeScriptRequest);
obj.app.post(url + 'changepassword', handlePasswordChangeRequest);
obj.app.post(url + 'deleteaccount', handleDeleteAccountRequest);
obj.app.post(url + 'createaccount', handleCreateAccountRequest);
Added server password timeout and reset on next login.
2019-02-27 21:48:50 -05:00
obj.app.post(url + 'resetpassword', handleResetPasswordRequest);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.post(url + 'resetaccount', handleResetAccountRequest);
obj.app.get(url + 'checkmail', handleCheckMailRequest);
Added public agent install invitation link support.
2019-06-03 16:15:38 -04:00
obj.app.get(url + 'agentinvite', handleAgentInviteRequest);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.post(url + 'amtevents.ashx', obj.handleAmtEventRequest);
obj.app.get(url + 'meshagents', obj.handleMeshAgentRequest);
obj.app.get(url + 'messenger', handleMessengerRequest);
obj.app.get(url + 'meshosxagent', obj.handleMeshOsxAgentRequest);
obj.app.get(url + 'meshsettings', obj.handleMeshSettingsRequest);
Fixed device timeline.
2019-03-20 15:40:02 -04:00
obj.app.get(url + 'devicepowerevents.ashx', obj.handleDevicePowerEvents);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.get(url + 'downloadfile.ashx', handleDownloadFile);
obj.app.post(url + 'uploadfile.ashx', handleUploadFile);
obj.app.post(url + 'uploadmeshcorefile.ashx', handleUploadMeshCoreFile);
obj.app.get(url + 'userfiles/*', handleDownloadUserFiles);
obj.app.ws(url + 'echo.ashx', handleEchoWebSocket);
obj.app.ws(url + 'meshrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie) { obj.meshRelayHandler.CreateMeshRelay(obj, ws1, req1, domain, user, cookie); }); });
obj.app.get(url + 'webrelay.ashx', function (req, res) { res.send('Websocket connection expected'); });
Added health.ashx for load-balancer health checking.
2019-05-14 14:30:08 -04:00
obj.app.get(url + 'health.ashx', function (req, res) { res.send('ok'); }); // TODO: Perform more server checking.
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.ws(url + 'webrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, handleRelayWebSocket); });
Started work on server side Intel AMT redirection transport module.
2019-04-23 22:17:33 -04:00
obj.app.ws(url + 'webider.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) { obj.meshIderHandler.CreateAmtIderSession(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.ws(url + 'control.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
obj.app.get(url + 'logo.png', handleLogoRequest);
Added welcome page customization options.
2019-02-13 16:22:52 -05:00
obj.app.get(url + 'welcome.jpg', handleWelcomeImageRequest);
Intel AMT activation improvements.
2019-06-27 19:04:52 -04:00
obj.app.ws(url + 'amtactivate', handleAmtActivateWebSocket);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
Added server redirection and unlimited invite URL's.
2019-06-07 13:20:54 -04:00
// Server redirects
Server fixes when agent comes in with unknown agentid.
2019-06-17 18:37:13 -04:00
if (parent.config.domains[i].redirects) { for (var j in parent.config.domains[i].redirects) { if (j[0] != '_') { obj.app.get(url + j, handleDomainRedirect); } } }
Added server redirection and unlimited invite URL's.
2019-06-07 13:20:54 -04:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Server picture
obj.app.get(url + 'serverpic.ashx', function (req, res) {
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
// Check if we have "server.jpg" in the data folder, if so, use that.
Improved night mode in web app.
2019-05-11 17:02:42 -04:00
if ((parent.configurationFiles != null) && (parent.configurationFiles['server.png'] != null)) {
res.set({ 'Content-Type': 'image/png' });
res.send(parent.configurationFiles['server.png']);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
} else {
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
// Check if we have "server.jpg" in the data folder, if so, use that.
Improved night mode in web app.
2019-05-11 17:02:42 -04:00
var p = obj.path.join(obj.parent.datapath, 'server.png');
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
if (obj.fs.existsSync(p)) {
// Use the data folder server picture
try { res.sendFile(p); } catch (e) { res.sendStatus(404); }
} else {
// Use the default server picture
Improved night mode in web app.
2019-05-11 17:02:42 -04:00
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/server-256.png')); } catch (e) { res.sendStatus(404); }
Added first support for running state-less.
2019-02-02 17:54:36 -05:00
}
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
}
});
Initial main commit
2017-08-28 12:27:45 -04:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Receive mesh agent connections
obj.app.ws(url + 'agent.ashx', function (ws, req) {
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-30 16:43:42 -05:00
var domain = checkAgentIpAddress(ws, req);
if (domain == null) { Debug(1, 'Got agent connection from blocked IP address ' + ws._socket.remoteAddress + ', holding.'); return; }
// console.log('Agent connect: ' + ws._socket.remoteAddress);
try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (e) { console.log(e); }
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
});
Server fixes
2019-03-14 15:28:58 -04:00
// Memory Tracking
if (typeof obj.args.memorytracking == 'number') {
obj.app.get(url + 'memorytracking.csv', function (req, res) {
try { res.sendFile(obj.parent.getConfigFilePath('memorytracking.csv')); } catch (e) { res.sendStatus(404); }
});
}
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Creates a login token using the user/pass that is passed in as URL arguments.
// For example: https://localhost/createLoginToken.ashx?user=admin&pass=admin&a=3
// It's not advised to use this to create login tokens since the URL is often logged and you got credentials in the URL.
Database performance + mesh undelete.
2019-02-18 17:32:55 -05:00
// Since it's bad, it's only offered when an untrusted certificate is used as a way to help developers get started.
if (isTrustedCert() == false) {
obj.app.get(url + 'createLoginToken.ashx', function (req, res) {
// A web socket session can be authenticated in many ways (Default user, session, user/pass and cookie). Check authentication here.
if ((req.query.user != null) && (req.query.pass != null)) {
// A user/pass is provided in URL arguments
obj.authenticate(req.query.user, req.query.pass, getDomain(req), function (err, userid) {
if ((err == null) && (obj.users[userid])) {
// User is authenticated, create a token
var x = { a: 3 }; for (var i in req.query) { if ((i != 'user') && (i != 'pass')) { x[i] = obj.common.toNumber(req.query[i]); } } x.u = userid;
res.send(obj.parent.encodeCookie(x, obj.parent.loginCookieEncryptionKey));
} else {
res.sendStatus(404);
}
});
} else {
res.sendStatus(404);
}
});
}
Added support for AES128/HMAC-SHA256 login tokens and online token generation.
2018-12-29 00:55:23 -05:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
obj.app.get(url + 'stop', function (req, res) { res.send('Stopping Server, <a href="' + url + '">click here to login</a>.'); setTimeout(function () { parent.Stop(); }, 500); });
Initial main commit
2017-08-28 12:27:45 -04:00
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
// Indicates to ExpressJS that the public folder should be used to serve static files.
New agents, NeDB encryption, WebApp Fixes.
2019-01-24 15:08:48 -05:00
obj.app.use(url, obj.express.static(obj.parent.webPublicPath));
Added agent trouble detection on the server.
2019-01-22 22:34:55 -05:00
// Start regular disconnection list flush every 2 minutes.
obj.wsagentsDisconnectionsTimer = setInterval(function () { obj.wsagentsDisconnections = {}; }, 120000);
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
}
// Start server on a free port
CheckListenPort(obj.args.port, StartWebServer);
Initial main commit
2017-08-28 12:27:45 -04:00
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
// Authenticates a session and forwards
Fixed a ClickOnce exception
2018-10-15 20:51:03 -04:00
function PerformWSSessionAuth(ws, req, noAuthOk, func) {
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
try {
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
// Hold this websocket until we are ready.
Updated to Express-ws 4.x
2018-12-01 00:23:10 -05:00
ws._socket.pause();
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// Check IP filtering and domain
Fixed user IP address filtering.
2019-01-04 17:35:01 -05:00
var domain = null;
if (noAuthOk == true) { domain = getDomain(req); } else { domain = checkUserIpAddress(ws, req); } // If auth is required, enforce IP address filtering.
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
if (domain == null) { try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-1' })); ws.close(); return; } catch (e) { return; } }
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// A web socket session can be authenticated in many ways (Default user, session, user/pass and cookie). Check authentication here.
if ((req.query.user != null) && (req.query.pass != null)) {
// A user/pass is provided in URL arguments
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) {
Improved websocket auth when 2nd factor is used.
2019-03-21 14:45:08 -04:00
var user = obj.users[userid];
if ((err == null) && (user)) {
// Check if a 2nd factor is needed
if (checkUserOneTimePasswordRequired(domain, user) == true) {
if (req.query.token) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired' })); ws.close(); } catch (e) { }
} else {
checkUserOneTimePassword(req, domain, user, req.query.token, null, function (result) {
if (result == false) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired' })); ws.close(); } catch (e) { }
} else {
// We are authenticated with 2nd factor.
func(ws, req, domain, user);
}
});
}
} else {
// We are authenticated
func(ws, req, domain, user);
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
} else {
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
// Failed to authenticate, see if a default user is active
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
} else {
// If not authenticated, close the websocket connection
Debug(1, 'ERR: Websocket bad user/pass auth');
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2' })); ws.close(); } catch (e) { }
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
}
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
});
return;
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
} else if ((req.query.auth != null) && (req.query.auth != '')) {
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// This is a encrypted cookie authentication
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
var cookie = obj.parent.decodeCookie(req.query.auth, obj.parent.loginCookieEncryptionKey, 240); // Cookie with 4 hour timeout
if ((cookie != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id)) {
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// Valid cookie, we are authenticated
func(ws, req, domain, obj.users[cookie.userid], cookie);
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
} else {
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
// This is a bad cookie, keep going anyway, maybe we have a active session that will save us.
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
Debug(1, 'ERR: Websocket bad cookie auth: ' + req.query.auth);
Improved websocket auth when 2nd factor is used.
2019-03-21 14:45:08 -04:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2' })); ws.close(); } catch (e) { }
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 14:45:08 -04:00
return;
} else if (req.headers['x-meshauth'] != null) {
// This is authentication using a custom HTTP header
var s = req.headers['x-meshauth'].split(',');
for (var i in s) { s[i] = Buffer.from(s[i], 'base64').toString(); }
if ((s.length < 2) || (s.length > 3)) { try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2' })); ws.close(); } catch (e) { } return; }
obj.authenticate(s[0], s[1], domain, function (err, userid) {
var user = obj.users[userid];
if ((err == null) && (user)) {
// Check if a 2nd factor is needed
if (checkUserOneTimePasswordRequired(domain, user) == true) {
if (s.length != 3) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired' })); ws.close(); } catch (e) { }
} else {
checkUserOneTimePassword(req, domain, user, s[2], null, function (result) {
if (result == false) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired' })); ws.close(); } catch (e) { }
} else {
// We are authenticated with 2nd factor.
func(ws, req, domain, user);
}
});
}
} else {
// We are authenticated
func(ws, req, domain, user);
}
} else {
// Failed to authenticate, see if a default user is active
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
} else {
// If not authenticated, close the websocket connection
Debug(1, 'ERR: Websocket bad user/pass auth');
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2' })); ws.close(); } catch (e) { }
}
}
});
return;
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 14:45:08 -04:00
//console.log(req.headers['x-meshauth']);
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
return;
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
} else if (req.session && (req.session.userid != null) && (req.session.domainid == domain.id) && (obj.users[req.session.userid])) {
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
// This user is logged in using the ExpressJS session
Fixed MeshRelay access control
2018-10-16 13:52:05 -04:00
func(ws, req, domain, obj.users[req.session.userid]);
Fixed ClickOnce support & improved websocket authentication
2018-10-15 20:21:37 -04:00
return;
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
}
Fixed a ClickOnce exception
2018-10-15 20:51:03 -04:00
if (noAuthOk != true) {
// If not authenticated, close the websocket connection
Debug(1, 'ERR: Websocket no auth');
Removed dependency on browser cookies to make the site work.
2019-01-28 18:47:54 -05:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-4' })); ws.close(); } catch (e) { }
Fixed a ClickOnce exception
2018-10-15 20:51:03 -04:00
} else {
// Continue this session without user authentication,
// this is expected if the agent is connecting for a tunnel.
func(ws, req, domain, null);
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-13 19:04:04 -04:00
} catch (e) { console.log(e); }
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Find a free port starting with the specified one and going up.
function CheckListenPort(port, func) {
var s = obj.net.createServer(function (socket) { });
obj.tcpServer = s.listen(port, function () { s.close(function () { if (func) { func(port); } }); }).on('error', function (err) {
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
if (args.exactports) { console.error('ERROR: MeshCentral HTTPS server port ' + port + ' not available.'); process.exit(); }
Initial main commit
2017-08-28 12:27:45 -04:00
else { if (port < 65535) { CheckListenPort(port + 1, func); } else { if (func) { func(0); } } }
});
}
// Start the ExpressJS web server
function StartWebServer(port) {
if (port == 0 || port == 65535) return;
obj.args.port = port;
if (obj.tlsServer != null) {
if (obj.args.lanonly == true) {
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Added serverstate.txt file in data folder
2018-03-14 15:10:13 -04:00
obj.parent.updateServerState('servername', certificates.CommonName);
Initial main commit
2017-08-28 12:27:45 -04:00
}
Added serverstate.txt file in data folder
2018-03-14 15:10:13 -04:00
obj.parent.updateServerState('https-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); }
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
Improved some websocket error handling.
2019-01-02 21:34:50 -05:00
obj.tcpServer = obj.app.listen(port, function () { console.log('MeshCentral HTTP server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Added serverstate.txt file in data folder
2018-03-14 15:10:13 -04:00
obj.parent.updateServerState('http-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('http-aliasport', args.aliasport); }
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
// Force mesh agent disconnection
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
obj.forceMeshAgentDisconnect = function (user, domain, nodeid, disconnectMode) {
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (nodeid == null) return;
Initial main commit
2017-08-28 12:27:45 -04:00
var splitnode = nodeid.split('/');
if ((splitnode.length != 3) || (splitnode[1] != domain.id)) return; // Check that nodeid is valid and part of our domain
var agent = obj.wsagents[nodeid];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (agent == null) return;
Initial main commit
2017-08-28 12:27:45 -04:00
// Check we have agent rights
var rights = user.links[agent.dbMeshKey].rights;
Bug fixes and fixed database performance problem.
2019-02-16 15:56:33 -05:00
if ((rights != null) && ((rights & MESHRIGHT_AGENTCONSOLE) != 0) || (user.siteadmin == 0xFFFFFFFF)) { agent.close(disconnectMode); }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Initial main commit
2017-08-28 12:27:45 -04:00
// Send the core module to the mesh agent
Added recovery core support.
2019-01-21 17:05:50 -05:00
obj.sendMeshAgentCore = function (user, domain, nodeid, coretype, coredata) {
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (nodeid == null) return;
Added recovery core support.
2019-01-21 17:05:50 -05:00
const splitnode = nodeid.split('/');
Initial main commit
2017-08-28 12:27:45 -04:00
if ((splitnode.length != 3) || (splitnode[1] != domain.id)) return; // Check that nodeid is valid and part of our domain
Added recovery core support.
2019-01-21 17:05:50 -05:00
// TODO: This command only works if the agent is connected on the same server. Will not work with multi server peering.
const agent = obj.wsagents[nodeid];
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if (agent == null) return;
Initial main commit
2017-08-28 12:27:45 -04:00
// Check we have agent rights
var rights = user.links[agent.dbMeshKey].rights;
Bug fixes and fixed database performance problem.
2019-02-16 15:56:33 -05:00
if ((rights != null) && ((rights & MESHRIGHT_AGENTCONSOLE) != 0) || (user.siteadmin == 0xFFFFFFFF)) {
Added recovery core support.
2019-01-21 17:05:50 -05:00
if (coretype == 'clear') {
Initial main commit
2017-08-28 12:27:45 -04:00
// Clear the mesh agent core
Added recovery core support.
2019-01-21 17:05:50 -05:00
agent.agentCoreCheck = 1000; // Tell the agent object we are using a custom core.
Initial main commit
2017-08-28 12:27:45 -04:00
agent.send(obj.common.ShortToStr(10) + obj.common.ShortToStr(0));
Added recovery core support.
2019-01-21 17:05:50 -05:00
} else if (coretype == 'default') {
// Reset to default code
Initial main commit
2017-08-28 12:27:45 -04:00
agent.agentCoreCheck = 0; // Tell the agent object we are using a default code
agent.send(obj.common.ShortToStr(11) + obj.common.ShortToStr(0)); // Command 11, ask for mesh core hash.
Added recovery core support.
2019-01-21 17:05:50 -05:00
} else if (coretype == 'recovery') {
// Reset to recovery core
agent.agentCoreCheck = 1001; // Tell the agent object we are using the recovery core.
agent.send(obj.common.ShortToStr(11) + obj.common.ShortToStr(0)); // Command 11, ask for mesh core hash.
} else if (coretype == 'custom') {
agent.agentCoreCheck = 1000; // Tell the agent object we are using a custom core.
Fixed database and webserver race condition.
2019-01-22 18:40:08 -05:00
const hash = obj.crypto.createHash('sha384').update(Buffer.from(coredata, 'binary')).digest().toString('binary'); // Perform a SHA384 hash on the core module
agent.send(obj.common.ShortToStr(10) + obj.common.ShortToStr(0) + hash + coredata); // Send the code module to the agent
Initial main commit
2017-08-28 12:27:45 -04:00
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Get the server path of a user or mesh object
function getServerRootFilePath(obj) {
Added new account creation and server peering flow control
2017-09-15 14:45:06 -04:00
if ((typeof obj != 'object') || (obj.domain == null) || (obj._id == null)) return null;
Initial main commit
2017-08-28 12:27:45 -04:00
var domainname = 'domain', splitname = obj._id.split('/');
if (splitname.length != 3) return null;
if (obj.domain !== '') domainname = 'domain-' + obj.domain;
return obj.path.join(obj.filespath, domainname + "/" + splitname[0] + "-" + splitname[2]);
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
Added SMTP email support, email verification and password reset support
2017-12-12 19:04:54 -05:00
// Return true is the input string looks like an email address
function checkEmail(str) {
var x = str.split('@');
var ok = ((x.length == 2) && (x[0].length > 0) && (x[1].split('.').length > 1) && (x[1].length > 2));
if (ok == true) { var y = x[1].split('.'); for (var i in y) { if (y[i].length == 0) { ok = false; } } }
return ok;
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Debug
function Debug(lvl) {
if (lvl > obj.parent.debugLevel) return;
if (arguments.length == 2) { console.log(arguments[1]); }
else if (arguments.length == 3) { console.log(arguments[1], arguments[2]); }
else if (arguments.length == 4) { console.log(arguments[1], arguments[2], arguments[3]); }
else if (arguments.length == 5) { console.log(arguments[1], arguments[2], arguments[3], arguments[4]); }
else if (arguments.length == 6) { console.log(arguments[1], arguments[2], arguments[3], arguments[4], arguments[5]); }
else if (arguments.length == 7) { console.log(arguments[1], arguments[2], arguments[3], arguments[4], arguments[5], arguments[6]); }
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
/*
obj.wssessions = {}; // UserId --> Array Of Sessions
obj.wssessions2 = {}; // "UserId + SessionRnd" --> Session (Note that the SessionId is the UserId + / + SessionRnd)
obj.wsPeerSessions = {}; // ServerId --> Array Of "UserId + SessionRnd"
obj.wsPeerSessions2 = {}; // "UserId + SessionRnd" --> ServerId
obj.wsPeerSessions3 = {}; // ServerId --> UserId --> [ SessionId ]
*/
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
// Count sessions and event any changes
obj.recountSessions = function (changedSessionId) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
var userid, oldcount, newcount, x, serverid;
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
if (changedSessionId == null) {
// Recount all sessions
// Calculate the session count for all userid's
var newSessionsCount = {};
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (userid in obj.wssessions) { newSessionsCount[userid] = obj.wssessions[userid].length; }
for (serverid in obj.wsPeerSessions3) {
for (userid in obj.wsPeerSessions3[serverid]) {
x = obj.wsPeerSessions3[serverid][userid].length;
if (newSessionsCount[userid] == null) { newSessionsCount[userid] = x; } else { newSessionsCount[userid] += x; }
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
}
}
// See what session counts have changed, event any changes
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (userid in newSessionsCount) {
newcount = newSessionsCount[userid];
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
if (oldcount == null) { oldcount = 0; } else { delete obj.sessionsCount[userid]; }
if (newcount != oldcount) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
x = userid.split('/');
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
var u = users[userid];
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(targets, obj, { action: 'wssessioncount', userid: userid, username: x[2], count: newcount, domain: x[1], nolog: 1, nopeers: 1 });
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
}
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
}
}
// If there are any counts left in the old counts, event to zero
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (userid in obj.sessionsCount) {
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
if ((oldcount != null) && (oldcount != 0)) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
x = userid.split('/');
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
var u = users[userid];
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(['*'], obj, { action: 'wssessioncount', userid: userid, username: x[2], count: 0, domain: x[1], nolog: 1, nopeers: 1 })
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
}
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
}
}
// Set the new session counts
obj.sessionsCount = newSessionsCount;
} else {
// Figure out the userid
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
userid = changedSessionId.split('/').slice(0, 3).join('/');
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
// Recount only changedSessionId
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
newcount = 0;
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
if (obj.wssessions[userid] != null) { newcount = obj.wssessions[userid].length; }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
for (serverid in obj.wsPeerSessions3) { if (obj.wsPeerSessions3[serverid][userid] != null) { newcount += obj.wsPeerSessions3[serverid][userid].length; } }
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
if (oldcount == null) { oldcount = 0; }
// If the count changed, update and event
if (newcount != oldcount) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
x = userid.split('/');
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
var u = users[userid];
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-29 19:35:48 -04:00
obj.parent.DispatchEvent(targets, obj, { action: 'wssessioncount', userid: userid, username: x[2], count: newcount, domain: x[1], nolog: 1, nopeers: 1 });
User permission fixes, user list export feature.
2019-05-04 15:55:46 -04:00
obj.sessionsCount[userid] = newcount;
}
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};
Completed server load-balancing support
2017-09-20 17:44:22 -04:00
Added one time passwords for user 2-factor login.
2019-02-05 22:07:12 -05:00
// Clone a safe version of a user object, remove everything that is secret.
obj.CloneSafeUser = function(user) {
if (typeof user != 'object') { return user; }
var user2 = obj.common.Clone(user);
delete user2.hash;
delete user2.passhint;
delete user2.salt;
delete user2.type;
delete user2.domain;
delete user2.subscriptions;
delete user2.passtype;
Improved U2F authentication, added multiple U2F key support.
2019-02-10 19:04:36 -05:00
if (typeof user2.otpsecret == 'string') { user2.otpsecret = 1; } // Indicates a time secret is present.
if (typeof user2.otpkeys == 'object') { user2.otpkeys = 0; if (user.otpkeys != null) { for (var i = 0; i < user.otpkeys.keys.length; i++) { if (user.otpkeys.keys[i].u == true) { user2.otpkeys = 1; } } } } // Indicates the number of one time backup codes that are active.
if (typeof user2.otphkeys == 'object') { user2.otphkeys = user2.otphkeys.length; } // Indicates the number of hardware keys setup
Added one time passwords for user 2-factor login.
2019-02-05 22:07:12 -05:00
return user2;
}
Started work on mobile web site
2018-05-21 19:36:51 -04:00
// Return true if a mobile browser is detected.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 00:43:44 -04:00
// This code comes from "http://detectmobilebrowsers.com/" and was modified, This is free and unencumbered software released into the public domain. For more information, please refer to the http://unlicense.org/
Added mesh screen to mobile web page
2018-05-29 19:57:08 -04:00
function isMobileBrowser(req) {
//var ua = req.headers['user-agent'].toLowerCase();
//return (/(android|bb\d+|meego).+mobile|mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(ua) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0, 4)));
Partinally ran code thru JsHint
2018-08-29 20:40:30 -04:00
if (typeof req.headers['user-agent'] != 'string') return false;
Added mesh screen to mobile web page
2018-05-29 19:57:08 -04:00
return (req.headers['user-agent'].toLowerCase().indexOf('mobile') >= 0);
Started work on mobile web site
2018-05-21 19:36:51 -04:00
}
Added invitation link email, server fixes and improvements.
2019-06-12 13:23:26 -04:00
// Return the query string portion of the URL, the ? and anything after.
function getQueryPortion(req) { var s = req.url.indexOf('?'); if (s == -1) { if (req.body && req.body.urlargs) { return req.body.urlargs; } return ''; } return req.url.substring(s); }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
// Generate a random Intel AMT password
function checkAmtPassword(p) { return (p.length > 7) && (/\d/.test(p)) && (/[a-z]/.test(p)) && (/[A-Z]/.test(p)) && (/\W/.test(p)); }
function getRandomAmtPassword() { var p; do { p = Buffer.from(obj.crypto.randomBytes(9), 'binary').toString('base64').split('/').join('@'); } while (checkAmtPassword(p) == false); return p; }
Added Intel AMT session recording
2019-08-07 19:07:12 -04:00
function getRandomPassword() { return Buffer.from(obj.crypto.randomBytes(9), 'binary').toString('base64').split('/').join('@'); }
New Intel AMT ACM activation with MeshCMD
2019-06-21 20:18:48 -04:00
Node 6.x cbor fix.
2019-08-07 17:25:23 -04:00
// Clean a IPv6 address that encodes a IPv4 address
function cleanRemoteAddr(addr) { if (addr.startsWith('::ffff:')) { return addr.substring(7); } else { return addr; } }
// Record a new entry in a recording log
function recordingEntry(fd, type, flags, data, func) {
try {
if (typeof data == 'string') {
// String write
var blockData = Buffer.from(data), header = Buffer.alloc(16); // Header: Type (2) + Flags (2) + Size(4) + Time(8)
header.writeInt16BE(type, 0); // Type (1 = Header, 2 = Network Data)
header.writeInt16BE(flags, 2); // Flags (1 = Binary, 2 = User)
header.writeInt32BE(blockData.length, 4); // Size
header.writeIntBE(new Date(), 10, 6); // Time
var block = Buffer.concat([header, blockData]);
obj.fs.write(fd, block, 0, block.length, func);
} else {
// Binary write
var header = Buffer.alloc(16); // Header: Type (2) + Flags (2) + Size(4) + Time(8)
header.writeInt16BE(type, 0); // Type (1 = Header, 2 = Network Data)
header.writeInt16BE(flags | 1, 2); // Flags (1 = Binary, 2 = User)
header.writeInt32BE(data.length, 4); // Size
header.writeIntBE(new Date(), 10, 6); // Time
var block = Buffer.concat([header, data]);
obj.fs.write(fd, block, 0, block.length, func);
}
} catch (ex) { console.log(ex); func(); }
}
Initial main commit
2017-08-28 12:27:45 -04:00
return obj;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 15:05:23 -04:00
};