+
+
+
+Depending on how the agent is connected to the server, there are multiple methods to remote control. Mesh Agent, RDP, and AMT
+
+For RDP connections, if you have previously saved the credentials that is usable by all users on the system. If you want to remove those saved credentials that's under the `General Tab` > `Credentials`. Click pen to clear them.
+
## Server Certificate
As seen in the previous chapter, MeshCentral is setup with a self-signed certificate by default and the web browser will issue a warning concerning the validity of the certificate.
@@ -448,6 +458,34 @@ This first line will load many of the “meshcentral-data” files into the data
Note that MeshCentral does not currently support placing a Let’s Encrypt certificate in the database. Generally, one would use a reverse proxy with Let’s Encrypt support and TLS offload in the reverse proxy and then run MeshCentral in state-less mode in a Docket container.
+## Commandline Options
+
+In general, doing `--option value` is the same as adding `"option": value` in the settings section of the config.json.
+
+Here are the most common options found by running `meshcentral --help`
+
+```
+Run as a background service
+ --install/uninstall Install MeshCentral as a background service.
+ --start/stop/restart Control MeshCentral background service.
+
+Run standalone, console application
+ --user [username] Always login as [username] if account exists.
+ --port [number] Web server port number.
+ --redirport [number] Creates an additional HTTP server to redirect users to the HTTPS server.
+ --exactports Server must run with correct ports or exit.
+ --noagentupdate Server will not update mesh agent native binaries.
+ --nedbtodb Transfer all NeDB records into current database.
+ --listuserids Show a list of a user identifiers in the database.
+ --cert [name], (country), (org) Create a web server certificate with [name] server name.
+ country and organization can optionally be set.
+
+Server recovery commands, use only when MeshCentral is offline.
+ --createaccount [userid] Create a new user account.
+ --resetaccount [userid] Unlock an account, disable 2FA and set a new account password.
+ --adminaccount [userid] Promote account to site administrator.
+```
+
## TLS Offloading
A good way for MeshCentral to handle a high traffic is to setup a TLS offload device at front of the server that takes care of doing all the TLS negotiation and encryption so that the server could offload this. There are many vendors who offer TLS or SSL offload as a software module (Nginx* or Apache*) so please contact your network administrator for the best solution that suits your setup.
@@ -517,8 +555,6 @@ If you successfully setup a Let’s Encrypt certificate using the Let’s Encryp
If Let’s Encrypt works for you, please consider donating to them as they provide a critical service to the Internet community.
-
-
## Server IP filtering
For improved security, it’s good to limit access to MeshCentral with IP address. For example, we want to allow mesh agents and Intel AMT computers to connect from anywhere, but whitelist IP address for users that we allow to access MeshCentral.
@@ -706,12 +742,19 @@ MeshCentral supports the local device group allowing devices that do not have an
+To enable SSH support, add this line to the domain section of your config.json:
+
+```json
+"ssh": true
+```
+
Video Walkthru
+
+
+
Sometimes it’s useful to setup MeshCentral with a reverse-proxy in front of it. This is useful if you need to host many services on a single public IP address, if you want to offload TLS and perform extra web caching. In this section we will setup NGINX, a popular reverse-proxy, in front of MeshCentral. NGNIX is available at: https://www.nginx.com/
@@ -1180,6 +1229,38 @@ mongorestore --archive=backup.archive
This will re-import the database from the backup. You can then start MeshCentral again.
+### Backup to Google Drive
+
+```bash
+sudo systemctl stop meshcentral.service
+nano /opt/meshcentral/meshcentral-data/config.json
+```
+
+Remove underscored items
+
+
+
+```bash
+sudo systemctl start meshcentral.service
+sudo systemctl status meshcentral.service
+```
+
+Log into your MC:
+
+
+
+
+
+Create desktop app
+
+
+
+Enter the Client ID and Client Secret into MC
+
+
+
+
+
## HashiCorp Vault support
MeshCentral has built-in support for HashiCorp Vault so that all configuration and certificates used by MeshCentral are retrieved from a Vault server. Vault is a secret store server and when used with MeshCentral, the MeshCentral server will not be storing any secrets locally. You can get started with Vault here: https://www.vaultproject.io/
@@ -1685,3 +1766,11 @@ su -c '/bin/bash -i' myOtherUser
```
This will run bash in interactive mode and work correctly.
+
+#### SSH and SFTP integration to the Terminal
+
+MeshCentral has built-in web-based integration of SSH in the "Termina" tab and SFTP in the "Files" tab.
+
+
+
+
\ No newline at end of file
diff --git a/docs/docs/meshcentral/plugins.md b/docs/docs/meshcentral/plugins.md
new file mode 100644
index 00000000..e9d664ff
--- /dev/null
+++ b/docs/docs/meshcentral/plugins.md
@@ -0,0 +1,9 @@
+# Plugins
+
+## Installation
+
+1. Enable plugins in the configuration and restart MC as described.
+2. Log into MC as full administrator.
+3. Go my `My Server` -> `Plugins`, hit the Download plugin button.
+4. A dialog opens requesting an URL, put in:
+
+
+
MeshCmd has all the code needed to perform Intel AMT IDE Redirection from the command line. This allows disk images on the administrator’s computer to be remotely mounted to an Intel AMT computer. You need to start with a floppy disk .img file and/or an .iso CDROM file.
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 9ea8f3dc..326c1f94 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -9,6 +9,7 @@ nav:
- MeshCentral2:
- 'MeshCentral2 Guide': 'meshcentral/index.md'
- 'All Configuration Options': 'meshcentral/config.md'
+ - 'Device Tabs': 'meshcentral/devicetabs.md'
- 'Tokens': 'meshcentral/tokens.md'
- 'Assistant': 'meshcentral/assistant.md'
- 'Code Signing': 'meshcentral/codesigning.md'
diff --git a/docs/powerpoints/README.md b/docs/powerpoints/README.md
new file mode 100644
index 00000000..159d630d
--- /dev/null
+++ b/docs/powerpoints/README.md
@@ -0,0 +1 @@
+Please place Powerpoints and slides here
\ No newline at end of file
diff --git a/meshagent.js b/meshagent.js
index 297c3b25..f4fa5419 100644
--- a/meshagent.js
+++ b/meshagent.js
@@ -1889,7 +1889,10 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
if (!device.intelamt) { device.intelamt = {}; }
if ((command.intelamt.Versions != null) && (typeof command.intelamt.Versions == 'object')) {
if ((command.intelamt.Versions.AMT != null) && (typeof command.intelamt.Versions.AMT == 'string') && (command.intelamt.Versions.AMT.length < 12) && (device.intelamt.ver != command.intelamt.Versions.AMT)) { changes.push('AMT version'); device.intelamt.ver = command.intelamt.Versions.AMT; change = 1; log = 1; }
- if ((command.intelamt.Versions.Sku != null) && (typeof command.intelamt.Versions.Sku == 'string')) { var sku = parseInt(command.intelamt.Versions.Sku); if (device.intelamt.sku !== command.intelamt.sku) { device.intelamt.sku = sku; change = 1; log = 1; } }
+ if ((command.intelamt.Versions.Sku != null) && (typeof command.intelamt.Versions.Sku == 'string')) {
+ const sku = parseInt(command.intelamt.Versions.Sku);
+ if (device.intelamt.sku !== sku) { device.intelamt.sku = sku; change = 1; log = 1; }
+ }
}
if ((command.intelamt.ProvisioningState != null) && (typeof command.intelamt.ProvisioningState == 'number') && (device.intelamt.state != command.intelamt.ProvisioningState)) { changes.push('AMT state'); device.intelamt.state = command.intelamt.ProvisioningState; change = 1; log = 1; }
if ((command.intelamt.Flags != null) && (typeof command.intelamt.Flags == 'number') && (device.intelamt.flags != command.intelamt.Flags)) {
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 7e41c70b..46060972 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -101,6 +101,8 @@
"agentCoreDump": { "type": "boolean", "default": false, "description": "Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps." },
"agentCoreDumpUsers": { "type": "array", "description": "List of non-administrator users that have access to mesh agent crash dumps." },
"agentSignLock": { "type": "boolean", "default": false, "description": "When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future)." },
+ "agentTimeStampServer": { "type": [ "boolean", "string" ], "default": "http://timestamp.comodoca.com/authenticode", "description": "The time stamping server to use when code signing Windows executables. When set to false, the executables are not time stamped." },
+ "agentTimeStampProxy": { "type": [ "boolean", "string" ], "description": "The HTTP proxy to use when contacting the time stamping server, if false, no proxy is used. By default, the npmproxy value is used." },
"ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
"exactPorts": { "type": "boolean", "default": false, "description": "When set to true, MeshCentral will only grab the required TCP listening ports or fail. It will not try to use the next available port of it's busy." },
"allowLoginToken": { "type": "boolean", "default": false },
@@ -542,6 +544,20 @@
"backgroundColor": { "type": "string", "default": null, "description": "Background color, valid values are RBG in format 0,0,0 to 255,255,255 or format #000000 to #FFFFFF." }
}
},
+ "agentFileInfo": {
+ "type": "object",
+ "additionalProperties": false,
+ "description": "Use this section to set resource metadata of the Windows agents prior to signing. In Windows, you can right-click and select properties to view these values.",
+ "properties": {
+ "fileDescription": { "type": "string", "description": "Executable file description." },
+ "fileVersion": { "type": "string", "description": "Executable file version, generally in the form of 1.2.3.4." },
+ "internalName": { "type": "string", "description": "Executable internal name." },
+ "legalCopyright": { "type": "string", "description": "Executable legal copyright." },
+ "originalFilename": { "type": "string", "description": "Executable original file name." },
+ "productName": { "type": "string", "description": "Executable product name." },
+ "productVersion": { "type": "string", "description": "Executable product version, generally in the form of 1.2.3.4." }
+ }
+ },
"assistantCustomization": {
"type": "object",
"additionalProperties": false,
diff --git a/meshcentral.js b/meshcentral.js
index 8043ff2e..3d5a0590 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -145,7 +145,7 @@ function CreateMeshCentralServer(config, args) {
if ((obj.args.help == true) || (obj.args['?'] == true)) {
console.log('MeshCentral v' + getCurrentVersion() + ', remote computer management web portal.');
console.log('This software is open source under Apache 2.0 license.');
- console.log('Details at: https://www.meshcommander.com/meshcentral2\r\n');
+ console.log('Details at: https://www.meshcentral.com\r\n');
if ((obj.platform == 'win32') || (obj.platform == 'linux')) {
console.log('Run as a background service');
console.log(' --install/uninstall Install MeshCentral as a background service.');
@@ -1617,275 +1617,282 @@ function CreateMeshCentralServer(config, args) {
// Load the list of mesh agents and install scripts
if ((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true)) { for (i in obj.meshAgentsArchitectureNumbers) { obj.meshAgentsArchitectureNumbers[i].update = false; } }
- obj.updateMeshAgentsTable(obj.config.domains[''], function () {
- obj.updateMeshAgentInstallScripts();
+ obj.signMeshAgents(obj.config.domains[''], function () {
+ obj.updateMeshAgentsTable(obj.config.domains[''], function () {
+ obj.updateMeshAgentInstallScripts();
- // Setup and start the web server
- obj.crypto.randomBytes(48, function (err, buf) {
- // Setup Mesh Multi-Server if needed
- obj.multiServer = require('./multiserver.js').CreateMultiServer(obj, obj.args);
- if (obj.multiServer != null) {
- if ((obj.db.databaseType != 3) || (obj.db.changeStream != true)) { console.log("ERROR: Multi-server support requires use of MongoDB with ReplicaSet and ChangeStream enabled."); process.exit(0); return; }
- if (typeof obj.args.sessionkey != 'string') { console.log("ERROR: Multi-server support requires \"SessionKey\" be set in the settings section of config.json, same key for all servers."); process.exit(0); return; }
- obj.serverId = obj.multiServer.serverid;
- for (var serverid in obj.config.peers.servers) { obj.peerConnectivityByNode[serverid] = {}; }
- }
+ // Setup and start the web server
+ obj.crypto.randomBytes(48, function (err, buf) {
+ // Setup Mesh Multi-Server if needed
+ obj.multiServer = require('./multiserver.js').CreateMultiServer(obj, obj.args);
+ if (obj.multiServer != null) {
+ if ((obj.db.databaseType != 3) || (obj.db.changeStream != true)) { console.log("ERROR: Multi-server support requires use of MongoDB with ReplicaSet and ChangeStream enabled."); process.exit(0); return; }
+ if (typeof obj.args.sessionkey != 'string') { console.log("ERROR: Multi-server support requires \"SessionKey\" be set in the settings section of config.json, same key for all servers."); process.exit(0); return; }
+ obj.serverId = obj.multiServer.serverid;
+ for (var serverid in obj.config.peers.servers) { obj.peerConnectivityByNode[serverid] = {}; }
+ }
- // If the server is set to "nousers", allow only loopback unless IP filter is set
- if ((obj.args.nousers == true) && (obj.args.userallowedip == null)) { obj.args.userallowedip = "::1,127.0.0.1"; }
+ // If the server is set to "nousers", allow only loopback unless IP filter is set
+ if ((obj.args.nousers == true) && (obj.args.userallowedip == null)) { obj.args.userallowedip = "::1,127.0.0.1"; }
- // Set the session length to 60 minutes if not set and set a random key if needed
- if ((obj.args.sessiontime != null) && ((typeof obj.args.sessiontime != 'number') || (obj.args.sessiontime < 1))) { delete obj.args.sessiontime; }
- if (typeof obj.args.sessionkey != 'string') { obj.args.sessionkey = buf.toString('hex').toUpperCase(); }
+ // Set the session length to 60 minutes if not set and set a random key if needed
+ if ((obj.args.sessiontime != null) && ((typeof obj.args.sessiontime != 'number') || (obj.args.sessiontime < 1))) { delete obj.args.sessiontime; }
+ if (typeof obj.args.sessionkey != 'string') { obj.args.sessionkey = buf.toString('hex').toUpperCase(); }
- // Create MQTT Broker to hook into webserver and mpsserver
- if ((typeof obj.config.settings.mqtt == 'object') && (typeof obj.config.settings.mqtt.auth == 'object') && (typeof obj.config.settings.mqtt.auth.keyid == 'string') && (typeof obj.config.settings.mqtt.auth.key == 'string')) { obj.mqttbroker = require("./mqttbroker.js").CreateMQTTBroker(obj, obj.db, obj.args); }
+ // Create MQTT Broker to hook into webserver and mpsserver
+ if ((typeof obj.config.settings.mqtt == 'object') && (typeof obj.config.settings.mqtt.auth == 'object') && (typeof obj.config.settings.mqtt.auth.keyid == 'string') && (typeof obj.config.settings.mqtt.auth.key == 'string')) { obj.mqttbroker = require("./mqttbroker.js").CreateMQTTBroker(obj, obj.db, obj.args); }
- // Start the web server and if needed, the redirection web server.
- obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, obj.certificates, obj.StartEx5);
- if (obj.redirserver != null) { obj.redirserver.hookMainWebServer(obj.certificates); }
+ // Start the web server and if needed, the redirection web server.
+ obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, obj.certificates, obj.StartEx5);
+ if (obj.redirserver != null) { obj.redirserver.hookMainWebServer(obj.certificates); }
- // Update proxy certificates
- if (obj.supportsProxyCertificatesRequest == true) { obj.updateProxyCertificates(true); }
+ // Start the HTTP relay web server if needed
+ if ((obj.args.relayport != null) && (obj.args.relayport != 0)) {
+ obj.webrelayserver = require('./webrelayserver.js').CreateWebRelayServer(obj, obj.db, obj.args, obj.certificates, function () { });
+ }
- // Setup the Intel AMT event handler
- obj.amtEventHandler = require('./amtevents.js').CreateAmtEventsHandler(obj);
+ // Update proxy certificates
+ if (obj.supportsProxyCertificatesRequest == true) { obj.updateProxyCertificates(true); }
- // Setup the Intel AMT local network scanner
- if (obj.args.wanonly != true) {
- if (obj.args.amtscanner != false) { obj.amtScanner = require('./amtscanner.js').CreateAmtScanner(obj).start(); }
- if (obj.args.meshscanner != false) { obj.meshScanner = require('./meshscanner.js').CreateMeshScanner(obj).start(); }
- }
+ // Setup the Intel AMT event handler
+ obj.amtEventHandler = require('./amtevents.js').CreateAmtEventsHandler(obj);
- // Setup and start the MPS server
- obj.mpsserver = require('./mpsserver.js').CreateMpsServer(obj, obj.db, obj.args, obj.certificates);
+ // Setup the Intel AMT local network scanner
+ if (obj.args.wanonly != true) {
+ if (obj.args.amtscanner != false) { obj.amtScanner = require('./amtscanner.js').CreateAmtScanner(obj).start(); }
+ if (obj.args.meshscanner != false) { obj.meshScanner = require('./meshscanner.js').CreateMeshScanner(obj).start(); }
+ }
- // Setup the Intel AMT manager
- if (obj.args.amtmanager !== false) {
- obj.amtManager = require('./amtmanager.js').CreateAmtManager(obj);
- }
+ // Setup and start the MPS server
+ obj.mpsserver = require('./mpsserver.js').CreateMpsServer(obj, obj.db, obj.args, obj.certificates);
- // Setup and start the legacy swarm server
- if ((obj.certificates.swarmserver != null) && (obj.args.swarmport != null) && (obj.args.swarmport !== 0)) {
- obj.swarmserver = require('./swarmserver.js').CreateSwarmServer(obj, obj.db, obj.args, obj.certificates);
- }
+ // Setup the Intel AMT manager
+ if (obj.args.amtmanager !== false) {
+ obj.amtManager = require('./amtmanager.js').CreateAmtManager(obj);
+ }
- // Setup the main email server
- if (obj.config.sendgrid != null) {
- // Sendgrid server
- obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
- obj.mailserver.verify();
- if (obj.args.lanonly == true) { addServerWarning("SendGrid server has limited use in LAN mode.", 17); }
- } else if (obj.config.smtp != null) {
- // SMTP server
- obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
- obj.mailserver.verify();
- if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
- } else if (obj.config.sendmail != null) {
- // Sendmail server
- obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
- obj.mailserver.verify();
- if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
- }
+ // Setup and start the legacy swarm server
+ if ((obj.certificates.swarmserver != null) && (obj.args.swarmport != null) && (obj.args.swarmport !== 0)) {
+ obj.swarmserver = require('./swarmserver.js').CreateSwarmServer(obj, obj.db, obj.args, obj.certificates);
+ }
- // Setup the email server for each domain
- for (i in obj.config.domains) {
- if (obj.config.domains[i].sendgrid != null) {
+ // Setup the main email server
+ if (obj.config.sendgrid != null) {
// Sendgrid server
- obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
- obj.config.domains[i].mailserver.verify();
+ obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
+ obj.mailserver.verify();
if (obj.args.lanonly == true) { addServerWarning("SendGrid server has limited use in LAN mode.", 17); }
- } else if ((obj.config.domains[i].smtp != null) && (obj.config.domains[i].smtp.host != null) && (obj.config.domains[i].smtp.from != null)) {
+ } else if (obj.config.smtp != null) {
// SMTP server
- obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
- obj.config.domains[i].mailserver.verify();
+ obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
+ obj.mailserver.verify();
if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
- } else if (obj.config.domains[i].sendmail != null) {
+ } else if (obj.config.sendmail != null) {
// Sendmail server
- obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
- obj.config.domains[i].mailserver.verify();
+ obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
+ obj.mailserver.verify();
if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
- } else {
- // Setup the parent mail server for this domain
- if (obj.mailserver != null) { obj.config.domains[i].mailserver = obj.mailserver; }
}
- }
- // Setup SMS gateway
- if (config.sms != null) {
- obj.smsserver = require('./meshsms.js').CreateMeshSMS(obj);
- if ((obj.smsserver != null) && (obj.args.lanonly == true)) { addServerWarning("SMS gateway has limited use in LAN mode.", 19); }
- }
-
- // Setup web based push notifications
- if ((typeof config.settings.webpush == 'object') && (typeof config.settings.webpush.email == 'string')) {
- obj.webpush = require('web-push');
- var vapidKeys = null;
- try { vapidKeys = JSON.parse(obj.fs.readFileSync(obj.path.join(obj.datapath, 'vapid.json')).toString()); } catch (ex) { }
- if ((vapidKeys == null) || (typeof vapidKeys.publicKey != 'string') || (typeof vapidKeys.privateKey != 'string')) {
- console.log("Generating web push VAPID keys...");
- vapidKeys = obj.webpush.generateVAPIDKeys();
- obj.fs.writeFileSync(obj.path.join(obj.datapath, 'vapid.json'), JSON.stringify(vapidKeys));
- }
- obj.webpush.vapidPublicKey = vapidKeys.publicKey;
- obj.webpush.setVapidDetails('mailto:' + config.settings.webpush.email, vapidKeys.publicKey, vapidKeys.privateKey);
- if (typeof config.settings.webpush.gcmapi == 'string') { webpush.setGCMAPIKey(config.settings.webpush.gcmapi); }
- }
-
- // Setup Firebase
- if ((config.firebase != null) && (typeof config.firebase.senderid == 'string') && (typeof config.firebase.serverkey == 'string')) {
- obj.firebase = require('./firebase').CreateFirebase(obj, config.firebase.senderid, config.firebase.serverkey);
- } else if ((typeof config.firebaserelay == 'object') && (typeof config.firebaserelay.url == 'string')) {
- // Setup the push messaging relay
- obj.firebase = require('./firebase').CreateFirebaseRelay(obj, config.firebaserelay.url, config.firebaserelay.key);
- } else if (obj.config.settings.publicpushnotifications === true) {
- // Setup the Firebase push messaging relay using https://meshcentral.com, this is the public push notification server.
- obj.firebase = require('./firebase').CreateFirebaseRelay(obj, 'https://meshcentral.com/firebaserelay.aspx');
- }
-
- // Start periodic maintenance
- obj.maintenanceTimer = setInterval(obj.maintenanceActions, 1000 * 60 * 60); // Run this every hour
-
- // Dispatch an event that the server is now running
- obj.DispatchEvent(['*'], obj, { etype: 'server', action: 'started', msg: 'Server started' });
-
- // Plugin hook. Need to run something at server startup? This is the place.
- if (obj.pluginHandler) { obj.pluginHandler.callHook('server_startup'); }
-
- // Setup the login cookie encryption key
- if ((obj.config) && (obj.config.settings) && (typeof obj.config.settings.logincookieencryptionkey == 'string')) {
- // We have a string, hash it and use that as a key
- try { obj.loginCookieEncryptionKey = Buffer.from(obj.config.settings.logincookieencryptionkey, 'hex'); } catch (ex) { }
- if ((obj.loginCookieEncryptionKey == null) || (obj.loginCookieEncryptionKey.length != 80)) { addServerWarning("Invalid \"LoginCookieEncryptionKey\" in config.json.", 20); obj.loginCookieEncryptionKey = null; }
- }
-
- // Login cookie encryption key not set, use one from the database
- if (obj.loginCookieEncryptionKey == null) {
- obj.db.Get('LoginCookieEncryptionKey', function (err, docs) {
- if ((docs != null) && (docs.length > 0) && (docs[0].key != null) && (obj.args.logintokengen == null) && (docs[0].key.length >= 160)) {
- obj.loginCookieEncryptionKey = Buffer.from(docs[0].key, 'hex');
+ // Setup the email server for each domain
+ for (i in obj.config.domains) {
+ if (obj.config.domains[i].sendgrid != null) {
+ // Sendgrid server
+ obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
+ obj.config.domains[i].mailserver.verify();
+ if (obj.args.lanonly == true) { addServerWarning("SendGrid server has limited use in LAN mode.", 17); }
+ } else if ((obj.config.domains[i].smtp != null) && (obj.config.domains[i].smtp.host != null) && (obj.config.domains[i].smtp.from != null)) {
+ // SMTP server
+ obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
+ obj.config.domains[i].mailserver.verify();
+ if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
+ } else if (obj.config.domains[i].sendmail != null) {
+ // Sendmail server
+ obj.config.domains[i].mailserver = require('./meshmail.js').CreateMeshMail(obj, obj.config.domains[i]);
+ obj.config.domains[i].mailserver.verify();
+ if (obj.args.lanonly == true) { addServerWarning("SMTP server has limited use in LAN mode.", 18); }
} else {
- obj.loginCookieEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'LoginCookieEncryptionKey', key: obj.loginCookieEncryptionKey.toString('hex'), time: Date.now() });
+ // Setup the parent mail server for this domain
+ if (obj.mailserver != null) { obj.config.domains[i].mailserver = obj.mailserver; }
+ }
+ }
+
+ // Setup SMS gateway
+ if (config.sms != null) {
+ obj.smsserver = require('./meshsms.js').CreateMeshSMS(obj);
+ if ((obj.smsserver != null) && (obj.args.lanonly == true)) { addServerWarning("SMS gateway has limited use in LAN mode.", 19); }
+ }
+
+ // Setup web based push notifications
+ if ((typeof config.settings.webpush == 'object') && (typeof config.settings.webpush.email == 'string')) {
+ obj.webpush = require('web-push');
+ var vapidKeys = null;
+ try { vapidKeys = JSON.parse(obj.fs.readFileSync(obj.path.join(obj.datapath, 'vapid.json')).toString()); } catch (ex) { }
+ if ((vapidKeys == null) || (typeof vapidKeys.publicKey != 'string') || (typeof vapidKeys.privateKey != 'string')) {
+ console.log("Generating web push VAPID keys...");
+ vapidKeys = obj.webpush.generateVAPIDKeys();
+ obj.fs.writeFileSync(obj.path.join(obj.datapath, 'vapid.json'), JSON.stringify(vapidKeys));
+ }
+ obj.webpush.vapidPublicKey = vapidKeys.publicKey;
+ obj.webpush.setVapidDetails('mailto:' + config.settings.webpush.email, vapidKeys.publicKey, vapidKeys.privateKey);
+ if (typeof config.settings.webpush.gcmapi == 'string') { webpush.setGCMAPIKey(config.settings.webpush.gcmapi); }
+ }
+
+ // Setup Firebase
+ if ((config.firebase != null) && (typeof config.firebase.senderid == 'string') && (typeof config.firebase.serverkey == 'string')) {
+ obj.firebase = require('./firebase').CreateFirebase(obj, config.firebase.senderid, config.firebase.serverkey);
+ } else if ((typeof config.firebaserelay == 'object') && (typeof config.firebaserelay.url == 'string')) {
+ // Setup the push messaging relay
+ obj.firebase = require('./firebase').CreateFirebaseRelay(obj, config.firebaserelay.url, config.firebaserelay.key);
+ } else if (obj.config.settings.publicpushnotifications === true) {
+ // Setup the Firebase push messaging relay using https://meshcentral.com, this is the public push notification server.
+ obj.firebase = require('./firebase').CreateFirebaseRelay(obj, 'https://meshcentral.com/firebaserelay.aspx');
+ }
+
+ // Start periodic maintenance
+ obj.maintenanceTimer = setInterval(obj.maintenanceActions, 1000 * 60 * 60); // Run this every hour
+
+ // Dispatch an event that the server is now running
+ obj.DispatchEvent(['*'], obj, { etype: 'server', action: 'started', msg: 'Server started' });
+
+ // Plugin hook. Need to run something at server startup? This is the place.
+ if (obj.pluginHandler) { obj.pluginHandler.callHook('server_startup'); }
+
+ // Setup the login cookie encryption key
+ if ((obj.config) && (obj.config.settings) && (typeof obj.config.settings.logincookieencryptionkey == 'string')) {
+ // We have a string, hash it and use that as a key
+ try { obj.loginCookieEncryptionKey = Buffer.from(obj.config.settings.logincookieencryptionkey, 'hex'); } catch (ex) { }
+ if ((obj.loginCookieEncryptionKey == null) || (obj.loginCookieEncryptionKey.length != 80)) { addServerWarning("Invalid \"LoginCookieEncryptionKey\" in config.json.", 20); obj.loginCookieEncryptionKey = null; }
+ }
+
+ // Login cookie encryption key not set, use one from the database
+ if (obj.loginCookieEncryptionKey == null) {
+ obj.db.Get('LoginCookieEncryptionKey', function (err, docs) {
+ if ((docs != null) && (docs.length > 0) && (docs[0].key != null) && (obj.args.logintokengen == null) && (docs[0].key.length >= 160)) {
+ obj.loginCookieEncryptionKey = Buffer.from(docs[0].key, 'hex');
+ } else {
+ obj.loginCookieEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'LoginCookieEncryptionKey', key: obj.loginCookieEncryptionKey.toString('hex'), time: Date.now() });
+ }
+ });
+ }
+
+ // Load the invitation link encryption key from the database
+ obj.db.Get('InvitationLinkEncryptionKey', function (err, docs) {
+ if ((docs != null) && (docs.length > 0) && (docs[0].key != null) && (docs[0].key.length >= 160)) {
+ obj.invitationLinkEncryptionKey = Buffer.from(docs[0].key, 'hex');
+ } else {
+ obj.invitationLinkEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'InvitationLinkEncryptionKey', key: obj.invitationLinkEncryptionKey.toString('hex'), time: Date.now() });
}
});
- }
- // Load the invitation link encryption key from the database
- obj.db.Get('InvitationLinkEncryptionKey', function (err, docs) {
- if ((docs != null) && (docs.length > 0) && (docs[0].key != null) && (docs[0].key.length >= 160)) {
- obj.invitationLinkEncryptionKey = Buffer.from(docs[0].key, 'hex');
- } else {
- obj.invitationLinkEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'InvitationLinkEncryptionKey', key: obj.invitationLinkEncryptionKey.toString('hex'), time: Date.now() });
+ // Setup Intel AMT hello server
+ if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string') && (typeof config.settings.amtprovisioningserver.ip == 'string')) {
+ obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver);
}
- });
- // Setup Intel AMT hello server
- if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string') && (typeof config.settings.amtprovisioningserver.ip == 'string')) {
- obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver);
- }
+ // Start collecting server stats every 5 minutes
+ obj.trafficStats = obj.webserver.getTrafficStats();
+ setInterval(function () {
+ obj.serverStatsCounter++;
+ var hours = 720; // Start with all events lasting 30 days.
+ if (((obj.serverStatsCounter) % 2) == 1) { hours = 3; } // Half of the event get removed after 3 hours.
+ else if ((Math.floor(obj.serverStatsCounter / 2) % 2) == 1) { hours = 8; } // Another half of the event get removed after 8 hours.
+ else if ((Math.floor(obj.serverStatsCounter / 4) % 2) == 1) { hours = 24; } // Another half of the event get removed after 24 hours.
+ else if ((Math.floor(obj.serverStatsCounter / 8) % 2) == 1) { hours = 48; } // Another half of the event get removed after 48 hours.
+ else if ((Math.floor(obj.serverStatsCounter / 16) % 2) == 1) { hours = 72; } // Another half of the event get removed after 72 hours.
+ const expire = new Date();
+ expire.setTime(expire.getTime() + (60 * 60 * 1000 * hours));
- // Start collecting server stats every 5 minutes
- obj.trafficStats = obj.webserver.getTrafficStats();
- setInterval(function () {
- obj.serverStatsCounter++;
- var hours = 720; // Start with all events lasting 30 days.
- if (((obj.serverStatsCounter) % 2) == 1) { hours = 3; } // Half of the event get removed after 3 hours.
- else if ((Math.floor(obj.serverStatsCounter / 2) % 2) == 1) { hours = 8; } // Another half of the event get removed after 8 hours.
- else if ((Math.floor(obj.serverStatsCounter / 4) % 2) == 1) { hours = 24; } // Another half of the event get removed after 24 hours.
- else if ((Math.floor(obj.serverStatsCounter / 8) % 2) == 1) { hours = 48; } // Another half of the event get removed after 48 hours.
- else if ((Math.floor(obj.serverStatsCounter / 16) % 2) == 1) { hours = 72; } // Another half of the event get removed after 72 hours.
- const expire = new Date();
- expire.setTime(expire.getTime() + (60 * 60 * 1000 * hours));
+ // Get traffic data
+ var trafficStats = obj.webserver.getTrafficDelta(obj.trafficStats);
+ obj.trafficStats = trafficStats.current;
- // Get traffic data
- var trafficStats = obj.webserver.getTrafficDelta(obj.trafficStats);
- obj.trafficStats = trafficStats.current;
+ var data = {
+ time: new Date(),
+ expire: expire,
+ mem: process.memoryUsage(),
+ conn: {
+ ca: Object.keys(obj.webserver.wsagents).length,
+ cu: Object.keys(obj.webserver.wssessions).length,
+ us: Object.keys(obj.webserver.wssessions2).length,
+ rs: obj.webserver.relaySessionCount
+ },
+ traffic: trafficStats.delta
+ };
+ try { data.cpu = require('os').loadavg(); } catch (ex) { }
+ if (obj.mpsserver != null) {
+ data.conn.am = 0;
+ for (var i in obj.mpsserver.ciraConnections) { data.conn.am += obj.mpsserver.ciraConnections[i].length; }
+ }
+ if (obj.firstStats === true) { delete obj.firstStats; data.first = true; }
+ if (obj.multiServer != null) { data.s = obj.multiServer.serverid; }
+ obj.db.SetServerStats(data); // Save the stats to the database
+ obj.DispatchEvent(['*'], obj, { action: 'servertimelinestats', data: data }); // Event the server stats
+ }, 300000);
- var data = {
- time: new Date(),
- expire: expire,
- mem: process.memoryUsage(),
- conn: {
- ca: Object.keys(obj.webserver.wsagents).length,
- cu: Object.keys(obj.webserver.wssessions).length,
- us: Object.keys(obj.webserver.wssessions2).length,
- rs: obj.webserver.relaySessionCount
- },
- traffic: trafficStats.delta
- };
- try { data.cpu = require('os').loadavg(); } catch (ex) { }
- if (obj.mpsserver != null) {
- data.conn.am = 0;
- for (var i in obj.mpsserver.ciraConnections) { data.conn.am += obj.mpsserver.ciraConnections[i].length; }
+ obj.debug('main', "Server started");
+ if (obj.args.nousers == true) { obj.updateServerState('nousers', '1'); }
+ obj.updateServerState('state', "running");
+
+ // Setup auto-backup defaults
+ if (obj.config.settings.autobackup == null) { obj.config.settings.autobackup = { backupintervalhours: 24, keeplastdaysbackup: 10 }; }
+ else if (obj.config.settings.autobackup === false) { delete obj.config.settings.autobackup; }
+
+ // Check that autobackup path is not within the "meshcentral-data" folder.
+ if ((typeof obj.config.settings.autobackup == 'object') && (typeof obj.config.settings.autobackup.backuppath == 'string') && (obj.path.normalize(obj.config.settings.autobackup.backuppath).startsWith(obj.path.normalize(obj.datapath)))) {
+ addServerWarning("Backup path can't be set within meshcentral-data folder, backup settings ignored.", 21);
+ delete obj.config.settings.autobackup;
}
- if (obj.firstStats === true) { delete obj.firstStats; data.first = true; }
- if (obj.multiServer != null) { data.s = obj.multiServer.serverid; }
- obj.db.SetServerStats(data); // Save the stats to the database
- obj.DispatchEvent(['*'], obj, { action: 'servertimelinestats', data: data }); // Event the server stats
- }, 300000);
- obj.debug('main', "Server started");
- if (obj.args.nousers == true) { obj.updateServerState('nousers', '1'); }
- obj.updateServerState('state', "running");
+ // Load Intel AMT passwords from the "amtactivation.log" file
+ obj.loadAmtActivationLogPasswords(function (amtPasswords) {
+ obj.amtPasswords = amtPasswords;
+ });
- // Setup auto-backup defaults
- if (obj.config.settings.autobackup == null) { obj.config.settings.autobackup = { backupintervalhours: 24, keeplastdaysbackup: 10 }; }
- else if (obj.config.settings.autobackup === false) { delete obj.config.settings.autobackup; }
-
- // Check that autobackup path is not within the "meshcentral-data" folder.
- if ((typeof obj.config.settings.autobackup == 'object') && (typeof obj.config.settings.autobackup.backuppath == 'string') && (obj.path.normalize(obj.config.settings.autobackup.backuppath).startsWith(obj.path.normalize(obj.datapath)))) {
- addServerWarning("Backup path can't be set within meshcentral-data folder, backup settings ignored.", 21);
- delete obj.config.settings.autobackup;
- }
-
- // Load Intel AMT passwords from the "amtactivation.log" file
- obj.loadAmtActivationLogPasswords(function (amtPasswords) {
- obj.amtPasswords = amtPasswords;
- });
-
- // Setup users that can see all device groups
- if (typeof obj.config.settings.managealldevicegroups == 'string') { obj.config.settings.managealldevicegroups = obj.config.settings.managealldevicegroups.split(','); }
- else if (Array.isArray(obj.config.settings.managealldevicegroups) == false) { obj.config.settings.managealldevicegroups = []; }
- for (i in obj.config.domains) {
- if (Array.isArray(obj.config.domains[i].managealldevicegroups)) {
- for (var j in obj.config.domains[i].managealldevicegroups) {
- if (typeof obj.config.domains[i].managealldevicegroups[j] == 'string') {
- const u = 'user/' + i + '/' + obj.config.domains[i].managealldevicegroups[j];
- if (obj.config.settings.managealldevicegroups.indexOf(u) == -1) { obj.config.settings.managealldevicegroups.push(u); }
+ // Setup users that can see all device groups
+ if (typeof obj.config.settings.managealldevicegroups == 'string') { obj.config.settings.managealldevicegroups = obj.config.settings.managealldevicegroups.split(','); }
+ else if (Array.isArray(obj.config.settings.managealldevicegroups) == false) { obj.config.settings.managealldevicegroups = []; }
+ for (i in obj.config.domains) {
+ if (Array.isArray(obj.config.domains[i].managealldevicegroups)) {
+ for (var j in obj.config.domains[i].managealldevicegroups) {
+ if (typeof obj.config.domains[i].managealldevicegroups[j] == 'string') {
+ const u = 'user/' + i + '/' + obj.config.domains[i].managealldevicegroups[j];
+ if (obj.config.settings.managealldevicegroups.indexOf(u) == -1) { obj.config.settings.managealldevicegroups.push(u); }
+ }
}
}
}
- }
- obj.config.settings.managealldevicegroups.sort();
+ obj.config.settings.managealldevicegroups.sort();
- // Start watchdog timer if needed
- // This is used to monitor if NodeJS is servicing IO correctly or getting held up a lot. Add this line to the settings section of config.json
- // "watchDog": { "interval": 100, "timeout": 150 }
- // This will check every 100ms, if the timer is more than 150ms late, it will warn.
- if ((typeof config.settings.watchdog == 'object') && (typeof config.settings.watchdog.interval == 'number') && (typeof config.settings.watchdog.timeout == 'number') && (config.settings.watchdog.interval >= 50) && (config.settings.watchdog.timeout >= 50)) {
- obj.watchdogtime = Date.now();
- obj.watchdogmax = 0;
- obj.watchdogmaxtime = null;
- obj.watchdogtable = [];
- obj.watchdog = setInterval(function () {
- const now = Date.now(), delta = now - obj.watchdogtime - config.settings.watchdog.interval;
- if (delta > obj.watchdogmax) { obj.watchdogmax = delta; obj.watchdogmaxtime = new Date().toLocaleString(); }
- if (delta > config.settings.watchdog.timeout) {
- const msg = obj.common.format("Watchdog timer timeout, {0}ms.", delta);
- obj.watchdogtable.push(new Date().toLocaleString() + ', ' + delta + 'ms');
- while (obj.watchdogtable.length > 10) { obj.watchdogtable.shift(); }
- obj.debug('main', msg);
- try {
- var errlogpath = null;
- if (typeof obj.args.mesherrorlogpath == 'string') { errlogpath = obj.path.join(obj.args.mesherrorlogpath, 'mesherrors.txt'); } else { errlogpath = obj.getConfigFilePath('mesherrors.txt'); }
- obj.fs.appendFileSync(errlogpath, new Date().toLocaleString() + ': ' + msg + '\r\n');
- } catch (ex) { console.log('ERROR: Unable to write to mesherrors.txt.'); }
- }
- obj.watchdogtime = now;
- }, config.settings.watchdog.interval);
- obj.debug('main', "Started watchdog timer.");
- }
+ // Start watchdog timer if needed
+ // This is used to monitor if NodeJS is servicing IO correctly or getting held up a lot. Add this line to the settings section of config.json
+ // "watchDog": { "interval": 100, "timeout": 150 }
+ // This will check every 100ms, if the timer is more than 150ms late, it will warn.
+ if ((typeof config.settings.watchdog == 'object') && (typeof config.settings.watchdog.interval == 'number') && (typeof config.settings.watchdog.timeout == 'number') && (config.settings.watchdog.interval >= 50) && (config.settings.watchdog.timeout >= 50)) {
+ obj.watchdogtime = Date.now();
+ obj.watchdogmax = 0;
+ obj.watchdogmaxtime = null;
+ obj.watchdogtable = [];
+ obj.watchdog = setInterval(function () {
+ const now = Date.now(), delta = now - obj.watchdogtime - config.settings.watchdog.interval;
+ if (delta > obj.watchdogmax) { obj.watchdogmax = delta; obj.watchdogmaxtime = new Date().toLocaleString(); }
+ if (delta > config.settings.watchdog.timeout) {
+ const msg = obj.common.format("Watchdog timer timeout, {0}ms.", delta);
+ obj.watchdogtable.push(new Date().toLocaleString() + ', ' + delta + 'ms');
+ while (obj.watchdogtable.length > 10) { obj.watchdogtable.shift(); }
+ obj.debug('main', msg);
+ try {
+ var errlogpath = null;
+ if (typeof obj.args.mesherrorlogpath == 'string') { errlogpath = obj.path.join(obj.args.mesherrorlogpath, 'mesherrors.txt'); } else { errlogpath = obj.getConfigFilePath('mesherrors.txt'); }
+ obj.fs.appendFileSync(errlogpath, new Date().toLocaleString() + ': ' + msg + '\r\n');
+ } catch (ex) { console.log('ERROR: Unable to write to mesherrors.txt.'); }
+ }
+ obj.watchdogtime = now;
+ }, config.settings.watchdog.interval);
+ obj.debug('main', "Started watchdog timer.");
+ }
+ });
});
});
};
@@ -2841,46 +2848,60 @@ function CreateMeshCentralServer(config, args) {
10006: { id: 10006, localname: 'MeshCentralAssistant.exe', rname: 'MeshCentralAssistant.exe', desc: 'MeshCentral Assistant for Windows', update: false, amt: false, platform: 'win32' } // MeshCentral Assistant
};
- // Update the list of available mesh agents
- obj.updateMeshAgentsTable = function (domain, func) {
+ // Sign windows agents
+ obj.signMeshAgents = function (domain, func) {
// Setup the domain is specified
var objx = domain, suffix = '';
if (domain.id == '') { objx = obj; } else { suffix = '-' + domain.id; objx.meshAgentBinaries = {}; }
// Check if a custom agent signing certificate is available
- var agentSignCertInfo = require('./authenticode.js').loadCertificates([ obj.path.join(obj.datapath, 'agentsigningcert.pem') ]);
+ var agentSignCertInfo = require('./authenticode.js').loadCertificates([obj.path.join(obj.datapath, 'agentsigningcert.pem')]);
// If not using a custom signing cert, get agent code signature certificate ready with the full cert chain
if ((agentSignCertInfo == null) && (obj.certificates.codesign != null)) {
agentSignCertInfo = {
cert: obj.certificateOperations.forge.pki.certificateFromPem(obj.certificates.codesign.cert),
key: obj.certificateOperations.forge.pki.privateKeyFromPem(obj.certificates.codesign.key),
- extraCerts: [obj.certificateOperations.forge.pki.certificateFromPem(obj.certificates.root.cert) ]
+ extraCerts: [obj.certificateOperations.forge.pki.certificateFromPem(obj.certificates.root.cert)]
}
}
+ if (agentSignCertInfo == null) { func(); return; } // No code signing certificate, nothing to do.
+
+ // Setup the domain is specified
+ var objx = domain, suffix = '';
+ if (domain.id == '') { objx = obj; } else { suffix = '-' + domain.id; objx.meshAgentBinaries = {}; }
// Generate the agent signature description and URL
- var serverSignedAgentsPath, signDesc, signUrl;
- if (agentSignCertInfo != null) {
- serverSignedAgentsPath = obj.path.join(obj.datapath, 'signedagents' + suffix);
- signDesc = (domain.title ? domain.title : agentSignCertInfo.cert.subject.hash);
- var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
- signUrl = 'https://' + ((domain.dns != null) ? domain.dns : obj.certificates.CommonName);
- if (httpsPort != 443) { signUrl += ':' + httpsPort; }
- var xdomain = (domain.dns == null) ? domain.id : '';
- if (xdomain != '') xdomain += '/';
- signUrl += '/' + xdomain;
+ const serverSignedAgentsPath = obj.path.join(obj.datapath, 'signedagents' + suffix);
+ const signDesc = (domain.title ? domain.title : agentSignCertInfo.cert.subject.hash);
+ const httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
+ var httpsHost = ((domain.dns != null) ? domain.dns : obj.certificates.CommonName);
+ if (obj.args.agentaliasdns != null) { httpsHost = obj.args.agentaliasdns; }
+ var signUrl = 'https://' + httpsHost;
+ if (httpsPort != 443) { signUrl += ':' + httpsPort; }
+ var xdomain = (domain.dns == null) ? domain.id : '';
+ if (xdomain != '') xdomain += '/';
+ signUrl += '/' + xdomain;
- // If requested, lock the agent to this server
- if (obj.config.settings.agentsignlock) { signUrl += '?ServerID=' + obj.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert).toUpperCase(); }
- }
+ // If requested, lock the agent to this server
+ if (obj.config.settings.agentsignlock) { signUrl += '?ServerID=' + obj.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert).toUpperCase(); }
- // Load agent information file. This includes the data & time of the agent.
- const agentInfo = [];
- try { agentInfo = JSON.parse(obj.fs.readFileSync(obj.path.join(__dirname, 'agents', 'hashagents.json'), 'utf8')); } catch (ex) { }
+ // Setup the time server
+ var timeStampUrl = 'http://timestamp.comodoca.com/authenticode';
+ if (args.agenttimestampserver === false) { timeStampUrl = null; }
+ else if (typeof args.agenttimestampserver == 'string') { timeStampUrl = args.agenttimestampserver; }
+
+ // Setup the time server proxy
+ var timeStampProxy = null;
+ if (typeof args.agenttimestampproxy == 'string') { timeStampProxy = args.agenttimestampproxy; }
+ else if ((args.agenttimestampproxy !== false) && (typeof args.npmproxy == 'string')) { timeStampProxy = args.npmproxy; }
+
+ // Setup the pending operations counter
+ var pendingOperations = 1;
- var archcount = 0;
for (var archid in obj.meshAgentsArchitectureNumbers) {
+ if (obj.meshAgentsArchitectureNumbers[archid].codesign !== true) continue;
+
var agentpath;
if (domain.id == '') {
// Load all agents when processing the default domain
@@ -2893,46 +2914,137 @@ function CreateMeshCentralServer(config, args) {
if (obj.fs.existsSync(agentpath)) { delete obj.meshAgentsArchitectureNumbers[archid].codesign; } else { continue; } // If the agent is not present in "meshcentral-data/agents" skip.
}
+ // Open the original agent with authenticode
+ const signeedagentpath = obj.path.join(serverSignedAgentsPath, obj.meshAgentsArchitectureNumbers[archid].localname);
+ const originalAgent = require('./authenticode.js').createAuthenticodeHandler(agentpath);
+ if (originalAgent != null) {
+ // Check if the agent is already signed correctly
+ const destinationAgent = require('./authenticode.js').createAuthenticodeHandler(signeedagentpath);
+ var destinationAgentOk = (
+ (destinationAgent != null) &&
+ (destinationAgent.fileHashSigned != null) &&
+ (Buffer.compare(destinationAgent.fileHashSigned, destinationAgent.fileHashActual) == 0) &&
+ (destinationAgent.signingAttribs.indexOf(signUrl) >= 0) &&
+ (destinationAgent.signingAttribs.indexOf(signDesc) >= 0)
+ );
+
+ if (destinationAgent != null) {
+ // If the agent is signed correctly, look to see if the resources in the destination agent are correct
+ var orgVersionStrings = originalAgent.getVersionInfo();
+ if (destinationAgentOk == true) {
+ var versionStrings = destinationAgent.getVersionInfo();
+ var versionProperties = ['FileDescription', 'FileVersion', 'InternalName', 'LegalCopyright', 'OriginalFilename', 'ProductName', 'ProductVersion'];
+ for (var i in versionProperties) {
+ const prop = versionProperties[i], propl = prop.toLowerCase();
+ if ((domain.agentfileinfo != null) && (typeof domain.agentfileinfo == 'object') && (typeof domain.agentfileinfo[propl] == 'string')) {
+ if (domain.agentfileinfo[propl] != versionStrings[prop]) { destinationAgentOk = false; } // If the resource we want is not the same as the destination executable, we need to re-sign the agent.
+ } else {
+ if (orgVersionStrings[prop] != versionStrings[prop]) { destinationAgentOk = false; } // if the resource of the orginal agent not the same as the destination executable, we need to re-sign the agent.
+ }
+ }
+ }
+
+ // If everything looks ok, runs a hash of the original and destination agent skipping the CRC, resource and signature blocks. If different, sign the agent again.
+ if ((destinationAgentOk == true) && (originalAgent.getHashNoResources('sha384').compare(destinationAgent.getHashNoResources('sha384')) != 0)) { destinationAgentOk = false; }
+
+ // We are done comparing the destination agent, close it.
+ destinationAgent.close();
+ }
+
+ if (destinationAgentOk == false) {
+ // If not signed correctly, sign it. First, create the server signed agent folder if needed
+ try { obj.fs.mkdirSync(serverSignedAgentsPath); } catch (ex) { }
+ const xagentSignedFunc = function agentSignedFunc(err, size) {
+ if (err == null) {
+ // Agent was signed succesfuly
+ console.log(obj.common.format('Code signed agent {0}.', agentSignedFunc.objx.meshAgentsArchitectureNumbers[agentSignedFunc.archid].localname));
+ } else {
+ // Failed to sign agent
+ addServerWarning('Failed to sign agent \"' + agentSignedFunc.objx.meshAgentsArchitectureNumbers[agentSignedFunc.archid].localname + '\": ' + err, 22, [ agentSignedFunc.objx.meshAgentsArchitectureNumbers[agentSignedFunc.archid].localname, err ]);
+ }
+ if (--pendingOperations === 0) { agentSignedFunc.func(); }
+ }
+ pendingOperations++;
+ xagentSignedFunc.func = func;
+ xagentSignedFunc.objx = objx;
+ xagentSignedFunc.archid = archid;
+ xagentSignedFunc.signeedagentpath = signeedagentpath;
+
+ // Parse the resources in the executable and make any required changes
+ var resChanges = false, versionStrings = null;
+ if ((domain.agentfileinfo != null) && (typeof domain.agentfileinfo == 'object')) {
+ versionStrings = originalAgent.getVersionInfo();
+ var versionProperties = ['FileDescription', 'FileVersion', 'InternalName', 'LegalCopyright', 'OriginalFilename', 'ProductName', 'ProductVersion'];
+ for (var i in versionProperties) {
+ const prop = versionProperties[i], propl = prop.toLowerCase();
+ if (domain.agentfileinfo[propl] && (domain.agentfileinfo[propl] != versionStrings[prop])) { versionStrings[prop] = domain.agentfileinfo[propl]; resChanges = true; }
+ }
+ if (resChanges == true) { originalAgent.setVersionInfo(versionStrings); }
+ }
+
+ const signingArguments = { out: signeedagentpath, desc: signDesc, url: signUrl, time: timeStampUrl, proxy: timeStampProxy }; // Shallow clone
+ obj.debug('main', "Code signing agent with arguments: " + JSON.stringify(signingArguments));
+ if (resChanges == false) {
+ // Sign the agent the simple way, without changing any resources.
+ originalAgent.sign(agentSignCertInfo, signingArguments, xagentSignedFunc);
+ } else {
+ // Change the agent resources and sign the agent, this is a much more involved process.
+ // NOTE: This is experimental and could corupt the agent.
+ originalAgent.writeExecutable(signingArguments, agentSignCertInfo, xagentSignedFunc);
+ }
+ } else {
+ // Signed agent is already ok, use it.
+ originalAgent.close();
+ }
+ }
+ }
+
+ if (--pendingOperations === 0) { func(); }
+ }
+
+ // Update the list of available mesh agents
+ obj.updateMeshAgentsTable = function (domain, func) {
+ // Check if a custom agent signing certificate is available
+ var agentSignCertInfo = require('./authenticode.js').loadCertificates([obj.path.join(obj.datapath, 'agentsigningcert.pem')]);
+
+ // If not using a custom signing cert, get agent code signature certificate ready with the full cert chain
+ if ((agentSignCertInfo == null) && (obj.certificates.codesign != null)) {
+ agentSignCertInfo = {
+ cert: obj.certificateOperations.forge.pki.certificateFromPem(obj.certificates.codesign.cert),
+ key: obj.certificateOperations.forge.pki.privateKeyFromPem(obj.certificates.codesign.key),
+ extraCerts: [obj.certificateOperations.forge.pki.certificateFromPem(obj.certificates.root.cert)]
+ }
+ }
+
+ // Setup the domain is specified
+ var objx = domain, suffix = '';
+ if (domain.id == '') { objx = obj; } else { suffix = '-' + domain.id; objx.meshAgentBinaries = {}; }
+
+ // Load agent information file. This includes the data & time of the agent.
+ const agentInfo = [];
+ try { agentInfo = JSON.parse(obj.fs.readFileSync(obj.path.join(__dirname, 'agents', 'hashagents.json'), 'utf8')); } catch (ex) { }
+
+ var archcount = 0;
+ for (var archid in obj.meshAgentsArchitectureNumbers) {
+ var agentpath;
+ if (domain.id == '') {
+ // Load all agents when processing the default domain
+ agentpath = obj.path.join(__dirname, 'agents' + suffix, obj.meshAgentsArchitectureNumbers[archid].localname);
+ const agentpath2 = obj.path.join(obj.datapath, 'signedagents' + suffix, obj.meshAgentsArchitectureNumbers[archid].localname);
+ if (obj.fs.existsSync(agentpath2)) { agentpath = agentpath2; } // If the agent is present in "meshcentral-data/signedagents", use that one instead.
+ const agentpath3 = obj.path.join(obj.datapath, 'agents' + suffix, obj.meshAgentsArchitectureNumbers[archid].localname);
+ if (obj.fs.existsSync(agentpath3)) { agentpath = agentpath3; } // If the agent is present in "meshcentral-data/agents", use that one instead.
+ } else {
+ // When processing an extra domain, only load agents that are specific to that domain
+ var agentpath = obj.path.join(obj.datapath, 'agents' + suffix, obj.meshAgentsArchitectureNumbers[archid].localname);
+ if (obj.fs.existsSync(agentpath)) { delete obj.meshAgentsArchitectureNumbers[archid].codesign; } else { continue; } // If the agent is not present in "meshcentral-data/agents" skip.
+ }
+
// Fetch agent binary information
var stats = null;
try { stats = obj.fs.statSync(agentpath); } catch (ex) { }
if ((stats == null)) continue; // If this agent does not exist, skip it.
- // Check if we need to sign this agent, if so, check if it's already been signed
- if ((obj.meshAgentsArchitectureNumbers[archid].codesign === true) && (agentSignCertInfo != null)) {
- // Open the original agent with authenticode
- var signeedagentpath = obj.path.join(serverSignedAgentsPath, obj.meshAgentsArchitectureNumbers[archid].localname);
- const originalAgent = require('./authenticode.js').createAuthenticodeHandler(agentpath);
- if (originalAgent != null) {
- // Check if the agent is already signed correctly
- const destinationAgent = require('./authenticode.js').createAuthenticodeHandler(signeedagentpath);
- var destinationAgentOk = (
- (destinationAgent != null) &&
- (destinationAgent.fileHashSigned != null) &&
- (Buffer.compare(destinationAgent.fileHashSigned, destinationAgent.fileHashActual) == 0) &&
- ((Buffer.compare(destinationAgent.fileHashSigned, originalAgent.getHash(destinationAgent.fileHashAlgo))) == 0) &&
- (destinationAgent.signingAttribs.indexOf(signUrl) >= 0) &&
- (destinationAgent.signingAttribs.indexOf(signDesc) >= 0)
- );
- if (destinationAgent != null) { destinationAgent.close(); }
- if (destinationAgentOk == false) {
- // If not signed correctly, sign it. First, create the server signed agent folder if needed
- try { obj.fs.mkdirSync(serverSignedAgentsPath); } catch (ex) { }
- if (originalAgent.sign(agentSignCertInfo, { out: signeedagentpath, desc: signDesc, url: signUrl }) == true) {
- // Agent was signed succesfuly
- agentpath = signeedagentpath;
- console.log(obj.common.format('Code signed agent {0}.', obj.meshAgentsArchitectureNumbers[archid].localname));
- } else {
- console.log(obj.common.format('Failed to sign agent {0}.', obj.meshAgentsArchitectureNumbers[archid].localname));
- }
- } else {
- // Signed agent is already ok, use it.
- agentpath = signeedagentpath;
- }
- originalAgent.close();
- }
- }
-
// Setup agent information
archcount++;
objx.meshAgentBinaries[archid] = Object.assign({}, obj.meshAgentsArchitectureNumbers[archid]);
@@ -2952,7 +3064,7 @@ function CreateMeshCentralServer(config, args) {
// Load the agent with a random msh added to it.
const outStream = new require('stream').Duplex();
outStream.meshAgentBinary = objx.meshAgentBinaries[archid];
- outStream.meshAgentBinary.randomMsh = agentSignCertInfo.cert.subject.hash;
+ if (agentSignCertInfo) { outStream.meshAgentBinary.randomMsh = agentSignCertInfo.cert.subject.hash; } else { outStream.meshAgentBinary.randomMsh = obj.crypto.randomBytes(16).toString('hex'); }
outStream.bufferList = [];
outStream._write = function (chunk, encoding, callback) { this.bufferList.push(chunk); if (callback) callback(); }; // Append the chuck.
outStream._read = function (size) { }; // Do nothing, this is not going to be called.
diff --git a/meshrelay.js b/meshrelay.js
index d2915e67..aab96b60 100644
--- a/meshrelay.js
+++ b/meshrelay.js
@@ -43,6 +43,8 @@ const MESHRIGHT_ADMIN = 0xFFFFFFFF;
// 10 = Web-RDP
// 11 = Web-SSH
// 12 = Web-VNC
+// 13 = Web-SSH-Files
+// 14 = Web-TCP
// 100 = Intel AMT WSMAN
// 101 = Intel AMT Redirection
// 200 = Messenger
diff --git a/meshuser.js b/meshuser.js
index 2c2ec115..aa2fe965 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -696,7 +696,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Request a list of all nodes
db.GetAllTypeNoTypeFieldMeshFiltered(links, extraids, domain.id, 'node', command.id, function (err, docs) {
- //console.log(docs);
+ //console.log(err, docs);
if (docs == null) { docs = []; }
parent.common.unEscapeAllLinksFieldName(docs);
@@ -2867,8 +2867,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((command.actiontype == 400) && common.validateInt(command.time, 1, 30000)) { routeCommandToNode({ action: 'msg', type: 'console', nodeid: node._id, value: 'flash ' + command.time }, MESHRIGHT_ADMIN, 0); }
if ((command.actiontype == 401) && common.validateInt(command.time, 1, 30000)) { routeCommandToNode({ action: 'msg', type: 'console', nodeid: node._id, value: 'vibrate ' + command.time }, MESHRIGHT_ADMIN, 0); }
} else {
- // Check we have the rights to delete this device
- if ((rights & MESHRIGHT_RESETOFF) == 0) return;
+ // Check we have the rights to perform this operation
+ if ((command.actiontype == 302) && ((rights & MESHRIGHT_WAKEDEVICE) == 0)) return; // This is a Intel AMT power on operation, check if we have WAKE rights
+ if ((command.actiontype != 302) && ((rights & MESHRIGHT_RESETOFF) == 0)) return; // For all other operations, check that we have RESET/OFF rights
// If this device is connected on MQTT, send a power action.
if ((parent.parent.mqttbroker != null) && (command.actiontype >= 0) && (command.actiontype <= 4)) { parent.parent.mqttbroker.publish(node._id, 'powerAction', ['', '', 'poweroff', 'reset', 'sleep'][command.actiontype]); }
@@ -2913,7 +2914,6 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Perform input validation
try {
if (common.validateStrArray(command.nodeids, 1, 256) == false) { err = "Invalid nodeids"; } // Check nodeids
- else if (common.validateString(command.title, 1, 512) == false) { err = "Invalid title"; } // Check title
else if (common.validateString(command.msg, 1, 4096) == false) { err = "Invalid message"; } // Check message
else {
var nodeids = [];
@@ -2928,6 +2928,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break;
}
+ // Check the title, if needed, use a default one
+ if (common.validateString(command.title, 1, 512) == false) { delete command.title } // Check title
+ if ((command.title == null) && (typeof domain.notificationmessages == 'object') && (typeof domain.notificationmessages.title == 'string')) { command.title = domain.notificationmessages.title; }
+ if ((command.title == null) && (typeof domain.title == 'string')) { command.title = domain.title; }
+ if (command.title == null) { command.title = "MeshCentral"; }
+
for (i in command.nodeids) {
// Get the node and the rights for this node
parent.GetNodeWithRights(domain, user, command.nodeids[i], function (node, rights, visible) {
@@ -3020,6 +3026,22 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
}
}
+ if ((typeof command.httpport == 'number') && (command.httpport > 0) && (command.httpport < 65536)) {
+ if ((command.httpport == 80) && (node.httpport != null)) {
+ delete node.httpport; change = 1; changes.push('httpport'); // Delete the HTTP port
+ } else {
+ node.httpport = command.httpport; change = 1; changes.push('httpport'); // Set the HTTP port
+ }
+ }
+
+ if ((typeof command.httpsport == 'number') && (command.httpsport > 0) && (command.httpsport < 65536)) {
+ if ((command.httpsport == 443) && (node.httpsport != null)) {
+ delete node.httpsport; change = 1; changes.push('httpsport'); // Delete the HTTPS port
+ } else {
+ node.httpsport = command.httpsport; change = 1; changes.push('httpsport'); // Set the HTTPS port
+ }
+ }
+
if ((typeof command.ssh == 'number') && (command.ssh == 0)) {
if ((node.ssh != null) && (node.ssh[user._id] != null)) { delete node.ssh[user._id]; change = 1; changes.push('ssh'); } // Delete the SSH cendentials
}
diff --git a/mpsserver.js b/mpsserver.js
index 11ec460c..cacc4241 100644
--- a/mpsserver.js
+++ b/mpsserver.js
@@ -484,7 +484,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// We are under the limit, create the new device.
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: domainid, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
- if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
// Event the new node
@@ -506,7 +509,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: domainid, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
- if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
// Event the new node
@@ -707,7 +713,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// We are under the limit, create the new device.
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
- if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
// Event the new node
@@ -733,7 +742,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
- if ((socket.tag.meiState != null) && (typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
// Event the new node
@@ -793,7 +805,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 2, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: hostname, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2, agent: { id: 0, caps: 0 } } };
- if ((socket.tag.meiState != null) && (typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
// Event the new node
@@ -827,9 +842,11 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
// Node is not in the database, add it. Credentials will be empty until added by the user.
var device = { type: 'node', mtype: 2, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: hostname, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, agent: { ver: 0, id: 0, caps: 0 }, intelamt: { uuid: socket.tag.SystemId, user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
- if ((socket.tag.meiState != null) && (typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if (socket.tag.meiState != null) {
+ if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
+ if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
+ }
obj.db.Set(device);
- console.log('ADDED', device);
// Event the new node
addedDeviceCount++;
diff --git a/package.json b/package.json
index 5753a7d6..644f28f1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "meshcentral",
- "version": "1.0.36",
+ "version": "1.0.45",
"keywords": [
"Remote Device Management",
"Remote Device Monitoring",
diff --git a/public/scripts/agent-desktop-0.0.2-min.js b/public/scripts/agent-desktop-0.0.2-min.js
index 8496d77a..bffc1eba 100644
--- a/public/scripts/agent-desktop-0.0.2-min.js
+++ b/public/scripts/agent-desktop-0.0.2-min.js
@@ -1 +1 @@
-Uint8Array.prototype.slice||Object.defineProperty(Uint8Array.prototype,"slice",{value:function(e,t){return new Uint8Array(Array.prototype.slice.call(this,e,t))}});var CreateAgentRemoteDesktop=function(e,t){var p={};"string"==typeof(p.CanvasId=e)&&(p.CanvasId=Q(e)),p.Canvas=p.CanvasId.getContext("2d"),p.scrolldiv=t,p.State=0,p.PendingOperations=[],p.tilesReceived=0,p.TilesDrawn=0,p.KillDraw=0,p.ipad=!1,p.tabletKeyboardVisible=!1,p.LastX=0,p.LastY=0,p.touchenabled=0,p.submenuoffset=0,p.touchtimer=null,p.TouchArray={},p.connectmode=0,p.connectioncount=0,p.rotation=0,p.protocol=2,p.debugmode=0,p.firstUpKeys=[],p.stopInput=!1,p.localKeyMap=!0,p.remoteKeyMap=!1,p.pressedKeys=[],p.sessionid=0,p.username,p.oldie=!1,p.ImageType=1,p.CompressionLevel=50,p.ScalingLevel=1024,p.FrameRateTimer=100,p.SwapMouse=!1,p.UseExtendedKeyFlag=!0,p.FirstDraw=!1,p.onRemoteInputLockChanged=null,p.RemoteInputLock=null,p.onKeyboardStateChanged=null,p.KeyboardState=0,p.ScreenWidth=960,p.ScreenHeight=701,p.width=960,p.height=960,p.displays=null,p.selectedDisplay=null,p.onScreenSizeChange=null,p.onMessage=null,p.onConnectCountChanged=null,p.onDebugMessage=null,p.onTouchEnabledChanged=null,p.onDisplayinfo=null;var S=!(p.accumulator=null),v="default";p.mouseCursorActive=function(e){S!=e&&(S=e,p.CanvasId.style.cursor=1==e?v:"default")};var C=["default","progress","crosshair","pointer","help","text","no-drop","move","nesw-resize","ns-resize","nwse-resize","w-resize","alias","wait","none","not-allowed","col-resize","row-resize","copy","zoom-in","zoom-out"];p.Start=function(){p.State=0,p.accumulator=null},p.Stop=function(){p.setRotation(0),p.UnGrabKeyInput(),p.UnGrabMouseInput(),p.touchenabled=0,null!=p.onScreenSizeChange&&p.onScreenSizeChange(p,p.ScreenWidth,p.ScreenHeight,p.CanvasId),p.Canvas.clearRect(0,0,p.CanvasId.width,p.CanvasId.height)},p.xxStateChange=function(e){p.State!=e&&(p.State=e,p.CanvasId.style.cursor="default",0===e&&p.Stop())},p.send=function(e){2'; // Show action button, only show if we have permissions 4, 8, 64 - if (((meshrights & (4 + 8 + 64)) != 0) && (node.mtype < 3)) { x += ''; } + if (((meshrights & (4 + 8 + 64 + 262144)) != 0) && (node.mtype < 3)) { x += ''; } x += ''; //if ((connectivity & 1) && (meshrights & 8) && (node.agent.id < 5)) { x += ''; } @@ -3676,35 +3676,6 @@ if (currentDevicePanel == 1) { deskAdjust(); } } - /* - function deviceActionFunction() { - if (xxdialogMode) return; - var rights = GetNodeRights(currentNode), count = 0; - var x = "Select an operation to perform on this device." + '
'; - var y = ''; - x += addHtmlValue("Operation", y); - if (count == 0) { x = "No actions currently available for this device."; } - setDialogMode(2, "Device Action", (count == 0) ? 1 : 3, deviceActionFunctionEx, x); - } - - function deviceActionFunctionEx() { - var op = Q('d2deviceop').value; - if (op == 100) { - // Device wake - meshserver.send({ action: 'wakedevices', nodeids: [currentNode._id] }); - } else { - // Power operation - meshserver.send({ action: 'poweraction', nodeids: [currentNode._id], actiontype: op }); - } - } - */ - function deviceActionFunction() { if (xxdialogMode) return; var rights = GetNodeRights(currentNode), count = 0; @@ -3723,12 +3694,15 @@ //if (((currentNode.conn & 1) != 0) && ((rights & 131072) != 0)) { count++; y += ''; } // Remote command permission if ((currentNode.conn != 0) && ((rights & 262144) != 0)) { count++; y += ''; } //if ((currentNode.conn & 16) != 0) { count++; y += ''; } - if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && (rights == 0xFFFFFFFF)) { + if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && ((rights & 262144) != 0)) { count++; y += ''; - y += ''; y += ''; } + if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && ((rights & 64) != 0)) { + count++; + y += ''; + } //if ((getNodeAmtVersion(currentNode) >= 15) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && (rights == 0xFFFFFFFF) && ((features & 0x00000400) == 0)) { count++; y += ''; } // CIRA (2) or AMT (4) connected //if (((currentNode.conn & 1) != 0) && ((rights & 32768) != 0)) { count++; y += ''; } } @@ -4070,7 +4044,7 @@ ); // Show the right settings - QV('d7amtkvm', (currentNode.intelamt != null && ((currentNode.intelamt.ver != null) || (currentNode.agent == null))) && ((deskState == 0) || (desktop.contype == 2))); + QV('d7amtkvm', (currentNode.intelamt != null && ((typeof currentNode.intelamt.sku != 'number') || ((currentNode.intelamt.sku & 16) == 0)) && ((currentNode.intelamt.ver != null) || (currentNode.agent == null))) && ((deskState == 0) || (desktop.contype == 2))); QV('d7meshkvm', ((currentNode.agent != null) && (currentNode.agent.caps & 1) && ((deskState == false) || (desktop.contype == 1)))); // Enable buttons @@ -4241,7 +4215,7 @@ } function applyDesktopSettings() { - var r = '', ops = (features & 512) ? [90, 70, 50, 40, 30, 20, 10, 5, 1] : [50, 40, 30, 20, 10, 5, 1]; + var r = '', ops = (features & 512) ? [100, 90, 70, 50, 40, 30, 20, 10, 5, 1] : [50, 40, 30, 20, 10, 5, 1]; for (var i in ops) { r += ''; } QH('d7bitmapquality', r); d7desktopmode.value = desktopsettings.encoding; @@ -4695,7 +4669,7 @@ // Enable action button if mesh type is not "local devices" QV('termActionsBtn', terminalNode.mtype != 3); - if (((termState == true) && (terminal.contype != 3)) || (terminalNode.agent.id == 3) || (terminalNode.agent.id == 4)) { + if (((termState == true) && (terminal.contype != 3)) || (terminalNode.agent == null) || (terminalNode.agent.id == 3) || (terminalNode.agent.id == 4)) { QH('terminalCustomUpperRight', ''); } else { QH('terminalCustomUpperRight', '' + format("SSH Port {0}", (terminalNode.sshport ? terminalNode.sshport : 22)) + ''); @@ -5321,7 +5295,7 @@ QE('p13PasteButton', advancedFeatures && (currentNode.mtype != 3) && ((p13filetreelocation.length > 0) || (winAgent == false)) && ((p13clipboard != null) && (p13clipboard.length > 0))); } var filesState = ((files != null) && (files.state != 0)); - if (((filesState == true) && (files.contype != 2)) || (filesNode.agent.id == 3) || (filesNode.agent.id == 4)) { + if (((filesState == true) && (files.contype != 2)) || (filesNode.agent == null) || (filesNode.agent.id == 3) || (filesNode.agent.id == 4)) { QH('filesCustomUpperRight', ''); } else { QH('filesCustomUpperRight', '' + format("SSH Port {0}", (filesNode.sshport ? filesNode.sshport : 22)) + ''); @@ -5798,20 +5772,13 @@ } } for (var j = 0; j < m.length; j++) { - var iplayer = m[j]; - if (iplayer.family == 'IPv4') { - if (iplayer.gateway && iplayer.netmask) { - x += addDetailItem("IPv4 Layer", format("{0}, Mask: {1}, Gateway: {2}", EscapeHtml(iplayer.address), EscapeHtml(iplayer.netmask), EscapeHtml(iplayer.gateway))); - } else { - if (iplayer.address) { x += addDetailItem("IPv4 Layer", format("{0}", EscapeHtml(iplayer.address))); } - } - } - if (iplayer.family == 'IPv6') { - if (iplayer.gateway && iplayer.netmask) { - x += addDetailItem("IPv6 Layer", format("{0}, Mask: {1}, Gateway: {2}", EscapeHtml(iplayer.address), EscapeHtml(iplayer.netmask), EscapeHtml(iplayer.gateway))); - } else { - if (iplayer.address) { x += addDetailItem("IPv6 Layer", format("{0}", EscapeHtml(iplayer.address))); } - } + var iplayer = m[j], items = []; + if (iplayer.address) { items.push(format("IP: {0}", EscapeHtml(iplayer.address))); } + if (iplayer.netmask) { items.push(format("Mask: {0}", EscapeHtml(iplayer.netmask))); } + if (iplayer.gateway) { items.push(format("Gateway: {0}", EscapeHtml(iplayer.gateway))); } + if (items.length > 0) { + if (iplayer.family == 'IPv4') { x += addDetailItem("IPv4 Layer", items.join(", ")); } + if (iplayer.family == 'IPv6') { x += addDetailItem("IPv6 Layer", items.join(", ")); } } } x += ''; @@ -5831,7 +5798,13 @@ x += addDetailItem("Security", (node.intelamt.tls == 1) ? "Secured using TLS" : "TLS is not setup", s); // Check that the Intel AMT user is setup and there is no warnings (1 = invalid credentials, 8 = trying) x += addDetailItem("Admin Credentials", ((node.intelamt.user) == null || (node.intelamt.user == '') || ((node.intelamt.warn != null) && ((node.intelamt.warn & 9) != 0))) ? "Not Known" : "Known", s); - if (x != '') { sections.push({ name: "Intel® Active Management Technology (Intel® AMT)", html: x, img: 'amt' }); } + if (x != '') { + if ((typeof node.intelamt.sku == 'number') && ((node.intelamt.sku & 16) != 0)) { + sections.push({ name: "Intel® Standard Manageability (Intel® SM)", html: x, img: 'amt' }); + } else { + sections.push({ name: "Intel® Active Management Technology (Intel® AMT)", html: x, img: 'amt' }); + } + } } if (hardware.identifiers) { diff --git a/views/default.handlebars b/views/default.handlebars index b5000e5a..7bfaf286 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -112,6 +112,12 @@ + +
-
Intel® AMT Redirection port or KVM feature is disabled, click here to enable it.
+ Redirection port or KVM feature is disabled, click here to enable it.
@@ -655,7 +661,7 @@
-
+
Disconnected
@@ -696,7 +702,7 @@
-
+
@@ -731,7 +737,7 @@
-
Intel® AMT Redirection port or KVM feature is disabled, click here to enable it.
+ Redirection port or KVM feature is disabled, click here to enable it.
@@ -864,7 +870,7 @@
-
@@ -1323,6 +1329,7 @@
Intel® AMT -
+Intel® AMT -
Other Settings
+
@@ -1346,6 +1353,7 @@
+
@@ -1379,6 +1387,7 @@
+
@@ -1446,6 +1455,7 @@
var features = parseInt('{{{features}}}');
var features2 = parseInt('{{{features2}}}');
var sessionTime = parseInt('{{{sessiontime}}}');
+ var webRelayPort = parseInt('{{{webRelayPort}}}');
var sessionRefreshTimer = null;
var domain = '{{{domain}}}';
var domainUrl = '{{{domainurl}}}';
@@ -2316,7 +2326,8 @@
18: "SMTP server has limited use in LAN mode.",
19: "SMS gateway has limited use in LAN mode.",
20: "Invalid \"LoginCookieEncryptionKey\" in config.json.",
- 21: "Backup path can't be set within meshcentral-data folder, backup settings ignored."
+ 21: "Backup path can't be set within meshcentral-data folder, backup settings ignored.",
+ 22: "Failed to sign agent {0}: {1}"
};
var x = '';
for (var i in message.warnings) {
@@ -2325,7 +2336,7 @@
x += '' + "WARNING: " + y + '
';
} else {
var z = ServerWarnings[y.id];
- if (z == null) { z = y.msg; } else { z = format(z, y.args); }
+ if (z == null) { z = y.msg; } else { z = format(z, ...y.args); }
x += '' + "WARNING: " + z + '
';
}
}
@@ -2733,7 +2744,7 @@
if (message.name != null) { url += ('&name=' + encodeURIComponentEx(message.name)); }
if (message.ip != null) { url += ('&remoteip=' + message.ip); }
url += ('&appid=' + message.protocol + '&autoexit=1'); // Protocol: 0 = Custom, 1 = HTTP, 2 = HTTPS, 3 = RDP, 4 = PuTTY, 5 = WinSCP, 6 = MCRDesktop, 7 = MCRFiles
- console.log(url);
+ //console.log(url);
downloadFile(url, '');
} else if (message.tag == 'novnc') {
var vncurl = window.location.origin + domainUrl + 'novnc/vnc.html?ws=wss%3A%2F%2F' + window.location.host + encodeURIComponentEx(domainUrl) + (message.localRelay?'local':'mesh') + 'relay.ashx%3Fauth%3D' + message.cookie + '&show_dot=1' + (urlargs.key?('&key=' + urlargs.key):'') + '&l={{{lang}}}';
@@ -3235,6 +3246,8 @@
node.rdpport = message.event.node.rdpport;
node.rfbport = message.event.node.rfbport;
node.sshport = message.event.node.sshport;
+ node.httpport = message.event.node.httpport;
+ node.httpsport = message.event.node.httpsport;
node.consent = message.event.node.consent;
node.pmt = message.event.node.pmt;
if (message.event.node.links != null) { node.links = message.event.node.links; } else { delete node.links; }
@@ -4569,6 +4582,10 @@
// RDP link, show this link only of the remote machine is Windows.
if ((((node.conn & 1) != 0) || (node.mtype == 3)) && (node.agent) && ((meshrights & 8) != 0) && (node.agent.id != 14)) {
+ if (webRelayPort != 0) {
+ x += '' + "HTTP" + ((node.httpport && (node.httpport != 80)) ? '/' + node.httpport : '') + ' ';
+ x += '' + "HTTPS" + ((node.httspport && (node.httpsport != 443)) ? '/' + node.httpsport : '') + ' ';
+ }
if ((node.agent.id > 0) && (node.agent.id < 5)) {
if (navigator.platform.toLowerCase() == 'win32') {
if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.rdp != false)) {
@@ -4579,12 +4596,12 @@
if (node.agent.id > 4) {
if ((navigator.platform.toLowerCase() == 'win32') || (navigator.platform.toLowerCase() == 'macintel')) {
if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.ssh != false)) {
- x += '' + "SSH" + ' ';
+ x += '' + "SSH" + ' ';
}
}
if (navigator.platform.toLowerCase() == 'win32') {
if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.scp != false)) {
- x += '' + "SCP" + ' ';
+ x += '' + "SCP" + ' ';
}
}
}
@@ -4851,6 +4868,7 @@
desk.m.ScalingLevel = multidesktopsettings.scaling;
if (multidesktopsettings.framerate) { desk.m.FrameRateTimer = multidesktopsettings.framerate; }
if (multidesktopsettings.swapmouse) { desk.m.SwapMouse = multidesktopsettings.swapmouse; }
+ if (multidesktopsettings.rmw) { desk.m.ReverseMouseWheel = multidesktopsettings.rmw; }
if (multidesktopsettings.remotekeymap == true) { desk.m.remoteKeyMap = multidesktopsettings.remotekeymap; }
//desk.m.onDisplayinfo = deskDisplayInfo;
desk.m.onScreenSizeChange = mdeskAdjust; // Multi-Desktop Adjust
@@ -5546,6 +5564,7 @@
var op = Q('d2deviceop').value, title = Q('dp2notifyTitle').value, msg = Q('d2notifyMsg').value, chkNodeIds = getCheckedDevices();
if (msg.length == 0) return;
if (title == '') { title = decodeURIComponent('{{{extitle}}}'); }
+ if (title == '') { title = "MeshCentral"; }
if (op == 1) { // MessageBox
for (var i = 0; i < chkNodeIds.length; i++) { meshserver.send({ action: 'msg', type: 'messagebox', nodeid: chkNodeIds[i], title: title, msg: msg }); }
} else if (op == 2) { // Toast
@@ -6055,6 +6074,32 @@
if (currentNode.rfbport != null) { Q('d10rfbport').value = currentNode.rfbport; }
}
+ function cmhttpportaction(action) {
+ if (xxdialogMode) return;
+ var x = "HTTP remote connection port:" + ''; + setDialogMode(2, "HTTP Connection", 3, function() { + // Save the new HTTP port to the server + var httpport = ((Q('d10httpport').value.length > 0) ? parseInt(Q('d10httpport').value) : 80); + meshserver.send({ action: 'changedevice', nodeid: currentNode._id, httpport: httpport }); + //if (currentNode != null) { p10rfb(currentNode._id, httpport); } + }, x, currentNode); + Q('d10httpport').focus(); + if (currentNode.httpport != null) { Q('d10httpport').value = currentNode.httpport; } + } + + function cmhttpsportaction(action) { + if (xxdialogMode) return; + var x = "HTTPS remote connection port:" + '
'; + setDialogMode(2, "HTTPS Connection", 3, function() { + // Save the new HTTP port to the server + var httpsport = ((Q('d10httpsport').value.length > 0) ? parseInt(Q('d10httpsport').value) : 443); + meshserver.send({ action: 'changedevice', nodeid: currentNode._id, httpsport: httpsport }); + //if (currentNode != null) { p10rfb(currentNode._id, httpsport); } + }, x, currentNode); + Q('d10httpsport').focus(); + if (currentNode.httpsport != null) { Q('d10httpsport').value = currentNode.httpsport; } + } + function cmfilesaction(action) { if (xxdialogMode) return; var filetreexx = p13sort_files(p13filetree.dir); @@ -6144,6 +6189,8 @@ QV('altPortContextMenu', false); QV('rfbPortContextMenu', false); QV('sshPortContextMenu', false); + QV('httpPortContextMenu', false); + QV('httpsPortContextMenu', false); QV('filesContextMenu', false); QV('deskPlayerContextMenu', false); QV('deskKeyShortcutContextMenu', false); @@ -7066,7 +7113,7 @@ x += '
'; // Show action button, only show if we have permissions 4, 8, 64 - if (((meshrights & (4 + 8 + 64)) != 0) && (node.mtype < 3) && ((node.agent == null) || (node.agent.id != 34))) { x += ''; } + if (((meshrights & (4 + 8 + 64 + 262144)) != 0) && (node.mtype < 3) && ((node.agent == null) || (node.agent.id != 34))) { x += ''; } x += ''; x += ''; if (node.mtype != 4) { @@ -7135,22 +7182,26 @@ // RDP link, show this link only of the remote machine is Windows. if ((((connectivity & 1) != 0) || (node.mtype == 3)) && (node.agent) && ((meshrights & 8) != 0)) { + if (webRelayPort != 0) { + x += '' + "HTTP" + ((node.httpport && (node.httpport != 80)) ? '/' + node.httpport : '') + ' '; + x += '' + "HTTPS" + ((node.httpsport && (node.httpsport != 443)) ? '/' + node.httpsport : '') + ' '; + } if ((node.agent.id > 0) && (node.agent.id < 5)) { if (navigator.platform.toLowerCase() == 'win32') { if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.rdp != false)) { - x += '' + "RDP" + ' '; + x += '' + "RDP" + ((node.rdpport && (node.rdpport != 3389)) ? '/' + node.rdpport : '') + ' '; } } } if (node.agent.id > 4) { if ((navigator.platform.toLowerCase() == 'win32') || (navigator.platform.toLowerCase() == 'macintel')) { if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.ssh != false)) { - x += '' + "SSH" + ' '; + x += '' + "SSH" + ((node.sshport && (node.sshport != 22)) ? '/' + node.sshport : '') + ' '; } } if (navigator.platform.toLowerCase() == 'win32') { if ((serverinfo.devicemeshrouterlinks == null) || (serverinfo.devicemeshrouterlinks.scp != false)) { - x += '' + "SCP" + ' '; + x += '' + "SCP" + ((node.sshport && (node.sshport != 22)) ? '/' + node.sshport : '') + ' '; } } } @@ -7254,6 +7305,15 @@ QV('p15uploadCore', (node.agent != null) && (node.agent.caps != null) && ((node.agent.caps & 16) != 0)); QH('p15coreName', ((node.agent != null) && (node.agent.core != null))?node.agent.core:''); + // Set the Intel AMT / Intel SM tab name + if ((node.intelamt != null) && (typeof node.intelamt.sku == 'number') && ((node.intelamt.sku & 16) != 0)) { + QH('MainDevAmt', "Intel®SM"); + QH('p14deviceNamePrefix', "Intel® SM"); + } else { + QH('MainDevAmt', "Intel®AMT"); + QH('p14deviceNamePrefix', "Intel® AMT"); + } + // Setup/Refresh Intel AMT tab var amtFrameNode = Q('p14iframe').contentWindow.getCurrentMeshNode(); if ((amtFrameNode != null) && (amtFrameNode._id != currentNode._id)) { Q('p14iframe').contentWindow.disconnect(); } @@ -7585,10 +7645,12 @@ } function deviceMessageFunctionEx() { + var title = decodeURIComponent('{{{extitle}}}'); + if (title == '') { title = "MeshCentral"; } if (currentNode.pmt == 1) { - meshserver.send({ action: 'pushmessage', nodeid: currentNode._id, title: decodeURIComponent('{{{extitle}}}'), msg: Q('d2devMessage').value }); + meshserver.send({ action: 'pushmessage', nodeid: currentNode._id, title: title, msg: Q('d2devMessage').value }); } else { - meshserver.send({ action: 'msg', type: 'messagebox', nodeid: currentNode._id, title: decodeURIComponent('{{{extitle}}}'), msg: Q('d2devMessage').value }); + meshserver.send({ action: 'msg', type: 'messagebox', nodeid: currentNode._id, title: title, msg: Q('d2devMessage').value }); } } @@ -7749,12 +7811,15 @@ if (((currentNode.conn & 1) != 0) && ((rights & 131072) != 0)) { count++; y += ''; } // Remote command permission if ((currentNode.conn != 0) && ((rights & 262144) != 0)) { count++; y += ''; } if ((currentNode.conn & 16) != 0) { count++; y += ''; } - if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && (rights == 0xFFFFFFFF)) { + if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && ((rights & 262144) != 0)) { count++; y += ''; - y += ''; y += ''; } + if ((currentNode.intelamt != null) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && ((rights & 64) != 0)) { + count++; + y += ''; + } if ((getNodeAmtVersion(currentNode) >= 15) && (currentNode.intelamt.state == 2) && ((currentNode.conn & 6) != 0) && (rights == 0xFFFFFFFF) && ((features & 0x00000400) == 0)) { count++; y += ''; } // CIRA (2) or AMT (4) connected if (((currentNode.conn & 1) != 0) && ((rights & 32768) != 0)) { count++; y += ''; } } @@ -8043,6 +8108,22 @@ meshserver.send({ action: 'removedevices', nodeids: [ nodeid ] }); } + function p10WebRouter(nodeid, protocol, port, addr) { + var relayid = null; + var node = getNodeFromId(nodeid); + if (node.mtype == 3) { // Setup device relay if needed + var mesh = meshes[node.meshid]; + if (mesh && mesh.relayid) { relayid = mesh.relayid; addr = node.host; } + } + var servername = serverinfo.name; + if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name. + var url = 'https://' + servername + ':' + webRelayPort + '/control-redirect.ashx?n=' + nodeid + '&p=' + port + '&appid=' + protocol; // Protocol: 1 = HTTP, 2 = HTTPS + if (addr != null) { url += '&addr=' + addr; } + if (relayid != null) { url += '&relayid=' + relayid; } + safeNewWindow(url, 'WebRelay'); + return false; + } + function p10MCRouter(nodeid, protocol, port, addr, localport) { var node = getNodeFromId(nodeid); var mesh = meshes[node.meshid]; @@ -8370,7 +8451,7 @@ ); } // Show the right settings - QV('td7amtkvm', (currentNode.intelamt != null && ((currentNode.intelamt.ver != null) || (currentNode.agent == null))) && ((deskState == 0) || (desktop.contype == 2))); + QV('td7amtkvm', ((currentNode.intelamt != null) && ((typeof currentNode.intelamt.sku != 'number') || ((currentNode.intelamt.sku & 16) == 0)) && ((currentNode.intelamt.ver != null) || (currentNode.agent == null))) && ((deskState == 0) || (desktop.contype == 2))); QV('td7meshkvm', (webRtcDesktop) || ((currentNode.agent != null) && (currentNode.agent.caps & 1) && ((deskState == 0) || (desktop.contype == 1)))); QV('td7rdpkvm', ((currentNode.agent != null) && ((currentNode.agent.id == 3) || (currentNode.agent.id == 4)) && ((deskState == 0) || (desktop.contype == 4)))); @@ -8456,6 +8537,7 @@ desktop.m.bpp = (desktopsettings.encoding == 1 || desktopsettings.encoding == 3) ? 1 : 2; desktop.m.useZRLE = (desktopsettings.encoding < 3); desktop.m.localKeyMap = desktopsettings.localkeymap; + desktop.m.ReverseMouseWheel = desktopsettings.kvmrmw; desktop.m.showmouse = desktopsettings.showmouse; desktop.m.onScreenSizeChange = deskAdjust; desktop.m.onKvmData = function (x) { @@ -8568,6 +8650,7 @@ desktop.m.ScalingLevel = desktopsettings.scaling; if (desktopsettings.framerate) { desktop.m.FrameRateTimer = desktopsettings.framerate; } if (desktopsettings.swapmouse) { desktop.m.SwapMouse = desktopsettings.swapmouse; } + if (desktopsettings.rmw) { desktop.m.ReverseMouseWheel = desktopsettings.rmw; } if (desktopsettings.remotekeymap == true) { desktop.m.remoteKeyMap = desktopsettings.remotekeymap; } desktop.m.onDisplayinfo = deskDisplayInfo; desktop.m.onScreenSizeChange = deskAdjust; @@ -8584,6 +8667,7 @@ desktop.m.onScreenSizeChange = mdeskAdjust; desktop.m.onClipboardChanged = function(text) { if ((text != null) && (desktopsettings.rdpautoclipboard) && (navigator.clipboard != null)) { navigator.clipboard.writeText(text).then(function() { }).catch(function(err) { console.log(err); }) } } // Put remote clipboard data into our clipboard if (desktopsettings.rdpsmb) { desktop.m.SwapMouse = desktopsettings.rdpsmb; } + if (desktopsettings.rdprmw) { desktop.m.ReverseMouseWheel = desktopsettings.rdprmw; } desktop.Start(desktopNode._id, currentNode.rdpport ? currentNode.rdpport : 3389, tsid); desktop.contype = 4; desktop.onConsoleMessageChange = function () { @@ -8866,12 +8950,15 @@ desktopsettings.scaling = d7bitmapscaling.value; desktopsettings.framerate = d7framelimiter.value; desktopsettings.swapmouse = d7deskSwapMouse.checked; + desktopsettings.rmw = d7deskrmw.checked; desktopsettings.remotekeymap = d7deskRemoteKeyMap.checked; desktopsettings.autoclipboard = d7deskAutoClipboard.checked; desktopsettings.autolock = d7deskAutoLock.checked; desktopsettings.localkeymap = d7localKeyMap.checked; + desktopsettings.kvmrmw = d7kvmrmw.checked; desktopsettings.rdpsize = d7rdpsize.value; desktopsettings.rdpsmb = d7rdpsmb.checked; + desktopsettings.rdprmw = d7rdprmw.checked; desktopsettings.rdpautoclipboard = d7rdpclip.checked; var rdpflags = 0; for (var i = 1; i < 10; i++) { if ((i != 5) && (Q('d7rdp' + i).checked)) { rdpflags |= (1 << (i - 1)); } } @@ -8880,23 +8967,29 @@ applyDesktopSettings(); updateDesktopButtons(); if (desktop) { - if (desktop.contype == 1) { + if (desktop.contype == 1) { // Intel AMT KVM desktop.m.SwapMouse = desktopsettings.swapmouse; + desktop.m.ReverseMouseWheel = desktopsettings.rmw; desktop.m.remoteKeyMap = desktopsettings.remotekeymap; if (desktop.State != 0) { desktop.m.SendCompressionLevel(webpSupport?4:1, desktopsettings.quality, desktopsettings.scaling, desktopsettings.framerate); desktop.sendCtrlMsg('{"ctrlChannel":"102938","type":"autolock","value":' + desktopsettings.autolock + '}'); } } - if (desktop.contype == 2) { + if (desktop.contype == 2) { // Mesh Agent Remote Desktop + desktop.m.ReverseMouseWheel = desktopsettings.kvmrmw; if (desktopsettings.showfocus == false) { desktop.m.focusmode = 0; deskFocusBtn.value = "All Focus"; } if (desktop.State != 0) { desktop.Stop(); setTimeout(function () { connectDesktop(null, 2); }, 50); } } + if (desktop.contype == 4) { // Web-RDP + desktop.m.SwapMouse = desktopsettings.rdpsmb; + desktop.m.ReverseMouseWheel = desktopsettings.rdprmw; + } } } function applyDesktopSettings() { - var r = '', ops = (features & 512)?[90,80,70,60,50,40,30,20,10,5,1]:[60,50,40,30,20,10,5,1]; + var r = '', ops = (features & 512)?[100,90,80,70,60,50,40,30,20,10,5,1]:[60,50,40,30,20,10,5,1]; for (var i in ops) { r += ''; } QH('d7bitmapquality', r); d7desktopmode.value = desktopsettings.encoding; @@ -8907,14 +9000,17 @@ d7bitmapscaling.value = desktopsettings.scaling; if (desktopsettings.framerate) { d7framelimiter.value = desktopsettings.framerate; } else { d7framelimiter.value = 100; } if (desktopsettings.swapmouse != null) { d7deskSwapMouse.checked = desktopsettings.swapmouse; } + if (desktopsettings.rmw != null) { d7deskrmw.checked = desktopsettings.rmw; } if (desktopsettings.remotekeymap != null) { d7deskRemoteKeyMap.checked = desktopsettings.remotekeymap; } if (desktopsettings.autoclipboard != null) { d7deskAutoClipboard.checked = desktopsettings.autoclipboard; } if (desktopsettings.autolock != null) { d7deskAutoLock.checked = desktopsettings.autolock; } if (desktopsettings.localkeymap) { d7localKeyMap.checked = desktopsettings.localkeymap; } + if (desktopsettings.kvmrmw) { d7kvmrmw.checked = desktopsettings.kvmrmw; } QV('deskFocusBtn', (desktop != null) && (desktop.contype == 2) && (desktop.state != 0) && (desktopsettings.showfocus)); if (desktopsettings.rdpsize != null) { d7rdpsize.value = desktopsettings.rdpsize; } if (desktopsettings.rdpflags == null) { desktopsettings.rdpflags = 0x2F; } if (desktopsettings.rdpsmb != null) { d7rdpsmb.checked = desktopsettings.rdpsmb; } + if (desktopsettings.rdprmw != null) { d7rdprmw.checked = desktopsettings.rdprmw; } if (desktopsettings.rdpautoclipboard != null) { d7rdpclip.checked = desktopsettings.rdpautoclipboard; } for (var i = 1; i < 10; i++) { if (i != 5) { Q('d7rdp' + i).checked = ((desktopsettings.rdpflags & (1 << (i - 1))) != 0); } } } @@ -9639,7 +9735,7 @@ // Enable action button if mesh type is not "local devices" QV('termActionsBtn', terminalNode.mtype != 3); - if (((termState == true) && (terminal.contype != 3)) || (terminalNode.agent.id == 3) || (terminalNode.agent.id == 4)) { + if (((termState == true) && (terminal.contype != 3)) || (terminalNode.agent == null) || (terminalNode.agent.id == 3) || (terminalNode.agent.id == 4)) { QH('terminalCustomUpperRight', ''); } else { QH('terminalCustomUpperRight', '' + format("SSH Port {0}", (terminalNode.sshport?terminalNode.sshport:22)) + ''); @@ -10431,7 +10527,7 @@ QE('p13PasteButton', advancedFeatures && ((p13filetreelocation.length > 0) || (winAgent == false)) && ((p13clipboard != null) && (p13clipboard.length > 0))); } var filesState = ((files != null) && (files.state != 0)); - if (((filesState == true) && (files.contype != 2)) || (filesNode.agent.id == 3) || (filesNode.agent.id == 4)) { + if (((filesState == true) && (files.contype != 2)) || (filesNode.agent == null) || (filesNode.agent.id == 3) || (filesNode.agent.id == 4)) { QH('filesCustomUpperRight', ''); } else { QH('filesCustomUpperRight', '' + format("SSH Port {0}", (filesNode.sshport?filesNode.sshport:22)) + ''); @@ -11130,20 +11226,13 @@ } } for (var j = 0; j < m.length; j++) { - var iplayer = m[j]; - if (iplayer.family == 'IPv4') { - if (iplayer.gateway && iplayer.netmask) { - x += addDetailItem("IPv4 Layer", format("IP: {0}, Mask: {1}, Gateway: {2}", EscapeHtml(iplayer.address), EscapeHtml(iplayer.netmask), EscapeHtml(iplayer.gateway))); - } else { - if (iplayer.address) { x += addDetailItem("IPv4 Layer", format("IP: {0}", EscapeHtml(iplayer.address))); } - } - } - if (iplayer.family == 'IPv6') { - if (iplayer.gateway && iplayer.netmask) { - x += addDetailItem("IPv6 Layer", format("IP: {0}, Mask: {1}, Gateway: {2}", EscapeHtml(iplayer.address), EscapeHtml(iplayer.netmask), EscapeHtml(iplayer.gateway))); - } else { - if (iplayer.address) { x += addDetailItem("IPv6 Layer", format("IP: {0}", EscapeHtml(iplayer.address))); } - } + var iplayer = m[j], items = []; + if (iplayer.address) { items.push(format("IP: {0}", EscapeHtml(iplayer.address))); } + if (iplayer.netmask) { items.push(format("Mask: {0}", EscapeHtml(iplayer.netmask))); } + if (iplayer.gateway) { items.push(format("Gateway: {0}", EscapeHtml(iplayer.gateway))); } + if (items.length > 0) { + if (iplayer.family == 'IPv4') { x += addDetailItem("IPv4 Layer", items.join(", ")); } + if (iplayer.family == 'IPv6') { x += addDetailItem("IPv6 Layer", items.join(", ")); } } } x += ''; @@ -11163,7 +11252,13 @@ x += addDetailItem("Security", (node.intelamt.tls == 1)?"Secured using TLS":"TLS is not setup", s); // Check that the Intel AMT user is setup and there is no warnings (1 = invalid credentials, 8 = trying) x += addDetailItem("Admin Credentials", ((node.intelamt.user) == null || (node.intelamt.user == '') || ((node.intelamt.warn != null) && ((node.intelamt.warn & 9) != 0)))?"Not Known":"Known", s); - if (x != '') { sections.push({ name: "Intel® Active Management Technology (Intel® AMT)", html: x, img: 'amt64.png' }); } + if (x != '') { + if ((typeof node.intelamt.sku == 'number') && ((node.intelamt.sku & 16) != 0)) { + sections.push({ name: "Intel® Standard Manageability (Intel® SM)", html: x, img: 'amt64.png' }); + } else { + sections.push({ name: "Intel® Active Management Technology (Intel® AMT)", html: x, img: 'amt64.png' }); + } + } } if (hardware.identifiers) { diff --git a/views/sharing-mobile.handlebars b/views/sharing-mobile.handlebars index 87bb00ce..e2ad0125 100644 --- a/views/sharing-mobile.handlebars +++ b/views/sharing-mobile.handlebars @@ -1188,7 +1188,7 @@ } function applyDesktopSettings() { - var r = '', ops = (features & 512) ? [90, 70, 50, 40, 30, 20, 10, 5, 1] : [50, 40, 30, 20, 10, 5, 1]; + var r = '', ops = (features & 512) ? [100, 90, 70, 50, 40, 30, 20, 10, 5, 1] : [50, 40, 30, 20, 10, 5, 1]; for (var i in ops) { r += ''; } QH('d7bitmapquality', r); d7desktopmode.value = desktopsettings.encoding; diff --git a/views/sharing.handlebars b/views/sharing.handlebars index ca10d11a..4208d680 100644 --- a/views/sharing.handlebars +++ b/views/sharing.handlebars @@ -780,7 +780,7 @@ } function applyDesktopSettings() { - var r = '', ops = (features2 & 1) ? [90, 80, 70, 60, 50, 40, 30, 20, 10, 5, 1] : [60, 50, 40, 30, 20, 10, 5, 1] + var r = '', ops = (features2 & 1) ? [100, 90, 80, 70, 60, 50, 40, 30, 20, 10, 5, 1] : [60, 50, 40, 30, 20, 10, 5, 1] for (var i in ops) { r += ''; } QH('d7bitmapquality', r); d7desktopmode.value = desktopsettings.encoding; diff --git a/webrelayserver.js b/webrelayserver.js new file mode 100644 index 00000000..15d7334c --- /dev/null +++ b/webrelayserver.js @@ -0,0 +1,272 @@ +/** +* @description Meshcentral web relay server +* @author Ylian Saint-Hilaire +* @copyright Intel Corporation 2018-2022 +* @license Apache-2.0 +* @version v0.0.1 +*/ + +/*jslint node: true */ +/*jshint node: true */ +/*jshint strict:false */ +/*jshint -W097 */ +/*jshint esversion: 6 */ +"use strict"; + +// Construct a HTTP redirection web server object +module.exports.CreateWebRelayServer = function (parent, db, args, certificates, func) { + var obj = {}; + obj.parent = parent; + obj.db = db; + obj.express = require('express'); + obj.session = require('cookie-session'); + obj.expressWs = null; + obj.tlsServer = null; + obj.net = require('net'); + obj.app = obj.express(); + if (args.compression !== false) { obj.app.use(require('compression')()); } + obj.app.disable('x-powered-by'); + obj.webRelayServer = null; + obj.port = 0; + obj.cleanupTimer = null; + var nextSessionId = 1; + var relaySessions = {} // RelayID --> Web Mutli-Tunnel + const constants = (require('crypto').constants ? require('crypto').constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead. + var tlsSessionStore = {}; // Store TLS session information for quick resume. + var tlsSessionStoreCount = 0; // Number of cached TLS session information in store. + + function serverStart() { + if (args.trustedproxy) { + // Reverse proxy should add the "X-Forwarded-*" headers + try { + obj.app.set('trust proxy', args.trustedproxy); + } catch (ex) { + // If there is an error, try to resolve the string + if ((args.trustedproxy.length == 1) && (typeof args.trustedproxy[0] == 'string')) { + require('dns').lookup(args.trustedproxy[0], function (err, address, family) { if (err == null) { obj.app.set('trust proxy', address); args.trustedproxy = [address]; } }); + } + } + } + else if (typeof args.tlsoffload == 'object') { + // Reverse proxy should add the "X-Forwarded-*" headers + try { + obj.app.set('trust proxy', args.tlsoffload); + } catch (ex) { + // If there is an error, try to resolve the string + if ((Array.isArray(args.tlsoffload)) && (args.tlsoffload.length == 1) && (typeof args.tlsoffload[0] == 'string')) { + require('dns').lookup(args.tlsoffload[0], function (err, address, family) { if (err == null) { obj.app.set('trust proxy', address); args.tlsoffload = [address]; } }); + } + } + } + + // Setup cookie session + var sessionOptions = { + name: 'xid', // Recommended security practice to not use the default cookie name + httpOnly: true, + keys: [args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + secure: (args.tlsoffload == null), // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html) + sameSite: args.sessionsamesite + } + if (args.sessiontime != null) { sessionOptions.maxAge = (args.sessiontime * 60 * 1000); } + obj.app.use(obj.session(sessionOptions)); + + // Add HTTP security headers to all responses + obj.app.use(function (req, res, next) { + parent.debug('webrequest', req.url + ' (RelayServer)'); + res.removeHeader('X-Powered-By'); + res.set({ + 'strict-transport-security': 'max-age=60000; includeSubDomains', + 'Referrer-Policy': 'no-referrer', + 'x-frame-options': 'SAMEORIGIN', + 'X-XSS-Protection': '1; mode=block', + 'X-Content-Type-Options': 'nosniff', + 'Content-Security-Policy': "default-src 'none'; style-src 'self' 'unsafe-inline';" + }); + + // Set the real IP address of the request + // If a trusted reverse-proxy is sending us the remote IP address, use it. + var ipex = '0.0.0.0', xforwardedhost = req.headers.host; + if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; } + if ( + (args.trustedproxy === true) || (args.tlsoffload === true) || + ((typeof args.trustedproxy == 'object') && (isIPMatch(ipex, args.trustedproxy))) || + ((typeof args.tlsoffload == 'object') && (isIPMatch(ipex, args.tlsoffload))) + ) { + // Get client IP + if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present + req.clientIp = req.headers['cf-connecting-ip'].split(',')[0].trim(); + } else if (req.headers['x-forwarded-for']) { + req.clientIp = req.headers['x-forwarded-for'].split(',')[0].trim(); + } else if (req.headers['x-real-ip']) { + req.clientIp = req.headers['x-real-ip'].split(',')[0].trim(); + } else { + req.clientIp = ipex; + } + + // If there is a port number, remove it. This will only work for IPv4, but nice for people that have a bad reverse proxy config. + const clientIpSplit = req.clientIp.split(':'); + if (clientIpSplit.length == 2) { req.clientIp = clientIpSplit[0]; } + + // Get server host + if (req.headers['x-forwarded-host']) { xforwardedhost = req.headers['x-forwarded-host'].split(',')[0]; } // If multiple hosts are specified with a comma, take the first one. + } else { + req.clientIp = ipex; + } + + // If this is a session start or a websocket, have the application handle this + if ((req.headers.upgrade == 'websocket') || (req.url.startsWith('/control-redirect.ashx?n='))) { + return next(); + } else { + // If this is a normal request (GET, POST, etc) handle it here + if ((req.session.userid != null) && (req.session.rid != null)) { + var relaySession = relaySessions[req.session.userid + '/' + req.session.rid]; + if (relaySession != null) { + // The web relay session is valid, use it + relaySession.handleRequest(req, res); + } else { + // No web relay ession with this relay identifier, close the HTTP request. + res.end(); + } + } else { + // The user is not logged in or does not have a relay identifier, close the HTTP request. + res.end(); + } + } + }); + + // Start the server, only after users and meshes are loaded from the database. + if (args.tlsoffload) { + // Setup the HTTP server without TLS + obj.expressWs = require('express-ws')(obj.app, null, { wsOptions: { perMessageDeflate: (args.wscompression === true) } }); + } else { + // Setup the HTTP server with TLS, use only TLS 1.2 and higher with perfect forward secrecy (PFS). + const tlsOptions = { cert: certificates.web.cert, key: certificates.web.key, ca: certificates.web.ca, rejectUnauthorized: true, ciphers: "HIGH:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 }; + obj.tlsServer = require('https').createServer(tlsOptions, obj.app); + obj.tlsServer.on('secureConnection', function () { /*console.log('tlsServer secureConnection');*/ }); + obj.tlsServer.on('error', function (err) { console.log('tlsServer error', err); }); + obj.tlsServer.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); }); + obj.tlsServer.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); }); + obj.expressWs = require('express-ws')(obj.app, obj.tlsServer, { wsOptions: { perMessageDeflate: (args.wscompression === true) } }); + } + + // Handle incoming web socket calls + obj.app.ws('/*', function (ws, req) { + if ((req.session.userid != null) && (req.session.rid != null)) { + var relaySession = relaySessions[req.session.userid + '/' + req.session.rid]; + if (relaySession != null) { + // The multi-tunnel session is valid, use it + relaySession.handleWebSocket(ws, req); + } else { + // No multi-tunnel session with this relay identifier, close the websocket. + ws.close(); + } + } else { + // The user is not logged in or does not have a relay identifier, close the websocket. + ws.close(); + } + }); + + // This is the magic URL that will setup the relay session + obj.app.get('/control-redirect.ashx', function (req, res) { + if ((req.session == null) || (req.session.userid == null)) { res.redirect('/'); return; } + res.set({ 'Cache-Control': 'no-store' }); + parent.debug('web', 'webRelaySetup'); + + // Check that all the required arguments are present + if ((req.session.userid == null) || (req.query.n == null) || (req.query.p == null) || ((req.query.appid != 1) && (req.query.appid != 2))) { res.redirect('/'); return; } + + // Get the user and domain information + const userid = req.session.userid; + const domainid = userid.split('/')[1]; + const domain = parent.config.domains[domainid]; + const nodeid = ((req.query.relayid != null) ? req.query.relayid : req.query.n); + const addr = (req.query.addr != null) ? req.query.addr : '127.0.0.1'; + const port = parseInt(req.query.p); + const appid = parseInt(req.query.appid); + + // Check to see if we already have a multi-relay session that matches exactly this device and port for this user + var relaySession = null; + for (var i in relaySessions) { + const xrelaySession = relaySessions[i]; + if ((xrelaySession.domain.id == domain.id) && (xrelaySession.userid == userid) && (xrelaySession.nodeid == nodeid) && (xrelaySession.addr == addr) && (xrelaySession.port == port) && (xrelaySession.appid == appid)) { + relaySession = xrelaySession; // We found an exact match + } + } + + if (relaySession != null) { + // Since we found a match, use it + req.session.rid = relaySession.sessionId; + } else { + // Create a web relay session + relaySession = require('./apprelays.js').CreateWebRelaySession(parent, db, req, args, domain, userid, nodeid, addr, port, appid); + relaySession.onclose = function (sessionId) { + // Remove the relay session + delete relaySessions[sessionId]; + // If there are not more relay sessions, clear the cleanup timer + if ((Object.keys(relaySessions).length == 0) && (obj.cleanupTimer != null)) { clearInterval(obj.cleanupTimer); obj.cleanupTimer = null; } + } + relaySession.sessionId = nextSessionId++; + + // Set the multi-tunnel session + relaySessions[userid + '/' + relaySession.sessionId] = relaySession; + req.session.rid = relaySession.sessionId; + + // Setup the cleanup timer if needed + if (obj.cleanupTimer == null) { obj.cleanupTimer = setInterval(checkTimeout, 10000); } + } + + // Redirect to root + res.redirect('/'); + }); + } + + // Check that everything is cleaned up + function checkTimeout() { + for (var i in relaySessions) { relaySessions[i].checkTimeout(); } + } + + // Find a free port starting with the specified one and going up. + function CheckListenPort(port, addr, func) { + var s = obj.net.createServer(function (socket) { }); + obj.webRelayServer = s.listen(port, addr, function () { s.close(function () { if (func) { func(port, addr); } }); }).on("error", function (err) { + if (args.exactports) { console.error("ERROR: MeshCentral HTTP relay server port " + port + " not available."); process.exit(); } + else { if (port < 65535) { CheckListenPort(port + 1, addr, func); } else { if (func) { func(0); } } } + }); + } + + // Start the ExpressJS web server, if the port is busy try the next one. + function StartWebRelayServer(port, addr) { + if (port == 0 || port == 65535) { return; } + if (obj.tlsServer != null) { + if (args.lanonly == true) { + obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS relay server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); }); + } else { + obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS relay server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); }); + obj.parent.updateServerState('servername', certificates.CommonName); + } + if (obj.parent.authlog) { obj.parent.authLog('https', 'Web relay server listening on ' + ((addr != null) ? addr : '0.0.0.0') + ' port ' + port + '.'); } + obj.parent.updateServerState('https-relay-port', port); + if (args.aliasport != null) { obj.parent.updateServerState('https-relay-aliasport', args.aliasport); } + } else { + obj.tcpServer = obj.app.listen(port, addr, function () { console.log('MeshCentral HTTP relay server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); }); + obj.parent.updateServerState('http-relay-port', port); + if (args.aliasport != null) { obj.parent.updateServerState('http-relay-aliasport', args.aliasport); } + } + obj.port = port; + } + + function getRandomPassword() { return Buffer.from(require('crypto').randomBytes(9), 'binary').toString('base64').split('/').join('@'); } + + // Perform a IP match against a list + function isIPMatch(ip, matchList) { + const ipcheck = require('ipcheck'); + for (var i in matchList) { if (ipcheck.match(ip, matchList[i]) == true) return true; } + return false; + } + + // Start up the web relay server + serverStart(); + CheckListenPort(args.relayport, args.relayportbind, StartWebRelayServer); + + return obj; +}; diff --git a/webserver.js b/webserver.js index b4b6be3e..70b57ff6 100644 --- a/webserver.js +++ b/webserver.js @@ -2858,7 +2858,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF footer: (domain.footer == null) ? '' : domain.footer, webstate: encodeURIComponent(webstate).replace(/'/g, '%27'), amtscanoptions: amtscanoptions, - pluginHandler: (parent.pluginHandler == null) ? 'null' : parent.pluginHandler.prepExports() + pluginHandler: (parent.pluginHandler == null) ? 'null' : parent.pluginHandler.prepExports(), + webRelayPort: ((parent.webrelayserver != null) ? parent.webrelayserver.port : 0) }, dbGetFunc.req, domain), user); } xdbGetFunc.req = req; @@ -5846,11 +5847,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF var selfurl = ' wss://' + req.headers.host; if ((xforwardedhost != null) && (xforwardedhost != req.headers.host)) { selfurl += ' wss://' + xforwardedhost; } const extraScriptSrc = (parent.config.settings.extrascriptsrc != null) ? (' ' + parent.config.settings.extrascriptsrc) : ''; + + // If the web relay port is enabled, allow the web page to redirect to it + var extraFrameSrc = ''; + if ((parent.webrelayserver != null) && (parent.webrelayserver.port != 0)) { + extraFrameSrc = ' https://' + req.headers.host + ':' + parent.webrelayserver.port; + if ((xforwardedhost != null) && (xforwardedhost != req.headers.host)) { extraFrameSrc += ' https://' + xforwardedhost + ':' + parent.webrelayserver.port; } + } + const headers = { 'Referrer-Policy': 'no-referrer', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', - 'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'" + 'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:" + extraFrameSrc + "; media-src 'self'; form-action 'self'" }; if (req.headers['user-agent'] && (req.headers['user-agent'].indexOf('Chrome') >= 0)) { headers['Permissions-Policy'] = 'interest-cohort=()'; } // Remove Google's FLoC Network, only send this if Chrome browser if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; } @@ -6063,7 +6072,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF obj.app.ws(url + 'mstscrelay.ashx', function (ws, req) { const domain = getDomain(req); if (domain == null) { parent.debug('web', 'mstsc: failed checks.'); try { ws.close(); } catch (e) { } return; } - require('./apprelays.js').CreateMstscRelay(obj, obj.db, ws, req, obj.args, domain); + // If no user is logged in and we have a default user, set it now. + if ((req.session.userid == null) && (typeof obj.args.user == 'string') && (obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()])) { req.session.userid = 'user/' + domain.id + '/' + obj.args.user.toLowerCase(); } + try { require('./apprelays.js').CreateMstscRelay(obj, obj.db, ws, req, obj.args, domain); } catch (ex) { console.log(ex); } }); } @@ -6073,9 +6084,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF obj.app.ws(url + 'sshrelay.ashx', function (ws, req) { const domain = getDomain(req); if (domain == null) { parent.debug('web', 'ssh: failed checks.'); try { ws.close(); } catch (e) { } return; } - try { - require('./apprelays.js').CreateSshRelay(obj, obj.db, ws, req, obj.args, domain); - } catch (ex) { console.log(ex); } + // If no user is logged in and we have a default user, set it now. + if ((req.session.userid == null) && (typeof obj.args.user == 'string') && (obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()])) { req.session.userid = 'user/' + domain.id + '/' + obj.args.user.toLowerCase(); } + try { require('./apprelays.js').CreateSshRelay(obj, obj.db, ws, req, obj.args, domain); } catch (ex) { console.log(ex); } }); obj.app.ws(url + 'sshterminalrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {