From 05ebe75074942e3191d81823fa3fe38c0a216edb Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Fri, 23 Oct 2020 13:28:31 -0700
Subject: [PATCH] Improved CIRA setup when MPS is not running.

---
 amtmanager.js | 33 +++++++++++++++++++++------------
 meshuser.js | 2 +-
 public/images/checkbox60.png | Bin 0 -> 2447 bytes
 views/default.handlebars | 13 +++++++++----
 4 files changed, 31 insertions(+), 17 deletions(-)
 create mode 100644 public/images/checkbox60.png

diff --git a/amtmanager.js b/amtmanager.js
index 228ff49c..cacb596e 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -302,9 +302,16 @@ module.exports.CreateAmtManager = function (parent) {
 var amtPolicy = 0, ciraPolicy = 0, badPass = 0, password = null;
 if (mesh.amt != null) {
 if (mesh.amt.type) { amtPolicy = mesh.amt.type; }
- if (mesh.amt.cirasetup) { ciraPolicy = mesh.amt.cirasetup; }
- if (mesh.amt.badpass) { badPass = mesh.amt.badpass; }
- if ((typeof mesh.amt.password == 'string') && (mesh.amt.password != '')) { password = mesh.amt.password; }
+ if (mesh.amt.type == 4) {
+ // Fully automatic policy
+ ciraPolicy = 2; // CIRA will be setup
+ badPass = 1; // Automatically re-active CCM
+ password = null; // Randomize the password.
+ } else {
+ if (mesh.amt.cirasetup) { ciraPolicy = mesh.amt.cirasetup; }
+ if (mesh.amt.badpass) { badPass = mesh.amt.badpass; }
+ if ((typeof mesh.amt.password == 'string') && (mesh.amt.password != '')) { password = mesh.amt.password; }
+ }
 }
 if (amtPolicy < 2) { ciraPolicy = 0; }
 dev.policy = { amtPolicy: amtPolicy, ciraPolicy: ciraPolicy, badPass: badPass, password: password };
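Review bot: The new type-4 branch hard-codes three policy values with terse comments, and the comment on `badPass = 1` has a typo, so the reader of the later `ciraPolicy == 2` / `badPass` checks has no legend to refer back to. I would change the three comments to `ciraPolicy = 2; // CIRA will be set up (0 = do nothing, 1 = clear, 2 = set)`, `badPass = 1; // Automatically re-activate CCM`, `password = null; // null means the password will be randomized`. It is also worth stating in the `// Fully automatic policy` comment that any `cirasetup`, `badpass` or `password` still stored on the mesh is deliberately ignored for type 4, since that is not obvious from the `else` structure. The enclosing function starts and ends outside the hunk.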
@@ -343,7 +350,7 @@ module.exports.CreateAmtManager = function (parent) { // Attempt to perform initial contact with Intel AMT function attemptInitialContact(dev) { delete dev.amtstack; // If there is a WSMAn stack setup, clean it up now. - parent.debug('amt', "Attempt Initial Contact", dev.name, dev.connType); + parent.debug('amt', "Attempt Initial Contact", dev.name, ["CIRA", "CIRA-Relay", "CIRA-LMS", "Local"][dev.connType]); // Check Intel AMT policy when CIRA-LMS connection is in use. if ((dev.connType == 2) && (dev.mpsConnection != null) && (dev.mpsConnection.tag != null) && (dev.mpsConnection.tag.meiState != null)) { @@ -354,7 +361,7 @@ module.exports.CreateAmtManager = function (parent) { return; } // Check if we have an ACM activation policy, but the device is in CCM - if ((dev.policy.amtPolicy == 3) && ((dev.mpsConnection.tag.meiState.Flags & 2) != 0)) { + if (((dev.policy.amtPolicy == 3) || (dev.policy.amtPolicy == 4)) && ((dev.mpsConnection.tag.meiState.Flags & 2) != 0)) { // This device in is CCM, check if we can upgrade to ACM if (activateIntelAmt(dev) == false) return; // If this return true, the platform is in CCM and can't go to ACM, keep going with management. } 
@@ -562,7 +569,7 @@ module.exports.CreateAmtManager = function (parent) { dev.tlsfail = true; attemptInitialContact(dev); return; } else if (status == 401) { // Authentication error, see if we can use alternative credentials - if ((dev.acctry == null) && (dev.policy.password != null)) { dev.acctry = 'policy'; attemptInitialContact(dev); return; } + if ((dev.acctry == null) && (typeof dev.policy.password == 'string') && (dev.policy.password != '')) { dev.acctry = 'policy'; attemptInitialContact(dev); return; } if ((dev.acctry == null) || (dev.acctry == 'policy') && (obj.amtAdminAccounts[dev.domainid] != null) && (obj.amtAdminAccounts[dev.domainid].length > 0)) { dev.acctry = 0; attemptInitialContact(dev); return; } if ((dev.acctry != null) && (obj.amtAdminAccounts[dev.domainid] != null) && (obj.amtAdminAccounts[dev.domainid].length > (dev.acctry + 1))) { dev.acctry++; attemptInitialContact(dev); return; } @@ -1070,7 +1077,7 @@ module.exports.CreateAmtManager = function (parent) { // Check if Intel AMT has the server root certificate function attemptRootCertSync(dev, func) { if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. - if ((dev.connType != 2) || (dev.policy.ciraPolicy != 2)) { func(dev); return; } // Server root certificate does not need to be present is CIRA is not needed + if ((dev.connType != 2) || (dev.policy.ciraPolicy != 2) || (parent.mpsserver.server == null)) { func(dev); return; } // Server root certificate does not need to be present is CIRA is not needed // Find the current TLS certificate & MeshCentral root certificate var xxMeshCentralRoot = null; 
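Review bot: The fallback on the line after the changed one still mixes `||` and `&&` without parentheses, so once the tightened policy-password check fails with `dev.acctry == null`, the condition `(dev.acctry == null) || ((dev.acctry == 'policy') && ...)` is true regardless of whether `obj.amtAdminAccounts[dev.domainid]` exists, and `dev.acctry` is set to 0 for a domain that may have no admin accounts. What attemptInitialContact does with an index into a missing account list is not visible here, but the intent looks like `if (((dev.acctry == null) || (dev.acctry == 'policy')) && (obj.amtAdminAccounts[dev.domainid] != null) && (obj.amtAdminAccounts[dev.domainid].length > 0)) { dev.acctry = 0; attemptInitialContact(dev); return; }`. Since this commit is already reworking which credentials are tried on a 401, it is the right place to fix the grouping. The enclosing status handler starts and ends outside the hunk.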
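Review bot: The `parent.mpsserver.server == null` test added to attemptRootCertSync is repeated inline at hunks 1157, 1197, 1260 and 1279, and hunk 1279 folds its inverse into the "clear" branch, so five sites now have to agree on what "MPS is not running" means. A small helper inside the CreateAmtManager closure, e.g. `function isMpsListening() { return (parent.mpsserver.server != null); } // MPS server is listening for TCP/TLS connections`, would give the condition one name and one comment instead of the same explanatory comment being copied at 1157 and 1197 and omitted at the other sites. Whether the MPS listening state can change while the process runs is not visible here, so I would not cache the value on `dev.policy`; just call the helper at each site. attemptRootCertSync continues outside the hunk.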
@@ -1150,7 +1157,7 @@ module.exports.CreateAmtManager = function (parent) { // Fetch the server's CIRA settings dev.cira.mpsPresent = null; dev.cira.mpsPolicy = false; - if (dev.policy.ciraPolicy == 2) { + if ((dev.policy.ciraPolicy == 2) && (parent.mpsserver.server != null)) { // parent.mpsserver.server is not null if the MPS server is listening for TCP/TLS connections dev.cira.meshidx = dev.meshid.split('/')[2].replace(/\@/g, 'X').replace(/\$/g, 'X').substring(0, 16); dev.cira.mpsName = parent.webserver.certificates.AmtMpsName; var serverNameSplit = dev.cira.mpsName.split('.'); @@ -1190,7 +1197,8 @@ module.exports.CreateAmtManager = function (parent) { } // If we need to setup CIRA, start by checking the MPS server - if (dev.policy.ciraPolicy == 2) { addMpsServer(dev); } else { checkEnvironmentDetection(dev); } + // parent.mpsserver.server is not null if the MPS server is listening for TCP/TLS connections + if ((dev.policy.ciraPolicy == 2) && (parent.mpsserver.server != null)) { addMpsServer(dev); } else { checkEnvironmentDetection(dev); } }); } @@ -1202,6 +1210,7 @@ module.exports.CreateAmtManager = function (parent) { if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request. if (status != 200) { dev.consoleMsg("Failed to create new MPS server (" + status + ")."); removeAmtDevice(dev); return; } dev.cira.mpsPresent = getItem(response.Body.MpServer.ReferenceParameters.SelectorSet.Selector, '@Name', 'Name').Value; + console.log(dev.cira.mpsPresent); dev.consoleMsg("Created new MPS server."); addMpsPolicy(dev); }); 
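Review bot: `console.log(dev.cira.mpsPresent);` in the addMpsServer callback looks like leftover debugging output: it prints the MPS server name straight to stdout on every successful MPS-server creation, bypassing the `parent.debug('amt', ...)` channel the rest of this file uses (see hunk 350). Either drop the line or fold it into the existing message, e.g. `parent.debug('amt', "Created new MPS server", dev.name, dev.cira.mpsPresent);`, so it stays gated by the debug settings. The enclosing callback starts outside the hunk.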
@@ -1251,7 +1260,7 @@ module.exports.CreateAmtManager = function (parent) { var currentEnvDetect = dev.cira.xxEnvironementDetection['DetectionStrings']; if (currentEnvDetect == null) { currentEnvDetect = []; } - if (dev.policy.ciraPolicy == 2) { // ciraPolicy: 0 = Do Nothing, 1 = Clear, 2 = Set + if ((dev.policy.ciraPolicy == 2) && (parent.mpsserver.server != null)) { // ciraPolicy: 0 = Do Nothing, 1 = Clear, 2 = Set const newEnvDetect = parent.config.domains[dev.domainid].amtmanager.environmentdetection; if (newEnvDetect == null) { // If no environment detection is specified in the config.json, check that we have a random environment detection @@ -1270,7 +1279,7 @@ module.exports.CreateAmtManager = function (parent) { if (mismatch == true) { editEnvironmentDetectionTmp = newEnvDetect; changes = true; } } - } else if (dev.policy.ciraPolicy == 1) { + } else if ((dev.policy.ciraPolicy == 1) || (parent.mpsserver.server == null)) { // Check environment detection is clear if (currentEnvDetect.length != 0) { editEnvironmentDetectionTmp = []; changes = true; } } @@ -1589,7 +1598,7 @@ module.exports.CreateAmtManager = function (parent) { if ((typeof dev.mpsConnection.tag.meiState.OsAdmin != 'object') || (typeof dev.mpsConnection.tag.meiState.OsAdmin.user != 'string') || (typeof dev.mpsConnection.tag.meiState.OsAdmin.pass != 'string')) { amtPolicy = 0; } if (amtPolicy == 0) { removeAmtDevice(dev); return false; } // Do nothing, we should not have gotten this CIRA-LMS connection. if (amtPolicy == 2) { activateIntelAmtCcm(dev, mesh.amt.password); } // Activate to CCM policy - if (amtPolicy == 3) { // Activate to ACM policy + if ((amtPolicy == 3) || (amtPolicy == 4)) { // Activate to ACM policy var acminfo = checkAcmActivation(dev); if (acminfo == null) { // No opportunity to activate to ACM, check if we are already in CCM diff --git a/meshuser.js b/meshuser.js index 82f3dc41..dfe06a4c 100644 --- a/meshuser.js +++ b/meshuser.js 
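Review bot: Routing `amtPolicy == 4` into the ACM branch means `mesh.amt.password` can be undefined here, because the type-4 policy the UI sends (hunk 9568 of views/default.handlebars) is just `{ type: 4 }`; the CCM line directly above passes `mesh.amt.password` to `activateIntelAmtCcm` unchanged, and if the CCM fallback after `acminfo == null` does the same (it is outside the hunk) it will now receive undefined rather than the null that hunk 302 uses to mean "randomize". I would resolve the password once at the top of this branch, e.g. `var policyPassword = (amtPolicy == 4) ? null : mesh.amt.password; // type 4: null means randomize`, and pass that to the activation calls, and extend the comment to `// Activate to ACM policy (type 4 = fully automatic, ACM attempted first)`. The enclosing function starts and ends outside the hunk.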
@@ -3301,7 +3301,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 // Change a mesh Intel AMT policy
 if (common.validateString(command.meshid, 1, 1024) == false) break; // Check the meshid
 if (common.validateObject(command.amtpolicy) == false) break; // Check the amtpolicy
- if (common.validateInt(command.amtpolicy.type, 0, 3) == false) break; // Check the amtpolicy.type
+ if (common.validateInt(command.amtpolicy.type, 0, 4) == false) break; // Check the amtpolicy.type
 if (command.amtpolicy.type === 2) {
 if (common.validateString(command.amtpolicy.password, 0, 32) == false) break; // Check the amtpolicy.password
 if ((command.amtpolicy.badpass != null) && common.validateInt(command.amtpolicy.badpass, 0, 1) == false) break; // Check the amtpolicy.badpass
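Review bot: Widening the accepted range to 0..4 admits the new type, but no per-type validation follows for type 4 the way the visible `type === 2` block does for passwords and `badpass`; if the handler later stores `command.amtpolicy` as received (the store is outside the hunk), a type-4 request could carry unvalidated `password`, `cirasetup` or `badpass` fields into the mesh record even though amtmanager (hunk 302) ignores them. Since a type-4 policy has no other fields by design (the UI sends `{ type: 4 }`), I would normalise it explicitly before it is stored, e.g. `if (command.amtpolicy.type === 4) { command.amtpolicy = { type: 4 }; } // Fully automatic policy carries no other fields`, so the stored object matches what the validation covered. The enclosing command handler starts and ends outside the hunk.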
diff --git a/public/images/checkbox60.png b/public/images/checkbox60.png new file mode 100644 index 0000000000000000000000000000000000000000..4e1d0a5d7f4e4da8ac3569650d31e53e5243c307 GIT binary patch literal 2447 zcmV;A32^p_P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGp`~UzI`~e>~vxNWv2_#8GK~!i%?V1Zv zRM#2D|GO)@AOQ+u1X4>>5UH&}@CBkKLxNV+PBa3=ac>5#-H2`<-*oy?gh`!Y(K?{D<$J^L^*; z+3$D1b0514Mm4HYjcQc4L$?@5@Hj~3S0LsQd$&@kcGt|!!Gbp@ z|96eYNq2UI%hO^h;S*G`6sdB`g-NcWQ%v@in1!IHh}pRA+zOYaj-%{8rQR&1Vyecq zs!l#=RRGUm#(AZ>Om`;m<&%lJ=XEddA;_h9yMCaFs=!V1hSy}&&$Qh*7T z5uGKQ!TjjxXk=$+BQY@%TJ6wY%&j&nUafcs?;1a%`~?hacvt1~)_ELP$a0Wzxte?Z zNKL|S(i}ECJRED+u0>K((vZV49d0YZp1zM^lb@XATa4_>PgZ8~S)UslvzF4)%JvnO zNlmj{v{<-sA;QAKgy*O_QqC4$UJW%fNK;f&@!2ANH(P+4-)oJa<&l}!AE5Wh^dQ81|q2Vp;ZuwB` zF>tM~$-|lUivr3SmifGrlF!GvUr&~UtnxZB&48r_rkN#Rwb;^q>DqRj>ns(?NM<&f zv7v4!-uz}SxfZdvZ~8;ypYh>!dXQ4!#JuwJvTIeDHB)>!vMaBOX$B=Vuv@)<<0uX^ z)ACiWlyVYQSm_>`*HD1pHSF>EoIcxe5wF$kvR6$3ljn8ocN6StEU7v#rWv%n0)NqQ z4lmbkhfR57Rg$6_4EpW*{dlvkf9Q5|C!W2!868G?0+gYYsyfcA@=atR=dr^|zQ$s+ z>CBpqw5mQ5Q}`{nz>UThJW}=>H1;%$WK>DH_30xDRr;-(z1UrUP|V_}&u@N-{q=v5 z_IF!V5fk$AAB%F2=)Oi&^}aTVM-a_ro>x0ZBg3l!Tm;a!Q;%7jLZCfdk(h z5i?2ZpryS2@)kbsGKXT0v3px5;K8p`Z6Rho1p+6xz~9wRz-KcG@w2;Efj+?46X~ZS z%(qxfc)s*?9J~H^X)@B=)djfPQ6=r;JcoSHg-85RaKp++&7wx_{I5G@Kx)7QQldDz14pbV@|K(zKDr=$LS)m=G&zR zF&jiCftA-oI7Xwxy7;G1I6V(zHNmPR<%C(Hs-zXOqOI>1esbp5cbo6yN?c@9! 
z$=6ynC`ipif+1dH5P12tW*&`Miod1qLrl;(Rg!X|&OVt~u8rN-@mV9?P2_Q9b*O!* z)zInvTJj6XiOmx4IyCb6B$*#I3n%6rK)fN25_AM}0a1+YN39YUzQec_TORiiUYz!< zc(~h|LP``JykXLyfSIBVQ8=<-KjuZHiYk&hSJk60wU5Lv!_$e6iy4PU zg9c_|&_@>)5_Fmb!cD+=^d*}bHU+!Vw_%KSjF@eBjV3d5;>hfRB&=N z*+*q&G$hCM2*SRF?;wg^JKXXcm?=7#mUq?%NDiNB2Xg_pAB>GN*J17iS{1iJ0Rd); z3yne1;)9rc7d<68!>Z2VthfbOH9`Hvir>?-}^bH&~Zfp#; z-@jFic$e91Mt66&@W48)Qa3PC1D|6Xc66^?VZTrLuXVGZ!%wF_j%|zHKwMbA{|3p` z)YOF5R)w*FY{-C*lJT{4>eMN;wD5xaC9Ot__ZIKOqsb48hE??05DxFrx!M%ws;mXQN6crWm z3JW!pJ$3r@X_tR4^G6O8xw*N?)ck{tKJ-drKZyGS?2C*>Bl`OK)E6su5qXTNdrWcz zCl?BWPNL?IWEo`MOA~l8Vz$zLN%koLvsggowrm8gr)C-1N;3Ap9_*Jz78?qg$lA!* zuYv4ejXoyOZ>b#;^}9|9o>iHBg{YkG0T#Q@_7S9Vr5e?!M&+Y`{{!MgBGUF~a+Cl7 N002ovPDHLkV1m)`x!(W) literal 0 HcmV?d00001 diff --git a/views/default.handlebars b/views/default.handlebars index a0f6f1e0..01e63f16 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -9428,6 +9428,8 @@ } else if (currentMesh.amt.type == 3) { intelAmtPolicy = "Simple Admin Control Mode (ACM)"; if (currentMesh.amt.cirasetup == 2) { intelAmtPolicy += " + CIRA"; } + } else if (currentMesh.amt.type == 4) { + intelAmtPolicy = "Fully Automatic"; } } x += addHtmlValue("Intel® AMT", addLinkConditional(intelAmtPolicy, 'p20editMeshAmt()', meshrights & 1)); @@ -9517,7 +9519,7 @@ if (xxdialogMode) return; var x = '', acmoption = ''; if ((features & 0x100000) != 0) { acmoption = ''; } - x += addHtmlValue("Type", ''); + x += addHtmlValue("Type", ''); x += '
'; setDialogMode(2, "Intel® AMT Policy", 3, p20editMeshAmtEx, x); if (currentMesh.amt) { Q('dp20amtpolicy').value = currentMesh.amt.type; } @@ -9535,7 +9537,7 @@ function p20editMeshAmtChange() { var ptype = Q('dp20amtpolicy').value, x = ''; - if (ptype >= 2) { + if ((ptype >= 2) && (ptype < 4)) { x = addHtmlValue("Password*", '') x += addHtmlValue("Password*", '') x += addHtmlValue("Password mismatch", ''); @@ -9550,6 +9552,7 @@ } } } + if (ptype == 4) { x = '
' + "This is the recommanded policy type. Intel® AMT activation and management is completely automated." + '
'; } QH('dp20amtpolicydiv', x); setTimeout(dp20amtValidatePolicy, 1); } @@ -9565,12 +9568,14 @@ function p20editMeshAmtEx() { var ptype = parseInt(Q('dp20amtpolicy').value), amtpolicy = { type: ptype }; - if (ptype == 2) { + if (ptype == 2) { // CCM policy amtpolicy = { type: ptype, password: Q('dp20amtpolicypass').value, badpass: parseInt(Q('dp20amtbadpass').value) }; if ((features & 0x400) == 0) { amtpolicy.cirasetup = parseInt(Q('dp20amtcira').value); } else { amtpolicy.cirasetup = 1; } - } else if (ptype == 3) { + } else if (ptype == 3) { // ACM policy amtpolicy = { type: ptype, password: Q('dp20amtpolicypass').value, badpass: parseInt(Q('dp20amtbadpass').value) }; if ((features & 0x400) == 0) { amtpolicy.cirasetup = parseInt(Q('dp20amtcira').value); } else { amtpolicy.cirasetup = 1; } + } else if (ptype == 4) { // Fully automatic policy + amtpolicy = { type: ptype }; } meshserver.send({ action: 'meshamtpolicy', meshid: currentMesh._id, amtpolicy: amtpolicy }); }
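Review bot: The new user-facing string in p20editMeshAmtChange misspells "recommended" as `recommanded`; since this text is shown in the policy dialog it should be fixed before it is picked up by translations, i.e. `"This is the recommended policy type. Intel® AMT activation and management is completely automated."`. Separately, `ptype` is taken from `Q('dp20amtpolicy').value` as a string, so the `(ptype < 4)` and `(ptype == 4)` tests rely on implicit numeric coercion, whereas p20editMeshAmtEx just below parses it with `parseInt`; parsing once at the top of p20editMeshAmtChange, `var ptype = parseInt(Q('dp20amtpolicy').value, 10), x = '';`, would make the two functions consistent. p20editMeshAmtChange starts outside the hunk.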