Added loginkey support to meshctrl.js, #3115

This commit is contained in:
Ylian Saint-Hilaire 2021-09-10 13:04:10 -07:00
parent f918ae537c
commit 15d8f4b027
3 changed files with 13 additions and 8 deletions

View File

@ -2767,6 +2767,7 @@ function CreateMeshCentralServer(config, args) {
if ((docs.length > 0) && (docs[0].key != null) && (obj.args.logintokengen == null) && (docs[0].key.length >= 160)) {
// Key is present, use it.
obj.loginCookieEncryptionKey = Buffer.from(docs[0].key, 'hex');
console.log('obj.loginCookieEncryptionKey', obj.loginCookieEncryptionKey);
func(obj.encodeCookie({ u: userid, a: 3 }, obj.loginCookieEncryptionKey));
} else {
// Key is not present, generate one.

View File

@ -968,7 +968,7 @@ function displayConfigHelp() {
}
function performConfigOperations(args) {
var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide', 'loginkey'];
var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide'];
var domainObjectValues = [ 'ldapoptions', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording' ];
var domainArrayValues = [ 'newaccountemaildomains', 'newaccountsrights', 'loginkey', 'agentconfig' ];
var configChange = false;
@ -1111,19 +1111,19 @@ function serverConnect() {
}
// Cookie authentication
var ckey = null;
var ckey = null, loginCookie = null;
if (args.loginkey != null) {
// User key passed in a argument hex
if (args.loginkey.length != 160) { console.log("Invalid login key."); process.exit(); return; }
if (args.loginkey.length != 160) { loginCookie = args.loginkey; }
ckey = Buffer.from(args.loginkey, 'hex');
if (ckey != 80) { console.log("Invalid login key."); process.exit(); return; }
if (ckey != 80) { ckey = null; loginCookie = args.loginkey; }
} else if (args.loginkeyfile != null) {
// Load key from hex file
var fs = require('fs');
try {
var keydata = fs.readFileSync(args.loginkeyfile, 'utf8').split(' ').join('').split('\r').join('').split('\n').join('');
ckey = Buffer.from(keydata, 'hex');
if (ckey.length != 80) { console.log("Invalid login key file."); process.exit(); return; }
if (ckey.length != 80) { ckey = null; loginCookie = args.loginkey; }
} catch (ex) { console.log(ex.message); process.exit(); return; }
}
@ -1135,10 +1135,11 @@ function serverConnect() {
url += '?auth=' + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey);
} else {
if (args.logindomain != null) { console.log("--logindomain can only be used along with --loginkey."); process.exit(); return; }
if (loginCookie != null) { url += '?auth=' + loginCookie; }
}
const ws = new WebSocket(url, options);
//console.log('Connecting to ' + url);
console.log('Connecting to ' + url);
ws.on('open', function open() {
//console.log('Connected.');

View File

@ -6473,9 +6473,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
parent.debug('web', 'ERR: Invalid cookie IP address, got \"' + cookie.ip + '\", expected \"' + cleanRemoteAddr(req.clientIp) + '\".');
cookie = null;
}
if ((cookie != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id)) {
// Valid cookie, we are authenticated
if ((cookie != null) && (cookie.userid != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id) && (cookie.userid.split('/')[1] == domain.id)) {
// Valid cookie, we are authenticated. Cookie of format { userid: 'user//name', domain: '' }
func(ws, req, domain, obj.users[cookie.userid], cookie);
} else if ((cookie != null) && (cookie.a === 3) && (typeof cookie.u == 'string') && (obj.users[cookie.u]) && (cookie.u.split('/')[1] == domain.id)) {
// Valid cookie, we are authenticated. Cookie of format { u: 'user//name', a: 3 }
func(ws, req, domain, obj.users[cookie.u], cookie);
} else {
// This is a bad cookie, keep going anyway, maybe we have a active session that will save us.
if ((cookie != null) && (cookie.domainid != domain.id)) { parent.debug('web', 'ERR: Invalid domain, got \"' + cookie.domainid + '\", expected \"' + domain.id + '\".'); }