More work on cross-domain admin.

This commit is contained in:
Ylian Saint-Hilaire 2020-05-27 17:23:38 -07:00
parent 32a9991afb
commit 27191d3cd3
4 changed files with 361 additions and 286 deletions

View File

@ -7,7 +7,7 @@ try { require('ws'); } catch (ex) { console.log('Missing module "ws", type "npm
var settings = {};
const crypto = require('crypto');
const args = require('minimist')(process.argv.slice(2));
const possibleCommands = ['listusers', 'listusersessions', 'listdevicegroups', 'listdevices', 'listusersofdevicegroup', 'serverinfo', 'userinfo', 'adduser', 'removeuser', 'adddevicegroup', 'removedevicegroup', 'broadcast', 'showevents', 'addusertodevicegroup', 'removeuserfromdevicegroup', 'addusertodevice', 'removeuserfromdevice', 'sendinviteemail', 'generateinvitelink', 'config', 'movetodevicegroup', 'deviceinfo'];
const possibleCommands = ['listusers', 'listusersessions', 'listdevicegroups', 'listdevices', 'listusersofdevicegroup', 'serverinfo', 'userinfo', 'adduser', 'removeuser', 'adddevicegroup', 'removedevicegroup', 'broadcast', 'showevents', 'addusertodevicegroup', 'removeuserfromdevicegroup', 'addusertodevice', 'removeuserfromdevice', 'sendinviteemail', 'generateinvitelink', 'config', 'movetodevicegroup', 'deviceinfo', 'addusergroup', 'listusergroups', 'removeusergroup'];
if (args.proxy != null) { try { require('https-proxy-agent'); } catch (ex) { console.log('Missing module "https-proxy-agent", type "npm install https-proxy-agent" to install it.'); return; } }
if (args['_'].length == 0) {
@ -20,6 +20,7 @@ if (args['_'].length == 0) {
console.log(" UserInfo - Show user information.");
console.log(" ListUsers - List user accounts.");
console.log(" ListUsersSessions - List online users.");
console.log(" ListUserGroups - List user groups.");
console.log(" ListDevices - List devices.");
console.log(" ListDeviceGroups - List device groups.");
console.log(" ListUsersOfDeviceGroup - List the users in a device group.");
@ -27,6 +28,8 @@ if (args['_'].length == 0) {
console.log(" Config - Perform operation on config.json file.");
console.log(" AddUser - Create a new user account.");
console.log(" RemoveUser - Delete a user account.");
console.log(" AddUserGroup - Create a new user group.");
console.log(" RemoveUserGroup - Delete a user group.");
console.log(" AddDeviceGroup - Create a new device group.");
console.log(" RemoveDeviceGroup - Delete a device group.");
console.log(" MoveToDeviceGroup - Move a device to a different device group.");
@ -45,7 +48,7 @@ if (args['_'].length == 0) {
console.log(" --token [number] - 2nd factor authentication token.");
console.log(" --loginkey [hex] - Server login key in hex.");
console.log(" --loginkeyfile [file] - File containing server login key in hex.");
console.log(" --domain [domainid] - Domain id, default is empty, only used with loginkey.");
console.log(" --logindomain [domainid] - Domain id, default is empty, only used with loginkey.");
console.log(" --proxy [http://proxy:1] - Specify an HTTP proxy.");
return;
} else {
@ -60,6 +63,7 @@ if (args['_'].length == 0) {
case 'userinfo': { ok = true; break; }
case 'listusers': { ok = true; break; }
case 'listusersessions': { ok = true; break; }
case 'listusergroups': { ok = true; break; }
case 'listdevicegroups': { ok = true; break; }
case 'listdevices': { ok = true; break; }
case 'listusersofdevicegroup': {
@ -132,6 +136,16 @@ if (args['_'].length == 0) {
else { ok = true; }
break;
}
case 'addusergroup': {
if (args.name == null) { console.log("New user group name missing, use --name [name]"); }
else { ok = true; }
break;
}
case 'removeusergroup': {
if (args.groupid == null) { console.log("Remove user group id missing, use --groupid [id]"); }
else { ok = true; }
break;
}
case 'sendinviteemail': {
if ((args.id == null) && (args.group == null)) { console.log("Device group identifier missing, use --id [groupid] or --group [groupname]"); }
else if (args.email == null) { console.log("Device email is missing, use --email [email]"); }
@ -211,6 +225,12 @@ if (args['_'].length == 0) {
console.log(" MeshCtrl ListUserSessions --json");
break;
}
case 'listusergroups': {
console.log("List user groups on the MeshCentral server, Example usages:\r\n");
console.log(" MeshCtrl ListUserGroups");
console.log(" MeshCtrl ListUserGroups --json");
break;
}
case 'listdevicegroups': {
console.log("List the device groups for this account, Example usages:\r\n");
console.log(" MeshCtrl ListDeviceGroups ");
@ -260,6 +280,7 @@ if (args['_'].length == 0) {
console.log(" --locked - This account will be locked.");
console.log(" --nonewgroups - Account will not be allowed to create device groups.");
console.log(" --notools - Account not see MeshCMD download links.");
console.log(" --domain [domain] - Account domain, only for cross-domain admins.");
break;
}
case 'removeuser': {
@ -574,11 +595,11 @@ function serverConnect() {
if (ckey != null) {
var domainid = '', username = 'admin';
if (args.domain != null) { domainid = args.domain; }
if (args.logindomain != null) { domainid = args.logindomain; }
if (args.loginuser != null) { username = args.loginuser; }
url += '?auth=' + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey);
} else {
if (args.domain != null) { console.log("--domain can only be used along with --loginkey."); process.exit(); return; }
if (args.logindomain != null) { console.log("--logindomain can only be used along with --loginkey."); process.exit(); return; }
}
const ws = new WebSocket(url, options);
@ -591,6 +612,7 @@ function serverConnect() {
case 'userinfo': { break; }
case 'listusers': { ws.send(JSON.stringify({ action: 'users' })); break; }
case 'listusersessions': { ws.send(JSON.stringify({ action: 'wssessioncount' })); }
case 'listusergroups': { ws.send(JSON.stringify({ action: 'usergroups' })); }
case 'listdevicegroups': { ws.send(JSON.stringify({ action: 'meshes' })); break; }
case 'listusersofdevicegroup': { ws.send(JSON.stringify({ action: 'meshes' })); break; }
case 'listdevices': {
@ -618,14 +640,28 @@ function serverConnect() {
if (args.email) { op.email = args.email; if (args.emailverified) { op.emailVerified = true; } }
if (args.resetpass) { op.resetNextLogin = true; }
if (siteadmin != 0) { op.siteadmin = siteadmin; }
if (args.domain) { op.domain = args.domain; }
ws.send(JSON.stringify(op));
break;
}
case 'removeuser': {
var op = { action: 'deleteuser', userid: args.userid, responseid: 'meshctrl' };
var userid = args.userid;
if ((args.domain != null) && (userid.indexOf('/') < 0)) { userid = 'user/' + args.domain + '/' + userid; }
ws.send(JSON.stringify({ action: 'deleteuser', userid: userid, responseid: 'meshctrl' }));
break;
}
case 'addusergroup': {
var op = { action: 'createusergroup', name: args.name, desc: args.desc, responseid: 'meshctrl' };
if (args.domain) { op.domain = args.domain; }
ws.send(JSON.stringify(op));
break;
}
case 'removeusergroup': {
var ugrpid = args.groupid;
if ((args.domain != null) && (userid.indexOf('/') < 0)) { ugrpid = 'ugrp/' + args.domain + '/' + ugrpid; }
ws.send(JSON.stringify({ action: 'deleteusergroup', ugrpid: ugrpid, responseid: 'meshctrl' }));
break;
}
case 'adddevicegroup': {
var op = { action: 'createmesh', meshname: args.name, meshtype: 2, responseid: 'meshctrl' };
if (args.desc) { op.desc = args.desc; }
@ -807,6 +843,8 @@ function serverConnect() {
case 'removemeshuser': //
case 'inviteAgent': //
case 'adddeviceuser': //
case 'createusergroup': //
case 'deleteusergroup': //
case 'userbroadcast': { // BROADCAST
if (data.responseid == 'meshctrl') {
if (data.meshid) { console.log(data.result, data.meshid); }
@ -832,6 +870,19 @@ function serverConnect() {
process.exit();
break;
}
case 'usergroups': { // LIST USER GROUPS
if (args.json) {
console.log(JSON.stringify(data.ugroups, ' ', 2));
} else {
for (var i in data.ugroups) {
var x = i + ', ' + data.ugroups[i].name;
if (data.ugroups[i].desc && (data.ugroups[i].desc != '')) { x += ', ' + data.ugroups[i].desc; }
console.log(x);
}
}
process.exit();
break;
}
case 'users': { // LISTUSERS
if (args.filter) {
// Filter the list of users

View File

@ -1398,7 +1398,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (parent.parent.multiServer == null) {
// No peering, use simple session counting
for (i in parent.wssessions) {
if (parent.wssessions[i][0].domainid == domain.id) {
if ((obj.crossDomain === true) || (parent.wssessions[i][0].domainid == domain.id)) {
if ((user.groups == null) || (user.groups.length == 0)) {
// No user groups, count everything
wssessions[i] = parent.wssessions[i].length;
@ -1414,7 +1414,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} else {
// We have peer servers, use more complex session counting
for (i in parent.sessionsCount) {
if (i.split('/')[1] == domain.id) {
if ((obj.crossDomain === true) || (i.split('/')[1] == domain.id)) {
if ((user.groups == null) || (user.groups.length == 0)) {
// No user groups, count everything
wssessions[i] = parent.sessionsCount[i];
@ -1441,6 +1441,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((user.siteadmin & 2) == 0) { err = 'Permission denied'; }
else if (common.validateString(command.userid, 1, 2048) == false) { err = 'Invalid userid'; }
else {
if (command.userid.indexOf('/') < 0) { command.userid = 'user/' + domain.id + '/' + command.userid; }
delusersplit = command.userid.split('/');
deluserid = command.userid;
deluser = parent.users[deluserid];
@ -1950,19 +1951,32 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
}
case 'deleteusergroup':
{
if ((user.siteadmin & SITERIGHT_USERGROUPS) == 0) { return; }
var err = null;
if ((user.siteadmin & SITERIGHT_USERGROUPS) == 0) { err = "Permission denied"; }
// Change the name or description of a user group
if (common.validateString(command.ugrpid, 1, 1024) == false) break; // Check the user group id
var ugroupidsplit = command.ugrpid.split('/');
if ((ugroupidsplit.length != 3) || (ugroupidsplit[0] != 'ugrp') || ((obj.crossDomain !== true) && (ugroupidsplit[1] != domain.id))) break;
else if (common.validateString(command.ugrpid, 1, 1024) == false) { err = "Invalid group id"; } // Check the user group id
else {
var ugroupidsplit = command.ugrpid.split('/');
if ((ugroupidsplit.length != 3) || (ugroupidsplit[0] != 'ugrp') || ((obj.crossDomain !== true) && (ugroupidsplit[1] != domain.id))) { err = "Invalid domain id"; }
}
// Get the domain
var delGroupDomain = parent.parent.config.domains[ugroupidsplit[1]];
if (delGroupDomain == null) break;
if (delGroupDomain == null) { err = "Invalid domain id"; }
// Handle any errors
if (err != null) {
if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'deleteusergroup', responseid: command.responseid, result: err })); } catch (ex) { } }
break;
}
db.Get(command.ugrpid, function (err, groups) {
if ((err != null) || (groups.length != 1)) return;
if ((err != null) || (groups.length != 1)) {
try { ws.send(JSON.stringify({ action: 'deleteusergroup', responseid: command.responseid, result: 'Unknown device group' })); } catch (ex) { }
return;
}
var group = groups[0];
// Unlink any user and meshes that have a link to this group
@ -2007,6 +2021,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Log in the auth log
if (parent.parent.authlog) { parent.parent.authLog('https', 'User ' + user.name + ' deleted user group ' + group.name); }
try { ws.send(JSON.stringify({ action: 'deleteusergroup', responseid: command.responseid, result: 'ok', ugrpid: group._id })); } catch (ex) { }
});
break;
}

File diff suppressed because it is too large Load Diff

View File

@ -2330,7 +2330,7 @@
case 'accountcreate':
case 'accountchange': {
// An account was created or changed
if (userinfo.name == message.event.account.name) {
if (userinfo._id == message.event.account._id) {
var newsiteadmin = message.event.account.siteadmin?message.event.account.siteadmin:0;
var oldsiteadmin = userinfo.siteadmin?userinfo.siteadmin:0;
if ((message.event.account.quota != userinfo.quota) || (((userinfo.siteadmin & 8) == 0) && ((message.event.account.siteadmin & 8) != 0))) { meshserver.send({ action: 'files' }); }
@ -8923,7 +8923,6 @@
}
function p20showAddMeshUserDialog(userid, selected) {
console.log('p20showAddMeshUserDialog', userid, selected);
if (xxdialogMode) return false;
var x = '';
if ((userid == null) || (userid == 5)) {
@ -10664,13 +10663,16 @@
var x = '<div style=min-height:80px><table style=width:100%>';
if ((args.hide & 8) != 0) { x += '<br />' + addDeviceAttribute("Name", gname); } // If title bar is hidden, display the user group name here
if (serverinfo.crossDomain != null) {
var d = group._id.split('/')[1];
x += addDeviceAttribute("Domain", (d != '')?EscapeHtml(d):('<i>' + "Default" + '</i>'));
x += addDeviceAttribute("Group Identifier", EscapeHtml(group._id));
}
if ((userinfo.siteadmin & 256) != 0) {
x += addDeviceAttribute("Description", '<span onclick=p51editgroup(2) style=cursor:pointer>' + desc + ' <img class=hoverButton src="images/link5.png" /></span>');
} else {
x += addDeviceAttribute("Description", desc);
}
if (serverinfo.crossDomain != null) { x += addDeviceAttribute("Group Identifier", group._id); }
x += addDeviceAttribute("Users", usercount);
x += addDeviceAttribute("Device Groups", meshcount);
x += addDeviceAttribute("Devices", devicecount);
@ -10939,7 +10941,7 @@
if (user == null) { setDialogMode(0); go(4); return; }
QH('p30userName', user.name);
QH('p31userName', user.name);
var self = (user.name == userinfo.name), activeSessions = 0;
var self = (user._id == userinfo._id), activeSessions = 0;
if (wssessions != null && wssessions[user._id]) { activeSessions = wssessions[user._id]; }
// Change user grayscale
@ -10971,6 +10973,8 @@
if (serverinfo.emailcheck) { everify = ((user.emailVerified == true) ? '<b style=color:green;cursor:pointer title="' + "Email is verified" + '">&#x2713</b> ' : '<b style=color:red;cursor:pointer title="' + "Email not verified" + '">&#x2717;</b> '); }
if (serverinfo.crossDomain) {
var d = user._id.split('/')[1];
x += addDeviceAttribute("Domain", ((d != '')?EscapeHtml(d):('<i>' + "Default" + '</i>')));
x += addDeviceAttribute("User Identifier", EscapeHtml(user._id));
} else {
if (user.name.toLowerCase() != user._id.split('/')[2]) { x += addDeviceAttribute("User Identifier", EscapeHtml(user._id.split('/')[2])); }