From 3329acc5a866a403fc12cbdd052c1ea855927703 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 28 Jul 2021 15:03:06 -0700
Subject: [PATCH] ACM activation debug improvements, #2948

---
 amtmanager.js | 5 +++--
 meshcentral-config-schema.json | 2 +-
 mpsserver.js | 10 +++++-----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/amtmanager.js b/amtmanager.js
index e687f55d..9751f6f1 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -1898,6 +1898,7 @@ module.exports.CreateAmtManager = function (parent) {
 if (dev.mpsConnection.tag.meiState.OsDnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.OsDnsSuffix; }
 if (dev.mpsConnection.tag.meiState.DnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.DnsSuffix; }
 dev.consoleMsg("No opportunity for ACM activation, trusted FQDN: " + ((trustedFqdn == null) ? "(Not Set)" : trustedFqdn));
+ dev.consoleMsg("No opportunity for ACM activation, trusted FQDN: " + ((trustedFqdn == null) ? "(Not Set)" : (trustedFqdn + ", HEX: " + Buffer.from(trustedFqdn).toString('hex'))));
 removeAmtDevice(dev, 38);
 return false; // We are not in CCM and policy restricts use of CCM, so exit now.
 }
@@ -1910,9 +1911,9 @@ module.exports.CreateAmtManager = function (parent) {
 } else {
 // We are not activated now, go to ACM directly.
 // Check if we are allowed to perform TLS ACM activation
- var TlsAcmActivation = true;
+ var TlsAcmActivation = false;
 var domain = parent.config.domains[dev.domainid];
- if (domain && domain.amtmanager && (domain.amtmanager.tlsacmactivation == false)) { TlsAcmActivation = false; }
+ if (domain && domain.amtmanager && (domain.amtmanager.tlsacmactivation == true)) { TlsAcmActivation = true; }
 // Check Intel AMT version
 if (typeof dev.intelamt.ver == 'string') { var verSplit = dev.intelamt.ver.split('.'); if (verSplit.length >= 3) { dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); } }
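Review bot: The original `dev.consoleMsg("No opportunity for ACM activation, trusted FQDN: " ...)` line is kept as context and the new HEX variant is added directly after it, so every device now receives the same message twice; the old line should be a `-` line in this hunk so only the HEX form remains. Separately, `Buffer.from(trustedFqdn)` throws a TypeError if the MEI state ever supplies a non-string suffix (the hunk only checks `!= null`), so guarding with `typeof trustedFqdn == 'string'` before the hex conversion would keep the diagnostic from aborting the activation path — whether non-string values occur cannot be confirmed from this hunk. The enclosing function continues outside the hunk.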
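Review bot: The -1910 hunk silently changes TLS ACM activation from opt-out to opt-in (default `false`, enabled only when `domain.amtmanager.tlsacmactivation == true`) while the comment above still reads as a neutral permission check; the comment should record the new policy, e.g. `// TLS ACM activation is opt-in: only attempted when the domain's amtmanager.tlsacmactivation is true`. Operators relying on the previous default will stop getting TLS ACM activation after this commit, so the behaviour change deserves a line in the commit description as well. Note that the loose `== true` comparison will not accept a string value such as "true" from a hand-edited config, which may be intended but is worth stating. The enclosing function starts and ends outside the hunk.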
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index e85c6806..d54e589f 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -528,7 +528,7 @@
 "additionalProperties": false,
 "description": "Information passed to the AMT manager module that impacts all Intel AMT device managed within this domain.",
 "properties": {
- "TlsAcmActivation": { "type": "boolean", "default": true, "description": "When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+" },
+ "TlsAcmActivation": { "type": "boolean", "default": false, "description": "When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+" },
 "AdminAccounts": {
 "description": "List of username and passwords to try when connecting to Intel AMT.",
 "type": "array",
diff --git a/mpsserver.js b/mpsserver.js
index cd968de4..b2d84838 100644
--- a/mpsserver.js
+++ b/mpsserver.js
@@ -600,8 +600,8 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
 }
 if (obj.parent.webserver.meshes[cookie.m] == null) {
 meshNotFoundCount++;
- socket.ControlMsg({ action: 'console', msg: 'Device group not found (1)' });
- parent.debug('mps', 'Device group not found (1)', username, password);
+ socket.ControlMsg({ action: 'console', msg: 'Device group not found (1): ' + cookie.m });
+ parent.debug('mps', 'Device group not found (1): ' + cookie.m, username, password);
 SendUserAuthFail(socket);
 return -1;
 }
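Review bot: The `"default"` flips to `false` but the `"description"` still explains only what happens "When set to false", which is now the default and no longer the interesting case; the text should describe the opt-in, e.g. `"description": "When set to true, MeshCentral will attempt a TLS ACM activation on Intel AMT v14+. Defaults to false."`. Keeping the schema text aligned with the code default matters here because the amtmanager.js change in this commit makes the setting opt-in, and an operator reading only the schema would not learn that.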
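Review bot: The rewritten `parent.debug('mps', 'Device group not found (1): ' + cookie.m, username, password)` line still passes the cleartext CIRA `password` into the debug log, and the -645 hunk of this file does the same in its `parent.debug` call; the MPS debug channel can be persisted or displayed to administrators, so the credential should be omitted or reduced to its length, e.g. `parent.debug('mps', 'Device group not found (1): ' + cookie.m, username);`. Whether the debug output is written to disk in this deployment cannot be confirmed from the hunk, but the log consumer is outside the authentication boundary of the device that supplied the password. The enclosing function starts and ends outside the hunk.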
@@ -635,7 +635,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
 }
 // Find the device group for this CIRA connection. Since Intel AMT does not allow @ or $ in the username, we escape these.
 // For possible for CIRA-LMS connections to still send @ or $, so we need to escape both sides.
- var meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X'), mesh = null;
+ const meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X'), mesh = null;
 if (obj.parent.webserver.meshes) {
 for (var i in obj.parent.webserver.meshes) {
 if (obj.parent.webserver.meshes[i]._id.replace(/\@/g, 'X').replace(/\$/g, 'X').indexOf(meshIdStart) > 0) {
@@ -645,8 +645,8 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
 }
 if (mesh == null) {
 meshNotFoundCount++;
- socket.ControlMsg({ action: 'console', msg: 'Device group not found (2)' });
- parent.debug('mps', 'Device group not found (2)', username, password);
+ socket.ControlMsg({ action: 'console', msg: 'Device group not found (2): ' + meshIdStart + ', u: ' + username + ', p: ' + password });
+ parent.debug('mps', 'Device group not found (2)', meshIdStart, username, password);
 SendUserAuthFail(socket);
 return -1;
 }
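Review bot: Changing `var` to `const` on the line `const meshIdStart = ..., mesh = null;` also makes `mesh` a constant, and the `if (mesh == null)` test in the -645 hunk strongly implies `mesh` is reassigned inside the loop that follows; if so, that assignment now throws "Assignment to constant variable" and every CIRA login through this path fails. The declaration should be split, `const meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X');` followed by `let mesh = null;` (or keep `var` for `mesh`, matching the file's style). The loop body that would assign `mesh` is outside the hunk, so this should be confirmed against the full function.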
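Review bot: The new `socket.ControlMsg({ action: 'console', msg: 'Device group not found (2): ' + meshIdStart + ', u: ' + username + ', p: ' + password })` embeds the cleartext CIRA password in a console message, which widens where that credential appears (console output on the device side and anything that captures it) beyond the debug log it was already in. The username is already encoded in `meshIdStart` (the `'/' + username` prefix with `@`/`$` escaped), so the message can drop the password entirely and keep `meshIdStart` plus `username` for diagnosis, e.g. `msg: 'Device group not found (2): ' + meshIdStart + ', u: ' + username`. The enclosing function starts and ends outside the hunk.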