Added code to skip the agent code signing certificate if missing and getting certs from database or vault (#4299)
This commit is contained in:
parent
46e511ef95
commit
3dd8531ef9
|
@ -855,6 +855,9 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
|
if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
|
||||||
r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
|
r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
|
||||||
if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
|
if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
|
||||||
|
} else {
|
||||||
|
// If we are reading certificates from a database or vault and are just missing the code signing cert, skip it.
|
||||||
|
if (parent.configurationFiles != null) { rcount++; }
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the swarm server certificate exist, load it (This is an optional certificate)
|
// If the swarm server certificate exist, load it (This is an optional certificate)
|
||||||
|
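Review bot: The new `else` branch increments rcount whenever `parent.configurationFiles != null`, but it is reached when either of the two code-signing files is absent, so a database or vault that holds only the key or only the certificate is silently accepted with no `r.codesign` at all. A log line in that branch, e.g. `console.log('Code signing certificate not found in configuration files, skipping.');` (or whatever logging call the file already uses), would make the skipped state visible to the operator. Note also that a certificate that is present but fails `checkCertificate` is still deleted without incrementing rcount, so that case presumably falls through to regeneration rather than being skipped; the counting logic continues outside this hunk, so this is inferred.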
@ -969,6 +972,7 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If we have all the certificates we need, stop here.
|
||||||
if (rcount === rcountmax) {
|
if (rcount === rcountmax) {
|
||||||
if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r; } // If no certificate arguments are given, keep the certificate
|
if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r; } // If no certificate arguments are given, keep the certificate
|
||||||
var xcountry, xcountryField = webCertificate.subject.getField('C');
|
var xcountry, xcountryField = webCertificate.subject.getField('C');
|
||||||
|
|
|
@ -896,9 +896,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||||
var origin = 'https://' + (domain.dns ? domain.dns : parent.certificates.CommonName);
|
var origin = 'https://' + (domain.dns ? domain.dns : parent.certificates.CommonName);
|
||||||
if (httpport != 443) { origin += ':' + httpport; }
|
if (httpport != 443) { origin += ':' + httpport; }
|
||||||
|
|
||||||
const sec = parent.decryptSessionData(req.session.e);
|
var u2fchallenge = null;
|
||||||
|
if ((req.session != null) && (req.session.e != null)) { const sec = parent.decryptSessionData(req.session.e); if (sec != null) { u2fchallenge = sec.u2f; } }
|
||||||
var assertionExpectations = {
|
var assertionExpectations = {
|
||||||
challenge: sec.u2f,
|
challenge: u2fchallenge,
|
||||||
origin: origin,
|
origin: origin,
|
||||||
factor: 'either',
|
factor: 'either',
|
||||||
fmt: 'fido-u2f',
|
fmt: 'fido-u2f',
|
||||||
|
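Review bot: When the session or its decrypted state is missing, the new code still builds assertionExpectations with `challenge: null` and relies on the assertion verification to reject it; whether a null expected challenge is refused depends on the FIDO/U2F library, so it would be safer to fail fast here, e.g. `if (u2fchallenge == null) { /* report the same failure as a bad assertion */ return; }`, using whatever failure path the surrounding function already takes for an invalid assertion. The enclosing function starts before this hunk, so that failure path is not visible here.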
@ -978,6 +979,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||||
// Return a U2F hardware key challenge
|
// Return a U2F hardware key challenge
|
||||||
function getHardwareKeyChallenge(req, domain, user, func) {
|
function getHardwareKeyChallenge(req, domain, user, func) {
|
||||||
delete req.session.u2f;
|
delete req.session.u2f;
|
||||||
|
if (req.session = null) { req.session = {}; }
|
||||||
const sec = parent.decryptSessionData(req.session.e);
|
const sec = parent.decryptSessionData(req.session.e);
|
||||||
|
|
||||||
if (user.otphkeys && (user.otphkeys.length > 0)) {
|
if (user.otphkeys && (user.otphkeys.length > 0)) {
|
||||||
|
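Review bot: `if (req.session = null)` in the line added to getHardwareKeyChallenge is an assignment, not a comparison: it sets req.session to null, the condition is then falsy so the fallback object is never created, and the next line's `req.session.e` throws a TypeError, so every hardware-key challenge request fails and any existing session object is discarded. The same guard added at @ -1015 in this file uses the intended form; this one should read `if (req.session == null) { req.session = {}; }`. The guard also sits after `delete req.session.u2f;`, which already dereferences req.session, so it should move above that line. getHardwareKeyChallenge continues past the hunk, where `sec` is used without the `sec != null` check that the @ -896 hunk applies after the same decryptSessionData call.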
@ -1015,6 +1017,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||||
if (domain == null) { return; }
|
if (domain == null) { return; }
|
||||||
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
|
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
|
||||||
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
|
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
|
||||||
|
if (req.session == null) { req.session = {}; }
|
||||||
|
|
||||||
// Check if this is a banned ip address
|
// Check if this is a banned ip address
|
||||||
if (obj.checkAllowLogin(req) == false) {
|
if (obj.checkAllowLogin(req) == false) {
|
||||||
|
@ -3019,7 +3022,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
||||||
|
|
||||||
// Encrypt the hardware key challenge state if needed
|
// Encrypt the hardware key challenge state if needed
|
||||||
var hwstate = null;
|
var hwstate = null;
|
||||||
if (hardwareKeyChallenge) {
|
if (hardwareKeyChallenge && req.session) {
|
||||||
const sec = parent.decryptSessionData(req.session.e);
|
const sec = parent.decryptSessionData(req.session.e);
|
||||||
hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey)
|
hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey)
|
||||||
}
|
}
|
||||||
|
|
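Review bot: The new `req.session` guard protects `req.session.e`, but `sec` on the following line can still be null — the @ -896 hunk in this file checks `sec != null` after the same `decryptSessionData` call — so `sec.tuser` would throw when the session carries no encrypted state. Suggest `if (hardwareKeyChallenge && req.session) { const sec = parent.decryptSessionData(req.session.e); if (sec != null) { hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey); } }`, which leaves hwstate null exactly as the missing-session case does.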