mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2025-01-11 23:13:21 -05:00
Improved DB records encryption support.
This commit is contained in:
Ylian Saint-Hilaire
parent
a34d4385a3
commit
5af831a0aa
34
db.js
34
db.js
@ -195,6 +195,18 @@ module.exports.CreateDB = function (parent, func) {
|
|||||||
obj.getValueOfTheDay = function (id, startValue, func) { obj.Get(id, function (err, docs) { var date = new Date(), t = date.toLocaleDateString(); if (docs.length == 1) { var r = docs[0]; if (r.day == t) { func({ _id: id, value: r.value, day: t }); return; } } func({ _id: id, value: startValue, day: t }); }); };
|
obj.getValueOfTheDay = function (id, startValue, func) { obj.Get(id, function (err, docs) { var date = new Date(), t = date.toLocaleDateString(); if (docs.length == 1) { var r = docs[0]; if (r.day == t) { func({ _id: id, value: r.value, day: t }); return; } } func({ _id: id, value: startValue, day: t }); }); };
|
||||||
obj.escapeBase64 = function escapeBase64(val) { return (val.replace(/\+/g, '@').replace(/\//g, '$')); }
|
obj.escapeBase64 = function escapeBase64(val) { return (val.replace(/\+/g, '@').replace(/\//g, '$')); }
|
||||||
|
|
||||||
|
// Encrypt an database object
|
||||||
|
obj.performRecordEncryptionRecode = function (func) {
|
||||||
|
var count = 0;
|
||||||
|
obj.GetAllType('user', function (err, docs) {
|
||||||
|
if (err == null) { for (var i in docs) { count++; obj.Set(docs[i]); } }
|
||||||
|
obj.GetAllType('node', function (err, docs) {
|
||||||
|
if (err == null) { for (var i in docs) { count++; obj.Set(docs[i]); } }
|
||||||
|
func(count);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// Encrypt an database object
|
// Encrypt an database object
|
||||||
function performTypedRecordDecrypt(data) {
|
function performTypedRecordDecrypt(data) {
|
||||||
if ((obj.dbRecordsDecryptKey == null) || (typeof data != 'object')) return data;
|
if ((obj.dbRecordsDecryptKey == null) || (typeof data != 'object')) return data;
|
||||||
@ -237,10 +249,11 @@ module.exports.CreateDB = function (parent, func) {
|
|||||||
// Encrypt an object and return a base64.
|
// Encrypt an object and return a base64.
|
||||||
function performRecordEncrypt(plainobj) {
|
function performRecordEncrypt(plainobj) {
|
||||||
if (obj.dbRecordsEncryptKey == null) return null;
|
if (obj.dbRecordsEncryptKey == null) return null;
|
||||||
const iv = parent.crypto.randomBytes(16);
|
const iv = parent.crypto.randomBytes(12);
|
||||||
const aes = parent.crypto.createCipheriv('aes-256-cbc', obj.dbRecordsEncryptKey, iv);
|
const aes = parent.crypto.createCipheriv('aes-256-gcm', obj.dbRecordsEncryptKey, iv);
|
||||||
var ciphertext = aes.update(JSON.stringify(plainobj));
|
var ciphertext = aes.update(JSON.stringify(plainobj));
|
||||||
ciphertext = Buffer.concat([iv, ciphertext, aes.final()]);
|
var cipherfinal = aes.final();
|
||||||
|
ciphertext = Buffer.concat([iv, aes.getAuthTag(), ciphertext, cipherfinal]);
|
||||||
return ciphertext.toString('base64');
|
return ciphertext.toString('base64');
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -248,12 +261,17 @@ module.exports.CreateDB = function (parent, func) {
|
|||||||
function performRecordDecrypt(ciphertext) {
|
function performRecordDecrypt(ciphertext) {
|
||||||
if (obj.dbRecordsDecryptKey == null) return null;
|
if (obj.dbRecordsDecryptKey == null) return null;
|
||||||
const ciphertextBytes = Buffer.from(ciphertext, 'base64');
|
const ciphertextBytes = Buffer.from(ciphertext, 'base64');
|
||||||
const iv = ciphertextBytes.slice(0, 16);
|
const iv = ciphertextBytes.slice(0, 12);
|
||||||
const data = ciphertextBytes.slice(16);
|
const data = ciphertextBytes.slice(28);
|
||||||
const aes = parent.crypto.createDecipheriv('aes-256-cbc', obj.dbRecordsDecryptKey, iv);
|
const aes = parent.crypto.createDecipheriv('aes-256-gcm', obj.dbRecordsDecryptKey, iv);
|
||||||
var plaintextBytes = Buffer.from(aes.update(data));
|
aes.setAuthTag(ciphertextBytes.slice(12, 16));
|
||||||
|
var plaintextBytes, r;
|
||||||
|
try {
|
||||||
|
plaintextBytes = Buffer.from(aes.update(data));
|
||||||
plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
|
plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
|
||||||
return JSON.parse(plaintextBytes.toString());
|
r = JSON.parse(plaintextBytes.toString());
|
||||||
|
} catch (e) { throw "Incorrect DbRecordsDecryptKey/DbRecordsEncryptKey or invalid database _CRYPT data: " + e; }
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clone an object (TODO: Make this more efficient)
|
// Clone an object (TODO: Make this more efficient)
|
||||||
|
|||||||
@ -114,7 +114,7 @@ function CreateMeshCentralServer(config, args) {
|
|||||||
try { require('./pass').hash('test', function () { }, 0); } catch (e) { console.log('Old version of node, must upgrade.'); return; } // TODO: Not sure if this test works or not.
|
try { require('./pass').hash('test', function () { }, 0); } catch (e) { console.log('Old version of node, must upgrade.'); return; } // TODO: Not sure if this test works or not.
|
||||||
|
|
||||||
// Check for invalid arguments
|
// Check for invalid arguments
|
||||||
var validArguments = ['_', 'notls', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'shownodes', 'showmeshes', 'showevents', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'memorytracking', 'serverid'];
|
var validArguments = ['_', 'notls', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'shownodes', 'showmeshes', 'showevents', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'memorytracking', 'serverid', 'recordencryptionrecode'];
|
||||||
for (var arg in obj.args) { obj.args[arg.toLocaleLowerCase()] = obj.args[arg]; if (validArguments.indexOf(arg.toLocaleLowerCase()) == -1) { console.log('Invalid argument "' + arg + '", use --help.'); return; } }
|
for (var arg in obj.args) { obj.args[arg.toLocaleLowerCase()] = obj.args[arg]; if (validArguments.indexOf(arg.toLocaleLowerCase()) == -1) { console.log('Invalid argument "' + arg + '", use --help.'); return; } }
|
||||||
if (obj.args.mongodb == true) { console.log('Must specify: --mongodb [connectionstring] \r\nSee https://docs.mongodb.com/manual/reference/connection-string/ for MongoDB connection string.'); return; }
|
if (obj.args.mongodb == true) { console.log('Must specify: --mongodb [connectionstring] \r\nSee https://docs.mongodb.com/manual/reference/connection-string/ for MongoDB connection string.'); return; }
|
||||||
for (i in obj.config.settings) { obj.args[i] = obj.config.settings[i]; } // Place all settings into arguments, arguments have already been placed into settings so arguments take precedence.
|
for (i in obj.config.settings) { obj.args[i] = obj.config.settings[i]; } // Place all settings into arguments, arguments have already been placed into settings so arguments take precedence.
|
||||||
@ -286,6 +286,7 @@ function CreateMeshCentralServer(config, args) {
|
|||||||
if (obj.args.showiplocations) { obj.db.GetAllType('iploc', function (err, docs) { console.log(docs); process.exit(); }); return; }
|
if (obj.args.showiplocations) { obj.db.GetAllType('iploc', function (err, docs) { console.log(docs); process.exit(); }); return; }
|
||||||
if (obj.args.logintoken) { obj.getLoginToken(obj.args.logintoken, function (r) { console.log(r); process.exit(); }); return; }
|
if (obj.args.logintoken) { obj.getLoginToken(obj.args.logintoken, function (r) { console.log(r); process.exit(); }); return; }
|
||||||
if (obj.args.logintokenkey) { obj.showLoginTokenKey(function (r) { console.log(r); process.exit(); }); return; }
|
if (obj.args.logintokenkey) { obj.showLoginTokenKey(function (r) { console.log(r); process.exit(); }); return; }
|
||||||
|
if (obj.args.recordencryptionrecode) { obj.db.performRecordEncryptionRecode(function (count) { console.log('Re-encoded ' + count + ' record(s).'); process.exit(); }); return; }
|
||||||
|
|
||||||
// Show a list of all configuration files in the database
|
// Show a list of all configuration files in the database
|
||||||
if (obj.args.dblistconfigfiles) {
|
if (obj.args.dblistconfigfiles) {
|
||||||
|
|||||||
@ -2570,7 +2570,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
|||||||
actionText = 'New 2FA backup codes generated.';
|
actionText = 'New 2FA backup codes generated.';
|
||||||
} else if (command.subaction == 2) { // Clear all tokens
|
} else if (command.subaction == 2) { // Clear all tokens
|
||||||
actionTaken = (user.otpkeys != null);
|
actionTaken = (user.otpkeys != null);
|
||||||
user.otpkeys = null;
|
delete user.otpkeys;
|
||||||
if (actionTaken) { actionText = '2FA backup codes cleared.'; }
|
if (actionTaken) { actionText = '2FA backup codes cleared.'; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -12,6 +12,8 @@
|
|||||||
"_SessionKey": "MyReallySecretPassword1",
|
"_SessionKey": "MyReallySecretPassword1",
|
||||||
"_SessionSameSite": "strict",
|
"_SessionSameSite": "strict",
|
||||||
"_DbEncryptKey": "MyReallySecretPassword2",
|
"_DbEncryptKey": "MyReallySecretPassword2",
|
||||||
|
"_DbRecordsEncryptKey": "MyReallySecretPassword",
|
||||||
|
"_DbRecordsDecryptKey": "MyReallySecretPassword",
|
||||||
"_DbExpire": {
|
"_DbExpire": {
|
||||||
"events": 1728000,
|
"events": 1728000,
|
||||||
"powerevents": 864000
|
"powerevents": 864000
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user