mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-24 22:25:52 -05:00
more Intel AMT ACM work...
This commit is contained in:
parent
f1e6c49ed2
commit
82300f0cbe
Binary file not shown.
Binary file not shown.
@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
|
||||
function onVerifyServer(clientName, certs) {
|
||||
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
|
||||
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
|
||||
if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
|
||||
console.log(settings.serverhttpshash);
|
||||
if (settings.serverhttpshash != null) {
|
||||
console.log('Error: Failed to verify server certificate.');
|
||||
console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
|
||||
exit(255);
|
||||
throw 'Invalid server certificate';
|
||||
}
|
||||
}
|
||||
|
||||
// Various utility functions
|
||||
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
|
||||
|
||||
// Establish WebSocket connection to activation server
|
||||
var options = http.parseUri(settings.url);
|
||||
options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||
options.checkServerIdentity = onVerifyServer;
|
||||
options.rejectUnauthorized = false;
|
||||
var connection = http.request(options);
|
||||
connection.on('upgrade', function (response, socket) {
|
||||
|
11
agents/meshcmd.min.js
vendored
11
agents/meshcmd.min.js
vendored
@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
|
||||
function onVerifyServer(clientName, certs) {
|
||||
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
|
||||
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
|
||||
if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
|
||||
console.log(settings.serverhttpshash);
|
||||
if (settings.serverhttpshash != null) {
|
||||
console.log('Error: Failed to verify server certificate.');
|
||||
console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
|
||||
exit(255);
|
||||
throw 'Invalid server certificate';
|
||||
}
|
||||
}
|
||||
|
||||
// Various utility functions
|
||||
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
|
||||
|
||||
// Establish WebSocket connection to activation server
|
||||
var options = http.parseUri(settings.url);
|
||||
options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||
options.checkServerIdentity = onVerifyServer;
|
||||
options.rejectUnauthorized = false;
|
||||
var connection = http.request(options);
|
||||
connection.on('upgrade', function (response, socket) {
|
||||
|
@ -291,6 +291,15 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
|
||||
// Build server information object
|
||||
var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
|
||||
serverinfo.tlshash = Buffer.from(parent.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(); // SHA384 of server HTTPS certificate
|
||||
if ((parent.parent.config.domains[domain.id].amtacmactivation != null) && (parent.parent.config.domains[domain.id].amtacmactivation.acmmatch != null)) {
|
||||
var matchingDomains = [];
|
||||
for (var i in parent.parent.config.domains[domain.id].amtacmactivation.acmmatch) {
|
||||
var cn = parent.parent.config.domains[domain.id].amtacmactivation.acmmatch[i].cn;
|
||||
if ((cn != '*') && (matchingDomains.indexOf(cn) == -1)) { matchingDomains.push(cn); }
|
||||
}
|
||||
if (matchingDomains.length > 0) { serverinfo.amtAcmFqdn = matchingDomains; }
|
||||
}
|
||||
if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
|
||||
if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
|
||||
if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }
|
||||
|
@ -2577,6 +2577,9 @@
|
||||
r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel® AMT computer that is located on the local network." onclick=addDeviceToMesh(\"' + mesh._id + '\")>Add Local</a>';
|
||||
r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel® AMT computer by scanning the local network." onclick=addAmtScanToMesh(\"' + mesh._id + '\")>Scan Network</a>';
|
||||
}
|
||||
if ((features & 0x00100000) != 0) { // ACM activation
|
||||
r += ' <a style=cursor:pointer;font-size:10px title="Perform Intel AMT admin control mode (ACM) activation." onclick=showAcmActivation(\"' + mesh._id + '\")>Activation</a>';
|
||||
}
|
||||
}
|
||||
if (mesh.mtype == 2) {
|
||||
r += ' <a style=cursor:pointer;font-size:10px title="Add a new computer to this mesh by installing the mesh agent." onclick=addAgentToMesh(\"' + mesh._id + '\")>Add Agent</a>';
|
||||
@ -2599,6 +2602,27 @@
|
||||
Q('dp1devicename').focus();
|
||||
}
|
||||
|
||||
// Intel AMT Activation
|
||||
function showAcmActivation(meshid) {
|
||||
if (xxdialogMode) return;
|
||||
var servername = serverinfo.name, mesh = meshes[meshid];
|
||||
if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name.
|
||||
var url, domainUrlNoSlash = domainUrl.substring(0, domainUrl.length - 1);
|
||||
if (serverinfo.https == true) {
|
||||
var portStr = (serverinfo.port == 443) ? '' : (":" + serverinfo.port);
|
||||
url = "wss://" + servername + portStr + domainUrl;
|
||||
} else {
|
||||
var portStr = (serverinfo.port == 80) ? '' : (":" + serverinfo.port);
|
||||
url = "ws://" + servername + portStr + domainUrl;
|
||||
}
|
||||
var x = "Perform Intel AMT admin control mode (ACM) activation to group \"" + EscapeHtml(mesh.name) + "\" by downloading the MeshCMD tool and running it like this:<br /><br />";
|
||||
x += '<textarea readonly=readonly style=width:100%;resize:none;height:100px;overflow:auto;font-size:12px readonly>meshcmd amtacm --url ' + url + 'amtactivate?id=' + meshid.split('/')[2] + ' --serverhttpshash ' + serverinfo.tlshash + '</textarea>';
|
||||
if (serverinfo.amtAcmFqdn != null) {
|
||||
x += '<div style=margin-top:8px>Intel AMT will need to be set with a Trusted FQDN in MEBx or have a wired LAN on the network: <b>' + serverinfo.amtAcmFqdn.join(', ') + '</b></div>';
|
||||
}
|
||||
setDialogMode(2, "Intel® AMT activation", 9, null, x);
|
||||
}
|
||||
|
||||
// Display the Intel AMT scanning dialog box
|
||||
function addAmtScanToMesh(meshid) {
|
||||
if (xxdialogMode) return;
|
||||
|
@ -2215,7 +2215,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
|
||||
// Agent is asking the server to sign an Intel AMT ACM activation request
|
||||
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
|
||||
ws.send(JSON.stringify(signResponse));
|
||||
//ws.send(JSON.stringify(signResponse)); // DEBUG***************************
|
||||
break;
|
||||
}
|
||||
default: {
|
||||
|
Loading…
Reference in New Issue
Block a user