Server peering fixes.

This commit is contained in:
Ylian Saint-Hilaire 2020-11-12 18:42:26 -08:00
parent 7386a3f8c2
commit a3d712d207
2 changed files with 11 additions and 9 deletions

db.js

@ -448,7 +448,7 @@ module.exports.CreateDB = function (parent, func) {
} else { } else {
obj.fileChangeStream = obj.file.watch([{ $match: { $or: [{ 'fullDocument.type': { $in: ['node', 'mesh', 'user', 'ugrp'] } }, { 'operationType': 'delete' }] } }], { fullDocument: 'updateLookup' }); obj.fileChangeStream = obj.file.watch([{ $match: { $or: [{ 'fullDocument.type': { $in: ['node', 'mesh', 'user', 'ugrp'] } }, { 'operationType': 'delete' }] } }], { fullDocument: 'updateLookup' });
obj.fileChangeStream.on('change', function (change) { obj.fileChangeStream.on('change', function (change) {
if (change.operationType == 'update') { if ((change.operationType == 'update') || (change.operationType == 'replace')) {
switch (change.fullDocument.type) { switch (change.fullDocument.type) {
case 'node': { dbNodeChange(change, false); break; } // A node has changed case 'node': { dbNodeChange(change, false); break; } // A node has changed
case 'mesh': { dbMeshChange(change, false); break; } // A device group has changed case 'mesh': { dbMeshChange(change, false); break; } // A device group has changed
@ -1579,7 +1579,7 @@ module.exports.CreateDB = function (parent, func) {
// Called when a node has changed // Called when a node has changed
function dbNodeChange(nodeChange, added) { function dbNodeChange(nodeChange, added) {
common.unEscapeLinksFieldName(nodeChange.fullDocument); common.unEscapeLinksFieldName(nodeChange.fullDocument);
const node = nodeChange.fullDocument; const node = performTypedRecordDecrypt([nodeChange.fullDocument])[0];
if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this. if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this.
if (node.intelamt.pass != null) { node.intelamt.pass = 1; } if (node.intelamt.pass != null) { node.intelamt.pass = 1; }
if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; } if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; }
@ -1591,7 +1591,7 @@ module.exports.CreateDB = function (parent, func) {
function dbMeshChange(meshChange, added) { function dbMeshChange(meshChange, added) {
if (parent.webserver == null) return; if (parent.webserver == null) return;
common.unEscapeLinksFieldName(meshChange.fullDocument); common.unEscapeLinksFieldName(meshChange.fullDocument);
const mesh = meshChange.fullDocument; const mesh = performTypedRecordDecrypt([meshChange.fullDocument])[0];
// Update the mesh object in memory // Update the mesh object in memory
const mmesh = parent.webserver.meshes[mesh._id]; const mmesh = parent.webserver.meshes[mesh._id];
@ -1613,7 +1613,7 @@ module.exports.CreateDB = function (parent, func) {
// Called when a user account has changed // Called when a user account has changed
function dbUserChange(userChange, added) { function dbUserChange(userChange, added) {
if (parent.webserver == null) return; if (parent.webserver == null) return;
const user = userChange.fullDocument; const user = performTypedRecordDecrypt([userChange.fullDocument])[0];
// Update the user object in memory // Update the user object in memory
const muser = parent.webserver.users[user._id]; const muser = parent.webserver.users[user._id];
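Review bot: All three change-stream handlers now dereference `performTypedRecordDecrypt([...])[0]` without checking the result, so if that helper yields an empty array or `null` for a record it cannot decrypt (its definition is outside this diff, so this is inferred from the call shape), the very next property access (`node.intelamt`, `mesh._id`, `user._id`) throws inside the MongoDB change-stream callback. A one-line guard after each decrypt, e.g. in dbUserChange `if (user == null) return;`, keeps a single undecryptable document from taking down the listener. It would also help to record why the decrypt is needed at all, e.g. `// The change stream hands back the stored (possibly encrypted) document; decrypt it before comparing with the in-memory copy.` In dbNodeChange the scrub of `intelamt.pass`/`mpspass` now runs on the decrypted object, which is the right order; dbUserChange performs no equivalent scrub, so whether any decrypted user fields reach an event depends on code past the hunk. dbUserChange's body continues below this hunk.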


@ -624,12 +624,14 @@ module.exports.CreateMultiServer = function (parent, args) {
peerTunnel.ws2.on('open', function () { peerTunnel.ws2.on('open', function () {
peerTunnel.parent.parent.debug('peer', 'FTunnel ' + peerTunnel.serverid + ': Connected'); peerTunnel.parent.parent.debug('peer', 'FTunnel ' + peerTunnel.serverid + ': Connected');
// Get the peer server's certificate and compute the server public key hash if (peerTunnel.ws2._socket.getPeerCertificate != null) {
var serverCert = obj.forge.pki.certificateFromAsn1(obj.forge.asn1.fromDer(peerTunnel.ws2._socket.getPeerCertificate().raw.toString('binary'))); // Get the peer server's certificate and compute the server public key hash
var serverCertHashHex = Buffer.from(obj.forge.pki.getPublicKeyFingerprint(serverCert.publicKey, { encoding: 'binary', md: obj.forge.md.sha384.create() }), 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); var serverCert = obj.forge.pki.certificateFromAsn1(obj.forge.asn1.fromDer(peerTunnel.ws2._socket.getPeerCertificate().raw.toString('binary')));
var serverCertHashHex = Buffer.from(obj.forge.pki.getPublicKeyFingerprint(serverCert.publicKey, { encoding: 'binary', md: obj.forge.md.sha384.create() }), 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
// Check if the peer certificate is the expected one for this serverid // Check if the peer certificate is the expected one for this serverid
if ((obj.peerServers[serverid] == null) || (obj.peerServers[serverid].serverCertHash != serverCertHashHex)) { console.log('ERROR: Outer certificate hash mismatch (1). (' + peerTunnel.url + ', ' + peerTunnel.serverid + ').'); peerTunnel.close(); return; } if ((obj.peerServers[serverid] == null) || (obj.peerServers[serverid].serverCertHash != serverCertHashHex)) { console.log('ERROR: Outer certificate hash mismatch (1). (' + peerTunnel.url + ', ' + peerTunnel.serverid + ').'); peerTunnel.close(); return; }
}
// Connection accepted, resume the web socket to start the data flow // Connection accepted, resume the web socket to start the data flow
peerTunnel.ws1._socket.resume(); peerTunnel.ws1._socket.resume();