From af8a6ec2a1488d1de4810fbb3a158d4e03e5a390 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 14 Apr 2022 11:47:04 -0700 Subject: [PATCH] Many improvements to apprelay.js --- apprelays.js | 197 ++++++++++++++++++++++++++----------------------- meshcentral.js | 1 + meshuser.js | 1 + 3 files changed, 108 insertions(+), 91 deletions(-) diff --git a/apprelays.js b/apprelays.js index 593b3057..4ec5861d 100644 --- a/apprelays.js +++ b/apprelays.js @@ -42,7 +42,7 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { const Net = require('net'); const WebSocket = require('ws'); - var obj = {}; + const obj = {}; obj.ws = ws; obj.tcpServerPort = 0; obj.relayActive = false; @@ -86,7 +86,7 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { // Start the looppback server function startTcpServer() { obj.tcpServer = new Net.Server(); - obj.tcpServer.listen(0, '127.0.0.1', function () { obj.tcpServerPort = obj.tcpServer.address().port; startRdp(obj.tcpServerPort); }); + obj.tcpServer.listen(0, 'localhost', function () { obj.tcpServerPort = obj.tcpServer.address().port; startRdp(obj.tcpServerPort); }); obj.tcpServer.on('connection', function (socket) { if (obj.relaySocket != null) { socket.close(); @@ -100,12 +100,11 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { obj.relaySocket.on('error', function (err) { obj.close(); }); // Setup the correct URL with domain and use TLS only if needed. - var options = { rejectUnauthorized: false }; - if (domain.dns != null) { options.servername = domain.dns; } - var protocol = (args.tlsoffload) ? 'ws' : 'wss'; + const options = { rejectUnauthorized: false }; + const protocol = (args.tlsoffload) ? 'ws' : 'wss'; var domainadd = ''; if ((domain.dns == null) && (domain.id != '')) { domainadd = domain.id + '/' } - var url = protocol + '://127.0.0.1:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=10&auth=' + obj.infos.ip; // Protocol 10 is Web-RDP + const url = protocol + '://localhost:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=10&auth=' + obj.infos.ip; // Protocol 10 is Web-RDP parent.parent.debug('relay', 'RDP: Connection websocket to ' + url); obj.wsClient = new WebSocket(url, options); obj.wsClient.on('open', function () { parent.parent.debug('relay', 'RDP: Relay websocket open'); }); @@ -159,7 +158,7 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { send(['rdp-close']); }).on('error', function (err) { send(['rdp-error', err]); - }).connect('127.0.0.1', obj.tcpServerPort); + }).connect('localhost', obj.tcpServerPort); } catch (ex) { console.log('startRdpException', ex); obj.close(); @@ -184,7 +183,7 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { // Event node change if needed if (changed) { // Event the node change - var event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: obj.cookie.userid, node: parent.CloneSafeNode(node), msg: "Changed RDP credentials" }; + const event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: obj.cookie.userid, node: parent.CloneSafeNode(node), msg: "Changed RDP credentials" }; if (parent.parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. parent.parent.DispatchEvent(parent.CreateMeshDispatchTargets(node.meshid, [obj.nodeid]), obj, event); } @@ -208,14 +207,14 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { // Get node parent.parent.db.Get(obj.nodeid, function (err, nodes) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. if ((err != null) || (nodes == null) || (nodes.length != 1)) { obj.close(); return; } const node = nodes[0]; obj.mtype = node.mtype; // Store the device group type obj.meshid = node.meshid; // Store the MeshID // Check if we need to relay thru a different agent - // TODO: Check if we have rights to the relayid device - var mesh = parent.meshes[obj.meshid]; + const mesh = parent.meshes[obj.meshid]; if (mesh && mesh.relayid) { obj.relaynodeid = mesh.relayid; obj.tcpaddr = node.host; @@ -225,24 +224,30 @@ module.exports.CreateMstscRelay = function (parent, db, ws, req, args, domain) { obj.infos.ip = parent.parent.encodeCookie(cookieContent, parent.parent.loginCookieEncryptionKey); } - // Check if we need to load server stored credentials - if ((typeof obj.infos.options == 'object') && (obj.infos.options.useServerCreds == true)) { - // Check if RDP credentials exist - if ((domain.allowsavingdevicecredentials === false) && (typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')) { - obj.infos.domain = node.rdp.d; - obj.infos.username = node.rdp.u; - obj.infos.password = node.rdp.p; - startTcpServer(); + // Check if we have rights to the relayid device, does nothing if a relay is not used + checkRelayRights(parent, domain, obj.userid, obj.relaynodeid, function (allowed) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. + if (allowed !== true) { parent.parent.debug('relay', 'RDP: Attempt to use un-authorized relay'); obj.close(); return; } + + // Check if we need to load server stored credentials + if ((typeof obj.infos.options == 'object') && (obj.infos.options.useServerCreds == true)) { + // Check if RDP credentials exist + if ((domain.allowsavingdevicecredentials === false) && (typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')) { + obj.infos.domain = node.rdp.d; + obj.infos.username = node.rdp.u; + obj.infos.password = node.rdp.p; + startTcpServer(); + } else { + // No server credentials. + obj.infos.domain = ''; + obj.infos.username = ''; + obj.infos.password = ''; + startTcpServer(); + } } else { - // No server credentials. - obj.infos.domain = ''; - obj.infos.username = ''; - obj.infos.password = ''; startTcpServer(); } - } else { - startTcpServer(); - } + }); }); break; } @@ -285,7 +290,7 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { // SerialTunnel object is used to embed SSH within another connection. function SerialTunnel(options) { - var obj = new require('stream').Duplex(options); + const obj = new require('stream').Duplex(options); obj.forwardwrite = null; obj.updateBuffer = function (chunk) { this.push(chunk); }; obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } if (callback) callback(); }; // Pass data written to forward @@ -298,8 +303,6 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { obj.ws = ws; obj.relayActive = false; - parent.parent.debug('relay', 'SSH: Request for SSH relay (' + req.clientIp + ')'); - // Disconnect obj.close = function (arg) { if (obj.ws == null) return; @@ -374,28 +377,22 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { // Event node change if needed if (changed) { // Event the node change - var event = { etype: 'node', action: 'changenode', nodeid: obj.cookie.nodeid, domain: domain.id, userid: obj.cookie.userid, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; + const event = { etype: 'node', action: 'changenode', nodeid: obj.cookie.nodeid, domain: domain.id, userid: obj.cookie.userid, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; if (parent.parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. parent.parent.DispatchEvent(parent.CreateMeshDispatchTargets(node.meshid, [obj.cookie.nodeid]), obj, event); } }); } - // Decode the authentication cookie - obj.cookie = parent.parent.decodeCookie(req.query.auth, parent.parent.loginCookieEncryptionKey); - if (obj.cookie == null) { obj.ws.send(JSON.stringify({ action: 'sessionerror' })); obj.close(); return; } - // Start the looppback server function startRelayConnection() { try { // Setup the correct URL with domain and use TLS only if needed. - var options = { rejectUnauthorized: false }; - if (domain.dns != null) { options.servername = domain.dns; } - var protocol = 'wss'; - if (args.tlsoffload) { protocol = 'ws'; } + const options = { rejectUnauthorized: false }; + const protocol = (args.tlsoffload) ? 'ws' : 'wss'; var domainadd = ''; if ((domain.dns == null) && (domain.id != '')) { domainadd = domain.id + '/' } - var url = protocol + '://127.0.0.1:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=11&auth=' + obj.xcookie; // Protocol 11 is Web-SSH + const url = protocol + '://localhost:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=11&auth=' + obj.xcookie; // Protocol 11 is Web-SSH parent.parent.debug('relay', 'SSH: Connection websocket to ' + url); obj.wsClient = new WebSocket(url, options); obj.wsClient.on('open', function () { parent.parent.debug('relay', 'SSH: Relay websocket open'); }); @@ -440,7 +437,7 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { obj.ser.forwardwrite = function (data) { if ((data.length > 0) && (obj.wsClient != null)) { try { obj.wsClient.send(data); } catch (ex) { } } }; // Connect the SSH module to the serial tunnel - var connectionOptions = { sock: obj.ser } + const connectionOptions = { sock: obj.ser } if (typeof obj.username == 'string') { connectionOptions.username = obj.username; } if (typeof obj.password == 'string') { connectionOptions.password = obj.password; } if (typeof obj.privateKey == 'string') { connectionOptions.privateKey = obj.privateKey; } @@ -540,8 +537,15 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { // If the web socket is closed ws.on('close', function (req) { parent.parent.debug('relay', 'SSH: Browser websocket closed'); obj.close(); }); + parent.parent.debug('relay', 'SSH: Request for SSH relay (' + req.clientIp + ')'); + + // Decode the authentication cookie + obj.cookie = parent.parent.decodeCookie(req.query.auth, parent.parent.loginCookieEncryptionKey); + if (obj.cookie == null) { obj.ws.send(JSON.stringify({ action: 'sessionerror' })); obj.close(); return; } + // Get the meshid for this device parent.parent.db.Get(obj.cookie.nodeid, function (err, nodes) { + if (obj.cookie == null) return; // obj has been cleaned up, just exit. if ((err != null) || (nodes == null) || (nodes.length != 1)) { parent.parent.debug('relay', 'SSH: Invalid device'); obj.close(); } const node = nodes[0]; obj.nodeid = node._id; // Store the NodeID @@ -549,15 +553,20 @@ module.exports.CreateSshRelay = function (parent, db, ws, req, args, domain) { obj.mtype = node.mtype; // Store the device group type // Check if we need to relay thru a different agent - // TODO: Check if we have rights to the relayid device - var mesh = parent.meshes[obj.meshid]; + const mesh = parent.meshes[obj.meshid]; if (mesh && mesh.relayid) { obj.relaynodeid = mesh.relayid; obj.tcpaddr = node.host; - // Re-encode a cookie with a device relay - const cookieContent = { userid: obj.cookie.userid, domainid: obj.cookie.domainid, nodeid: mesh.relayid, tcpaddr: node.host, tcpport: obj.cookie.tcpport }; - obj.xcookie = parent.parent.encodeCookie(cookieContent, parent.parent.loginCookieEncryptionKey); + // Check if we have rights to the relayid device, does nothing if a relay is not used + checkRelayRights(parent, domain, obj.cookie.userid, obj.relaynodeid, function (allowed) { + if (obj.cookie == null) return; // obj has been cleaned up, just exit. + if (allowed !== true) { parent.parent.debug('relay', 'SSH: Attempt to use un-authorized relay'); obj.close(); return; } + + // Re-encode a cookie with a device relay + const cookieContent = { userid: obj.cookie.userid, domainid: obj.cookie.domainid, nodeid: mesh.relayid, tcpaddr: node.host, tcpport: obj.cookie.tcpport }; + obj.xcookie = parent.parent.encodeCookie(cookieContent, parent.parent.loginCookieEncryptionKey); + }); } else { obj.xcookie = req.query.auth; } @@ -574,7 +583,7 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u // SerialTunnel object is used to embed SSH within another connection. function SerialTunnel(options) { - var obj = new require('stream').Duplex(options); + const obj = new require('stream').Duplex(options); obj.forwardwrite = null; obj.updateBuffer = function (chunk) { this.push(chunk); }; obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } if (callback) callback(); }; // Pass data written to forward @@ -633,7 +642,6 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u obj.relayActive = false; delete obj.termSize; - delete obj.cookie; delete obj.nodeid; delete obj.meshid; delete obj.ws; @@ -661,7 +669,7 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u // Event node change if needed if (changed) { // Event the node change - var event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: user._id, username: user.name, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; + const event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: user._id, username: user.name, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; if (parent.parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. parent.parent.DispatchEvent(parent.CreateMeshDispatchTargets(node.meshid, [obj.nodeid]), obj, event); } @@ -672,13 +680,11 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u function startRelayConnection(authCookie) { try { // Setup the correct URL with domain and use TLS only if needed. - var options = { rejectUnauthorized: false }; - if (domain.dns != null) { options.servername = domain.dns; } - var protocol = 'wss'; - if (args.tlsoffload) { protocol = 'ws'; } + const options = { rejectUnauthorized: false }; + const protocol = (args.tlsoffload) ? 'ws' : 'wss'; var domainadd = ''; if ((domain.dns == null) && (domain.id != '')) { domainadd = domain.id + '/' } - var url = protocol + '://127.0.0.1:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=11&auth=' + authCookie // Protocol 11 is Web-SSH + const url = protocol + '://localhost:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=11&auth=' + authCookie // Protocol 11 is Web-SSH parent.parent.debug('relay', 'SSH: Connection websocket to ' + url); obj.wsClient = new WebSocket(url, options); obj.wsClient.on('open', function () { parent.parent.debug('relay', 'SSH: Relay websocket open'); }); @@ -725,7 +731,7 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u obj.ser.forwardwrite = function (data) { if ((data.length > 0) && (obj.wsClient != null)) { try { obj.wsClient.send(data); } catch (ex) { } } }; // Connect the SSH module to the serial tunnel - var connectionOptions = { sock: obj.ser } + const connectionOptions = { sock: obj.ser } if (typeof obj.username == 'string') { connectionOptions.username = obj.username; } if (typeof obj.password == 'string') { connectionOptions.password = obj.password; } if (typeof obj.privateKey == 'string') { connectionOptions.privateKey = obj.privateKey; } @@ -780,7 +786,7 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u obj.privateKeyPass = msg.keypass; // Create a mesh relay authentication cookie - var cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; + const cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; if (obj.relaynodeid) { cookieContent.nodeid = obj.relaynodeid; cookieContent.tcpaddr = obj.tcpaddr; @@ -798,7 +804,7 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u if ((obj.username == null) || ((obj.password == null) && (obj.privateKey == null))) return; // Create a mesh relay authentication cookie - var cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; + const cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; if (obj.relaynodeid) { cookieContent.nodeid = obj.relaynodeid; cookieContent.tcpaddr = obj.tcpaddr; @@ -833,6 +839,8 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u // Check that we have a user and nodeid if ((user == null) || (req.query.nodeid == null)) { obj.close(); return; } // Invalid nodeid parent.GetNodeWithRights(domain, user, req.query.nodeid, function (node, rights, visible) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. + // Check permissions if ((rights & 8) == 0) { obj.close(); return; } // No MESHRIGHT_REMOTECONTROL rights if ((rights != 0xFFFFFFFF) && (rights & 0x00000200)) { obj.close(); return; } // MESHRIGHT_NOTERMINAL is set @@ -845,18 +853,18 @@ module.exports.CreateSshTerminalRelay = function (parent, db, ws, req, domain, u if (typeof node.sshport == 'number') { obj.tcpport = node.sshport; } // Check if we need to relay thru a different agent - // TODO: Check if we have rights to the relayid device - var mesh = parent.meshes[obj.meshid]; + const mesh = parent.meshes[obj.meshid]; if (mesh && mesh.relayid) { obj.relaynodeid = mesh.relayid; obj.tcpaddr = node.host; } - // We are all set, start receiving data - ws._socket.resume(); + // Check if we have rights to the relayid device, does nothing if a relay is not used + checkRelayRights(parent, domain, user, obj.relaynodeid, function (allowed) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. + if (allowed !== true) { parent.parent.debug('relay', 'SSH: Attempt to use un-authorized relay'); obj.close(); return; } - // Check if we have SSH credentials for this device - parent.parent.db.Get(obj.nodeid, function (err, nodes) { - if ((err != null) || (nodes == null) || (nodes.length != 1)) return; - const node = nodes[0]; + // We are all set, start receiving data + ws._socket.resume(); + // Check if we have SSH credentials for this device if ((domain.allowsavingdevicecredentials === false) || (node.ssh == null) || (typeof node.ssh != 'object') || (typeof node.ssh.u != 'string') || ((typeof node.ssh.p != 'string') && (typeof node.ssh.k != 'string'))) { // Send a request for SSH authentication try { ws.send(JSON.stringify({ action: 'sshauth' })) } catch (ex) { } @@ -887,7 +895,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user // SerialTunnel object is used to embed SSH within another connection. function SerialTunnel(options) { - var obj = new require('stream').Duplex(options); + const obj = new require('stream').Duplex(options); obj.forwardwrite = null; obj.updateBuffer = function (chunk) { this.push(chunk); }; obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } if (callback) callback(); }; // Pass data written to forward @@ -940,7 +948,6 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user obj.ws.removeAllListeners(); obj.relayActive = false; - delete obj.cookie; delete obj.sftp; delete obj.nodeid; delete obj.meshid; @@ -969,7 +976,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user // Event node change if needed if (changed) { // Event the node change - var event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: user._id, username: user.name, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; + const event = { etype: 'node', action: 'changenode', nodeid: obj.nodeid, domain: domain.id, userid: user._id, username: user.name, node: parent.CloneSafeNode(node), msg: "Changed SSH credentials" }; if (parent.parent.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. parent.parent.DispatchEvent(parent.CreateMeshDispatchTargets(node.meshid, [obj.nodeid]), obj, event); } @@ -980,13 +987,11 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user function startRelayConnection(authCookie) { try { // Setup the correct URL with domain and use TLS only if needed. - var options = { rejectUnauthorized: false }; - if (domain.dns != null) { options.servername = domain.dns; } - var protocol = 'wss'; - if (args.tlsoffload) { protocol = 'ws'; } + const options = { rejectUnauthorized: false }; + const protocol = (args.tlsoffload) ? 'ws' : 'wss'; var domainadd = ''; if ((domain.dns == null) && (domain.id != '')) { domainadd = domain.id + '/' } - var url = protocol + '://127.0.0.1:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=13&auth=' + authCookie // Protocol 13 is Web-SSH-Files + const url = protocol + '://localhost:' + args.port + '/' + domainadd + (((obj.mtype == 3) && (obj.relaynodeid == null)) ? 'local' : 'mesh') + 'relay.ashx?noping=1&p=13&auth=' + authCookie // Protocol 13 is Web-SSH-Files parent.parent.debug('relay', 'SSH: Connection websocket to ' + url); obj.wsClient = new WebSocket(url, options); obj.wsClient.on('open', function () { parent.parent.debug('relay', 'SSH: Relay websocket open'); }); @@ -1027,7 +1032,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user obj.ser.forwardwrite = function (data) { if ((data.length > 0) && (obj.wsClient != null)) { try { obj.wsClient.send(data); } catch (ex) { } } }; // Connect the SSH module to the serial tunnel - var connectionOptions = { sock: obj.ser } + const connectionOptions = { sock: obj.ser } if (typeof obj.username == 'string') { connectionOptions.username = obj.username; } if (typeof obj.password == 'string') { connectionOptions.password = obj.password; } if (typeof obj.privateKey == 'string') { connectionOptions.privateKey = obj.privateKey; } @@ -1068,7 +1073,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user if (msg[0] == 123) { msg = msg.toString(); } else if ((obj.sftp != null) && (obj.uploadHandle != null)) { - var off = (msg[0] == 0) ? 1 : 0; + const off = (msg[0] == 0) ? 1 : 0; obj.sftp.write(obj.uploadHandle, msg, off, msg.length - off, obj.uploadPosition, function (err) { if (err != null) { obj.sftp.close(obj.uploadHandle, function () { }); @@ -1097,9 +1102,9 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user if (requestedPath.startsWith('/') == false) { requestedPath = '/' + requestedPath; } obj.sftp.readdir(requestedPath, function(err, list) { if (err) { console.log(err); obj.close(); } - var r = { path: requestedPath, reqid: msg.reqid, dir: [] }; + const r = { path: requestedPath, reqid: msg.reqid, dir: [] }; for (var i in list) { - var file = list[i]; + const file = list[i]; if (file.longname[0] == 'd') { r.dir.push({ t: 2, n: file.filename, d: new Date(file.attrs.mtime * 1000).toISOString() }); } else { r.dir.push({ t: 3, n: file.filename, d: new Date(file.attrs.mtime * 1000).toISOString(), s: file.attrs.size }); } } @@ -1114,7 +1119,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user obj.sftp.mkdir(requestedPath, function (err) { }); // Event the file delete - var targets = ['*', 'server-users']; + const targets = ['*', 'server-users']; if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } parent.parent.DispatchEvent(targets, obj, { etype: 'node', action: 'agentlog', nodeid: obj.nodeid, userid: user._id, username: user.name, msgid: 44, msgArgs: [requestedPath], msg: 'Create folder: \"' + requestedPath + '\"', domain: domain.id }); break; @@ -1129,7 +1134,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user if (msg.rec === true) { obj.sftp.rmdir(ul + '/', function (err) { }); } // Event the file delete - var targets = ['*', 'server-users']; + const targets = ['*', 'server-users']; if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } parent.parent.DispatchEvent(targets, obj, { etype: 'node', action: 'agentlog', nodeid: obj.nodeid, userid: user._id, username: user.name, msgid: 45, msgArgs: [ul], msg: 'Delete: \"' + ul + '\"', domain: domain.id }); } @@ -1145,7 +1150,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user obj.sftp.rename(oldpath, newpath, function (err) { }); // Event the file rename - var targets = ['*', 'server-users']; + const targets = ['*', 'server-users']; if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } parent.parent.DispatchEvent(targets, obj, { etype: 'node', action: 'agentlog', nodeid: obj.nodeid, userid: user._id, username: user.name, msgid: 48, msgArgs: [oldpath, msg.newname], msg: 'Rename: \"' + oldpath + '\" to \"' + msg.newname + '\"', domain: domain.id }); break; @@ -1166,7 +1171,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user try { obj.ws.send(Buffer.from(JSON.stringify({ action: 'uploadstart', reqid: obj.uploadReqid }))) } catch (ex) { } // Event the file upload - var targets = ['*', 'server-users']; + const targets = ['*', 'server-users']; if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } parent.parent.DispatchEvent(targets, obj, { etype: 'node', action: 'agentlog', nodeid: obj.nodeid, userid: user._id, username: user.name, msgid: 105, msgArgs: [obj.uploadFullpath, obj.uploadSize], msg: 'Upload: ' + obj.uploadFullpath + ', Size: ' + obj.uploadSize, domain: domain.id }); } @@ -1218,7 +1223,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user try { obj.ws.send(JSON.stringify({ action: 'download', sub: 'start', id: obj.downloadId })) } catch (ex) { } // Event the file download - var targets = ['*', 'server-users']; + const targets = ['*', 'server-users']; if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } parent.parent.DispatchEvent(targets, obj, { etype: 'node', action: 'agentlog', nodeid: obj.nodeid, userid: user._id, username: user.name, msgid: 49, msgArgs: [obj.downloadFullpath], msg: 'Download: ' + obj.downloadFullpath, domain: domain.id }); } @@ -1263,7 +1268,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user obj.privateKeyPass = msg.keypass; // Create a mesh relay authentication cookie - var cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; + const cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; if (obj.relaynodeid) { cookieContent.nodeid = obj.relaynodeid; cookieContent.tcpaddr = obj.tcpaddr; @@ -1316,6 +1321,8 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user // Check that we have a user and nodeid if ((user == null) || (req.query.nodeid == null)) { obj.close(); return; } // Invalid nodeid parent.GetNodeWithRights(domain, user, req.query.nodeid, function (node, rights, visible) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. + // Check permissions if ((rights & 8) == 0) { obj.close(); return; } // No MESHRIGHT_REMOTECONTROL rights if ((rights != 0xFFFFFFFF) && (rights & 0x00000200)) { obj.close(); return; } // MESHRIGHT_NOTERMINAL is set @@ -1328,18 +1335,18 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user if (typeof node.sshport == 'number') { obj.tcpport = node.sshport; } // Check if we need to relay thru a different agent - // TODO: Check if we have rights to the relayid device - var mesh = parent.meshes[obj.meshid]; + const mesh = parent.meshes[obj.meshid]; if (mesh && mesh.relayid) { obj.relaynodeid = mesh.relayid; obj.tcpaddr = node.host; } - // We are all set, start receiving data - ws._socket.resume(); + // Check if we have rights to the relayid device, does nothing if a relay is not used + checkRelayRights(parent, domain, user, obj.relaynodeid, function (allowed) { + if (obj.ws == null) return; // obj has been cleaned up, just exit. + if (allowed !== true) { parent.parent.debug('relay', 'SSH: Attempt to use un-authorized relay'); obj.close(); return; } - // Check if we have SSH credentials for this device - parent.parent.db.Get(obj.nodeid, function (err, nodes) { - if ((err != null) || (nodes == null) || (nodes.length != 1)) return; - const node = nodes[0]; + // We are all set, start receiving data + ws._socket.resume(); + // Check if we have SSH credentials for this device if ((domain.allowsavingdevicecredentials === false) || (node.ssh == null) || (typeof node.ssh != 'object') || (typeof node.ssh.u != 'string') || ((typeof node.ssh.p != 'string') && (typeof node.ssh.k != 'string'))) { // Send a request for SSH authentication try { ws.send(JSON.stringify({ action: 'sshauth' })) } catch (ex) { } @@ -1354,7 +1361,7 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user } // Create a mesh relay authentication cookie - var cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; + const cookieContent = { userid: user._id, domainid: user.domain, nodeid: obj.nodeid, tcpport: obj.tcpport }; if (obj.relaynodeid) { cookieContent.nodeid = obj.relaynodeid; cookieContent.tcpaddr = obj.tcpaddr; @@ -1364,8 +1371,16 @@ module.exports.CreateSshFilesRelay = function (parent, db, ws, req, domain, user startRelayConnection(parent.parent.encodeCookie(cookieContent, parent.parent.loginCookieEncryptionKey)); } }); - }); return obj; }; + + +// Check that the user has full rights on a relay device before allowing it. +function checkRelayRights(parent, domain, user, relayNodeId, func) { + if (relayNodeId == null) { func(true); return; } // No relay, do nothing. + parent.GetNodeWithRights(domain, user, relayNodeId, function (node, rights, visible) { + func((node != null) && (rights == 0xFFFFFFFF)); + }); +} \ No newline at end of file diff --git a/meshcentral.js b/meshcentral.js index 874130a5..937bc1ad 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -447,6 +447,7 @@ function CreateMeshCentralServer(config, args) { // Launch MeshCentral as a child server and monitor it. obj.launchChildServer = function (startArgs) { var child_process = require('child_process'); + try { if (process.traceDeprecation === true) { startArgs.unshift('--trace-deprecation'); } } catch (ex) { } childProcess = child_process.execFile(process.argv[0], startArgs, { maxBuffer: Infinity, cwd: obj.parentpath }, function (error, stdout, stderr) { if (childProcess.xrestart == 1) { setTimeout(function () { obj.launchChildServer(startArgs); }, 500); // This is an expected restart. diff --git a/meshuser.js b/meshuser.js index 5b7f61b2..0d942684 100644 --- a/meshuser.js +++ b/meshuser.js @@ -6677,6 +6677,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use try { info.memoryUsage = process.memoryUsage(); } catch (ex) { } try { info.warnings = parent.parent.getServerWarnings(); } catch (ex) { } try { info.allDevGroupManagers = parent.parent.config.settings.managealldevicegroups; } catch (ex) { } + try { if (process.traceDeprecation == true) { info.traceDeprecation = true; } } catch (ex) { } cmdData.result = JSON.stringify(info, null, 4); }