Updated packages, new agent rights enforcement

Ylian Saint-Hilaire 2018-11-27 17:13:01 -08:00
parent d636b76da6
commit d968fd8f0f
4 changed files with 1549 additions and 15 deletions


@ -21,6 +21,17 @@ process.on('uncaughtException', function (ex) {
//attachDebugger({ webport: 9999, wait: 1 }).then(function (prt) { console.log('Point Browser for Debug to port: ' + prt); }); //attachDebugger({ webport: 9999, wait: 1 }).then(function (prt) { console.log('Point Browser for Debug to port: ' + prt); });
// Mesh Rights
const MESHRIGHT_EDITMESH = 1;
const MESHRIGHT_MANAGEUSERS = 2;
const MESHRIGHT_MANAGECOMPUTERS = 4;
const MESHRIGHT_REMOTECONTROL = 8;
const MESHRIGHT_AGENTCONSOLE = 16;
const MESHRIGHT_SERVERFILES = 32;
const MESHRIGHT_WAKEDEVICE = 64;
const MESHRIGHT_SETNOTES = 128;
const MESHRIGHT_REMOTEVIEW = 256;
function createMeshCore(agent) { function createMeshCore(agent) {
var obj = {}; var obj = {};
@ -414,11 +425,11 @@ function createMeshCore(agent) {
tunnel.tcpport = data.tcpport; tunnel.tcpport = data.tcpport;
tunnel.end(); tunnel.end();
// Put the tunnel in the tunnels list // Put the tunnel in the tunnels list
var index = nextTunnelIndex++;; var index = nextTunnelIndex++;
tunnel.index = index; tunnel.index = index;
tunnels[index] = tunnel; tunnels[index] = tunnel;
sendConsoleText('New tunnel connection #' + index + ': ' + tunnel.url + ', rights: ' + tunnel.rights, data.sessionid); //sendConsoleText('New tunnel connection #' + index + ': ' + tunnel.url + ', rights: ' + tunnel.rights, data.sessionid);
} }
} }
break; break;
@ -554,7 +565,7 @@ function createMeshCore(agent) {
function onTunnelClosed() { function onTunnelClosed() {
if (tunnels[this.httprequest.index] == null) return; // Stop duplicate calls. if (tunnels[this.httprequest.index] == null) return; // Stop duplicate calls.
sendConsoleText("Tunnel #" + this.httprequest.index + " closed.", this.httprequest.sessionid); //sendConsoleText("Tunnel #" + this.httprequest.index + " closed.", this.httprequest.sessionid);
delete tunnels[this.httprequest.index]; delete tunnels[this.httprequest.index];
/* /*
@ -584,7 +595,7 @@ function createMeshCore(agent) {
// Clean up WebSocket // Clean up WebSocket
this.removeAllListeners('data'); this.removeAllListeners('data');
} }
function onTunnelSendOk() { sendConsoleText("Tunnel #" + this.index + " SendOK.", this.sessionid); } function onTunnelSendOk() { /*sendConsoleText("Tunnel #" + this.index + " SendOK.", this.sessionid);*/ }
function onTunnelData(data) { function onTunnelData(data) {
//console.log("OnTunnelData"); //console.log("OnTunnelData");
//sendConsoleText('OnTunnelData, ' + data.length + ', ' + typeof data + ', ' + data); //sendConsoleText('OnTunnelData, ' + data.length + ', ' + typeof data + ', ' + data);
@ -608,7 +619,7 @@ function createMeshCore(agent) {
if (this.httprequest.state == 0) { if (this.httprequest.state == 0) {
// Check if this is a relay connection // Check if this is a relay connection
if (data == 'c') { this.httprequest.state = 1; sendConsoleText("Tunnel #" + this.httprequest.index + " now active", this.httprequest.sessionid); } if (data == 'c') { this.httprequest.state = 1; /*sendConsoleText("Tunnel #" + this.httprequest.index + " now active", this.httprequest.sessionid);*/ }
} else { } else {
// Handle tunnel data // Handle tunnel data
if (this.httprequest.protocol == 0) { // 1 = SOL, 2 = KVM, 3 = IDER, 4 = Files, 5 = FileTransfer if (this.httprequest.protocol == 0) { // 1 = SOL, 2 = KVM, 3 = IDER, 4 = Files, 5 = FileTransfer
@ -616,12 +627,21 @@ function createMeshCore(agent) {
this.httprequest.protocol = parseInt(data); this.httprequest.protocol = parseInt(data);
if (typeof this.httprequest.protocol != 'number') { this.httprequest.protocol = 0; } if (typeof this.httprequest.protocol != 'number') { this.httprequest.protocol = 0; }
if (this.httprequest.protocol == 1) { if (this.httprequest.protocol == 1) {
// Check user access rights
if ((this.httprequest.rights & MESHRIGHT_REMOTECONTROL) == 0) {
// Disengage this tunnel, user does not have the rights to do this!!
this.httprequest.protocol = 999999;
sendConsoleText('Error: No Remote Control Rights.');
return;
}
// Remote terminal using native pipes // Remote terminal using native pipes
if (process.platform == "win32") { if (process.platform == "win32") {
this.httprequest.process = childProcess.execFile("%windir%\\system32\\cmd.exe"); this.httprequest.process = childProcess.execFile("%windir%\\system32\\cmd.exe");
} else { } else {
this.httprequest.process = childProcess.execFile("/bin/sh", ["sh"], { type: childProcess.SpawnTypes.TERM }); this.httprequest.process = childProcess.execFile("/bin/sh", ["sh"], { type: childProcess.SpawnTypes.TERM });
} }
this.httprequest.process.tunnel = this; this.httprequest.process.tunnel = this;
this.httprequest.process.on('exit', function (ecode, sig) { this.tunnel.end(); }); this.httprequest.process.on('exit', function (ecode, sig) { this.tunnel.end(); });
this.httprequest.process.stderr.on('data', function (chunk) { this.parent.tunnel.write(chunk); }); this.httprequest.process.stderr.on('data', function (chunk) { this.parent.tunnel.write(chunk); });
@ -634,6 +654,14 @@ function createMeshCore(agent) {
if (process.platform == 'linux') { this.httprequest.process.stdin.write("stty erase ^H\nalias ls='ls --color=auto'\nclear\n"); } if (process.platform == 'linux') { this.httprequest.process.stdin.write("stty erase ^H\nalias ls='ls --color=auto'\nclear\n"); }
} else if (this.httprequest.protocol == 2) } else if (this.httprequest.protocol == 2)
{ {
// Check user access rights
if (((this.httprequest.rights & MESHRIGHT_REMOTECONTROL) == 0) && ((this.httprequest.rights & MESHRIGHT_REMOTEVIEW) == 0)) {
// Disengage this tunnel, user does not have the rights to do this!!
this.httprequest.protocol = 999999;
sendConsoleText('Error: No Remote Control Rights.');
return;
}
// Remote desktop using native pipes // Remote desktop using native pipes
this.httprequest.desktop = { state: 0, kvm: mesh.getRemoteDesktopStream(), tunnel: this }; this.httprequest.desktop = { state: 0, kvm: mesh.getRemoteDesktopStream(), tunnel: this };
this.httprequest.desktop.kvm.parent = this.httprequest.desktop; this.httprequest.desktop.kvm.parent = this.httprequest.desktop;
@ -653,12 +681,29 @@ function createMeshCore(agent) {
} }
}; };
if (this.httprequest.desktop.kvm.hasOwnProperty("connectionCount")) { this.httprequest.desktop.kvm.connectionCount++; } else { this.httprequest.desktop.kvm.connectionCount = 1; } if (this.httprequest.desktop.kvm.hasOwnProperty("connectionCount")) { this.httprequest.desktop.kvm.connectionCount++; } else { this.httprequest.desktop.kvm.connectionCount = 1; }
this.pipe(this.httprequest.desktop.kvm, { dataTypeSkip: 1, end: false }); // 0 = Binary, 1 = Text.
this.httprequest.desktop.kvm.pipe(this, { dataTypeSkip: 1 }); // 0 = Binary, 1 = Text. //sendConsoleText('KVM Rights: ' + this.httprequest.rights);
if ((this.httprequest.rights & MESHRIGHT_REMOTECONTROL) != 0) {
// If we have remote control rights, pipe the KVM input
this.pipe(this.httprequest.desktop.kvm, { dataTypeSkip: 1, end: false }); // 0 = Binary, 1 = Text. Pipe the Browser --> KVM input.
} else {
// We need to only pipe non-mouse & non-keyboard inputs.
// TODO!!!
}
this.httprequest.desktop.kvm.pipe(this, { dataTypeSkip: 1 }); // 0 = Binary, 1 = Text. Pipe the KVM --> Browser images.
this.removeAllListeners('data'); this.removeAllListeners('data');
this.on('data', onTunnelControlData); this.on('data', onTunnelControlData);
//this.write('MeshCore KVM Hello!1'); //this.write('MeshCore KVM Hello!1');
} else if (this.httprequest.protocol == 5) { } else if (this.httprequest.protocol == 5) {
// Check user access rights
if ((this.httprequest.rights & MESHRIGHT_REMOTECONTROL) == 0) {
// Disengage this tunnel, user does not have the rights to do this!!
this.httprequest.protocol = 999999;
sendConsoleText('Error: No Remote Control Rights.');
return;
}
// Setup files // Setup files
// NOP // NOP
} }
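Review bot: The three new rights checks (protocols 1, 2 and 5) deny access by setting `this.httprequest.protocol = 999999` and returning, which leaves the tunnel open and depends on no later branch ever matching that sentinel; closing the tunnel explicitly with `this.end(); return;` would fail closed however the data handler changes later. The denial message is sent as `sendConsoleText('Error: No Remote Control Rights.')` without the `this.httprequest.sessionid` argument that the other calls in this file pass, so it is presumably not scoped to the requesting session; `sendConsoleText('Error: No Remote Control Rights.', this.httprequest.sessionid);` would match them. In the protocol 2 branch a view-only session skips the browser-to-KVM pipe but still gets `this.on('data', onTunnelControlData)`; that handler is outside the visible hunks, so it is worth confirming that it cannot deliver keyboard or mouse input to the KVM stream when `MESHRIGHT_REMOTECONTROL` is not set. The enclosing onTunnelData function starts and ends outside these hunks.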


@ -35,6 +35,7 @@ module.exports.CreateMeshRelay = function (parent, ws, req, domain, user, cookie
const MESHRIGHT_SERVERFILES = 32; const MESHRIGHT_SERVERFILES = 32;
const MESHRIGHT_WAKEDEVICE = 64; const MESHRIGHT_WAKEDEVICE = 64;
const MESHRIGHT_SETNOTES = 128; const MESHRIGHT_SETNOTES = 128;
const MESHRIGHT_REMOTEVIEW = 256;
// Site rights // Site rights
const SITERIGHT_SERVERBACKUP = 1; const SITERIGHT_SERVERBACKUP = 1;
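Review bot: `MESHRIGHT_REMOTEVIEW = 256` is now declared independently here and in the agent-side file changed by this commit, with nothing tying the two lists together. The agent enforces rights by masking these bits, so a value that drifts between the two copies would silently grant or deny access. A comment above the block such as `// Mesh rights bitmask - must stay identical to the MESHRIGHT_* values in the agent core` would make that dependency visible to the next editor. The enclosing CreateMeshRelay function continues outside the hunk.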

1487
package-lock.json generated Normal file

File diff suppressed because it is too large Load Diff


@ -1,6 +1,6 @@
{ {
"name": "meshcentral", "name": "meshcentral",
"version": "0.2.3-g", "version": "0.2.3-h",
"keywords": [ "keywords": [
"Remote Management", "Remote Management",
"Intel AMT", "Intel AMT",
@ -28,19 +28,20 @@
"dependencies": { "dependencies": {
"archiver": "^1.3.0", "archiver": "^1.3.0",
"body-parser": "^1.18.2", "body-parser": "^1.18.2",
"compression": "^1.7.1", "compression": "^1.7.3",
"connect-redis": "^3.3.3", "connect-redis": "^3.4.0",
"cookie-session": "^2.0.0-beta.3", "cookie-session": "^2.0.0-beta.3",
"express": "^4.16.2", "express": "^4.16.4",
"express-handlebars": "^3.0.0", "express-handlebars": "^3.0.0",
"express-session": "^1.15.6", "express-session": "^1.15.6",
"express-ws": "^2.0.0", "express-ws": "^3.0.0",
"meshcentral": "*", "meshcentral": "*",
"minimist": "^1.2.0", "minimist": "^1.2.0",
"multiparty": "^4.1.3", "multiparty": "^4.2.1",
"nedb": "^1.8.0", "nedb": "^1.8.0",
"node-forge": "^0.6.49", "node-forge": "^0.7.6",
"ws": "^3.3.3", "node-windows": "^0.1.14",
"ws": "^6.1.2",
"xmldom": "^0.1.27", "xmldom": "^0.1.27",
"yauzl": "^2.9.1" "yauzl": "^2.9.1"
}, },