Merge pull request #5281 from si458/fix-schema

fix meshcentral-config-schema.json
Ylian Saint-Hilaire 2023-08-14 19:59:23 -07:00 committed by GitHub
commit ecc6ce5617
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -3,7 +3,10 @@
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "MeshCentral configuration file schema",
"type": "object",
"required": [ "settings", "domains" ],
"required": [
"settings",
"domains"
],
"properties": {
"settings": {
"type": "object",
@ -220,7 +223,11 @@
"sessionSameSite": {
"type": "string",
"default": "lax",
"enum": [ "strict", "lax", "none" ]
"enum": [
"strict",
"lax",
"none"
]
},
"dbEncryptKey": {
"type": "string",
@ -357,16 +364,25 @@
"description": "When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future)."
},
"agentTimeStampServer": {
"type": [ "boolean", "string" ],
"type": [
"boolean",
"string"
],
"default": "http://timestamp.comodoca.com/authenticode",
"description": "The time stamping server to use when code signing Windows executables. When set to false, the executables are not time stamped."
},
"agentTimeStampProxy": {
"type": [ "boolean", "string" ],
"type": [
"boolean",
"string"
],
"description": "The HTTP proxy to use when contacting the time stamping server, if false, no proxy is used. By default, the npmproxy value is used."
},
"ignoreAgentHashCheck": {
"type": [ "boolean", "string" ],
"type": [
"boolean",
"string"
],
"default": false,
"description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma separated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"."
},
@ -380,7 +396,10 @@
"default": false
},
"StrictTransportSecurity": {
"type": [ "boolean", "string" ],
"type": [
"boolean",
"string"
],
"default": null,
"description": "Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, true to force enable, or string to set a custom value. If set to null, MeshCentral will enable if a trusted certificate is set."
},
@ -390,13 +409,23 @@
"description": "When enabled, the MeshCentral web site can be embedded within another website's iframe."
},
"cookieIpCheck": {
"type": [ "string", "boolean" ],
"type": [
"string",
"boolean"
],
"default": "lax",
"enum": [ "strict", "lax", "none" ]
"enum": [
"strict",
"lax",
"none"
]
},
"cookieEncoding": {
"type": "string",
"enum": [ "hex", "base64" ],
"enum": [
"hex",
"base64"
],
"default": "base64",
"description": "Encoding format of cookies in the HTTP headers, this is typically Base64 but some reverse proxies will require HEX."
},
@ -531,7 +560,9 @@
"description": "Server administrator email given to the FireFox and Chrome push notification services."
}
},
"required": [ "email" ]
"required": [
"email"
]
},
"RunOnServerStarted": {
"type": "boolean",
@ -564,22 +595,34 @@
"description": "If set, a user from a banned IP address will be redirected to this URL."
},
"userAllowedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, only users from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"userBlockedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, users from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"agentAllowedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, only agents from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"agentBlockedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, agents from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
@ -628,10 +671,16 @@
"description": "When set, encrypts all LAN discovery traffic to agents and tools using this key. This is only useful in LAN/Hybrid mode when agents and tools user multicast to find the server."
}
},
"required": [ "name", "info" ]
"required": [
"name",
"info"
]
},
"tlsOffload": {
"type": [ "boolean", "string" ],
"type": [
"boolean",
"string"
],
"default": false,
"description": "When true, indicates that a TLS offloader is in front of the MeshCentral server. More typically, set this to the IP address of the reverse proxy or TLS offloader so that IP forwarding headers will be trusted. For example: \"127.0.0.1,192.168.1.100\"."
},
@ -712,11 +761,15 @@
"type": "string"
}
},
"required": [ "urls" ]
"required": [
"urls"
]
}
}
},
"required": [ "iceServers" ]
"required": [
"iceServers"
]
},
"crowdsec": {
"type": "object",
@ -734,11 +787,18 @@
"fallbackRemediation": {
"type": "string",
"default": "ban",
"enum": [ "bypass", "captcha", "ban" ],
"enum": [
"bypass",
"captcha",
"ban"
],
"description": "Action to perform if the CrowdSec agent can't be contacted."
}
},
"required": [ "url", "apiKey" ]
"required": [
"url",
"apiKey"
]
},
"autoBackup": {
"type": "object",
@ -872,7 +932,12 @@
"amtProvisioningServer": {
"type": "object",
"additionalProperties": false,
"required": [ "deviceGroup", "newMebxPassword", "trustedFqdn", "ip" ],
"required": [
"deviceGroup",
"newMebxPassword",
"trustedFqdn",
"ip"
],
"description": "When present, this section will enable the Intel AMT provisioning server on the local network. This is used for Intel AMT bare-metal ACM activation.",
"properties": {
"port": {
@ -905,7 +970,9 @@
"type": "boolean"
}
},
"required": [ "enabled" ]
"required": [
"enabled"
]
}
}
},
@ -974,7 +1041,10 @@
"type": "integer"
},
"loginKey": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"items": {
"type": "string"
},
@ -982,7 +1052,10 @@
"description": "Requires that users add the value ?key=xxx in the URL in order to see the web site."
},
"agentKey": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"items": {
"type": "string"
},
@ -1088,7 +1161,10 @@
"default": "This value is normally auto-detected, when set to true, MeshCentral assumes that the TLS certificate comes from a trusted CA and will insure download tools perform certificate checking."
},
"guestDeviceSharing": {
"type": [ "boolean", "object" ],
"type": [
"boolean",
"object"
],
"default": true,
"description": "When set to false, the desktop/terminal sharing link feature is not available.",
"properties": {
@ -1111,7 +1187,10 @@
"description": "When set to true, the devices search box will match on both the server name and client name of a device."
},
"agentSelfGuestSharing": {
"type": [ "boolean", "object" ],
"type": [
"boolean",
"object"
],
"default": false,
"description": "When set to true, MeshCentral Assistant can create it's own guest sharing links.",
"properties": {
@ -1127,7 +1206,10 @@
"description": "When set, your can try click the run button to run on of these scripts on the remote device.",
"items": {
"type": "object",
"required": [ "name", "type" ],
"required": [
"name",
"type"
],
"properties": {
"name": {
"description": "Name of the script.",
@ -1136,12 +1218,21 @@
"type": {
"description": "The type of script.",
"type": "string",
"enum": [ "bat", "ps1", "sh", "agent" ]
"enum": [
"bat",
"ps1",
"sh",
"agent"
]
},
"runas": {
"description": "How to run this script, does not apply to agent scripts.",
"type": "string",
"enum": [ "agent", "userfirst", "user" ]
"enum": [
"agent",
"userfirst",
"user"
]
},
"cmd": {
"description": "The command or \\r\\n separated commands to run, if set do not use the file key.",
@ -1160,7 +1251,10 @@
"description": "When set, you can right click on the input button in the desktop tab and instantly remotely type one of these pre-configured strings.",
"items": {
"type": "object",
"required": [ "name", "value" ],
"required": [
"name",
"value"
],
"properties": {
"name": {
"description": "Name of the text string.",
@ -1192,12 +1286,19 @@
},
"type": {
"type": "string",
"enum": [ null, "user", "device" ],
"enum": [
null,
"user",
"device"
],
"default": null,
"description": "Indicate if this button should be shown in the user or device type. If omitted, it will be displayed in both."
}
},
"required": [ "name", "url" ]
"required": [
"name",
"url"
]
}
},
"deviceMeshRouterLinks": {
@ -1223,7 +1324,11 @@
"items": {
"type": "object",
"additionalProperties": false,
"required": [ "name", "protocol", "port" ],
"required": [
"name",
"protocol",
"port"
],
"properties": {
"name": {
"description": "Name of the link to be displayed on the web site.",
@ -1261,6 +1366,7 @@
}
}
}
}
},
"certUrl": {
"type": "string",
@ -1268,7 +1374,10 @@
"description": "https url when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like NGINX is used in front of MeshCentral."
},
"myServer": {
"type": [ "object", "boolean" ],
"type": [
"object",
"boolean"
],
"additionalProperties": false,
"properties": {
"Backup": {
@ -1393,7 +1502,10 @@
"description": "Uses WildLeek to block use of the 10000 most commonly used passwords."
},
"loginTokens": {
"type": [ "boolean", "array" ],
"type": [
"boolean",
"array"
],
"default": true,
"description": "Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array to only allow some users."
},
@ -1427,7 +1539,11 @@
"auth": {
"type": "string",
"default": null,
"enum": [ null, "sspi", "ldap" ],
"enum": [
null,
"sspi",
"ldap"
],
"description": "Type of user authentication to use, this can be SSPI on Windows or LDAP. If not set, username/password is used."
},
"ldapUserKey": {
@ -1476,25 +1592,37 @@
"description": "The LDAP value to use for the user's group memberships."
},
"ldapSyncWithUserGroups": {
"type": [ "boolean", "object" ],
"type": [
"boolean",
"object"
],
"default": false,
"description": "When set to true or set to an object, MeshCentral will synchronize LDAP user memberships to MeshCentral user groups.",
"additionalProperties": false,
"properties": {
"filter": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set to a string or array of strings, only LDAP membership groups that includes one of the strings will be synchronized with MeshCentral user groups."
}
}
},
"ldapSiteAdminGroups": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set to a list of LDAP groups, users that are part of one of these groups will be set a site administrator, otherwise site administrator rights will be removed."
},
"ldapUserRequiredGroupMembership": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "A list of LDAP groups. Users must be part of at least one of these groups to allow login. If null, all users are allowed to login."
},
@ -1755,22 +1883,34 @@
"description": "When set, requires that a browser request have set HTTP header to allow user login. Example: \"{ \"Sec-Fetch-Dest\": \"iframe\" }\""
},
"userAllowedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, only users from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"userBlockedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, users from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"agentAllowedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, only agents from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
"agentBlockedIP": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"default": null,
"description": "When set, agents from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""
},
@ -1883,7 +2023,12 @@
},
"linuxShell": {
"type": "string",
"enum": [ "any", "root", "user", "login" ],
"enum": [
"any",
"root",
"user",
"login"
],
"default": "any",
"description": "Indicate what terminal options are available when the user clicks the right mouse button on the terminal connect button."
},
@ -1948,7 +2093,9 @@
"items": {
"type": "object",
"additionalProperties": false,
"required": [ "pass" ],
"required": [
"pass"
],
"properties": {
"user": {
"description": "Intel AMT administrator username.",
@ -2000,7 +2147,9 @@
"items": {
"type": "object",
"additionalProperties": false,
"required": [ "ssid" ],
"required": [
"ssid"
],
"properties": {
"name": {
"description": "WIFI profile name, if not specified the SSID is used.",
@ -2026,7 +2175,10 @@
"encryption": {
"description": "WIFI encryption.",
"type": "string",
"enum": [ "ccmp-aes", "tkip-rc4" ],
"enum": [
"ccmp-aes",
"tkip-rc4"
],
"default": "ccmp-aes"
},
"password": {
@ -2040,11 +2192,16 @@
"default": null,
"type": "object",
"additionalProperties": false,
"required": [ "authenticationProtocol" ],
"required": [
"authenticationProtocol"
],
"properties": {
"authenticationProtocol": {
"description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.",
"type": [ "integer", "string" ],
"type": [
"integer",
"string"
],
"enum": [
"EAP-TLS",
"EAP-TTLS/MSCHAPv2",
@ -2071,10 +2228,18 @@
]
},
"serverCertificateNameComparison": {
"type": [ "integer", "string" ],
"type": [
"integer",
"string"
],
"default": "FullName",
"description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.",
"enum": [ "FullName", "DomainSuffix", 2, 3 ]
"enum": [
"FullName",
"DomainSuffix",
2,
3
]
},
"serverCertificateName": {
"type": "string",
@ -2136,13 +2301,21 @@
"802.1x": {
"description": "802.1x settings for the Intel AMT Wired interface. If set to false, any existing 802.1x wired profile will be removed from Intel AMT.",
"default": null,
"type": [ "object", "boolean" ],
"type": [
"object",
"boolean"
],
"additionalProperties": false,
"required": [ "authenticationProtocol" ],
"required": [
"authenticationProtocol"
],
"properties": {
"authenticationProtocol": {
"description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.",
"type": [ "integer", "string" ],
"type": [
"integer",
"string"
],
"enum": [
"EAP-TLS",
"EAP-TTLS/MSCHAPv2",
@ -2169,9 +2342,17 @@
]
},
"serverCertificateNameComparison": {
"type": [ "integer", "string" ],
"type": [
"integer",
"string"
],
"description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.",
"enum": [ "FullName", "DomainSuffix", 2, 3 ]
"enum": [
"FullName",
"DomainSuffix",
2,
3
]
},
"serverCertificateName": {
"type": "string",
@ -2258,11 +2439,16 @@
"type": "string"
}
},
"required": [ "certfiles", "keyfile" ]
"required": [
"certfiles",
"keyfile"
]
}
}
},
"required": [ "certs" ]
"required": [
"certs"
]
},
"redirects": {
"type": "object",
@ -2286,7 +2472,10 @@
"format": "uri"
}
},
"required": [ "id", "secret" ]
"required": [
"id",
"secret"
]
},
"httpHeaders": {
"type": "object",
@ -2379,7 +2568,9 @@
"description": "This is an array: 1 = Terminal, 2 = Desktop, 5 = Files, 100 = Intel AMT WSMAN, 101 = Intel AMT Redirection, 200 = Messenger"
}
},
"required": [ "protocols" ]
"required": [
"protocols"
]
},
"showPasswordLogin": {
"type": "boolean",
@ -2411,7 +2602,10 @@
"description": "Time to wait before sending a device connection/disconnection notification email. If many events occur, they will be merged into a single email."
}
},
"required": [ "from", "apikey" ]
"required": [
"from",
"apikey"
]
},
"smtp": {
"title": "SMTP email server",
@ -2455,7 +2649,11 @@
"type": "string"
}
},
"required": [ "clientId", "clientSecret", "refreshToken" ]
"required": [
"clientId",
"clientSecret",
"refreshToken"
]
},
"tlscertcheck": {
"type": "boolean"
@ -2474,7 +2672,9 @@
"description": "Time to wait before sending a device connection/disconnection notification email. If many events occur, they will be merged into a single email."
}
},
"required": [ "from" ]
"required": [
"from"
]
},
"sendmail": {
"title": "Send email using the sendmail command",
@ -2541,7 +2741,10 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "clientid", "clientsecret" ]
"required": [
"clientid",
"clientsecret"
]
},
"google": {
"type": "object",
@ -2573,7 +2776,10 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "clientid", "clientsecret" ]
"required": [
"clientid",
"clientsecret"
]
},
"github": {
"type": "object",
@ -2605,7 +2811,10 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "clientid", "clientsecret" ]
"required": [
"clientid",
"clientsecret"
]
},
"reddit": {
"type": "object",
@ -2637,7 +2846,10 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "clientid", "clientsecret" ]
"required": [
"clientid",
"clientsecret"
]
},
"azure": {
"type": "object",
@ -2672,7 +2884,11 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "clientid", "clientsecret", "tenantid" ]
"required": [
"clientid",
"clientsecret",
"tenantid"
]
},
"jumpcloud": {
"type": "object",
@ -2708,7 +2924,11 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "entityid", "idpurl", "cert" ]
"required": [
"entityid",
"idpurl",
"cert"
]
},
"saml": {
"type": "object",
@ -2754,7 +2974,11 @@
"description": "Then set, the user will be redirected to this URL when hitting the logout link."
}
},
"required": [ "entityid", "idpurl", "cert" ]
"required": [
"entityid",
"idpurl",
"cert"
]
},
"oidc": {
"type": "object",
@ -2803,15 +3027,24 @@
"type": "object",
"properties": {
"required": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"description": "When set, the user must be part of one of the OIDC user groups to login to MeshCentral."
},
"siteadmin": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"description": "When set, users part of these groups will be promoted with site administrator in MeshCentral, users that are not part of these groups will be demoted."
},
"sync": {
"type": [ "boolean", "object" ],
"type": [
"boolean",
"object"
],
"description": "Allows some or all ODIC user groups to be mirrored within MeshCentral as user groups.",
"properties": {
"enabled": {
@ -2819,7 +3052,10 @@
"default": false
},
"filter": {
"type": [ "string", "array" ],
"type": [
"string",
"array"
],
"description": "When set, limits what OIDC groups are mirrored into MeshCentral user groups."
}
}
@ -2864,7 +3100,10 @@
"description": "By default a test certificate will be obtained from Let's Encrypt. Always start by getting a test certificate and make sure that works before setting this to true and obtaining a production certificate. Making too many bad requests for a production certificate will get you banned for a long period of time."
}
},
"required": [ "email", "names" ]
"required": [
"email",
"names"
]
},
"peers": {
"title": "Server peering",
@ -2889,11 +3128,16 @@
"format": "uri"
}
},
"required": [ "url" ]
"required": [
"url"
]
}
}
},
"required": [ "serverId", "servers" ]
"required": [
"serverId",
"servers"
]
},
"sendgrid": {
"title": "SendGrid.com Email server",
@ -2915,7 +3159,10 @@
"description": "When set to false, the email format and DNS MX record are not checked."
}
},
"required": [ "from", "apikey" ]
"required": [
"from",
"apikey"
]
},
"smtp": {
"title": "SMTP email server",
@ -2951,7 +3198,12 @@
"description": "When set to false, the email format and DNS MX record are not checked."
}
},
"required": [ "host", "port", "from", "tls" ]
"required": [
"host",
"port",
"from",
"tls"
]
},
"sms": {
"title": "SMS provider",
@ -2962,7 +3214,9 @@
"properties": {
"provider": {
"type": "string",
"enum": [ "twilio" ]
"enum": [
"twilio"
]
},
"sid": {
"type": "string"
@ -2974,14 +3228,21 @@
"type": "string"
}
},
"required": [ "provider", "sid", "auth", "from" ]
"required": [
"provider",
"sid",
"auth",
"from"
]
},
{
"type": "object",
"properties": {
"provider": {
"type": "string",
"enum": [ "plivo" ]
"enum": [
"plivo"
]
},
"id": {
"type": "string"
@ -2993,14 +3254,21 @@
"type": "string"
}
},
"required": [ "provider", "id", "token", "from" ]
"required": [
"provider",
"id",
"token",
"from"
]
},
{
"type": "object",
"properties": {
"provider": {
"type": "string",
"enum": [ "telnyx" ]
"enum": [
"telnyx"
]
},
"apikey": {
"type": "string"
@ -3009,21 +3277,29 @@
"type": "string"
}
},
"required": [ "provider", "apikey", "from" ]
"required": [
"provider",
"apikey",
"from"
]
},
{
"type": "object",
"properties": {
"provider": {
"type": "string",
"enum": [ "url" ]
"enum": [
"url"
]
},
"url": {
"type": "string",
"description": "A http or https URL with {{phone}} and {{message}} in the string. These will be replaced with the URL encoded target phone number and message."
}
},
"required": [ "url" ]
"required": [
"url"
]
}
]
},
@ -3061,7 +3337,9 @@
"description": "A Discord bot token that MeshCentral will use to login to Discord."
}
},
"required": [ "token" ]
"required": [
"token"
]
},
"xmpp": {
"type": "object",
@ -3084,7 +3362,9 @@
}
}
},
"required": [ "credentials" ]
"required": [
"credentials"
]
},
"callmebot": {
"type": "boolean",
@ -3100,10 +3380,15 @@
"description": "A Pushover application token that MeshCentral will use to login."
}
},
"required": [ "token" ]
"required": [
"token"
]
},
"ntfy": {
"type": [ "boolean", "object" ],
"type": [
"boolean",
"object"
],
"default": false,
"properties": {
"host": {
@ -3140,5 +3425,4 @@
}
}
}
}
}
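Review bot: Three properties on the new side declare a `type` that their own `enum` contradicts, so part of what each one declares can never validate: `cookieIpCheck` (hunk -390,13) allows `boolean` but its enum lists only `"strict"`, `"lax"`, `"none"`, while the button `type` (hunk -1192,12) and `auth` (hunk -1427,7) are `"type": "string"` with `null` in the enum and as the default. For the two nullable ones I would use `"type": [ "string", "null" ]`; for `cookieIpCheck`, either drop `"boolean"` from the type or add the boolean values the server actually accepts to the enum. `auth` and `cookieIpCheck` are security settings, and a schema that flags a legitimate value there can teach administrators to ignore validation warnings. Separately, the only structural change, the `}` added before `certUrl` (hunk -1261,6) and removed at the end of the file, is hard to spot among the reformatting and appears to move every property from `certUrl` onward to a different nesting level, so it is worth checking a sample config against the schema before and after.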