Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-10-26 09:59:51 +03:00
Code Issues Packages Projects Releases Wiki Activity

Improved user authentication log and added 'authlog' tracing.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2022-09-01 22:06:08 -07:00
parent 2689f4e22a
commit 49e04bd454
3 changed files with 38 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
meshcentral.js
View File

@ -739,7 +739,6 @@ function CreateMeshCentralServer(config, args) {
obj.syslogjson.log(obj.syslogjson.LOG_INFO, "MeshCentral v" + getCurrentVersion() + " Server Start"); obj.syslogjson.log(obj.syslogjson.LOG_INFO, "MeshCentral v" + getCurrentVersion() + " Server Start");
} }
if (typeof config.settings.syslogauth == 'string') { if (typeof config.settings.syslogauth == 'string') {
obj.authlog = true;
obj.syslogauth = require('modern-syslog'); obj.syslogauth = require('modern-syslog');
console.log('Starting ' + config.settings.syslogauth + ' auth syslog.'); console.log('Starting ' + config.settings.syslogauth + ' auth syslog.');
obj.syslogauth.init(config.settings.syslogauth, obj.syslogauth.LOG_PID | obj.syslogauth.LOG_ODELAY, obj.syslogauth.LOG_LOCAL0); obj.syslogauth.init(config.settings.syslogauth, obj.syslogauth.LOG_PID | obj.syslogauth.LOG_ODELAY, obj.syslogauth.LOG_LOCAL0);
@ -1231,7 +1230,7 @@ function CreateMeshCentralServer(config, args) {
// Linux format /var/log/auth.log // Linux format /var/log/auth.log
if (obj.config.settings.authlog != null) { if (obj.config.settings.authlog != null) {
obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) { obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) {
if (err == null) { obj.authlogfile = fd; obj.authlog = true; } else { console.log('ERROR: Unable to open: ' + obj.config.settings.authlog); } if (err == null) { obj.authlogfile = fd; } else { console.log('ERROR: Unable to open: ' + obj.config.settings.authlog); }
}) })
} }
@ -3642,14 +3641,20 @@ function CreateMeshCentralServer(config, args) {
obj.addServerWarning = function (msg, id, args, print) { serverWarnings.push({ msg: msg, id: id, args: args }); if (print !== false) { console.log("WARNING: " + msg); } } obj.addServerWarning = function (msg, id, args, print) { serverWarnings.push({ msg: msg, id: id, args: args }); if (print !== false) { console.log("WARNING: " + msg); } }
// auth.log functions // auth.log functions
obj.authLog = function (server, msg) { obj.authLog = function (server, msg, args) {
if (typeof msg != 'string') return; if (typeof msg != 'string') return;
if (obj.syslogauth != null) { try { obj.syslogauth.log(obj.syslogauth.LOG_INFO, msg); } catch (ex) { } } var str = msg;
if (args != null) {
if (typeof args.sessionid == 'string') { str += ', SessionID: ' + args.sessionid; }
if (typeof args.useragent == 'string') { const userAgentInfo = obj.webserver.getUserAgentInfo(args.useragent); str += ', Browser: ' + userAgentInfo.browserStr + ', OS: ' + userAgentInfo.osStr; }
}
obj.debug('authlog', str);
if (obj.syslogauth != null) { try { obj.syslogauth.log(obj.syslogauth.LOG_INFO, str); } catch (ex) { } }
if (obj.authlogfile != null) { // Write authlog to file if (obj.authlogfile != null) { // Write authlog to file
try { try {
const d = new Date(), month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()]; const d = new Date(), month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()];
msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(), 2) + ':' + obj.common.zeroPad(d.getMinutes(), 2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32') ? '\r\n' : '\n'); msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(), 2) + ':' + obj.common.zeroPad(d.getMinutes(), 2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32') ? '\r\n' : '\n');
obj.fs.write(obj.authlogfile, msg, function (err, written, string) { }); obj.fs.write(obj.authlogfile, str, function (err, written, string) { });
} catch (ex) { console.log(ex); } } catch (ex) { console.log(ex); }
} }
} }

5
views/default.handlebars
View File

@ -17325,6 +17325,7 @@
x += '<div><label><input type=checkbox id=p41c6 ' + ((serverTraceSources.indexOf('webrequest') >= 0) ? 'checked' : '') + '>' + "Web Server Requests" + '</label></div>'; x += '<div><label><input type=checkbox id=p41c6 ' + ((serverTraceSources.indexOf('webrequest') >= 0) ? 'checked' : '') + '>' + "Web Server Requests" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c7 ' + ((serverTraceSources.indexOf('relay') >= 0) ? 'checked' : '') + '>' + "Web Socket Relay" + '</label></div>'; x += '<div><label><input type=checkbox id=p41c7 ' + ((serverTraceSources.indexOf('relay') >= 0) ? 'checked' : '') + '>' + "Web Socket Relay" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c20 ' + ((serverTraceSources.indexOf('httpheaders') >= 0) ? 'checked' : '') + '>' + "Web Server HTTP Headers" + '</label></div>'; x += '<div><label><input type=checkbox id=p41c20 ' + ((serverTraceSources.indexOf('httpheaders') >= 0) ? 'checked' : '') + '>' + "Web Server HTTP Headers" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c21 ' + ((serverTraceSources.indexOf('authlog') >= 0) ? 'checked' : '') + '>' + "User Authentication Log" + '</label></div>';
//x += '<div><label><input type=checkbox id=p41c8 ' + ((serverTraceSources.indexOf('webrelaydata') >= 0) ? 'checked' : '') + '>' + "Traffic Relay 2 Data" + '</label></div>'; //x += '<div><label><input type=checkbox id=p41c8 ' + ((serverTraceSources.indexOf('webrelaydata') >= 0) ? 'checked' : '') + '>' + "Traffic Relay 2 Data" + '</label></div>';
x += '<div style="width:100%;border-bottom:1px solid gray;margin-bottom:5px;margin-top:5px"><b>' + "Intel&reg; AMT" + '</b></div>'; x += '<div style="width:100%;border-bottom:1px solid gray;margin-bottom:5px;margin-top:5px"><b>' + "Intel&reg; AMT" + '</b></div>';
x += '<div><label><input type=checkbox id=p41c19 ' + ((serverTraceSources.indexOf('amt') >= 0) ? 'checked' : '') + '>' + "Intel AMT manager" + '</label></div>'; x += '<div><label><input type=checkbox id=p41c19 ' + ((serverTraceSources.indexOf('amt') >= 0) ? 'checked' : '') + '>' + "Intel AMT manager" + '</label></div>';
@ -17339,8 +17340,8 @@
} }
function setServerTracingEx(b) { function setServerTracingEx(b) {
var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert', 'db', 'email', 'amt', 'httpheaders']; var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert', 'db', 'email', 'amt', 'httpheaders', 'authlog'];
if (b == 1) { for (var i = 1; i < 21; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } } if (b == 1) { for (var i = 1; i < 22; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } }
meshserver.send({ action: 'traceinfo', traceSources: sources }); meshserver.send({ action: 'traceinfo', traceSources: sources });
} }

48
webserver.js
View File

@ -788,7 +788,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
var userid = req.session.userid; var userid = req.session.userid;
if (req.session.userid) { if (req.session.userid) {
var user = obj.users[req.session.userid]; var user = obj.users[req.session.userid];
if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msgid: 2, msg: 'Account logout', domain: domain.id }); } if (user != null) {
obj.parent.authLog('https', 'User ' + user.name + ' logout from ' + req.clientIp + ' port ' + req.connection.remotePort, { sessionid: req.session.x, useragent: req.headers['user-agent'] });
obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msgid: 2, msg: 'Account logout', domain: domain.id });
}
if (req.session.x) { clearDestroyedSessions(); obj.destroyedSessions[req.session.userid + '/' + req.session.x] = Date.now(); } // Destroy this session if (req.session.x) { clearDestroyedSessions(); obj.destroyedSessions[req.session.userid + '/' + req.session.x] = Date.now(); } // Destroy this session
} }
req.session = null; req.session = null;
@ -1175,9 +1178,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((req.body.token != null) || (req.body.hwtoken != null)) { if ((req.body.token != null) || (req.body.hwtoken != null)) {
randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds. randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds.
req.session.messageid = 108; // Invalid token, try again. req.session.messageid = 108; // Invalid token, try again.
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.clientIp) + ' port ' + req.port); } obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.clientIp) + ' port ' + req.port, { useragent: req.headers['user-agent'] });
parent.debug('web', 'handleLoginRequest: invalid 2FA token'); parent.debug('web', 'handleLoginRequest: invalid 2FA token');
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] }); obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
obj.setbad2Fa(req); obj.setbad2Fa(req);
} else { } else {
@ -1215,7 +1218,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} }
// Login successful // Login successful
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleLoginRequest: successful 2FA login'); parent.debug('web', 'handleLoginRequest: successful 2FA login');
if (authData != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = authData.twoFactorType; } if (authData != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = authData.twoFactorType; }
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions);
@ -1237,13 +1239,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} }
// Login successful // Login successful
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleLoginRequest: successful login'); parent.debug('web', 'handleLoginRequest: successful login');
if (twoFactorSkip != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = twoFactorSkip.twoFactorType; } if (twoFactorSkip != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = twoFactorSkip.twoFactorType; }
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions);
} else { } else {
// Login failed, log the error // Login failed, log the error
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); } obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort, { useragent: req.headers['user-agent'] });
// Wait a random delay // Wait a random delay
setTimeout(function () { setTimeout(function () {
@ -1253,19 +1254,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (err == 'locked') { if (err == 'locked') {
parent.debug('web', 'handleLoginRequest: login failed, locked account'); parent.debug('web', 'handleLoginRequest: login failed, locked account');
req.session.messageid = 110; // Account locked. req.session.messageid = 110; // Account locked.
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'User login attempt on locked account from ' + req.clientIp, msgid: 109, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] }); obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'User login attempt on locked account from ' + req.clientIp, msgid: 109, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
obj.setbadLogin(req); obj.setbadLogin(req);
} else if (err == 'denied') { } else if (err == 'denied') {
parent.debug('web', 'handleLoginRequest: login failed, access denied'); parent.debug('web', 'handleLoginRequest: login failed, access denied');
req.session.messageid = 111; // Access denied. req.session.messageid = 111; // Access denied.
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'Denied user login from ' + req.clientIp, msgid: 155, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] }); obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'Denied user login from ' + req.clientIp, msgid: 155, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
obj.setbadLogin(req); obj.setbadLogin(req);
} else { } else {
parent.debug('web', 'handleLoginRequest: login failed, bad username and password'); parent.debug('web', 'handleLoginRequest: login failed, bad username and password');
req.session.messageid = 112; // Login failed, check username and password. req.session.messageid = 112; // Login failed, check username and password.
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'Invalid user login attempt from ' + req.clientIp, msgid: 110, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] }); obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'Invalid user login attempt from ' + req.clientIp, msgid: 110, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
obj.setbadLogin(req); obj.setbadLogin(req);
} }
@ -1311,7 +1312,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Notify account login // Notify account login
const targets = ['*', 'server-users', user._id]; const targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login from ' + req.clientIp + ', ' + ua.browserStr + ', ' + ua.osStr, domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], rport: req.connection.remotePort }; const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login from ' + req.clientIp + ', ' + ua.browserStr + ', ' + ua.osStr, domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], rport: req.connection.remotePort };
if (loginOptions != null) { if (loginOptions != null) {
if ((loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) { loginEvent.tokenName = loginOptions.tokenName; loginEvent.tokenUser = loginOptions.tokenUser; } // If a login token was used, add it to the event. if ((loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) { loginEvent.tokenName = loginOptions.tokenName; loginEvent.tokenUser = loginOptions.tokenUser; } // If a login token was used, add it to the event.
@ -1339,6 +1340,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
req.session.userid = userid; req.session.userid = userid;
req.session.ip = req.clientIp; req.session.ip = req.clientIp;
setSessionRandom(req); setSessionRandom(req);
obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort, { useragent: req.headers['user-agent'], sessionid: req.session.x });
// If a login token was used, add this information and expire time to the session. // If a login token was used, add this information and expire time to the session.
if ((loginOptions != null) && (loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) { if ((loginOptions != null) && (loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) {
@ -1731,7 +1733,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
req.session.messageid = 4; // SMS sent. req.session.messageid = 4; // SMS sent.
} else { } else {
req.session.messageid = 108; // Invalid token, try again. req.session.messageid = 108; // Invalid token, try again.
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] }); obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
obj.setbad2Fa(req); obj.setbad2Fa(req);
} }
@ -1917,7 +1919,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: 'Email verified', value: user.email, nolog: 1, id: Math.random() }); obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: 'Email verified', value: user.email, nolog: 1, id: Math.random() });
// Send to authlog // Send to authlog
if (obj.parent.authlog) { obj.parent.authLog('https', 'Verified email address ' + user.email + ' for user ' + user.name); } obj.parent.authLog('https', 'Verified email address ' + user.email + ' for user ' + user.name, { useragent: req.headers['user-agent'] });
} }
}); });
} }
@ -1953,7 +1955,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'handleCheckMailRequest: send temporary password.'); parent.debug('web', 'handleCheckMailRequest: send temporary password.');
// Send to authlog // Send to authlog
if (obj.parent.authlog) { obj.parent.authLog('https', 'Performed account reset for user ' + user.name); } obj.parent.authLog('https', 'Performed account reset for user ' + user.name);
}, 0); }, 0);
}); });
} else { } else {
@ -2558,7 +2560,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Notify account login using SSO // Notify account login using SSO
var targets = ['*', 'server-users', user._id]; var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' }; const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' };
obj.parent.DispatchEvent(targets, obj, loginEvent); obj.parent.DispatchEvent(targets, obj, loginEvent);
} else { } else {
@ -2590,7 +2592,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Notify account login using SSO // Notify account login using SSO
var targets = ['*', 'server-users', user._id]; var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } } if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
const ua = getUserAgentInfo(req); const ua = obj.getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' }; const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' };
obj.parent.DispatchEvent(targets, obj, loginEvent); obj.parent.DispatchEvent(targets, obj, loginEvent);
} }
@ -2630,11 +2632,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Login using SSPI // Login using SSPI
domain.sspi.authenticate(req, res, function (err) { domain.sspi.authenticate(req, res, function (err) {
if ((err != null) || (req.connection.user == null)) { if ((err != null) || (req.connection.user == null)) {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); } obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort, { useragent: req.headers['user-agent'] });
parent.debug('web', 'handleRootRequest: SSPI auth required.'); parent.debug('web', 'handleRootRequest: SSPI auth required.');
res.sendStatus(401); res.sendStatus(401);
} else { } else {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: SSPI auth ok.'); parent.debug('web', 'handleRootRequest: SSPI auth ok.');
handleRootRequestEx(req, res, domain, direct); handleRootRequestEx(req, res, domain, direct);
} }
@ -2644,12 +2645,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) { obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
if ((userid != null) && (err == null)) { if ((userid != null) && (err == null)) {
// Login success // Login success
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + userid + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.'); parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
req.session.userid = userid; req.session.userid = userid;
delete req.session.currentNode; delete req.session.currentNode;
req.session.ip = req.clientIp; // Bind this session to the IP address of the request req.session.ip = req.clientIp; // Bind this session to the IP address of the request
setSessionRandom(req); setSessionRandom(req);
obj.parent.authLog('https', 'Accepted password for ' + userid + ' from ' + req.clientIp + ' port ' + req.connection.remotePort, { useragent: req.headers['user-agent'], sessionid: req.session.x });
handleRootRequestEx(req, res, domain, direct); handleRootRequestEx(req, res, domain, direct);
} else { } else {
// Login failed // Login failed
@ -2728,6 +2729,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
delete req.session.currentNode; delete req.session.currentNode;
req.session.ip = req.clientIp; // Bind this session to the IP address of the request req.session.ip = req.clientIp; // Bind this session to the IP address of the request
setSessionRandom(req); setSessionRandom(req);
obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort, { useragent: req.headers['user-agent'], sessionid: req.session.x });
// Check if this user exists, create it if not. // Check if this user exists, create it if not.
user = obj.users[req.session.userid]; user = obj.users[req.session.userid];
@ -7508,7 +7510,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}); });
obj.parent.updateServerState('servername', certificates.CommonName); obj.parent.updateServerState('servername', certificates.CommonName);
} }
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on ' + ((addr != null) ? addr : '0.0.0.0') + ' port ' + port + '.'); } obj.parent.authLog('https', 'Server listening on ' + ((addr != null) ? addr : '0.0.0.0') + ' port ' + port + '.');
obj.parent.updateServerState('https-port', port); obj.parent.updateServerState('https-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); } if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); }
} else { } else {
@ -7545,7 +7547,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} else { } else {
obj.tcpAltServer = obj.tlsAltServer.listen(port, addr, function () { console.log('MeshCentral HTTPS agent-only server running on ' + certificates.CommonName + ':' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); }); obj.tcpAltServer = obj.tlsAltServer.listen(port, addr, function () { console.log('MeshCentral HTTPS agent-only server running on ' + certificates.CommonName + ':' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); });
} }
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.'); } obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.');
obj.parent.updateServerState('https-agent-port', port); obj.parent.updateServerState('https-agent-port', port);
} else { } else {
obj.tcpAltServer = obj.agentapp.listen(port, addr, function () { console.log('MeshCentral HTTP agent-only server running on port ' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); }); obj.tcpAltServer = obj.agentapp.listen(port, addr, function () { console.log('MeshCentral HTTP agent-only server running on port ' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); });
@ -8511,10 +8513,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} }
// Return decoded user agent information // Return decoded user agent information
function getUserAgentInfo(req) { obj.getUserAgentInfo = function(req) {
var browser = 'Unknown', os = 'Unknown'; var browser = 'Unknown', os = 'Unknown';
try { try {
const ua = obj.uaparser(req.headers['user-agent']); const ua = obj.uaparser((typeof req == 'string') ? req : req.headers['user-agent']);
if (ua.browser && ua.browser.name) { ua.browserStr = ua.browser.name; if (ua.browser.version) { ua.browserStr += '/' + ua.browser.version } } if (ua.browser && ua.browser.name) { ua.browserStr = ua.browser.name; if (ua.browser.version) { ua.browserStr += '/' + ua.browser.version } }
if (ua.os && ua.os.name) { ua.osStr = ua.os.name; if (ua.os.version) { ua.osStr += '/' + ua.os.version } } if (ua.os && ua.os.name) { ua.osStr = ua.os.name; if (ua.os.version) { ua.osStr += '/' + ua.os.version } }
return ua; return ua;
@ -8837,7 +8839,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.DispatchEvent(['*', ugrpid, user._id], obj, event); // Even if DB change stream is active, this event must be acted upon. parent.DispatchEvent(['*', ugrpid, user._id], obj, event); // Even if DB change stream is active, this event must be acted upon.
// Log in the auth log // Log in the auth log
if (parent.authlog) { parent.authLog('https', 'Created ' + userMembershipType + ' user group ' + ugrp.name); } parent.authLog('https', 'Created ' + userMembershipType + ' user group ' + ugrp.name);
} }
if (existingUserMemberships[ugrpid] == null) { if (existingUserMemberships[ugrpid] == null) {