diff --git a/db.js b/db.js index 864c3602..0b4fed30 100644 --- a/db.js +++ b/db.js @@ -940,7 +940,6 @@ module.exports.CreateDB = function (parent, func) { obj.dispose = function () { for (var x in obj) { if (obj[x].close) { obj[x].close(); } delete obj[x]; } }; obj.getLocalAmtNodes = function (func) { sqlDbQuery('SELECT doc FROM meshcentral.main WHERE (type = "node") AND (extraex IS NOT NULL)', null, function (err, docs) { var r = []; if (err == null) { for (var i in docs) { if (docs[i].host != null) { r.push(docs[i]); } } } func(err, r); }); }; obj.getAmtUuidMeshNode = function (meshid, uuid, func) { sqlDbQuery('SELECT doc FROM meshcentral.main WHERE meshid = ? AND extraex = ?', [meshid, 'uuid/' + uuid], func); }; - obj.getAmtUuidNode = function (uuid, func) { sqlDbQuery('SELECT doc FROM meshcentral.main WHERE type = "node" AND extraex = ?', ['uuid/' + uuid], func); }; obj.isMaxType = function (max, type, domainid, func) { if (max == null) { func(false); } else { sqlDbExec('SELECT COUNT(id) FROM meshcentral.main WHERE domain = ? AND type = ?', [domainid, type], function (err, response) { func((response['COUNT(id)'] == null) || (response['COUNT(id)'] > max), response['COUNT(id)']) }); } } // Database actions on the events collection @@ -1144,9 +1143,8 @@ module.exports.CreateDB = function (parent, func) { obj.DeleteDomain = function (domain, func) { obj.file.deleteMany({ domain: domain }, { multi: true }, func); }; obj.SetUser = function (user) { if (user.subscriptions != null) { var u = Clone(user); if (u.subscriptions) { delete u.subscriptions; } obj.Set(u); } else { obj.Set(user); } }; obj.dispose = function () { for (var x in obj) { if (obj[x].close) { obj[x].close(); } delete obj[x]; } }; - obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }).toArray(func); }; + obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }).toArray(func); }; // TODO: This query is not optimized, but local mode only. obj.getAmtUuidMeshNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }).toArray(func); }; - obj.getAmtUuidNode = function (uuid, func) { obj.file.find({ type: 'node', 'intelamt.uuid': uuid }).toArray(func); }; // TODO: Starting in MongoDB 4.0.3, you should use countDocuments() instead of count() that is deprecated. We should detect MongoDB version and switch. // https://docs.mongodb.com/manual/reference/method/db.collection.countDocuments/ @@ -1329,7 +1327,6 @@ module.exports.CreateDB = function (parent, func) { obj.dispose = function () { for (var x in obj) { if (obj[x].close) { obj[x].close(); } delete obj[x]; } }; obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }, func); }; obj.getAmtUuidMeshNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }, func); }; - obj.getAmtUuidNode = function (uuid, func) { obj.file.find({ type: 'node', 'intelamt.uuid': uuid }, func); }; obj.isMaxType = function (max, type, domainid, func) { if (max == null) { func(false); } else { obj.file.count({ type: type, domain: domainid }, function (err, count) { func((err != null) || (count > max), count); }); } } // Database actions on the events collection diff --git a/mpsserver.js b/mpsserver.js index 8c49666e..699b29f9 100644 --- a/mpsserver.js +++ b/mpsserver.js @@ -637,7 +637,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) { }); } else if (mesh.mtype == 2) { // If this is a agent mesh, search the mesh for this device UUID // Intel AMT GUID (socket.tag.SystemId) will be used to search the node - obj.db.getAmtUuidNode(socket.tag.SystemId, function (err, nodes) { // TODO: May need to optimize this request with indexes + obj.db.getAmtUuidMeshNode(mesh._id, socket.tag.SystemId, function (err, nodes) { // TODO: Need to optimize this request with indexes if ((nodes == null) || (nodes.length === 0) || (obj.parent.webserver.meshes == null)) { // New CIRA connection for unknown node, disconnect. unknownNodeCount++; diff --git a/webserver.js b/webserver.js index 5ec61e52..345b4d7b 100644 --- a/webserver.js +++ b/webserver.js @@ -3787,195 +3787,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { }); } - // Handle a Intel AMT activation request - function handleAmtActivateWebSocket(ws, req) { - const domain = checkUserIpAddress(ws, req); - if (domain == null) { return; } - if (req.query.id == null) { ws.send(JSON.stringify({ errorText: 'Missing group identifier' })); ws.close(); return; } - - // Fetch the mesh object - ws.meshid = 'mesh/' + domain.id + '/' + req.query.id; - const mesh = obj.meshes[ws.meshid]; - if (mesh == null) { ws.send(JSON.stringify({ errorText: 'Invalid device group: ' + ws.meshid })); delete ws.meshid; ws.close(); return; } - if (mesh.mtype != 1) { ws.send(JSON.stringify({ errorText: 'Invalid device group type:' + ws.meshid })); delete ws.meshid; ws.close(); return; } - - // Fetch the remote IP:Port for logging - ws.remoteaddr = req.clientIp; - ws.remoteaddrport = ws.remoteaddr + ':' + ws._socket.remotePort; - - // When data is received from the web socket, echo it back - ws.on('message', function (data) { - // Parse the incoming command - var cmd = null; - try { cmd = JSON.parse(data); } catch (ex) { }; - if (cmd == null) return; - - // Process the command - switch (cmd.action) { - case 'ccmactivate': - case 'acmactivate': { - // Check the command - if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; } - if (obj.common.validateString(cmd.realm, 16, 256) == false) { ws.send(JSON.stringify({ errorText: 'Invalid realm argument' })); ws.close(); return; } - if (obj.common.validateString(cmd.uuid, 36, 36) == false) { ws.send(JSON.stringify({ errorText: 'Invalid UUID argument' })); ws.close(); return; } - if (typeof cmd.hashes !== 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; } - if (typeof cmd.fqdn !== 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; } - if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; } - if (obj.common.validateArray(cmd.modes, 1, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid activation modes' })); ws.close(); return; } - if (obj.common.validateInt(cmd.currentMode, 0, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid current mode' })); ws.close(); return; } - if (typeof cmd.sku !== 'number') { ws.send(JSON.stringify({ errorText: 'Invalid SKU number' })); ws.close(); return; } - - // Get the current Intel AMT policy - var mesh = obj.meshes[ws.meshid], activationMode = 4; // activationMode: 2 = CCM, 4 = ACM - if ((mesh == null) || (mesh.amt == null) || (mesh.amt.password == null) || ((mesh.amt.type != 2) && (mesh.amt.type != 3))) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; } - if ((mesh.amt.type != 3) || (domain.amtacmactivation == null) || (domain.amtacmactivation.acmmatch == null)) { activationMode = 2; } - - if (activationMode == 4) { - // Check if we have a FQDN/Hash match - var matchingHash = null, matchingCN = null; - for (var i in domain.amtacmactivation.acmmatch) { - // Check for a matching FQDN - if ((domain.amtacmactivation.acmmatch[i].cn == '*') || (domain.amtacmactivation.acmmatch[i].cn.toLowerCase() == cmd.fqdn)) { - // Check for a matching certificate - if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha256) >= 0) { - matchingCN = domain.amtacmactivation.acmmatch[i].cn; - matchingHash = domain.amtacmactivation.acmmatch[i].sha256; - continue; - } else if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha1) >= 0) { - matchingCN = domain.amtacmactivation.acmmatch[i].cn; - matchingHash = domain.amtacmactivation.acmmatch[i].sha1; - continue; - } - } - } - // If no cert match or wildcard match which is not yet supported, do CCM activation. - if ((matchingHash == null) || (matchingCN == '*')) { ws.send(JSON.stringify({ messageText: 'No matching ACM activation certificates, activating in CCM instead...' })); activationMode = 2; } else { cmd.hash = matchingHash; } - } - - // Check if we are going to activate in an allowed mode. cmd.modes: 1 = CCM, 2 = ACM - if ((activationMode == 4) && (cmd.modes.indexOf(2) == -1)) { ws.send(JSON.stringify({ messageText: 'ACM not allowed on this machine, activating in CCM instead...' })); activationMode = 2; } // We want to do ACM, but mode is not allowed. Change to CCM. - - // If we want to do CCM, but mode is not allowed. Error out. - if ((activationMode == 2) && (cmd.modes.indexOf(1) == -1)) { ws.send(JSON.stringify({ errorText: 'CCM is not an allowed activation mode' })); ws.close(); return; } - - // Get the Intel AMT admin password, randomize if needed. - var amtpassword = ((mesh.amt.password == '') ? getRandomAmtPassword() : mesh.amt.password); - if (checkAmtPassword(amtpassword) == false) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT password' })); ws.close(); return; } // Invalid Intel AMT password, this should never happen. - - // Save some state, if activation is successful, we need this to add the device - ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, hostname: cmd.hostname, pass: amtpassword, flags: activationMode, ver: cmd.ver, sku: cmd.sku }; // Flags: 2 = CCM, 4 = ACM - - if (activationMode == 4) { - // ACM: Agent is asking the server to sign an Intel AMT ACM activation request - var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null); - ws.send(JSON.stringify(signResponse)); - } else { - // CCM: Log the activation request, logging is a required step for activation. - if (parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: 'ccmactivate', domain: domain.id, amtUuid: cmd.uuid, amtRealm: cmd.realm, user: 'admin', password: amtpassword, ipport: ws.remoteaddrport, meshid: ws.meshid, tag: cmd.tag, name: cmd.name }) == false) return { errorText: 'Unable to log operation' }; - - // Compute the HTTP digest hash and send the response for CCM activation - ws.send(JSON.stringify({ action: 'ccmactivate', password: obj.crypto.createHash('md5').update('admin:' + cmd.realm + ':' + amtpassword).digest('hex') })); - } - break; - } - case 'ccmactivate-failed': - case 'acmactivate-failed': { - // Log the activation response - parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: cmd.action, domain: domain.id, amtUuid: cmd.uuid, ipport: ws.remoteaddrport, meshid: ws.meshid }); - break; - } - case 'amtdiscover': - case 'ccmactivate-success': - case 'acmactivate-success': { - // If this is a discovery command, set the state. - if (cmd.action == 'amtdiscover') { - if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; } - if (obj.common.validateString(cmd.realm, 16, 256) == false) { ws.send(JSON.stringify({ errorText: 'Invalid realm argument' })); ws.close(); return; } - if (obj.common.validateString(cmd.uuid, 36, 36) == false) { ws.send(JSON.stringify({ errorText: 'Invalid UUID argument' })); ws.close(); return; } - if (typeof cmd.hashes != 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; } - if (typeof cmd.fqdn != 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; } - if ((obj.common.validateString(cmd.ver, 5, 16) == false) || (cmd.ver.split('.').length != 3)) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT version' })); ws.close(); return; } - if (obj.common.validateArray(cmd.modes, 1, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid activation modes' })); ws.close(); return; } - if (obj.common.validateInt(cmd.currentMode, 0, 2) == false) { ws.send(JSON.stringify({ errorText: 'Invalid current mode' })); ws.close(); return; } - var activationMode = 0; if (cmd.currentMode == 1) { activationMode = 2; } else if (cmd.currentMode == 2) { activationMode = 4; } - ws.xxstate = { uuid: cmd.uuid, realm: cmd.realm, tag: cmd.tag, name: cmd.name, hostname: cmd.hostname, flags: activationMode, ver: cmd.ver, sku: cmd.sku }; // Flags: 2 = CCM, 4 = ACM - } else { - // If this is an activation success, check that state was set already. - if (ws.xxstate == null) { ws.send(JSON.stringify({ errorText: 'Invalid command' })); ws.close(); return; } - } - - // Log the activation response - parent.certificateOperations.logAmtActivation(domain, { time: new Date(), action: cmd.action, domain: domain.id, amtUuid: cmd.uuid, ipport: ws.remoteaddrport, meshid: ws.meshid }); - - // Get the current Intel AMT policy - var mesh = obj.meshes[ws.meshid]; - if (mesh == null) { ws.send(JSON.stringify({ errorText: 'Unknown device group' })); ws.close(); return; } - - // Fix the computer name if needed - if ((ws.xxstate.name == null) || (ws.xxstate.name.length == 0)) { ws.xxstate.name = ws.xxstate.hostname; } - if ((ws.xxstate.name == null) || (ws.xxstate.name.length == 0)) { ws.xxstate.name = ws.xxstate.uuid; } - - db.getAmtUuidNode(ws.meshid, ws.xxstate.uuid, function (err, nodes) { - if ((nodes == null) || (nodes.length == 0)) { - // Create a new nodeid - parent.crypto.randomBytes(48, function (err, buf) { - // Create the new node - var xxnodeid = 'node/' + domain.id + '/' + buf.toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); - var device = { type: 'node', _id: xxnodeid, meshid: ws.meshid, name: ws.xxstate.name, rname: ws.xxstate.name, host: ws.remoteaddr, domain: domain.id, intelamt: { state: 2, flags: ws.xxstate.flags, tls: 0, uuid: ws.xxstate.uuid, realm: ws.xxstate.realm, tag: ws.xxstate.tag, ver: ws.xxstate.ver, sku: ws.xxstate.sku } }; - if (ws.xxstate.pass != null) { device.intelamt.user = 'admin'; device.intelamt.pass = ws.xxstate.pass; } - if (device.intelamt.flags != 0) { device.intelamt.state = 2; } else { device.intelamt.state = 0; } - db.Set(device); - - // Event the new node - var device2 = Object.assign({}, device); // Shallow clone - device2.intelamt = Object.assign({}, device2.intelamt); // Shallow clone - delete device2.intelamt.pass; // Remove the Intel AMT password before eventing this. - parent.DispatchEvent(['*', ws.meshid], obj, { etype: 'node', action: 'addnode', node: device2, msg: 'Added device ' + ws.xxstate.name + ' to mesh ' + mesh.name, domain: domain.id }); - }); - } else { - // Change an existing device - var device = nodes[0]; - if (device.host != ws.remoteaddr) { device.host = ws.remoteaddr; } - if ((ws.xxstate.name != null) && (device.rname != ws.xxstate.name)) { device.rname = ws.xxstate.name; } - if (device.intelamt.flags != 0) { - if (device.intelamt.state != 2) { device.intelamt.state = 2; } - } - if (device.intelamt.flags != ws.xxstate.flags) { device.intelamt.state = ws.xxstate.flags; } - if (ws.xxstate.pass != null) { - if (device.intelamt.user != 'admin') { device.intelamt.user = 'admin'; } - if (device.intelamt.pass != ws.xxstate.pass) { device.intelamt.pass = ws.xxstate.pass; } - } - if (device.intelamt.realm != ws.xxstate.realm) { device.intelamt.realm = ws.xxstate.realm; } - if (ws.xxstate.realm == null) { delete device.intelamt.tag; } - else if (device.intelamt.tag != ws.xxstate.tag) { device.intelamt.tag = ws.xxstate.tag; } - if (device.intelamt.ver != ws.xxstate.ver) { device.intelamt.ver = ws.xxstate.ver; } - if (device.intelamt.sku != ws.xxstate.sku) { device.intelamt.sku = ws.xxstate.sku; } - db.Set(device); - - // Event the new node - var device2 = Object.assign({}, device); // Shallow clone - device2.intelamt = Object.assign({}, device2.intelamt); // Shallow clone - delete device2.intelamt.pass; // Remove the Intel AMT password before eventing this. - if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come. - parent.DispatchEvent(['*', ws.meshid], obj, { etype: 'node', action: 'changenode', nodeid: device2._id, node: device2, msg: 'Changed device ' + device.name + ' in mesh ' + mesh.name, domain: domain.id }); - } - }); - - if (cmd.action == 'amtdiscover') { ws.send(JSON.stringify({ action: 'amtdiscover' })); } - break; - } - default: { - // This is not a known command - ws.send(JSON.stringify({ errorText: 'Invalid command' })); ws.close(); return; - } - } - }); - - // If close or error, do nothing. - ws.on('error', function (err) { }); - ws.on('close', function (req) { }); - } - // Setup agent to/from server file transfer handler function handleAgentFileTransfer(ws, req) { var domain = checkAgentIpAddress(ws, req); @@ -5146,7 +4957,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { obj.app.get(url + 'player', handlePlayerRequest); obj.app.get(url + 'desktop', handleDesktopRequest); obj.app.get(url + 'terminal', handleTerminalRequest); - obj.app.ws(url + 'amtactivate', handleAmtActivateWebSocket); obj.app.ws(url + 'agenttransfer.ashx', handleAgentFileTransfer); // Setup agent to/from server file transfer handler obj.app.ws(url + 'meshrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie) {