mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-08-15 19:50:44 +03:00
First working version with local device relay.
This commit is contained in:
Ylian Saint-Hilaire
parent
8498025175
commit
699f46c319
148
meshrelay.js
148
meshrelay.js
@ -938,4 +938,150 @@ a given size and timestamp. When looking at network traffic the flags are import
|
||||
|
||||
- If traffic has the first (0x0001) flag set, the data is binary otherwise it's a string.
|
||||
- If the traffic has the second (0x0002) flag set, traffic is coming from the user's browser, if not, it's coming from the MeshAgent.
|
||||
*/
|
||||
*/
|
||||
|
||||
|
||||
|
||||
|
||||
module.exports.CreateLocalRelay = function (parent, ws, req, domain, user, cookie) {
|
||||
CreateLocalRelayEx(parent, ws, req, domain, user, cookie);
|
||||
}
|
||||
|
||||
function CreateLocalRelayEx(parent, ws, req, domain, user, cookie) {
|
||||
const net = require('net');
|
||||
var obj = {};
|
||||
obj.id = Buffer.from(parent.crypto.randomBytes(9), 'binary').toString('base64');
|
||||
obj.req = req;
|
||||
obj.ws = ws;
|
||||
obj.user = user;
|
||||
|
||||
// If there is no authentication, drop this connection
|
||||
if (obj.user == null) { try { ws.close(); parent.parent.debug('relay', 'Relay: Connection with no authentication'); } catch (e) { console.log(e); } return; }
|
||||
|
||||
// Check for nodeid and tcpport
|
||||
if ((req.query == null) || (req.query.nodeid == null) || (req.query.tcpport == null)) { try { ws.close(); parent.parent.debug('relay', 'Relay: Connection with invalid arguments'); } catch (e) { console.log(e); } return; }
|
||||
const tcpport = parseInt(req.query.tcpport);
|
||||
if ((typeof tcpport != 'number') || (tcpport < 1) || (tcpport > 65535)) { try { ws.close(); parent.parent.debug('relay', 'Relay: Connection with invalid arguments'); } catch (e) { console.log(e); } return; }
|
||||
var nodeidsplit = req.query.nodeid.split('/');
|
||||
if ((nodeidsplit.length != 3) || (nodeidsplit[0] != 'node') || (nodeidsplit[1] != domain.id) || (nodeidsplit[2].length < 10)) { try { ws.close(); parent.parent.debug('relay', 'Relay: Connection with invalid arguments'); } catch (e) { console.log(e); } return; }
|
||||
obj.nodeid = req.query.nodeid;
|
||||
obj.tcpport = tcpport;
|
||||
|
||||
// Relay session count (we may remove this in the future)
|
||||
obj.relaySessionCounted = true;
|
||||
parent.relaySessionCount++;
|
||||
|
||||
// Setup slow relay is requested. This will show down sending any data to this peer.
|
||||
if ((req.query.slowrelay != null)) {
|
||||
var sr = null;
|
||||
try { sr = parseInt(req.query.slowrelay); } catch (ex) { }
|
||||
if ((typeof sr == 'number') && (sr > 0) && (sr < 1000)) { obj.ws.slowRelay = sr; }
|
||||
}
|
||||
|
||||
// Hold traffic until we connect to the target
|
||||
ws._socket.pause();
|
||||
|
||||
// Mesh Rights
|
||||
const MESHRIGHT_EDITMESH = 1;
|
||||
const MESHRIGHT_MANAGEUSERS = 2;
|
||||
const MESHRIGHT_MANAGECOMPUTERS = 4;
|
||||
const MESHRIGHT_REMOTECONTROL = 8;
|
||||
const MESHRIGHT_AGENTCONSOLE = 16;
|
||||
const MESHRIGHT_SERVERFILES = 32;
|
||||
const MESHRIGHT_WAKEDEVICE = 64;
|
||||
const MESHRIGHT_SETNOTES = 128;
|
||||
const MESHRIGHT_REMOTEVIEW = 256;
|
||||
|
||||
// Site rights
|
||||
const SITERIGHT_SERVERBACKUP = 1;
|
||||
const SITERIGHT_MANAGEUSERS = 2;
|
||||
const SITERIGHT_SERVERRESTORE = 4;
|
||||
const SITERIGHT_FILEACCESS = 8;
|
||||
const SITERIGHT_SERVERUPDATE = 16;
|
||||
const SITERIGHT_LOCKED = 32;
|
||||
|
||||
// Clean a IPv6 address that encodes a IPv4 address
|
||||
function cleanRemoteAddr(addr) { if (addr.startsWith('::ffff:')) { return addr.substring(7); } else { return addr; } }
|
||||
|
||||
// Disconnect
|
||||
obj.close = function (arg) {
|
||||
if ((arg == 1) || (arg == null)) { try { ws.close(); parent.parent.debug('relay', 'Relay: Soft disconnect'); } catch (e) { console.log(e); } } // Soft close, close the websocket
|
||||
if (arg == 2) { try { ws._socket._parent.end(); parent.parent.debug('relay', 'Relay: Hard disconnect'); } catch (e) { console.log(e); } } // Hard close, close the TCP socket
|
||||
|
||||
// Update the relay session count
|
||||
if (obj.relaySessionCounted) { parent.relaySessionCount--; delete obj.relaySessionCounted; }
|
||||
|
||||
// Log the disconnection
|
||||
if (obj.time) {
|
||||
var event = { etype: 'relay', action: 'relaylog', domain: domain.id, userid: obj.user._id, username: obj.user.name, msgid: 9, msgArgs: [obj.id, obj.req.clientIp, obj.host, Math.floor((Date.now() - obj.time) / 1000)], msg: 'Ended relay session \"' + obj.id + '\" from ' + obj.req.clientIp + ' to ' + obj.host + ', ' + Math.floor((Date.now() - obj.time) / 1000) + ' second(s)', nodeid: obj.req.query.nodeid };
|
||||
parent.parent.DispatchEvent(['*', user._id], obj, event);
|
||||
}
|
||||
|
||||
// Aggressive cleanup
|
||||
delete obj.ws;
|
||||
delete obj.req;
|
||||
delete obj.time;
|
||||
delete obj.nodeid;
|
||||
delete obj.meshid;
|
||||
delete obj.tcpport;
|
||||
delete obj.expireTimer;
|
||||
if (obj.client != null) { obj.client.destroy(); delete obj.client; }
|
||||
if (obj.pingtimer != null) { clearInterval(obj.pingtimer); delete obj.pingtimer; }
|
||||
if (obj.pongtimer != null) { clearInterval(obj.pongtimer); delete obj.pongtimer; }
|
||||
|
||||
// Unsubscribe
|
||||
if (obj.pid != null) { parent.parent.RemoveAllEventDispatch(obj); }
|
||||
};
|
||||
|
||||
// Send a PING/PONG message
|
||||
function sendPing() { try { obj.ws.send('{"ctrlChannel":"102938","type":"ping"}'); } catch (ex) { } }
|
||||
function sendPong() { try { obj.ws.send('{"ctrlChannel":"102938","type":"pong"}'); } catch (ex) { } }
|
||||
|
||||
function performRelay() {
|
||||
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive
|
||||
|
||||
// Setup the agent PING/PONG timers unless requested not to
|
||||
if (obj.req.query.noping != 1) {
|
||||
if ((typeof parent.parent.args.agentping == 'number') && (obj.pingtimer == null)) { obj.pingtimer = setInterval(sendPing, parent.parent.args.agentping * 1000); }
|
||||
else if ((typeof parent.parent.args.agentpong == 'number') && (obj.pongtimer == null)) { obj.pongtimer = setInterval(sendPong, parent.parent.args.agentpong * 1000); }
|
||||
}
|
||||
|
||||
parent.db.Get(obj.nodeid, function (err, docs) {
|
||||
if ((err != null) || (docs == null) || (docs.length != 1)) { try { obj.close(); } catch (e) { } return; } // Disconnect websocket
|
||||
const node = docs[0];
|
||||
obj.host = node.host;
|
||||
obj.meshid = node.meshid;
|
||||
|
||||
// Check if this user has permission to manage this computer
|
||||
if ((parent.GetNodeRights(obj.user, node.meshid, node._id) & MESHRIGHT_REMOTECONTROL) == 0) { console.log('ERR: Access denied (2)'); try { obj.close(); } catch (e) { } return; }
|
||||
|
||||
// Setup TCP client
|
||||
obj.client = new net.Socket();
|
||||
obj.client.connect(obj.tcpport, node.host, function () { ws.send('c'); ws._socket.resume(); });
|
||||
obj.client.on('data', function (data) { try { this.pause(); ws.send(data, this.clientResume); } catch (ex) { console.log(ex); } }); // Perform relay
|
||||
obj.client.on('close', function () { obj.close(); });
|
||||
obj.client.on('error', function (err) { obj.close(); });
|
||||
obj.client.clientResume = function () { try { obj.client.resume(); } catch (ex) { console.log(ex); } };
|
||||
|
||||
// Log the start of the connection
|
||||
obj.time = Date.now();
|
||||
var event = { etype: 'relay', action: 'relaylog', domain: domain.id, userid: obj.user._id, username: obj.user.name, msgid: 13, msgArgs: [obj.id, obj.req.clientIp, obj.host], msg: 'Started relay session \"' + obj.id + '\" from ' + obj.req.clientIp + ' to ' + obj.host, nodeid: req.query.nodeid };
|
||||
parent.parent.DispatchEvent(['*', obj.user._id, obj.meshid, obj.nodeid], obj, event);
|
||||
});
|
||||
}
|
||||
|
||||
ws.flushSink = function () { try { ws._socket.resume(); } catch (ex) { console.log(ex); } };
|
||||
|
||||
// When data is received from the mesh relay web socket
|
||||
ws.on('message', function (data) { if (typeof data != 'string') { try { ws._socket.pause(); obj.client.write(data, ws.flushSink); } catch (ex) { } } }); // Perform relay
|
||||
|
||||
// If error, close both sides of the relay.
|
||||
ws.on('error', function (err) { parent.relaySessionErrorCount++; obj.close(); });
|
||||
|
||||
// Relay web socket is closed
|
||||
ws.on('close', function (req) { obj.close(); });
|
||||
|
||||
// If this is not an authenticated session, or the session does not have routing instructions, just go ahead an connect to existing session.
|
||||
performRelay();
|
||||
return obj;
|
||||
};
|
||||
@ -3625,6 +3625,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) return; // Invalid domain, operation only valid for current domain
|
||||
if (common.validateString(command.devicename, 1, 256) == false) break; // Check device name
|
||||
if (common.validateString(command.hostname, 1, 256) == false) break; // Check hostname
|
||||
if (typeof command.type != 'number') break; // Type must be a number
|
||||
if ((command.type != 4) && (command.type != 6) && (command.type != 29)) break; // Check device type
|
||||
|
||||
// Get the mesh
|
||||
@ -3639,7 +3640,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
parent.crypto.randomBytes(48, function (err, buf) {
|
||||
// Create the new node
|
||||
nodeid = 'node/' + domain.id + '/' + buf.toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
|
||||
var device = { type: 'node', _id: nodeid, meshid: command.meshid, name: command.devicename, host: command.hostname, domain: domain.id, mtype: 3, agent: { id: command.type, caps: 0 } };
|
||||
var device = { type: 'node', _id: nodeid, meshid: command.meshid, mtype: 3, icon: 1, name: command.devicename, host: command.hostname, domain: domain.id, agent: { id: command.type, caps: 0 } };
|
||||
db.Set(device);
|
||||
|
||||
// Event the new node
|
||||
@ -3676,7 +3677,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
parent.crypto.randomBytes(48, function (err, buf) {
|
||||
// Create the new node
|
||||
nodeid = 'node/' + domain.id + '/' + buf.toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
|
||||
var device = { type: 'node', _id: nodeid, meshid: command.meshid, name: command.devicename, host: command.hostname, domain: domain.id, intelamt: { user: command.amtusername, pass: command.amtpassword, tls: command.amttls } };
|
||||
var device = { type: 'node', _id: nodeid, meshid: command.meshid, mtype: 1, icon: 1, name: command.devicename, host: command.hostname, domain: domain.id, intelamt: { user: command.amtusername, pass: command.amtpassword, tls: command.amttls } };
|
||||
db.Set(device);
|
||||
|
||||
// Event the new node
|
||||
@ -4316,6 +4317,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
if (command.ip) { cookieContent.ip = command.ip; } // Indicates the browser want to agent to relay a TCP connection to a IP:port
|
||||
command.cookie = parent.parent.encodeCookie(cookieContent, parent.parent.loginCookieEncryptionKey);
|
||||
command.trustedCert = parent.isTrustedCert(domain);
|
||||
if (node.mtype == 3) { command.localRelay = true; }
|
||||
try { ws.send(JSON.stringify(command)); } catch (ex) { }
|
||||
});
|
||||
break;
|
||||
|
||||
@ -2463,11 +2463,12 @@
|
||||
var url = 'mcrouter://' + servername + portStr + domainUrl + 'control.ashx?c=' + authCookie + '&t=' + serverinfo.tlshash + '&l={{{lang}}}' + (urlargs.key?('&key=' + urlargs.key):'');
|
||||
if (message.nodeid != null) { url += ('&nodeid=' + message.nodeid); }
|
||||
if (message.tcpport != null) { url += ('&protocol=1&remoteport=' + message.tcpport); }
|
||||
if (message.localRelay) { url += '&local=1'; }
|
||||
if (message.ip != null) { url += ('&remoteip=' + message.ip); }
|
||||
url += ('&appid=' + message.protocol + '&autoexit=1'); // Protocol: 0 = Custom, 1 = HTTP, 2 = HTTPS, 3 = RDP, 4 = PuTTY, 5 = WinSCP
|
||||
downloadFile(url, '');
|
||||
} else if (message.tag == 'novnc') {
|
||||
var vncurl = window.location.origin + domainUrl + 'novnc/vnc.html?ws=wss%3A%2F%2F' + window.location.host + encodeURIComponentEx(domainUrl) + 'meshrelay.ashx%3Fauth%3D' + message.cookie + '&show_dot=1' + (urlargs.key?('&key=' + urlargs.key):'') + '&l={{{lang}}}';
|
||||
var vncurl = window.location.origin + domainUrl + 'novnc/vnc.html?ws=wss%3A%2F%2F' + window.location.host + encodeURIComponentEx(domainUrl) + (message.localRelay?'local':'mesh') + 'relay.ashx%3Fauth%3D' + message.cookie + '&show_dot=1' + (urlargs.key?('&key=' + urlargs.key):'') + '&l={{{lang}}}';
|
||||
var node = getNodeFromId(message.nodeid);
|
||||
if (node != null) { vncurl += '&name=' + encodeURIComponentEx(node.name); }
|
||||
safeNewWindow(vncurl, 'mcnovnc/' + message.nodeid);
|
||||
@ -2475,6 +2476,7 @@
|
||||
var rdpurl = window.location.origin + domainUrl + 'mstsc.html?ws=' + message.cookie + (urlargs.key?('&key=' + urlargs.key):'');
|
||||
var node = getNodeFromId(message.nodeid);
|
||||
if (node != null) { rdpurl += '&name=' + encodeURIComponentEx(node.name); }
|
||||
if (message.localRelay) { url += '&local=1'; }
|
||||
safeNewWindow(rdpurl, 'mcmstsc/' + message.nodeid);
|
||||
}
|
||||
break;
|
||||
@ -4455,7 +4457,7 @@
|
||||
function addLocalDeviceToMeshEx(button, meshid) {
|
||||
var host = Q('dp1hostname').value;
|
||||
if (host == '') host = Q('dp1devicename').value;
|
||||
meshserver.send({ action: 'addlocaldevice', meshid: meshid, devicename: Q('dp1devicename').value, hostname: host, type: Q('dp1type').value });
|
||||
meshserver.send({ action: 'addlocaldevice', meshid: meshid, devicename: Q('dp1devicename').value, hostname: host, type: parseInt(Q('dp1type').value) });
|
||||
}
|
||||
|
||||
function addDeviceToMesh(meshid) {
|
||||
@ -7154,7 +7156,7 @@
|
||||
function p10showChangeGroupDialog(nodeids) {
|
||||
if (xxdialogMode) return false;
|
||||
var targetMeshId = null;
|
||||
if (nodeids.length == 1) { try { targetMeshId = meshes[getNodeFromId(nodeids[0])]._id; } catch (ex) { } }
|
||||
if (nodeids.length == 1) { try { targetMeshId = meshes[getNodeFromId(nodeids[0]).meshid]._id; } catch (ex) { } }
|
||||
|
||||
// List all available alternative groups
|
||||
var y = '<select id=p10newGroup style=width:236px>', count = 0, altGroups = [];
|
||||
|
||||
13
webserver.js
13
webserver.js
@ -5355,7 +5355,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
parent.debug('webrequest', '(' + req.clientIp + ') ' + req.url);
|
||||
|
||||
// Skip the rest is this is an agent connection
|
||||
if ((req.url.indexOf('/meshrelay.ashx/.websocket') >= 0) || (req.url.indexOf('/agent.ashx/.websocket') >= 0)) { next(); return; }
|
||||
if ((req.url.indexOf('/meshrelay.ashx/.websocket') >= 0) || (req.url.indexOf('/agent.ashx/.websocket') >= 0) || (req.url.indexOf('/localrelay.ashx/.websocket') >= 0)) { next(); return; }
|
||||
|
||||
// If this domain has configured headers, use them.
|
||||
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
|
||||
@ -5538,6 +5538,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
});
|
||||
});
|
||||
if (obj.args.wanonly != true) { // If the server is not in WAN mode, allow server relayed connections.
|
||||
obj.app.ws(url + 'localrelay.ashx', function (ws, req) {
|
||||
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie) {
|
||||
if ((user == null) || (cookie == null)) {
|
||||
try { ws1.close(); } catch (ex) { }
|
||||
} else {
|
||||
obj.meshRelayHandler.CreateLocalRelay(obj, ws1, req1, domain, user, cookie); // Local relay
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
if (domain.agentinvitecodes == true) {
|
||||
obj.app.get(url + 'invite', handleInviteRequest);
|
||||
obj.app.post(url + 'invite', handleInviteRequest);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user