Centralization of user access control.

This commit is contained in:
Ylian Saint-Hilaire 2019-12-26 22:53:01 -08:00
parent 7452ee6a13
commit caa37f338c
2 changed files with 145 additions and 123 deletions

View File

@ -113,10 +113,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (meshpath[0] != user._id) return null; // Only allow own user folder if (meshpath[0] != user._id) return null; // Only allow own user folder
} else if (splitid[0] == 'mesh') { } else if (splitid[0] == 'mesh') {
// Check mesh access // Check mesh access
var meshrights = user.links[meshpath[0]]; if ((parent.GetMeshRights(user, meshpath[0]) & MESHRIGHT_SERVERFILES) == 0) return null; // This user must have mesh rights to "server files"
if (meshrights == null) return null; // No meth rights for this user
meshrights = meshrights.rights; // Get the rights bit mask
if ((meshrights == null) || ((meshrights & 32) == 0)) return null; // This user must have mesh rights to "server files"
} else return null; } else return null;
var rootfolder = meshpath[0], rootfoldersplit = rootfolder.split('/'), domainx = 'domain'; var rootfolder = meshpath[0], rootfoldersplit = rootfolder.split('/'), domainx = 'domain';
if (rootfoldersplit[1].length > 0) domainx = 'domain-' + rootfoldersplit[1]; if (rootfoldersplit[1].length > 0) domainx = 'domain-' + rootfoldersplit[1];
@ -155,11 +152,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var agent = parent.wsagents[command.nodeid]; var agent = parent.wsagents[command.nodeid];
if (agent != null) { if (agent != null) {
// Check if we have permission to send a message to that node // Check if we have permission to send a message to that node
var rights = user.links[agent.dbMeshKey]; var meshrights = parent.GetMeshRights(user, agent.dbMeshKey);
var mesh = parent.meshes[agent.dbMeshKey]; var mesh = parent.meshes[agent.dbMeshKey];
if ((rights != null) && (mesh != null) && ((rights.rights & 8) || (rights.rights & 256))) { // 8 is remote control permission, 256 is desktop read only if ((mesh != null) && ((meshrights & MESHRIGHT_REMOTECONTROL) || (meshrights & MESHRIGHT_REMOTEVIEWONLY))) { // 8 is remote control permission, 256 is desktop read only
command.sessionid = ws.sessionId; // Set the session id, required for responses command.sessionid = ws.sessionId; // Set the session id, required for responses
command.rights = rights.rights; // Add user rights flags to the message command.rights = meshrights; // Add user rights flags to the message
command.consent = mesh.consent; // Add user consent command.consent = mesh.consent; // Add user consent
if (typeof domain.userconsentflags == 'number') { command.consent |= domain.userconsentflags; } // Add server required consent flags if (typeof domain.userconsentflags == 'number') { command.consent |= domain.userconsentflags; } // Add server required consent flags
command.username = user.name; // Add user name command.username = user.name; // Add user name
@ -174,11 +171,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var routing = parent.parent.GetRoutingServerId(command.nodeid, 1); // 1 = MeshAgent routing type var routing = parent.parent.GetRoutingServerId(command.nodeid, 1); // 1 = MeshAgent routing type
if (routing != null) { if (routing != null) {
// Check if we have permission to send a message to that node // Check if we have permission to send a message to that node
var rights = user.links[routing.meshid]; var meshrights = parent.GetMeshRights(user, routing.meshid);
var mesh = parent.meshes[routing.meshid]; var mesh = parent.meshes[routing.meshid];
if ((rights != null) && (mesh != null) && ((rights.rights & 8) || (rights.rights & 256))) { // 8 is remote control permission if ((mesh != null) && ((meshrights & MESHRIGHT_REMOTECONTROL) || (meshrights & MESHRIGHT_REMOTEVIEWONLY))) { // 8 is remote control permission
command.fromSessionid = ws.sessionId; // Set the session id, required for responses command.fromSessionid = ws.sessionId; // Set the session id, required for responses
command.rights = rights.rights; // Add user rights flags to the message command.rights = meshrights; // Add user rights flags to the message
command.consent = mesh.consent; // Add user consent command.consent = mesh.consent; // Add user consent
if (typeof domain.userconsentflags == 'number') { command.consent |= domain.userconsentflags; } // Add server required consent flags if (typeof domain.userconsentflags == 'number') { command.consent |= domain.userconsentflags; } // Add server required consent flags
command.username = user.name; // Add user name command.username = user.name; // Add user name
@ -261,8 +258,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Because of the device group "Show Self Events Only", we need to do more checks here. // Because of the device group "Show Self Events Only", we need to do more checks here.
if (id.startsWith('mesh/')) { if (id.startsWith('mesh/')) {
// Check if we have rights to get this message. If we have limited events on this mesh, don't send the event to the user. // Check if we have rights to get this message. If we have limited events on this mesh, don't send the event to the user.
var meshlink = obj.user.links[id]; var meshrights = parent.GetMeshRights(user, id);
if ((meshlink != null) && ((meshlink.rights == 0xFFFFFFFF) || ((meshlink.rights & 8192) == 0) || (ids.indexOf(user._id) >= 0))) { if ((meshrights == 0xFFFFFFFF) || ((meshrights & MESHRIGHT_LIMITEVENTS) == 0) || (ids.indexOf(user._id) >= 0)) {
// We have the device group rights to see this event or we are directly targetted by the event // We have the device group rights to see this event or we are directly targetted by the event
ws.send(JSON.stringify({ action: 'event', event: event })); ws.send(JSON.stringify({ action: 'event', event: event }));
} else { } else {
@ -435,14 +432,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
case 'meshes': case 'meshes':
{ {
// Request a list of all meshes this user as rights to // Request a list of all meshes this user as rights to
var docs = []; try { ws.send(JSON.stringify({ action: 'meshes', meshes: parent.GetAllMeshWithRights(user).map(parent.CloneSafeMesh), tag: command.tag })); } catch (ex) { }
for (i in user.links) {
if ((parent.meshes[i]) && (parent.meshes[i].deleted == null)) {
// Remove the Intel AMT password if present
docs.push(parent.CloneSafeMesh(parent.meshes[i]));
}
}
try { ws.send(JSON.stringify({ action: 'meshes', meshes: docs, tag: command.tag })); } catch (ex) { }
break; break;
} }
case 'nodes': case 'nodes':
@ -451,13 +441,13 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
try { try {
if (command.meshid == null) { if (command.meshid == null) {
// Request a list of all meshes this user as rights to // Request a list of all meshes this user as rights to
for (i in user.links) { links.push(i); } links = parent.GetAllMeshIdWithRights(user);
} else { } else {
// Request list of all nodes for one specific meshid // Request list of all nodes for one specific meshid
meshid = command.meshid; meshid = command.meshid;
if (common.validateString(meshid, 0, 128) == false) { err = 'Invalid group id'; } else { if (common.validateString(meshid, 0, 128) == false) { err = 'Invalid group id'; } else {
if (meshid.split('/').length == 1) { meshid = 'mesh/' + domain.id + '/' + command.meshid; } if (meshid.split('/').length == 1) { meshid = 'mesh/' + domain.id + '/' + command.meshid; }
if (user.links[meshid] != null) { links.push(meshid); } else { err = 'Invalid group id'; } if (obj.IsMeshViewable(user, meshid)) { links.push(meshid); } else { err = 'Invalid group id'; }
} }
} }
} catch (ex) { err = 'Validation exception: ' + ex; } } catch (ex) { err = 'Validation exception: ' + ex; }
@ -519,13 +509,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((snode.length != 3) || (snode[1] != domain.id)) break; if ((snode.length != 3) || (snode[1] != domain.id)) break;
// Check that we have permissions for this node. // Check that we have permissions for this node.
if (obj.user.links == null) return;
db.Get(command.nodeid, function (err, nodes) { db.Get(command.nodeid, function (err, nodes) {
if (nodes == null || nodes.length != 1) return; if (nodes == null || nodes.length != 1) return;
const node = nodes[0]; const node = nodes[0];
var meshlink = obj.user.links[node.meshid]; if (parent.GetMeshRights(user, node.meshid) != 0) {
if ((meshlink != null) && (meshlink.rights != 0)) {
// Query the database for the power timeline for a given node // Query the database for the power timeline for a given node
// The result is a compacted array: [ startPowerState, startTimeUTC, powerState ] + many[ deltaTime, powerState ] // The result is a compacted array: [ startPowerState, startTimeUTC, powerState ] + many[ deltaTime, powerState ]
db.getPowerTimeline(command.nodeid, function (err, docs) { db.getPowerTimeline(command.nodeid, function (err, docs) {
@ -566,13 +554,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((snode.length != 3) || (snode[1] != domain.id)) break; if ((snode.length != 3) || (snode[1] != domain.id)) break;
// Check that we have permissions for this node. // Check that we have permissions for this node.
if (obj.user.links == null) return;
db.Get(command.nodeid, function (err, nodes) { db.Get(command.nodeid, function (err, nodes) {
if (nodes == null || nodes.length != 1) return; if (nodes == null || nodes.length != 1) return;
const node = nodes[0]; const node = nodes[0];
var meshlink = obj.user.links[node.meshid]; if (parent.GetMeshRights(user, node.meshid) != 0) {
if ((meshlink != null) && (meshlink.rights != 0)) {
// Query the database system information // Query the database system information
db.Get('si' + command.nodeid, function (err, docs) { db.Get('si' + command.nodeid, function (err, docs) {
if ((docs != null) && (docs.length > 0)) { if ((docs != null) && (docs.length > 0)) {
@ -600,13 +586,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((snode.length != 3) || (snode[1] != domain.id)) break; if ((snode.length != 3) || (snode[1] != domain.id)) break;
// Check that we have permissions for this node. // Check that we have permissions for this node.
if (obj.user.links == null) return;
db.Get(command.nodeid, function (err, nodes) { db.Get(command.nodeid, function (err, nodes) {
if (nodes == null || nodes.length != 1) return; if (nodes == null || nodes.length != 1) return;
const node = nodes[0]; const node = nodes[0];
var meshlink = obj.user.links[node.meshid]; if (parent.GetMeshRights(user, node.meshid) != 0) {
if ((meshlink != null) && (meshlink.rights != 0)) {
// Query the database for the last time this node connected // Query the database for the last time this node connected
db.Get('lc' + command.nodeid, function (err, docs) { db.Get('lc' + command.nodeid, function (err, docs) {
if ((docs != null) && (docs.length > 0)) { if ((docs != null) && (docs.length > 0)) {
@ -981,18 +965,17 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} }
} else if (common.validateString(command.nodeid, 0, 128) == true) { // Device filtered events } else if (common.validateString(command.nodeid, 0, 128) == true) { // Device filtered events
// Check that the user has access to this nodeid // Check that the user has access to this nodeid
if (obj.user.links == null) return;
db.Get(command.nodeid, function (err, nodes) { db.Get(command.nodeid, function (err, nodes) {
if ((nodes == null) || (nodes.length != 1)) return; if ((nodes == null) || (nodes.length != 1)) return;
const node = nodes[0]; const node = nodes[0];
var meshlink = obj.user.links[node.meshid]; var meshrights = parent.GetMeshRights(user, node.meshid);
if ((meshlink != null) && (meshlink.rights != 0)) { if (meshrights != 0) {
// Put a limit on the number of returned entries if present // Put a limit on the number of returned entries if present
var limit = 10000; var limit = 10000;
if (common.validateInt(command.limit, 1, 60000) == true) { limit = command.limit; } if (common.validateInt(command.limit, 1, 60000) == true) { limit = command.limit; }
if ((meshlink.rights & 8192) != 0) { if ((meshrights & MESHRIGHT_LIMITEVENTS) != 0) {
// Send the list of most recent events for this nodeid that only apply to us, up to 'limit' count // Send the list of most recent events for this nodeid that only apply to us, up to 'limit' count
db.GetNodeEventsSelfWithLimit(command.nodeid, domain.id, user._id, limit, function (err, docs) { db.GetNodeEventsSelfWithLimit(command.nodeid, domain.id, user._id, limit, function (err, docs) {
if (err != null) return; if (err != null) return;
@ -1014,8 +997,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// All events // All events
var exGroupFilter2 = [], filter = [], filter2 = user.subscriptions; var exGroupFilter2 = [], filter = [], filter2 = user.subscriptions;
// Remove MeshID's that we do not have rights to see events for // Remove MeshID's that we do not have rights to see events for (TODO: user groups)
for (var link in obj.user.links) { if (((obj.user.links[link].rights & 8192) != 0) && ((obj.user.links[link].rights != 0xFFFFFFFF))) { exGroupFilter2.push(link); } } for (var link in obj.user.links) { if (((obj.user.links[link].rights & MESHRIGHT_LIMITEVENTS) != 0) && ((obj.user.links[link].rights != 0xFFFFFFFF))) { exGroupFilter2.push(link); } }
for (var i in filter2) { if (exGroupFilter2.indexOf(filter2[i]) == -1) { filter.push(filter2[i]); } } for (var i in filter2) { if (exGroupFilter2.indexOf(filter2[i]) == -1) { filter.push(filter2[i]); } }
if ((command.limit == null) || (typeof command.limit != 'number')) { if ((command.limit == null) || (typeof command.limit != 'number')) {
@ -1215,6 +1198,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} }
} }
// TODO: Remove user groups??
db.Remove('ws' + deluser._id); // Remove user web state db.Remove('ws' + deluser._id); // Remove user web state
db.Remove('nt' + deluser._id); // Remove notes for this user db.Remove('nt' + deluser._id); // Remove notes for this user
@ -1522,13 +1507,13 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (common.validateString(command.meshid, 1, 1024) == false) { err = 'Invalid group identifier'; } // Check the meshid if (common.validateString(command.meshid, 1, 1024) == false) { err = 'Invalid group identifier'; } // Check the meshid
else if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; } else if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; }
if (common.validateInt(command.notify) == false) { err = 'Invalid notification flags'; } if (common.validateInt(command.notify) == false) { err = 'Invalid notification flags'; }
if ((user.links == null) || (user.links[command.meshid] == null)) { err = 'Incorrect group identifier'; } if (parent.GetMeshRights(user, command.meshid) == 0) err = 'Access denied';
} catch (ex) { err = 'Validation exception: ' + ex; } } catch (ex) { err = 'Validation exception: ' + ex; }
// Handle any errors // Handle any errors
if (err != null) { if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'changemeshnotify', responseid: command.responseid, result: err })); } catch (ex) { } } break; } if (err != null) { if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'changemeshnotify', responseid: command.responseid, result: err })); } catch (ex) { } } break; }
// Change the notification // Change the notification (TODO: Add user group support, not sure how to do this here)
if (command.notify == 0) { if (command.notify == 0) {
delete user.links[command.meshid].notify; delete user.links[command.meshid].notify;
} else { } else {
@ -1702,7 +1687,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & MESHRIGHT_CHATNOTIFY) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_CHATNOTIFY) == 0) return;
// Create the server url // Create the server url
var httpsPort = ((args.aliasport == null) ? args.port : args.aliasport); // Use HTTPS alias port is specified var httpsPort = ((args.aliasport == null) ? args.port : args.aliasport); // Use HTTPS alias port is specified
@ -1820,7 +1805,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Check if this user has rights to do this // Check if this user has rights to do this
var err = null; var err = null;
if (mesh.links[user._id] == null || mesh.links[user._id].rights != 0xFFFFFFFF) { err = 'Access denied'; } if (parent.GetMeshRights(user, mesh) != 0xFFFFFFFF) { err = 'Access denied'; }
if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = 'Invalid group'; } // Invalid domain, operation only valid for current domain if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = 'Invalid group'; } // Invalid domain, operation only valid for current domain
// Handle any errors // Handle any errors
@ -1867,7 +1852,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 1) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_EDITMESH) == 0) return;
if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) return; // Invalid domain, operation only valid for current domain if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) return; // Invalid domain, operation only valid for current domain
if ((common.validateString(command.meshname, 1, 64) == true) && (command.meshname != mesh.name)) { change = 'Group name changed from "' + mesh.name + '" to "' + command.meshname + '"'; mesh.name = command.meshname; } if ((common.validateString(command.meshname, 1, 64) == true) && (command.meshname != mesh.name)) { change = 'Group name changed from "' + mesh.name + '" to "' + command.meshname + '"'; mesh.name = command.meshname; }
@ -1894,7 +1879,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; } if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; }
mesh = parent.meshes[command.meshid]; mesh = parent.meshes[command.meshid];
if (mesh == null) { err = 'Unknown group'; } if (mesh == null) { err = 'Unknown group'; }
else if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 2) == 0)) { err = 'Permission denied'; } else if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_MANAGEUSERS) == 0) { err = 'Permission denied'; }
else if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = 'Invalid domain'; } // Invalid domain, operation only valid for current domain else if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = 'Invalid domain'; } // Invalid domain, operation only valid for current domain
} }
} catch (ex) { err = 'Validation exception: ' + ex; } } catch (ex) { err = 'Validation exception: ' + ex; }
@ -1953,7 +1938,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; } if (command.meshid.indexOf('/') == -1) { command.meshid = 'mesh/' + domain.id + '/' + command.meshid; }
mesh = parent.meshes[command.meshid]; mesh = parent.meshes[command.meshid];
if (mesh == null) { err = "Unknown device group"; } if (mesh == null) { err = "Unknown device group"; }
else if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 2) == 0)) { err = "Permission denied"; } else if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_MANAGEUSERS) == 0) { err = "Permission denied"; }
else if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = "Invalid domain"; } // Invalid domain, operation only valid for current domain else if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) { err = "Invalid domain"; } // Invalid domain, operation only valid for current domain
} }
} catch (ex) { err = "Validation exception: " + ex; } } catch (ex) { err = "Validation exception: " + ex; }
@ -2014,7 +1999,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
change = ''; change = '';
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if ((mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 1) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_EDITMESH) == 0) return;
if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) return; // Invalid domain, operation only valid for current domain if ((command.meshid.split('/').length != 3) || (command.meshid.split('/')[1] != domain.id)) return; // Invalid domain, operation only valid for current domain
// TODO: Check if this is a change from the existing policy // TODO: Check if this is a change from the existing policy
@ -2064,7 +2049,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (mesh.mtype != 1) return; // This operation is only allowed for mesh type 1, Intel AMT agentless mesh. if (mesh.mtype != 1) return; // This operation is only allowed for mesh type 1, Intel AMT agentless mesh.
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 4) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_MANAGECOMPUTERS) == 0) return;
// Create a new nodeid // Create a new nodeid
parent.crypto.randomBytes(48, function (err, buf) { parent.crypto.randomBytes(48, function (err, buf) {
@ -2110,9 +2095,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
try { if (parent.meshes[node.meshid].mtype != parent.meshes[command.meshid].mtype) return; } catch (e) { return; }; try { if (parent.meshes[node.meshid].mtype != parent.meshes[command.meshid].mtype) return; } catch (e) { return; };
// Make sure that we have rights on both source and destination mesh // Make sure that we have rights on both source and destination mesh
const sourceMeshRights = user.links[node.meshid].rights; const sourceMeshRights = parent.GetMeshRights(user, node.meshid);
const targetMeshRights = user.links[command.meshid].rights; const targetMeshRights = parent.GetMeshRights(user, command.meshid);
if (((sourceMeshRights & 4) == 0) || ((targetMeshRights & 4) == 0)) return; if (((sourceMeshRights & MESHRIGHT_MANAGECOMPUTERS) == 0) || ((targetMeshRights & MESHRIGHT_MANAGECOMPUTERS) == 0)) return;
// Perform the switch, start by saving the node with the new meshid. // Perform the switch, start by saving the node with the new meshid.
const oldMeshId = node.meshid; const oldMeshId = node.meshid;
@ -2169,7 +2154,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 4) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_MANAGECOMPUTERS) == 0) return;
// Delete this node including network interface information, events and timeline // Delete this node including network interface information, events and timeline
db.Remove(node._id); // Remove node with that id db.Remove(node._id); // Remove node with that id
@ -2224,7 +2209,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & 64) != 0)) { if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_WAKEDEVICE) != 0) {
// If this device is connected on MQTT, send a wake action. // If this device is connected on MQTT, send a wake action.
if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(node._id, 'powerAction', 'wake'); } if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(node._id, 'powerAction', 'wake'); }
@ -2241,7 +2226,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Get the list of mesh this user as access to // Get the list of mesh this user as access to
var targetMeshes = []; var targetMeshes = [];
for (i in user.links) { targetMeshes.push(i); } for (i in user.links) { targetMeshes.push(i); } // TODO: Include used security groups!!
// Go thru all the connected agents and send wake-on-lan on all the ones in the target mesh list // Go thru all the connected agents and send wake-on-lan on all the ones in the target mesh list
for (i in parent.wsagents) { for (i in parent.wsagents) {
@ -2281,7 +2266,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & MESHRIGHT_UNINSTALL) != 0)) { if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_UNINSTALL) != 0) {
// Send uninstall command to connected agent // Send uninstall command to connected agent
var agent = parent.wsagents[node._id]; var agent = parent.wsagents[node._id];
if (agent != null) { if (agent != null) {
@ -2317,8 +2302,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(nodeid, 'powerAction', ['', '', 'poweroff', 'reset', 'sleep'][command.actiontype]); } if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(nodeid, 'powerAction', ['', '', 'poweroff', 'reset', 'sleep'][command.actiontype]); }
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & 8) != 0)) { // "Remote Control permission" if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_REMOTECONTROL) != 0) { // "Remote Control permission"
// Get this device // Get this device
var agent = parent.wsagents[node._id]; var agent = parent.wsagents[node._id];
if (agent != null) { if (agent != null) {
@ -2354,7 +2338,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & MESHRIGHT_CHATNOTIFY) != 0)) { if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_CHATNOTIFY) != 0) {
// Get this device // Get this device
var agent = parent.wsagents[node._id]; var agent = parent.wsagents[node._id];
if (agent != null) { if (agent != null) {
@ -2383,7 +2367,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || (mesh.links[user._id].rights == 0)) { try { ws.send(JSON.stringify({ action: 'getnetworkinfo', nodeid: command.nodeid, netif: null })); } catch (ex) { } return; } if (parent.GetMeshRights(user, mesh) == 0) { try { ws.send(JSON.stringify({ action: 'getnetworkinfo', nodeid: command.nodeid, netif: null })); } catch (ex) { } return; }
// Get network information about this node // Get network information about this node
db.Get('if' + command.nodeid, function (err, netinfos) { db.Get('if' + command.nodeid, function (err, netinfos) {
@ -2411,7 +2395,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 4) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_MANAGECOMPUTERS) == 0) return;
// Ready the node change event // Ready the node change event
var changes = [], event = { etype: 'node', userid: user._id, username: user.name, action: 'changenode', nodeid: node._id, domain: domain.id }; var changes = [], event = { etype: 'node', userid: user._id, username: user.name, action: 'changenode', nodeid: node._id, domain: domain.id };
@ -2477,7 +2461,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || (((mesh.links[user._id].rights & 16) == 0) && (user.siteadmin != 0xFFFFFFFF))) { return; } if (((parent.GetMeshRights(user, mesh) & MESHRIGHT_AGENTCONSOLE) == 0) && (user.siteadmin != 0xFFFFFFFF)) { return; }
if (command.type == 'default') { if (command.type == 'default') {
// Send the default core to the agent // Send the default core to the agent
@ -2518,7 +2502,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || (((mesh.links[user._id].rights & 16) == 0) && (user.siteadmin != 0xFFFFFFFF))) return; if (((parent.GetMeshRights(user, mesh) & MESHRIGHT_AGENTCONSOLE) == 0) && (user.siteadmin != 0xFFFFFFFF)) return;
// Force mesh agent disconnection // Force mesh agent disconnection
parent.forceMeshAgentDisconnect(user, domain, command.nodeid, command.disconnectMode); parent.forceMeshAgentDisconnect(user, domain, command.nodeid, command.disconnectMode);
@ -2539,8 +2523,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (common.validateString(command.nodeid, 1, 1024) == false) break; // Check nodeid if (common.validateString(command.nodeid, 1, 1024) == false) break; // Check nodeid
db.Get(command.nodeid, function (err, nodes) { // TODO: Make a NodeRights(user) method that also does not do a db call if agent is connected (???) db.Get(command.nodeid, function (err, nodes) { // TODO: Make a NodeRights(user) method that also does not do a db call if agent is connected (???)
if ((nodes == null) || (nodes.length == 1)) { if ((nodes == null) || (nodes.length == 1)) {
meshlinks = user.links[nodes[0].meshid]; if ((parent.GetMeshRights(user, nodes[0].meshid) & MESHRIGHT_REMOTECONTROL) != 0) {
if ((meshlinks) && (meshlinks.rights) && ((meshlinks.rights & MESHRIGHT_REMOTECONTROL) != 0)) {
// Add a user authentication cookie to a url // Add a user authentication cookie to a url
var cookieContent = { userid: user._id, domainid: user.domain }; var cookieContent = { userid: user._id, domainid: user.domain };
if (command.nodeid) { cookieContent.nodeid = command.nodeid; } if (command.nodeid) { cookieContent.nodeid = command.nodeid; }
@ -2569,7 +2552,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[command.meshid]; mesh = parent.meshes[command.meshid];
if (mesh == null) { err = 'Unknown device group'; } // Check if the group exists if (mesh == null) { err = 'Unknown device group'; } // Check if the group exists
else if (mesh.mtype != 2) { err = 'Invalid group type'; } // Check if this is the correct group type else if (mesh.mtype != 2) { err = 'Invalid group type'; } // Check if this is the correct group type
else if (mesh.links[user._id] == null) { err = 'Not allowed'; } // Check if this user has rights to do this else if (parent.GetMeshRights(user, mesh) == 0) { err = 'Not allowed'; } // Check if this user has rights to do this
} }
} }
} catch (ex) { err = 'Validation exception: ' + ex; } } catch (ex) { err = 'Validation exception: ' + ex; }
@ -2600,8 +2583,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Check if this user has rights on this id to set notes // Check if this user has rights on this id to set notes
db.Get(command.nodeid, function (err, nodes) { db.Get(command.nodeid, function (err, nodes) {
if ((nodes == null) || (nodes.length == 1)) { if ((nodes == null) || (nodes.length == 1)) {
meshlinks = user.links[nodes[0].meshid]; if (parent.GetMeshRights(user, nodes[0].meshid) != 0) {
if ((meshlinks) && (meshlinks.rights) && (meshlinks.rights != 0)) {
// Add an event for this device // Add an event for this device
var targets = ['*', 'server-users', user._id, nodes[0].meshid]; var targets = ['*', 'server-users', user._id, nodes[0].meshid];
var event = { etype: 'node', userid: user._id, username: user.name, nodeid: nodes[0]._id, action: 'manual', msg: decodeURIComponent(command.msg), domain: domain.id }; var event = { etype: 'node', userid: user._id, username: user.name, nodeid: nodes[0]._id, action: 'manual', msg: decodeURIComponent(command.msg), domain: domain.id };
@ -2625,8 +2607,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Check if this user has rights on this id to set notes // Check if this user has rights on this id to set notes
db.Get(command.id, function (err, nodes) { // TODO: Make a NodeRights(user) method that also does not do a db call if agent is connected (???) db.Get(command.id, function (err, nodes) { // TODO: Make a NodeRights(user) method that also does not do a db call if agent is connected (???)
if ((nodes == null) || (nodes.length == 1)) { if ((nodes == null) || (nodes.length == 1)) {
meshlinks = user.links[nodes[0].meshid]; if ((parent.GetMeshRights(user, nodes[0].meshid) & MESHRIGHT_SETNOTES) != 0) {
if ((meshlinks) && (meshlinks.rights) && ((meshlinks.rights & MESHRIGHT_SETNOTES) != 0)) {
// Set the id's notes // Set the id's notes
if (common.validateString(command.notes, 1) == false) { if (common.validateString(command.notes, 1) == false) {
db.Remove('nt' + command.id); // Delete the note for this node db.Remove('nt' + command.id); // Delete the note for this node
@ -2641,7 +2622,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[command.id]; mesh = parent.meshes[command.id];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if ((mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 1) == 0)) { return; } // Must have rights to edit the mesh if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_EDITMESH) == 0) return; // Must have rights to edit the mesh
// Set the id's notes // Set the id's notes
if (common.validateString(command.notes, 1) == false) { if (common.validateString(command.notes, 1) == false) {
@ -2921,7 +2902,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has "remote" rights to do this // Check if this user has "remote" rights to do this
if ((mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 16) == 0)) return; var meshrights = parent.GetMeshRights(user, mesh);
if ((meshrights & MESHRIGHT_AGENTCONSOLE) == 0) return;
// Ask for clipboard data from agent // Ask for clipboard data from agent
var agent = parent.wsagents[node._id]; var agent = parent.wsagents[node._id];
@ -2943,7 +2925,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has "remote" rights to do this // Check if this user has "remote" rights to do this
if ((mesh.links[user._id] == null) || ((mesh.links[user._id].rights & 16) == 0)) return; if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_AGENTCONSOLE) == 0) return;
// Send clipboard data to the agent // Send clipboard data to the agent
var agent = parent.wsagents[node._id]; var agent = parent.wsagents[node._id];
@ -2978,7 +2960,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || (mesh.links[user._id].rights == 0)) { return; } if (parent.GetMeshRights(user, mesh) == 0) return;
// Get the notes about this node // Get the notes about this node
db.Get('nt' + command.id, function (err, notes) { db.Get('nt' + command.id, function (err, notes) {
@ -2994,7 +2976,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[command.id]; mesh = parent.meshes[command.id];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] == null || ((mesh.links[user._id].rights & 1) == 0)) { return; } // Must have rights to edit the mesh if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_EDITMESH) == 0) return; // Must have rights to edit the mesh
// Get the notes about this node // Get the notes about this node
db.Get('nt' + command.id, function (err, notes) { db.Get('nt' + command.id, function (err, notes) {
@ -3082,7 +3064,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
mesh = parent.meshes[node.meshid]; mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & 64) != 0)) { if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_WAKEDEVICE) != 0) {
// If this device is connected on MQTT, send a wake action. // If this device is connected on MQTT, send a wake action.
if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(node._id, command.topic, command.msg); } if (parent.parent.mqttbroker != null) { parent.parent.mqttbroker.publish(node._id, command.topic, command.msg); }
} }
@ -3112,7 +3094,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var mesh = parent.meshes[node.meshid]; var mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if ((mesh.links[user._id] != null) && (mesh.links[user._id].rights == 0xFFFFFFFF)) { if ((parent.GetMeshRights(user, mesh) == 0xFFFFFFFF)) {
var token = parent.parent.mqttbroker.generateLogin(mesh._id, node._id); var token = parent.parent.mqttbroker.generateLogin(mesh._id, node._id);
var r = { action: 'getmqttlogin', responseid: command.responseid, nodeid: node._id, user: token.user, pass: token.pass }; var r = { action: 'getmqttlogin', responseid: command.responseid, nodeid: node._id, user: token.user, pass: token.pass };
const serverName = parent.getWebServerName(domain); const serverName = parent.getWebServerName(domain);
@ -3165,7 +3147,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var mesh = parent.meshes[node.meshid]; var mesh = parent.meshes[node.meshid];
if (mesh) { if (mesh) {
// Check if this user has rights to do this // Check if this user has rights to do this
if (mesh.links[user._id] != null && ((mesh.links[user._id].rights & 8) != 0)) { // "Remote Control permission" if ((parent.GetMeshRights(user, mesh) & MESHRIGHT_REMOTECONTROL) != 0) { // "Remote Control permission"
handleAmtCommand(command, node); handleAmtCommand(command, node);
} }
} }
@ -3333,7 +3315,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
try { files.filetree.f[user._id].f = readFilesRec(parent.path.join(parent.filespath, domainx + "/user-" + usersplit[2])); } catch (e) { } try { files.filetree.f[user._id].f = readFilesRec(parent.path.join(parent.filespath, domainx + "/user-" + usersplit[2])); } catch (e) { }
} }
// Add files for each mesh // Add files for each mesh // TODO: Get all meshes including groups!!
for (var i in user.links) { for (var i in user.links) {
if ((user.links[i].rights & 32) != 0) { // Check that we have file permissions if ((user.links[i].rights & 32) != 0) { // Check that we have file permissions
var mesh = parent.meshes[i]; var mesh = parent.meshes[i];

View File

@ -11,7 +11,7 @@
/*jshint strict:false */ /*jshint strict:false */
/*jshint -W097 */ /*jshint -W097 */
/*jshint esversion: 6 */ /*jshint esversion: 6 */
"use strict"; 'use strict';
/* /*
class SerialTunnel extends require('stream').Duplex { class SerialTunnel extends require('stream').Duplex {
@ -63,7 +63,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
const constants = (obj.crypto.constants ? obj.crypto.constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead. const constants = (obj.crypto.constants ? obj.crypto.constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead.
// Setup WebAuthn / FIDO2 // Setup WebAuthn / FIDO2
obj.webauthn = require("./webauthn.js").CreateWebAuthnModule(); obj.webauthn = require('./webauthn.js').CreateWebAuthnModule();
// Variables // Variables
obj.parent = parent; obj.parent = parent;
@ -75,11 +75,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.tcpServer = null; obj.tcpServer = null;
obj.certificates = certificates; obj.certificates = certificates;
obj.args = args; obj.args = args;
obj.users = {}; obj.users = {}; // UserID --> User
obj.meshes = {}; obj.meshes = {}; // MeshID --> Mesh (also called device group)
obj.userAllowedIp = args.userallowedip; // List of allowed IP addresses for users obj.userAllowedIp = args.userallowedip; // List of allowed IP addresses for users
obj.agentAllowedIp = args.agentallowedip; // List of allowed IP addresses for agents obj.agentAllowedIp = args.agentallowedip; // List of allowed IP addresses for agents
obj.agentBlockedIp = args.agentblockedip; // List of blocked IP addresses for agents obj.agentBlockedIp = args.agentblockedip; // List of blocked IP addresses for agents
obj.tlsSniCredentials = null; obj.tlsSniCredentials = null;
obj.dnsDomains = {}; obj.dnsDomains = {};
obj.relaySessionCount = 0; obj.relaySessionCount = 0;
@ -196,7 +196,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
} }
function EscapeHtml(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; } function EscapeHtml(x) { if (typeof x == 'string') return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'); if (typeof x == 'boolean') return x; if (typeof x == 'number') return x; }
//function EscapeHtmlBreaks(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;').replace(/\r/g, '<br />').replace(/\n/g, '').replace(/\t/g, '&nbsp;&nbsp;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; } //function EscapeHtmlBreaks(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;').replace(/\r/g, '<br />').replace(/\n/g, '').replace(/\t/g, '&nbsp;&nbsp;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; }
// Fetch all users from the database, keep this in memory // Fetch all users from the database, keep this in memory
obj.db.GetAllType('user', function (err, docs) { obj.db.GetAllType('user', function (err, docs) {
@ -506,7 +506,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msg: 'Account logout', domain: domain.id }); } if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msg: 'Account logout', domain: domain.id }); }
} }
req.session = null; req.session = null;
if (req.query.key != null) { res.redirect(domain.url + "?key=" + req.query.key); } else { res.redirect(domain.url); } if (req.query.key != null) { res.redirect(domain.url + '?key=' + req.query.key); } else { res.redirect(domain.url); }
parent.debug('web', 'handleLogoutRequest: success.'); parent.debug('web', 'handleLogoutRequest: success.');
} }
@ -1756,9 +1756,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Returns the server root certificate encoded in base64 // Returns the server root certificate encoded in base64
function getRootCertBase64() { function getRootCertBase64() {
var rootcert = obj.certificates.root.cert; var rootcert = obj.certificates.root.cert;
var i = rootcert.indexOf("-----BEGIN CERTIFICATE-----\r\n"); var i = rootcert.indexOf('-----BEGIN CERTIFICATE-----\r\n');
if (i >= 0) { rootcert = rootcert.substring(i + 29); } if (i >= 0) { rootcert = rootcert.substring(i + 29); }
i = rootcert.indexOf("-----END CERTIFICATE-----"); i = rootcert.indexOf('-----END CERTIFICATE-----');
if (i >= 0) { rootcert = rootcert.substring(i, 0); } if (i >= 0) { rootcert = rootcert.substring(i, 0); }
return Buffer.from(rootcert, 'base64').toString('base64'); return Buffer.from(rootcert, 'base64').toString('base64');
} }
@ -1899,7 +1899,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
var domainname = 'domain', spliturl = decodeURIComponent(req.path).split('/'), filename = ''; var domainname = 'domain', spliturl = decodeURIComponent(req.path).split('/'), filename = '';
if ((spliturl.length < 3) || (obj.common.IsFilenameValid(spliturl[2]) == false) || (domain.userQuota == -1)) { res.sendStatus(404); return; } if ((spliturl.length < 3) || (obj.common.IsFilenameValid(spliturl[2]) == false) || (domain.userQuota == -1)) { res.sendStatus(404); return; }
if (domain.id != '') { domainname = 'domain-' + domain.id; } if (domain.id != '') { domainname = 'domain-' + domain.id; }
var path = obj.path.join(obj.filespath, domainname + "/user-" + spliturl[2] + "/Public"); var path = obj.path.join(obj.filespath, domainname + '/user-' + spliturl[2] + '/Public');
for (var i = 3; i < spliturl.length; i++) { if (obj.common.IsFilenameValid(spliturl[i]) == true) { path += '/' + spliturl[i]; filename = spliturl[i]; } else { res.sendStatus(404); return; } } for (var i = 3; i < spliturl.length; i++) { if (obj.common.IsFilenameValid(spliturl[i]) == true) { path += '/' + spliturl[i]; filename = spliturl[i]; } else { res.sendStatus(404); return; } }
var stat = null; var stat = null;
@ -2046,7 +2046,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.handleDomainRedirect = function (req, res) { obj.handleDomainRedirect = function (req, res) {
const domain = checkUserIpAddress(req, res); const domain = checkUserIpAddress(req, res);
if ((domain == null) || (domain.redirects == null)) { res.sendStatus(404); return; } if ((domain == null) || (domain.redirects == null)) { res.sendStatus(404); return; }
var urlArgs = '', urlName = null, splitUrl = req.originalUrl.split("?"); var urlArgs = '', urlName = null, splitUrl = req.originalUrl.split('?');
if (splitUrl.length > 1) { urlArgs = '?' + splitUrl[1]; } if (splitUrl.length > 1) { urlArgs = '?' + splitUrl[1]; }
if ((splitUrl.length > 0) && (splitUrl[0].length > 1)) { urlName = splitUrl[0].substring(1).toLowerCase(); } if ((splitUrl.length > 0) && (splitUrl[0].length > 1)) { urlName = splitUrl[0].substring(1).toLowerCase(); }
if ((urlName == null) || (domain.redirects[urlName] == null) || (urlName[0] == '_')) { res.sendStatus(404); return; } if ((urlName == null) || (domain.redirects[urlName] == null) || (urlName[0] == '_')) { res.sendStatus(404); return; }
@ -2837,7 +2837,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
try { try {
if (req.headers.authorization) { if (req.headers.authorization) {
var authstr = req.headers.authorization; var authstr = req.headers.authorization;
if (authstr.substring(0, 7) == "Digest ") { if (authstr.substring(0, 7) == 'Digest ') {
var auth = obj.common.parseNameValueList(obj.common.quoteSplit(authstr.substring(7))); var auth = obj.common.parseNameValueList(obj.common.quoteSplit(authstr.substring(7)));
if ((req.url === auth.uri) && (obj.httpAuthRealm === auth.realm) && (auth.opaque === obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(auth.nonce).digest('hex'))) { if ((req.url === auth.uri) && (obj.httpAuthRealm === auth.realm) && (auth.opaque === obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(auth.nonce).digest('hex'))) {
@ -2858,10 +2858,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (nodes.length == 1) { if (nodes.length == 1) {
// Yes, the node exists, compute Intel AMT digest password // Yes, the node exists, compute Intel AMT digest password
var node = nodes[0]; var node = nodes[0];
var amtpass = obj.crypto.createHash('sha384').update(auth.username.toLowerCase() + ":" + nodeid + ":" + obj.parent.dbconfig.amtWsEventSecret).digest("base64").substring(0, 12).split("/").join("x").split("\\").join("x"); var amtpass = obj.crypto.createHash('sha384').update(auth.username.toLowerCase() + ':' + nodeid + ":" + obj.parent.dbconfig.amtWsEventSecret).digest('base64').substring(0, 12).split('/').join('x').split('\\').join('x');
// Check the MD5 hash // Check the MD5 hash
if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, "POST", auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) { if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, 'POST', auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) {
// This is an authenticated Intel AMT event, update the host address // This is an authenticated Intel AMT event, update the host address
var amthost = req.ip; var amthost = req.ip;
@ -3014,14 +3014,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly. // Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : ''; var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/"; if (xdomain != '') xdomain += '/';
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n"; var meshsettings = 'MeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; } if (obj.args.lanonly != true) { meshsettings += 'MeshServer=ws' + (obj.args.notls ? '' : 's') + '://' + obj.getWebServerName(domain) + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else { meshsettings += 'MeshServer=local\r\n'; }
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; } if (req.query.tag != null) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; } if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += 'InstallFlags=' + req.query.installflags + '\r\n'; }
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; } if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } } if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } } if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
try { try {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + meshfilename + '"' }); res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="' + meshfilename + '"' });
@ -3178,15 +3178,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly. // Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : ''; var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/"; if (xdomain != '') xdomain += '/';
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n"; var meshsettings = 'MeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; } if (obj.args.lanonly != true) { meshsettings += 'MeshServer=ws' + (obj.args.notls ? '' : 's') + '://' + obj.getWebServerName(domain) + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else { meshsettings += 'MeshServer=local\r\n'; }
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; } if (req.query.tag != null) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; } if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += 'InstallFlags=' + req.query.installflags + '\r\n'; }
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; } if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } } if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } } if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
// Setup the response output // Setup the response output
var archive = require('archiver')('zip', { level: 5 }); // Sets the compression method. var archive = require('archiver')('zip', { level: 5 }); // Sets the compression method.
@ -3201,11 +3201,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
archive.pipe(res); archive.pipe(res);
// Opens the "MeshAgentOSXPackager.zip" // Opens the "MeshAgentOSXPackager.zip"
var yauzl = require("yauzl"); var yauzl = require('yauzl');
yauzl.open(obj.path.join(__dirname, 'agents', 'MeshAgentOSXPackager.zip'), { lazyEntries: true }, function (err, zipfile) { yauzl.open(obj.path.join(__dirname, 'agents', 'MeshAgentOSXPackager.zip'), { lazyEntries: true }, function (err, zipfile) {
if (err) { res.sendStatus(500); return; } if (err) { res.sendStatus(500); return; }
zipfile.readEntry(); zipfile.readEntry();
zipfile.on("entry", function (entry) { zipfile.on('entry', function (entry) {
if (/\/$/.test(entry.fileName)) { if (/\/$/.test(entry.fileName)) {
// Skip all folder entries // Skip all folder entries
zipfile.readEntry(); zipfile.readEntry();
@ -3213,8 +3213,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (entry.fileName == 'MeshAgent.mpkg/Contents/distribution.dist') { if (entry.fileName == 'MeshAgent.mpkg/Contents/distribution.dist') {
// This is a special file entry, we need to fix it. // This is a special file entry, we need to fix it.
zipfile.openReadStream(entry, function (err, readStream) { zipfile.openReadStream(entry, function (err, readStream) {
readStream.on("data", function (data) { if (readStream.xxdata) { readStream.xxdata += data; } else { readStream.xxdata = data; } }); readStream.on('data', function (data) { if (readStream.xxdata) { readStream.xxdata += data; } else { readStream.xxdata = data; } });
readStream.on("end", function () { readStream.on('end', function () {
var meshname = mesh.name.split(']').join('').split('[').join(''); // We can't have ']]' in the string since it will terminate the CDATA. var meshname = mesh.name.split(']').join('').split('[').join(''); // We can't have ']]' in the string since it will terminate the CDATA.
var welcomemsg = 'Welcome to the MeshCentral agent for MacOS\n\nThis installer will install the mesh agent for "' + meshname + '" and allow the administrator to remotely monitor and control this computer over the internet. For more information, go to https://www.meshcommander.com/meshcentral2.\n\nThis software is provided under Apache 2.0 license.\n'; var welcomemsg = 'Welcome to the MeshCentral agent for MacOS\n\nThis installer will install the mesh agent for "' + meshname + '" and allow the administrator to remotely monitor and control this computer over the internet. For more information, go to https://www.meshcommander.com/meshcentral2.\n\nThis software is provided under Apache 2.0 license.\n';
var installsize = Math.floor((argentInfo.size + meshsettings.length) / 1024); var installsize = Math.floor((argentInfo.size + meshsettings.length) / 1024);
@ -3234,9 +3234,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
} }
}); });
zipfile.on("end", function () { zipfile.on('end', function () {
archive.file(argentInfo.path, { name: "MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.bin" }); archive.file(argentInfo.path, { name: 'MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.bin' });
archive.append(meshsettings, { name: "MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.msh" }); archive.append(meshsettings, { name: 'MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.msh' });
archive.finalize(); archive.finalize();
}); });
}); });
@ -3267,15 +3267,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly. // Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : ''; var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += "/"; if (xdomain != '') xdomain += '/';
var meshsettings = "MeshName=" + mesh.name + "\r\nMeshType=" + mesh.mtype + "\r\nMeshID=0x" + meshidhex + "\r\nServerID=" + serveridhex + "\r\n"; var meshsettings = 'MeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
if (obj.args.lanonly != true) { meshsettings += "MeshServer=ws" + (obj.args.notls ? '' : 's') + "://" + obj.getWebServerName(domain) + ":" + httpsPort + "/" + xdomain + "agent.ashx\r\n"; } else { meshsettings += "MeshServer=local\r\n"; } if (obj.args.lanonly != true) { meshsettings += 'MeshServer=ws' + (obj.args.notls ? '' : 's') + '://' + obj.getWebServerName(domain) + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else { meshsettings += 'MeshServer=local\r\n'; }
if (req.query.tag != null) { meshsettings += "Tag=" + req.query.tag + "\r\n"; } if (req.query.tag != null) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += "InstallFlags=" + req.query.installflags + "\r\n"; } if ((req.query.installflags != null) && (req.query.installflags != 0)) { meshsettings += 'InstallFlags=' + req.query.installflags + '\r\n'; }
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += "ignoreProxyFile=1\r\n"; } if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + "\r\n"; } } if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + "\r\n"; } } if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshagent.msh"' }); res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="meshagent.msh"' });
res.send(meshsettings); res.send(meshsettings);
@ -3907,6 +3907,46 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
}; };
// Returns a list of all meshes that this user has some rights too
obj.GetAllMeshWithRights = function (user, rights) {
if (typeof user == 'string') { user = obj.users[user]; }
if ((user == null) || (user.links == null)) { return []; }
var r = [];
for (var i in user.links) { const m = obj.meshes[i]; if ((m) && (m.deleted == null) && ((rights == null) || ((m.rights & rights) != 0))) { r.push(m); } }
return r;
}
// Returns a list of all mesh id's that this user has some rights too
obj.GetAllMeshIdWithRights = function (user, rights) {
if (typeof user == 'string') { user = obj.users[user]; }
if ((user == null) || (user.links == null)) { return []; }
var r = [];
for (var i in user.links) { const m = obj.meshes[i]; if ((m) && (m.deleted == null) && ((rights == null) || ((m.rights & rights) != 0))) { r.push(m._id); } }
return r;
}
// Get the right of a user on a given device group
obj.GetMeshRights = function (user, mesh) {
if ((user == null) || (mesh == null)) { return 0; }
if (typeof user == 'string') { user = obj.users[user]; }
if ((user == null) || (user.links == null)) { return 0; }
var r = 0;
if (typeof mesh == 'string') { r = user.links[mesh]; } else { r = user.links[mesh._id]; }
if (r == null) { return 0; }
return r.rights;
}
// Returns true if the user can view the given device group
obj.IsMeshViewable = function (user, mesh) {
if ((user == null) || (mesh == null)) { return false; }
if (typeof user == 'string') { user = obj.users[user]; }
if ((user == null) || (user.links == null)) { return false; }
var r = 0;
if (typeof mesh == 'string') { r = user.links[mesh]; } else { r = user.links[mesh._id]; }
if (r == null) { return false; }
return true;
}
// Clone a safe version of a user object, remove everything that is secret. // Clone a safe version of a user object, remove everything that is secret.
obj.CloneSafeUser = function (user) { obj.CloneSafeUser = function (user) {
if (typeof user != 'object') { return user; } if (typeof user != 'object') { return user; }