From 15d8f4b027d27f77a01e85f51cad820648df3f8d Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 10 Sep 2021 13:04:10 -0700 Subject: [PATCH] Added loginkey support to meshctrl.js, #3115 --- meshcentral.js | 1 + meshctrl.js | 13 +++++++------ webserver.js | 7 +++++-- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/meshcentral.js b/meshcentral.js index d2da0091..2060958b 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -2767,6 +2767,7 @@ function CreateMeshCentralServer(config, args) { if ((docs.length > 0) && (docs[0].key != null) && (obj.args.logintokengen == null) && (docs[0].key.length >= 160)) { // Key is present, use it. obj.loginCookieEncryptionKey = Buffer.from(docs[0].key, 'hex'); + console.log('obj.loginCookieEncryptionKey', obj.loginCookieEncryptionKey); func(obj.encodeCookie({ u: userid, a: 3 }, obj.loginCookieEncryptionKey)); } else { // Key is not present, generate one. diff --git a/meshctrl.js b/meshctrl.js index a070cef0..33183fd0 100644 --- a/meshctrl.js +++ b/meshctrl.js @@ -968,7 +968,7 @@ function displayConfigHelp() { } function performConfigOperations(args) { - var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide', 'loginkey']; + var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide']; var domainObjectValues = [ 'ldapoptions', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording' ]; var domainArrayValues = [ 'newaccountemaildomains', 'newaccountsrights', 'loginkey', 'agentconfig' ]; var configChange = false; @@ -1111,19 +1111,19 @@ function serverConnect() { } // Cookie authentication - var ckey = null; + var ckey = null, loginCookie = null; if (args.loginkey != null) { // User key passed in a argument hex - if (args.loginkey.length != 160) { console.log("Invalid login key."); process.exit(); return; } + if (args.loginkey.length != 160) { loginCookie = args.loginkey; } ckey = Buffer.from(args.loginkey, 'hex'); - if (ckey != 80) { console.log("Invalid login key."); process.exit(); return; } + if (ckey != 80) { ckey = null; loginCookie = args.loginkey; } } else if (args.loginkeyfile != null) { // Load key from hex file var fs = require('fs'); try { var keydata = fs.readFileSync(args.loginkeyfile, 'utf8').split(' ').join('').split('\r').join('').split('\n').join(''); ckey = Buffer.from(keydata, 'hex'); - if (ckey.length != 80) { console.log("Invalid login key file."); process.exit(); return; } + if (ckey.length != 80) { ckey = null; loginCookie = args.loginkey; } } catch (ex) { console.log(ex.message); process.exit(); return; } } @@ -1135,10 +1135,11 @@ function serverConnect() { url += '?auth=' + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey); } else { if (args.logindomain != null) { console.log("--logindomain can only be used along with --loginkey."); process.exit(); return; } + if (loginCookie != null) { url += '?auth=' + loginCookie; } } const ws = new WebSocket(url, options); - //console.log('Connecting to ' + url); + console.log('Connecting to ' + url); ws.on('open', function open() { //console.log('Connected.'); diff --git a/webserver.js b/webserver.js index 281e7177..5ca9b405 100644 --- a/webserver.js +++ b/webserver.js @@ -6473,9 +6473,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { parent.debug('web', 'ERR: Invalid cookie IP address, got \"' + cookie.ip + '\", expected \"' + cleanRemoteAddr(req.clientIp) + '\".'); cookie = null; } - if ((cookie != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id)) { - // Valid cookie, we are authenticated + if ((cookie != null) && (cookie.userid != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id) && (cookie.userid.split('/')[1] == domain.id)) { + // Valid cookie, we are authenticated. Cookie of format { userid: 'user//name', domain: '' } func(ws, req, domain, obj.users[cookie.userid], cookie); + } else if ((cookie != null) && (cookie.a === 3) && (typeof cookie.u == 'string') && (obj.users[cookie.u]) && (cookie.u.split('/')[1] == domain.id)) { + // Valid cookie, we are authenticated. Cookie of format { u: 'user//name', a: 3 } + func(ws, req, domain, obj.users[cookie.u], cookie); } else { // This is a bad cookie, keep going anyway, maybe we have a active session that will save us. if ((cookie != null) && (cookie.domainid != domain.id)) { parent.debug('web', 'ERR: Invalid domain, got \"' + cookie.domainid + '\", expected \"' + domain.id + '\".'); }