292 lines
9.5 KiB
JavaScript
292 lines
9.5 KiB
JavaScript
/* eslint-disable complexity */
|
|
/* eslint no-unused-expressions: ["error", { "allowShortCircuit": true, "allowTernary": true }],
|
|
no-console: ["error", { allow: ["warn", "error"] }] */
|
|
/* jshint esversion: 6, asi: true, node: true */
|
|
// socket.js
|
|
|
|
// private
|
|
const debug = require('debug');
|
|
const SSH = require('ssh2').Client;
|
|
const CIDRMatcher = require('cidr-matcher');
|
|
const validator = require('validator');
|
|
const dnsPromises = require('dns').promises;
|
|
const util = require('util');
|
|
const { webssh2debug, auditLog, logError } = require('./logging');
|
|
|
|
/**
|
|
* parse conn errors
|
|
* @param {object} socket Socket object
|
|
* @param {object} err Error object
|
|
*/
|
|
function connError(socket, err) {
|
|
let msg = util.inspect(err);
|
|
const { session } = socket.request;
|
|
if (err?.level === 'client-authentication') {
|
|
msg = `Authentication failure user=${session.username} from=${socket.handshake.address}`;
|
|
socket.emit('allowreauth', session.ssh.allowreauth);
|
|
socket.emit('reauth');
|
|
}
|
|
if (err?.code === 'ENOTFOUND') {
|
|
msg = `Host not found: ${err.hostname}`;
|
|
}
|
|
if (err?.level === 'client-timeout') {
|
|
msg = `Connection Timeout: ${session.ssh.host}`;
|
|
}
|
|
logError(socket, 'CONN ERROR', msg);
|
|
}
|
|
|
|
/**
|
|
* check ssh host is in allowed subnet
|
|
* @param {object} socket Socket information
|
|
*/
|
|
async function checkSubnet(socket) {
|
|
let ipaddress = socket.request.session.ssh.host;
|
|
if (!validator.isIP(`${ipaddress}`)) {
|
|
try {
|
|
const result = await dnsPromises.lookup(socket.request.session.ssh.host);
|
|
ipaddress = result.address;
|
|
} catch (err) {
|
|
logError(
|
|
socket,
|
|
'CHECK SUBNET',
|
|
`${err.code}: ${err.hostname} user=${socket.request.session.username} from=${socket.handshake.address}`
|
|
);
|
|
socket.emit('ssherror', '404 HOST IP NOT FOUND');
|
|
socket.disconnect(true);
|
|
return;
|
|
}
|
|
}
|
|
|
|
const matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets);
|
|
if (!matcher.contains(ipaddress)) {
|
|
logError(
|
|
socket,
|
|
'CHECK SUBNET',
|
|
`Requested host ${ipaddress} outside configured subnets / REJECTED user=${socket.request.session.username} from=${socket.handshake.address}`
|
|
);
|
|
socket.emit('ssherror', '401 UNAUTHORIZED');
|
|
socket.disconnect(true);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @type {Map<string, {
|
|
conn: SSH;
|
|
isLogin: () => boolean;
|
|
changeSocket: (newSocket: any) => void;
|
|
}>}
|
|
*/
|
|
const sshMap = new Map();
|
|
|
|
/**
|
|
*
|
|
* @param {import ("socket.io-client").Socket} socket
|
|
* @returns
|
|
*/
|
|
function setupNewConnection(socket) {
|
|
const conn = new SSH();
|
|
let login = false;
|
|
let stream;
|
|
|
|
conn.on('banner', (data) => {
|
|
// need to convert to cr/lf for proper formatting
|
|
socket.emit('data', data.replace(/\r?\n/g, '\r\n').toString('utf-8'));
|
|
});
|
|
|
|
function handshake() {
|
|
socket.emit('setTerminalOpts', socket.request.session.ssh.terminal);
|
|
socket.emit('menu');
|
|
socket.emit('allowreauth', socket.request.session.ssh.allowreauth);
|
|
socket.emit('title', `ssh://${socket.request.session.ssh.host}`);
|
|
if (socket.request.session.ssh.header.background)
|
|
socket.emit('headerBackground', socket.request.session.ssh.header.background);
|
|
if (socket.request.session.ssh.header.name)
|
|
socket.emit('header', socket.request.session.ssh.header.name);
|
|
socket.emit(
|
|
'footer',
|
|
`ssh://${socket.request.session.username}@${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
|
|
);
|
|
|
|
socket.emit('status', 'SSH CONNECTION ESTABLISHED');
|
|
socket.emit('statusBackground', 'green');
|
|
socket.emit('allowreplay', socket.request.session.ssh.allowreplay);
|
|
|
|
socket.on('control', (controlData) => {
|
|
if (!stream) return;
|
|
if (controlData === 'replayCredentials' && socket.request.session.ssh.allowreplay) {
|
|
stream.write(`${socket.request.session.userpassword}\n`);
|
|
}
|
|
if (controlData === 'reauth' && socket.request.session.username && login === true) {
|
|
auditLog(
|
|
socket,
|
|
`LOGOUT user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
|
|
);
|
|
login = false;
|
|
socket.disconnect(true);
|
|
conn.end()
|
|
}
|
|
webssh2debug(socket, `SOCKET CONTROL: ${controlData}`);
|
|
});
|
|
socket.on('resize', (data) => {
|
|
if (!stream) return;
|
|
stream.setWindow(data.rows, data.cols);
|
|
webssh2debug(socket, `SOCKET RESIZE: ${JSON.stringify([data.rows, data.cols])}`);
|
|
});
|
|
socket.on('data', (data) => {
|
|
if (!stream) return;
|
|
stream.write(data);
|
|
});
|
|
}
|
|
conn.on('handshake', handshake);
|
|
|
|
conn.on('ready', () => {
|
|
webssh2debug(
|
|
socket,
|
|
`CONN READY: LOGIN: user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host} port=${socket.request.session.ssh.port} allowreplay=${socket.request.session.ssh.allowreplay} term=${socket.request.session.ssh.term}`
|
|
);
|
|
auditLog(
|
|
socket,
|
|
`LOGIN user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
|
|
);
|
|
login = true;
|
|
const { term, cols, rows } = socket.request.session.ssh;
|
|
conn.shell({ term, cols, rows }, (err, s) => {
|
|
if (err) {
|
|
logError(socket, `EXEC ERROR`, err);
|
|
conn.end();
|
|
socket.disconnect(true);
|
|
return;
|
|
}
|
|
socket.once('disconnect', (reason) => {
|
|
webssh2debug(socket, `CLIENT SOCKET DISCONNECT: ${util.inspect(reason)}`);
|
|
});
|
|
socket.on('error', (errMsg) => {
|
|
if (!socket) return;
|
|
webssh2debug(socket, `SOCKET ERROR: ${errMsg}`);
|
|
logError(socket, 'SOCKET ERROR', errMsg);
|
|
conn.end();
|
|
login = false;
|
|
socket.disconnect(true);
|
|
});
|
|
stream = s;
|
|
stream.on('data', (data) => {
|
|
if (!socket) return;
|
|
socket.emit('data', data.toString('utf-8'));
|
|
});
|
|
stream.on('close', (code, signal) => {
|
|
if (!socket) return;
|
|
webssh2debug(socket, `STREAM CLOSE: ${util.inspect([code, signal])}`);
|
|
if (socket.request.session?.username) {
|
|
auditLog(
|
|
socket,
|
|
`LOGOUT user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
|
|
);
|
|
}
|
|
if (code !== 0 && typeof code !== 'undefined')
|
|
logError(socket, 'STREAM CLOSE', util.inspect({ message: [code, signal] }));
|
|
socket.disconnect(true);
|
|
});
|
|
stream.stderr.on('data', (data) => {
|
|
console.error(`STDERR: ${data}`);
|
|
});
|
|
});
|
|
});
|
|
|
|
conn.on('end', (err) => {
|
|
if (err) logError(socket, 'CONN END BY HOST', err);
|
|
webssh2debug(socket, 'CONN END BY HOST');
|
|
socket.disconnect(true);
|
|
});
|
|
conn.on('close', (err) => {
|
|
if (err) logError(socket, 'CONN CLOSE', err);
|
|
webssh2debug(socket, 'CONN CLOSE');
|
|
socket.disconnect(true);
|
|
});
|
|
conn.on('error', (err) => connError(socket, err));
|
|
|
|
conn.on('keyboard-interactive', (_name, _instructions, _instructionsLang, _prompts, finish) => {
|
|
webssh2debug(socket, 'CONN keyboard-interactive');
|
|
finish([socket.request.session.userpassword]);
|
|
});
|
|
|
|
return {
|
|
conn, isLogin: () => login, changeSocket: (newSocket) => {
|
|
if (!socket.disconnected) {
|
|
socket.disconnect();
|
|
}
|
|
socket = newSocket;
|
|
|
|
// to display after resuming connection
|
|
if (login && stream) {
|
|
handshake();
|
|
stream.write("\n");
|
|
}
|
|
}
|
|
};
|
|
}
|
|
|
|
// public
|
|
module.exports = function appSocket(socket) {
|
|
let login = false;
|
|
|
|
socket.once('disconnecting', (reason) => {
|
|
webssh2debug(socket, `SOCKET DISCONNECTING: ${reason}`);
|
|
if (login === true) {
|
|
auditLog(
|
|
socket,
|
|
`LOGOUT user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
|
|
);
|
|
login = false;
|
|
}
|
|
});
|
|
|
|
// if websocket connection arrives without an express session, kill it
|
|
if (!socket.request.session) {
|
|
socket.emit('401 UNAUTHORIZED');
|
|
webssh2debug(socket, 'SOCKET: No Express Session / REJECTED');
|
|
socket.disconnect(true);
|
|
return;
|
|
}
|
|
|
|
if (
|
|
!socket.request.session.username ||
|
|
!(socket.request.session.userpassword || socket.request.session.privateKey) ||
|
|
!socket.request.session.ssh
|
|
) {
|
|
webssh2debug(
|
|
socket,
|
|
`CONN CONNECT: Attempt to connect without session.username/password or session varialbles defined, potentially previously abandoned client session. disconnecting websocket client.\r\nHandshake information: \r\n ${util.inspect(
|
|
socket.handshake
|
|
)}`
|
|
);
|
|
socket.emit('ssherror', 'WEBSOCKET ERROR - Refresh the browser and try again');
|
|
socket.request.session.destroy();
|
|
socket.disconnect(true);
|
|
return;
|
|
}
|
|
|
|
// If configured, check that requsted host is in a permitted subnet
|
|
if (socket.request.session?.ssh?.allowedSubnets?.length > 0) {
|
|
checkSubnet(socket);
|
|
}
|
|
|
|
const mapKey = [socket.request.sessionID, socket.request.session.username, socket.request.session.ssh.host].join('/')
|
|
var connMap = sshMap.get(mapKey);
|
|
if (!connMap) {
|
|
connMap = setupNewConnection(socket);
|
|
sshMap.set(mapKey, connMap);
|
|
} else {
|
|
connMap.changeSocket(socket);
|
|
}
|
|
const { conn, isLogin } = connMap;
|
|
|
|
|
|
const { ssh } = socket.request.session;
|
|
ssh.username = socket.request.session.username;
|
|
ssh.password = socket.request.session.userpassword;
|
|
ssh.tryKeyboard = true;
|
|
ssh.debug = debug('ssh2');
|
|
if (!isLogin())
|
|
conn.connect(ssh);
|
|
|
|
};
|