ZeroTierOne/controller/migrate-sqlite/migrate.js

'use strict';

var sqlite3 = require('sqlite3').verbose();
var fs = require('fs');
var async = require('async');

function blobToIPv4(b)
{
	if (!b)
		return null;
	if (b.length !== 16)
		return null;
	return b.readUInt8(12).toString()+'.'+b.readUInt8(13).toString()+'.'+b.readUInt8(14).toString()+'.'+b.readUInt8(15).toString();
}
function blobToIPv6(b)
{
	if (!b)
		return null;
	if (b.length !== 16)
		return null;
	var s = '';
	for(var i=0;i<16;++i) {
		var x = b.readUInt8(i).toString(16);
		if (x.length === 1)
			s += '0';
		s += x;
		if ((((i+1) & 1) === 0)&&(i !== 15))
			s += ':';
	}
	return s;
}

if (process.argv.length !== 4) {
	console.log('ZeroTier Old Sqlite3 Controller DB Migration Utility');
	console.log('(c)2017 ZeroTier, Inc. [GPL3]');
	console.log('');
	console.log('Usage: node migrate.js </path/to/controller.db> </path/to/controller.d>');
	console.log('');
	console.log('The first argument must be the path to the old Sqlite3 controller.db');
	console.log('file. The second must be the path to the EMPTY controller.d database');
	console.log('directory for a new (1.1.17 or newer) controller. If this path does');
	console.log('not exist it will be created.');
	console.log('');
	console.log('WARNING: this will ONLY work correctly on a 1.1.14 controller database.');
	console.log('If your controller is old you should first upgrade to 1.1.14 and run the');
	console.log('controller so that it will brings its Sqlite3 database up to the latest');
	console.log('version before running this migration.');
	console.log('');
	process.exit(1);
}

var oldDbPath = process.argv[2];
var newDbPath = process.argv[3];

console.log('Starting migrate of "'+oldDbPath+'" to "'+newDbPath+'"...');
console.log('');

var old = new sqlite3.Database(oldDbPath);

var networks = {};

var nodeIdentities = {};
var networkCount = 0;
var memberCount = 0;
var routeCount = 0;
var ipAssignmentPoolCount = 0;
var ipAssignmentCount = 0;
var ruleCount = 0;
var oldSchemaVersion = -1;

async.series([function(nextStep) {

	old.each('SELECT v from Config WHERE k = \'schemaVersion\'',function(err,row) {
		oldSchemaVersion = parseInt(row.v)||-1;
	},nextStep);

},function(nextStep) {

	if (oldSchemaVersion !== 4) {
		console.log('FATAL: this MUST be run on a 1.1.14 controller.db! Upgrade your old');
		console.log('controller to 1.1.14 first and run it once to bring its DB up to date.');
		return process.exit(1);
	}

	console.log('Reading networks...');
	old.each('SELECT * FROM Network',function(err,row) {
		if ((typeof row.id === 'string')&&(row.id.length === 16)) {
			var flags = parseInt(row.flags)||0;
			networks[row.id] = {
				id: row.id,
				nwid: row.id,
				objtype: 'network',
				authTokens: [],
				capabilities: [],
				creationTime: parseInt(row.creationTime)||0,
				enableBroadcast: !!row.enableBroadcast,
				ipAssignmentPools: [],
				multicastLimit: row.multicastLimit||32,
				name: row.name||'',
				private: !!row.private,
				revision: parseInt(row.revision)||1,
				rules: [{ 'type': 'ACTION_ACCEPT' }], // populated later if there are defined rules, otherwise default is allow all
				routes: [],
				v4AssignMode: {
					'zt': ((flags & 1) !== 0)
				},
				v6AssignMode: {
					'6plane': ((flags & 4) !== 0),
					'rfc4193': ((flags & 2) !== 0),
					'zt': ((flags & 8) !== 0)
				},
				_members: {} // temporary
			};
			++networkCount;
			//console.log(networks[row.id]);
		}
	},nextStep);

},function(nextStep) {

	console.log('  '+networkCount+' networks.');
	console.log('Reading network route definitions...');
	old.each('SELECT * from Route WHERE ipVersion = 4 OR ipVersion = 6',function(err,row) {
		var network = networks[row.networkId];
		if (network) {
			var rt = {
				target: (((row.ipVersion == 4) ? blobToIPv4(row.target) : blobToIPv6(row.target))+'/'+row.targetNetmaskBits),
				via: ((row.via) ? ((row.ipVersion == 4) ? blobToIPv4(row.via) : blobToIPv6(row.via)) : null)
			};
			network.routes.push(rt);
			++routeCount;
		}
	},nextStep);

},function(nextStep) {

	console.log('  '+routeCount+' routes in '+networkCount+' networks.');
	console.log('Reading IP assignment pools...');
	old.each('SELECT * FROM IpAssignmentPool WHERE ipVersion = 4 OR ipVersion = 6',function(err,row) {
		var network = networks[row.networkId];
		if (network) {
			var p = {
				ipRangeStart: ((row.ipVersion == 4) ? blobToIPv4(row.ipRangeStart) : blobToIPv6(row.ipRangeStart)),
				ipRangeEnd: ((row.ipVersion == 4) ? blobToIPv4(row.ipRangeEnd) : blobToIPv6(row.ipRangeEnd))
			};
			network.ipAssignmentPools.push(p);
			++ipAssignmentPoolCount;
		}
	},nextStep);

},function(nextStep) {

	console.log('  '+ipAssignmentPoolCount+' IP assignment pools in '+networkCount+' networks.');
	console.log('Reading known node identities...');
	old.each('SELECT * FROM Node',function(err,row) {
		nodeIdentities[row.id] = row.identity;
	},nextStep);

},function(nextStep) {

	console.log('  '+Object.keys(nodeIdentities).length+' known identities.');
	console.log('Reading network members...');
	old.each('SELECT * FROM Member',function(err,row) {
		var network = networks[row.networkId];
		if (network) {
			network._members[row.nodeId] = {
				id: row.nodeId,
				address: row.nodeId,
				objtype: 'member',
				authorized: !!row.authorized,
				activeBridge: !!row.activeBridge,
				authHistory: [],
				capabilities: [],
				creationTime: 0,
				identity: nodeIdentities[row.nodeId]||null,
				ipAssignments: [],
				lastAuthorizedTime: (row.authorized) ? Date.now() : 0,
				lastDeauthorizedTime: (row.authorized) ? 0 : Date.now(),
				lastRequestMetaData: '',
				noAutoAssignIps: false,
				nwid: row.networkId,
				revision: parseInt(row.memberRevision)||1,
				tags: [],
				recentLog: []
			};
			++memberCount;
			//console.log(network._members[row.nodeId]);
		}
	},nextStep);

},function(nextStep) {

	console.log('  '+memberCount+' members of '+networkCount+' networks.');
	console.log('Reading static IP assignments...');
	old.each('SELECT * FROM IpAssignment WHERE ipVersion = 4 OR ipVersion = 6',function(err,row) {
		var network = networks[row.networkId];
		if (network) {
			var member = network._members[row.nodeId];
			if ((member)&&((member.authorized)||(!network['private']))) { // don't mirror assignments to unauthorized members to avoid conflicts
				if (row.ipVersion == 4) {
					member.ipAssignments.push(blobToIPv4(row.ip));
					++ipAssignmentCount;
				} else if (row.ipVersion == 6) {
					member.ipAssignments.push(blobToIPv6(row.ip));
					++ipAssignmentCount;
				}
			}
		}
	},nextStep);

},function(nextStep) {

	// Old versions only supported Ethertype whitelisting, so that's
	// all we mirror forward. The other fields were always unused.

	console.log('  '+ipAssignmentCount+' IP assignments for '+memberCount+' authorized members of '+networkCount+' networks.');
	console.log('Reading allowed Ethernet types (old basic rules)...');
	var etherTypesByNetwork = {};
	old.each('SELECT DISTINCT networkId,ruleNo,etherType FROM Rule WHERE "action" = \'accept\'',function(err,row) {
		if (row.networkId in networks) {
			var et = parseInt(row.etherType)||0;
			var ets = etherTypesByNetwork[row.networkId];
			if (!ets)
				etherTypesByNetwork[row.networkId] = [ et ];
			else ets.push(et);
		}
	},function(err) {
		if (err) return nextStep(err);
		for(var nwid in etherTypesByNetwork) {
			var ets = etherTypesByNetwork[nwid].sort();
			var network = networks[nwid];
			if (network) {
				var rules = [];
				if (ets.indexOf(0) >= 0) {
					// If 0 is in the list, all Ethernet types are allowed so we accept all.
					rules.push({ 'type': 'ACTION_ACCEPT' });
				} else {
					// Otherwise we whitelist.
					for(var i=0;i<ets.length;++i) {
						rules.push({
							'etherType': ets[i],
							'not': true,
							'or': false,
							'type': 'MATCH_ETHERTYPE'
						});
					}
					rules.push({ 'type': 'ACTION_DROP' });
					rules.push({ 'type': 'ACTION_ACCEPT' });
				}
				network.rules = rules;
				++ruleCount;
			}
		}
		return nextStep(null);
	});

}],function(err) {

	if (err) {
		console.log('FATAL: '+err.toString());
		return process.exit(1);
	}

	console.log('  '+ruleCount+' ethernet type whitelists converted to new format rules.');
	old.close();
	console.log('Done reading and converting Sqlite3 database! Writing JSONDB files...');

	try {
		fs.mkdirSync(newDbPath,0o700);
	} catch (e) {}
	var nwBase = newDbPath+'/network';
	try {
		fs.mkdirSync(nwBase,0o700);
	} catch (e) {}
	nwBase = nwBase + '/';
	var nwids = Object.keys(networks).sort();
	var fileCount = 0;
	for(var ni=0;ni<nwids.length;++ni) {
		var network = networks[nwids[ni]];

		var mids = Object.keys(network._members).sort();
		if (mids.length > 0) {
			try {
				fs.mkdirSync(nwBase+network.id);
			} catch (e) {}
			var mbase = nwBase+network.id+'/member';
			try {
				fs.mkdirSync(mbase,0o700);
			} catch (e) {}
			mbase = mbase + '/';

			for(var mi=0;mi<mids.length;++mi) {
				var member = network._members[mids[mi]];
				fs.writeFileSync(mbase+member.id+'.json',JSON.stringify(member,null,1),{ mode: 0o600 });
				++fileCount;
				//console.log(mbase+member.id+'.json');
			}
		}

		delete network._members; // temporary field, not part of actual JSONDB, so don't write
		fs.writeFileSync(nwBase+network.id+'.json',JSON.stringify(network,null,1),{ mode: 0o600 });
		++fileCount;
		//console.log(nwBase+network.id+'.json');
	}

	console.log('');
	console.log('SUCCESS! Wrote '+fileCount+' JSONDB files.');

	console.log('');
	console.log('You should still inspect the new DB before going live. Also be sure');
	console.log('to "chown -R" and "chgrp -R" the new DB to the user and group under');
	console.log('which the ZeroTier One instance acting as controller will be running.');
	console.log('The controller must be able to read and write the DB, of course.');
	console.log('');
	console.log('Have fun!');

	return process.exit(0);
});