1. Different ways to secure STM32CubeMonitor
STM32CubeMonitor can be secured in several ways, each of which is easy to set up:
- Prevent or allow remote access: decide whether machines other than the host can reach the STM32CubeMonitor tool
- Secure the flow: create accounts with different permissions to modify the flow
- Secure the dashboard: create an account to control access to the dashboard
2. How to prevent or allow the connection of other machines to the tool?
This configuration prevents or allows connections to the user's STM32CubeMonitor environment by someone who knows its IP address. From STM32CubeMonitor 1.5.0 onwards, the default is to prevent external access. External access should be opened only on secured networks.
Go to the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and comment or uncomment the uiHost line:
uiHost: "127.0.0.1",
If this line is uncommented, nobody can access the STM32CubeMonitor tool except from the host machine. If the line is commented out, anybody can access the STM32CubeMonitor tool.
3. How to secure my flow?
Add a login and a password to the STM32CubeMonitor tool. This authentication prevents non-logged users from modifying and deploying the flow. Nevertheless, non-logged users are able to enter the dashboard mode and start the acquisition.
To secure the flow:
- Generate a password hash to hide the new password (see below).
- Go to the ~/STMicroelectronics/stm32cubemonitor folder and open the settings.js file.
- Uncomment the adminAuth block.
- Choose the username, and replace the default password with the new password hash. Finally, choose between two permissions:
  - "*": the user has full control over the flow.
  - "read": the user is only able to see the flow configuration and switch to the dashboard view. The user cannot deploy the flow. This is a "read-only" mode.
The "default" key gives the "read" permission to any user, even to non-logged users.
adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2b$08$jLZtZBM8ySdwPGpbGsDaE.kZagU4cetH5c7QPhspaOJ60QSOahaoa", // password: admin
        permissions: "*"
    }, {
        username: "user",
        password: "$2b$08$f1pbalRjiHDBjOoPJ3fsmO6caEvFwGmbh0kFsTMmHuSkM6Z/BT8O.", // password: user
        permissions: "read"
    }],
    default: {
        permissions: "read"
    }
},
Once this is done, the tool is secured: authentication is needed to deploy the flow.
To go further, see the Node-RED® page on how to secure a Node-RED® flow.
4. How to secure my dashboard?
Add a login and a password to access the dashboard window. The login takes place in the popup displayed after a click on the "dashboard" button. With this setting alone, a user without a dashboard account is still able to modify and deploy the flow. It is also possible to combine the flow security and the dashboard security.
As for the flow security, to secure the dashboard, go to the ~/STMicroelectronics/stm32cubemonitor folder. Open the settings.js file and uncomment the httpNodeAuth line. It is possible to change the username and generate a new password hash following the same method (see below):
httpNodeAuth: {user:"demo",pass:"$2b$08$50L83HdgJESfdUETL1f2ceyJVhi.Yi77XJ2C/.8rPRZZGTZpR5Zoy"}, //password : demo
For more information, see the Node-RED® page on how to secure a Node-RED® dashboard.
5. How to generate the password hash?
It is easy to generate the password hash with a flow in the editor:
- In the editor, add the "bcrypt" node (requires STM32CubeMonitor 1.5.0 or above).
- Connect an inject node to send the password.
- Connect a debug node to log the result.
Copy/paste this code to import the nodes:
[{"id":"8c42fc7298eddcf0","type":"inject","z":"0c142a1d01775c4b","name":"","props":[{"p":"payload"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"mypassword","payloadType":"str","x":430,"y":80,"wires":[["fc91ac3519e28fee"]]},{"id":"fc91ac3519e28fee","type":"bcrypt","z":"0c142a1d01775c4b","name":"Hash","action":"encrypt","field":"payload","hash":"payload","target":"payload","assignment":"replace","match":"match","outputs":1,"rounds":10,"x":590,"y":80,"wires":[["22350cdbe3af32a8"]]},{"id":"22350cdbe3af32a8","type":"debug","z":"0c142a1d01775c4b","name":"Hash password","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":780,"y":80,"wires":[]}]
In the inject node, set the password you want to use. Then click on the square button of the inject node. The hashed password is visible in the log on the right side of the tool.
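The following audit is an added example, not part of the original page or of ST's or Node-RED's code. It takes a settings object shaped like the settings.js entries in sections 2 to 4 and reports an open uiHost, a missing adminAuth or httpNodeAuth, the default permission, and password hashes that are malformed, copied from this page, or below a chosen bcrypt cost. The function names, the minCost threshold and the sample object are assumptions of the example.

```javascript
// Added example, not ST or Node-RED code: audits a settings object shaped like
// the settings.js entries shown on this page.
// Hashes printed on this page; their passwords are public, so they must be replaced.
const SAMPLE_HASHES = new Set([
  "$2b$08$jLZtZBM8ySdwPGpbGsDaE.kZagU4cetH5c7QPhspaOJ60QSOahaoa",
  "$2b$08$f1pbalRjiHDBjOoPJ3fsmO6caEvFwGmbh0kFsTMmHuSkM6Z/BT8O.",
  "$2b$08$50L83HdgJESfdUETL1f2ceyJVhi.Yi77XJ2C/.8rPRZZGTZpR5Zoy",
]);
// bcrypt string layout: $2b$<2-digit cost>$<22-char salt + 31-char digest>
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function checkHash(label, hash, minCost, findings) {
  const m = BCRYPT_RE.exec(String(hash || ""));
  if (!m) findings.push(`${label}: password is not a bcrypt hash`);
  else if (SAMPLE_HASHES.has(hash)) findings.push(`${label}: sample hash from this page is still in use`);
  else if (Number(m[1]) < minCost) findings.push(`${label}: bcrypt cost ${Number(m[1])} is below ${minCost}`);
}

// minCost defaults to 10, the "rounds" value of the bcrypt node in the flow above
// (an assumption of this example, not a documented requirement).
function auditSettings(settings, minCost = 10) {
  const findings = [];
  if (settings.uiHost !== "127.0.0.1")
    findings.push("uiHost: not bound to 127.0.0.1, other machines can reach the tool");
  const admin = settings.adminAuth;
  if (!admin) {
    findings.push("adminAuth: anyone can modify and deploy the flow");
  } else {
    for (const u of admin.users || [])
      checkHash(`adminAuth user "${u.username}"`, u.password, minCost, findings);
    if (admin.default && admin.default.permissions)
      findings.push(`adminAuth default: non-logged users get "${admin.default.permissions}" permission`);
  }
  const node = settings.httpNodeAuth;
  if (!node) findings.push("httpNodeAuth: dashboard is open without login");
  else checkHash(`httpNodeAuth user "${node.user}"`, node.pass, minCost, findings);
  return findings;
}

// Constructed sample: uiHost commented out, admin left on the page's sample hash.
const sample = {
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: [...SAMPLE_HASHES][0], permissions: "*" }],
    default: { permissions: "read" },
  },
};
for (const f of auditSettings(sample)) console.log("FINDING " + f);
```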