Handle exposed ldap allowlist

This commit is contained in:
Johannes Zellner
2021-12-10 16:20:58 +01:00
parent 86d642c8a3
commit 1c7eeb6ac6
5 changed files with 58 additions and 6 deletions
+21 -5
@@ -146,8 +146,10 @@ const assert = require('assert'),
externalLdap = require('./externalldap.js'),
moment = require('moment-timezone'),
mounts = require('./mounts.js'),
path = require('path'),
paths = require('./paths.js'),
safe = require('safetydance'),
shell = require('./shell.js'),
sysinfo = require('./sysinfo.js'),
tokens = require('./tokens.js'),
translation = require('./translation.js'),
@@ -157,6 +159,7 @@ const assert = require('assert'),
const SETTINGS_FIELDS = [ 'name', 'value' ].join(',');
const SETTINGS_BLOB_FIELDS = [ 'name', 'valueBlob' ].join(',');
const SET_LDAP_ALLOWLIST_CMD = path.join(__dirname, 'scripts/setldapallowlist.sh');
const gDefaults = (function () {
const result = { };
@@ -512,17 +515,30 @@ async function setExposedLdapConfig(exposedLdapConfig) {
const config = {
enabled: exposedLdapConfig.enabled,
allowlist: exposedLdapConfig.allowlistc || ''
// if list is empty, we allow all IPs
allowlist: exposedLdapConfig.allowlist || '0.0.0.0/0'
};
for (const line of exposedLdapConfig.allowlist.split('\n')) {
if (!line || line.startsWith('#')) continue;
const rangeOrIP = line.trim();
if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
if (config.enabled) {
for (const line of exposedLdapConfig.allowlist.split('\n')) {
if (!line || line.startsWith('#')) continue;
const rangeOrIP = line.trim();
if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
}
}
await set(exports.EXPOSED_LDAP_KEY, JSON.stringify(config));
// this is done only because it's easier for the shell script and the firewall service to get the value
if (config.enabled) {
if (!safe.fs.writeFileSync(paths.LDAP_ALLOWLIST_FILE, exposedLdapConfig.allowlist + '\n', 'utf8')) throw new BoxError(BoxError.FS_ERROR, safe.error.message);
} else {
safe.fs.unlinkSync(paths.LDAP_ALLOWLIST_FILE);
}
const [error] = await safe(shell.promises.sudo('setLdapAllowlist', [ SET_LDAP_ALLOWLIST_CMD ], {}));
if (error) throw new BoxError(BoxError.IPTABLES_ERROR, `Error setting ldap allowlist: ${error.message}`);
notifyChange(exports.EXPOSED_LDAP_KEY, config);
}
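Review bot: The validation loop and the writeFileSync call both read the raw `exposedLdapConfig.allowlist` instead of the normalized `config.allowlist` built just above them, so the `'0.0.0.0/0'` default never reaches the firewall script: an empty allowlist is persisted in settings as allow-all but written to `paths.LDAP_ALLOWLIST_FILE` as a bare newline, and whether the sudo script treats an empty file as allow-all or deny-all is not visible in this hunk. A request with the `allowlist` property missing also throws a TypeError from `.split` before any BoxError is produced, which the `|| '0.0.0.0/0'` fallback suggests was meant to be handled. Using the normalized value in both places keeps the stored config and the file in step: `for (const line of config.allowlist.split('\n')) {` and `if (!safe.fs.writeFileSync(paths.LDAP_ALLOWLIST_FILE, config.allowlist + '\n', 'utf8')) throw new BoxError(BoxError.FS_ERROR, safe.error.message);`. Separately, lines starting with `#` skip IP validation and are written verbatim into a file consumed by a script run via sudo, so `scripts/setldapallowlist.sh` must skip them as well; presumably it does, but that script is not part of what is shown here. The function's signature sits in the hunk header, so its body is otherwise fully visible.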