userdirectory: move the validation and apply logic
+3
-29
@@ -150,20 +150,17 @@ const assert = require('assert'),
|
||||
externalLdap = require('./externalldap.js'),
|
||||
moment = require('moment-timezone'),
|
||||
mounts = require('./mounts.js'),
|
||||
path = require('path'),
|
||||
paths = require('./paths.js'),
|
||||
safe = require('safetydance'),
|
||||
shell = require('./shell.js'),
|
||||
sysinfo = require('./sysinfo.js'),
|
||||
tokens = require('./tokens.js'),
|
||||
translation = require('./translation.js'),
|
||||
userdirectory = require('./userdirectory.js'),
|
||||
users = require('./users.js'),
|
||||
validator = require('validator'),
|
||||
_ = require('underscore');
|
||||
|
||||
const SETTINGS_FIELDS = [ 'name', 'value' ].join(',');
|
||||
const SETTINGS_BLOB_FIELDS = [ 'name', 'valueBlob' ].join(',');
|
||||
const SET_LDAP_ALLOWLIST_CMD = path.join(__dirname, 'scripts/setldapallowlist.sh');
|
||||
|
||||
const gDefaults = (function () {
|
||||
const result = { };
|
||||
@@ -547,32 +544,9 @@ async function setUserDirectoryConfig(userDirectoryConfig) {
|
||||
allowlist: userDirectoryConfig.allowlist || ''
|
||||
};
|
||||
|
||||
if (config.enabled) {
|
||||
if (!config.secret) throw new BoxError(BoxError.BAD_FIELD, 'secret cannot be empty');
|
||||
|
||||
let gotOne = false;
|
||||
for (const line of userDirectoryConfig.allowlist.split('\n')) {
|
||||
if (!line || line.startsWith('#')) continue;
|
||||
const rangeOrIP = line.trim();
|
||||
if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
|
||||
gotOne = true;
|
||||
}
|
||||
|
||||
// only allow if we at least have one allowed IP/range
|
||||
if (!gotOne) throw new BoxError(BoxError.BAD_FIELD, 'allowlist must at least contain one IP or range');
|
||||
}
|
||||
|
||||
await userdirectory.validateConfig(config);
|
||||
await set(exports.USER_DIRECTORY_KEY, JSON.stringify(config));
|
||||
|
||||
// this is done only because it's easier for the shell script and the firewall service to get the value
|
||||
if (config.enabled) {
|
||||
if (!safe.fs.writeFileSync(paths.LDAP_ALLOWLIST_FILE, userDirectoryConfig.allowlist + '\n', 'utf8')) throw new BoxError(BoxError.FS_ERROR, safe.error.message);
|
||||
} else {
|
||||
safe.fs.unlinkSync(paths.LDAP_ALLOWLIST_FILE);
|
||||
}
|
||||
|
||||
const [error] = await safe(shell.promises.sudo('setLdapAllowlist', [ SET_LDAP_ALLOWLIST_CMD ], {}));
|
||||
if (error) throw new BoxError(BoxError.IPTABLES_ERROR, `Error setting ldap allowlist: ${error.message}`);
|
||||
await userdirectory.applyConfig(config);
|
||||
|
||||
notifyChange(exports.USER_DIRECTORY_KEY, config);
|
||||
}
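Review bot: The new sequence still persists the config with `await set(exports.USER_DIRECTORY_KEY, JSON.stringify(config));` before `await userdirectory.applyConfig(config);` runs, so if applyConfig throws (the removed code raised `BoxError.IPTABLES_ERROR` at that step) the stored record says the directory is enabled with this allowlist while the firewall state was never changed, and `notifyChange` is skipped. This ordering is inherited from the removed lines rather than introduced here, but moving the logic is the moment to fix it: either call `await userdirectory.applyConfig(config);` before the `set(...)` line, or read the previously stored value first and restore it in a `catch` when apply fails. Whether applyConfig reads the persisted setting rather than the `config` argument is not visible in this diff, so confirm that before reordering. The deleted secret and allowlist checks are presumably now inside `userdirectory.validateConfig`; that function is not shown, so the "at least one valid IP or range when enabled" rule should be verified there. setUserDirectoryConfig begins before the hunk.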
|
||||
|
||||