diff --git a/src/routes/settings.js b/src/routes/settings.js
index 311eebd58..d10ba8f33 100644
--- a/src/routes/settings.js
+++ b/src/routes/settings.js
@@ -148,6 +148,7 @@ async function setExposedLdapConfig(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
 if (typeof req.body.enabled !== 'boolean') return next(new HttpError(400, 'enabled must be a boolean'));
+ if (typeof req.body.secret !== 'string') return next(new HttpError(400, 'secret must be a string'));
 if ('allowlist' in req.body && typeof req.body.allowlist !== 'string') return next(new HttpError(400, 'allowlist must be a string'));
 const [error] = await safe(settings.setExposedLdapConfig(req.body));
diff --git a/src/routes/test/settings-test.js b/src/routes/test/settings-test.js
index 1dba5cee3..f3b19d2e4 100644
--- a/src/routes/test/settings-test.js
+++ b/src/routes/test/settings-test.js
@@ -83,6 +83,7 @@ describe('Settings API', function () {
 // keep in sync with defaults in settings.js
 let defaultConfig = {
 enabled: false,
+ secret: '',
 allowlist: ''
 };
@@ -106,10 +107,49 @@ describe('Settings API', function () {
 expect(response.statusCode).to.equal(400);
 });
- it('can set exposed_ldap_config', async function () {
+ it('cannot set exposed_ldap_config without secret', async function () {
+ let tmp = JSON.parse(JSON.stringify(defaultConfig));
+ delete tmp.secret;
+
+ const response = await superagent.post(`${serverUrl}/api/v1/settings/exposed_ldap_config`)
+ .query({ access_token: owner.token })
+ .send(tmp)
+ .ok(() => true);
+
+ expect(response.statusCode).to.equal(400);
+ });
+
+ it('cannot enable exposed_ldap_config with empty secret', async function () {
 let tmp = JSON.parse(JSON.stringify(defaultConfig));
 tmp.enabled = true;
+ const response = await superagent.post(`${serverUrl}/api/v1/settings/exposed_ldap_config`)
+ .query({ access_token: owner.token })
+ .send(tmp)
+ .ok(() => true);
+
+ expect(response.statusCode).to.equal(400);
+ });
+
+ it('cannot enable exposed_ldap_config with empty allowlist', async function () {
+ let tmp = JSON.parse(JSON.stringify(defaultConfig));
+ tmp.enabled = true;
+ tmp.secret = 'ldapsecret';
+
+ const response = await superagent.post(`${serverUrl}/api/v1/settings/exposed_ldap_config`)
+ .query({ access_token: owner.token })
+ .send(tmp)
+ .ok(() => true);
+
+ expect(response.statusCode).to.equal(400);
+ });
+
+ it('can enable exposed_ldap_config', async function () {
+ let tmp = JSON.parse(JSON.stringify(defaultConfig));
+ tmp.enabled = true;
+ tmp.secret = 'ldapsecret';
+ tmp.allowlist = '1.2.3.4';
+
 const response = await superagent.post(`${serverUrl}/api/v1/settings/exposed_ldap_config`)
 .query({ access_token: owner.token })
 .send(tmp);
@@ -125,7 +165,7 @@ describe('Settings API', function () {
 .query({ access_token: owner.token });
 expect(response.statusCode).to.equal(200);
- expect(response.body).to.eql({ enabled: true, allowlist: '' });
+ expect(response.body).to.eql({ enabled: true, secret: 'ldapsecret', allowlist: '1.2.3.4' });
 });
 });
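Review bot: The updated expectation at the end of the second hunk, `expect(response.body).to.eql({ enabled: true, secret: 'ldapsecret', allowlist: '1.2.3.4' });`, pins the GET endpoint to return the stored LDAP secret verbatim, so any caller that can read this setting can also recover the credential. The read path is not part of this diff, but the assertion implies it hands back the stored object unchanged; it would be safer to strip `secret` from the response (or expose only a presence flag) and pin that instead, e.g. `expect(response.body).to.eql({ enabled: true, allowlist: '1.2.3.4' });` followed by `expect(response.body).to.not.have.property('secret');`. If returning the secret is deliberate because the UI needs to display it, a one-line comment on the assertion saying so would keep the next reader from treating it as an oversight.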
diff --git a/src/settings.js b/src/settings.js
index be104bbb5..9861b37b6 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -190,6 +190,7 @@ const gDefaults = (function () {
 };
 result[exports.EXPOSED_LDAP_KEY] = {
 enabled: false,
+ secret: '',
 allowlist: '' // empty means allow all
 };
 result[exports.REGISTRY_CONFIG_KEY] = {
@@ -515,11 +516,14 @@ async function setExposedLdapConfig(exposedLdapConfig) {
 const config = {
 enabled: exposedLdapConfig.enabled,
+ secret: exposedLdapConfig.secret,
 // if list is empty, we allow all IPs
 allowlist: exposedLdapConfig.allowlist || ''
 };
 if (config.enabled) {
+ if (!config.secret) throw new BoxError(BoxError.BAD_FIELD, 'secret cannot be empty');
+
 let gotOne = false;
 for (const line of exposedLdapConfig.allowlist.split('\n')) {
 if (!line || line.startsWith('#')) continue;
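Review bot: The new guard `if (!config.secret)` in the second hunk only rejects falsy values, so a whitespace-only string such as `' '` is accepted and persisted as the LDAP secret, and because `secret: exposedLdapConfig.secret` is copied without normalization a non-string value reaching this function directly (the route checks `typeof`, but this function is the settings-layer entry point for any other caller) is stored as-is. A stricter check in the same place would be `if (typeof config.secret !== 'string' || config.secret.trim() === '') throw new BoxError(BoxError.BAD_FIELD, 'secret cannot be empty');`. Separately, the context comments `// empty means allow all` (first hunk) and `// if list is empty, we allow all IPs` (second hunk) now sit next to the new `secret` lines while the accompanying test expects a 400 when enabling with an empty allowlist; if the `gotOne` check below rejects an empty list, both comments should say that the empty default only applies while the feature is disabled. The body of setExposedLdapConfig continues past the end of the hunk.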