diff --git a/src/routes/settings.js b/src/routes/settings.js
index 0042bc32f..311eebd58 100644
--- a/src/routes/settings.js
+++ b/src/routes/settings.js
@@ -148,6 +148,7 @@ async function setExposedLdapConfig(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
 if (typeof req.body.enabled !== 'boolean') return next(new HttpError(400, 'enabled must be a boolean'));
+ if ('allowlist' in req.body && typeof req.body.allowlist !== 'string') return next(new HttpError(400, 'allowlist must be a string'));
 const [error] = await safe(settings.setExposedLdapConfig(req.body));
 if (error) return next(BoxError.toHttpError(error));
diff --git a/src/settings.js b/src/settings.js
index 26e27cac2..2a334e868 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -152,6 +152,7 @@ const assert = require('assert'),
 tokens = require('./tokens.js'),
 translation = require('./translation.js'),
 users = require('./users.js'),
+ validator = require('validator'),
 _ = require('underscore');
 const SETTINGS_FIELDS = [ 'name', 'value' ].join(',');
@@ -185,7 +186,8 @@ const gDefaults = (function () {
 autoCreate: false
 };
 result[exports.EXPOSED_LDAP_KEY] = {
- enabled: false
+ enabled: false,
+ allowlist: '' // empty means allow all
 };
 result[exports.REGISTRY_CONFIG_KEY] = {
 provider: 'noop'
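Review bot: The added `allowlist` check in the route only runs when the key is present, so a body carrying just `enabled` (the shape every pre-existing client sends) passes this handler and reaches `settings.setExposedLdapConfig`, which in the last hunk of src/settings.js calls `exposedLdapConfig.allowlist.split('\n')` unconditionally and will throw a TypeError instead of producing a 400. Keeping the field optional here is the backward-compatible choice, so the service side should fall back to `''` before splitting rather than this handler requiring the field. The handler continues outside the hunk. The `validator` require added in the same file is a new runtime dependency; the diff shows no package.json change, so presumably it is already a dependency — worth confirming.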
@@ -509,9 +511,16 @@ async function setExposedLdapConfig(exposedLdapConfig) {
 if (isDemo()) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
 const config = {
- enabled: exposedLdapConfig.enabled
+ enabled: exposedLdapConfig.enabled,
+ allowlist: exposedLdapConfig.allowlistc || ''
 };
+ for (const line of exposedLdapConfig.allowlist.split('\n')) {
+ if (!line || line.startsWith('#')) continue;
+ const rangeOrIP = line.trim();
+ if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
+ }
+
 await set(exports.EXPOSED_LDAP_KEY, JSON.stringify(config));
 notifyChange(exports.EXPOSED_LDAP_KEY, config);
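Review bot: `allowlist: exposedLdapConfig.allowlistc || ''` reads a misspelled property, so the persisted allowlist is always `''` — which the defaults hunk documents as "allow all" — regardless of what the loop below validates; the restriction is silently never stored, and the line should read `allowlist: exposedLdapConfig.allowlist || ''`. The loop then splits `exposedLdapConfig.allowlist` directly, which throws a TypeError when the caller omits the field (the route in src/routes/settings.js permits that); iterating `config.allowlist.split('\n')` after the fix above gives the `''` fallback for free. Inside the loop, `!line` and `startsWith('#')` are tested before `trim()`, so a whitespace-only line or an indented `# comment` is rejected as "is not a valid IP or range"; trimming first, `const rangeOrIP = line.trim(); if (!rangeOrIP || rangeOrIP.startsWith('#')) continue;`, handles both and CRLF input alike. setExposedLdapConfig continues past the end of the hunk.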