Store allowlist for exposed directory server

2021-11-26 10:43:50 +01:00
parent 63fe75ecd2
commit 98b28db092
2 changed files with 12 additions and 2 deletions
@@ -148,6 +148,7 @@ async function setExposedLdapConfig(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (typeof req.body.enabled !== 'boolean') return next(new HttpError(400, 'enabled must be a boolean'));
+    if ('allowlist' in req.body && typeof req.body.allowlist !== 'string') return next(new HttpError(400, 'allowlist must be a string'));

    const [error] = await safe(settings.setExposedLdapConfig(req.body));
    if (error) return next(BoxError.toHttpError(error));
@@ -152,6 +152,7 @@ const assert = require('assert'),
    tokens = require('./tokens.js'),
    translation = require('./translation.js'),
    users = require('./users.js'),
+    validator = require('validator'),
    _ = require('underscore');

 const SETTINGS_FIELDS = [ 'name', 'value' ].join(',');
@@ -185,7 +186,8 @@ const gDefaults = (function () {
        autoCreate: false
    };
    result[exports.EXPOSED_LDAP_KEY] = {
-        enabled: false
+        enabled: false,
+        allowlist: '' // empty means allow all
    };
    result[exports.REGISTRY_CONFIG_KEY] = {
        provider: 'noop'
@@ -509,9 +511,16 @@ async function setExposedLdapConfig(exposedLdapConfig) {
    if (isDemo()) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');

    const config = {
-        enabled: exposedLdapConfig.enabled
+        enabled: exposedLdapConfig.enabled,
+        allowlist: exposedLdapConfig.allowlistc || ''
    };

+    for (const line of exposedLdapConfig.allowlist.split('\n')) {
+        if (!line || line.startsWith('#')) continue;
+        const rangeOrIP = line.trim();
+        if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
+    }
+
    await set(exports.EXPOSED_LDAP_KEY, JSON.stringify(config));

    notifyChange(exports.EXPOSED_LDAP_KEY, config);