Store allowlist for exposed directory server

src/settings.js

@@ -152,6 +152,7 @@ const assert = require('assert'),
     tokens = require('./tokens.js'),
     translation = require('./translation.js'),
     users = require('./users.js'),
+    validator = require('validator'),
     _ = require('underscore');
 
 const SETTINGS_FIELDS = [ 'name', 'value' ].join(',');
@@ -185,7 +186,8 @@ const gDefaults = (function () {
         autoCreate: false
     };
     result[exports.EXPOSED_LDAP_KEY] = {
-        enabled: false
+        enabled: false,
+        allowlist: '' // empty means allow all
     };
     result[exports.REGISTRY_CONFIG_KEY] = {
         provider: 'noop'
@@ -509,9 +511,16 @@ async function setExposedLdapConfig(exposedLdapConfig) {
     if (isDemo()) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
 
     const config = {
-        enabled: exposedLdapConfig.enabled
+        enabled: exposedLdapConfig.enabled,
+        allowlist: exposedLdapConfig.allowlistc || ''
     };
 
+    for (const line of exposedLdapConfig.allowlist.split('\n')) {
+        if (!line || line.startsWith('#')) continue;
+        const rangeOrIP = line.trim();
+        if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
+    }
+
     await set(exports.EXPOSED_LDAP_KEY, JSON.stringify(config));
 
     notifyChange(exports.EXPOSED_LDAP_KEY, config);