Attributes.pm 113 KB
Newer Older
1 2 3 4
# This file contains the description of all configuration parameters
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Yadd's avatar
Yadd committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

Yadd's avatar
Yadd committed
9
our $VERSION = '2.0.0';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
Yadd's avatar
Yadd committed
15
    my $s = '';
Yadd's avatar
Yadd committed
16
    no warnings( 'redefine', 'uninitialized' );
17
    eval "$s $val";
Yadd's avatar
Yadd committed
18 19 20
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
21 22
};

Yadd's avatar
Yadd committed
23
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Yadd's avatar
Yadd committed
24 25 26
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

27 28 29 30 31
sub types {
    return {

        # Simple text types
        text => {
Yadd's avatar
Yadd committed
32
            test    => sub { 1 },
33 34 35
            msgFail => '__malformedValue__',
        },
        password => {
Yadd's avatar
Yadd committed
36
            test    => sub { 1 },
37 38 39 40 41 42 43
            msgFail => '__malformedValue__',
        },
        longtext => {
            test => sub { 1 }
        },
        url => {
            form    => 'text',
Yadd's avatar
Yadd committed
44
            test    => $url,
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
                eval { qr/$_[0]/ };
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Yadd's avatar
Yadd committed
66 67
            test => sub {
                my ( $val, $conf ) = @_;
68 69 70 71 72 73
                return 1
                  if ( defined $conf->{macros}->{$val} or $val eq '_timezone' );
                foreach ( keys %$conf ) {
                    return 1
                      if ( $_ =~ /exportedvars$/i
                        and defined $conf->{$_}->{$val} );
Yadd's avatar
Yadd committed
74
                }
75
                return ( 1, "__unknownAttrOrMacro__: $val" );
Yadd's avatar
Yadd committed
76
            },
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Yadd's avatar
Yadd committed
96 97
        keyTextContainer => {
            test       => qr/./,
Yadd's avatar
Yadd committed
98
            msgFail    => '__emptyValueNotAllowed__',
Yadd's avatar
Yadd committed
99
            keyTest    => qr/^\w[\w\.\-]*$/,
Yadd's avatar
Yadd committed
100
            keyMsgFail => '__badKeyName__',
Yadd's avatar
Yadd committed
101 102 103 104 105
        },
        subContainer => {
            keyTest => qr/\w/,
            test    => sub { 1 },
        },
Yadd's avatar
Yadd committed
106 107 108
        select => {
            test => sub {
                my $test =
Yadd's avatar
Yadd committed
109 110
                  grep ( { $_ eq $_[0] }
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Yadd's avatar
Yadd committed
111 112
                return $test
                  ? 1
113
                  : ( 1, "Invalid value '$_[0]' for this select" );
Yadd's avatar
Yadd committed
114 115
            },
        },
116 117 118 119 120 121

        # Files type (long text)
        file => {
            test => sub { 1 }
        },
        RSAPublicKey => {
122
            test => sub {
123 124
                return (
                    $_[0] =~
125 126
/^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
                    ? (1)
127 128
                    : ( 1, '__badPemEncoding__' )
                );
129
            },
130
        },
131
        'RSAPublicKeyOrCertificate' => {
132
            'test' => sub {
133 134
                return (
                    $_[0] =~
135 136
/^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
                    ? (1)
137 138
                    : ( 1, '__badPemEncoding__' )
                );
139
            },
140
        },
141
        RSAPrivateKey => {
142
            test => sub {
143 144
                return (
                    $_[0] =~
145
/^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
146
                    ? (1)
147 148
                    : ( 1, '__badPemEncoding__' )
                );
149
            },
150 151 152 153 154 155 156 157 158 159 160 161 162
        },

        authParamsText => {
            test => sub { 1 }
        },
        blackWhiteList => {
            test => sub { 1 }
        },
        catAndAppList => {
            test => sub { 1 }
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
Yadd's avatar
Yadd committed
163
            test    => qr/^.*$/,
164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
            msgFail => '__badValue__',
        },
        menuApp => {
            test => sub { 1 }
        },
        menuCat => {
            test => sub { 1 }
        },
        oidcOPMetaDataNode => {
            test => sub { 1 }
        },
        oidcRPMetaDataNode => {
            test => sub { 1 }
        },
        oidcmetadatajson => {
            test => sub { 1 }
        },
        oidcmetadatajwks => {
            test => sub { 1 }
        },
        portalskin => {
            test => sub { 1 }
        },
        portalskinbackground => {
            test => sub { 1 }
        },
        post => {
            test => sub { 1 }
        },
        rule => {
            test => sub { 1 }
        },
        samlAssertion => {
            test => sub { 1 }
        },
        samlAttribute => {
            test => sub { 1 }
        },
        samlIDPMetaDataNode => {
            test => sub { 1 }
        },
        samlSPMetaDataNode => {
            test => sub { 1 }
        },
        samlService => {
            test => sub { 1 }
        },
211 212 213
        array => {
            test => sub { 1 }
        },
214 215 216 217 218 219 220
    };
}

sub attributes {
    return {

        # Other
Yadd's avatar
Yadd committed
221 222 223 224 225
        checkTime => {
            type => 'int',
            documentation =>
              'Timeout to check new configuration in local cache',
            default => 600,
226 227 228 229 230 231 232
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
              [ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
Yadd's avatar
Yadd committed
233
        },
Yadd's avatar
Yadd committed
234 235 236 237 238 239 240 241 242 243 244 245
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Yadd's avatar
Yadd committed
246
            documentation => 'Local cache parameters',
Yadd's avatar
Yadd committed
247 248
            flags         => 'hmp',
        },
249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
            type          => 'text',
            documentation => 'Name of the author of the current configuration',
        },
        cfgAuthorIP => {
            type          => 'text',
            documentation => 'Uploader IP address of the current configuration',
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
270 271 272 273
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Yadd's avatar
Yadd committed
274 275 276 277 278
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
279 280 281 282 283 284 285
        confirmFormMethod => {
            type => "select",
            select =>
              [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
286 287
        customFunctions => {
            type          => 'text',
Yadd's avatar
Yadd committed
288
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
289
            msgFail       => "__badCustomFuncName__",
Yadd's avatar
Yadd committed
290 291
            documentation => 'List of custom functions',
            flags         => 'hmp',
292 293
        },
        https => {
294 295 296
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Yadd's avatar
Yadd committed
297
            flags         => 'h',
298 299 300 301 302 303 304 305
        },
        infoFormMethod => {
            type => "select",
            select =>
              [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Yadd's avatar
Yadd committed
306 307 308 309 310
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
311 312 313 314 315 316 317 318 319 320 321 322 323 324 325
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
            type          => 'keyTextContainer',
            help          => 'logoutforward.html',
            default       => {},
            documentation => 'Send logout trough GET request to these services',
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Yadd's avatar
Yadd committed
326
            flags         => 'h',
327
        },
Yadd's avatar
Yadd committed
328 329 330 331 332
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
Yadd's avatar
Yadd committed
333
            documentation => 'Custom Nginx handler (deprecated)',
Yadd's avatar
Yadd committed
334
        },
335 336 337 338 339
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
340 341 342 343
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Yadd's avatar
Yadd committed
344
            flags         => 'hmp',
345
        },
Yadd's avatar
Yadd committed
346 347 348 349 350
        portalStatus => {
            type          => 'bool',
            default       => 0,
            documentation => 'Enable portal status',
        },
351 352 353
        portalUserAttr => {
            type    => 'text',
            default => '_user',
Yadd's avatar
Yadd committed
354
            help    => 'monitoring.html',
355 356 357 358 359 360 361 362 363 364 365
            documentation =>
              'Session parameter to display connected user in portal',
        },
        redirectFormMethod => {
            type => "select",
            select =>
              [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
        reloadUrls => {
Yadd's avatar
Yadd committed
366 367 368 369 370 371
            type          => 'keyTextContainer',
            help          => 'configlocation.html#configuration_reload',
            keyTest       => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test          => $url,
            msgFail       => '__badUrl__',
            documentation => 'URL to call on reload',
372 373 374 375 376
        },
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
Yadd's avatar
Yadd committed
377 378 379 380
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Yadd's avatar
Yadd committed
381
            flags         => 'hmp',
Yadd's avatar
Yadd committed
382
        },
Yadd's avatar
Yadd committed
383 384 385 386
        stayConnected => {
            type          => 'bool',
            documentation => 'Enable StayConnected plugin',
        },
Yadd's avatar
Yadd committed
387
        checkState => {
388
            type          => 'bool',
Yadd's avatar
Yadd committed
389 390 391
            documentation => 'Enable CheckState plugin',
        },
        checkStateSecret => {
392
            type          => 'text',
Yadd's avatar
Yadd committed
393 394
            documentation => 'Secret token for CheckState plugin',
        },
395 396 397 398 399
        skipRenewConfirmation => {
            type => 'bool',
            documentation =>
              'Avoid asking confirmation when an Issuer asks to renew auth',
        },
400

401 402 403 404 405 406 407 408 409
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
Yadd's avatar
Yadd committed
410
            flags         => 'hmp',
411 412 413 414
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
Yadd's avatar
Yadd committed
415
            flags         => 'hmp',
416 417 418 419
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
Yadd's avatar
Yadd committed
420
            flags         => 'hmp',
421 422 423 424
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
Yadd's avatar
Yadd committed
425
            flags         => 'hmp',
426 427 428 429
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
Yadd's avatar
Yadd committed
430
            flags         => 'hmp',
431 432 433 434
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
Yadd's avatar
Yadd committed
435
            flags         => 'hmp',
436 437 438
        },

        # Manager or PSGI protected apps
439 440 441 442 443
        protection => {
            type          => 'text',
            test          => qr/^(?:none|authenticate|manager|)$/,
            msgFail       => '__authorizedValues__: none authenticate manager',
            documentation => 'Manager protection method',
Yadd's avatar
Yadd committed
444
            flags         => 'hm',
445 446 447 448 449 450 451 452 453 454
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
Yadd's avatar
Yadd committed
455
            keyTest => qr/\w/,
456 457 458 459 460 461
            help    => 'portalmenu.html#categories_and_applications',
            default => {
                default => { catname => 'Default category', type => "category" }
            },
            documentation => 'Applications list',
        },
462 463 464 465 466
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
467
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
468 469 470 471
            type    => 'bool',
            default => 0,
            documentation =>
              'Show error if mail is not found in password reset process',
472
        },
473 474 475 476 477 478 479 480 481 482 483 484 485 486
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Yadd's avatar
Yadd committed
487
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
                {
                    k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
                    v => 'Anse'
                },
                {
                    k =>
"1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
                {
                    k => "1280px-Cedar_Breaks_National_Monument_partially.jpg",
                    v => 'National Monument'
                },
                {
                    k => "1280px-Parry_Peak_from_Winter_Park.jpg",
                    v => 'Winter'
                },
                { k => "Aletschgletscher_mit_Pinus_cembra1.jpg", v => 'Pinus' },
            ],
        },
        portalSkinRules => {
Yadd's avatar
Yadd committed
516 517 518 519 520 521 522
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
523 524 525
        },

        # Security
Yadd's avatar
Yadd committed
526
        formTimeout => {
Yadd's avatar
Yadd committed
527 528
            default       => 120,
            type          => 'int',
Yadd's avatar
Yadd committed
529 530 531
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Yadd's avatar
Yadd committed
532 533
            default       => 1,
            type          => 'bool',
Yadd's avatar
Yadd committed
534 535
            documentation => 'Enable token for forms',
        },
536 537 538 539 540
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
541 542 543 544
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Yadd's avatar
Yadd committed
545
            flags         => 'hp',
546 547 548 549 550 551 552
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
        grantSessionRules => {
Yadd's avatar
Yadd committed
553 554 555 556
            type          => 'grantContainer',
            keyTest       => $perlExpr,
            test          => sub { 1 },
            documentation => 'Rules to grant sessions',
557 558 559 560 561 562 563 564 565 566
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
567 568
        cspDefault => {
            type          => 'text',
Yadd's avatar
Yadd committed
569
            default       => "'self'",
570 571 572 573
            documentation => 'Default value for Content-Security-Policy',
        },
        cspImg => {
            type          => 'text',
574
            default       => "'self' data:",
575 576 577 578 579 580 581 582 583
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
Yadd's avatar
Yadd committed
584
            default       => "'self'",
585 586 587 588 589 590 591 592 593 594 595 596 597
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
              'Authorizated Ajax destination for Content-Security-Policy',
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
598 599 600 601 602
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
603

604 605 606 607 608 609 610
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        portalForceAuthnInterval => {
            type    => 'int',
611
            default => 5,
612 613 614 615 616 617 618 619
            documentation =>
'Minimum number of seconds since last authentifcation to force reauthentication',
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Yadd's avatar
Yadd committed
620 621 622
        trustedDomains =>
          { type => 'text', documentation => 'Trusted domains', },
        storePassword => {
623 624 625 626 627 628
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Yadd's avatar
Yadd committed
629
            test          => sub { $_[0] > 0 },
630 631 632 633
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
634
            type          => 'int',
Yadd's avatar
Yadd committed
635
            test          => sub { $_[0] >= 0 },
636 637 638
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
639 640 641 642 643 644
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
645 646 647 648 649 650 651 652 653 654 655 656 657 658
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Yadd's avatar
Yadd committed
659
            flags         => 'h',
660 661 662 663 664 665 666 667 668
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Yadd's avatar
Yadd committed
669
            help          => 'safejail.html',
670
            documentation => 'Activate Safe jail',
Yadd's avatar
Yadd committed
671
            flags         => 'hp',
672 673 674 675 676
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Yadd's avatar
Yadd committed
677
            flags         => 'hp',
678
        },
Yadd's avatar
Yadd committed
679
        lwpOpts => {
Yadd's avatar
Yadd committed
680 681 682
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
Yadd's avatar
Yadd committed
683 684 685 686
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
Yadd's avatar
Yadd committed
732
            default       => 0,
733 734 735
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
Yadd's avatar
Yadd committed
736 737
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
738
            default       => '$_oidcConnectedRP',
Yadd's avatar
Yadd committed
739 740
            documentation => 'Display OIDC consent tab in portal',
        },
741 742

        # Cookies
Yadd's avatar
Yadd committed
743 744 745 746 747
        cookieExpiration => {
            type          => 'text',
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Yadd's avatar
Yadd committed
748
        cookieName => {
749 750 751 752 753
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Yadd's avatar
Yadd committed
754
            flags         => 'hp',
755 756 757
        },
        domain => {
            type          => 'text',
Yadd's avatar
Yadd committed
758
            test          => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
759 760 761
            msgFail       => '__badDomainName__',
            default       => 'example.com',
            documentation => 'DNS domain',
Yadd's avatar
Yadd committed
762
            flags         => 'hp',
763 764 765 766 767
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Yadd's avatar
Yadd committed
768
            flags         => 'hp',
769 770 771 772 773 774 775 776 777 778 779
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Yadd's avatar
Yadd committed
780
            flags         => 'hp',
781 782 783
        },

        # Notification
784
        oldNotifFormat => {
Yadd's avatar
Yadd committed
785 786
            type          => 'bool',
            default       => 0,
Yadd's avatar
Yadd committed
787
            documentation => 'Use old XML format for notifications',
788
        },
789 790 791 792 793
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Yadd's avatar
Yadd committed
794 795 796 797 798
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
799 800 801 802
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
Yadd's avatar
Yadd committed
803 804 805 806 807
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
826
            default       => 1,
827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
Yadd's avatar
Yadd committed
846
            keyMsgFail    => '__badVariableName__',
847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
              'exportedvars.html#extend_variables_using_macros_and_groups',
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
              'exportedvars.html#extend_variables_using_macros_and_groups',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
Yadd's avatar
Yadd committed
865
            keyMsgFail    => '__badMacroName__',
866 867 868 869 870 871 872 873 874 875
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Yadd's avatar
Yadd committed
876
            flags         => 'hp',
877 878 879 880 881 882 883 884 885 886
        },
        globalStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'Directory'     => '/var/lib/lemonldap-ng/sessions/',
                'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
                'generateModule' =>
                  'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
            },
            documentation => 'Session backend module options',
Yadd's avatar
Yadd committed
887
            flags         => 'hp',
888 889
        },
        localSessionStorage => {
Yadd's avatar
Yadd committed
890 891
            type          => 'PerlModule',
            default       => 'Cache::FileCache',
Yadd's avatar
Yadd committed
892
            documentation => 'Local sessions cache module',
893 894 895 896 897 898 899 900 901 902 903 904 905 906
        },
        localSessionStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'namespace'          => 'lemonldap-ng-sessions',
                'default_expires_in' => 600,
                'directory_umask'    => '007',
                'cache_root'         => '/tmp',
                'cache_depth'        => 3,
            },
            documentation => 'Sessions cache module options',
        },

        # Persistent storage
Yadd's avatar
Yadd committed
907 908 909 910 911 912 913 914 915 916 917 918 919
        persistentStorage => {
            type          => 'PerlModule',
            documentation => 'Storage module for persistent sessions'
        },
        persistentStorageOptions => {
            type          => 'keyTextContainer',
            documentation => 'Options for persistent sessions storage module'
        },
        sessionDataToRemember => {
            type          => 'keyTextContainer',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
            keyMsgFail    => '__invalidSessionData__',
            documentation => 'Data to remember in login history',
920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941
        },

        # SAML issuer
        issuerDBSAMLActivation => {
            default       => 0,
            type          => 'bool',
            documentation => 'SAML IDP activation',
        },
        issuerDBSAMLPath => {
            type          => 'pcre',
            default       => '^/saml/',
            documentation => 'SAML IDP request path',
        },
        issuerDBSAMLRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'SAML IDP rule',
        },

        # OpenID-Connect issuer
        issuerDBOpenIDConnectActivation => {
            type          => 'bool',
Yadd's avatar
Yadd committed
942
            default       => 0,
943 944 945 946 947 948 949 950 951 952 953 954 955
            documentation => 'OpenID Connect server activation',
        },
        issuerDBOpenIDConnectPath => {
            type          => 'text',
            default       => '^/oauth2/',
            documentation => 'OpenID Connect server request path',
        },
        issuerDBOpenIDConnectRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'OpenID Connect server rule',
        },

Yadd's avatar
Yadd committed
956 957 958
        # GET issuer
        issuerDBGetActivation => {
            type          => 'bool',
Yadd's avatar
Yadd committed
959
            default       => 0,
Yadd's avatar
Yadd committed
960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981
            documentation => 'Get issuer activation',
        },
        issuerDBGetPath => {
            type          => 'text',
            default       => '^/get/',
            documentation => 'Get issuer request path',
        },
        issuerDBGetRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Get issuer rule',
        },
        issuerDBGetParameters => {
            type       => 'doubleHash',
            default    => {},
            keyTest    => qr/^$Regexp::Common::URI::RFC2396::hostname$/,
            keyMsgFail => '__badHostname__',
            test       => {
                keyTest    => qr/^(?=[^\-])[\w\-]+(?<=[^-])$/,
                keyMsgFail => '__badKeyName__',
                test       => sub {
                    my ( $val, $conf ) = @_;
982 983 984 985 986 987 988
                    return 1
                      if ( defined $conf->{macros}->{$val}
                        or $val eq '_timezone' );
                    foreach ( keys %$conf ) {
                        return 1
                          if ( $_ =~ /exportedvars$/i
                            and defined $conf->{$_}->{$val} );
Yadd's avatar
Yadd committed
989
                    }
990
                    return ( 1, "__unknownAttrOrMacro__: $val" );
Yadd's avatar
Yadd committed
991 992 993 994 995
                },
            },
            documentation => 'List of virtualHosts with their get parameters',
        },

996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013
        # Password
        mailOnPasswordChange => {
            default       => 0,
            type          => 'bool',
            documentation => 'Send a mail when password is changed',
        },
        portalRequireOldPassword => {
            default       => 1,
            type          => 'bool',
            documentation => 'Old password is required to change the password',
        },
        hideOldPassword => {
            default       => 0,
            type          => 'bool',
            documentation => 'Hide old password in portal',
        },

        # Mails
Yadd's avatar
Yadd committed
1014 1015
        mailBody =>
          { type => 'longtext', documentation => 'Custom mail body', },
1016 1017 1018 1019 1020
        mailCharset => {
            type          => 'text',
            default       => 'utf-8',
            documentation => 'Mail charset',
        },
Yadd's avatar
Yadd committed
1021 1022
        mailConfirmBody =>
          { type => 'longtext', documentation => 'Custom confirm mail body', },
1023 1024 1025 1026 1027 1028 1029 1030 1031
        mailConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for reset confirmation',
        },
        mailFrom => {
            type          => 'text',
            default       => 'noreply@example.com',
            documentation => 'Sender email',
        },
Yadd's avatar
Yadd committed
1032
        mailReplyTo => { type => 'text', documentation => 'Reply-To address' },
1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048
        mailSessionKey => {
            type          => 'text',
            default       => 'mail',
            documentation => 'Session parameter where mail is stored',
        },
        mailSubject => {
            type          => 'text',
            documentation => 'Mail subject for new password email',
        },
        mailTimeout => {
            type          => 'int',
            default       => 0,
            documentation => 'Mail session timeout',
        },
        mailUrl => {
            type          => 'url',
Yadd's avatar
Yadd committed
1049
            default       => 'http://auth.example.com/resetpwd',
1050 1051 1052
            documentation => 'URL of password reset page',
        },
        SMTPServer => {
Yadd's avatar
Yadd committed
1053 1054 1055
            type    => 'text',
            default => '',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host(?::\d+)?)?$/,
1056 1057
            documentation => 'SMTP Server',
        },
Yadd's avatar
Yadd committed
1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075
        SMTPPort => {
            type          => 'int',
            documentation => 'Fix SMTP port',
        },
        SMTPTLS => {
            type    => 'select',
            default => '',
            select  => [
                { k => '',         v => 'none' },
                { k => 'starttls', v => 'SMTP + STARTTLS' },
                { k => 'ssl',      v => 'SMTPS' },
            ],
            documentation => 'TLS protocol to use with SMTP',
        },
        SMTPTLSOpts => {
            type          => 'keyTextContainer',
            documentation => 'TLS/SSL options for SMTP',
        },
Yadd's avatar
Yadd committed
1076 1077 1078 1079 1080 1081 1082 1083
        SMTPAuthUser => {
            type          => 'text',
            documentation => 'Login to use to send mails',
        },
        SMTPAuthPass => {
            type          => 'password',
            documentation => 'Password to use to send mails',
        },
1084 1085 1086 1087 1088 1089 1090 1091 1092

        # Registration
        registerConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for register confirmation',
        },
        registerDB => {
            type   => 'select',
            select => [
1093 1094 1095 1096 1097
                { k => 'AD',     v => 'Active Directory' },
                { k => 'Demo',   v => 'Demonstration' },
                { k => 'LDAP',   v => 'LDAP' },
                { k => 'Null',   v => 'None' },
                { k => 'Custom', v => 'customModule' },
1098
            ],
1099
            default       => 'Null',
1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110
            documentation => 'Register module',
        },
        registerDoneSubject => {
            type          => 'text',
            documentation => 'Mail subject when register is done',
        },
        registerTimeout => {
            default       => 0,
            type          => 'int',
            documentation => 'Register session timeout',
        },
Yadd's avatar
Yadd committed
1111 1112
        registerUrl => {
            type          => 'text',
1113
            default       => 'http://auth.example.com/register',
Yadd's avatar
Yadd committed
1114 1115
            documentation => 'URL of register page',
        },
1116

Yadd's avatar
Yadd committed
1117 1118 1119
        # Upgrade session
        upgradeSession => {
            type          => 'bool',
Yadd's avatar
Yadd committed
1120
            default       => 1,
Yadd's avatar
Yadd committed
1121 1122
            documentation => 'Upgrade session activation',
        },
1123

1124 1125 1126 1127
        # 2F
        max2FDevices => {
            default       => 10,
            type          => 'int',
1128
            documentation => 'Maximum registered 2F devices',
1129 1130 1131 1132
        },
        max2FDevicesNameLength => {
            default       => 20,
            type          => 'int',
1133
            documentation => 'Maximum 2F devices name length',
1134
        },
1135

Yadd's avatar
Yadd committed
1136 1137
        # U2F
        u2fActivation => {
Yadd's avatar
Yadd committed
1138
            type          => 'boolOrExpr',
Yadd's avatar
Yadd committed
1139 1140 1141
            default       => 0,
            documentation => 'U2F activation',
        },
Yadd's avatar
Yadd committed
1142
        u2fSelfRegistration => {
Yadd's avatar
Yadd committed
1143
            type          => 'boolOrExpr',
Yadd's avatar
Yadd committed
1144 1145
            default       => 0,
            documentation => 'U2F self registration activation',
Yadd's avatar
Yadd committed
1146
        },
Yadd's avatar
Yadd committed
1147 1148 1149 1150 1151
        u2fAuthnLevel => {
            type => 'int',
            documentation =>
              'Authentication level for users authentified by password+U2F'
        },
1152 1153 1154 1155 1156
        u2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing U2F key',
        },
Yadd's avatar
Yadd committed
1157

Yadd's avatar
Yadd committed
1158 1159 1160 1161 1162 1163
        # TOTP second factor
        totp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'TOTP activation',
        },
1164
        totp2fSelfRegistration => {
Yadd's avatar
Yadd committed
1165
            type          => 'boolOrExpr',
Yadd's avatar
Yadd committed
1166 1167 1168 1169 1170 1171 1172 1173
            default       => 0,
            documentation => 'TOTP self registration activation',
        },
        totp2fAuthnLevel => {
            type => 'int',
            documentation =>
              'Authentication level for users authentified by password+TOTP'
        },
Yadd's avatar
Yadd committed
1174 1175 1176 1177
        totp2fIssuer => {
            type          => 'text',
            documentation => 'TOTP Issuer',
        },
Yadd's avatar
Yadd committed
1178 1179 1180 1181 1182 1183 1184 1185 1186 1187
        totp2fInterval => {
            type          => 'int',
            default       => 30,
            documentation => 'TOTP interval',
        },
        totp2fRange => {
            type          => 'int',
            default       => 1,
            documentation => 'TOTP range (number of interval to test)',
        },
Yadd's avatar
Yadd committed
1188 1189 1190 1191 1192
        totp2fDigits => {
            type          => 'int',
            default       => 6,
            documentation => 'Number of digits for TOTP code',
        },
Yadd's avatar
Yadd committed
1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203
        totp2fDisplayExistingSecret => {
            type    => 'bool',
            default => 0,
            documentation =>
              'Display existing TOTP secret in registration form',
        },
        totp2fUserCanChangeKey => {
            type          => 'bool',
            default       => 0,
            documentation => 'Authorize users to change existing TOTP secret',
        },
1204 1205 1206 1207 1208
        totp2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing TOTP secret',
        },
Yadd's avatar
Yadd committed
1209

Yadd's avatar
Yadd committed
1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221
        # UTOTP 2F
        utotp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'UTOTP activation (mixed U2F/TOTP module)',
        },
        utotp2fAuthnLevel => {
            type => 'int',
            documentation =>
'Authentication level for users authentified by password+(U2F or TOTP)'
        },