Attributes.pm 117 KB
Newer Older
Christophe Maudoux's avatar
Christophe Maudoux committed
1
#  This file contains the description of all configuration parameters
2 3 4
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Xavier Guimard's avatar
Xavier Guimard committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

Xavier Guimard's avatar
Xavier Guimard committed
9
our $VERSION = '2.0.2';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
15
    my $s = '';
16
    Safe->new->reval("BEGIN { warnings->unimport; } $s $val");
17 18 19
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
20 21
};

Xavier Guimard's avatar
Xavier Guimard committed
22
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Xavier Guimard's avatar
Xavier Guimard committed
23 24 25
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

26 27 28 29 30
sub types {
    return {

        # Simple text types
        text => {
31
            test    => sub {1},
32 33 34
            msgFail => '__malformedValue__',
        },
        password => {
35
            test    => sub {1},
36 37 38
            msgFail => '__malformedValue__',
        },
        longtext => {
39
            test => sub {1}
40 41 42
        },
        url => {
            form    => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
43
            test    => $url,
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
59
                eval {qr/$_[0]/};
60 61 62 63 64
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
65 66
            test => sub {
                my ( $val, $conf ) = @_;
67
                return 1
68
                    if ( defined $conf->{macros}->{$val}
69
                    or $val eq '_timezone' );
70 71
                foreach ( keys %$conf ) {
                    return 1
72
                        if ( $_ =~ /exportedvars$/i
73
                        and defined $conf->{$_}->{$val} );
Xavier Guimard's avatar
Xavier Guimard committed
74
                }
75
                return ( 1, "__unknownAttrOrMacro__: $val" );
Xavier Guimard's avatar
Xavier Guimard committed
76
            },
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Xavier Guimard's avatar
Xavier Guimard committed
96 97
        keyTextContainer => {
            test       => qr/./,
Xavier Guimard's avatar
Xavier Guimard committed
98
            msgFail    => '__emptyValueNotAllowed__',
Xavier Guimard's avatar
Xavier Guimard committed
99
            keyTest    => qr/^\w[\w\.\-]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
100
            keyMsgFail => '__badKeyName__',
Xavier Guimard's avatar
Xavier Guimard committed
101 102 103
        },
        subContainer => {
            keyTest => qr/\w/,
104
            test    => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
105
        },
Xavier Guimard's avatar
Xavier Guimard committed
106 107
        select => {
            test => sub {
108
                my $test = grep ( { $_ eq $_[0] }
Xavier Guimard's avatar
Xavier Guimard committed
109
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Xavier Guimard's avatar
Xavier Guimard committed
110
                return $test
111 112
                    ? 1
                    : ( 1, "Invalid value '$_[0]' for this select" );
Xavier Guimard's avatar
Xavier Guimard committed
113 114
            },
        },
115 116 117

        # Files type (long text)
        file => {
118
            test => sub {1}
119 120
        },
        RSAPublicKey => {
121
            test => sub {
122
                return (
123 124
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
125
                    ? (1)
126 127
                    : ( 1, '__badPemEncoding__' )
                );
128
            },
129
        },
130
        'RSAPublicKeyOrCertificate' => {
131
            'test' => sub {
132
                return (
133 134
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
135
                    ? (1)
136 137
                    : ( 1, '__badPemEncoding__' )
                );
138
            },
139
        },
140
        RSAPrivateKey => {
141
            test => sub {
142
                return (
143 144
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
145
                    ? (1)
146 147
                    : ( 1, '__badPemEncoding__' )
                );
148
            },
149 150 151
        },

        authParamsText => {
152
            test => sub {1}
153 154
        },
        blackWhiteList => {
155
            test => sub {1}
156 157
        },
        catAndAppList => {
158
            test => sub {1}
159 160 161
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
Xavier Guimard's avatar
Xavier Guimard committed
162
            test    => qr/^.*$/,
163 164 165
            msgFail => '__badValue__',
        },
        menuApp => {
166
            test => sub {1}
167 168
        },
        menuCat => {
169
            test => sub {1}
170 171
        },
        oidcOPMetaDataNode => {
172
            test => sub {1}
173 174
        },
        oidcRPMetaDataNode => {
175
            test => sub {1}
176 177
        },
        oidcmetadatajson => {
178
            test => sub {1}
179 180
        },
        oidcmetadatajwks => {
181
            test => sub {1}
182 183
        },
        portalskin => {
184
            test => sub {1}
185 186
        },
        portalskinbackground => {
187
            test => sub {1}
188 189
        },
        post => {
190
            test => sub {1}
191 192
        },
        rule => {
193
            test => sub {1}
194 195
        },
        samlAssertion => {
196
            test => sub {1}
197 198
        },
        samlAttribute => {
199
            test => sub {1}
200 201
        },
        samlIDPMetaDataNode => {
202
            test => sub {1}
203 204
        },
        samlSPMetaDataNode => {
205
            test => sub {1}
206 207
        },
        samlService => {
208
            test => sub {1}
209
        },
210
        array => {
211
            test => sub {1}
212
        },
213 214 215 216 217 218 219
    };
}

sub attributes {
    return {

        # Other
220 221 222
        checkTime => {
            type => 'int',
            documentation =>
223
                'Timeout to check new configuration in local cache',
224
            default => 600,
225 226 227 228 229 230
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
231
                [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
232
        },
Xavier Guimard's avatar
Xavier Guimard committed
233 234 235 236 237 238 239 240 241 242 243 244
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Xavier Guimard's avatar
Xavier Guimard committed
245
            documentation => 'Local cache parameters',
Xavier Guimard's avatar
Xavier Guimard committed
246 247
            flags         => 'hmp',
        },
248 249 250 251 252 253
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
254 255 256
            type => 'text',
            documentation =>
                'Name of the author of the current configuration',
257 258
        },
        cfgAuthorIP => {
259 260 261
            type => 'text',
            documentation =>
                'Uploader IP address of the current configuration',
262 263 264 265 266 267 268 269 270
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
271 272 273 274
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Xavier Guimard's avatar
Xavier Guimard committed
275 276 277 278 279
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
280 281 282
        confirmFormMethod => {
            type => "select",
            select =>
283
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
284 285 286
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
287 288
        customFunctions => {
            type          => 'text',
289
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
290
            help          => 'customfunctions.html',
291
            msgFail       => "__badCustomFuncName__",
Xavier Guimard's avatar
Xavier Guimard committed
292 293
            documentation => 'List of custom functions',
            flags         => 'hmp',
294 295
        },
        https => {
296 297 298
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Xavier Guimard's avatar
Xavier Guimard committed
299
            flags         => 'h',
300 301 302 303
        },
        infoFormMethod => {
            type => "select",
            select =>
304
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
305 306 307
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Xavier Guimard's avatar
Xavier Guimard committed
308 309 310 311 312
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
313 314 315 316 317 318
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
319 320 321 322 323
            type    => 'keyTextContainer',
            help    => 'logoutforward.html',
            default => {},
            documentation =>
                'Send logout trough GET request to these services',
324 325 326 327 328
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Xavier Guimard's avatar
Xavier Guimard committed
329
            flags         => 'h',
330
        },
Xavier Guimard's avatar
Xavier Guimard committed
331 332 333 334
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
335
            help    => 'handlerarch.html',
Xavier Guimard's avatar
Xavier Guimard committed
336
            msgFail => '__badPerlPackageName__',
Xavier Guimard's avatar
Xavier Guimard committed
337
            documentation => 'Custom Nginx handler (deprecated)',
Xavier Guimard's avatar
Xavier Guimard committed
338
        },
339 340 341 342 343
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
344 345 346 347
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Xavier Guimard's avatar
Xavier Guimard committed
348
            flags         => 'hmp',
349 350
            test          => $url,
            msgFail       => '__badUrl__',
351
        },
352 353 354
        portalStatus => {
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Typo  
Xavier Guimard committed
355
            help          => 'status.html',
356 357
            documentation => 'Enable portal status',
        },
358 359 360 361
        portalUserAttr => {
            type    => 'text',
            default => '_user',
            documentation =>
362
                'Session parameter to display connected user in portal',
363 364 365 366
        },
        redirectFormMethod => {
            type => "select",
            select =>
367
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
368 369 370
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
371 372 373 374 375 376
        reloadTimeout => {
            type          => 'int',
            default       => 5,
            documentation => 'Configuration reload timeout',
            flags         => 'm',
        },
377
        reloadUrls => {
378 379 380 381 382
            type    => 'keyTextContainer',
            help    => 'configlocation.html#configuration_reload',
            keyTest => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test    => $url,
            msgFail => '__badUrl__',
Xavier Guimard's avatar
Xavier Guimard committed
383
            documentation => 'URL to call on reload',
384
        },
Clément OUDOT's avatar
Clément OUDOT committed
385
        portalMainLogo => {
386 387 388 389
            type          => 'text',
            default       => 'common/logos/logo_llng_400px.png',
            documentation => 'Portal main logo path',
        },
390 391 392 393 394
        showLanguages => {
            type          => 'bool',
            default       => 1,
            documentation => 'Display langs icons',
        },
395 396 397 398
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
399 400 401 402
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Xavier Guimard's avatar
Xavier Guimard committed
403
            flags         => 'hmp',
404
        },
Xavier Guimard's avatar
Xavier Guimard committed
405
        stayConnected => {
Xavier Guimard's avatar
Typo  
Xavier Guimard committed
406 407
            type => 'bool',

408
            #help          => 'stayconnected.html',
409
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
410 411
            documentation => 'Enable StayConnected plugin',
        },
412
        checkState => {
413
            type          => 'bool',
414
            default       => 0,
415 416
            documentation => 'Enable CheckState plugin',
        },
417
        checkStateSecret => {
418
            type          => 'text',
419 420
            documentation => 'Secret token for CheckState plugin',
        },
421
        skipRenewConfirmation => {
422 423
            type    => 'bool',
            default => 0,
424
            documentation =>
425
                'Avoid asking confirmation when an Issuer asks to renew auth',
426
        },
427 428 429 430
        handlerInternalCache => {
            type          => 'int',
            default       => 15,
            documentation => 'Handler internal cache timeout',
Christophe Maudoux's avatar
Christophe Maudoux committed
431
            flags         => 'hp',
432
        },
433

434 435 436 437 438 439 440 441 442
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
Xavier Guimard's avatar
Xavier Guimard committed
443
            flags         => 'hmp',
444 445 446 447
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
Xavier Guimard's avatar
Xavier Guimard committed
448
            flags         => 'hmp',
449 450 451 452
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
Xavier Guimard's avatar
Xavier Guimard committed
453
            flags         => 'hmp',
454 455 456 457
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
Xavier Guimard's avatar
Xavier Guimard committed
458
            flags         => 'hmp',
459 460 461 462
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
Xavier Guimard's avatar
Xavier Guimard committed
463
            flags         => 'hmp',
464 465 466 467
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
Xavier Guimard's avatar
Xavier Guimard committed
468
            flags         => 'hmp',
469 470 471
        },

        # Manager or PSGI protected apps
472
        protection => {
473 474 475
            type    => 'text',
            test    => qr/^(?:none|authenticate|manager|)$/,
            msgFail => '__authorizedValues__: none authenticate manager',
476
            documentation => 'Manager protection method',
Xavier Guimard's avatar
Xavier Guimard committed
477
            flags         => 'hm',
478 479 480 481 482 483 484 485 486 487
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
488
            keyTest => qr/\w/,
489 490
            help    => 'portalmenu.html#categories_and_applications',
            default => {
491 492
                default =>
                    { catname => 'Default category', type => "category" }
493 494 495
            },
            documentation => 'Applications list',
        },
496 497 498 499 500
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
501
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
502 503 504
            type    => 'bool',
            default => 0,
            documentation =>
505
                'Show error if mail is not found in password reset process',
506
        },
507 508 509 510 511 512 513 514 515 516 517 518 519 520
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Xavier Guimard's avatar
Xavier Guimard committed
521
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
522 523 524 525 526 527
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
528
                {   k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
529 530
                    v => 'Anse'
                },
531 532
                {   k =>
                        "1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
533 534 535
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
536 537
                {   k =>
                        "1280px-Cedar_Breaks_National_Monument_partially.jpg",
538 539
                    v => 'National Monument'
                },
540
                {   k => "1280px-Parry_Peak_from_Winter_Park.jpg",
541 542
                    v => 'Winter'
                },
543
                {   k => "Aletschgletscher_mit_Pinus_cembra1.jpg",
544 545
                    v => 'Pinus'
                },
546 547 548
            ],
        },
        portalSkinRules => {
Xavier Guimard's avatar
Xavier Guimard committed
549 550 551 552 553 554 555
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
556 557 558
        },

        # Security
559
        formTimeout => {
Xavier Guimard's avatar
Xavier Guimard committed
560 561
            default       => 120,
            type          => 'int',
562 563 564
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Xavier Guimard's avatar
Xavier Guimard committed
565 566
            default       => 1,
            type          => 'bool',
567 568
            documentation => 'Enable token for forms',
        },
569 570 571 572 573
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
574 575 576 577
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Xavier Guimard's avatar
Xavier Guimard committed
578
            flags         => 'hp',
579 580 581 582 583 584
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
585
        portalForceAuthn => {
586
            default => 0,
587
            help    => 'forcereauthn.html',
588 589
            type    => 'bool',
            documentation =>
590
                'Enable force to authenticate when displaying portal',
591
        },
592 593
        portalForceAuthnInterval => {
            default => 5,
594 595
            type    => 'int',
            documentation =>
596
                'Maximum interval in seconds since last authentication to force reauthentication',
597
        },
598
        bruteForceProtection => {
599
            default       => 0,
600
            help          => 'bruteforceprotection.html',
601 602 603 604 605 606 607
            type          => 'bool',
            documentation => 'Enable brute force attack protection',
        },
        bruteForceProtectionTempo => {
            default => 30,
            type    => 'int',
            documentation =>
608
                'Brute force attack protection -> Tempo before try again',
609 610 611 612 613
        },
        bruteForceProtectionMaxAge => {
            default => 300,
            type    => 'int',
            documentation =>
614
                'Brute force attack protection -> Max age between last and first allowed failed login',
615 616 617 618 619
        },
        bruteForceProtectionMaxFailed => {
            default => 3,
            type    => 'int',
            documentation =>
620
                'Brute force attack protection -> Max allowed failed login',
621
        },
622
        grantSessionRules => {
Xavier Guimard's avatar
Xavier Guimard committed
623 624
            type          => 'grantContainer',
            keyTest       => $perlExpr,
625
            test          => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
626
            documentation => 'Rules to grant sessions',
627 628 629 630 631 632 633 634 635 636
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
637 638
        cspDefault => {
            type          => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
639
            default       => "'self'",
640 641
            documentation => 'Default value for Content-Security-Policy',
        },
642
        cspFormAction => {
643 644 645
            type    => 'text',
            default => "'self'",
            documentation =>
646
                'Form action destination for Content-Security-Policy',
647
        },
648 649
        cspImg => {
            type          => 'text',
650
            default       => "'self' data:",
651 652 653 654 655 656 657 658 659
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
660
            default       => "'self'",
661 662 663 664 665 666
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
667
                'Authorized Ajax destination for Content-Security-Policy',
668 669 670 671 672 673
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
674 675 676 677 678 679 680 681 682 683 684 685 686 687 688
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Xavier Guimard's avatar
Xavier Guimard committed
689
        trustedDomains =>
690
            { type => 'text', documentation => 'Trusted domains', },
Xavier Guimard's avatar
Xavier Guimard committed
691
        storePassword => {
692 693 694 695 696 697
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
698
            test          => sub { $_[0] > 0 },
699 700 701 702
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
703
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
704
            test          => sub { $_[0] >= 0 },
705 706 707
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
708 709 710 711 712 713
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
714 715 716 717 718 719 720 721 722 723 724 725 726 727
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Xavier Guimard's avatar
Xavier Guimard committed
728
            flags         => 'h',
729 730 731 732 733 734 735 736 737
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Xavier Guimard's avatar
Xavier Guimard committed
738
            help          => 'safejail.html',
739
            documentation => 'Activate Safe jail',
Xavier Guimard's avatar
Xavier Guimard committed
740
            flags         => 'hp',
741 742 743 744 745
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Xavier Guimard's avatar
Xavier Guimard committed
746
            flags         => 'hp',
747
        },
748
        lwpOpts => {
Xavier Guimard's avatar
Xavier Guimard committed
749 750 751
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
752 753 754 755
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
Xavier Guimard's avatar
Xavier Guimard committed
801
            default       => 0,
802 803 804
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
805
        passwordResetAllowedRetries => {
Christophe Maudoux's avatar
Christophe Maudoux committed
806
            default       => 3,
807 808 809
            type          => 'int',
            documentation => 'Maximum number of retries to reset password',
        },
810 811
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
812
            default       => '$_oidcConnectedRP',
813 814
            documentation => 'Display OIDC consent tab in portal',
        },
815 816

        # Cookies
Xavier Guimard's avatar
Xavier Guimard committed
817
        cookieExpiration => {
818
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
819 820 821
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Xavier Guimard's avatar
Xavier Guimard committed
822
        cookieName => {
823 824 825 826 827
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Xavier Guimard's avatar
Xavier Guimard committed
828
            flags         => 'hp',
829 830
        },
        domain => {
831 832 833 834
            type    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
            msgFail => '__badDomainName__',
            default => 'example.com',
835
            documentation => 'DNS domain',
Xavier Guimard's avatar
Xavier Guimard committed
836
            flags         => 'hp',
837 838 839 840 841
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Xavier Guimard's avatar
Xavier Guimard committed
842
            flags         => 'hp',
843 844 845 846 847 848 849 850 851 852 853
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Xavier Guimard's avatar
Xavier Guimard committed
854
            flags         => 'hp',
855 856 857
        },

        # Notification
858
        oldNotifFormat => {
Xavier Guimard's avatar
Xavier Guimard committed
859 860
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
861
            documentation => 'Use old XML format for notifications',
862
        },
863 864 865 866 867
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Xavier Guimard's avatar
Xavier Guimard committed
868 869 870 871 872
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
873 874 875 876
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
877 878 879 880 881
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
900
            default       => 1,
901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
920
            keyMsgFail    => '__badVariableName__',
921 922 923 924 925 926 927 928
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
929
                'exportedvars.html#extend_variables_using_macros_and_groups',
930 931 932 933 934 935 936
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
937
                'exportedvars.html#extend_variables_using_macros_and_groups',
938
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
939
            keyMsgFail    => '__badMacroName__',
940 941 942 943 944 945 946 947 948 949
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Xavier Guimard's avatar
Xavier Guimard committed
950
            flags         => 'hp',
951 952 953 954 955 956 957
        },
        globalStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'Directory'     => '/var/lib/lemonldap-ng/sessions/',
                'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
                'generateModule' =>
958
                    'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
959 960
            },
            documentation => 'Session backend module options',
Xavier Guimard's avatar
Xavier Guimard committed
961
            flags         => 'hp',
962 963
        },
        localSessionStorage => {
Xavier Guimard's avatar
Xavier Guimard committed
964 965
            type          => 'PerlModule',
            default       => 'Cache::FileCache',
Xavier Guimard's avatar
Xavier Guimard committed
966
            documentation => 'Local sessions cache module',
967 968 969 970 971 972 973 974 975 976 977 978 979 980
        },
        localSessionStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'namespace'          => 'lemonldap-ng-sessions',
                'default_expires_in' => 600,
                'directory_umask'    => '007',
                'cache_root'         => '/tmp',
                'cache_depth'        => 3,
            },
            documentation => 'Sessions cache module options',
        },

        # Persistent storage
Xavier Guimard's avatar
Xavier Guimard committed
981 982 983 984 985 986 987 988 989 990 991 992 993
        persistentStorage => {
            type          => 'PerlModule',
            documentation => 'Storage module for persistent sessions'
        },
        persistentStorageOptions => {
            type          => 'keyTextContainer',
            documentation => 'Options for persistent sessions storage module'
        },
        sessionDataToRemember => {
            type          => 'keyTextContainer',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
            keyMsgFail    => '__invalidSessionData__',
            documentation => 'Data to remember in login history',
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015
        },

        # SAML issuer
        issuerDBSAMLActivation => {
            default       => 0,
            type          => 'bool',
            documentation => 'SAML IDP activation',
        },
        issuerDBSAMLPath => {
            type          => 'pcre',
            default       => '^/saml/',
            documentation => 'SAML IDP request path',
        },
        issuerDBSAMLRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'SAML IDP rule',
        },

        # OpenID-Connect issuer
        issuerDBOpenIDConnectActivation => {
            type          => 'bool',
1016
            default       => 0,
1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
            documentation => 'OpenID Connect server activation',
        },
        issuerDBOpenIDConnectPath => {
            type          => 'text',
            default       => '^/oauth2/',
            documentation => 'OpenID Connect server request path',
        },
        issuerDBOpenIDConnectRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'OpenID Connect server rule',
        },

1030 1031 1032
        # GET issuer
        issuerDBGetActivation => {
            type          => 'bool',
1033
            default       => 0,
1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055
            documentation => 'Get issuer activation',
        },
        issuerDBGetPath => {
            type          => 'text',
            default       => '^/get/',
            documentation => 'Get issuer request path',
        },
        issuerDBGetRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Get issuer rule',
        },
        issuerDBGetParameters => {
            type       => 'doubleHash',
            default    => {},
            keyTest    => qr/^$Regexp::Common::URI::RFC2396::hostname$/,
            keyMsgFail => '__badHostname__',
            test       => {
                keyTest    => qr/^(?=[^\-])[\w\-]+(?<=[^-])$/,
                keyMsgFail => '__badKeyName__',
                test       => sub {
                    my ( $val, $conf ) = @_;
1056
                    return 1
1057
                        if ( defined $conf->{macros}->{$val}
1058 1059 1060
                        or $val eq '_timezone' );
                    foreach ( keys %$conf ) {
                        return 1
1061
                            if ( $_ =~ /exportedvars$/i
1062
                            and defined $conf->{$_}->{$val} );
1063
                    }
1064
                    return ( 1, "__unknownAttrOrMacro__: $val" );
1065 1066 1067 1068 1069
                },
            },
            documentation => 'List of virtualHosts with their get parameters',
        },

1070 1071 1072 1073 1074 1075 1076
        # Password
        mailOnPasswordChange => {
            default       => 0,
            type          => 'bool',
            documentation => 'Send a mail when password is changed',
        },
        portalRequireOldPassword => {
1077 1078 1079 1080
            default => 1,
            type    => 'bool',
            documentation =>
                'Old password is required to change the password',
1081 1082 1083 1084 1085 1086 1087
        },
        hideOldPassword => {
            default       => 0,
            type          => 'bool',
            documentation => 'Hide old password in portal',
        },

1088
        # SMTP server
1089
        SMTPServer => {
1090 1091
            type    => 'text',
            default => '',
1092
            test => qr/^(?:$Regexp::Common::URI::RFC2396::host(?::\d+)?)?$/,
1093 1094
            documentation => 'SMTP Server',
        },
1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112
        SMTPPort => {
            type          => 'int',
            documentation => 'Fix SMTP port',
        },
        SMTPTLS => {
            type    => 'select',
            default => '',
            select  => [
                { k => '',         v => 'none' },
                { k => 'starttls', v => 'SMTP + STARTTLS' },
                { k => 'ssl',      v => 'SMTPS' },
            ],
            documentation => 'TLS protocol to use with SMTP',
        },
        SMTPTLSOpts => {
            type          => 'keyTextContainer',
            documentation => 'TLS/SSL options for SMTP',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1113 1114 1115 1116 1117 1118 1119 1120
        SMTPAuthUser => {
            type          => 'text',
            documentation => 'Login to use to send mails',
        },
        SMTPAuthPass => {
            type          => 'password',
            documentation => 'Password to use to send mails',
        },
1121

1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139
        # Mails
        mailCharset => {
            type          => 'text',
            default       => 'utf-8',
            documentation => 'Mail charset',
        },
        mailFrom => {
            type          => 'text',
            default       => 'noreply@example.com',
            documentation => 'Sender email',
        },
        mailSessionKey => {
            type          => 'text',
            default       => 'mail',
            documentation => 'Session parameter where mail is stored',
        },
        mailReplyTo =>
            { type => 'text', documentation => 'Reply-To address' },
1140
        mailPwdRstTimeout => {
1141 1142
            type          => 'int',
            default       => 0,
1143
            documentation => 'Mail password reset session timeout',
1144 1145 1146 1147
        },

        # Password reset
        mailPwdRstBody =>
1148
            { type => 'longtext', documentation => 'Custom password reset mail body', },
1149 1150 1151

        mailPwdRstConfirmBody => {
            type          => 'longtext',
1152
            documentation => 'Custom confirm password reset mail body',
1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168
        },
        mailPwdRstConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for reset confirmation',
        },
        mailPwdRstSubject => {
            type          => 'text',
            documentation => 'Mail subject for new password email',
        },

        mailPwdRstUrl => {
            type          => 'url',
            default       => 'http://auth.example.com/resetpwd',
            documentation => 'URL of password reset page',
        },

1169 1170 1171 1172 1173 1174 1175 1176
        # Registration
        registerConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for register confirmation',
        },
        registerDB => {
            type   => 'select',
            select => [
1177 1178 1179 1180 1181
                { k => 'AD',     v => 'Active Directory' },
                { k => 'Demo',   v => 'Demonstration' },
                { k => 'LDAP',   v => 'LDAP' },
                { k => 'Null',   v => 'None' },
                { k => 'Custom', v => 'customModule' },
1182
            ],
1183
            default       => 'Null',
1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194
            documentation => 'Register module',
        },
        registerDoneSubject => {
            type          => 'text',
            documentation => 'Mail subject when register is done',
        },
        registerTimeout => {
            default       => 0,
            type          => 'int',
            documentation => 'Register session timeout',
        },
1195 1196
        registerUrl => {
            type          => 'text',
1197
            default       => 'http://auth.example.com/register',
1198 1199
            documentation => 'URL of register page',
        },
1200

1201 1202 1203
        # Upgrade session
        upgradeSession => {
            type          => 'bool',
1204
            default       => 1,
1205 1206
            documentation => 'Upgrade session activation',
        },
1207

1208 1209 1210 1211
        # 2F
        max2FDevices => {
            default       => 10,
            type          => 'int',
1212
            documentation => 'Maximum registered 2F devices',
1213 1214 1215 1216
        },
        max2FDevicesNameLength => {
            default       => 20,
            type          => 'int',