package Lemonldap::NG::Manager::Conf::Tests;

use strict;
use warnings;
use utf8;

use Lemonldap::NG::Common::Regexp;

# Package version
our $VERSION = '2.0.0';

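## @method hashref tests(hashref conf)
# Return a hash ref where keys are the names of the tests and values
# subroutines to execute.
#
# Subroutines can return one of the followings :
# -  (1)         : everything is OK
# -  (1,message) : OK with a warning
# -  (0,message) : NOK
# - (-1,message) : OK, but must be confirmed (ignored if confirm parameter is
# set)
#
# Those subroutines can also modify configuration (portalURL normalizes
# $conf->{portal} in place). They close over the $conf hash ref given here
# and read it when they are called, not when this method runs.
#
# @param $conf Configuration to test
# @return hash ref where keys are the names of the tests and values
# subroutines to execute
sub tests {
    my $conf = shift;
    return {

        # 1. CHECKS

        # Check if portal is in domain.
        # The SSO cookie is scoped to $conf->{domain}, so the portal host has
        # to be that domain or one of its sub-domains. Compare on host name
        # boundaries: a plain substring test accepts "https://notexample.com/"
        # for domain "example.com". The substring test is kept only as a
        # fallback when the portal is not an absolute http(s) URL.
        portalIsInDomain => sub {
            my $domain = defined $conf->{domain} ? $conf->{domain} : '';
            my $host   = _urlHost( $conf->{portal} );
            my $ok =
              defined $host
              ? _hostInDomain( $host, $domain )
              : index( ( defined $conf->{portal} ? $conf->{portal} : '' ),
                $domain ) > 0;
            return (
                1,
                (
                    $ok
                    ? ''
                    : "Portal seems not to be in the domain $domain"
                )
            );
        },

        # Check if portal URL is well formated: make sure it ends with exactly
        # one slash (this modifies $conf->{portal} in place)
        portalURL => sub {
            $conf->{portal} = '' unless ( defined $conf->{portal} );

            # Add the ending slash if missing, then collapse repeated ones
            $conf->{portal} .= '/' unless ( $conf->{portal} =~ m{/$} );
            $conf->{portal} =~ s{/+$}{/};
            return 1;
        },

        # Check if virtual hosts are in the domain, unless cross-domain
        # authentication is enabled. Same host-boundary comparison as
        # portalIsInDomain: a handler on "evil-example.com" does not receive
        # a cookie scoped to "example.com", so a substring test is not enough.
        vhostInDomainOrCDA => sub {
            return 1 if ( $conf->{cda} );
            my @pb = grep { !_hostInDomain( $_, $conf->{domain} ) }
              sort keys %{ $conf->{locationRules} || {} };
            return (
                1,
                (
                    @pb
                    ? 'Virtual hosts '
                      . join( ', ', @pb )
                      . " are not in $conf->{domain} and cross-domain-authentication is not set"
                    : undef
                )
            );
        },

        # Check if virtual host do not contain a port
        vhostWithPort => sub {
            my @pb = grep { /:/ } sort keys %{ $conf->{locationRules} || {} };
            return 1 unless (@pb);
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " contain a port, this is not allowed" );
        },

        # Force vhost to be lowercase
        vhostUpperCase => sub {
            my @pb = grep { $_ ne lc $_ }
              sort keys %{ $conf->{locationRules} || {} };
            return 1 unless (@pb);
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " must be in lower case" );
        },

        # Check if "userDB" and "authentication" are consistent: a federated
        # user database can only be used with the matching authentication
        # module
        authAndUserDBConsistency => sub {
            my $userDB = defined $conf->{userDB} ? $conf->{userDB} : '';
            my $auth =
              defined $conf->{authentication} ? $conf->{authentication} : '';
            foreach
              my $type (qw(Facebook Google OpenID OpenIDConnect SAML WebID))
            {
                # Exact comparison on purpose: "OpenID" is a prefix of
                # "OpenIDConnect", so an unanchored regex let
                # userDB=OpenID pass with authentication=OpenIDConnect
                return ( 0,
"\"$type\" can not be used as user database without using \"$type\" for authentication"
                ) if ( $userDB eq $type and $auth ne $type );
            }
            return 1;
        },

        # Check that OpenID SREG attributes and whatToTrace point to an
        # exported attribute or a macro. Values starting with "_" are skipped
        # (presumably built-in session keys such as _whatToTrace).
        checkAttrAndMacros => sub {
            my $exported = $conf->{exportedVars} || {};
            my $macros   = $conf->{macros}       || {};
            my @tmp;
            foreach my $k ( sort keys %$conf ) {
                next
                  unless ( $k =~
/^(?:openIdSreg_(?:(?:(?:full|nick)nam|languag|postcod|timezon)e|country|gender|email|dob)|whatToTrace)$/
                  );
                my $v = defined $conf->{$k} ? $conf->{$k} : '';
                next if ( $v =~ /^_/ );

                # "defined( A or defined(B) )" used to wrap the whole
                # disjunction, which is always defined, so this test never
                # reported anything: test each lookup separately
                push @tmp, $k
                  unless ( defined $exported->{$v}
                    or defined $macros->{$v} );
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not defined in exported attributes or macros'
                    : ''
                )
            );
        },

        # Test that variables are exported if Google is used as UserDB
        checkUserDBGoogleAXParams => sub {
            my @tmp;
            if ( ( defined $conf->{userDB} ? $conf->{userDB} : '' ) eq
                'Google' )
            {
                my $exported = $conf->{exportedVars} || {};
                @tmp =
                  grep { $_ !~ Lemonldap::NG::Common::Regexp::GOOGLEAXATTR() }
                  map { $exported->{$_} } sort keys %$exported;
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not exported by Google'
                    : ''
                )
            );
        },

        # Test that variables are exported if OpenID is used as UserDB
        checkUserDBOpenIDParams => sub {
            my @tmp;
            if ( ( defined $conf->{userDB} ? $conf->{userDB} : '' ) eq
                'OpenID' )
            {
                my $exported = $conf->{exportedVars} || {};
                @tmp =
                  grep { $_ !~ Lemonldap::NG::Common::Regexp::OPENIDSREGATTR() }
                  map { $exported->{$_} } sort keys %$exported;
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not exported by OpenID SREG'
                    : ''
                )
            );
        },

        # Try to use Apache::Session module: create a session, read it back
        # through a fresh tie and delete it. Skipped when the backend is the
        # one already loaded by the running handler or a Lemonldap::NG wrapper
        # module.
        testApacheSession => sub {
            my ( $id, %h );
            my $gc =
              $Lemonldap::NG::Handler::PSGI::Main::tsv->{sessionStorageModule};
            my $backend =
              defined $conf->{globalStorage} ? $conf->{globalStorage} : '';
            return 1
              if ( ( $gc and $gc eq $backend )
                or $backend =~ /^Lemonldap::NG::Common::Apache::Session::/ );

            # $backend comes from the stored configuration and is interpolated
            # into a string eval below: only a bare package name may go
            # through, otherwise a tampered configuration could run arbitrary
            # Perl with the manager's privileges
            return ( 0, "Invalid session backend name \"$backend\"" )
              unless ( $backend =~ /^[A-Za-z_]\w*(?:::\w+)*\z/ );
            eval "use $backend";
            return ( -1, "Unknown package $backend" ) if ($@);
            my %args = (
                %{ $conf->{globalStorageOptions} || {} },
                backend => $backend
            );
            eval {
                tie %h, 'Lemonldap::NG::Common::Apache::Session', undef,
                  {%args};
            };
            return ( -1, "Unable to create a session ($@)" )
              if ( $@ or not tied(%h) );
            eval {
                $h{a} = 1;

                # die, not return: a "return" here only leaves the eval block
                # and the missing id would be silently ignored
                $id = $h{_session_id} or die "No _session_id\n";
                untie(%h);
                tie %h, 'Lemonldap::NG::Common::Apache::Session', $id,
                  {%args};
            };
            return ( -1, "Unable to insert data ($@)" ) if ($@);
            return ( -1, "Unable to recover data stored" )
              unless ( defined $h{a} and $h{a} == 1 );
            eval { tied(%h)->delete; };
            return ( -1, "Unable to delete session ($@)" ) if ($@);
            return ( -1,
'All sessions may be lost and you must restart all your Apache servers'
            ) if ( $gc and $backend ne $gc );
            return 1;
        },

        # Warn if cookie name has changed
        cookieNameChanged => sub {

            # NOTE(review): testApacheSession reads the handler globals from
            # ...::PSGI::Main::tsv while this one reads ...::PSGI::API::tsv;
            # confirm both are populated inside the manager
            my $cn = $Lemonldap::NG::Handler::PSGI::API::tsv->{cookieName};
            my $current =
              defined $conf->{cookieName} ? $conf->{cookieName} : '';
            return 1 unless ( $cn and $cn ne $current );
            return ( 1,
                'Cookie name has changed, you must restart all your web servers'
            );
        },

        # Error if cookie TTL is one minute or lower, warn if it is lower than
        # one hour. 0 (or an unset value) is accepted as is: the one-hour
        # check already exempted 0, but it was unreachable because the
        # one-minute check rejected it first.
        cookieTTL => sub {
            my $ttl = $conf->{cookieExpiration};
            return 1 unless ( defined $ttl and length $ttl );
            return ( 0, "Cookie TTL must be a positive integer" )
              unless ( $ttl =~ /^\d+\z/ );
            return 1 if ( $ttl == 0 );
            return ( 0, "Cookie TTL must be higher than one minute" )
              unless ( $ttl > 60 );
            return ( 1, "Cookie TTL should be higher or equal than one hour" )
              unless ( $ttl >= 3600 );
            return 1;
        },

        # Warn if manager seems to be unprotected
        managerProtection => sub {
            my $author =
              defined $conf->{cfgAuthor} ? $conf->{cfgAuthor} : '';
            return (
                1,
                (
                    $author eq 'anonymous'
                    ? 'Your manager seems to be unprotected'
                    : ''
                )
            );
        },

        # Test SMTP connection and authentication (warning only)
        smtpConnectionAuthentication => sub {

            # Skip test if no SMTP configuration
            return 1 unless ( $conf->{SMTPServer} );

            # Use SMTP
            eval "use Net::SMTP";
            return ( 1, "Net::SMTP module is required to use SMTP server" )
              if ($@);

            # Create SMTP object
            my $smtp = Net::SMTP->new( $conf->{SMTPServer}, Timeout => 5 );
            return ( 1,
                "SMTP connection to " . $conf->{SMTPServer} . " failed" )
              unless ($smtp);

            my @res = (1);
            if ( $conf->{SMTPAuthUser} and $conf->{SMTPAuthPass} ) {

                # NOTE(review): the configured password is sent with AUTH on
                # a plain connection (no starttls() here); this is only safe
                # when the SMTP server is local or the link is otherwise
                # protected
                @res = ( 1, "SMTP authentication failed" )
                  unless $smtp->auth( $conf->{SMTPAuthUser},
                    $conf->{SMTPAuthPass} );
            }

            # Close the test session instead of leaving the socket open until
            # the object is garbage collected
            $smtp->quit;
            return @res;
        },

        # SAML entity ID must be uniq
        samlIDPEntityIdUniqueness => sub {
            return _samlEntityIdUniqueness( $conf->{samlIDPMetaDataXML},
                'samlIDPMetaDataXML' );
        },
        samlSPEntityIdUniqueness => sub {
            return _samlEntityIdUniqueness( $conf->{samlSPMetaDataXML},
                'samlSPMetaDataXML' );
        },

        # Try to parse combination with declared modules
        checkCombinations => sub {
            return 1
              unless ( ( defined $conf->{authentication}
                    ? $conf->{authentication}
                    : '' ) eq 'Combination' );
            require Lemonldap::NG::Common::Combination::Parser;
            return ( 0, 'No module declared for combination' )
              unless ( $conf->{combModules} and %{ $conf->{combModules} } );
            my $moduleList = {};
            foreach my $md ( keys %{ $conf->{combModules} } ) {
                my $entry = $conf->{combModules}->{$md};
                my $for = defined $entry->{for} ? $entry->{for} : 0;

                # "for" selects which of the two slots is left undefined;
                # presumably [ authentication, userDB ] — confirm against the
                # combination parser
                $moduleList->{$md} =
                    $for == 2 ? [ undef, {} ]
                  : $for == 1 ? [ {}, undef ]
                  :             [ {}, {} ];
            }
            eval {
                Lemonldap::NG::Common::Combination::Parser->parse( $moduleList,
                    $conf->{combination} );
            };
            return ( 0, $@ ) if ($@);
            return 1;
        },

        # Warn if 2F dependencies seem missing
        sfaDependencies => sub {
            return 1
              unless (
                grep { $conf->{ $_ . '2fActivation' } }
                qw(u totp utotp yubikey)
              );

            # Use TOTP
            if ( $conf->{totp2fActivation} or $conf->{utotp2fActivation} ) {
                eval "use Convert::Base32";
                return ( 1,
                    "Convert::Base32 module is required to enable TOTP" )
                  if ($@);
            }

            # Use U2F
            if ( $conf->{u2fActivation} or $conf->{utotp2fActivation} ) {
                eval "use Crypt::U2F::Server::Simple";
                return ( 1,
"Crypt::U2F::Server::Simple module is required to enable U2F"
                ) if ($@);
            }

            # Use Yubikey
            if ( $conf->{yubikey2fActivation} ) {
                eval "use Auth::Yubikey_WebClient";
                return ( 1,
"Auth::Yubikey_WebClient module is required to enable Yubikey"
                ) if ($@);
            }
            return 1;
        },

        # Warn if TOTP or U2F is enabled with UTOTP (U2F + TOTP)
        utotp => sub {
            return 1 unless ( $conf->{utotp2fActivation} );
            my $w = '';
            foreach my $m ( 'totp', 'u' ) {
                my $activation = $conf->{ $m . '2fActivation' };
                $w .= uc($m) . "2F is activated twice \n"
                  if ( defined $activation and $activation eq '1' );
            }
            return ( 1, ( $w ? $w : () ) );
        },

        # Warn if TOTP not 6 or 8 digits long
        totp2fDigits => sub {
            return 1 unless ( $conf->{totp2fActivation} );
            return 1 unless ( defined $conf->{totp2fDigits} );
            my $digits = $conf->{totp2fDigits};
            return (
                1,
                (
                    ( $digits == 6 or $digits == 8 )
                    ? ''
                    : 'TOTP should be 6 or 8 digits long'
                )
            );
        },

        # Test TOTP params
        totp2fParams => sub {
            return 1 unless ( $conf->{totp2fActivation} );

            # NOTE(review): the range is only checked for presence; each
            # unit of range widens the set of accepted codes by one interval
            # on each side, so large values should be avoided
            return ( 0, 'TOTP range must be defined' )
              unless ( $conf->{totp2fRange} );
            my $interval =
              defined $conf->{totp2fInterval} ? $conf->{totp2fInterval} : 0;
            return ( 1, "TOTP interval should be higher than 10s" )
              unless ( $interval > 10 );
            return 1;
        },

        # Error if Yubikey client ID and secret key are missing or empty
        # Warn if Yubikey public ID size is not 12 digits long
        yubikey2fParams => sub {
            return 1 unless ( $conf->{yubikey2fActivation} );
            return ( 0, "Yubikey client ID and secret key must be set" )
              unless ( _isSet( $conf->{yubikey2fSecretKey} )
                && _isSet( $conf->{yubikey2fClientID} ) );
            my $size =
              defined $conf->{yubikey2fPublicIDSize}
              ? $conf->{yubikey2fPublicIDSize}
              : 0;
            return (
                1,
                (
                    ( $size == 12 )
                    ? ''
                    : 'Yubikey public ID size should be 12 digits long'
                )
            );
        },

        # Error if REST 2F verify URL is missing or empty, warn if it is not
        # https (whatever the portal posts there travels in clear otherwise)
        rest2fVerifyUrl => sub {
            return 1 unless ( $conf->{rest2fActivation} );
            return ( 0, "REST 2F Verify URL must be set" )
              unless ( _isSet( $conf->{rest2fVerifyUrl} ) );
            return ( 1, "REST 2F Verify URL should use https" )
              if ( $conf->{rest2fVerifyUrl} =~ m{^\s*http://}i );
            return 1;
        },

        # Warn if 2FA is required without a registrable 2F module enabled
        required2FA => sub {
            return 1 unless ( $conf->{sfRequired} );
            my $ok = grep {
                      $conf->{ $_ . '2fActivation' }
                  and $conf->{ $_ . '2fSelfRegistration' }
            } qw(u totp yubikey);
            $ok ||= $conf->{utotp2fActivation}
              && ( $conf->{u2fSelfRegistration}
                || $conf->{totp2fSelfRegistration} );
            return (
                1,
                (
                    $ok
                    ? ''
                    : "A self registrable module should be enabled to require 2FA"
                )
            );
        },

        # Error if external 2F Send or Validate command is missing or empty
        ext2fCommands => sub {
            return 1 unless ( $conf->{ext2fActivation} );
            return ( 0, "External 2F Send or Validate command must be set" )
              unless ( _isSet( $conf->{ext2FSendCommand} )
                && _isSet( $conf->{ext2FValidateCommand} ) );
            return 1;
        },

        # Error if XSRF form token TTL is 30s or lower, warn if it is higher
        # than two minutes (a long-lived token widens the window in which a
        # leaked token stays usable)
        formTimeout => sub {
            return 1 unless ( defined $conf->{formTimeout} );
            return ( 0, "XSRF form token TTL must be higher than 30s" )
              unless ( $conf->{formTimeout} > 30 );
            return ( 1, "XSRF form token TTL should not be higher than 2mn" )
              if ( $conf->{formTimeout} > 120 );
            return 1;
        },
    };
}

## @method private string _urlHost(string url)
# Extract the host part of an absolute http(s) URL.
# @param $url URL to parse (may be undef)
# @return lower-cased host, without user info or port, or undef when $url is
# not an absolute http(s) URL
sub _urlHost {
    my $url = shift;
    return unless ( defined $url );

    # optional "user:password@", then a bracketed IPv6 literal or a host name
    return lc $1
      if ( $url =~ m{^\s*https?://(?:[^/?#@]*@)?(\[[^\]]*\]|[^/:?#\s]+)}i );
    return;
}

## @method private bool _hostInDomain(string host, string domain)
# Tell whether a host name is the domain itself or one of its sub-domains,
# the way a browser matches a cookie "Domain" attribute.
# @param $host host name to check
# @param $domain SSO domain (a leading dot is ignored)
# @return 1 if $host belongs to $domain, 0 otherwise (including when either
# argument is missing)
sub _hostInDomain {
    my ( $host, $domain ) = @_;
    return 0 unless ( defined $host and defined $domain and length $domain );
    $host   = lc $host;
    $domain = lc $domain;
    $domain =~ s/^\.//;
    my $in = ( $host eq $domain or $host =~ /\.\Q$domain\E\z/ );
    return $in ? 1 : 0;
}

## @method private bool _isSet(scalar value)
# @param $value configuration value
# @return true if $value is defined and not the empty string
sub _isSet {
    my $value = shift;
    return ( defined $value and length $value ) ? 1 : 0;
}

## @method private list _samlEntityIdUniqueness(hashref metadata, string key)
# Check that every entry of a SAML metadata hash carries an entityID and that
# no two entries share it.
# @param $metadata hash ref "entity name => { $key => XML string }"
# @param $key name of the field holding the metadata XML
# @return (1) when the hash is empty or missing, otherwise (1, '') when all
# entity IDs are distinct and (0, message) when one is missing or duplicated
sub _samlEntityIdUniqueness {
    my ( $metadata, $key ) = @_;
    return 1 unless ( $metadata and %$metadata );
    my @msg;
    my $res = 1;
    my %entityIds;
    foreach my $id ( sort keys %$metadata ) {
        my $xml = $metadata->{$id}->{$key};
        unless ( defined $xml and $xml =~ /entityID=(['"])(.+?)\1/si ) {
            push @msg, "$id SAML metadata has no EntityID";
            $res = 0;
            next;
        }
        my $eid = $2;
        if ( defined $entityIds{$eid} ) {
            push @msg, "$id and $entityIds{$eid} have the same SAML EntityID";
            $res = 0;
            next;
        }
        $entityIds{$eid} = $id;
    }
    return ( $res, join( ', ', @msg ) );
}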

1;