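package Lemonldap::NG::Manager::Conf::Tests;

# Strictures were missing: every sub below declares its lexicals with "my"
# and qualifies the package globals it reads, so enabling them is safe.
use strict;
use warnings;
use utf8;
use Lemonldap::NG::Common::Regexp;

our $VERSION = '2.0.0';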

## @method hashref tests(hashref conf)
# Return a hash ref where keys are the names of the tests and values
# subroutines to execute.
#
# Subroutines can return one of the following:
# -  (1)         : everything is OK
# -  (1,message) : OK with a warning
# -  (0,message) : NOK
# - (-1,message) : OK, but must be confirmed (ignored if the confirm parameter
#                  is set)
#
# Those subroutines can also modify configuration.
#
# @param $conf Configuration to test
# @return hash ref where keys are the names of the tests and values the
#         subroutines to execute
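sub tests {
    my $conf = shift;

    # Every value is a closure over $conf returning (status, message) as
    # described in the header comment.  Checks that mutate $conf say so.
    return {

        # 1. CHECKS

        # Check if portal is in domain.  index() == 0 means the portal is
        # written without a scheme but still starts with the domain, so it is
        # accepted here exactly like vhostInDomainOrCDA accepts it.
        portalIsInDomain => sub {
            my $domain = defined $conf->{domain} ? $conf->{domain} : '';
            my $in_domain = defined $conf->{portal}
              && index( $conf->{portal}, $domain ) >= 0;
            return 1 if $in_domain;
            return ( 1, "Portal seems not to be in the domain $domain" );
        },

        # Check if portal URL is well formated: leave exactly one trailing
        # slash (this check modifies the configuration).
        portalURL => sub {
            $conf->{portal} = '' unless defined $conf->{portal};
            $conf->{portal} =~ s{/*$}{/};
            return 1;
        },

        # Check if virtual hosts are in the domain (skipped when
        # cross-domain authentication is enabled)
        vhostInDomainOrCDA => sub {
            return 1 if ( $conf->{cda} );
            my $domain = defined $conf->{domain} ? $conf->{domain} : '';
            my @pb = grep { index( $_, $domain ) < 0 } _vhosts($conf);
            return 1 unless @pb;
            return ( 1,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " are not in $domain and cross-domain-authentication is not set"
            );
        },

        # Check if virtual host do not contain a port
        vhostWithPort => sub {
            my @pb = grep { /:/ } _vhosts($conf);
            return 1 unless @pb;
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " contain a port, this is not allowed" );
        },

        # Force vhost to be lowercase
        vhostUpperCase => sub {
            my @pb = grep { $_ ne lc $_ } _vhosts($conf);
            return 1 unless @pb;
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " must be in lower case" );
        },

        # Check if "userDB" and "authentication" are consistent: these
        # backends can only serve as user database together with the same
        # authentication module.  \b keeps "OpenID" from matching
        # "OpenIDConnect".
        authAndUserDBConsistency => sub {
            my $udb = defined $conf->{userDB} ? $conf->{userDB} : '';
            my $auth =
              defined $conf->{authentication} ? $conf->{authentication} : '';
            foreach
              my $type (qw(Facebook Google OpenID OpenIDConnect SAML WebID))
            {
                next unless $udb =~ /\b\Q$type\E\b/;
                return ( 0,
"\"$type\" can not be used as user database without using \"$type\" for authentication"
                ) unless $auth =~ /\b\Q$type\E\b/;
            }
            return 1;
        },

        # Check that the attributes named by whatToTrace and the OpenID SREG
        # parameters exist as exported attributes or macros.
        checkAttrAndMacros => sub {
            my $attr_re =
qr/^(?:openIdSreg_(?:(?:(?:full|nick)nam|languag|postcod|timezon)e|country|gender|email|dob)|whatToTrace)$/;
            my @tmp;
            foreach my $k ( sort grep { $_ =~ $attr_re } keys %$conf ) {
                my $v = defined $conf->{$k} ? $conf->{$k} : '';

                # Names starting with "_" are skipped (presumably attributes
                # the portal sets itself; not checked here)
                next if ( $v =~ /^_/ );

                # A value of "0" or "" is still a declared attribute, hence
                # two separate defined() tests
                next if ( defined $conf->{exportedVars}->{$v} );
                next if ( defined $conf->{macros}->{$v} );
                push @tmp, $k;
            }
            return 1 unless @tmp;
            return ( 1,
                    'Values of parameter(s) "'
                  . join( ', ', @tmp )
                  . '" are not defined in exported attributes or macros' );
        },

        # Test that variables are exported if Google is used as UserDB
        checkUserDBGoogleAXParams => sub {
            return 1
              unless ( defined $conf->{userDB}
                and $conf->{userDB} =~ /^Google$/ );
            my @tmp = _exported_vars_not_matching( $conf,
                Lemonldap::NG::Common::Regexp::GOOGLEAXATTR() );
            return 1 unless @tmp;
            return ( 1,
                    'Values of parameter(s) "'
                  . join( ', ', @tmp )
                  . '" are not exported by Google' );
        },

        # Test that variables are exported if OpenID is used as UserDB
        checkUserDBOpenIDParams => sub {
            return 1
              unless ( defined $conf->{userDB}
                and $conf->{userDB} =~ /^OpenID$/ );
            my @tmp = _exported_vars_not_matching( $conf,
                Lemonldap::NG::Common::Regexp::OPENIDSREGATTR() );
            return 1 unless @tmp;
            return ( 1,
                    'Values of parameter(s) "'
                  . join( ', ', @tmp )
                  . '" are not exported by OpenID SREG' );
        },

        # Try to use Apache::Session module: create a session, read it back
        # through a second tie and delete it.  Every failure is reported as
        # -1 (needs confirmation) because the backend may be reachable only
        # from the portal hosts.
        testApacheSession => sub {
            my ( $id, %h );
            my $gc =
              $Lemonldap::NG::Handler::PSGI::Main::tsv->{sessionStorageModule};
            my $module = $conf->{globalStorage};
            return 1
              if ( defined $module
                and ( ( $gc and $gc eq $module )
                    or $module =~ /^Lemonldap::NG::Common::Apache::Session::/ )
              );

            # The module name comes from the configuration and is loaded by
            # name: accept a plain package name only, and load it through
            # require() instead of a string eval of the configured value.
            return ( -1, "Unknown package "
                  . ( defined $module ? $module : '' ) )
              unless ( defined $module and $module =~ /^\w+(?:::\w+)*$/ );
            return ( -1, "Unknown package $module" )
              if _module_missing($module);

            my %opts = (
                %{ $conf->{globalStorageOptions} || {} },
                backend => $module
            );
            eval {
                tie %h, 'Lemonldap::NG::Common::Apache::Session', undef,
                  {%opts};
            };
            return ( -1, "Unable to create a session ($@)" )
              if ( $@ or not tied(%h) );
            eval {
                $h{a} = 1;
                $id = $h{_session_id};

                # Re-open the session by id only when we got one; a bare
                # "return" here would leave the eval, not the test
                if ($id) {
                    untie(%h);
                    tie %h, 'Lemonldap::NG::Common::Apache::Session', $id,
                      {%opts};
                }
            };
            return ( -1, "Unable to insert data ($@)" ) if ($@);
            unless ($id) {

                # Best-effort cleanup of the test session before reporting
                eval { tied(%h)->delete; };
                return ( -1, 'No _session_id' );
            }
            return ( -1, "Unable to recover data stored" )
              unless ( defined $h{a} and $h{a} == 1 );
            eval { tied(%h)->delete; };
            return ( -1, "Unable to delete session ($@)" ) if ($@);
            return ( -1,
'All sessions may be lost and you must restart all your Apache servers'
            ) if ( $gc and $module ne $gc );
            return 1;
        },

        # Warn if cookie name has changed
        # NOTE(review): this reads ...::PSGI::API::tsv while testApacheSession
        # reads ...::PSGI::Main::tsv — confirm both globals are populated.
        cookieNameChanged => sub {
            my $cn = $Lemonldap::NG::Handler::PSGI::API::tsv->{cookieName};
            my $new =
              defined $conf->{cookieName} ? $conf->{cookieName} : '';
            return 1 unless ( $cn and $cn ne $new );
            return ( 1,
                'Cookie name has changed, you must restart all your web servers'
            );
        },

        # Error if cookie TTL is one minute or lower, warn if lower than one
        # hour.  0 means "session cookie" and is accepted by both tests (the
        # first test used to reject 0, making the second exemption
        # unreachable).
        cookieTTL => sub {
            return 1 unless ( defined $conf->{cookieExpiration} );
            my $ttl = $conf->{cookieExpiration};
            return 1 if ( $ttl == 0 );
            return ( 0, "Cookie TTL must be higher than one minute" )
              unless ( $ttl > 60 );
            return ( 1, "Cookie TTL should be higher or equal than one hour" )
              unless ( $ttl >= 3600 );
            return 1;
        },

        # Warn if manager seems to be unprotected
        managerProtection => sub {
            return 1
              unless ( defined $conf->{cfgAuthor}
                and $conf->{cfgAuthor} eq 'anonymous' );
            return ( 1, 'Your manager seems to be unprotected' );
        },

        # Test SMTP connection and authentication (warning only).  The
        # connection opened for the test is always closed before returning.
        smtpConnectionAuthentication => sub {

            # Skip test if no SMTP configuration
            return 1 unless ( $conf->{SMTPServer} );

            return ( 1, "Net::SMTP module is required to use SMTP server" )
              if _module_missing('Net::SMTP');

            # Create SMTP object
            my $smtp = Net::SMTP->new( $conf->{SMTPServer}, Timeout => 5 );
            return ( 1,
                "SMTP connection to " . $conf->{SMTPServer} . " failed" )
              unless ($smtp);

            # Try authentication only when credentials are configured
            my @result = (1);
            if ( $conf->{SMTPAuthUser} and $conf->{SMTPAuthPass} ) {
                @result = ( 1, "SMTP authentication failed" )
                  unless $smtp->auth( $conf->{SMTPAuthUser},
                    $conf->{SMTPAuthPass} );
            }
            $smtp->quit;
            return @result;
        },

        # SAML entity ID must be uniq
        samlIDPEntityIdUniqueness => sub {
            return _saml_entity_id_uniqueness( $conf, 'samlIDPMetaDataXML' );
        },
        samlSPEntityIdUniqueness => sub {
            return _saml_entity_id_uniqueness( $conf, 'samlSPMetaDataXML' );
        },

        # Try to parse combination with declared modules
        checkCombinations => sub {
            return 1
              unless ( defined $conf->{authentication}
                and $conf->{authentication} eq 'Combination' );
            return ( 0, 'No module declared for combination' )
              unless ( $conf->{combModules} and %{ $conf->{combModules} } );

            # Skeleton handed to the parser: "for" == 2 gives [undef, {}],
            # "for" == 1 gives [{}, undef], anything else [{}, {}]
            # (presumably [authentication, userDB]; confirm against Parser)
            my %module_list;
            foreach my $md ( keys %{ $conf->{combModules} } ) {
                my $for = $conf->{combModules}->{$md}->{for} || 0;
                $module_list{$md} =
                    $for == 2 ? [ undef, {} ]
                  : $for == 1 ? [ {}, undef ]
                  :             [ {}, {} ];
            }
            eval {
                require Lemonldap::NG::Common::Combination::Parser;
                Lemonldap::NG::Common::Combination::Parser->parse(
                    \%module_list, $conf->{combination} );
            };
            return ( 0, $@ ) if ($@);
            return 1;
        },

        # Warn if 2F dependencies seem missing
        sfaDependencies => sub {
            my $totp = $conf->{totp2fActivation} || $conf->{utotp2fActivation};
            my $u2f  = $conf->{u2fActivation}    || $conf->{utotp2fActivation};
            my $yubi = $conf->{yubikey2fActivation};
            return 1 unless ( $totp or $u2f or $yubi );

            return ( 1, "Convert::Base32 module is required to enable TOTP" )
              if ( $totp and _module_missing('Convert::Base32') );
            return ( 1,
                "Crypt::U2F::Server::Simple module is required to enable U2F"
            ) if ( $u2f and _module_missing('Crypt::U2F::Server::Simple') );
            return ( 1,
                "Auth::Yubikey_WebClient module is required to enable Yubikey"
            ) if ( $yubi and _module_missing('Auth::Yubikey_WebClient') );
            return 1;
        },

        # Warn if TOTP or U2F is enabled with UTOTP (U2F + TOTP)
        utotp => sub {
            return 1 unless ( $conf->{utotp2fActivation} );
            my $w = "";
            foreach my $prefix ( 'totp', 'u' ) {
                my $act = $conf->{ $prefix . '2fActivation' };
                $w .= uc($prefix) . "2F is activated twice \n"
                  if ( defined $act and $act eq '1' );
            }
            return $w ? ( 1, $w ) : 1;
        },

        # Warn if TOTP not 6 or 8 digits long
        totp2fDigits => sub {
            return 1 unless ( $conf->{totp2fActivation} );
            return 1 unless ( defined $conf->{totp2fDigits} );
            my $digits = $conf->{totp2fDigits};
            return 1 if ( $digits == 6 or $digits == 8 );
            return ( 1, 'TOTP should be 6 or 8 digits long' );
        },

        # Test TOTP params
        totp2fParams => sub {
            return 1 unless ( $conf->{totp2fActivation} );
            return ( 0, 'TOTP range must be defined' )
              unless ( $conf->{totp2fRange} );
            return ( 1, "TOTP interval should be higher than 10s" )
              unless ( ( $conf->{totp2fInterval} || 0 ) > 10 );
            return 1;
        },

        # Error if Yubikey client ID and secret key are missing
        # Warn if Yubikey public ID size is not 12 digits long
        yubikey2fParams => sub {
            return 1 unless ( $conf->{yubikey2fActivation} );
            return ( 0, "Yubikey client ID and secret key must be set" )
              unless ( defined $conf->{yubikey2fSecretKey}
                && defined $conf->{yubikey2fClientID} );
            return 1 if ( ( $conf->{yubikey2fPublicIDSize} || 0 ) == 12 );
            return ( 1, 'Yubikey public ID size should be 12 digits long' );
        },

        # Error if REST 2F verify URL is missing
        rest2fVerifyUrl => sub {
            return 1 unless ( $conf->{rest2fActivation} );
            return ( 0, "REST 2F Verify URL must be set" )
              unless ( defined $conf->{rest2fVerifyUrl} );
            return 1;
        },

        # Warn if 2FA is required without a registrable 2F module enabled
        required2FA => sub {
            return 1 unless ( $conf->{sfRequired} );
            my $ok = grep {
                      $conf->{ $_ . '2fActivation' }
                  and $conf->{ $_ . '2fSelfRegistration' }
            } qw(u totp yubikey);

            # UTOTP registers through either the U2F or the TOTP form
            $ok ||= $conf->{utotp2fActivation}
              && ( $conf->{u2fSelfRegistration}
                || $conf->{totp2fSelfRegistration} );
            return 1 if $ok;
            return ( 1,
                "A self registrable module should be enabled to require 2FA" );
        },

        # Error if external 2F Send or Validate command is missing
        ext2fCommands => sub {
            return 1 unless ( $conf->{ext2fActivation} );
            return ( 0, "External 2F Send or Validate command must be set" )
              unless ( defined $conf->{ext2FSendCommand}
                && defined $conf->{ext2FValidateCommand} );
            return 1;
        },

        # Error if XSRF form token TTL is 30s or lower, warn if it is higher
        # than 2 minutes
        formTimeout => sub {
            return 1 unless ( defined $conf->{formTimeout} );
            return ( 0, "XSRF form token TTL must be higher than 30s" )
              unless ( $conf->{formTimeout} > 30 );
            return ( 1, "XSRF form token TTL should not be higher than 2mn" )
              if ( $conf->{formTimeout} > 120 );
            return 1;
        },
    };
}

## @fn list _vhosts(hashref conf)
# Sorted list of the virtual hosts declared in locationRules (sorting makes
# the messages built from it deterministic).  Does not autovivify the key.
sub _vhosts {
    my ($conf) = @_;
    return sort keys %{ $conf->{locationRules} || {} };
}

## @fn list _exported_vars_not_matching(hashref conf, regexp re)
# Values of exportedVars that do not match $re.
sub _exported_vars_not_matching {
    my ( $conf, $re ) = @_;
    return grep { !defined $_ or $_ !~ $re }
      values %{ $conf->{exportedVars} || {} };
}

## @fn bool _module_missing(string name)
# True when Perl module $name cannot be loaded.  The name is turned into a
# file path so that require() can be used instead of a string eval.
sub _module_missing {
    my ($name) = @_;
    ( my $file = "$name.pm" ) =~ s{::}{/}g;
    return !eval { require $file; 1 };
}

## @fn list _saml_entity_id_uniqueness(hashref conf, string key)
# Shared body of samlIDPEntityIdUniqueness and samlSPEntityIdUniqueness.
# $key names both the configuration entry holding the metadata hash and
# the per-entry key holding the XML (samlIDPMetaDataXML or
# samlSPMetaDataXML).  Returns the usual (status, message) pair; status is
# 0 when a metadata lacks an entityID or two share one.
sub _saml_entity_id_uniqueness {
    my ( $conf, $key ) = @_;
    my $metadata = $conf->{$key};
    return 1 unless ( $metadata and %$metadata );
    my ( @msg, %owner_of );
    my $res = 1;
    foreach my $id ( sort keys %$metadata ) {
        my $xml = $metadata->{$id}->{$key};
        my ( undef, $eid ) =
          defined $xml ? $xml =~ /entityID=(['"])(.+?)\1/si : ();
        unless ( defined $eid ) {
            push @msg, "$id SAML metadata has no EntityID";
            $res = 0;
            next;
        }
        if ( defined $owner_of{$eid} ) {
            push @msg, "$id and $owner_of{$eid} have the same SAML EntityID";
            $res = 0;
            next;
        }
        $owner_of{$eid} = $id;
    }
    return ( $res, join( ', ', @msg ) );
}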

1;