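package Lemonldap::NG::Manager::Conf::Tests;

# Sanity tests applied to a configuration before it is saved by the manager
# (see tests() below). Strictures were missing; every symbol used in this file
# is lexical or fully qualified, so enabling them changes no behaviour.
use strict;
use warnings;
use utf8;

use Lemonldap::NG::Common::Regexp;

our $VERSION = '2.0.0';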

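## @method hashref tests(hashref conf)
# Return a hash ref where keys are the names of the tests and values are
# subroutines to execute.
#
# Each subroutine returns one of the following:
# -  (1)         : everything is OK
# -  (1,message) : OK with a warning
# -  (0,message) : NOK
# - (-1,message) : OK, but must be confirmed (ignored if the confirm
#                  parameter is set)
#
# Those subroutines can also modify the configuration (portalURL does).
# Every subroutine closes over $conf, so tests() must be called with the
# configuration to check and the returned subroutines called afterwards.
#
# @param $conf Configuration to test
# @return hash ref where keys are the names of the tests and values are
#         subroutines
sub tests {
    my $conf = shift;
    return {

        # 1. CHECKS

        # Check if portal is in domain
        portalIsInDomain => sub {

            # index() returns -1 when the domain is absent, so ">= 0" is the
            # "found" test (the original "> 0" missed a match at offset 0;
            # vhostInDomainOrCDA already uses ">= 0").
            my $found = index( $conf->{portal}, $conf->{domain} ) >= 0;
            return (
                1,
                (
                    $found
                    ? ''
                    : "Portal seems not to be in the domain $conf->{domain}"
                )
            );
        },

        # Check if portal URL is well formatted: normalize the portal URL so it
        # ends with exactly one slash (this test modifies $conf->{portal}).
        portalURL => sub {

            # Add a trailing slash when missing, then collapse any run of
            # trailing slashes to a single one.
            $conf->{portal} .= '/' unless ( $conf->{portal} =~ m{/$} );
            $conf->{portal} =~ s{/+$}{/};
            return 1;
        },

        # Check if virtual hosts are in the domain (unless cross-domain
        # authentication is enabled, in which case it does not matter)
        vhostInDomainOrCDA => sub {
            return 1 if ( $conf->{cda} );
            my @pb = grep { index( $_, $conf->{domain} ) < 0 }
              keys %{ $conf->{locationRules} || {} };
            return (
                1,
                (
                    @pb
                    ? 'Virtual hosts '
                      . join( ', ', @pb )
                      . " are not in $conf->{domain} and cross-domain-authentication is not set"
                    : undef
                )
            );
        },

        # Check that virtual hosts do not contain a port
        vhostWithPort => sub {
            my @pb = grep { /:/ } keys %{ $conf->{locationRules} || {} };
            return 1 unless (@pb);
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " contain a port, this is not allowed" );
        },

        # Force vhost to be lowercase
        vhostUpperCase => sub {
            my @pb = grep { $_ ne lc $_ } keys %{ $conf->{locationRules} || {} };
            return 1 unless (@pb);
            return ( 0,
                    'Virtual hosts '
                  . join( ', ', @pb )
                  . " must be in lower case" );
        },

        # Check if "userDB" and "authentication" are consistent: a module that
        # needs the authentication phase to fetch user data can not be used as
        # user database without also being used for authentication.
        authAndUserDBConsistency => sub {
            my $user_db = defined $conf->{userDB} ? $conf->{userDB} : '';
            my $auth =
              defined $conf->{authentication} ? $conf->{authentication} : '';
            foreach
              my $type (qw(Facebook Google OpenID OpenIDConnect SAML WebID))
            {
                # Word boundaries keep "OpenID" from matching "OpenIDConnect"
                # (the unanchored /$type/ let that pair slip through).
                return ( 0,
"\"$type\" can not be used as user database without using \"$type\" for authentication"
                  )
                  if (  $user_db =~ /\b\Q$type\E\b/
                    and $auth !~ /\b\Q$type\E\b/ );
            }
            return 1;
        },

        # Check that OpenID SREG parameters and whatToTrace point to an
        # exported attribute or a macro
        checkAttrAndMacros => sub {
            my @tmp;
            foreach my $k ( keys %$conf ) {
                next
                  unless ( $k =~
/^(?:openIdSreg_(?:(?:(?:full|nick)nam|languag|postcod|timezon)e|country|gender|email|dob)|whatToTrace)$/
                  );
                my $name = $conf->{$k};

                # An unset parameter has nothing to resolve.
                next unless ( defined $name and length $name );

                # Accept both "attr" and "$attr" (the original s/^$// was a
                # no-op, the escaped form is what it was meant to be).
                $name =~ s/^\$//;

                # Session internals (leading "_") always exist.
                next if ( $name =~ /^_/ );

                # Both lookups are tested separately: the original wrapped
                # "defined(A or defined(B))", which is always true, so this
                # test could never report anything.
                push @tmp, $k
                  unless ( defined( $conf->{exportedVars}->{$name} )
                    or defined( $conf->{macros}->{$name} ) );
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not defined in exported attributes or macros'
                    : ''
                )
            );
        },

        # Test that variables are exported if Google is used as UserDB
        checkUserDBGoogleAXParams => sub {
            my @tmp;
            if ( defined $conf->{userDB} and $conf->{userDB} eq 'Google' ) {
                @tmp = _exported_vars_not_matching( $conf,
                    Lemonldap::NG::Common::Regexp::GOOGLEAXATTR() );
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not exported by Google'
                    : ''
                )
            );
        },

        # Test that variables are exported if OpenID is used as UserDB
        checkUserDBOpenIDParams => sub {
            my @tmp;
            if ( defined $conf->{userDB} and $conf->{userDB} eq 'OpenID' ) {
                @tmp = _exported_vars_not_matching( $conf,
                    Lemonldap::NG::Common::Regexp::OPENIDSREGATTR() );
            }
            return (
                1,
                (
                    @tmp
                    ? 'Values of parameter(s) "'
                      . join( ', ', @tmp )
                      . '" are not exported by OpenID SREG'
                    : ''
                )
            );
        },

        # Try to use the configured Apache::Session backend: load it, create
        # a session, write a value, reopen the session by id, read the value
        # back and delete the session.
        testApacheSession => sub {
            my ( $id, %h );
            my $module =
              defined $conf->{globalStorage} ? $conf->{globalStorage} : '';
            my $gc =
              $Lemonldap::NG::Handler::PSGI::Main::tsv->{sessionStorageModule};

            # Nothing to test when the running handler already uses this
            # backend, or when it is one of the bundled LLNG backends.
            return 1
              if ( ( $gc and $gc eq $module )
                or $module =~ /^Lemonldap::NG::Common::Apache::Session::/ );

            # $module comes from the configuration being tested: only accept
            # a plain package name and load it with require() instead of
            # evaluating the string as Perl code.
            return ( -1, "Unknown package $module" )
              unless ( $module =~ /^[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*$/ );
            ( my $file = "$module.pm" ) =~ s{::}{/}g;
            eval { require $file; };
            return ( -1, "Unknown package $module" ) if ($@);

            my %tie_opts = (
                %{ $conf->{globalStorageOptions} || {} },
                backend => $module
            );
            eval {
                tie %h, 'Lemonldap::NG::Common::Apache::Session', undef,
                  {%tie_opts};
            };
            return ( -1, "Unable to create a session ($@)" )
              if ( $@ or not tied(%h) );

            eval {
                $h{a} = 1;
                $id = $h{_session_id};
            };
            return ( -1, "Unable to insert data ($@)" ) if ($@);

            # The original "return" was inside the eval block, which only
            # left the eval: a missing id was silently ignored and the test
            # went on with the still-open session. Report it, and remove the
            # test session first.
            unless ($id) {
                eval { tied(%h)->delete; };
                return ( -1, 'No _session_id' );
            }

            # Reopen the session by id and check the value survived.
            eval {
                untie(%h);
                tie %h, 'Lemonldap::NG::Common::Apache::Session', $id,
                  {%tie_opts};
            };
            return ( -1, "Unable to insert data ($@)" ) if ($@);
            return ( -1, "Unable to recover data stored" )
              unless ( defined $h{a} and $h{a} == 1 );
            eval { tied(%h)->delete; };
            return ( -1, "Unable to delete session ($@)" ) if ($@);
            return ( -1,
'All sessions may be lost and you must restart all your Apache servers'
            ) if ( $gc and $module ne $gc );
            return 1;
        },

        # Warn if cookie name has changed
        cookieNameChanged => sub {

            # NOTE(review): this reads ...::PSGI::API::tsv while
            # testApacheSession reads ...::PSGI::Main::tsv — confirm which
            # package exposes the running handler's $tsv.
            my $cn  = $Lemonldap::NG::Handler::PSGI::API::tsv->{cookieName};
            my $new = defined $conf->{cookieName} ? $conf->{cookieName} : '';
            return 1 unless ( $cn and $cn ne $new );
            return ( 1,
                'Cookie name has changed, you must restart all your web servers'
            );
        },

        # Warn if manager seems to be unprotected
        managerProtection => sub {
            my $anonymous =
              ( defined $conf->{cfgAuthor}
                  and $conf->{cfgAuthor} eq 'anonymous' );
            return (
                1,
                (
                    $anonymous
                    ? 'Your manager seems to be unprotected'
                    : ''
                )
            );
        },

        # Test SMTP connection and authentication (warning only)
        smtpConnectionAuthentication => sub {

            # Skip test if no SMTP configuration
            return 1 unless ( $conf->{SMTPServer} );

            # Net::SMTP is optional: a missing module is only a warning
            eval { require Net::SMTP; };
            return ( 1, "Net::SMTP module is required to use SMTP server" )
              if ($@);

            # Create SMTP object (5 s timeout so the manager does not hang on
            # an unreachable server)
            my $smtp = Net::SMTP->new( $conf->{SMTPServer}, Timeout => 5 );
            return ( 1,
                "SMTP connection to " . $conf->{SMTPServer} . " failed" )
              unless ($smtp);

            # Try authentication when credentials are configured. The
            # password is deliberately kept out of every message.
            my $auth_ok = 1;
            if ( $conf->{SMTPAuthUser} and $conf->{SMTPAuthPass} ) {
                $auth_ok =
                  $smtp->auth( $conf->{SMTPAuthUser}, $conf->{SMTPAuthPass} );
            }

            # Close the connection instead of leaving it open until the
            # object is garbage collected.
            $smtp->quit;

            return ( 1, "SMTP authentication failed" ) unless ($auth_ok);
            return 1;
        },

        # SAML entity ID must be unique
        samlIDPEntityIdUniqueness => sub {
            return _check_entity_id_uniqueness( $conf->{samlIDPMetaDataXML},
                'samlIDPMetaDataXML' );
        },
        samlSPEntityIdUniqueness => sub {
            return _check_entity_id_uniqueness( $conf->{samlSPMetaDataXML},
                'samlSPMetaDataXML' );
        },

        # Try to parse combination with declared modules
        checkCombinations => sub {
            return 1
              unless ( defined $conf->{authentication}
                and $conf->{authentication} eq 'Combination' );
            require Lemonldap::NG::Common::Combination::Parser;
            return ( 0, 'No module declared for combination' )
              unless ( $conf->{combModules} and %{ $conf->{combModules} } );

            # Build the module list the parser expects: "for" selects which
            # phase(s) the module serves (2: userDB only, 1: auth only,
            # otherwise both).
            my $moduleList;
            foreach my $md ( keys %{ $conf->{combModules} } ) {
                my $entry = $conf->{combModules}->{$md};
                my $for   = $entry->{for} || 0;
                $moduleList->{$md} = (
                      $for == 2 ? [ undef, {} ]
                    : $for == 1 ? [ {}, undef ]
                    :             [ {}, {} ]
                );
            }
            eval {
                Lemonldap::NG::Common::Combination::Parser->parse( $moduleList,
                    $conf->{combination} );
            };
            return ( 0, $@ ) if ($@);
            return 1;
        },

        # Check that the modules needed by the enabled second factors
        # (TOTP, U2F, or both via UTOTP) are installed
        utotp2fDependencies => sub {
            return 1
              unless ( $conf->{utotp2fActivation}
                or $conf->{totp2fActivation}
                or $conf->{u2fActivation} );

            # Use TOTP
            if (   $conf->{totp2fActivation}
                or $conf->{utotp2fActivation} )
            {
                eval { require Convert::Base32; };
                return ( 0,
                    "Convert::Base32 module is required to enable TOTP" )
                  if ($@);
            }

            # Use U2F
            if (   $conf->{u2fActivation}
                or $conf->{utotp2fActivation} )
            {
                eval { require Crypt::U2F::Server::Simple; };
                return ( 0,
"Crypt::U2F::Server::Simple module is required to enable U2F"
                ) if ($@);
            }
            return 1;
        },

        # Warn if TOTP or U2F is enabled with UTOTP (U2F + TOTP)
        utotp => sub {
            return 1 unless ( $conf->{utotp2fActivation} );
            my $w = "";
            foreach my $kind ( 'totp', 'u' ) {
                my $flag = $conf->{ $kind . '2fActivation' };
                $w .= uc($kind) . "2F is activated twice \n"
                  if ( defined $flag and $flag eq '1' );
            }
            return ( 1, ( $w ? $w : () ) );
        },

        # Warn if TOTP not 6 or 8 digits long
        #totp2fDigits => sub {
        #    return (
        #        1,
        #        (
        #            (
        #                     $conf->{totp2fDigits} == 6
        #                  or $conf->{totp2fDigits} == 8
        #            )
        #            ? ''
        #            : 'TOTP should be 6 or 8 digits long'
        #        )
        #    );
        #},
        #formTimeout => sub {
        #    return ( 0, "XSRF form token TTL must be higher than 10s" )
        #      unless ( $conf->{formTimeout} > 10 );
        #    return ( 1, "XSRF form token TTL should not be lower or equal to 2mn" )
        #      unless ( $conf->{formTimeout} > 120 );
        #    return 1;
        #},
    };
}

## @fn list _exported_vars_not_matching(hashref conf, regexp re)
# Return the values of $conf->{exportedVars} that do not match $re (empty
# list when no exported variable is configured). Used by the Google and
# OpenID userDB tests.
#
# @param $conf Configuration to test
# @param $re   Regular expression the exported values must match
# @return list of offending values
sub _exported_vars_not_matching {
    my ( $conf, $re ) = @_;
    my $vars = $conf->{exportedVars} || {};
    return grep { $_ !~ $re } values %$vars;
}

## @fn list _check_entity_id_uniqueness(hashref metadata, string xml_key)
# Check that every entry of $metadata (samlIDPMetaDataXML or
# samlSPMetaDataXML) declares an entityID and that no two entries share one.
#
# @param $metadata Hash ref of SAML partner entries, keyed by partner id
# @param $xml_key  Name of the field holding the metadata XML in each entry
# @return (1) when nothing is wrong, (0, message) otherwise, following the
#         tests() convention
sub _check_entity_id_uniqueness {
    my ( $metadata, $xml_key ) = @_;
    return 1 unless ( $metadata and %$metadata );
    my @msg;
    my $res = 1;
    my %owner_of;    # entityID => id of the entry that declared it first
    foreach my $id ( keys %$metadata ) {
        my $xml = $metadata->{$id}->{$xml_key};
        my $eid;

        # The metadata is an XML document; only its entityID attribute is
        # needed here, so a quoted-attribute match is enough.
        if ( defined $xml and $xml =~ /entityID=(['"])(.+?)\1/si ) {
            $eid = $2;
        }
        else {
            push @msg, "$id SAML metadata has no EntityID";
            $res = 0;
            next;
        }
        if ( defined $owner_of{$eid} ) {
            push @msg, "$id and $owner_of{$eid} have the same SAML EntityID";
            $res = 0;
            next;
        }
        $owner_of{$eid} = $id;
    }
    return ( $res, join( ', ', @msg ) );
}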

1;