Attributes.pm 115 KB
Newer Older
1 2 3 4
# This file contains the description of all configuration parameters
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Xavier Guimard's avatar
Xavier Guimard committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

9
our $VERSION = '2.0.0';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
15
    my $s = '';
Xavier Guimard's avatar
Xavier Guimard committed
16
    no warnings( 'redefine', 'uninitialized' );
17
    eval "$s $val";
18 19 20
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
21 22
};

Xavier Guimard's avatar
Xavier Guimard committed
23
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Xavier Guimard's avatar
Xavier Guimard committed
24 25 26
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

27 28 29 30 31
sub types {
    return {

        # Simple text types
        text => {
32
            test    => sub {1},
33 34 35
            msgFail => '__malformedValue__',
        },
        password => {
36
            test    => sub {1},
37 38 39
            msgFail => '__malformedValue__',
        },
        longtext => {
40
            test => sub {1}
41 42 43
        },
        url => {
            form    => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
44
            test    => $url,
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
60
                eval {qr/$_[0]/};
61 62 63 64 65
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
66 67
            test => sub {
                my ( $val, $conf ) = @_;
68
                return 1
69 70
                    if ( defined $conf->{macros}->{$val}
                    or $val eq '_timezone' );
71 72
                foreach ( keys %$conf ) {
                    return 1
73
                        if ( $_ =~ /exportedvars$/i
74
                        and defined $conf->{$_}->{$val} );
Xavier Guimard's avatar
Xavier Guimard committed
75
                }
76
                return ( 1, "__unknownAttrOrMacro__: $val" );
Xavier Guimard's avatar
Xavier Guimard committed
77
            },
78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Xavier Guimard's avatar
Xavier Guimard committed
97 98
        keyTextContainer => {
            test       => qr/./,
Xavier Guimard's avatar
Xavier Guimard committed
99
            msgFail    => '__emptyValueNotAllowed__',
Xavier Guimard's avatar
Xavier Guimard committed
100
            keyTest    => qr/^\w[\w\.\-]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
101
            keyMsgFail => '__badKeyName__',
Xavier Guimard's avatar
Xavier Guimard committed
102 103 104
        },
        subContainer => {
            keyTest => qr/\w/,
105
            test    => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
106
        },
Xavier Guimard's avatar
Xavier Guimard committed
107 108
        select => {
            test => sub {
109
                my $test = grep ( { $_ eq $_[0] }
Xavier Guimard's avatar
Xavier Guimard committed
110
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Xavier Guimard's avatar
Xavier Guimard committed
111
                return $test
112 113
                    ? 1
                    : ( 1, "Invalid value '$_[0]' for this select" );
Xavier Guimard's avatar
Xavier Guimard committed
114 115
            },
        },
116 117 118

        # Files type (long text)
        file => {
119
            test => sub {1}
120 121
        },
        RSAPublicKey => {
122
            test => sub {
123
                return (
124 125
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
126
                    ? (1)
127 128
                    : ( 1, '__badPemEncoding__' )
                );
129
            },
130
        },
131
        'RSAPublicKeyOrCertificate' => {
132
            'test' => sub {
133
                return (
134 135
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
136
                    ? (1)
137 138
                    : ( 1, '__badPemEncoding__' )
                );
139
            },
140
        },
141
        RSAPrivateKey => {
142
            test => sub {
143
                return (
144 145
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
146
                    ? (1)
147 148
                    : ( 1, '__badPemEncoding__' )
                );
149
            },
150 151 152
        },

        authParamsText => {
153
            test => sub {1}
154 155
        },
        blackWhiteList => {
156
            test => sub {1}
157 158
        },
        catAndAppList => {
159
            test => sub {1}
160 161 162
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
Xavier Guimard's avatar
Xavier Guimard committed
163
            test    => qr/^.*$/,
164 165 166
            msgFail => '__badValue__',
        },
        menuApp => {
167
            test => sub {1}
168 169
        },
        menuCat => {
170
            test => sub {1}
171 172
        },
        oidcOPMetaDataNode => {
173
            test => sub {1}
174 175
        },
        oidcRPMetaDataNode => {
176
            test => sub {1}
177 178
        },
        oidcmetadatajson => {
179
            test => sub {1}
180 181
        },
        oidcmetadatajwks => {
182
            test => sub {1}
183 184
        },
        portalskin => {
185
            test => sub {1}
186 187
        },
        portalskinbackground => {
188
            test => sub {1}
189 190
        },
        post => {
191
            test => sub {1}
192 193
        },
        rule => {
194
            test => sub {1}
195 196
        },
        samlAssertion => {
197
            test => sub {1}
198 199
        },
        samlAttribute => {
200
            test => sub {1}
201 202
        },
        samlIDPMetaDataNode => {
203
            test => sub {1}
204 205
        },
        samlSPMetaDataNode => {
206
            test => sub {1}
207 208
        },
        samlService => {
209
            test => sub {1}
210
        },
211
        array => {
212
            test => sub {1}
213
        },
214 215 216 217 218 219 220
    };
}

sub attributes {
    return {

        # Other
221 222 223
        checkTime => {
            type => 'int',
            documentation =>
224
                'Timeout to check new configuration in local cache',
225
            default => 600,
226 227 228 229 230 231
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
232
                [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
233
        },
Xavier Guimard's avatar
Xavier Guimard committed
234 235 236 237 238 239 240 241 242 243 244 245
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Xavier Guimard's avatar
Xavier Guimard committed
246
            documentation => 'Local cache parameters',
Xavier Guimard's avatar
Xavier Guimard committed
247 248
            flags         => 'hmp',
        },
249 250 251 252 253 254
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
255 256 257
            type => 'text',
            documentation =>
                'Name of the author of the current configuration',
258 259
        },
        cfgAuthorIP => {
260 261 262
            type => 'text',
            documentation =>
                'Uploader IP address of the current configuration',
263 264 265 266 267 268 269 270 271
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
272 273 274 275
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Xavier Guimard's avatar
Xavier Guimard committed
276 277 278 279 280
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
281 282 283
        confirmFormMethod => {
            type => "select",
            select =>
284
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
285 286 287
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
288 289
        customFunctions => {
            type          => 'text',
290
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
291
            msgFail       => "__badCustomFuncName__",
Xavier Guimard's avatar
Xavier Guimard committed
292 293
            documentation => 'List of custom functions',
            flags         => 'hmp',
294 295
        },
        https => {
296 297 298
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Xavier Guimard's avatar
Xavier Guimard committed
299
            flags         => 'h',
300 301 302 303
        },
        infoFormMethod => {
            type => "select",
            select =>
304
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
305 306 307
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Xavier Guimard's avatar
Xavier Guimard committed
308 309 310 311 312
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
313 314 315 316 317 318
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
319 320 321 322 323
            type    => 'keyTextContainer',
            help    => 'logoutforward.html',
            default => {},
            documentation =>
                'Send logout trough GET request to these services',
324 325 326 327 328
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Xavier Guimard's avatar
Xavier Guimard committed
329
            flags         => 'h',
330
        },
Xavier Guimard's avatar
Xavier Guimard committed
331 332 333 334 335
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
Xavier Guimard's avatar
Xavier Guimard committed
336
            documentation => 'Custom Nginx handler (deprecated)',
Xavier Guimard's avatar
Xavier Guimard committed
337
        },
338 339 340 341 342
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
343 344 345 346
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Xavier Guimard's avatar
Xavier Guimard committed
347
            flags         => 'hmp',
348 349
            test          => $url,
            msgFail       => '__badUrl__',
350
        },
351 352 353 354 355
        portalStatus => {
            type          => 'bool',
            default       => 0,
            documentation => 'Enable portal status',
        },
356 357 358
        portalUserAttr => {
            type    => 'text',
            default => '_user',
359
            help    => 'monitoring.html',
360
            documentation =>
361
                'Session parameter to display connected user in portal',
362 363 364 365
        },
        redirectFormMethod => {
            type => "select",
            select =>
366
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
367 368 369 370
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
        reloadUrls => {
371 372 373 374 375
            type    => 'keyTextContainer',
            help    => 'configlocation.html#configuration_reload',
            keyTest => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test    => $url,
            msgFail => '__badUrl__',
Xavier Guimard's avatar
Xavier Guimard committed
376
            documentation => 'URL to call on reload',
377 378 379 380 381
        },
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
382 383 384 385
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Xavier Guimard's avatar
Xavier Guimard committed
386
            flags         => 'hmp',
387
        },
388 389
        stayConnected => {
            type          => 'bool',
390
            default       => 0,
391 392
            documentation => 'Enable StayConnected plugin',
        },
393
        checkState => {
394
            type          => 'bool',
395
            default       => 0,
396 397 398
            documentation => 'Enable CheckState plugin',
        },
        checkStateSecret => {
399
            type          => 'text',
400 401
            documentation => 'Secret token for CheckState plugin',
        },
402 403 404
        skipRenewConfirmation => {
            type => 'bool',
            documentation =>
405
                'Avoid asking confirmation when an Issuer asks to renew auth',
406
        },
407

408 409 410 411 412 413 414 415 416
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
417
            flags         => 'hmp',
418 419 420 421
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
422
            flags         => 'hmp',
423 424 425 426
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
427
            flags         => 'hmp',
428 429 430 431
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
432
            flags         => 'hmp',
433 434 435 436
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
437
            flags         => 'hmp',
438 439 440 441
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
442
            flags         => 'hmp',
443 444 445
        },

        # Manager or PSGI protected apps
446
        protection => {
447 448 449
            type    => 'text',
            test    => qr/^(?:none|authenticate|manager|)$/,
            msgFail => '__authorizedValues__: none authenticate manager',
450
            documentation => 'Manager protection method',
Xavier Guimard's avatar
Xavier Guimard committed
451
            flags         => 'hm',
452 453 454 455 456 457 458 459 460 461
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
462
            keyTest => qr/\w/,
463 464
            help    => 'portalmenu.html#categories_and_applications',
            default => {
465 466
                default =>
                    { catname => 'Default category', type => "category" }
467 468 469
            },
            documentation => 'Applications list',
        },
470 471 472 473 474
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
475
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
476 477 478
            type    => 'bool',
            default => 0,
            documentation =>
479
                'Show error if mail is not found in password reset process',
480
        },
481 482 483 484 485 486 487 488 489 490 491 492 493 494
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Xavier Guimard's avatar
Xavier Guimard committed
495
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
496 497 498 499 500 501
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
502
                {   k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
503 504
                    v => 'Anse'
                },
505 506
                {   k =>
                        "1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
507 508 509
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
510 511
                {   k =>
                        "1280px-Cedar_Breaks_National_Monument_partially.jpg",
512 513
                    v => 'National Monument'
                },
514
                {   k => "1280px-Parry_Peak_from_Winter_Park.jpg",
515 516
                    v => 'Winter'
                },
517 518 519
                {   k => "Aletschgletscher_mit_Pinus_cembra1.jpg",
                    v => 'Pinus'
                },
520 521 522
            ],
        },
        portalSkinRules => {
Xavier Guimard's avatar
Xavier Guimard committed
523 524 525 526 527 528 529
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
530 531 532
        },

        # Security
533
        formTimeout => {
Xavier Guimard's avatar
Xavier Guimard committed
534 535
            default       => 120,
            type          => 'int',
536 537 538
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Xavier Guimard's avatar
Xavier Guimard committed
539 540
            default       => 1,
            type          => 'bool',
541 542
            documentation => 'Enable token for forms',
        },
543 544 545 546 547
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
548 549 550 551
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Xavier Guimard's avatar
Xavier Guimard committed
552
            flags         => 'hp',
553 554 555 556 557 558
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
559
        portalForceAuthn => {
560
            default => 0,
561 562 563
            type    => 'bool',
            documentation =>
                'Enable force to authenticate when displaying portal',
564
        },
565 566
        portalForceAuthnInterval => {
            default => 5,
567 568
            type    => 'int',
            documentation =>
569
                'Maximun interval in seconds since last authentifcation to force reauthentication',
570
        },
571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587
        bruteForceProtection => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable brute force attack protection',
        },
        bruteForceProtectionTempo => {
            default => 30,
            type    => 'int',
            documentation =>
                'Brute force attack protection -> Tempo before try again',
        },
        bruteForceProtectionMaxAge => {
            default => 300,
            type    => 'int',
            documentation =>
                'Brute force attack protection -> Max age third failed login',
        },
588
        grantSessionRules => {
Xavier Guimard's avatar
Xavier Guimard committed
589 590
            type          => 'grantContainer',
            keyTest       => $perlExpr,
591
            test          => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
592
            documentation => 'Rules to grant sessions',
593 594 595 596 597 598 599 600 601 602
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
603 604
        cspDefault => {
            type          => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
605
            default       => "'self'",
606 607 608 609
            documentation => 'Default value for Content-Security-Policy',
        },
        cspImg => {
            type          => 'text',
610
            default       => "'self' data:",
611 612 613 614 615 616 617 618 619
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
620
            default       => "'self'",
621 622 623 624 625 626
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
627
                'Authorizated Ajax destination for Content-Security-Policy',
628 629 630 631 632 633
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
634 635 636 637 638 639 640 641 642 643 644 645
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        portalForceAuthnInterval => {
            type    => 'int',
646
            default => 5,
647
            documentation =>
648
                'Minimum number of seconds since last authentifcation to force reauthentication',
649 650 651 652 653 654
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Xavier Guimard's avatar
Xavier Guimard committed
655
        trustedDomains =>
656
            { type => 'text', documentation => 'Trusted domains', },
Xavier Guimard's avatar
Xavier Guimard committed
657
        storePassword => {
658 659 660 661 662 663
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
664
            test          => sub { $_[0] > 0 },
665 666 667 668
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
669
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
670
            test          => sub { $_[0] >= 0 },
671 672 673
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
674 675 676 677 678 679
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
680 681 682 683 684 685 686 687 688 689 690 691 692 693
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Xavier Guimard's avatar
Xavier Guimard committed
694
            flags         => 'h',
695 696 697 698 699 700 701 702 703
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Xavier Guimard's avatar
Xavier Guimard committed
704
            help          => 'safejail.html',
705
            documentation => 'Activate Safe jail',
Xavier Guimard's avatar
Xavier Guimard committed
706
            flags         => 'hp',
707 708 709 710 711
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Xavier Guimard's avatar
Xavier Guimard committed
712
            flags         => 'hp',
713
        },
714
        lwpOpts => {
Xavier Guimard's avatar
Xavier Guimard committed
715 716 717
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
718 719 720 721
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
767
            default       => 0,
768 769 770
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
771 772
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
773
            default       => '$_oidcConnectedRP',
774 775
            documentation => 'Display OIDC consent tab in portal',
        },
776 777

        # Cookies
Xavier Guimard's avatar
Xavier Guimard committed
778
        cookieExpiration => {
779
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
780 781 782
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Xavier Guimard's avatar
Xavier Guimard committed
783
        cookieName => {
784 785 786 787 788
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Xavier Guimard's avatar
Xavier Guimard committed
789
            flags         => 'hp',
790 791
        },
        domain => {
792 793 794 795
            type    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
            msgFail => '__badDomainName__',
            default => 'example.com',
796
            documentation => 'DNS domain',
Xavier Guimard's avatar
Xavier Guimard committed
797
            flags         => 'hp',
798 799 800 801 802
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Xavier Guimard's avatar
Xavier Guimard committed
803
            flags         => 'hp',
804 805 806 807 808 809 810 811 812 813 814
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Xavier Guimard's avatar
Xavier Guimard committed
815
            flags         => 'hp',
816 817 818
        },

        # Notification
819
        oldNotifFormat => {
Xavier Guimard's avatar
Xavier Guimard committed
820 821
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
822
            documentation => 'Use old XML format for notifications',
823
        },
824 825 826 827 828
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Xavier Guimard's avatar
Xavier Guimard committed
829 830 831 832 833
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
834 835 836 837
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
838 839 840 841 842
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
861
            default       => 1,
862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
881
            keyMsgFail    => '__badVariableName__',
882 883 884 885 886 887 888 889
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
890
                'exportedvars.html#extend_variables_using_macros_and_groups',
891 892 893 894 895 896 897
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
898
                'exportedvars.html#extend_variables_using_macros_and_groups',
899
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
900
            keyMsgFail    => '__badMacroName__',
901 902 903 904 905 906 907 908 909 910
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Xavier Guimard's avatar
Xavier Guimard committed
911
            flags         => 'hp',
912 913 914 915 916 917 918
        },
        globalStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'Directory'     => '/var/lib/lemonldap-ng/sessions/',
                'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
                'generateModule' =>
919
                    'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
920 921
            },
            documentation => 'Session backend module options',
Xavier Guimard's avatar
Xavier Guimard committed
922
            flags         => 'hp',
923 924
        },
        localSessionStorage => {
Xavier Guimard's avatar
Xavier Guimard committed
925 926
            type          => 'PerlModule',
            default       => 'Cache::FileCache',
Xavier Guimard's avatar
Xavier Guimard committed
927
            documentation => 'Local sessions cache module',
928 929 930 931 932 933 934 935 936 937 938 939 940 941
        },
        localSessionStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'namespace'          => 'lemonldap-ng-sessions',
                'default_expires_in' => 600,
                'directory_umask'    => '007',
                'cache_root'         => '/tmp',
                'cache_depth'        => 3,
            },
            documentation => 'Sessions cache module options',
        },

        # Persistent storage
Xavier Guimard's avatar
Xavier Guimard committed
942 943 944 945 946 947 948 949 950 951 952 953 954
        persistentStorage => {
            type          => 'PerlModule',
            documentation => 'Storage module for persistent sessions'
        },
        persistentStorageOptions => {
            type          => 'keyTextContainer',
            documentation => 'Options for persistent sessions storage module'
        },
        sessionDataToRemember => {
            type          => 'keyTextContainer',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
            keyMsgFail    => '__invalidSessionData__',
            documentation => 'Data to remember in login history',
955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976
        },

        # SAML issuer
        issuerDBSAMLActivation => {
            default       => 0,
            type          => 'bool',
            documentation => 'SAML IDP activation',
        },
        issuerDBSAMLPath => {
            type          => 'pcre',
            default       => '^/saml/',
            documentation => 'SAML IDP request path',
        },
        issuerDBSAMLRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'SAML IDP rule',
        },

        # OpenID-Connect issuer
        issuerDBOpenIDConnectActivation => {
            type          => 'bool',
977
            default       => 0,
978 979 980 981 982 983 984 985 986 987 988 989 990
            documentation => 'OpenID Connect server activation',
        },
        issuerDBOpenIDConnectPath => {
            type          => 'text',
            default       => '^/oauth2/',
            documentation => 'OpenID Connect server request path',
        },
        issuerDBOpenIDConnectRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'OpenID Connect server rule',
        },

991 992 993
        # GET issuer
        issuerDBGetActivation => {
            type          => 'bool',
994
            default       => 0,
995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016
            documentation => 'Get issuer activation',
        },
        issuerDBGetPath => {
            type          => 'text',
            default       => '^/get/',
            documentation => 'Get issuer request path',
        },
        issuerDBGetRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Get issuer rule',
        },
        issuerDBGetParameters => {
            type       => 'doubleHash',
            default    => {},
            keyTest    => qr/^$Regexp::Common::URI::RFC2396::hostname$/,
            keyMsgFail => '__badHostname__',
            test       => {
                keyTest    => qr/^(?=[^\-])[\w\-]+(?<=[^-])$/,
                keyMsgFail => '__badKeyName__',
                test       => sub {
                    my ( $val, $conf ) = @_;
1017
                    return 1
1018
                        if ( defined $conf->{macros}->{$val}
1019 1020 1021
                        or $val eq '_timezone' );
                    foreach ( keys %$conf ) {
                        return 1
1022
                            if ( $_ =~ /exportedvars$/i
1023
                            and defined $conf->{$_}->{$val} );
1024
                    }
1025
                    return ( 1, "__unknownAttrOrMacro__: $val" );
1026 1027 1028 1029 1030
                },
            },
            documentation => 'List of virtualHosts with their get parameters',
        },

1031 1032 1033 1034 1035 1036 1037
        # Password
        mailOnPasswordChange => {
            default       => 0,
            type          => 'bool',
            documentation => 'Send a mail when password is changed',
        },
        portalRequireOldPassword => {
1038 1039 1040 1041
            default => 1,
            type    => 'bool',
            documentation =>
                'Old password is required to change the password',
1042 1043 1044 1045 1046 1047 1048 1049
        },
        hideOldPassword => {
            default       => 0,
            type          => 'bool',
            documentation => 'Hide old password in portal',
        },

        # Mails
Xavier Guimard's avatar
Xavier Guimard committed
1050
        mailBody =>
1051
            { type => 'longtext', documentation => 'Custom mail body', },
1052 1053 1054 1055 1056
        mailCharset => {
            type          => 'text',
            default       => 'utf-8',
            documentation => 'Mail charset',
        },
1057 1058 1059 1060
        mailConfirmBody => {
            type          => 'longtext',
            documentation => 'Custom confirm mail body',
        },
1061 1062 1063 1064 1065 1066 1067 1068 1069
        mailConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for reset confirmation',
        },
        mailFrom => {
            type          => 'text',
            default       => 'noreply@example.com',
            documentation => 'Sender email',
        },
1070 1071
        mailReplyTo =>
            { type => 'text', documentation => 'Reply-To address' },
1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087
        mailSessionKey => {
            type          => 'text',
            default       => 'mail',
            documentation => 'Session parameter where mail is stored',
        },
        mailSubject => {
            type          => 'text',
            documentation => 'Mail subject for new password email',
        },
        mailTimeout => {
            type          => 'int',
            default       => 0,
            documentation => 'Mail session timeout',
        },
        mailUrl => {
            type          => 'url',
1088
            default       => 'http://auth.example.com/resetpwd',
1089 1090 1091
            documentation => 'URL of password reset page',
        },
        SMTPServer => {
1092 1093
            type    => 'text',
            default => '',
1094
            test => qr/^(?:$Regexp::Common::URI::RFC2396::host(?::\d+)?)?$/,
1095 1096
            documentation => 'SMTP Server',
        },
1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114
        SMTPPort => {
            type          => 'int',
            documentation => 'Fix SMTP port',
        },
        SMTPTLS => {
            type    => 'select',
            default => '',
            select  => [
                { k => '',         v => 'none' },
                { k => 'starttls', v => 'SMTP + STARTTLS' },
                { k => 'ssl',      v => 'SMTPS' },
            ],
            documentation => 'TLS protocol to use with SMTP',
        },
        SMTPTLSOpts => {
            type          => 'keyTextContainer',
            documentation => 'TLS/SSL options for SMTP',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1115 1116 1117 1118 1119 1120 1121 1122
        SMTPAuthUser => {
            type          => 'text',
            documentation => 'Login to use to send mails',
        },
        SMTPAuthPass => {
            type          => 'password',
            documentation => 'Password to use to send mails',
        },
1123 1124 1125 1126 1127 1128 1129 1130 1131

        # Registration
        registerConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for register confirmation',
        },
        registerDB => {
            type   => 'select',
            select => [
1132 1133 1134 1135 1136
                { k => 'AD',     v => 'Active Directory' },
                { k => 'Demo',   v => 'Demonstration' },
                { k => 'LDAP',   v => 'LDAP' },
                { k => 'Null',   v => 'None' },
                { k => 'Custom', v => 'customModule' },
1137
            ],
1138
            default       => 'Null',
1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149
            documentation => 'Register module',
        },
        registerDoneSubject => {
            type          => 'text',
            documentation => 'Mail subject when register is done',
        },
        registerTimeout => {
            default       => 0,
            type          => 'int',
            documentation => 'Register session timeout',
        },
1150 1151
        registerUrl => {
            type          => 'text',
1152
            default       => 'http://auth.example.com/register',
1153 1154
            documentation => 'URL of register page',
        },
1155

1156 1157 1158
        # Upgrade session
        upgradeSession => {
            type          => 'bool',
1159
            default       => 1,
1160 1161
            documentation => 'Upgrade session activation',
        },
1162

1163 1164 1165 1166
        # 2F
        max2FDevices => {
            default       => 10,
            type          => 'int',
1167
            documentation => 'Maximum registered 2F devices',
1168 1169 1170 1171
        },
        max2FDevicesNameLength => {
            default       => 20,
            type          => 'int',
1172
            documentation => 'Maximum 2F devices name length',
1173
        },
1174

Xavier Guimard's avatar
Xavier Guimard committed
1175 1176
        # U2F
        u2fActivation => {
Xavier Guimard's avatar
Xavier Guimard committed
1177
            type          => 'boolOrExpr',
Xavier Guimard's avatar
Xavier Guimard committed
1178 1179 1180
            default       => 0,
            documentation => 'U2F activation',
        },
1181
        u2fSelfRegistration => {
1182
            type          => 'boolOrExpr',
1183 1184
            default       => 0,
            documentation => 'U2F self registration activation',
Xavier Guimard's avatar
Xavier Guimard committed
1185
        },
Xavier Guimard's avatar
Xavier Guimard committed
1186 1187 1188
        u2fAuthnLevel => {
            type => 'int',
            documentation =>
1189
                'Authentication level for users authentified by password+U2F'
Xavier Guimard's avatar
Xavier Guimard committed
1190
        },
1191 1192 1193 1194 1195
        u2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing U2F key',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1196

Xavier Guimard's avatar
Xavier Guimard committed
1197 1198 1199 1200 1201 1202
        # TOTP second factor
        totp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'TOTP activation',
        },
1203
        totp2fSelfRegistration => {
1204
            type          => 'boolOrExpr',
Xavier Guimard's avatar
Xavier Guimard committed
1205 1206 1207 1208 1209 1210
            default       => 0,
            documentation => 'TOTP self registration activation',
        },
        totp2fAuthnLevel => {
            type => 'int',
            documentation =>
1211
                'Authentication level for users authentified by password+TOTP'
Xavier Guimard's avatar
Xavier Guimard committed
1212
        },
Xavier Guimard's avatar
Xavier Guimard committed
1213 1214 1215 1216
        totp2fIssuer => {
            type          => 'text',
            documentation => 'TOTP Issuer',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1217 1218 1219 1220 1221 1222 1223 1224 1225 1226
        totp2fInterval => {
            type          => 'int',
            default       => 30,
            documentation => 'TOTP interval',
        },
        totp2fRange => {
            type          => 'int',
            default       => 1,
            documentation => 'TOTP range (number of interval to test)',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1227 1228 1229 1230 1231
        totp2fDigits => {
            type          => 'int',
            default       => 6,
            documentation => 'Number of digits for TOTP code',
        },
1232 1233 1234 1235
        totp2fDisplayExistingSecret => {
            type    => 'bool',
            default => 0,
            documentation =>
1236
                'Display existing TOTP secret in registration form',
1237 1238 1239 1240 1241 1242
        },
        totp2fUserCanChangeKey => {
            type          => 'bool',
            default       => 0,
            documentation => 'Authorize users to change existing TOTP secret',
        },
1243 1244 1245 1246 1247
        totp2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing TOTP secret',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1248

Xavier Guimard's avatar
Xavier Guimard committed
1249 1250 1251 1252 1253 1254 1255 1256 1257
        # UTOTP 2F
        utotp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'UTOTP activation (mixed U2F/TOTP module)',
        },
        utotp2fAuthnLevel => {
            type => 'int',
            documentation =>
1258
                'Authentication level for users authentified by password+(U2F or TOTP)'