Attributes.pm 115 KB
Newer Older
1 2 3 4
# This file contains the description of all configuration parameters
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Xavier Guimard's avatar
Xavier Guimard committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

9
our $VERSION = '2.0.0';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
15
    my $s = '';
Xavier Guimard's avatar
Xavier Guimard committed
16
    no warnings( 'redefine', 'uninitialized' );
17
    eval "$s $val";
18 19 20
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
21 22
};

Xavier Guimard's avatar
Xavier Guimard committed
23
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Xavier Guimard's avatar
Xavier Guimard committed
24 25 26
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

27 28 29 30 31
sub types {
    return {

        # Simple text types
        text => {
32
            test    => sub {1},
33 34 35
            msgFail => '__malformedValue__',
        },
        password => {
36
            test    => sub {1},
37 38 39
            msgFail => '__malformedValue__',
        },
        longtext => {
40
            test => sub {1}
41 42 43
        },
        url => {
            form    => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
44
            test    => $url,
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
60
                eval {qr/$_[0]/};
61 62 63 64 65
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
66 67
            test => sub {
                my ( $val, $conf ) = @_;
68
                return 1
69 70
                    if ( defined $conf->{macros}->{$val}
                    or $val eq '_timezone' );
71 72
                foreach ( keys %$conf ) {
                    return 1
73
                        if ( $_ =~ /exportedvars$/i
74
                        and defined $conf->{$_}->{$val} );
Xavier Guimard's avatar
Xavier Guimard committed
75
                }
76
                return ( 1, "__unknownAttrOrMacro__: $val" );
Xavier Guimard's avatar
Xavier Guimard committed
77
            },
78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Xavier Guimard's avatar
Xavier Guimard committed
97 98
        keyTextContainer => {
            test       => qr/./,
Xavier Guimard's avatar
Xavier Guimard committed
99
            msgFail    => '__emptyValueNotAllowed__',
Xavier Guimard's avatar
Xavier Guimard committed
100
            keyTest    => qr/^\w[\w\.\-]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
101
            keyMsgFail => '__badKeyName__',
Xavier Guimard's avatar
Xavier Guimard committed
102 103 104
        },
        subContainer => {
            keyTest => qr/\w/,
105
            test    => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
106
        },
Xavier Guimard's avatar
Xavier Guimard committed
107 108
        select => {
            test => sub {
109
                my $test = grep ( { $_ eq $_[0] }
Xavier Guimard's avatar
Xavier Guimard committed
110
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Xavier Guimard's avatar
Xavier Guimard committed
111
                return $test
112 113
                    ? 1
                    : ( 1, "Invalid value '$_[0]' for this select" );
Xavier Guimard's avatar
Xavier Guimard committed
114 115
            },
        },
116 117 118

        # Files type (long text)
        file => {
119
            test => sub {1}
120 121
        },
        RSAPublicKey => {
122
            test => sub {
123
                return (
124 125
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
126
                    ? (1)
127 128
                    : ( 1, '__badPemEncoding__' )
                );
129
            },
130
        },
131
        'RSAPublicKeyOrCertificate' => {
132
            'test' => sub {
133
                return (
134 135
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
136
                    ? (1)
137 138
                    : ( 1, '__badPemEncoding__' )
                );
139
            },
140
        },
141
        RSAPrivateKey => {
142
            test => sub {
143
                return (
144 145
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
146
                    ? (1)
147 148
                    : ( 1, '__badPemEncoding__' )
                );
149
            },
150 151 152
        },

        authParamsText => {
153
            test => sub {1}
154 155
        },
        blackWhiteList => {
156
            test => sub {1}
157 158
        },
        catAndAppList => {
159
            test => sub {1}
160 161 162
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
Xavier Guimard's avatar
Xavier Guimard committed
163
            test    => qr/^.*$/,
164 165 166
            msgFail => '__badValue__',
        },
        menuApp => {
167
            test => sub {1}
168 169
        },
        menuCat => {
170
            test => sub {1}
171 172
        },
        oidcOPMetaDataNode => {
173
            test => sub {1}
174 175
        },
        oidcRPMetaDataNode => {
176
            test => sub {1}
177 178
        },
        oidcmetadatajson => {
179
            test => sub {1}
180 181
        },
        oidcmetadatajwks => {
182
            test => sub {1}
183 184
        },
        portalskin => {
185
            test => sub {1}
186 187
        },
        portalskinbackground => {
188
            test => sub {1}
189 190
        },
        post => {
191
            test => sub {1}
192 193
        },
        rule => {
194
            test => sub {1}
195 196
        },
        samlAssertion => {
197
            test => sub {1}
198 199
        },
        samlAttribute => {
200
            test => sub {1}
201 202
        },
        samlIDPMetaDataNode => {
203
            test => sub {1}
204 205
        },
        samlSPMetaDataNode => {
206
            test => sub {1}
207 208
        },
        samlService => {
209
            test => sub {1}
210
        },
211
        array => {
212
            test => sub {1}
213
        },
214 215 216 217 218 219 220
    };
}

sub attributes {
    return {

        # Other
221 222 223
        checkTime => {
            type => 'int',
            documentation =>
224
                'Timeout to check new configuration in local cache',
225
            default => 600,
226 227 228 229 230 231
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
232
                [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
233
        },
Xavier Guimard's avatar
Xavier Guimard committed
234 235 236 237 238 239 240 241 242 243 244 245
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Xavier Guimard's avatar
Xavier Guimard committed
246
            documentation => 'Local cache parameters',
Xavier Guimard's avatar
Xavier Guimard committed
247 248
            flags         => 'hmp',
        },
249 250 251 252 253 254
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
255 256 257
            type => 'text',
            documentation =>
                'Name of the author of the current configuration',
258 259
        },
        cfgAuthorIP => {
260 261 262
            type => 'text',
            documentation =>
                'Uploader IP address of the current configuration',
263 264 265 266 267 268 269 270 271
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
272 273 274 275
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Xavier Guimard's avatar
Xavier Guimard committed
276 277 278 279 280
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
281 282 283
        confirmFormMethod => {
            type => "select",
            select =>
284
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
285 286 287
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
288 289
        customFunctions => {
            type          => 'text',
290
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
291
            msgFail       => "__badCustomFuncName__",
Xavier Guimard's avatar
Xavier Guimard committed
292 293
            documentation => 'List of custom functions',
            flags         => 'hmp',
294 295
        },
        https => {
296 297 298
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Xavier Guimard's avatar
Xavier Guimard committed
299
            flags         => 'h',
300 301 302 303
        },
        infoFormMethod => {
            type => "select",
            select =>
304
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
305 306 307
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Xavier Guimard's avatar
Xavier Guimard committed
308 309 310 311 312
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
313 314 315 316 317 318
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
319 320 321 322 323
            type    => 'keyTextContainer',
            help    => 'logoutforward.html',
            default => {},
            documentation =>
                'Send logout trough GET request to these services',
324 325 326 327 328
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Xavier Guimard's avatar
Xavier Guimard committed
329
            flags         => 'h',
330
        },
Xavier Guimard's avatar
Xavier Guimard committed
331 332 333 334 335
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
Xavier Guimard's avatar
Xavier Guimard committed
336
            documentation => 'Custom Nginx handler (deprecated)',
Xavier Guimard's avatar
Xavier Guimard committed
337
        },
338 339 340 341 342
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
343 344 345 346
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Xavier Guimard's avatar
Xavier Guimard committed
347
            flags         => 'hmp',
348 349
            test          => $url,
            msgFail       => '__badUrl__',
350
        },
351 352 353 354 355
        portalStatus => {
            type          => 'bool',
            default       => 0,
            documentation => 'Enable portal status',
        },
356 357 358
        portalUserAttr => {
            type    => 'text',
            default => '_user',
359
            help    => 'monitoring.html',
360
            documentation =>
361
                'Session parameter to display connected user in portal',
362 363 364 365
        },
        redirectFormMethod => {
            type => "select",
            select =>
366
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
367 368 369 370
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
        reloadUrls => {
371 372 373 374 375
            type    => 'keyTextContainer',
            help    => 'configlocation.html#configuration_reload',
            keyTest => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test    => $url,
            msgFail => '__badUrl__',
Xavier Guimard's avatar
Xavier Guimard committed
376
            documentation => 'URL to call on reload',
377
        },
378 379 380 381 382
        portalMainLogo    => {
            type          => 'text',
            default       => 'common/logos/logo_llng_400px.png',
            documentation => 'Portal main logo path',
        },
383 384 385 386
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
387 388 389 390
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Xavier Guimard's avatar
Xavier Guimard committed
391
            flags         => 'hmp',
392
        },
393 394
        stayConnected => {
            type          => 'bool',
395
            default       => 0,
396 397
            documentation => 'Enable StayConnected plugin',
        },
398
        checkState => {
399
            type          => 'bool',
400
            default       => 0,
401 402 403
            documentation => 'Enable CheckState plugin',
        },
        checkStateSecret => {
404
            type          => 'text',
405 406
            documentation => 'Secret token for CheckState plugin',
        },
407 408 409
        skipRenewConfirmation => {
            type => 'bool',
            documentation =>
410
                'Avoid asking confirmation when an Issuer asks to renew auth',
411
        },
412

413 414 415 416 417 418 419 420 421
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
422
            flags         => 'hmp',
423 424 425 426
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
427
            flags         => 'hmp',
428 429 430 431
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
432
            flags         => 'hmp',
433 434 435 436
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
437
            flags         => 'hmp',
438 439 440 441
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
442
            flags         => 'hmp',
443 444 445 446
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
447
            flags         => 'hmp',
448 449 450
        },

        # Manager or PSGI protected apps
451
        protection => {
452 453 454
            type    => 'text',
            test    => qr/^(?:none|authenticate|manager|)$/,
            msgFail => '__authorizedValues__: none authenticate manager',
455
            documentation => 'Manager protection method',
Xavier Guimard's avatar
Xavier Guimard committed
456
            flags         => 'hm',
457 458 459 460 461 462 463 464 465 466
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
467
            keyTest => qr/\w/,
468 469
            help    => 'portalmenu.html#categories_and_applications',
            default => {
470 471
                default =>
                    { catname => 'Default category', type => "category" }
472 473 474
            },
            documentation => 'Applications list',
        },
475 476 477 478 479
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
480
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
481 482 483
            type    => 'bool',
            default => 0,
            documentation =>
484
                'Show error if mail is not found in password reset process',
485
        },
486 487 488 489 490 491 492 493 494 495 496 497 498 499
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Xavier Guimard's avatar
Xavier Guimard committed
500
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
501 502 503 504 505 506
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
507
                {   k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
508 509
                    v => 'Anse'
                },
510 511
                {   k =>
                        "1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
512 513 514
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
515 516
                {   k =>
                        "1280px-Cedar_Breaks_National_Monument_partially.jpg",
517 518
                    v => 'National Monument'
                },
519
                {   k => "1280px-Parry_Peak_from_Winter_Park.jpg",
520 521
                    v => 'Winter'
                },
522 523 524
                {   k => "Aletschgletscher_mit_Pinus_cembra1.jpg",
                    v => 'Pinus'
                },
525 526 527
            ],
        },
        portalSkinRules => {
Xavier Guimard's avatar
Xavier Guimard committed
528 529 530 531 532 533 534
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
535 536 537
        },

        # Security
538
        formTimeout => {
Xavier Guimard's avatar
Xavier Guimard committed
539 540
            default       => 120,
            type          => 'int',
541 542 543
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Xavier Guimard's avatar
Xavier Guimard committed
544 545
            default       => 1,
            type          => 'bool',
546 547
            documentation => 'Enable token for forms',
        },
548 549 550 551 552
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
553 554 555 556
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Xavier Guimard's avatar
Xavier Guimard committed
557
            flags         => 'hp',
558 559 560 561 562 563
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
564
        portalForceAuthn => {
565
            default => 0,
566 567 568
            type    => 'bool',
            documentation =>
                'Enable force to authenticate when displaying portal',
569
        },
570 571
        portalForceAuthnInterval => {
            default => 5,
572 573
            type    => 'int',
            documentation =>
574
                'Maximun interval in seconds since last authentifcation to force reauthentication',
575
        },
576
        bruteForceProtection => {
577
            default       => 0,
578 579 580 581 582 583 584 585 586 587 588 589 590 591 592
            type          => 'bool',
            documentation => 'Enable brute force attack protection',
        },
        bruteForceProtectionTempo => {
            default => 30,
            type    => 'int',
            documentation =>
                'Brute force attack protection -> Tempo before try again',
        },
        bruteForceProtectionMaxAge => {
            default => 300,
            type    => 'int',
            documentation =>
                'Brute force attack protection -> Max age third failed login',
        },
593
        grantSessionRules => {
Xavier Guimard's avatar
Xavier Guimard committed
594 595
            type          => 'grantContainer',
            keyTest       => $perlExpr,
596
            test          => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
597
            documentation => 'Rules to grant sessions',
598 599 600 601 602 603 604 605 606 607
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
608 609
        cspDefault => {
            type          => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
610
            default       => "'self'",
611 612 613 614
            documentation => 'Default value for Content-Security-Policy',
        },
        cspImg => {
            type          => 'text',
615
            default       => "'self' data:",
616 617 618 619 620 621 622 623 624
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
625
            default       => "'self'",
626 627 628 629 630 631
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
632
                'Authorizated Ajax destination for Content-Security-Policy',
633 634 635 636 637 638
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
639 640 641 642 643 644 645 646 647 648 649 650 651 652 653
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Xavier Guimard's avatar
Xavier Guimard committed
654
        trustedDomains =>
655
            { type => 'text', documentation => 'Trusted domains', },
Xavier Guimard's avatar
Xavier Guimard committed
656
        storePassword => {
657 658 659 660 661 662
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
663
            test          => sub { $_[0] > 0 },
664 665 666 667
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
668
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
669
            test          => sub { $_[0] >= 0 },
670 671 672
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
673 674 675 676 677 678
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
679 680 681 682 683 684 685 686 687 688 689 690 691 692
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Xavier Guimard's avatar
Xavier Guimard committed
693
            flags         => 'h',
694 695 696 697 698 699 700 701 702
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Xavier Guimard's avatar
Xavier Guimard committed
703
            help          => 'safejail.html',
704
            documentation => 'Activate Safe jail',
Xavier Guimard's avatar
Xavier Guimard committed
705
            flags         => 'hp',
706 707 708 709 710
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Xavier Guimard's avatar
Xavier Guimard committed
711
            flags         => 'hp',
712
        },
713
        lwpOpts => {
Xavier Guimard's avatar
Xavier Guimard committed
714 715 716
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
717 718 719 720
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
766
            default       => 0,
767 768 769
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
770 771
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
772
            default       => '$_oidcConnectedRP',
773 774
            documentation => 'Display OIDC consent tab in portal',
        },
775 776

        # Cookies
Xavier Guimard's avatar
Xavier Guimard committed
777
        cookieExpiration => {
778
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
779 780 781
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Xavier Guimard's avatar
Xavier Guimard committed
782
        cookieName => {
783 784 785 786 787
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Xavier Guimard's avatar
Xavier Guimard committed
788
            flags         => 'hp',
789 790
        },
        domain => {
791 792 793 794
            type    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
            msgFail => '__badDomainName__',
            default => 'example.com',
795
            documentation => 'DNS domain',
Xavier Guimard's avatar
Xavier Guimard committed
796
            flags         => 'hp',
797 798 799 800 801
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Xavier Guimard's avatar
Xavier Guimard committed
802
            flags         => 'hp',
803 804 805 806 807 808 809 810 811 812 813
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Xavier Guimard's avatar
Xavier Guimard committed
814
            flags         => 'hp',
815 816 817
        },

        # Notification
818
        oldNotifFormat => {
Xavier Guimard's avatar
Xavier Guimard committed
819 820
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
821
            documentation => 'Use old XML format for notifications',
822
        },
823 824 825 826 827
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Xavier Guimard's avatar
Xavier Guimard committed
828 829 830 831 832
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
833 834 835 836
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
837 838 839 840 841
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
860
            default       => 1,
861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
880
            keyMsgFail    => '__badVariableName__',
881 882 883 884 885 886 887 888
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
889
                'exportedvars.html#extend_variables_using_macros_and_groups',
890 891 892 893 894 895 896
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
897
                'exportedvars.html#extend_variables_using_macros_and_groups',
898
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
Xavier Guimard's avatar
Xavier Guimard committed
899
            keyMsgFail    => '__badMacroName__',
900 901 902 903 904 905 906 907 908 909
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Xavier Guimard's avatar
Xavier Guimard committed
910
            flags         => 'hp',
911 912 913 914 915 916 917
        },
        globalStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'Directory'     => '/var/lib/lemonldap-ng/sessions/',
                'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
                'generateModule' =>
918
                    'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
919 920
            },
            documentation => 'Session backend module options',
Xavier Guimard's avatar
Xavier Guimard committed
921
            flags         => 'hp',
922 923
        },
        localSessionStorage => {
Xavier Guimard's avatar
Xavier Guimard committed
924 925
            type          => 'PerlModule',
            default       => 'Cache::FileCache',
Xavier Guimard's avatar
Xavier Guimard committed
926
            documentation => 'Local sessions cache module',
927 928 929 930 931 932 933 934 935 936 937 938 939 940
        },
        localSessionStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'namespace'          => 'lemonldap-ng-sessions',
                'default_expires_in' => 600,
                'directory_umask'    => '007',
                'cache_root'         => '/tmp',
                'cache_depth'        => 3,
            },
            documentation => 'Sessions cache module options',
        },

        # Persistent storage
Xavier Guimard's avatar
Xavier Guimard committed
941 942 943 944 945 946 947 948 949 950 951 952 953
        persistentStorage => {
            type          => 'PerlModule',
            documentation => 'Storage module for persistent sessions'
        },
        persistentStorageOptions => {
            type          => 'keyTextContainer',
            documentation => 'Options for persistent sessions storage module'
        },
        sessionDataToRemember => {
            type          => 'keyTextContainer',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
            keyMsgFail    => '__invalidSessionData__',
            documentation => 'Data to remember in login history',
954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975
        },

        # SAML issuer
        issuerDBSAMLActivation => {
            default       => 0,
            type          => 'bool',
            documentation => 'SAML IDP activation',
        },
        issuerDBSAMLPath => {
            type          => 'pcre',
            default       => '^/saml/',
            documentation => 'SAML IDP request path',
        },
        issuerDBSAMLRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'SAML IDP rule',
        },

        # OpenID-Connect issuer
        issuerDBOpenIDConnectActivation => {
            type          => 'bool',
976
            default       => 0,
977 978 979 980 981 982 983 984 985 986 987 988 989
            documentation => 'OpenID Connect server activation',
        },
        issuerDBOpenIDConnectPath => {
            type          => 'text',
            default       => '^/oauth2/',
            documentation => 'OpenID Connect server request path',
        },
        issuerDBOpenIDConnectRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'OpenID Connect server rule',
        },

990 991 992
        # GET issuer
        issuerDBGetActivation => {
            type          => 'bool',
993
            default       => 0,
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015
            documentation => 'Get issuer activation',
        },
        issuerDBGetPath => {
            type          => 'text',
            default       => '^/get/',
            documentation => 'Get issuer request path',
        },
        issuerDBGetRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Get issuer rule',
        },
        issuerDBGetParameters => {
            type       => 'doubleHash',
            default    => {},
            keyTest    => qr/^$Regexp::Common::URI::RFC2396::hostname$/,
            keyMsgFail => '__badHostname__',
            test       => {
                keyTest    => qr/^(?=[^\-])[\w\-]+(?<=[^-])$/,
                keyMsgFail => '__badKeyName__',
                test       => sub {
                    my ( $val, $conf ) = @_;
1016
                    return 1
1017
                        if ( defined $conf->{macros}->{$val}
1018 1019 1020
                        or $val eq '_timezone' );
                    foreach ( keys %$conf ) {
                        return 1
1021
                            if ( $_ =~ /exportedvars$/i
1022
                            and defined $conf->{$_}->{$val} );
1023
                    }
1024
                    return ( 1, "__unknownAttrOrMacro__: $val" );
1025 1026 1027 1028 1029
                },
            },
            documentation => 'List of virtualHosts with their get parameters',
        },

1030 1031 1032 1033 1034 1035 1036
        # Password
        mailOnPasswordChange => {
            default       => 0,
            type          => 'bool',
            documentation => 'Send a mail when password is changed',
        },
        portalRequireOldPassword => {
1037 1038 1039 1040
            default => 1,
            type    => 'bool',
            documentation =>
                'Old password is required to change the password',
1041 1042 1043 1044 1045 1046 1047 1048
        },
        hideOldPassword => {
            default       => 0,
            type          => 'bool',
            documentation => 'Hide old password in portal',
        },

        # Mails
Xavier Guimard's avatar
Xavier Guimard committed
1049
        mailBody =>
1050
            { type => 'longtext', documentation => 'Custom mail body', },
1051 1052 1053 1054 1055
        mailCharset => {
            type          => 'text',
            default       => 'utf-8',
            documentation => 'Mail charset',
        },
1056 1057 1058 1059
        mailConfirmBody => {
            type          => 'longtext',
            documentation => 'Custom confirm mail body',
        },
1060 1061 1062 1063 1064 1065 1066 1067 1068
        mailConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for reset confirmation',
        },
        mailFrom => {
            type          => 'text',
            default       => 'noreply@example.com',
            documentation => 'Sender email',
        },
1069 1070
        mailReplyTo =>
            { type => 'text', documentation => 'Reply-To address' },
1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086
        mailSessionKey => {
            type          => 'text',
            default       => 'mail',
            documentation => 'Session parameter where mail is stored',
        },
        mailSubject => {
            type          => 'text',
            documentation => 'Mail subject for new password email',
        },
        mailTimeout => {
            type          => 'int',
            default       => 0,
            documentation => 'Mail session timeout',
        },
        mailUrl => {
            type          => 'url',
1087
            default       => 'http://auth.example.com/resetpwd',
1088 1089 1090
            documentation => 'URL of password reset page',
        },
        SMTPServer => {
1091 1092
            type    => 'text',
            default => '',
1093
            test => qr/^(?:$Regexp::Common::URI::RFC2396::host(?::\d+)?)?$/,
1094 1095
            documentation => 'SMTP Server',
        },
1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113
        SMTPPort => {
            type          => 'int',
            documentation => 'Fix SMTP port',
        },
        SMTPTLS => {
            type    => 'select',
            default => '',
            select  => [
                { k => '',         v => 'none' },
                { k => 'starttls', v => 'SMTP + STARTTLS' },
                { k => 'ssl',      v => 'SMTPS' },
            ],
            documentation => 'TLS protocol to use with SMTP',
        },
        SMTPTLSOpts => {
            type          => 'keyTextContainer',
            documentation => 'TLS/SSL options for SMTP',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1114 1115 1116 1117 1118 1119 1120 1121
        SMTPAuthUser => {
            type          => 'text',
            documentation => 'Login to use to send mails',
        },
        SMTPAuthPass => {
            type          => 'password',
            documentation => 'Password to use to send mails',
        },
1122 1123 1124 1125 1126 1127 1128 1129 1130

        # Registration
        registerConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for register confirmation',
        },
        registerDB => {
            type   => 'select',
            select => [
1131 1132 1133 1134 1135
                { k => 'AD',     v => 'Active Directory' },
                { k => 'Demo',   v => 'Demonstration' },
                { k => 'LDAP',   v => 'LDAP' },
                { k => 'Null',   v => 'None' },
                { k => 'Custom', v => 'customModule' },
1136
            ],
1137
            default       => 'Null',
1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148
            documentation => 'Register module',
        },
        registerDoneSubject => {
            type          => 'text',
            documentation => 'Mail subject when register is done',
        },
        registerTimeout => {
            default       => 0,
            type          => 'int',
            documentation => 'Register session timeout',
        },
1149 1150
        registerUrl => {
            type          => 'text',
1151
            default       => 'http://auth.example.com/register',
1152 1153
            documentation => 'URL of register page',
        },
1154

1155 1156 1157
        # Upgrade session
        upgradeSession => {
            type          => 'bool',
1158
            default       => 1,
1159 1160
            documentation => 'Upgrade session activation',
        },
1161

1162 1163 1164 1165
        # 2F
        max2FDevices => {
            default       => 10,
            type          => 'int',
1166
            documentation => 'Maximum registered 2F devices',
1167 1168 1169 1170
        },
        max2FDevicesNameLength => {
            default       => 20,
            type          => 'int',
1171
            documentation => 'Maximum 2F devices name length',
1172
        },
1173

Xavier Guimard's avatar
Xavier Guimard committed
1174 1175
        # U2F
        u2fActivation => {
Xavier Guimard's avatar
Xavier Guimard committed
1176
            type          => 'boolOrExpr',
Xavier Guimard's avatar
Xavier Guimard committed
1177 1178 1179
            default       => 0,
            documentation => 'U2F activation',
        },
1180
        u2fSelfRegistration => {
1181
            type          => 'boolOrExpr',
1182 1183
            default       => 0,
            documentation => 'U2F self registration activation',
Xavier Guimard's avatar
Xavier Guimard committed
1184
        },
Xavier Guimard's avatar
Xavier Guimard committed
1185 1186 1187
        u2fAuthnLevel => {
            type => 'int',
            documentation =>
1188
                'Authentication level for users authentified by password+U2F'
Xavier Guimard's avatar
Xavier Guimard committed
1189
        },
1190 1191 1192 1193 1194
        u2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing U2F key',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1195

Xavier Guimard's avatar
Xavier Guimard committed
1196 1197 1198 1199 1200 1201
        # TOTP second factor
        totp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'TOTP activation',
        },
1202
        totp2fSelfRegistration => {
1203
            type          => 'boolOrExpr',
Xavier Guimard's avatar
Xavier Guimard committed
1204 1205 1206 1207 1208 1209
            default       => 0,
            documentation => 'TOTP self registration activation',
        },
        totp2fAuthnLevel => {
            type => 'int',
            documentation =>
1210
                'Authentication level for users authentified by password+TOTP'
Xavier Guimard's avatar
Xavier Guimard committed
1211
        },
Xavier Guimard's avatar
Xavier Guimard committed
1212 1213 1214 1215
        totp2fIssuer => {
            type          => 'text',
            documentation => 'TOTP Issuer',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1216 1217 1218 1219 1220 1221 1222 1223 1224 1225
        totp2fInterval => {
            type          => 'int',
            default       => 30,
            documentation => 'TOTP interval',
        },
        totp2fRange => {
            type          => 'int',
            default       => 1,
            documentation => 'TOTP range (number of interval to test)',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1226 1227 1228 1229 1230
        totp2fDigits => {
            type          => 'int',
            default       => 6,
            documentation => 'Number of digits for TOTP code',
        },
1231 1232 1233 1234
        totp2fDisplayExistingSecret => {
            type    => 'bool',
            default => 0,
            documentation =>
1235
                'Display existing TOTP secret in registration form',
1236 1237 1238 1239 1240 1241
        },
        totp2fUserCanChangeKey => {
            type          => 'bool',
            default       => 0,
            documentation => 'Authorize users to change existing TOTP secret',
        },
1242 1243 1244 1245 1246
        totp2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing TOTP secret',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1247

Xavier Guimard's avatar
Xavier Guimard committed
1248 1249 1250 1251 1252 1253 1254 1255 1256
        # UTOTP 2F
        utotp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'UTOTP activation (mixed U2F/TOTP module)',
        },
        utotp2fAuthnLevel => {
            type => 'int',
            documentation =>
1257
                'Authentication level for users authentified by password+(U2F or TOTP)'
Xavier Guimard's avatar