Attributes.pm 117 KB
Newer Older
Christophe Maudoux's avatar
Christophe Maudoux committed
1
#  This file contains the description of all configuration parameters
2 3 4
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Yadd's avatar
Yadd committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

Yadd's avatar
Yadd committed
9
our $VERSION = '2.0.2';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
Yadd's avatar
Yadd committed
15
    my $s = '';
16
    Safe->new->reval("BEGIN { warnings->unimport; } $s $val");
Yadd's avatar
Yadd committed
17 18 19
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
20 21
};

Yadd's avatar
Yadd committed
22
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Yadd's avatar
Yadd committed
23 24 25
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

26 27 28 29 30
sub types {
    return {

        # Simple text types
        text => {
31
            test    => sub {1},
32 33 34
            msgFail => '__malformedValue__',
        },
        password => {
35
            test    => sub {1},
36 37 38
            msgFail => '__malformedValue__',
        },
        longtext => {
39
            test => sub {1}
40 41 42
        },
        url => {
            form    => 'text',
Yadd's avatar
Yadd committed
43
            test    => $url,
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
59
                eval {qr/$_[0]/};
60 61 62 63 64
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Yadd's avatar
Yadd committed
65 66
            test => sub {
                my ( $val, $conf ) = @_;
67
                return 1
68
                    if ( defined $conf->{macros}->{$val}
69
                    or $val eq '_timezone' );
70 71
                foreach ( keys %$conf ) {
                    return 1
72
                        if ( $_ =~ /exportedvars$/i
73
                        and defined $conf->{$_}->{$val} );
Yadd's avatar
Yadd committed
74
                }
75
                return ( 1, "__unknownAttrOrMacro__: $val" );
Yadd's avatar
Yadd committed
76
            },
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Yadd's avatar
Yadd committed
96 97
        keyTextContainer => {
            test       => qr/./,
Yadd's avatar
Yadd committed
98
            msgFail    => '__emptyValueNotAllowed__',
Yadd's avatar
Yadd committed
99
            keyTest    => qr/^\w[\w\.\-]*$/,
Yadd's avatar
Yadd committed
100
            keyMsgFail => '__badKeyName__',
Yadd's avatar
Yadd committed
101 102 103
        },
        subContainer => {
            keyTest => qr/\w/,
104
            test    => sub {1},
Yadd's avatar
Yadd committed
105
        },
Yadd's avatar
Yadd committed
106 107
        select => {
            test => sub {
108
                my $test = grep ( { $_ eq $_[0] }
Yadd's avatar
Yadd committed
109
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Yadd's avatar
Yadd committed
110
                return $test
111 112
                    ? 1
                    : ( 1, "Invalid value '$_[0]' for this select" );
Yadd's avatar
Yadd committed
113 114
            },
        },
115 116 117

        # Files type (long text)
        file => {
118
            test => sub {1}
119 120
        },
        RSAPublicKey => {
121
            test => sub {
122
                return (
123 124
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
125
                    ? (1)
126 127
                    : ( 1, '__badPemEncoding__' )
                );
128
            },
129
        },
130
        'RSAPublicKeyOrCertificate' => {
131
            'test' => sub {
132
                return (
133 134
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
135
                    ? (1)
136 137
                    : ( 1, '__badPemEncoding__' )
                );
138
            },
139
        },
140
        RSAPrivateKey => {
141
            test => sub {
142
                return (
143 144
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
145
                    ? (1)
146 147
                    : ( 1, '__badPemEncoding__' )
                );
148
            },
149 150 151
        },

        authParamsText => {
152
            test => sub {1}
153 154
        },
        blackWhiteList => {
155
            test => sub {1}
156 157
        },
        catAndAppList => {
158
            test => sub {1}
159 160 161
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
Yadd's avatar
Yadd committed
162
            test    => qr/^.*$/,
163 164 165
            msgFail => '__badValue__',
        },
        menuApp => {
166
            test => sub {1}
167 168
        },
        menuCat => {
169
            test => sub {1}
170 171
        },
        oidcOPMetaDataNode => {
172
            test => sub {1}
173 174
        },
        oidcRPMetaDataNode => {
175
            test => sub {1}
176 177
        },
        oidcmetadatajson => {
178
            test => sub {1}
179 180
        },
        oidcmetadatajwks => {
181
            test => sub {1}
182 183
        },
        portalskin => {
184
            test => sub {1}
185 186
        },
        portalskinbackground => {
187
            test => sub {1}
188 189
        },
        post => {
190
            test => sub {1}
191 192
        },
        rule => {
193
            test => sub {1}
194 195
        },
        samlAssertion => {
196
            test => sub {1}
197 198
        },
        samlAttribute => {
199
            test => sub {1}
200 201
        },
        samlIDPMetaDataNode => {
202
            test => sub {1}
203 204
        },
        samlSPMetaDataNode => {
205
            test => sub {1}
206 207
        },
        samlService => {
208
            test => sub {1}
209
        },
210
        array => {
211
            test => sub {1}
212
        },
213 214 215 216 217 218 219
    };
}

sub attributes {
    return {

        # Other
Yadd's avatar
Yadd committed
220 221 222
        checkTime => {
            type => 'int',
            documentation =>
223
                'Timeout to check new configuration in local cache',
Yadd's avatar
Yadd committed
224
            default => 600,
225 226 227 228 229 230
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
231
                [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
Yadd's avatar
Yadd committed
232
        },
Yadd's avatar
Yadd committed
233 234 235 236 237 238 239 240 241 242 243 244
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Yadd's avatar
Yadd committed
245
            documentation => 'Local cache parameters',
Yadd's avatar
Yadd committed
246 247
            flags         => 'hmp',
        },
248 249 250 251 252 253
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
254 255 256
            type => 'text',
            documentation =>
                'Name of the author of the current configuration',
257 258
        },
        cfgAuthorIP => {
259 260 261
            type => 'text',
            documentation =>
                'Uploader IP address of the current configuration',
262 263 264 265 266 267 268 269 270
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
271 272 273 274
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Yadd's avatar
Yadd committed
275 276 277 278 279
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
280 281 282
        confirmFormMethod => {
            type => "select",
            select =>
283
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
284 285 286
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
287 288
        customFunctions => {
            type          => 'text',
Yadd's avatar
Yadd committed
289
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
290
            help          => 'customfunctions.html',
291
            msgFail       => "__badCustomFuncName__",
Yadd's avatar
Yadd committed
292 293
            documentation => 'List of custom functions',
            flags         => 'hmp',
294 295
        },
        https => {
296 297 298
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Yadd's avatar
Yadd committed
299
            flags         => 'h',
300 301 302 303
        },
        infoFormMethod => {
            type => "select",
            select =>
304
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
305 306 307
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Yadd's avatar
Yadd committed
308 309 310 311 312
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
313 314 315 316 317 318
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
319 320 321 322 323
            type    => 'keyTextContainer',
            help    => 'logoutforward.html',
            default => {},
            documentation =>
                'Send logout trough GET request to these services',
324 325 326 327 328
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Yadd's avatar
Yadd committed
329
            flags         => 'h',
330
        },
Yadd's avatar
Yadd committed
331 332 333 334
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
335
            help    => 'handlerarch.html',
Yadd's avatar
Yadd committed
336
            msgFail => '__badPerlPackageName__',
Yadd's avatar
Yadd committed
337
            documentation => 'Custom Nginx handler (deprecated)',
Yadd's avatar
Yadd committed
338
        },
339 340 341 342 343
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
344 345 346 347
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Yadd's avatar
Yadd committed
348
            flags         => 'hmp',
349 350
            test          => $url,
            msgFail       => '__badUrl__',
351
        },
Yadd's avatar
Yadd committed
352 353 354
        portalStatus => {
            type          => 'bool',
            default       => 0,
Yadd's avatar
Typo  
Yadd committed
355
            help          => 'status.html',
Yadd's avatar
Yadd committed
356 357
            documentation => 'Enable portal status',
        },
358 359 360 361
        portalUserAttr => {
            type    => 'text',
            default => '_user',
            documentation =>
362
                'Session parameter to display connected user in portal',
363 364 365 366
        },
        redirectFormMethod => {
            type => "select",
            select =>
367
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
368 369 370
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
371 372 373 374 375 376
        reloadTimeout => {
            type          => 'int',
            default       => 5,
            documentation => 'Configuration reload timeout',
            flags         => 'm',
        },
377
        reloadUrls => {
378 379 380 381 382
            type    => 'keyTextContainer',
            help    => 'configlocation.html#configuration_reload',
            keyTest => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test    => $url,
            msgFail => '__badUrl__',
Yadd's avatar
Yadd committed
383
            documentation => 'URL to call on reload',
384
        },
Clément OUDOT's avatar
Clément OUDOT committed
385
        portalMainLogo => {
386 387 388 389
            type          => 'text',
            default       => 'common/logos/logo_llng_400px.png',
            documentation => 'Portal main logo path',
        },
390 391 392 393 394
        showLanguages => {
            type          => 'bool',
            default       => 1,
            documentation => 'Display langs icons',
        },
395 396 397 398
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
Yadd's avatar
Yadd committed
399 400 401 402
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Yadd's avatar
Yadd committed
403
            flags         => 'hmp',
Yadd's avatar
Yadd committed
404
        },
Yadd's avatar
Yadd committed
405
        stayConnected => {
Yadd's avatar
Typo  
Yadd committed
406 407
            type => 'bool',

408
            #help          => 'stayconnected.html',
409
            default       => 0,
Yadd's avatar
Yadd committed
410 411
            documentation => 'Enable StayConnected plugin',
        },
Yadd's avatar
Yadd committed
412
        checkState => {
413
            type          => 'bool',
414
            default       => 0,
Yadd's avatar
Yadd committed
415 416
            documentation => 'Enable CheckState plugin',
        },
417
        checkStateSecret => {
418
            type          => 'text',
Yadd's avatar
Yadd committed
419 420
            documentation => 'Secret token for CheckState plugin',
        },
421
        skipRenewConfirmation => {
422 423
            type    => 'bool',
            default => 0,
424
            documentation =>
425
                'Avoid asking confirmation when an Issuer asks to renew auth',
426
        },
427 428 429 430
        handlerInternalCache => {
            type          => 'int',
            default       => 15,
            documentation => 'Handler internal cache timeout',
Christophe Maudoux's avatar
Christophe Maudoux committed
431
            flags         => 'hp',
432
        },
433

434 435 436 437 438 439 440 441 442
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
Yadd's avatar
Yadd committed
443
            flags         => 'hmp',
444 445 446 447
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
Yadd's avatar
Yadd committed
448
            flags         => 'hmp',
449 450 451 452
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
Yadd's avatar
Yadd committed
453
            flags         => 'hmp',
454 455 456 457
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
Yadd's avatar
Yadd committed
458
            flags         => 'hmp',
459 460 461 462
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
Yadd's avatar
Yadd committed
463
            flags         => 'hmp',
464 465 466 467
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
Yadd's avatar
Yadd committed
468
            flags         => 'hmp',
469 470 471
        },

        # Manager or PSGI protected apps
472
        protection => {
473 474 475
            type    => 'text',
            test    => qr/^(?:none|authenticate|manager|)$/,
            msgFail => '__authorizedValues__: none authenticate manager',
476
            documentation => 'Manager protection method',
Yadd's avatar
Yadd committed
477
            flags         => 'hm',
478 479 480 481 482 483 484 485 486 487
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
Yadd's avatar
Yadd committed
488
            keyTest => qr/\w/,
489 490
            help    => 'portalmenu.html#categories_and_applications',
            default => {
491 492
                default =>
                    { catname => 'Default category', type => "category" }
493 494 495
            },
            documentation => 'Applications list',
        },
496 497 498 499 500
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
501
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
502 503 504
            type    => 'bool',
            default => 0,
            documentation =>
505
                'Show error if mail is not found in password reset process',
506
        },
507 508 509 510 511 512 513 514 515 516 517 518 519 520
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Yadd's avatar
Yadd committed
521
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
522 523 524 525 526 527
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
528
                {   k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
529 530
                    v => 'Anse'
                },
531 532
                {   k =>
                        "1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
533 534 535
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
536 537
                {   k =>
                        "1280px-Cedar_Breaks_National_Monument_partially.jpg",
538 539
                    v => 'National Monument'
                },
540
                {   k => "1280px-Parry_Peak_from_Winter_Park.jpg",
541 542
                    v => 'Winter'
                },
543
                {   k => "Aletschgletscher_mit_Pinus_cembra1.jpg",
544 545
                    v => 'Pinus'
                },
546 547 548
            ],
        },
        portalSkinRules => {
Yadd's avatar
Yadd committed
549 550 551 552 553 554 555
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
556 557 558
        },

        # Security
Yadd's avatar
Yadd committed
559
        formTimeout => {
Yadd's avatar
Yadd committed
560 561
            default       => 120,
            type          => 'int',
Yadd's avatar
Yadd committed
562 563 564
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Yadd's avatar
Yadd committed
565 566
            default       => 1,
            type          => 'bool',
Yadd's avatar
Yadd committed
567 568
            documentation => 'Enable token for forms',
        },
569 570 571 572 573
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
574 575 576 577
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Yadd's avatar
Yadd committed
578
            flags         => 'hp',
579 580 581 582 583 584
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
585
        portalForceAuthn => {
586
            default => 0,
587
            help    => 'forcereauthn.html',
588 589
            type    => 'bool',
            documentation =>
590
                'Enable force to authenticate when displaying portal',
591
        },
592 593
        portalForceAuthnInterval => {
            default => 5,
594 595
            type    => 'int',
            documentation =>
596
                'Maximum interval in seconds since last authentication to force reauthentication',
597
        },
598
        bruteForceProtection => {
599
            default       => 0,
600
            help          => 'bruteforceprotection.html',
601 602 603 604 605 606 607
            type          => 'bool',
            documentation => 'Enable brute force attack protection',
        },
        bruteForceProtectionTempo => {
            default => 30,
            type    => 'int',
            documentation =>
608
                'Brute force attack protection -> Tempo before try again',
609 610 611 612 613
        },
        bruteForceProtectionMaxAge => {
            default => 300,
            type    => 'int',
            documentation =>
614
                'Brute force attack protection -> Max age between last and first allowed failed login',
615 616 617 618 619
        },
        bruteForceProtectionMaxFailed => {
            default => 3,
            type    => 'int',
            documentation =>
620
                'Brute force attack protection -> Max allowed failed login',
621
        },
622
        grantSessionRules => {
Yadd's avatar
Yadd committed
623 624
            type          => 'grantContainer',
            keyTest       => $perlExpr,
625
            test          => sub {1},
Yadd's avatar
Yadd committed
626
            documentation => 'Rules to grant sessions',
627 628 629 630 631 632 633 634 635 636
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
637 638
        cspDefault => {
            type          => 'text',
Yadd's avatar
Yadd committed
639
            default       => "'self'",
640 641
            documentation => 'Default value for Content-Security-Policy',
        },
642
        cspFormAction => {
643 644 645
            type    => 'text',
            default => "'self'",
            documentation =>
646
                'Form action destination for Content-Security-Policy',
647
        },
648 649
        cspImg => {
            type          => 'text',
650
            default       => "'self' data:",
651 652 653 654 655 656 657 658 659
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
Yadd's avatar
Yadd committed
660
            default       => "'self'",
661 662 663 664 665 666
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
667
                'Authorized Ajax destination for Content-Security-Policy',
668 669 670 671 672 673
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
674 675 676 677 678 679 680 681 682 683 684 685 686 687 688
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Yadd's avatar
Yadd committed
689
        trustedDomains =>
690
            { type => 'text', documentation => 'Trusted domains', },
Yadd's avatar
Yadd committed
691
        storePassword => {
692 693 694 695 696 697
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Yadd's avatar
Yadd committed
698
            test          => sub { $_[0] > 0 },
699 700 701 702
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
703
            type          => 'int',
Yadd's avatar
Yadd committed
704
            test          => sub { $_[0] >= 0 },
705 706 707
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
708 709 710 711 712 713
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
714 715 716 717 718 719 720 721 722 723 724 725 726 727
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Yadd's avatar
Yadd committed
728
            flags         => 'h',
729 730 731 732 733 734 735 736 737
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Yadd's avatar
Yadd committed
738
            help          => 'safejail.html',
739
            documentation => 'Activate Safe jail',
Yadd's avatar
Yadd committed
740
            flags         => 'hp',
741 742 743 744 745
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Yadd's avatar
Yadd committed
746
            flags         => 'hp',
747
        },
Yadd's avatar
Yadd committed
748
        lwpOpts => {
Yadd's avatar
Yadd committed
749 750 751
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
Yadd's avatar
Yadd committed
752 753 754 755
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
Yadd's avatar
Yadd committed
801
            default       => 0,
802 803 804
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
805
        passwordResetAllowedRetries => {
Christophe Maudoux's avatar
Christophe Maudoux committed
806
            default       => 3,
807 808 809
            type          => 'int',
            documentation => 'Maximum number of retries to reset password',
        },
Yadd's avatar
Yadd committed
810 811
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
812
            default       => '$_oidcConnectedRP',
Yadd's avatar
Yadd committed
813 814
            documentation => 'Display OIDC consent tab in portal',
        },
815 816

        # Cookies
Yadd's avatar
Yadd committed
817
        cookieExpiration => {
818
            type          => 'int',
Yadd's avatar
Yadd committed
819 820 821
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Yadd's avatar
Yadd committed
822
        cookieName => {
823 824 825 826 827
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Yadd's avatar
Yadd committed
828
            flags         => 'hp',
829 830
        },
        domain => {
831 832 833 834
            type    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
            msgFail => '__badDomainName__',
            default => 'example.com',
835
            documentation => 'DNS domain',
Yadd's avatar
Yadd committed
836
            flags         => 'hp',
837 838 839 840 841
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Yadd's avatar
Yadd committed
842
            flags         => 'hp',
843 844 845 846 847 848 849 850 851 852 853
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Yadd's avatar
Yadd committed
854
            flags         => 'hp',
855 856 857
        },

        # Notification
858
        oldNotifFormat => {
Yadd's avatar
Yadd committed
859 860
            type          => 'bool',
            default       => 0,
Yadd's avatar
Yadd committed
861
            documentation => 'Use old XML format for notifications',
862
        },
863 864 865 866 867
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Yadd's avatar
Yadd committed
868 869 870 871 872
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
873 874 875 876
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
Yadd's avatar
Yadd committed
877 878 879 880 881
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
900
            default       => 1,
901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
Yadd's avatar
Yadd committed
920
            keyMsgFail    => '__badVariableName__',
921 922 923 924 925 926 927 928
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
929
                'exportedvars.html#extend_variables_using_macros_and_groups',
930 931 932 933 934 935 936
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
937
                'exportedvars.html#extend_variables_using_macros_and_groups',
938
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
Yadd's avatar
Yadd committed
939
            keyMsgFail    => '__badMacroName__',
940 941 942 943 944 945 946 947 948 949
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Yadd's avatar
Yadd committed
950
            flags         => 'hp',