Attributes.pm 117 KB
Newer Older
Christophe Maudoux's avatar
Christophe Maudoux committed
1
#  This file contains the description of all configuration parameters
2 3 4
# It may be included only by batch files, never in portal or handler chain
# for performances reasons

Xavier Guimard's avatar
Xavier Guimard committed
5
# DON'T FORGET TO RUN "make json" AFTER EACH CHANGE
6 7 8

package Lemonldap::NG::Manager::Build::Attributes;

Xavier Guimard's avatar
Xavier Guimard committed
9
our $VERSION = '2.0.2';
10 11 12 13
use strict;
use Regexp::Common qw/URI/;

my $perlExpr = sub {
14
    my ( $val, $conf ) = @_;
15
    my $s = '';
16
    Safe->new->reval("BEGIN { warnings->unimport; } $s $val");
17 18 19
    my $err = join( '',
        grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
    return $err ? ( 1, "__badExpression__: $err" ) : (1);
20 21
};

22
my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
Xavier Guimard's avatar
Xavier Guimard committed
23 24 25
$url =~ s/(?<=[^\\])\$/\\\$/g;
$url = qr/$url/;

26 27 28 29 30
sub types {
    return {

        # Simple text types
        text => {
31
            test    => sub {1},
32 33 34
            msgFail => '__malformedValue__',
        },
        password => {
35
            test    => sub {1},
36 37 38
            msgFail => '__malformedValue__',
        },
        longtext => {
39
            test => sub {1}
40 41 42
        },
        url => {
            form    => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
43
            test    => $url,
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
            msgFail => '__badUrl__',
        },
        PerlModule => {
            form    => 'text',
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
            msgFail => '__badPerlPackageName__',
        },
        hostname => {
            form    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::host)?$/,
            msgFail => '__badHostname__',
        },
        pcre => {
            form => 'text',
            test => sub {
59
                eval {qr/$_[0]/};
60 61 62 63 64
                return $@ ? ( 0, "__badRegexp__: $@" ) : (1);
            },
        },
        lmAttrOrMacro => {
            form => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
65 66
            test => sub {
                my ( $val, $conf ) = @_;
67
                return 1
68
                    if ( defined $conf->{macros}->{$val}
69
                    or $val eq '_timezone' );
70 71
                foreach ( keys %$conf ) {
                    return 1
72
                        if ( $_ =~ /exportedvars$/i
73
                        and defined $conf->{$_}->{$val} );
Xavier Guimard's avatar
Xavier Guimard committed
74
                }
75
                return ( 1, "__unknownAttrOrMacro__: $val" );
Xavier Guimard's avatar
Xavier Guimard committed
76
            },
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
        },

        # Other types
        int => {
            test    => qr/^\-?\d+$/,
            msgFail => '__notAnInteger__',
        },
        bool => {
            test    => qr/^[01]$/,
            msgFail => '__notABoolean__',
        },
        trool => {
            test    => qr/^(?:-1|0|1)$/,
            msgFail => '__authorizedValues__: -1, 0, 1',
        },
        boolOrExpr => {
            test    => $perlExpr,
            msgFail => '__notAValidPerlExpression__',
        },
Xavier Guimard's avatar
Xavier Guimard committed
96 97
        keyTextContainer => {
            test       => qr/./,
98
            msgFail    => '__emptyValueNotAllowed__',
Xavier Guimard's avatar
Xavier Guimard committed
99
            keyTest    => qr/^\w[\w\.\-]*$/,
100
            keyMsgFail => '__badKeyName__',
Xavier Guimard's avatar
Xavier Guimard committed
101 102 103
        },
        subContainer => {
            keyTest => qr/\w/,
104
            test    => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
105
        },
Xavier Guimard's avatar
Xavier Guimard committed
106 107
        select => {
            test => sub {
108
                my $test = grep ( { $_ eq $_[0] }
109
                    map ( { $_->{k} } @{ $_[2]->{select} } ) );
Xavier Guimard's avatar
Xavier Guimard committed
110
                return $test
111 112
                    ? 1
                    : ( 1, "Invalid value '$_[0]' for this select" );
Xavier Guimard's avatar
Xavier Guimard committed
113 114
            },
        },
115 116 117

        # Files type (long text)
        file => {
118
            test => sub {1}
119 120
        },
        RSAPublicKey => {
121
            test => sub {
122
                return (
123 124
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+PUBLIC\s+KEY\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+PUBLIC\s+KEY\s*\-+)?[\r\n]*)?$/s
125
                    ? (1)
126 127
                    : ( 1, '__badPemEncoding__' )
                );
128
            },
129
        },
130
        'RSAPublicKeyOrCertificate' => {
131
            'test' => sub {
132
                return (
133 134
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+)?[\r\n]*)?$/s
135
                    ? (1)
136 137
                    : ( 1, '__badPemEncoding__' )
                );
138
            },
139
        },
140
        RSAPrivateKey => {
141
            test => sub {
142
                return (
143 144
                    $_[0]
                        =~ /^(?:(?:\-+\s*BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY\s*\-+\r?\n)?(?:Proc-Type:.*\r?\nDEK-Info:.*\r?\n[\r\n]*)?[a-zA-Z0-9\/\+\r\n]+={0,2}(?:\r?\n\-+\s*END\s+(?:RSA\s+)PRIVATE\s+KEY\s*\-+)?[\r\n]*)?$/s
145
                    ? (1)
146 147
                    : ( 1, '__badPemEncoding__' )
                );
148
            },
149 150 151
        },

        authParamsText => {
152
            test => sub {1}
153 154
        },
        blackWhiteList => {
155
            test => sub {1}
156 157
        },
        catAndAppList => {
158
            test => sub {1}
159 160 161
        },
        keyText => {
            keyTest => qr/^[a-zA-Z0-9_]+$/,
162
            test    => qr/^.*$/,
163 164 165
            msgFail => '__badValue__',
        },
        menuApp => {
166
            test => sub {1}
167 168
        },
        menuCat => {
169
            test => sub {1}
170 171
        },
        oidcOPMetaDataNode => {
172
            test => sub {1}
173 174
        },
        oidcRPMetaDataNode => {
175
            test => sub {1}
176 177
        },
        oidcmetadatajson => {
178
            test => sub {1}
179 180
        },
        oidcmetadatajwks => {
181
            test => sub {1}
182 183
        },
        portalskin => {
184
            test => sub {1}
185 186
        },
        portalskinbackground => {
187
            test => sub {1}
188 189
        },
        post => {
190
            test => sub {1}
191 192
        },
        rule => {
193
            test => sub {1}
194 195
        },
        samlAssertion => {
196
            test => sub {1}
197 198
        },
        samlAttribute => {
199
            test => sub {1}
200 201
        },
        samlIDPMetaDataNode => {
202
            test => sub {1}
203 204
        },
        samlSPMetaDataNode => {
205
            test => sub {1}
206 207
        },
        samlService => {
208
            test => sub {1}
209
        },
210
        array => {
211
            test => sub {1}
212
        },
213 214 215 216 217 218 219
    };
}

sub attributes {
    return {

        # Other
220 221 222
        checkTime => {
            type => 'int',
            documentation =>
223
                'Timeout to check new configuration in local cache',
224
            default => 600,
225 226 227 228 229 230
            flags   => 'hp',
        },
        mySessionAuthorizedRWKeys => {
            type          => 'array',
            documentation => 'Alterable session keys by user itself',
            default =>
231
                [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
232
        },
Xavier Guimard's avatar
Xavier Guimard committed
233 234 235 236 237 238 239 240 241 242 243 244
        configStorage => {
            type          => 'text',
            documentation => 'Configuration storage',
            flags         => 'hmp',
        },
        localStorage => {
            type          => 'text',
            documentation => 'Local cache',
            flags         => 'hmp',
        },
        localStorageOptions => {
            type          => 'keyTextContainer',
Xavier Guimard's avatar
Xavier Guimard committed
245
            documentation => 'Local cache parameters',
Xavier Guimard's avatar
Xavier Guimard committed
246 247
            flags         => 'hmp',
        },
248 249 250 251 252 253
        cfgNum => {
            type          => 'int',
            default       => 0,
            documentation => 'Enable Cross Domain Authentication',
        },
        cfgAuthor => {
254 255 256
            type => 'text',
            documentation =>
                'Name of the author of the current configuration',
257 258
        },
        cfgAuthorIP => {
259 260 261
            type => 'text',
            documentation =>
                'Uploader IP address of the current configuration',
262 263 264 265 266 267 268 269 270
        },
        cfgDate => {
            type          => 'int',
            documentation => 'Timestamp of the current configuration',
        },
        cfgLog => {
            type          => 'longtext',
            documentation => 'Configuration update log',
        },
271 272 273 274
        cfgVersion => {
            type          => 'text',
            documentation => 'Version of LLNG which build configuration',
        },
Xavier Guimard's avatar
Xavier Guimard committed
275 276 277 278 279
        status => {
            type          => 'bool',
            documentation => 'Status daemon activation',
            flags         => 'h',
        },
280 281 282
        confirmFormMethod => {
            type => "select",
            select =>
283
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
284 285 286
            default       => 'post',
            documentation => 'HTTP method for confirm page form',
        },
287 288
        customFunctions => {
            type          => 'text',
289
            test          => qr/^(?:\w+(?:::\w+)*(?:\s+\w+(?:::\w+)*)*)?$/,
290
            help          => 'customfunctions.html',
291
            msgFail       => "__badCustomFuncName__",
Xavier Guimard's avatar
Xavier Guimard committed
292 293
            documentation => 'List of custom functions',
            flags         => 'hmp',
294 295
        },
        https => {
296 297 298
            default       => 0,
            type          => 'bool',
            documentation => 'Use HTTPS for redirection from portal',
Xavier Guimard's avatar
Xavier Guimard committed
299
            flags         => 'h',
300 301 302 303
        },
        infoFormMethod => {
            type => "select",
            select =>
304
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
305 306 307
            default       => 'get',
            documentation => 'HTTP method for info page form',
        },
Xavier Guimard's avatar
Xavier Guimard committed
308 309 310 311 312
        port => {
            type          => 'int',
            documentation => 'Force port in redirection',
            flags         => 'h',
        },
313 314 315 316 317 318
        jsRedirect => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Use javascript for redirections',
        },
        logoutServices => {
319 320 321 322 323
            type    => 'keyTextContainer',
            help    => 'logoutforward.html',
            default => {},
            documentation =>
                'Send logout trough GET request to these services',
324 325 326 327 328
        },
        maintenance => {
            default       => 0,
            type          => 'bool',
            documentation => 'Maintenance mode for all virtual hosts',
Xavier Guimard's avatar
Xavier Guimard committed
329
            flags         => 'h',
330
        },
331 332 333 334
        nginxCustomHandlers => {
            type    => 'keyTextContainer',
            keyTest => qr/^\w+$/,
            test    => qr/^[a-zA-Z][a-zA-Z0-9]*(?:::[a-zA-Z][a-zA-Z0-9]*)*$/,
335
            help    => 'handlerarch.html',
336
            msgFail => '__badPerlPackageName__',
Xavier Guimard's avatar
Xavier Guimard committed
337
            documentation => 'Custom Nginx handler (deprecated)',
338
        },
339 340 341 342 343
        noAjaxHook => {
            default       => 0,
            type          => 'bool',
            documentation => 'Avoid replacing 302 by 401 for Ajax responses',
        },
344 345 346 347
        portal => {
            type          => 'url',
            default       => 'http://auth.example.com/',
            documentation => 'Portal URL',
Xavier Guimard's avatar
Xavier Guimard committed
348
            flags         => 'hmp',
349 350
            test          => $url,
            msgFail       => '__badUrl__',
351
        },
352 353 354
        portalStatus => {
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
355
            help          => 'status.html',
356 357
            documentation => 'Enable portal status',
        },
358 359 360 361
        portalUserAttr => {
            type    => 'text',
            default => '_user',
            documentation =>
362
                'Session parameter to display connected user in portal',
363 364 365 366
        },
        redirectFormMethod => {
            type => "select",
            select =>
367
                [ { k => 'get', v => 'GET' }, { k => 'post', v => 'POST' }, ],
368 369 370
            default       => 'get',
            documentation => 'HTTP method for redirect page form',
        },
371 372 373 374 375 376
        reloadTimeout => {
            type          => 'int',
            default       => 5,
            documentation => 'Configuration reload timeout',
            flags         => 'm',
        },
377
        reloadUrls => {
378 379 380 381 382
            type    => 'keyTextContainer',
            help    => 'configlocation.html#configuration_reload',
            keyTest => qr/^$Regexp::Common::URI::RFC2396::host(?::\d+)?$/,
            test    => $url,
            msgFail => '__badUrl__',
Xavier Guimard's avatar
Xavier Guimard committed
383
            documentation => 'URL to call on reload',
384
        },
Clément OUDOT's avatar
Clément OUDOT committed
385
        portalMainLogo => {
386 387 388 389
            type          => 'text',
            default       => 'common/logos/logo_llng_400px.png',
            documentation => 'Portal main logo path',
        },
390 391 392 393 394
        showLanguages => {
            type          => 'bool',
            default       => 1,
            documentation => 'Display langs icons',
        },
395 396 397 398
        staticPrefix => {
            type          => 'text',
            documentation => 'Prefix of static files for HTML templates',
        },
399 400 401 402
        multiValuesSeparator => {
            type          => 'authParamsText',
            default       => '; ',
            documentation => 'Separator for multiple values',
Xavier Guimard's avatar
Xavier Guimard committed
403
            flags         => 'hmp',
404
        },
405
        stayConnected => {
Xavier Guimard's avatar
Xavier Guimard committed
406 407
            type => 'bool',

408
            #help          => 'stayconnected.html',
409
            default       => 0,
410 411
            documentation => 'Enable StayConnected plugin',
        },
412
        checkState => {
413
            type          => 'bool',
414
            default       => 0,
415 416
            documentation => 'Enable CheckState plugin',
        },
417
        checkStateSecret => {
418
            type          => 'text',
419 420
            documentation => 'Secret token for CheckState plugin',
        },
421
        skipRenewConfirmation => {
422 423
            type    => 'bool',
            default => 0,
424
            documentation =>
425
                'Avoid asking confirmation when an Issuer asks to renew auth',
426
        },
427 428 429 430
        handlerInternalCache => {
            type          => 'int',
            default       => 15,
            documentation => 'Handler internal cache timeout',
Christophe Maudoux's avatar
Christophe Maudoux committed
431
            flags         => 'hp',
432
        },
433

434 435 436 437 438 439 440 441 442
        # Loggers (ini only)
        logLevel => {
            type          => 'text',
            documentation => 'Log level, must be set in .ini',
            flags         => 'hmp',
        },
        logger => {
            type          => 'text',
            documentation => 'technical logger',
443
            flags         => 'hmp',
444 445 446 447
        },
        userLogger => {
            type          => 'text',
            documentation => 'User actions logger',
448
            flags         => 'hmp',
449 450 451 452
        },
        log4perlConfFile => {
            type          => 'text',
            documentation => 'Log4Perl logger configuration file',
453
            flags         => 'hmp',
454 455 456 457
        },
        sentryDsn => {
            type          => 'text',
            documentation => 'Sentry logger DSN',
458
            flags         => 'hmp',
459 460 461 462
        },
        syslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger technical facility',
463
            flags         => 'hmp',
464 465 466 467
        },
        userSyslogFacility => {
            type          => 'text',
            documentation => 'Syslog logger user-actions facility',
468
            flags         => 'hmp',
469 470 471
        },

        # Manager or PSGI protected apps
472
        protection => {
473 474 475
            type    => 'text',
            test    => qr/^(?:none|authenticate|manager|)$/,
            msgFail => '__authorizedValues__: none authenticate manager',
476
            documentation => 'Manager protection method',
Xavier Guimard's avatar
Xavier Guimard committed
477
            flags         => 'hm',
478 479 480 481 482 483 484 485 486 487
        },

        # Menu
        activeTimer => {
            type          => 'bool',
            default       => 1,
            documentation => 'Enable timers on portal pages',
        },
        applicationList => {
            type    => 'catAndAppList',
488
            keyTest => qr/\w/,
489 490
            help    => 'portalmenu.html#categories_and_applications',
            default => {
491 492
                default =>
                    { catname => 'Default category', type => "category" }
493 494 495
            },
            documentation => 'Applications list',
        },
496 497 498 499 500
        portalErrorOnExpiredSession => {
            type          => 'bool',
            default       => 1,
            documentation => 'Show error if session is expired',
        },
501
        portalErrorOnMailNotFound => {
dcoutadeur dcoutadeur's avatar
dcoutadeur dcoutadeur committed
502 503 504
            type    => 'bool',
            default => 0,
            documentation =>
505
                'Show error if mail is not found in password reset process',
506
        },
507 508 509 510 511 512 513 514 515 516 517 518 519 520
        portalOpenLinkInNewWindow => {
            type          => 'bool',
            default       => 0,
            documentation => 'Open applications in new windows',
        },
        portalPingInterval => {
            type          => 'int',
            default       => 60000,
            documentation => 'Interval in ms between portal Ajax pings ',
        },
        portalSkin => {
            type          => 'portalskin',
            default       => 'bootstrap',
            documentation => 'Name of portal skin',
Xavier Guimard's avatar
Xavier Guimard committed
521
            select        => [ { k => 'bootstrap', v => 'Bootstrap' }, ],
522 523 524 525 526 527
        },
        portalSkinBackground => {
            type          => 'portalskinbackground',
            documentation => 'Background image of portal skin',
            select        => [
                { k => "", v => 'None' },
528
                {   k => "1280px-Anse_Source_d'Argent_2-La_Digue.jpg",
529 530
                    v => 'Anse'
                },
531 532
                {   k =>
                        "1280px-Autumn-clear-water-waterfall-landscape_-_Virginia_-_ForestWander.jpg",
533 534 535
                    v => 'Waterfall'
                },
                { k => "1280px-BrockenSnowedTrees.jpg", v => 'Snowed Trees' },
536 537
                {   k =>
                        "1280px-Cedar_Breaks_National_Monument_partially.jpg",
538 539
                    v => 'National Monument'
                },
540
                {   k => "1280px-Parry_Peak_from_Winter_Park.jpg",
541 542
                    v => 'Winter'
                },
543
                {   k => "Aletschgletscher_mit_Pinus_cembra1.jpg",
544 545
                    v => 'Pinus'
                },
546 547 548
            ],
        },
        portalSkinRules => {
Xavier Guimard's avatar
Xavier Guimard committed
549 550 551 552 553 554 555
            type          => 'keyTextContainer',
            help          => 'portalcustom.html',
            keyTest       => $perlExpr,
            keyMsgFail    => '__badSkinRule__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
            documentation => 'Rules to choose portal skin',
556 557 558
        },

        # Security
559
        formTimeout => {
Xavier Guimard's avatar
Xavier Guimard committed
560 561
            default       => 120,
            type          => 'int',
562 563 564
            documentation => 'Token timeout for forms',
        },
        requireToken => {
Xavier Guimard's avatar
Xavier Guimard committed
565 566
            default       => 1,
            type          => 'bool',
567 568
            documentation => 'Enable token for forms',
        },
569 570 571 572 573
        tokenUseGlobalStorage => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable global token storage',
        },
574 575 576 577
        cda => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable Cross Domain Authentication',
Xavier Guimard's avatar
Xavier Guimard committed
578
            flags         => 'hp',
579 580 581 582 583 584
        },
        checkXSS => {
            default       => 1,
            type          => 'bool',
            documentation => 'Check XSS',
        },
585
        portalForceAuthn => {
586
            default => 0,
587
            help    => 'forcereauthn.html',
588 589
            type    => 'bool',
            documentation =>
590
                'Enable force to authenticate when displaying portal',
591
        },
592 593
        portalForceAuthnInterval => {
            default => 5,
594 595
            type    => 'int',
            documentation =>
596
                'Maximum interval in seconds since last authentication to force reauthentication',
597
        },
598
        bruteForceProtection => {
599
            default       => 0,
600
            help          => 'bruteforceprotection.html',
601 602 603 604 605 606 607
            type          => 'bool',
            documentation => 'Enable brute force attack protection',
        },
        bruteForceProtectionTempo => {
            default => 30,
            type    => 'int',
            documentation =>
608
                'Brute force attack protection -> Tempo before try again',
609 610 611 612 613
        },
        bruteForceProtectionMaxAge => {
            default => 300,
            type    => 'int',
            documentation =>
614
                'Brute force attack protection -> Max age between last and first allowed failed login',
615 616 617 618 619
        },
        bruteForceProtectionMaxFailed => {
            default => 3,
            type    => 'int',
            documentation =>
620
                'Brute force attack protection -> Max allowed failed login',
621
        },
622
        grantSessionRules => {
Xavier Guimard's avatar
Xavier Guimard committed
623 624
            type          => 'grantContainer',
            keyTest       => $perlExpr,
625
            test          => sub {1},
Xavier Guimard's avatar
Xavier Guimard committed
626
            documentation => 'Rules to grant sessions',
627 628 629 630 631 632 633 634 635 636
        },
        hiddenAttributes => {
            type          => 'text',
            default       => '_password',
            documentation => 'Name of attributes to hide in logs',
        },
        key => {
            type          => 'password',
            documentation => 'Secret key',
        },
637 638
        cspDefault => {
            type          => 'text',
Xavier Guimard's avatar
Xavier Guimard committed
639
            default       => "'self'",
640 641
            documentation => 'Default value for Content-Security-Policy',
        },
642
        cspFormAction => {
643 644 645
            type    => 'text',
            default => "'self'",
            documentation =>
646
                'Form action destination for Content-Security-Policy',
647
        },
648 649
        cspImg => {
            type          => 'text',
650
            default       => "'self' data:",
651 652 653 654 655 656 657 658 659
            documentation => 'Image source for Content-Security-Policy',
        },
        cspScript => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Javascript source for Content-Security-Policy',
        },
        cspStyle => {
            type          => 'text',
660
            default       => "'self'",
661 662 663 664 665 666
            documentation => 'Style source for Content-Security-Policy',
        },
        cspConnect => {
            type    => 'text',
            default => "'self'",
            documentation =>
667
                'Authorized Ajax destination for Content-Security-Policy',
668 669 670 671 672 673
        },
        cspFont => {
            type          => 'text',
            default       => "'self'",
            documentation => 'Font source for Content-Security-Policy',
        },
674 675 676 677 678 679 680 681 682 683 684 685 686 687 688
        portalAntiFrame => {
            default       => 1,
            type          => 'bool',
            documentation => 'Avoid portal to be displayed inside frames',
        },
        portalCheckLogins => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display login history checkbox in portal',
        },
        randomPasswordRegexp => {
            type          => 'pcre',
            default       => '[A-Z]{3}[a-z]{5}.\d{2}',
            documentation => 'Regular expression to create a random password',
        },
Xavier Guimard's avatar
Xavier Guimard committed
689
        trustedDomains =>
690
            { type => 'text', documentation => 'Trusted domains', },
Xavier Guimard's avatar
Xavier Guimard committed
691
        storePassword => {
692 693 694 695 696 697
            default       => 0,
            type          => 'bool',
            documentation => 'Store password in session',
        },
        timeout => {
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
698
            test          => sub { $_[0] > 0 },
699 700 701 702
            default       => 72000,
            documentation => 'Session timeout on server side',
        },
        timeoutActivity => {
703
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
704
            test          => sub { $_[0] >= 0 },
705 706 707
            default       => 0,
            documentation => 'Session activity timeout on server side',
        },
708 709 710 711 712 713
        timeoutActivityInterval => {
            type          => 'int',
            test          => sub { $_[0] >= 0 },
            default       => 60,
            documentation => 'Update session timeout interval on server side',
        },
714 715 716 717 718 719 720 721 722 723 724 725 726 727
        trustedProxies => {
            type          => 'text',
            default       => '',
            documentation => 'Trusted proxies',
        },
        userControl => {
            type          => 'pcre',
            default       => '^[\w\.\-@]+$',
            documentation => 'Regular expression to validate login',
        },
        useRedirectOnError => {
            type          => 'bool',
            default       => 1,
            documentation => 'Use 302 redirect code for error (500)',
Xavier Guimard's avatar
Xavier Guimard committed
728
            flags         => 'h',
729 730 731 732 733 734 735 736 737
        },
        useRedirectOnForbidden => {
            default       => 0,
            type          => 'bool',
            documentation => 'Use 302 redirect code for forbidden (403)',
        },
        useSafeJail => {
            default       => 1,
            type          => 'bool',
Xavier Guimard's avatar
Xavier Guimard committed
738
            help          => 'safejail.html',
739
            documentation => 'Activate Safe jail',
Xavier Guimard's avatar
Xavier Guimard committed
740
            flags         => 'hp',
741 742 743 744 745
        },
        whatToTrace => {
            type          => 'lmAttrOrMacro',
            default       => 'uid',
            documentation => 'Session parameter used to fill REMOTE_USER',
Xavier Guimard's avatar
Xavier Guimard committed
746
            flags         => 'hp',
747
        },
748
        lwpOpts => {
749 750 751
            type          => 'keyTextContainer',
            documentation => 'Options given to LWP::UserAgent',
        },
752 753 754 755
        lwpSslOpts => {
            type          => 'keyTextContainer',
            documentation => 'SSL options given to LWP::UserAgent',
        },
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800

        # History
        failedLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of failures stored in login history',
        },
        loginHistoryEnabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable login history',
        },
        portalDisplayLoginHistory => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display login history tab in portal',
        },
        successLoginNumber => {
            default       => 5,
            type          => 'int',
            documentation => 'Number of success stored in login history',
        },

        # Other displays
        portalDisplayAppslist => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Display applications tab in portal',
        },
        portalDisplayChangePassword => {
            type          => 'boolOrExpr',
            default       => '$_auth =~ /^(LDAP|DBI|Demo)$/',
            documentation => 'Display password tab in portal',
        },
        portalDisplayLogout => {
            default       => 1,
            type          => 'boolOrExpr',
            documentation => 'Display logout tab in portal',
        },
        portalDisplayRegister => {
            default       => 1,
            type          => 'bool',
            documentation => 'Display register button in portal',
        },
        portalDisplayResetPassword => {
801
            default       => 0,
802 803 804
            type          => 'bool',
            documentation => 'Display reset password button in portal',
        },
805
        passwordResetAllowedRetries => {
Christophe Maudoux's avatar
Christophe Maudoux committed
806
            default       => 3,
807 808 809
            type          => 'int',
            documentation => 'Maximum number of retries to reset password',
        },
810 811
        portalDisplayOidcConsents => {
            type          => 'boolOrExpr',
812
            default       => '$_oidcConnectedRP',
813 814
            documentation => 'Display OIDC consent tab in portal',
        },
815 816

        # Cookies
Xavier Guimard's avatar
Xavier Guimard committed
817
        cookieExpiration => {
818
            type          => 'int',
Xavier Guimard's avatar
Xavier Guimard committed
819 820 821
            documentation => 'Cookie expiration',
            flags         => 'hp',
        },
Xavier Guimard's avatar
Xavier Guimard committed
822
        cookieName => {
823 824 825 826 827
            type          => 'text',
            test          => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
            msgFail       => '__badCookieName__',
            default       => 'lemonldap',
            documentation => 'Name of the main cookie',
Xavier Guimard's avatar
Xavier Guimard committed
828
            flags         => 'hp',
829 830
        },
        domain => {
831 832 833 834
            type    => 'text',
            test    => qr/^(?:$Regexp::Common::URI::RFC2396::hostname)?$/,
            msgFail => '__badDomainName__',
            default => 'example.com',
835
            documentation => 'DNS domain',
Xavier Guimard's avatar
Xavier Guimard committed
836
            flags         => 'hp',
837 838 839 840 841
        },
        httpOnly => {
            default       => 1,
            type          => 'bool',
            documentation => 'Enable httpOnly flag in cookie',
Xavier Guimard's avatar
Xavier Guimard committed
842
            flags         => 'hp',
843 844 845 846 847 848 849 850 851 852 853
        },
        securedCookie => {
            type   => 'select',
            select => [
                { k => '0', v => 'unsecuredCookie' },
                { k => '1', v => 'securedCookie' },
                { k => '2', v => 'doubleCookie' },
                { k => '3', v => 'doubleCookieForSingleSession' },
            ],
            default       => 0,
            documentation => 'Cookie securisation method',
Xavier Guimard's avatar
Xavier Guimard committed
854
            flags         => 'hp',
855 856 857
        },

        # Notification
858
        oldNotifFormat => {
Xavier Guimard's avatar
Xavier Guimard committed
859 860
            type          => 'bool',
            default       => 0,
Xavier Guimard's avatar
Xavier Guimard committed
861
            documentation => 'Use old XML format for notifications',
862
        },
863 864 865 866 867
        notificationWildcard => {
            type          => 'text',
            default       => 'allusers',
            documentation => 'Notification string to match all users',
        },
Xavier Guimard's avatar
Xavier Guimard committed
868 869 870 871 872
        notificationXSLTfile => {
            type          => 'text',
            documentation => 'Custom XSLT document for notifications',
        },
        notification => {
873 874 875 876
            default       => 0,
            type          => 'bool',
            documentation => 'Notification activation',
        },
877 878 879 880 881
        notificationServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Notification server activation',
        },
882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899
        notificationStorage => {
            type          => 'PerlModule',
            default       => 'File',
            documentation => 'Notification backend',
        },
        notificationStorageOptions => {
            type    => 'keyTextContainer',
            default => { dirName => '/var/lib/lemonldap-ng/notifications', },
            documentation => 'Notification backend options',
        },

        # Captcha
        captcha_login_enabled => {
            default       => 0,
            type          => 'bool',
            documentation => 'Captcha on login page',
        },
        captcha_mail_enabled => {
900
            default       => 1,
901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919
            type          => 'bool',
            documentation => 'Captcha on password reset page',
        },
        captcha_register_enabled => {
            default       => 1,
            type          => 'bool',
            documentation => 'Captcha on account creation page',
        },
        captcha_size => {
            type          => 'int',
            default       => 6,
            documentation => 'Captcha size',
        },

        # Variables
        exportedVars => {
            type          => 'keyTextContainer',
            help          => 'exportedvars.html',
            keyTest       => qr/^!?[_a-zA-Z][a-zA-Z0-9_]*$/,
920
            keyMsgFail    => '__badVariableName__',
921 922 923 924 925 926 927 928
            test          => qr/^[_a-zA-Z][a-zA-Z0-9_:\-]*$/,
            msgFail       => '__badValue__',
            default       => { 'UA' => 'HTTP_USER_AGENT' },
            documentation => 'Main exported variables',
        },
        groups => {
            type => 'keyTextContainer',
            help =>
929
                'exportedvars.html#extend_variables_using_macros_and_groups',
930 931 932 933 934 935 936
            test          => $perlExpr,
            default       => {},
            documentation => 'Groups',
        },
        macros => {
            type => 'keyTextContainer',
            help =>
937
                'exportedvars.html#extend_variables_using_macros_and_groups',
938
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
939
            keyMsgFail    => '__badMacroName__',
940 941 942 943 944 945 946 947 948 949
            test          => $perlExpr,
            default       => {},
            documentation => 'Macros',
        },

        # Storage
        globalStorage => {
            type          => 'PerlModule',
            default       => 'Apache::Session::File',
            documentation => 'Session backend module',
Xavier Guimard's avatar
Xavier Guimard committed
950
            flags         => 'hp',
951 952 953 954 955 956 957
        },
        globalStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'Directory'     => '/var/lib/lemonldap-ng/sessions/',
                'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
                'generateModule' =>
958
                    'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
959 960
            },
            documentation => 'Session backend module options',
Xavier Guimard's avatar
Xavier Guimard committed
961
            flags         => 'hp',
962 963
        },
        localSessionStorage => {
Xavier Guimard's avatar
Xavier Guimard committed
964 965
            type          => 'PerlModule',
            default       => 'Cache::FileCache',
Xavier Guimard's avatar
Xavier Guimard committed
966
            documentation => 'Local sessions cache module',
967 968 969 970 971 972 973 974 975 976 977 978 979 980
        },
        localSessionStorageOptions => {
            type    => 'keyTextContainer',
            default => {
                'namespace'          => 'lemonldap-ng-sessions',
                'default_expires_in' => 600,
                'directory_umask'    => '007',
                'cache_root'         => '/tmp',
                'cache_depth'        => 3,
            },
            documentation => 'Sessions cache module options',
        },

        # Persistent storage
Xavier Guimard's avatar
Xavier Guimard committed
981 982 983 984 985 986 987 988 989 990 991 992 993
        persistentStorage => {
            type          => 'PerlModule',
            documentation => 'Storage module for persistent sessions'
        },
        persistentStorageOptions => {
            type          => 'keyTextContainer',
            documentation => 'Options for persistent sessions storage module'
        },
        sessionDataToRemember => {
            type          => 'keyTextContainer',
            keyTest       => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
            keyMsgFail    => '__invalidSessionData__',
            documentation => 'Data to remember in login history',
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015
        },

        # SAML issuer
        issuerDBSAMLActivation => {
            default       => 0,
            type          => 'bool',
            documentation => 'SAML IDP activation',
        },
        issuerDBSAMLPath => {
            type          => 'pcre',
            default       => '^/saml/',
            documentation => 'SAML IDP request path',
        },
        issuerDBSAMLRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'SAML IDP rule',
        },

        # OpenID-Connect issuer
        issuerDBOpenIDConnectActivation => {
            type          => 'bool',
1016
            default       => 0,
1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
            documentation => 'OpenID Connect server activation',
        },
        issuerDBOpenIDConnectPath => {
            type          => 'text',
            default       => '^/oauth2/',
            documentation => 'OpenID Connect server request path',
        },
        issuerDBOpenIDConnectRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'OpenID Connect server rule',
        },

1030 1031 1032
        # GET issuer
        issuerDBGetActivation => {
            type          => 'bool',
1033
            default       => 0,
1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055
            documentation => 'Get issuer activation',
        },
        issuerDBGetPath => {
            type          => 'text',
            default       => '^/get/',
            documentation => 'Get issuer request path',
        },
        issuerDBGetRule => {
            type          => 'boolOrExpr',
            default       => 1,
            documentation => 'Get issuer rule',
        },
        issuerDBGetParameters => {
            type       => 'doubleHash',
            default    => {},
            keyTest    => qr/^$Regexp::Common::URI::RFC2396::hostname$/,
            keyMsgFail => '__badHostname__',
            test       => {
                keyTest    => qr/^(?=[^\-])[\w\-]+(?<=[^-])$/,
                keyMsgFail => '__badKeyName__',
                test       => sub {
                    my ( $val, $conf ) = @_;
1056
                    return 1
1057
                        if ( defined $conf->{macros}->{$val}
1058 1059 1060
                        or $val eq '_timezone' );
                    foreach ( keys %$conf ) {
                        return 1
1061
                            if ( $_ =~ /exportedvars$/i
1062
                            and defined $conf->{$_}->{$val} );
1063
                    }
1064
                    return ( 1, "__unknownAttrOrMacro__: $val" );
1065 1066 1067 1068 1069
                },
            },
            documentation => 'List of virtualHosts with their get parameters',
        },

1070 1071 1072 1073 1074 1075 1076
        # Password
        mailOnPasswordChange => {
            default       => 0,
            type          => 'bool',
            documentation => 'Send a mail when password is changed',
        },
        portalRequireOldPassword => {
1077 1078 1079 1080
            default => 1,
            type    => 'bool',
            documentation =>
                'Old password is required to change the password',
1081 1082 1083 1084 1085 1086 1087
        },
        hideOldPassword => {
            default       => 0,
            type          => 'bool',
            documentation => 'Hide old password in portal',
        },

1088
        # SMTP server
1089
        SMTPServer => {
1090 1091
            type    => 'text',
            default => '',
1092
            test => qr/^(?:$Regexp::Common::URI::RFC2396::host(?::\d+)?)?$/,
1093 1094
            documentation => 'SMTP Server',
        },
1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112
        SMTPPort => {
            type          => 'int',
            documentation => 'Fix SMTP port',
        },
        SMTPTLS => {
            type    => 'select',
            default => '',
            select  => [
                { k => '',         v => 'none' },
                { k => 'starttls', v => 'SMTP + STARTTLS' },
                { k => 'ssl',      v => 'SMTPS' },
            ],
            documentation => 'TLS protocol to use with SMTP',
        },
        SMTPTLSOpts => {
            type          => 'keyTextContainer',
            documentation => 'TLS/SSL options for SMTP',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1113 1114 1115 1116 1117 1118 1119 1120
        SMTPAuthUser => {
            type          => 'text',
            documentation => 'Login to use to send mails',
        },
        SMTPAuthPass => {
            type          => 'password',
            documentation => 'Password to use to send mails',
        },
1121

1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168
        # Mails
        mailCharset => {
            type          => 'text',
            default       => 'utf-8',
            documentation => 'Mail charset',
        },
        mailFrom => {
            type          => 'text',
            default       => 'noreply@example.com',
            documentation => 'Sender email',
        },
        mailSessionKey => {
            type          => 'text',
            default       => 'mail',
            documentation => 'Session parameter where mail is stored',
        },
        mailReplyTo =>
            { type => 'text', documentation => 'Reply-To address' },
        mailTimeout => {
            type          => 'int',
            default       => 0,
            documentation => 'Mail session timeout',
        },

        # Password reset
        mailPwdRstBody =>
            { type => 'longtext', documentation => 'Custom mail body', },

        mailPwdRstConfirmBody => {
            type          => 'longtext',
            documentation => 'Custom confirm mail body',
        },
        mailPwdRstConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for reset confirmation',
        },
        mailPwdRstSubject => {
            type          => 'text',
            documentation => 'Mail subject for new password email',
        },

        mailPwdRstUrl => {
            type          => 'url',
            default       => 'http://auth.example.com/resetpwd',
            documentation => 'URL of password reset page',
        },

1169 1170 1171 1172 1173 1174 1175 1176
        # Registration
        registerConfirmSubject => {
            type          => 'text',
            documentation => 'Mail subject for register confirmation',
        },
        registerDB => {
            type   => 'select',
            select => [
1177 1178 1179 1180 1181
                { k => 'AD',     v => 'Active Directory' },
                { k => 'Demo',   v => 'Demonstration' },
                { k => 'LDAP',   v => 'LDAP' },
                { k => 'Null',   v => 'None' },
                { k => 'Custom', v => 'customModule' },
1182
            ],
1183
            default       => 'Null',
1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194
            documentation => 'Register module',
        },
        registerDoneSubject => {
            type          => 'text',
            documentation => 'Mail subject when register is done',
        },
        registerTimeout => {
            default       => 0,
            type          => 'int',
            documentation => 'Register session timeout',
        },
1195 1196
        registerUrl => {
            type          => 'text',
1197
            default       => 'http://auth.example.com/register',
1198 1199
            documentation => 'URL of register page',
        },
1200

1201 1202 1203
        # Upgrade session
        upgradeSession => {
            type          => 'bool',
1204
            default       => 1,
1205 1206
            documentation => 'Upgrade session activation',
        },
1207

1208 1209 1210 1211
        # 2F
        max2FDevices => {
            default       => 10,
            type          => 'int',
1212
            documentation => 'Maximum registered 2F devices',
1213 1214 1215 1216
        },
        max2FDevicesNameLength => {
            default       => 20,
            type          => 'int',
1217
            documentation => 'Maximum 2F devices name length',
1218
        },
1219

Xavier Guimard's avatar
Xavier Guimard committed
1220 1221
        # U2F
        u2fActivation => {
1222
            type          => 'boolOrExpr',
Xavier Guimard's avatar
Xavier Guimard committed
1223 1224 1225
            default       => 0,
            documentation => 'U2F activation',
        },
1226
        u2fSelfRegistration => {
1227
            type          => 'boolOrExpr',
1228 1229
            default       => 0,
            documentation => 'U2F self registration activation',
Xavier Guimard's avatar
Xavier Guimard committed
1230
        },
1231 1232 1233
        u2fAuthnLevel => {
            type => 'int',
            documentation =>
1234
                'Authentication level for users authentified by password+U2F'
1235
        },
1236 1237 1238 1239 1240
        u2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing U2F key',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1241

1242 1243 1244 1245 1246 1247
        # TOTP second factor
        totp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'TOTP activation',
        },
1248
        totp2fSelfRegistration => {
1249
            type          => 'boolOrExpr',
1250 1251 1252 1253 1254 1255
            default       => 0,
            documentation => 'TOTP self registration activation',
        },
        totp2fAuthnLevel => {
            type => 'int',
            documentation =>
1256
                'Authentication level for users authentified by password+TOTP'
1257
        },
Xavier Guimard's avatar
Xavier Guimard committed
1258 1259 1260 1261
        totp2fIssuer => {
            type          => 'text',
            documentation => 'TOTP Issuer',
        },
1262 1263 1264 1265 1266 1267 1268 1269 1270 1271
        totp2fInterval => {
            type          => 'int',
            default       => 30,
            documentation => 'TOTP interval',
        },
        totp2fRange => {
            type          => 'int',
            default       => 1,
            documentation => 'TOTP range (number of interval to test)',
        },
Xavier Guimard's avatar
Xavier Guimard committed
1272 1273 1274 1275 1276
        totp2fDigits => {
            type          => 'int',
            default       => 6,
            documentation => 'Number of digits for TOTP code',
        },
1277 1278 1279 1280
        totp2fDisplayExistingSecret => {
            type    => 'bool',
            default => 0,
            documentation =>
1281
                'Display existing TOTP secret in registration form',
1282 1283 1284 1285 1286 1287
        },
        totp2fUserCanChangeKey => {
            type          => 'bool',
            default       => 0,
            documentation => 'Authorize users to change existing TOTP secret',
        },
1288 1289 1290 1291 1292
        totp2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing TOTP secret',
        },
1293

1294 1295 1296 1297 1298 1299 1300 1301 1302
        # UTOTP 2F
        utotp2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'UTOTP activation (mixed U2F/TOTP module)',
        },
        utotp2fAuthnLevel => {
            type => 'int',
            documentation =>
1303
                'Authentication level for users authentified by password+(U2F or TOTP)'
1304 1305
        },

1306 1307
        # External second factor
        ext2fActivation => {
1308
            type          => 'boolOrExpr',
1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322
            default       => 0,
            documentation => 'External second factor activation',
        },
        ext2FSendCommand => {
            type          => 'text',
            documentation => 'Send command of External second factor',
        },
        ext2FValidateCommand => {
            type          => 'text',
            documentation => 'Validation command of External second factor',
        },
        ext2fAuthnLevel => {
            type => 'int',
            documentation =>
1323
                'Authentication level for users authentified by External second factor'
1324
        },
Xavier Guimard's avatar
Xavier Guimard committed
1325 1326 1327 1328
        ext2fLogo => {
            type          => 'text',
            documentation => 'Custom logo for External 2F',
        },
1329

1330 1331 1332 1333 1334 1335 1336
        #  REST External second factor
        rest2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'REST second factor activation',
        },
        rest2fInitUrl => {
Xavier Guimard's avatar
Xavier Guimard committed
1337
            type          => 'url',
1338 1339 1340
            documentation => 'REST 2F init URL',
        },
        rest2fInitArgs => {
Xavier Guimard's avatar
Xavier Guimard committed
1341 1342 1343 1344 1345
            type          => 'keyTextContainer',
            keyTest       => qr/^\w+$/,
            keyMsgFail    => '__badKeyName__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
1346 1347 1348
            documentation => 'Args for REST 2F init',
        },
        rest2fVerifyUrl => {
Xavier Guimard's avatar
Xavier Guimard committed
1349 1350 1351 1352 1353
            type          => 'url',
            keyTest       => qr/^\w+$/,
            keyMsgFail    => '__badKeyName__',
            test          => qr/^\w+$/,
            msgFail       => '__badValue__',
1354 1355 1356
            documentation => 'REST 2F init URL',
        },
        rest2fVerifyArgs => {
Xavier Guimard's avatar
Xavier Guimard committed
1357
            type          => 'keyTextContainer',
1358 1359 1360 1361 1362
            documentation => 'Args for REST 2F init',
        },
        rest2fAuthnLevel => {
            type => 'int',
            documentation =>
1363
                'Authentication level for users authentified by REST second factor'
1364
        },
Xavier Guimard's avatar
Xavier Guimard committed
1365 1366 1367 1368
        rest2fLogo => {
            type          => 'text',
            documentation => 'Custom logo for REST 2F',
        },
1369

1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383
        # Yubikey 2FA
        yubikey2fActivation => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Yubikey second factor activation',
        },
        yubikey2fSelfRegistration => {
            type          => 'boolOrExpr',
            default       => 0,
            documentation => 'Yubikey self registration activation',
        },
        yubikey2fAuthnLevel => {
            type => 'int',
            documentation =>
1384
                'Authentication level for users authentified by Yubikey second factor'
1385 1386
        },
        yubikey2fClientID => {
1387
            type          => 'text',
1388 1389 1390
            documentation => 'Yubico client ID',
        },
        yubikey2fSecretKey => {
1391
            type          => 'text',
1392 1393 1394
            documentation => 'Yubico secret key',
        },
        yubikey2fNonce => {
1395
            type          => 'text',
1396 1397 1398
            documentation => 'Yubico nonce',
        },
        yubikey2fUrl => {
1399
            type          => 'text',
1400 1401 1402
            documentation => 'Yubico server',
        },
        yubikey2fPublicIDSize => {
1403 1404
            type          => 'int',
            default       => 12,
1405 1406
            documentation => 'Yubikey public ID size',
        },
1407 1408 1409 1410 1411
        yubikey2fUserCanRemoveKey => {
            type          => 'bool',
            default       => 1,
            documentation => 'Authorize users to remove existing Yubikey',
        },
1412

1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434
        # Single session
        notifyDeleted => {
            default       => 1,
            type          => 'bool',
            documentation => 'Show deleted sessions in portal',
        },
        notifyOther => {
            default       => 0,
            type          => 'bool',
            documentation => 'Show other sessions in portal',
        },
        singleSession => {
            default       => 0,
            type          => 'bool',
            documentation => 'Allow only one session per user',
        },
        singleIP => {
            default       => 0,
            type          => 'bool',
            documentation => 'Allow only one session per IP',
        },
        singleUserByIP => {
Xavier Guimard's avatar
Xavier Guimard committed
1435 1436 1437
            default       => 0,
            type          => 'bool',
            documentation => 'Allow only one user per IP',
1438 1439 1440 1441 1442 1443 1444
        },
        singleSessionUserByIP => {
            default       => 0,
            type          => 'bool',
            documentation => 'Allow only one session per user on an IP',
        },

1445
        # REST server
1446
        restSessionServer => {
1447 1448
            default       => 0,
            type          => 'bool',
1449 1450 1451 1452 1453 1454
            documentation => 'Enable REST session server',
        },
        restConfigServer => {
            default       => 0,
            type          => 'bool',
            documentation => 'Enable REST config server',
1455 1456
        },

1457
        # SOAP server
1458
        soapSessionServer => {