2015-06-11 20:36:20 +02:00
|
|
|
package Lemonldap::NG::Manager::Conf::Tests;
|
|
|
|
|
|
2016-01-07 13:34:34 +01:00
|
|
|
use utf8;
|
2015-10-22 14:35:43 +02:00
|
|
|
use Lemonldap::NG::Common::Regexp;
|
|
|
|
|
|
2019-01-09 13:42:30 +01:00
|
|
|
our $VERSION = '2.0.2';
|
2017-02-28 21:53:19 +01:00
|
|
|
|
2015-06-11 20:36:20 +02:00
|
|
|
## @method hashref tests(hashref conf)
|
|
|
|
|
# Return a hash ref where keys are the names of the tests and values
|
|
|
|
|
# subroutines to execute.
|
|
|
|
|
#
|
|
|
|
|
# Subroutines can return one of the followings :
|
|
|
|
|
# - (1) : everything is OK
|
|
|
|
|
# - (1,message) : OK with a warning
|
|
|
|
|
# - (0,message) : NOK
|
|
|
|
|
# - (-1,message) : OK, but must be confirmed (ignored if confirm parameter is
|
|
|
|
|
# set
|
|
|
|
|
#
|
|
|
|
|
# Those subroutines can also modify configuration.
|
|
|
|
|
#
|
|
|
|
|
# @param $conf Configuration to test
|
|
|
|
|
# @return hash ref where keys are the names of the tests and values
|
|
|
|
|
sub tests {
|
|
|
|
|
my $conf = shift;
|
|
|
|
|
return {
|
|
|
|
|
|
|
|
|
|
# 1. CHECKS
|
|
|
|
|
|
|
|
|
|
# Check if portal is in domain
|
|
|
|
|
portalIsInDomain => sub {
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
index( $conf->{portal}, $conf->{domain} ) > 0
|
2015-06-11 20:36:20 +02:00
|
|
|
? ''
|
|
|
|
|
: "Portal seems not to be in the domain $conf->{domain}"
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
2018-06-15 20:57:48 +02:00
|
|
|
# Check if portal URL is well formated
|
|
|
|
|
portalURL => sub {
|
2018-06-16 10:05:11 +02:00
|
|
|
|
|
|
|
|
# Checking for ending slash
|
2018-06-15 20:57:48 +02:00
|
|
|
$conf->{portal} .= '/'
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{portal} =~ qr#/$# );
|
2018-06-16 10:05:11 +02:00
|
|
|
|
|
|
|
|
# Deleting trailing ending slash
|
|
|
|
|
my $regex = qr#/+$#;
|
|
|
|
|
$conf->{portal} =~ s/$regex/\//;
|
|
|
|
|
|
2018-06-15 20:57:48 +02:00
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2015-06-11 20:36:20 +02:00
|
|
|
# Check if virtual hosts are in the domain
|
|
|
|
|
vhostInDomainOrCDA => sub {
|
|
|
|
|
return 1 if ( $conf->{cda} );
|
|
|
|
|
my @pb;
|
|
|
|
|
foreach my $vh ( keys %{ $conf->{locationRules} } ) {
|
|
|
|
|
push @pb, $vh unless ( index( $vh, $conf->{domain} ) >= 0 );
|
|
|
|
|
}
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
@pb
|
2015-06-11 20:36:20 +02:00
|
|
|
? 'Virtual hosts '
|
2019-01-16 11:09:52 +01:00
|
|
|
. join( ', ', @pb )
|
|
|
|
|
. " are not in $conf->{domain} and cross-domain-authentication is not set"
|
2015-06-11 20:36:20 +02:00
|
|
|
: undef
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Check if virtual host do not contain a port
|
|
|
|
|
vhostWithPort => sub {
|
|
|
|
|
my @pb;
|
|
|
|
|
foreach my $vh ( keys %{ $conf->{locationRules} } ) {
|
|
|
|
|
push @pb, $vh if ( $vh =~ /:/ );
|
|
|
|
|
}
|
|
|
|
|
if (@pb) {
|
|
|
|
|
return ( 0,
|
2019-01-16 11:09:52 +01:00
|
|
|
'Virtual hosts '
|
|
|
|
|
. join( ', ', @pb )
|
|
|
|
|
. " contain a port, this is not allowed" );
|
2015-06-11 20:36:20 +02:00
|
|
|
}
|
|
|
|
|
else { return 1; }
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Force vhost to be lowercase
|
|
|
|
|
vhostUpperCase => sub {
|
|
|
|
|
my @pb;
|
|
|
|
|
foreach my $vh ( keys %{ $conf->{locationRules} } ) {
|
|
|
|
|
push @pb, $vh if ( $vh ne lc $vh );
|
|
|
|
|
}
|
|
|
|
|
if (@pb) {
|
|
|
|
|
return ( 0,
|
2019-01-16 11:09:52 +01:00
|
|
|
'Virtual hosts '
|
|
|
|
|
. join( ', ', @pb )
|
|
|
|
|
. " must be in lower case" );
|
2015-06-11 20:36:20 +02:00
|
|
|
}
|
|
|
|
|
else { return 1; }
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Check if "userDB" and "authentication" are consistent
|
|
|
|
|
authAndUserDBConsistency => sub {
|
2015-10-22 14:52:12 +02:00
|
|
|
foreach
|
2019-01-16 11:09:52 +01:00
|
|
|
my $type (qw(Facebook Google OpenID OpenIDConnect SAML WebID))
|
2015-10-22 14:52:12 +02:00
|
|
|
{
|
2015-06-11 20:36:20 +02:00
|
|
|
return ( 0,
|
2019-01-16 11:09:52 +01:00
|
|
|
"\"$type\" can not be used as user database without using \"$type\" for authentication"
|
|
|
|
|
)
|
|
|
|
|
if ( $conf->{userDB} =~ /$type/
|
2015-06-11 20:36:20 +02:00
|
|
|
and $conf->{authentication} !~ /$type/ );
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Check that OpenID macros exists
|
|
|
|
|
checkAttrAndMacros => sub {
|
|
|
|
|
my @tmp;
|
|
|
|
|
foreach my $k ( keys %$conf ) {
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $k =~
|
|
|
|
|
/^(?:openIdSreg_(?:(?:(?:full|nick)nam|languag|postcod|timezon)e|country|gender|email|dob)|whatToTrace)$/
|
|
|
|
|
)
|
2015-06-11 20:36:20 +02:00
|
|
|
{
|
|
|
|
|
my $v = $conf->{$k};
|
|
|
|
|
$v =~ s/^$//;
|
|
|
|
|
next if ( $v =~ /^_/ );
|
|
|
|
|
push @tmp,
|
2019-01-16 11:09:52 +01:00
|
|
|
$k
|
|
|
|
|
unless (
|
2015-06-11 20:36:20 +02:00
|
|
|
defined(
|
|
|
|
|
$conf->{exportedVars}->{$v}
|
2019-01-16 11:09:52 +01:00
|
|
|
or defined( $conf->{macros}->{$v} )
|
2015-06-11 20:36:20 +02:00
|
|
|
)
|
2019-01-16 11:09:52 +01:00
|
|
|
);
|
2015-06-11 20:36:20 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
@tmp
|
2015-06-11 20:36:20 +02:00
|
|
|
? 'Values of parameter(s) "'
|
2019-01-16 11:09:52 +01:00
|
|
|
. join( ', ', @tmp )
|
|
|
|
|
. '" are not defined in exported attributes or macros'
|
2015-06-11 20:36:20 +02:00
|
|
|
: ''
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Test that variables are exported if Google is used as UserDB
|
|
|
|
|
checkUserDBGoogleAXParams => sub {
|
|
|
|
|
my @tmp;
|
2015-10-22 14:52:11 +02:00
|
|
|
if ( $conf->{userDB} =~ /^Google$/ ) {
|
2016-02-13 11:06:48 +01:00
|
|
|
foreach my $k ( keys %{ $conf->{exportedVars} } ) {
|
|
|
|
|
my $v = $conf->{exportedVars}->{$k};
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $v !~ Lemonldap::NG::Common::Regexp::GOOGLEAXATTR() ) {
|
2015-06-11 20:36:20 +02:00
|
|
|
push @tmp, $v;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
@tmp
|
2015-06-11 20:36:20 +02:00
|
|
|
? 'Values of parameter(s) "'
|
2019-01-16 11:09:52 +01:00
|
|
|
. join( ', ', @tmp )
|
|
|
|
|
. '" are not exported by Google'
|
2015-06-11 20:36:20 +02:00
|
|
|
: ''
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Test that variables are exported if OpenID is used as UserDB
|
|
|
|
|
checkUserDBOpenIDParams => sub {
|
|
|
|
|
my @tmp;
|
2015-10-22 14:52:11 +02:00
|
|
|
if ( $conf->{userDB} =~ /^OpenID$/ ) {
|
2016-02-13 11:06:48 +01:00
|
|
|
foreach my $k ( keys %{ $conf->{exportedVars} } ) {
|
|
|
|
|
my $v = $conf->{exportedVars}->{$k};
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $v !~ Lemonldap::NG::Common::Regexp::OPENIDSREGATTR() )
|
2015-06-11 20:36:20 +02:00
|
|
|
{
|
|
|
|
|
push @tmp, $v;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
@tmp
|
2015-06-11 20:36:20 +02:00
|
|
|
? 'Values of parameter(s) "'
|
2019-01-16 11:09:52 +01:00
|
|
|
. join( ', ', @tmp )
|
|
|
|
|
. '" are not exported by OpenID SREG'
|
2015-06-11 20:36:20 +02:00
|
|
|
: ''
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Try to use Apache::Session module
|
|
|
|
|
testApacheSession => sub {
|
|
|
|
|
my ( $id, %h );
|
2019-01-16 11:09:52 +01:00
|
|
|
my $gc = Lemonldap::NG::Handler::Main->tsv->{sessionStorageModule};
|
2015-06-11 20:36:20 +02:00
|
|
|
return 1
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( ( $gc and $gc eq $conf->{globalStorage} )
|
|
|
|
|
or $conf->{globalStorage} =~
|
|
|
|
|
/^Lemonldap::NG::Common::Apache::Session::/ );
|
2015-06-11 20:36:20 +02:00
|
|
|
eval "use $conf->{globalStorage}";
|
|
|
|
|
return ( -1, "Unknown package $conf->{globalStorage}" ) if ($@);
|
|
|
|
|
eval {
|
2017-01-27 10:39:58 +01:00
|
|
|
tie %h, 'Lemonldap::NG::Common::Apache::Session', undef,
|
2019-01-16 11:09:52 +01:00
|
|
|
{
|
2017-01-27 10:39:58 +01:00
|
|
|
%{ $conf->{globalStorageOptions} },
|
|
|
|
|
backend => $conf->{globalStorage}
|
2019-01-16 11:09:52 +01:00
|
|
|
};
|
2015-06-11 20:36:20 +02:00
|
|
|
};
|
|
|
|
|
return ( -1, "Unable to create a session ($@)" )
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $@ or not tied(%h) );
|
2015-06-11 20:36:20 +02:00
|
|
|
eval {
|
|
|
|
|
$h{a} = 1;
|
|
|
|
|
$id = $h{_session_id} or return ( -1, 'No _session_id' );
|
|
|
|
|
untie(%h);
|
2017-01-27 10:39:58 +01:00
|
|
|
tie %h, 'Lemonldap::NG::Common::Apache::Session', $id,
|
2019-01-16 11:09:52 +01:00
|
|
|
{
|
2017-01-27 10:39:58 +01:00
|
|
|
%{ $conf->{globalStorageOptions} },
|
|
|
|
|
backend => $conf->{globalStorage}
|
2019-01-16 11:09:52 +01:00
|
|
|
};
|
2015-06-11 20:36:20 +02:00
|
|
|
};
|
2018-07-05 22:56:16 +02:00
|
|
|
return ( -1, "Unable to insert data ($@)" ) if ($@);
|
2015-06-11 20:36:20 +02:00
|
|
|
return ( -1, "Unable to recover data stored" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $h{a} == 1 );
|
2015-06-11 20:36:20 +02:00
|
|
|
eval { tied(%h)->delete; };
|
|
|
|
|
return ( -1, "Unable to delete session ($@)" ) if ($@);
|
|
|
|
|
return ( -1,
|
2019-01-16 11:09:52 +01:00
|
|
|
'All sessions may be lost and you must restart all your Apache servers'
|
2017-01-27 10:39:58 +01:00
|
|
|
) if ( $gc and $conf->{globalStorage} ne $gc );
|
2015-06-11 20:36:20 +02:00
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Warn if cookie name has changed
|
|
|
|
|
cookieNameChanged => sub {
|
2019-01-16 11:02:58 +01:00
|
|
|
my $cn = Lemonldap::NG::Handler::Main->tsv->{cookieName};
|
2015-06-11 20:36:20 +02:00
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
$cn
|
|
|
|
|
and $cn ne $conf->{cookieName}
|
2018-04-08 22:43:33 +02:00
|
|
|
? 'Cookie name has changed, you must restart all your web servers'
|
2015-06-11 20:36:20 +02:00
|
|
|
: ()
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
2018-07-26 20:52:35 +02:00
|
|
|
|
2018-07-27 20:48:30 +02:00
|
|
|
# Warn if cookie TTL is equal or lower than one hour
|
2018-07-26 20:49:57 +02:00
|
|
|
cookieTTL => sub {
|
|
|
|
|
return 1 unless ( defined $conf->{cookieExpiration} );
|
2018-07-30 19:18:06 +02:00
|
|
|
return ( 0, "Cookie TTL must be higher than one minute" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{cookieExpiration} == 0
|
|
|
|
|
|| $conf->{cookieExpiration} > 60 );
|
2018-07-30 19:18:06 +02:00
|
|
|
return ( 1, "Cookie TTL should be higher or equal than one hour" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{cookieExpiration} >= 3600
|
2018-07-30 19:18:06 +02:00
|
|
|
|| $conf->{cookieExpiration} == 0 );
|
2018-07-26 20:52:35 +02:00
|
|
|
|
2018-07-26 20:49:57 +02:00
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
2015-06-11 20:36:20 +02:00
|
|
|
|
2018-11-03 22:54:48 +01:00
|
|
|
# Warn if session timeout is lower than 10 minutes
|
2018-12-30 19:46:45 +01:00
|
|
|
sessionTimeout => sub {
|
2018-11-03 22:54:48 +01:00
|
|
|
return 1 unless ( defined $conf->{timeout} );
|
2018-12-30 19:46:45 +01:00
|
|
|
return ( -1, "Session timeout should be higher than ten minutes" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{timeout} > 600
|
2018-11-03 22:54:48 +01:00
|
|
|
|| $conf->{timeout} == 0 );
|
|
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Error if session Activity Timeout is equal or lower than one minute
|
2018-12-30 19:46:45 +01:00
|
|
|
sessionTimeoutActivity => sub {
|
2018-11-03 22:54:48 +01:00
|
|
|
return 1 unless ( defined $conf->{timeoutActivity} );
|
|
|
|
|
return ( 0,
|
2019-01-16 11:09:52 +01:00
|
|
|
"Session activity timeout must be higher or equal than one minute"
|
|
|
|
|
)
|
|
|
|
|
unless ( $conf->{timeoutActivity} > 59
|
2018-11-03 22:54:48 +01:00
|
|
|
|| $conf->{timeoutActivity} == 0 );
|
|
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Error if session Activity Timeout is equal or lower than one minute
|
|
|
|
|
timeoutActivityInterval => sub {
|
|
|
|
|
return 1 unless ( defined $conf->{timeoutActivityInterval} );
|
|
|
|
|
return ( 0,
|
2019-01-16 11:09:52 +01:00
|
|
|
"Activity timeout interval must be lower than session activity timeout"
|
|
|
|
|
)
|
|
|
|
|
if ( $conf->{timeoutActivity}
|
|
|
|
|
and $conf->{timeoutActivity} <=
|
|
|
|
|
$conf->{timeoutActivityInterval} );
|
2018-11-03 22:54:48 +01:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2015-06-11 20:36:20 +02:00
|
|
|
# Warn if manager seems to be unprotected
|
|
|
|
|
managerProtection => sub {
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
$conf->{cfgAuthor} eq 'anonymous'
|
2015-06-11 20:36:20 +02:00
|
|
|
? 'Your manager seems to be unprotected'
|
|
|
|
|
: ''
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
2018-04-08 22:43:33 +02:00
|
|
|
# Test SMTP connection and authentication (warning only)
|
2015-06-11 20:36:20 +02:00
|
|
|
smtpConnectionAuthentication => sub {
|
|
|
|
|
|
|
|
|
|
# Skip test if no SMTP configuration
|
|
|
|
|
return 1 unless ( $conf->{SMTPServer} );
|
|
|
|
|
|
|
|
|
|
# Use SMTP
|
|
|
|
|
eval "use Net::SMTP";
|
2017-01-13 17:16:33 +01:00
|
|
|
return ( 1, "Net::SMTP module is required to use SMTP server" )
|
2019-01-16 11:09:52 +01:00
|
|
|
if ($@);
|
2015-06-11 20:36:20 +02:00
|
|
|
|
|
|
|
|
# Create SMTP object
|
2019-01-30 10:34:45 +01:00
|
|
|
my $smtp = Net::SMTP->new(
|
|
|
|
|
$conf->{SMTPServer},
|
|
|
|
|
Timeout => 5,
|
|
|
|
|
( $conf->{SMTPPort} ? ( Port => $conf->{SMTPPort} ) : () ),
|
|
|
|
|
);
|
2017-01-13 17:16:33 +01:00
|
|
|
return ( 1,
|
2015-06-11 20:36:20 +02:00
|
|
|
"SMTP connection to " . $conf->{SMTPServer} . " failed" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ($smtp);
|
2015-06-11 20:36:20 +02:00
|
|
|
|
|
|
|
|
# Skip other tests if no authentication
|
|
|
|
|
return 1
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{SMTPAuthUser} and $conf->{SMTPAuthPass} );
|
2015-06-11 20:36:20 +02:00
|
|
|
|
|
|
|
|
# Try authentication
|
2017-01-13 17:16:33 +01:00
|
|
|
return ( 1, "SMTP authentication failed" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless $smtp->auth( $conf->{SMTPAuthUser},
|
2015-06-11 20:36:20 +02:00
|
|
|
$conf->{SMTPAuthPass} );
|
|
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
2017-03-11 11:10:25 +01:00
|
|
|
|
2018-04-08 22:43:33 +02:00
|
|
|
# SAML entity ID must be uniq
|
2017-03-11 11:10:25 +01:00
|
|
|
samlIDPEntityIdUniqueness => sub {
|
|
|
|
|
return 1
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{samlIDPMetaDataXML}
|
2017-03-11 11:10:25 +01:00
|
|
|
and %{ $conf->{samlIDPMetaDataXML} } );
|
|
|
|
|
my @msg;
|
|
|
|
|
my $res = 1;
|
|
|
|
|
my %entityIds;
|
|
|
|
|
foreach my $idpId ( keys %{ $conf->{samlIDPMetaDataXML} } ) {
|
2019-01-16 11:09:52 +01:00
|
|
|
unless (
|
|
|
|
|
$conf->{samlIDPMetaDataXML}->{$idpId}->{samlIDPMetaDataXML}
|
|
|
|
|
=~ /entityID=(['"])(.+?)\1/si )
|
2017-03-11 11:10:25 +01:00
|
|
|
{
|
|
|
|
|
push @msg, "$idpId SAML metadata has no EntityID";
|
|
|
|
|
$res = 0;
|
|
|
|
|
next;
|
|
|
|
|
}
|
|
|
|
|
my $eid = $2;
|
|
|
|
|
if ( defined $entityIds{$eid} ) {
|
|
|
|
|
push @msg,
|
2019-01-16 11:09:52 +01:00
|
|
|
"$idpId and $entityIds{$eid} have the same SAML EntityID";
|
2017-03-11 11:10:25 +01:00
|
|
|
$res = 0;
|
|
|
|
|
next;
|
|
|
|
|
}
|
|
|
|
|
$entityIds{$eid} = $idpId;
|
2017-05-09 17:14:31 +02:00
|
|
|
}
|
|
|
|
|
return ( $res, join( ', ', @msg ) );
|
|
|
|
|
},
|
|
|
|
|
samlSPEntityIdUniqueness => sub {
|
|
|
|
|
return 1
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{samlSPMetaDataXML}
|
2017-05-09 17:14:31 +02:00
|
|
|
and %{ $conf->{samlSPMetaDataXML} } );
|
|
|
|
|
my @msg;
|
|
|
|
|
my $res = 1;
|
|
|
|
|
my %entityIds;
|
|
|
|
|
foreach my $spId ( keys %{ $conf->{samlSPMetaDataXML} } ) {
|
|
|
|
|
unless (
|
2019-01-16 11:09:52 +01:00
|
|
|
$conf->{samlSPMetaDataXML}->{$spId}->{samlSPMetaDataXML} =~
|
|
|
|
|
/entityID=(['"])(.+?)\1/si )
|
2017-05-09 17:14:31 +02:00
|
|
|
{
|
|
|
|
|
push @msg, "$spId SAML metadata has no EntityID";
|
|
|
|
|
$res = 0;
|
|
|
|
|
next;
|
|
|
|
|
}
|
|
|
|
|
my $eid = $2;
|
|
|
|
|
if ( defined $entityIds{$eid} ) {
|
|
|
|
|
push @msg,
|
2019-01-16 11:09:52 +01:00
|
|
|
"$spId and $entityIds{$eid} have the same SAML EntityID";
|
2017-05-09 17:14:31 +02:00
|
|
|
$res = 0;
|
|
|
|
|
next;
|
|
|
|
|
}
|
|
|
|
|
$entityIds{$eid} = $spId;
|
2017-03-11 11:10:25 +01:00
|
|
|
}
|
|
|
|
|
return ( $res, join( ', ', @msg ) );
|
|
|
|
|
},
|
|
|
|
|
|
2018-04-08 22:43:33 +02:00
|
|
|
# Try to parse combination with declared modules
|
2017-02-07 07:21:23 +01:00
|
|
|
checkCombinations => sub {
|
|
|
|
|
return 1 unless ( $conf->{authentication} eq 'Combination' );
|
|
|
|
|
require Lemonldap::NG::Common::Combination::Parser;
|
|
|
|
|
return ( 0, 'No module declared for combination' )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{combModules} and %{ $conf->{combModules} } );
|
2017-02-07 07:21:23 +01:00
|
|
|
my $moduleList;
|
|
|
|
|
foreach my $md ( keys %{ $conf->{combModules} } ) {
|
|
|
|
|
my $entry = $conf->{combModules}->{$md};
|
|
|
|
|
$moduleList->{$md} = (
|
|
|
|
|
$entry->{for} == 2 ? [ undef, {} ]
|
|
|
|
|
: $entry->{for} == 1 ? [ {}, undef ]
|
|
|
|
|
: [ {}, {} ]
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
eval {
|
2019-01-16 11:09:52 +01:00
|
|
|
Lemonldap::NG::Common::Combination::Parser->parse( $moduleList,
|
|
|
|
|
$conf->{combination} );
|
2017-02-07 07:21:23 +01:00
|
|
|
};
|
|
|
|
|
return ( 0, $@ ) if ($@);
|
2018-07-10 23:06:15 +02:00
|
|
|
|
2018-07-10 23:04:08 +02:00
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2018-12-16 00:15:47 +01:00
|
|
|
# Check Combination parameters
|
|
|
|
|
combinationParameters => sub {
|
|
|
|
|
return 1 unless ( $conf->{authentication} eq "Combination" );
|
|
|
|
|
return ( 0, "Combination rule must be defined" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{combination} );
|
2018-12-16 00:15:47 +01:00
|
|
|
return ( 0, 'userDB must be set to "Same" to enable Combination' )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{userDB} eq "Same" );
|
2018-12-16 00:15:47 +01:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2018-08-07 18:06:36 +02:00
|
|
|
# Warn if 2F dependencies seem missing
|
2018-07-31 20:34:50 +02:00
|
|
|
sfaDependencies => sub {
|
2018-08-19 00:10:27 +02:00
|
|
|
|
2018-08-31 23:58:27 +02:00
|
|
|
my $ok = 0;
|
2018-08-19 00:10:27 +02:00
|
|
|
foreach (qw(u totp utotp yubikey)) {
|
2018-08-31 23:58:27 +02:00
|
|
|
$ok ||= $conf->{ $_ . '2fActivation' };
|
|
|
|
|
last if ($ok);
|
2018-08-19 00:10:27 +02:00
|
|
|
}
|
2018-08-31 23:58:27 +02:00
|
|
|
return 1 unless ($ok);
|
2018-07-10 23:04:08 +02:00
|
|
|
|
|
|
|
|
# Use TOTP
|
|
|
|
|
if ( $conf->{totp2fActivation}
|
|
|
|
|
or $conf->{utotp2fActivation} )
|
|
|
|
|
{
|
|
|
|
|
eval "use Convert::Base32";
|
2018-07-31 21:25:31 +02:00
|
|
|
return ( 1,
|
2018-07-10 23:04:08 +02:00
|
|
|
"Convert::Base32 module is required to enable TOTP" )
|
2019-01-16 11:09:52 +01:00
|
|
|
if ($@);
|
2018-07-10 23:04:08 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Use U2F
|
|
|
|
|
if ( $conf->{u2fActivation}
|
|
|
|
|
or $conf->{utotp2fActivation} )
|
|
|
|
|
{
|
|
|
|
|
eval "use Crypt::U2F::Server::Simple";
|
2018-07-31 21:25:31 +02:00
|
|
|
return ( 1,
|
2019-01-16 11:09:52 +01:00
|
|
|
"Crypt::U2F::Server::Simple module is required to enable U2F"
|
2018-07-10 23:04:08 +02:00
|
|
|
) if ($@);
|
|
|
|
|
}
|
2018-07-10 23:06:15 +02:00
|
|
|
|
2018-07-31 21:05:03 +02:00
|
|
|
# Use Yubikey
|
|
|
|
|
if ( $conf->{yubikey2fActivation} ) {
|
|
|
|
|
eval "use Auth::Yubikey_WebClient";
|
2018-07-31 21:25:31 +02:00
|
|
|
return ( 1,
|
2019-01-16 11:09:52 +01:00
|
|
|
"Auth::Yubikey_WebClient module is required to enable Yubikey"
|
2018-07-31 21:05:03 +02:00
|
|
|
) if ($@);
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-10 23:04:08 +02:00
|
|
|
# Return
|
2017-02-07 07:21:23 +01:00
|
|
|
return 1;
|
|
|
|
|
},
|
2018-04-08 22:43:33 +02:00
|
|
|
|
|
|
|
|
# Warn if TOTP or U2F is enabled with UTOTP (U2F + TOTP)
|
|
|
|
|
utotp => sub {
|
|
|
|
|
return 1 unless ( $conf->{utotp2fActivation} );
|
2018-04-10 22:54:27 +02:00
|
|
|
my $w = "";
|
2018-04-08 22:43:33 +02:00
|
|
|
foreach ( 'totp', 'u' ) {
|
2018-04-29 22:02:26 +02:00
|
|
|
$w .= uc($_) . "2F is activated twice \n"
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $conf->{ $_ . '2fActivation' } eq '1' );
|
2018-04-08 22:43:33 +02:00
|
|
|
}
|
|
|
|
|
return ( 1, ( $w ? $w : () ) );
|
|
|
|
|
},
|
2018-07-09 21:34:53 +02:00
|
|
|
|
|
|
|
|
# Warn if TOTP not 6 or 8 digits long
|
2018-07-11 22:33:50 +02:00
|
|
|
totp2fDigits => sub {
|
2018-08-18 23:14:09 +02:00
|
|
|
return 1 unless ( $conf->{totp2fActivation} );
|
2018-07-11 22:33:50 +02:00
|
|
|
return 1 unless ( defined $conf->{totp2fDigits} );
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
(
|
|
|
|
|
$conf->{totp2fDigits} == 6
|
|
|
|
|
or $conf->{totp2fDigits} == 8
|
2018-07-11 22:33:50 +02:00
|
|
|
)
|
|
|
|
|
? ''
|
|
|
|
|
: 'TOTP should be 6 or 8 digits long'
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
2018-07-26 20:52:35 +02:00
|
|
|
|
2018-08-25 11:52:23 +02:00
|
|
|
# Test TOTP params
|
2018-08-18 23:14:09 +02:00
|
|
|
totp2fParams => sub {
|
|
|
|
|
return 1 unless ( $conf->{totp2fActivation} );
|
|
|
|
|
return ( 0, 'TOTP range must be defined' )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{totp2fRange} );
|
2018-08-18 23:14:09 +02:00
|
|
|
return ( 1, "TOTP interval should be higher than 10s" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{totp2fInterval} > 10 );
|
2018-08-18 23:14:09 +02:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Error if Yubikey client ID and secret key are missing
|
|
|
|
|
# Warn if Yubikey public ID size is not 12 digits long
|
|
|
|
|
yubikey2fParams => sub {
|
|
|
|
|
return 1 unless ( $conf->{yubikey2fActivation} );
|
|
|
|
|
return ( 0, "Yubikey client ID and secret key must be set" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( defined $conf->{yubikey2fSecretKey}
|
2018-08-18 23:14:09 +02:00
|
|
|
&& defined $conf->{yubikey2fClientID} );
|
|
|
|
|
return (
|
|
|
|
|
1,
|
2019-01-16 11:09:52 +01:00
|
|
|
(
|
|
|
|
|
( $conf->{yubikey2fPublicIDSize} == 12 )
|
2018-08-18 23:14:09 +02:00
|
|
|
? ''
|
|
|
|
|
: 'Yubikey public ID size should be 12 digits long'
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
},
|
|
|
|
|
|
2018-08-07 18:06:36 +02:00
|
|
|
# Error if REST 2F verify URL is missing
|
|
|
|
|
rest2fVerifyUrl => sub {
|
2018-08-18 23:14:09 +02:00
|
|
|
return 1 unless ( $conf->{rest2fActivation} );
|
2018-08-07 18:06:36 +02:00
|
|
|
return ( 0, "REST 2F Verify URL must be set" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( defined $conf->{rest2fVerifyUrl} );
|
2018-08-18 23:14:09 +02:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2018-08-25 11:52:23 +02:00
|
|
|
# Warn if 2FA is required without a registrable 2F module enabled
|
2018-08-18 23:14:09 +02:00
|
|
|
required2FA => sub {
|
|
|
|
|
return 1 unless ( $conf->{sfRequired} );
|
2018-08-19 00:10:27 +02:00
|
|
|
|
2018-08-31 23:47:36 +02:00
|
|
|
my $msg = '';
|
|
|
|
|
my $ok = 0;
|
2018-08-25 11:52:23 +02:00
|
|
|
foreach (qw(u totp yubikey)) {
|
2018-08-31 23:47:36 +02:00
|
|
|
$ok ||= $conf->{ $_ . '2fActivation' }
|
2019-01-16 11:09:52 +01:00
|
|
|
&& $conf->{ $_ . '2fSelfRegistration' };
|
2018-08-31 23:58:27 +02:00
|
|
|
last if ($ok);
|
2018-08-19 00:10:27 +02:00
|
|
|
}
|
2018-08-25 11:52:23 +02:00
|
|
|
|
2018-08-31 23:47:36 +02:00
|
|
|
$ok ||= $conf->{'utotp2fActivation'}
|
2019-01-16 11:09:52 +01:00
|
|
|
&& ( $conf->{'u2fSelfRegistration'}
|
2018-08-31 23:47:36 +02:00
|
|
|
|| $conf->{'totp2fSelfRegistration'} );
|
2019-01-16 11:09:52 +01:00
|
|
|
$msg = "A self registrable module should be enabled to require 2FA"
|
|
|
|
|
unless ($ok);
|
2018-08-18 23:14:09 +02:00
|
|
|
|
2018-08-31 23:47:36 +02:00
|
|
|
return ( 1, $msg );
|
2018-08-18 23:14:09 +02:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
# Error if external 2F Send or Validate command is missing
|
|
|
|
|
ext2fCommands => sub {
|
|
|
|
|
return 1 unless ( $conf->{ext2fActivation} );
|
2018-08-19 00:10:27 +02:00
|
|
|
return ( 0, "External 2F Send or Validate command must be set" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( defined $conf->{ext2FSendCommand}
|
2018-08-18 23:14:09 +02:00
|
|
|
&& defined $conf->{ext2FValidateCommand} );
|
2018-08-07 20:29:44 +02:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
2018-08-07 18:06:36 +02:00
|
|
|
},
|
|
|
|
|
|
2018-07-31 21:12:22 +02:00
|
|
|
# Warn if XSRF token TTL is higher than 10s
|
2018-07-11 22:33:50 +02:00
|
|
|
formTimeout => sub {
|
2018-07-13 20:55:18 +02:00
|
|
|
return 1 unless ( defined $conf->{formTimeout} );
|
2018-08-31 23:49:25 +02:00
|
|
|
return ( 0, "XSRF form token TTL must be higher than 30s" )
|
2019-01-16 11:09:52 +01:00
|
|
|
unless ( $conf->{formTimeout} > 30 );
|
2018-07-26 20:52:35 +02:00
|
|
|
return ( 1, "XSRF form token TTL should not be higher than 2mn" )
|
2019-01-16 11:09:52 +01:00
|
|
|
if ( $conf->{formTimeout} > 120 );
|
2018-10-09 23:24:24 +02:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
2018-10-09 23:13:03 +02:00
|
|
|
},
|
2018-07-26 20:52:35 +02:00
|
|
|
|
2018-11-16 22:55:53 +01:00
|
|
|
# Warn if number of password reset retries is null
|
|
|
|
|
passwordResetRetries => sub {
|
|
|
|
|
return 1 unless ( $conf->{portalDisplayResetPassword} );
|
2019-01-16 11:09:52 +01:00
|
|
|
return ( 1, "Number of reset password retries should not be null" )
|
|
|
|
|
unless ( $conf->{passwordResetAllowedRetries} );
|
2018-11-16 22:55:53 +01:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
|
|
|
|
|
2018-11-03 22:54:48 +01:00
|
|
|
# Warn if bruteForceProtection enabled without History
|
2018-10-09 23:13:03 +02:00
|
|
|
bruteForceProtection => sub {
|
|
|
|
|
return 1 unless ( $conf->{bruteForceProtection} );
|
|
|
|
|
return ( 1,
|
2019-01-16 11:09:52 +01:00
|
|
|
'"History" plugin is required to enable "BruteForceProtection" plugin'
|
2018-10-09 23:13:03 +02:00
|
|
|
) unless ( $conf->{loginHistoryEnabled} );
|
2018-10-12 22:30:23 +02:00
|
|
|
return ( 1,
|
2019-01-16 11:09:52 +01:00
|
|
|
'Number of failed logins must be higher than 2 to enable "BruteForceProtection" plugin'
|
2018-10-12 22:30:23 +02:00
|
|
|
) unless ( $conf->{failedLoginNumber} > 2 );
|
2018-10-09 23:24:24 +02:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
2018-07-11 22:33:50 +02:00
|
|
|
},
|
2018-12-15 22:28:58 +01:00
|
|
|
|
2018-12-26 22:55:03 +01:00
|
|
|
# Warn if Mailrest plugin is enabled without Token or Captcha
|
|
|
|
|
checkMailResetSecurity => sub {
|
|
|
|
|
return 1 unless ( $conf->{portalDisplayResetPassword} );
|
2018-12-30 19:46:45 +01:00
|
|
|
return ( -1,
|
2019-01-16 11:09:52 +01:00
|
|
|
'"passwordMailReset" plugin is enabled without CSRF Token neither Captcha required !!!'
|
|
|
|
|
)
|
|
|
|
|
unless ( $conf->{requireToken}
|
2018-12-30 19:46:45 +01:00
|
|
|
or $conf->{captcha_mail_enabled} );
|
2018-12-26 22:55:03 +01:00
|
|
|
|
|
|
|
|
# Return
|
|
|
|
|
return 1;
|
|
|
|
|
},
|
2018-12-30 19:46:45 +01:00
|
|
|
|
2015-06-11 20:36:20 +02:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
1;
|
