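# All the Flask configuration values can be used:
# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values

# The flask secret key for cookies. You MUST change this.
# Generate a long random value, for instance with
#   python -c "import secrets; print(secrets.token_hex(32))"
# and keep the real value out of version control: anyone holding it can
# forge session cookies.
SECRET_KEY = "change me before you go in production"

# Your organization name.
NAME = "Canaille"

# The interface on which canaille will be served
# SERVER_NAME = "auth.mydomain.tld"
# PREFERRED_URL_SCHEME = "https"

# You can display a logo to be recognized on login screens
LOGO = "/static/img/canaille-head.png"

# Your favicon. If unset the LOGO will be used.
FAVICON = "/static/img/canaille-c.png"

# The name of a theme in the 'theme' directory, or an absolute path
# to a theme. Defaults to 'default'. Theming is done with
# https://github.com/tktech/flask-themer
# THEME = "default"

# If unset, language is detected
# LANGUAGE = "en"

# Path to the RFC8414 metadata file. You should update those files
# with your production URLs.
OAUTH2_METADATA_FILE = "canaille/conf/oauth-authorization-server.json"
OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"

# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"

# If this option is set to true, when a user tries to sign in with
# an invalid login, a message is shown indicating that the login does not
# exist. If this option is set to false (the default) a message is
# shown indicating that the password is wrong, but does not give a clue
# whether the login exists or not.
# NOTE(review): the behaviour described above looks inverted with respect
# to the key name ("HIDE" ... = true revealing the login) — confirm against
# the version you deploy. Whichever setting reveals whether a login exists
# lets an attacker enumerate accounts; prefer the setting that does not.
# HIDE_INVALID_LOGINS = false

[LOGGING]
# LEVEL can be one value among:
# DEBUG, INFO, WARNING, ERROR, CRITICAL
# LEVEL = "WARNING"

# The path of the log file. If not set (the default) logs are
# written in the standard error output.
# PATH = ""

[LDAP]
# A plain ldap:// URI sends BIND_PW and user passwords unencrypted on the
# wire; use ldaps:// (or otherwise encrypt the connection) unless the
# directory is reached over a trusted network.
URI = "ldap://ldap"
ROOT_DN = "dc=mydomain,dc=tld"
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
# BIND_PW is stored in cleartext in this file: restrict read access to the
# service account (e.g. mode 0600) and never commit a real password.
BIND_PW = "admin"
# The LDAP connection timeout. A bare `TIMEOUT =` with no value is not
# valid TOML, so the key is left commented out here; set it to an integer
# to enable it (the value below is only an illustrative placeholder — the
# unit is not documented in this file, confirm with the application).
# TIMEOUT = 10

# Where to search for users?
USER_BASE = "ou=users,dc=mydomain,dc=tld"

# The object class to use for creating new users
USER_CLASS = "inetOrgPerson"

# The attribute to identify an object in the User dn.
USER_ID_ATTRIBUTE = "cn"

# Filter to match users on sign in. Supports a variable
# {login} that can be used to compare against several fields:
# NOTE(review): the value substituted for {login} is user-controlled, so
# the application must LDAP-filter-escape it before substitution; this
# file cannot enforce that — confirm in the sign-in code.
USER_FILTER = "(|(uid={login})(mail={login}))"

# Where to search for groups?
GROUP_BASE = "ou=groups"

# The object class to use for creating new groups
GROUP_CLASS = "groupOfNames"

# The attribute to identify an object in the Group dn.
GROUP_ID_ATTRIBUTE = "cn"

# The attribute to use to identify a group
GROUP_NAME_ATTRIBUTE = "cn"

# A filter to check if a user belongs to a group
# A 'user' variable is available.
GROUP_USER_FILTER = "member={user.dn}"

# You can define access controls that define what users can do on canaille
# An access control consists of a FILTER to match users, a list of PERMISSIONS
# matched users will be able to perform, and fields users will be able
# to READ and WRITE. Users matching several filters will accumulate permissions.
#
# A 'FILTER' parameter that is a LDAP filter used to determine if a user
# belongs to an access control. If absent, all the users will match this
# access control. If your LDAP server has the 'memberof' overlay, you can
# filter against group membership.
# Here are some examples
# FILTER = 'uid=admin'
# FILTER = 'memberof=cn=admins,ou=groups,dc=mydomain,dc=tld'
#
# The 'PERMISSIONS' parameter that is a list of items the users in the access
# control will be able to manage. 'PERMISSIONS' is optional. Values can be:
# - "use_oidc" to allow OpenID Connect authentication
# - "manage_oidc" to allow OpenID Connect client management
# - "manage_users" to allow other users management
# - "manage_groups" to allow group creation and editing
# - "delete_account" allows a user to delete his own account. If used with
#   manage_users, the user can delete any account
# - "impersonate_users" to allow a user to take the identity of another user
#
# The 'READ' and 'WRITE' attributes are the LDAP attributes of the user
# object that users will be able to read and/or write.
# Because permissions accumulate, an ACL without a FILTER (such as
# ACL.DEFAULT below) applies to every user; keep its PERMISSIONS and WRITE
# lists to the minimum every account genuinely needs.
[ACL.DEFAULT]
PERMISSIONS = ["use_oidc"]
READ = ["uid", "groups"]
WRITE = [
    "givenName",
    "sn",
    "userPassword",
    "telephoneNumber",
    "jpegPhoto",
    "mail",
]

[ACL.ADMIN]
FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
PERMISSIONS = [
    "manage_users",
    "manage_groups",
    "manage_oidc",
    "delete_account",
    "impersonate_users",
]
WRITE = ["groups"]

# The jwt configuration. You can generate a RSA keypair with:
# openssl genrsa -out private.pem 4096
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
# The private key signs every issued token: make it readable only by the
# service account. The public key may be published.
[JWT]
PRIVATE_KEY = "canaille/conf/private.pem"
PUBLIC_KEY = "canaille/conf/public.pem"
KTY = "RSA"
ALG = "RS256"
EXP = 3600

[JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass. Default values fit inetOrgPerson.
SUB = "uid"
NAME = "cn"
PHONE_NUMBER = "telephoneNumber"
EMAIL = "mail"
GIVEN_NAME = "givenName"
FAMILY_NAME = "sn"
PREFERRED_USERNAME = "displayName"
LOCALE = "preferredLanguage"
PICTURE = "jpegPhoto"
ADDRESS = "postalAddress"

# The SMTP server options. If not set, mail related features such as
# user invitations, and password reset emails, will be disabled.
# If LOGIN and PASSWORD are set, prefer TLS = true so the credentials and
# the password-reset links in the mails are not sent in cleartext.
# [SMTP]
# HOST = "localhost"
# PORT = 25
# TLS = false
# LOGIN = ""
# PASSWORD = ""
# FROM_ADDR = "admin@mydomain.tld"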