File Coverage

blib/lib/Config/Apple/Profile/Payload/WiFi/EAPClientConfiguration.pm
Criterion Covered Total %
statement 40 40 100.0
branch 17 18 94.4
condition 30 30 100.0
subroutine 10 10 100.0
pod 1 1 100.0
total 98 99 98.9


line stmt bran cond sub pod time code
1             # This is the code for Config::Apple::Profile::Payload::WiFi::EAPClientConfiguration.
2             # For Copyright, please see the bottom of the file.
3              
4             package Config::Apple::Profile::Payload::WiFi::EAPClientConfiguration;
5              
6 3     3   1885 use 5.10.1;
  3         8  
  3         104  
7 3     3   11 use strict;
  3         3  
  3         76  
8 3     3   12 use warnings FATAL => 'all';
  3         4  
  3         86  
9 3     3   11 use base qw(Config::Apple::Profile::Payload::Common);
  3         5  
  3         613  
10              
11             our $VERSION = '0.87.1';
12              
13 3     3   358 use Config::Apple::Profile::Config;
  3         4  
  3         106  
14 3     3   13 use Config::Apple::Profile::Payload::Common;
  3         3  
  3         67  
15 3     3   11 use Config::Apple::Profile::Payload::Types qw(:all);
  3         5  
  3         463  
16 3     3   16 use Config::Apple::Profile::Targets qw(:all);
  3         3  
  3         261  
17 3     3   15 use Readonly;
  3         4  
  3         1720  
18              
19              
20             =encoding utf8
21              
22             =head1 NAME
23              
24             Config::Apple::Profile::Payload::Wi-Fi::EAPClientConfiguration - Class for the
25             EAPClientConfiguration payload key in the Wi-Fi payload.
26              
27             =head1 DESCRIPTION
28              
29             This class implements part of the Wi-Fi payload. Specifically, this class
30             implements the C dictionary. This contains all of the
31             EAP configuration when WPA-Enterprise or WPA2-Enterprise is being used on a
32             Wi-Fi network.
33              
34             Even though this class is not a payload in its own right, it can be treated as
35             a payload.
36              
37              
38             =head1 INSTANCE METHODS
39              
40             The following instance methods are provided by this class.
41              
42              
43             =head2 validate_key($key, $value)
44              
45             Performs additional validation for certain payload keys in this class:
46              
47             =over 4
48              
49             =item * C
50              
51             This must be C<13>, C<17>, C<18>, C<21>, C<23>, C<25>, or C<43>.
52              
53             =item * C
54              
55             Only valid host and domain names are allowed, although the asterisk (C<*>) is
56             acceptable as a wildcard.
57              
58             =item * C
59              
60             This must be either C<2> or C<3>.
61              
62             =item * C
63              
64             This must be C, C, C, or C.
65              
66             =back
67              
68             All other payload keys will be checked as usual by the parent class.
69              
70             See also the documentation in L.
71              
72             =cut
73              
74             # $TLSTrustedServerNames_regex matches hostnames, but allows * as a wildcard
75             # character. It is based on $RE{net}{domain}{-keep}{-nospace} from
76             # Regexp::Common by Damien Conway and Abigail, but rewritten because that
77             # module's code is not available under the GPL2, which we are.
78             Readonly my $TLSTrustedServerNames_hostname => qr/
79             [A-Z0-9*] # First character can be a letter or a digit
80             (?: # We don't have to have more than 1 character, but...
81             [-A-Z0-9*]{0,253} # Middle characters allow hyphens
82             [A-Z0-9*] # End character is a letter or a digit
83             )?
84             /ix;
85             Readonly my $TLSTrustedServerNames_regex => qr/
86             ^( # Match the whole string; capture the match
87             $TLSTrustedServerNames_hostname # We need at least 1 hostname
88             (?:
89             \. # Domains require a dot before subsequent
90             $TLSTrustedServerNames_hostname # hostnames, but…
91             )* # We don't have to have a domain name.
92             )$
93             /isx;
94              
95             sub validate_key {
96 41     41 1 53 my ($self, $key, $value) = @_;
97            
98             # Let's start by letting the parent do the generic validation.
99 41         162 my $parent_value = $self->SUPER::validate_key($key, $value);
100 41 100       244 return $parent_value if !defined $parent_value;
101            
102             # Let's check over some of our keys
103             # Only allow EAP-type values for AcceptEAPTypes
104 39 100       97 if ($key eq 'AcceptEAPTypes') {
    100          
    100          
    50          
105 18 100 100     193 unless ( ($value == 13)
      100        
      100        
      100        
      100        
      100        
106             || ($value == 17)
107             || ($value == 18)
108             || ($value == 21)
109             || ($value == 23)
110             || ($value == 25)
111             || ($value == 43)
112             ) {
113             ## no critic (ProhibitExplicitReturnUndef)
114 11         33 return undef;
115             ## use critic
116             }
117             }
118            
119             # TLSTrustedServerNames allows hostnames and domains, but also allows * as
120             # a wildcard character.
121             elsif ($key eq 'TLSTrustedServerNames') {
122 10 100       31 if ($value =~ $TLSTrustedServerNames_regex) {
123 5         63 return $1;
124             }
125             else {
126             ## no critic (ProhibitExplicitReturnUndef)
127 5         56 return undef;
128             ## use critic
129             }
130             }
131            
132             # Only allow certain values for TTLSInnerAuthentication
133             elsif ($key eq 'TTLSInnerAuthentication') {
134 7 100 100     48 unless ( ($value eq 'PAP')
      100        
      100        
135             || ($value eq 'CHAP')
136             || ($value eq 'MSCHAP')
137             || ($value eq 'MSCHAPv2')
138             ) {
139             ## no critic (ProhibitExplicitReturnUndef)
140 3         9 return undef;
141             ## use critic
142             }
143             }
144            
145             # EAPSIMNumberOfRANDs must be 2 or 3
146             elsif ($key eq 'EAPSIMNumberOfRANDs') {
147             ## no critic (ProhibitExplicitReturnUndef)
148 4 100 100     22 return undef unless (($value == 2) || ($value == 3));
149             ## use critic
150             }
151            
152             # At this point, we've checked all of our special keys and we're good!
153 13         33 return $value;
154             }
155              
156              
157             =head1 PAYLOAD KEYS
158              
159             This payload has the following keys:
160              
161              
162             =head2 C
163              
164             This is an I, where each number represents one type of EAP
165             method to use.
166              
167             At least one EAP method must be specified. The following EAP methods are
168             supported:
169              
170             =over 4
171              
172             =item C<13> = EAP-TLS
173              
174             As defined in RFC 5216, available at L.
175             The client is authenticated using an identity certificate.
176              
177             =item C<17> = LEAP
178              
179             The Cisco-developed protocol. This should not be used for new environments.
180              
181             =item C<18> = EAP-SIM
182              
183             As defined in RFC 4186, available at L.
184             The client is authenticated using their phone's SIM, using challenge-response.
185              
186             =item C<21> = EAP-TTLS
187              
188             As defined in RFC 5281, available at L.
189             The client is authenticated using a username & password, but that authentication
190             takes place inside of a TLS connection.
191              
192             =item C<23> = EAP-AKA
193              
194             As defined in RFC 5448, available at L.
195             The client is authenticated using their phone's USIM, using challenge-response.
196              
197             =item C<25> = PEAP
198              
199             =item C<43> = EAP-FAST
200              
201             As defined in RFC 4581, available at L.
202             The client is authenticated using a pre-shared credential, or (if none is
203             available) some other EAP method, embedded in a TLS connection.
204              
205             =back
206              
207             If multiple EAP types are listed, Apple's documentataion does not specify the
208             order that they will be used.
209              
210              
211             =head2 Basic Authentication Parameters
212              
213             =head3 C
214              
215             I
216              
217             A I. This is the exact username to use. If not provided, the user will
218             be asked to enter this information during authentication.
219              
220              
221             =head3 C
222              
223             I, relevent only to TTLS, PEAP, and FAST.
224              
225             A I. If present, the value of this string will be used as the username
226             outside of the encrypted tunnel; the real username will only be passed inside
227             the encrypted tunnel.
228              
229              
230             =head3 C
231              
232             I
233              
234             A I. If a password is used during authentication, it will be taken from
235             here. If a password is needed, but not already provided, then the user will
236             be prompted.
237              
238              
239             =head3 C
240              
241             I
242              
243             A I. If C, then the user will be asked for a password every time
244             the device connects to the wireless network. If C, the password will be
245             saved for future connections to the wireless network.
246              
247             Default is C.
248              
249              
250             =head2 TLS Configuration
251              
252             =head3 C
253              
254             I, used by authentication methods that provide a TLS certificate.
255              
256             An I. The UUIDs point to I payloads that have
257             been loaded onto the device, either as part of this profile or via an already-
258             installed profile.
259              
260             When the EAP server provides their TLS certificate, the
261             device must confirm that the server's certificate is trusted. If this array is
262             provided, the device will use it as the list of trusted certificates, for the
263             purposes of certificate verification and trust.
264              
265             The EAP server's certificate must pass this test, as well as the test defined in
266             L>, before the certificate will be trusted.
267              
268             See L for more information on the
269             certificate payload types. See also L>.
270              
271              
272             =head3 C
273              
274             I, used by authentication methods that provide a TLS certificate.
275              
276             An I. Each string is a domain name, with the C<*> wildcard
277             allowed. When the EAP server presents its certificate, the certificate's
278             common name will be checked against this list; if the common name does not
279             match any of the patterns in the list, the certificate will not be trusted.
280              
281             The EAP server's certificate must pass this test, as well as the test defined in
282             L>, before the certificate will be trusted.
283              
284             See also L>.
285              
286              
287             =head3 C
288              
289             I, used by authentication methods that provide a TLS certificate.
290              
291             A I.
292              
293             Certificate trust is automatically determined using the payload keys
294             C and C. If both keys are
295             undefined, then automatic validation fails. If both keys are defined, and
296             either test failed, the automatic validation fails. If only one key is defined,
297             then automatic validation fails if that one test fails.
298              
299             If this key is true, and automatic validation had failed, then the user will be
300             given the option to explicitly trust the certificate, or to cancel the
301             connection attempt. If this key is false, then the user will not be given any
302             option; if automatic validation fails, then the connection fails.
303              
304             The default value is not fixed: If either C or
305             C is defined, then the default value is C. If
306             both C and C are undefined,
307             then the default value is C.
308              
309              
310             =head3 C
311              
312             I, relevent only to PEAP, EAP-TTLS, EAP-FAST, and EAP-TLS.
313             I.
314              
315             If C, allows for two-factor authentication for PEAP, EAP-TTLS, and
316             EAP-FAST. If C, allowes for zero-factor authentication for EAP-TLS.
317              
318             The default value is not fixed. If EAP-TLS is being used, then the default is
319             C. For all other EAP types, the default is C.
320              
321              
322             =head2 EAP-TTLS Configruation
323              
324             The key in this section is only used with EAP-TTLS.
325              
326              
327             =head3 C
328              
329             I
330              
331             A I. This the the authentication method used inside the tunnel. Valid
332             values are:
333              
334             =over 4
335              
336             =item C
337              
338             =item C
339              
340             =item C
341              
342             =item C
343              
344             =back
345              
346             The default is C.
347              
348              
349             =head2 EAP-FAST Configuration
350              
351             The keys in this section are only used with EAP-FAST.
352              
353              
354             =head3 C
355              
356             I
357              
358             A I. If an existing PAC is present, and this key is C, then
359             use the existing PAC. Otherwise, the server must use a certificate to prove
360             its identity.
361              
362             Default is C.
363              
364              
365             =head3 C
366              
367             I
368              
369             A I. If C, allow PAC provisioning. This key has no effect
370             unless C is C.
371              
372             Default is C.
373              
374              
375             =head3 C
376              
377             I
378              
379             A I. If C, the PAC may be provisioned anonymously.
380              
381             B Anonymous PAC provisioning has known man-in-the-middle attacks. If
382             PAC provisioning is used, this key shoudl be set to C.
383              
384             Default is C.
385              
386              
387             =head3 C
388              
389             I
390              
391             A I, either C<2> or C<3>. This is the number of RANDs expected for
392             EAP-SIM.
393              
394             Default is C<3>.
395              
396             =cut
397              
398             Readonly our %payloadKeys => (
399             # We are NOT using the common keys. We are just defining our own.
400             # Since we are not a separate payload, we will not be defining basic keys.
401            
402             # Basic configuration
403             'AcceptEAPTypes' => {
404             type => $ProfileArray,
405             subtype => $ProfileNumber,
406             description => 'The list of EAP types to accept.',
407             targets => {
408             $TargetIOS => '5.0',
409             $TargetMACOSX => '10.7',
410             },
411             },
412            
413             # Authentication information
414             'UserName' => {
415             type => $ProfileString,
416             description => 'The exact user name. If not present, the user is '
417             . 'prompted when they authenticate.',
418             optional => 1,
419             targets => {
420             $TargetIOS => '5.0',
421             $TargetMACOSX => '10.7',
422             },
423             },
424             'OuterIdentity' => {
425             type => $ProfileString,
426             description => 'The outer identity to use in TTLS, PEAP, and EAP-FAST.',
427             optional => 1,
428             targets => {
429             $TargetIOS => '5.0',
430             $TargetMACOSX => '10.7',
431             },
432             },
433             'UserPassword' => {
434             type => $ProfileString,
435             description => 'The password. If not present, the user is prompted '
436             . 'when they authenticate.',
437             optional => 1,
438             private => 1,
439             targets => {
440             $TargetIOS => '5.0',
441             $TargetMACOSX => '10.7',
442             },
443             },
444             'OneTimePassword' => {
445             type => $ProfileBool,
446             description => 'Prompt for password whenever connecting to the '
447             . 'wireless network. Default is false.',
448             optional => 1,
449             targets => {
450             $TargetIOS => '5.0',
451             $TargetMACOSX => '10.7',
452             },
453             },
454            
455             # TLS configuration
456             'PayloadCertificateAnchorUUID' => {
457             type => $ProfileArray,
458             subtype => $ProfileUUID,
459             description => 'A list of server certificate UUIDs to trust.',
460             optional => 1,
461             targets => {
462             $TargetIOS => '5.0',
463             $TargetMACOSX => '10.7',
464             },
465             },
466             'TLSTrustedServerNames' => {
467             type => $ProfileArray,
468             subtype => $ProfileString,
469             description => 'A list of common names to explicitly trust.',
470             optional => 1,
471             targets => {
472             $TargetIOS => '5.0',
473             $TargetMACOSX => '10.7',
474             },
475             },
476             'TLSAllowTrustExceptions' => {
477             type => $ProfileBool,
478             description => 'Allow the user to choose to trust the server cert.',
479             optional => 1,
480             targets => {
481             $TargetIOS => '5.0',
482             $TargetMACOSX => '10.7',
483             },
484             },
485             'TLSCertificateIsRequired' => {
486             type => $ProfileBool,
487             description => 'Varies depending on the EAP type used.',
488             optional => 1,
489             targets => {
490             $TargetIOS => '7.0',
491             $TargetMACOSX => '10.7',
492             },
493             },
494            
495             # TTLS Configuration
496             'TTLSInnerAuthentication' => {
497             type => $ProfileString,
498             description => 'The inner authentication method to use with TTLS.',
499             optional => 1,
500             targets => {
501             $TargetIOS => '5.0',
502             $TargetMACOSX => '10.7',
503             },
504             },
505            
506             # EAP-FAST Configuration
507             'EAPFASTUsePAC' => {
508             type => $ProfileBool,
509             description => 'If trust, use a PAC if available. Default is false.',
510             optional => 1,
511             targets => {
512             $TargetIOS => '5.0',
513             $TargetMACOSX => '10.7',
514             },
515             },
516             'EAPFASTProvisionPAC' => {
517             type => $ProfileBool,
518             description => 'Allow PAC provisioning.',
519             optional => 1,
520             targets => {
521             $TargetIOS => '5.0',
522             $TargetMACOSX => '10.7',
523             },
524             },
525             'EAPFASTProvisionPACAnonymously' => {
526             type => $ProfileBool,
527             description => '[UNSAFE] Provision PAC anonymously. Defaults to false.',
528             optional => 1,
529             targets => {
530             $TargetIOS => '5.0',
531             $TargetMACOSX => '10.7',
532             },
533             },
534             'EAPSIMNumberOfRANDs' => {
535             type => $ProfileNumber,
536             description => 'The number of expected RANDs for EAP-SIM. Default is 3.',
537             optional => 1,
538             targets => {
539             $TargetIOS => '5.0',
540             $TargetMACOSX => '10.7',
541             },
542             },
543             ); # End of %payloadKeys
544              
545              
546             =head1 ACKNOWLEDGEMENTS
547              
548             Refer to L for acknowledgements.
549              
550              
551             =head1 AUTHOR
552              
553             A. Karl Kornel, C<< >>
554              
555              
556             =head1 COPYRIGHT AND LICENSE
557              
558             Copyright © 2014 A. Karl Kornel.
559              
560             This program is free software; you can redistribute it and/or modify it
561             under the terms of either: the GNU General Public License as published
562             by the Free Software Foundation; or the Artistic License.
563              
564             See L for more information.
565              
566             =cut
567              
568             1;