<?php
/*
 * *****************************************************************************
 * Contributions to this work were made on behalf of the GÉANT project, a 
 * project that has received funding from the European Union’s Framework 
 * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
 * Horizon 2020 research and innovation programme under Grant Agreements No. 
 * 691567 (GN4-1) and No. 731122 (GN4-2).
 * On behalf of the aforementioned projects, GEANT Association is the sole owner
 * of the copyright in all material which was developed by a member of the GÉANT
 * project. GÉANT Vereniging (Association) is registered with the Chamber of 
 * Commerce in Amsterdam with registration number 40535155 and operates in the 
 * UK as a branch of GÉANT Vereniging.
 * 
 * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. 
 * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
 *
 * License: see the web/copyright.inc.php file in the file structure or
 *          <base_url>/copyright.php after deploying the software
 */
?>
<?php
/**
 * This is the main (and currently: only) configuration file for CAT
 *
 * @package Configuration
 */
namespace config;
/**
 * This class's members hold the configuration for CAT
 *
 * @author Stefan Winter <[email protected]>
 * @author Tomasz Wolniewicz <[email protected]>
 *
 * @package Configuration
 */
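class ConfAssistant
{

    /**
     * Defines various general parameters of the roaming consortium.
     * name: technical name of the consortium, used inside the product and in installer
     *       internals not reaching the human eye. ASCII only; some code paths are only
     *       taken when the value is "eduroam"
     * display_name: pretty-printed consortium name, for places where it is shown to humans
     * ssid: an array of default SSIDs for this consortium; they are automatically added to all installers.
     * interworking-consortium-oi: Organisation Identifier of the roaming consortium for Interworking/Hotspot 2.0;
     *                             a profile with these OIs will be added to all installers
     * interworking-domainname-fallback: This will be used in Windows installers for the DomainName setting if
     *                             the IdP configuration does not supply its own realm
     * networks: named network definitions; each entry carries its own 'ssid' list, 'oi' list and a
     *           'condition' (true, or a string selector such as 'internal:openroaming' which the
     *           consuming code evaluates)
     * homepage: URL of the consortium's general homepage.
     * signer_name: if installers are configured for digital signature, this parameter should contain the "O" name
     *           in the certificate. If left empty, signatures are not advertised even if configured and working
     * selfservice_registration: if set to null, federation admins need to invite new inst admins manually
     *                           if set to a federation ID string, e.g. "DE" for Germany, new admins can
     *                           self-register and will be put into that federation.
     * registration_API_keys: allows select federations to make bulk registrations for new IdPs (e.g. if they have
     *                        an own, opaque, customer management system). The API will be documented at a later
     *                        stage. Each array key is a secret API key mapped to the federation it belongs to.
     * nomenclature_*: the terms used in the administrative interface for the federation, IdP, hotspot and
     *                 participant roles
     * entitlement: the entitlement URN associated with institution admins (matching is done by the callers)
     * LOGOS: there are several variants of the consortium logo scattered in the
     *        source. Please change them at the appropriate places:
     *        - web/resources/images/consortium_logo.png
     *        - web/favicon.ico
     *        - devices/ms/Files/eduroam_150.bmp
     *        - devices/ms/Files/eduroam32.ico
     *
     * @var array
     */
    public const CONSORTIUM = [
        // for technical usages inside the product and things in installers not
        // reaching the human eye. Please keep this ASCII only. There are some
        // code paths in the product which are only taken when the value is "eduroam"
        'name' => 'eduroam',
        // pretty-print version of the consortium name, for places where this is
        // presented to actual humans.
        'display_name' => 'eduroam®',
        // listed only once: the original file repeated this key further down,
        // and PHP silently lets the last duplicate win
        'ssid' => ['eduroam'],
        'homepage' => 'https://www.eduroam.org',
        'signer_name' => 'GÉANT Association',
        'selfservice_registration' => null,
        'interworking-consortium-oi' => ['001bc50460'],
        'interworking-domainname-fallback' => 'eduroam.org',
        'networks' => [
            'eduroam' => [
                'ssid' => ['eduroam'],
                'oi' => [
                    '001bc50460', /* eduroam RCOI */
                ],
                'condition' => true,
            ],
            'OpenRoaming® (%REALM%)' => [
                'ssid' => [], /* OpenRoaming has left SSIDs behind */
                'oi' => [
                    '5A03BA0000', /* OpenRoaming/AllIdentities/SettlementFree/NoPersonalData/BaselineQoS */
                    '5A03BA0800', /* OpenRoaming/EduIdentities/SettlementFree/NoPersonalData/BaselineQoS */
                ],
                'condition' => 'internal:openroaming',
            ],
        ],
        // every entry is a credential: keep this file readable only by the
        // application and out of version control once real keys are filled in
        'registration_API_keys' => [
            // 'secretvalue' => 'UK',
            // 'othervalue' => 'DE',
        ],
        /*  Please note that many languages that CAT is translated to distinguish
          grammatical gender and if you change this phrase it might get a wrong
          article in some translated strings or look odd. This only affects the
          administrative interface and not end users.
          Since this product has a flagship use for the eduroam consortium
          (which uses the term "Identity Provider"), at least the German
          translation is geared towards *male* declination to match that term.
         */
        'nomenclature_federation' => 'National Roaming Operator',
        'nomenclature_idp' => 'Identity Provider',
        'nomenclature_hotspot' => 'Service Provider',
        'nomenclature_participant' => 'Organisation',
        'entitlement' => 'urn:geant:eduroam:inst:admin',
    ];

    /** eduPKI options:
     *
     * "testing" controls which instance of eduPKI we are using and also
     * the requested expiry time of the certificates (1y for testing, 5y for production)
     * "max_expiry" set to true means that we will be requesting certificates
     * with maximum available validity, controlled by eduPKI defaults (at the moment
     * the expiry date of the CA certificate)
     *
     * The constant name is deliberately not changed to EDUPKI: renaming it would
     * break every existing ConfAssistant::eduPKI reference.
     *
     * @var array
     */
    public const eduPKI = [
        'testing' => false,
        'max_expiry' => true,
    ];

    /** silverbullet options:
     *         default_maxusers: an institution is not allowed to create more than that amount of users
     *             the value can be overridden as a per-federation option in fed-operator UI
     *         realm_suffix: user credentials have a realm which always includes the inst ID and profile ID and the name
     *             of the federation; for routing aggregation purposes /all/ realms should end with a common suffix though
     *             if left empty, realms would end in the federation name only
     *         server_suffix: the suffix of the auth server's name. It will be auth.<fedname> followed by this suffix
     *         gracetime: admins need to re-login and verify that accounts are still valid. This prevents lazy admins
     *             who forget deletion of people who have lost their eligibility. The number is an integer value in days
     *         CA: the code can either act as its own CA ("embedded") or use API calls to an external CA. This config
     *             value steers where to get certificates from
     *
     * @var array
     */
    public const SILVERBULLET = [
        'product_name' => 'Hosted Services',
        'subproduct_sp_name' => 'Managed SP',
        'subproduct_idp_name' => 'Managed IdP',
        'documentation' => 'https://wiki.geant.org/pages/viewpage.action?pageId=66650390',
        'default_maxusers' => 200,
        'realm_suffix' => '.hosted.eduroam.org',
        'server_suffix' => '.hosted.eduroam.org',
        'gracetime' => 90,
        'CA' => ["type" => "embedded"], # OCSP URL needs to be configured in openssl.cnf
        # example of the external-CA shape (endpoint below is a dummy value):
        # 'CA' => ["type" => "DFN", "SOAP_API_ENDPOINT" => "http://no.idea.where/"],
    ];

    /**
     * Various paths.
     * makensis: path to the makensis executable. If you just fill in "makensis" the one from the system $PATH will be taken.
     * zip: path to the zip executable. If you just fill in "zip" the one from the system $PATH will be taken.
     *   See also NSIS_VERSION further down
     * trust-store-*: if an IdP wants to auto-detect his root CA rather than specifying it properly, we need to have repositories
     *                of "known-good" CAs. Mozilla's trust store is usually good, plus ones we can ship ourselves
     *                (trust-store-custom is resolved relative to this file's directory)
     * @var array
     */
    public const PATHS = [
        'makensis' => 'makensis',
        'zip' => 'zip',
        'trust-store-mozilla' => '/etc/ssl/certs/ca-certificates.crt',
        'trust-store-custom' => __DIR__ . "/known-roots.pem",
    ];

    /**
     * NSIS version - with version 3 UTF installers will be created
     * see also PATHS['makensis']
     *
     * @var int
     */
    public const NSIS_VERSION = 3;

    /**
     * Map provider settings.
     * PROVIDER: which map service to use; recognised values are Google, Bing, OpenLayers, None
     * USERNAME: the provider credential, or equivalent; for Google this is the API key
     *
     * @var array
     */
    public const MAPPROVIDER = [
        'PROVIDER' => 'OpenLayers', // recognised values: Google, Bing, OpenLayers, None
        'USERNAME' => '', // or equivalent; for Google, this is the APIKEY
    ];

    /**
     * Configures SMS gateway settings.
     * username/password are placeholders ('...') and have to be filled in per deployment.
     *
     * @var array
     */
    public const SMSSETTINGS = [
        'provider' => 'Nexmo',
        'username' => '...',
        'password' => '...',
    ];

    /**
     * Lists the RADIUS servers. They have a built-in DB to log auth requests.
     * We need to query those to get auth stats for silverbullet admins
     *
     * The user/pass values below are placeholders; the real ones are database
     * credentials and should be protected like any other secret in this file.
     *
     * @var array
     */
    public const DB = [
        // names don't matter - the source code will iterate through
        // all entries
        'RADIUS_1' => [
            'host' => 'auth-1.hosted.eduroam.org',
            'db' => 'radacct',
            'user' => 'someuser',
            'pass' => 'somepass',
            'readonly' => true,
        ],
        'RADIUS_2' => [
            'host' => 'auth-2.hosted.eduroam.org',
            'db' => 'radacct',
            'user' => 'someuser',
            'pass' => 'somepass',
            'readonly' => true,
        ],
    ];

    /**
     * Determines if DiscoJuice keywords should be used in the discovery service
     * The keywords contain other language variants of the IdP name making it
     * easier to follow keyboard search. Turning this option on will add
     * about 40% size to the IdP list
     *
     * @var bool
     */
    public const USE_KEYWORDS = true;

    /**
     * Determines if the IdP list for DiscoJuice should be preloaded in the background
     * at the main page load
     *
     * @var bool
     */
    public const PRELOAD_IDPS = true;

    /**
     * Points to information on what certificates should be used for servers
     * and corresponding CAs
     * If this value is set to an empty string then no link will be displayed.
     *
     * @var string
     */
    public const CERT_GUIDELINES = 'https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations';

    /**
     * These are warning thresholds used to analyse certificates in profiles
     * These default settings are probably much too low.
     * Values are in seconds.
     *
     * @var array
     */
    public const CERT_WARNINGS = [
        'expiry_warning' => 5184000, // 60 days
        'expiry_critical' => 0, //
    ];

    /**
     * 'startday' sets the date from which you started recording admins logins
     * 'allowed_inactivity_days' the number of allowed inactivity days - above that the warning will
     *     be shown on the NRO page; be aware that admins who were not active AFTER the date you
     *     started recording the logins will be shown as inactive, so to be completely OK
     *     there should be a synchronisation between the moment you start the system, startday and allowed_inactivity_days
     *
     * @var array
     */
    public const ADMIN_LOGINS = [
        'startday' => '2030-01-01', // change this to your date
        'allowed_inactivity_days' => 365,
    ];

}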