more modularization of captcha system (WIP) (#894)

htdocs/change.php

@@ -59,7 +59,7 @@
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->verify_captcha_challenge();}
 
 #==============================================================================
 # Check old password

htdocs/changecustompwdfield.php

@@ -84,7 +84,7 @@ function set_default_value(&$variable, $defaultValue)
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha ) { $result = $captchaInstance->global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha ) { $result = $captchaInstance->verify_captcha_challenge();}
 
 #==============================================================================
 # Default configuration

htdocs/changesshkey.php

@@ -53,7 +53,7 @@
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->verify_captcha_challenge();}
 
 #==============================================================================
 # Check password

htdocs/index.php

@@ -227,6 +227,17 @@
     auditlog($audit_log_file, $userdn, $login, $action, $result);
 }
 
+#==============================================================================
+# Generate captcha
+#==============================================================================
+$captcha_html = '';
+$captcha_js = '';
+if(isset($use_captcha) && $use_captcha == true)
+{
+    $captcha_html = $captchaInstance->generate_html_captcha($messages);
+    $captcha_js = $captchaInstance->generate_js_captcha();
+}
+
 #==============================================================================
 # Smarty
 #==============================================================================
@@ -275,6 +286,8 @@
 $smarty->assign('mail_address_use_ldap', $mail_address_use_ldap);
 $smarty->assign('sms_use_ldap', $sms_use_ldap);
 $smarty->assign('default_action', $default_action);
+$smarty->assign('captcha_html', $captcha_html);
+$smarty->assign('captcha_js', $captcha_js);
 //$smarty->assign('',);
 
 if (isset($source)) { $smarty->assign('source', $source); }

htdocs/resetbyquestions.php

@@ -84,7 +84,7 @@
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->verify_captcha_challenge();}
 
 # Should we pre-populate the question?
 #   This should ensure that $login is valid and everything else is empty.

htdocs/sendsms.php

@@ -148,7 +148,7 @@
 # Check captcha
 #==============================================================================
 if ( $result === "" and $use_captcha) {
-        $result = $captchaInstance->global_captcha_check();
+        $result = $captchaInstance->verify_captcha_challenge();
 }
 
 #==============================================================================

htdocs/sendtoken.php

@@ -59,7 +59,7 @@
 # Check captcha
 #==============================================================================
 if ( ( $result === "" ) and $use_captcha) {
-    $result = $captchaInstance->global_captcha_check();
+    $result = $captchaInstance->verify_captcha_challenge();
 }
 
 #==============================================================================

htdocs/setattributes.php

@@ -51,7 +51,7 @@
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->verify_captcha_challenge();}
 
 #==============================================================================
 # Check password

htdocs/setquestions.php

@@ -74,7 +74,7 @@
 #==============================================================================
 # Check captcha
 #==============================================================================
-if ( ( $result === "" ) and $use_captcha) { $result = global_captcha_check();}
+if ( ( $result === "" ) and $use_captcha) { $result = $captchaInstance->verify_captcha_challenge();}
 
 #==============================================================================
 # Check password

lib/captcha/InternalCaptcha.php

@@ -4,18 +4,18 @@
 include_once( __DIR__ . "/Captcha.php");
 require_once(__DIR__."/../../vendor/autoload.php");
 use Gregwar\Captcha\PhraseBuilder;
+use Gregwar\Captcha\CaptchaBuilder;
 
 /*
 TODO:
-- rename global_captcha_check method (will be used by all captcha modules)
-- split global_captcha_check method into multiple methods: initialize the captcha, verify the captcha, and call these hooks among the code
-- replace template loading in templates/{setattributes.tpl,resetbyquestions.tpl,changesshkey.tpl,sendtoken.tpl,changecustompwdfield.tpl,sendsms.tpl,setquestions.tpl,change.tpl}
+- add possibility to declare a new route to a "newcaptcha.php" endpoint, that will call the generate_captcha_challenge() method corresponding to the current captcha module
 - find a way to reload the captcha (without loading the whole page again), see #789 -> for this issue, we need to call a "verify_captcha" method through a REST API
 - decide where the following elements will reside as parameters in config.inc.php, as properties of the class InternalCaptcha or Captcha, or as values sent by a function in this class:
   * extra css resource (online or local)
   * extra js resource (online or local?)
   * html to inject as the captcha
 - add unit test for each class
+- add audit logs for failed captcha actions
 */
 
 class InternalCaptcha extends Captcha
@@ -26,28 +26,58 @@ class InternalCaptcha extends Captcha
     function initialize(){
     }
 
-    # Function that generate the captcha challenge (which format for return value?)
-    # Could be called by the backend, or by a call through a REST API to define
-    function generate_challenge(){
-    }
+    # Function that insert extra js
+    function generate_js_captcha(){
+        $captcha_js = '';
 
-    # Function that verify that the result sent by the user
-    # matches the captcha challenge
-    function verify_challenge(){
+        return $captcha_js;
     }
 
-    # Function that generate the HTML widget corresponding to the captcha
-    function generate_widget(){
+    # Function that generate the html part containing the captcha
+    function generate_html_captcha($messages){
+
+        $captcha_html ='
+        <div class="row mb-3">
+            <div class="col-sm-4 col-form-label text-end captcha">
+                <img src="'.$this->generate_captcha_challenge().'" alt="captcha" />
+                <i class="fa fa-fw fa-refresh"></i>
+            </div>
+            <div class="col-sm-8">
+                <div class="input-group">
+                    <span class="input-group-text"><i class="fa fa-fw fa-check-circle"></i></span>
+                    <input type="text" autocomplete="new-password" name="captchaphrase" id="captchaphrase" class="form-control" placeholder="'.$messages["captcha"].'" />
+                </div>
+            </div>
+        </div>';
+
+        return $captcha_html;
     }
 
+    # Function that generate the captcha challenge (which format for return value?)
+    # Could be called by the backend, or by a call through a REST API to define
+    function generate_captcha_challenge(){
+
+        # cookie for captcha session
+        ini_set("session.use_cookies",1);
+        ini_set("session.use_only_cookies",1);
+        session_name("captcha");
+        session_start();
+
+        $captcha = new CaptchaBuilder;
+
+        $_SESSION['phrase'] = $captcha->getPhrase();
 
+        # session is stored and closed now, used only for captcha
+        session_write_close();
 
-    function check_captcha( $captcha_value, $user_value ) {
-        return PhraseBuilder::comparePhrases($captcha_value,$user_value);
+        $captcha_image = $captcha->build()->inline();
+
+        return $captcha_image;
     }
 
-    # see ../htdocs/captcha.php where captcha cookie and $_SESSION['phrase'] are set.
-    function global_captcha_check() {
+    # Function that verify that the result sent by the user
+    # matches the captcha challenge
+    function verify_captcha_challenge(){
         $result="";
         if (isset($_POST["captchaphrase"]) and $_POST["captchaphrase"]) {
             # captcha cookie for session
@@ -57,7 +87,8 @@ function global_captcha_check() {
             session_name("captcha");
             session_start();
             $captchaphrase = strval($_POST["captchaphrase"]);
-            if (!isset($_SESSION['phrase']) or ! $this->check_captcha($_SESSION['phrase'], $captchaphrase)) {
+            if (! isset($_SESSION['phrase']) or
+                ! PhraseBuilder::comparePhrases($_SESSION['phrase'], $captchaphrase)) {
                 $result = "badcaptcha";
             }
             unset($_SESSION['phrase']);
@@ -70,7 +101,6 @@ function global_captcha_check() {
         return $result;
     }
 
-
 }
 
 

templates/change.tpl

@@ -75,7 +75,7 @@
             </div>
         </div>
         {if ($use_captcha)}
-             {include file="captcha.tpl"}
+            {$captcha_html nofilter}
         {/if}
         <div class="row mb-3">
             <div class="offset-sm-4 col-sm-8">

templates/changecustompwdfield.tpl

@@ -76,7 +76,7 @@
                 </div>
             </div>
             {if ($use_captcha)}
-                 {include file="captcha.tpl"}
+                {$captcha_html nofilter}
             {/if}
             <div class="row mb-3">
             <div class="offset-sm-4 col-sm-8">

templates/changesshkey.tpl

@@ -34,7 +34,7 @@
             </div>
         </div>
         {if ($use_captcha)}
-             {include file="captcha.tpl"}
+            {$captcha_html nofilter}
         {/if}
         <div class="row mb-3">
             <div class="offset-sm-4 col-sm-8">

templates/footer.tpl

@@ -12,6 +12,7 @@
          policy = JSON.parse(atob(json_policy));
 </script>
 <script src="js/ppolicy.js"></script>
+<script>{$captcha_js nofilter}</script>
 {if ($questions_count > 1)}
 <script src="js/jquery.selectunique.js"></script>
 <script>$(document).ready(function() { $('.question').selectunique(); })</script>

templates/resetbyquestions.tpl

@@ -101,7 +101,7 @@
             </div>
         </div>
         {if ($use_captcha)}
-             {include file="captcha.tpl"}
+             {$captcha_html nofilter}
         {/if}
         <div class="row mb-3">
             <div class="offset-sm-4 col-sm-8">

templates/sendsms.tpl

@@ -79,7 +79,7 @@
             </div>
         </div>
         {if ($use_captcha)}
-             {include file="captcha.tpl"}
+            {$captcha_html nofilter}
         {/if}
         {if !$sms_use_ldap}
           <div class="row mb-3">

templates/sendtoken.tpl

@@ -35,7 +35,7 @@
     </div>
     {/if}
     {if ($use_captcha)}
-        {include file="captcha.tpl"}
+        {$captcha_html nofilter}
     {/if}
     <div class="row mb-3">
         <div class="offset-sm-4 col-sm-8">

templates/setattributes.tpl

@@ -49,7 +49,7 @@
     {/if}
 
     {if ($use_captcha)}
-        {include file="captcha.tpl"}
+        {$captcha_html nofilter}
     {/if}
     <div class="row mb-3">
         <div class="offset-sm-4 col-sm-8">

templates/setquestions.tpl

@@ -76,7 +76,7 @@
         </div>
     {/if}
     {if ($use_captcha)}
-        {include file="captcha.tpl"}
+        {$captcha_html nofilter}
     {/if}
     <div class="row mb-3">
         <div class="offset-sm-4 col-sm-8">