Merge branch 'master' into issue-165-multiple_sms_tokens

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
       with:
         php_version: 7.4
         command: update
-        php_extensions: ldap
+        php_extensions: ldap gd mbstring
     - name: PHPUnit Tests for php7.4
       uses: php-actions/phpunit@v3
       with:

.gitignore

@@ -1,2 +1,2 @@
 /vendor/
-/htdocs/vendor/bootstrap/
+/htdocs/vendor/

composer.json

@@ -2,12 +2,21 @@
     "require": {
         "ltb-project/ldap": "v0.1.0",
         "bjeavons/zxcvbn-php": "^1.0",
-        "twbs/bootstrap": "v5.3.2"
+        "twbs/bootstrap": "v5.3.3",
+        "defuse/php-encryption": "2.4.0",
+        "gregwar/captcha": "v1.2.1",
+        "mxrxdxn/pwned-passwords": "v2.1.0",
+        "components/jquery": "v3.7.1",
+        "fortawesome/font-awesome": "6.5.1"
     },
     "scripts": {
         "post-update-cmd": [
             "rm -rf htdocs/vendor/bootstrap",
-            "cp -R vendor/twbs/bootstrap/dist htdocs/vendor/bootstrap"
+            "cp -R vendor/twbs/bootstrap/dist htdocs/vendor/bootstrap",
+            "rm -rf htdocs/vendor/jquery",
+            "cp -R vendor/components/jquery htdocs/vendor/jquery",
+            "rm -rf htdocs/vendor/font-awesome ",
+            "cp -R vendor/fortawesome/font-awesome htdocs/vendor/font-awesome"
         ]
     }
 }

conf/config.inc.php

@@ -2,8 +2,8 @@
 #==============================================================================
 # LTB Self Service Password
 #
-# Copyright (C) 2009 Clement OUDOT
-# Copyright (C) 2009 LTB-project.org
+# Copyright (C) 2024 Clement OUDOT
+# Copyright (C) 2024 LTB-project.org
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -245,6 +245,13 @@
 # Token lifetime in seconds
 $token_lifetime = "3600";
 
+# Reset URL (mandatory)
+$reset_url = "http://ssp.example.com/";
+# If inside a virtual host
+#$reset_url = ($_SERVER['HTTPS'] ? "https" : "http") . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
+# If behind a reverse proxy with a virtual host
+#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
+
 ## Mail
 # LDAP mail attribute
 $mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
@@ -319,9 +326,6 @@
 #$attribute_phone = "mobile";
 #$who_change_attributes = "manager";
 
-# Reset URL (if behind a reverse proxy)
-#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
-
 # Display help messages
 $show_help = true;
 

docs/config_general.rst

@@ -16,10 +16,10 @@ configuration file named ``config.inc.local.php`` in
    ?>
 
 Self Service Password default configuration file is
-``self-service-password/conf/config.inc.php``. It includes
-``config.inc.local.php``. Consequently, you can override all parameters
-in ``config.inc.local.php``. This prevents you to be disturbed by an
-upgrade.
+``/etc/self-service-password/config.inc.php``. It includes
+``config.inc.local.php``. Consequently, you should override all parameters
+in a dedicated file ``config.inc.local.php``. This prevents you to be disturbed
+by an upgrade.
 
 Multi tenancy
 -------------
@@ -32,7 +32,7 @@ This feature is disable by default. To enable it:
    $header_name_extra_config = "SSP-Extra-Config";
 
 Then if you send the header ``SSP-Extra-Config: domain1``, the file
-``conf/config.inc.domain1.php`` will be loaded.
+``config.inc.domain1.php`` will be loaded.
 
 Using Apache, we may set such header using the following:
 

docs/config_questions.rst

@@ -138,7 +138,11 @@ To add a question, you can create a new value in the
 
    $messages['questions']['ice'] = "What is your favorite ice cream flavor?";
 
-Or better, to be able to translate it, create it in every customized lang file under ``conf/``.
+Or better, to be able to translate it, create it in every customized lang file under
+configuration directory:
+
+* ``conf/`` directory for self-service-password archive
+* ``/etc/self-service-password`` directory for rpm/deb packages
 
 To disable the default questions form the main configuration file, set:
 

docs/installation.rst

@@ -14,7 +14,7 @@ Prerequisites:
 * php-ldap
 * php-mbstring (reset mail)
 * php-openssl (token crypt, probably built-in)
-* Smarty (version >=3)
+* smarty (3 or 4)
 
 Tarball can be downloaded from `LTB project website <https://ltb-project.org/download.html>`_.
 
@@ -40,14 +40,6 @@ Adapt ownership of Smarty cache repositories so Apache user can write into them.
 Debian / Ubuntu
 ---------------
 
-.. warning:: You need to install first the package `smarty3`_. If you face the error ``syntax error, unexpected token "class"``, try to install a newer version of the package:
-
-   ``# wget http://ftp.us.debian.org/debian/pool/main/s/smarty3/smarty3_3.1.47-2_all.deb``
-
-   ``# dpkg -i smarty3_3.1.47-2_all.deb``
-
-.. _smarty3: https://packages.debian.org/sid/smarty3
-
 Configure the repository:
 
 .. prompt:: bash #
@@ -79,7 +71,7 @@ You are now ready to install:
 CentOS / RedHat
 ---------------
 
-.. warning::  You may need to install first the package `php-Smarty`_ which is not in official repositories.
+.. warning::  You must install the package `php-Smarty`_.You can get it from EPEL repositories.
 
 .. _php-Smarty: https://pkgs.org/download/php-Smarty
 

docs/upgrade.rst

@@ -5,7 +5,7 @@ From 1.5 to 1.6
 ---------------
 
 SMS configuration
-------------------
+~~~~~~~~~~~~~~~~~
 
 We now demand by default the telephone number to the user, if you want to ask only the login and to read the telephone number from LDAP:
 
@@ -20,6 +20,103 @@ The default notification's behaviour for sms is obscured. To change this behavio
    $obscure_notfound_sendsms = false;
 
 
+Bundled dependencies
+~~~~~~~~~~~~~~~~~~~~
+
+The dependencies are now explicitly listed in the self-service-password package, including the bundled ones.
+
+You can find bundled dependencies list:
+
+* in package description in debian package
+* in Provides field in rpm package
+
+The license of self-service-password is still GPL2+, but now the bundled dependencies licenses are also listed:
+
+* in copyright file for deb package
+* in License tag in rpm package
+
+Configuration location
+~~~~~~~~~~~~~~~~~~~~~~
+
+The configuration files are now in ``/etc/self-service-password`` directory.
+
+During the upgrade process towards 1.6, the previous configuration files present in ``/usr/share/self-service-password/conf`` (all .php files) are migrated to ``/etc/self-service-password/``:
+
+* ``config.inc.php`` is migrated as a ``config.inc.php.bak`` file,
+* all other php file names are preserved. (including local conf, domain conf, and customized lang files)
+
+Please take in consideration that ``config.inc.php`` is now replaced systematically by the version in the RPM package. A .rpmsave backup will be done with the current version. The deb package will continue asking which file to use, it is advised to replace the current one with the version in the package.
+
+The very old configuration files, present directly under ``/usr/share/self-service-password/`` are **NOT** migrated during the upgrade process, and must be upgraded manually. These files have been deprecated since version 0.9, released in 2015 of October. If you are migrating from version this old, you must move your configuration files manually. Move your ``config.inc.local.php`` into ``/etc/self-service-password``. If you have modified ``config.inc.php``, just identify the modified parameters and add/replace them into a ``/etc/self-service-password/config.inc.local.php``. Avoid as much as possible editing the ``/etc/self-service-password/config.inc.php`` file.
+
+Reset URL
+~~~~~~~~~
+
+To avoid any security issue, the `$reset_url` is now initialized to a default value, that you need to configure.
+
+If you run in a virtual host or behind a reverse proxy virtual host, you can use generic values. For example:
+
+.. code-block:: php
+
+   $reset_url = ($_SERVER['HTTPS'] ? "https" : "http") . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
+
+Else you need to force the URL according to the DNS of the application:
+
+.. code-block:: php
+
+   $reset_url = "https://reset.acme.com";
+
+Cache cleaning
+~~~~~~~~~~~~~~
+
+Now the cache is being cleaned-up during self-service-password upgrade / install.
+
+This is intended to avoid smarty problems due to self-service-password templates upgrade, and possibly smarty upgrade itself.
+
+
+Dependencies update
+~~~~~~~~~~~~~~~~~~~
+
+Packaged dependencies:
+
+* smarty is now a required package. self-service-password will work with either version 3 or 4.
+* php >= 7.3 is now required (previously version 5)
+* sed is a now a required package
+* php-gd, php-ldap and php-mbstring have been kept as dependencies
+
+Bundled dependencies:
+
+* bjeavons-zxcvbn-php 1.3.1 is a new dependency used for computing password entropy
+* defuse-php-encryption has been updated from version 2.0.3 to version 2.4.0
+* gregwar-captcha has been updated from version 1.1.9 to version 1.2.1
+* guzzlehttp-guzzle has been updated from version 7.4.5 to version 7.8.1
+* guzzlehttp-promises has been updated from version 1.5.1 to version 2.0.2
+* guzzlehttp-psr7 has been updated from version 2.5.0 to version 2.6.2
+* some functions of self-service-password have been externalized in ltb-project-ldap 0.1.0 php library
+* mxrxdxn-pwned-passwords has been kept in version 2.1.0
+* phpmailer has been updated from version 6.5.3 to version 6.9.1
+* psr-http-client has been updated from version 1.0.1 to version 1.0.3
+* psr-http-factory has been kept in version 1.0.2
+* psr-http-message has been updated from version 1.1 to version 2.0
+* ralouphie-getallheaders has been kept in version 3.0.3
+* symfony-deprecation-contracts has been updated from version 2.5.1 to version 3.4.0
+* symfony-finder has been updated from version 5.3.7 to version 7.0.0
+* symfony-polyfill has been updated from version 1.23.1 to version 1.29.0
+* bootstrap has been updated from version 3.4.1 to version 5.3.3
+* jquery has been updated from version 3.5.1 to version 3.7.1
+* jquery-selectunique has been kept in version 0.1.0
+* font-awesome has been updated from version 4.7.0 to version 6.5.1
+
+Note that hidden files (.gitignore, ...) from bundled dependencies are now removed from packages.
+
+For developers
+~~~~~~~~~~~~~~
+
+During the build process of rpm or deb packages, the unit tests are now run:
+
+* for any version of debian / ubuntu
+* for fedora OS
+
 From 1.4 to 1.5
 ---------------
 

htdocs/captcha.php

@@ -2,8 +2,8 @@
 #==============================================================================
 # LTB Self Service Password
 #
-# Copyright (C) 2009 Clement OUDOT
-# Copyright (C) 2009 LTB-project.org
+# Copyright (C) 2024 Clement OUDOT
+# Copyright (C) 2024 LTB-project.org
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -19,7 +19,7 @@
 #
 #==============================================================================
 
-require_once("../lib/vendor/autoload.php");
+require_once(__DIR__."/../vendor/autoload.php");
 use Gregwar\Captcha\CaptchaBuilder;
 
 # cookie for captcha session

htdocs/change.php

@@ -2,8 +2,8 @@
 #==============================================================================
 # LTB Self Service Password
 #
-# Copyright (C) 2009 Clement OUDOT
-# Copyright (C) 2009 LTB-project.org
+# Copyright (C) 2024 Clement OUDOT
+# Copyright (C) 2024 LTB-project.org
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License

htdocs/changesshkey.php

@@ -2,8 +2,8 @@
 #==============================================================================
 # LTB Self Service Password
 #
-# Copyright (C) 2009 Clement OUDOT
-# Copyright (C) 2009 LTB-project.org
+# Copyright (C) 2024 Clement OUDOT
+# Copyright (C) 2024 LTB-project.org
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License

htdocs/index.php

@@ -14,16 +14,10 @@
 # Includes
 #==============================================================================
 require_once("../vendor/autoload.php");
-require_once("../lib/vendor/defuse-crypto.phar");
-require_once("../lib/vendor/autoload.php");
 require_once("../lib/functions.inc.php");
 if ($use_captcha) {
     require_once("../lib/captcha.inc.php");
 }
-// should be included by ../lib/vendor/autoload.php
-//if ($use_pwnedpasswords) {
-//    require_once("../lib/vendor/mxrxdxn/pwned-passwords/src/PwnedPasswords/PwnedPasswords.php");
-//}
 
 #==============================================================================
 # VARIABLES
@@ -81,9 +75,15 @@
 # Check PHP xml presence
 if ( ! function_exists('utf8_decode') ) { $dependency_check_results[] = "nophpxml"; }
 
+# Check crypt_tokens option
+if ( $use_sms and !$crypt_tokens ) { $dependency_check_results[] = "nocrypttokens"; }
+
 # Check keyphrase setting
 if ( ( ( $use_tokens and $crypt_tokens ) or $use_sms or $crypt_answers ) and ( empty($keyphrase) or $keyphrase == "secret") ) { $dependency_check_results[] = "nokeyphrase"; }
 
+# Check reset_url setting
+if ( $use_tokens and empty($reset_url) ) { $dependency_check_results[] = "noreseturl"; }
+
 #==============================================================================
 # Email Config
 #==============================================================================

htdocs/js/ppolicy.js

@@ -51,10 +51,10 @@
         return value === "good" || value === "info";
       };
     })(this))) {
-      $('.help').removeClass('border-danger').addClass('border-success');
+      $('.ppolicy').removeClass('border-danger').addClass('border-success');
       return (ref = $('#newpassword').get(0)) != null ? ref.setCustomValidity('') : void 0;
     } else {
-      $('.help').removeClass('border-success').addClass('border-danger');
+      $('.ppolicy').removeClass('border-success').addClass('border-danger');
       return (ref1 = $('#newpassword').get(0)) != null ? ref1.setCustomValidity("Insufficient quality") : void 0;
     }
   };
@@ -75,6 +75,16 @@
       }
     };
 
+    removePPolicyCriteria = function(criteria, feedback) {
+      // first consider the criteria as fullfilled
+      report( true , feedback);
+      // remove criteria from the list of ppolicy checks
+      delete window.policy[criteria];
+      // remove the <li> tag parent to given feedback
+      $( "#" + feedback ).parent().remove();
+    };
+
+
     // Criteria checks
     if (window.policy.pwd_min_length > 0) {
       report(password.length >= window.policy.pwd_min_length, 'ppolicy-pwd_min_length-feedback');
@@ -107,7 +117,7 @@
       }
       else
       {
-        report( true , 'ppolicy-pwd_no_reuse-feedback');
+        removePPolicyCriteria("pwd_no_reuse", 'ppolicy-pwd_no_reuse-feedback');
       }
     }
 
@@ -124,7 +134,7 @@
     }
 
     if (window.policy.pwd_diff_last_min_chars > 0) {
-      if( $( "#oldpassword" ).length && $( "#oldpassword" ).val().length > 0 && password.length > 0 )
+      if( $( "#oldpassword" ).length )
       {
         minDiffChars = window.policy.pwd_diff_last_min_chars;
         oldpassword = $( "#oldpassword" ).val();
@@ -141,7 +151,7 @@
       }
       else
       {
-        report( true , 'ppolicy-pwd_diff_last_min_chars-feedback');
+        removePPolicyCriteria("pwd_diff_last_min_chars", 'ppolicy-pwd_diff_last_min_chars-feedback');
       }
     }
 

htdocs/resetbyquestions.php

@@ -2,8 +2,8 @@
 #==============================================================================
 # LTB Self Service Password
 #
-# Copyright (C) 2009 Clement OUDOT
-# Copyright (C) 2009 LTB-project.org
+# Copyright (C) 2024 Clement OUDOT
+# Copyright (C) 2024 LTB-project.org
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License