fix display errors for ppolicy messages (#119)

htdocs/display.php

@@ -209,4 +209,12 @@
 $smarty->assign("prehookresult", $prehookresult);
 $smarty->assign("posthookresult", $posthookresult);
 if ($pwdLockout == false) $smarty->assign("use_lockaccount", $pwdLockout);
+if(isset($messages[$resetpasswordresult]))
+{
+    $smarty->assign('msg_resetpasswordresult',$messages[$resetpasswordresult]);
+}
+else
+{
+    $smarty->assign('msg_resetpasswordresult','');
+}
 ?>

htdocs/resetpassword.php

@@ -62,27 +62,37 @@
             $entry["pwdReset"] = "TRUE";
         }
 
-        if ( isset($prehook) ) {
+        #==============================================================================
+        # Check password strength
+        #==============================================================================
+        # TODO: get login first to prevent password = login
+        # TODO: get ldap entry first, to prevent pwd_forbidden_ldap_fields in password
+        $result = \Ltb\Ppolicy::check_password_strength( $password, "", $pwd_policy_config, "", array(), array() );
 
-            if ( !isset($prehook_login_value) ) {
-                $prehook_return = 255;
-                $prehook_message = "No login found, cannot execute prehook script";
-            } else {
-                $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64);
-                exec($command, $prehook_output, $prehook_return);
-                $prehook_message = $prehook_output[0];
+        if( $result === "")
+        {
+            if ( isset($prehook) ) {
+
+                if ( !isset($prehook_login_value) ) {
+                    $prehook_return = 255;
+                    $prehook_message = "No login found, cannot execute prehook script";
+                } else {
+                    $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64);
+                    exec($command, $prehook_output, $prehook_return);
+                    $prehook_message = $prehook_output[0];
+                }
             }
-        }
 
-        if ( $prehook_return > 0 and !$ignore_prehook_return) {
-            $result = "passwordrefused";
-        } else {
-            $modification = ldap_mod_replace($ldap, $dn, $entry);
-            $errno = ldap_errno($ldap);
-            if ( $errno ) {
+            if ( $prehook_return > 0 and !$ignore_prehook_return) {
                 $result = "passwordrefused";
             } else {
-                $result = "passwordchanged";
+                $modification = ldap_mod_replace($ldap, $dn, $entry);
+                $errno = ldap_errno($ldap);
+                if ( $errno ) {
+                    $result = "passwordrefused";
+                } else {
+                    $result = "passwordchanged";
+                }
             }
         }
 

lang/en.inc.php

@@ -108,5 +108,48 @@
 $messages['welcome'] = "Welcome to LDAP Tool Box service desk";
 $messages['willexpireaccounts'] = "Passwords soon expired";
 $messages['willexpireaccountstitle'] = "Passwords that will expire within $willexpiredays days";
+$messages['notcomplex'] = "Your password does not have enough different classes of characters";
+$messages['tooshort'] = "Your password is too short";
+$messages['toobig'] = "Your password is too long";
+$messages['minlower'] = "Your password does not have enough lowercase characters";
+$messages['policyminlower'] = "Minimum number of lowercase characters:";
+$messages['minupper'] = "Your password does not have enough uppercase characters";
+$messages['policyminupper'] = "Minimum number of uppercase characters:";
+$messages['mindigit'] = "Your password does not have enough digits";
+$messages['policymindigit'] = "Minimum number of digits:";
+$messages['minspecial'] = "Your password does not have enough special characters";
+$messages['policyminspecial'] = "Minimum number of special characters:";
+$messages['forbiddenchars'] = "You password contains forbidden characters";
+$messages['policyforbiddenchars'] = "Forbidden characters:";
+$messages['specialatends'] = "Your new password has its only special character at the beginning or end";
+$messages['policyspecialatends'] = "Your new password may not have its only special character at the beginning or end";
+$messages['sameasold'] = "Your new password is identical to your old password";
+$messages['sameaslogin'] = "Your new password is identical to your login";
+$messages['policydiffminchars'] = "Minimum number of new unique characters:";
+$messages['diffminchars'] = "Your new password is too similar to your old password";
+$messages['forbiddenwords'] = "Your passwords contains forbidden words or strings";
+$messages['policyforbiddenwords'] = "Your password must not contain:";
+$messages['forbiddenldapfields'] = "Your password contains values from your LDAP entry";
+$messages['policyforbiddenldapfields'] = "Your password may not contain values from the following LDAP fields:";
+$messages['sameascustompwd'] = "The new password is not unique across other password fields";
+$messages['pwned'] = "Your new password has already been published on leaks, you should consider changing it on any other service that it is in use";
+$messages['policypwned'] = "Your new password may not be published on any previous public password leak from any site";
+$messages['insufficiententropy'] = "Insufficient entropy for new password";
+$messages['policy'] = "Your password must conform to the following constraints:";
+$messages['policyminlength'] = "Minimum length:";
+$messages['policymaxlength'] = "Maximum length:";
+$messages['policyminlower'] = "Minimum number of lowercase characters:";
+$messages['policyminupper'] = "Minimum number of uppercase characters:";
+$messages['policymindigit'] = "Minimum number of digits:";
+$messages['policyminspecial'] = "Minimum number of special characters:";
+$messages['policycomplex'] = "Minimum number of different classes of characters:";
+$messages['policyforbiddenchars'] = "Forbidden characters:";
+$messages['policydiffminchars'] = "Minimum number of new unique characters:";
+$messages['policynoreuse'] = "Your new password may not be the same as your old password";
+$messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['policydifflogin'] = "Your new password may not be the same as your login";
+$messages['policypwned'] = "Your new password may not be published on any previous public password leak from any site";
+$messages['policyspecialatends'] = "Your new password may not have its only special character at the beginning or end";
+$messages['policyentropy'] = "Password strength";
 
 ?>

lang/fr.inc.php

@@ -107,5 +107,48 @@
 $messages['welcome'] = "Bienvenue sur le guichet de service LDAP Tool Box";
 $messages['willexpireaccounts'] = "Mots de passe bientôt expirés";
 $messages['willexpireaccountstitle'] = "Mots de passe allant expirer dans moins de $willexpiredays jours";
+$messages['notcomplex'] = "Votre mot de passe n'a pas assez de classes de caractères différentes.";
+$messages['tooshort'] = "Votre mot de passe est trop court";
+$messages['toobig'] = "Votre mot de passe est trop long";
+$messages['minlower'] = "Votre mot de passe n'a pas assez de minuscules";
+$messages['policyminlower'] = "Nombre minimum de minuscules :";
+$messages['minupper'] = "Votre mot de passe n'a pas assez de majuscules";
+$messages['policyminupper'] = "Nombre minimum de majuscules :";
+$messages['mindigit'] = "Votre mot de passe n'a pas assez de chiffres";
+$messages['policymindigit'] = "Nombre minimum de chiffres :";
+$messages['minspecial'] = "Votre mot de passe n'a pas assez de caractères spéciaux";
+$messages['policyminspecial'] = "Nombre minimum de caractères spéciaux :";
+$messages['forbiddenchars'] = "Votre mot de passe contient des caractères interdits";
+$messages['policyforbiddenchars'] = "Caractères interdits :";
+$messages['specialatends'] = "Votre nouveau mot de passe a son unique caractère spécial en première ou dernière position";
+$messages['policyspecialatends'] = "Votre nouveau mot de passe ne doit pas avoir son seul caractère spécial en première ou dernière position.";
+$messages['sameasold'] = "Votre mot de passe est identique au précédent";
+$messages['sameaslogin'] = "Votre mot de passe est identique à votre identifiant";
+$messages['policydiffminchars'] = "Nombre de nouveaux caractères unique :";
+$messages['diffminchars'] = "Votre nouveau mot de passe est trop similaire au précédant";
+$messages['forbiddenwords'] = "Votre mot de passe contient des mots interdits";
+$messages['policyforbiddenwords'] = "Votre mot de passe ne doit pas contenir ::";
+$messages['forbiddenldapfields'] = "Votre mot de passe contient des valeurs de votre entrée LDAP";
+$messages['policyforbiddenldapfields'] = "Votre mot de passe ne doit pas contenir la valeur des attributs de votre entrée :";
+$messages['sameascustompwd'] = "Le nouveau mot de passe n'est pas unique par rapport aux autres champs de mots de passe personnalisés";
+$messages['pwned'] = "Votre nouveau mot de passe est compromis, vous devriez le changer partout où vous l'utilisez";
+$messages['policypwned'] = "Votre nouveau mot de passe ne doit pas être connu d'une base publique de mots de passe compromis";
+$messages['insufficiententropy'] = "Entropie insuffisante pour le nouveau mot de passe";
+$messages['policy'] = "Votre mot de passe doit respecter les contraintes suivantes :";
+$messages['policyminlength'] = "Nombre minimum de caractères :";
+$messages['policymaxlength'] = "Nombre maximum de caractères :";
+$messages['policyminlower'] = "Nombre minimum de minuscules :";
+$messages['policyminupper'] = "Nombre minimum de majuscules :";
+$messages['policymindigit'] = "Nombre minimum de chiffres :";
+$messages['policyminspecial'] = "Nombre minimum de caractères spéciaux :";
+$messages['policycomplex'] = "Nombre minimum de classes de caractères :";
+$messages['policyforbiddenchars'] = "Caractères interdits :";
+$messages['policydiffminchars'] = "Nombre de nouveaux caractères unique :";
+$messages['policynoreuse'] = "Votre nouveau mot de passe ne doit pas être identique à l'ancien";
+$messages['policynoreusecustompwdfield'] = "Votre nouveau mot de passe ne devrait pas être le même que le mot de passe de connexion";
+$messages['policydifflogin'] = "Votre nouveau mot de passe ne doit pas être identique à votre identifiant";
+$messages['policypwned'] = "Votre nouveau mot de passe ne doit pas être connu d'une base publique de mots de passe compromis";
+$messages['policyspecialatends'] = "Votre nouveau mot de passe ne doit pas avoir son seul caractère spécial en première ou dernière position.";
+$messages['policyentropy'] = "Force du mot de passe";
 
 ?>

templates/display.tpl

@@ -151,12 +151,13 @@
                  <form id="resetpassword" method="post" action="index.php?page=resetpassword">
                      {if $resetpasswordresult eq 'passwordrequired'}
                      <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordrequired}</div>
-                     {/if}
-                     {if $resetpasswordresult eq 'passwordrefused'}
+                     {elseif $resetpasswordresult eq 'passwordrefused'}
                      <div class="alert alert-danger"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordrefused}</div>
-                     {/if}
-                     {if $resetpasswordresult eq 'passwordchanged'}
+                     {elseif $resetpasswordresult eq 'passwordchanged'}
                      <div class="alert alert-success"><i class="fa fa-fw fa-check"></i> {$msg_passwordchanged}</div>
+                     {elseif $resetpasswordresult eq ''}
+                     {else}
+                     <div class="alert alert-danger"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_resetpasswordresult}</div>
                      {/if}
                      {if $prehookresult}
                      <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$prehookresult}</div>