From 048167d6beba309af60c55ee766d3dc0c694b463 Mon Sep 17 00:00:00 2001
From: Christian Heusel <christian@heusel.eu>
Date: Mon, 4 Mar 2024 22:56:28 +0100
Subject: [PATCH] archwiki: Switch captcha to time-based method

Up until now the captcha has depended on the exact output of the pacman
version command which could lead to multiple problematic scenarios:

    a) User uses testing repos (user pacman newer)
    b) Server is not instantly updated (user pacman newer)
    c) User system is not updated (user pacman older)

Circumvent this problem by switching to a time based captcha instead.

Signed-off-by: Christian Heusel <christian@heusel.eu>
---
 roles/archwiki/tasks/main.yml                            | 8 ++------
 roles/archwiki/templates/LocalSettings.php.j2            | 2 +-
 .../archwiki/templates/archwiki-question-updater.hook.j2 | 9 ---------
 .../templates/archwiki-question-updater.service.j2       | 3 ++-
 .../templates/archwiki-question-updater.timer.j2         | 9 +++++++++
 5 files changed, 14 insertions(+), 17 deletions(-)
 delete mode 100644 roles/archwiki/templates/archwiki-question-updater.hook.j2
 create mode 100644 roles/archwiki/templates/archwiki-question-updater.timer.j2

diff --git a/roles/archwiki/tasks/main.yml b/roles/archwiki/tasks/main.yml
index 4d25d14e0..7ab910b99 100644
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -107,6 +107,7 @@
     - archwiki-prune-cache.service
     - archwiki-prune-cache.timer
     - archwiki-question-updater.service
+    - archwiki-question-updater.timer
 
 - name: Start and enable archwiki timers and services
   systemd:
@@ -118,6 +119,7 @@
     - archwiki-runjobs.timer
     - archwiki-prune-cache.timer
     - archwiki-runjobs-wait.service
+    - archwiki-question-updater.timer
 
 - name: Create question answer file
   systemd:
@@ -127,9 +129,3 @@
 
 - name: Ensure question answer file exists and set permissions
   file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
-
-- name: Create pacman.d hooks dir
-  file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
-
-- name: Install archwiki question updater hook
-  template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
diff --git a/roles/archwiki/templates/LocalSettings.php.j2 b/roles/archwiki/templates/LocalSettings.php.j2
index bd3edbdff..49a3f58c4 100644
--- a/roles/archwiki/templates/LocalSettings.php.j2
+++ b/roles/archwiki/templates/LocalSettings.php.j2
@@ -421,7 +421,7 @@ $wgCaptchaTriggers['addurl'] = false;
 $wgCaptchaTriggers['createaccount'] = true;
 $wgCaptchaTriggers['badlogin'] = true;
 $wgCaptchaQuestions = [
-    'What is the output of: <code>pacman -V|base32|head -1</code>' => trim(file_get_contents("{{ archwiki_question_answer_file }}"))
+    'What is the output of: <code>LC_ALL=C pacman -V|sed -r "s#[0-9]+#$(date -u +%m)#g"|base32|head -1</code>' => trim(file_get_contents("{{ archwiki_question_answer_file }}"))
 ];
 
 # Restrict expensive actions to logged in users
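Review bot: The answer behind the added `$wgCaptchaQuestions` entry now depends only on the UTC month, because the `sed` expression replaces every digit run in the banner with `date -u +%m`. As far as this hunk shows, that leaves twelve possible answers, each recurring every year, so a value recorded once is valid again in the same month of later years. Including the year, for example `$(date -u +%Y%m)` here and `$(date -u +%%Y%%m)` in the ExecStart line of archwiki-question-updater.service.j2, keeps the answer independent of the pacman version while making each month's value new. The command is also spelled out in both templates and must stay identical in them, so a comment next to this entry, such as `# keep in sync with archwiki-question-updater.service.j2`, would help.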
diff --git a/roles/archwiki/templates/archwiki-question-updater.hook.j2 b/roles/archwiki/templates/archwiki-question-updater.hook.j2
deleted file mode 100644
index 43c6017ef..000000000
--- a/roles/archwiki/templates/archwiki-question-updater.hook.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = pacman
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/systemctl start archwiki-question-updater.service
diff --git a/roles/archwiki/templates/archwiki-question-updater.service.j2 b/roles/archwiki/templates/archwiki-question-updater.service.j2
index 093f10dc3..8b0eae342 100644
--- a/roles/archwiki/templates/archwiki-question-updater.service.j2
+++ b/roles/archwiki/templates/archwiki-question-updater.service.j2
@@ -3,4 +3,5 @@ Description=Update Archwiki pacman question answer
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash -c 'pacman -V|base32|head -1 > "{{archwiki_question_answer_file}}"'
+# %% is needed here to escape systemd's own templating
+ExecStart=/bin/bash -c 'LC_ALL=C pacman -V|sed -r "s#[0-9]+#$(date -u +%%m)#g"|base32|head -1 > "{{archwiki_question_answer_file}}"'
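Review bot: Nothing on the new ExecStart line checks that the pipeline actually produced an answer. The `>` redirect truncates the file before `pacman` runs, and the shell reports only the exit status of `head`, so a failing `pacman` or `sed` leaves an empty answer file while the unit still succeeds. LocalSettings.php.j2 would then load an empty string as the expected answer; how the captcha treats that is not visible here. Writing the result to a temporary file in the same directory and renaming it over the target only when it is non-empty would keep the previous answer in place on failure. If the command is rewritten with shell variables, note that systemd expands `$NAME` in ExecStart itself, so a literal dollar sign has to be written as `$$`.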
diff --git a/roles/archwiki/templates/archwiki-question-updater.timer.j2 b/roles/archwiki/templates/archwiki-question-updater.timer.j2
new file mode 100644
index 000000000..4933f35cd
--- /dev/null
+++ b/roles/archwiki/templates/archwiki-question-updater.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Monthly Timer to update the Archwiki pacman question
+
+[Timer]
+OnCalendar=*-*-1 00:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
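Review bot: `OnCalendar=*-*-1 00:00:00` is evaluated in the host's local time zone, while both the question text and the service compute the month with `date -u`. Unless the server runs on UTC, the two disagree at every month change: on a host east of UTC the timer fires while `date -u` still reports the previous month, so the file would keep the old answer until the next run, and west of UTC the update arrives hours late. `OnCalendar=*-*-01 00:00:00 UTC` ties the timer to the same clock as the command. With the default `AccuracySec=` of one minute the run can also start slightly after midnight, so `AccuracySec=1s` would narrow the window in which a correct answer is rejected.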
-- 
GitLab