disband, reinstate PI groups

Author: simonLeary42

LDAP.md

@@ -3,3 +3,5 @@ Terminology:
 - **qualified user**: a user who is currently a PI or a member of at least one PI group
 - **native user**: a user who's entries exist in the OUs given in `config.ini`
   - it is up to the administrator to ensure that no non-native entries exist in these OUs
+- **disabled group**: a PI group that was disabled by its owner or had its owner disabled
+  - memberuid attribute should be empty

README.md

@@ -123,6 +123,14 @@ rm "$prod" && ln -s "$old" "$prod"
 
 ### Version-specific update instructions:
 
+### 1.6 -> 1.7
+
+- a new LDAP schema needs to be added:
+  ```shell
+  scp tools/docker-dev/identity/unity-cluster-schema.ldif root@your-ldap-server:/root/unity-cluster-schema.ldif
+  ssh root@your-ldap-server ldapadd -Y EXTERNAL -H ldapi:/// -f /root/unity-cluster-schema.ldif
+  ```
+
 ### 1.5 -> 1.6
 
 - the `[site]getting_started_url` option should be defined

resources/lib/UnityGroup.php

@@ -40,7 +40,7 @@ public function __toString(): string
     public function requestGroup(?bool $send_mail_to_admins = null, bool $send_mail = true): void
     {
         $send_mail_to_admins ??= CONFIG["mail"]["send_pimesg_to_admins"];
-        if ($this->exists()) {
+        if ($this->exists() && !$this->getIsDisabled()) {
             return;
         }
         if ($this->SQL->accDeletionRequestExists($this->getOwner()->uid)) {
@@ -63,18 +63,64 @@ public function requestGroup(?bool $send_mail_to_admins = null, bool $send_mail
         }
     }
 
+    public function disable(bool $send_mail = true): void
+    {
+        $this->SQL->addLog("disable_pi_group", $this->gid);
+        $memberuids = $this->getMemberUIDs();
+        if ($send_mail) {
+            $member_attributes = $this->LDAP->getUsersAttributes($memberuids, ["mail"]);
+            $member_mails = array_map(fn($x) => $x["mail"][0], $member_attributes);
+            $this->MAILER->sendMail($member_mails, "group_disabled", [
+                "group_name" => $this->gid,
+            ]);
+        }
+        $this->setIsDisabled(true);
+        if (count($memberuids) > 0) {
+            $this->entry->setAttribute("memberuid", []);
+        }
+        // TODO optimmize
+        // UnityUser::__construct() makes one LDAP query for each user
+        // updateIsQualified() makes one LDAP query for each member
+        // if user is no longer in any PI group, disqualify them
+        // FIXME uncomment
+        // foreach ($memberuids as $uid) {
+        //     $user = new UnityUser($uid, $this->LDAP, $this->SQL, $this->MAILER, $this->WEBHOOK);
+        //     $user->updateIsQualified($send_mail);
+        // }
+    }
+
+    private function reenable(bool $send_mail = true)
+    {
+        $this->SQL->addLog("reenabled_pi_group", $this->gid);
+        if ($send_mail) {
+            $this->MAILER->sendMail($this->getOwner()->getMail(), "group_reenabled", [
+                "group_name" => $this->gid,
+            ]);
+        }
+        $this->setIsDisabled(false);
+        $owner_uid = $this->getOwner()->uid;
+        if (!$this->memberUIDExists($owner_uid)) {
+            $this->addMemberUID($owner_uid);
+        }
+        // FIXME uncomment
+        // $this->getOwner()->updateIsQualified($send_mail);
+    }
+
     /**
      * This method will create the group (this is what is executed when an admin approved the group)
      */
     public function approveGroup(bool $send_mail = true): void
     {
         $uid = $this->getOwner()->uid;
         $request = $this->SQL->getRequest($uid, UnitySQL::REQUEST_BECOME_PI);
-        if ($this->exists()) {
-            return;
-        }
         \ensure($this->getOwner()->exists());
-        $this->init();
+        if (!$this->entry->exists()) {
+            $this->init();
+        } elseif ($this->getIsDisabled()) {
+            $this->reenable();
+        } else {
+            throw new Exception("cannot approve group that already exists and is not disabled");
+        }
         $this->SQL->removeRequest($this->getOwner()->uid, UnitySQL::REQUEST_BECOME_PI);
         $this->SQL->addLog("approved_group", $this->getOwner()->uid);
         if ($send_mail) {
@@ -126,42 +172,6 @@ public function cancelGroupJoinRequest(UnityUser $user, bool $send_mail = true):
         }
     }
 
-    // /**
-    //  * This method will delete the group, either by admin action or PI action
-    //  */
-    // public function removeGroup($send_mail = true)
-    // {
-    //     // remove any pending requests
-    //     // this will silently fail if the request doesn't exist (which is what we want)
-    //     $this->SQL->removeRequests($this->gid);
-
-    //     // we don't need to do anything extra if the group is already deleted
-    //     if (!$this->exists()) {
-    //         return;
-    //     }
-
-    //     // first, we must record the users in the group currently
-    //     $users = $this->getGroupMembers();
-
-    //     // now we delete the ldap entry
-    //     $this->entry->ensureExists();
-    //     $this->entry->delete();
-
-    //     // Logs the change
-    //     $this->SQL->addLog("removed_group", $this->gid);
-
-    //     // send email to every user of the now deleted PI group
-    //     if ($send_mail) {
-    //         foreach ($users as $user) {
-    //             $this->MAILER->sendMail(
-    //                 $user->getMail(),
-    //                 "group_disband",
-    //                 array("group_name" => $this->gid)
-    //             );
-    //         }
-    //     }
-    // }
-
     /**
      * This method is executed when a user is approved to join the group
      * (either by admin or the group owner)
@@ -226,7 +236,7 @@ public function removeUser(UnityUser $new_user, bool $send_mail = true): void
             return;
         }
         if ($new_user->uid == $this->getOwner()->uid) {
-            throw new Exception("Cannot delete group owner from group. Disband group instead");
+            throw new Exception("Cannot delete group owner from group. Disable group instead");
         }
         // remove request, this will fail silently if the request doesn't exist
         $this->removeMemberUID($new_user->uid);
@@ -329,7 +339,7 @@ private function init(): void
         \ensure(!$this->entry->exists());
         $nextGID = $this->LDAP->getNextPIGIDNumber();
         $this->entry->create([
-            "objectclass" => UnityLDAP::POSIX_GROUP_CLASS,
+            "objectclass" => ["unityClusterPIGroup", "posixGroup", "top"],
             "gidnumber" => strval($nextGID),
             "memberuid" => [$owner->uid],
         ]);
@@ -385,4 +395,40 @@ public function getGroupMembersAttributes(array $attributes, array $default_valu
             $default_values,
         );
     }
+
+    public function getIsDisabled(): bool
+    {
+        $value = $this->entry->getAttribute("isDisabled");
+        switch (count($value)) {
+            case 0:
+                return false;
+            case 1:
+                switch ($value[0]) {
+                    case "TRUE":
+                        return true;
+                    case "FALSE":
+                        return false;
+                    default:
+                        throw new \RuntimeException(
+                            sprintf(
+                                "unexpected value for isDisabled: '%s'. expected 'TRUE' or 'FALSE'",
+                                $value[0],
+                            ),
+                        );
+                }
+            default:
+                throw new \RuntimeException(
+                    sprintf(
+                        "expected value of length 0 or 1, found value %s of length %s",
+                        jsonEncode($value),
+                        count($value),
+                    ),
+                );
+        }
+    }
+
+    public function setIsDisabled(bool $new_value): void
+    {
+        $this->entry->setAttribute("isDisabled", $new_value ? "TRUE" : "FALSE");
+    }
 }

resources/lib/UnityLDAP.php

@@ -30,7 +30,8 @@ class UnityLDAP extends LDAPConn
         "ldapPublicKey",
     ];
 
-    public const array POSIX_GROUP_CLASS = ["posixGroup", "top"];
+    // isDisabled unset or set to "FALSE"
+    private static string $NON_DEFUNCT_FILTER = "(|(!(isDisabled=*))(isDisabled=FALSE))";
 
     private string $custom_mappings_path =
         __DIR__ . "/../../" . CONFIG["ldap"]["custom_user_mappings_dir"];
@@ -182,7 +183,7 @@ public function getAllNativeUsersAttributes(
         );
     }
 
-    public function getAllPIGroups(
+    public function getAllNonDisabledPIGroups(
         UnitySQL $UnitySQL,
         UnityMailer $UnityMailer,
         UnityWebhook $UnityWebhook,
@@ -191,6 +192,7 @@ public function getAllPIGroups(
         $pi_groups_attributes = $this->pi_groupOU->getChildrenArrayStrict(
             attributes: ["cn"],
             recursive: false,
+            filter: self::$NON_DEFUNCT_FILTER,
         );
         foreach ($pi_groups_attributes as $attributes) {
             array_push(
@@ -201,33 +203,39 @@ public function getAllPIGroups(
         return $out;
     }
 
-    public function getAllPIGroupsAttributes(array $attributes, array $default_values = []): array
-    {
+    public function getAllNonDisabledPIGroupsAttributes(
+        array $attributes,
+        array $default_values = [],
+    ): array {
         return $this->pi_groupOU->getChildrenArrayStrict(
             $attributes,
             false, // non-recursive
-            "objectClass=posixGroup",
+            self::$NON_DEFUNCT_FILTER,
             $default_values,
         );
     }
 
-    public function getPIGroupGIDsWithMemberUID(string $uid): array
+    public function getNonDisabledPIGroupGIDsWithMemberUID(string $uid): array
     {
         return array_map(
             fn($x) => $x["cn"][0],
             $this->pi_groupOU->getChildrenArrayStrict(
                 ["cn"],
                 false,
-                "(memberuid=" . ldap_escape($uid, "", LDAP_ESCAPE_FILTER) . ")",
+                sprintf(
+                    "(&(memberuid=%s)%s)",
+                    ldap_escape($uid, "", LDAP_ESCAPE_FILTER),
+                    self::$NON_DEFUNCT_FILTER,
+                ),
             ),
         );
     }
 
-    public function getAllPIGroupOwnerUIDs(): array
+    public function getAllNonDisabledPIGroupOwnerUIDs(): array
     {
         return array_map(
             fn($x) => UnityGroup::GID2OwnerUID($x["cn"][0]),
-            $this->pi_groupOU->getChildrenArrayStrict(["cn"]),
+            $this->getAllNonDisabledPIGroupsAttributes(["cn"]),
         );
     }
 
@@ -238,7 +246,7 @@ public function getUID2PIGIDs(): array
     {
         $uid2pigids = [];
         // for each PI group, append that GID to the member list for each of its member UIDs
-        $pi_groups_attributes = $this->getAllPIGroupsAttributes(
+        $pi_groups_attributes = $this->getAllNonDisabledPIGroupsAttributes(
             ["cn", "memberuid"],
             default_values: ["memberuid" => []],
         );

resources/lib/UnityOrg.php

@@ -37,7 +37,7 @@ public function init(): void
         \ensure(!$this->entry->exists());
         $nextGID = $this->LDAP->getNextOrgGIDNumber();
         $this->entry->create([
-            "objectclass" => UnityLDAP::POSIX_GROUP_CLASS,
+            "objectclass" => ["posixGroup", "top"],
             "gidnumber" => strval($nextGID),
         ]);
     }

resources/lib/UnityUser.php

@@ -60,7 +60,7 @@ public function init(
         $id = $this->LDAP->getNextUIDGIDNumber($this->uid);
         \ensure(!$ldapGroupEntry->exists());
         $ldapGroupEntry->create([
-            "objectclass" => UnityLDAP::POSIX_GROUP_CLASS,
+            "objectclass" => ["posixGroup", "top"],
             "gidnumber" => strval($id),
         ]);
         \ensure(!$this->entry->exists());
@@ -344,7 +344,7 @@ public function getHomeDir(): string
      */
     public function isPI(): bool
     {
-        return $this->getPIGroup()->exists();
+        return $this->getPIGroup()->exists() && !$this->getPIGroup()->getIsDisabled();
     }
 
     public function getPIGroup(): UnityGroup
@@ -374,7 +374,7 @@ public function getOrgGroup(): UnityOrg
      */
     public function getPIGroupGIDs(): array
     {
-        return $this->LDAP->getPIGroupGIDsWithMemberUID($this->uid);
+        return $this->LDAP->getNonDisabledPIGroupGIDsWithMemberUID($this->uid);
     }
 
     /**

resources/mail/group_disband.php resources/mail/group_disabled.phpresources/mail/group_disband.php renamed to resources/mail/group_disabled.php

@@ -1,11 +1,11 @@
 <?php
 
-// This template is sent to all users of a group when that group is disbanded (deleted)
-$this->Subject = "PI Group Disbanded"; ?>
+// This template is sent to all users of a group when that group is disabled
+$this->Subject = "PI Group Disabled"; ?>
 
 <p>Hello,</p>
 
-<p>Your PI group, <?php echo $data["group_name"]; ?>, has been disbanded on the UnityHPC Platform.
+<p>Your PI group, <?php echo $data["group_name"]; ?>, has been disabled on the UnityHPC Platform.
 Any jobs associated with this PI account have been killed.</p>
 
 <p>If you believe this to be a mistake, please reply to this email</p>

resources/mail/group_reenabled.php

@@ -0,0 +1,12 @@
+<?php
+
+// This template is sent to the group owner when that group is re-enabled
+$this->Subject = "PI Group Re-Enabled"; ?>
+
+<p>Hello,</p>
+
+<p>
+Your PI group, <?php echo $data["group_name"]; ?>, has been reenabled on the UnityHPC Platform.
+</p>
+
+<p>If you believe this to be a mistake, please reply to this email</p>

resources/mail/user_flag_removed.php

@@ -1,9 +1,9 @@
 <?php use UnityWebPortal\lib\UserFlag; ?>
 <?php switch ($data["flag"]):
 case UserFlag::QUALIFIED: ?>
-<?php $this->Subject = "User Deactivated"; ?>
+<?php $this->Subject = "User Disabled"; ?>
 <p>Hello,</p>
-<p>Your account on the UnityHPC Platform has been deactivated.</p>
+<p>Your account on the UnityHPC Platform has been disabled.</p>
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
 <?php break; ?>
 

test/functional/PIBecomeApproveTest.php

@@ -75,4 +75,27 @@ public function testApprovePI()
             ensurePIGroupDoesNotExist();
         }
     }
+
+    public function testReenableGroup()
+    {
+        global $USER, $SSO, $LDAP, $SQL, $MAILER, $WEBHOOK;
+        $this->switchUser("ResurrectedOwnerOfDisabledPIGroup");
+        $this->assertFalse($USER->isPI());
+        $user = $USER;
+        $pi_group = $USER->getPIGroup();
+        $approve_uid = $USER->uid;
+        try {
+            $this->requestGroupCreation();
+            $this->assertRequestedPIGroup(true);
+            $this->switchUser("Admin");
+            $this->approveGroup($approve_uid);
+            $this->assertTrue($user->isPI());
+        } finally {
+            if ($pi_group->memberUIDExists($approve_uid)) {
+                $pi_group->removeMemberUID($approve_uid);
+                $pi_group->setIsDisabled(true);
+                assert(!$user->isPI());
+            }
+        }
+    }
 }