expire users 1

defaults/config.ini.default

@@ -122,3 +122,14 @@ url = "https://hooks.slack.com/services/T04BB3N3M26/B050A55CBNX/IGm1YA0VhjczAfs5
 [page]  ; which sql objects to use for the content on these pages
 home = "home"
 support = "support"
+
+[expiry]
+idlelock_warning_days[] = 180
+idlelock_warning_days[] = 200
+idlelock_warning_days[] = 219
+idlelock_day = 220
+
+disable_warning_days[] = 360
+disable_warning_days[] = 380
+disable_warning_days[] = 399
+disable_day = 400

deployment/overrides/phpunit/config/config.ini

@@ -6,3 +6,12 @@ allow_die = false
 enable_verbose_error_log = false
 enable_exception_handler = false
 enable_error_handler = false
+
+[expiry]
+idlelock_warning_days[] = 2
+idlelock_warning_days[] = 3
+idlelock_day = 4
+
+disable_warning_days[] = 6
+disable_warning_days[] = 7
+disable_day = 8

resources/lib/UnityLDAP.php

@@ -24,13 +24,6 @@ class UnityLDAP extends LDAPConn
 {
     private const string RDN = "cn"; // The defauls RDN for LDAP entries is set to "common name"
 
-    public const array POSIX_ACCOUNT_CLASS = [
-        "inetorgperson",
-        "posixAccount",
-        "top",
-        "ldapPublicKey",
-    ];
-
     // isDisabled unset or set to "FALSE"
     private static string $NON_DISABLED_FILTER = "(|(!(isDisabled=*))(isDisabled=FALSE))";
 

resources/lib/UnityMailer.php

@@ -76,8 +76,11 @@ public function __construct()
         }
     }
 
-    /** @param string|string[] $recipients */
-    public function sendMail(string|array $recipients, string $template, mixed $data = null): bool
+    /**
+     * @param string|string[] $recipients
+     * @param ?mixed[] $data
+     */
+    public function sendMail(string|array $recipients, string $template, ?array $data = null): bool
     {
         $this->setFrom($this->MSG_SENDER_EMAIL, $this->MSG_SENDER_NAME);
         $this->addReplyTo($this->MSG_SUPPORT_EMAIL, $this->MSG_SUPPORT_NAME);

resources/lib/UnitySQL.php

@@ -4,6 +4,12 @@
 
 use PDO;
 
+enum UserExpiryWarningType: string
+{
+    case IDLELOCK = "idlelock";
+    case DISABLE = "disable";
+}
+
 /**
  * @phpstan-type account_deletion_request array{timestamp: string, uid: string}
  * @phpstan-type user_last_login array{operator: string, last_login: string}
@@ -14,6 +20,8 @@
     private const string TABLE_REQS = "requests";
     private const string TABLE_AUDIT_LOG = "audit_log";
     private const string TABLE_ACCOUNT_DELETION_REQUESTS = "account_deletion_requests";
+    private const string TABLE_USER_LAST_LOGINS = "user_last_logins";
+    private const string TABLE_USER_EXPIRY = "user_expiry";
     // FIXME this string should be changed to something more intuitive, requires production change
     public const string REQUEST_BECOME_PI = "admin";
 
@@ -194,4 +202,119 @@
         $stmt->execute();
         return $stmt->fetchAll();
     }
+
+    /**
+     * returns an array where each key is a UID and each value is another array
+     * where each key is a warning type and each value is a sorted list of
+     * day numbers when a warning was sent
+     *
+     * day numbers count up from the last day that the user logged in,
+     * so on day 5 the user has been idle for 5 days
+     * for example, a user might get idlelock warnings on day numbers 180, 200, 219
+     * before actually getting idlelocked on day 220
+     * in this case, the output would be:
+     * ['username_here' => ['idlelock' => [180, 200, 219], 'disable' => []], ...]
+     * @return array<string, array<string, int[]>>
+     */
+    public function getAllUsersExpirationWarningDaysSent(): array
+    {
+        $stmt = $this->conn->prepare("SELECT * FROM " . self::TABLE_USER_EXPIRY);
+        $stmt->execute();
+        $records = $stmt->fetchAll();
+        $output = [];
+        foreach ($records as $record) {
+            $uid = $record["uid"];
+            $idlelock = _json_decode($record["idlelock_warning_days_sent"]);
+            $disable = _json_decode($record["disable_warning_days_sent"]);
+            $output[$uid] = ["idlelock" => $idlelock, "disable" => $disable];
+        }
+        return $output;
+    }
+
+    /**
+     * example output: ['idlelock' => [1,2,3], 'disable' => [4,5,6]]
+     * @return array<string, int[]>
+     */
+    public function getUserExpirationWarningDaysSent(string $uid): array
+    {
+        $stmt = $this->conn->prepare(
+            sprintf("SELECT * FROM %s WHERE uid=:uid", self::TABLE_USER_EXPIRY),
+        );
+        $stmt->bindParam(":uid", $uid);
+        $stmt->execute();
+        $records = $stmt->fetchAll();
+        switch (count($records)) {
+            case 0:
+                return ["idlelock" => [], "disable" => []];
+            case 1:
+                $record = $records[0];
+                $uid = $record["uid"];
+                $idlelock = _json_decode($record["idlelock_warning_days_sent"]);
+                $disable = _json_decode($record["disable_warning_days_sent"]);
+                return ["idlelock" => $idlelock, "disable" => $disable];
+            default:
+                throw new \Exception("multiple records found with uid='$uid'");
+        }
+    }
+
+    public function recordUserExpirationWarningDaySent(
+        string $uid,
+        UserExpiryWarningType $warning_type,
+        int $day,
+    ): void {
+        $warning_type_to_days_sent = $this->getUserExpirationWarningDaysSent($uid);
+        array_push($warning_type_to_days_sent[$warning_type->value], $day);
+        sort($warning_type_to_days_sent[$warning_type->value]);
+        $idlelock_days_sent_str = _json_encode($warning_type_to_days_sent["idlelock"]);
+        $disable_days_sent_str = _json_encode($warning_type_to_days_sent["disable"]);
+        $table = self::TABLE_USER_EXPIRY;
+        $stmt = $this->conn->prepare("
+            INSERT INTO $table
+            (uid, idlelock_warning_days_sent, disable_warning_days_sent)
+            VALUES(:uid, :idlelock_days, :disable_days)
+            ON DUPLICATE KEY UPDATE
+            idlelock_warning_days_sent=:idlelock_days, disable_warning_days_sent=:disable_days
+        ");
+        $stmt->bindParam(":uid", $uid);
+        $stmt->bindParam(":idlelock_days", $idlelock_days_sent_str);
+        $stmt->bindParam(":disable_days", $disable_days_sent_str);
+        $stmt->execute();
+    }
+
+    public function resetUserExpirationWarningDaysSent(string $uid): void
+    {
+        $table = self::TABLE_USER_EXPIRY;
+        $stmt = $this->conn->prepare("
+            INSERT INTO $table
+            (uid, idlelock_warning_days_sent, disable_warning_days_sent)
+            VALUES (:uid, '[]', '[]')
+            ON DUPLICATE KEY UPDATE
+            idlelock_warning_days_sent='[]', disable_warning_days_sent='[]'
+        ");
+        $stmt->bindParam(":uid", $uid);
+        $stmt->execute();
+    }
+
+    /** @return string[] */
+    public function getAllUserLastLogins(): array
+    {
+        $stmt = $this->conn->prepare("SELECT * FROM " . self::TABLE_USER_LAST_LOGINS);
+        $stmt->execute();
+        return $stmt->fetchAll();
+    }
+
+    /* for testing purposes */
+    private function setUserLastLoginDaysAgo(string $uid, int $days): void
+    {
+        $datetime = date("Y-m-d H:i:s", time() - $days * 24 * 60 * 60);
+        $stmt = $this->conn->prepare(
+            sprintf(
+                "UPDATE %s SET last_login=:datetime WHERE operator=:uid",
+                self::TABLE_USER_LAST_LOGINS,
+            ),
+        );
+        $stmt->bindParam(":uid", $uid);
+        $stmt->bindParam(":datetime", $datetime);
+        $stmt->execute();
+    }
 }

resources/lib/UnityUser.php

@@ -63,7 +63,7 @@ public function init(
         ]);
         \ensure(!$this->entry->exists());
         $this->entry->create([
-            "objectclass" => UnityLDAP::POSIX_ACCOUNT_CLASS,
+            "objectclass" => ["inetorgperson", "posixAccount", "top", "ldapPublicKey"],
             "uid" => $this->uid,
             "givenname" => $firstname,
             "sn" => $lastname,
@@ -91,6 +91,7 @@ public function getFlag(UserFlag $flag): bool
         return $this->LDAP->userFlagGroups[$flag->value]->memberUIDExists($this->uid);
     }
 
+    /** if you want to set the "disabled" flag, you should probably use disable() or reEnable() */
     public function setFlag(
         UserFlag $flag,
         bool $newValue,

resources/mail/user_expiry_disable_warning_member.php

@@ -0,0 +1,25 @@
+<p>Hello,</p>
+<p>
+<?php
+
+$this->Subject = "PI Group Expiration Warning";
+
+$idle_days = $data["idle_days"];
+$expiration_date = $data["expiration_date"];
+$warning_number = $data["warning_number"];
+$is_final_warning = $data["is_final_warning"];
+$pi_group_gid = $data["pi_group_gid"];
+
+echo "The PI group $pi_group_gid is set to be disabled on $expiration_date because the group owner has been idle for too long.\n";
+if ($is_final_warning) {
+    echo "This is the final warning.\n";
+} else {
+    echo "This is warning number $warning_number.\n";
+}
+?>
+<p>
+Upon expiration, this group's files will be permanently deleted,
+and you will lose access to UnityHPC Platform services unless you are a member of any other PI group.
+If you don't wish for this to happen,
+remind your PI to reset the inactivity timer by simply logging in to the <?php echo getHyperlink("Unity account portal") ?>.
+</p>

resources/mail/user_expiry_disable_warning_non_pi.php

@@ -0,0 +1,24 @@
+<p>Hello,</p>
+<p>
+<?php
+
+$this->Subject = "Account Expiration Warning";
+
+$idle_days = $data["idle_days"];
+$expiration_date = $data["expiration_date"];
+$warning_number = $data["warning_number"];
+$is_final_warning = $data["is_final_warning"];
+
+echo "Your account is set to be disabled on $expiration_date because you have been idle for too long.\n";
+if ($is_final_warning) {
+    echo "This is the final warning.\n";
+} else {
+    echo "This is warning number $warning_number.\n";
+}
+?>
+</p>
+<p>
+Upon expiration, you will lose access to UnityHPC Platform services.
+If you don't wish for this to happen,
+reset the inactivity timer by simply logging in to the <?php echo getHyperlink("Unity account portal") ?>.
+</p>

resources/mail/user_expiry_disable_warning_pi.php

@@ -0,0 +1,26 @@
+<p>Hello,</p>
+<p>
+<?php
+
+$this->Subject = "Account Expiration Warning";
+
+$idle_days = $data["idle_days"];
+$expiration_date = $data["expiration_date"];
+$warning_number = $data["warning_number"];
+$is_final_warning = $data["is_final_warning"];
+$pi_group_gid = $data["pi_group_gid"];
+
+echo "Your account and PI group are set to be disabled on $expiration_date because you have been idle for too long.\n";
+if ($is_final_warning) {
+    echo "This is the final warning.\n";
+} else {
+    echo "This is warning number $warning_number.\n";
+}
+?>
+<p>
+Upon expiration, your files and your PI group's files will be permanently deleted,
+you will lose access to UnityHPC Platform services,
+and your group members also may lose access unless they are a member of some other group.
+If you don't wish for this to happen,
+reset the inactivity timer by simply logging in to the <?php echo getHyperlink("Unity account portal") ?>.
+</p>

resources/mail/user_expiry_idlelock_warning.php

@@ -0,0 +1,21 @@
+<p>Hello,</p>
+<p>
+<?php
+
+$this->Subject = "Account Expiration Warning";
+
+$idle_days = $data["idle_days"];
+$expiration_date = $data["expiration_date"];
+$warning_number = $data["warning_number"];
+$is_final_warning = $data["is_final_warning"];
+
+echo "Your account is set to be disabled on $expiration_date because you have been idle for too long.\n";
+if ($is_final_warning) {
+    echo "This is the final warning.\n";
+} else {
+    echo "This is warning number $warning_number.\n";
+}
+?>
+<p>
+Upon expiration, you will lose access to UnityHPC Platform services until you reset the inactivity timer by logging in to the <?php echo getHyperlink("Unity account portal") ?>.
+</p>