modifiers

Author: simonLeary42

defaults/config.ini.default

@@ -29,15 +29,15 @@ user_ou = "ou=users,dc=unityhpc,dc=test"  ; User organizational unit (may contai
 group_ou = "ou=groups,dc=unityhpc,dc=test"  ; Group organizational unit
 pigroup_ou = "ou=pi_groups,dc=unityhpc,dc=test"  ; PI Group organizational unit
 orggroup_ou = "ou=org_groups,dc=unityhpc,dc=test"  ; ORG group organizational unit
-admin_group = "cn=web_admins,dc=unityhpc,dc=test"  ; admin dn (members of this group are admins on the web portal)
-qualified_user_group = "cn=unityusers,dc=unityhpc,dc=test" ; Qualified user group (in at least one PI group)
-locked_user_group = "cn=locked,dc=unityhpc,dc=test"  ; locked user group dn
-idlelocked_user_group = "cn=idlelocked,dc=unityhpc,dc=test"  ; idlelocked user group dn
-ghost_user_group = "cn=ghost,dc=unityhpc,dc=test"  ; ghost user group dn
 def_user_shell = "/bin/bash"  ; Default shell for new users
 offset_UIDGID = 1000000 ; start point when allocating new UID/GID pairs for a new user
 offset_PIGID = 2000000 ; start point when allocating new GID for a new PI group
 offset_ORGGID = 3000000 ; start point when allocating new GID for a new org group
+user_modifier_groups[admin] =      "cn=web_admins,dc=unityhpc,dc=test" ; admin user group dn
+user_modifier_groups[ghost] =      "cn=ghost,dc=unityhpc,dc=test"      ; ghost user group dn
+user_modifier_groups[idlelocked] = "cn=idlelocked,dc=unityhpc,dc=test" ; idlelocked user group dn
+user_modifier_groups[locked] =     "cn=locked,dc=unityhpc,dc=test"     ; locked user group dn
+user_modifier_groups[qualified] =  "cn=unityusers,dc=unityhpc,dc=test" ; qualified user group (in at least one PI group)
 
 [sql]
 host = "sql"  ; mariadb hostname

resources/init.php

@@ -44,7 +44,7 @@
     $_SESSION["SSO"] = $SSO;
 
     $OPERATOR = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
-    $_SESSION["is_admin"] = $OPERATOR->isAdmin();
+    $_SESSION["is_admin"] = $OPERATOR->getModifier("admin");
 
     if (isset($_SESSION["viewUser"]) && $_SESSION["is_admin"]) {
         $USER = new UnityUser($_SESSION["viewUser"], $LDAP, $SQL, $MAILER, $WEBHOOK);

resources/lib/UnityGroup.php

@@ -85,7 +85,7 @@ public function approveGroup(?UnityUser $operator = null, bool $send_mail = true
         if ($send_mail) {
             $this->MAILER->sendMail($this->getOwner()->getMail(), "group_created");
         }
-        $this->getOwner()->setIsQualified(true); // having your own group makes you qualified
+        $this->getOwner()->setModifier("qualified", true); // having your own group makes you qualified
     }
 
     /**
@@ -191,7 +191,7 @@ public function approveUser(UnityUser $new_user, bool $send_mail = true): void
                 "org" => $new_user->getOrg(),
             ]);
         }
-        $new_user->setIsQualified(true); // being in a group makes you qualified
+        $new_user->setModifier("qualified", true); // being in a group makes you qualified
     }
 
     public function denyUser(UnityUser $new_user, bool $send_mail = true): void

resources/lib/UnityLDAP.php

@@ -37,11 +37,7 @@ class UnityLDAP extends LDAPConn
     private LDAPEntry $pi_groupOU;
     private LDAPEntry $org_groupOU;
 
-    public PosixGroup $adminGroup;
-    public PosixGroup $qualifiedUserGroup;
-    public PosixGroup $lockedUserGroup;
-    public PosixGroup $idlelockedUserGroup;
-    public PosixGroup $ghostUserGroup;
+    public array $userModifierGroups;
 
     public function __construct()
     {
@@ -51,21 +47,10 @@ public function __construct()
         $this->groupOU = $this->getEntry(CONFIG["ldap"]["group_ou"]);
         $this->pi_groupOU = $this->getEntry(CONFIG["ldap"]["pigroup_ou"]);
         $this->org_groupOU = $this->getEntry(CONFIG["ldap"]["orggroup_ou"]);
-        $this->adminGroup = new PosixGroup(
-            new LDAPEntry($this->conn, CONFIG["ldap"]["admin_group"]),
-        );
-        $this->qualifiedUserGroup = new PosixGroup(
-            new LDAPEntry($this->conn, CONFIG["ldap"]["qualified_user_group"]),
-        );
-        $this->lockedUserGroup = new PosixGroup(
-            new LDAPEntry($this->conn, CONFIG["ldap"]["locked_user_group"]),
-        );
-        $this->idlelockedUserGroup = new PosixGroup(
-            new LDAPEntry($this->conn, CONFIG["ldap"]["idlelocked_user_group"]),
-        );
-        $this->ghostUserGroup = new PosixGroup(
-            new LDAPEntry($this->conn, CONFIG["ldap"]["ghost_user_group"]),
-        );
+        $this->userModifierGroups = [];
+        foreach (CONFIG["ldap"]["user_modifier_groups"] as $gid => $dn) {
+            $this->userModifierGroups[$gid] = new PosixGroup(new LDAPEntry($this->conn, $dn));
+        }
     }
 
     public function getUserOU(): LDAPEntry
@@ -199,7 +184,7 @@ public function getQualifiedUsersUIDs(): array
     {
         // should not use $user_ou->getChildren or $base_ou->getChildren(objectClass=posixAccount)
         // qualified users might be outside user ou, and not all users in LDAP tree are qualified users
-        return $this->qualifiedUserGroup->getMemberUIDs();
+        return $this->userModifierGroups["qualified"]->getMemberUIDs();
     }
 
     public function getQualifiedUsers($UnitySQL, $UnityMailer, $UnityWebhook): array

resources/lib/UnityUser.php

@@ -97,31 +97,33 @@ public function init(
         $this->SQL->addLog($this->uid, $_SERVER["REMOTE_ADDR"], "user_added", $this->uid);
     }
 
-    public function isQualified(): bool
+    public function getModifier($modifier): bool
     {
-        return $this->LDAP->qualifiedUserGroup->memberUIDExists($this->uid);
+        return $this->LDAP->userModifierGroups[$modifier]->memberUIDExists($this->uid);
     }
 
-    public function setIsQualified(bool $newIsQualified, bool $doSendMail = true): void
+    public function setModifier($modifier, bool $newValue, bool $doSendMail = true): void
     {
-        $oldIsQualified = $this->isQualified();
-        if ($oldIsQualified == $newIsQualified) {
+        $oldValue = $this->getModifier($modifier);
+        if ($oldValue == $newValue) {
             return;
         }
-        if ($newIsQualified) {
-            $this->LDAP->qualifiedUserGroup->addMemberUID($this->uid);
+        if ($newValue) {
+            $this->LDAP->userModifierGroups[$modifier]->addMemberUID($this->uid);
             if ($doSendMail) {
-                $this->MAILER->sendMail($this->getMail(), "user_qualified", [
+                $this->MAILER->sendMail($this->getMail(), "user_modifier_added", [
                     "user" => $this->uid,
                     "org" => $this->getOrg(),
+                    "modifier" => $modifier,
                 ]);
             }
         } else {
-            $this->LDAP->qualifiedUserGroup->removeMemberUID($this->uid);
+            $this->LDAP->userModifierGroups[$modifier]->removeMemberUID($this->uid);
             if ($doSendMail) {
-                $this->MAILER->sendMail($this->getMail(), "user_dequalified", [
+                $this->MAILER->sendMail($this->getMail(), "user_modifier_removed", [
                     "user" => $this->uid,
                     "org" => $this->getOrg(),
+                    "modifier" => $modifier,
                 ]);
             }
         }
@@ -315,14 +317,6 @@ public function getHomeDir(): string
         return $this->entry->getAttribute("homedirectory");
     }
 
-    /**
-     * Checks if the current account is an admin
-     */
-    public function isAdmin(): bool
-    {
-        return $this->LDAP->adminGroup->memberUIDExists($this->uid);
-    }
-
     /**
      * Checks if current user is a PI
      */

test/functional/PIBecomeApproveTest.php

@@ -64,7 +64,7 @@ public function testApprovePI()
 
             $this->assertRequestedPIGroup(false);
             $this->assertTrue($pi_group->exists());
-            $this->assertTrue($USER->isQualified());
+            $this->assertTrue($USER->getModifier("qualified"));
 
             // $third_request_failed = false;
             // try {

test/functional/PiMemberApproveTest.php

@@ -107,7 +107,7 @@ public function testApproveMemberByPI()
             $this->assertTrue(!$pi_group->requestExists($USER));
             $this->assertRequestedMembership(false, $gid);
             $this->assertTrue($pi_group->memberUIDExists($USER->uid));
-            $this->assertTrue($USER->isQualified());
+            $this->assertTrue($USER->getModifier("qualified"));
 
             // $third_request_failed = false;
             // try {
@@ -167,7 +167,7 @@ public function testApproveMemberByAdmin()
             $this->assertTrue(!$pi_group->requestExists($USER));
             $this->assertRequestedMembership(false, $gid);
             $this->assertTrue($pi_group->memberUIDExists($USER->uid));
-            $this->assertTrue($USER->isQualified());
+            $this->assertTrue($USER->getModifier("qualified"));
 
             // $third_request_failed = false;
             // try {

test/functional/ViewAsUserTest.php

@@ -10,7 +10,7 @@ public function _testViewAsUser(array $beforeUser, array $afterUser)
         switchUser(...$afterUser);
         $afterUid = $USER->uid;
         switchUser(...$beforeUser);
-        // $this->assertTrue($USER->isAdmin());
+        // $this->assertTrue($USER->getModifier("admin"));
         $beforeUid = $USER->uid;
         // $this->assertNotEquals($afterUid, $beforeUid);
         http_post(__DIR__ . "/../../webroot/admin/user-mgmt.php", [
@@ -57,7 +57,7 @@ public function testNonAdminViewAsAdmin()
         global $USER;
         switchUser(...getAdminUser());
         $adminUid = $USER->uid;
-        $this->assertTrue($USER->isAdmin());
+        $this->assertTrue($USER->getModifier("admin"));
         switchUser(...getNormalUser());
         http_post(__DIR__ . "/../../webroot/admin/user-mgmt.php", [
             "form_type" => "viewAsUser",

test/phpunit-bootstrap.php

@@ -186,8 +186,8 @@ function ensureUserDoesNotExist()
         $USER->getGroupEntry()->delete();
         ensure(!$USER->getGroupEntry()->exists());
     }
-    $USER->setIsQualified(false);
-    ensure(!$LDAP->qualifiedUserGroup->memberUIDExists($USER->uid));
+    $USER->setModifier("qualified", false);
+    ensure(!$LDAP->userModifierGroups["qualified"]->memberUIDExists($USER->uid));
 }
 
 function ensureOrgGroupDoesNotExist()

webroot/admin/ajax/get_group_members.php

@@ -5,7 +5,7 @@
 use UnityWebPortal\lib\UnityGroup;
 use UnityWebPortal\lib\UnityHTTPD;
 
-if (!$USER->isAdmin()) {
+if (!$USER->getModifier("admin")) {
     UnityHTTPD::forbidden("not an admin");
 }