Merge branch 'main' into validate-ssh-keys

Author: simonLeary42

.github/workflows/phpunit.yml

@@ -13,8 +13,8 @@ jobs:
       uses: shivammathur/setup-php@v2
       with:
         php-version: "8.3"
-        # php extensions also listed in tools/docker-dev/web/Dockerfile
-        extensions: curl,mysql,ldap,pdo,redis
+        # php extensions also listed in tools/docker-dev/web/Dockerfile and README.md
+        extensions: curl,mysql,ldap,pdo,redis,intl
         tools: composer:v2
     - name: Install dependencies
       run: composer install --prefer-dist --no-progress

README.md

@@ -21,12 +21,15 @@ Unity Web Portal is a PHP application built in top of MariaDB and LDAP which act
     1. Some HTTP Authentication mechanism (such as Shibboleth SP)
     1. Composer (`apt install composer` on Ubuntu)
     1. PHP Extensions
+        1. `php-cli`
+        1. `php-curl`
+        1. `php-intl`
         1. `php-ldap`
-        2. `php-curl`
-        3. `php-redis`
-        4. `php-cli`
-        5. `php-mysql`
-        6. `php-pdo`
+        1. `php-mbstring`
+        1. `php-mysql`
+        1. `php-pdo`
+        1. `php-redis`
+        1. `php-xml`
 2. Composer packages
     1. `cd` to this repository
     1. Setup git submodules `git submodule update --init --checkout`

defaults/config.ini.default

@@ -12,13 +12,15 @@ url = "https://127.0.0.1:8000/"  ; URL of the website
 description = "The Unity Web Portal is a lightweight HPC cluster front-end"  ; Description of the website
 logo = "logo.png"  ; path to logo file, in the webroot/assets/branding folder
 terms_of_service_url = "https://github.com" ; this can be external or a portal page created with "content management"
+account_policy_url = "https://github.com" ; this can be external or a portal page created with "content management"
 
 [ldap]
 uri = "ldap://identity"  ; URI of remote LDAP server
 user = "cn=admin,dc=unityhpc,dc=test"  ; Admin bind DN LDAP user
 pass = "password"  ; Admin bind password
 basedn = "dc=unityhpc,dc=test"  ; Base search DN
-user_ou = "ou=users,dc=unityhpc,dc=test"  ; User organizational unit
+user_ou = "ou=users,dc=unityhpc,dc=test"  ; User organizational unit (may contain more than user group)
+user_group = "cn=unityusers,dc=unityhpc,dc=test" ; User group
 group_ou = "ou=groups,dc=unityhpc,dc=test"  ; Group organizational unit
 pigroup_ou = "ou=pi_groups,dc=unityhpc,dc=test"  ; PI Group organizational unit
 orggroup_ou = "ou=org_groups,dc=unityhpc,dc=test"  ; ORG group organizational unit

resources/init.php

@@ -45,6 +45,7 @@
     $CONFIG["ldap"]["pigroup_ou"],
     $CONFIG["ldap"]["orggroup_ou"],
     $CONFIG["ldap"]["admin_group"],
+    $CONFIG["ldap"]["user_group"],
     $CONFIG["ldap"]["def_user_shell"]
 );
 

resources/lib/UnityGroup.php

@@ -198,6 +198,41 @@ public function denyGroup($operator = null, $send_mail = true)
         }
     }
 
+    public function cancelGroupRequest($send_mail = true)
+    {
+        if (!$this->SQL->requestExists($this->getOwner()->getUID())) {
+            return;
+        }
+
+        $this->SQL->removeRequest($this->getOwner()->getUID());
+
+        if ($send_mail) {
+            // send email to requestor
+            $this->MAILER->sendMail(
+                "admin",
+                "group_request_cancelled"
+            );
+        }
+    }
+
+    public function cancelGroupJoinRequest($user, $send_mail = true)
+    {
+        if (!$this->requestExists($user)) {
+            return;
+        }
+
+        $this->SQL->removeRequest($user->getUID(), $this->pi_uid);
+
+        if ($send_mail) {
+            // send email to requestor
+            $this->MAILER->sendMail(
+                $this->getOwner()->getMail(),
+                "group_join_request_cancelled",
+                ["group" => $this->pi_uid]
+            );
+        }
+    }
+
     // /**
     //  * This method will delete the group, either by admin action or PI action
     //  */
@@ -218,8 +253,7 @@ public function denyGroup($operator = null, $send_mail = true)
     //     // now we delete the ldap entry
     //     $ldapPiGroupEntry = $this->getLDAPPiGroup();
     //     if ($ldapPiGroupEntry->exists()) {
-    //         ldapPiGroupEntry->delete();
-
+    //         $ldapPiGroupEntry->delete();
     //         $this->REDIS->removeCacheArray("sorted_groups", "", $this->getPIUID());
     //         foreach ($users as $user) {
     //             $this->REDIS->removeCacheArray($user->getUID(), "groups", $this->getPIUID());
@@ -252,7 +286,7 @@ public function approveUser($new_user, $send_mail = true)
         $this->addUserToGroup($new_user);
 
         // remove request, this will fail silently if the request doesn't exist
-        $this->removeRequest($new_user->getUID());
+        $this->SQL->removeRequest($new_user->getUID(), $this->pi_uid);
 
         // send email to the requestor
         if ($send_mail) {
@@ -284,7 +318,7 @@ public function denyUser($new_user, $send_mail = true)
         }
 
         // remove request, this will fail silently if the request doesn't exist
-        $this->removeRequest($new_user->getUID());
+        $this->SQL->removeRequest($new_user->getUID(), $this->pi_uid);
 
         if ($send_mail) {
             // send email to the user
@@ -523,11 +557,6 @@ private function addRequest($uid)
         $this->SQL->addRequest($uid, $this->pi_uid);
     }
 
-    private function removeRequest($uid)
-    {
-        $this->SQL->removeRequest($uid, $this->pi_uid);
-    }
-
     //
     // Public helper functions
     //

resources/lib/UnityLDAP.php

@@ -38,6 +38,7 @@ class UnityLDAP extends ldapConn
     private $pi_groupOU;
     private $org_groupOU;
     private $adminGroup;
+    private $userGroup;
 
     private $custom_mappings_path;
 
@@ -53,6 +54,7 @@ public function __construct(
         $pigroup_ou,
         $orggroup_ou,
         $admin_group,
+        $user_group_dn,
         $def_user_shell
     ) {
         parent::__construct($host, $dn, $pass);
@@ -69,6 +71,7 @@ public function __construct(
         $this->pi_groupOU = $this->getEntry($pigroup_ou);
         $this->org_groupOU = $this->getEntry($orggroup_ou);
         $this->adminGroup = $this->getEntry($admin_group);
+        $this->userGroup = $this->getEntry($user_group_dn);
 
         $this->custom_mappings_path = $custom_user_mappings;
 
@@ -103,6 +106,11 @@ public function getAdminGroup()
         return $this->adminGroup;
     }
 
+    public function getUserGroup()
+    {
+        return $this->userGroup;
+    }
+
     public function getDefUserShell()
     {
         return $this->def_user_shell;
@@ -236,10 +244,10 @@ public function getAllUsers($UnitySQL, $UnityMailer, $UnityRedis, $UnityWebhook,
             }
         }
 
-        $users = $this->userOU->getChildren(true);
-
+        $users = $this->userGroup->getAttribute("memberuid");
+        sort($users);
         foreach ($users as $user) {
-            $params = array($user->getAttribute("cn")[0], $this, $UnitySQL, $UnityMailer, $UnityRedis, $UnityWebhook);
+            $params = array($user, $this, $UnitySQL, $UnityMailer, $UnityRedis, $UnityWebhook);
             array_push($out, new UnityUser(...$params));
         }
 
@@ -312,28 +320,24 @@ public function getAllOrgGroups($UnitySQL, $UnityMailer, $UnityRedis, $UnityWebh
     public function getUserEntry($uid)
     {
         $uid = ldap_escape($uid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$uid," . $this->STR_USEROU);
-        return $ldap_entry;
+        return $this->getEntry(unityLDAP::RDN . "=$uid," . $this->STR_USEROU);
     }
 
     public function getGroupEntry($gid)
     {
-        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);
-        return $ldap_entry;
+        $gid = ldap_escape($gid, LDAP_ESCAPE_DN);
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);
     }
 
     public function getPIGroupEntry($gid)
     {
-        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);
-        return $ldap_entry;
+        $gid = ldap_escape($gid, LDAP_ESCAPE_DN);
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);
     }
 
     public function getOrgGroupEntry($gid)
     {
-        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);
-        return $ldap_entry;
+        $gid = ldap_escape($gid, LDAP_ESCAPE_DN);
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);
     }
 }

resources/lib/UnitySQL.php

@@ -20,7 +20,7 @@ class UnitySQL
 
 
     // FIXME this string should be changed to something more intuitive, requires production sql change
-    private const REQUEST_BECOME_PI = "admin";
+    public const REQUEST_BECOME_PI = "admin";
 
     private $conn;
 

resources/lib/UnitySite.php

@@ -26,10 +26,8 @@ public static function die($x = null)
 
     public static function redirect($destination)
     {
-        if ($_SERVER["PHP_SELF"] != $destination) {
-            header("Location: $destination");
-            self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
-        }
+        header("Location: $destination");
+        self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
     }
 
     private static function headerResponseCode(int $code, string $reason)

resources/lib/UnityUser.php

@@ -71,6 +71,10 @@ public function init($send_mail = true)
             $ldapUserEntry->setAttribute("uid", $this->uid);
             $ldapUserEntry->setAttribute("givenname", $this->getFirstname());
             $ldapUserEntry->setAttribute("sn", $this->getLastname());
+            $ldapUserEntry->setAttribute(
+                "gecos",
+                \transliterator_transliterate("Latin-ASCII", "{$this->getFirstname()} {$this->getLastname()}")
+            );
             $ldapUserEntry->setAttribute("mail", $this->getMail());
             $ldapUserEntry->setAttribute("o", $this->getOrg());
             $ldapUserEntry->setAttribute("homedirectory", self::HOME_DIR . $this->uid);
@@ -102,6 +106,10 @@ public function init($send_mail = true)
             $orgEntry->addUser($this);
         }
 
+        // add to user group as well as user OU
+        $this->LDAP->getUserGroup()->appendAttribute("memberuid", $this->getUID());
+        $this->LDAP->getUserGroup()->write();
+
         // add user to cache
         $this->REDIS->appendCacheArray("sorted_users", "", $this->getUID());
 

resources/mail/group_join_request_cancelled.php

@@ -0,0 +1,11 @@
+<?php
+
+// This template is sent to the user cancelling the request
+$this->Subject = "Unity Account Request Cancelled";
+?>
+
+<p>Hello,</p>
+
+<p>Your request to join group '<?php echo $data["group"]; ?>' on the Unity Cluster has been cancelled per your request.
+</p>
+