feat(mis): 删除账户和用户-不删除数据

.changeset/lazy-lions-raise.md

@@ -0,0 +1,13 @@
+---
+"@scow/lib-operation-log": minor
+"@scow/audit-server": minor
+"@scow/test-adapter": minor
+"@scow/mis-server": minor
+"@scow/demo-vagrant": minor
+"@scow/mis-web": minor
+"@scow/auth": minor
+"@scow/lib-auth": minor
+"@scow/cli": minor
+---
+
+新增删除用户账户功能以及用户账户的删除状态带来的其他相关接口与测试文件完善

.changeset/nasty-hornets-yawn.md

@@ -0,0 +1,5 @@
+---
+"@scow/grpc-api": minor
+---
+
+新增删除用户账户相关接口

.changeset/nine-owls-remember.md

@@ -0,0 +1,5 @@
+---
+"@scow/config": minor
+---
+
+新增 ldap 的用户 loginShell 属性与删除用户时删除标识配置

.changeset/orange-vans-add.md

@@ -0,0 +1,5 @@
+---
+"@scow/scheduler-adapter-protos": minor
+---
+
+**删除账户用户功能**需要**1.7.0 及以上版本**的接口

.changeset/thin-vans-rhyme.md

@@ -0,0 +1,7 @@
+---
+"@scow/audit-server": patch
+"@scow/mis-server": patch
+"@scow/mis-web": patch
+---
+
+账户列表导出时增加拥有者 ID 和姓名筛选，操作日志修正为导出账户

apps/audit-server/src/services/statistic.ts

@@ -94,6 +94,7 @@ export const statisticServiceServer = plugin((server) => {
       const misOperationType: OperationType[] = [
         "setJobTimeLimit",
         "createUser",
+        "deleteUser",
         "addUserToAccount",
         "removeUserFromAccount",
         "setAccountAdmin",
@@ -109,6 +110,7 @@ export const statisticServiceServer = plugin((server) => {
         "unsetTenantFinance",
         "tenantChangePassword",
         "createAccount",
+        "deleteAccount",
         "addAccountToWhitelist",
         "removeAccountFromWhitelist",
         "accountPay",

apps/auth/config/auth.yml

@@ -78,6 +78,7 @@ ldap:
     uid: uid
     name: cn
     mail: mail
+    loginShell: loginShell
 
 ssh:
   baseNode: localhost:22222

apps/auth/src/auth/AuthProvider.ts

@@ -27,6 +27,7 @@ export type CreateUserResult = "AlreadyExists" | "OK";
 export type ChangePasswordResult = "NotFound" | "OK";
 export type CheckPasswordResult = "NotFound" | "Match" | "NotMatch";
 export type ChangeEmailResult = "NotFound" | "OK";
+export type DeleteUserResult = "NotFound" | "OK" | "Faild";
 
 export interface UserInfo {
   identityId: string;
@@ -46,4 +47,5 @@ export interface AuthProvider {
   => Promise<CheckPasswordResult>);
   changeEmail: undefined | ((id: string, newEmail: string,
     req: FastifyRequest) => Promise<ChangeEmailResult>);
+  deleteUser: undefined | ((identityId: string, req: FastifyRequest) => Promise<DeleteUserResult>);
 }

apps/auth/src/auth/ldap/delete.ts

@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) 2022 Peking University and Peking University Institute for Computing and Digital Economy
+ * SCOW is licensed under Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ *          http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+/**
+ * References
+ * https://datatracker.ietf.org/doc/html/rfc3062
+ * https://stackoverflow.com/questions/65745679/how-do-i-pass-parameters-to-the-ldapjs-exop-function
+ */
+
+import { FastifyBaseLogger } from "fastify";
+import ldapjs from "ldapjs";
+import { useLdap } from "src/auth/ldap/helpers";
+import { LdapConfigSchema } from "src/config/auth";
+import { promisify } from "util";
+
+function handleIfInvalidCredentials(e: any) {
+  if (e.message === "Invalid Credentials") {
+    return false;
+  } else {
+    throw e;
+  }
+}
+
+export async function modifyNoLoginBase(
+  userId: string, client: ldapjs.Client,
+): Promise<boolean> {
+
+  try {
+    const modify = promisify(client.modify.bind(client));
+    await modify(userId, new ldapjs.Change({
+      operation: "replace",
+      modification: {
+        "loginShell": "/sbin/nologin",
+      },
+    }),
+    );
+    return true;
+
+  } catch (e: any) {
+    return handleIfInvalidCredentials(e);
+  }
+}
+
+export async function modifyNoLogin(
+  log: FastifyBaseLogger,
+  ldap: LdapConfigSchema,
+  userDn: string,
+): Promise<boolean> {
+  try {
+
+    return await useLdap(log, ldap)(async (client) => {
+
+      await modifyNoLoginBase(userDn, client);
+      return true;
+    });
+  } catch (e: any) {
+    return handleIfInvalidCredentials(e);
+  }
+}

apps/auth/src/auth/ldap/helpers.ts

@@ -132,8 +132,9 @@ export const extractUserInfoFromEntry = (
 
   const name = config.attrs.name ? takeOne(extractAttr(entry, config.attrs.name)) : undefined;
   const mail = config.attrs.mail ? takeOne(extractAttr(entry, config.attrs.mail)) : undefined;
+  const loginShell = config.attrs.loginShell ? takeOne(extractAttr(entry, config.attrs.loginShell)) : undefined;
 
-  return { identityId, name, mail };
+  return { identityId, name, mail, loginShell };
 };
 
 export function takeOne(val: string | string[] | undefined) {

apps/auth/src/auth/ldap/index.ts

@@ -13,6 +13,7 @@
 import { FastifyInstance } from "fastify";
 import { AuthProvider } from "src/auth/AuthProvider";
 import { createUser } from "src/auth/ldap/createUser";
+import { modifyNoLogin } from "src/auth/ldap/delete";
 import { modifyEmailAsSelf } from "src/auth/ldap/email";
 import { findUser, useLdap } from "src/auth/ldap/helpers";
 import { checkPassword, modifyPassword } from "src/auth/ldap/password";
@@ -70,6 +71,18 @@ export const createLdapAuthProvider = (f: FastifyInstance) => {
         return result ? "OK" : "Wrong";
       });
     },
+    deleteUser: async (identityId, req) => {
+      return useLdap(req.log, ldap)(async (client) => {
+        const user = await findUser(req.log, ldap, client, identityId);
+        if (!user) {
+          return "NotFound";
+        }
+
+        const result = await modifyNoLogin(req.log, ldap, user.dn);
+
+        return result ? "OK" : "Faild";
+      });
+    },
   } as AuthProvider;
 
 };

apps/auth/src/auth/ldap/postHandler.ts

@@ -58,7 +58,7 @@ export function registerPostHandler(f: FastifyInstance, ldapConfig: LdapConfigSc
 
       const user = await findUser(logger, ldapConfig, client, username);
 
-      if (!user) {
+      if (!user || user.loginShell === "/sbin/nologin") { // 用户删除即禁止用户登录后视为不存在该用户
         logger.info("Didn't find user with %s=%s", ldapConfig.attrs.uid, username);
         await serveLoginHtml(true, callbackUrl, req, res);
         return;

apps/auth/src/auth/ssh/index.ts

@@ -77,6 +77,7 @@ export const createSshAuthProvider = (f: FastifyInstance) => {
     changePassword: undefined,
     checkPassword: undefined,
     changeEmail: undefined,
+    deleteUser: undefined,
   } satisfies AuthProvider;
 
 };

apps/auth/src/config/auth.ts

@@ -137,6 +137,7 @@ export const LdapConfigSchema = Type.Object({
         3. 管理系统添加用户时，不验证ID与姓名是否匹配
     ` })),
     mail: Type.Optional(Type.String({ description: "LDAP中对应用户的邮箱的属性名。可不填。此字段只用于在创建用户的时候把邮件信息填入LDAP。" })),
+    loginShell: Type.Optional(Type.String({ description: "LDAP中对应用户在 Unix/Linux 系统上的默认shel。当前仅用于判断用户是否被禁止登录" })),
   }, { description: "属性映射" }),
 }, { description: "LDAP配置" });
 

apps/auth/src/routes/capabilities.ts

@@ -20,6 +20,7 @@ const CapabilitiesSchema = Type.Object({
   getUser: Type.Optional(Type.Boolean({ description: "是否可以查询用户" })),
   accountUserRelation: Type.Optional(Type.Boolean({ description: "是否可以管理账户用户关系" })),
   checkPassword: Type.Optional(Type.Boolean({ description: "是否可以验证密码" })),
+  deleteUser: Type.Optional(Type.Boolean({ description: "是否可以删除用户" })),
 });
 
 export type Capabilities = Static<typeof CapabilitiesSchema>;
@@ -51,6 +52,7 @@ export const getCapabilitiesRoute = fp(async (f) => {
         changeEmail: provider.changeEmail !== undefined,
         getUser: provider.getUser !== undefined,
         accountUserRelation: false,
+        deleteUser: provider.deleteUser !== undefined,
       };
     },
   );

apps/auth/src/routes/deleteUser.ts

@@ -0,0 +1,60 @@
+/**
+ * Copyright (c) 2022 Peking University and Peking University Institute for Computing and Digital Economy
+ * SCOW is licensed under Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ *          http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+import { Static, Type } from "@sinclair/typebox";
+import fp from "fastify-plugin";
+import { DeleteUserResult } from "src/auth/AuthProvider";
+
+const QuerystringSchema = Type.Object({
+  identityId: Type.String({ description: "用户ID" }),
+});
+
+const ResponsesSchema = Type.Object({
+  204: Type.Null({ description: "删除成功" }),
+  404: Type.Null({ description: "未找到该用户" }),
+  501: Type.Null({ description: "不支持ldap禁止用户登录" }),
+});
+
+const codes: Record<DeleteUserResult, number> = {
+  NotFound: 404,
+  OK: 204,
+  Faild: 501,
+};
+
+/**
+ * 删除用户，其实是改变用户状态
+ */
+export const deleteUserRoute = fp(async (f) => {
+  f.delete<{
+    Querystring: Static<typeof QuerystringSchema>
+    Responses: Static<typeof ResponsesSchema>,
+  }>(
+    "/user/delete",
+    {
+      schema: {
+        querystring: QuerystringSchema,
+        response: ResponsesSchema.properties,
+      },
+    },
+    async (req, rep) => {
+      if (!f.auth.deleteUser) {
+        return await rep.code(501).send({ code: "NOT_SUPPORTED" });
+      }
+
+      const { identityId } = req.query;
+
+      const result = await f.auth.deleteUser(identityId, req);
+
+      return await rep.status(codes[result]).send(null);
+    },
+  );
+});

apps/auth/src/routes/index.ts

@@ -15,6 +15,7 @@ import { changeEmailRoute } from "src/routes/changeEmail";
 import { changePasswordRoute } from "src/routes/changePassword";
 import { checkPasswordRoute } from "src/routes/checkPassword";
 import { createUserRoute } from "src/routes/createUser";
+import { deleteUserRoute } from "src/routes/deleteUser";
 import { getUserRoute } from "src/routes/getUser";
 import { logoutRoute } from "src/routes/logout";
 
@@ -33,4 +34,5 @@ export const routes = [
   getUserRoute,
   changeEmailRoute,
   checkPasswordRoute,
+  deleteUserRoute,
 ];

apps/auth/tests/ldap/ldap.test.ts

@@ -120,6 +120,7 @@ it("creates user and group if groupStrategy is newGroupPerUser", async () => {
   expect(responseUser).toEqual({
     dn: userDn,
     identityId: user.identityId,
+    loginShell: "/bin/bash",
     mail: savedUserMail,
     name: user.name,
   });
@@ -377,3 +378,55 @@ it("change password", async () => {
   expect(notExistedResp.statusCode).toBe(404);
   expect(notExistedResp.json()).toBe(null);
 });
+
+it("delete user", async () => {
+  await createUser();
+
+  const { payload, headers } = createFormData({
+    username: user.identityId,
+    password: user.password,
+    callbackUrl,
+    token: user.captchaToken,
+    code: user.captchaCode,
+  });
+  await saveCaptchaText(server, user.captchaCode, user.captchaToken);
+
+  const resp = await server.inject({
+    method: "POST",
+    url: "/public/auth",
+    payload,
+    headers,
+  });
+
+  expect(resp.statusCode).toBe(302);
+
+  const deleteUserResp = await server.inject({
+    method: "DELETE",
+    url: "/user/delete",
+    query: { identityId: user.identityId },
+  });
+
+  expect(deleteUserResp.statusCode).toBe(204);
+
+  const newResp = await server.inject({
+    method: "POST",
+    url: "/public/auth",
+    payload,
+    headers,
+  });
+
+  expect(newResp.statusCode).toBe(400);
+  // 只是设置了loginshell，并没有在ldap中真正清除用户
+  const userInfo = await server.inject({
+    method: "GET",
+    url: "/user",
+    query: { identityId: user.identityId },
+  });
+
+  expect(userInfo.statusCode).toBe(200);
+  expect(userInfo.json()).toEqual({ user: {
+    identityId: user.identityId,
+    name: user.name,
+    mail: savedUserMail,
+  } });
+});

apps/cli/assets/init-full/config/auth.yml

@@ -41,6 +41,8 @@ authType: ssh
 
 #     # LDAP中对应用户的邮箱的属性名。可不填。此字段只用于在创建用户的时候把邮件信息填入LDAP。
 #     # mail: mail
+#     # LDAP中对应用户在 Unix/Linux 系统上的默认shel。当前仅用于判断用户是否被禁止登录。
+#      # loginShell: loginShell
 
 #   # 添加用户的相关配置。可不填，不填的话SCOW不支持创建用户。
 #   addUser:

apps/cli/assets/init/config/auth.yml

@@ -14,6 +14,7 @@ ldap:
     uid: uid
     name: cn
     mail: mail
+    loginShell: loginShell
 
   addUser:
     userBase: "ou=People,ou=hpc,o=pku"

apps/mis-server/src/entities/Account.ts

@@ -25,6 +25,7 @@ export enum AccountState {
   NORMAL = "NORMAL",
   FROZEN = "FROZEN",
   BLOCKED_BY_ADMIN = "BLOCKED_BY_ADMIN",
+  DELETED = "DELETED",
 }
 
 @Entity()