Add ability to cancel request, require confirmation of account policy, fix dubious redirect

defaults/config.ini.default

@@ -12,6 +12,7 @@ url = "https://127.0.0.1:8000/"  ; URL of the website
 description = "The Unity Web Portal is a lightweight HPC cluster front-end"  ; Description of the website
 logo = "logo.png"  ; path to logo file, in the webroot/assets/branding folder
 terms_of_service_url = "https://github.com" ; this can be external or a portal page created with "content management"
+account_policy_url = "https://github.com" ; this can be external or a portal page created with "content management"
 
 [ldap]
 uri = "ldap://identity"  ; URI of remote LDAP server

resources/lib/UnityGroup.php

@@ -198,6 +198,41 @@ public function denyGroup($operator = null, $send_mail = true)
         }
     }
 
+    public function cancelGroupRequest($send_mail = true)
+    {
+        if (!$this->SQL->requestExists($this->getOwner()->getUID())) {
+            return;
+        }
+
+        $this->SQL->removeRequest($this->getOwner()->getUID());
+
+        if ($send_mail) {
+            // send email to requestor
+            $this->MAILER->sendMail(
+                "admin",
+                "group_request_cancelled"
+            );
+        }
+    }
+
+    public function cancelGroupJoinRequest($user, $send_mail = true)
+    {
+        if (!$this->requestExists($user)) {
+            return;
+        }
+
+        $this->SQL->removeRequest($user->getUID(), $this->pi_uid);
+
+        if ($send_mail) {
+            // send email to requestor
+            $this->MAILER->sendMail(
+                $this->getOwner()->getMail(),
+                "group_join_request_cancelled",
+                ["group" => $this->pi_uid]
+            );
+        }
+    }
+
     // /**
     //  * This method will delete the group, either by admin action or PI action
     //  */
@@ -251,7 +286,7 @@ public function approveUser($new_user, $send_mail = true)
         $this->addUserToGroup($new_user);
 
         // remove request, this will fail silently if the request doesn't exist
-        $this->removeRequest($new_user->getUID());
+        $this->SQL->removeRequest($new_user->getUID(), $this->pi_uid);
 
         // send email to the requestor
         if ($send_mail) {
@@ -283,7 +318,7 @@ public function denyUser($new_user, $send_mail = true)
         }
 
         // remove request, this will fail silently if the request doesn't exist
-        $this->removeRequest($new_user->getUID());
+        $this->SQL->removeRequest($new_user->getUID(), $this->pi_uid);
 
         if ($send_mail) {
             // send email to the user
@@ -522,11 +557,6 @@ private function addRequest($uid)
         $this->SQL->addRequest($uid, $this->pi_uid);
     }
 
-    private function removeRequest($uid)
-    {
-        $this->SQL->removeRequest($uid, $this->pi_uid);
-    }
-
     //
     // Public helper functions
     //

resources/lib/UnityLDAP.php

@@ -38,6 +38,7 @@ class UnityLDAP extends ldapConn
     private $pi_groupOU;
     private $org_groupOU;
     private $adminGroup;
+    private $userGroup;
 
     private $custom_mappings_path;
 

resources/lib/UnitySQL.php

@@ -20,7 +20,7 @@ class UnitySQL
 
 
     // FIXME this string should be changed to something more intuitive, requires production sql change
-    private const REQUEST_BECOME_PI = "admin";
+    public const REQUEST_BECOME_PI = "admin";
 
     private $conn;
 

resources/lib/UnitySite.php

@@ -26,10 +26,8 @@ public static function die($x = null)
 
     public static function redirect($destination)
     {
-        if ($_SERVER["PHP_SELF"] != $destination) {
-            header("Location: $destination");
-            self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
-        }
+        header("Location: $destination");
+        self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
     }
 
     private static function headerResponseCode(int $code, string $reason)

resources/mail/group_join_request_cancelled.php

@@ -0,0 +1,11 @@
+<?php
+
+// This template is sent to the user cancelling the request
+$this->Subject = "Unity Account Request Cancelled";
+?>
+
+<p>Hello,</p>
+
+<p>Your request to join group '<?php echo $data["group"]; ?>' on the Unity Cluster has been cancelled per your request.
+</p>
+

resources/mail/group_request_cancelled.php

@@ -0,0 +1,10 @@
+<?php
+
+// This template is sent to the user cancelling the request
+$this->Subject = "Unity PI Account Request Cancelled";
+?>
+
+<p>Hello,</p>
+
+<p>Your request for a PI account on the Unity Cluster has been cancelled per your request.</p>
+

resources/templates/header.php

@@ -11,7 +11,7 @@
 }
 
 if (isset($SSO)) {
-    if (!$_SESSION["user_exists"]) {
+    if (!$_SESSION["user_exists"] && !str_ends_with($_SERVER['PHP_SELF'], "/panel/new_account.php")) {
         UnitySite::redirect($CONFIG["site"]["prefix"] . "/panel/new_account.php");
     }
 }

test/functional/CancelRequestTest.php

@@ -0,0 +1,71 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+use UnityWebPortal\lib\exceptions\PhpUnitNoDieException;
+
+class CancelRequestTest extends TestCase
+{
+    private function assertNumberGroupRequests(int $x)
+    {
+        global $USER, $SQL;
+        $this->assertEquals($x, count($SQL->getRequestsByUser($USER->getUID())));
+    }
+
+    public function testCancelPIRequest()
+    {
+        global $USER, $SQL;
+        switchUser(...getNonExistentUser());
+        // First create a request
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/panel/new_account.php",
+                ["new_user_sel" => "pi", "eula" => "agree", "confirm_pi" => "agree"]
+            );
+        } catch (PhpUnitNoDieException $e) {
+            // Ignore the exception from http_post
+        }
+
+        $this->assertNumberGroupRequests(1);
+
+        // Now try to cancel it
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/panel/new_account.php",
+                ["cancel" => "true"] # value of cancel is arbitrary
+            );
+        } catch (PhpUnitNoDieException $e) {
+            // Ignore the exception from http_post
+        }
+
+        $this->assertNumberGroupRequests(0);
+    }
+
+    public function testCancelGroupJoinRequest()
+    {
+        global $USER, $SQL;
+        switchUser(...getNonExistentUser());
+
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/panel/new_account.php",
+                ["new_user_sel" => "not_pi", "eula" => "agree", "pi" => getExistingPI()]
+            );
+        } catch (PhpUnitNoDieException $e) {
+            // Ignore the exception from http_post
+        }
+
+        $this->assertNumberGroupRequests(1);
+
+        // Now try to cancel it
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/panel/new_account.php",
+                ["cancel" => "true"] # value of cancel is arbitrary
+            );
+        } catch (PhpUnitNoDieException $e) {
+            // Ignore the exception from http_post
+        }
+
+        $this->assertNumberGroupRequests(0);
+    }
+}

test/phpunit-bootstrap.php

@@ -76,28 +76,34 @@ function switchUser(
 function http_post(string $phpfile, array $post_data): void
 {
     global $CONFIG, $REDIS, $LDAP, $SQL, $MAILER, $WEBHOOK, $GITHUB, $SITE, $SSO, $OPERATOR, $USER, $SEND_PIMESG_TO_ADMINS, $LOC_HEADER, $LOC_FOOTER;
+    $_PREVIOUS_SERVER = $_SERVER;
     $_SERVER["REQUEST_METHOD"] = "POST";
+    $_SERVER["PHP_SELF"] = preg_replace("/.*webroot\//", "/", $phpfile);
     $_POST = $post_data;
     ob_start();
     try {
         include $phpfile;
     } finally {
         ob_get_clean(); // discard output
         unset($_POST);
-        unset($_SERVER["REQUEST_METHOD"]);
+        $_SERVER = $_PREVIOUS_SERVER;
     }
 }
 
-function http_get(string $phpfile): void
+function http_get(string $phpfile, array $get_data = array()): void
 {
     global $CONFIG, $REDIS, $LDAP, $SQL, $MAILER, $WEBHOOK, $GITHUB, $SITE, $SSO, $OPERATOR, $USER, $SEND_PIMESG_TO_ADMINS, $LOC_HEADER, $LOC_FOOTER;
+    $_PREVIOUS_SERVER = $_SERVER;
     $_SERVER["REQUEST_METHOD"] = "GET";
+    $_SERVER["PHP_SELF"] = preg_replace("/.*webroot\//", "/", $phpfile);
+    $_GET = $get_data;
     ob_start();
     try {
         include $phpfile;
     } finally {
         ob_get_clean(); // discard output
-        unset($_SERVER["REQUEST_METHOD"]);
+        unset($_GET);
+        $_PREVIOUS_SERVER = $_SERVER;
     }
 }
 
@@ -153,10 +159,15 @@ function getUserIsPIHasAtLeastOneMember()
 
 function getNonExistentUser()
 {
-    return ["user1@nonexistent.test", "foo", "bar", "user1@nonexistent.test"];
+    return ["user2000@org2.test", "foo", "bar", "user2000@org2.test"];
 }
 
 function getAdminUser()
 {
     return ["user1@org1.test", "foo", "bar", "user1@org1.test"];
 }
+
+function getExistingPI()
+{
+    return "pi_user1005_org3_test";
+}

test/unit/UnityGithubTest.php

@@ -17,7 +17,7 @@ public static function providerTestGetGithubKeys()
             # user with no keys
             ["sheldor1510", []],
             # user with 1 key
-            ["simonLeary42", ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGRl6JWPj+Gq2Lz9GjYdUl4/unLoFOyfgeiII1CxutpabPByRJbeuonR0zTpn51tZeYuAUOJBOeKt+Lj4i4UDGl6igpdXXSwkBXl7jxfRPwJ6WuTkDx7Z8ynwnqlDV2q089q4OX/b/uuHgsIhIBwrouKsRQaZIqTbwNMfiqQ2zl14V0KMrTPzOiwR6Q+hqSaR5Z29WKE7ff/OWzSC3/0T6avCmcCbQaRPJdVM+QC17B0vl8FzPwRjorMngwZ0cImdQ/0Ww1d12YAL7UWp1c2egfnthKP3MuQZnNF8ixsAk1eIIwTRdiI87BOoorW8NXhxXmhyheRCsFwyP4LJBqyUVoZJ0UYyk0AO4G9EStnfpiz8YXGK+M1G4tUrWgzs1cdjlHtgCWUmITtgabnYCC4141m7n4GZTk2H/lSrJcvAs3JEiwLTj1lzeGgzeSsz/XKsnOJyzjEVr2Jp3iT+J9PbQpfS0SxTCIGgxMqllovv79pfsF/zc+vaxqSShyHW7oyn7hLMHM60LO/IIX1RWGL3rD9ecXx2pXXQ1RhIkVteIi13XkFt+KW00cstFlAd3EHCoY/XorShd2jeID7tpnYlmNfotYUs6IKefvpNC0PWkh5UXFEv3SUfw4Wd8O0DiHfhkrhxn1W/GajqSIlZ5DKgPzFg8EHexv8lSa7WJg0H3YQ=="]]
+            ["simonLeary42", ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2oMxcq04PWw1iB2ZQZezFPGmX2HEKhHD6kLIoLz1RUKTNN7Glw2iF5uMFnKxYgTvdfrNjrvvLnOXvhPBvjeec="]]
         ];
     }