From 0bb6888ad0da9e18f5ac8d4478c736ced50a9fdc Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sat, 16 Jul 2016 09:52:09 +0200 Subject: [PATCH] added job to move or delete expired accounts --- lam/graphics/trashBig.png | Bin 0 -> 1607 bytes lam/help/help.inc | 12 +++++ lam/lib/account.inc | 43 +++++++++++++++++ lam/lib/modules/shadowAccount.inc | 77 +++++++++++++++++++++++++++++- lam/templates/delete.php | 43 ----------------- 5 files changed, 131 insertions(+), 44 deletions(-) create mode 100644 lam/graphics/trashBig.png 
diff --git a/lam/graphics/trashBig.png b/lam/graphics/trashBig.png new file mode 100644 index 0000000000000000000000000000000000000000..a069fcb8f536a32635db42ce6b96d2a3b422cd85 GIT binary patch literal 1607 zcmV-N2Dtf&P)Vqte()jZE?oT8559l+m4BW6h;FCbneO&}5@LLH zY3U{qPR-8rzth{%FP&CrO8`3QhBpX!>+QF6@#gIpR#xuNuG&}#eBqcj)^Qx&b-Q7VR=5H!`;`BdG_ix->*b;ypJ$iKF%{NY*cJg!7%zerm@&& zs?}j_xJC)uALaZr;K(EZo3=n43Q8&Xk6wI{-b|ml17GI7_dn#j&p*%Co;t{>(;sl@ z!etH~I>`P5Px6(oKgHfB_OWm8ULJeA%kAX>dv@;T?8oP-i4;!);M&}93d_qY6fa0o zE?)SEP%@W4xx|}qoZ#Je-@%I_R?%rsG1H%+Gu=T`MIL3!umRp)|Fc$tr|ai)K)_2|!Rp98t(6BPiz3w#1reRtH0Z zDhZ(;)p$`bKmd30T8)chqNuW^8Eh)T<`m6Qau!^i?1FX^E;YmKv|4RQf$U8M2Z{?K zf|wwlu@K0VdfN=(P8Pwzkb<}nL@)_RF^8fR-@< zqk;pjLJR>jB@ahT#YDtV2fs`57(#X&AxZ$z?Q6gR5fDVOkDBkrQ4Q3kP$)>1@JboV z=&sNO8GDEWjs``=wyHltgbn?;fM=&rK%FX9;03RRq%A59xC=;=#!Ciqif3?8RYbPl zcAGO$8U}Eul#GsDAyxs&f>5YBfe;g3kN3uyId|?}sVazUAHe$HxI;ZYKt@TOirSlU z$=aA1xfEpMq`BkX=*Dzw`X>YMrk^5+mkc;kgtk_Yn}SvuRTU}JJV>(V<_EQj8s8d# zh~qffanBidC{`2O3B(Z*Dr=z@nz`QqppoAgfGTY5Lz7w{jT?fjw?MN}S;9qegpdR^ zrQi=_X&z!45!$2bPi{fOYbi|&nu)Mvjl-#ss)`g6k{|xBd&8hU%7>X`#f=95qPZT= zxIvW?&{%DZfnbJjQlgA~!Bij8$AdA^h`jOEvYx?gD=8B6J?yLIe@s6Vuh$;AreC*xNNd% zHdwJLzF|{r78BO7uRoI9Q?Y;sMO>(2AjW_^bV47upfnjonu*vVCNR)cHP!K=5mbZ} zT38Ik7_pd$7VZNe+*?SF;9jVzmMjmJKR_642<)|V6)=%3XYi(LZsblk%Ez8q)G`jyRQSP3MK>#s2OI4 znsr}3^74U603OnStoIQH@4f%`lRJ0q{PF5wh2gH6PN&0Ygo?E?5o3x_4#L>{@rtjzICPF?`;DBe%Faaq&*m{ zJhQlX>)T69OY?)}!JgsTush0ms;)&UwyMrrs=`8*TIZ*xr%%oFdVlTr` _('BCC address'), "Text" => _('This email address will be set as BCC address of all mails.') ), + '807' => array( + "Headline" => _('Delay'), + "Text" => _('Delay this action by a number of days after account expiry.') + ), + '808' => array( + "Headline" => _('Action'), + "Text" => _('You can delete or move expired accounts.') + ), + '809' => array( + "Headline" => _('Target DN'), + "Text" => _('The expired accounts will be moved to this DN.') + ), ); /* This is a sample help entry. 
Just copy this line an modify the values between the [] brackets.
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 5923c650..b0a73eea 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -802,6 +802,49 @@ function ldapGetDN($dn, $attributes = array('dn'), $handle = null) {
 return $return;
 }
+/**
+* Deletes a DN and all child entries.
+*
+* @param string $dn DN to delete
+* @param boolean $recursive recursive delete also child entries
+* @return array error messages
+*/
+function deleteDN($dn, $recursive) {
+ $errors = array();
+ if (($dn == null) || ($dn == '')) {
+ $errors[] = array('ERROR', _('Entry does not exist'));
+ return $errors;
+ }
+ if ($recursive) {
+ $sr = @ldap_list($_SESSION['ldap']->server(), $dn, 'objectClass=*', array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
+ if ($sr) {
+ $entries = ldap_get_entries($_SESSION['ldap']->server(), $sr);
+ cleanLDAPResult($entries);
+ for ($i = 0; $i < sizeof($entries); $i++) {
+ // delete recursively
+ $subErrors = deleteDN($entries[$i]['dn'], $recursive);
+ for ($e = 0; $e < sizeof($subErrors); $e++) $errors[] = $subErrors[$e];
+ }
+ }
+ else {
+ $errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
+ return $errors;
+ }
+ }
+ // delete parent DN
+ $success = @ldap_delete($_SESSION['ldap']->server(), $dn);
+ $ldapUser = $_SESSION['ldap']->decrypt_login();
+ $ldapUser = $ldapUser[0];
+ if (!$success) {
+ logNewMessage(LOG_ERR, '[' . $ldapUser .'] Unable to delete DN: ' . $dn . ' (' . ldap_error($_SESSION['ldap']->server()) . ').');
+ $errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
+ }
+ else {
+ logNewMessage(LOG_NOTICE, '[' . $ldapUser .'] Deleted DN: ' . $dn);
+ }
+ return $errors;
+}
+
 /**
 * Returns the parameters for a StatusMessage of the last LDAP search.
 *
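Review bot: `deleteDN` treats any non-false handle from `@ldap_list` as the complete child list, so if the directory truncates the listing (as far as I recall PHP's ldap extension still returns a result for size/time-limit-exceeded and only reports it via `ldap_errno`, and the `@` hides the warning), the children that were returned are deleted, the parent delete then fails on the ones that were not, and the caller gets only the generic "Was unable to delete DN" message for a subtree that is now half gone. The function is moved unchanged from delete.php, but per the commit title it is presumably now also reachable from an unattended cleanup job, where nobody reviews that error before the next run. A check right after the `ldap_list` call and before any child is removed, `if (ldap_errno($_SESSION['ldap']->server()) != 0) { $errors[] = array('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server())); return $errors; }`, would keep a partial listing from turning into a partial delete. It also relies on `$_SESSION['ldap']` and `decrypt_login()` being available in the job context, which is worth confirming since the original caller was an interactive page.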
diff --git a/lam/lib/modules/shadowAccount.inc b/lam/lib/modules/shadowAccount.inc
index db79d58a..8c157105 100644
--- a/lam/lib/modules/shadowAccount.inc
+++ b/lam/lib/modules/shadowAccount.inc
@@ -772,7 +772,8 @@ class shadowAccount extends baseModule implements passwordService {
 */
 public function getSupportedJobs(&$config) {
 return array(
- new ShadowAccountPasswordNotifyJob()
+ new ShadowAccountPasswordNotifyJob(),
+ new ShadowAccountExpirationCleanupJob()
 );
 }
@@ -894,6 +895,80 @@ if (interface_exists('\LAM\JOB\Job', false)) { } + /** + * Job to delete or move users on account expiration. + * + * @package jobs + */ + class ShadowAccountExpirationCleanupJob extends \LAM\JOB\AccountExpirationCleanupJob { + + /** + * Returns the alias name of the job. + * + * @return String name + */ + public function getAlias() { + return _('Shadow') . ': ' . _('Cleanup expired user accounts'); + } + + /** + * Returns the description of the job. + * + * @return String description + */ + public function getDescription() { + return _('This job deletes or moves user accounts when they expire.'); + } + + /** + * Searches for users in LDAP. + * + * @param String $jobID unique job identifier + * @param array $options config options (name => value) + * @return array list of user attributes + */ + protected function findUsers($jobID, $options) { + // read users + $attrs = array('shadowExpire'); + $userResults = searchLDAPByFilter('(shadowExpire=*)', $attrs, array('user')); + return $userResults; + } + + /** + * Checks if a user needs to change his password. + * + * @param integer $jobID job ID + * @param array $options job settings + * @param PDO $pdo PDO + * @param DateTime $now current time + * @param array $policyOptions list of policy options by getPolicyOptions() + * @param array $user user attributes + * @param boolean $isDryRun just do a dry run, nothing is modified + */ + protected function checkSingleUser($jobID, $options, &$pdo, $now, $policyOptions, $user, $isDryRun) { + $expireTimeUnix = $user['shadowexpire'][0] * 3600 * 24; + $expireTime = new DateTime('@' . $expireTimeUnix, new DateTimeZone('UTC')); + logNewMessage(LOG_DEBUG, "Expiration on " . $expireTime->format('Y-m-d')); + $delay = 0; + if (!empty($options[$this->getConfigPrefix() . '_delay' . $jobID][0])) { + $delay = $options[$this->getConfigPrefix() . '_delay' . 
$jobID][0]; + } + if (!empty($user['shadowwarning'][0]) && ($user['shadowwarning'][0] > 0)) { + $numDaysToWarn += $user['shadowwarning'][0]; + } + $actionTime = clone $expireTime; + if ($delay != 0) { + $actionTime->add(new DateInterval('P' . $delay . 'D')); + } + $actionTime->setTimeZone(getTimeZone()); + logNewMessage(LOG_DEBUG, "Action time on " . $actionTime->format('Y-m-d')); + if ($actionTime <= $now) { + $this->performAction($jobID, $options, $user, $isDryRun); + } + } + + } + } ?> diff --git a/lam/templates/delete.php b/lam/templates/delete.php index 3bda6ad7..b6efe474 100644 --- a/lam/templates/delete.php +++ b/lam/templates/delete.php 
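Review bot: `checkSingleUser` converts `shadowExpire` straight into a timestamp and acts on the account once that date plus the delay is in the past, so a negative or zero value — some tools write `-1` (and shadow(5) warns that `0` is ambiguous) to mean "never expires", and the `(shadowExpire=*)` filter in `findUsers` matches such entries — resolves to 1970 and the account is deleted or moved on the very next run. A guard before the conversion, `if (!is_numeric($user['shadowexpire'][0]) || ($user['shadowexpire'][0] < 0)) { return; }`, would skip those entries; whether `0` should also be excluded depends on how this directory uses the attribute. The `if (!empty($user['shadowwarning'][0]) ...) { $numDaysToWarn += ... }` block looks like a leftover from the notify job: `$numDaysToWarn` is neither initialised nor read here and `shadowWarning` is not even requested in `$attrs`, so it should be dropped. The docblock "Checks if a user needs to change his password." is copied from the same place and should read "Deletes or moves the user once the expiration date plus the configured delay has passed." Since `$delay` arrives from config as a string and is concatenated into `'P' . $delay . 'D'`, a non-numeric value makes `DateInterval` throw; `$delay = intval($options[...][0]);` would make that robust.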
@@ -328,47 +328,4 @@ function getChildCount($dn) {
 return (sizeof($entries) - 1);
 }
-/**
-* Deletes a DN and all child entries.
-*
-* @param string $dn DN to delete
-* @param boolean $recursive recursive delete also child entries
-* @return array error messages
-*/
-function deleteDN($dn, $recursive) {
- $errors = array();
- if (($dn == null) || ($dn == '')) {
- $errors[] = array('ERROR', _('Entry does not exist'));
- return $errors;
- }
- if ($recursive) {
- $sr = @ldap_list($_SESSION['ldap']->server(), $dn, 'objectClass=*', array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
- if ($sr) {
- $entries = ldap_get_entries($_SESSION['ldap']->server(), $sr);
- cleanLDAPResult($entries);
- for ($i = 0; $i < sizeof($entries); $i++) {
- // delete recursively
- $subErrors = deleteDN($entries[$i]['dn'], $recursive);
- for ($e = 0; $e < sizeof($subErrors); $e++) $errors[] = $subErrors[$e];
- }
- }
- else {
- $errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
- return $errors;
- }
- }
- // delete parent DN
- $success = @ldap_delete($_SESSION['ldap']->server(), $dn);
- $ldapUser = $_SESSION['ldap']->decrypt_login();
- $ldapUser = $ldapUser[0];
- if (!$success) {
- logNewMessage(LOG_ERR, '[' . $ldapUser .'] Unable to delete DN: ' . $dn . ' (' . ldap_error($_SESSION['ldap']->server()) . ').');
- $errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
- }
- else {
- logNewMessage(LOG_NOTICE, '[' . $ldapUser .'] Deleted DN: ' . $dn);
- }
- return $errors;
-}
-
 ?>