Block unused accounts

ldap/locked.go

@@ -9,7 +9,8 @@ type Locked int
 
 const (
 	Unlocked Locked = iota
-	Unused
+	Blocked
+	Deleted
 	Unknown
 )
 
@@ -17,8 +18,10 @@ func LockedFromString(s string) Locked {
 	switch strings.ToLower(s) {
 	case "":
 		return Unlocked
-	case "unused":
-		return Unused
+	case "blocked":
+		return Blocked
+	case "deleted":
+		return Deleted
 	default:
 		log.Printf("Not valid locked status: %s", s)
 		return Unknown
@@ -29,8 +32,10 @@ func (r Locked) String() string {
 	switch r {
 	case Unlocked:
 		return ""
-	case Unused:
-		return "unused"
+	case Blocked:
+		return "blocked"
+	case Deleted:
+		return "deleted"
 	default:
 		return "unknown"
 	}

ldap/user.go

@@ -11,6 +11,10 @@ import (
 	"gopkg.in/ldap.v3"
 )
 
+const (
+	dateFormat = "20060102150405Z"
+)
+
 var searchAttributes = []string{"dn", "uid", "uidNumber", "gidNumber", "loginShell", "homeDirectory", "mail", "authTimestamp", "sdRole", "sdLocked", "userPassword"}
 
 //User has the ldap data of the user
@@ -265,7 +269,7 @@ func (l Ldap) searchUser(user string, conn *ldap.Conn) (entry *ldap.Entry, err e
 func newUser(entry *ldap.Entry) User {
 	uid, _ := strconv.Atoi(entry.GetAttributeValue("uidNumber"))
 	gid, _ := strconv.Atoi(entry.GetAttributeValue("gidNumber"))
-	lastLogin, _ := time.Parse("20060102150405Z", entry.GetAttributeValue("authTimestamp"))
+	lastLogin, _ := time.Parse(dateFormat, entry.GetAttributeValue("authTimestamp"))
 	return User{
 		DN:        entry.DN,
 		Name:      entry.GetAttributeValue("uid"),

main.go

@@ -16,8 +16,9 @@ import (
 )
 
 var (
-	inviteExpireDuration  = time.Hour * 24 * 30 // 30 days
-	accountExpireDuration = time.Hour * 24 * 90 // 90 days
+	inviteExpireDuration  = time.Hour * 24 * 30     // 30 days
+	accountExpireDuration = time.Hour * 24 * 90     // 90 days
+	accountBlockDuration  = time.Hour * 24 * 6 * 30 // ~ 6 months
 )
 
 func main() {
@@ -49,6 +50,7 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
+	go lockUsers(l)
 
 	ldb, err := db.Init(*dbpath)
 	if err != nil {
@@ -65,6 +67,32 @@ func main() {
 	log.Fatal(server.Serve(*httpaddr, &l, m, ldb, usersAskRole))
 }
 
+func lockUsers(l ldap.Ldap) {
+	for {
+		users, err := l.ListUsers()
+		if err != nil {
+			log.Printf("Error listing users for locking: %v", err)
+			time.Sleep(time.Minute * 61)
+			continue
+		}
+
+		for _, u := range users {
+			// TODO: add deleted flag
+			if u.Locked != ldap.Unlocked ||
+				u.LastLogin.Add(accountBlockDuration).After(time.Now()) {
+				continue
+			}
+
+			err = l.ChangeLocked(u.Name, ldap.Blocked)
+			if err != nil {
+				log.Printf("Error changing locked for user %s: %v", u.Name, err)
+			}
+		}
+
+		time.Sleep(time.Minute * 61)
+	}
+}
+
 func cleanInvites(ldb *db.DB) {
 	for {
 		ldb.ExpireInvites(inviteExpireDuration)

server/admin.go

@@ -3,6 +3,7 @@ package server
 import (
 	"log"
 	"net/http"
+	"sort"
 
 	"0xacab.org/sindominio/lowry/ldap"
 	"github.com/gorilla/mux"
@@ -22,6 +23,9 @@ func (s *server) usersHandler(w http.ResponseWriter, r *http.Request) {
 		s.errorHandler(w, r)
 		return
 	}
+	sort.Slice(users, func(i, j int) bool {
+		return users[i].Locked < users[j].Locked
+	})
 	response.execute(users)
 }
 

tmpl/users.html

@@ -16,6 +16,7 @@
 			<th scope="col">Nombre</th>
 			<th scope="col">Rol</th>
 			<th scope="col">Shell</th>
+			<th scope="col">Bloqueada</th>
 			<th scope="col">Login</th>
 			<th scope="col">UID</th>
 			<th scope="col">GID</th>
@@ -26,7 +27,8 @@
 		<tr {{if eq (printf "%v" .Role) "sindominante"}}class="table-success"{{end}}>
 			<th scope="row"><a href="/users/{{.Name}}">{{.Name}}</a></th>
 			<td>{{.Role}}</td>
-			<td {{if ne .Shell "/bin/false"}}class="font-weight-bold"{{end}}>{{.Shell}}</td>
+			<td {{if ne .Shell "/bin/false"}}class="font-weight-bold"{{end}}>{{if ne .Shell "/bin/false"}}Si{{else}}No{{end}}</td>
+			<td>{{.Locked}}</td>
 			<td>{{.LastLogin}}</td>
 			<td>{{.UID}}</td>
 			<td>{{.GID}}</td>