Bug 53631 – Feature: Scheduled activation of user accounts

Bug 53631 - Feature: Scheduled activation of user accounts


Summary:	Feature: Scheduled activation of user accounts

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UDM (Generic)
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 5.0-0-errata
Assigned To:	Florian Best
QA Contact:	Erik Damrose

URL:	https://git.knut.univention.de/univen...
Keywords:

Duplicates:	53686 (view as bug list)
Depends on:
Blocks:	53829 53830 53675 53857 54092
	Show dependency tree / graph

Reported:	2021-08-05 20:50 CEST by Arvid Requate
Modified:	2021-11-18 16:02 CET (History)
CC List:	4 users (show)

See Also:	46349 48880 38762 53726
What kind of report is it?:	Feature Request
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2021071221000421
Bug group (optional):	Further conceptual development
Max CVSS v3 score:

Attachments
TwoThirds DateBox (142.09 KB, image/png) 2021-09-10 12:48 CEST, Johannes Keiser	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2021-08-05 20:50:30 CEST

Ticket# 2021071221000421 requests this feature:

User story: An administator wants to create a user account but it should only become usable later. At a definable point in time the account gets activated automatically.

Technical concept:
* UDM module users/user shall be adjusted to support a new property for specifying the activation date+time+timezone.
* The property shall be backed by an LDAP attribute like krb5ValidStart that has suitable properties for time ordering
* show property on tab account settings
* only write the attribute if it has been explicitly changed by the admin
* Default time zone to TZ of server
* Correctly convert between UTC value and displayed localtime
* If a value for krb5ValidStart greater than the current time is written, then the disabled property shall be set automatically too
* If krb5ValidStart is removed, disabled-state shall remain unchanged
* If disabled-state is unset, krb5ValidStart shall be unset too

* The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ
* For the date+time a either picker may be used or a simple text field

* An activation script shall be run periodically, e.g. via cron
* The activation script shall run only on the UCS primary node

* The ACLs in univention-ldap shall be adjusted to allow modification of krb5ValidStart by Domain Admins
* The attribute shall be eq-indexed (Ok for >= comparison, see https://www.openldap.com/lists/openldap-technical/201205/msg00027.html)

* Test cases shall establish reliability

* Backport from UCS 5.0 to UCS 4.4

* Documentation in the UCS manual

Comment 1 Arvid Requate

2021-08-19 09:55:15 CEST

27cd1989cc | register UDM property accountActivationDate
7a10fa035f | Define dedicated syntax for UDM property accountActivationDate
64a0d79c4a | convert timezone from accountActivationDate
ecbcf27158 | Adjust layout
1e248a07c2 | set disabled state if accountActivationDate > now
7ab97f7a6a | Fix default value
c7c5078800 | Add cron based account activation
fd7dc81857 | Use LDAPI to reduce slapd load
1aa92007e8 | Testcase for accountActivationDate
ac3a146859 | Explain accountActivationDate in manual
d26130832c | Clean up krb5ValidStart in case krb5ValidEnd has also passed
7db0c5e467 | Extend testcases
524e42bf3e | Reset accountActivationDate to default if disabled state gets changed back to 0
5fc5297a35 | Merge branch 'arequate/bug53631-ucs-issue-651-krb5ValidStart' into 5.0-0
24a96b2eb3 | debian/changelog entries
ad0573df26 | Advisory update


Package: univention-directory-manager-modules
Version: 15.0.11-18A~5.0.0.202108190945
Branch: ucs_5.0-0
Scope: errata5.0-0

We probably also need a testcase for UCS@school to check that this new property doesn't affect teachers capability to reset passwords, but that would be for UCS 4.4 currently first. So, my next step would be to backport this to UCS 4.4-8 first.

Comment 2 Florian Best

2021-08-19 12:22:24 CEST

> c7c5078800 | Add cron based account activation
REOPEN: cron jobs should test if the scripts to be called exists and otherwise do nothing. Otherwise a email is send if we remove this script somewhen but the cron config files is kept.

Comment 3 Florian Best

2021-08-19 12:24:47 CEST

REOPEN: sed -i s/sepcified/specified/ doc/manual/user-management-en.xml

Comment 4 Florian Best

2021-08-20 11:26:54 CEST

Maybe this caused Bug #53686 - not analyzed yet.

Comment 5 Florian Best

2021-08-20 17:25:59 CEST

(In reply to Florian Best from comment #4)
> Maybe this caused Bug #53686 - not analyzed yet.

Yes, fixed in:

univention-directory-manager-modules (15.0.11-18)
ab629e3bea17 | fixup! Bug #53631: Define dedicated syntax for UDM property accountActivationDate

Comment 6 Florian Best

2021-08-20 17:26:10 CEST

*** Bug 53686 has been marked as a duplicate of this bug. ***

Comment 7 Florian Best

2021-08-24 15:32:13 CEST

doc/manual/user-management-en.xml
When saving the changes, den account is autmatically marked as deactivated
                         ^^^              ^^

Comment 8 Arvid Requate

2021-08-25 22:41:29 CEST

96e2cca65f Bug #53631: Advisory text update
ab629e3bea fixup! Bug #53631: Define dedicated syntax for UDM property accountActivationDate
27c6bcc16b fixup! Bug #53631: Explain accountActivationDate in manual
98cfc88edb Bug #53631: Convert testcase to Python
4ea1908f9c fixup! Bug #53631: Explain accountActivationDate in manual
38f7620956 fixup! Bug #53631: Convert testcase to Python

The pytest rewrite also covers Comment 2.

Comment 9 Julia Bremer

2021-08-27 18:33:35 CEST

Users with accountActivationDate in the future are created as disabled: OK 
Users with accountActivationDate in the past are created as active: OK 
Activation status can be updated via the script /usr/share/univention-directory-manager-tools/univention-delayed-account-activation: OK
Creation of users via UMC: ~OK

Usability nitpick: When looking at the Activationdate, the TimeString is cut off.
I'd prefer a size="Half" in syntax.py instead of "OneThird". 

Time zone calculations: OK 
Time displayed in UTC: OK
Default values: OK 
Manual entry: OK 

REOPEN:

The file etc/cron.d/univention-delayed-account-activation is neither installed nor registered as an ucr template file. 
The ucr variable "directory/manager/user/accountactivation/cron" is not registered. 
The cron based activation therefore doesn't work yet.
Due to this, the automated test 40_udm_users_delayed_activation.py fails in UCS4 and UCS5.

Comment 10 Arvid Requate

2021-08-29 22:03:23 CEST

Oh, I didn't commit the file:

783f1792a3 Bug #53631: Register ucr template for cron job
9a1c723274 Bug #53631: Advisory update

Comment 11 Arvid Requate

2021-08-30 14:53:25 CEST

098bf10e43 | fixup! Bug #53631: Register ucr template for cron job
473f6c8246 | Advisory update

I've also verified manually that the test case actually fails if the cron job is disabled:

ucr set --force directory/manager/user/accountactivation/cron="# "
pytest /usr/share/ucs-test/61_udm-users/40_udm_users_delayed_activation.py -k test_disabled_user_creation_activation

Comment 12 Arvid Requate

2021-08-30 14:57:54 CEST

Wrong commit hashes in Comment 11, these are the correct ones:

098bf10e43 | fixup! Bug #53631: Register ucr template for cron job
473f6c8246 | Advisory update

Comment 13 Florian Best

2021-09-08 09:27:52 CEST

RFC: some transactions in the listener get lost during the upgrade: Ignore it?
I did not search further, maybe the appcenter code is also affected in the same way as Bug #53754.

Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/faillog.py", line 38, in <module>
    from univention.admin.handlers.users.user import unmapLocked
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 238, in <module>
    syntax=univention.admin.syntax.ActivationDateTimeTimezone,
AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'

Comment 14 Arvid Requate

2021-09-08 10:06:52 CEST

As discussed in chat, this is a generic issue that is orthogonal to
the feature implemented here. You mentioned Bug #53726 as a possible
generic way to fix that.

Comment 15 Florian Best

2021-09-09 12:17:48 CEST

REOPENED: See Bug #53675 comment 8.

Comment 16 Florian Best

2021-09-09 14:06:55 CEST

Fixed  in (details at Bug #53675):

univention-web.yaml
807addf458a6 | Bug #53631: fix copying user object

univention-web (4.0.1-40)
807addf458a6 | Bug #53631: fix copying user object

univention-management-console-module-udm.yaml
807addf458a6 | Bug #53631: fix copying user object

univention-management-console-module-udm (10.0.1-16)
807addf458a6 | Bug #53631: fix copying user object

univention-directory-manager-modules (15.0.11-20)
807addf458a6 | Bug #53631: fix copying user object

Comment 17 Florian Best

2021-09-09 19:12:33 CEST

(In reply to Florian Best from comment #2)
> > c7c5078800 | Add cron based account activation
> REOPEN: cron jobs should test if the scripts to be called exists and
> otherwise do nothing. Otherwise a email is send if we remove this script
> somewhen but the cron config files is kept.

This is not yet implemented.

Comment 18 Johannes Keiser

2021-09-10 12:48:04 CEST

Created attachment 10818 [details]
TwoThirds DateBox

ecbcf27158d5d30ddfc0995a2e465fbba0f54f93 adjusts size for all DateBox widgets to TwoThirds

This does not look good in e.g. users/user

Comment 19 Florian Best

2021-09-10 18:42:39 CEST

(In reply to Florian Best from comment #17)
> (In reply to Florian Best from comment #2)
> > > c7c5078800 | Add cron based account activation
> > REOPEN: cron jobs should test if the scripts to be called exists and
> > otherwise do nothing. Otherwise a email is send if we remove this script
> > somewhen but the cron config files is kept.
> 
> This is not yet implemented.
univention-directory-manager-modules (15.0.11-20)
3bc66af384e6 | Bug #53631: add -executable condition to cronjob

(In reply to Johannes Keiser from comment #18)
> Created attachment 10818 [details]
> TwoThirds DateBox
> 
> ecbcf27158d5d30ddfc0995a2e465fbba0f54f93 adjusts size for all DateBox
> widgets to TwoThirds
> 
> This does not look good in e.g. users/user

univention-directory-manager-modules (15.0.11-20)
022a26e0563b | Bug #53631: fix sizing of ActivationDateTimeTimezone without influencing all other properties

Comment 20 Florian Best

2021-09-11 21:42:29 CEST

(In reply to Florian Best from comment #13)
other tracebacks:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/hook.py", line 66, in import_hook_files
    exec(fd.read(), sys.modules[__name__].__dict__)
  File "<string>", line 41, in <module>
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/__init__.py", line 36, in <module>
    from .computer import *  # noqa: F401, F403
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/computer.py", line 51, in <module>
    from .base import MultipleObjectsError, RoleSupportMixin, UCSSchoolHelperAbstractClass
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/base.py", line 53, in <module>
    from .meta import UCSSchoolHelperMetaClass
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/meta.py", line 51, in <module>
    udm_modules.update()
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update
    _walk(root, w_root, w_files)
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk
    m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,))  # type: Any
  File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module>
    import univention.admin.handlers.users.user
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module>
    syntax=univention.admin.syntax.ActivationDateTimeTimezone,
AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'

Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ucs-school-user-logonscript.py", line 51, in <module>
    univention.admin.modules.update()
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update
    _walk(root, w_root, w_files)
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk
    m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,))  # type: Any
  File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 728, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module>
    import univention.admin.handlers.users.user
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module>
    syntax=univention.admin.syntax.ActivationDateTimeTimezone,
AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'

Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/pupilgroups.py", line 41, in <module>
    from ucsschool.lib.models.school import School
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/__init__.py", line 36, in <module>
    from .computer import *  # noqa: F401, F403
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/computer.py", line 51, in <module>
    from .base import MultipleObjectsError, RoleSupportMixin, UCSSchoolHelperAbstractClass
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/base.py", line 53, in <module>
    from .meta import UCSSchoolHelperMetaClass
  File "/usr/lib/python3/dist-packages/ucsschool/lib/models/meta.py", line 51, in <module>
    udm_modules.update()
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 148, in update
    _walk(root, w_root, w_files)
  File "/usr/lib/python3/dist-packages/univention/admin/modules.py", line 132, in _walk
    m = importlib.import_module('univention.admin.handlers.%s' % (modulepackage,))  # type: Any
  File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/container/dc.py", line 43, in <module>
    import univention.admin.handlers.users.user
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 237, in <module>
    syntax=univention.admin.syntax.ActivationDateTimeTimezone,
AttributeError: module 'univention.admin.syntax' has no attribute 'ActivationDateTimeTimezone'

Comment 21 Florian Best

2021-09-13 12:54:34 CEST

I fixed these errors as well (with the wrong bug number):

univention-directory-manager-modules (15.0.11-20)
d13c48d3cfe9 | Bug #53754: fix errors due to missing syntax classes during errata upgrades

Comment 22 Erik Damrose

2021-09-14 13:38:31 CEST

Reopen: When selecting only a date and a time in UMC while leaving the timezone field empty, a traceback is shown when saving the user object. (The traceback is slighty different depending on which field is left empty. We could show a helpful message instead, or is it possible to mark all 3 fields as required and prevent the save operation, highlighting the missing fields?

Interner Server-Fehler in "udm/put (users/user)".
Request: udm/put (users/user)

  File "/usr/lib/python3/dist-packages/notifier/threads.py", line 80, in _run
    result = self._function()
  File "/usr/lib/python3/dist-packages/notifier/__init__.py", line 105, in __call__
    return self._function(*tmp, **self._kwargs)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 442, in _thread
    module.modify(properties)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 649, in modify
    obj.modify()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1477, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 633, in modify
    self._ldap_pre_ready()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1696, in _ldap_pre_ready
    if self['accountActivationDate'] and self['accountActivationDate'][0] and datetime.now(tz=pytz.utc) < datetime_from_local_datetimetimezone_tuple(self['accountActivationDate']):
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1224, in datetime_from_local_datetimetimezone_tuple
    return pytz.timezone(tz).localize(naive_dt)
  File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 161, in timezone
    raise UnknownTimeZoneError(None)
pytz.exceptions.UnknownTimeZoneError: None


Reopen: The requirements state

> Technical concept:
> * Default time zone to TZ of server
> * The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ

The timezone field is empty by default

RFC: The administrator can select the timezone when setting the activation date. This information is not saved internally, so upon reopening the user, the activation date is presented in UTC. This might be confusing, as administrators have to convert the time manually to find out when the account is going to be activated. Is this okay?

Comment 23 Erik Damrose

2021-09-14 14:30:38 CEST

Reopen: The default for UCR directory/manager/user/accountactivation/cron is empty so the cronjob does not run by default.

Comment 24 Florian Best

2021-09-14 17:14:32 CEST

(In reply to Erik Damrose from comment #22)
> Reopen: When selecting only a date and a time in UMC while leaving the
> timezone field empty, a traceback is shown when saving the user object. (The
> traceback is slighty different depending on which field is left empty. We
> could show a helpful message instead, or is it possible to mark all 3 fields
> as required and prevent the save operation, highlighting the missing fields?
> 
> Interner Server-Fehler in "udm/put (users/user)".
> Request: udm/put (users/user)
> 
>   File "/usr/lib/python3/dist-packages/notifier/threads.py", line 80, in _run
>     result = self._function()
>   File "/usr/lib/python3/dist-packages/notifier/__init__.py", line 105, in
> __call__
>     return self._function(*tmp, **self._kwargs)
>   File
> "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/
> __init__.py", line 442, in _thread
>     module.modify(properties)
>   File
> "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/
> udm_ldap.py", line 649, in modify
>     obj.modify()
>   File
> "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py",
> line 1477, in modify
>     return super(object, self).modify(*args, **kwargs)
>   File
> "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line
> 633, in modify
>     self._ldap_pre_ready()
>   File
> "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py",
> line 1696, in _ldap_pre_ready
>     if self['accountActivationDate'] and self['accountActivationDate'][0]
> and datetime.now(tz=pytz.utc) <
> datetime_from_local_datetimetimezone_tuple(self['accountActivationDate']):
>   File
> "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py",
> line 1224, in datetime_from_local_datetimetimezone_tuple
>     return pytz.timezone(tz).localize(naive_dt)
>   File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 161, in
> timezone
>     raise UnknownTimeZoneError(None)
> pytz.exceptions.UnknownTimeZoneError: None
I removed the possibility to set an empty value for the timezone. So this can't happen anymore.
Also I raised the constraints so that all values must be non-empty to be set, which fixes all combinations.
We can't do anything more flexible with the current Javascript.

a2d64bbff373 | Bug #53631: only set accountActivationDate if all fields are specified

> Reopen: The requirements state
> 
> > Technical concept:
> > * Default time zone to TZ of server
> > * The property shall be presented with a selectable timezone in UMC, e.g. by means of a dropdown, which defaults to the server TZ
> 
> The timezone field is empty by default
OK, I set the default to the local timezone.

11a1ae31d2b1 | Bug #53631: set local timezone as default value of accountActivationDate

> RFC: The administrator can select the timezone when setting the activation
> date. This information is not saved internally, so upon reopening the user,
> the activation date is presented in UTC. This might be confusing, as
> administrators have to convert the time manually to find out when the
> account is going to be activated. Is this okay?
hmm… I don't know what Arvid thought about this.
In general I dislike transforming values to local time in that layer. (We also had problems due to this in the past because our Jenkins Tests run in different timezones than we live).
But yes, it looks inconsistent now.
I will think about it.

(In reply to Erik Damrose from comment #23)
> Reopen: The default for UCR directory/manager/user/accountactivation/cron is
> empty so the cronjob does not run by default.
I set the cronjob to be activated every 15 minutes by default.

a6b046812201 | Bug #53631: enable crontab every 15 minutes
11a1ae31d2b1 | Bug #53631: set local timezone as default value of accountActivationDate

Comment 25 Florian Best

2021-09-14 19:35:30 CEST

Also fix the test case regarding default value and disabled cronjob on non-master systems as specified by comment 0.

0dd66cfb2e16 | fixup! fixup! Bug #53631: enable crontab every 15 minutes
6810f3ed556c | fixup! Bug #53631: enable crontab every 15 minutes

As discussed, for now we don't transform UTC into local time in unmap().
If we do this, we should do it only in the Javascript widget.

Comment 26 Erik Damrose

2021-09-15 12:54:12 CEST

The remaining open points were addressed.
Automatic and manual tests as described in comment 9 successful
Verified

Comment 27 Erik Damrose

2021-09-15 17:41:49 CEST

<https://errata.software-univention.de/#/?erratum=5.0x100>
<https://errata.software-univention.de/#/?erratum=5.0x90>
<https://errata.software-univention.de/#/?erratum=5.0x99>