[batch/auth] Set accounts to "inactive" after extended inactivity

auth/auth/auth.py

@@ -821,7 +821,7 @@ async def get_userinfo_from_hail_session_id(request: web.Request, session_id: st
 SELECT users.*
 FROM users
 INNER JOIN sessions ON users.id = sessions.user_id
-WHERE users.state = 'active' AND sessions.session_id = %s AND (ISNULL(sessions.max_age_secs) OR (NOW() < TIMESTAMPADD(SECOND, sessions.max_age_secs, sessions.created)));
+WHERE (users.state = 'active' OR users.state = 'inactive') AND sessions.session_id = %s AND (ISNULL(sessions.max_age_secs) OR (NOW() < TIMESTAMPADD(SECOND, sessions.max_age_secs, sessions.created)));
 """,
             session_id,
             'get_userinfo',
@@ -830,6 +830,18 @@ async def get_userinfo_from_hail_session_id(request: web.Request, session_id: st
 
     if len(users) != 1:
         return None
+
+    if users[0]['state'] == 'active':
+        current_uid = users[0]['id']
+        await db.execute_update(
+            """
+UPDATE users
+SET last_activated = UTC_TIMESTAMP(3)
+WHERE id = %s;
+""",
+            current_uid,
+        )
+
     return typing.cast(UserData, users[0])
 
 

auth/sql/estimated-current.sql

@@ -1,7 +1,7 @@
 CREATE TABLE `users` (
   `id` INT(11) NOT NULL AUTO_INCREMENT,
   `state` VARCHAR(100) NOT NULL,
-  -- creating, active, deleting, deleted
+  -- creating, active, deleting, deleted, inactive
   `username` varchar(255) NOT NULL COLLATE utf8mb4_0900_as_cs,
   `login_id` varchar(255) DEFAULT NULL COLLATE utf8mb4_0900_as_cs,
   `display_name` varchar(255) DEFAULT NULL,
@@ -16,6 +16,8 @@ CREATE TABLE `users` (
   -- namespace, for developers
   `namespace_name` varchar(255) DEFAULT NULL,
   `trial_bp_name` varchar(300) DEFAULT NULL,
+  -- "last activated" tracking
+  `last_activated` DATETIME NOT NULL DEFAULT NOW(3),
   PRIMARY KEY (`id`),
   UNIQUE KEY `email` (`email`),
   UNIQUE KEY `username` (`username`)

batch/batch/driver/main.py

@@ -1643,6 +1643,14 @@ async def scheduling_cancelling_bump(app):
     app['cancel_running_state_changed'].set()
 
 
+async def update_inactive_users(db: Database):
+    await db.execute_update("""
+UPDATE users
+SET users.state = 'inactive'
+WHERE (users.state = 'active') AND (users.last_activated IS NOT NULL) AND (DATEDIFF(CURRENT_DATE(), users.last_activated) > 60);
+""")
+
+
 Resource = namedtuple('Resource', ['resource_id', 'deduped_resource_id'])
 
 
@@ -1754,6 +1762,7 @@ async def close_and_wait():
     task_manager.ensure_future(periodically_call(60, compact_agg_billing_project_users_by_date_table, app, db))
     task_manager.ensure_future(periodically_call(60, delete_committed_job_groups_inst_coll_staging_records, db))
     task_manager.ensure_future(periodically_call(60, delete_prev_cancelled_job_group_cancellable_resources_records, db))
+    task_manager.ensure_future(periodically_call(86400, update_inactive_users, db))  # 86400 seconds = 1 day
 
 
 async def on_cleanup(app):

batch/sql/add-users-last-active.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN last_activated DATETIME NOT NULL DEFAULT NOW(3), ALGORITHM=INSTANT;

build.yaml

@@ -2347,6 +2347,9 @@ steps:
       - name: fix-mark-job-complete-deadlocks
         script: /io/sql/fix-mark-job-complete-deadlocks.sql
         online: true
+      - name: add-users-last-active
+        script: /io/sql/add-users-last-active.sql
+        online: true
       - name: jobs-add-n-max-attempts
         script: /io/sql/jobs-add-n-max-attempts.sql
         online: true

gear/gear/auth.py

@@ -65,6 +65,11 @@ async def wrapped(request: web.Request) -> web.StreamResponse:
                     if redirect or (redirect is None and '/api/' not in request.path):
                         raise login_redirect(request)
                     raise web.HTTPUnauthorized()
+                elif userdata['state'] == 'inactive':
+                    raise web.HTTPUnauthorized(
+                        text="Account is inactive. Please contact a Hail administrator to reactivate."
+                    )
+
                 request['userdata'] = userdata
                 return await fun(request, userdata)