Peers date consistency fixes as follow up to PR384

mig/assets/css/V3/style.css

@@ -816,3 +816,8 @@ var, sampl, code {
     border: 1px solid #ff9900;
     margin-bottom: 20px;
 }
+
+/* Disable border on e.g. input elements if specifically requested */
+.noborder {
+    border: 0;
+}

mig/shared/defaults.py

@@ -1,3 +1,3 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
@@ -20,7 +20,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
 # -- END_HEADER ---
 #
@@ -33,8 +33,8 @@
 import os
 import sys
 
 MIG_BASE = os.path.realpath(os.path.join(os.path.dirname(__file__), '../..'))
 MIG_ENV = os.getenv('MIG_ENV', 'default')
 
 # NOTE: python3 switched strings to use unicode by default in contrast to bytes
 #       in python2. File systems remain with utf8 however so we need to
@@ -42,11 +42,11 @@
 #       to unicode depending on the python used.
 #       Please refer to the helpers in shared.base for actual handling of it.
 if sys.version_info[0] >= 3:
     default_str_coding = 'unicode'
     default_fs_coding = 'utf8'
 else:
     default_str_coding = 'utf8'
     default_fs_coding = 'utf8'
 
 CODING_KINDS = (STR_KIND, FS_KIND) = ('__STR__', '__FS__')
 
@@ -78,7 +78,7 @@
 any_protocol = keyword_any
 any_state = keyword_any
 
 AUTH_NONE, AUTH_GENERIC, AUTH_CERTIFICATE = "None", "Generic", "X.509 Certificate"
 AUTH_OPENID_CONNECT, AUTH_OPENID_V2 = "OpenID Connect", "OpenID 2.0"
 
 AUTH_MIG_OID = "Site %s" % AUTH_OPENID_V2
@@ -173,13 +173,13 @@
     'freeotp': {'name': 'FreeOTP',
                 'url': 'https://freeotp.github.io/'},
     'yubico': {'name': 'Yubico Authenticator',
                'url': 'https://www.yubico.com/products/yubico-authenticator/#h-download-yubico-authenticator'},
     'bitwarden': {'name': 'Bitwarden',
                   'url': 'https://bitwarden.com/download/'},
     'microfocus': {'name': 'NetIQ Advanced Authentication',
                    'url': 'https://www.microfocus.com/en-us/products/netiq-advanced-authentication/overview'},
     'microsoft': {'name': 'Microsoft Authenticator',
                   'url': 'https://www.microsoft.com/en-us/security/mobile-authenticator-app'},
 }
 
 # Sharelink format helpers
@@ -208,6 +208,10 @@
 # Number of days before expire that auto extend attempts kick in
 # NOTE: must be lower than all X_auto_extend_days values to avoid hammering
 attempt_auto_extend_days = 10
+# Enforce peers expire value (End date) to default/min/max days in the future
+peers_expire_default_days = generic_valid_days
+peers_expire_min_days = 7
+peers_expire_max_days = 3652
 
 # Strictly ordered list of account status values to enable use of filemarks
 # for caching account status using integer timestamps outside user DB.
@@ -270,7 +274,7 @@
 # can't let users edit them because it would result in arbitrary code execution
 # holes.
 #
 # IMPORTANT: please use the invisible_{path,file,dir} helpers from mig.shared.base
 #            instead of using these variables directly.
 _dot_vgrid = ['.vgrid%s' % i for i in ['wiki', 'scm', 'tracker', 'forum']]
 _protected_dirs = [trash_destdir]
@@ -372,7 +376,7 @@
 # 0|~/mig > ./codegrep.py safe_handler|grep import|sort|awk '{ print $1; }'| \
 #               sed 's@.*/functionality/\(.*\).py:from@\\"\1\\",@g'|xargs
 csrf_backends = [
     "addresowner", "addvgridmember", "addvgridowner", "addvgridres", "addvgridtrigger", "autocreate", "chksum", "cleanallstores", "cleanexe", "cleanfe", "cleanstore", "cp", "createfreeze", "createre", "createvgrid", "datatransfer", "deletefreeze", "deletere", "delres", "editfile", "extcertaction", "extoidaction", "imagepreview", "jobaction", "jobfeasible", "jobobjsubmit", "jobschedule", "liveio", "mkdir", "mqueue", "mv", "pack", "rejectresreq", "rejectvgridreq", "reqcertaction", "reseditaction", "restartallexes", "restartallstores", "restartexe", "restartfe", "restartstore", "resubmit", "rmdir", "rm", "rmresowner", "rmvgridmember", "rmvgridowner", "rmvgridres", "rmvgridtrigger", "scripts", "sendrequestaction", "settingsaction", "sharelink", "sssadmin", "ssscreateimg", "stopallexes", "stopallstores", "stopexe", "stopfe", "stopstore", "submitfields", "submit", "tar", "testresupport", "textarea", "touch", "truncate", "unpack", "untar", "unzip", "updateresconfig", "updatevgrid", "uploadchunked", "upload", "vgridforum", "vgridsettings", "vmachines", "zip",
 ]
 
 # freeze archive flavor
@@ -454,9 +458,9 @@
 # ciphers.
 # On older versions of OpenSSL, unavailable ciphers will be discarded
 # automatically.
 STRONG_TLS_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 # NOTE: keep the previous list around in case of problems e.g. with IO clients
 STRONG_TLS_LEGACY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!SEED:!IDEA:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA"
 # TODO: enforce curve order in Apache (2.4.8+), too?
 #       https://superuser.com/questions/964907/apache-and-ecc-curve-order
 # TODO: add curve 'X25519' as first choice once we reach openssl-1.1?
@@ -483,7 +487,7 @@
 STRONG_SSH_HOSTKEYALGOS = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256"
 LEGACY_SSH_HOSTKEYALGOS = ",".join([STRONG_SSH_HOSTKEYALGOS, "ssh-rsa"])
 FALLBACK_SSH_HOSTKEYALGOS = LEGACY_SSH_HOSTKEYALGOS
 STRONG_SSH_KEXALGOS = "curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512"
 # NOTE: fall back to relatively safe DH group-exchange-sha256 on old paramiko etc.
 LEGACY_SSH_KEXALGOS = ",".join([STRONG_SSH_KEXALGOS,
                                 "diffie-hellman-group-exchange-sha256"])

mig/shared/functionality/peers.py

@@ -1,10 +1,10 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
 # --- BEGIN_HEADER ---
 #
 # peers - manage external collaboration partners, etc.
-# Copyright (C) 2003-2021  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -41,7 +41,8 @@
 from mig.shared.base import pretty_format_user, fill_distinguished_name, \
     client_id_dir, force_native_str_rec
 from mig.shared.defaults import csrf_field, peers_filename, \
-    pending_peers_filename, peers_fields, peer_kinds, default_pager_entries
+    pending_peers_filename, peers_fields, peer_kinds, default_pager_entries, \
+    peers_expire_min_days, peers_expire_max_days
 from mig.shared.functional import validate_input_and_cert
 from mig.shared.handlers import get_csrf_limit, make_csrf_token
 from mig.shared.htmlgen import man_base_js, man_base_html, html_post_helper
@@ -217,6 +218,12 @@
                     'csrf_field': csrf_field, 'csrf_limit': csrf_limit,
                     'target_op': target_op, 'csrf_token': csrf_token,
                     'expire_help': expire_help,
+                    # NOTE: allow select expire N days or more from now
+                    'min_peers_expire': datetime.date.today() + \
+                    datetime.timedelta(days=peers_expire_min_days),
+                    # NOTE: allow up to N days in the future
+                    'max_peers_expire': datetime.date.today() + \
+                    datetime.timedelta(days=peers_expire_max_days),
                     'csv_header': csv_sep.join([i for i in peers_fields])}
     form_prefix_html = '''
 <form class="save_peers save_general" method="%(form_method)s"
@@ -257,7 +264,8 @@
           </label>
           <input class="form-control themed-select html-select fill-width"
             type="date" name="peers_expire" required pattern="[0-9/-]+"
-            title="Access expiry date" />
+            min="%(min_peers_expire)s" max="%(max_peers_expire)s"
+            title="Access expiry date"/>
       </div>
     </div>
 '''

mig/shared/functionality/peersaction.py

@@ -1,10 +1,10 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
 # --- BEGIN_HEADER ---
 #
 # peersaction - handle management of peers
-# Copyright (C) 2003-2023  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -41,7 +41,8 @@
 from mig.shared.base import client_id_dir, fill_distinguished_name, \
     extract_field
 from mig.shared.defaults import peers_filename, peer_kinds, peers_fields, \
-    keyword_auto, csrf_field
+    keyword_auto, csrf_field, peers_expire_default_days, \
+    peers_expire_min_days, peers_expire_max_days
 from mig.shared.functional import validate_input, REJECT_UNSET
 from mig.shared.handlers import safe_handler, get_csrf_limit
 from mig.shared.htmlgen import html_post_helper
@@ -51,7 +52,6 @@
 from mig.shared.url import urlencode
 from mig.shared.useradm import get_full_user_map
 
-default_expire_days = 7
 peer_actions = ['import', 'add', 'remove', 'update', 'accept', 'reject']
 
 
@@ -155,17 +155,20 @@
             expire = now
         else:
             expire = datetime.datetime.strptime(raw_expire, '%Y-%m-%d')
-            if now > expire:
-                raise ValueError("specified expire value is in the past!")
+            if now + datetime.timedelta(days=peers_expire_min_days) > expire:
+                raise ValueError("specified expire is in the past!")
+            if now + datetime.timedelta(days=peers_expire_max_days) < expire:
+                raise ValueError("specified expire is too far in the future!")
     except Exception as exc:
-        logger.error("expire %r could not be parsed into a (future) date" %
+        logger.error("expire %r could not be parsed into a valid date" %
                      raw_expire)
         output_objects.append(
-            {'object_type': 'text', 'text':
-             'No valid expire provided - using default: %d days' %
-             default_expire_days})
+            {'object_type': 'warning', 'text':
+             'End date must be %d - %d days from now - using default %d days' %
+             (peers_expire_min_days, peers_expire_max_days,
+              peers_expire_default_days)})
         expire = now
-        expire += datetime.timedelta(days=default_expire_days)
+        expire += datetime.timedelta(days=peers_expire_default_days)
     expire = expire.date().isoformat()
 
     peers_path = os.path.join(configuration.user_settings, client_dir,

mig/shared/output.py

@@ -1,3 +1,3 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
@@ -1560,6 +1560,11 @@
                 single_peer['state'] = single_peer.get('state', '')
                 if not single_peer['state']:
                     single_peer['state'] = 'NA'
+                single_peer['expire'] = single_peer.get('expire', '')
+                if single_peer['expire']:
+                    # Make a dummy input field to force consistent date format
+                    single_peer['expire'] = "<input class='noborder' type=date " + \
+                        "value='%(expire)s' readonly=readonly />" % single_peer
                 lines.append('''<tr>
 <td>%(full_name)s</td><td>%(organization)s</td><td>%(email)s</td>
 <td>%(country)s</td><td>%(state)s</td><td>%(kind)s</td><td>%(label)s</td><td>%(expire)s</td>