From da45cb699883b6c3d6fee4831873787cfb43432f Mon Sep 17 00:00:00 2001 From: Pierre Lehnen <55164754+pierre-lehnen-rc@users.noreply.github.com> Date: Fri, 19 Apr 2024 19:11:48 -0300 Subject: [PATCH] feat: Add setting to automatically disable users missing from LDAP search (#32084) Co-authored-by: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com> --- .changeset/nervous-elephants-jam.md | 7 +++++ .../server/classes/ImportDataConverter.ts | 1 + apps/meteor/ee/server/lib/ldap/Manager.ts | 29 ++++++++++++++++--- apps/meteor/ee/server/settings/ldap.ts | 13 +++++---- apps/meteor/server/models/raw/Users.js | 11 +++++++ packages/i18n/src/locales/en.i18n.json | 2 ++ .../model-typings/src/models/IUsersModel.ts | 2 ++ 7 files changed, 56 insertions(+), 9 deletions(-) create mode 100644 .changeset/nervous-elephants-jam.md diff --git a/.changeset/nervous-elephants-jam.md b/.changeset/nervous-elephants-jam.md new file mode 100644 index 00000000000..cc74cd85842 --- /dev/null +++ b/.changeset/nervous-elephants-jam.md @@ -0,0 +1,7 @@ +--- +'@rocket.chat/model-typings': minor +'@rocket.chat/i18n': minor +'@rocket.chat/meteor': minor +--- + +Added a new setting to automatically disable users from LDAP that can no longer be found by the background sync diff --git a/apps/meteor/app/importer/server/classes/ImportDataConverter.ts b/apps/meteor/app/importer/server/classes/ImportDataConverter.ts index f5315b4f1e6..493d14061bf 100644 --- a/apps/meteor/app/importer/server/classes/ImportDataConverter.ts +++ b/apps/meteor/app/importer/server/classes/ImportDataConverter.ts @@ -502,6 +502,7 @@ export class ImportDataConverter { } const userId = await this.insertUser(data); + data._id = userId; insertedIds.add(userId); if (!this._options.skipDefaultChannels) { diff --git a/apps/meteor/ee/server/lib/ldap/Manager.ts b/apps/meteor/ee/server/lib/ldap/Manager.ts index c17d81d412e..b99b6b08cbe 100644 --- a/apps/meteor/ee/server/lib/ldap/Manager.ts 
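Review bot: `data._id = userId;` in the ImportDataConverter hunk mutates the import record right after the insert without saying why; the Manager.ts change in this same commit reads `data._id` inside `afterImportFn`, so the purpose is to expose the freshly inserted id to that callback. A one-line comment would keep the next reader from treating it as dead code: `// expose the inserted id so afterImportFn callbacks can reference the new user`. The enclosing method starts and continues outside this hunk.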
+++ b/apps/meteor/ee/server/lib/ldap/Manager.ts @@ -10,6 +10,7 @@ import type { import { addUserToRoom } from '../../../../app/lib/server/functions/addUserToRoom'; import { createRoom } from '../../../../app/lib/server/functions/createRoom'; import { removeUserFromRoom } from '../../../../app/lib/server/functions/removeUserFromRoom'; +import { setUserActiveStatus } from '../../../../app/lib/server/functions/setUserActiveStatus'; import { settings } from '../../../../app/settings/server'; import { getValidRoomName } from '../../../../app/utils/server/lib/getValidRoomName'; import { ensureArray } from '../../../../lib/utils/arrayUtils'; @@ -28,6 +29,7 @@ export class LDAPEEManager extends LDAPManager { const createNewUsers = settings.get('LDAP_Background_Sync_Import_New_Users') ?? true; const updateExistingUsers = settings.get('LDAP_Background_Sync_Keep_Existant_Users_Updated') ?? true; + let disableMissingUsers = updateExistingUsers && (settings.get('LDAP_Background_Sync_Disable_Missing_Users') ?? false); const mergeExistingUsers = settings.get('LDAP_Background_Sync_Merge_Existent_Users') ?? false; const options = this.getConverterOptions(); @@ -36,6 +38,7 @@ export class LDAPEEManager extends LDAPManager { const ldap = new LDAPConnection(); const converter = new LDAPDataConverter(true, options); + const touchedUsers = new Set(); try { await ldap.connect(); @@ -43,7 +46,9 @@ export class LDAPEEManager extends LDAPManager { if (createNewUsers || mergeExistingUsers) { await this.importNewUsers(ldap, converter); } else if (updateExistingUsers) { - await this.updateExistingUsers(ldap, converter); + await this.updateExistingUsers(ldap, converter, disableMissingUsers); + // Missing users will have been disabled automatically by the update operation, so no need to do a separate query for them + disableMissingUsers = false; } const membersOfGroupFilter = await ldap.searchMembersOfGroupFilter(); 
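Review bot: `const touchedUsers = new Set();` in the @@ -36 hunk infers `Set<any>` (the Set constructor's type parameter defaults to `any`), so the ids later spread into `disableMissingUsers(foundUsers: IUser['_id'][])` are never checked against that signature. `const touchedUsers = new Set<IUser['_id']>();` keeps the set typed and would flag `touchedUsers.add(data._id)` if `_id` is not the expected id type. The enclosing sync method continues outside this hunk.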
@@ -60,9 +65,17 @@ export class LDAPEEManager extends LDAPManager { return membersOfGroupFilter.includes(memberFormat); }) as ImporterBeforeImportCallback, - afterImportFn: (async ({ data }, isNewRecord: boolean): Promise => - this.advancedSync(ldap, data as IImportUser, converter, isNewRecord)) as ImporterAfterImportCallback, + afterImportFn: (async ({ data }, isNewRecord: boolean): Promise => { + if (data._id) { + touchedUsers.add(data._id); + } + await this.advancedSync(ldap, data as IImportUser, converter, isNewRecord); + }) as ImporterAfterImportCallback, }); + + if (disableMissingUsers) { + await this.disableMissingUsers([...touchedUsers]); + } } catch (error) { logger.error(error); } @@ -579,7 +592,7 @@ export class LDAPEEManager extends LDAPManager { }); } - private static async updateExistingUsers(ldap: LDAPConnection, converter: LDAPDataConverter): Promise { + private static async updateExistingUsers(ldap: LDAPConnection, converter: LDAPDataConverter, disableMissingUsers = false): Promise { const users = await Users.findLDAPUsers().toArray(); for await (const user of users) { const ldapUser = await this.findLDAPUser(ldap, user); @@ -587,10 +600,18 @@ export class LDAPEEManager extends LDAPManager { if (ldapUser) { const userData = this.mapUserData(ldapUser, user.username); converter.addUserSync(userData, { dn: ldapUser.dn, username: this.getLdapUsername(ldapUser) }); + } else if (disableMissingUsers) { + await setUserActiveStatus(user._id, false, true); } } } + private static async disableMissingUsers(foundUsers: IUser['_id'][]): Promise { + const userIds = (await Users.findLDAPUsersExceptIds(foundUsers, { projection: { _id: 1 } }).toArray()).map(({ _id }) => _id); + + await Promise.allSettled(userIds.map((id) => setUserActiveStatus(id, false, true))); + } + private static async updateUserAvatars(ldap: LDAPConnection): Promise { const users = await Users.findLDAPUsers().toArray(); for await (const user of users) { 
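Review bot: `this.disableMissingUsers([...touchedUsers])` at the end of the try block deactivates every LDAP user when `touchedUsers` is empty, because `findLDAPUsersExceptIds` turns an empty list into `$nin: []`, which excludes nothing; a search that yields no entries (misconfigured filter, server size limit, or a group filter that rejects everyone in `beforeImportFn`) therefore locks out the whole LDAP population in a single sync run. The same partial-result risk applies to the per-user branch in the @@ -587 hunk. `touchedUsers` is fed only by `afterImportFn`, so this also presumes the importer invokes that callback for every LDAP entry it sees, including unchanged existing users — worth confirming in the converter. The rewrite below refuses to proceed on an empty set, records which ids it deactivates, and reports rejected `setUserActiveStatus` calls, which the current `Promise.allSettled` silently discards.
```typescript
private static async disableMissingUsers(foundUsers: IUser['_id'][]): Promise<void> {
	// An empty list means the sync touched nobody (empty or failed search, filter
	// mismatch); `$nin: []` would then match every LDAP user, so refuse to proceed.
	if (foundUsers.length === 0) {
		logger.warn('LDAP background sync found no users; skipping automatic deactivation');
		return;
	}

	const userIds = (await Users.findLDAPUsersExceptIds(foundUsers, { projection: { _id: 1 } }).toArray()).map(({ _id }) => _id);
	logger.info(`Deactivating ${userIds.length} user(s) no longer found on LDAP: ${userIds.join(', ')}`);

	const results = await Promise.allSettled(userIds.map((id) => setUserActiveStatus(id, false, true)));
	results.forEach((result, index) => {
		if (result.status === 'rejected') {
			logger.error({ msg: 'Failed to deactivate user missing from LDAP', userId: userIds[index], err: result.reason });
		}
	});
}
```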
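Review bot: In the `else if (disableMissingUsers)` branch of the @@ -587 hunk, a falsy `findLDAPUser` result is taken as proof that the account is gone from the directory; if that helper can also come back empty on a transient search failure (its implementation is not visible here), the user is deactivated on an outage rather than on removal, and nothing records that decision. A single rejected `setUserActiveStatus` call also propagates out of the `for await` loop into the caller's catch, so the remaining users are never examined in that run. Suggest logging the action before it happens, `logger.info(\`Deactivating user ${user._id}: no longer found on LDAP\`);`, and wrapping the deactivation in its own try/catch that logs and continues. The enclosing `updateExistingUsers` body is split between the @@ -579 and @@ -587 hunks.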
diff --git a/apps/meteor/ee/server/settings/ldap.ts b/apps/meteor/ee/server/settings/ldap.ts index cc5125e3738..f85f67a4064 100644 --- a/apps/meteor/ee/server/settings/ldap.ts +++ b/apps/meteor/ee/server/settings/ldap.ts @@ -27,6 +27,7 @@ export function addSettings(): Promise { }); const backgroundSyncQuery = [enableQuery, { _id: 'LDAP_Background_Sync', value: true }]; + const backgroundUpdateQuery = [...backgroundSyncQuery, { _id: 'LDAP_Background_Sync_Keep_Existant_Users_Updated', value: true }]; await this.add('LDAP_Background_Sync_Interval', 'every_24_hours', { type: 'select', @@ -70,11 +71,13 @@ export function addSettings(): Promise { await this.add('LDAP_Background_Sync_Merge_Existent_Users', false, { type: 'boolean', - enableQuery: [ - ...backgroundSyncQuery, - { _id: 'LDAP_Background_Sync_Keep_Existant_Users_Updated', value: true }, - { _id: 'LDAP_Merge_Existing_Users', value: true }, - ], + enableQuery: [...backgroundUpdateQuery, { _id: 'LDAP_Merge_Existing_Users', value: true }], + invalidValue: false, + }); + + await this.add('LDAP_Background_Sync_Disable_Missing_Users', false, { + type: 'boolean', + enableQuery: backgroundUpdateQuery, invalidValue: false, }); diff --git a/apps/meteor/server/models/raw/Users.js b/apps/meteor/server/models/raw/Users.js index a4b7bfe9a39..c6b545caedb 100644 --- a/apps/meteor/server/models/raw/Users.js +++ b/apps/meteor/server/models/raw/Users.js @@ -432,6 +432,17 @@ export class UsersRaw extends BaseRaw { return this.find(query, options); } + findLDAPUsersExceptIds(userIds, options = {}) { + const query = { + ldap: true, + _id: { + $nin: userIds, + }, + }; + + return this.find(query, options); + } + findConnectedLDAPUsers(options) { const query = { 'ldap': true, diff --git a/packages/i18n/src/locales/en.i18n.json b/packages/i18n/src/locales/en.i18n.json index 71bcacbbcd5..7707942cb85 100644 --- a/packages/i18n/src/locales/en.i18n.json +++ b/packages/i18n/src/locales/en.i18n.json 
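Review bot: `findLDAPUsersExceptIds` in the Users.js hunk should document that an empty `userIds` is not a no-op: `$nin: []` excludes nothing, so the cursor then yields every LDAP user, and the only caller added in this commit uses that result to deactivate accounts. A JSDoc on the method makes the contract explicit: `/** LDAP users whose _id is NOT in userIds. NOTE: an empty array matches every LDAP user; callers must guard. */`. Validating that `userIds` is actually an array before building the query would also avoid handing Mongo a malformed `$nin`.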
@@ -2989,6 +2989,8 @@ "LDAP_Background_Sync_Avatars": "Avatar Background Sync", "LDAP_Background_Sync_Avatars_Description": "Enable a separate background process to sync user avatars.", "LDAP_Background_Sync_Avatars_Interval": "Avatar Background Sync Interval", + "LDAP_Background_Sync_Disable_Missing_Users": "Automatically disable users that are no longer found on LDAP", + "LDAP_Background_Sync_Disable_Missing_Users_Description": "This option will deactivate users on Rocket.Chat when their data is not found on LDAP. Any rooms owned by those users will be automatically assigned to new owners, or removed if no other user has access to them.", "LDAP_Background_Sync_Import_New_Users": "Background Sync Import New Users", "LDAP_Background_Sync_Import_New_Users_Description": "Will import all users (based on your filter criteria) that exists in LDAP and does not exists in Rocket.Chat", "LDAP_Background_Sync_Interval": "Background Sync Interval", diff --git a/packages/model-typings/src/models/IUsersModel.ts b/packages/model-typings/src/models/IUsersModel.ts index f9a2b1c45a2..65b7d4f5366 100644 --- a/packages/model-typings/src/models/IUsersModel.ts +++ b/packages/model-typings/src/models/IUsersModel.ts @@ -77,6 +77,8 @@ export interface IUsersModel extends IBaseModel { findLDAPUsers(options?: any): FindCursor; + findLDAPUsersExceptIds(userIds: IUser['_id'][], options?: FindOptions): FindCursor; + findConnectedLDAPUsers(options?: any): FindCursor; isUserInRole(userId: IUser['_id'], roleId: IRole['_id']): Promise;