From c82759079058920ba0ad0cbcc8dbfdfa08e876f2 Mon Sep 17 00:00:00 2001
From: Adam Ruzicka
Date: Mon, 8 Apr 2024 17:07:51 +0200
Subject: [PATCH] Also find groups added through groupOfUniqueNames when looking up groups assigned to a user
---
 lib/ldap_fluff/posix_member_service.rb | 10 +++++++++-
 test/posix_member_services_test.rb | 20 ++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/lib/ldap_fluff/posix_member_service.rb b/lib/ldap_fluff/posix_member_service.rb
index 440b2c2..4ac40d6 100644
--- a/lib/ldap_fluff/posix_member_service.rb
+++ b/lib/ldap_fluff/posix_member_service.rb
@@ -18,7 +18,7 @@ def find_user(uid, base_dn = @base)
 def find_user_groups(uid)
 groups = []
 @ldap.search(
- :filter => Net::LDAP::Filter.eq('memberuid', uid),
+ :filter => user_group_filter(uid),
 :base => @group_base, :attributes => ["cn"]
 ).each do |entry|
 groups << entry[:cn][0]
@@ -52,4 +52,12 @@ class UIDNotFoundException < LdapFluff::Error
 class GIDNotFoundException < LdapFluff::Error
 end
+
+ private
+
+ def user_group_filter(uid)
+ unique_filter = Net::LDAP::Filter.eq('uniquemember', "uid=#{uid},#{@base}") &
+ Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames')
+ Net::LDAP::Filter.eq('memberuid', uid) | unique_filter
+ end
 end
diff --git a/test/posix_member_services_test.rb b/test/posix_member_services_test.rb
index 2a49fe4..c89aa1c 100644
--- a/test/posix_member_services_test.rb
+++ b/test/posix_member_services_test.rb
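Review bot: `uid` is interpolated unescaped into both the DN string and the filter value in the new `user_group_filter`, and `Net::LDAP::Filter.eq` performs no escaping of its own, so a `*` in `uid` is treated as a wildcard and a `,`, `+` or `=` changes the DN being compared. Because the result decides which groups a user is reported to belong to, escape at both layers, e.g. `Net::LDAP::Filter.equals('uniquemember', "uid=#{Net::LDAP::DN.escape(uid)},#{@base}")` and `Net::LDAP::Filter.equals('memberuid', uid)`. The DN is also assumed to be exactly `uid=<uid>,<@base>`; entries in a sub-OU or with a different RDN attribute would not match, so taking the DN from the entry `find_user` returns may be more reliable. The class body lies outside the hunk, so confirm what `@base` holds. A one-line comment above the method naming the two membership styles it covers (`memberuid` and `uniquemember` on groupOfUniqueNames) would also help.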
@@ -19,20 +19,24 @@ def test_find_user
 def test_find_user_groups
 user = posix_group_payload
- @ldap.expect(:search, user, [:filter => @ms.name_filter('john'),
+ username = 'john'
+ filter = @ldap.send(:user_group_filter, username)
+ @ldap.expect(:search, user, [:filter => filter,
 :base => config.group_base, :attributes => ["cn"]])
 @ms.ldap = @ldap
- assert_equal ['broze'], @ms.find_user_groups('john')
+ assert_equal ['broze'], @ms.find_user_groups(username)
 @ldap.verify
 end
 def test_find_no_groups
- @ldap.expect(:search, [], [:filter => @ms.name_filter("john"),
+ username = 'john'
+ filter = @ldap.send(:user_group_filter, username)
+ @ldap.expect(:search, [], [:filter => filter,
 :base => config.group_base, :attributes => ["cn"]])
 @ms.ldap = @ldap
- assert_equal [], @ms.find_user_groups('john')
+ assert_equal [], @ms.find_user_groups(username)
 @ldap.verify
 end
@@ -69,4 +73,12 @@ def test_group_doesnt_exists
 assert_raises(LdapFluff::Posix::MemberService::GIDNotFoundException) { @ms.find_group('broze') }
 @ldap.verify
 end
+
+ def test_user_group_filter
+ username = 'john'
+ unique_filter = Net::LDAP::Filter.eq('uniquemember', "uid=#{username},#{config.base_dn}") &
+ Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames')
+ expected = @ms.name_filter(username) | unique_filter
+ assert_equal expected, @ldap.send(:user_group_filter, username)
+ end
 end
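Review bot: `filter = @ldap.send(:user_group_filter, username)` in `test_find_user_groups` sends the new private method to `@ldap`, which these tests otherwise use as the LDAP mock (`@ldap.expect`, `@ldap.verify`), while `user_group_filter` is defined on the member service. Unless the mock forwards unknown calls (its setup is outside the hunk), this presumably should be `filter = @ms.send(:user_group_filter, username)`. The same applies in `test_find_no_groups` and to the assertion in `test_user_group_filter`.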
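Review bot: `test_user_group_filter` rebuilds the expected filter with the same expression as the implementation and only for the plain name `john`, so it passes whether or not the uid is escaped. Add a second case with a constructed uid that contains filter or DN metacharacters, such as `'jo*hn'` or `'doe,john'`, and assert that the resulting filter matches that value literally in both the `memberuid` and the `uniquemember` branch. That pins the group lookup to exact-user matching.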