[AAP-45540] Add PosixUIDGroupType to LDAP Group Type list (#748)

Dostonbek1 · web-flow · commit 79c4f9eeb87f · 2025-07-10T10:27:25.000-04:00
## Description  LDAP Plugin is currently missing `PosixUIDGroupType` in the Group Type list. This PR adds this group type similar to how awx has implemented. ## Type of Change  - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Documentation update - [ ] Test update - [ ] Refactoring (no functional changes) - [ ] Development environment change - [ ] Configuration change ## Self-Review Checklist  - [x] I have performed a self-review of my code - [x] I have added relevant comments to complex code sections - [ ] I have updated documentation where needed - [x] I have considered the security impact of these changes - [x] I have considered performance implications - [x] I have thought about error handling and edge cases - [x] I have tested the changes in my local environment ## Testing Instructions   ### Prerequisites  ### Steps to Test 1. 2. 3. ### Expected Results  ## Additional Context  ### Required Actions   - [ ] Requires documentation updates  - [ ] Requires downstream repository changes  - [ ] Requires infrastructure/deployment changes  - [ ] Requires coordination with other teams  - [ ] Blocked by PR/MR: #XXX  ### Screenshots/Logs  <img width="400" alt="Screenshot 2025-06-30 at 11 15 49 AM" src="https://github.com/user-attachments/assets/2350d2fa-9571-4f6e-86df-ab8c6a5c3875" /> <img width="843" alt="Screenshot 2025-06-30 at 11 15 49 AM" src="https://github.com/user-attachments/assets/5730af77-2d9a-4b7d-a423-81180faf4164" />
diff --git a/ansible_base/authentication/authenticator_plugins/ldap.py b/ansible_base/authentication/authenticator_plugins/ldap.py
@@ -5,6 +5,7 @@
 from typing import Any
 
 import ldap
+from django.utils.encoding import force_str
 from django.utils.translation import gettext_lazy as _
 from django_auth_ldap import config
 from django_auth_ldap.backend import LDAPBackend
@@ -28,6 +29,68 @@
 user_search_string = '%(user)s'
 
 
+class PosixUIDGroupType(LDAPGroupType):
+    """
+    An LDAPGroupType subclass that handles non-standard Directory Servers.
+    """
+
+    def __init__(self, name_attr='cn', ldap_group_user_attr='uid'):
+        self.ldap_group_user_attr = ldap_group_user_attr
+        super().__init__(name_attr)
+
+    def user_groups(self, ldap_user, group_search):
+        """
+        Searches for any group that is either the user's primary or contains the
+        user as a member.
+        """
+        groups = []
+
+        try:
+            user_uid = ldap_user.attrs[self.ldap_group_user_attr][0]
+
+            if 'gidNumber' in ldap_user.attrs:
+                user_gid = ldap_user.attrs['gidNumber'][0]
+                filterstr = "(|(gidNumber={})(memberUid={}))".format(
+                    self.ldap.filter.escape_filter_chars(user_gid),
+                    self.ldap.filter.escape_filter_chars(user_uid),
+                )
+            else:
+                filterstr = "(memberUid={})".format(self.ldap.filter.escape_filter_chars(user_uid))
+
+            search = group_search.search_with_additional_term_string(filterstr)
+            search.attrlist = [str(self.name_attr)]
+            groups = search.execute(ldap_user.connection)
+        except (KeyError, IndexError):
+            pass
+
+        return groups
+
+    def is_member(self, ldap_user, group_dn):
+        """
+        Returns True if the group is the user's primary group or if the user is
+        listed in the group's memberUid attribute.
+        """
+        is_member = False
+        try:
+            user_uid = ldap_user.attrs[self.ldap_group_user_attr][0]
+
+            try:
+                is_member = ldap_user.connection.compare_s(force_str(group_dn), 'memberUid', force_str(user_uid))
+            except (ldap.UNDEFINED_TYPE, ldap.NO_SUCH_ATTRIBUTE):
+                is_member = False
+
+            if not is_member:
+                try:
+                    user_gid = ldap_user.attrs['gidNumber'][0]
+                    is_member = ldap_user.connection.compare_s(force_str(group_dn), 'gidNumber', force_str(user_gid))
+                except (ldap.UNDEFINED_TYPE, ldap.NO_SUCH_ATTRIBUTE):
+                    is_member = False
+        except (KeyError, IndexError):
+            is_member = False
+
+        return is_member
+
+
 def validate_ldap_dn(value: str, with_user: bool = False, required: bool = True) -> None:
     if not value and not required:
         return
@@ -333,7 +396,7 @@ def validate(self, attrs):
         # Check interdependent fields
         errors = {}
 
-        group_type_class = getattr(config, attrs['GROUP_TYPE'], None)
+        group_type_class = find_class_in_modules(attrs["GROUP_TYPE"])
         if group_type_class:
             group_type_params = attrs['GROUP_TYPE_PARAMS']
             logger.error(f"Validating group type params for {attrs['GROUP_TYPE']}")
@@ -400,7 +463,7 @@ def __init__(self, prefix: str = 'AUTH_LDAP_', defaults: dict = {}):
         setattr(self, 'CONNECTION_OPTIONS', internal_data)
 
         # Group type needs to be an object instead of a String so instantiate it
-        group_type_class = getattr(config, defaults['GROUP_TYPE'], None)
+        group_type_class = find_class_in_modules(defaults["GROUP_TYPE"])
         setattr(self, 'GROUP_TYPE', group_type_class(**defaults['GROUP_TYPE_PARAMS']))
 
 
@@ -528,3 +591,12 @@ def get_or_build_user(self, username, ldap_user):
         )
 
         return user, created
+
+
+def find_class_in_modules(class_name: str) -> object:
+    """
+    Used to find ldap subclasses by string
+    """
+    if class_name == "PosixUIDGroupType":
+        return PosixUIDGroupType
+    return getattr(config, class_name, None)
diff --git a/test_app/tests/authentication/authenticator_plugins/test_ldap.py b/test_app/tests/authentication/authenticator_plugins/test_ldap.py
@@ -4,6 +4,7 @@
 
 import ldap
 import pytest
+from django_auth_ldap import config
 from rest_framework.serializers import ValidationError
 from typeguard import suppress_type_checks
 
@@ -12,6 +13,8 @@
     AuthenticatorPlugin,
     LDAPSearchField,
     LDAPSettings,
+    PosixUIDGroupType,
+    find_class_in_modules,
     validate_ldap_filter,
 )
 from ansible_base.authentication.models import Authenticator
@@ -683,3 +686,88 @@ def test_ldap_user_search_validation(
 )
 def test_ldap_search_field_is_single_search(value, expected_result):
     assert LDAPSearchField.is_single_search(value) is expected_result
+
+
+@pytest.mark.parametrize(
+    "cls_name,cls",
+    [("PosixGroupType", config.PosixGroupType), ("PosixUIDGroupType", PosixUIDGroupType), ("NonExistentClass", None)],
+)
+def test_find_class_in_modules(cls_name, cls):
+    found_cls = find_class_in_modules(cls_name)
+    if found_cls:
+        assert found_cls.__name__ == cls.__name__
+    else:
+        assert found_cls is cls
+
+
+@pytest.fixture
+def group_type():
+    return PosixUIDGroupType()
+
+
+@pytest.fixture
+def ldap_user():
+    user = MagicMock()
+    user.connection = MagicMock()
+    return user
+
+
+@pytest.fixture
+def group_search():
+    return MagicMock()
+
+
+def test_user_groups_with_gidNumber(group_type, ldap_user, group_search):
+    ldap_user.attrs = {"uid": ["jdoe"], "gidNumber": ["1000"]}
+    mock_search = MagicMock()
+    mock_search.execute.return_value = ["group1", "group2"]
+    group_search.search_with_additional_term_string.return_value = mock_search
+    groups = group_type.user_groups(ldap_user, group_search)
+    assert groups == ["group1", "group2"]
+    group_search.search_with_additional_term_string.assert_called_once()
+    mock_search.execute.assert_called_once()
+
+
+def test_user_groups_without_gidNumber(group_type, ldap_user, group_search):
+    ldap_user.attrs = {"uid": ["jdoe"]}
+    mock_search = MagicMock()
+    mock_search.execute.return_value = ["group3"]
+    group_search.search_with_additional_term_string.return_value = mock_search
+    groups = group_type.user_groups(ldap_user, group_search)
+    assert groups == ["group3"]
+
+
+def test_user_groups_missing_uid(group_type, ldap_user, group_search):
+    ldap_user.attrs = {"gidNumber": ["1000"]}
+    groups = group_type.user_groups(ldap_user, group_search)
+    assert groups == []
+
+
+def test_is_member_by_memberUid(group_type, ldap_user):
+    ldap_user.attrs = {"uid": ["jdoe"], "gidNumber": ["1000"]}
+    ldap_user.connection.compare_s.side_effect = [True, False]
+    result = group_type.is_member(ldap_user, "cn=group1,dc=example,dc=com")
+    assert result is True
+    assert ldap_user.connection.compare_s.call_count == 1
+
+
+def test_is_member_by_gidNumber(group_type, ldap_user):
+    ldap_user.attrs = {"uid": ["jdoe"], "gidNumber": ["1000"]}
+    # Simulate memberUid fails, gidNumber succeeds
+    ldap_user.connection.compare_s.side_effect = [False, True]
+    result = group_type.is_member(ldap_user, "cn=group2,dc=example,dc=com")
+    assert result is True
+    assert ldap_user.connection.compare_s.call_count == 2
+
+
+def test_is_member_none_match(group_type, ldap_user):
+    ldap_user.attrs = {"uid": ["jdoe"], "gidNumber": ["1000"]}
+    ldap_user.connection.compare_s.side_effect = [False, False]
+    result = group_type.is_member(ldap_user, "cn=group3,dc=example,dc=com")
+    assert result is False
+
+
+def test_is_member_missing_uid(group_type, ldap_user):
+    ldap_user.attrs = {"gidNumber": ["1000"]}
+    result = group_type.is_member(ldap_user, "cn=group,dc=example,dc=com")
+    assert result is False
