From f821c8398f8e738853d7498d00c7c369b4fdfaa0 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Mon, 10 Nov 2025 13:11:54 -0500
Subject: [PATCH] qualified user group
---
 README.md | 4 ++++
 defaults/config.ini.default | 2 +-
 resources/lib/UnityLDAP.php | 34 ++++++++++++++++-----------------
 resources/lib/UnityUser.php | 6 +++---
 test/functional/NewUserTest.php | 25 ++++++++++++++++--------
 webroot/admin/user-mgmt.php | 2 +-
 workers/update-ldap-cache.php | 4 ++--
 7 files changed, 45 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 722ca0b6..29081e3d 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,10 @@ rm "$prod" && ln -s "$old" "$prod"
 ### Version-specific update instructions:
+### 1.3 -> 1.4
+
+- the `[ldap]user_group` option has been renamed to `[ldap]qualified_user_group`
+
 ### 1.2 -> 1.3
 - SQL:
diff --git a/defaults/config.ini.default b/defaults/config.ini.default
index 487a0aaa..033eba22 100644
--- a/defaults/config.ini.default
+++ b/defaults/config.ini.default
@@ -25,7 +25,7 @@ pass = "password" ; Admin bind password
 custom_user_mappings_dir = "deployment/custom_user_mappings" ; for internal use only
 basedn = "dc=unityhpc,dc=test" ; Base search DN
 user_ou = "ou=users,dc=unityhpc,dc=test" ; User organizational unit (may contain more than user group)
-user_group = "cn=unityusers,dc=unityhpc,dc=test" ; User group
+qualified_user_group = "cn=unityusers,dc=unityhpc,dc=test" ; User group
 group_ou = "ou=groups,dc=unityhpc,dc=test" ; Group organizational unit
 pigroup_ou = "ou=pi_groups,dc=unityhpc,dc=test" ; PI Group organizational unit
 orggroup_ou = "ou=org_groups,dc=unityhpc,dc=test" ; ORG group organizational unit
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
index db8ba3f2..f666675f 100644
--- a/resources/lib/UnityLDAP.php
+++ b/resources/lib/UnityLDAP.php
@@ -35,7 +35,7 @@ class UnityLDAP extends ldapConn
 private LDAPEntry $pi_groupOU;
 private LDAPEntry $org_groupOU;
 private LDAPEntry $adminGroup;
- private LDAPEntry $userGroup;
+ private LDAPEntry $qualifiedUserGroup;
 public function __construct()
 {
@@ -46,7 +46,7 @@ public function __construct()
 $this->pi_groupOU = $this->getEntry(CONFIG["ldap"]["pigroup_ou"]);
 $this->org_groupOU = $this->getEntry(CONFIG["ldap"]["orggroup_ou"]);
 $this->adminGroup = $this->getEntry(CONFIG["ldap"]["admin_group"]);
- $this->userGroup = $this->getEntry(CONFIG["ldap"]["user_group"]);
+ $this->qualifiedUserGroup = $this->getEntry(CONFIG["ldap"]["qualified_user_group"]);
 }
 public function getUserOU(): LDAPEntry
@@ -74,9 +74,9 @@ public function getAdminGroup(): LDAPEntry
 return $this->adminGroup;
 }
- public function getUserGroup(): LDAPEntry
+ public function getQualifiedUserGroup(): LDAPEntry
 {
- return $this->userGroup;
+ return $this->qualifiedUserGroup;
 }
 public function getDefUserShell(): string
@@ -182,11 +182,11 @@ private function getAllGIDNumbersInUse(): array
 );
 }
- public function getAllUsersUIDs(): array
+ public function getQualifiedUsersUIDs(): array
 {
 // should not use $user_ou->getChildren or $base_ou->getChildren(objectClass=posixAccount)
- // Unity users might be outside user ou, and not all users in LDAP tree are unity users
- return $this->userGroup->getAttribute("memberuid");
+ // qualified users might be outside user ou, and not all users in LDAP tree are qualified users
+ return $this->qualifiedUserGroup->getAttribute("memberuid");
 }
 public function getAllUsers(
@@ -199,9 +199,9 @@ public function getAllUsers(
 $out = [];
 if (!$ignorecache) {
- $users = $UnityRedis->getCache("sorted_users", "");
- if (!is_null($users)) {
- foreach ($users as $user) {
+ $qualifiedUsers = $UnityRedis->getCache("sorted_qualified_users", "");
+ if (!is_null($qualifiedUsers)) {
+ foreach ($qualifiedUsers as $user) {
 array_push(
 $out,
 new UnityUser(
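Review bot: In the constructor hunk (@@ -46) the renamed key is read as `CONFIG["ldap"]["qualified_user_group"]` with no fallback to `user_group` and no explicit check, so a site that deploys this code before editing its config.ini (the README only mentions the rename) hands a missing key to `getEntry()` instead of getting a clear startup error; what `getEntry()` does with that is not visible here, but it is presumably not a useful diagnostic. Because this one entry decides which LDAP accounts the application treats as its users, I would fail loudly: `if (!isset(CONFIG["ldap"]["qualified_user_group"])) {`, `    throw new \RuntimeException("[ldap]qualified_user_group is not set (renamed from user_group in 1.4)");`, `}` placed just before the assignment. The other `CONFIG["ldap"][...]` reads in this constructor have the same shape, but only this key changed name in the commit.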
@@ -218,18 +218,18 @@ public function getAllUsers(
 }
 }
- $users = $this->getAllUsersUIDs();
- sort($users);
- foreach ($users as $user) {
+ $qualifiedUsers = $this->getQualifiedUsersUIDs();
+ sort($qualifiedUsers);
+ foreach ($qualifiedUsers as $user) {
 $params = [$user, $this, $UnitySQL, $UnityMailer, $UnityRedis, $UnityWebhook];
 array_push($out, new UnityUser(...$params));
 }
 return $out;
 }
- public function getAllUsersAttributes(array $attributes): array
+ public function getQualifiedUsersAttributes(array $attributes): array
 {
- $include_uids = $this->getAllUsersUIDs();
+ $include_uids = $this->getQualifiedUsersUIDs();
 $user_attributes = $this->baseOU->getChildrenArray(
 $attributes,
 true, // recursive
@@ -307,7 +307,7 @@ public function getAllPIGroupOwnerAttributes(array $attributes): array
 fn($x) => UnityGroup::GID2OwnerUID($x),
 array_map(fn($x) => $x["cn"][0], $this->pi_groupOU->getChildrenArray(["cn"])),
 );
- $owner_attributes = $this->getAllUsersAttributes($attributes);
+ $owner_attributes = $this->getQualifiedUsersAttributes($attributes);
 foreach ($owner_attributes as $i => $attributes) {
 if (!in_array($attributes["uid"][0], $owner_uids)) {
 unset($owner_attributes[$i]);
@@ -333,7 +333,7 @@ public function getAllPIGroupOwnerAttributes(array $attributes): array
 public function getAllUID2PIGIDs(): array
 {
 // initialize output so each UID is a key with an empty array as its value
- $uids = $this->getAllUsersUIDs();
+ $uids = $this->getQualifiedUsersUIDs();
 $uid2pigids = array_combine($uids, array_fill(0, count($uids), []));
 // for each PI group, append that GID to the member list for each of its member UIDs
 foreach ($this->getAllPIGroupsAttributes(["cn", "memberuid"]) as $array) {
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
index f63e910d..f98bbcb7 100644
--- a/resources/lib/UnityUser.php
+++ b/resources/lib/UnityUser.php
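Review bot: `getQualifiedUsersAttributes()` (hunk @@ -218) is now one of the two public names the admin page, the PI-owner lookup and `getAllUID2PIGIDs()` depend on, yet neither it nor `getQualifiedUsersUIDs()` says what "qualified" means; the only explanation is the inline comment inside `getQualifiedUsersUIDs()`. A docblock on each would state the criterion once, e.g. on the UIDs method `/** UIDs listed in the memberuid attribute of the configured [ldap]qualified_user_group; membership there, not location under user_ou, is what makes an LDAP account a user of this application. */` and on the attributes method `/** Attributes of the qualified users only (see getQualifiedUsersUIDs()); other posixAccount entries under baseOU are dropped. */`. `getQualifiedUsersAttributes()` runs past the end of the hunk, so the filtering claim in that second docblock is inferred from the `$include_uids` name and should be confirmed against the rest of the body.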
@@ -105,10 +105,10 @@ public function init(
 $org->addUser($this);
 }
- $this->LDAP->getUserGroup()->appendAttribute("memberuid", $this->uid);
- $this->LDAP->getUserGroup()->write();
+ $this->LDAP->getQualifiedUserGroup()->appendAttribute("memberuid", $this->uid);
+ $this->LDAP->getQualifiedUserGroup()->write();
- $this->REDIS->appendCacheArray("sorted_users", "", $this->uid);
+ $this->REDIS->appendCacheArray("sorted_qualified_users", "", $this->uid);
 $this->SQL->addLog($this->uid, $_SERVER["REMOTE_ADDR"], "user_added", $this->uid);
diff --git a/test/functional/NewUserTest.php b/test/functional/NewUserTest.php
index 9b38c32f..97e97f2a 100644
--- a/test/functional/NewUserTest.php
+++ b/test/functional/NewUserTest.php
@@ -108,7 +108,7 @@ private function ensureUserDoesNotExist()
 $USER->getGroupEntry()->delete();
 ensure(!$USER->getGroupEntry()->exists());
 }
- $all_users_group = $LDAP->getUserGroup();
+ $all_users_group = $LDAP->getQualifiedUserGroup();
 $all_member_uids = $all_users_group->getAttribute("memberuid");
 if (in_array($USER->uid, $all_member_uids)) {
 $all_users_group->setAttribute(
@@ -120,7 +120,7 @@ private function ensureUserDoesNotExist()
 $all_users_group->write();
 ensure(!in_array($USER->uid, $all_users_group->getAttribute("memberuid")));
 }
- $REDIS->removeCacheArray("sorted_users", "", $USER->uid);
+ $REDIS->removeCacheArray("sorted_qualified_users", "", $USER->uid);
 }
 private function ensureOrgGroupDoesNotExist()
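Review bot: The Redis key `"sorted_qualified_users"` is spelled as a bare literal here in `init()` and again in `UnityLDAP::getAllUsers()`, `NewUserTest::ensureUserDoesNotExist()` and `workers/update-ldap-cache.php`, which is what turned this rename into a multi-file search-and-replace and will let the next rename silently miss a site. I would declare it once, e.g. `public const SORTED_QUALIFIED_USERS_CACHE_KEY = "sorted_qualified_users";` on UnityLDAP (or wherever the other Redis keys are defined), and reference the constant from each call site. Separately, the group `write()` and the cache append on the new lines are two independent writes; if the Redis append fails after the LDAP write has succeeded, `getAllUsers()` will presumably omit this user until the worker rebuilds the key, and a one-line comment saying that window is accepted would save the next reader the analysis. `init()` starts before the hunk.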
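Review bot: In `ensureUserDoesNotExist()` (hunk @@ -108) the new line `$all_users_group = $LDAP->getQualifiedUserGroup();` keeps the pre-rename local name, so the variable now contradicts the getter it is assigned from and the distinction the commit is introducing ("qualified" users versus every account under the user OU). Renaming it to `$qualified_user_group` keeps the test readable, though the follow-on uses of the variable lie outside this hunk and in @@ -120 and would need the same edit.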
@@ -204,9 +204,12 @@ public function testCreateUserByJoinGoupByPI($user_to_create_args, $expected_uid
 $this->assertTrue($newOrg->exists());
 $user_entry = $LDAP->getUserEntry($approve_uid);
- $user_group_entry = $LDAP->getGroupEntry($approve_uid);
+ $qualified_user_group_entry = $LDAP->getGroupEntry($approve_uid);
 $this->assertEquals($expected_uid_gid, $user_entry->getAttribute("uidnumber")[0]);
- $this->assertEquals($expected_uid_gid, $user_group_entry->getAttribute("gidnumber")[0]);
+ $this->assertEquals(
+ $expected_uid_gid,
+ $qualified_user_group_entry->getAttribute("gidnumber")[0],
+ );
 // $third_request_failed = false;
 // try {
@@ -309,9 +312,12 @@ public function testCreateUserByJoinGoupByAdmin($user_to_create_args, $expected_
 $this->assertTrue($newOrg->exists());
 $user_entry = $LDAP->getUserEntry($approve_uid);
- $user_group_entry = $LDAP->getGroupEntry($approve_uid);
+ $qualified_user_group_entry = $LDAP->getGroupEntry($approve_uid);
 $this->assertEquals($expected_uid_gid, $user_entry->getAttribute("uidnumber")[0]);
- $this->assertEquals($expected_uid_gid, $user_group_entry->getAttribute("gidnumber")[0]);
+ $this->assertEquals(
+ $expected_uid_gid,
+ $qualified_user_group_entry->getAttribute("gidnumber")[0],
+ );
 // $third_request_failed = false;
 // try {
@@ -372,9 +378,12 @@ public function testCreateUserByCreateGroup($user_to_create_args, $expected_uid_
 $this->assertTrue($newOrg->exists());
 $user_entry = $LDAP->getUserEntry($approve_uid);
- $user_group_entry = $LDAP->getGroupEntry($approve_uid);
+ $qualified_user_group_entry = $LDAP->getGroupEntry($approve_uid);
 $this->assertEquals($expected_uid_gid, $user_entry->getAttribute("uidnumber")[0]);
- $this->assertEquals($expected_uid_gid, $user_group_entry->getAttribute("gidnumber")[0]);
+ $this->assertEquals(
+ $expected_uid_gid,
+ $qualified_user_group_entry->getAttribute("gidnumber")[0],
+ );
 // $third_request_failed = false;
 // try {
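Review bot: The new local `$qualified_user_group_entry` in `testCreateUserByJoinGoupByPI` (hunk @@ -204) is assigned from `$LDAP->getGroupEntry($approve_uid)`, whose `gidnumber` is then asserted equal to the user entry's `uidnumber`; on these lines that looks like the user's own per-uid group, not the shared qualified user group this commit introduces, so the rename appears to be a search-and-replace that reached the wrong variable. Keeping `$user_group_entry`, or a name that says what it is such as `$user_own_group_entry`, would avoid suggesting the test checks qualified-group membership when it does not. The same rename appears in hunks @@ -309 and @@ -372.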
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php
index 7df16e5c..46945386 100644
--- a/webroot/admin/user-mgmt.php
+++ b/webroot/admin/user-mgmt.php
@@ -44,7 +44,7 @@ class="filterSearch" getAllUID2PIGIDs();
- $user_attributes = $LDAP->getAllUsersAttributes(["uid", "gecos", "o", "mail"]);
+ $user_attributes = $LDAP->getQualifiedUsersAttributes(["uid", "gecos", "o", "mail"]);
 usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0]));
 foreach ($user_attributes as $attributes) {
 $uid = $attributes["uid"][0];
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index f891fcfd..b646625b 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -38,9 +38,9 @@ echo "waiting for LDAP search (users)...\n";
 $users = $LDAP->search("objectClass=posixAccount", CONFIG["ldap"]["basedn"], []);
 echo "response received.\n";
- $user_CNs = $LDAP->getUserGroup()->getAttribute("memberuid");
+ $user_CNs = $LDAP->getQualifiedUserGroup()->getAttribute("memberuid");
 sort($user_CNs);
- $REDIS->setCache("sorted_users", "", $user_CNs);
+ $REDIS->setCache("sorted_qualified_users", "", $user_CNs);
 foreach ($users as $user) {
 $uid = $user->getAttribute("cn")[0];
 if (!in_array($uid, $user_CNs)) {
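Review bot: Nothing in the worker hunk (@@ -38) or elsewhere in this commit removes the old `sorted_users` Redis key, so after an upgrade it presumably stays alongside `sorted_qualified_users` with frozen membership until it expires or someone deletes it by hand; whether `setCache()` attaches a TTL is not visible here. A one-off deletion of the old key in this worker, using whatever the UnityRedis wrapper exposes for that, or a sentence in the README's 1.3 -> 1.4 section telling operators to clear it, would stop the stale key from misleading anyone who inspects the cache while debugging membership.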