Merge pull request #15 from mauriciozanettisalomao/feat/jira-497-user-data-consumption-backward-compatible

[LFXV2-498, LFXV2-499] User data consumption req/reply - hybrid input support

Author: mauriciozanettisalomao

.gitleaks.toml

@@ -0,0 +1,10 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+title = "gitleaks config"
+
+[allowlist]
+description = "Allowlist for false positives"
+paths = [
+  "pkg/jwt/parser_test.go"
+]

.gitleaksignore

@@ -0,0 +1,2 @@
+# Ignore false positives in test files
+pkg/jwt/parser_test.go

README.md

@@ -162,16 +162,43 @@ To retrieve user metadata, send a NATS request to the following subject:
 **Subject:** `lfx.auth-service.user_metadata.read`  
 **Pattern:** Request/Reply
 
-The service takes a token and validates/retrieves user data from the target identity provider based on the `USER_REPOSITORY_TYPE` environment variable configuration.
+The service supports a **hybrid approach** for user metadata retrieval, accepting multiple input types and automatically determining the appropriate lookup strategy based on the input format.
+
+#### Hybrid Input Support
+
+The service intelligently handles different input types:
+
+1. **JWT Tokens** (Auth0) or **Authelia Tokens** (Authelia)
+2. **Subject Identifiers** (canonical user IDs)
+3. **Usernames**
 
 ##### Request Payload
 
-The request payload should be a token (no JSON wrapping required):
+The request payload can be any of the following formats (no JSON wrapping required):
 
+**JWT Token (Auth0):**
 ```
 eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
 ```
 
+**Subject Identifier:**
+```
+auth0|123456789
+```
+
+**Username:**
+```
+john.doe
+```
+
+##### Lookup Strategy
+
+The service automatically determines the lookup strategy based on input format:
+
+- **Token Strategy**: If input is a JWT/Authelia token, validates the token and extracts the subject identifier
+- **Canonical Lookup**: If input contains `|` (pipe character) or is a UUID, treats as subject identifier for direct lookup
+- **Username Search**: If input doesn't match above patterns, treats as username for search lookup
+
 ##### Reply
 
 The service returns a structured reply with user metadata:
@@ -218,12 +245,19 @@ The service returns a structured reply with user metadata:
 ##### Example using NATS CLI
 
 ```bash
-# Retrieve user metadata using token
+# Retrieve user metadata using JWT token
 nats request lfx.auth-service.user_metadata.read "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
+
+# Retrieve user metadata using subject identifier
+nats request lfx.auth-service.user_metadata.read "auth0|123456789"
+
+# Retrieve user metadata using username
+nats request lfx.auth-service.user_metadata.read "john.doe"
 ```
 
 **Important Notes:**
-- The service validates the token and extracts user information from the target identity provider
+- The service automatically detects input type and applies the appropriate lookup strategy
+- JWT tokens are validated for signature and expiration before extracting subject information
 - The target identity provider is determined by the `USER_REPOSITORY_TYPE` environment variable
 - For detailed Auth0-specific behavior and limitations, see: [`internal/infrastructure/auth0/README.md`](internal/infrastructure/auth0/README.md)
 - For detailed Authelia-specific behavior and SUB management, see: [`internal/infrastructure/authelia/README.md`](internal/infrastructure/authelia/README.md)

charts/lfx-v2-auth-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-auth-service
 description: LFX Platform V2 Auth Service chart
 type: application
-version: 0.2.6
+version: 0.2.7
 appVersion: "latest"

internal/infrastructure/auth0/jwt_parser.go

@@ -14,6 +14,7 @@ import (
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/errors"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/httpclient"
 	jwtparser "github.com/linuxfoundation/lfx-v2-auth-service/pkg/jwt"
+	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/redaction"
 )
 
 // JWTVerificationConfig holds configuration for JWT signature verification
@@ -61,7 +62,7 @@ func (j *JWTVerificationConfig) JWTVerify(ctx context.Context, token string, req
 	}
 
 	slog.DebugContext(ctx, "JWT signature verification successful",
-		"user_id", claims.Subject,
+		"user_id", redaction.Redact(claims.Subject),
 		"issuer", claims.Issuer,
 		"audience", claims.Audience,
 		"expires_at", claims.ExpiresAt,

internal/infrastructure/auth0/jwt_parser_test.go

@@ -359,7 +359,7 @@ func TestMetadataLookupWithoutJWTVerificationConfig(t *testing.T) {
 		{
 			name:        "missing JWT verification config for metadata lookup",
 			token:       "any-token",
-			expectError: true,
+			expectError: false, // Now handled as username lookup with M2M token
 		},
 	}
 

internal/infrastructure/auth0/user.go

@@ -16,6 +16,7 @@ import (
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/constants"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/errors"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/httpclient"
+	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/jwt"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/redaction"
 )
 
@@ -81,6 +82,10 @@ func (u *userReaderWriter) SearchUser(ctx context.Context, user *model.User, cri
 	}
 
 	if user.Token == "" {
+		slog.DebugContext(ctx, "getting M2M token",
+			"criteria", criteria,
+		)
+
 		m2mToken, errGetToken := u.config.M2MTokenManager.GetToken(ctx)
 		if errGetToken != nil {
 			return nil, errors.NewUnexpected("failed to get M2M token", errGetToken)
@@ -162,6 +167,18 @@ func (u *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 
 	slog.DebugContext(ctx, "getting user", "user_id", user.UserID)
 
+	if user.Token == "" {
+		slog.DebugContext(ctx, "getting M2M token",
+			"user_id", redaction.Redact(user.UserID),
+		)
+
+		m2mToken, errGetToken := u.config.M2MTokenManager.GetToken(ctx)
+		if errGetToken != nil {
+			return nil, errors.NewUnexpected("failed to get M2M token", errGetToken)
+		}
+		user.Token = m2mToken
+	}
+
 	// If we don't have a user ID, we can't fetch the user
 	if user.UserID == "" {
 		return nil, errors.NewValidation("user_id is required to get user")
@@ -207,7 +224,7 @@ func (u *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 }
 
 // MetadataLookup prepares the user for metadata lookup based on the input
-// Verifies JWT token with read:current_user scope and extracts user information
+// Accepts JWT token, username, or sub
 func (u *userReaderWriter) MetadataLookup(ctx context.Context, input string) (*model.User, error) {
 	// Validate input
 	input = strings.TrimSpace(input)
@@ -217,37 +234,52 @@ func (u *userReaderWriter) MetadataLookup(ctx context.Context, input string) (*m
 
 	slog.DebugContext(ctx, "metadata lookup", "input", redaction.Redact(input))
 
-	// Verify JWT token with read scope
-	if u.config.JWTVerificationConfig == nil {
-		return nil, errors.NewValidation("JWT verification configuration is required")
-	}
+	user := &model.User{}
 
-	claims, err := u.config.JWTVerificationConfig.JWTVerify(ctx, input, userReadRequiredScope)
-	if err != nil {
-		slog.ErrorContext(ctx, "JWT signature verification failed for metadata lookup",
-			"error", err,
+	// First, try to parse as JWT token to extract the sub
+	if cleanToken, isJWT := jwt.LooksLikeJWT(input); isJWT {
+
+		slog.DebugContext(ctx, "jwt strategy", "input", redaction.Redact(input))
+
+		// Verify JWT token with read scope
+		if u.config.JWTVerificationConfig == nil {
+			return nil, errors.NewValidation("JWT verification configuration is required")
+		}
+
+		claims, err := u.config.JWTVerificationConfig.JWTVerify(ctx, cleanToken, userReadRequiredScope)
+		if err != nil {
+			slog.ErrorContext(ctx, "JWT signature verification failed",
+				"error", err,
+			)
+			return nil, err
+		}
+
+		// Successfully verified JWT token
+		user.Token = cleanToken
+		user.UserID = claims.Subject
+		user.Sub = claims.Subject
+
+		slog.DebugContext(ctx, "JWT signature verification successful for metadata lookup",
+			"sub", user.Sub,
 		)
-		return nil, err
-	}
+		return user, nil
 
-	// Clean the token by removing Bearer prefix if present
-	cleanToken := strings.TrimSpace(input)
-	parts := strings.Fields(input)
-	if len(parts) > 1 && strings.EqualFold(parts[0], "Bearer") {
-		cleanToken = strings.Join(parts[1:], " ")
 	}
 
-	// Create user object with cleaned token and extracted claims
-	user := &model.User{
-		Token:  cleanToken,
-		UserID: claims.Subject,
-		Sub:    claims.Subject,
+	// Determine lookup strategy based on input format
+	switch {
+	case strings.Contains(input, "|"):
+		// Input contains "|", use as sub for canonical lookup
+		user.UserID = input
+		slog.DebugContext(ctx, "canonical lookup strategy", "sub", redaction.Redact(input))
+
+	default:
+		// username search
+		user.Username = input
+		user.UserID = ""
+		slog.DebugContext(ctx, "username search strategy", "username", redaction.Redact(input))
 	}
 
-	slog.DebugContext(ctx, "JWT signature verification successful for metadata lookup",
-		"sub", user.Sub,
-	)
-
 	return user, nil
 }
 

internal/infrastructure/auth0/user_test.go

@@ -697,17 +697,17 @@ func TestUserReaderWriter_MetadataLookup(t *testing.T) {
 		{
 			name:        "invalid JWT token",
 			input:       "invalid-token",
-			expectError: true,
+			expectError: false, // Now handled as username lookup
 		},
 		{
 			name:        "non-JWT input",
 			input:       "test@example.com",
-			expectError: true,
+			expectError: false, // Now handled as email lookup
 		},
 		{
 			name:        "username input",
 			input:       "testuser",
-			expectError: true,
+			expectError: false, // Now handled as username lookup
 		},
 		{
 			name:        "valid JWT token with read:current_user scope",

internal/infrastructure/authelia/user.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/google/uuid"
 	"github.com/linuxfoundation/lfx-v2-auth-service/internal/domain/model"
 	"github.com/linuxfoundation/lfx-v2-auth-service/internal/domain/port"
 	"github.com/linuxfoundation/lfx-v2-auth-service/internal/infrastructure/nats"
@@ -134,37 +135,47 @@ func (a *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 }
 
 // MetadataLookup prepares the user for metadata lookup based on the input
-// Returns true if should use canonical lookup, false if should use search
+// Accepts Authelia token, username, or sub
 func (u *userReaderWriter) MetadataLookup(ctx context.Context, input string) (*model.User, error) {
 
 	if input == "" {
 		return nil, errors.NewValidation("input is required")
 	}
 
-	userInfo, err := u.fetchOIDCUserInfo(ctx, input)
-	if err != nil {
-		slog.ErrorContext(ctx, "failed to fetch OIDC userinfo",
-			"error", err,
-		)
-		return nil, err
-	}
+	slog.DebugContext(ctx, "metadata lookup", "input", redaction.Redact(input))
 
 	user := &model.User{}
-	if userInfo != nil {
-		if userInfo.Sub != "" {
-			slog.DebugContext(ctx, "found sub in OIDC userinfo",
-				"sub", userInfo.Sub,
-			)
-			user.Sub = userInfo.Sub
-		}
-		if userInfo.PreferredUsername != "" {
-			slog.DebugContext(ctx, "found username in OIDC userinfo",
-				"username", userInfo.PreferredUsername,
+
+	// First, try to parse as Authelia token (starts with 'authelia')
+	if strings.HasPrefix(input, "authelia") {
+		// Handle Authelia token
+		userInfo, err := u.fetchOIDCUserInfo(ctx, input)
+		if err != nil {
+			slog.ErrorContext(ctx, "failed to fetch OIDC userinfo",
+				"error", err,
 			)
-			user.Username = userInfo.PreferredUsername
+			return nil, err
 		}
+		user.Token = input
+		user.UserID = userInfo.Sub
+		user.Sub = userInfo.Sub
+		user.Username = userInfo.PreferredUsername
+		return user, nil
+	}
+
+	sub, errParseUUID := uuid.Parse(input)
+	if errParseUUID == nil {
+		user.UserID = sub.String()
+		user.Sub = user.UserID
+		slog.DebugContext(ctx, "canonical lookup strategy", "sub", redaction.Redact(input))
+		return user, nil
 	}
 
+	// username search
+	user.Username = input
+	user.Sub = input
+	slog.DebugContext(ctx, "username search strategy", "username", redaction.Redact(input))
+
 	return user, nil
 }
 

internal/infrastructure/authelia/user_test.go

@@ -97,8 +97,7 @@ func TestUserReaderWriter_MetadataLookup(t *testing.T) {
 		{
 			name:        "invalid token - should fail OIDC fetch",
 			input:       "invalid-token",
-			expectError: true,
-			// The actual error message will depend on the OIDC configuration
+			expectError: false, // Now handled as username lookup
 		},
 	}