Merge pull request #12 from mauriciozanettisalomao/feat/lfxv2-588-user-metadata-read-authelia

[LFXV2-588] User metadata read - authelia

Author: mauriciozanettisalomao

README.md

@@ -261,8 +261,10 @@ nats request lfx.auth-service.user_metadata.read john.doe
 - **Search lookups** are provided for convenience and user-facing interfaces
 - The pipe character (`|`) in canonical identifiers must be escaped with quotes in shell commands
 - Both strategies return the same metadata format on success
+- The service supports **Auth0**, **Authelia**, and **mock** repositories based on configuration
 - When using mock or authelia mode, the service simulates Auth0 behavior for development and testing
 - For detailed Auth0-specific behavior and limitations, see the [Auth0 Integration Documentation](internal/infrastructure/auth0/README.md)
+- For detailed Authelia-specific behavior and SUB management, see the [Authelia Integration Documentation](internal/infrastructure/authelia/README.md)
 
 ---
 

charts/lfx-v2-auth-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-auth-service
 description: LFX Platform V2 Auth Service chart
 type: application
-version: 0.2.4
+version: 0.2.5
 appVersion: "latest"

internal/domain/model/user.go

@@ -237,22 +237,3 @@ func (a *UserMetadata) Patch(update *UserMetadata) bool {
 
 	return updated
 }
-
-// PrepareForMetadataLookup prepares the user for metadata lookup based on the input
-// Returns true if should use canonical lookup, false if should use search
-func (u *User) PrepareForMetadataLookup(input string) bool {
-	input = strings.TrimSpace(input)
-
-	if strings.Contains(input, "|") {
-		// Input contains "|", use as sub for canonical lookup
-		u.Sub = input
-		u.UserID = input // Auth0 uses user_id for the canonical lookup
-		u.Username = ""  // Clear username field
-		return true
-	}
-	// Input doesn't contain "|", use for search query
-	u.Sub = ""    // Clear sub field
-	u.UserID = "" // Clear user_id field
-	u.Username = input
-	return false
-}

internal/domain/model/user_test.go

@@ -394,229 +394,6 @@ func TestUserMetadata_userMetadataSanitize(t *testing.T) {
 	})
 }
 
-func TestUser_PrepareForMetadataLookup(t *testing.T) {
-	tests := []struct {
-		name              string
-		input             string
-		expectedCanonical bool
-		expectedSub       string
-		expectedUserID    string
-		expectedUsername  string
-	}{
-		{
-			name:              "canonical lookup with auth0 connection",
-			input:             "auth0|123456789",
-			expectedCanonical: true,
-			expectedSub:       "auth0|123456789",
-			expectedUserID:    "auth0|123456789",
-			expectedUsername:  "",
-		},
-		{
-			name:              "canonical lookup with google oauth2",
-			input:             "google-oauth2|987654321",
-			expectedCanonical: true,
-			expectedSub:       "google-oauth2|987654321",
-			expectedUserID:    "google-oauth2|987654321",
-			expectedUsername:  "",
-		},
-		{
-			name:              "canonical lookup with github connection",
-			input:             "github|456789123",
-			expectedCanonical: true,
-			expectedSub:       "github|456789123",
-			expectedUserID:    "github|456789123",
-			expectedUsername:  "",
-		},
-		{
-			name:              "canonical lookup with samlp enterprise",
-			input:             "samlp|enterprise|user123",
-			expectedCanonical: true,
-			expectedSub:       "samlp|enterprise|user123",
-			expectedUserID:    "samlp|enterprise|user123",
-			expectedUsername:  "",
-		},
-		{
-			name:              "canonical lookup with linkedin",
-			input:             "linkedin|789123456",
-			expectedCanonical: true,
-			expectedSub:       "linkedin|789123456",
-			expectedUserID:    "linkedin|789123456",
-			expectedUsername:  "",
-		},
-		{
-			name:              "search lookup with simple username",
-			input:             "john.doe",
-			expectedCanonical: false,
-			expectedSub:       "",
-			expectedUserID:    "",
-			expectedUsername:  "john.doe",
-		},
-		{
-			name:              "search lookup with complex username",
-			input:             "jane.smith123",
-			expectedCanonical: false,
-			expectedSub:       "",
-			expectedUserID:    "",
-			expectedUsername:  "jane.smith123",
-		},
-		{
-			name:              "search lookup with developer username",
-			input:             "developer123",
-			expectedCanonical: false,
-			expectedSub:       "",
-			expectedUserID:    "",
-			expectedUsername:  "developer123",
-		},
-		{
-			name:              "canonical lookup with spaces (trimmed)",
-			input:             "  auth0|123456789  ",
-			expectedCanonical: true,
-			expectedSub:       "auth0|123456789",
-			expectedUserID:    "auth0|123456789",
-			expectedUsername:  "",
-		},
-		{
-			name:              "search lookup with spaces (trimmed)",
-			input:             "  john.doe  ",
-			expectedCanonical: false,
-			expectedSub:       "",
-			expectedUserID:    "",
-			expectedUsername:  "john.doe",
-		},
-		{
-			name:              "canonical lookup with pipe at start",
-			input:             "|startpipe",
-			expectedCanonical: true,
-			expectedSub:       "|startpipe",
-			expectedUserID:    "|startpipe",
-			expectedUsername:  "",
-		},
-		{
-			name:              "canonical lookup with pipe at end",
-			input:             "endpipe|",
-			expectedCanonical: true,
-			expectedSub:       "endpipe|",
-			expectedUserID:    "endpipe|",
-			expectedUsername:  "",
-		},
-		{
-			name:              "empty input (search strategy)",
-			input:             "",
-			expectedCanonical: false,
-			expectedSub:       "",
-			expectedUserID:    "",
-			expectedUsername:  "",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			user := &User{}
-			result := user.PrepareForMetadataLookup(tt.input)
-
-			// Check strategy result
-			if result != tt.expectedCanonical {
-				t.Errorf("PrepareForMetadataLookup() returned %v, expected %v", result, tt.expectedCanonical)
-			}
-
-			// Check Sub field
-			if user.Sub != tt.expectedSub {
-				t.Errorf("Sub = %q, expected %q", user.Sub, tt.expectedSub)
-			}
-
-			// Check UserID field
-			if user.UserID != tt.expectedUserID {
-				t.Errorf("UserID = %q, expected %q", user.UserID, tt.expectedUserID)
-			}
-
-			// Check Username field
-			if user.Username != tt.expectedUsername {
-				t.Errorf("Username = %q, expected %q", user.Username, tt.expectedUsername)
-			}
-		})
-	}
-}
-
-func TestUser_PrepareForMetadataLookup_Idempotency(t *testing.T) {
-	// Test that calling PrepareForMetadataLookup multiple times with the same input
-	// produces the same result
-	user := &User{}
-
-	// First call
-	result1 := user.PrepareForMetadataLookup("auth0|123456789")
-	sub1, userID1, username1 := user.Sub, user.UserID, user.Username
-
-	// Second call with same input
-	result2 := user.PrepareForMetadataLookup("auth0|123456789")
-	sub2, userID2, username2 := user.Sub, user.UserID, user.Username
-
-	// Results should be identical
-	if result1 != result2 {
-		t.Errorf("PrepareForMetadataLookup() not idempotent: first=%v, second=%v", result1, result2)
-	}
-	if sub1 != sub2 {
-		t.Errorf("Sub not idempotent: first=%q, second=%q", sub1, sub2)
-	}
-	if userID1 != userID2 {
-		t.Errorf("UserID not idempotent: first=%q, second=%q", userID1, userID2)
-	}
-	if username1 != username2 {
-		t.Errorf("Username not idempotent: first=%q, second=%q", username1, username2)
-	}
-}
-
-func TestUser_PrepareForMetadataLookup_StrategySwitch(t *testing.T) {
-	// Test that switching between strategies properly clears the other fields
-	user := &User{}
-
-	// Start with canonical lookup
-	canonical := user.PrepareForMetadataLookup("auth0|123456789")
-	if !canonical {
-		t.Fatal("Expected canonical strategy")
-	}
-	if user.Sub == "" || user.UserID == "" || user.Username != "" {
-		t.Errorf("Canonical strategy fields not set correctly: Sub=%q, UserID=%q, Username=%q",
-			user.Sub, user.UserID, user.Username)
-	}
-
-	// Switch to search lookup
-	search := user.PrepareForMetadataLookup("john.doe")
-	if search {
-		t.Fatal("Expected search strategy")
-	}
-	if user.Sub != "" || user.UserID != "" || user.Username == "" {
-		t.Errorf("Search strategy fields not set correctly: Sub=%q, UserID=%q, Username=%q",
-			user.Sub, user.UserID, user.Username)
-	}
-}
-
-func TestUser_PrepareForMetadataLookup_PreservesOtherFields(t *testing.T) {
-	// Test that PrepareForMetadataLookup doesn't modify other user fields
-	user := &User{
-		Token:        "test-token",
-		PrimaryEmail: "test@example.com",
-		UserMetadata: &UserMetadata{
-			Name: converters.StringPtr("Test User"),
-		},
-	}
-
-	originalToken := user.Token
-	originalEmail := user.PrimaryEmail
-	originalMetadata := user.UserMetadata
-
-	user.PrepareForMetadataLookup("auth0|123456789")
-
-	if user.Token != originalToken {
-		t.Errorf("Token was modified: got %q, expected %q", user.Token, originalToken)
-	}
-	if user.PrimaryEmail != originalEmail {
-		t.Errorf("PrimaryEmail was modified: got %q, expected %q", user.PrimaryEmail, originalEmail)
-	}
-	if user.UserMetadata != originalMetadata {
-		t.Errorf("UserMetadata was modified")
-	}
-}
-
 func TestUser_buildIndexKey(t *testing.T) {
 	tests := []struct {
 		name         string

internal/domain/port/user.go

@@ -19,6 +19,7 @@ type UserReaderWriter interface {
 type UserReader interface {
 	GetUser(ctx context.Context, user *model.User) (*model.User, error)
 	SearchUser(ctx context.Context, user *model.User, criteria string) (*model.User, error)
+	MetadataLookup(ctx context.Context, input string, user *model.User) bool
 }
 
 // UserWriter defines the behavior of the user writer

internal/domain/model/auth0.go internal/infrastructure/auth0/models.gointernal/domain/model/auth0.go renamed to internal/infrastructure/auth0/models.go

@@ -1,7 +1,9 @@
 // Copyright The Linux Foundation and each contributor to LFX.
 // SPDX-License-Identifier: MIT
 
-package model
+package auth0
+
+import "github.com/linuxfoundation/lfx-v2-auth-service/internal/domain/model"
 
 // Auth0User represents a user in Auth0
 type Auth0User struct {
@@ -45,10 +47,10 @@ type Auth0UserMetadata struct {
 }
 
 // ToUser converts an Auth0User to a User
-func (u *Auth0User) ToUser() *User {
-	var meta *UserMetadata
+func (u *Auth0User) ToUser() *model.User {
+	var meta *model.UserMetadata
 	if u.UserMetadata != nil {
-		meta = &UserMetadata{
+		meta = &model.UserMetadata{
 			Name:          u.UserMetadata.Name,
 			FamilyName:    u.UserMetadata.FamilyName,
 			GivenName:     u.UserMetadata.GivenName,
@@ -65,7 +67,7 @@ func (u *Auth0User) ToUser() *User {
 			Zoneinfo:      u.UserMetadata.Zoneinfo,
 		}
 	}
-	return &User{
+	return &model.User{
 		UserID:       u.UserID,
 		Username:     u.Username,
 		PrimaryEmail: u.Email,

internal/infrastructure/auth0/user.go

@@ -174,7 +174,7 @@ func (u *userReaderWriter) SearchUser(ctx context.Context, user *model.User, cri
 		httpclient.WithDescription("search user"),
 	)
 
-	var users []model.Auth0User
+	var users []Auth0User
 
 	statusCode, errCall := apiRequest.Call(ctx, &users)
 	if errCall != nil {
@@ -264,7 +264,7 @@ func (u *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 	)
 
 	// Parse the response to update the user object
-	var auth0User *model.Auth0User
+	var auth0User *Auth0User
 	statusCode, errCall := apiRequest.Call(ctx, &auth0User)
 	if errCall != nil {
 		slog.ErrorContext(ctx, "failed to get user from Auth0",
@@ -291,6 +291,25 @@ func (u *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 	return auth0User.ToUser(), nil
 }
 
+// MetadataLookup prepares the user for metadata lookup based on the input
+// Returns true if should use canonical lookup, false if should use search
+func (u *userReaderWriter) MetadataLookup(ctx context.Context, input string, user *model.User) bool {
+	input = strings.TrimSpace(input)
+
+	if strings.Contains(input, "|") {
+		// Input contains "|", use as sub for canonical lookup
+		user.Sub = input
+		user.UserID = input // Auth0 uses user_id for the canonical lookup
+		user.Username = ""  // Clear username field
+		return true
+	}
+	// Input doesn't contain "|", use for search query
+	user.Sub = ""    // Clear sub field
+	user.UserID = "" // Clear user_id field
+	user.Username = input
+	return false
+}
+
 func (u *userReaderWriter) UpdateUser(ctx context.Context, user *model.User) (*model.User, error) {
 
 	if err := u.jwtVerify(ctx, user); err != nil {