feat: enhance user metadata lookup functionality

- Added comprehensive tests for the MetadataLookup method across Auth0, Authelia, and mock implementations, ensuring accurate handling of various input formats including canonical and search lookups.
- Updated README files to reflect support for Auth0 and Authelia, detailing the handling of Subject Identifiers (SUB) and their generation.
- Bumped version in Chart.yaml from 0.2.4 to 0.2.5 to reflect the latest changes.

Jira Ticket: https://linuxfoundation.atlassian.net/browse/LFXV2-493

Generated with [Cursor](https://cursor.com/)

Signed-off-by: Mauricio Zanetti Salomao <mauriciozanetti86@gmail.com>

Author: mauriciozanettisalomao

README.md

@@ -261,8 +261,10 @@ nats request lfx.auth-service.user_metadata.read john.doe
 - **Search lookups** are provided for convenience and user-facing interfaces
 - The pipe character (`|`) in canonical identifiers must be escaped with quotes in shell commands
 - Both strategies return the same metadata format on success
+- The service supports **Auth0**, **Authelia**, and **mock** repositories based on configuration
 - When using mock or authelia mode, the service simulates Auth0 behavior for development and testing
 - For detailed Auth0-specific behavior and limitations, see the [Auth0 Integration Documentation](internal/infrastructure/auth0/README.md)
+- For detailed Authelia-specific behavior and SUB management, see the [Authelia Integration Documentation](internal/infrastructure/authelia/README.md)
 
 ---
 

charts/lfx-v2-auth-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-auth-service
 description: LFX Platform V2 Auth Service chart
 type: application
-version: 0.2.4
+version: 0.2.5
 appVersion: "latest"

internal/infrastructure/auth0/user_test.go

@@ -809,6 +809,161 @@ func ptrValue(ptr *string) string {
 	return *ptr
 }
 
+// TestUserReaderWriter_MetadataLookup tests the MetadataLookup method for Auth0 implementation
+func TestUserReaderWriter_MetadataLookup(t *testing.T) {
+	ctx := context.Background()
+	writer := &userReaderWriter{}
+
+	tests := []struct {
+		name                 string
+		input                string
+		expectedCanonical    bool
+		expectedSub          string
+		expectedUserID       string
+		expectedUsername     string
+		expectedPrimaryEmail string
+	}{
+		{
+			name:                 "canonical lookup with pipe separator",
+			input:                "auth0|123456789",
+			expectedCanonical:    true,
+			expectedSub:          "auth0|123456789",
+			expectedUserID:       "auth0|123456789",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "canonical lookup with google oauth",
+			input:                "google-oauth2|987654321",
+			expectedCanonical:    true,
+			expectedSub:          "google-oauth2|987654321",
+			expectedUserID:       "google-oauth2|987654321",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "canonical lookup with github oauth",
+			input:                "github|456789123",
+			expectedCanonical:    true,
+			expectedSub:          "github|456789123",
+			expectedUserID:       "github|456789123",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "canonical lookup with saml enterprise",
+			input:                "samlp|enterprise|user123",
+			expectedCanonical:    true,
+			expectedSub:          "samlp|enterprise|user123",
+			expectedUserID:       "samlp|enterprise|user123",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "canonical lookup with linkedin oauth",
+			input:                "linkedin|789123456",
+			expectedCanonical:    true,
+			expectedSub:          "linkedin|789123456",
+			expectedUserID:       "linkedin|789123456",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "search lookup with username",
+			input:                "john.doe",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "john.doe",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "search lookup with username containing numbers",
+			input:                "developer123",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "developer123",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "search lookup with username containing dots and underscores",
+			input:                "jane_smith.dev",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "jane_smith.dev",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "empty input",
+			input:                "",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "whitespace only input",
+			input:                "   ",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "input with leading/trailing whitespace - canonical",
+			input:                "  auth0|123456789  ",
+			expectedCanonical:    true,
+			expectedSub:          "auth0|123456789",
+			expectedUserID:       "auth0|123456789",
+			expectedUsername:     "",
+			expectedPrimaryEmail: "",
+		},
+		{
+			name:                 "input with leading/trailing whitespace - search",
+			input:                "  john.doe  ",
+			expectedCanonical:    false,
+			expectedSub:          "",
+			expectedUserID:       "",
+			expectedUsername:     "john.doe",
+			expectedPrimaryEmail: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			user := &model.User{}
+
+			isCanonical := writer.MetadataLookup(ctx, tt.input, user)
+
+			// Check canonical vs search lookup decision
+			if isCanonical != tt.expectedCanonical {
+				t.Errorf("MetadataLookup() canonical = %v, expected %v", isCanonical, tt.expectedCanonical)
+			}
+
+			// Check user fields are set correctly
+			if user.Sub != tt.expectedSub {
+				t.Errorf("MetadataLookup() Sub = %q, expected %q", user.Sub, tt.expectedSub)
+			}
+
+			if user.UserID != tt.expectedUserID {
+				t.Errorf("MetadataLookup() UserID = %q, expected %q", user.UserID, tt.expectedUserID)
+			}
+
+			if user.Username != tt.expectedUsername {
+				t.Errorf("MetadataLookup() Username = %q, expected %q", user.Username, tt.expectedUsername)
+			}
+
+			if user.PrimaryEmail != tt.expectedPrimaryEmail {
+				t.Errorf("MetadataLookup() PrimaryEmail = %q, expected %q", user.PrimaryEmail, tt.expectedPrimaryEmail)
+			}
+		})
+	}
+}
+
 // Helper function to check if a string contains a substring
 func containsString(s, substr string) bool {
 	return len(s) >= len(substr) && (s == substr ||

internal/infrastructure/authelia/README.md

@@ -108,7 +108,9 @@ The Authelia integration requires the following configuration parameters:
 
 The Subject Identifier (SUB) in Authelia is a deterministic UUID that uniquely identifies each user within the system. Key characteristics:
 
-- **Deterministic Generation**: The SUB is a UUID that is consistently generated for each user by Authelia
+- **Deterministic Generation**: The SUB is a UUID that is deterministically generated from the username by Authelia
+- **No Provider Prefix**: Unlike Auth0 (which uses formats like `auth0|123456789`), Authelia SUBs are pure UUIDs without any provider prefix (e.g., `550e8400-e29b-41d4-a716-446655440000`)
+- **Username-Based**: The SUB is consistently derived from the username, ensuring the same username always produces the same SUB
 - **Token-Based Persistence**: To ensure consistent data retrieval from Authelia, the SUB is only persisted when a user is updated using a valid authentication token
 - **OIDC UserInfo Endpoint**: The SUB can be retrieved from Authelia's OIDC UserInfo endpoint at `/api/oidc/userinfo` using a valid token
 

internal/infrastructure/authelia/user.go

@@ -16,6 +16,8 @@ import (
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/errors"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/httpclient"
 	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/redaction"
+
+	"github.com/google/uuid"
 )
 
 // userReaderWriter implements UserReaderWriter with pluggable storage and ConfigMap sync
@@ -112,7 +114,11 @@ func (a *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 		return nil, errors.NewValidation("user is required")
 	}
 
-	key := user.Sub
+	key := ""
+	if user.Sub != "" {
+		key = a.storage.BuildLookupKey(ctx, "sub", user.BuildSubIndexKey(ctx))
+	}
+
 	if key == "" {
 		key = user.Username
 	}
@@ -128,6 +134,24 @@ func (a *userReaderWriter) GetUser(ctx context.Context, user *model.User) (*mode
 	return existingUser.User, nil
 }
 
+// MetadataLookup prepares the user for metadata lookup based on the input
+// Returns true if should use canonical lookup, false if should use search
+func (u *userReaderWriter) MetadataLookup(ctx context.Context, input string, user *model.User) bool {
+	input = strings.TrimSpace(input)
+
+	user.Username = input
+	if input != "" {
+		sub, err := uuid.Parse(input)
+		if err != nil {
+			return false
+		}
+		user.Sub = sub.String()
+		user.UserID = sub.String()
+		return true
+	}
+	return false
+}
+
 // UpdateUser updates a user only in storage with patch-like behavior, updating only changed fields
 func (a *userReaderWriter) UpdateUser(ctx context.Context, user *model.User) (*model.User, error) {
 	if user == nil {