add support to match identity based on email with fallback rules (#19)

mcalinghee · web-flow · commit a8109a3d860b · 2025-08-23T11:41:32.000+02:00
* add email mapping fallback rule

* add :tchap: comment
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/cli/src/commands/server.rs b/crates/cli/src/commands/server.rs
@@ -22,6 +22,9 @@ use mas_config::{
 };
 use mas_context::LogContext;
 use mas_data_model::{
+    //:tchap:
+    EmailLookupFallbackRule,
+    //:tchap:end
     SystemClock,
     //:tchap:
     TchapConfig, // :tchap: end
@@ -361,6 +364,14 @@ impl Options {
 fn tchap_config_from_tchap_app_config(tchap_app_config: &TchapAppConfig) -> TchapConfig {
     TchapConfig {
         identity_server_url: tchap_app_config.identity_server_url.clone(),
+        email_lookup_fallback_rules: tchap_app_config
+            .email_lookup_fallback_rules
+            .iter()
+            .map(|rule| EmailLookupFallbackRule {
+                match_with: rule.match_with.clone(),
+                search: rule.search.clone(),
+            })
+            .collect(),
     }
 }
 //:tchap: end
diff --git a/crates/config/src/sections/tchap.rs b/crates/config/src/sections/tchap.rs
@@ -41,6 +41,24 @@ pub struct TchapAppConfig {
     /// Identity Server Url
     #[serde(default = "default_identity_server_url")]
     pub identity_server_url: Url,
+
+    /// Fallback Rules to use when linking an upstream account
+    #[serde(default)]
+    pub email_lookup_fallback_rules: Vec<EmailLookupFallbackRule>,
+}
+
+/// When linking the localpart, the email can be used to find the correct
+/// localpart. By using the fallback rule, we can search for a Matrix account
+/// with the `search` email pattern for an upstream account matching with the
+/// `match_with` pattern
+#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug, Default, JsonSchema)]
+pub struct EmailLookupFallbackRule {
+    /// The upstream email pattern to match with when linking the localpart by
+    /// email
+    pub match_with: String,
+    /// The email pattern to use for the search when linking the localpart by
+    /// email
+    pub search: String,
 }
 
 impl ConfigurationSection for TchapAppConfig {
@@ -72,6 +90,9 @@ mod tests {
                 r"
                     tchap:
                       identity_server_url: http://localhost:8091
+                      email_lookup_fallback_rules:
+                        - match_with : '@upstream.domain.tld'
+                          search: '@matrix.domain.tld'
                 ",
             )?;
 
@@ -84,6 +105,14 @@ mod tests {
                 "http://localhost:8091/"
             );
 
+            assert_eq!(
+                config.email_lookup_fallback_rules,
+                vec![EmailLookupFallbackRule {
+                    match_with: "@upstream.domain.tld".to_string(),
+                    search: "@matrix.domain.tld".to_string(),
+                }]
+            );
+
             Ok(())
         });
     }
diff --git a/crates/data-model/src/tchap_config.rs b/crates/data-model/src/tchap_config.rs
@@ -31,4 +31,13 @@ use url::Url;
 pub struct TchapConfig {
     /// Identity Server Url
     pub identity_server_url: Url,
+
+    /// Fallback Rules to use when linking an upstream account
+    pub email_lookup_fallback_rules: Vec<EmailLookupFallbackRule>,
+}
+
+#[derive(PartialEq, Eq, Clone, Debug)]
+pub struct EmailLookupFallbackRule {
+    pub match_with: String,
+    pub search: String,
 }
diff --git a/crates/handlers/src/upstream_oauth2/link.rs b/crates/handlers/src/upstream_oauth2/link.rs
@@ -524,7 +524,32 @@ pub(crate) async fn get(
                         // We could run policy & existing user checks when the user submits the
                         // form, but this lead to poor UX. This is why we do
                         // it ahead of time here.
-                        let maybe_existing_user = repo.user().find_by_username(&localpart).await?;
+                        //:tchap:
+                        let mut maybe_existing_user =
+                            repo.user().find_by_username(&localpart).await?;
+                        //if not found by username, check by email
+                        if maybe_existing_user.is_none() {
+                            let template = provider
+                                .claims_imports
+                                .email
+                                .template
+                                .as_deref()
+                                .unwrap_or(DEFAULT_EMAIL_TEMPLATE);
+
+                            let maybe_email = render_attribute_template(
+                                &env,
+                                template,
+                                &context,
+                                provider.claims_imports.email.is_required(),
+                            );
+
+                            if let Ok(Some(email)) = maybe_email {
+                                maybe_existing_user =
+                                    tchap::search_user_by_email(&mut repo, &email, &tchap_config)
+                                        .await?;
+                            }
+                        }
+                        //:tchap: end
                         let is_available = homeserver
                             .is_localpart_available(&localpart)
                             .await
diff --git a/crates/tchap/Cargo.toml b/crates/tchap/Cargo.toml
@@ -14,4 +14,5 @@ tokio.workspace = true
 url.workspace = true
 serde.workspace = true
 
-mas-data-model.workspace = true
+mas-data-model.workspace = true
+mas-storage.workspace = true
diff --git a/crates/tchap/src/lib.rs b/crates/tchap/src/lib.rs
@@ -27,6 +27,7 @@
 
 extern crate tracing;
 use mas_data_model::TchapConfig;
+use mas_storage::BoxRepository;
 use tracing::info;
 
 mod identity_client;
@@ -233,6 +234,80 @@ pub async fn is_email_allowed(
     }
 }
 
+/// Search for a user by email with fallback rules
+///
+/// # Parameters
+/// * `repo` - Repository access
+/// * `email` - The email to search for
+/// * `fallback_rules` - Fallback rules for email transformation
+///
+/// # Returns
+/// Option<`mas_data_model::User`> - The found user if any
+pub async fn search_user_by_email(
+    repo: &mut BoxRepository,
+    email: &str,
+    tchap_config: &TchapConfig,
+) -> Result<Option<mas_data_model::User>, mas_storage::RepositoryError> {
+    tracing::info!("Matching oidc identity by email:{}", email);
+    let maybe_user_email = repo.user_email().find_by_email(email).await?;
+
+    if let Some(user_email) = maybe_user_email {
+        let maybe_user_found: Option<mas_data_model::User> =
+            repo.user().lookup(user_email.user_id).await?;
+        return Ok(maybe_user_found);
+    }
+
+    tracing::info!(
+        "Email not found, Matching oidc identity by email using fallback rules:{}",
+        email
+    );
+    let fallback_rules = &tchap_config.email_lookup_fallback_rules;
+    // let fallback_rules: Value =
+    //     serde_json::from_str(r#"[{"match":"@numerique.gouv.fr",
+    // "search":"@beta.gouv.fr"}]"#)         .unwrap();
+
+    // Iterate on fallback_rules, if a rule 'match' matches the email,
+    // replace by value of 'search' and lookup again the email
+    for rule in fallback_rules {
+        let match_pattern = &rule.match_with;
+        let search_value = &rule.search;
+        tracing::info!(
+            "Checking fallback rules {} : {}",
+            match_pattern,
+            search_value
+        );
+
+        // Check if email contains the match pattern
+        if email.contains(match_pattern) {
+            // Replace match pattern with search value
+            let transformed_email = email.replace(match_pattern, search_value);
+            tracing::debug!(
+                "Search by transformed email fallback rules {}",
+                transformed_email
+            );
+
+            // Look up the transformed email
+            let maybe_transformed_user_email =
+                repo.user_email().find_by_email(&transformed_email).await?;
+
+            if let Some(transformed_user_email) = maybe_transformed_user_email {
+                let user_found: Option<mas_data_model::User> =
+                    repo.user().lookup(transformed_user_email.user_id).await?;
+                tracing::info!(
+                    "User found with fallback rules {} : {}",
+                    match_pattern,
+                    search_value
+                );
+
+                return Ok(user_found);
+            }
+        }
+    }
+
+    Ok(None)
+}
+//:tchap: end
+
 pub use self::test_utils::*;
 
 #[cfg(test)]
diff --git a/crates/tchap/src/test_utils.rs b/crates/tchap/src/test_utils.rs
@@ -29,5 +29,6 @@ use url::Url;
 pub fn test_tchap_config() -> TchapConfig {
     TchapConfig {
         identity_server_url: Url::parse("http://localhost:8091").unwrap(),
+        email_lookup_fallback_rules: vec![],
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,6 @@ use url::Url;`
`29`	`29`	`pub fn test_tchap_config() -> TchapConfig {`
`30`	`30`	`TchapConfig {`
`31`	`31`	`identity_server_url: Url::parse("http://localhost:8091").unwrap(),`
	`32`	`+ email_lookup_fallback_rules: vec![],`
`32`	`33`	`}`
`33`	`34`	`}`