+func (s *LoginSuite) TestGoogleLogin_RealName(c *check.C) {
+ s.authEmail = "joe.smith@primary.example.com"
+ s.fakePeopleAPIResponse = map[string]interface{}{
+ "names": []map[string]interface{}{
+ {
+ "metadata": map[string]interface{}{"primary": false},
+ "givenName": "Joe",
+ "familyName": "Smith",
+ },
+ {
+ "metadata": map[string]interface{}{"primary": true},
+ "givenName": "Joseph",
+ "familyName": "Psmith",
+ },
+ },
+ }
+ state := s.startLogin(c)
+ s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+
+ authinfo := s.getCallbackAuthInfo(c)
+ c.Check(authinfo.FirstName, check.Equals, "Joseph")
+ c.Check(authinfo.LastName, check.Equals, "Psmith")
+}
+
+func (s *LoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
+ s.authName = "Joe P. Smith"
+ s.authEmail = "joe.smith@primary.example.com"
+ state := s.startLogin(c)
+ s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+
+ authinfo := s.getCallbackAuthInfo(c)
+ c.Check(authinfo.FirstName, check.Equals, "Joe P.")
+ c.Check(authinfo.LastName, check.Equals, "Smith")
+}
+
+// People API returns some additional email addresses.
+func (s *LoginSuite) TestGoogleLogin_AlternateEmailAddresses(c *check.C) {
+ s.authEmail = "joe.smith@primary.example.com"
+ s.fakePeopleAPIResponse = map[string]interface{}{
+ "emailAddresses": []map[string]interface{}{
+ {
+ "metadata": map[string]interface{}{"verified": true},
+ "value": "joe.smith@work.example.com",
+ },
+ {
+ "value": "joe.smith@unverified.example.com", // unverified, so this one will be ignored
+ },
+ {
+ "metadata": map[string]interface{}{"verified": true},
+ "value": "joe.smith@home.example.com",
+ },
+ },
+ }
+ state := s.startLogin(c)
+ s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+
+ authinfo := s.getCallbackAuthInfo(c)
+ c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
+ c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com", "joe.smith@work.example.com"})
+}
+
+// Primary address is not the one initially returned by oidc.
+func (s *LoginSuite) TestGoogleLogin_AlternateEmailAddresses_Primary(c *check.C) {
+ s.authEmail = "joe.smith@alternate.example.com"
+ s.fakePeopleAPIResponse = map[string]interface{}{
+ "emailAddresses": []map[string]interface{}{
+ {
+ "metadata": map[string]interface{}{"verified": true, "primary": true},
+ "value": "joe.smith@primary.example.com",
+ },
+ {
+ "metadata": map[string]interface{}{"verified": true},
+ "value": "joe.smith@alternate.example.com",
+ },
+ },
+ }
+ state := s.startLogin(c)
+ s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+ authinfo := s.getCallbackAuthInfo(c)
+ c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
+ c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@alternate.example.com"})
+}
+
+func (s *LoginSuite) TestGoogleLogin_NoPrimaryEmailAddress(c *check.C) {
+ s.authEmail = "joe.smith@unverified.example.com"
+ s.authEmailVerified = false
+ s.fakePeopleAPIResponse = map[string]interface{}{
+ "emailAddresses": []map[string]interface{}{
+ {
+ "metadata": map[string]interface{}{"verified": true},
+ "value": "joe.smith@work.example.com",
+ },
+ {
+ "metadata": map[string]interface{}{"verified": true},
+ "value": "joe.smith@home.example.com",
+ },
+ },
+ }
+ state := s.startLogin(c)
+ s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+
+ authinfo := s.getCallbackAuthInfo(c)
+ c.Check(authinfo.Email, check.Equals, "joe.smith@work.example.com") // first verified email in People response
+ c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com"})
+}
+
+func (s *LoginSuite) getCallbackAuthInfo(c *check.C) (authinfo rpc.UserSessionAuthInfo) {
+ for _, dump := range s.railsSpy.RequestDumps {
+ c.Logf("spied request: %q", dump)
+ split := bytes.Split(dump, []byte("\r\n\r\n"))
+ c.Assert(split, check.HasLen, 2)
+ hdr, body := string(split[0]), string(split[1])
+ if strings.Contains(hdr, "POST /auth/controller/callback") {
+ vs, err := url.ParseQuery(body)
+ c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
+ c.Check(err, check.IsNil)
+ sort.Strings(authinfo.AlternateEmails)
+ return
+ }
+ }
+ c.Error("callback not found")
+ return
+}
+
+func (s *LoginSuite) startLogin(c *check.C) (state string) {
+ // Initiate login, but instead of following the redirect to
+ // the provider, just grab state from the redirect URL.
+ resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{ReturnTo: "https://app.example.com/foo?bar"})
+ c.Check(err, check.IsNil)
+ target, err := url.Parse(resp.RedirectLocation)
+ c.Check(err, check.IsNil)
+ state = target.Query().Get("state")
+ c.Check(state, check.Not(check.Equals), "")
+ return
+}
+