Faet/Fix #4973, #4974, #4975

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Author: lukaszgryglicki

.github/workflows/cypress-functional-pr.yml

@@ -11,6 +11,10 @@ on:
 permissions:
   contents: read
 
+concurrency:                          
+  group: easycla-shared-dev-cypress-functional                               
+  cancel-in-progress: false
+
 jobs:
   cypress-functional:
     if: ${{ github.event.pull_request.head.repo.fork == false }}
@@ -65,6 +69,7 @@ jobs:
           APP_URL=https://api-gw.dev.platform.linuxfoundation.org/
           AUTH0_TOKEN_API=https://linuxfoundation-dev.auth0.com/oauth/token
           CYPRESS_ENV=dev
+          CYPRESS_E2E_RUN_ID=${{ github.run_id }}-${{ github.run_attempt }}
 
           AUTH0_USER_NAME=${{ secrets.AUTH0_USER_NAME }}
           AUTH0_PASSWORD=${{ secrets.AUTH0_PASSWORD }}

cla-backend-go/auth/authorizer.go

@@ -134,6 +134,10 @@ func (a Authorizer) SecurityAuth(token string, scopes []string) (*user.CLAUser,
 		}
 		return nil, err
 	}
+
+	if name != "" {
+		lfuser.Name = name
+	}
 	//log.WithFields(f).Debugf("user loaded : %+v with scopes : %+v", lfuser, scopes)
 
 	for _, scope := range scopes {

cla-backend-go/cmd/server.go

@@ -746,6 +746,27 @@ func responseLoggingMiddleware(next http.Handler) http.Handler {
 	})
 }
 
+func refreshStoredUserName(usersService users.Service, userModel *models.User, claUser *user.CLAUser) *models.User {
+	if userModel == nil || claUser == nil || claUser.Name == "" || userModel.Username == claUser.Name {
+		return userModel
+	}
+
+	updatedUser, err := usersService.UpdateUser(userModel.UserID, map[string]interface{}{
+		"user_name":     claUser.Name,
+		"date_modified": time.Now().UTC().Format(time.RFC3339),
+	})
+	if err != nil {
+		log.WithFields(logrus.Fields{
+			"functionName": "cmd.refreshStoredUserName",
+			"userID":       userModel.UserID,
+			"lfUsername":   claUser.LFUsername,
+		}).WithError(err).Warn("unable to refresh stored user_name from current identity claims")
+		return userModel
+	}
+
+	return updatedUser
+}
+
 // create user form http authorization token
 // this function creates user if user does not exist and token is valid
 func createUserFromRequest(authorizer auth.Authorizer, usersService users.Service, eventsService events.Service, r *http.Request) *http.Request {
@@ -788,8 +809,9 @@ func createUserFromRequest(authorizer auth.Authorizer, usersService users.Servic
 			return r
 		}
 	}
-	// If found - just return
+	// If found - refresh the stored display name and return
 	if userModel != nil {
+		userModel = refreshStoredUserName(usersService, userModel, claUser)
 		if !needToStoreUser {
 			return r
 		}
@@ -807,8 +829,9 @@ func createUserFromRequest(authorizer auth.Authorizer, usersService users.Servic
 			return r
 		}
 	}
-	// If found - just return
+	// If found - refresh the stored display name and return
 	if userModel != nil {
+		userModel = refreshStoredUserName(usersService, userModel, claUser)
 		if !needToStoreUser {
 			return r
 		}

cla-backend-go/v2/gitlab_organizations/service.go

@@ -888,6 +888,28 @@ func (s *Service) InitiateSignRequest(ctx context.Context, req *http.Request, gi
 	return &consoleURL, nil
 }
 
+func (s *Service) refreshGitLabUserName(ctx context.Context, claUser *models.User, gitlabUser *goGitLab.User) *models.User {
+	if claUser == nil || gitlabUser == nil || gitlabUser.Name == "" || claUser.Username == gitlabUser.Name {
+		return claUser
+	}
+
+	updatedUser, err := s.userService.UpdateUser(claUser.UserID, map[string]interface{}{
+		"user_name":     gitlabUser.Name,
+		"date_modified": time.Now().UTC().Format(time.RFC3339),
+	})
+	if err != nil {
+		log.WithFields(logrus.Fields{
+			"functionName":   "v2.gitlab_organizations.service.refreshGitLabUserName",
+			utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+			"userID":         claUser.UserID,
+			"gitlabUserID":   gitlabUser.ID,
+		}).WithError(err).Warn("unable to refresh stored GitLab user_name")
+		return claUser
+	}
+
+	return updatedUser
+}
+
 func (s *Service) getOrCreateUser(ctx context.Context, gitlabClient *goGitLab.Client, eventsService events.Service) (*models.User, error) {
 
 	f := logrus.Fields{
@@ -927,7 +949,7 @@ func (s *Service) getOrCreateUser(ctx context.Context, gitlabClient *goGitLab.Cl
 		})
 		return claUser, nil
 	}
-	return claUser, nil
+	return s.refreshGitLabUserName(ctx, claUser, gitlabUser), nil
 }
 
 func buildInstallationURL(gitlabOrgID string, authStateNonce string) *strfmt.URI {

cla-backend-go/v2/gitlab_sign/service.go

@@ -181,6 +181,28 @@ func (s service) InitiateSignRequest(ctx context.Context, req *http.Request, git
 	return &consoleURL, nil
 }
 
+func (s service) refreshGitLabUserName(ctx context.Context, claUser *models.User, gitlabUser *gitlab.User) *models.User {
+	if claUser == nil || gitlabUser == nil || gitlabUser.Name == "" || claUser.Username == gitlabUser.Name {
+		return claUser
+	}
+
+	updatedUser, err := s.userService.UpdateUser(claUser.UserID, map[string]interface{}{
+		"user_name":     gitlabUser.Name,
+		"date_modified": time.Now().UTC().Format(time.RFC3339),
+	})
+	if err != nil {
+		log.WithFields(logrus.Fields{
+			"functionName":   "v2.gitlab_sign.service.refreshGitLabUserName",
+			utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+			"userID":         claUser.UserID,
+			"gitlabUserID":   gitlabUser.ID,
+		}).WithError(err).Warn("unable to refresh stored GitLab user_name")
+		return claUser
+	}
+
+	return updatedUser
+}
+
 func (s service) getOrCreateUser(ctx context.Context, gitlabClient *gitlab.Client, eventsService events.Service) (*models.User, error) {
 	f := logrus.Fields{
 		"functionName":   "v2.gitlab_sign.service.getOrCreateUser",
@@ -197,23 +219,23 @@ func (s service) getOrCreateUser(ctx context.Context, gitlabClient *gitlab.Clien
 	claUser, err := s.userService.GetUserByGitlabID(gitlabUser.ID)
 	if err == nil && claUser != nil {
 		log.WithFields(f).Debugf("found user by GitLab ID: %d", gitlabUser.ID)
-		return claUser, nil
+		return s.refreshGitLabUserName(ctx, claUser, gitlabUser), nil
 	}
-	log.WithFields(f).Debugf("unable to lookup user by github ID: %d, error: %+v ", gitlabUser.ID, err)
+	log.WithFields(f).Debugf("unable to lookup user by GitLab ID: %d, error: %+v ", gitlabUser.ID, err)
 
 	log.WithFields(f).Debugf("looking up user by GitLab username: %s", gitlabUser.Username)
 	claUser, err = s.userService.GetUserByGitLabUsername(gitlabUser.Username)
 	if err == nil && claUser != nil {
 		log.WithFields(f).Debugf("found user by GitLab username: %s", gitlabUser.Username)
-		return claUser, nil
+		return s.refreshGitLabUserName(ctx, claUser, gitlabUser), nil
 	}
-	log.WithFields(f).Debugf("unable to lookup user by github username: %s, error: %+v ", gitlabUser.Username, err)
+	log.WithFields(f).Debugf("unable to lookup user by GitLab username: %s, error: %+v ", gitlabUser.Username, err)
 
 	log.WithFields(f).Debugf("looking up user by GitLab email: %s", gitlabUser.Email)
 	claUser, err = s.userService.GetUserByEmail(gitlabUser.Email)
 	if err == nil && claUser != nil {
 		log.WithFields(f).Debugf("found user by GitLab email: %s", gitlabUser.Email)
-		return claUser, nil
+		return s.refreshGitLabUserName(ctx, claUser, gitlabUser), nil
 	}
 
 	log.WithFields(f).Infof("unable to locate GitLab user - creating a new user record for GitLab user : %+v ", gitlabUser)
@@ -225,8 +247,8 @@ func (s service) getOrCreateUser(ctx context.Context, gitlabClient *gitlab.Clien
 		Username:       gitlabUser.Name,
 	}
 	claUser, userErr := s.userService.CreateUser(user, nil)
-	if err != nil {
-		log.WithFields(f).Debugf("unable to create claUser with details : %+v, error: %+v", user, userErr)
+	if userErr != nil {
+		log.WithFields(f).Debugf("unable to create claUser with details: %+v, error: %+v", user, userErr)
 		return nil, userErr
 	}
 

cla-backend-go/v2/sign/handlers.go

@@ -24,6 +24,7 @@ import (
 	"github.com/linuxfoundation/easycla/cla-backend-go/gen/v2/restapi/operations/sign"
 	"github.com/linuxfoundation/easycla/cla-backend-go/utils"
 	"github.com/linuxfoundation/easycla/cla-backend-go/v2/organization-service/client/organizations"
+	user_service "github.com/linuxfoundation/easycla/cla-backend-go/v2/user-service"
 
 	"github.com/go-openapi/runtime"
 )
@@ -77,6 +78,8 @@ func CCLADocusignMiddleware(next http.Handler) http.Handler {
 }
 
 // Configure API call
+//
+//nolint:gocyclo
 func Configure(api *operations.EasyclaAPI, service Service, userService users.Service) {
 	// Retrieve a list of available templates
 	api.SignClearCachesHandler = sign.ClearCachesHandlerFunc(
@@ -180,12 +183,36 @@ func Configure(api *operations.EasyclaAPI, service Service, userService users.Se
 				if userErr != nil {
 					return sign.NewRequestIndividualSignatureBadRequest().WithPayload(errorResponse(reqId, userErr))
 				}
-				if len(user.Emails) == 0 {
+				if user == nil {
+					msg := fmt.Sprintf("user not found: %s", *params.Input.UserID)
+					log.WithFields(f).Warn(msg)
+					return sign.NewRequestIndividualSignatureBadRequest().WithPayload(errorResponse(reqId, errors.New(msg)))
+				}
+				userServiceClient := user_service.GetClient()
+				if userServiceClient != nil && userServiceClient.IsConfigured() && user.LfUsername != "" {
+					platformUser, platformUserErr := userServiceClient.GetUserByUsername(user.LfUsername)
+					if platformUserErr != nil {
+						log.WithFields(f).WithError(platformUserErr).Warn("unable to fetch platform user for primary email lookup")
+					} else if platformUser != nil {
+						for _, email := range platformUser.Emails {
+							if email != nil && email.IsPrimary != nil && *email.IsPrimary && email.EmailAddress != nil && *email.EmailAddress != "" {
+								preferredEmail = *email.EmailAddress
+								break
+							}
+						}
+					}
+				}
+
+				if preferredEmail == "" && len(user.Emails) > 0 {
+					preferredEmail = user.Emails[0]
+				}
+
+				if preferredEmail == "" {
 					msg := "no emails found"
 					log.WithFields(f).Warn(msg)
 					return sign.NewRequestIndividualSignatureBadRequest().WithPayload(errorResponse(reqId, errors.New(msg)))
 				}
-				preferredEmail = user.Emails[0]
+
 				log.WithFields(f).Debug("requesting individual signature for github/gitlab")
 				resp, err = service.RequestIndividualSignature(ctx, params.Input, preferredEmail)
 			} else if strings.ToLower(params.Input.ReturnURLType) == "gerrit" {

cla-backend-go/v2/sign/service.go

@@ -2170,6 +2170,12 @@ func getUserEmail(user *v1Models.User, preferredEmail string, allowLFEmail bool)
 		if utils.StringInSlice(preferredEmail, user.Emails) || (allowLFEmail && user.LfEmail == strfmt.Email(preferredEmail)) {
 			return preferredEmail
 		}
+		// For GitHub/GitLab individual-signature flows, preferredEmail comes
+		// from upstream identity data and may not exist in the locally cached
+		// EasyCLA emails yet. In those flows allowLFEmail is false.
+		if !allowLFEmail {
+			return preferredEmail
+		}
 	}
 	if allowLFEmail && user.LfEmail != "" {
 		return string(user.LfEmail)

cla-backend-go/v2/user-service/client.go

@@ -61,6 +61,11 @@ func GetClient() *Client {
 	return userServiceClient
 }
 
+// IsConfigured reports whether the user-service client has a usable API gateway URL.
+func (usc *Client) IsConfigured() bool {
+	return usc != nil && strings.TrimSpace(usc.apiGwURL) != ""
+}
+
 // GetUsersByUsernames search users by lf username
 func (usc *Client) GetUsersByUsernames(lfUsernames []string) ([]*models.User, error) {
 	f := logrus.Fields{

cla-backend/cla/controllers/signing.py

@@ -42,18 +42,42 @@ def request_individual_signature(project_id, user_id, return_url_type, return_ur
             github = get_repository_service("github")
             primary_user_email = github.get_primary_user_email(request)
         elif return_url_type.lower() == "gitlab":
+            primary_user_email = None
+
             try:
                 cla.log.debug(f"Fetching user details for: {user_id}")
                 user = User()
                 user.load(user_id)
             except DoesNotExist as err:
                 cla.log.warning('Individual Signature - user ID was NOT found for: {}'.format(user_id))
                 return {'errors': {'user_id': str(err)}}
-            primary_user_email = user.get_user_email()
+
+            lf_username = user.get_lf_username()
+            if lf_username:
+                try:
+                    platform_users = UserService.get_users_by_username(lf_username) or []
+                except Exception as err:
+                    cla.log.warning(
+                        f'Individual Signature - unable to fetch platform user by username: {lf_username}, error: {err}'
+                    )
+                    platform_users = []
+
+                for platform_user in platform_users:
+                    if not platform_user:
+                        continue
+                    for email in (platform_user.get('Emails') or []):
+                        if email and email.get('IsPrimary') and email.get('EmailAddress'):
+                            primary_user_email = email.get('EmailAddress')
+                            break
+                    if primary_user_email:
+                        break
+
+            if not primary_user_email:
+                primary_user_email = next(iter(user.get_user_emails() or []), None)
+
         return signing_service.request_individual_signature(str(project_id), str(user_id), return_url, return_url_type,
                                                             preferred_email=primary_user_email)
 
-
 def request_corporate_signature(auth_user,
                                 project_id: str,
                                 company_id: str,

cla-backend/cla/controllers/user.py

@@ -512,5 +512,10 @@ def get_or_create_user(auth_user):
 
         return user
 
-    # Just return the first matching record
-    return users[0]
+    # Just return the first matching record, but refresh the display name when it changed upstream.
+    user = users[0]
+    user_name = auth_user.name.strip() if auth_user.name else None
+    if user_name and user.get_user_name() != user_name:
+        user.set_user_name(user_name)
+        user.save()
+    return user