ultisuite-backend/internal/migration/claim_email_match_test.go

package migration

import "testing"

func TestInviteEmailMatchesIdentityExact(t *testing.T) {
	id := ClaimIdentity{Email: "Alice@Acme.com"}
	if !InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected case-insensitive exact match")
	}
}

func TestInviteEmailMatchesIdentityPreferredUsername(t *testing.T) {
	id := ClaimIdentity{
		Email:             "alice.smith@acme.com",
		PreferredUsername: "alice@acme.com",
	}
	if !InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected preferred_username match")
	}
}

func TestInviteEmailMatchesIdentityUPN(t *testing.T) {
	id := ClaimIdentity{
		Email: "alice.smith@acme.com",
		UPN:   "alice@acme.com",
	}
	if !InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected upn match")
	}
}

func TestInviteEmailMatchesIdentityAlternateEmail(t *testing.T) {
	id := ClaimIdentity{Email: "alice.smith@acme.com"}
	if !InviteEmailMatchesIdentity("alice@acme.com", []string{"alice.smith@acme.com"}, "", id) {
		t.Fatal("expected alternate email match")
	}
}

func TestInviteEmailMatchesIdentityGmailDotAlias(t *testing.T) {
	id := ClaimIdentity{Email: "alice.smith@acme.com"}
	if !InviteEmailMatchesIdentity("alice.smith@acme.com", nil, "", id) {
		t.Fatal("expected exact match baseline")
	}
	id = ClaimIdentity{Email: "a.l.i.c.e.smith@acme.com"}
	if !InviteEmailMatchesIdentity("alice.smith@acme.com", nil, "", id) {
		t.Fatal("expected dot-insensitive local-part match")
	}
}

func TestInviteEmailMatchesIdentityPlusTag(t *testing.T) {
	id := ClaimIdentity{Email: "alice+tag@acme.com"}
	if !InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected plus-tag stripped match")
	}
}

func TestInviteEmailMatchesIdentityProjectDomainUPN(t *testing.T) {
	id := ClaimIdentity{
		Email:             "alice.smith@acme.com",
		PreferredUsername: "alice@contoso.onmicrosoft.com",
	}
	if !InviteEmailMatchesIdentity("alice@acme.com", nil, "acme.com", id) {
		t.Fatal("expected project-domain UPN local-part match")
	}
}

func TestInviteEmailMatchesIdentityRejectsDifferentUserSameDomain(t *testing.T) {
	id := ClaimIdentity{Email: "bob@acme.com"}
	if InviteEmailMatchesIdentity("alice@acme.com", nil, "acme.com", id) {
		t.Fatal("expected reject for different local-part on same domain")
	}
}

func TestInviteEmailMatchesIdentityRejectsUnrelatedDomain(t *testing.T) {
	id := ClaimIdentity{Email: "alice@evil.com"}
	if InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected reject for different domain without alias")
	}
}

func TestInviteEmailMatchesIdentityEmptyIdentity(t *testing.T) {
	if InviteEmailMatchesIdentity("alice@acme.com", nil, "", ClaimIdentity{}) {
		t.Fatal("expected reject for empty identity")
	}
}

func TestInviteEmailMatchesIdentityIgnoresNonEmailPreferredUsername(t *testing.T) {
	id := ClaimIdentity{PreferredUsername: "alice"}
	if InviteEmailMatchesIdentity("alice@acme.com", nil, "", id) {
		t.Fatal("expected reject when preferred_username is not an email")
	}
}