authentication: fix Switch edu-ID authentication

* Fixes an issue when the accounts from Switch and Invenio are linked and the email address are not corresponding because of case sensivity.
* Makes the check for the existence of a user email case insensitive.
* Closes #397.

Co-Authored-by: Sébastien Délèze <sebastien.deleze@rero.ch>

sonar/es_templates/v7/record.json

@@ -20,6 +20,15 @@
             "icu_folding",
             "german_normalization"
           ]
+        },
+        "custom_keyword": {
+          "type": "custom",
+          "tokenizer": "keyword",
+          "filter": [
+            "lowercase",
+            "icu_folding",
+            "german_normalization"
+          ]
         }
       }
     }

sonar/modules/shibboleth_authenticator/handlers.py

@@ -21,13 +21,15 @@
 
 from flask import current_app, redirect, session
 from flask_login import current_user, logout_user
+from invenio_accounts.models import User
 from invenio_db import db
 from invenio_oauthclient.errors import AlreadyLinkedError
 from invenio_oauthclient.handlers import get_session_next_url, \
     oauth_error_handler, token_session_key
 from invenio_oauthclient.utils import create_csrf_disabled_registrationform, \
     fill_form, oauth_authenticate, oauth_get_user, oauth_link_external_id, \
     oauth_register
+from sqlalchemy import func
 from werkzeug.local import LocalProxy
 
 from .utils import get_account_info
@@ -61,7 +63,17 @@ def authorized_#_handler(auth, remote=None, *args, **kwargs):
 
     account_info = get_account_info(auth.get_attributes(), remote)
 
-    user = oauth_get_user(remote, account_info=account_info)
+    user = None
+    # Pre-check done to use a case insensitive comparison because this is not
+    # done in invenio --> https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L82  # nopep8
+    if account_info.get('user', {}).get('email'):
+        user = User.query.filter(
+            func.lower(User.email) == func.lower(account_info['user']
+                                                 ['email'])).one_or_none()
+
+    if user is None:
+        user = oauth_get_user(remote, account_info=account_info)
+
     if user is None:
         # Auto sign-up if user not found
         form = create_csrf_disabled_registrationform()

sonar/modules/users/jsonschemas/users/user-v1.0.0.json

@@ -45,7 +45,9 @@
       "form": {
         "validation": {
           "validators": {
-            "valueAlreadyExists": {}
+            "valueAlreadyExists": {
+              "term": "email.analyzed"
+            }
           },
           "messages": {
             "pattern": "Email should have at least one `@` and  one `.`."

sonar/modules/users/mappings/v7/users/user-v1.0.0.json

@@ -24,7 +24,13 @@
         "type": "date"
       },
       "email": {
-        "type": "keyword"
+        "type": "keyword",
+        "fields": {
+          "analyzed": {
+            "type": "text",
+            "analyzer": "custom_keyword"
+          }
+        }
       },
       "street": {
         "type": "text"

tests/ui/shibboleth_authenticator/test_shibboleth_handlers.py

@@ -74,6 +74,9 @@ def is_authenticated(self):
     monkeypatch.setattr(
         'sonar.modules.shibboleth_authenticator.handlers.oauth_get_user',
         lambda remote, account_info: None)
+    monkeypatch.setattr(
+        'sonar.modules.shibboleth_authenticator.handlers.get_account_info',
+        lambda *args: {'user': {}})
     monkeypatch.setattr(
         'sonar.modules.shibboleth_authenticator.handlers.oauth_register',
         lambda form: None)