Merge pull request 'Implement remote user login source and promotion to regular user' (#2465) from earl-warren/forgejo:wip-remote-user into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2465

models/auth/source.go

@@ -33,6 +33,7 @@ const (
 	DLDAP       // 5
 	OAuth2      // 6
 	SSPI        // 7
+	Remote      // 8
 )
 
 // String returns the string name of the LoginType
@@ -53,6 +54,7 @@ var Names = map[Type]string{
 	PAM:    "PAM",
 	OAuth2: "OAuth2",
 	SSPI:   "SPNEGO with SSPI",
+	Remote: "Remote",
 }
 
 // Config represents login config as far as the db is concerned
@@ -181,6 +183,10 @@ func (source *Source) IsSSPI() bool {
 	return source.Type == SSPI
 }
 
+func (source *Source) IsRemote() bool {
+	return source.Type == Remote
+}
+
 // HasTLS returns true of this source supports TLS.
 func (source *Source) HasTLS() bool {
 	hasTLSer, ok := source.Cfg.(HasTLSer)

models/user/fixtures/user.yml

@@ -0,0 +1,36 @@
+-
+  id: 1041
+  lower_name: remote01
+  name: remote01
+  full_name: Remote01
+  email: remote01@example.com
+  keep_email_private: false
+  email_notifications_preference: onmention
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 1001
+  login_name: 123
+  type: 5
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: true
+  avatar: avatarremote01
+  avatar_email: avatarremote01@example.com
+  use_custom_avatar: false
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: false

models/user/search.go

@@ -45,7 +45,11 @@ type SearchUserOptions struct {
 
 func (opts *SearchUserOptions) toSearchQueryBase(ctx context.Context) *xorm.Session {
 	var cond builder.Cond
+	if opts.Type == UserTypeIndividual {
+		cond = builder.In("type", UserTypeIndividual, UserTypeRemoteUser)
+	} else {
 		cond = builder.Eq{"type": opts.Type}
+	}
 	if opts.IncludeReserved {
 		if opts.Type == UserTypeIndividual {
 			cond = cond.Or(builder.Eq{"type": UserTypeUserReserved}).Or(

models/user/user.go

@@ -216,7 +216,7 @@ func (u *User) GetEmail() string {
 // GetAllUsers returns a slice of all individual users found in DB.
 func GetAllUsers(ctx context.Context) ([]*User, error) {
 	users := make([]*User, 0)
-	return users, db.GetEngine(ctx).OrderBy("id").Where("type = ?", UserTypeIndividual).Find(&users)
+	return users, db.GetEngine(ctx).OrderBy("id").In("type", UserTypeIndividual, UserTypeRemoteUser).Find(&users)
 }
 
 // GetAllAdmins returns a slice of all adminusers found in DB.
@@ -416,6 +416,10 @@ func (u *User) IsBot() bool {
 	return u.Type == UserTypeBot
 }
 
+func (u *User) IsRemote() bool {
+	return u.Type == UserTypeRemoteUser
+}
+
 // DisplayName returns full name if it's not empty,
 // returns username otherwise.
 func (u *User) DisplayName() string {
@@ -918,7 +922,8 @@ func GetUserByName(ctx context.Context, name string) (*User, error) {
 	if len(name) == 0 {
 		return nil, ErrUserNotExist{Name: name}
 	}
-	u := &User{LowerName: strings.ToLower(name), Type: UserTypeIndividual}
+	// adding Type: UserTypeIndividual is a noop because it is zero and discarded
+	u := &User{LowerName: strings.ToLower(name)}
 	has, err := db.GetEngine(ctx).Get(u)
 	if err != nil {
 		return nil, err

models/user/user_test.go

@@ -21,6 +21,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -33,6 +34,35 @@ func TestOAuth2Application_LoadUser(t *testing.T) {
 	assert.NotNil(t, user)
 }
 
+func TestGetUserByName(t *testing.T) {
+	defer tests.AddFixtures("models/user/fixtures/")()
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	{
+		_, err := user_model.GetUserByName(db.DefaultContext, "")
+		assert.True(t, user_model.IsErrUserNotExist(err), err)
+	}
+	{
+		_, err := user_model.GetUserByName(db.DefaultContext, "UNKNOWN")
+		assert.True(t, user_model.IsErrUserNotExist(err), err)
+	}
+	{
+		user, err := user_model.GetUserByName(db.DefaultContext, "USER2")
+		assert.NoError(t, err)
+		assert.Equal(t, user.Name, "user2")
+	}
+	{
+		user, err := user_model.GetUserByName(db.DefaultContext, "org3")
+		assert.NoError(t, err)
+		assert.Equal(t, user.Name, "org3")
+	}
+	{
+		user, err := user_model.GetUserByName(db.DefaultContext, "remote01")
+		assert.NoError(t, err)
+		assert.Equal(t, user.Name, "remote01")
+	}
+}
+
 func TestGetUserEmailsByNames(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
@@ -61,7 +91,24 @@ func TestCanCreateOrganization(t *testing.T) {
 	assert.False(t, user.CanCreateOrganization())
 }
 
+func TestGetAllUsers(t *testing.T) {
+	defer tests.AddFixtures("models/user/fixtures/")()
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	users, err := user_model.GetAllUsers(db.DefaultContext)
+	assert.NoError(t, err)
+
+	found := make(map[user_model.UserType]bool, 0)
+	for _, user := range users {
+		found[user.Type] = true
+	}
+	assert.True(t, found[user_model.UserTypeIndividual], users)
+	assert.True(t, found[user_model.UserTypeRemoteUser], users)
+	assert.False(t, found[user_model.UserTypeOrganization], users)
+}
+
 func TestSearchUsers(t *testing.T) {
+	defer tests.AddFixtures("models/user/fixtures/")()
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	testSuccess := func(opts *user_model.SearchUserOptions, expectedUserOrOrgIDs []int64) {
 		users, _, err := user_model.SearchUsers(db.DefaultContext, opts)
@@ -102,13 +149,13 @@ func TestSearchUsers(t *testing.T) {
 	}
 
 	testUserSuccess(&user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}},
-		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40})
+		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40, 1041})
 
 	testUserSuccess(&user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(false)},
 		[]int64{9})
 
 	testUserSuccess(&user_model.SearchUserOptions{OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(true)},
-		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40})
+		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32, 34, 37, 38, 39, 40, 1041})
 
 	testUserSuccess(&user_model.SearchUserOptions{Keyword: "user1", OrderBy: "id ASC", ListOptions: db.ListOptions{Page: 1}, IsActive: optional.Some(true)},
 		[]int64{1, 10, 11, 12, 13, 14, 15, 16, 18})
@@ -124,7 +171,7 @@ func TestSearchUsers(t *testing.T) {
 		[]int64{29})
 
 	testUserSuccess(&user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsProhibitLogin: optional.Some(true)},
-		[]int64{37})
+		[]int64{1041, 37})
 
 	testUserSuccess(&user_model.SearchUserOptions{ListOptions: db.ListOptions{Page: 1}, IsTwoFactorEnabled: optional.Some(true)},
 		[]int64{24})

routers/web/auth/oauth.go

@@ -35,6 +35,7 @@ import (
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/forms"
+	remote_service "code.gitea.io/gitea/services/remote"
 	user_service "code.gitea.io/gitea/services/user"
 
 	"gitea.com/go-chi/binding"
@@ -1202,9 +1203,21 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
 }
 
-// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
-// login the user
 func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
+	gothUser, err := oAuth2FetchUser(ctx, authSource, request, response)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+
+	if _, _, err := remote_service.MaybePromoteRemoteUser(ctx, authSource, gothUser.UserID, gothUser.Email); err != nil {
+		return nil, goth.User{}, err
+	}
+
+	u, err := oAuth2GothUserToUser(request.Context(), authSource, gothUser)
+	return u, gothUser, err
+}
+
+func oAuth2FetchUser(ctx *context.Context, authSource *auth.Source, request *http.Request, response http.ResponseWriter) (goth.User, error) {
 	oauth2Source := authSource.Cfg.(*oauth2.Source)
 
 	// Make sure that the response is not an error response.
@@ -1216,10 +1229,10 @@ func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, requ
 		// Delete the goth session
 		err := gothic.Logout(response, request)
 		if err != nil {
-			return nil, goth.User{}, err
+			return goth.User{}, err
 		}
 
-		return nil, goth.User{}, errCallback{
+		return goth.User{}, errCallback{
 			Code:        errorName,
 			Description: errorDescription,
 		}
@@ -1232,24 +1245,28 @@ func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, requ
 			log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
 			err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
 		}
-		return nil, goth.User{}, err
+		return goth.User{}, err
 	}
 
 	if oauth2Source.RequiredClaimName != "" {
 		claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
 		if !has {
-			return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+			return goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
 		}
 
 		if oauth2Source.RequiredClaimValue != "" {
 			groups := claimValueToStringSet(claimInterface)
 
 			if !groups.Contains(oauth2Source.RequiredClaimValue) {
-				return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+				return goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
 			}
 		}
 	}
 
+	return gothUser, nil
+}
+
+func oAuth2GothUserToUser(ctx go_context.Context, authSource *auth.Source, gothUser goth.User) (*user_model.User, error) {
 	user := &user_model.User{
 		LoginName:   gothUser.UserID,
 		LoginType:   auth.OAuth2,
@@ -1258,27 +1275,28 @@ func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, requ
 
 	hasUser, err := user_model.GetUser(ctx, user)
 	if err != nil {
-		return nil, goth.User{}, err
+		return nil, err
 	}
 
 	if hasUser {
-		return user, gothUser, nil
+		return user, nil
 	}
+	log.Debug("no user found for LoginName %v, LoginSource %v, LoginType %v", user.LoginName, user.LoginSource, user.LoginType)
 
 	// search in external linked users
 	externalLoginUser := &user_model.ExternalLoginUser{
 		ExternalID:    gothUser.UserID,
 		LoginSourceID: authSource.ID,
 	}
-	hasUser, err = user_model.GetExternalLogin(request.Context(), externalLoginUser)
+	hasUser, err = user_model.GetExternalLogin(ctx, externalLoginUser)
 	if err != nil {
-		return nil, goth.User{}, err
+		return nil, err
 	}
 	if hasUser {
-		user, err = user_model.GetUserByID(request.Context(), externalLoginUser.UserID)
+		user, err = user_model.GetUserByID(ctx, externalLoginUser.UserID)
-		return user, gothUser, err
+		return user, err
 	}
 
 	// no user found to login
-	return nil, gothUser, nil
+	return nil, nil
 }

services/auth/source/remote/source.go

@@ -0,0 +1,33 @@
+// Copyright Earl Warren <contact@earl-warren.org>
+// SPDX-License-Identifier: MIT
+
+package remote
+
+import (
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/json"
+)
+
+type Source struct {
+	URL            string
+	MatchingSource string
+
+	// reference to the authSource
+	authSource *auth.Source
+}
+
+func (source *Source) FromDB(bs []byte) error {
+	return json.UnmarshalHandleDoubleEncode(bs, &source)
+}
+
+func (source *Source) ToDB() ([]byte, error) {
+	return json.Marshal(source)
+}
+
+func (source *Source) SetAuthSource(authSource *auth.Source) {
+	source.authSource = authSource
+}
+
+func init() {
+	auth.RegisterTypeConfig(auth.Remote, &Source{})
+}

services/remote/promote.go

@@ -0,0 +1,133 @@
+// Copyright Earl Warren <contact@earl-warren.org>
+// SPDX-License-Identifier: MIT
+
+package remote
+
+import (
+	"context"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+	remote_source "code.gitea.io/gitea/services/auth/source/remote"
+)
+
+type Reason int
+
+const (
+	ReasonNoMatch Reason = iota
+	ReasonNotAuth2
+	ReasonBadAuth2
+	ReasonLoginNameNotExists
+	ReasonNotRemote
+	ReasonEmailIsSet
+	ReasonNoSource
+	ReasonSourceWrongType
+	ReasonCanPromote
+	ReasonPromoted
+	ReasonUpdateFail
+	ReasonErrorLoginName
+	ReasonErrorGetSource
+)
+
+func NewReason(level log.Level, reason Reason, message string, args ...any) Reason {
+	log.Log(1, level, message, args...)
+	return reason
+}
+
+func getUsersByLoginName(ctx context.Context, name string) ([]*user_model.User, error) {
+	if len(name) == 0 {
+		return nil, user_model.ErrUserNotExist{Name: name}
+	}
+
+	users := make([]*user_model.User, 0, 5)
+
+	return users, db.GetEngine(ctx).
+		Table("user").
+		Where("login_name = ? AND login_type = ? AND type = ?", name, auth_model.Remote, user_model.UserTypeRemoteUser).
+		Find(&users)
+}
+
+// The remote user has:
+//
+//	Type        UserTypeRemoteUser
+//	LogingType  Remote
+//	LoginName   set to the unique identifier of the originating authentication source
+//	LoginSource set to the Remote source that can be matched against an OAuth2 source
+//
+// If the source from which an authentification happens is OAuth2, an existing
+// remote user will be promoted to an OAuth2 user provided:
+//
+//	user.LoginName is the same as goth.UserID (argument loginName)
+//	user.LoginSource has a MatchingSource equals to the name of the OAuth2 provider
+//
+// Once promoted, the user will be logged in without further interaction from the
+// user and will own all repositories, issues, etc. associated with it.
+func MaybePromoteRemoteUser(ctx context.Context, source *auth_model.Source, loginName, email string) (promoted bool, reason Reason, err error) {
+	user, reason, err := getRemoteUserToPromote(ctx, source, loginName, email)
+	if err != nil || user == nil {
+		return false, reason, err
+	}
+	promote := &user_model.User{
+		ID:          user.ID,
+		Type:        user_model.UserTypeIndividual,
+		Email:       email,
+		LoginSource: source.ID,
+		LoginType:   source.Type,
+	}
+	reason = NewReason(log.DEBUG, ReasonPromoted, "promote user %v: LoginName %v => %v, LoginSource %v => %v, LoginType %v => %v, Email %v => %v", user.ID, user.LoginName, promote.LoginName, user.LoginSource, promote.LoginSource, user.LoginType, promote.LoginType, user.Email, promote.Email)
+	if err := user_model.UpdateUserCols(ctx, promote, "type", "email", "login_source", "login_type"); err != nil {
+		return false, ReasonUpdateFail, err
+	}
+	return true, reason, nil
+}
+
+func getRemoteUserToPromote(ctx context.Context, source *auth_model.Source, loginName, email string) (*user_model.User, Reason, error) {
+	if !source.IsOAuth2() {
+		return nil, NewReason(log.DEBUG, ReasonNotAuth2, "source %v is not OAuth2", source), nil
+	}
+	oauth2Source, ok := source.Cfg.(*oauth2.Source)
+	if !ok {
+		return nil, NewReason(log.ERROR, ReasonBadAuth2, "source claims to be OAuth2 but is not"), nil
+	}
+
+	users, err := getUsersByLoginName(ctx, loginName)
+	if err != nil {
+		return nil, NewReason(log.ERROR, ReasonErrorLoginName, "getUserByLoginName('%s') %v", loginName, err), err
+	}
+	if len(users) == 0 {
+		return nil, NewReason(log.ERROR, ReasonLoginNameNotExists, "no user with LoginType UserTypeRemoteUser and LoginName '%s'", loginName), nil
+	}
+
+	reason := ReasonNoSource
+	for _, u := range users {
+		userSource, err := auth_model.GetSourceByID(ctx, u.LoginSource)
+		if err != nil {
+			if auth_model.IsErrSourceNotExist(err) {
+				reason = NewReason(log.DEBUG, ReasonNoSource, "source id = %v for user %v not found %v", u.LoginSource, u.ID, err)
+				continue
+			}
+			return nil, NewReason(log.ERROR, ReasonErrorGetSource, "GetSourceByID('%s') %v", u.LoginSource, err), err
+		}
+		if u.Email != "" {
+			reason = NewReason(log.DEBUG, ReasonEmailIsSet, "the user email is already set to '%s'", u.Email)
+			continue
+		}
+		remoteSource, ok := userSource.Cfg.(*remote_source.Source)
+		if !ok {
+			reason = NewReason(log.DEBUG, ReasonSourceWrongType, "expected a remote source but got %T %v", userSource, userSource)
+			continue
+		}
+
+		if oauth2Source.Provider != remoteSource.MatchingSource {
+			reason = NewReason(log.DEBUG, ReasonNoMatch, "skip OAuth2 source %s because it is different from %s which is the expected match for the remote source %s", oauth2Source.Provider, remoteSource.MatchingSource, remoteSource.URL)
+			continue
+		}
+
+		return u, ReasonCanPromote, nil
+	}
+
+	return nil, reason, nil
+}

tests/integration/integration_test.go

@@ -42,6 +42,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers"
+	"code.gitea.io/gitea/services/auth/source/remote"
 	gitea_context "code.gitea.io/gitea/services/context"
 	repo_service "code.gitea.io/gitea/services/repository"
 	files_service "code.gitea.io/gitea/services/repository/files"
@@ -53,7 +54,8 @@ import (
 	gouuid "github.com/google/uuid"
 	"github.com/markbates/goth"
 	"github.com/markbates/goth/gothic"
-	goth_gitlab "github.com/markbates/goth/providers/gitlab"
+	goth_gitlab "github.com/markbates/goth/providers/github"
+	goth_github "github.com/markbates/goth/providers/gitlab"
 	"github.com/santhosh-tekuri/jsonschema/v5"
 	"github.com/stretchr/testify/assert"
 )
@@ -338,6 +340,36 @@ func authSourcePayloadGitLabCustom(name string) map[string]string {
 	return payload
 }
 
+func authSourcePayloadGitHub(name string) map[string]string {
+	payload := authSourcePayloadOAuth2(name)
+	payload["oauth2_provider"] = "github"
+	return payload
+}
+
+func authSourcePayloadGitHubCustom(name string) map[string]string {
+	payload := authSourcePayloadGitHub(name)
+	payload["oauth2_use_custom_url"] = "on"
+	payload["oauth2_auth_url"] = goth_github.AuthURL
+	payload["oauth2_token_url"] = goth_github.TokenURL
+	payload["oauth2_profile_url"] = goth_github.ProfileURL
+	return payload
+}
+
+func createRemoteAuthSource(t *testing.T, name, url, matchingSource string) *auth.Source {
+	assert.NoError(t, auth.CreateSource(context.Background(), &auth.Source{
+		Type:     auth.Remote,
+		Name:     name,
+		IsActive: true,
+		Cfg: &remote.Source{
+			URL:            url,
+			MatchingSource: matchingSource,
+		},
+	}))
+	source, err := auth.GetSourceByName(context.Background(), name)
+	assert.NoError(t, err)
+	return source
+}
+
 func createUser(ctx context.Context, t testing.TB, user *user_model.User) func() {
 	user.MustChangePassword = false
 	user.LowerName = strings.ToLower(user.Name)

tests/integration/remote_test.go

@@ -0,0 +1,205 @@
+// Copyright Earl Warren <contact@earl-warren.org>
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/test"
+	remote_service "code.gitea.io/gitea/services/remote"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/markbates/goth"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRemote_MaybePromoteUserSuccess(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	//
+	// OAuth2 authentication source GitLab
+	//
+	gitlabName := "gitlab"
+	_ = addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
+	//
+	// Remote authentication source matching the GitLab authentication source
+	//
+	remoteName := "remote"
+	remote := createRemoteAuthSource(t, remoteName, "http://mygitlab.eu", gitlabName)
+
+	//
+	// Create a user as if it had previously been created by the remote
+	// authentication source.
+	//
+	gitlabUserID := "5678"
+	gitlabEmail := "gitlabuser@example.com"
+	userBeforeSignIn := &user_model.User{
+		Name:        "gitlabuser",
+		Type:        user_model.UserTypeRemoteUser,
+		LoginType:   auth_model.Remote,
+		LoginSource: remote.ID,
+		LoginName:   gitlabUserID,
+	}
+	defer createUser(context.Background(), t, userBeforeSignIn)()
+
+	//
+	// A request for user information sent to Goth will return a
+	// goth.User exactly matching the user created above.
+	//
+	defer mockCompleteUserAuth(func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
+		return goth.User{
+			Provider: gitlabName,
+			UserID:   gitlabUserID,
+			Email:    gitlabEmail,
+		}, nil
+	})()
+	req := NewRequest(t, "GET", fmt.Sprintf("/user/oauth2/%s/callback?code=XYZ&state=XYZ", gitlabName))
+	resp := MakeRequest(t, req, http.StatusSeeOther)
+	assert.Equal(t, "/", test.RedirectURL(resp))
+	userAfterSignIn := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userBeforeSignIn.ID})
+
+	// both are about the same user
+	assert.Equal(t, userAfterSignIn.ID, userBeforeSignIn.ID)
+	// the login time was updated, proof the login succeeded
+	assert.Greater(t, userAfterSignIn.LastLoginUnix, userBeforeSignIn.LastLoginUnix)
+	// the login type was promoted from Remote to OAuth2
+	assert.Equal(t, userBeforeSignIn.LoginType, auth_model.Remote)
+	assert.Equal(t, userAfterSignIn.LoginType, auth_model.OAuth2)
+	// the OAuth2 email was used to set the missing user email
+	assert.Equal(t, userBeforeSignIn.Email, "")
+	assert.Equal(t, userAfterSignIn.Email, gitlabEmail)
+}
+
+func TestRemote_MaybePromoteUserFail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	ctx := context.Background()
+	//
+	// OAuth2 authentication source GitLab
+	//
+	gitlabName := "gitlab"
+	gitlabSource := addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
+	//
+	// Remote authentication source matching the GitLab authentication source
+	//
+	remoteName := "remote"
+	remoteSource := createRemoteAuthSource(t, remoteName, "http://mygitlab.eu", gitlabName)
+
+	{
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, &auth_model.Source{}, "", "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonNotAuth2, reason)
+	}
+
+	{
+		remoteSource.Type = auth_model.OAuth2
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, remoteSource, "", "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonBadAuth2, reason)
+		remoteSource.Type = auth_model.Remote
+	}
+
+	{
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, "unknownloginname", "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonLoginNameNotExists, reason)
+	}
+
+	{
+		remoteUserID := "844"
+		remoteUser := &user_model.User{
+			Name:        "withmailuser",
+			Type:        user_model.UserTypeRemoteUser,
+			LoginType:   auth_model.Remote,
+			LoginSource: remoteSource.ID,
+			LoginName:   remoteUserID,
+			Email:       "some@example.com",
+		}
+		defer createUser(context.Background(), t, remoteUser)()
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonEmailIsSet, reason)
+	}
+
+	{
+		remoteUserID := "7464"
+		nonexistentloginsource := int64(4344)
+		remoteUser := &user_model.User{
+			Name:        "badsourceuser",
+			Type:        user_model.UserTypeRemoteUser,
+			LoginType:   auth_model.Remote,
+			LoginSource: nonexistentloginsource,
+			LoginName:   remoteUserID,
+		}
+		defer createUser(context.Background(), t, remoteUser)()
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonNoSource, reason)
+	}
+
+	{
+		remoteUserID := "33335678"
+		remoteUser := &user_model.User{
+			Name:        "badremoteuser",
+			Type:        user_model.UserTypeRemoteUser,
+			LoginType:   auth_model.Remote,
+			LoginSource: gitlabSource.ID,
+			LoginName:   remoteUserID,
+		}
+		defer createUser(context.Background(), t, remoteUser)()
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, "")
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonSourceWrongType, reason)
+	}
+
+	{
+		unrelatedName := "unrelated"
+		unrelatedSource := addAuthSource(t, authSourcePayloadGitHubCustom(unrelatedName))
+		assert.NotNil(t, unrelatedSource)
+
+		remoteUserID := "488484"
+		remoteEmail := "4848484@example.com"
+		remoteUser := &user_model.User{
+			Name:        "unrelateduser",
+			Type:        user_model.UserTypeRemoteUser,
+			LoginType:   auth_model.Remote,
+			LoginSource: remoteSource.ID,
+			LoginName:   remoteUserID,
+		}
+		defer createUser(context.Background(), t, remoteUser)()
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, unrelatedSource, remoteUserID, remoteEmail)
+		assert.NoError(t, err)
+		assert.False(t, promoted)
+		assert.Equal(t, remote_service.ReasonNoMatch, reason)
+	}
+
+	{
+		remoteUserID := "5678"
+		remoteEmail := "gitlabuser@example.com"
+		remoteUser := &user_model.User{
+			Name:        "remoteuser",
+			Type:        user_model.UserTypeRemoteUser,
+			LoginType:   auth_model.Remote,
+			LoginSource: remoteSource.ID,
+			LoginName:   remoteUserID,
+		}
+		defer createUser(context.Background(), t, remoteUser)()
+		promoted, reason, err := remote_service.MaybePromoteRemoteUser(ctx, gitlabSource, remoteUserID, remoteEmail)
+		assert.NoError(t, err)
+		assert.True(t, promoted)
+		assert.Equal(t, remote_service.ReasonPromoted, reason)
+	}
+}