store: GetUserByOIDCSubject + scanUser auth_source/oidc_subject

internal/store/users_test.go

@@ -165,6 +165,54 @@ func TestCreateUserLowercasesUsername(t *testing.T) {
 	}
 }
 
+func TestGetUserByOIDCSubject(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+	now := time.Now().UTC()
+	sub := "sub-abc-123"
+
+	if err := s.CreateUser(ctx, User{
+		ID: "u1", Username: "alice", PasswordHash: "",
+		Role: RoleAdmin, CreatedAt: now,
+		AuthSource: "oidc", OIDCSubject: &sub,
+	}); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+	got, err := s.GetUserByOIDCSubject(ctx, sub)
+	if err != nil {
+		t.Fatalf("get by sub: %v", err)
+	}
+	if got.ID != "u1" || got.AuthSource != "oidc" {
+		t.Errorf("unexpected: %+v", got)
+	}
+	if _, err := s.GetUserByOIDCSubject(ctx, "nope"); !errors.Is(err, ErrNotFound) {
+		t.Errorf("missing sub: want ErrNotFound, got %v", err)
+	}
+}
+
+func TestSetUserOIDCSubject(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+	now := time.Now().UTC()
+
+	if err := s.CreateUser(ctx, User{
+		ID: "u1", Username: "alice", PasswordHash: "x",
+		Role: RoleAdmin, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+	sub := "sub-456"
+	if err := s.SetUserOIDCSubject(ctx, "u1", "oidc", sub); err != nil {
+		t.Fatalf("set: %v", err)
+	}
+	got, _ := s.GetUserByID(ctx, "u1")
+	if got.AuthSource != "oidc" || got.OIDCSubject == nil || *got.OIDCSubject != sub {
+		t.Errorf("after set: %+v", got)
+	}
+}
+
 func TestEnrollmentTokenSingleUse(t *testing.T) {
 	t.Parallel()
 	s := openTestStore(t)