Overview
Package claimrolemapping provides shared configuration types and constructor functions for building a PrincipalExtractor from claim-based role mapping rules. Services embed ExtractorConfig in their own config struct to share a consistent auth configuration surface.
Index
- Constants
- func BuildExtractorConfig(mappings []ClaimRoleMappingConfig, logger zerolog.Logger) auth.DefaultExtractorConfig
- func BuildPrincipalExtractor(config ExtractorConfig, logger zerolog.Logger) auth.PrincipalExtractor
- func ValidateRoleMappings(mappings []ClaimRoleMappingConfig, knownRoles []string) []string
- type ClaimRoleMappingConfig
- type ExtractorConfig
Constants
const (
	SourceFlyio         = "flyio"
	SourceGithubActions = "githubactions"
	SourceAWS           = "aws"
	SourceOIDC          = "oidc"
	SourceJWT           = "jwt"
)
Source name constants for use in ClaimRoleMappingConfig.Source.
Variables
This section is empty.
Functions
func BuildExtractorConfig
func BuildExtractorConfig(mappings []ClaimRoleMappingConfig, logger zerolog.Logger) auth.DefaultExtractorConfig
BuildExtractorConfig constructs a per-source DefaultExtractorConfig from claim-role mapping rules. It emits Info-level startup logs for each configured source and a Warn when any rule has Debug enabled.
func BuildPrincipalExtractor
func BuildPrincipalExtractor(config ExtractorConfig, logger zerolog.Logger) auth.PrincipalExtractor
BuildPrincipalExtractor constructs a PrincipalExtractor from config. When AllowUnauthenticated is true it returns an allow-all extractor suitable for development. Otherwise it builds a proper extractor with per-source claim-to-role mapping.
func ValidateRoleMappings (added in v0.7.0)
func ValidateRoleMappings(mappings []ClaimRoleMappingConfig, knownRoles []string) []string
ValidateRoleMappings returns a warning string for each role name in mappings that does not appear in knownRoles. Call at application startup and log the results at Warn level to surface misconfigured claim-role mappings early.
knownRoles should include both canonical role names and alias names from the authoriser's PolicyMetadata (convert RoleCapabilities keys and RoleAliases keys to []string before calling).
Types
type ClaimRoleMappingConfig
type ClaimRoleMappingConfig struct {
// Source restricts this mapping to a named PrincipalSource (e.g. "flyio",
// "aws"). Empty means match any source.
Source string `mapstructure:"source"`
// Claims maps claim keys to required values. A value of "*" matches any
// non-empty string.
Claims map[string]string `mapstructure:"claims"`
// Role is the internal role granted when all claim predicates match.
Role string `mapstructure:"role"`
// Debug enables per-request structured debug logging for this rule.
// Do not enable in production — evaluated claim values appear in the log output.
Debug bool `mapstructure:"debug"`
}
ClaimRoleMappingConfig maps a set of JWT claim predicates to an internal role, optionally restricted to a specific PrincipalSource. An empty Source matches any source.
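As an added example (not the package's own code), the following applies the predicate semantics described above together with the ValidateRoleMappings contract from the Functions section. MatchRule and UnknownRoles are hypothetical names, the claim keys app_name and org_slug and the role names are constructed sample values, and the struct is a local copy rather than an import of this package.

```go
package main

import "fmt"

// ClaimRoleMappingConfig is a local copy of the documented struct (tags and Debug omitted).
type ClaimRoleMappingConfig struct {
	Source string
	Claims map[string]string
	Role   string
}

// MatchRule is a hypothetical helper applying the documented predicate rules:
// an empty Source matches any source, every listed claim must be present and
// equal to the required value, and the value "*" matches any non-empty string.
func MatchRule(rule ClaimRoleMappingConfig, source string, claims map[string]string) bool {
	if rule.Source != "" && rule.Source != source {
		return false
	}
	for key, want := range rule.Claims {
		got, ok := claims[key]
		if !ok || (want == "*" && got == "") || (want != "*" && got != want) {
			return false
		}
	}
	return true
}

// UnknownRoles follows the documented ValidateRoleMappings contract: one warning
// string per mapping whose Role is absent from knownRoles (canonical names and aliases).
func UnknownRoles(rules []ClaimRoleMappingConfig, knownRoles []string) []string {
	known := make(map[string]bool, len(knownRoles))
	for _, k := range knownRoles {
		known[k] = true
	}
	warnings := []string{}
	for i, r := range rules {
		if !known[r.Role] {
			warnings = append(warnings, fmt.Sprintf("claim-role-mappings[%d]: role %q is not a known role or alias", i, r.Role))
		}
	}
	return warnings
}

func main() {
	// Constructed sample rule: a Fly.io token for app "api" in any org grants "deployer".
	rule := ClaimRoleMappingConfig{Source: "flyio", Claims: map[string]string{"app_name": "api", "org_slug": "*"}, Role: "deployer"}
	fmt.Println(MatchRule(rule, "flyio", map[string]string{"app_name": "api", "org_slug": "acme"}))
	fmt.Println(UnknownRoles([]ClaimRoleMappingConfig{rule}, []string{"viewer"}))
}
```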
type ExtractorConfig
type ExtractorConfig struct {
AllowUnauthenticated bool `mapstructure:"allow-unauthenticated"`
ClaimRoleMappings []ClaimRoleMappingConfig `mapstructure:"claim-role-mappings"`
}
ExtractorConfig is the common auth configuration for services that need JWT-based principal extraction with claim-to-role mapping. Embed this in a service config with the mapstructure ",squash" tag to preserve the flat YAML key structure.