claimrolemapping

package v0.7.0 (not the latest version of its module)
Published: Jun 19, 2026 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package claimrolemapping provides shared configuration types and constructor functions for building a PrincipalExtractor from claim-based role mapping rules. Services embed ExtractorConfig in their own config struct to share a consistent auth configuration surface.

Constants

const (
	SourceFlyio         = "flyio"
	SourceGithubActions = "githubactions"
	SourceAWS           = "aws"
	SourceOIDC          = "oidc"
	SourceJWT           = "jwt"
)

Source name constants for use in ClaimRoleMappingConfig.Source.

Variables

This section is empty.

Functions

func BuildExtractorConfig

func BuildExtractorConfig(mappings []ClaimRoleMappingConfig, logger zerolog.Logger) auth.DefaultExtractorConfig

BuildExtractorConfig constructs a per-source DefaultExtractorConfig from claim-role mapping rules. It emits Info-level startup logs for each configured source and a Warn when any rule has Debug enabled.

func BuildPrincipalExtractor

func BuildPrincipalExtractor(config ExtractorConfig, logger zerolog.Logger) auth.PrincipalExtractor

BuildPrincipalExtractor constructs a PrincipalExtractor from config. When AllowUnauthenticated is true it returns an allow-all extractor suitable only for development. Otherwise it builds a full extractor that applies the per-source claim-to-role mappings.

func ValidateRoleMappings added in v0.7.0

func ValidateRoleMappings(mappings []ClaimRoleMappingConfig, knownRoles []string) []string

ValidateRoleMappings returns a warning string for each role name in mappings that does not appear in knownRoles. Call at application startup and log the results at Warn level to surface misconfigured claim-role mappings early.

knownRoles should include both canonical role names and alias names from the authoriser's PolicyMetadata (convert RoleCapabilities keys and RoleAliases keys to []string before calling).

Types

type ClaimRoleMappingConfig

type ClaimRoleMappingConfig struct {
	// Source restricts this mapping to a named PrincipalSource (e.g. "flyio",
	// "aws"). Empty means match any source.
	Source string `mapstructure:"source"`
	// Claims maps claim keys to required values. A value of "*" matches any
	// non-empty string.
	Claims map[string]string `mapstructure:"claims"`
	// Role is the internal role granted when all claim predicates match.
	Role string `mapstructure:"role"`
	// Debug enables per-request structured debug logging for this rule.
	// Do not enable in production — evaluated claim values appear in the log output.
	Debug bool `mapstructure:"debug"`
}

ClaimRoleMappingConfig maps a set of JWT claim predicates to an internal role, optionally restricted to a specific PrincipalSource. An empty Source matches any source.

type ExtractorConfig

type ExtractorConfig struct {
	AllowUnauthenticated bool                     `mapstructure:"allow-unauthenticated"`
	ClaimRoleMappings    []ClaimRoleMappingConfig `mapstructure:"claim-role-mappings"`
}

ExtractorConfig is the common auth configuration for services that need JWT-based principal extraction with claim-to-role mapping. Embed this in a service config with the mapstructure ",squash" tag to preserve the flat YAML key structure.
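The following is an added, stand-alone example (not the package's own code) that re-implements the documented rule semantics so they can be exercised without the auth or zerolog dependencies: an empty Source matches any source, every claim key in a rule must be present, "*" matches any non-empty value, and a startup check reports roles that the authoriser does not know. It also shows the ",squash" embedding of ExtractorConfig in a service config. Two things are this example's assumptions rather than documented behaviour: roles from every matching rule are collected (the page does not say how multiple matches are resolved), and the validator additionally flags rules with no claim predicates and no source restriction. The sample rules and claims are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins with the same fields and tags as the documented types.
type ClaimRoleMappingConfig struct {
	Source string            `mapstructure:"source"`
	Claims map[string]string `mapstructure:"claims"`
	Role   string            `mapstructure:"role"`
	Debug  bool              `mapstructure:"debug"`
}

type ExtractorConfig struct {
	AllowUnauthenticated bool                     `mapstructure:"allow-unauthenticated"`
	ClaimRoleMappings    []ClaimRoleMappingConfig `mapstructure:"claim-role-mappings"`
}

// ServiceConfig shows the documented embedding pattern: ",squash" keeps
// allow-unauthenticated and claim-role-mappings as top-level YAML keys.
type ServiceConfig struct {
	ListenAddr      string `mapstructure:"listen-addr"`
	ExtractorConfig `mapstructure:",squash"`
}

// ruleMatches applies the documented predicate semantics: an empty Source
// matches any source, every claim key must be present, and "*" accepts any
// non-empty value; any other required value must match exactly.
func ruleMatches(rule ClaimRoleMappingConfig, source string, claims map[string]string) bool {
	if rule.Source != "" && rule.Source != source {
		return false
	}
	for key, want := range rule.Claims {
		got, ok := claims[key]
		if !ok {
			return false
		}
		if want == "*" {
			if got == "" {
				return false
			}
		} else if got != want {
			return false
		}
	}
	return true
}

// rolesFor returns the sorted, de-duplicated roles granted by every matching
// rule. Collecting all matches is an assumption of this example.
func rolesFor(rules []ClaimRoleMappingConfig, source string, claims map[string]string) []string {
	seen := map[string]bool{}
	var roles []string
	for _, r := range rules {
		if ruleMatches(r, source, claims) && !seen[r.Role] {
			seen[r.Role] = true
			roles = append(roles, r.Role)
		}
	}
	sort.Strings(roles)
	return roles
}

// validateRoleMappings mirrors the documented startup check (one warning per
// rule whose Role is not a known role or alias) and the documented Warn for
// Debug rules. The warning for rules with no predicates and no source
// restriction is this example's addition: such a rule grants its role to
// every authenticated principal.
func validateRoleMappings(rules []ClaimRoleMappingConfig, knownRoles []string) []string {
	known := map[string]bool{}
	for _, r := range knownRoles {
		known[r] = true
	}
	var warnings []string
	for i, r := range rules {
		if !known[r.Role] {
			warnings = append(warnings, fmt.Sprintf("mapping %d: role %q is not a known role or alias", i, r.Role))
		}
		if len(r.Claims) == 0 && r.Source == "" {
			warnings = append(warnings, fmt.Sprintf("mapping %d: no claim predicates or source restriction; grants %q to every principal", i, r.Role))
		}
		if r.Debug {
			warnings = append(warnings, fmt.Sprintf("mapping %d: debug enabled; evaluated claim values will appear in logs", i))
		}
	}
	return warnings
}

// Constructed sample rules; the third contains a deliberate role-name typo.
var sampleRules = []ClaimRoleMappingConfig{
	{Source: "githubactions", Claims: map[string]string{"repository": "example-org/deploy", "ref": "refs/heads/main"}, Role: "deployer"},
	{Source: "flyio", Claims: map[string]string{"app_name": "*"}, Role: "service"},
	{Claims: map[string]string{"sub": "ops-oncall"}, Role: "operatr"},
}

func main() {
	cfg := ServiceConfig{ListenAddr: ":8080", ExtractorConfig: ExtractorConfig{ClaimRoleMappings: sampleRules}}
	for _, w := range validateRoleMappings(cfg.ClaimRoleMappings, []string{"deployer", "service", "operator"}) {
		fmt.Println("WARN:", w)
	}
	fmt.Println(rolesFor(cfg.ClaimRoleMappings, "githubactions", map[string]string{"repository": "example-org/deploy", "ref": "refs/heads/main"}))
	fmt.Println(rolesFor(cfg.ClaimRoleMappings, "flyio", map[string]string{"app_name": ""}))
}
```

Running it prints one warning for the misspelled role "operatr", grants "deployer" for the matching GitHub Actions token, and grants nothing for the Fly.io claims because "*" does not accept an empty app_name.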
