Extract role assignments from claims

Add a UserRoleAssigner implementation that extract role names from the users' claims and creates role assignments in the settings service based on a configured mapping of claim values to ocis role names. Closes: #5669
2026-04-26 17:55:24 +02:00 · 2023-03-15 18:59:25 +01:00
parent d57d52b33d
commit a448c75c75
7 changed files with 361 additions and 82 deletions
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -52,7 +52,20 @@ func DefaultConfig() *config.Config {
 			},
 		},
 		PolicySelector: nil,
-		Reva:           shared.DefaultRevaConfig(),
+		RoleAssignment: config.RoleAssignment{
+			Driver: "default",
+			// this default is only relevant when Driver is set to "oidc"
+			OIDCRoleMapper: config.OIDCRoleMapper{
+				RoleClaim: "roles",
+				RoleMapping: map[string]string{
+					"admin":      "ocisAdmin",
+					"spaceadmin": "ocisSpaceAdmin",
+					"user":       "ocisUser",
+					"guest":      "ocisGuest",
+				},
+			},
+		},
+		Reva: shared.DefaultRevaConfig(),
 		PreSignedURL: config.PreSignedURL{
 			AllowedHTTPMethods: []string{"GET"},
 			Enabled:            true,