Class: LcpRuby::Authentication::RoleMapper
- Inherits: Object
  - Object
  - LcpRuby::Authentication::RoleMapper
- Defined in: lib/lcp_ruby/authentication/role_mapper.rb
Overview
Translates IdP claims into LCP role strings according to a Provider’s role_source policy (yaml | host | db). Pure function — no Rails, no DB.
Returns Array<String>. Raises NoRoleMatch when resolution yields an empty result and the provider has no default_role.
Class Method Summary
- .call(claims, provider) ⇒ Object
- .dig_path(hash, path) ⇒ Object
  Walks a dotted JSON path through a string-keyed hash.
Class Method Details
.call(claims, provider) ⇒ Object
```ruby
# File 'lib/lcp_ruby/authentication/role_mapper.rb', line 12
def call(claims, provider)
  # Dotted path to the roles claim, if the provider configures one.
  claim_path = provider.claim_mappings[:roles_from]
  values = claim_path ? Array(dig_path(claims, claim_path)).map(&:to_s) : []
  mapped = resolve(provider, values, claims)
  # Fall back to the provider's default_role only when nothing mapped.
  mapped = [ provider.default_role.to_s ] if mapped.empty? && provider.default_role
  # No match and no default: raise rather than return an empty role list.
  raise NoRoleMatch, "no roles matched for provider '#{provider.name}'" if mapped.empty?
  mapped
end
```
.dig_path(hash, path) ⇒ Object
Walks a dotted JSON path through a string-keyed hash. Returns nil for missing keys. Used to read nested claims like ‘realm_access.roles’ (Keycloak). Callers must hand in claims with string keys throughout; UserResolver#extract_claims normalises at the boundary.
```ruby
# File 'lib/lcp_ruby/authentication/role_mapper.rb', line 26
def dig_path(hash, path)
  hash.dig(*path.to_s.split("."))
end
```
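The string-key requirement and the default_role fallback interact in a way that matters for access control. The following is an added example, not LcpRuby code: it reuses the documented dig_path body and the claim coercion from .call, while ROLE_MAP, claim_values, map_roles and outcome are hypothetical names, with a constructed allow-list standing in for the resolve step that this page does not show.

```ruby
# Added example, not LcpRuby source. ROLE_MAP, claim_values, map_roles and
# outcome are hypothetical; the allow-list stands in for the unshown resolve step.
class NoRoleMatch < StandardError; end

# Same body as the documented .dig_path.
def dig_path(hash, path)
  hash.dig(*path.to_s.split("."))
end

# Same coercion as the first two lines of the documented .call.
def claim_values(claims, claim_path)
  claim_path ? Array(dig_path(claims, claim_path)).map(&:to_s) : []
end

ROLE_MAP = { "lcp-admin" => "admin", "lcp-viewer" => "viewer" }.freeze # constructed

# Allow-list mapping followed by the same default_role / NoRoleMatch tail as .call.
def map_roles(claims, claim_path, default_role: nil)
  mapped = claim_values(claims, claim_path).map { |v| ROLE_MAP[v] }.compact.uniq
  mapped = [default_role.to_s] if mapped.empty? && default_role
  raise NoRoleMatch, "no roles matched" if mapped.empty?
  mapped
end

# Constructed Keycloak-style claims with string keys throughout.
KEYCLOAK = { "sub" => "u1", "realm_access" => { "roles" => %w[lcp-admin offline_access] } }.freeze
# The same claims with symbol keys, i.e. not normalised at the boundary.
SYMBOL_KEYED = { sub: "u1", realm_access: { roles: ["lcp-admin"] } }.freeze

# Resolve roles and report how the call ended instead of raising.
def outcome(claims, default_role: nil)
  map_roles(claims, "realm_access.roles", default_role: default_role)
rescue NoRoleMatch
  :no_role_match      # nothing matched and no default_role is set
rescue TypeError
  :malformed_claims   # Hash#dig raises when an intermediate value is not a container
end

if __FILE__ == $PROGRAM_NAME
  p outcome(KEYCLOAK)                               # unmapped IdP roles are dropped
  p outcome(SYMBOL_KEYED)                           # path resolves to nil
  p outcome(SYMBOL_KEYED, default_role: "viewer")   # fallback hides the key mismatch
  p outcome({ "realm_access" => "oops" })           # scalar where a hash was expected
end
```

With symbol-keyed claims the path resolves to nil, so a configured default_role is granted silently where an unconfigured provider would raise NoRoleMatch. A claim whose intermediate value is a scalar makes Hash#dig raise TypeError rather than return nil, so callers need to handle that case as well.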