Module: Legion::Rbac::EntraClaimsMapper

Extended by:: Logging::Helper

Defined in:: lib/legion/rbac/entra_claims_mapper.rb

Constant Summary collapse

DEFAULT_ROLE_MAP =

{
  'Legion.Admin'      => 'admin',
  'Legion.Supervisor' => 'supervisor',
  'Legion.Worker'     => 'worker',
  'Legion.Observer'   => 'governance-observer'
}.freeze

DEFAULT_TEAM_KEYS =

%i[legion_team extension_legion_team tid].freeze

Class Method Summary collapse

.claim_value(claims, *keys) ⇒ Object
.map_claims(entra_claims, role_map: DEFAULT_ROLE_MAP, group_map: {}, default_role: 'worker', team_keys: DEFAULT_TEAM_KEYS, team_map: nil) ⇒ Object
.resolve_roles(entra_claims, role_map:, group_map:) ⇒ Object
.resolve_team(entra_claims, team_keys:, team_map:) ⇒ Object

Class Method Details

.claim_value(claims, *keys) ⇒ `Object`

# File 'lib/legion/rbac/entra_claims_mapper.rb', line 67

def claim_value(claims, *keys)
  keys.each do |key|
    value = claims[key] || claims[key.to_s]
    return value unless value.nil?
  end

  nil
end

.map_claims(entra_claims, role_map: DEFAULT_ROLE_MAP, group_map: {}, default_role: 'worker', team_keys: DEFAULT_TEAM_KEYS, team_map: nil) ⇒ `Object`

# File 'lib/legion/rbac/entra_claims_mapper.rb', line 20

def map_claims(entra_claims, role_map: DEFAULT_ROLE_MAP, group_map: {}, default_role: 'worker',
               team_keys: DEFAULT_TEAM_KEYS, team_map: nil)
  roles = resolve_roles(entra_claims, role_map: role_map, group_map: group_map)
  used_default_role = roles.empty?
  roles << default_role if used_default_role
  team = resolve_team(entra_claims, team_keys: team_keys, team_map: team_map)

  claims = {
    sub:   claim_value(entra_claims, :oid, :sub),
    name:  claim_value(entra_claims, :name, :preferred_username),
    roles: roles.to_a,
    team:  team,
    scope: 'human'
  }
  log.info(
    "RBAC entra_claims map sub=#{claims[:sub]} roles=#{claims[:roles].size} " \
    "team=#{claims[:team]} default_role=#{used_default_role}"
  )
  claims
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'rbac.entra_claims_mapper.map_claims')
  raise
end

.resolve_roles(entra_claims, role_map:, group_map:) ⇒ `Object`

# File 'lib/legion/rbac/entra_claims_mapper.rb', line 44

def resolve_roles(entra_claims, role_map:, group_map:)
  roles = Set.new

  Array(claim_value(entra_claims, :roles)).each do |entra_role|
    legion_role = role_map[entra_role]
    roles << legion_role if legion_role
  end

  Array(claim_value(entra_claims, :groups)).each do |group_oid|
    legion_role = group_map[group_oid]
    roles << legion_role if legion_role
  end

  roles
end

.resolve_team(entra_claims, team_keys:, team_map:) ⇒ `Object`

# File 'lib/legion/rbac/entra_claims_mapper.rb', line 60

def resolve_team(entra_claims, team_keys:, team_map:)
  raw_team = claim_value(entra_claims, *Array(team_keys))
  return raw_team if raw_team.nil? || team_map.nil? || team_map.empty?

  team_map[raw_team] || team_map[raw_team.to_s] || team_map[raw_team.to_sym]
end

Module: Legion::Rbac::EntraClaimsMapper

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.claim_value(claims, *keys) ⇒ Object

.map_claims(entra_claims, role_map: DEFAULT_ROLE_MAP, group_map: {}, default_role: 'worker', team_keys: DEFAULT_TEAM_KEYS, team_map: nil) ⇒ Object

.resolve_roles(entra_claims, role_map:, group_map:) ⇒ Object

.resolve_team(entra_claims, team_keys:, team_map:) ⇒ Object

.claim_value(claims, *keys) ⇒ `Object`

.map_claims(entra_claims, role_map: DEFAULT_ROLE_MAP, group_map: {}, default_role: 'worker', team_keys: DEFAULT_TEAM_KEYS, team_map: nil) ⇒ `Object`

.resolve_roles(entra_claims, role_map:, group_map:) ⇒ `Object`

.resolve_team(entra_claims, team_keys:, team_map:) ⇒ `Object`