Module: Legion::Rbac::GroupRoleMapper

Defined in:
lib/legion/rbac/group_role_mapper.rb

Class Method Summary

Class Method Details

.enrich_principal(principal:, groups:) ⇒ Hash

Enrich an RBAC principal hash with group-derived roles (additive, never removes).

Parameters:

  • principal (Hash)

    from Identity::Request#to_rbac_principal

  • groups (Array<String>)

    from identity provider

Returns:

  • (Hash)

    principal with :roles enriched



# File 'lib/legion/rbac/group_role_mapper.rb', line 39

def self.enrich_principal(principal:, groups:)
  # Pass the principal through untouched when RBAC is switched off.
  return principal unless Legion::Rbac.enabled?

  additional_roles = resolve_roles(groups: groups)
  return principal if additional_roles.empty?

  # Additive only: existing roles are kept, group-derived roles are appended,
  # and duplicates are collapsed. A new Hash is returned; the input is not mutated.
  existing_roles = principal[:roles] || []
  principal.merge(roles: (existing_roles + additional_roles).uniq)
end

.resolve_roles(groups:, group_role_map: nil) ⇒ Array<String>

Resolve RBAC roles from group memberships using a configurable map.

NOTE: v1 supports exact string match only. Regexp keys in group_role_map are NOT supported: JSON settings cannot represent Regexp objects. All map keys are compared via `to_s == to_s`. Pattern matching is deferred to Phase 9.

Parameters:

  • groups (Array<String>)

    group names or OIDs from identity provider

  • group_role_map (Hash, nil) (defaults to: nil)

    { group_name => role_name }; reads default_map when nil

Returns:

  • (Array<String>)

    resolved role names (may be empty)



# File 'lib/legion/rbac/group_role_mapper.rb', line 15

def self.resolve_roles(groups:, group_role_map: nil)
  return [] unless Legion::Rbac.enabled?

  map = group_role_map || default_map
  return [] if groups.nil? || groups.empty? || map.empty?

  # Normalize keys and values to strings so Symbol and String entries
  # (e.g. from JSON settings vs. Ruby literals) compare alike.
  normalized_map = {}
  map.each do |key, role|
    normalized_map[key.to_s] = role.to_s
  end

  # Exact-match lookup per group; unknown groups contribute nothing.
  # A Set keeps each role once even when several groups map to it.
  roles = Set.new
  groups.each do |group|
    role = normalized_map[group.to_s]
    roles << role if role
  end
  roles.to_a
end
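The following is an added, self-contained example (not Legion's own code) that re-creates the behaviour documented for both resolve_roles and enrich_principal so it can be run offline. Legion::Rbac.enabled? and GroupRoleMapper.default_map are stubbed, and the group names, role names and principal fields are constructed sample values, not anything from the project. It walks through the cases a reviewer of a group-to-role mapping would want to confirm: Symbol/String normalisation, exact-match-only lookup (a case variant does not resolve, so the lookup fails closed), de-duplication when several groups map to one role, the additive, non-mutating merge in enrich_principal, and the pass-through when RBAC is disabled.

```ruby
require 'set'

# Stand-alone re-creation of the documented GroupRoleMapper behaviour.
# Module names, stub settings and sample data are assumptions for illustration.
module Legion
  module Rbac
    # Stubbed feature flag (assumption); the real one reads Legion settings.
    def self.enabled?
      @enabled != false
    end

    def self.enabled=(value)
      @enabled = value
    end

    module GroupRoleMapper
      # Stubbed default map with constructed sample values. Keys are plain
      # strings/symbols, mirroring what JSON settings can express (no Regexp).
      def self.default_map
        { 'sg-ops-admins' => 'admin', 'sg-ops-readers' => 'reader', :'sg-sec' => :auditor }
      end

      def self.resolve_roles(groups:, group_role_map: nil)
        return [] unless Legion::Rbac.enabled?

        map = group_role_map || default_map
        return [] if groups.nil? || groups.empty? || map.empty?

        # Normalise keys and values to strings so Symbol and String entries behave alike.
        normalized_map = map.each_with_object({}) { |(k, v), h| h[k.to_s] = v.to_s }

        roles = Set.new
        groups.each do |group|
          role = normalized_map[group.to_s] # exact match only: no case folding, no patterns
          roles << role if role
        end
        roles.to_a
      end

      def self.enrich_principal(principal:, groups:)
        return principal unless Legion::Rbac.enabled?

        additional_roles = resolve_roles(groups: groups)
        return principal if additional_roles.empty?

        # Additive merge into a new Hash; the caller's principal is left untouched.
        existing_roles = principal[:roles] || []
        principal.merge(roles: (existing_roles + additional_roles).uniq)
      end
    end
  end
end

# Worked cases covering the documented edge behaviour; returns a Hash of results.
def group_role_mapper_demo
  mapper = Legion::Rbac::GroupRoleMapper
  base = { subject: 'alice', roles: ['reader'] } # constructed sample principal

  {
    # Symbol group name and Symbol role both resolve after to_s normalisation.
    symbol_key: mapper.resolve_roles(groups: [:'sg-sec']),
    # Exact match only: a case variant of a mapped group yields no role.
    case_variant: mapper.resolve_roles(groups: ['SG-OPS-ADMINS']),
    # Two groups mapping to the same role produce it once.
    dedupe: mapper.resolve_roles(groups: %w[a b], group_role_map: { 'a' => 'ops', 'b' => 'ops' }),
    # Existing roles are kept, group-derived roles appended, duplicates dropped.
    enriched: mapper.enrich_principal(principal: base, groups: %w[sg-ops-readers sg-ops-admins]),
    # The input principal is not mutated by enrich_principal.
    original_untouched: base[:roles]
  }
end

# Shows the pass-through when RBAC is disabled, then restores the flag.
def disabled_passthrough
  Legion::Rbac.enabled = false
  result = Legion::Rbac::GroupRoleMapper.enrich_principal(principal: { roles: [] }, groups: ['sg-ops-admins'])
  Legion::Rbac.enabled = true
  result
end
```

Because the lookup is exact and additive, the identity provider's group list is the trust input here: a misspelt or differently cased group name silently grants nothing, while any group present in the map can only add roles, never remove them.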