config: OIDCConfig — YAML + env overlay with defaults

2026-05-05 13:18:01 +01:00
parent e2976a42e6
commit db2fcdd52e
3 changed files with 188 additions and 1 deletions
@@ -0,0 +1,103 @@
+// internal/server/config/oidc.go — OIDC subsection of the server
+// config. Disabled when oidc.issuer is empty or absent.
+package config
+
+import (
+	"errors"
+	"fmt"
+	"os"
+)
+
+// OIDCConfig is the OIDC sub-block. The struct doubles as YAML schema;
+// loadOIDC applies env overlays on top and fills defaults.
+type OIDCConfig struct {
+	Issuer       string            `yaml:"issuer"`
+	ClientID     string            `yaml:"client_id"`
+	ClientSecret string            `yaml:"client_secret"`
+	DisplayName  string            `yaml:"display_name"`
+	Scopes       []string          `yaml:"scopes"`
+	RoleClaim    string            `yaml:"role_claim"`
+	RoleMapping  map[string]string `yaml:"role_mapping"`
+	RedirectURL  string            `yaml:"redirect_url"`
+}
+
+// loadOIDC merges YAML + env, applies defaults, validates. Returns
+// nil + nil when OIDC is disabled (issuer empty after merge); a
+// non-nil OIDCConfig means the caller should wire OIDC.
+//
+// Env vars (override YAML when set):
+//
+//	RM_OIDC_ISSUER, RM_OIDC_CLIENT_ID, RM_OIDC_CLIENT_SECRET,
+//	RM_OIDC_CLIENT_SECRET_FILE, RM_OIDC_DISPLAY_NAME,
+//	RM_OIDC_REDIRECT_URL.
+//
+// envs is passed in (rather than read with os.LookupEnv) so unit
+// tests can supply a fake env map.
+func loadOIDC(envs map[string]string, yaml OIDCConfig) (*OIDCConfig, error) {
+	c := yaml
+	if v, ok := envs["RM_OIDC_ISSUER"]; ok {
+		c.Issuer = v
+	}
+	if v, ok := envs["RM_OIDC_CLIENT_ID"]; ok {
+		c.ClientID = v
+	}
+	if v, ok := envs["RM_OIDC_CLIENT_SECRET"]; ok {
+		c.ClientSecret = v
+	}
+	if v, ok := envs["RM_OIDC_CLIENT_SECRET_FILE"]; ok && v != "" {
+		body, err := os.ReadFile(v)
+		if err != nil {
+			return nil, fmt.Errorf("config: oidc client_secret_file: %w", err)
+		}
+		c.ClientSecret = string(body)
+	}
+	if v, ok := envs["RM_OIDC_DISPLAY_NAME"]; ok {
+		c.DisplayName = v
+	}
+	if v, ok := envs["RM_OIDC_REDIRECT_URL"]; ok {
+		c.RedirectURL = v
+	}
+
+	if c.Issuer == "" {
+		return nil, nil
+	}
+
+	if c.ClientID == "" {
+		return nil, errors.New("config: oidc.client_id required when issuer is set")
+	}
+	if c.ClientSecret == "" {
+		return nil, errors.New("config: oidc.client_secret required when issuer is set")
+	}
+	if len(c.RoleMapping) == 0 {
+		return nil, errors.New("config: oidc.role_mapping must have at least one entry")
+	}
+
+	if c.DisplayName == "" {
+		c.DisplayName = "SSO"
+	}
+	if c.RoleClaim == "" {
+		c.RoleClaim = "groups"
+	}
+	if len(c.Scopes) == 0 {
+		c.Scopes = []string{"openid", "profile", "email", "groups"}
+	}
+	return &c, nil
+}
+
+// envSnapshot reads the OIDC env vars into a map. Lets the production
+// loadOIDC call site stay env-driven while tests pass an explicit
+// map.
+func envSnapshot() map[string]string {
+	keys := []string{
+		"RM_OIDC_ISSUER", "RM_OIDC_CLIENT_ID", "RM_OIDC_CLIENT_SECRET",
+		"RM_OIDC_CLIENT_SECRET_FILE", "RM_OIDC_DISPLAY_NAME",
+		"RM_OIDC_REDIRECT_URL",
+	}
+	out := make(map[string]string, len(keys))
+	for _, k := range keys {
+		if v, ok := os.LookupEnv(k); ok {
+			out[k] = v
+		}
+	}
+	return out
+}