
Add support for determining claims based on rules #39

Merged
merged 1 commit into from May 10, 2020

Conversation

halkeye (Contributor) commented Apr 17, 2020

So a version that solves #34

I like govaluate rules, it's super flexible

Hopefully this works

Place1 (Owner) commented Apr 18, 2020

@halkeye wow, I never thought of this! This is a really cool solution and I can see it being very applicable to future auth backends.

Place1 (Owner) commented Apr 18, 2020

I'm interested in knowing if govaluate is the right choice vs. a jq-like syntax (I don't know if that exists).

Could you write some examples to help me understand how govaluate would look if you wanted to check:

  1. the user has a claim equal to a value
  2. the user has a claim in an object equal to a value
  3. the user doesn't have a claim

halkeye (Contributor, Author) commented Apr 18, 2020

I didn't fully understand 3.

PS, you need tests so I can add these cases :)

Given the response from the OIDC server:

```yaml
email: gavin@gavinmogan.com
email_verified: true
family_name: Mogan
foo2:
- wireguard-admin
given_name: Gavin
group_membership:
- JellyfinAdministrator
- NextcloudAdmins
- NextcloudUsers
- WireguardAdmins
name: Gavin Mogan
preferred_username: halkeye
sub: something something id
```

The following rules:

```yaml
doesntHaveEmail: "email != 'bill@gates.com'"
isGavin: "given_name == 'Gavin'"
hasEmailVerified: 'email_verified'
isAdmin: "'WireguardAdmins' in group_membership"
isNotAdmin: "!('WireguardAdmins' in group_membership)"
```

produces:

```yaml
- name: doesntHaveEmail
  value: "true"
- name: isGavin
  value: "true"
- name: hasEmailVerified
  value: "true"
- name: isAdmin
  value: "true"
- name: isNotAdmin
  value: "false"
```

Place1 (Owner) commented Apr 18, 2020

@halkeye cool; I think we should merge this feature using this approach.

I'd like to refactor so that we can have backends set Claims on the Identity struct when calling runtime.SetSession and then refactor the middleware in main.go (code) to apply the rule mappings (i.e. transform the raw provider's claims to our wg-access-server claims (admin)).

The reason I want to refactor this is so that the provider implementation is simple - i.e. just need to pass claims from OIDC/LDAP/Other to the Identity (no logic)

I've got a little side mission to keep the auth layer general so I can break it out into its own library at some stage 😃

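As an added illustration (not code from this PR, from wg-access-server, or from govaluate), the Python sketch below does what the two comments above describe: the provider hands over its raw claims unchanged, and a single mapping step turns each named rule into a "true"/"false" claim of the shape halkeye posted. Instead of govaluate it translates the rule subset used in halkeye's examples (==, !=, in, ! and parentheses over claim names and 'strings') into Python syntax, parses it with the ast module and walks the tree with an allow-list, so a rule can never call a function or reach anything except the claims passed in. Two behaviours are this example's own choices, not statements about govaluate: a rule that names a claim the provider did not send is an error rather than a silent false (which matters for != rules such as doesntHaveEmail, where an absent email must not come out as "true"), and == / != only compare operands of the same type, so a boolean claim never matches the string 'true'. The sample claims are constructed from the OIDC response quoted above; evaluate_rule, apply_rules and RuleError are names chosen here.

```python
import ast
import re

# The govaluate subset in the thread (==, !=, in, ! and parentheses over claim
# names and 'strings') is valid Python once the prefix "!" becomes "not", so a
# rule is translated, parsed with ast, and walked with an allow-list. Nothing is
# ever passed to eval().

class RuleError(ValueError):
    """A rule that is malformed, names an absent claim, or is not boolean."""

def _to_python(rule: str) -> str:
    return re.sub(r"!(?!=)", "not ", rule)  # "!(" -> "not (", "!=" untouched

class _Evaluator(ast.NodeVisitor):
    def __init__(self, claims: dict):
        self.claims = claims

    def visit_Constant(self, node):
        if isinstance(node.value, (str, bool)):
            return node.value
        raise RuleError(f"literal {node.value!r} is not a string or a bool")

    def visit_Name(self, node):
        # Fail closed (this example's choice): an absent claim is an error,
        # never a silent false, or, under a != rule, a silent true.
        if node.id not in self.claims:
            raise RuleError(f"claim {node.id!r} is not present")
        return self.claims[node.id]

    def visit_UnaryOp(self, node):
        value = self.visit(node.operand)
        if not isinstance(node.op, ast.Not) or not isinstance(value, bool):
            raise RuleError("'!' may only negate a boolean")
        return not value

    def visit_Compare(self, node):
        if len(node.ops) != 1:
            raise RuleError("chained comparisons are not supported")
        op = node.ops[0]
        left, right = self.visit(node.left), self.visit(node.comparators[0])
        if isinstance(op, ast.In):
            if not isinstance(left, str) or not isinstance(right, list):
                raise RuleError("'in' needs a string on the left and a list on the right")
            return left in right
        if isinstance(op, (ast.Eq, ast.NotEq)):
            # Same-type operands only, so the string 'true' never equals True.
            if type(left) is not type(right) or not isinstance(left, (str, bool)):
                raise RuleError(f"cannot compare {type(left).__name__} with {type(right).__name__}")
            return (left == right) == isinstance(op, ast.Eq)
        raise RuleError(f"operator {type(op).__name__} is not allowed")

    def generic_visit(self, node):
        # Calls, attribute access, subscripts, arithmetic, ... all land here.
        raise RuleError(f"{type(node).__name__} is not allowed in a rule")

def evaluate_rule(rule: str, claims: dict) -> bool:
    """Evaluate one rule against the provider's claims, or raise RuleError."""
    try:
        tree = ast.parse(_to_python(rule), mode="eval")
    except SyntaxError as exc:
        raise RuleError(f"cannot parse rule {rule!r}: {exc.msg}") from None
    result = _Evaluator(claims).visit(tree.body)
    if not isinstance(result, bool):
        raise RuleError(f"rule {rule!r} yields {result!r}, not a boolean")
    return result

def apply_rules(rules: dict, claims: dict) -> tuple:
    """Map each named rule to the "true"/"false" string claim shown in the PR.
    A failing rule is recorded as "false" and reported, so it never widens access."""
    values, problems = {}, {}
    for name, rule in rules.items():
        try:
            values[name] = "true" if evaluate_rule(rule, claims) else "false"
        except RuleError as exc:
            values[name], problems[name] = "false", str(exc)
    return values, problems

# Constructed from the OIDC response quoted in the thread; not fetched anywhere.
SAMPLE_CLAIMS = {
    "email": "gavin@gavinmogan.com",
    "email_verified": True,
    "given_name": "Gavin",
    "group_membership": ["JellyfinAdministrator", "NextcloudAdmins", "NextcloudUsers", "WireguardAdmins"],
}

SAMPLE_RULES = {
    "doesntHaveEmail": "email != 'bill@gates.com'",
    "isGavin": "given_name == 'Gavin'",
    "hasEmailVerified": "email_verified",
    "isAdmin": "'WireguardAdmins' in group_membership",
    "isNotAdmin": "!('WireguardAdmins' in group_membership)",
    "isAdminTypo": "'WireguardAdmins' in groups",    # claim the provider never sent
    "verifiedAsString": "email_verified == 'true'",  # bool compared with a string
}

if __name__ == "__main__":
    values, problems = apply_rules(SAMPLE_RULES, SAMPLE_CLAIMS)
    for name, value in values.items():
        print(f"{name}: {value}" + (f"  <- {problems[name]}" if name in problems else ""))
```

Running it reproduces the five "true"/"false" values halkeye posted and shows the two deliberately broken rules coming out as "false" with a reported reason instead of silently passing. Whatever consumes the mapped claims should compare against the exact string "true": in a dynamically typed consumer a check like `if claims["isAdmin"]:` would treat the non-empty string "false" as truthy.
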
halkeye (Contributor, Author) commented Apr 18, 2020

\o/ Feel free to let me know how I can help, but totally cool with whatever you end up doing with the code. This setup works for me, I have no idea what works for others.

halkeye (Contributor, Author) commented May 9, 2020

It's been a couple weeks now. Any idea what your plan is? Do you have changes you want to make? Or are you going to merge and make them?

I want to redeploy soon and would love these two merged

Place1 (Owner) commented May 10, 2020

@halkeye i'll get to this one soon as well.

Place1 merged commit 421c2af into Place1:master May 10, 2020

Place1 (Owner) commented May 10, 2020

@halkeye this is now up as 0.2.0-rc7 with the SQL change as well.

Let me know if it's all working for you. If you're happy then I'll put it up as 0.2.0.

DasSkelett referenced this pull request in DasSkelett/wg-access-server Dec 18, 2021