feat: implement Dex gRPC connector for identity service (#1351)

* feat: implement Dex gRPC connector for identity service

Add services/identity/connector package providing a local PasswordConnector
that validates credentials directly against the identity domain layer.

- connector.go: implements Login() — resolves tenant from context, looks up
  identity by email, validates password via credentials.ValidatePassword,
  rejects locked/suspended/pending-invite accounts, queries active role
  assignments and returns them as Dex groups
- claims.go: BuildClaims() constructs the JWT custom claims map (sub, email,
  name, x-tenant-id, roles, groups) consumed by Dex's token builder
- connector_test.go / claims_test.go: 18 unit tests covering success path,
  wrong password, locked/suspended/pending-invite accounts, identity not found,
  repository errors, role resolution failure (non-fatal), missing tenant context,
  and claims structure

The connector is decoupled from the Dex library — it defines its own
PasswordConnector interface matching Dex's shape to avoid adding dexidp/dex
as a Go module dependency.

* fix: remove PII from connector log statements

Remove email/username fields from the tenant-context-missing error log
and the identity-not-found info log. tenant_id and identity_id are
sufficient for debugging without logging PII.

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

services/identity/connector/claims.go

@@ -0,0 +1,35 @@
+package connector
+
+import "github.com/meridianhub/meridian/shared/platform/tenant"
+
+// BuildClaims constructs the JWT custom claims map for an authenticated identity.
+// The map is consumed by Dex's ID-token builder when enriching tokens with
+// connector-provided attributes.
+//
+// Claim keys follow the shared platform conventions:
+//   - "sub"        — stable user identifier (UUID)
+//   - "email"      — verified email address
+//   - "name"       — display name (falls back to email when not set)
+//   - "x-tenant-id" — tenant identifier injected into every token for downstream routing
+//   - "roles"      — active role names; downstream services use this for RBAC
+//   - "groups"     — mirrors roles; included for compatibility with Dex's group claim handling
+func BuildClaims(identity Identity, tenantID tenant.TenantID) map[string]interface{} {
+	name := identity.Username
+	if name == "" {
+		name = identity.Email
+	}
+
+	roles := identity.Groups
+	if roles == nil {
+		roles = []string{}
+	}
+
+	return map[string]interface{}{
+		"sub":              identity.UserID,
+		"email":            identity.Email,
+		"name":             name,
+		tenant.TenantIDKey: tenantID.String(),
+		"roles":            roles,
+		"groups":           roles,
+	}
+}

services/identity/connector/claims_test.go

@@ -0,0 +1,74 @@
+package connector_test
+
+import (
+	"testing"
+
+	"github.com/meridianhub/meridian/services/identity/connector"
+	"github.com/meridianhub/meridian/shared/platform/tenant"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildClaims_FullIdentity(t *testing.T) {
+	tid, err := tenant.NewTenantID("volterra")
+	require.NoError(t, err)
+
+	id := connector.Identity{
+		UserID:   "user-uuid-123",
+		Username: "Alice",
+		Email:    "alice@example.com",
+		Groups:   []string{"ADMIN", "OPERATOR"},
+	}
+
+	claims := connector.BuildClaims(id, tid)
+
+	assert.Equal(t, "user-uuid-123", claims["sub"])
+	assert.Equal(t, "alice@example.com", claims["email"])
+	assert.Equal(t, "Alice", claims["name"])
+	assert.Equal(t, "volterra", claims["x-tenant-id"])
+	assert.Equal(t, []string{"ADMIN", "OPERATOR"}, claims["roles"])
+	assert.Equal(t, []string{"ADMIN", "OPERATOR"}, claims["groups"])
+}
+
+func TestBuildClaims_EmptyUsernameDefaultsToEmail(t *testing.T) {
+	tid, err := tenant.NewTenantID("acme")
+	require.NoError(t, err)
+
+	id := connector.Identity{
+		UserID: "user-uuid-456",
+		Email:  "bob@example.com",
+		// Username intentionally empty
+	}
+
+	claims := connector.BuildClaims(id, tid)
+
+	assert.Equal(t, "bob@example.com", claims["name"])
+}
+
+func TestBuildClaims_NilGroupsProducesEmptySlice(t *testing.T) {
+	tid, err := tenant.NewTenantID("demo")
+	require.NoError(t, err)
+
+	id := connector.Identity{
+		UserID: "user-uuid-789",
+		Email:  "carol@example.com",
+		Groups: nil,
+	}
+
+	claims := connector.BuildClaims(id, tid)
+
+	roles, ok := claims["roles"].([]string)
+	require.True(t, ok)
+	assert.Empty(t, roles)
+}
+
+func TestBuildClaims_TenantIDPropagated(t *testing.T) {
+	tid, err := tenant.NewTenantID("tenant_xyz")
+	require.NoError(t, err)
+
+	id := connector.Identity{UserID: "u1", Email: "e@e.com"}
+
+	claims := connector.BuildClaims(id, tid)
+
+	assert.Equal(t, "tenant_xyz", claims["x-tenant-id"])
+}

services/identity/connector/connector.go

@@ -0,0 +1,205 @@
+// Package connector implements a local Dex password connector that validates
+// credentials directly against the identity domain layer without a network hop.
+//
+// Dex supports pluggable connectors via the connector.PasswordConnector interface.
+// Since Meridian runs Dex in the same process (or tightly coupled), this connector
+// bypasses HTTP/gRPC overhead by calling the domain repository directly.
+//
+// The connector:
+//   - Resolves the tenant from context metadata (set by the gateway from subdomain)
+//   - Looks up the identity by email within that tenant scope
+//   - Validates the password using bcrypt via the credentials package
+//   - Checks account status (locked, suspended, pending invite → reject)
+//   - Queries active role assignments and maps them to Dex groups
+//   - Returns a connector.Identity with groups populated for JWT claim injection
+package connector
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/meridianhub/meridian/services/identity/domain"
+	"github.com/meridianhub/meridian/shared/pkg/credentials"
+	"github.com/meridianhub/meridian/shared/platform/tenant"
+)
+
+// Identity represents the result of a successful authentication, compatible with
+// Dex's connector.Identity shape. Groups are populated with the identity's active roles
+// and are injected into the JWT as the "groups" claim by Dex.
+type Identity struct {
+	// UserID is the stable identifier for the user (UUID string).
+	UserID string
+	// Username is the display name, defaulting to email if not set.
+	Username string
+	// Email is the verified email address.
+	Email string
+	// EmailVerified indicates whether the email has been verified.
+	EmailVerified bool
+	// Groups contains active role assignments, used to populate JWT group claims.
+	Groups []string
+	// ConnectorData is opaque bytes stored by Dex for refresh token support.
+	ConnectorData []byte
+}
+
+// LoginResult is returned by Login to convey both success state and the identity.
+type LoginResult struct {
+	Identity Identity
+	// Valid is true when authentication succeeded.
+	Valid bool
+}
+
+// PasswordConnector validates username/password credentials.
+// This interface mirrors Dex's connector.PasswordConnector to keep the implementation
+// decoupled from the Dex library (which is not a declared Go module dependency).
+type PasswordConnector interface {
+	// Login validates credentials and returns the identity on success.
+	// valid is false when credentials are incorrect without an underlying error.
+	Login(ctx context.Context, scopes []string, username, password string) (identity Identity, valid bool, err error)
+}
+
+// ErrRepositoryNil is returned by New when a nil repository is provided.
+var ErrRepositoryNil = errors.New("connector: repository must not be nil")
+
+// Connector is the local implementation of PasswordConnector.
+// It performs credential validation and role resolution directly against the
+// identity domain repository, avoiding any network hop.
+type Connector struct {
+	repo   domain.Repository
+	logger *slog.Logger
+}
+
+// New creates a Connector with the given repository. If logger is nil a default
+// JSON logger writing to stdout is used.
+func New(repo domain.Repository, logger *slog.Logger) (*Connector, error) {
+	if repo == nil {
+		return nil, ErrRepositoryNil
+	}
+	if logger == nil {
+		logger = slog.New(slog.NewJSONHandler(os.Stdout, nil))
+	}
+	return &Connector{repo: repo, logger: logger}, nil
+}
+
+// Login validates the supplied username (email) and password against the identity
+// domain within the tenant derived from ctx.
+//
+// Returns:
+//   - (identity, true, nil) on success
+//   - (zero, false, nil) when credentials are simply wrong (no programming error)
+//   - (zero, false, err) only for unexpected infrastructure errors
+func (c *Connector) Login(ctx context.Context, _ []string, username, password string) (Identity, bool, error) {
+	tenantID, err := tenant.RequireFromContext(ctx)
+	if err != nil {
+		c.logger.ErrorContext(ctx, "connector: tenant context missing during login",
+			"error", err)
+		return Identity{}, false, fmt.Errorf("connector: %w", err)
+	}
+
+	identity, err := c.repo.FindByEmail(ctx, username)
+	if err != nil {
+		if errors.Is(err, domain.ErrIdentityNotFound) {
+			c.logger.InfoContext(ctx, "connector: identity not found",
+				"tenant_id", tenantID)
+			return Identity{}, false, nil
+		}
+		c.logger.ErrorContext(ctx, "connector: repository error looking up identity",
+			"tenant_id", tenantID,
+			"username", username,
+			"error", err)
+		return Identity{}, false, fmt.Errorf("connector: lookup identity: %w", err)
+	}
+
+	// Reject non-active accounts before any password check.
+	switch identity.Status() {
+	case domain.IdentityStatusLocked:
+		c.logger.InfoContext(ctx, "connector: login rejected — account locked",
+			"tenant_id", tenantID,
+			"identity_id", identity.ID())
+		return Identity{}, false, nil
+	case domain.IdentityStatusSuspended:
+		c.logger.InfoContext(ctx, "connector: login rejected — account suspended",
+			"tenant_id", tenantID,
+			"identity_id", identity.ID())
+		return Identity{}, false, nil
+	case domain.IdentityStatusPendingInvite:
+		c.logger.InfoContext(ctx, "connector: login rejected — account not yet activated",
+			"tenant_id", tenantID,
+			"identity_id", identity.ID())
+		return Identity{}, false, nil
+	case domain.IdentityStatusActive:
+		// valid — proceed to password verification
+	default:
+		c.logger.WarnContext(ctx, "connector: login rejected — unknown account status",
+			"tenant_id", tenantID,
+			"identity_id", identity.ID(),
+			"status", identity.Status())
+		return Identity{}, false, nil
+	}
+
+	if err := credentials.ValidatePassword(password, identity.PasswordHash()); err != nil {
+		// Record the failed attempt; best-effort — do not surface save errors to caller.
+		_ = identity.RecordLoginAttempt(false)
+		if saveErr := c.repo.Save(ctx, identity); saveErr != nil {
+			c.logger.ErrorContext(ctx, "connector: failed to persist failed login attempt",
+				"identity_id", identity.ID(),
+				"error", saveErr)
+		}
+		c.logger.InfoContext(ctx, "connector: invalid password",
+			"tenant_id", tenantID,
+			"identity_id", identity.ID())
+		return Identity{}, false, nil
+	}
+
+	// Record successful login; best-effort.
+	_ = identity.RecordLoginAttempt(true)
+	if saveErr := c.repo.Save(ctx, identity); saveErr != nil {
+		c.logger.ErrorContext(ctx, "connector: failed to persist successful login",
+			"identity_id", identity.ID(),
+			"error", saveErr)
+	}
+
+	// Resolve active role assignments → Dex groups.
+	groups, err := c.activeRoles(ctx, identity)
+	if err != nil {
+		// Non-fatal: log and proceed with empty groups rather than denying login.
+		c.logger.ErrorContext(ctx, "connector: failed to load role assignments",
+			"identity_id", identity.ID(),
+			"error", err)
+		groups = []string{}
+	}
+
+	connIdentity := Identity{
+		UserID:        identity.ID().String(),
+		Username:      identity.Email(),
+		Email:         identity.Email(),
+		EmailVerified: true,
+		Groups:        groups,
+	}
+
+	c.logger.InfoContext(ctx, "connector: login successful",
+		"tenant_id", tenantID,
+		"identity_id", identity.ID(),
+		"roles", groups)
+
+	return connIdentity, true, nil
+}
+
+// activeRoles returns the string role names for all non-revoked, non-expired
+// role assignments associated with the given identity.
+func (c *Connector) activeRoles(ctx context.Context, identity *domain.Identity) ([]string, error) {
+	assignments, err := c.repo.FindRoleAssignments(ctx, identity.ID())
+	if err != nil {
+		return nil, fmt.Errorf("find role assignments: %w", err)
+	}
+
+	roles := make([]string, 0, len(assignments))
+	for _, a := range assignments {
+		if a.IsActive() {
+			roles = append(roles, string(a.Role()))
+		}
+	}
+	return roles, nil
+}