feat: [OCISDEV-226] Allow wildcards in role assignments (#11663)

* feat: [OCISDEV-226] Allow wildcards in role assignments

* Update services/proxy/README.md

Co-authored-by: Martin <[email protected]>

---------

Co-authored-by: Martin <[email protected]>

Author: 2403905

services/proxy/README.md

@@ -205,6 +205,35 @@ role_assignment:
 This would assign the role `admin` to users with the value `myAdminRole` in the claim `ocisRoles`.
 The role `user` to users with the values `myUserRole` in the claims `ocisRoles` and so on.
 
+#### Wildcard/Regex Claim Matching
+
+The `claim_value` supports exact strings and regular expressions to map multiple claim values to a single role. Regexes are matched against the entire claim value (implicit start/end anchors).
+
+Examples:
+
+```yaml
+role_assignment:
+  driver: oidc
+  oidc_role_mapper:
+    role_claim: ocisRoles
+    role_mapping:
+      # exact match
+      - role_name: user
+        claim_value: ocisUser
+
+      # regex: match any value starting with "ocis-user-"
+      - role_name: user-light
+        claim_value: ocis-user-.*
+
+      # regex: single alphanumeric suffix
+      - role_name: guest
+        claim_value: ocis-guest-[a-zA-Z0-9]
+```
+
+Note: Regex patterns are treated as full matches. Typically you don't need `^` or `$`.
+If a `claim_value` is an invalid regex, it only matches claim values that are exactly equal; otherwise it's ignored.
+Ordering still applies, and the first matching mapping wins.
+
 Claim values that are not mapped to a specific ownCloud Infinite Scale role will be ignored.
 
 Note: An ownCloud Infinite Scale user can only have a single role assigned. If the configured

services/proxy/pkg/userroles/oidcroles.go

@@ -3,6 +3,7 @@ package userroles
 import (
 	"context"
 	"errors"
+	"regexp"
 	"sync"
 	"time"
 
@@ -69,6 +70,28 @@ func extractRoles(rolesClaim string, claims map[string]interface{}) (map[string]
 	return claimRoles, nil
 }
 
+// matchesClaimMapping returns true if the provided mapping pattern matches at least
+// one of the values present in claimRoles. It supports:
+// - exact match when ClaimValue is a literal equal to a claim value
+// - regex match when ClaimValue is a regex pattern (e.g. "ocis-user-.*")
+// The regex is matched against the entire claim value, not a substring.
+func matchesClaimMapping(mappingValue string, claimRoles map[string]struct{}) bool {
+	if _, ok := claimRoles[mappingValue]; ok {
+		return true
+	}
+
+	rx, err := regexp.Compile("^(?:" + mappingValue + ")$")
+	if err != nil {
+		return false
+	}
+	for cr := range claimRoles {
+		if rx.MatchString(cr) {
+			return true
+		}
+	}
+	return false
+}
+
 // UpdateUserRoleAssignment assigns the role "User" to the supplied user. Unless the user
 // already has a different role assigned.
 func (ra oidcRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user *cs3.User, claims map[string]interface{}) (*cs3.User, error) {
@@ -96,7 +119,7 @@ func (ra oidcRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user *c
 	// pick the highest privileged role that matches a value from the claims
 	roleIDFromClaim := ""
 	for _, mapping := range ra.Options.roleMapping {
-		if _, ok := claimRoles[mapping.ClaimValue]; ok {
+		if matchesClaimMapping(mapping.ClaimValue, claimRoles) {
 			logger.Debug().Str("ocisRole", mapping.RoleName).Str("role id", roleNamesToRoleIDs[mapping.RoleName]).Msg("first matching role")
 			roleIDFromClaim = roleNamesToRoleIDs[mapping.RoleName]
 			break

services/proxy/pkg/userroles/oidcroles_test.go

@@ -118,3 +118,41 @@ func TestNoRoles(t *testing.T) {
 		t.Fatal("length of roles mut be 0")
 	}
 }
+
+func TestMatchesClaimMappingExact(t *testing.T) {
+	claimRoles := map[string]struct{}{
+		"ocis-user": {},
+	}
+	if !matchesClaimMapping("ocis-user", claimRoles) {
+		t.Fatal("expected exact match to succeed")
+	}
+	if matchesClaimMapping("admin", claimRoles) {
+		t.Fatal("expected non-matching literal to fail")
+	}
+}
+
+func TestMatchesClaimMappingRegex(t *testing.T) {
+	claimRoles := map[string]struct{}{
+		"ocis-user-1":   {},
+		"ocis-user-42":  {},
+		"ocis-user-lth": {},
+		"admin":         {},
+	}
+	if !matchesClaimMapping("ocis-user-.*", claimRoles) {
+		t.Fatal("expected regex match to succeed")
+	}
+	if !matchesClaimMapping("ocis-user-[a-zA-Z0-9]", claimRoles) {
+		t.Fatal("expected regex match to succeed")
+	}
+	if matchesClaimMapping("admin-.*", claimRoles) {
+		t.Fatal("expected regex match to fail for admin-.*")
+	}
+}
+
+func TestMatchesClaimMappingInvalidRegexFallsBackToExact(t *testing.T) {
+	claimRoles := map[string]struct{}{"ocis-user": {}}
+	// invalid regex pattern
+	if matchesClaimMapping("ocis-user[", claimRoles) {
+		t.Fatal("invalid regex should fall back to exact and not match")
+	}
+}