From bb8c68a5caee6447e50b54648dc71964d03bf6a2 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:21:28 +0200
Subject: [PATCH] feat: seed claim mapping rules in bootstrap after OIDC config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After configuring the server's OIDC settings, the bootstrap now seeds claim mapping rules so Logto roles (server:admin, server:operator) map to server RBAC roles (ADMIN, OPERATOR) automatically. Rules are idempotent — existing mappings are checked by matchValue before creating.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/logto-bootstrap.sh | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 73da618..191898e 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -591,6 +591,31 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
 }")
 log "OIDC config response: $(echo "$OIDC_RESPONSE" | head -c 200)"
 log "cameleer3-server OIDC configured."
+
+ # Seed claim mapping rules (roles → server RBAC)
+ log "Seeding claim mapping rules..."
+ EXISTING_MAPPINGS=$(curl -s -H "Authorization: Bearer $SERVER_TOKEN" \
+ "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" 2>/dev/null || echo "[]")
+
+ seed_claim_mapping() {
+ local match_value="$1"
+ local target="$2"
+ local priority="$3"
+ local exists=$(echo "$EXISTING_MAPPINGS" | jq -r ".[] | select(.matchValue == \"$match_value\") | .id")
+ if [ -n "$exists" ]; then
+ log " Claim mapping '$match_value' → $target exists"
+ else
+ local resp=$(curl -s -X POST "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" \
+ -H "Authorization: Bearer $SERVER_TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "{\"claim\":\"roles\",\"matchType\":\"contains\",\"matchValue\":\"$match_value\",\"action\":\"assignRole\",\"target\":\"$target\",\"priority\":$priority}")
+ log " Created claim mapping '$match_value' → $target"
+ fi
+ }
+
+ seed_claim_mapping "server:admin" "ADMIN" 10
+ seed_claim_mapping "server:operator" "OPERATOR" 20
+ log "Claim mapping rules seeded."
 else
 log "WARNING: Could not login to cameleer3-server — skipping OIDC config"
 fi
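Review bot: `log " Created claim mapping '$match_value' → $target"` in seed_claim_mapping runs whether or not the POST succeeded — `resp` is captured and never inspected, and `curl -s` without `-f` exits 0 on HTTP 4xx/5xx, so a rule the server rejected (expired token, validation error) is logged as created and nothing surfaces it. The same gap sits in the GET that fills `EXISTING_MAPPINGS`: `|| echo "[]"` only fires on a transport failure, so a non-JSON error body makes `jq` emit nothing, `exists` stays empty and every run re-POSTs the rules, which undercuts the idempotency the commit message promises; adding `-f` to that curl line is enough to make the fallback fire on HTTP errors too. For the POST side, branch on curl's status instead of discarding the body, as in the fence below. While there, `local exists=$(...)` and `local resp=$(...)` mask the substitution's exit status (SC2155), and the lookup is more robust as `jq -r --arg v "$match_value" '.[] | select(.matchValue == $v) | .id'` than by interpolating the value into the filter string. The enclosing `if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]` block begins before this hunk.

```shell
# … unchanged: local declarations and the EXISTING_MAPPINGS lookup …
    else
        if curl -sf -o /dev/null -X POST "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" \
            -H "Authorization: Bearer $SERVER_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"claim\":\"roles\",\"matchType\":\"contains\",\"matchValue\":\"$match_value\",\"action\":\"assignRole\",\"target\":\"$target\",\"priority\":$priority}"; then
            log " Created claim mapping '$match_value' → $target"
        else
            log " WARNING: failed to create claim mapping '$match_value' → $target"
        fi
    fi
```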