From bd78207060cb879c5604fc292d1e0cd2192cd8ae Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 23:07:30 +0200
Subject: [PATCH] feat: add claim mapping rules table and origin tracking to RBAC assignments

- Add origin and mapping_id columns to user_roles and user_groups
- Create claim_mapping_rules table with match_type and action constraints
- Update primary keys to include origin column
- Add indexes for fast managed assignment cleanup

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../db/migration/V2__claim_mapping.sql | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 cameleer3-server-app/src/main/resources/db/migration/V2__claim_mapping.sql

diff --git a/cameleer3-server-app/src/main/resources/db/migration/V2__claim_mapping.sql b/cameleer3-server-app/src/main/resources/db/migration/V2__claim_mapping.sql
new file mode 100644
index 00000000..8ce903f0
--- /dev/null
+++ b/cameleer3-server-app/src/main/resources/db/migration/V2__claim_mapping.sql
@@ -0,0 +1,39 @@
+-- V2__claim_mapping.sql
+-- Add origin tracking to assignment tables
+
+ALTER TABLE user_roles ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';
+ALTER TABLE user_roles ADD COLUMN mapping_id UUID;
+
+ALTER TABLE user_groups ADD COLUMN origin TEXT NOT NULL DEFAULT 'direct';
+ALTER TABLE user_groups ADD COLUMN mapping_id UUID;
+
+-- Drop old primary keys (they don't include origin)
+ALTER TABLE user_roles DROP CONSTRAINT user_roles_pkey;
+ALTER TABLE user_roles ADD PRIMARY KEY (user_id, role_id, origin);
+
+ALTER TABLE user_groups DROP CONSTRAINT user_groups_pkey;
+ALTER TABLE user_groups ADD PRIMARY KEY (user_id, group_id, origin);
+
+-- Claim mapping rules table
+CREATE TABLE claim_mapping_rules (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ claim TEXT NOT NULL,
+ match_type TEXT NOT NULL,
+ match_value TEXT NOT NULL,
+ action TEXT NOT NULL,
+ target TEXT NOT NULL,
+ priority INT NOT NULL DEFAULT 0,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+ CONSTRAINT chk_match_type CHECK (match_type IN ('equals', 'contains', 'regex')),
+ CONSTRAINT chk_action CHECK (action IN ('assignRole', 'addToGroup'))
+);
+
+-- Foreign key from assignments to mapping rules
+ALTER TABLE user_roles ADD CONSTRAINT fk_user_roles_mapping
+ FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;
+ALTER TABLE user_groups ADD CONSTRAINT fk_user_groups_mapping
+ FOREIGN KEY (mapping_id) REFERENCES claim_mapping_rules(id) ON DELETE CASCADE;
+
+-- Index for fast managed assignment cleanup
+CREATE INDEX idx_user_roles_origin ON user_roles(user_id, origin);
+CREATE INDEX idx_user_groups_origin ON user_groups(user_id, origin);
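Review bot: Nothing ties `origin` to `mapping_id` on `user_roles` or `user_groups`, so a row can carry `origin = 'direct'` together with a `mapping_id`, or a non-direct origin with `mapping_id` NULL; the latter is never reached by the `ON DELETE CASCADE` cleanup and would leave a claim-derived role or group membership in place after its rule is deleted. A check in the same style as `chk_match_type` closes that gap, e.g. `ALTER TABLE user_roles ADD CONSTRAINT chk_user_roles_origin_mapping CHECK ((origin = 'direct') = (mapping_id IS NULL));`, mirrored on `user_groups`; `origin` itself is also unconstrained TEXT while the other enumerated columns get `CHECK ... IN (...)`, so the permitted origin values (only `'direct'` is visible in this hunk) deserve the same treatment. Separately, `mapping_id` is the referencing column of both cascading foreign keys but is not indexed — `idx_user_roles_origin` and `idx_user_groups_origin` cover `(user_id, origin)` — so every rule deletion scans both assignment tables; `CREATE INDEX idx_user_roles_mapping_id ON user_roles(mapping_id);` and its `user_groups` twin are the usual fix. `DROP CONSTRAINT user_roles_pkey` and `user_groups_pkey` also assume the earlier migration left the default constraint names, which cannot be confirmed from this hunk.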