Add KeyResolver for transaction context to credential key mapping #56
Merged
arnaugiralt merged 5 commits into master from Mar 9, 2026
Introduce the KeyResolver interface for mapping transaction context to credential keys, and the ResolveFromContext shared helper that providers call instead of reading tx.Data directly. The helper implements a strict fallback chain: tx.Data override → resolver → error. Malformed overrides never fall through to the resolver (fail-strict). Also adds ErrNoMappingMatch sentinel for StaticMapping (next commit).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Declarative rule table that maps transaction context fields to credential keys using glob patterns. Rules are ranked by specificity (most non-empty fields wins); ties are broken by registration order with a warning log. No match returns ErrNoMappingMatch (fail-closed by design).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
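The ranking described in this commit message, as an added example that is not code from this pull request. `Rule`, `specificity`, `fieldMatches` and `resolveKey` are hypothetical names, `path.Match` stands in for the project's glob matcher, and the rules are constructed sample data; only `ErrNoMappingMatch` is named on the page.

```go
package main

import "errors"
import "fmt"
import "path"

// ErrNoMappingMatch is the sentinel named in the PR; the rest is a hypothetical sketch.
var ErrNoMappingMatch = errors.New("no mapping rule matched")
// Rule maps context fields to a credential key; an empty pattern matches anything.
type Rule struct{ VendorID, MarketplaceID, Key string }

// specificity counts non-empty fields: more constrained rules outrank broader ones.
func specificity(r Rule) (n int) {
	for _, p := range []string{r.VendorID, r.MarketplaceID} {
		if p != "" {
			n++
		}
	}
	return n
}

func fieldMatches(pattern, value string) bool {
	ok, err := path.Match(pattern, value) // glob semantics assumed; a bad pattern never matches
	return pattern == "" || (err == nil && ok)
}

// resolveKey returns the key of the most specific matching rule; earlier rules win ties.
func resolveKey(rules []Rule, vendorID, marketplaceID string) (string, error) {
	best := -1
	for i, r := range rules {
		if !fieldMatches(r.VendorID, vendorID) || !fieldMatches(r.MarketplaceID, marketplaceID) {
			continue
		}
		if best < 0 || specificity(r) > specificity(rules[best]) {
			best = i
		}
	}
	if best < 0 {
		return "", ErrNoMappingMatch // fail closed: no default credential is chosen
	}
	return rules[best].Key, nil
}

func main() {
	rules := []Rule{ // constructed sample rules
		{VendorID: "VA-*", Key: "tenant-a"},
		{VendorID: "VA-*", MarketplaceID: "MP-EU-*", Key: "tenant-eu"},
	}
	fmt.Println(resolveKey(rules, "VA-7", "MP-EU-2"))
}
```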
Replace extractString with ResolveFromContext in RefreshTokenSource. TenantID is now resolved via tx.Data override → KeyResolver → error. Resource remains required in tx.Data (per-request concern, nil resolver). The validTenantID regex check runs after resolution regardless of source, preventing path traversal from both tx.Data and resolver values.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
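The fail-strict chain and the post-resolution check from the commit messages above, as an added example that is not code from this pull request. `Tx`, `resolverFunc`, `resolveFromContext`, `tenantFor` and the GUID-shaped regex are assumptions (the module's real signatures and pattern are not on the page), and the inputs are constructed.

```go
package main

import "fmt"
import "regexp"

// Tx and KeyResolver are hypothetical stand-ins, not the module's real definitions.
type Tx struct {
	VendorID string
	Data     map[string]interface{}
}
type KeyResolver interface{ ResolveKey(Tx) (string, error) }
type resolverFunc func(Tx) (string, error)

func (f resolverFunc) ResolveKey(tx Tx) (string, error) { return f(tx) }

// Assumed GUID-shaped pattern; the project's validTenantID regex is not shown on the page.
var validTenantID = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// resolveFromContext applies the chain: tx.Data override -> resolver -> error.
func resolveFromContext(tx Tx, field string, r KeyResolver) (string, error) {
	if raw, present := tx.Data[field]; present {
		s, ok := raw.(string)
		if !ok || s == "" {
			// Fail-strict: a malformed override is an error, never a fall-through.
			return "", fmt.Errorf("malformed %s override in tx.Data", field)
		}
		return s, nil
	}
	if r == nil {
		return "", fmt.Errorf("%s absent from tx.Data and no resolver configured", field)
	}
	return r.ResolveKey(tx)
}

// tenantFor validates after resolution, so both sources pass the same check.
func tenantFor(tx Tx, r KeyResolver) (string, error) {
	id, err := resolveFromContext(tx, "TenantID", r)
	if err != nil {
		return "", err
	}
	if !validTenantID.MatchString(id) {
		return "", fmt.Errorf("tenant ID %q failed format validation", id)
	}
	return id, nil
}

func main() {
	bad := resolverFunc(func(Tx) (string, error) { return "../other-tenant", nil })
	fmt.Println(tenantFor(Tx{VendorID: "VA-000-001"}, bad)) // rejected by the format check
}
```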
Update contrib-plugins reference with KeyResolver interface, ResolveFromContext helper, StaticMapping API, and MappingRule fields. Update Microsoft SAM tutorial with resolver guidance in "Going further". Update onboarding guide with KeyResolver cross-reference.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…r-request
Move tie-breaking warning from ResolveKey (per-request hot path) to NewStaticMapping (construction time), matching the pattern established for Mux.Handle in PR #48. Add rulesMayOverlap heuristic that reuses the existing fieldsMayOverlap/containsGlob helpers from mux.go. Disjoint literal values (e.g., "EU-germany" vs "US-east") are recognized as non-overlapping and do not trigger a warning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
qarlosh approved these changes Mar 9, 2026
Summary

Adds a KeyResolver abstraction that lets providers resolve credential keys (e.g., tenant IDs) from standard transaction context fields instead of requiring explicit overrides in tx.Data on every request.

- KeyResolver interface + ResolveFromContext helper with strict fallback chain: tx.Data override → resolver → error. Malformed overrides never fall through (fail-strict).
- StaticMapping built-in implementation: declarative rule table with glob patterns, specificity ranking, and fail-closed on no match. Ambiguous rules (equal specificity, overlapping patterns) are detected and warned at construction time — no per-request overhead.
- microsoft.RefreshTokenSource — TenantID is now resolvable via KeyResolver when absent from tx.Data. Resource remains required in tx.Data (per-request concern). validTenantID regex runs regardless of source.

Motivation

The Connect platform only sends explicit credential keys (like TenantID) in context data when a connector overrides them. Most requests carry only standard fields (VendorID, MarketplaceID, etc.). Without a resolver, every request must include TenantID — a requirement that doesn't match real-world usage.

Design

Follows the module's existing pattern: interface + built-in implementation, optional in Config.

TokenStore interface | KeyResolver interface
FileStore built-in impl | StaticMapping built-in impl
KeyResolver in Config, optional

Changes from review

- cae15f2): StaticMapping now detects overlapping rule pairs at construction time using the same fieldsMayOverlap heuristic as Mux.Handle (PR feat(contrib): add reusable auth building blocks and request multiplexer #48 precedent). Per-request tie-breaking warning removed from ResolveKey — hot path is allocation-free. Disjoint literal values are recognized as non-overlapping and do not warn.

Test plan

- ResolveFromContext unit tests: present/absent/malformed values, resolver delegation, error propagation
- StaticMapping unit tests: specificity ranking, glob matching, tie-breaking, catch-all, empty key panic, no-match error
- StaticMapping overlap detection: glob overlap warns at startup, disjoint literals no warning, different specificity no warning
- TenantID absent, tx.Data overrides resolver, malformed data errors with resolver configured, no resolver no data errors, resolver error propagated, path traversal rejected from resolver
- make test-race passes
- make lint passes