Add a UserRoleAssigner implementation that extract role names from the
users' claims and creates role assignments in the settings service based
on a configured mapping of claim values to ocis role names.
Closes: #5669
This moves the lookup and the creation of the users' role assignemt out
of the user backend into its own interface. This makes the user backend
a bit simpler and allows to provide different implemenation for the user
role assignment more easily.
This removes the "withRoles" flag from the GetUserByClaims lookup and move the
functionality into a separate method. This should make the code a bit more readable
in preparation for maintaining the RoleAssignments from OIDC claims.
With 078698fdf4 the semantics of the
ListRoleAssignments Call in the settings service change. It no
no longer returns a "not found" error when there is not RoleAssignment
for a user. We'll just get an empty list as the result.
This changes the behaviour of the default role assignment to work with
the new semantics.
When using an external user management we need to allow users to self-assign
the default role. This adds an explicit check for that to the settings service.
This also means we no longer need to fiddle with the account id in the proxy
upon first login.
Fixes: #5045
