feat(authz): introduce conditional access control via CEL (#4040)

pkg/cel/claim_processor.go

@@ -19,6 +19,9 @@ const defaultUsernameExpr = "claims.iss + '/' + claims.sub"
 type ClaimResult struct {
 	Username string
 	Groups   []string
+	// Claims is the raw OIDC claim set. Carried through so authorization-time
+	// CEL expressions can reference token claims directly via `req.claims`.
+	Claims map[string]any
 }
 
 // ClaimProcessor processes OIDC claims using CEL expressions.
@@ -206,6 +209,7 @@ func (c *ClaimProcessor) Process(ctx context.Context, claims map[string]any) (*C
 	return &ClaimResult{
 		Username: username,
 		Groups:   groups,
+		Claims:   claims,
 	}, nil
 }
 

pkg/cel/expression.go

@@ -55,6 +55,19 @@ func WithStructVariables(vars ...string) Option {
 	}
 }
 
+// WithDynMapVariables declares variables of type map<string, dyn>. Unlike
+// google.protobuf.Struct (JSON-shape only), values in a dyn-valued map carry
+// their natural CEL type, so a Go time.Time at evaluation time surfaces as a
+// CEL timestamp and can be compared with timestamp(...) directly.
+func WithDynMapVariables(vars ...string) Option {
+	return func(o *options) {
+		for _, v := range vars {
+			d := cel.Variable(v, cel.MapType(cel.StringType, cel.DynType))
+			o.variables = append(o.variables, d)
+		}
+	}
+}
+
 // WithCompile specifies that the expression should be compiled,
 // which provides stricter checks at parse time, before evaluation.
 func WithCompile() Option {