stacklok
diff --git a/‎cmd/thv/app/client.go‎
Lines changed: 6 additions & 4 deletions b/‎cmd/thv/app/client.go‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎cmd/thv/app/common.go‎
Lines changed: 2 additions & 1 deletion b/‎cmd/thv/app/common.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cmd/thv/app/config.go‎
Lines changed: 2 additions & 1 deletion b/‎cmd/thv/app/config.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cmd/thv/app/otel.go‎
Lines changed: 28 additions & 14 deletions b/‎cmd/thv/app/otel.go‎
Lines changed: 28 additions & 14 deletions
diff --git a/‎cmd/thv/app/run_flags_test.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/thv/app/run_flags_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/api/v1/clients.go‎
Lines changed: 6 additions & 4 deletions b/‎pkg/api/v1/clients.go‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎pkg/api/v1/registry_test.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/api/v1/registry_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/api/v1/secrets.go‎
Lines changed: 2 additions & 1 deletion b/‎pkg/api/v1/secrets.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎pkg/authz/authorizers/cedar/core.go‎
Lines changed: 10 additions & 0 deletions b/‎pkg/authz/authorizers/cedar/core.go‎
Lines changed: 10 additions & 0 deletions
@@ -292,15 +292,16 @@ func registerClientsGlobally(
 ) error {
 	for _, clientToRegister := range clients {
 		// Update the global config to register the client
-		err := config.UpdateConfig(func(c *config.Config) {
+		err := config.UpdateConfig(func(c *config.Config) error {
 			for _, registeredClient := range c.Clients.RegisteredClients {
 				if registeredClient == string(clientToRegister.Name) {
 					slog.Debug(fmt.Sprintf("Client %s is already registered, skipping...", clientToRegister.Name))
-					return
+					return nil
 				}
 			}
 
 			c.Clients.RegisteredClients = append(c.Clients.RegisteredClients, string(clientToRegister.Name))
+			return nil
 		})
 		if err != nil {
 			return fmt.Errorf("failed to update configuration for client %s: %w", clientToRegister.Name, err)
@@ -411,15 +412,16 @@ func removeClientGlobally(
 	}
 
 	// Remove client from global registered clients list
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		for i, registeredClient := range c.Clients.RegisteredClients {
 			if registeredClient == string(clientToRemove.Name) {
 				// Remove client from slice
 				c.Clients.RegisteredClients = append(c.Clients.RegisteredClients[:i], c.Clients.RegisteredClients[i+1:]...)
 				slog.Debug(fmt.Sprintf("Successfully unregistered client: %s", clientToRemove.Name))
-				return
+				return nil
 			}
 		}
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration for client %s: %w", clientToRemove.Name, err)
 
@@ -78,9 +78,10 @@ func SetSecretsProvider(ctx context.Context, provider secrets.ProviderType) erro
 	}
 
 	// Update the secrets provider type and mark setup as completed
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.Secrets.ProviderType = string(provider)
 		c.Secrets.SetupCompleted = true
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
 
@@ -344,8 +344,9 @@ func usageMetricsCmdFunc(_ *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid argument: %s (expected 'enable' or 'disable')", action)
 	}
 
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.DisableUsageMetrics = disable
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
 
@@ -235,8 +235,9 @@ func setOtelEndpointCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.Endpoint = endpoint
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -269,8 +270,9 @@ func unsetOtelEndpointCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.Endpoint = ""
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -292,8 +294,9 @@ func setOtelSamplingRateCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.SamplingRate = rate
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -326,8 +329,9 @@ func unsetOtelSamplingRateCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.SamplingRate = 0.0
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -346,8 +350,9 @@ func setOtelEnvVarsCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.EnvVars = vars
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -380,8 +385,9 @@ func unsetOtelEnvVarsCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.EnvVars = []string{}
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -398,8 +404,9 @@ func setOtelMetricsEnabledCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.MetricsEnabled = &enabled
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -428,8 +435,9 @@ func unsetOtelMetricsEnabledCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.MetricsEnabled = nil
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -446,8 +454,9 @@ func setOtelTracingEnabledCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.TracingEnabled = &enabled
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -476,8 +485,9 @@ func unsetOtelTracingEnabledCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.TracingEnabled = nil
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -494,8 +504,9 @@ func setOtelInsecureCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.Insecure = enabled
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -523,8 +534,9 @@ func unsetOtelInsecureCmdFunc(_ *cobra.Command, _ []string) error {
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.Insecure = false
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -541,8 +553,9 @@ func setOtelEnablePrometheusMetricsPathCmdFunc(_ *cobra.Command, args []string)
 	}
 
 	// Update the configuration
-	err = config.UpdateConfig(func(c *config.Config) {
+	err = config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.EnablePrometheusMetricsPath = enabled
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
@@ -570,8 +583,9 @@ func unsetOtelEnablePrometheusMetricsPathCmdFunc(_ *cobra.Command, _ []string) e
 	}
 
 	// Update the configuration
-	err := config.UpdateConfig(func(c *config.Config) {
+	err := config.UpdateConfig(func(c *config.Config) error {
 		c.OTEL.EnablePrometheusMetricsPath = false
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
 
@@ -43,7 +43,7 @@ func createTestConfigProvider(t *testing.T, cfg *config.Config) (config.Provider
 
 	// Write the config file if one is provided
 	if cfg != nil {
-		err = provider.UpdateConfig(func(c *config.Config) { *c = *cfg })
+		err = provider.UpdateConfig(func(c *config.Config) error { *c = *cfg; return nil })
 		require.NoError(t, err)
 	}
 
 
@@ -351,15 +351,16 @@ func (c *ClientRoutes) performClientRegistration(ctx context.Context, clients []
 	} else {
 		// We should never reach this point once groups are enabled
 		for _, clientToRegister := range clients {
-			err := config.UpdateConfig(func(c *config.Config) {
+			err := config.UpdateConfig(func(c *config.Config) error {
 				for _, registeredClient := range c.Clients.RegisteredClients {
 					if registeredClient == string(clientToRegister.Name) {
 						slog.Debug("client already registered, skipping", "client", clientToRegister.Name)
-						return
+						return nil
 					}
 				}
 
 				c.Clients.RegisteredClients = append(c.Clients.RegisteredClients, string(clientToRegister.Name))
+				return nil
 			})
 			if err != nil {
 				return fmt.Errorf("failed to update configuration for client %s: %w", clientToRegister.Name, err)
@@ -459,15 +460,16 @@ func (c *ClientRoutes) removeClientGlobally(
 
 	// Remove clients from global registered clients list
 	for _, clientToRemove := range clients {
-		err := config.UpdateConfig(func(c *config.Config) {
+		err := config.UpdateConfig(func(c *config.Config) error {
 			for i, registeredClient := range c.Clients.RegisteredClients {
 				if registeredClient == string(clientToRemove.Name) {
 					// Remove client from slice
 					c.Clients.RegisteredClients = append(c.Clients.RegisteredClients[:i], c.Clients.RegisteredClients[i+1:]...)
 					slog.Debug("successfully unregistered client", "client", clientToRemove.Name)
-					return
+					return nil
 				}
 			}
+			return nil
 		})
 		if err != nil {
 			return fmt.Errorf("failed to update configuration for client %s: %w", clientToRemove.Name, err)
 
@@ -41,7 +41,7 @@ func CreateTestConfigProvider(t *testing.T, cfg *config.Config) (config.Provider
 
 	// Write the config file if one is provided
 	if cfg != nil {
-		err = provider.UpdateConfig(func(c *config.Config) { *c = *cfg })
+		err = provider.UpdateConfig(func(c *config.Config) error { *c = *cfg; return nil })
 		require.NoError(t, err)
 	}
 
 
@@ -182,9 +182,10 @@ func (s *SecretsRoutes) setupSecretsProvider(w http.ResponseWriter, r *http.Requ
 	}
 
 	// Update the secrets provider type and mark setup as completed
-	err := s.configProvider.UpdateConfig(func(c *config.Config) {
+	err := s.configProvider.UpdateConfig(func(c *config.Config) error {
 		c.Secrets.ProviderType = string(providerType)
 		c.Secrets.SetupCompleted = true
+		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to update configuration: %w", err)
 
@@ -164,6 +164,9 @@ type Authorizer struct {
 	// groupClaimName is the JWT claim key that contains group membership.
 	// When empty, the well-known defaults are checked ("groups", "roles", etc.).
 	groupClaimName string
+	// roleClaimName is the JWT claim key that contains role membership.
+	// When empty, no role extraction is performed (backward compatible).
+	roleClaimName string
 	// claimKeyLog rate-limits the diagnostic log of resolved JWT claim keys
 	// so it emits at most once per 30 seconds instead of once per authorization check.
 	claimKeyLog *syncutil.AtMost
@@ -189,6 +192,12 @@ type ConfigOptions struct {
 	// under a URI-style claim (e.g. "https://example.com/groups" in Auth0/Okta).
 	// When empty, only the well-known claim names are checked.
 	GroupClaimName string `json:"group_claim_name,omitempty" yaml:"group_claim_name,omitempty"`
+
+	// RoleClaimName is the JWT claim key that contains role membership for the
+	// principal. When set, the claim is extracted separately from GroupClaimName
+	// and both are mapped to Cedar THVGroup entities.
+	// When empty, no role extraction is performed (backward compatible).
+	RoleClaimName string `json:"role_claim_name,omitempty" yaml:"role_claim_name,omitempty"`
 }
 
 // NewCedarAuthorizer creates a new Cedar authorizer.
@@ -199,6 +208,7 @@ func NewCedarAuthorizer(options ConfigOptions) (authorizers.Authorizer, error) {
 		entityFactory:           NewEntityFactory(),
 		primaryUpstreamProvider: options.PrimaryUpstreamProvider,
 		groupClaimName:          options.GroupClaimName,
+		roleClaimName:           options.RoleClaimName,
 		claimKeyLog:             syncutil.NewAtMost(30 * time.Second),
 	}
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func createTestConfigProvider(t testing.T, cfg config.Config) (config.Provider`
`43`	`43`
`44`	`44`	`// Write the config file if one is provided`
`45`	`45`	`if cfg != nil {`
`46`		`- err = provider.UpdateConfig(func(c config.Config) { c = *cfg })`
	`46`	`+ err = provider.UpdateConfig(func(c config.Config) error { c = *cfg; return nil })`
`47`	`47`	`require.NoError(t, err)`
`48`	`48`	`}`
`49`	`49`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ func CreateTestConfigProvider(t testing.T, cfg config.Config) (config.Provider`
`41`	`41`
`42`	`42`	`// Write the config file if one is provided`
`43`	`43`	`if cfg != nil {`
`44`		`- err = provider.UpdateConfig(func(c config.Config) { c = *cfg })`
	`44`	`+ err = provider.UpdateConfig(func(c config.Config) error { c = *cfg; return nil })`
`45`	`45`	`require.NoError(t, err)`
`46`	`46`	`}`
`47`	`47`