defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
  @moduledoc """
  Policy check that passes only when the action runs as part of OIDC role sync.

  The check reads `context.private.oidc_role_sync` from the authorizer and
  passes only when that value is exactly `true`. It is used to allow the
  internal `set_role_from_oidc_sync` action only when called by
  `Mv.OidcRoleSync`, which sets the flag when performing the update.

  The actor is ignored: the context flag alone decides the outcome, so the
  check is only as strong as the guarantee that no other caller can place
  `oidc_role_sync: true` under the `:private` context key.
  """

  use Ash.Policy.SimpleCheck

  @impl true
  def describe(_opts) do
    "called from OIDC role sync (context.private.oidc_role_sync)"
  end

  # NOTE(review): this reads the `:context` key of the second argument; confirm
  # that this is where the caller-set private context surfaces, and that
  # externally supplied context cannot populate `:private`.
  @impl true
  def match?(_actor, authorizer, _opts) do
    # A missing, nil or false :context becomes an empty map, so the lookup
    # below yields nil and the check fails closed.
    context =
      case Map.get(authorizer, :context) do
        absent when absent in [nil, false] -> %{}
        present -> present
      end

    # Strict comparison: truthy values other than `true` do not pass.
    sync_flag = get_in(context, [:private, :oidc_role_sync])
    sync_flag == true
  end
end