legion-crypt 1.4.13 → 1.4.14
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/lib/legion/crypt/kerberos_auth.rb +23 -6
- data/lib/legion/crypt/version.rb +1 -1
- metadata +1 -1
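--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 939ab01a7c1290816ca55ec819f24b7f92d74048d8e03f709e4b5dfa27777bcc
+data.tar.gz: 4695589ab361ab5f0be3abf5d5100ecf46f61a1cc3abf5985240769ba1a3a48e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d0385d55fd7fe6e0e6b7addff8c23cd7f1009fcc3e617c3dee3f998341c1efa6b96879224da517a414d13ba27fdcf9f5bf5c113f08ccd76112202a2915cb7a05
+data.tar.gz: b899bcb0f84e3bc0a895649fd698c53c254fe0645a9248b906edecb8adee1aeef0831fe59d113db0046522316c2c50462dd7fd3fa7ee5ef58338e6dc98cbcec4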
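--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Legion::Crypt
 
+## [1.4.14] - 2026-03-26
+
+### Fixed
+- Vault Kerberos auth: send SPNEGO token as HTTP `Authorization` header instead of JSON body (Vault plugin reads headers, not body)
+- Vault Kerberos auth: clear client namespace before auth request (Kerberos mount is at root namespace, not child)
+- Vault Kerberos auth: use `Vault::SecretAuth#renewable?` accessor (not `#renewable`)
+
 ## [1.4.13] - 2026-03-25
 
 ### Added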
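--- a/data/lib/legion/crypt/kerberos_auth.rb
+++ b/data/lib/legion/crypt/kerberos_auth.rb
@@ -43,17 +43,34 @@ module Legion
 end
 
 def exchange_token(vault_client, spnego_token, auth_path)
-
+# Kerberos auth is mounted at the root namespace. Temporarily
+# clear the client namespace so the request reaches the correct
+# mount path, then restore it for subsequent operations.
+saved_ns = vault_client.namespace
+vault_client.namespace = nil
+
+# The Vault Kerberos plugin reads the SPNEGO token from the HTTP
+# Authorization header, not the JSON body.
+json = vault_client.put(
+"/v1/#{auth_path}",
+'{}',
+'Authorization' => "Negotiate #{spnego_token}"
+)
+response = ::Vault::Secret.decode(json)
 raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth
 
+vault_client.namespace = saved_ns
+
+auth = response.auth
 {
-token:
-lease_duration:
-renewable:
-policies:
-metadata:
+token: auth.client_token,
+lease_duration: auth.lease_duration,
+renewable: auth.renewable?,
+policies: auth.policies,
+metadata: auth.metadata
 }
 rescue ::Vault::HTTPClientError => e
+vault_client.namespace = saved_ns if saved_ns
 raise AuthError, "Vault Kerberos auth failed: #{e.message}"
 end
 end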
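Review bot: The namespace restore at new line 62 is skipped when the `raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth` guard on the line before it fires, and the restore inside the `rescue` clause only covers `::Vault::HTTPClientError`, so any other failure between the clear and the restore (a server-side error, a connection error, a decode failure) leaves `vault_client` pointing at the root namespace for every later call made with it. Move the restore into an `ensure` clause on the method instead of duplicating it on the success path and in the rescue: drop both `vault_client.namespace = saved_ns` lines and add `ensure` / `vault_client.namespace = saved_ns` after the `raise AuthError, "Vault Kerberos auth failed: #{e.message}"` line. The `if saved_ns` guard in the rescue is unnecessary in any case, since restoring `nil` over `nil` changes nothing. If this client object is shared between threads, clearing its namespace in place also routes any concurrent request to the root namespace for the duration of the exchange; a client instance dedicated to the auth call would avoid that, if the surrounding code permits it. The enclosing `module Legion` opens outside the hunk.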
data/lib/legion/crypt/version.rb
CHANGED