legion-rbac 0.2.0 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a4b81abbd8b47fb1b0809f98cfc4e070553af729984f9994e2b70708b70e1db
-  data.tar.gz: 29b556506bf933800fadc5af6837f325b65eca9924bc45b0c3b49521a487f750
+  metadata.gz: a3b1a79a9bbe7774bc480993840934423d224605950bcc02f8f0fc6fdd20e432
+  data.tar.gz: e29db0b20c25a9b885f82a997f80f687eb65311cf5c5422f4addb894a6c9a581
 SHA512:
-  metadata.gz: 79b92ac1e96706268e165c0b613bf506a18e56764e7a0da547a3c0096e49e5f8389193fc34350f70f858ab2eca638c9674ec8d70ed244bae7375c4a9d2504dc6
-  data.tar.gz: 00be7bf03360454dc126a73b0f65a66555ed4f56b5c16f8e82082f9bd93cacf82537e8bae173d6de85f1af41f43762e10f6ed0b2335f0f249bc04d71013de294
+  metadata.gz: '044709e04e2f671b76dfc645a254b11d870af45012d23b5ea514cbeec152cc248db09382a68496d74f0152b30984d2be49d9a9a4e4fa655074b0d6bf3636caa2'
+  data.tar.gz: 546da78bffd9f7fbf5bac8fd77f5bc649caca1eb15694dc93fdada82ac7e05fc250ee938cb99e8b14dbe8fca3a4f24cfe07d07cf529c4cebc14df88acca0049c

data/CHANGELOG.md

@@ -1,6 +1,35 @@
 # Changelog
 
-## [Unreleased]
+## [0.2.3] - 2026-03-20
+
+### Added
+- Emit `rbac.deny` event on access denial for safety metrics integration
+
+## [0.2.2] - 2026-03-18
+
+### Added
+- Organizational profile attributes on `Principal`: `title`, `department`, `company`, `city`, `state`, `country`, `country_code`, `cn`, `ad_created_at`
+- `Principal#profile` hash accessor for all extended identity attributes
+- `PROFILE_KEYS` constant defines the full set of identity/org fields
+- `define_method` generates individual accessors from `PROFILE_KEYS`
+
+### Changed
+- `Principal` constructor accepts `**extra` kwargs for profile fields (replaces individual keyword args)
+- `from_claims` iterates `PROFILE_KEYS` to extract all profile fields from claims
+- `KerberosClaimsMapper.map` uses `**profile` splat directly (passes all profile kwargs through)
+
+## [0.2.1] - 2026-03-18
+
+### Added
+- `samaccountname`, `ad_fqdn`, `first_name`, `last_name`, `email`, `display_name` attributes on `Principal`
+- `from_claims` extracts identity attributes from Kerberos claims
+- `KerberosClaimsMapper.map` emits `samaccountname` and `ad_fqdn` from principal, accepts `**profile` kwargs
+- `KerberosClaimsMapper.map_with_fallback` passes profile through to `map`
+
+### Changed
+- `KerberosClaimsMapper.map` now returns `.compact` hash (omits nil values)
+
+## [0.2.0] - 2026-03-17
 
 ### Added
 - `KerberosClaimsMapper` module: maps Kerberos principals and AD group memberships to Legion roles

data/CLAUDE.md

@@ -1,6 +1,8 @@
 # Legion::Rbac
 
 **Parent**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
+**GitHub**: https://github.com/LegionIO/legion-rbac
+**Version**: 0.2.2
 
 Optional RBAC gem for LegionIO. Vault-style flat policy model with deny-always-wins semantics.
 
@@ -46,7 +48,29 @@ lib/legion/rbac/kerberos_claims_mapper.rb # Kerberos principal + AD groups -> Le
 Two identity provider mappers convert external claims to Legion principals:
 
 - **EntraClaimsMapper**: Maps Entra ID `roles` and `groups` claims to Legion roles. Uses `module_function` pattern. Configurable `role_map` and `group_map` with `default_role` fallback.
-- **KerberosClaimsMapper**: Maps Kerberos principal (`user@REALM`) and AD group DNs to Legion roles. `map_with_fallback` tries LDAP groups first, falls back to Entra if configured. Injects `auth_method: 'kerberos'` for identity signal tracking in lex-identity.
+- **KerberosClaimsMapper**: Maps Kerberos principal (`user@REALM`) and AD group DNs to Legion roles. `map_with_fallback` tries LDAP groups first, falls back to Entra if configured. Passes through all `**profile` kwargs (identity + org attributes) from LDAP into the claims hash.
+
+## Principal Identity Model
+
+`Principal` carries core identity (`id`, `type`, `roles`, `team`, `auth_method`, `samaccountname`, `ad_fqdn`) plus a `profile` hash of extended attributes populated from AD/LDAP:
+
+| Accessor | LDAP Source | Example |
+|----------|-------------|---------|
+| `first_name` | `givenName` | Jane |
+| `last_name` | `sn` | Doe |
+| `email` | `mail` | jane.doe@example.com |
+| `display_name` | `displayName` | Doe, Jane A |
+| `title` | `title` | Senior Engineer |
+| `department` | `department` | Platform Engineering |
+| `company` | `company` | Acme Corp |
+| `city` | `l` | Minneapolis |
+| `state` | `st` | MN |
+| `country` | `co` | USA |
+| `country_code` | `c` | US |
+| `cn` | `cn` | jdoe1 |
+| `ad_created_at` | `whenCreated` | 20200115093012.0Z |
+
+All profile fields are accessible as direct methods (`principal.title`) or via `principal.profile` hash.
 
 ## Guards
 

data/README.md

@@ -2,6 +2,8 @@
 
 Role-based access control for LegionIO, following Vault-style flat policy patterns.
 
+**Version**: 0.2.2
+
 ## Features
 
 - Flat policy model: deny-always-wins, no role inheritance
@@ -12,6 +14,7 @@ Role-based access control for LegionIO, following Vault-style flat policy patter
 - Dual-mode store: DB-backed via Sequel or static fallback
 - Entra ID claims mapping (roles and groups to Legion roles)
 - Kerberos claims mapping (AD group DNs to Legion roles, with Entra fallback)
+- Rich identity profile from AD/LDAP (name, email, title, department, company, location)
 - Fully optional: guarded by `if defined?(Legion::Rbac)` in LegionIO
 
 ## Installation
@@ -36,6 +39,12 @@ Legion::Rbac.setup
 ```ruby
 principal = Legion::Rbac::Principal.new(id: 'user-1', roles: [:worker], team: 'team-a')
 Legion::Rbac.authorize!(principal: principal, action: :execute, resource: 'runners/lex-http/request/get')
+
+# Kerberos principals carry full AD profile
+principal.first_name    # => "Jane"
+principal.title         # => "Senior Engineer"
+principal.department    # => "Platform Engineering"
+principal.profile       # => { first_name: "Jane", last_name: "Doe", ... }
 ```
 
 ### Execution Authorization

data/lib/legion/rbac/kerberos_claims_mapper.rb

@@ -7,29 +7,35 @@ module Legion
 
       module_function
 
-      def map(principal:, groups:, role_map: {}, default_role: DEFAULT_ROLE)
-        username = principal.split('@', 2).first
+      def map(principal:, groups:, role_map: {}, default_role: DEFAULT_ROLE, **profile)
+        parts = principal.split('@', 2)
+        username = parts.first
+        realm = parts.length > 1 ? parts.last : nil
         roles = Array(groups).filter_map { |g| role_map[g] }.uniq
         roles = [default_role] if roles.empty?
 
         {
-          sub:         username,
-          roles:       roles,
-          scope:       'human',
-          auth_method: 'kerberos'
-        }
+          sub:            username,
+          samaccountname: username,
+          ad_fqdn:        realm&.downcase,
+          roles:          roles,
+          scope:          'human',
+          auth_method:    'kerberos',
+          **profile
+        }.compact
       end
 
-      def map_with_fallback(principal:, groups: nil, fallback: :entra, role_map: {}, default_role: DEFAULT_ROLE)
+      def map_with_fallback(principal:, groups: nil, fallback: :entra, role_map: {},
+                            default_role: DEFAULT_ROLE, **profile)
         if groups&.any?
-          map(principal: principal, groups: groups, role_map: role_map, default_role: default_role)
+          map(principal: principal, groups: groups, role_map: role_map, default_role: default_role, **profile)
         elsif fallback == :entra && defined?(Legion::Rbac::EntraClaimsMapper)
           entra_claims = { sub: principal, preferred_username: principal }
           result = EntraClaimsMapper.map_claims(entra_claims)
           result&.merge(auth_method: 'kerberos') || map(principal: principal, groups: [],
                                                         role_map: role_map, default_role: default_role)
         else
-          map(principal: principal, groups: [], role_map: role_map, default_role: default_role)
+          map(principal: principal, groups: [], role_map: role_map, default_role: default_role, **profile)
         end
       end
     end

data/lib/legion/rbac/middleware.rb

@@ -31,6 +31,8 @@ module Legion
       end
 
       def call(env)
+        return @app.call(env) unless enforce?
+
         path = env['PATH_INFO']
         return @app.call(env) if skip_path?(path)
         return @app.call(env) if invoke_route?(path)
@@ -50,6 +52,7 @@ module Legion
         if result[:allowed]
           @app.call(env)
         else
+          Legion::Events.emit('rbac.deny', reason: result[:reason]) if defined?(Legion::Events)
           denied_response(result[:reason])
         end
       end
@@ -78,6 +81,14 @@ module Legion
         nil
       end
 
+      def enforce?
+        return false unless defined?(Legion::Settings)
+
+        Legion::Settings[:rbac][:enforce]
+      rescue StandardError
+        true
+      end
+
       def denied_response(reason)
         body = Legion::JSON.dump({ error: 'access_denied', reason: reason })
         [403, { 'content-type' => 'application/json' }, [body]]

data/lib/legion/rbac/principal.rb

@@ -3,31 +3,45 @@
 module Legion
   module Rbac
     class Principal
-      attr_reader :id, :type, :roles, :team
+      PROFILE_KEYS = %i[
+        first_name last_name email display_name cn title
+        department company country country_code city state ad_created_at
+      ].freeze
 
-      def initialize(id:, type: :human, roles: [], team: nil)
+      attr_reader :id, :type, :roles, :team, :auth_method,
+                  :samaccountname, :ad_fqdn, :profile
+
+      def initialize(id:, type: :human, roles: [], team: nil, auth_method: nil, # rubocop:disable Metrics/ParameterLists
+                     samaccountname: nil, ad_fqdn: nil, **extra)
         @id = id
         @type = type.to_sym
         @roles = roles.map(&:to_s)
         @team = team
+        @auth_method = auth_method
+        @samaccountname = samaccountname
+        @ad_fqdn = ad_fqdn
+        @profile = extra.slice(*PROFILE_KEYS).compact
+      end
+
+      PROFILE_KEYS.each do |key|
+        define_method(key) { @profile[key] }
       end
 
       def self.from_claims(claims)
         scope = claims[:scope] || claims['scope']
+        common = {
+          roles:          claims[:roles] || claims['roles'] || [],
+          team:           claims[:team] || claims['team'],
+          auth_method:    claims[:auth_method] || claims['auth_method'],
+          samaccountname: claims[:samaccountname] || claims['samaccountname'],
+          ad_fqdn:        claims[:ad_fqdn] || claims['ad_fqdn']
+        }
+        PROFILE_KEYS.each { |key| common[key] = claims[key] || claims[key.to_s] }
+
         if scope == 'worker'
-          new(
-            id:    claims[:worker_id] || claims['worker_id'],
-            type:  :worker,
-            roles: claims[:roles] || claims['roles'] || [],
-            team:  claims[:team] || claims['team']
-          )
+          new(id: claims[:worker_id] || claims['worker_id'], type: :worker, **common)
         else
-          new(
-            id:    claims[:sub] || claims['sub'],
-            type:  :human,
-            roles: claims[:roles] || claims['roles'] || [],
-            team:  claims[:team] || claims['team']
-          )
+          new(id: claims[:sub] || claims['sub'], type: :human, **common)
         end
       end
 

data/lib/legion/rbac/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Rbac
-    VERSION = '0.2.0'
+    VERSION = '0.2.4'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-rbac
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.4
 platform: ruby
 authors:
 - Esity
@@ -96,7 +96,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.8
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Legion::Rbac
 test_files: []