legionio 1.7.19 → 1.7.21

data/lib/legion/identity/lease_renewer.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'concurrent'
+
+module Legion
+  module Identity
+    class LeaseRenewer
+      attr_reader :provider_name
+
+      BACKOFF_SLEEP  = 5
+      MIN_SLEEP      = 1
+      DEFAULT_SLEEP  = 60
+
+      def initialize(provider_name:, provider:, lease:)
+        @provider_name = provider_name
+        @provider      = provider
+        @lease         = Concurrent::AtomicReference.new(lease)
+        @stop          = Concurrent::AtomicBoolean.new(false)
+        @thread        = Thread.new { run_loop }
+        @thread.name   = "lease-renewer-#{provider_name}"
+        @thread.abort_on_exception = false
+      end
+
+      def current_lease
+        @lease.get
+      end
+
+      def stop!
+        @stop.make_true
+        @thread&.wakeup rescue nil # rubocop:disable Style/RescueModifier
+        @thread&.join(5)
+      end
+
+      def alive?
+        @thread&.alive? || false
+      end
+
+      private
+
+      def run_loop
+        until @stop.true?
+          lease      = @lease.get
+          sleep_time = compute_sleep(lease)
+          interruptible_sleep(sleep_time)
+          break if @stop.true?
+
+          renew
+        end
+      end
+
+      def renew
+        new_lease = @provider.provide_token
+        @lease.set(new_lease) if new_lease&.valid?
+      rescue StandardError => e
+        log_renewal_failure(e)
+        interruptible_sleep(BACKOFF_SLEEP)
+      end
+
+      def compute_sleep(lease)
+        return DEFAULT_SLEEP if lease.nil? || lease.expires_at.nil? || lease.issued_at.nil?
+
+        remaining      = lease.expires_at - Time.now
+        half_remaining = remaining / 2.0
+        [half_remaining, MIN_SLEEP].max
+      end
+
+      def interruptible_sleep(seconds)
+        deadline = Time.now + seconds
+        sleep([1, deadline - Time.now].min) while Time.now < deadline && !@stop.true?
+      end
+
+      def log_renewal_failure(error)
+        message = "[LeaseRenewer][#{@provider_name}] renewal failed: #{error.message}"
+        if defined?(Legion::Logging) && Legion::Logging.respond_to?(:warn)
+          Legion::Logging.warn(message)
+        else
+          $stderr.puts message # rubocop:disable Style/StderrPuts
+        end
+      end
+    end
+  end
+end

data/lib/legion/identity/middleware.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Legion
+  module Identity
+    class Middleware
+      SKIP_PATHS     = %w[/api/health /api/ready /api/openapi.json /metrics].freeze
+      LOOPBACK_BINDS = %w[127.0.0.1 ::1 localhost].freeze
+
+      def initialize(app, require_auth: false)
+        @app          = app
+        @require_auth = require_auth
+      end
+
+      def call(env)
+        return @app.call(env) if skip_path?(env['PATH_INFO'])
+
+        # Bridge from existing auth middleware
+        auth_claims  = env['legion.auth']
+        auth_method  = env['legion.auth_method']
+
+        env['legion.principal'] = if auth_claims
+                                    build_request(auth_claims, auth_method)
+                                  elsif @require_auth
+                                    # Auth middleware already handled 401 for protected paths;
+                                    # this is a safety net for any path that slipped through.
+                                    nil
+                                  else
+                                    # No auth required (loopback bind, lite mode, etc.).
+                                    # Set a system-level principal so audit trails always have an identity.
+                                    system_principal
+                                  end
+
+        @app.call(env)
+      end
+
+      # Returns whether the API should require authentication.
+      # Skips auth for lite mode and loopback binds (local dev / CI).
+      def self.require_auth?(bind:, mode:)
+        return false if mode == :lite
+        return false if LOOPBACK_BINDS.include?(bind)
+
+        true
+      end
+
+      private
+
+      def skip_path?(path)
+        SKIP_PATHS.any? { |p| path.start_with?(p) }
+      end
+
+      def build_request(claims, method)
+        Identity::Request.from_auth_context({
+                                              sub:    claims[:sub] || claims[:worker_id] || claims[:owner_msid],
+                                              name:   claims[:name] || claims[:sub],
+                                              kind:   determine_kind(claims, method),
+                                              groups: Array(claims[:roles] || claims[:groups]),
+                                              source: method&.to_sym
+                                            })
+      end
+
+      def determine_kind(claims, method)
+        return :service if claims[:scope] == 'worker' || claims[:worker_id]
+        return :human   if method == 'kerberos' || claims[:scope] == 'human'
+
+        :human
+      end
+
+      def system_principal
+        @system_principal ||= Identity::Request.new(
+          principal_id:   'system:local',
+          canonical_name: 'system',
+          kind:           :service,
+          groups:         [],
+          source:         :local
+        )
+      end
+    end
+  end
+end

data/lib/legion/identity/process.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require 'socket'
+require 'concurrent/atomic/atomic_reference'
+require 'concurrent/atomic/atomic_boolean'
+
+module Legion
+  module Identity
+    module Process
+      EMPTY_STATE = {
+        id:             nil,
+        canonical_name: nil,
+        kind:           nil,
+        persistent:     false,
+        groups:         [].freeze,
+        metadata:       {}.freeze
+      }.freeze
+
+      class << self
+        def id
+          state = @state.get
+          state[:id] || Legion.instance_id
+        end
+
+        def canonical_name
+          state = @state.get
+          state[:canonical_name] || 'anonymous'
+        end
+
+        def kind
+          @state.get[:kind]
+        end
+
+        def mode
+          Legion::Mode.current
+        end
+
+        def queue_prefix
+          name = canonical_name
+          case mode
+          when :worker then "worker.#{name}.#{Legion.instance_id}"
+          when :infra  then "infra.#{name}.#{safe_hostname}"
+          when :lite   then "lite.#{name}.#{Legion.instance_id}"
+          else              "agent.#{name}.#{safe_hostname}"
+          end
+        end
+
+        def resolved?
+          @resolved.true?
+        end
+
+        def persistent?
+          @state.get[:persistent] == true
+        end
+
+        def identity_hash
+          {
+            id:             id,
+            canonical_name: canonical_name,
+            kind:           kind,
+            mode:           mode,
+            queue_prefix:   queue_prefix,
+            resolved:       resolved?,
+            persistent:     persistent?,
+            groups:         @state.get[:groups] || [],
+            metadata:       @state.get[:metadata] || {}
+          }
+        end
+
+        def bind!(provider, identity_hash)
+          @provider = provider
+          @state.set({
+                       id:             identity_hash[:id],
+                       canonical_name: identity_hash[:canonical_name],
+                       kind:           identity_hash[:kind],
+                       persistent:     identity_hash.fetch(:persistent, true),
+                       groups:         Array(identity_hash[:groups]).compact.freeze,
+                       metadata:       identity_hash[:metadata].is_a?(Hash) ? identity_hash[:metadata].dup.freeze : {}.freeze
+                     })
+          @resolved.make_true
+        end
+
+        def bind_fallback!
+          user = ENV.fetch('USER', 'anonymous')
+          @state.set({
+                       id:             nil,
+                       canonical_name: user,
+                       kind:           :human,
+                       persistent:     false,
+                       groups:         [].freeze,
+                       metadata:       {}.freeze
+                     })
+          @resolved.make_false
+        end
+
+        def refresh_credentials
+          return unless defined?(@provider) && @provider.respond_to?(:refresh)
+
+          @provider.refresh
+        end
+
+        def reset!
+          @state    = Concurrent::AtomicReference.new(EMPTY_STATE.dup)
+          @resolved = Concurrent::AtomicBoolean.new(false)
+          @provider = nil
+        end
+
+        private
+
+        def safe_hostname
+          ::Socket.gethostname.downcase
+                  .gsub(/[^a-z0-9]+/, '-')
+                  .gsub(/\A-+|-+\z/, '')
+        end
+      end
+
+      # Initialize atomics at module definition time
+      reset!
+    end
+  end
+end

data/lib/legion/identity/request.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Legion
+  module Identity
+    class Request
+      attr_reader :principal_id, :canonical_name, :kind, :groups, :source, :metadata
+
+      def initialize(principal_id:, canonical_name:, kind:, groups: [], source: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
+        @principal_id   = principal_id
+        @canonical_name = canonical_name
+        @kind           = kind
+        @groups         = groups.freeze
+        @source         = source
+        @metadata       = metadata.freeze
+        freeze
+      end
+
+      # Reads the already-resolved identity from the Rack env (set by middleware).
+      # Returns nil when the key is absent.
+      def self.from_env(env)
+        env['legion.principal']
+      end
+
+      # Builds a Request from a parsed auth claims hash with symbol keys:
+      #   { sub:, name:, preferred_username:, kind:, groups:, source: }
+      def self.from_auth_context(claims_hash)
+        raw_name = claims_hash[:name] || claims_hash[:preferred_username] || ''
+        canonical = raw_name.to_s.strip.downcase.gsub('.', '-')
+
+        new(
+          principal_id:   claims_hash[:sub],
+          canonical_name: canonical,
+          kind:           claims_hash[:kind] || :human,
+          groups:         claims_hash[:groups] || [],
+          source:         claims_hash[:source]
+        )
+      end
+
+      def identity_hash
+        {
+          principal_id:   principal_id,
+          canonical_name: canonical_name,
+          kind:           kind,
+          groups:         groups,
+          source:         source
+        }
+      end
+
+      # Maps to RBAC principal format.
+      # :service workers are represented as :worker in RBAC.
+      def to_rbac_principal
+        {
+          identity: canonical_name,
+          type:     kind == :service ? :worker : kind
+        }
+      end
+
+      # Pipeline-compatible caller hash (matches legion-llm pipeline format).
+      def to_caller_hash
+        {
+          requested_by: {
+            id:         principal_id,
+            identity:   canonical_name,
+            type:       kind,
+            credential: source
+          }
+        }
+      end
+    end
+  end
+end

data/lib/legion/mode.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Legion
+  module Mode
+    LEGACY_MAP = { full: :agent, api: :worker, router: :worker, worker: :worker, lite: :lite }.freeze
+
+    class << self
+      def current
+        raw = ENV['LEGION_MODE'] ||
+              settings_dig(:mode) ||
+              settings_dig(:process, :mode) ||
+              legacy_role
+        normalize(raw)
+      end
+
+      def agent?
+        current == :agent
+      end
+
+      def worker?
+        current == :worker
+      end
+
+      def infra?
+        current == :infra
+      end
+
+      def lite?
+        current == :lite
+      end
+
+      private
+
+      def normalize(raw)
+        return :agent if raw.nil?
+
+        sym = raw.to_s.downcase.strip.to_sym
+        return sym if %i[agent worker infra lite].include?(sym)
+
+        LEGACY_MAP.fetch(sym, :agent)
+      end
+
+      def legacy_role
+        settings_dig(:process, :role)
+      end
+
+      def fetch_setting_value(container, key)
+        value = container[key]
+        return value unless value.nil?
+
+        alternate_key = case key
+                        when Symbol then key.to_s
+                        when String then key.to_sym
+                        end
+        return value if alternate_key.nil?
+
+        container[alternate_key]
+      end
+
+      def settings_dig(*keys)
+        return nil unless defined?(Legion::Settings) && Legion::Settings.respond_to?(:[])
+
+        result = Legion::Settings
+        keys.each do |k|
+          return nil unless result.respond_to?(:[])
+
+          result = fetch_setting_value(result, k)
+          return nil if result.nil? && keys.last != k
+        end
+        result
+      rescue StandardError
+        nil
+      end
+    end
+  end
+end

data/lib/legion/process_role.rb

@@ -4,10 +4,12 @@ module Legion
   module ProcessRole
     ROLES = {
       full:   { transport: true,  cache: true, data: true,  extensions: true,  api: true,  llm: true,  gaia: true,  crypt: true, supervision: true  },
+      agent:  { transport: true,  cache: true, data: true,  extensions: true,  api: true,  llm: true,  gaia: true,  crypt: true, supervision: true  },
       api:    { transport: true,  cache: true, data: true,  extensions: false, api: true,  llm: false, gaia: false, crypt: true, supervision: false },
       worker: { transport: true,  cache: true, data: true,  extensions: true,  api: false, llm: true,  gaia: true,  crypt: true, supervision: true  },
       router: { transport: true,  cache: true, data: false, extensions: true,  api: false, llm: false, gaia: false, crypt: true, supervision: false },
-      lite:   { transport: true,  cache: true, data: true,  extensions: true,  api: true,  llm: true,  gaia: true,  crypt: false, supervision: true }
+      lite:   { transport: true,  cache: true, data: true,  extensions: true,  api: true,  llm: true,  gaia: true,  crypt: false, supervision: true },
+      infra:  { transport: true,  cache: true, data: true,  extensions: true,  api: true,  llm: true,  gaia: true,  crypt: true, supervision: true }
     }.freeze
 
     def self.resolve(role_name)
@@ -21,7 +23,7 @@ module Legion
 
     def self.current
       settings = begin
-        Legion::Settings[:process]
+        defined?(Legion::Settings) ? Legion::Settings[:process] : nil
       rescue StandardError => e
         Legion::Logging.debug "ProcessRole#current failed to read process settings: #{e.message}" if defined?(Legion::Logging)
         nil

data/lib/legion/readiness.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
+require 'concurrent'
+
 module Legion
   module Readiness
-    COMPONENTS = %i[settings crypt transport cache data rbac llm apollo gaia extensions api].freeze
+    REQUIRED_COMPONENTS = %i[settings crypt transport cache data extensions api].freeze
+    OPTIONAL_COMPONENTS = %i[rbac llm apollo gaia identity].freeze
+    COMPONENTS = (REQUIRED_COMPONENTS + OPTIONAL_COMPONENTS).freeze
     DRAIN_TIMEOUT = 5
 
     class << self
       def status
-        @status ||= {}
+        @status ||= Concurrent::Hash.new
       end
 
       def mark_ready(component)
@@ -20,14 +24,19 @@ module Legion
         Legion::Logging.debug "[Readiness] #{component} is not ready" if defined?(Legion::Logging)
       end
 
+      def mark_skipped(component)
+        status[component.to_sym] = :skipped
+        Legion::Logging.debug "[Readiness] #{component} skipped (optional)" if defined?(Legion::Logging)
+      end
+
       def ready?(component = nil)
         if component
-          result = status[component.to_sym] == true
+          result = [true, :skipped].include?(status[component.to_sym])
           Legion::Logging.warn "[Readiness] #{component} is not ready" if !result && defined?(Legion::Logging)
           return result
         end
 
-        not_ready = COMPONENTS.reject { |c| status[c] == true }
+        not_ready = COMPONENTS.reject { |c| [true, :skipped].include?(status[c]) }
         not_ready.each { |c| Legion::Logging.warn "[Readiness] #{c} is not ready" } if !not_ready.empty? && defined?(Legion::Logging)
         not_ready.empty?
       end
@@ -43,12 +52,13 @@ module Legion
       end
 
       def reset
-        @status = {}
+        @status = nil
       end
 
       def to_h
         COMPONENTS.to_h do |c|
-          [c, status[c] == true]
+          val = status[c]
+          [c, [true, :skipped].include?(val)]
         end
       end
     end