legionio 1.7.30 → 1.7.31

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 537bbc9c431e5e8b9fdaf96145ea124a0c4b8e84b4094673cbc4f6b07d4edb21
-  data.tar.gz: da76364c12123a27f644f4fdef175c14796b2542800a93b054b26cb5f27a5e79
+  metadata.gz: 962639f3a96de99418ba1cb7feb2ba06b488776df2c2c3a1ec7dfd0d353e6759
+  data.tar.gz: 87f2e206fab455fac86e36efdc497ff67d4614bb0699be00eb146c764ef43797
 SHA512:
-  metadata.gz: bee0c19f368dffa21a46fc964a43ae7448356912cbc5f0ac6884c9bcd4e00660821bc66c37e2b8d2cc2e05c77ec0fbce17d2f5a6c70b5b2bfb0d5eb4c3c278a6
-  data.tar.gz: 60f48041416adb178c7aae384647c7fb15860aa2a25dde1418500ef947ac323ebf36340ab242e9abcdd2893e717e3bdef94bd62aea43955e927c26acf377aecf
+  metadata.gz: ef4a6788ec894fe2107c834c470fc469d866d36e445618bee17d6149738e2b31ce49c708619f0aaff12d140e799a92562e5383e9515f6d88e1ce15bbaeb9834c
+  data.tar.gz: 3a8a85d88ba670d683c196de7e60c32f37650e3ce420869a5e7b781f0741dcadce758f6c42b6cdb71b61c32ca68ac23d05d1571b00f2b974423da8779d975b82

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Legion Changelog
 
+## [1.7.31] - 2026-04-08
+
+### Added
+- Phase 7 RBAC enrichment: `Identity::Request` gains `roles:` constructor kwarg, `#roles` reader, `#id` alias for `principal_id`, and `roles:` in `identity_hash`
+- `Identity::Middleware#build_request` now separates `claims[:groups]` (group OIDs/names) from `claims[:roles]` (Entra app roles), fixing the pre-existing conflation via `||`
+- Worker token principal_id now correctly uses `claims[:worker_id]` when present, preventing worker tokens owned by a human from sharing the human's RBAC identity
+- `Identity::Middleware` enriches resolved roles via `Legion::Rbac::GroupRoleMapper` when legion-rbac is loaded and enabled (including audit mode)
+- `Identity::Middleware` builds `env['legion.rbac_principal']` (a `Legion::Rbac::Principal`) after setting `env['legion.principal']`, bridging identity to RBAC
+- Middleware mount order fix: `Legion::Rbac::Middleware` removed from class-level `use` in `api.rb`; both `Identity::Middleware` and `Rbac::Middleware` now registered in `service.rb#setup_api` in the correct order (Identity first, then RBAC)
+
+### Changed
+- `Legion::Identity::Request.from_auth_context` now reads `claims[:resolved_roles]` to populate `roles`
+
 ## [1.7.30] - 2026-04-08
 
 ### Added

data/lib/legion/api.rb

@@ -221,7 +221,6 @@ module Legion
     register Routes::GraphQL if defined?(Routes::GraphQL)
 
     use Legion::API::Middleware::RequestLogger
-    use Legion::Rbac::Middleware if defined?(Legion::Rbac::Middleware)
     use ElasticAPM::Middleware if defined?(ElasticAPM::Middleware) &&
                                   Legion::Settings.dig(:api, :elastic_apm, :enabled)
   end

data/lib/legion/identity/middleware.rb

@@ -18,17 +18,39 @@ module Legion
         auth_claims  = env['legion.auth']
         auth_method  = env['legion.auth_method']
 
-        env['legion.principal'] = if auth_claims
-                                    build_request(auth_claims, auth_method)
-                                  elsif @require_auth
-                                    # Auth middleware already handled 401 for protected paths;
-                                    # this is a safety net for any path that slipped through.
-                                    nil
-                                  else
-                                    # No auth required (loopback bind, lite mode, etc.).
-                                    # Set a system-level principal so audit trails always have an identity.
-                                    system_principal
-                                  end
+        request = if auth_claims
+                    build_request(auth_claims, auth_method)
+                  elsif @require_auth
+                    # Auth middleware already handled 401 for protected paths;
+                    # this is a safety net for any path that slipped through.
+                    nil
+                  else
+                    # No auth required (loopback bind, lite mode, etc.).
+                    # Set a system-level principal so audit trails always have an identity.
+                    system_principal
+                  end
+
+        env['legion.principal'] = request
+
+        # Bridge to RBAC principal if legion-rbac is loaded.
+        # This is a data bridge — set regardless of enforce/audit mode so
+        # the RBAC middleware always has a typed principal to evaluate.
+        # Guard: require Legion::Rbac.enabled? to confirm the real gem is loaded
+        # (not a minimal test stub), and rescue construction errors defensively.
+        if request && defined?(Legion::Rbac::Principal) &&
+           defined?(Legion::Rbac) && Legion::Rbac.respond_to?(:enabled?) &&
+           Legion::Rbac.enabled?
+          begin
+            env['legion.rbac_principal'] = Legion::Rbac::Principal.new(
+              id:    request.principal_id,
+              type:  request.kind == :service ? :worker : request.kind,
+              roles: request.roles,
+              team:  request.metadata&.dig(:team)
+            )
+          rescue StandardError
+            # Best-effort bridge: leave legion.rbac_principal unset on construction errors.
+          end
+        end
 
         @app.call(env)
       end
@@ -49,12 +71,39 @@ module Legion
       end
 
       def build_request(claims, method)
+        # Use worker_id as principal_id when present — worker tokens encode both
+        # worker_id and sub=owner_msid, and we want the worker's identity, not the owner's.
+        principal_id = claims[:worker_id] || claims[:sub] || claims[:owner_msid]
+
+        # For worker tokens (scope: 'worker' or worker_id present), derive canonical_name
+        # from the worker's own identity. Production worker JWTs omit :name and carry
+        # sub=owner_msid, so falling back to claims[:sub] would inherit the owner's identity.
+        worker_token = claims[:scope] == 'worker' || claims[:worker_id]
+        display_name = claims[:name] || (worker_token ? principal_id : claims[:sub])
+
+        # Separate group OIDs/names from Entra app roles — they are NOT equivalent.
+        # claims[:groups] = group OIDs/names (for GroupRoleMapper)
+        # claims[:roles]  = Entra app roles (pre-assigned at token-exchange time)
+        groups = Array(claims[:groups])
+        roles  = Array(claims[:roles])
+
+        # Enrich with group-derived RBAC roles when legion-rbac is loaded (including audit mode).
+        resolved_roles = if defined?(Legion::Rbac::GroupRoleMapper) &&
+                            Legion::Rbac.respond_to?(:enabled?) &&
+                            Legion::Rbac.enabled?
+                           group_roles = Legion::Rbac::GroupRoleMapper.resolve_roles(groups: groups)
+                           (roles + group_roles).uniq
+                         else
+                           roles
+                         end
+
         Identity::Request.from_auth_context({
-                                              sub:    claims[:sub] || claims[:worker_id] || claims[:owner_msid],
-                                              name:   claims[:name] || claims[:sub],
-                                              kind:   determine_kind(claims, method),
-                                              groups: Array(claims[:roles] || claims[:groups]),
-                                              source: method&.to_sym
+                                              sub:            principal_id,
+                                              name:           display_name,
+                                              kind:           determine_kind(claims, method),
+                                              groups:         groups,
+                                              resolved_roles: resolved_roles,
+                                              source:         method&.to_sym
                                             })
       end
 

data/lib/legion/identity/request.rb

@@ -16,13 +16,16 @@ module Legion
         system:   :system
       }.freeze
 
-      attr_reader :principal_id, :canonical_name, :kind, :groups, :source, :metadata
+      attr_reader :principal_id, :canonical_name, :kind, :groups, :roles, :source, :metadata
 
-      def initialize(principal_id:, canonical_name:, kind:, groups: [], source: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
+      alias id principal_id
+
+      def initialize(principal_id:, canonical_name:, kind:, groups: [], roles: [], source: nil, metadata: {}) # rubocop:disable Metrics/ParameterLists
         @principal_id   = principal_id
         @canonical_name = canonical_name
         @kind           = kind
         @groups         = groups.freeze
+        @roles          = roles.freeze
         @source         = SOURCE_NORMALIZATION.fetch(source&.to_sym, source)
         @metadata       = metadata.freeze
         freeze
@@ -35,7 +38,9 @@ module Legion
       end
 
       # Builds a Request from a parsed auth claims hash with symbol keys:
-      #   { sub:, name:, preferred_username:, kind:, groups:, source: }
+      #   { sub:, name:, preferred_username:, kind:, groups:, resolved_roles:, source: }
+      # resolved_roles is the final merged set of Entra app roles + group-derived RBAC
+      # roles (populated by Identity::Middleware before calling this method).
       # The source value is normalized via SOURCE_NORMALIZATION at construction time.
       def self.from_auth_context(claims_hash)
         raw_name = claims_hash[:name] || claims_hash[:preferred_username] || ''
@@ -48,6 +53,7 @@ module Legion
           canonical_name: canonical,
           kind:           claims_hash[:kind] || :human,
           groups:         claims_hash[:groups] || [],
+          roles:          Array(claims_hash[:resolved_roles]),
           source:         normalized_source
         )
       end
@@ -58,6 +64,7 @@ module Legion
           canonical_name: canonical_name,
           kind:           kind,
           groups:         groups,
+          roles:          roles,
           source:         source
         }
       end

data/lib/legion/service.rb

@@ -356,7 +356,7 @@ module Legion
       handle_exception(e, level: :warn, operation: 'service.shutdown_apm')
     end
 
-    def setup_api # rubocop:disable Metrics/MethodLength
+    def setup_api # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
       if @api_thread&.alive?
         log.warn 'API already running, skipping duplicate setup_api call'
         return
@@ -394,12 +394,25 @@ module Legion
         log.info "Starting Legion API on #{bind}:#{port}"
       end
 
-      # Mount identity middleware — bridges legion.auth to legion.principal
+      # Mount identity middleware — bridges legion.auth to legion.principal.
+      # Identity MUST be mounted before RBAC so env['legion.rbac_principal'] is
+      # populated before the RBAC middleware reads it.
       if defined?(Legion::Identity::Middleware)
         require_auth = Legion::Identity::Middleware.require_auth?(bind: bind, mode: Legion::Mode.current)
         Legion::API.use Legion::Identity::Middleware, require_auth: require_auth
       end
 
+      # Mount RBAC middleware after Identity — reads env['legion.rbac_principal']
+      # set by Identity::Middleware above. Only mount when a compatible RBAC
+      # integration is present and enabled to avoid mixed-version request
+      # failures.
+      if defined?(Legion::Rbac::Middleware) &&
+         defined?(Legion::Rbac::Principal) &&
+         Legion::Rbac.respond_to?(:enabled?) &&
+         Legion::Rbac.enabled?
+        Legion::API.use Legion::Rbac::Middleware
+      end
+
       @api_thread = Thread.new do
         retries = 0
         max_retries = api_settings[:bind_retries]

data/lib/legion/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Legion
-  VERSION = '1.7.30'
+  VERSION = '1.7.31'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legionio
 version: !ruby/object:Gem::Version
-  version: 1.7.30
+  version: 1.7.31
 platform: ruby
 authors:
 - Esity