RubyGems - lex-identity-entra - Versions diffs - 0.3.1 → 0.4.0 - Mend

lex-identity-entra 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bebdd4c4aa004549f0263c8556d2ff39ce4f187f945341021033d510d23d4fb2
-  data.tar.gz: 10144fbe3fb835731c30ee97d3e874bc921fd5e8084e054e93aedc5375f1bbdf
+  metadata.gz: e6731d955e0a738ca12ad20875132f4b3e008e56313e20a8be750ecd5fc96942
+  data.tar.gz: 785a786e42520016f0e3220e646aefed11da78375b2e8870f872a7a0c71bfd07
 SHA512:
-  metadata.gz: 88137e50c75426f3306ab2427e4f1bb81e630d3453186cab9667884f7e17322277c5c77097bdee5d332ea84097854a1424f19d82f528076d49890021411a62d8
-  data.tar.gz: de2187f7d7eb71435e70dc6de3eb4ceb8d817f979c5df9cfa1f6e3680aa9b59ca0ce5160c721766b2e33317c0f070d41b07303399de5d04595521254062d662d
+  metadata.gz: bf3abe1ea0891638459bc7b5ed151d61a5346af07f2599bcede3af0a3f606f04853fd8b0320e3eb5584045243c1b047d3c84f43dbe218d7e95cf31d2a392892f
+  data.tar.gz: 66e861f841b907ca63e1dc452458930afdba359c0a99b042b11e523164d3c919159fca0117c8469094903932ba83ae5dcd0e5a329c43df72488c92054a4100a4

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,17 @@
 ## [Unreleased]
+## [0.4.0] - 2026-05-18
+### Fixed
+- Token refresher actors (workload_identity, application, managed_identity) no longer activate when credentials are absent; eliminates noisy WARN/INFO spam on local dev.
+- Vault read/write operations now require a resolved canonical name before constructing vault paths; prevents 403 errors from writing to `users/anonymous/...` or `users/default/...` before identity resolves.
+- Removed `'default'` fallback from `vault_path`; returns nil when canonical name is unavailable.
+### Changed
+- `canonical_name_available?` helper added to TokenManager; guards all vault operations and backfill logic.
+- Tokens save to local disk first, backfill to vault once identity resolves to real canonical name.
 ## [0.3.1] - 2026-05-15
 ### Fixed

data/lib/legion/extensions/identity/entra/application/actors/token_refresher.rb CHANGED Viewed

@@ -22,7 +22,8 @@ module Legion
               end
               def enabled? # rubocop:disable Legion/Extension/ActorEnabledSideEffects
-                true
+                auth = Legion::Extensions::Identity::Entra::Helpers::TokenManager.settings_auth
+                auth[:tenant_id] && auth[:client_id] && auth[:client_secret]
               end
               def manual

data/lib/legion/extensions/identity/entra/helpers/token_manager.rb CHANGED Viewed

@@ -36,7 +36,7 @@ module Legion
               log.debug("TokenManager.token_data: qualifier=#{qualifier} refresh=#{refresh}")
               vault_data = from_vault_data(qualifier)
               other_data = vault_data || from_local_data(qualifier) || from_memory(qualifier)
-              if other_data && !vault_data && vault_available? && trusted_process_identity?
+              if other_data && !vault_data && vault_available? && canonical_name_available?
                 log.info("TokenManager.token_data: backfilling #{qualifier} token to vault")
                 backfill_saved = save_to_vault(qualifier, access_token:      other_data[:access_token],
                                                           refresh_token:     other_data[:refresh_token],
@@ -85,7 +85,7 @@ module Legion
             end
             def from_vault_data(qualifier)
-              return nil unless vault_available? && trusted_process_identity?
+              return nil unless vault_available? && canonical_name_available?
               path = vault_path(qualifier)
               log.debug("TokenManager.from_vault_data: reading kv/#{path}")
@@ -112,6 +112,7 @@ module Legion
             def save_to_vault(qualifier, access_token:, refresh_token:, expires_at:,
                               scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil)
               return unless vault_available?
+              return unless canonical_name_available?
               path = vault_path(qualifier)
               cluster = Legion::Crypt.respond_to?(:default_cluster_name) ? Legion::Crypt.default_cluster_name : 'vault'
@@ -279,13 +280,9 @@ module Legion
               auth = settings_auth
               pattern_settings = auth[qualifier.to_sym]
               return pattern_settings[:vault_path] if pattern_settings.is_a?(Hash) && pattern_settings[:vault_path]
+              return nil unless canonical_name_available?
-              identity = if trusted_process_identity?
-                           Legion::Identity::Process.canonical_name
-                         else
-                           'default'
-                         end
-              "users/#{identity}/entra/#{qualifier}/auth"
+              "users/#{Legion::Identity::Process.canonical_name}/entra/#{qualifier}/auth"
             end
             def local_path(qualifier)
@@ -354,6 +351,14 @@ module Legion
               %i[configured verified authenticated].include?(Legion::Identity::Process.trust)
             end
+            def canonical_name_available?
+              return false unless defined?(Legion::Identity::Process)
+              return false unless Legion::Identity::Process.respond_to?(:canonical_name)
+              name = Legion::Identity::Process.canonical_name
+              !name.nil? && !name.empty? && name != 'anonymous'
+            end
           end
         end
       end

data/lib/legion/extensions/identity/entra/managed_identity/actors/token_refresher.rb CHANGED Viewed

@@ -22,7 +22,8 @@ module Legion
               end
               def enabled? # rubocop:disable Legion/Extension/ActorEnabledSideEffects
-                true
+                ENV.fetch('IDENTITY_ENDPOINT', nil) || ENV.fetch('AZURE_IMDS_ENABLED', nil) ||
+                  Legion::Settings.dig(:identity, :entra, :managed_identity, :enabled)
               end
               def manual

data/lib/legion/extensions/identity/entra/version.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Legion
   module Extensions
     module Identity
       module Entra
-        VERSION = '0.3.1'
+        VERSION = '0.4.0'
       end
     end
   end

data/lib/legion/extensions/identity/entra/workload_identity/actors/token_refresher.rb CHANGED Viewed

@@ -22,7 +22,9 @@ module Legion
               end
               def enabled? # rubocop:disable Legion/Extension/ActorEnabledSideEffects
-                true
+                ENV.fetch('AZURE_TENANT_ID', nil) &&
+                  ENV.fetch('AZURE_CLIENT_ID', nil) &&
+                  ENV.fetch('AZURE_FEDERATED_TOKEN_FILE', nil)
               end
               def manual

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-identity-entra
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Esity