lex-identity-kerberos 0.1.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 179745c0e90a6bb28e83916775c8921f8ce2adbe2ee09558a8231c5079f6a777
|
|
4
|
+
data.tar.gz: 4647f3681eed0880eb9b479e2dd4f256035593fc5a6c5e697a854d2741ecd138
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d40ae32383bee896c1768a46c2c1c3c595af640c983968ecd0aee6c68822a615adc834644ad6354c66a8051f019ea19b6e2cdf9ecb4166a6d4250f87f8ed59cf
|
|
7
|
+
data.tar.gz: 5a11e86ebdcc9355bdb55b52c5f646b9b2b5d77f3d3c5d9f9da1122107f29e4bc9c00baef7c05511b312829187049acbd5c741b053567abd351fe8c97cefc989
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,15 @@
|
|
|
2
2
|
|
|
3
3
|
## [Unreleased]
|
|
4
4
|
|
|
5
|
+
## [0.2.0] - 2026-04-24
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
- `trust_level` method returning `:verified` on provider contract
|
|
9
|
+
- Self-registration with `Legion::Identity::Resolver` at load time (with pending_registrations fallback)
|
|
10
|
+
|
|
11
|
+
### Changed
|
|
12
|
+
- `trust_weight` changed from 50 to 30 (wins tiebreak over Entra at same priority)
|
|
13
|
+
|
|
5
14
|
## [0.1.1] - 2026-04-06
|
|
6
15
|
|
|
7
16
|
### Fixed
|
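Review bot: The `trust_weight` entry under Changed (50 to 30, "wins tiebreak over Entra at same priority") only makes sense if a lower weight wins, and the entry never says so. State the ordering rule explicitly and mark this as a behaviour change for deployments that also load the Entra provider, since it changes which provider's identity is selected on a priority tie. The `trust_level` entry should also say whether `:verified` is returned unconditionally.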
data/CLAUDE.md
CHANGED
|
@@ -13,7 +13,7 @@ the contract interface for the identity pipeline.
|
|
|
13
13
|
|
|
14
14
|
**GitHub**: https://github.com/LegionIO/lex-identity-kerberos
|
|
15
15
|
**License**: MIT
|
|
16
|
-
**Version**: 0.1.
|
|
16
|
+
**Version**: 0.1.1
|
|
17
17
|
|
|
18
18
|
## Architecture
|
|
19
19
|
|
|
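Review bot: The `**Version**` line is updated to 0.1.1, but this release is 0.2.0 according to the CHANGELOG.md hunk in the same diff, so the document is already one release behind. Set it to 0.2.0 or drop the hard-coded version from this file.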
@@ -31,14 +31,14 @@ Legion::Extensions::Identity::Kerberos
|
|
|
31
31
|
| `lib/legion/extensions/identity/kerberos.rb` | Entry point; extends Core, declares identity_provider?/remote_invocable?/crypt_required? |
|
|
32
32
|
| `lib/legion/extensions/identity/kerberos/identity.rb` | Provider contract — resolve, provide_token, normalize, vault_auth, capabilities |
|
|
33
33
|
| `lib/legion/extensions/identity/kerberos/helpers/resolver.rb` | principal, extract_username, extract_realm, resolve_identity |
|
|
34
|
-
| `lib/legion/extensions/identity/kerberos/version.rb` | VERSION = '0.1.
|
|
34
|
+
| `lib/legion/extensions/identity/kerberos/version.rb` | VERSION = '0.1.1' |
|
|
35
35
|
|
|
36
36
|
## Key Design Decisions
|
|
37
37
|
|
|
38
38
|
- Reads `Legion::Crypt.kerberos_principal` (set by `KerberosAuth` at boot in legion-crypt).
|
|
39
39
|
No `gssapi` gem, no LDAP. Those stay in `lex-kerberos`.
|
|
40
|
-
- `provide_token`
|
|
41
|
-
|
|
40
|
+
- `provide_token` returns `Legion::Identity::Lease` (or plain Hash fallback if Lease not defined).
|
|
41
|
+
Delegates to `lex-kerberos` `Helpers::Spnego.obtain_spnego_token` — guarded with `defined?` + `respond_to?`.
|
|
42
42
|
- `canonical_name` regex: `^[a-z0-9][a-z0-9_-]*$` — no dots (AMQP word separator).
|
|
43
43
|
- All framework constants guarded with `defined?` checks (never hard-require optional gems).
|
|
44
44
|
- `vault_auth` returns nil — Phase 5 stub.
|
|
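Review bot: The new `provide_token` bullet documents two return types, `Legion::Identity::Lease` or a "plain Hash fallback if Lease not defined", without giving the Hash's keys, so a caller that uses `lease.valid?` or `lease.expires_at` has no documented contract in the fallback case. Document the Hash shape or state that callers must handle both, and say what `provide_token` returns when the `defined?` + `respond_to?` guard on `Helpers::Spnego.obtain_spnego_token` fails. The `version.rb` row is set to `VERSION = '0.1.1'` while this release is 0.2.0.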
@@ -59,17 +59,15 @@ Legion::Extensions::Identity::Kerberos
|
|
|
59
59
|
|
|
60
60
|
Group lookup is `lex-identity-ldap`'s responsibility, not this gem's.
|
|
61
61
|
|
|
62
|
-
### `provide_token` Lease
|
|
62
|
+
### `provide_token` — `Legion::Identity::Lease`
|
|
63
63
|
```ruby
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
metadata: { realm: 'MS.DS.UHC.COM' }
|
|
72
|
-
}
|
|
64
|
+
lease = Identity.provide_token
|
|
65
|
+
lease.provider # => :kerberos
|
|
66
|
+
lease.credential # => '<base64-spnego-token>'
|
|
67
|
+
lease.expires_at # => Time (10h from now)
|
|
68
|
+
lease.renewable # => true
|
|
69
|
+
lease.valid? # => true
|
|
70
|
+
lease.metadata # => { realm: 'MS.DS.UHC.COM' }
|
|
73
71
|
```
|
|
74
72
|
|
|
75
73
|
## Dependencies
|
|
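Review bot: The example keeps `lease.metadata # => { realm: 'MS.DS.UHC.COM' }`, which reads as a specific organisation's Kerberos realm rather than a placeholder; in a published gem's documentation use a reserved name such as `EXAMPLE.COM`. `lease.expires_at # => Time (10h from now)` also does not say whether the 10 hours is read from the ticket or assumed. If it is a fixed default, say so, because `valid?` could then report true for a credential whose ticket has a shorter lifetime.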
@@ -84,10 +82,12 @@ Optional (guarded, not in gemspec):
|
|
|
84
82
|
|
|
85
83
|
## Testing
|
|
86
84
|
|
|
85
|
+
54 specs across 2 spec files.
|
|
86
|
+
|
|
87
87
|
```bash
|
|
88
88
|
bundle install
|
|
89
|
-
bundle exec rspec
|
|
90
|
-
bundle exec rubocop
|
|
89
|
+
bundle exec rspec
|
|
90
|
+
bundle exec rubocop
|
|
91
91
|
```
|
|
92
92
|
|
|
93
93
|
---
|
|
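Review bot: The `bundle exec rspec` and `bundle exec rubocop` lines are removed and re-added with no visible difference, which suggests a whitespace-only change; leave them out of the diff if so. The hard-coded "54 specs across 2 spec files" will drift as specs are added, so consider dropping the count.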
@@ -13,7 +13,8 @@ module Legion
|
|
|
13
13
|
def provider_type = :auth
|
|
14
14
|
def facing = :human
|
|
15
15
|
def priority = 100
|
|
16
|
-
def trust_weight =
|
|
16
|
+
def trust_weight = 30
|
|
17
|
+
def trust_level = :verified
|
|
17
18
|
def capabilities = %i[authenticate profile vault_auth outbound_auth]
|
|
18
19
|
|
|
19
20
|
# Returns a resolved identity hash or nil when no Kerberos principal is available.
|
|
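Review bot: `def trust_level = :verified` on new line 17 is a constant, so the provider reports `:verified` whether or not a principal was resolved, while the comment just below says resolution returns nil when no Kerberos principal is available. Add a comment stating that `trust_level` applies only to a non-nil resolved identity, or derive it from the resolution result. `trust_weight = 30` needs a comment explaining the ordering (the changelog implies lower wins), since it decides precedence between providers. `capabilities` still advertises `vault_auth` although CLAUDE.md describes `vault_auth` as a stub that returns nil.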
@@ -17,3 +17,9 @@ module Legion
|
|
|
17
17
|
end
|
|
18
18
|
end
|
|
19
19
|
end
|
|
20
|
+
|
|
21
|
+
if defined?(Legion::Identity::Resolver)
|
|
22
|
+
Legion::Identity::Resolver.register(Legion::Extensions::Identity::Kerberos::Identity)
|
|
23
|
+
elsif defined?(Legion::Identity) && Legion::Identity.respond_to?(:pending_registrations)
|
|
24
|
+
Legion::Identity.pending_registrations << Legion::Extensions::Identity::Kerberos::Identity
|
|
25
|
+
end
|
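Review bot: When neither `Legion::Identity::Resolver` nor `Legion::Identity.pending_registrations` is available, the `if`/`elsif` falls through silently and the provider is never registered. Add an `else` branch that logs or otherwise signals this, since a missing identity provider is hard to diagnose later. Registration also runs as a side effect at file load, so confirm that `register` is idempotent and guard against duplicate entries in `pending_registrations` in case the file is loaded more than once.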