lex-identity-kerberos 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/CLAUDE.md +8 -84
- data/README.md +5 -5
- data/lex-identity-kerberos.gemspec +2 -1
- data/lib/legion/extensions/identity/kerberos/helpers/resolver.rb +1 -1
- data/lib/legion/extensions/identity/kerberos/version.rb +1 -1
- data/lib/legion/extensions/identity/kerberos.rb +1 -1
- metadata +29 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b18ad754d85e2b8d437b3a136ea8330197fdba43e307a7c0e79fe745e00cf45a
|
|
4
|
+
data.tar.gz: cc52cbfab524762848fbdfef03064a47846b9338c924881333691f7e1cc945c4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cc0b5f21f144db0c8051eef64d7604d924e5a847f7bffecc2a66171aded5b25cd4e2b35aac0126d0adf0beebbace2803c2bae584e1ed6df65cae895e484b51a6
|
|
7
|
+
data.tar.gz: 2551f1754c74e95881f698769128665d4a0b2cdc8954d695653db99e7138ac991e3107d0fe6e370e362c6cdba9f94f73495889e0dd95e071bd3ab2e7fe039bd0
|
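Review bot: nothing to change in this hunk; both digests for both archives are replaced together, which is what a rebuilt gem should look like. The removed values are not recoverable from this rendering (the `-` lines carry only the key names), so anyone verifying a mirrored or vendored copy of 0.2.1 should compare the new SHA256/SHA512 values above against the registry listing rather than against the old release.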
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,11 @@
|
|
|
2
2
|
|
|
3
3
|
## [Unreleased]
|
|
4
4
|
|
|
5
|
+
## [0.2.1] - 2026-05-14
|
|
6
|
+
|
|
7
|
+
### Fixed
|
|
8
|
+
- `crypt_required?` changed from `true` to `false` to prevent boot ordering deadlock where kerberos extension was skipped before `Legion::Crypt` finished initializing.
|
|
9
|
+
|
|
5
10
|
## [0.2.0] - 2026-04-24
|
|
6
11
|
|
|
7
12
|
### Added
|
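Review bot: the entry explains why `crypt_required?` was flipped to `false` but not what the provider does once it can load ahead of `Legion::Crypt`, and that changes the failure mode, so spell it out. With the requirement relaxed, `resolve` can run while `Legion::Crypt.kerberos_principal` is still unset, and the resolver.rb hunk in this diff shows `principal` returning `nil` in that case, so a call during boot yields no identity rather than an error. Suggested wording for the bullet: "until `Legion::Crypt` has finished initializing, `resolve` returns `nil` (no identity) rather than raising." The 0.2.1 section should also list the two new hard dependencies (`legion-crypt >= 1.5.13`, `legion-logging >= 1.5.3`) that the gemspec hunk introduces, since consumers pinning dependencies will see them.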
data/CLAUDE.md
CHANGED
|
@@ -1,95 +1,19 @@
|
|
|
1
|
-
# lex-identity-kerberos
|
|
1
|
+
# lex-identity-kerberos
|
|
2
2
|
|
|
3
|
-
**
|
|
4
|
-
- **Parent (Level 2)**: `/Users/miverso2/rubymine/legion/extensions/CLAUDE.md`
|
|
5
|
-
- **Parent (Level 1)**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
|
|
6
|
-
|
|
7
|
-
## Purpose
|
|
8
|
-
|
|
9
|
-
LegionIO identity provider extension that resolves the authenticated Kerberos principal from
|
|
10
|
-
`legion-crypt` into the unified identity provider contract. Does **not** duplicate GSSAPI or LDAP
|
|
11
|
-
logic — those live in `lex-kerberos`. This gem reads the already-resolved principal and provides
|
|
12
|
-
the contract interface for the identity pipeline.
|
|
13
|
-
|
|
14
|
-
**GitHub**: https://github.com/LegionIO/lex-identity-kerberos
|
|
15
|
-
**License**: MIT
|
|
16
|
-
**Version**: 0.1.1
|
|
17
|
-
|
|
18
|
-
## Architecture
|
|
19
|
-
|
|
20
|
-
```
|
|
21
|
-
Legion::Extensions::Identity::Kerberos
|
|
22
|
-
├── Identity # Provider contract implementation (resolve, provide_token, normalize, vault_auth)
|
|
23
|
-
└── Helpers/
|
|
24
|
-
└── Resolver # Principal extraction from Legion::Crypt.kerberos_principal
|
|
25
|
-
```
|
|
26
|
-
|
|
27
|
-
## File Map
|
|
28
|
-
|
|
29
|
-
| File | Purpose |
|
|
30
|
-
|------|---------|
|
|
31
|
-
| `lib/legion/extensions/identity/kerberos.rb` | Entry point; extends Core, declares identity_provider?/remote_invocable?/crypt_required? |
|
|
32
|
-
| `lib/legion/extensions/identity/kerberos/identity.rb` | Provider contract — resolve, provide_token, normalize, vault_auth, capabilities |
|
|
33
|
-
| `lib/legion/extensions/identity/kerberos/helpers/resolver.rb` | principal, extract_username, extract_realm, resolve_identity |
|
|
34
|
-
| `lib/legion/extensions/identity/kerberos/version.rb` | VERSION = '0.1.1' |
|
|
3
|
+
LegionIO identity provider that resolves the authenticated Kerberos principal from `legion-crypt` into the unified identity provider contract. Does **not** duplicate GSSAPI or LDAP logic — those live in `lex-kerberos`. This gem reads the already-resolved principal and provides the contract interface.
|
|
35
4
|
|
|
36
5
|
## Key Design Decisions
|
|
37
6
|
|
|
38
|
-
- Reads `Legion::Crypt.kerberos_principal` (set by `KerberosAuth` at boot
|
|
39
|
-
|
|
40
|
-
- `provide_token` returns `Legion::Identity::Lease` (or plain Hash fallback if Lease not defined).
|
|
41
|
-
Delegates to `lex-kerberos` `Helpers::Spnego.obtain_spnego_token` — guarded with `defined?` + `respond_to?`.
|
|
7
|
+
- Reads `Legion::Crypt.kerberos_principal` (set by `KerberosAuth` at boot). No `gssapi` gem, no LDAP.
|
|
8
|
+
- `provide_token` delegates to `lex-kerberos` `Helpers::Spnego.obtain_spnego_token` — guarded with `defined?` + `respond_to?`.
|
|
42
9
|
- `canonical_name` regex: `^[a-z0-9][a-z0-9_-]*$` — no dots (AMQP word separator).
|
|
43
|
-
- All framework constants guarded with `defined?` checks (never hard-require optional gems).
|
|
44
10
|
- `vault_auth` returns nil — Phase 5 stub.
|
|
11
|
+
- Group lookup is `lex-identity-ldap`'s responsibility, not this gem's.
|
|
45
12
|
|
|
46
|
-
## Provider Contract
|
|
13
|
+
## Provider Contract
|
|
47
14
|
|
|
48
|
-
### `resolve` identity hash
|
|
49
15
|
```ruby
|
|
50
|
-
{
|
|
51
|
-
canonical_name: 'miverso2',
|
|
52
|
-
kind: :human,
|
|
53
|
-
source: :kerberos,
|
|
54
|
-
principal: 'miverso2@MS.DS.UHC.COM',
|
|
55
|
-
realm: 'MS.DS.UHC.COM',
|
|
56
|
-
groups: []
|
|
57
|
-
}
|
|
16
|
+
{ canonical_name: 'user', kind: :human, source: :kerberos, principal: 'user@REALM', realm: 'REALM', groups: [] }
|
|
58
17
|
```
|
|
59
18
|
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
### `provide_token` — `Legion::Identity::Lease`
|
|
63
|
-
```ruby
|
|
64
|
-
lease = Identity.provide_token
|
|
65
|
-
lease.provider # => :kerberos
|
|
66
|
-
lease.credential # => '<base64-spnego-token>'
|
|
67
|
-
lease.expires_at # => Time (10h from now)
|
|
68
|
-
lease.renewable # => true
|
|
69
|
-
lease.valid? # => true
|
|
70
|
-
lease.metadata # => { realm: 'MS.DS.UHC.COM' }
|
|
71
|
-
```
|
|
72
|
-
|
|
73
|
-
## Dependencies
|
|
74
|
-
|
|
75
|
-
Hard (in gemspec):
|
|
76
|
-
- `legion-json` (>= 1.2.1)
|
|
77
|
-
- `legion-settings` (>= 1.3.14)
|
|
78
|
-
|
|
79
|
-
Optional (guarded, not in gemspec):
|
|
80
|
-
- `legion-crypt` — `Legion::Crypt.kerberos_principal`
|
|
81
|
-
- `lex-kerberos` — `Legion::Extensions::Kerberos::Helpers::Spnego#obtain_spnego_token`
|
|
82
|
-
|
|
83
|
-
## Testing
|
|
84
|
-
|
|
85
|
-
54 specs across 2 spec files.
|
|
86
|
-
|
|
87
|
-
```bash
|
|
88
|
-
bundle install
|
|
89
|
-
bundle exec rspec
|
|
90
|
-
bundle exec rubocop
|
|
91
|
-
```
|
|
92
|
-
|
|
93
|
-
---
|
|
94
|
-
|
|
95
|
-
**Maintained By**: Matthew Iverson (@Esity)
|
|
19
|
+
`provide_token` returns `Legion::Identity::Lease` (or plain Hash fallback if Lease not defined).
|
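Review bot: the Dependencies section was removed outright rather than updated, so the new CLAUDE.md no longer records that `legion-crypt` and `legion-logging` are now hard gemspec dependencies while `lex-kerberos` remains optional and `defined?`-guarded; restore a short Dependencies list instead of dropping it, and keep the deleted "All framework constants guarded with `defined?` checks" bullet in some form, because the surviving `provide_token` bullet only says that one call path is guarded. The rest of the rewrite is an improvement worth keeping: the workstation paths (`/Users/miverso2/...`), the real user and realm (`miverso2@MS.DS.UHC.COM`) and a stale `Version: 0.1.1` line are gone from a file that ships inside the gem, and the `resolve` example now uses `user@REALM` placeholders.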
data/README.md
CHANGED
|
@@ -28,11 +28,11 @@ Returns an identity hash or `nil`:
|
|
|
28
28
|
|
|
29
29
|
```ruby
|
|
30
30
|
{
|
|
31
|
-
canonical_name: '
|
|
31
|
+
canonical_name: 'jdoe', # ^[a-z0-9][a-z0-9_-]*$ — no dots (AMQP word separator)
|
|
32
32
|
kind: :human,
|
|
33
33
|
source: :kerberos,
|
|
34
|
-
principal: '
|
|
35
|
-
realm: '
|
|
34
|
+
principal: 'jdoe@CORP.EXAMPLE.COM',
|
|
35
|
+
realm: 'CORP.EXAMPLE.COM',
|
|
36
36
|
groups: [] # group lookup is lex-identity-ldap's responsibility
|
|
37
37
|
}
|
|
38
38
|
```
|
|
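Review bot: no change needed; the `-` lines render only as `canonical_name: '`, `principal: '` and `realm: '`, so this diff does not show what was replaced, but the replacement values (`jdoe`, `CORP.EXAMPLE.COM`) are reserved example names, which is the right choice for a README that ships in the gem. One small addition: the inline comment on `canonical_name` documents the `^[a-z0-9][a-z0-9_-]*$` shape; add that `normalize` is what derives it from the principal, since the `normalize` section below in this README is where the stripping rules live.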
@@ -45,7 +45,7 @@ Strips `@REALM`, downcases, trims whitespace, and removes characters outside `[a
|
|
|
45
45
|
|
|
46
46
|
```ruby
|
|
47
47
|
Identity.normalize('User.Name@REALM.COM') # => 'username'
|
|
48
|
-
Identity.normalize('
|
|
48
|
+
Identity.normalize('jdoe@CORP.EXAMPLE.COM') # => 'jdoe'
|
|
49
49
|
```
|
|
50
50
|
|
|
51
51
|
### `provide_token`
|
|
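Review bot: the example `Identity.normalize('User.Name@REALM.COM') # => 'username'` shows that dots are dropped rather than replaced, which makes `normalize` non-injective: `user.name@REALM` and `username@REALM` both canonicalize to `username`, and because `@REALM` is stripped, `jdoe@CORP.EXAMPLE.COM` and `jdoe` in any other realm collapse to the same `canonical_name` as well. That is fine for a routing key constrained by the AMQP word rule, but it should be stated next to this example that authorization decisions must key on the `principal` and `realm` fields preserved in the identity hash, not on `canonical_name`, so two distinct principals cannot inherit each other's permissions through a normalization collision.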
@@ -59,7 +59,7 @@ lease.credential # => '<base64-spnego-token>'
|
|
|
59
59
|
lease.expires_at # => Time (10h from now)
|
|
60
60
|
lease.renewable # => true
|
|
61
61
|
lease.valid? # => true
|
|
62
|
-
lease.metadata # => { realm: '
|
|
62
|
+
lease.metadata # => { realm: 'CORP.EXAMPLE.COM' }
|
|
63
63
|
```
|
|
64
64
|
|
|
65
65
|
Requires `lex-kerberos` to be loaded and `Legion::Settings[:kerberos][:service_principal]` to be set.
|
|
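Review bot: `lease.expires_at # => Time (10h from now)` together with `lease.valid? # => true` reads as a fixed lifetime, and `lease.renewable # => true` does not say who renews; state whether `expires_at` is taken from the Kerberos ticket the SPNEGO token was built from or is a constant. If it is a constant, say so explicitly and note that `valid?` then reflects the lease's own clock rather than the ticket's, so a lease can report valid after the underlying ticket has expired. The realm placeholder change itself matches the other README hunks.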
@@ -28,10 +28,11 @@ Gem::Specification.new do |spec|
|
|
|
28
28
|
spec.require_paths = ['lib']
|
|
29
29
|
|
|
30
30
|
# Core framework dependencies
|
|
31
|
+
spec.add_dependency 'legion-crypt', '>= 1.5.13'
|
|
31
32
|
spec.add_dependency 'legion-json', '>= 1.2.1'
|
|
33
|
+
spec.add_dependency 'legion-logging', '>= 1.5.3'
|
|
32
34
|
spec.add_dependency 'legion-settings', '>= 1.3.14'
|
|
33
35
|
|
|
34
36
|
# Optional runtime dependencies are guarded with defined?() in the source:
|
|
35
|
-
# legion-crypt — for Legion::Crypt.kerberos_principal
|
|
36
37
|
# lex-kerberos — for Legion::Extensions::Kerberos::Helpers::Spnego#obtain_spnego_token
|
|
37
38
|
end
|
|
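Review bot: `legion-crypt` moves from the "Optional runtime dependencies are guarded with defined?()" comment block into the hard dependency list and `legion-logging` is added as a new hard dependency, but neither appears in the CHANGELOG hunk for 0.2.1, which records only the `crypt_required?` change; add both there so dependency pinning and audit tooling pick them up. With `legion-crypt` now declared, the `return nil unless defined?(Legion::Crypt)` guard in resolver.rb becomes redundant but harmless, and `lex-kerberos` is still correctly listed as the remaining guarded optional.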
@@ -8,7 +8,7 @@ module Legion
|
|
|
8
8
|
module Resolver
|
|
9
9
|
module_function
|
|
10
10
|
|
|
11
|
-
# Returns the raw Kerberos principal string (e.g. "
|
|
11
|
+
# Returns the raw Kerberos principal string (e.g. "jdoe@CORP.EXAMPLE.COM")
|
|
12
12
|
# from Legion::Crypt if available, or nil.
|
|
13
13
|
def principal
|
|
14
14
|
return nil unless defined?(Legion::Crypt)
|
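Review bot: comment-only change, and the truncated `-` line (ending at the opening `"`) matches the placeholder scrubbing elsewhere in this release. One documentation point on the context lines: `return nil unless defined?(Legion::Crypt)` covers the gem being absent, but with `crypt_required?` now `false` the more common nil case is `Legion::Crypt` loaded and `kerberos_principal` not yet set; extend the method comment to say that nil also means "not yet authenticated at this point in boot", so callers treat it as no identity rather than as a disabled provider.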
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: lex-identity-kerberos
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Esity
|
|
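Review bot: the version bump matches the CHANGELOG and the one-line `version.rb` change listed in the file summary. The unchanged `date: 1980-01-02 00:00:00.000000000 Z` context line is the fixed reproducible-build timestamp RubyGems emits rather than the actual build date, so it carries no release information and should not be read as one.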
@@ -9,6 +9,20 @@ bindir: bin
|
|
|
9
9
|
cert_chain: []
|
|
10
10
|
date: 1980-01-02 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
|
+
- !ruby/object:Gem::Dependency
|
|
13
|
+
name: legion-crypt
|
|
14
|
+
requirement: !ruby/object:Gem::Requirement
|
|
15
|
+
requirements:
|
|
16
|
+
- - ">="
|
|
17
|
+
- !ruby/object:Gem::Version
|
|
18
|
+
version: 1.5.13
|
|
19
|
+
type: :runtime
|
|
20
|
+
prerelease: false
|
|
21
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
22
|
+
requirements:
|
|
23
|
+
- - ">="
|
|
24
|
+
- !ruby/object:Gem::Version
|
|
25
|
+
version: 1.5.13
|
|
12
26
|
- !ruby/object:Gem::Dependency
|
|
13
27
|
name: legion-json
|
|
14
28
|
requirement: !ruby/object:Gem::Requirement
|
|
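Review bot: `cert_chain: []` in the context lines means the gem is unsigned, so installers cannot verify a publisher signature and a `--trust-policy` stricter than the default will reject it; verification of the artifact rests on the registry's checksums (the checksums.yaml hunk). Not a regression in this release, but worth knowing for consumers. The added `legion-crypt >= 1.5.13` dependency block matches the gemspec hunk exactly.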
@@ -23,6 +37,20 @@ dependencies:
|
|
|
23
37
|
- - ">="
|
|
24
38
|
- !ruby/object:Gem::Version
|
|
25
39
|
version: 1.2.1
|
|
40
|
+
- !ruby/object:Gem::Dependency
|
|
41
|
+
name: legion-logging
|
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
|
43
|
+
requirements:
|
|
44
|
+
- - ">="
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: 1.5.3
|
|
47
|
+
type: :runtime
|
|
48
|
+
prerelease: false
|
|
49
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - ">="
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: 1.5.3
|
|
26
54
|
- !ruby/object:Gem::Dependency
|
|
27
55
|
name: legion-settings
|
|
28
56
|
requirement: !ruby/object:Gem::Requirement
|
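Review bot: the added `legion-logging >= 1.5.3` block matches the gemspec hunk; the rendering ends partway through this hunk at the `legion-settings` entry, so the remainder of the metadata change is not reviewable here.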