lex-kerberos 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 15ea37e6d645fc9dd2e3c6cb8efb0cde73d4b4fef19cf5d86107e31a82a31bc2
+  data.tar.gz: 9269c50bf9e6ef8b21f7f36ba515576404d522f3893c60903543b8de73564ab7
+SHA512:
+  metadata.gz: e3cb6c6e00bee1659282fde1f92f718e748f145eb270f50d5d014cd203e584ec74cf01bd229404bf5cc340cd1a415d38cff0d0475f91d9afa7628e1f8573f9af
+  data.tar.gz: 6911ada268f1b63dadf7a909be989c49474448be7a7e081682f8956f4d70c85d6881294b3958c6d1c47d9f581badf8449f591a4ff1e11ab6b77dda620dbf45be

data/.github/workflows/ci.yml

@@ -0,0 +1,16 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  release:
+    needs: ci
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rubocop.yml

@@ -0,0 +1,15 @@
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 3.4
+  SuggestExtensions: false
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+    - '*.gemspec'
+
+Metrics/ParameterLists:
+  Max: 10
+
+Style/Documentation:
+  Enabled: false

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+## [Unreleased]
+
+## [0.1.0] - 2026-03-17
+
+### Added
+- SPNEGO/GSSAPI token validation via `gssapi` gem (`Helpers::Spnego#accept_spnego_token`)
+- LDAP group resolution via `net-ldap` gem (`Helpers::Ldap#lookup_groups`) with configurable filter and attribute
+- Keytab management with Vault-primary, file-fallback resolution (`Helpers::Keytab#resolve_keytab`); supports `vault://` URIs, file paths, and Base64 blobs written to `~/.legionio/kerberos/legion.keytab`
+- Standalone `Client` class with `authenticate(token:)` and `resolve_groups(username:)` for framework-independent usage
+- `Runners::Authenticate#validate_spnego`: full pipeline combining keytab resolution, GSSAPI acceptance, and optional LDAP group lookup
+- `Actor::KeytabRefresh`: interval actor (hourly) that re-fetches and caches the keytab from configured sources
+- 43 specs, 91.67% coverage

data/CLAUDE.md

@@ -0,0 +1,122 @@
+# lex-kerberos: Kerberos/SPNEGO Authentication for LegionIO
+
+**Repository Level 3 Documentation**
+- **Parent (Level 2)**: `/Users/miverso2/rubymine/legion/extensions/CLAUDE.md`
+- **Parent (Level 1)**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
+
+## Purpose
+
+Legion Extension that provides Kerberos/SPNEGO authentication. Validates SPNEGO tokens via GSSAPI, resolves LDAP group membership against Active Directory, and manages keytab files with Vault-primary, file-fallback sourcing. Designed for services that accept HTTP Negotiate authentication from AD-joined clients.
+
+**GitHub**: https://github.com/LegionIO/lex-kerberos
+**License**: MIT
+**Version**: 0.1.0
+
+## Architecture
+
+```
+Legion::Extensions::Kerberos
+├── Runners/
+│   └── Authenticate      # validate_spnego: keytab resolve + GSSAPI accept + LDAP groups
+├── Actors/
+│   └── KeytabRefresh     # Every actor (1hr): re-fetch keytab from Vault/sources
+├── Helpers/
+│   ├── Spnego            # GSSAPI token validation, principal/realm extraction
+│   ├── Ldap              # Net::LDAP group lookup via sAMAccountName filter
+│   ├── Keytab            # Multi-source keytab resolution (vault://, file path, Base64)
+│   └── Client            # Settings defaults and Legion::Settings merge
+└── Client                # Standalone client class (includes all helpers)
+```
+
+## File Map
+
+| File | Purpose |
+|------|---------|
+| `lib/legion/extensions/kerberos.rb` | Entry point, requires all helpers/runners/actors, extends Core |
+| `lib/legion/extensions/kerberos/helpers/spnego.rb` | GSSAPI token acceptance via `gssapi` gem; `accept_spnego_token`, `extract_username`, `extract_realm` |
+| `lib/legion/extensions/kerberos/helpers/ldap.rb` | LDAP group lookup via `net-ldap`; `lookup_groups` with configurable filter/attribute |
+| `lib/legion/extensions/kerberos/helpers/keytab.rb` | Multi-source keytab resolution; vault:// URI, file path, Base64 blob; writes to `~/.legionio/kerberos/legion.keytab` |
+| `lib/legion/extensions/kerberos/helpers/client.rb` | `DEFAULTS` constant and `settings` method that merges with `Legion::Settings[:kerberos]` |
+| `lib/legion/extensions/kerberos/runners/authenticate.rb` | `validate_spnego` runner: orchestrates keytab resolve → SPNEGO accept → optional LDAP lookup |
+| `lib/legion/extensions/kerberos/actors/keytab_refresh.rb` | Hourly actor that calls `resolve_keytab` to re-cache from Vault; `run_now? false` (no immediate run at boot) |
+| `lib/legion/extensions/kerberos/client.rb` | Standalone `Client` class with `authenticate(token:)` and `resolve_groups(username:)` |
+| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.0'` |
+
+## Key Patterns
+
+### GSSAPI Token Acceptance
+
+`Helpers::Spnego#accept_spnego_token` decodes the Base64 SPNEGO token from the HTTP `Authorization: Negotiate` header, sets `KRB5_KTNAME` env var to the keytab path, then uses `GSSAPI::Simple.new(host, service)` to accept the security context. Returns `{ success:, principal:, username:, realm:, output_token: }`.
+
+The service principal must be split as `service/host` (e.g., `HTTP/myapp.example.com`) — `GSSAPI::Simple` takes host and service name separately.
+
+### Keytab Resolution
+
+`Helpers::Keytab#resolve_keytab(sources:)` tries each source in order:
+1. `vault://` URI — resolved via `Legion::Settings::Resolver.resolve_value`, then written as Base64 to cache
+2. File path — used as-is if `File.exist?`
+3. Base64 blob — decoded and written to `~/.legionio/kerberos/legion.keytab` (mode `0600`)
+
+Returns `{ success: true, path:, source: (:file | :base64) }` or `{ success: false, error: }`.
+
+### LDAP Group Lookup
+
+`Helpers::Ldap#lookup_groups` builds a `Net::LDAP` client with TLS, binds with the service account, and searches by `sAMAccountName` filter (format string `%<username>s`). Returns the full DN strings from the `memberOf` attribute (configurable via `group_attribute:`).
+
+Requires `host:` in the ldap opts; if absent, `Runners::Authenticate` skips group lookup and returns an empty array.
+
+### Standalone Client Pattern
+
+`Client.new` accepts `realm:`, `service_principal:`, `keytab:`, and `**opts` (where `opts[:ldap]` is passed to group lookup). Falls back to `settings[:kerberos]` defaults when kwargs are nil. Includes all four helpers. `authenticate(token:)` and `resolve_groups(username:)` are the primary interface methods.
+
+## Settings Reference
+
+```json
+{
+  "kerberos": {
+    "enabled": true,
+    "realm": "EXAMPLE.COM",
+    "service_principal": "HTTP/myapp.example.com",
+    "keytab": ["vault://secret/kerberos#keytab", "/etc/legion/krb5.keytab"],
+    "mutual_auth": true,
+    "ldap": {
+      "host": "dc.example.com",
+      "port": 636,
+      "encryption": "simple_tls",
+      "base_dn": "DC=example,DC=com",
+      "bind_dn": "CN=svc-legion,OU=Service Accounts,DC=example,DC=com",
+      "bind_password": "vault://secret/kerberos/ldap_bind#password",
+      "user_filter": "(sAMAccountName=%<username>s)",
+      "group_attribute": "memberOf"
+    },
+    "role_map": {},
+    "fallback": "entra",
+    "cache_groups_ttl": 300
+  }
+}
+```
+
+Defaults defined in `Helpers::Client::DEFAULTS`. `settings` method merges `Legion::Settings[:kerberos]` on top when available, returning the full merged hash under `:kerberos`.
+
+## Dependencies
+
+| Gem | Purpose |
+|-----|---------|
+| `gssapi` (~> 1.3) | GSSAPI/SPNEGO token validation; requires system MIT Kerberos libraries (`krb5`) |
+| `net-ldap` (~> 0.19) | LDAP group lookup against Active Directory |
+
+Optional framework dependencies (guarded with `defined?`, not in gemspec):
+- `legion-settings` — `Legion::Settings::Resolver` for `vault://` keytab URI resolution
+- `legion-logging` — logging in `KeytabRefresh` actor
+
+## Testing
+
+```bash
+bundle install
+bundle exec rspec     # 43 specs, 91.67% coverage
+bundle exec rubocop   # Clean
+```
+
+---
+
+**Maintained By**: Matthew Iverson (@Esity)

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
+
+group :development, :test do
+  gem 'rspec', '~> 3.13'
+  gem 'rubocop', '~> 1.75'
+  gem 'simplecov', '~> 0.22'
+end

data/Gemfile.lock

@@ -0,0 +1,159 @@
+PATH
+  remote: .
+  specs:
+    lex-kerberos (0.1.0)
+      gssapi (~> 1.3)
+      net-ldap (~> 0.19)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    ffi (1.17.3)
+    ffi (1.17.3-aarch64-linux-gnu)
+    ffi (1.17.3-aarch64-linux-musl)
+    ffi (1.17.3-arm-linux-gnu)
+    ffi (1.17.3-arm-linux-musl)
+    ffi (1.17.3-arm64-darwin)
+    ffi (1.17.3-x86-linux-gnu)
+    ffi (1.17.3-x86-linux-musl)
+    ffi (1.17.3-x86_64-darwin)
+    ffi (1.17.3-x86_64-linux-gnu)
+    ffi (1.17.3-x86_64-linux-musl)
+    gssapi (1.3.1)
+      ffi (>= 1.0.1)
+    json (2.19.1)
+    json-schema (6.2.0)
+      addressable (~> 2.8)
+      bigdecimal (>= 3.1, < 5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    mcp (0.8.0)
+      json-schema (>= 4.1)
+    net-ldap (0.20.0)
+      base64
+      ostruct
+    ostruct (0.6.3)
+    parallel (1.27.0)
+    parser (3.3.10.2)
+      ast (~> 2.4.1)
+      racc
+    prism (1.9.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    regexp_parser (2.11.3)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rubocop (1.85.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      mcp (~> 0.6)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+
+PLATFORMS
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
+  arm64-darwin
+  ruby
+  x86-linux-gnu
+  x86-linux-musl
+  x86_64-darwin
+  x86_64-linux-gnu
+  x86_64-linux-musl
+
+DEPENDENCIES
+  lex-kerberos!
+  rspec (~> 3.13)
+  rubocop (~> 1.75)
+  simplecov (~> 0.22)
+
+CHECKSUMS
+  addressable (2.8.9) sha256=cc154fcbe689711808a43601dee7b980238ce54368d23e127421753e46895485
+  ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
+  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
+  diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
+  docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
+  ffi (1.17.3) sha256=0e9f39f7bb3934f77ad6feab49662be77e87eedcdeb2a3f5c0234c2938563d4c
+  ffi (1.17.3-aarch64-linux-gnu) sha256=28ad573df26560f0aedd8a90c3371279a0b2bd0b4e834b16a2baa10bd7a97068
+  ffi (1.17.3-aarch64-linux-musl) sha256=020b33b76775b1abacc3b7d86b287cef3251f66d747092deec592c7f5df764b2
+  ffi (1.17.3-arm-linux-gnu) sha256=5bd4cea83b68b5ec0037f99c57d5ce2dd5aa438f35decc5ef68a7d085c785668
+  ffi (1.17.3-arm-linux-musl) sha256=0d7626bb96265f9af78afa33e267d71cfef9d9a8eb8f5525344f8da6c7d76053
+  ffi (1.17.3-arm64-darwin) sha256=0c690555d4cee17a7f07c04d59df39b2fba74ec440b19da1f685c6579bb0717f
+  ffi (1.17.3-x86-linux-gnu) sha256=868a88fcaf5186c3a46b7c7c2b2c34550e1e61a405670ab23f5b6c9971529089
+  ffi (1.17.3-x86-linux-musl) sha256=f0286aa6ef40605cf586e61406c446de34397b85dbb08cc99fdaddaef8343945
+  ffi (1.17.3-x86_64-darwin) sha256=1f211811eb5cfaa25998322cdd92ab104bfbd26d1c4c08471599c511f2c00bb5
+  ffi (1.17.3-x86_64-linux-gnu) sha256=3746b01f677aae7b16dc1acb7cb3cc17b3e35bdae7676a3f568153fb0e2c887f
+  ffi (1.17.3-x86_64-linux-musl) sha256=086b221c3a68320b7564066f46fed23449a44f7a1935f1fe5a245bd89d9aea56
+  gssapi (1.3.1) sha256=c51cf30842ee39bd93ce7fc33e20405ff8a04cda9dec6092071b61258284aee1
+  json (2.19.1) sha256=dd94fdc59e48bff85913829a32350b3148156bc4fd2a95a2568a78b11344082d
+  json-schema (6.2.0) sha256=e8bff46ed845a22c1ab2bd0d7eccf831c01fe23bb3920caa4c74db4306813666
+  language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
+  lex-kerberos (0.1.0)
+  lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
+  mcp (0.8.0) sha256=ae8bd146bb8e168852866fd26f805f52744f6326afb3211e073f78a95e0c34fb
+  net-ldap (0.20.0) sha256=b2080b350753a9ac4930869ded8e61a1d2151c01e03b0bf07b4675cbd9ce5372
+  ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
+  parallel (1.27.0) sha256=4ac151e1806b755fb4e2dc2332cbf0e54f2e24ba821ff2d3dcf86bf6dc4ae130
+  parser (3.3.10.2) sha256=6f60c84aa4bdcedb6d1a2434b738fe8a8136807b6adc8f7f53b97da9bc4e9357
+  prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
+  public_suffix (7.0.5) sha256=1a8bb08f1bbea19228d3bed6e5ed908d1cb4f7c2726d18bd9cadf60bc676f623
+  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
+  rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
+  regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
+  rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
+  rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
+  rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836
+  rspec-mocks (3.13.8) sha256=086ad3d3d17533f4237643de0b5c42f04b66348c28bf6b9c2d3f4a3b01af1d47
+  rspec-support (3.13.7) sha256=0640e5570872aafefd79867901deeeeb40b0c9875a36b983d85f54fb7381c47c
+  rubocop (1.85.1) sha256=3dbcf9e961baa4c376eeeb2a03913dca5e3987033b04d38fa538aa1e7406cc77
+  rubocop-ast (1.49.1) sha256=4412f3ee70f6fe4546cc489548e0f6fcf76cafcfa80fa03af67098ffed755035
+  ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
+  simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
+  simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
+  simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
+  unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
+  unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
+
+BUNDLED WITH
+  4.0.8

data/README.md

@@ -0,0 +1,202 @@
+# lex-kerberos
+
+Kerberos/SPNEGO authentication integration for [LegionIO](https://github.com/LegionIO/LegionIO). Validates SPNEGO tokens via GSSAPI, resolves LDAP group membership, and manages keytab files with Vault-primary, file-fallback sourcing.
+
+## Installation
+
+```ruby
+gem 'lex-kerberos'
+```
+
+Or install directly:
+
+```bash
+gem install lex-kerberos
+```
+
+## Prerequisites
+
+- MIT Kerberos libraries (`krb5`) installed on the host (`brew install krb5` / `apt install libkrb5-dev`)
+- A keytab file for the service principal (see [Keytab Provisioning](#keytab-provisioning))
+- Active Directory / Kerberos realm reachable from the host
+- For LDAP group resolution: an LDAP bind account with read access to the directory
+
+## Configuration
+
+Settings live under `Legion::Settings[:kerberos]`:
+
+```json
+{
+  "kerberos": {
+    "enabled": true,
+    "realm": "EXAMPLE.COM",
+    "service_principal": "HTTP/myapp.example.com",
+    "keytab": [
+      "vault://secret/kerberos/keytab#data",
+      "/etc/legion/krb5.keytab"
+    ],
+    "mutual_auth": true,
+    "ldap": {
+      "host": "dc.example.com",
+      "port": 636,
+      "encryption": "simple_tls",
+      "base_dn": "DC=example,DC=com",
+      "bind_dn": "CN=svc-legion,OU=Service Accounts,DC=example,DC=com",
+      "bind_password": "vault://secret/kerberos/ldap_bind#password",
+      "user_filter": "(sAMAccountName=%<username>s)",
+      "group_attribute": "memberOf"
+    },
+    "role_map": {},
+    "fallback": "entra",
+    "cache_groups_ttl": 300
+  }
+}
+```
+
+The `keytab` value is an array of sources tried in order. Each source can be:
+- A `vault://` URI resolved via `Legion::Settings::Resolver`
+- An absolute file path (used as-is if the file exists)
+- A Base64-encoded keytab blob written to `~/.legionio/kerberos/legion.keytab`
+
+## Standalone Usage
+
+Use the gem outside the LegionIO framework:
+
+```ruby
+require 'legion/extensions/kerberos'
+
+client = Legion::Extensions::Kerberos::Client.new(
+  realm:             'EXAMPLE.COM',
+  service_principal: 'HTTP/myapp.example.com',
+  keytab:            ['/etc/legion/krb5.keytab'],
+  ldap: {
+    host:          'dc.example.com',
+    port:          636,
+    encryption:    :simple_tls,
+    base_dn:       'DC=example,DC=com',
+    bind_dn:       'CN=svc-legion,OU=Service Accounts,DC=example,DC=com',
+    bind_password: 'password'
+  }
+)
+
+# Validate a SPNEGO token from an HTTP Negotiate header
+authorization_header = request.env['HTTP_AUTHORIZATION']
+token = authorization_header.delete_prefix('Negotiate ')
+result = client.authenticate(token: token)
+# => { success: true, principal: "user@EXAMPLE.COM", username: "user",
+#      realm: "EXAMPLE.COM", output_token: "...", ... }
+
+# Resolve LDAP groups for a username
+groups = client.resolve_groups(username: 'user')
+# => { success: true, groups: ["CN=Domain Users,..."], username: "user" }
+```
+
+### Using helpers directly
+
+```ruby
+helper = Object.new.extend(Legion::Extensions::Kerberos::Helpers::Spnego)
+result = helper.accept_spnego_token(
+  token:             token,
+  keytab:            '/etc/legion/krb5.keytab',
+  service_principal: 'HTTP/myapp.example.com'
+)
+
+keytab_helper = Object.new.extend(Legion::Extensions::Kerberos::Helpers::Keytab)
+kt = keytab_helper.resolve_keytab(sources: ['/etc/legion/krb5.keytab'])
+# => { success: true, path: "/etc/legion/krb5.keytab", source: :file }
+```
+
+## CLI Usage
+
+When running within LegionIO with the `legion-crypt` Vault Kerberos auth integration:
+
+```bash
+legion auth kerberos
+```
+
+This uses the configured service principal and keytab to authenticate via Vault's Kerberos auth method.
+
+## API Usage
+
+When the LegionIO REST API is running, the Negotiate challenge/response endpoint is available:
+
+```
+GET /api/auth/negotiate
+Authorization: Negotiate <base64-spnego-token>
+```
+
+Successful response:
+
+```json
+{
+  "success": true,
+  "principal": "user@EXAMPLE.COM",
+  "username": "user",
+  "realm": "EXAMPLE.COM",
+  "groups": ["CN=Domain Users,DC=example,DC=com"],
+  "auth_method": "kerberos"
+}
+```
+
+## Vault Integration
+
+Store the keytab as a Base64-encoded secret in Vault:
+
+```bash
+base64 -i /etc/legion/krb5.keytab | vault kv put secret/kerberos keytab=-
+```
+
+Configure lex-kerberos to resolve it:
+
+```json
+{
+  "kerberos": {
+    "keytab": ["vault://secret/kerberos#keytab", "/etc/legion/krb5.keytab"]
+  }
+}
+```
+
+The Vault URI is resolved via `Legion::Settings::Resolver`. The keytab bytes are written to `~/.legionio/kerberos/legion.keytab` with permissions `0600` and used for the current session. The `KeytabRefresh` actor runs hourly to re-fetch the keytab from Vault, ensuring the cached file stays current when Vault secrets are rotated.
+
+## Keytab Provisioning
+
+Create a keytab for a Windows AD service principal using `ktpass` on a domain controller:
+
+```cmd
+ktpass -princ HTTP/myapp.example.com@EXAMPLE.COM ^
+       -mapuser svc-legion@EXAMPLE.COM ^
+       -crypto AES256-SHA1 ^
+       -ptype KRB5_NT_PRINCIPAL ^
+       -pass * ^
+       -out legion.keytab
+```
+
+Verify the keytab:
+
+```bash
+klist -k -t /etc/legion/krb5.keytab
+```
+
+Ensure `/etc/krb5.conf` references the correct realm and KDC:
+
+```ini
+[libdefaults]
+  default_realm = EXAMPLE.COM
+
+[realms]
+  EXAMPLE.COM = {
+    kdc = kdc.example.com
+    admin_server = kdc.example.com
+  }
+```
+
+## Requirements
+
+- Ruby >= 3.4
+- [LegionIO](https://github.com/LegionIO/LegionIO) framework (optional for standalone client usage)
+- `gssapi` ~> 1.3 (MIT Kerberos system libraries required)
+- `net-ldap` ~> 0.19
+
+## License
+
+MIT

data/lex-kerberos.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'lib/legion/extensions/kerberos/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'lex-kerberos'
+  spec.version       = Legion::Extensions::Kerberos::VERSION
+  spec.authors       = ['Esity']
+  spec.email         = ['matthewdiverson@gmail.com']
+
+  spec.summary       = 'LEX Kerberos'
+  spec.description   = 'Connects LegionIO to Kerberos/SPNEGO authentication and LDAP group resolution'
+  spec.homepage      = 'https://github.com/LegionIO/lex-kerberos'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.4'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/LegionIO/lex-kerberos'
+  spec.metadata['documentation_uri'] = 'https://github.com/LegionIO/lex-kerberos'
+  spec.metadata['changelog_uri'] = 'https://github.com/LegionIO/lex-kerberos'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/LegionIO/lex-kerberos/issues'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'gssapi', '~> 1.3'
+  spec.add_dependency 'net-ldap', '~> 0.19'
+end

data/lib/legion/extensions/kerberos/actors/keytab_refresh.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/actors/every' if defined?(Legion::Extensions::Actors)
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Actor
+        class KeytabRefresh < Legion::Extensions::Actors::Every
+          def initialize(**opts)
+            return unless enabled?
+
+            super
+          end
+
+          def time = 3600
+          def run_now? = false
+          def use_runner? = false
+          def check_subtask? = false
+          def generate_task? = false
+
+          def enabled?
+            defined?(Legion::Extensions::Kerberos::Helpers::Keytab)
+          rescue StandardError
+            false
+          end
+
+          def manual
+            result = keytab_helper.resolve_keytab(sources: keytab_sources)
+            log_result(result)
+          rescue StandardError => e
+            log_error(e)
+          end
+
+          private
+
+          def keytab_helper
+            Object.new.extend(Legion::Extensions::Kerberos::Helpers::Keytab)
+          end
+
+          def keytab_sources
+            return [] unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:kerberos, :keytab) || []
+          end
+
+          def log_result(result)
+            return unless defined?(Legion::Logging)
+
+            if result[:success]
+              Legion::Logging.debug("KeytabRefresh: refreshed keytab from #{result[:source]}")
+            else
+              Legion::Logging.warn("KeytabRefresh: #{result[:error]}")
+            end
+          end
+
+          def log_error(err)
+            Legion::Logging.error("KeytabRefresh: #{err.message}") if defined?(Legion::Logging)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/client.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/kerberos/helpers/client'
+require 'legion/extensions/kerberos/helpers/spnego'
+require 'legion/extensions/kerberos/helpers/ldap'
+require 'legion/extensions/kerberos/helpers/keytab'
+
+module Legion
+  module Extensions
+    module Kerberos
+      class Client
+        include Helpers::Client
+        include Helpers::Spnego
+        include Helpers::Ldap
+        include Helpers::Keytab
+
+        attr_reader :realm, :service_principal, :keytab_sources, :opts
+
+        def initialize(realm: nil, service_principal: nil, keytab: nil, **opts)
+          defaults = settings[:kerberos]
+          @realm = realm || defaults[:realm]
+          @service_principal = service_principal || defaults[:service_principal]
+          @keytab_sources = keytab || defaults[:keytab]
+          @opts = opts
+        end
+
+        def authenticate(token:)
+          kt = resolve_keytab(sources: @keytab_sources)
+          return kt unless kt[:success]
+
+          accept_spnego_token(
+            token: token,
+            keytab: kt[:path],
+            service_principal: @service_principal
+          )
+        end
+
+        def resolve_groups(username:)
+          ldap_opts = @opts[:ldap] || settings[:kerberos][:ldap] || {}
+          lookup_groups(username: username, **ldap_opts)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/helpers/client.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Helpers
+        module Client
+          DEFAULTS = {
+            kerberos: {
+              enabled: true,
+              realm: 'MS.DS.UHC.COM',
+              service_principal: 'HTTP/legion.uhg.com',
+              keytab: ['/etc/legion/krb5.keytab'],
+              mutual_auth: true,
+              ldap: {
+                port: 636, encryption: :simple_tls,
+                group_attribute: 'memberOf',
+                user_filter: '(sAMAccountName=%<username>s)'
+              },
+              role_map: {},
+              fallback: :entra,
+              cache_groups_ttl: 300
+            }
+          }.freeze
+
+          def settings
+            if defined?(Legion::Settings) && Legion::Settings.respond_to?(:dig)
+              krb = Legion::Settings[:kerberos] || {}
+              { kerberos: DEFAULTS[:kerberos].merge(krb) }
+            else
+              DEFAULTS
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/helpers/keytab.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'fileutils'
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Helpers
+        module Keytab
+          DEFAULT_CACHE_DIR = File.join(Dir.home, '.legionio', 'kerberos')
+
+          def resolve_keytab(sources:, cache_dir: DEFAULT_CACHE_DIR, **)
+            Array(sources).each do |source|
+              next if source.nil? || source.to_s.empty?
+
+              result = resolve_source(source, cache_dir)
+              return result if result
+            end
+
+            { success: false, error: 'no valid keytab source found' }
+          end
+
+          private
+
+          def resolve_source(source, cache_dir)
+            return resolve_vault_source(source, cache_dir) if vault_uri?(source)
+            return { success: true, path: source, source: :file } if File.exist?(source)
+            return write_keytab_cache(source, cache_dir) if base64?(source)
+
+            nil
+          end
+
+          def vault_uri?(source)
+            source.start_with?('vault://') &&
+              defined?(Legion::Settings) &&
+              defined?(Legion::Settings::Resolver)
+          end
+
+          def resolve_vault_source(source, cache_dir)
+            resolved = Legion::Settings::Resolver.resolve_value(source)
+            return nil unless resolved
+
+            write_keytab_cache(resolved, cache_dir)
+          end
+
+          def base64?(str)
+            str.match?(%r{\A[A-Za-z0-9+/\n]+=*\n?\z}) && str.length > 20
+          end
+
+          def write_keytab_cache(base64_data, cache_dir)
+            FileUtils.mkdir_p(cache_dir)
+            path = File.join(cache_dir, 'legion.keytab')
+            File.binwrite(path, Base64.strict_decode64(base64_data.strip))
+            File.chmod(0o600, path)
+            { success: true, path: path, source: :base64 }
+          rescue ArgumentError => e
+            { success: false, error: "keytab decode failed: #{e.message}" }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/helpers/ldap.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'net-ldap'
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Helpers
+        module Ldap
+          def lookup_groups(username:, host:, base_dn:, bind_dn:, bind_password:,
+                            port: 636, encryption: :simple_tls,
+                            user_filter: '(sAMAccountName=%<username>s)',
+                            group_attribute: 'memberOf', **)
+            ldap = build_ldap_client(host: host, port: port, encryption: encryption,
+                                     bind_dn: bind_dn, bind_password: bind_password)
+            return { success: false, error: 'LDAP bind failed' } unless ldap.bind
+
+            groups = search_groups(ldap: ldap, username: username, base_dn: base_dn,
+                                   user_filter: user_filter, group_attribute: group_attribute)
+            { success: true, groups: groups, username: username }
+          rescue Net::LDAP::Error => e
+            { success: false, error: "LDAP error: #{e.message}" }
+          end
+
+          private
+
+          def build_ldap_client(host:, port:, encryption:, bind_dn:, bind_password:)
+            Net::LDAP.new(
+              host: host, port: port,
+              encryption: { method: encryption },
+              auth: { method: :simple, username: bind_dn, password: bind_password }
+            )
+          end
+
+          def search_groups(ldap:, username:, base_dn:, user_filter:, group_attribute:)
+            filter = Net::LDAP::Filter.construct(format(user_filter, username: username))
+            groups = []
+            ldap.search(base: base_dn, filter: filter, attributes: [group_attribute]) do |entry|
+              groups.concat(Array(entry[group_attribute]).map(&:to_s))
+            end
+            groups
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/helpers/spnego.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'gssapi'
+require 'base64'
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Helpers
+        module Spnego
+          def accept_spnego_token(token:, keytab:, service_principal:, _mutual_auth: true, **)
+            ENV['KRB5_KTNAME'] = keytab if keytab
+
+            input_bytes = Base64.strict_decode64(token)
+            principal, output_bytes = negotiate(input_bytes, service_principal)
+            build_token_result(principal, output_bytes)
+          rescue GSSAPI::GssApiError => e
+            { success: false, error: e.message }
+          rescue ArgumentError => e
+            { success: false, error: "token decode failed: #{e.message}" }
+          end
+
+          def extract_username(principal)
+            principal.split('@', 2).first
+          end
+
+          def extract_realm(principal)
+            parts = principal.split('@', 2)
+            parts.length > 1 ? parts.last : nil
+          end
+
+          private
+
+          def negotiate(input_bytes, service_principal)
+            service, host = service_principal.split('/', 2)
+            ctx = GSSAPI::Simple.new(host, service)
+            ctx.acquire_credentials
+            output_bytes = ctx.accept_context(input_bytes)
+            [ctx.display_name, output_bytes]
+          end
+
+          def build_token_result(principal, output_bytes)
+            {
+              success: true,
+              principal: principal,
+              output_token: output_bytes ? Base64.strict_encode64(output_bytes) : nil,
+              username: extract_username(principal),
+              realm: extract_realm(principal)
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/runners/authenticate.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/kerberos/helpers/spnego'
+require 'legion/extensions/kerberos/helpers/ldap'
+require 'legion/extensions/kerberos/helpers/keytab'
+require 'legion/extensions/kerberos/helpers/client'
+
+module Legion
+  module Extensions
+    module Kerberos
+      module Runners
+        module Authenticate
+          include Helpers::Spnego
+          include Helpers::Ldap
+          include Helpers::Keytab
+          include Helpers::Client
+
+          def validate_spnego(token:, keytab: nil, service_principal: nil, ldap: nil, **)
+            s = settings[:kerberos]
+            keytab ||= s[:keytab]
+            service_principal ||= s[:service_principal]
+
+            kt = resolve_keytab(sources: keytab)
+            return { result: kt } unless kt[:success]
+
+            spnego = accept_spnego_token(token: token, keytab: kt[:path],
+                                         service_principal: service_principal)
+            return { result: spnego } unless spnego[:success]
+
+            groups, ldap_error = resolve_groups(ldap: ldap, cfg: s, username: spnego[:username])
+
+            { result: build_result(spnego: spnego, groups: groups, ldap_error: ldap_error) }
+          end
+
+          private
+
+          def resolve_groups(ldap:, cfg:, username:)
+            ldap_opts = ldap || cfg[:ldap] || {}
+            if ldap_opts[:host]
+              groups_result = lookup_groups(username: username, **ldap_opts)
+              groups = groups_result[:success] ? groups_result[:groups] : []
+              ldap_error = groups_result[:success] ? nil : groups_result[:error]
+            else
+              groups = []
+              ldap_error = nil
+            end
+            [groups, ldap_error]
+          end
+
+          def build_result(spnego:, groups:, ldap_error:)
+            {
+              success: true,
+              principal: spnego[:principal],
+              username: spnego[:username],
+              realm: spnego[:realm],
+              groups: groups,
+              output_token: spnego[:output_token],
+              auth_method: 'kerberos',
+              ldap_error: ldap_error
+            }.compact
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Kerberos
+      VERSION = '0.1.0'
+    end
+  end
+end

data/lib/legion/extensions/kerberos.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/kerberos/version'
+require 'legion/extensions/kerberos/helpers/spnego'
+require 'legion/extensions/kerberos/helpers/ldap'
+require 'legion/extensions/kerberos/helpers/keytab'
+require 'legion/extensions/kerberos/helpers/client'
+require 'legion/extensions/kerberos/runners/authenticate'
+require 'legion/extensions/kerberos/actors/keytab_refresh' if defined?(Legion::Extensions::Actors)
+require 'legion/extensions/kerberos/client'
+
+module Legion
+  module Extensions
+    module Kerberos
+      extend Legion::Extensions::Core if Legion::Extensions.const_defined? :Core
+    end
+  end
+end

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: lex-kerberos
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Esity
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gssapi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: Connects LegionIO to Kerberos/SPNEGO authentication and LDAP group resolution
+email:
+- matthewdiverson@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- CHANGELOG.md
+- CLAUDE.md
+- Gemfile
+- Gemfile.lock
+- README.md
+- lex-kerberos.gemspec
+- lib/legion/extensions/kerberos.rb
+- lib/legion/extensions/kerberos/actors/keytab_refresh.rb
+- lib/legion/extensions/kerberos/client.rb
+- lib/legion/extensions/kerberos/helpers/client.rb
+- lib/legion/extensions/kerberos/helpers/keytab.rb
+- lib/legion/extensions/kerberos/helpers/ldap.rb
+- lib/legion/extensions/kerberos/helpers/spnego.rb
+- lib/legion/extensions/kerberos/runners/authenticate.rb
+- lib/legion/extensions/kerberos/version.rb
+homepage: https://github.com/LegionIO/lex-kerberos
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/LegionIO/lex-kerberos
+  source_code_uri: https://github.com/LegionIO/lex-kerberos
+  documentation_uri: https://github.com/LegionIO/lex-kerberos
+  changelog_uri: https://github.com/LegionIO/lex-kerberos
+  bug_tracker_uri: https://github.com/LegionIO/lex-kerberos/issues
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.4'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: LEX Kerberos
+test_files: []