RubyGems - lex-kerberos - Versions diffs - 0.1.0 → 0.1.2 - Mend

lex-kerberos 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -0
data/CLAUDE.md +3 -3
data/README.md +5 -2
data/lib/legion/extensions/kerberos/helpers/ldap.rb +22 -6
data/lib/legion/extensions/kerberos/runners/authenticate.rb +13 -20
data/lib/legion/extensions/kerberos/version.rb +1 -1
metadata +1 -2
data/Gemfile.lock +0 -159

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15ea37e6d645fc9dd2e3c6cb8efb0cde73d4b4fef19cf5d86107e31a82a31bc2
-  data.tar.gz: 9269c50bf9e6ef8b21f7f36ba515576404d522f3893c60903543b8de73564ab7
+  metadata.gz: 69c3dd5c8ef68a25cc39f06b412e3b9f07854e02643ef44bf2f1082965c72d62
+  data.tar.gz: 0d1b20b4dfc12d31e21a9a00c14be7f76f15ece54a2d8fdb3fcc9703ee76cc46
 SHA512:
-  metadata.gz: e3cb6c6e00bee1659282fde1f92f718e748f145eb270f50d5d014cd203e584ec74cf01bd229404bf5cc340cd1a415d38cff0d0475f91d9afa7628e1f8573f9af
-  data.tar.gz: 6911ada268f1b63dadf7a909be989c49474448be7a7e081682f8956f4d70c85d6881294b3958c6d1c47d9f581badf8449f591a4ff1e11ab6b77dda620dbf45be
+  metadata.gz: c7663b961a7468ccb52e6133b9d12ab57cb47c086cfe2f6264f3a35f3697340a5725415aeb5d115838d44bb0195b4d8e5cb25ef05b681a3680561d57734ffcae
+  data.tar.gz: 27de46aa7005ba6d43a57b0460f2436fecf15a4851a0cccc6f5198efbd82c906d4b9b17f37c8d571a538ba4514ff594a5d5bca614c518050bf735bcd1dca00fb

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,25 @@
 ## [Unreleased]
+## [0.1.2] - 2026-03-18
+### Added
+- Organizational LDAP attributes: `title`, `department`, `company`, `co`, `c`, `l`, `st`, `cn`, `whenCreated`
+- `PROFILE_MAP` constant maps LDAP attribute names to readable Ruby symbols
+### Changed
+- `USER_ATTRIBUTES` expanded to include organizational fields
+- `extract_profile` uses `PROFILE_MAP` for declarative attribute mapping
+## [0.1.1] - 2026-03-18
+### Added
+- LDAP user profile fetching: `givenName`, `sn`, `mail`, `displayName` attributes returned from `lookup_groups`
+- `first_name`, `last_name`, `email`, `display_name` fields in authenticate runner result
+### Changed
+- LDAP search now fetches `USER_ATTRIBUTES` constant (memberOf + profile fields) instead of just group attribute
 ## [0.1.0] - 2026-03-17
 ### Added

data/CLAUDE.md CHANGED Viewed

@@ -10,7 +10,7 @@ Legion Extension that provides Kerberos/SPNEGO authentication. Validates SPNEGO
 **GitHub**: https://github.com/LegionIO/lex-kerberos
 **License**: MIT
-**Version**: 0.1.0
+**Version**: 0.1.2
 ## Architecture
@@ -34,13 +34,13 @@ Legion::Extensions::Kerberos
 |------|---------|
 | `lib/legion/extensions/kerberos.rb` | Entry point, requires all helpers/runners/actors, extends Core |
 | `lib/legion/extensions/kerberos/helpers/spnego.rb` | GSSAPI token acceptance via `gssapi` gem; `accept_spnego_token`, `extract_username`, `extract_realm` |
-| `lib/legion/extensions/kerberos/helpers/ldap.rb` | LDAP group lookup via `net-ldap`; `lookup_groups` with configurable filter/attribute |
+| `lib/legion/extensions/kerberos/helpers/ldap.rb` | LDAP group lookup + profile via `net-ldap`; `lookup_groups` returns groups + org attributes via `PROFILE_MAP` |
 | `lib/legion/extensions/kerberos/helpers/keytab.rb` | Multi-source keytab resolution; vault:// URI, file path, Base64 blob; writes to `~/.legionio/kerberos/legion.keytab` |
 | `lib/legion/extensions/kerberos/helpers/client.rb` | `DEFAULTS` constant and `settings` method that merges with `Legion::Settings[:kerberos]` |
 | `lib/legion/extensions/kerberos/runners/authenticate.rb` | `validate_spnego` runner: orchestrates keytab resolve → SPNEGO accept → optional LDAP lookup |
 | `lib/legion/extensions/kerberos/actors/keytab_refresh.rb` | Hourly actor that calls `resolve_keytab` to re-cache from Vault; `run_now? false` (no immediate run at boot) |
 | `lib/legion/extensions/kerberos/client.rb` | Standalone `Client` class with `authenticate(token:)` and `resolve_groups(username:)` |
-| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.0'` |
+| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.2'` |
 ## Key Patterns

data/README.md CHANGED Viewed

@@ -86,9 +86,12 @@ result = client.authenticate(token: token)
 # => { success: true, principal: "user@EXAMPLE.COM", username: "user",
 #      realm: "EXAMPLE.COM", output_token: "...", ... }
-# Resolve LDAP groups for a username
+# Resolve LDAP groups and profile for a username
 groups = client.resolve_groups(username: 'user')
-# => { success: true, groups: ["CN=Domain Users,..."], username: "user" }
+# => { success: true, groups: ["CN=Domain Users,..."], username: "user",
+#      first_name: "Jane", last_name: "Doe", email: "jane.doe@example.com",
+#      title: "Senior Engineer", department: "Platform Engineering",
+#      company: "Acme Corp", city: "Minneapolis", state: "MN", country: "USA" }
 ```
 ### Using helpers directly

data/lib/legion/extensions/kerberos/helpers/ldap.rb CHANGED Viewed

@@ -7,6 +7,17 @@ module Legion
     module Kerberos
       module Helpers
         module Ldap
+          USER_ATTRIBUTES = %w[
+            memberOf givenName sn mail displayName cn
+            title department company co c l st whenCreated
+          ].freeze
+          PROFILE_MAP = {
+            first_name: :givenname, last_name: :sn, email: :mail, display_name: :displayname,
+            cn: :cn, title: :title, department: :department, company: :company,
+            country: :co, country_code: :c, city: :l, state: :st, ad_created_at: :whencreated
+          }.freeze
           def lookup_groups(username:, host:, base_dn:, bind_dn:, bind_password:,
                             port: 636, encryption: :simple_tls,
                             user_filter: '(sAMAccountName=%<username>s)',
@@ -15,9 +26,8 @@ module Legion
                                      bind_dn: bind_dn, bind_password: bind_password)
             return { success: false, error: 'LDAP bind failed' } unless ldap.bind
-            groups = search_groups(ldap: ldap, username: username, base_dn: base_dn,
-                                   user_filter: user_filter, group_attribute: group_attribute)
-            { success: true, groups: groups, username: username }
+            search_user(ldap: ldap, username: username, base_dn: base_dn,
+                        user_filter: user_filter, group_attribute: group_attribute)
           rescue Net::LDAP::Error => e
             { success: false, error: "LDAP error: #{e.message}" }
           end
@@ -32,13 +42,19 @@ module Legion
             )
           end
-          def search_groups(ldap:, username:, base_dn:, user_filter:, group_attribute:)
+          def search_user(ldap:, username:, base_dn:, user_filter:, group_attribute:)
             filter = Net::LDAP::Filter.construct(format(user_filter, username: username))
             groups = []
-            ldap.search(base: base_dn, filter: filter, attributes: [group_attribute]) do |entry|
+            profile = {}
+            ldap.search(base: base_dn, filter: filter, attributes: USER_ATTRIBUTES) do |entry|
               groups.concat(Array(entry[group_attribute]).map(&:to_s))
+              profile = extract_profile(entry)
             end
-            groups
+            { success: true, groups: groups, username: username, **profile }
+          end
+          def extract_profile(entry)
+            PROFILE_MAP.transform_values { |attr| entry[attr]&.first&.to_s }.compact
           end
         end
       end

data/lib/legion/extensions/kerberos/runners/authenticate.rb CHANGED Viewed

@@ -27,37 +27,30 @@ module Legion
                                          service_principal: service_principal)
             return { result: spnego } unless spnego[:success]
-            groups, ldap_error = resolve_groups(ldap: ldap, cfg: s, username: spnego[:username])
+            groups, ldap_error, profile = resolve_groups(ldap: ldap, cfg: s, username: spnego[:username])
-            { result: build_result(spnego: spnego, groups: groups, ldap_error: ldap_error) }
+            { result: build_result(spnego: spnego, groups: groups, ldap_error: ldap_error, profile: profile) }
           end
           private
           def resolve_groups(ldap:, cfg:, username:)
             ldap_opts = ldap || cfg[:ldap] || {}
-            if ldap_opts[:host]
-              groups_result = lookup_groups(username: username, **ldap_opts)
-              groups = groups_result[:success] ? groups_result[:groups] : []
-              ldap_error = groups_result[:success] ? nil : groups_result[:error]
+            return [[], nil, {}] unless ldap_opts[:host]
+            result = lookup_groups(username: username, **ldap_opts)
+            if result[:success]
+              profile = result.slice(:first_name, :last_name, :email, :display_name)
+              [result[:groups], nil, profile]
             else
-              groups = []
-              ldap_error = nil
+              [[], result[:error], {}]
             end
-            [groups, ldap_error]
           end
-          def build_result(spnego:, groups:, ldap_error:)
-            {
-              success: true,
-              principal: spnego[:principal],
-              username: spnego[:username],
-              realm: spnego[:realm],
-              groups: groups,
-              output_token: spnego[:output_token],
-              auth_method: 'kerberos',
-              ldap_error: ldap_error
-            }.compact
+          def build_result(spnego:, groups:, ldap_error:, profile: {})
+            spnego_fields = spnego.slice(:principal, :username, :realm, :output_token)
+            { success: true, groups: groups, auth_method: 'kerberos',
+              ldap_error: ldap_error, **spnego_fields, **profile }.compact
           end
           include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&

data/lib/legion/extensions/kerberos/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Kerberos
-      VERSION = '0.1.0'
+      VERSION = '0.1.2'
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-kerberos
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Esity
@@ -50,7 +50,6 @@ files:
 - CHANGELOG.md
 - CLAUDE.md
 - Gemfile
-- Gemfile.lock
 - README.md
 - lex-kerberos.gemspec
 - lib/legion/extensions/kerberos.rb

data/Gemfile.lock DELETED Viewed

@@ -1,159 +0,0 @@
-PATH
-  remote: .
-  specs:
-    lex-kerberos (0.1.0)
-      gssapi (~> 1.3)
-      net-ldap (~> 0.19)
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.9)
-      public_suffix (>= 2.0.2, < 8.0)
-    ast (2.4.3)
-    base64 (0.3.0)
-    bigdecimal (4.0.1)
-    diff-lcs (1.6.2)
-    docile (1.4.1)
-    ffi (1.17.3)
-    ffi (1.17.3-aarch64-linux-gnu)
-    ffi (1.17.3-aarch64-linux-musl)
-    ffi (1.17.3-arm-linux-gnu)
-    ffi (1.17.3-arm-linux-musl)
-    ffi (1.17.3-arm64-darwin)
-    ffi (1.17.3-x86-linux-gnu)
-    ffi (1.17.3-x86-linux-musl)
-    ffi (1.17.3-x86_64-darwin)
-    ffi (1.17.3-x86_64-linux-gnu)
-    ffi (1.17.3-x86_64-linux-musl)
-    gssapi (1.3.1)
-      ffi (>= 1.0.1)
-    json (2.19.1)
-    json-schema (6.2.0)
-      addressable (~> 2.8)
-      bigdecimal (>= 3.1, < 5)
-    language_server-protocol (3.17.0.5)
-    lint_roller (1.1.0)
-    mcp (0.8.0)
-      json-schema (>= 4.1)
-    net-ldap (0.20.0)
-      base64
-      ostruct
-    ostruct (0.6.3)
-    parallel (1.27.0)
-    parser (3.3.10.2)
-      ast (~> 2.4.1)
-      racc
-    prism (1.9.0)
-    public_suffix (7.0.5)
-    racc (1.8.1)
-    rainbow (3.1.1)
-    regexp_parser (2.11.3)
-    rspec (3.13.2)
-      rspec-core (~> 3.13.0)
-      rspec-expectations (~> 3.13.0)
-      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.6)
-      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.5)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.8)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-support (3.13.7)
-    rubocop (1.85.1)
-      json (~> 2.3)
-      language_server-protocol (~> 3.17.0.2)
-      lint_roller (~> 1.1.0)
-      mcp (~> 0.6)
-      parallel (~> 1.10)
-      parser (>= 3.3.0.2)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.49.0, < 2.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.49.1)
-      parser (>= 3.3.7.2)
-      prism (~> 1.7)
-    ruby-progressbar (1.13.0)
-    simplecov (0.22.0)
-      docile (~> 1.1)
-      simplecov-html (~> 0.11)
-      simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.13.2)
-    simplecov_json_formatter (0.1.4)
-    unicode-display_width (3.2.0)
-      unicode-emoji (~> 4.1)
-    unicode-emoji (4.2.0)
-PLATFORMS
-  aarch64-linux-gnu
-  aarch64-linux-musl
-  arm-linux-gnu
-  arm-linux-musl
-  arm64-darwin
-  ruby
-  x86-linux-gnu
-  x86-linux-musl
-  x86_64-darwin
-  x86_64-linux-gnu
-  x86_64-linux-musl
-DEPENDENCIES
-  lex-kerberos!
-  rspec (~> 3.13)
-  rubocop (~> 1.75)
-  simplecov (~> 0.22)
-CHECKSUMS
-  addressable (2.8.9) sha256=cc154fcbe689711808a43601dee7b980238ce54368d23e127421753e46895485
-  ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
-  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
-  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
-  diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
-  docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
-  ffi (1.17.3) sha256=0e9f39f7bb3934f77ad6feab49662be77e87eedcdeb2a3f5c0234c2938563d4c
-  ffi (1.17.3-aarch64-linux-gnu) sha256=28ad573df26560f0aedd8a90c3371279a0b2bd0b4e834b16a2baa10bd7a97068
-  ffi (1.17.3-aarch64-linux-musl) sha256=020b33b76775b1abacc3b7d86b287cef3251f66d747092deec592c7f5df764b2
-  ffi (1.17.3-arm-linux-gnu) sha256=5bd4cea83b68b5ec0037f99c57d5ce2dd5aa438f35decc5ef68a7d085c785668
-  ffi (1.17.3-arm-linux-musl) sha256=0d7626bb96265f9af78afa33e267d71cfef9d9a8eb8f5525344f8da6c7d76053
-  ffi (1.17.3-arm64-darwin) sha256=0c690555d4cee17a7f07c04d59df39b2fba74ec440b19da1f685c6579bb0717f
-  ffi (1.17.3-x86-linux-gnu) sha256=868a88fcaf5186c3a46b7c7c2b2c34550e1e61a405670ab23f5b6c9971529089
-  ffi (1.17.3-x86-linux-musl) sha256=f0286aa6ef40605cf586e61406c446de34397b85dbb08cc99fdaddaef8343945
-  ffi (1.17.3-x86_64-darwin) sha256=1f211811eb5cfaa25998322cdd92ab104bfbd26d1c4c08471599c511f2c00bb5
-  ffi (1.17.3-x86_64-linux-gnu) sha256=3746b01f677aae7b16dc1acb7cb3cc17b3e35bdae7676a3f568153fb0e2c887f
-  ffi (1.17.3-x86_64-linux-musl) sha256=086b221c3a68320b7564066f46fed23449a44f7a1935f1fe5a245bd89d9aea56
-  gssapi (1.3.1) sha256=c51cf30842ee39bd93ce7fc33e20405ff8a04cda9dec6092071b61258284aee1
-  json (2.19.1) sha256=dd94fdc59e48bff85913829a32350b3148156bc4fd2a95a2568a78b11344082d
-  json-schema (6.2.0) sha256=e8bff46ed845a22c1ab2bd0d7eccf831c01fe23bb3920caa4c74db4306813666
-  language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
-  lex-kerberos (0.1.0)
-  lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
-  mcp (0.8.0) sha256=ae8bd146bb8e168852866fd26f805f52744f6326afb3211e073f78a95e0c34fb
-  net-ldap (0.20.0) sha256=b2080b350753a9ac4930869ded8e61a1d2151c01e03b0bf07b4675cbd9ce5372
-  ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
-  parallel (1.27.0) sha256=4ac151e1806b755fb4e2dc2332cbf0e54f2e24ba821ff2d3dcf86bf6dc4ae130
-  parser (3.3.10.2) sha256=6f60c84aa4bdcedb6d1a2434b738fe8a8136807b6adc8f7f53b97da9bc4e9357
-  prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
-  public_suffix (7.0.5) sha256=1a8bb08f1bbea19228d3bed6e5ed908d1cb4f7c2726d18bd9cadf60bc676f623
-  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
-  rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
-  regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
-  rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
-  rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
-  rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836
-  rspec-mocks (3.13.8) sha256=086ad3d3d17533f4237643de0b5c42f04b66348c28bf6b9c2d3f4a3b01af1d47
-  rspec-support (3.13.7) sha256=0640e5570872aafefd79867901deeeeb40b0c9875a36b983d85f54fb7381c47c
-  rubocop (1.85.1) sha256=3dbcf9e961baa4c376eeeb2a03913dca5e3987033b04d38fa538aa1e7406cc77
-  rubocop-ast (1.49.1) sha256=4412f3ee70f6fe4546cc489548e0f6fcf76cafcfa80fa03af67098ffed755035
-  ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
-  simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
-  simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
-  simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
-  unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
-  unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
-BUNDLED WITH
-  4.0.8