RubyGems - lex-kerberos - Versions diffs - 0.1.2 → 0.1.3 - Mend

lex-kerberos 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/CLAUDE.md +1 -1
data/lib/legion/extensions/kerberos/hooks/negotiate.rb +19 -0
data/lib/legion/extensions/kerberos/runners/authenticate.rb +74 -0
data/lib/legion/extensions/kerberos/version.rb +1 -1
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69c3dd5c8ef68a25cc39f06b412e3b9f07854e02643ef44bf2f1082965c72d62
-  data.tar.gz: 0d1b20b4dfc12d31e21a9a00c14be7f76f15ece54a2d8fdb3fcc9703ee76cc46
+  metadata.gz: 3f1d192f07e0352efa5eac1726291cab685501a0ef58d3ec63977ac9e803e607
+  data.tar.gz: e7c528d4073e5d21ba399799323784a079b3574054c71db6df756c55c940b3e3
 SHA512:
-  metadata.gz: c7663b961a7468ccb52e6133b9d12ab57cb47c086cfe2f6264f3a35f3697340a5725415aeb5d115838d44bb0195b4d8e5cb25ef05b681a3680561d57734ffcae
-  data.tar.gz: 27de46aa7005ba6d43a57b0460f2436fecf15a4851a0cccc6f5198efbd82c906d4b9b17f37c8d571a538ba4514ff594a5d5bca614c518050bf735bcd1dca00fb
+  metadata.gz: 99e260e9bd9c16e1426eb2fb16227984bae0ef8ac450481fd7cc949423e25b930fc90ae377a89e80dca2c373db18b200b840d77da22ee34814541bd401255f15
+  data.tar.gz: b4ab6bb59a514d3c380ea5da4e47e05dd53a22d2da209e7829ec7d5012442231c93baad21406369fbc4636c0b21c69072914712e8be116c306d21f59efeecd9f

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,17 @@
 ## [Unreleased]
+## [0.1.3] - 2026-03-19
+### Added
+- `Hooks::Negotiate` hook class for Kerberos SPNEGO authentication via expanded hooks system
+- `Runners::Authenticate#negotiate` method handling full HTTP Negotiate flow with custom response
+- RBAC role mapping and JWT token issuance (guarded, requires LegionIO framework)
+- Negotiate endpoint now routes through `Ingress.run` for RBAC and audit support
+### Changed
+- Kerberos negotiate endpoint moves from hardcoded `/api/auth/negotiate` in LegionIO to `/api/hooks/lex/kerberos/negotiate`
 ## [0.1.2] - 2026-03-18
 ### Added

data/CLAUDE.md CHANGED Viewed

@@ -113,7 +113,7 @@ Optional framework dependencies (guarded with `defined?`, not in gemspec):
 ```bash
 bundle install
-bundle exec rspec     # 43 specs, 91.67% coverage
+bundle exec rspec     # 43 specs across 8 spec files, 91.67% coverage
 bundle exec rubocop   # Clean
 ```

data/lib/legion/extensions/kerberos/hooks/negotiate.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module Legion
+  module Extensions
+    module Kerberos
+      module Hooks
+        class Negotiate < Legion::Extensions::Hooks::Base
+          def route(_headers, _payload)
+            :negotiate
+          end
+          def runner_class
+            'Legion::Extensions::Kerberos::Runners::Authenticate'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/kerberos/runners/authenticate.rb CHANGED Viewed

@@ -32,6 +32,20 @@ module Legion
             { result: build_result(spnego: spnego, groups: groups, ldap_error: ldap_error, profile: profile) }
           end
+          def negotiate(headers: {}, **)
+            auth_header = headers['HTTP_AUTHORIZATION']
+            unless auth_header&.match?(/\ANegotiate\s+/i)
+              return negotiate_error('negotiate_required', 'Negotiate token required')
+            end
+            auth_result = negotiate_authenticate(auth_header.sub(/\ANegotiate\s+/i, ''))
+            unless auth_result&.dig(:success)
+              return negotiate_error('kerberos_auth_failed', 'Kerberos authentication failed')
+            end
+            negotiate_success(auth_result)
+          end
           private
           def resolve_groups(ldap:, cfg:, username:)
@@ -53,6 +67,66 @@ module Legion
               ldap_error: ldap_error, **spnego_fields, **profile }.compact
           end
+          def negotiate_authenticate(token)
+            Client.new.authenticate(token: token)
+          rescue StandardError
+            nil
+          end
+          def negotiate_error(code, message)
+            body = negotiate_json({ error: { code: code, message: message },
+                                    meta: { timestamp: Time.now.utc.iso8601 } })
+            {
+              result: { error: code },
+              response: { status: 401, content_type: 'application/json',
+                          headers: { 'WWW-Authenticate' => 'Negotiate' }, body: body }
+            }
+          end
+          def negotiate_success(auth_result)
+            profile = auth_result.slice(:first_name, :last_name, :email, :display_name)
+            token, roles = issue_negotiate_token(auth_result, profile)
+            data = { token: token, principal: auth_result[:principal],
+                     roles: roles, auth_method: 'kerberos', **profile }.compact
+            negotiate_success_response(auth_result, data)
+          end
+          def negotiate_success_response(auth_result, data)
+            hdrs = ({ 'WWW-Authenticate' => "Negotiate #{auth_result[:output_token]}" } if auth_result[:output_token])
+            body = negotiate_json({ data: data, meta: { timestamp: Time.now.utc.iso8601 } })
+            { result: data,
+              response: { status: 200, content_type: 'application/json',
+                          headers: hdrs, body: body }.compact }
+          end
+          def issue_negotiate_token(auth_result, profile)
+            return [nil, []] unless defined?(Legion::Rbac::KerberosClaimsMapper) && defined?(Legion::API::Token)
+            mapped = map_negotiate_claims(auth_result, profile)
+            display = mapped[:display_name] || mapped[:first_name]
+            token = Legion::API::Token.issue_human_token(
+              msid: mapped[:sub], name: display, roles: mapped[:roles], ttl: 28_800
+            )
+            [token, mapped[:roles]]
+          rescue StandardError
+            [nil, []]
+          end
+          def map_negotiate_claims(auth_result, profile)
+            role_map = defined?(Legion::Settings) ? (Legion::Settings.dig(:kerberos, :role_map) || {}) : {}
+            Legion::Rbac::KerberosClaimsMapper.map_with_fallback(
+              principal: auth_result[:principal], groups: auth_result[:groups] || [],
+              role_map: role_map, **profile
+            )
+          end
+          def negotiate_json(hash)
+            return Legion::JSON.dump(hash) if defined?(Legion::JSON)
+            require 'json'
+            ::JSON.generate(hash)
+          end
           include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers) &&
                                                       Legion::Extensions::Helpers.const_defined?(:Lex)
         end

data/lib/legion/extensions/kerberos/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Kerberos
-      VERSION = '0.1.2'
+      VERSION = '0.1.3'
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-kerberos
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Esity
@@ -59,6 +59,7 @@ files:
 - lib/legion/extensions/kerberos/helpers/keytab.rb
 - lib/legion/extensions/kerberos/helpers/ldap.rb
 - lib/legion/extensions/kerberos/helpers/spnego.rb
+- lib/legion/extensions/kerberos/hooks/negotiate.rb
 - lib/legion/extensions/kerberos/runners/authenticate.rb
 - lib/legion/extensions/kerberos/version.rb
 homepage: https://github.com/LegionIO/lex-kerberos