lex-kerberos 0.1.3 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/CLAUDE.md +8 -5
- data/README.md +3 -3
- data/lex-kerberos.gemspec +7 -0
- data/lib/legion/extensions/kerberos/client.rb +2 -2
- data/lib/legion/extensions/kerberos/helpers/client.rb +1 -1
- data/lib/legion/extensions/kerberos/runners/authenticate.rb +1 -1
- data/lib/legion/extensions/kerberos/version.rb +1 -1
- metadata +99 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d2214a319bad33c022a2a993f75a4430511c49afa0b14525965d881a7e988380
|
|
4
|
+
data.tar.gz: 8139e36719b9defef3f1ef7e15dfc580664f907377c65e20f3868f1d83808188
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: edd954ac9d950a04df67182ab2569a61a730744382f427b275ae717567e928a6e4c48584c8bc410599411b1d2c5a87ee8569aed0bf186597801a8b33d7876114
|
|
7
|
+
data.tar.gz: de5da215c43058d86ebe2ce524487f79c35c4aef86831bf13d65f55b629838756468541c7d618815bdaaf0fc71317489a378886e60ce64ea2f285933d39a73ad
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
## [Unreleased]
|
|
4
4
|
|
|
5
|
+
## [0.1.4] - 2026-03-22
|
|
6
|
+
|
|
7
|
+
### Changed
|
|
8
|
+
- Add legion-cache, legion-crypt, legion-data, legion-json, legion-logging, legion-settings, legion-transport as runtime dependencies
|
|
9
|
+
- Rename `Helpers::Client#settings` to `kerberos_defaults` to avoid collision with `Legion::Settings::Helper#settings` from injected Lex helper
|
|
10
|
+
- Update spec_helper with real sub-gem helper requires and Helpers::Lex stub (all 7 includes)
|
|
11
|
+
|
|
5
12
|
## [0.1.3] - 2026-03-19
|
|
6
13
|
|
|
7
14
|
### Added
|
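Review bot: the second bullet of the new 0.1.4 entry records a rename of a public helper method (`Helpers::Client#settings` to `kerberos_defaults`) under "Changed" with no breaking-change marker; any caller or spec using the old name will fail after upgrading, and a compatibility alias is not an option here because it would reintroduce the very collision with `Legion::Settings::Helper#settings` that the rename fixes, so say explicitly in the entry that the old name is gone. The first bullet ("Add ... as runtime dependencies") also belongs under an "Added" heading rather than "Changed" in the Keep a Changelog style this file follows.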
data/CLAUDE.md
CHANGED
|
@@ -10,16 +10,18 @@ Legion Extension that provides Kerberos/SPNEGO authentication. Validates SPNEGO
|
|
|
10
10
|
|
|
11
11
|
**GitHub**: https://github.com/LegionIO/lex-kerberos
|
|
12
12
|
**License**: MIT
|
|
13
|
-
**Version**: 0.1.
|
|
13
|
+
**Version**: 0.1.3
|
|
14
14
|
|
|
15
15
|
## Architecture
|
|
16
16
|
|
|
17
17
|
```
|
|
18
18
|
Legion::Extensions::Kerberos
|
|
19
19
|
├── Runners/
|
|
20
|
-
│ └── Authenticate # validate_spnego
|
|
20
|
+
│ └── Authenticate # validate_spnego + negotiate (HTTP Negotiate auth flow)
|
|
21
21
|
├── Actors/
|
|
22
22
|
│ └── KeytabRefresh # Every actor (1hr): re-fetch keytab from Vault/sources
|
|
23
|
+
├── Hooks/
|
|
24
|
+
│ └── Negotiate # Hook class for /api/hooks/lex/kerberos/negotiate endpoint
|
|
23
25
|
├── Helpers/
|
|
24
26
|
│ ├── Spnego # GSSAPI token validation, principal/realm extraction
|
|
25
27
|
│ ├── Ldap # Net::LDAP group lookup via sAMAccountName filter
|
|
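Review bot: the `**Version**: 0.1.3` line added in this hunk is already stale, since this same release bumps the gem to 0.1.4 (see the CHANGELOG entry and the `version: 0.1.4` line in the metadata hunk); it should read `**Version**: 0.1.4`, or better, be dropped in favour of pointing at `version.rb` so it cannot drift again.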
@@ -37,10 +39,11 @@ Legion::Extensions::Kerberos
|
|
|
37
39
|
| `lib/legion/extensions/kerberos/helpers/ldap.rb` | LDAP group lookup + profile via `net-ldap`; `lookup_groups` returns groups + org attributes via `PROFILE_MAP` |
|
|
38
40
|
| `lib/legion/extensions/kerberos/helpers/keytab.rb` | Multi-source keytab resolution; vault:// URI, file path, Base64 blob; writes to `~/.legionio/kerberos/legion.keytab` |
|
|
39
41
|
| `lib/legion/extensions/kerberos/helpers/client.rb` | `DEFAULTS` constant and `settings` method that merges with `Legion::Settings[:kerberos]` |
|
|
40
|
-
| `lib/legion/extensions/kerberos/
|
|
42
|
+
| `lib/legion/extensions/kerberos/hooks/negotiate.rb` | Hook class auto-discovered by builders/hooks; routes all requests to `negotiate` runner method |
|
|
43
|
+
| `lib/legion/extensions/kerberos/runners/authenticate.rb` | `validate_spnego` runner + `negotiate` (full HTTP Negotiate auth flow with response headers, RBAC mapping, JWT issuance) |
|
|
41
44
|
| `lib/legion/extensions/kerberos/actors/keytab_refresh.rb` | Hourly actor that calls `resolve_keytab` to re-cache from Vault; `run_now? false` (no immediate run at boot) |
|
|
42
45
|
| `lib/legion/extensions/kerberos/client.rb` | Standalone `Client` class with `authenticate(token:)` and `resolve_groups(username:)` |
|
|
43
|
-
| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.
|
|
46
|
+
| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.3'` |
|
|
44
47
|
|
|
45
48
|
## Key Patterns
|
|
46
49
|
|
|
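Review bot: two rows of this table disagree with the rest of the diff. The unchanged `helpers/client.rb` row still describes a `settings` method, while the CHANGELOG in this release says it was renamed to `kerberos_defaults` and the `client.rb` and `authenticate.rb` hunks below call `kerberos_defaults[:kerberos]`; and the added `version.rb` row says `VERSION = '0.1.3'` while the metadata hunk bumps the gem to 0.1.4. Update both rows so the architecture notes match the shipped code.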
@@ -113,7 +116,7 @@ Optional framework dependencies (guarded with `defined?`, not in gemspec):
|
|
|
113
116
|
|
|
114
117
|
```bash
|
|
115
118
|
bundle install
|
|
116
|
-
bundle exec rspec #
|
|
119
|
+
bundle exec rspec # 57 specs across 10 spec files
|
|
117
120
|
bundle exec rubocop # Clean
|
|
118
121
|
```
|
|
119
122
|
|
data/README.md
CHANGED
|
@@ -91,7 +91,7 @@ groups = client.resolve_groups(username: 'user')
|
|
|
91
91
|
# => { success: true, groups: ["CN=Domain Users,..."], username: "user",
|
|
92
92
|
# first_name: "Jane", last_name: "Doe", email: "jane.doe@example.com",
|
|
93
93
|
# title: "Senior Engineer", department: "Platform Engineering",
|
|
94
|
-
# company: "
|
|
94
|
+
# company: "Example Corp", city: "Minneapolis", state: "MN", country: "USA" }
|
|
95
95
|
```
|
|
96
96
|
|
|
97
97
|
### Using helpers directly
|
|
@@ -121,10 +121,10 @@ This uses the configured service principal and keytab to authenticate via Vault'
|
|
|
121
121
|
|
|
122
122
|
## API Usage
|
|
123
123
|
|
|
124
|
-
When the LegionIO REST API is running, the Negotiate challenge/response endpoint is available:
|
|
124
|
+
When the LegionIO REST API is running, the Negotiate challenge/response endpoint is available via the auto-discovered hook:
|
|
125
125
|
|
|
126
126
|
```
|
|
127
|
-
GET /api/
|
|
127
|
+
GET /api/hooks/lex/kerberos/negotiate
|
|
128
128
|
Authorization: Negotiate <base64-spnego-token>
|
|
129
129
|
```
|
|
130
130
|
|
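Review bot: the API snippet documents only the client's authenticated request (`Authorization: Negotiate <base64-spnego-token>`); since the hunk calls this a challenge/response endpoint and the CLAUDE.md table says the `negotiate` runner sets response headers and issues a JWT, a short example of the initial `401` with `WWW-Authenticate: Negotiate` and of the success response carrying the JWT would let integrators verify the full flow without reading the runner source.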
data/lex-kerberos.gemspec
CHANGED
|
@@ -27,5 +27,12 @@ Gem::Specification.new do |spec|
|
|
|
27
27
|
spec.require_paths = ['lib']
|
|
28
28
|
|
|
29
29
|
spec.add_dependency 'gssapi', '~> 1.3'
|
|
30
|
+
spec.add_dependency 'legion-cache', '>= 1.3.11'
|
|
31
|
+
spec.add_dependency 'legion-crypt', '>= 1.4.9'
|
|
32
|
+
spec.add_dependency 'legion-data', '>= 1.4.17'
|
|
33
|
+
spec.add_dependency 'legion-json', '>= 1.2.1'
|
|
34
|
+
spec.add_dependency 'legion-logging', '>= 1.3.2'
|
|
35
|
+
spec.add_dependency 'legion-settings', '>= 1.3.14'
|
|
36
|
+
spec.add_dependency 'legion-transport', '>= 1.3.9'
|
|
30
37
|
spec.add_dependency 'net-ldap', '~> 0.19'
|
|
31
38
|
end
|
|
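Review bot: the seven new `legion-*` dependencies use open-ended `>=` lower bounds, while the existing `gssapi` and `net-ldap` entries use pessimistic `~>` constraints; `>=` with no upper bound accepts any future major version of each sub-gem, so an incompatible or compromised release of, for example, `legion-settings` would resolve into a fresh `bundle install` with no change to this file. Consider constraints of the form `'~> 1.3', '>= 1.3.14'` for consistency with the rest of the gemspec.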
@@ -17,7 +17,7 @@ module Legion
|
|
|
17
17
|
attr_reader :realm, :service_principal, :keytab_sources, :opts
|
|
18
18
|
|
|
19
19
|
def initialize(realm: nil, service_principal: nil, keytab: nil, **opts)
|
|
20
|
-
defaults =
|
|
20
|
+
defaults = kerberos_defaults[:kerberos]
|
|
21
21
|
@realm = realm || defaults[:realm]
|
|
22
22
|
@service_principal = service_principal || defaults[:service_principal]
|
|
23
23
|
@keytab_sources = keytab || defaults[:keytab]
|
|
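Review bot: in this hunk (`client.rb`, per the file list at the top) the new `defaults = kerberos_defaults[:kerberos]` is used unguarded on the following context lines (`defaults[:realm]`, `defaults[:service_principal]`, `defaults[:keytab]`), so if the merged settings lack a `:kerberos` key the constructor fails with `NoMethodError` on `nil` rather than a clear configuration error. The next hunk's `resolve_groups` does add a `|| {}` fallback; either apply the same here (`kerberos_defaults[:kerberos] || {}`) or raise an explicit error naming the missing setting.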
@@ -36,7 +36,7 @@ module Legion
|
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def resolve_groups(username:)
|
|
39
|
-
ldap_opts = @opts[:ldap] ||
|
|
39
|
+
ldap_opts = @opts[:ldap] || kerberos_defaults[:kerberos][:ldap] || {}
|
|
40
40
|
lookup_groups(username: username, **ldap_opts)
|
|
41
41
|
end
|
|
42
42
|
end
|
|
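Review bot: `kerberos_defaults[:kerberos][:ldap]` chains two hash lookups before the `|| {}` fallback, so the fallback only covers a missing `:ldap` key, not a missing `:kerberos` key; `kerberos_defaults.dig(:kerberos, :ldap) || {}` covers both cases without changing the result when the keys are present.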
@@ -16,7 +16,7 @@ module Legion
|
|
|
16
16
|
include Helpers::Client
|
|
17
17
|
|
|
18
18
|
def validate_spnego(token:, keytab: nil, service_principal: nil, ldap: nil, **)
|
|
19
|
-
s =
|
|
19
|
+
s = kerberos_defaults[:kerberos]
|
|
20
20
|
keytab ||= s[:keytab]
|
|
21
21
|
service_principal ||= s[:service_principal]
|
|
22
22
|
|
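Review bot: this hunk (`runners/authenticate.rb`, per the file list at the top) repeats the unguarded pattern from the `Client#initialize` hunk above: `s = kerberos_defaults[:kerberos]` is followed by `s[:keytab]` and `s[:service_principal]` with no nil check, so a missing `:kerberos` settings key surfaces as `NoMethodError` inside the runner instead of a descriptive failure. Guarding `s` once (or raising a named configuration error) keeps the runner's error path readable in logs.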
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: lex-kerberos
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Esity
|
|
@@ -23,6 +23,104 @@ dependencies:
|
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
25
|
version: '1.3'
|
|
26
|
+
- !ruby/object:Gem::Dependency
|
|
27
|
+
name: legion-cache
|
|
28
|
+
requirement: !ruby/object:Gem::Requirement
|
|
29
|
+
requirements:
|
|
30
|
+
- - ">="
|
|
31
|
+
- !ruby/object:Gem::Version
|
|
32
|
+
version: 1.3.11
|
|
33
|
+
type: :runtime
|
|
34
|
+
prerelease: false
|
|
35
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
36
|
+
requirements:
|
|
37
|
+
- - ">="
|
|
38
|
+
- !ruby/object:Gem::Version
|
|
39
|
+
version: 1.3.11
|
|
40
|
+
- !ruby/object:Gem::Dependency
|
|
41
|
+
name: legion-crypt
|
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
|
43
|
+
requirements:
|
|
44
|
+
- - ">="
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: 1.4.9
|
|
47
|
+
type: :runtime
|
|
48
|
+
prerelease: false
|
|
49
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - ">="
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: 1.4.9
|
|
54
|
+
- !ruby/object:Gem::Dependency
|
|
55
|
+
name: legion-data
|
|
56
|
+
requirement: !ruby/object:Gem::Requirement
|
|
57
|
+
requirements:
|
|
58
|
+
- - ">="
|
|
59
|
+
- !ruby/object:Gem::Version
|
|
60
|
+
version: 1.4.17
|
|
61
|
+
type: :runtime
|
|
62
|
+
prerelease: false
|
|
63
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
64
|
+
requirements:
|
|
65
|
+
- - ">="
|
|
66
|
+
- !ruby/object:Gem::Version
|
|
67
|
+
version: 1.4.17
|
|
68
|
+
- !ruby/object:Gem::Dependency
|
|
69
|
+
name: legion-json
|
|
70
|
+
requirement: !ruby/object:Gem::Requirement
|
|
71
|
+
requirements:
|
|
72
|
+
- - ">="
|
|
73
|
+
- !ruby/object:Gem::Version
|
|
74
|
+
version: 1.2.1
|
|
75
|
+
type: :runtime
|
|
76
|
+
prerelease: false
|
|
77
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
78
|
+
requirements:
|
|
79
|
+
- - ">="
|
|
80
|
+
- !ruby/object:Gem::Version
|
|
81
|
+
version: 1.2.1
|
|
82
|
+
- !ruby/object:Gem::Dependency
|
|
83
|
+
name: legion-logging
|
|
84
|
+
requirement: !ruby/object:Gem::Requirement
|
|
85
|
+
requirements:
|
|
86
|
+
- - ">="
|
|
87
|
+
- !ruby/object:Gem::Version
|
|
88
|
+
version: 1.3.2
|
|
89
|
+
type: :runtime
|
|
90
|
+
prerelease: false
|
|
91
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
92
|
+
requirements:
|
|
93
|
+
- - ">="
|
|
94
|
+
- !ruby/object:Gem::Version
|
|
95
|
+
version: 1.3.2
|
|
96
|
+
- !ruby/object:Gem::Dependency
|
|
97
|
+
name: legion-settings
|
|
98
|
+
requirement: !ruby/object:Gem::Requirement
|
|
99
|
+
requirements:
|
|
100
|
+
- - ">="
|
|
101
|
+
- !ruby/object:Gem::Version
|
|
102
|
+
version: 1.3.14
|
|
103
|
+
type: :runtime
|
|
104
|
+
prerelease: false
|
|
105
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
106
|
+
requirements:
|
|
107
|
+
- - ">="
|
|
108
|
+
- !ruby/object:Gem::Version
|
|
109
|
+
version: 1.3.14
|
|
110
|
+
- !ruby/object:Gem::Dependency
|
|
111
|
+
name: legion-transport
|
|
112
|
+
requirement: !ruby/object:Gem::Requirement
|
|
113
|
+
requirements:
|
|
114
|
+
- - ">="
|
|
115
|
+
- !ruby/object:Gem::Version
|
|
116
|
+
version: 1.3.9
|
|
117
|
+
type: :runtime
|
|
118
|
+
prerelease: false
|
|
119
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
120
|
+
requirements:
|
|
121
|
+
- - ">="
|
|
122
|
+
- !ruby/object:Gem::Version
|
|
123
|
+
version: 1.3.9
|
|
26
124
|
- !ruby/object:Gem::Dependency
|
|
27
125
|
name: net-ldap
|
|
28
126
|
requirement: !ruby/object:Gem::Requirement
|