RubyGems - lex-kerberos - Versions diffs - 0.1.6 → 0.1.7 - Mend

lex-kerberos 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/CLAUDE.md +4 -4
data/lib/legion/extensions/kerberos/helpers/spnego.rb +7 -2
data/lib/legion/extensions/kerberos/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e0e7ecd19667452d1b11545558778ab33d898324ed4c6de3336bc0df524b06d9
-  data.tar.gz: 321674d1dce2b4d150c84652fde3bca8d4f595f7eafe52d1afef1a0109805fb4
+  metadata.gz: b532fa3b7470e4f7048bbe88b98ad670ff261992a45aac9b32af5e48077f1369
+  data.tar.gz: 451c7b9c3df3f0b84af43d85c4d3aeca1ec1b6a2e3f3fe1b5e41ce074c0e169c
 SHA512:
-  metadata.gz: 2d6ba01ef25f0d429505d9df044ca3d9c7a993ae11f3f70662e4573f08dd2e7e07c7a759879e1296999543d3689b6d9923c38dce6e8a8b0e392a14f5d64aef16
-  data.tar.gz: 4cfe65a4ba6fd0167fe6e0f35c5330a6919255d80f30bbf82a6a6974da37ad1d0018c0a29713119992f8962e9418a0e92112700d0efe4be38c455511b3d4fa39
+  metadata.gz: cade08384530ed4f865dbbc52669c14f57256dd7805bd87011ed24ac69aea637e8b122b28cef5acbc880a1300c11ca76ef3dd12683aab8a7e1450580a5fd66a3
+  data.tar.gz: 59ea5d8ae529436830f799f3cba04e7c9a17c69d19f4fd3509de5cbd1c3c306edc488e3e54837d73c35896093db5beeeece32f8e163df203e1f3f9de97840ee4

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,11 @@
 ## [Unreleased]
+## [0.1.7] - 2026-03-26
+### Fixed
+- Move `disable_gssapi_finalizers` to `ensure` block in `init_spnego_context` and `negotiate` so finalizers are disabled even when GSSAPI operations fail (e.g., expired Kerberos credentials), preventing segfault in `gss_release_name` during later GC
 ## [0.1.6] - 2026-03-26
 ### Fixed

data/CLAUDE.md CHANGED Viewed

@@ -10,7 +10,7 @@ Legion Extension that provides Kerberos/SPNEGO authentication. Validates SPNEGO
 **GitHub**: https://github.com/LegionIO/lex-kerberos
 **License**: MIT
-**Version**: 0.1.3
+**Version**: 0.1.6
 ## Architecture
@@ -35,7 +35,7 @@ Legion::Extensions::Kerberos
 | File | Purpose |
 |------|---------|
 | `lib/legion/extensions/kerberos.rb` | Entry point, requires all helpers/runners/actors, extends Core |
-| `lib/legion/extensions/kerberos/helpers/spnego.rb` | GSSAPI token acceptance via `gssapi` gem; `accept_spnego_token`, `extract_username`, `extract_realm` |
+| `lib/legion/extensions/kerberos/helpers/spnego.rb` | GSSAPI token acceptance and acquisition via `gssapi` gem; `accept_spnego_token`, `obtain_spnego_token`, `extract_username`, `extract_realm`; macOS Heimdal segfault fix via `disable_gssapi_finalizers` |
 | `lib/legion/extensions/kerberos/helpers/ldap.rb` | LDAP group lookup + profile via `net-ldap`; `lookup_groups` returns groups + org attributes via `PROFILE_MAP` |
 | `lib/legion/extensions/kerberos/helpers/keytab.rb` | Multi-source keytab resolution; vault:// URI, file path, Base64 blob; writes to `~/.legionio/kerberos/legion.keytab` |
 | `lib/legion/extensions/kerberos/helpers/client.rb` | `DEFAULTS` constant and `settings` method that merges with `Legion::Settings[:kerberos]` |
@@ -43,7 +43,7 @@ Legion::Extensions::Kerberos
 | `lib/legion/extensions/kerberos/runners/authenticate.rb` | `validate_spnego` runner + `negotiate` (full HTTP Negotiate auth flow with response headers, RBAC mapping, JWT issuance) |
 | `lib/legion/extensions/kerberos/actors/keytab_refresh.rb` | Hourly actor that calls `resolve_keytab` to re-cache from Vault; `run_now? false` (no immediate run at boot) |
 | `lib/legion/extensions/kerberos/client.rb` | Standalone `Client` class with `authenticate(token:)` and `resolve_groups(username:)` |
-| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.3'` |
+| `lib/legion/extensions/kerberos/version.rb` | `VERSION = '0.1.6'` |
 ## Key Patterns
@@ -116,7 +116,7 @@ Optional framework dependencies (guarded with `defined?`, not in gemspec):
 ```bash
 bundle install
-bundle exec rspec     # 57 specs across 10 spec files
+bundle exec rspec     # 58 specs across 10 spec files
 bundle exec rubocop   # Clean
 ```

data/lib/legion/extensions/kerberos/helpers/spnego.rb CHANGED Viewed

@@ -48,9 +48,12 @@ module Legion
             token_bytes = ctx.init_context
             raise GSSAPI::GssApiError, 'init_context returned nil token' if token_bytes.nil?
-            # Prevent macOS Heimdal segfault in gss_release_name during GC (FFI autopointer finalizer).
-            disable_gssapi_finalizers(ctx) if RUBY_PLATFORM.include?('darwin')
             token_bytes
+          ensure
+            # Prevent macOS Heimdal segfault in gss_release_name during GC (FFI autopointer finalizer).
+            # Must run in ensure so finalizers are disabled even when init_context fails
+            # (e.g., expired Kerberos credentials).
+            disable_gssapi_finalizers(ctx) if ctx && RUBY_PLATFORM.include?('darwin')
           end
           def disable_gssapi_finalizers(ctx)
@@ -67,6 +70,8 @@ module Legion
             ctx.acquire_credentials
             output_bytes = ctx.accept_context(input_bytes)
             [ctx.display_name, output_bytes]
+          ensure
+            disable_gssapi_finalizers(ctx) if ctx && RUBY_PLATFORM.include?('darwin')
           end
           def build_token_result(principal, output_bytes)

data/lib/legion/extensions/kerberos/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Kerberos
-      VERSION = '0.1.6'
+      VERSION = '0.1.7'
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-kerberos
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Esity