Module: Legion::Crypt::KerberosAuth

Extended by:
Logging::Helper
Defined in:
lib/legion/crypt/kerberos_auth.rb

Defined Under Namespace

Classes: AuthError, GemMissingError

Constant Summary

DEFAULT_AUTH_PATH =
'auth/kerberos/login'

Constants included from Logging::Helper

Logging::Helper::CompatLogger


Methods included from Logging::Helper

handle_exception, log

Class Attribute Details

.kerberos_principal ⇒ Object (readonly)

Returns the principal Vault reported (the 'username' metadata) for the most recent successful login; nil before any login, after reset!, and after a login attempt that raised, since the attribute is cleared before each attempt.



# File 'lib/legion/crypt/kerberos_auth.rb', line 17

# Principal (the 'username' metadata Vault returned) for the most recent
# successful login. Nil before any login, after reset!, and after an attempt
# that raised, because login clears the attribute before each attempt.
def kerberos_principal
  defined?(@kerberos_principal) ? @kerberos_principal : nil
end

Class Method Details

.login(vault_client:, service_principal:, auth_path: DEFAULT_AUTH_PATH) ⇒ Object

Raises:

  • (GemMissingError) — when spnego_available? is false, i.e. the lex-kerberos SPNEGO helper cannot be loaded

# File 'lib/legion/crypt/kerberos_auth.rb', line 20

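# Authenticate to Vault with a Kerberos/SPNEGO token for +service_principal+.
#
# Order of operations:
#   1. Refuse outright (GemMissingError) when the SPNEGO helper cannot be loaded.
#   2. Clear the cached principal before the attempt, so an attempt that raises
#      in obtain_token or exchange_token never leaves a stale identity behind.
#   3. Obtain the SPNEGO token and exchange it at +auth_path+ via +vault_client+.
#
# @param vault_client [Object] Vault client handed to exchange_token; +address+
#   and +namespace+ are read only when present and only for debug logging.
# @param service_principal [String] SPN passed to obtain_token.
# @param auth_path [String] Vault auth mount path passed to exchange_token
#   (presumably the mount the ticket is POSTed to — confirm in exchange_token).
#   It selects which auth backend receives the ticket, so it must come from
#   trusted configuration, never from request input.
# @return [Hash] the exchange_token result; the keys read here are :metadata,
#   :policies, :renewable and :lease_duration.
# @raise [GemMissingError] when the lex-kerberos helper is not loadable.
#
# Logging: the SPNEGO token itself is never logged, only its length. The
# returned hash is logged field by field for the same reason — if it also
# carries a client token (not visible here), keep it out of log lines.
def self.login(vault_client:, service_principal:, auth_path: DEFAULT_AUTH_PATH)
  raise GemMissingError, 'lex-kerberos gem is required for Kerberos auth' unless spnego_available?

  log.info "KerberosAuth login requested auth_path=#{auth_path}"
  log.debug("KerberosAuth: login: SPN=#{service_principal}, auth_path=#{auth_path}")
  # Duck-typed: not every client object exposes address/namespace.
  addr = vault_client.respond_to?(:address) ? vault_client.address : 'n/a'
  ns   = vault_client.respond_to?(:namespace) ? vault_client.namespace.inspect : 'n/a'
  log.debug("KerberosAuth: login: vault_client.address=#{addr}, namespace=#{ns}")

  # Reset before the attempt: a failure below must not report the previous principal.
  @kerberos_principal = nil
  token = obtain_token(service_principal)
  # Length only — never the token material. (Assumes obtain_token returns a
  # String; a nil token would raise NoMethodError here — confirm in obtain_token.)
  log.debug("KerberosAuth: login: SPNEGO token obtained (#{token.length} chars)")

  result = exchange_token(vault_client, token, auth_path)
  # Metadata keys may be strings or symbols depending on how the response was parsed.
  @kerberos_principal = result[:metadata]&.dig('username') || result[:metadata]&.dig(:username)
  log.debug("KerberosAuth: login: authenticated as #{@kerberos_principal.inspect}, policies=#{result[:policies].inspect}")
  log.debug("KerberosAuth: login: renewable=#{result[:renewable]}, ttl=#{result[:lease_duration]}s")
  log.info "KerberosAuth login success principal=#{@kerberos_principal || 'unknown'} auth_path=#{auth_path}"
  result
end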

.reset! ⇒ Object



# File 'lib/legion/crypt/kerberos_auth.rb', line 54

# Drop the module's memoized state: the cached result of the SPNEGO-availability
# probe and the principal recorded by the last login. Afterwards
# spnego_available? re-runs its require on the next call and kerberos_principal
# is nil. Useful in tests (where the helper is commonly stubbed) and when the
# gem becomes loadable later in the process's life.
def self.reset!
  @spnego_available = @kerberos_principal = nil
end

.spnego_available? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/crypt/kerberos_auth.rb', line 41

# Lazily probe whether the SPNEGO helper from the lex-kerberos gem can be loaded.
#
# The answer (true or false, never nil) is memoized in @spnego_available and only
# recomputed after reset!. The rescue is deliberately narrow — LoadError only — so
# a helper that is present but fails while loading raises to the caller instead
# of being reported as "missing". When the require fails, the helper constant is
# still checked, since it may have been loaded by another path or stubbed in tests.
#
# @return [Boolean] true when the helper is loadable or its constant is defined.
def self.spnego_available?
  if @spnego_available.nil?
    @spnego_available =
      begin
        require 'legion/extensions/kerberos/helpers/spnego'
        true
      rescue LoadError => e
        handle_exception(e, level: :debug, operation: 'crypt.kerberos_auth.spnego_available')
        # Constant present without a successful require (stubbed or loaded elsewhere).
        !defined?(Legion::Extensions::Kerberos::Helpers::Spnego).nil?
      end
  end
  @spnego_available
end