Module: Legion::Crypt::VaultKerberosAuth

Extended by:
Logging::Helper
Defined in:
lib/legion/crypt/vault_kerberos_auth.rb

Defined Under Namespace

Classes: AuthError

Constant Summary collapse

DEFAULT_AUTH_PATH =
'auth/kerberos/login'

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Class Method Summary collapse

Methods included from Logging::Helper

handle_exception, log

Class Method Details

.login(spnego_token:, auth_path: DEFAULT_AUTH_PATH) ⇒ Object



# File 'lib/legion/crypt/vault_kerberos_auth.rb', line 14

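# Authenticates against Vault's Kerberos auth backend with a SPNEGO token.
#
# The method name (`login`) and the `metadata` accessor were dropped from the
# rendered listing; they are restored here to match the documented signature.
#
# @param spnego_token [String] already-encoded SPNEGO token; it is inserted
#   verbatim after "Negotiate " in the authorization value sent to Vault
# @param auth_path [String] Vault auth mount path written to (default
#   DEFAULT_AUTH_PATH)
# @return [Hash] :token, :lease_duration, :renewable, :policies, :metadata
#   taken from the response's auth block
# @raise [AuthError] when Vault is not connected, when the response carries
#   no auth data, or when the Vault client raises ::Vault::HTTPClientError
# @raise [StandardError] any other error is logged and re-raised unchanged
def self.login(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
  raise AuthError, 'Vault is not connected' unless vault_connected?

  # Only the auth path is logged here; the SPNEGO token never reaches the log.
  log.info "[crypt:vault_kerberos] login requested auth_path=#{auth_path}"
  response = ::Vault.logical.write(auth_path, authorization: "Negotiate #{spnego_token}")
  raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth

  {
    token:          response.auth.client_token,
    lease_duration: response.auth.lease_duration,
    renewable:      response.auth.renewable?,
    policies:       response.auth.policies,
    metadata:       response.auth.metadata
  }
rescue ::Vault::HTTPClientError => e
  # Vault client HTTP errors are logged at :warn and wrapped; note that e.message
  # (Vault's own error text) is embedded in the raised AuthError message.
  handle_exception(e, level: :warn, operation: 'crypt.vault_kerberos_auth.login', auth_path: auth_path)
  raise AuthError, "Vault Kerberos auth failed: #{e.message}"
rescue StandardError => e
  # Unexpected failures are logged at :error and propagated as-is.
  handle_exception(e, level: :error, operation: 'crypt.vault_kerberos_auth.login', auth_path: auth_path)
  raise
end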

.login!(spnego_token:, auth_path: DEFAULT_AUTH_PATH) ⇒ Object



# File 'lib/legion/crypt/vault_kerberos_auth.rb', line 36

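# Authenticates via Kerberos (see .login) and installs the returned client
# token as the process-wide Vault token.
#
# The call to `login` was dropped from the rendered listing and is restored
# here. Policies are coerced with Array() before joining so a missing policy
# list cannot turn the success log line into a NoMethodError.
#
# @param spnego_token [String] already-encoded SPNEGO token, forwarded to .login
# @param auth_path [String] Vault auth mount path (default DEFAULT_AUTH_PATH)
# @return [Hash] the hash returned by .login
# @raise [AuthError] propagated from .login
def self.login!(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
  result = login(spnego_token: spnego_token, auth_path: auth_path)
  # Side effect: every later ::Vault call in this process uses this token.
  ::Vault.token = result[:token]
  policies = Array(result[:policies]).join(',')
  log.info "[crypt:vault_kerberos] authenticated via Kerberos auth, policies=#{policies}"
  result
end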