Module: Legion::Identity::Broker

Defined in:

lib/legion/identity/broker.rb

Constant Summary

GROUPS_CACHE_TTL =

60

AUDIT_QUEUE_MAX =

1000

AUDIT_DROP_LOG_INTERVAL =

100

Class Method Summary

• .authenticated? ⇒ Boolean
• .credentials_available(provider_name) ⇒ Object
• .credentials_for(provider_name, qualifier: nil, service: nil) ⇒ Object
• .emails ⇒ Object
• .groups ⇒ Object
• .invalidate_groups_cache! ⇒ Object
• .lease_for(provider_name, qualifier: nil) ⇒ Object
• .leases ⇒ Object
• .providers ⇒ Object
• .refresh_credential(provider_name, qualifier: nil) ⇒ Object
• .register_provider(provider_name, provider:, lease:, qualifier: :default, default: false) ⇒ Object
• .renewer_for(provider_name, qualifier: nil) ⇒ Object
• .reset! ⇒ Object
• .shutdown ⇒ Object
• .token_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil) ⇒ Object

Class Method Details

.authenticated? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/identity/broker.rb', line 96

def authenticated?
  Identity::Process.resolved?
end

.credentials_available(provider_name) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 141

def credentials_available(provider_name)
  name = provider_name.to_sym
  all_keys = (renewers.keys + static_leases.keys)
  all_keys.select { |k| k.first == name }.map(&:last).uniq
end

.credentials_for(provider_name, qualifier: nil, service: nil) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 40

def credentials_for(provider_name, qualifier: nil, service: nil)
  name = provider_name.to_sym
  resolved = qualifier || default_qualifier_for(name)
  lease = lease_for(name, qualifier: resolved)
  return nil unless lease&.valid?

  { token: lease.token, provider: name, service: service, lease: lease }
end

.emails ⇒ Object

# File 'lib/legion/identity/broker.rb', line 130

def emails
  process_state = Identity::Process.identity_hash
  metadata = process_state[:metadata] || {}
  Array(metadata[:emails])
end

.groups ⇒ Object

# File 'lib/legion/identity/broker.rb', line 100

def groups
  cached = @groups_cache&.get
  return cached[:groups] if cached && (Time.now - cached[:fetched_at]) < GROUPS_CACHE_TTL

  if @groups_fetch_in_progress.make_true
    begin
      fetched = fetch_groups
      @groups_cache.set({ groups: fetched, fetched_at: Time.now })
      fetched
    ensure
      @groups_fetch_in_progress.make_false
    end
  else
    loop do
      current = @groups_cache&.get
      return current[:groups] if current

      break unless @groups_fetch_in_progress.true?

      sleep(0.01)
    end

    cached ? cached[:groups] : []
  end
end

.invalidate_groups_cache! ⇒ Object

# File 'lib/legion/identity/broker.rb', line 126

def invalidate_groups_cache!
  @groups_cache.set(nil)
end

.lease_for(provider_name, qualifier: nil) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 22

def lease_for(provider_name, qualifier: nil)
  name = provider_name.to_sym
  resolved = qualifier || default_qualifier_for(name)
  key = [name, resolved].freeze

  renewer = renewers[key]
  return renewer.current_lease if renewer

  static_ref = static_leases[key]
  static_ref&.get
end

.leases ⇒ Object

# File 'lib/legion/identity/broker.rb', line 147

def leases
  result = {}
  renewers.each do |key, renewer|
    provider_name, qualifier = key
    result[provider_name] ||= {}
    result[provider_name][qualifier] = renewer.current_lease&.to_h
  end
  static_leases.each do |key, ref|
    provider_name, qualifier = key
    result[provider_name] ||= {}
    result[provider_name][qualifier] = ref.get&.to_h unless result[provider_name].key?(qualifier)
  end
  result
end

.providers ⇒ Object

# File 'lib/legion/identity/broker.rb', line 136

def providers
  all_keys = (renewers.keys + static_leases.keys)
  all_keys.map(&:first).uniq
end

.refresh_credential(provider_name, qualifier: nil) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 78

def refresh_credential(provider_name, qualifier: nil)
  name = provider_name.to_sym
  resolved = qualifier || default_qualifier_for(name)
  key = [name, resolved].freeze

  ref = static_leases[key]
  return false unless ref

  provider = provider_instances[name]
  return false unless provider.respond_to?(:provide_token)

  new_lease = provider.provide_token
  return false unless new_lease&.valid?

  ref.set(new_lease)
  true
end

.register_provider(provider_name, provider:, lease:, qualifier: :default, default: false) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 49

def register_provider(provider_name, provider:, lease:, qualifier: :default, default: false)
  name = provider_name.to_sym
  qual = qualifier
  key = [name, qual].freeze

  # Set default qualifier: first registration or explicit default: true
  default_qualifiers[name] = qual if default || !default_qualifiers.key?(name)

  # Store provider instance (first-write-wins per provider name)
  provider_instances[name] ||= provider

  # Stop existing renewer for this specific tuple key
  renewers[key]&.stop!

  if lease&.expires_at.nil? && !lease&.renewable
    # Static credential — store without a background renewal thread
    renewers.delete(key)
    static_leases[key] = Concurrent::AtomicReference.new(lease)
  else
    # Dynamic credential — create LeaseRenewer
    static_leases.delete(key)
    renewers[key] = LeaseRenewer.new(
      provider_name: name,
      provider:      provider,
      lease:         lease
    )
  end
end

.renewer_for(provider_name, qualifier: nil) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 34

def renewer_for(provider_name, qualifier: nil)
  name = provider_name.to_sym
  resolved = qualifier || default_qualifier_for(name)
  renewers[[name, resolved].freeze]
end

.reset! ⇒ Object

# File 'lib/legion/identity/broker.rb', line 175

def reset!
  shutdown
  @groups_cache = Concurrent::AtomicReference.new(nil)
  @groups_fetch_in_progress = Concurrent::AtomicBoolean.new(false)
  @audit_queue = Concurrent::Array.new
  @audit_drops = Concurrent::AtomicFixnum.new(0)
  @audit_drainer = nil
  @audit_drainer_started = Concurrent::AtomicBoolean.new(false)
end

.shutdown ⇒ Object

# File 'lib/legion/identity/broker.rb', line 162

def shutdown
  renewers.each_value do |r|
    r.stop!
  rescue Exception # rubocop:disable Lint/RescueException
    nil
  end
  renewers.clear
  static_leases.clear
  provider_instances.clear
  default_qualifiers.clear
  stop_audit_drainer
end

.token_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil) ⇒ Object

# File 'lib/legion/identity/broker.rb', line 13

def token_for(provider_name, qualifier: nil, for_context: nil, purpose: nil, context: nil)
  name = provider_name.to_sym
  resolved = resolve_qualifier(name, qualifier: qualifier, for_context: for_context)
  lease = lease_for(name, qualifier: resolved)
  token = lease&.valid? ? lease.token : nil
  emit_audit(provider: name, qualifier: resolved, purpose: purpose, context: context, granted: !token.nil?)
  token
end