Module: Legion::Identity::Resolver

Extended by:

Logging::Helper

Defined in:

lib/legion/identity/resolver.rb

Constant Summary

TIMEOUT_SECONDS =

5

Class Attribute Summary

• .session_id ⇒ Object readonly

  Returns the value of attribute session_id.

Class Method Summary

• .composite ⇒ Object
• .providers ⇒ Object
• .register(provider) ⇒ Object
• .reset! ⇒ Object
• .reset_all! ⇒ Object
• .resolve!(timeout: TIMEOUT_SECONDS) ⇒ Object
• .resolved? ⇒ Boolean
• .upgrade!(provider, result) ⇒ Object

Class Attribute Details

.session_id ⇒ Object (readonly)

Returns the value of attribute session_id.

# File 'lib/legion/identity/resolver.rb', line 142

def session_id
  @session_id
end

Class Method Details

.composite ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 134

def composite
  @composite.get
end

.providers ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 138

def providers
  @providers.dup
end

.register(provider) ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 18

def register(provider)
  return if @providers.any? { |p| p.provider_name == provider.provider_name }

  log.debug("register: #{provider.provider_name} type=#{provider.provider_type} trust=#{provider.trust_level}")
  @providers << provider
end

.reset! ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 144

def reset!
  @composite  = Concurrent::AtomicReference.new(nil)
  @resolved   = Concurrent::AtomicBoolean.new(false)
  @session_id = SecureRandom.uuid
end

.reset_all! ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 150

def reset_all!
  reset!
  @providers = Concurrent::Array.new
end

.resolve!(timeout: TIMEOUT_SECONDS) ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 25

def resolve!(timeout: TIMEOUT_SECONDS)
  log.debug("resolve!: starting with #{@providers.size} providers, timeout=#{timeout}s")
  drain_pending_registrations

  auth_providers, profile_providers, fallback_providers = partition_providers
  log.debug("resolve!: partitioned auth=#{auth_providers.map(&:provider_name)} " \
            "profile=#{profile_providers.map(&:provider_name)} " \
            "fallback=#{fallback_providers.map(&:provider_name)}")

  winning_provider, winning_result, provider_results = resolve_auth(auth_providers, timeout: timeout)

  if winning_provider.nil?
    log.debug('resolve!: no auth winner, trying fallback providers')
    winning_provider, winning_result, fallback_results = resolve_auth(fallback_providers, timeout: timeout)
    provider_results.merge!(fallback_results) if fallback_results
  end

  unless winning_provider
    log.debug('resolve!: no provider resolved, identity unresolved')
    @resolved.make_false
    @composite.set(nil)
    return nil
  end

  canonical = winning_result[:canonical_name]
  trust_level = winning_provider.trust_level
  source = winning_provider.provider_name
  log.debug("resolve!: winner=#{source} canonical=#{canonical} trust=#{trust_level}")

  profile_data = resolve_profiles(profile_providers, canonical, timeout: timeout)
  log.debug("resolve!: profiles resolved groups=#{profile_data[:groups].size} profile_keys=#{profile_data[:profile].keys}")

  composite = assemble_composite(
    provider_results, profile_data,
    winning_result: winning_result,
    trust_level:    trust_level,
    source:         source
  )

  bind_and_persist(winning_provider, composite, trust_level)
  log.debug("resolve!: complete canonical=#{composite[:canonical_name]} providers=#{composite[:providers].keys}")
  composite
end

.resolved? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/identity/resolver.rb', line 130

def resolved?
  @resolved.true?
end

.upgrade!(provider, result) ⇒ Object

# File 'lib/legion/identity/resolver.rb', line 69

def upgrade!(provider, result)
  current = @composite.get
  return unless current

  log.debug("upgrade!: provider=#{provider.provider_name} trust=#{provider.trust_level} current_canonical=#{current[:canonical_name]}")

  new_trust = provider.trust_level
  new_canonical = result[:canonical_name] || current[:canonical_name]
  canonical_changed = new_canonical != current[:canonical_name]

  # Only promote the composite trust level when the new provider's trust
  # is strictly higher (lower rank index) than the current level.
  # This prevents an accidental downgrade if upgrade! is called with a
  # lower-trust provider such as one with :unverified trust.
  current_trust = current[:trust]
  effective_trust = if defined?(Legion::Identity::Trust) &&
                       Legion::Identity::Trust.respond_to?(:above?) &&
                       Legion::Identity::Trust.above?(new_trust, current_trust)
                      new_trust
                    else
                      current_trust
                    end

  new_aliases = current[:aliases].dup
  provider_identity = result[:provider_identity]
  if provider_identity
    existing = Array(new_aliases[provider.provider_name])
    new_aliases[provider.provider_name] = (existing + [provider_identity]).uniq
  end

  new_providers = current[:providers].dup
  new_providers[provider.provider_name] = {
    status:      :resolved,
    trust:       new_trust,
    resolved_at: Time.now
  }

  updated = current.merge(
    canonical_name: new_canonical,
    trust:          effective_trust,
    source:         provider.provider_name,
    aliases:        new_aliases,
    providers:      new_providers
  )

  handle_canonical_change(current[:canonical_name], new_canonical, updated) if canonical_changed

  @composite.set(updated)
  Legion::Identity::Process.bind!(provider, updated) if defined?(Legion::Identity::Process)

  if defined?(Legion::Settings) && Legion::Settings.respond_to?(:loader) && Legion::Settings.loader.respond_to?(:settings)
    Legion::Settings.loader.settings[:client] ||= {}
    Legion::Settings.loader.settings[:client][:name] = Legion::Identity::Process.queue_prefix
  end

  persist_identity_json(new_canonical, updated[:kind]) unless new_trust == :unverified

  log.debug("upgrade!: complete canonical=#{new_canonical} trust=#{effective_trust} canonical_changed=#{canonical_changed}")
  updated
end