Module: Legion::Extensions::Identity::Entra::Helpers::AccountDiscovery

Extended by:

AccountDiscovery

Includes:

Helpers::Lex, Logging::Helper, Settings::Helper

Included in:

AccountDiscovery

Defined in:

lib/legion/extensions/identity/entra/helpers/account_discovery.rb

Overview

Multi-account discovery for Entra ID.

Detects primary and privileged accounts by iterating stored delegated token qualifiers and resolving each qualifier through Graph /me.

Instance Method Summary

• #account_type_for(qualifier, canonical) ⇒ Object
• #broker_qualifiers ⇒ Object
• #discovered_qualifiers ⇒ Object

  Returns an array of qualifier symbols for which tokens exist locally.

• #local_qualifiers ⇒ Object
• #log_debug(message) ⇒ Object
• #resolve_all_accounts ⇒ Object

  Resolves identity for each discovered qualifier, returning an array of identity hashes (nils filtered out).

Instance Method Details

#account_type_for(qualifier, canonical) ⇒ Object

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 70

def account_type_for(qualifier, canonical)
  value = [qualifier, canonical].compact.join(' ')
  return 'privileged' if value.match?(/\b(adm|admin|priv|svc)[_-]/i)

  qualifier.to_sym == :delegated ? 'primary' : 'secondary'
end

#broker_qualifiers ⇒ Object

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 34

def broker_qualifiers
  return [] unless defined?(Legion::Identity::Broker)
  return [] unless Legion::Identity::Broker.respond_to?(:credentials_available)

  Legion::Identity::Broker.credentials_available(:entra)
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'account_discovery.broker_qualifiers')
  []
end

#discovered_qualifiers ⇒ Object

Returns an array of qualifier symbols for which tokens exist locally.

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 20

def discovered_qualifiers
  (local_qualifiers + broker_qualifiers).uniq
end

#local_qualifiers ⇒ Object

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 24

def local_qualifiers
  return [] unless File.directory?(Legion::Extensions::Identity::Entra::Helpers::TokenManager::TOKEN_DIR)

  Dir.glob(File.join(Legion::Extensions::Identity::Entra::Helpers::TokenManager::TOKEN_DIR, 'entra_*.json')).filter_map do |path|
    basename = File.basename(path, '.json')
    match = basename.match(/\Aentra_(.+)\z/)
    match[1].to_sym if match
  end
end

#log_debug(message) ⇒ Object

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 77

def log_debug(message)
  log.debug("[Entra::AccountDiscovery] #{message}")
end

#resolve_all_accounts ⇒ Object

Resolves identity for each discovered qualifier, returning an array of identity hashes (nils filtered out).

# File 'lib/legion/extensions/identity/entra/helpers/account_discovery.rb', line 46

def resolve_all_accounts
  discovered_qualifiers.filter_map do |qualifier|
    token = Legion::Extensions::Identity::Entra::Helpers::TokenManager.load_token(qualifier)
    next unless token

    profile = Legion::Extensions::Identity::Entra::Helpers::GraphClient.fetch_me(token)
    next unless profile

    canonical = profile[:on_premises_sam_account_name] || profile[:mail_nickname]
    next if canonical.nil? || canonical.empty?

    {
      canonical_name:    Legion::Extensions::Identity::Entra::Delegated::Identity.normalize(canonical),
      kind:              :human,
      source:            :entra,
      qualifier:         qualifier,
      account_type:      account_type_for(qualifier, canonical),
      provider_identity: profile[:id],
      profile:           profile,
      employee_id:       profile[:employee_id]
    }
  end
end