Module: Legion::Extensions::Identity::Entra::Helpers::TokenManager

Extended by:
TokenManager
Includes:
JSON::Helper, Logging::Helper, Settings::Helper
Included in:
TokenManager
Defined in:
lib/legion/extensions/identity/entra/helpers/token_manager.rb

Constant Summary collapse

TOKEN_DIR =
File.join(Dir.home, '.legionio', 'tokens')
REFRESH_BUFFER =
60
MEMORY_STORE =
Concurrent::Hash.new

Instance Method Summary collapse

Instance Method Details

#authenticated?(qualifier = :delegated) ⇒ Boolean

Returns:

  • (Boolean)


288
289
290
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 288

def authenticated?(qualifier = :delegated)
  !load_token(qualifier).nil?
end

#bootstrap_vault_path(qualifier) ⇒ Object

Pre-resolution Vault key for delegated tokens, derived from stable inputs (tenant id + client id) that are available before canonical identity resolution. Lets a fresh process recover a Vault-only delegated token so it can resolve identity (issue #4). Scoped to delegated only — other patterns are unaffected.



313
314
315
316
317
318
319
320
321
322
323
324
325
326
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 313

def bootstrap_vault_path(qualifier)
  return nil unless qualifier.to_sym == :delegated

  auth = settings_auth
  pattern_settings = auth[qualifier.to_sym]
  return pattern_settings[:vault_path] if pattern_settings.is_a?(Hash) && pattern_settings[:vault_path]

  tenant_id = auth[:tenant_id]
  client_id = auth[:client_id]
  return nil unless tenant_id && client_id

   = Digest::MD5.hexdigest("#{tenant_id}:#{client_id}")
  "bootstrap/entra/#{qualifier}/#{}/auth"
end

#canonical_name_available?Boolean

Returns:

  • (Boolean)


395
396
397
398
399
400
401
402
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 395

def canonical_name_available?
  return false unless defined?(Legion::Identity::Process)
  return false unless Legion::Identity::Process.respond_to?(:resolved?) &&
                      Legion::Identity::Process.resolved?

  name = Legion::Identity::Process.canonical_name
  !name.nil? && !name.empty? && name != 'anonymous'
end

#current_scope_fingerprint(qualifier) ⇒ Object



210
211
212
213
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 210

def current_scope_fingerprint(qualifier)
  scopes = Helpers::Scopes.resolve(pattern: qualifier.to_sym)
  Digest::MD5.hexdigest(scopes.split.sort.join(' '))
end

#delete_local(qualifier) ⇒ Object



178
179
180
181
182
183
184
185
186
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 178

def delete_local(qualifier)
  path = local_path(qualifier)
  return unless File.exist?(path)

  File.delete(path)
  log.info("TokenManager.delete_local: removed #{path} (vault is authoritative)")
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.delete_local', qualifier: qualifier)
end

#expired?(data) ⇒ Boolean

Returns:

  • (Boolean)


281
282
283
284
285
286
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 281

def expired?(data)
  expires_at = data[:expires_at]
  return false unless expires_at

  expires_at <= (Time.now + REFRESH_BUFFER)
end

#fetch_key(data, key) ⇒ Object



366
367
368
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 366

def fetch_key(data, key)
  data[key] || data[key.to_s]
end

#from_broker(qualifier) ⇒ Object



268
269
270
271
272
273
274
275
276
277
278
279
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 268

def from_broker(qualifier)
  return nil unless defined?(Legion::Identity::Broker)

  log.debug("TokenManager.from_broker: requesting token for #{qualifier}")
  token = Legion::Identity::Broker.token_for(:entra_delegated, qualifier: qualifier)
  log.debug("TokenManager.from_broker: #{token ? 'received' : 'not available'}")
  token
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.from_broker',
                      qualifier: qualifier)
  nil
end

#from_local_data(qualifier) ⇒ Object



113
114
115
116
117
118
119
120
121
122
123
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 113

def from_local_data(qualifier)
  path = local_path(qualifier)
  return nil unless File.exist?(path)

  log.debug("TokenManager.from_local_data: reading #{path}")
  normalize_token_data(json_load(File.read(path)))
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.from_local_data',
                      qualifier: qualifier, path: path)
  nil
end

#from_memory(qualifier) ⇒ Object



188
189
190
191
192
193
194
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 188

def from_memory(qualifier)
  data = TokenManager.memory_store[qualifier.to_sym]
  return nil unless data

  log.debug("TokenManager.from_memory: token found for #{qualifier}")
  normalize_token_data(data)
end

#from_vault_data(qualifier) ⇒ Object



91
92
93
94
95
96
97
98
99
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 91

def from_vault_data(qualifier)
  return nil unless vault_available?

  # Prefer the canonical (post-resolution) path, then fall back to the
  # bootstrap path so a fresh process can recover a Vault-only token
  # before Legion::Identity::Process is resolved (issue #4).
  read_vault_token(qualifier, vault_path(qualifier)) ||
    read_vault_token(qualifier, bootstrap_vault_path(qualifier))
end

#load_token(qualifier = :delegated) ⇒ Object



27
28
29
30
31
32
33
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 27

def load_token(qualifier = :delegated)
  log.debug("TokenManager.load_token: qualifier=#{qualifier}")
  data = token_data(qualifier, refresh: true)
  token = data&.dig(:access_token) || from_broker(qualifier)
  log.debug("TokenManager.load_token: #{token ? 'token found' : 'no token available'}")
  token
end

#local_path(qualifier) ⇒ Object



328
329
330
331
332
333
334
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 328

def local_path(qualifier)
  auth = settings_auth
  pattern_settings = auth[qualifier.to_sym]
  return File.expand_path(pattern_settings[:local_token_path]) if pattern_settings.is_a?(Hash) && pattern_settings[:local_token_path]

  File.join(TOKEN_DIR, "entra_#{qualifier}.json")
end

#memory_storeObject



23
24
25
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 23

def memory_store
  MEMORY_STORE
end

#normalize_token_data(data) ⇒ Object



349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 349

def normalize_token_data(data)
  return nil unless data.is_a?(Hash)

  access_token = fetch_key(data, :access_token)
  return nil unless access_token

  {
    access_token:      access_token,
    refresh_token:     fetch_key(data, :refresh_token),
    expires_at:        parse_time(fetch_key(data, :expires_at)),
    scopes:            fetch_key(data, :scopes) || fetch_key(data, :scope),
    tenant_id:         fetch_key(data, :tenant_id),
    client_id:         fetch_key(data, :client_id),
    scope_fingerprint: fetch_key(data, :scope_fingerprint)
  }.compact
end

#parse_time(value) ⇒ Object



370
371
372
373
374
375
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 370

def parse_time(value)
  return value if value.is_a?(Time)
  return nil if value.nil? || value.to_s.empty?

  Time.parse(value.to_s)
end

#read_vault_token(qualifier, path) ⇒ Object



101
102
103
104
105
106
107
108
109
110
111
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 101

def read_vault_token(qualifier, path)
  return nil unless path

  log.debug("TokenManager.from_vault_data: reading kv/#{path}")
  result = vault_kv_client.read(path)
  normalize_token_data(result&.data)
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.from_vault_data',
                      qualifier: qualifier, path: path)
  nil
end

#refresh_token(qualifier, data) ⇒ Object



225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 225

def refresh_token(qualifier, data)
  log.debug("TokenManager.refresh_token: attempting refresh for #{qualifier}")
  refresh = data[:refresh_token]
  unless refresh
    log.debug('TokenManager.refresh_token: no refresh_token available')
    return nil
  end

  auth = settings_auth.merge(data.compact)
  unless auth[:tenant_id] && auth[:client_id]
    log.debug('TokenManager.refresh_token: missing tenant_id or client_id')
    return nil
  end

  runner = Object.new.extend(Legion::Extensions::Identity::Entra::Delegated::Runners::Login)
  result = runner.refresh_delegated_token(
    tenant_id:     auth[:tenant_id],
    client_id:     auth[:client_id],
    refresh_token: refresh,
    scope:         auth[:scopes] || Legion::Extensions::Identity::Entra::Helpers::Scopes.resolve(pattern: :delegated)
  )
  body = result[:result]
  access_token = fetch_key(body, :access_token)
  unless access_token
    log.warn("TokenManager.refresh_token: refresh failed for #{qualifier}, no access_token in response")
    return nil
  end

  log.info("TokenManager.refresh_token: successfully refreshed token for #{qualifier}")
  save_token(qualifier,
             access_token:  access_token,
             refresh_token: fetch_key(body, :refresh_token) || refresh,
             expires_in:    fetch_key(body, :expires_in) || 3600,
             scopes:        fetch_key(body, :scope) || auth[:scopes],
             tenant_id:     auth[:tenant_id],
             client_id:     auth[:client_id])
  from_memory(qualifier)
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'token_manager.refresh_token',
                      qualifier: qualifier)
  nil
end

#save_to_local(qualifier, access_token:, refresh_token:, expires_at:, scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil) ⇒ Object



156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 156

def save_to_local(qualifier, access_token:, refresh_token:, expires_at:,
                  scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil)
  path = local_path(qualifier)
  log.debug("TokenManager.save_to_local: writing #{path}")
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, json_dump({
                               access_token:      access_token,
                               refresh_token:     refresh_token,
                               expires_at:        expires_at&.utc&.iso8601,
                               scopes:            scopes,
                               tenant_id:         tenant_id,
                               client_id:         client_id,
                               scope_fingerprint: scope_fingerprint
                             }))
  File.chmod(0o600, path)
  log.debug('TokenManager.save_to_local: success')
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.save_to_local',
                      qualifier: qualifier, path: path)
  nil
end

#save_to_memory(qualifier, access_token:, refresh_token:, expires_at:, scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil) ⇒ Object



196
197
198
199
200
201
202
203
204
205
206
207
208
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 196

def save_to_memory(qualifier, access_token:, refresh_token:, expires_at:,
                   scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil)
  TokenManager.memory_store[qualifier.to_sym] = {
    access_token:      access_token,
    refresh_token:     refresh_token,
    expires_at:        expires_at&.utc&.iso8601,
    scopes:            scopes,
    tenant_id:         tenant_id,
    client_id:         client_id,
    scope_fingerprint: scope_fingerprint
  }
  log.debug("TokenManager.save_to_memory: stored token for #{qualifier}")
end

#save_to_vault(qualifier, access_token:, refresh_token:, expires_at:, scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil) ⇒ Object



125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 125

def save_to_vault(qualifier, access_token:, refresh_token:, expires_at:,
                  scopes: nil, tenant_id: nil, client_id: nil, scope_fingerprint: nil)
  return unless vault_available?

  # When canonical identity is resolved, write the canonical key (and
  # alias to the bootstrap key so a later fresh process can recover it
  # before resolution). Before resolution, fall back to the bootstrap
  # key so we never write to a placeholder (anonymous) canonical path.
  paths = [vault_path(qualifier), bootstrap_vault_path(qualifier)].compact.uniq
  return if paths.empty?

  cluster = Legion::Crypt.respond_to?(:default_cluster_name) ? Legion::Crypt.default_cluster_name : 'vault'
  paths.each do |path|
    log.info("TokenManager.save_to_vault: writing to #{cluster} :: kv/data/#{path} qualifier=#{qualifier}")
    vault_kv_client.write(path,
                          access_token:      access_token,
                          refresh_token:     refresh_token,
                          expires_at:        expires_at&.utc&.iso8601,
                          scopes:            scopes,
                          tenant_id:         tenant_id,
                          client_id:         client_id,
                          scope_fingerprint: scope_fingerprint)
  end
  log.info('TokenManager.save_to_vault: success')
  true
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.save_to_vault',
                      qualifier: qualifier)
  nil
end

#save_token(qualifier, access_token:, refresh_token: nil, expires_at: nil, expires_in: nil, scopes: nil, tenant_id: nil, client_id: nil) ⇒ Object



68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 68

def save_token(qualifier, access_token:, refresh_token: nil, expires_at: nil,
               expires_in: nil, scopes: nil, tenant_id: nil, client_id: nil)
  log.debug("TokenManager.save_token: qualifier=#{qualifier} expires_in=#{expires_in}")
  expires_at ||= Time.now + expires_in.to_i if expires_in
  fingerprint = current_scope_fingerprint(qualifier)
  vault_saved = save_to_vault(qualifier, access_token: access_token, refresh_token: refresh_token,
                                         expires_at: expires_at, scopes: scopes,
                                         tenant_id: tenant_id, client_id: client_id,
                                         scope_fingerprint: fingerprint)
  if vault_saved
    delete_local(qualifier)
  else
    save_to_local(qualifier, access_token: access_token, refresh_token: refresh_token,
                             expires_at: expires_at, scopes: scopes,
                             tenant_id: tenant_id, client_id: client_id,
                             scope_fingerprint: fingerprint)
  end
  save_to_memory(qualifier, access_token: access_token, refresh_token: refresh_token,
                            expires_at: expires_at, scopes: scopes,
                            tenant_id: tenant_id, client_id: client_id,
                            scope_fingerprint: fingerprint)
end

#scope_fingerprint_stale?(qualifier, data = nil) ⇒ Boolean

Returns:

  • (Boolean)


215
216
217
218
219
220
221
222
223
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 215

def scope_fingerprint_stale?(qualifier, data = nil)
  data ||= from_local_data(qualifier) || from_memory(qualifier)
  return false unless data

  stored = data[:scope_fingerprint]
  return true unless stored

  stored != current_scope_fingerprint(qualifier)
end

#settings_authObject



336
337
338
339
340
341
342
343
344
345
346
347
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 336

def settings_auth
  identity_entra = Legion::Settings.dig(:identity, :entra) || {}
  auth = identity_entra[:auth].is_a?(Hash) ? identity_entra[:auth].dup : identity_entra.dup

  auth[:tenant_id] ||= ENV.fetch('AZURE_TENANT_ID', nil)
  auth[:client_id] ||= ENV.fetch('AZURE_CLIENT_ID', nil)
  auth[:client_secret] ||= ENV.fetch('AZURE_CLIENT_SECRET', nil)
  auth
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'token_manager.settings_auth')
  {}
end

#token_data(qualifier = :delegated, refresh: true) ⇒ Object



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 35

def token_data(qualifier = :delegated, refresh: true)
  log.debug("TokenManager.token_data: qualifier=#{qualifier} refresh=#{refresh}")
  vault_data = from_vault_data(qualifier)
  other_data = vault_data || from_local_data(qualifier) || from_memory(qualifier)
  if other_data && !vault_data && vault_available? && canonical_name_available?
    log.info("TokenManager.token_data: backfilling #{qualifier} token to vault")
    backfill_saved = save_to_vault(qualifier, access_token:      other_data[:access_token],
                                              refresh_token:     other_data[:refresh_token],
                                              expires_at:        other_data[:expires_at],
                                              scopes:            other_data[:scopes],
                                              tenant_id:         other_data[:tenant_id],
                                              client_id:         other_data[:client_id],
                                              scope_fingerprint: other_data[:scope_fingerprint])
    delete_local(qualifier) if backfill_saved
  end
  data = other_data
  return nil unless data

  if scope_fingerprint_stale?(qualifier, data)
    if refresh && data[:refresh_token]
      log.info("TokenManager.token_data: scope fingerprint mismatch for #{qualifier}, attempting refresh with current scopes")
      return refresh_token(qualifier, data)
    end
    log.info("TokenManager.token_data: scope fingerprint mismatch for #{qualifier}, forcing re-auth")
    return nil
  end

  return data unless expired?(data)

  log.debug("TokenManager.token_data: token expired for #{qualifier}")
  refresh ? refresh_token(qualifier, data) : data
end

#trusted_process_identity?Boolean

Returns:

  • (Boolean)


385
386
387
388
389
390
391
392
393
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 385

def trusted_process_identity?
  return false unless defined?(Legion::Identity::Process)
  return false unless Legion::Identity::Process.respond_to?(:resolved?) &&
                      Legion::Identity::Process.resolved?

  return true unless Legion::Identity::Process.respond_to?(:trust)

  %i[configured verified authenticated].include?(Legion::Identity::Process.trust)
end

#vault_available?Boolean

Returns:

  • (Boolean)


292
293
294
295
296
297
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 292

def vault_available?
  defined?(Legion::Crypt) &&
    Legion::Crypt.respond_to?(:vault_connected?) &&
    Legion::Crypt.vault_connected? &&
    Legion::Crypt.respond_to?(:write)
end

#vault_kv_clientObject



377
378
379
380
381
382
383
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 377

def vault_kv_client
  if Legion::Crypt.respond_to?(:connected_clusters) && Legion::Crypt.connected_clusters.any?
    Legion::Crypt.send(:connected_vault_client, nil).kv('kv')
  else
    ::Vault.kv('kv')
  end
end

#vault_path(qualifier) ⇒ Object



299
300
301
302
303
304
305
306
# File 'lib/legion/extensions/identity/entra/helpers/token_manager.rb', line 299

def vault_path(qualifier)
  auth = settings_auth
  pattern_settings = auth[qualifier.to_sym]
  return pattern_settings[:vault_path] if pattern_settings.is_a?(Hash) && pattern_settings[:vault_path]
  return nil unless canonical_name_available?

  "users/#{Legion::Identity::Process.canonical_name}/entra/#{qualifier}/auth"
end