Module: Legion::Extensions::Identity::Kerberos::Identity

Extended by:
Identity
Included in:
Identity
Defined in:
lib/legion/extensions/identity/kerberos/identity.rb


Instance Method Details

#capabilities ⇒ Object



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 18

def capabilities   = %i[authenticate profile vault_auth outbound_auth]

#facing ⇒ Object



14
# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 14

def facing         = :human

#normalize(val) ⇒ Object

Strips the @REALM suffix, downcases, strips surrounding whitespace, and removes any remaining non-word characters (dots included).



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 61

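# Canonicalises a Kerberos principal into a routing-safe identity name.
#
# Steps: drop the "@REALM" suffix, fold ASCII letters to lower case, strip
# surrounding whitespace, then delete every character outside [a-z0-9_-]
# (dots included).
#
# Only ASCII case folding is applied. Full Unicode folding can map non-ASCII
# code points onto ASCII letters (the Kelvin sign U+212A folds to "k"), which
# would let a visually different principal collapse onto an existing
# canonical name; non-ASCII characters are therefore removed, never folded.
#
# @param val [#to_s] principal such as "Alice@EXAMPLE.COM"; nil yields ""
# @return [String] canonical name, possibly empty
def normalize(val)
  str = val.to_s
  # limit 2 keeps any further "@" inside the realm part; "" splits to [] so fall back to str
  username = str.split('@', 2).first || str
  username.downcase(:ascii).strip.gsub(/[^a-z0-9_-]/, '')
end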

#priority ⇒ Object



15
# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 15

def priority       = 100

#provide_token ⇒ Object

Returns a Lease-like hash carrying the SPNEGO outbound token, or nil on failure.

Delegates to lex-kerberos Helpers::Spnego#obtain_spnego_token when available. Returns nil when lex-kerberos is not loaded or token acquisition fails.



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 34

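# Returns a Lease-like hash carrying the SPNEGO outbound token, or nil on failure.
#
# Delegates to lex-kerberos Helpers::Spnego#obtain_spnego_token when available.
# Returns nil when lex-kerberos is not loaded, no service principal is
# configured, the helper reports failure or yields no token, or any
# StandardError is raised along the way.
#
# @return [Hash, nil] lease hash produced by build_lease, or nil
def provide_token
  return nil unless spnego_available?

  service_principal = spnego_service_principal
  return nil if service_principal.nil? || service_principal.empty?

  result = Legion::Extensions::Kerberos::Helpers::Spnego.obtain_spnego_token(
    service_principal: service_principal
  )
  # A success flag with no token would otherwise yield a lease whose credential is nil.
  return nil unless result.is_a?(Hash) && result[:success] && result[:token]

  realm = Helpers::Resolver.extract_realm(Helpers::Resolver.principal.to_s)

  # One timestamp so issued_at and expires_at are exactly the TTL apart.
  now = Time.now
  build_lease(
    provider:   :kerberos,
    credential: result[:token],
    lease_id:   nil,
    expires_at: now + (10 * 3600), # fixed 10h; not read from the ticket — TODO confirm against KDC lifetime
    renewable:  true,
    issued_at:  now,
    metadata:   { realm: realm }
  )
rescue StandardError => _e
  # NOTE(review): best-effort by design, but swallowing every StandardError also
  # hides misconfiguration (a NameError from a missing helper looks the same as
  # "no ticket"); consider logging before returning nil.
  nil
end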

#provider_name ⇒ Object



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 12

def provider_name  = :kerberos

#provider_type ⇒ Object



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 13

def provider_type  = :auth

#resolve ⇒ Object

Returns a resolved identity hash or nil when no Kerberos principal is available.

Hash shape:

{ canonical_name:, kind: :human, source: :kerberos, principal:, realm:, groups: [] }

canonical_name regex: ^[a-z0-9]*$ (no dots, because "." is the AMQP routing-key word separator)



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 26

# Returns a resolved identity hash or nil when no Kerberos principal is
# available. All of the work is delegated to Helpers::Resolver.resolve_identity.
# @return [Hash, nil]
def resolve = Helpers::Resolver.resolve_identity

#trust_level ⇒ Object



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 17

def trust_level    = :verified

#trust_weight ⇒ Object



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 16

def trust_weight   = 30

#vault_auth ⇒ Object

Stub for Phase 5 Vault auth delegation. Returns nil.



# File 'lib/legion/extensions/identity/kerberos/identity.rb', line 68

# Stub for Phase 5 Vault auth delegation; always returns nil for now.
# @return [nil]
def vault_auth = nil