legion-crypt 0.3.0 → 1.3.0

data/lib/legion/crypt/cipher.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
 require 'securerandom'
+require 'legion/crypt/cluster_secret'
 
 module Legion
   module Crypt
     module Cipher
+      include Legion::Crypt::ClusterSecret
+
       def encrypt(message)
         cipher = OpenSSL::Cipher.new('aes-256-cbc')
         cipher.encrypt
@@ -11,7 +16,7 @@ module Legion
         { enciphered_message: Base64.encode64(cipher.update(message) + cipher.final), iv: Base64.encode64(iv) }
       end
 
-      def decrypt(message, iv)
+      def decrypt(message, init_vector)
         until cs.is_a?(String) || Legion::Settings[:client][:shutting_down]
           Legion::Logging.debug('sleeping Legion::Crypt.decrypt due to CS not being set')
           sleep(0.5)
@@ -20,7 +25,7 @@ module Legion
         decipher = OpenSSL::Cipher.new('aes-256-cbc')
         decipher.decrypt
         decipher.key = cs
-        decipher.iv = Base64.decode64(iv)
+        decipher.iv = Base64.decode64(init_vector)
         message = Base64.decode64(message)
         decipher.update(message) + decipher.final
       end
@@ -46,58 +51,6 @@ module Legion
                            OpenSSL::PKey::RSA.new 2048
                          end
       end
-
-      def cs
-        @cs ||= Digest::SHA256.digest(fetch_cs)
-      end
-
-      def fetch_cs # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity
-        if Legion::Settings[:crypt][:vault][:read_cluster_secret] && Legion::Settings[:crypt][:vault][:connected] && Legion::Crypt.exist?('crypt') # rubocop:disable Layout/LineLength
-          Legion::Crypt.get('crypt')[:cluster_secret]
-        elsif Legion::Settings[:crypt][:cluster_secret].is_a? String
-          Legion::Settings[:crypt][:cluster_secret]
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
-          Legion::Settings[:crypt][:cluster_secret] = generate_secure_random
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.positive?
-          require 'legion/transport/messages/request_cluster_secret'
-          Legion::Logging.info 'Requesting cluster secret via public key'
-          start = Time.now
-          Legion::Transport::Messages::RequestClusterSecret.new.publish
-          sleep_time = 0.001
-          until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > Legion::Settings[:crypt][:cluster_secret_timeout]
-            sleep(sleep_time)
-            sleep_time *= 2 unless sleep_time > 0.5
-          end
-
-          if Legion::Settings[:crypt][:cluster_secret].nil?
-            Legion::Logging.warn 'Cluster secret is still nil'
-          else
-            Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
-          end
-        end
-      rescue StandardError => e
-        Legion::Logging.error(e.message)
-        Legion::Logging.error(e.backtrace)
-      ensure
-        Legion::Settings[:crypt][:cluster_secret] = generate_secure_random unless Legion::Settings[:crypt].key? :cluster_secret
-        nil if Legion::Settings[:crypt][:cluster_secret].nil?
-
-        Legion::Settings[:crypt][:cs_encrypt_ready] = true
-        push_cs_to_vault if Legion::Settings[:crypt][:vault][:push_cs_to_vault]
-
-        return Legion::Settings[:crypt][:cluster_secret] # rubocop:disable Lint/EnsureReturn
-      end
-
-      def push_cs_to_vault
-        return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
-
-        Legion::Logging.info 'Pushing Cluster Secret to Vault'
-        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
-      end
-
-      def generate_secure_random
-        SecureRandom.uuid
-      end
     end
   end
 end

data/lib/legion/crypt/cluster_secret.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Legion
+  module Crypt
+    module ClusterSecret
+      def find_cluster_secret
+        %i[from_settings from_vault from_transport generate_secure_random].each do |method|
+          result = send(method)
+          next if result.nil?
+
+          unless validate_hex(result)
+            Legion::Logging.warn("Legion::Crypt.#{method} gave a value but it isn't a valid hex")
+            next
+          end
+
+          set_cluster_secret(result, method != :from_vault)
+          return result
+        end
+        return unless only_member?
+
+        key = generate_secure_random
+        set_cluster_secret(key)
+        key
+      end
+
+      def from_vault
+        return nil unless method_defined? :get
+        return nil unless Legion::Settings[:crypt][:vault][:read_cluster_secret]
+        return nil unless Legion::Settings[:crypt][:vault][:connected]
+        return nil unless Legion::Crypt.exist?('crypt')
+
+        get('crypt')[:cluster_secret]
+      rescue StandardError
+        nil
+      end
+
+      def from_settings
+        Legion::Settings[:crypt][:cluster_secret]
+      end
+      alias cluster_secret from_settings
+
+      def from_transport
+        return nil unless Legion::Settings[:transport][:connected]
+
+        require 'legion/transport/messages/request_cluster_secret'
+        Legion::Logging.info 'Requesting cluster secret via public key'
+        Legion::Logging.warn 'cluster_secret already set but we are requesting a new value' unless from_settings.nil?
+        start = Time.now
+        Legion::Transport::Messages::RequestClusterSecret.new.publish
+        sleep_time = 0.001
+        until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > cluster_secret_timeout
+          sleep(sleep_time)
+          sleep_time *= 2 unless sleep_time > 0.5
+        end
+
+        unless from_settings.nil?
+          Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
+          return from_settings
+        end
+
+        Legion::Logging.error 'Cluster secret is still unknown!'
+        nil
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def force_cluster_secret
+        Legion::Settings[:crypt][:force_cluster_secret] || true
+      end
+
+      def settings_push_vault
+        Legion::Settings[:crypt][:vault][:push_cs_to_vault] || true
+      end
+
+      def only_member?
+        Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
+      rescue StandardError
+        nil
+      end
+
+      def set_cluster_secret(value, push_to_vault = true) # rubocop:disable Style/OptionalBooleanParameter
+        raise TypeError unless value.to_i(32).to_s(32).rjust(value.length, '0') == value.downcase
+
+        Legion::Settings[:crypt][:cs_encrypt_ready] = true
+        push_cs_to_vault if push_to_vault && settings_push_vault
+
+        Legion::Settings[:crypt][:cluster_secret] = value
+      end
+
+      def push_cs_to_vault
+        return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
+
+        Legion::Logging.info 'Pushing Cluster Secret to Vault'
+        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
+      end
+
+      def cluster_secret_timeout
+        Legion::Settings[:crypt][:cluster_secret_timeout] || 5
+      end
+
+      def secret_length
+        Legion::Settings[:crypt][:cluster_lenth] || 32
+      end
+
+      def generate_secure_random(length = secret_length)
+        SecureRandom.hex(length)
+      end
+
+      def cs
+        @cs ||= Digest::SHA256.digest(find_cluster_secret)
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def validate_hex(value, length = secret_length)
+        return false unless value.is_a?(String)
+        return false if value.empty?
+
+        value.to_i(length).to_s(length).rjust(value.length, '0') == value.downcase
+      end
+    end
+  end
+end

data/lib/legion/crypt/jwt.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'securerandom'
+
+module Legion
+  module Crypt
+    module JWT
+      class Error < StandardError; end
+      class ExpiredTokenError < Error; end
+      class InvalidTokenError < Error; end
+      class DecodeError < Error; end
+
+      SUPPORTED_ALGORITHMS = %w[HS256 RS256].freeze
+
+      def self.issue(payload, signing_key:, algorithm: 'HS256', ttl: 3600, issuer: 'legion')
+        validate_algorithm!(algorithm)
+
+        now = Time.now.to_i
+        claims = {
+          iss: issuer,
+          iat: now,
+          exp: now + ttl,
+          jti: SecureRandom.uuid
+        }.merge(payload)
+
+        ::JWT.encode(claims, signing_key, algorithm)
+      end
+
+      def self.verify(token, verification_key:, **opts)
+        algorithm = opts.fetch(:algorithm, 'HS256')
+        verify_expiration = opts.fetch(:verify_expiration, true)
+        verify_issuer = opts.fetch(:verify_issuer, true)
+        issuer = opts.fetch(:issuer, 'legion')
+
+        validate_algorithm!(algorithm)
+
+        decode_opts = {
+          algorithm:         algorithm,
+          verify_expiration: verify_expiration,
+          verify_iss:        verify_issuer
+        }
+        decode_opts[:iss] = issuer if verify_issuer
+
+        payload, _header = ::JWT.decode(token, verification_key, true, decode_opts)
+        symbolize_keys(payload)
+      rescue ::JWT::ExpiredSignature
+        raise ExpiredTokenError, 'token has expired'
+      rescue ::JWT::VerificationError, ::JWT::IncorrectAlgorithm
+        raise InvalidTokenError, 'token signature verification failed'
+      rescue ::JWT::DecodeError => e
+        raise DecodeError, "failed to decode token: #{e.message}"
+      end
+
+      def self.decode(token)
+        payload, _header = ::JWT.decode(token, nil, false)
+        symbolize_keys(payload)
+      rescue ::JWT::DecodeError => e
+        raise DecodeError, "failed to decode token: #{e.message}"
+      end
+
+      def self.validate_algorithm!(algorithm)
+        return if SUPPORTED_ALGORITHMS.include?(algorithm)
+
+        raise ArgumentError, "unsupported algorithm: #{algorithm}. Supported: #{SUPPORTED_ALGORITHMS.join(', ')}"
+      end
+
+      def self.symbolize_keys(hash)
+        hash.transform_keys(&:to_sym)
+      end
+
+      private_class_method :validate_algorithm!, :symbolize_keys
+    end
+  end
+end

data/lib/legion/crypt/lease_manager.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module Legion
+  module Crypt
+    class LeaseManager
+      include Singleton
+
+      RENEWAL_CHECK_INTERVAL = 5
+
+      def initialize
+        @lease_cache = {}
+        @active_leases = {}
+        @refs = {}
+        @running = false
+        @renewal_thread = nil
+      end
+
+      def start(definitions)
+        return if definitions.nil? || definitions.empty?
+
+        definitions.each do |name, opts|
+          path = opts['path'] || opts[:path]
+          next unless path
+
+          begin
+            response = ::Vault.logical.read(path)
+            next unless response
+
+            @lease_cache[name] = response.data || {}
+            @active_leases[name] = {
+              lease_id:       response.lease_id,
+              lease_duration: response.lease_duration,
+              renewable:      response.renewable,
+              expires_at:     Time.now + (response.lease_duration || 0),
+              fetched_at:     Time.now
+            }
+            log_debug("LeaseManager: fetched lease for '#{name}' from #{path}")
+          rescue StandardError => e
+            log_warn("LeaseManager: failed to fetch lease '#{name}' from #{path}: #{e.message}")
+          end
+        end
+      end
+
+      def fetch(name, key)
+        data = @lease_cache[name]
+        return nil unless data
+
+        data[key.to_sym] || data[key.to_s]
+      end
+
+      def lease_data(name)
+        @lease_cache[name]
+      end
+
+      attr_reader :active_leases
+
+      def register_ref(name, key, path)
+        @refs[name] ||= {}
+        @refs[name][key] = path
+      end
+
+      def push_to_settings(name)
+        refs = @refs[name]
+        return if refs.nil? || refs.empty?
+
+        data = @lease_cache[name]
+        return unless data
+
+        refs.each do |key, path|
+          value = data[key.to_sym] || data[key.to_s]
+          write_setting(path, value)
+        end
+
+        log_debug("Lease '#{name}' rotated — updated #{refs.size} settings reference(s)")
+      end
+
+      def start_renewal_thread
+        return if renewal_thread_alive?
+
+        @running = true
+        @renewal_thread = Thread.new { renewal_loop }
+      end
+
+      def renewal_thread_alive?
+        @renewal_thread&.alive? || false
+      end
+
+      def shutdown
+        stop_renewal_thread
+
+        @active_leases.each do |name, meta|
+          lease_id = meta[:lease_id]
+          next if lease_id.nil? || lease_id.empty?
+
+          begin
+            ::Vault.sys.revoke(lease_id)
+            log_debug("LeaseManager: revoked lease '#{name}' (#{lease_id})")
+          rescue StandardError => e
+            log_warn("LeaseManager: failed to revoke lease '#{name}' (#{lease_id}): #{e.message}")
+          end
+        end
+
+        @lease_cache.clear
+        @active_leases.clear
+        @refs.clear
+      end
+
+      def reset!
+        @running = false
+        @lease_cache.clear
+        @active_leases.clear
+        @refs.clear
+      end
+
+      private
+
+      def stop_renewal_thread
+        @running = false
+        if @renewal_thread&.alive?
+          @renewal_thread.kill
+          @renewal_thread.join(2)
+        end
+        @renewal_thread = nil
+      end
+
+      def renewal_loop
+        while @running
+          sleep(RENEWAL_CHECK_INTERVAL)
+          renew_approaching_leases if @running
+        end
+      rescue StandardError => e
+        log_warn("LeaseManager: renewal loop error: #{e.message}")
+        retry if @running
+      end
+
+      def renew_approaching_leases
+        @active_leases.each do |name, lease|
+          next unless lease[:renewable]
+          next unless approaching_expiry?(lease)
+
+          renew_lease(name, lease)
+        end
+      end
+
+      def renew_lease(name, lease)
+        response = ::Vault.sys.renew(lease[:lease_id])
+        lease[:expires_at] = Time.now + (response.lease_duration || 0)
+
+        if response.data && response.data != @lease_cache[name]
+          @lease_cache[name] = response.data
+          push_to_settings(name)
+        end
+      rescue StandardError => e
+        log_warn("LeaseManager: failed to renew lease '#{name}': #{e.message}")
+      end
+
+      def approaching_expiry?(lease)
+        expires_at = lease[:expires_at]
+        lease_duration = lease[:lease_duration]
+
+        return true if expires_at.nil? || lease_duration.nil?
+
+        remaining = expires_at - Time.now
+        remaining < (lease_duration * 0.5)
+      end
+
+      def write_setting(path, value)
+        return if path.nil? || path.empty?
+
+        target = path[1..-2].reduce(Legion::Settings[path[0]]) do |node, segment|
+          break nil unless node.is_a?(Hash)
+
+          node[segment]
+        end
+        target[path.last] = value if target.is_a?(Hash)
+      rescue StandardError => e
+        log_warn("LeaseManager: failed to write setting at #{path.join('.')}: #{e.message}")
+      end
+
+      def log_debug(message)
+        if defined?(Legion::Logging)
+          Legion::Logging.debug(message)
+        else
+          $stdout.puts("[DEBUG] #{message}")
+        end
+      end
+
+      def log_warn(message)
+        if defined?(Legion::Logging)
+          Legion::Logging.warn(message)
+        else
+          warn("[WARN] #{message}")
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/settings.rb

@@ -1,30 +1,45 @@
+# frozen_string_literal: true
+
 module Legion
   module Crypt
     module Settings
       def self.default
         {
-          vault: vault,
+          vault:            vault,
+          jwt:              jwt,
           cs_encrypt_ready: false,
-          dynamic_keys: true,
-          cluster_secret: nil,
+          dynamic_keys:     true,
+          cluster_secret:   nil,
           save_private_key: true,
           read_private_key: true
         }
       end
 
+      def self.jwt
+        {
+          enabled:           true,
+          default_algorithm: 'HS256',
+          default_ttl:       3600,
+          issuer:            'legion',
+          verify_expiration: true,
+          verify_issuer:     true
+        }
+      end
+
       def self.vault
         {
-          enabled: !Gem::Specification.find_by_name('vault').nil?,
-          protocol: 'http',
-          address: 'localhost',
-          port: 8200,
-          token: ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
-          connected: false,
-          renewer_time: 5,
-          renewer: true,
+          enabled:             !Gem::Specification.find_by_name('vault').nil?,
+          protocol:            'http',
+          address:             'localhost',
+          port:                8200,
+          token:               ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
+          connected:           false,
+          renewer_time:        5,
+          renewer:             true,
           push_cluster_secret: true,
           read_cluster_secret: true,
-          kv_path: ENV['LEGION_VAULT_KV_PATH'] || 'legion'
+          kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
+          leases:              {}
         }
       end
     end

data/lib/legion/crypt/vault.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'vault'
 
 module Legion
@@ -9,7 +11,7 @@ module Legion
         Legion::Settings[:crypt][:vault]
       end
 
-      def connect_vault # rubocop:disable Metrics/AbcSize
+      def connect_vault
         @sessions = []
         ::Vault.address = "#{Legion::Settings[:crypt][:vault][:protocol]}://#{Legion::Settings[:crypt][:vault][:address]}:#{Legion::Settings[:crypt][:vault][:port]}" # rubocop:disable Layout/LineLength
 

data/lib/legion/crypt/vault_jwt_auth.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Legion
+  module Crypt
+    # Vault JWT auth backend integration.
+    #
+    # Allows Legion workers to authenticate to Vault using JWT tokens
+    # via Vault's JWT/OIDC auth method. The worker presents a signed JWT
+    # and receives a Vault token with policies scoped to the worker's role.
+    #
+    # Vault config prerequisites:
+    #   vault auth enable jwt
+    #   vault write auth/jwt/config jwks_url="..." (or bound_issuer + jwt_validation_pubkeys)
+    #   vault write auth/jwt/role/legion-worker bound_audiences="legion" ...
+    module VaultJwtAuth
+      DEFAULT_AUTH_PATH = 'auth/jwt/login'
+      DEFAULT_ROLE      = 'legion-worker'
+
+      class AuthError < StandardError; end
+
+      # Authenticate to Vault using a JWT token.
+      # Returns a Vault token string on success.
+      #
+      # @param jwt [String] Signed JWT token (issued by Legion or Entra ID)
+      # @param role [String] Vault JWT auth role name (default: 'legion-worker')
+      # @param auth_path [String] Vault auth mount path (default: 'auth/jwt/login')
+      # @return [Hash] { token:, lease_duration:, policies:, metadata: }
+      def self.login(jwt:, role: DEFAULT_ROLE, auth_path: DEFAULT_AUTH_PATH)
+        raise AuthError, 'Vault is not connected' unless vault_connected?
+
+        response = ::Vault.logical.write(
+          auth_path,
+          role: role,
+          jwt:  jwt
+        )
+
+        raise AuthError, 'Vault JWT auth returned no auth data' unless response&.auth
+
+        {
+          token:          response.auth.client_token,
+          lease_duration: response.auth.lease_duration,
+          renewable:      response.auth.renewable,
+          policies:       response.auth.policies,
+          metadata:       response.auth.metadata
+        }
+      rescue ::Vault::HTTPClientError => e
+        raise AuthError, "Vault JWT auth failed: #{e.message}"
+      rescue ::Vault::HTTPServerError => e
+        raise AuthError, "Vault server error during JWT auth: #{e.message}"
+      end
+
+      # Authenticate and set the Vault client token for subsequent operations.
+      # This replaces the current Vault token with the JWT-authenticated one.
+      #
+      # @return [Hash] Same as login
+      def self.login!(jwt:, role: DEFAULT_ROLE, auth_path: DEFAULT_AUTH_PATH)
+        result = login(jwt: jwt, role: role, auth_path: auth_path)
+        ::Vault.token = result[:token]
+        Legion::Logging.info "[crypt:vault_jwt] authenticated via JWT auth, policies=#{result[:policies].join(',')}"
+        result
+      end
+
+      # Issue a Legion JWT and use it to authenticate to Vault in one step.
+      # Convenience method for workers that need Vault access.
+      #
+      # @param worker_id [String] Digital worker ID
+      # @param owner_msid [String] Worker's owner MSID
+      # @param role [String] Vault JWT auth role name
+      # @return [Hash] Same as login
+      def self.worker_login(worker_id:, owner_msid:, role: DEFAULT_ROLE)
+        jwt = Legion::Crypt::JWT.issue(
+          { worker_id: worker_id, sub: owner_msid, scope: 'vault', aud: 'legion' },
+          signing_key: Legion::Crypt.cluster_secret,
+          ttl:         300,
+          issuer:      'legion'
+        )
+
+        login(jwt: jwt, role: role)
+      end
+
+      def self.vault_connected?
+        defined?(::Vault) &&
+          defined?(Legion::Settings) &&
+          Legion::Settings[:crypt][:vault][:connected] == true
+      rescue StandardError
+        false
+      end
+
+      private_class_method :vault_connected?
+    end
+  end
+end

data/lib/legion/crypt/vault_renewer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'legion/extensions/actors/every'
 
 module Legion

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '0.3.0'
+    VERSION = '1.3.0'
   end
 end