legion-crypt 1.2.0 → 1.4.0

data/lib/legion/crypt/jwks_client.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'uri'
+require 'json'
+require 'openssl'
+require 'jwt'
+
+module Legion
+  module Crypt
+    module JwksClient
+      CACHE_TTL = 3600
+
+      @cache = {}
+      @mutex = Mutex.new
+
+      class << self
+        def fetch_keys(jwks_url)
+          @mutex.synchronize do
+            response = http_get(jwks_url)
+            jwks_data = parse_response(response)
+            keys = parse_jwks(jwks_data)
+
+            @cache[jwks_url] = { keys: keys, fetched_at: Time.now }
+            keys
+          end
+        end
+
+        def find_key(jwks_url, kid)
+          cached = @mutex.synchronize { @cache[jwks_url] }
+
+          if cached && !expired?(cached[:fetched_at])
+            key = cached[:keys][kid]
+            return key if key
+          end
+
+          # Re-fetch once on cache miss or expiry
+          keys = fetch_keys(jwks_url)
+          key = keys[kid]
+          return key if key
+
+          raise Legion::Crypt::JWT::InvalidTokenError, "signing key not found: #{kid}"
+        end
+
+        def clear_cache
+          @mutex.synchronize { @cache = {} }
+        end
+
+        private
+
+        def expired?(fetched_at)
+          Time.now - fetched_at > CACHE_TTL
+        end
+
+        def http_get(url)
+          uri = URI.parse(url)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == 'https'
+          http.open_timeout = 10
+          http.read_timeout = 10
+
+          request = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(request)
+
+          raise Legion::Crypt::JWT::Error, "failed to fetch JWKS: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
+
+          response.body
+        rescue StandardError => e
+          raise Legion::Crypt::JWT::Error, "failed to fetch JWKS: #{e.message}" unless e.is_a?(Legion::Crypt::JWT::Error)
+
+          raise
+        end
+
+        def parse_response(body)
+          parsed = ::JSON.parse(body)
+          raise Legion::Crypt::JWT::Error, 'invalid JWKS response: missing keys' unless parsed.is_a?(Hash) && parsed['keys'].is_a?(Array)
+
+          parsed
+        rescue ::JSON::ParserError => e
+          raise Legion::Crypt::JWT::Error, "invalid JWKS response: #{e.message}"
+        end
+
+        def parse_jwks(jwks_data)
+          keys = {}
+
+          jwks_data['keys'].each do |jwk_hash|
+            kid = jwk_hash['kid']
+            next unless kid
+
+            jwk = ::JWT::JWK.new(jwk_hash)
+            keys[kid] = jwk.public_key
+          rescue StandardError
+            # Skip malformed keys, continue with valid ones
+            next
+          end
+
+          keys
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/jwt.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'securerandom'
+require 'legion/crypt/jwks_client'
+
+module Legion
+  module Crypt
+    module JWT
+      class Error < StandardError; end
+      class ExpiredTokenError < Error; end
+      class InvalidTokenError < Error; end
+      class DecodeError < Error; end
+
+      SUPPORTED_ALGORITHMS = %w[HS256 RS256].freeze
+
+      def self.issue(payload, signing_key:, algorithm: 'HS256', ttl: 3600, issuer: 'legion')
+        validate_algorithm!(algorithm)
+
+        now = Time.now.to_i
+        claims = {
+          iss: issuer,
+          iat: now,
+          exp: now + ttl,
+          jti: SecureRandom.uuid
+        }.merge(payload)
+
+        ::JWT.encode(claims, signing_key, algorithm)
+      end
+
+      def self.verify(token, verification_key:, **opts)
+        algorithm = opts.fetch(:algorithm, 'HS256')
+        verify_expiration = opts.fetch(:verify_expiration, true)
+        verify_issuer = opts.fetch(:verify_issuer, true)
+        issuer = opts.fetch(:issuer, 'legion')
+
+        validate_algorithm!(algorithm)
+
+        decode_opts = {
+          algorithm:         algorithm,
+          verify_expiration: verify_expiration,
+          verify_iss:        verify_issuer
+        }
+        decode_opts[:iss] = issuer if verify_issuer
+
+        payload, _header = ::JWT.decode(token, verification_key, true, decode_opts)
+        symbolize_keys(payload)
+      rescue ::JWT::ExpiredSignature
+        raise ExpiredTokenError, 'token has expired'
+      rescue ::JWT::VerificationError, ::JWT::IncorrectAlgorithm
+        raise InvalidTokenError, 'token signature verification failed'
+      rescue ::JWT::DecodeError => e
+        raise DecodeError, "failed to decode token: #{e.message}"
+      end
+
+      def self.decode(token)
+        payload, _header = ::JWT.decode(token, nil, false)
+        symbolize_keys(payload)
+      rescue ::JWT::DecodeError => e
+        raise DecodeError, "failed to decode token: #{e.message}"
+      end
+
+      def self.verify_with_jwks(token, jwks_url:, **opts)
+        header = decode_header(token)
+        kid = header['kid']
+        algorithm = header['alg'] || 'RS256'
+
+        raise InvalidTokenError, 'token header missing kid' unless kid
+
+        validate_algorithm!(algorithm)
+
+        public_key = Legion::Crypt::JwksClient.find_key(jwks_url, kid)
+
+        verify_expiration = opts.fetch(:verify_expiration, true)
+        issuers = opts[:issuers]
+        audience = opts[:audience]
+
+        decode_opts = {
+          algorithm:         algorithm,
+          verify_expiration: verify_expiration
+        }
+
+        if issuers
+          decode_opts[:verify_iss] = true
+          decode_opts[:iss] = issuers
+        end
+
+        if audience
+          decode_opts[:verify_aud] = true
+          decode_opts[:aud] = audience
+        end
+
+        payload, _header = ::JWT.decode(token, public_key, true, decode_opts)
+        symbolize_keys(payload)
+      rescue ::JWT::ExpiredSignature
+        raise ExpiredTokenError, 'token has expired'
+      rescue ::JWT::VerificationError, ::JWT::IncorrectAlgorithm
+        raise InvalidTokenError, 'token signature verification failed'
+      rescue ::JWT::InvalidIssuerError
+        raise InvalidTokenError, 'token issuer not allowed'
+      rescue ::JWT::InvalidAudError
+        raise InvalidTokenError, 'token audience mismatch'
+      rescue ::JWT::DecodeError => e
+        raise DecodeError, "failed to decode token: #{e.message}"
+      end
+
+      def self.decode_header(token)
+        parts = token.to_s.split('.')
+        raise DecodeError, 'invalid token format' unless parts.size == 3
+
+        header_json = Base64.urlsafe_decode64(parts[0])
+        ::JSON.parse(header_json)
+      rescue ::JSON::ParserError, ArgumentError => e
+        raise DecodeError, "failed to decode token header: #{e.message}"
+      end
+
+      def self.validate_algorithm!(algorithm)
+        return if SUPPORTED_ALGORITHMS.include?(algorithm)
+
+        raise ArgumentError, "unsupported algorithm: #{algorithm}. Supported: #{SUPPORTED_ALGORITHMS.join(', ')}"
+      end
+
+      def self.symbolize_keys(hash)
+        hash.transform_keys(&:to_sym)
+      end
+
+      private_class_method :validate_algorithm!, :symbolize_keys, :decode_header
+    end
+  end
+end

data/lib/legion/crypt/lease_manager.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module Legion
+  module Crypt
+    class LeaseManager
+      include Singleton
+
+      RENEWAL_CHECK_INTERVAL = 5
+
+      def initialize
+        @lease_cache = {}
+        @active_leases = {}
+        @refs = {}
+        @running = false
+        @renewal_thread = nil
+      end
+
+      def start(definitions)
+        return if definitions.nil? || definitions.empty?
+
+        definitions.each do |name, opts|
+          path = opts['path'] || opts[:path]
+          next unless path
+
+          begin
+            response = ::Vault.logical.read(path)
+            next unless response
+
+            @lease_cache[name] = response.data || {}
+            @active_leases[name] = {
+              lease_id:       response.lease_id,
+              lease_duration: response.lease_duration,
+              renewable:      response.renewable,
+              expires_at:     Time.now + (response.lease_duration || 0),
+              fetched_at:     Time.now
+            }
+            log_debug("LeaseManager: fetched lease for '#{name}' from #{path}")
+          rescue StandardError => e
+            log_warn("LeaseManager: failed to fetch lease '#{name}' from #{path}: #{e.message}")
+          end
+        end
+      end
+
+      def fetch(name, key)
+        data = @lease_cache[name]
+        return nil unless data
+
+        data[key.to_sym] || data[key.to_s]
+      end
+
+      def lease_data(name)
+        @lease_cache[name]
+      end
+
+      attr_reader :active_leases
+
+      def register_ref(name, key, path)
+        @refs[name] ||= {}
+        @refs[name][key] = path
+      end
+
+      def push_to_settings(name)
+        refs = @refs[name]
+        return if refs.nil? || refs.empty?
+
+        data = @lease_cache[name]
+        return unless data
+
+        refs.each do |key, path|
+          value = data[key.to_sym] || data[key.to_s]
+          write_setting(path, value)
+        end
+
+        log_debug("Lease '#{name}' rotated — updated #{refs.size} settings reference(s)")
+      end
+
+      def start_renewal_thread
+        return if renewal_thread_alive?
+
+        @running = true
+        @renewal_thread = Thread.new { renewal_loop }
+      end
+
+      def renewal_thread_alive?
+        @renewal_thread&.alive? || false
+      end
+
+      def shutdown
+        stop_renewal_thread
+
+        @active_leases.each do |name, meta|
+          lease_id = meta[:lease_id]
+          next if lease_id.nil? || lease_id.empty?
+
+          begin
+            ::Vault.sys.revoke(lease_id)
+            log_debug("LeaseManager: revoked lease '#{name}' (#{lease_id})")
+          rescue StandardError => e
+            log_warn("LeaseManager: failed to revoke lease '#{name}' (#{lease_id}): #{e.message}")
+          end
+        end
+
+        @lease_cache.clear
+        @active_leases.clear
+        @refs.clear
+      end
+
+      def reset!
+        @running = false
+        @lease_cache.clear
+        @active_leases.clear
+        @refs.clear
+      end
+
+      private
+
+      def stop_renewal_thread
+        @running = false
+        if @renewal_thread&.alive?
+          @renewal_thread.kill
+          @renewal_thread.join(2)
+        end
+        @renewal_thread = nil
+      end
+
+      def renewal_loop
+        while @running
+          sleep(RENEWAL_CHECK_INTERVAL)
+          renew_approaching_leases if @running
+        end
+      rescue StandardError => e
+        log_warn("LeaseManager: renewal loop error: #{e.message}")
+        retry if @running
+      end
+
+      def renew_approaching_leases
+        @active_leases.each do |name, lease|
+          next unless lease[:renewable]
+          next unless approaching_expiry?(lease)
+
+          renew_lease(name, lease)
+        end
+      end
+
+      def renew_lease(name, lease)
+        response = ::Vault.sys.renew(lease[:lease_id])
+        lease[:expires_at] = Time.now + (response.lease_duration || 0)
+
+        if response.data && response.data != @lease_cache[name]
+          @lease_cache[name] = response.data
+          push_to_settings(name)
+        end
+      rescue StandardError => e
+        log_warn("LeaseManager: failed to renew lease '#{name}': #{e.message}")
+      end
+
+      def approaching_expiry?(lease)
+        expires_at = lease[:expires_at]
+        lease_duration = lease[:lease_duration]
+
+        return true if expires_at.nil? || lease_duration.nil?
+
+        remaining = expires_at - Time.now
+        remaining < (lease_duration * 0.5)
+      end
+
+      def write_setting(path, value)
+        return if path.nil? || path.empty?
+
+        target = path[1..-2].reduce(Legion::Settings[path[0]]) do |node, segment|
+          break nil unless node.is_a?(Hash)
+
+          node[segment]
+        end
+        target[path.last] = value if target.is_a?(Hash)
+      rescue StandardError => e
+        log_warn("LeaseManager: failed to write setting at #{path.join('.')}: #{e.message}")
+      end
+
+      def log_debug(message)
+        if defined?(Legion::Logging)
+          Legion::Logging.debug(message)
+        else
+          $stdout.puts("[DEBUG] #{message}")
+        end
+      end
+
+      def log_warn(message)
+        if defined?(Legion::Logging)
+          Legion::Logging.warn(message)
+        else
+          warn("[WARN] #{message}")
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/settings.rb

@@ -1,30 +1,45 @@
+# frozen_string_literal: true
+
 module Legion
   module Crypt
     module Settings
       def self.default
         {
-          vault: vault,
+          vault:            vault,
+          jwt:              jwt,
           cs_encrypt_ready: false,
-          dynamic_keys: true,
-          cluster_secret: nil,
+          dynamic_keys:     true,
+          cluster_secret:   nil,
           save_private_key: true,
           read_private_key: true
         }
       end
 
+      def self.jwt
+        {
+          enabled:           true,
+          default_algorithm: 'HS256',
+          default_ttl:       3600,
+          issuer:            'legion',
+          verify_expiration: true,
+          verify_issuer:     true
+        }
+      end
+
       def self.vault
         {
-          enabled: !Gem::Specification.find_by_name('vault').nil?,
-          protocol: 'http',
-          address: 'localhost',
-          port: 8200,
-          token: ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
-          connected: false,
-          renewer_time: 5,
-          renewer: true,
+          enabled:             !Gem::Specification.find_by_name('vault').nil?,
+          protocol:            'http',
+          address:             'localhost',
+          port:                8200,
+          token:               ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
+          connected:           false,
+          renewer_time:        5,
+          renewer:             true,
           push_cluster_secret: true,
           read_cluster_secret: true,
-          kv_path: ENV['LEGION_VAULT_KV_PATH'] || 'legion'
+          kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
+          leases:              {}
         }
       end
     end

data/lib/legion/crypt/vault.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'vault'
 
 module Legion
@@ -9,7 +11,7 @@ module Legion
         Legion::Settings[:crypt][:vault]
       end
 
-      def connect_vault # rubocop:disable Metrics/AbcSize
+      def connect_vault
         @sessions = []
         ::Vault.address = "#{Legion::Settings[:crypt][:vault][:protocol]}://#{Legion::Settings[:crypt][:vault][:address]}:#{Legion::Settings[:crypt][:vault][:port]}" # rubocop:disable Layout/LineLength
 

data/lib/legion/crypt/vault_jwt_auth.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Legion
+  module Crypt
+    # Vault JWT auth backend integration.
+    #
+    # Allows Legion workers to authenticate to Vault using JWT tokens
+    # via Vault's JWT/OIDC auth method. The worker presents a signed JWT
+    # and receives a Vault token with policies scoped to the worker's role.
+    #
+    # Vault config prerequisites:
+    #   vault auth enable jwt
+    #   vault write auth/jwt/config jwks_url="..." (or bound_issuer + jwt_validation_pubkeys)
+    #   vault write auth/jwt/role/legion-worker bound_audiences="legion" ...
+    module VaultJwtAuth
+      DEFAULT_AUTH_PATH = 'auth/jwt/login'
+      DEFAULT_ROLE      = 'legion-worker'
+
+      class AuthError < StandardError; end
+
+      # Authenticate to Vault using a JWT token.
+      # Returns a Vault token string on success.
+      #
+      # @param jwt [String] Signed JWT token (issued by Legion or Entra ID)
+      # @param role [String] Vault JWT auth role name (default: 'legion-worker')
+      # @param auth_path [String] Vault auth mount path (default: 'auth/jwt/login')
+      # @return [Hash] { token:, lease_duration:, policies:, metadata: }
+      def self.login(jwt:, role: DEFAULT_ROLE, auth_path: DEFAULT_AUTH_PATH)
+        raise AuthError, 'Vault is not connected' unless vault_connected?
+
+        response = ::Vault.logical.write(
+          auth_path,
+          role: role,
+          jwt:  jwt
+        )
+
+        raise AuthError, 'Vault JWT auth returned no auth data' unless response&.auth
+
+        {
+          token:          response.auth.client_token,
+          lease_duration: response.auth.lease_duration,
+          renewable:      response.auth.renewable,
+          policies:       response.auth.policies,
+          metadata:       response.auth.metadata
+        }
+      rescue ::Vault::HTTPClientError => e
+        raise AuthError, "Vault JWT auth failed: #{e.message}"
+      rescue ::Vault::HTTPServerError => e
+        raise AuthError, "Vault server error during JWT auth: #{e.message}"
+      end
+
+      # Authenticate and set the Vault client token for subsequent operations.
+      # This replaces the current Vault token with the JWT-authenticated one.
+      #
+      # @return [Hash] Same as login
+      def self.login!(jwt:, role: DEFAULT_ROLE, auth_path: DEFAULT_AUTH_PATH)
+        result = login(jwt: jwt, role: role, auth_path: auth_path)
+        ::Vault.token = result[:token]
+        Legion::Logging.info "[crypt:vault_jwt] authenticated via JWT auth, policies=#{result[:policies].join(',')}"
+        result
+      end
+
+      # Issue a Legion JWT and use it to authenticate to Vault in one step.
+      # Convenience method for workers that need Vault access.
+      #
+      # @param worker_id [String] Digital worker ID
+      # @param owner_msid [String] Worker's owner MSID
+      # @param role [String] Vault JWT auth role name
+      # @return [Hash] Same as login
+      def self.worker_login(worker_id:, owner_msid:, role: DEFAULT_ROLE)
+        jwt = Legion::Crypt::JWT.issue(
+          { worker_id: worker_id, sub: owner_msid, scope: 'vault', aud: 'legion' },
+          signing_key: Legion::Crypt.cluster_secret,
+          ttl:         300,
+          issuer:      'legion'
+        )
+
+        login(jwt: jwt, role: role)
+      end
+
+      def self.vault_connected?
+        defined?(::Vault) &&
+          defined?(Legion::Settings) &&
+          Legion::Settings[:crypt][:vault][:connected] == true
+      rescue StandardError
+        false
+      end
+
+      private_class_method :vault_connected?
+    end
+  end
+end

data/lib/legion/crypt/vault_renewer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'legion/extensions/actors/every'
 
 module Legion

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.2.0'
+    VERSION = '1.4.0'
   end
 end

data/lib/legion/crypt.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
 require 'openssl'
 require 'base64'
 require 'legion/crypt/version'
 require 'legion/crypt/settings'
 require 'legion/crypt/cipher'
+require 'legion/crypt/jwt'
+require 'legion/crypt/vault_jwt_auth'
+require 'legion/crypt/lease_manager'
 
 module Legion
   module Crypt
@@ -21,6 +26,7 @@ module Legion
         ::File.write('./legionio.key', private_key) if settings[:save_private_key]
 
         connect_vault unless settings[:vault][:token].nil?
+        start_lease_manager
       end
 
       def settings
@@ -31,10 +37,57 @@ module Legion
         end
       end
 
+      def jwt_settings
+        settings[:jwt] || Legion::Crypt::Settings.jwt
+      end
+
+      def issue_token(payload = {}, ttl: nil, algorithm: nil)
+        jwt = jwt_settings
+        algo = algorithm || jwt[:default_algorithm]
+        token_ttl = ttl || jwt[:default_ttl]
+
+        signing_key = algo == 'RS256' ? private_key : settings[:cluster_secret]
+
+        Legion::Crypt::JWT.issue(payload, signing_key: signing_key, algorithm: algo, ttl: token_ttl,
+                                          issuer: jwt[:issuer])
+      end
+
+      def verify_token(token, algorithm: nil)
+        jwt = jwt_settings
+        algo = algorithm || jwt[:default_algorithm]
+
+        verification_key = algo == 'RS256' ? OpenSSL::PKey::RSA.new(public_key) : settings[:cluster_secret]
+
+        Legion::Crypt::JWT.verify(token, verification_key: verification_key, algorithm: algo,
+                                         verify_expiration: jwt[:verify_expiration],
+                                         verify_issuer: jwt[:verify_issuer],
+                                         issuer: jwt[:issuer])
+      end
+
+      def verify_external_token(token, jwks_url:, **)
+        Legion::Crypt::JWT.verify_with_jwks(token, jwks_url: jwks_url, **)
+      end
+
       def shutdown
+        Legion::Crypt::LeaseManager.instance.shutdown
         shutdown_renewer
         close_sessions
       end
+
+      private
+
+      def start_lease_manager
+        leases = settings.dig(:vault, :leases) || {}
+        return if leases.empty?
+        return unless settings.dig(:vault, :connected)
+
+        lease_manager = Legion::Crypt::LeaseManager.instance
+        lease_manager.start(leases)
+        lease_manager.start_renewal_thread
+        Legion::Logging.info "LeaseManager: #{leases.size} lease(s) initialized"
+      rescue StandardError => e
+        Legion::Logging.warn "LeaseManager startup failed: #{e.message}"
+      end
     end
   end
 end