RubyGems - legion-crypt - Versions diffs - 1.4.13 → 1.4.15 - Mend

legion-crypt 1.4.13 → 1.4.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -0
data/CLAUDE.md +1 -1
data/lib/legion/crypt/kerberos_auth.rb +23 -6
data/lib/legion/crypt/vault.rb +23 -5
data/lib/legion/crypt/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59b6f53757eb825da7b0c635589149793c015d59c422b90916706bae8e796e1d
-  data.tar.gz: 4879d7e405f5bf0da54b488ac38c1bdba708280bd63d112da3ef487c467039f2
+  metadata.gz: 5f43eee9680197c62f53f2a7ed8c77eee725f7f01744c32e5ad0115fdfb2ad21
+  data.tar.gz: 3ba3cd7da0684d8a9ec68d23797d487240035dc2f5e07fdba7ab0cfb1727dafe
 SHA512:
-  metadata.gz: 6fee90f414f31a34f7f75713c9856b2644a4a74986182d19921aa2731db4a13b6a346417bacccbf449ab2a29fe5b6562d1fd4ba77a6adbba1a9b03c8c04c93e3
-  data.tar.gz: 36042a488a032df98488493270a9976d526400981ecb62277f9454dd5d6cdeac2be9425c1c9b755004fd3c8fe5814347a55659eb32baa95fd53437859150720b
+  metadata.gz: 79fe4cd8653f9a09c3c2f6acc7da403e00d8a8e05b6fb6f488fb25a3c8fadfcbee00cc1ffa7e31319840025a5d622d2b1b6a32210ff0cd9141a04aef26c27e59
+  data.tar.gz: b691e62e093b3504d7e7da0501cda48aca9ae705429ed1d5caf97dd3ab7a9b7f87826a8d0cf4dabbff01e1f755d7cee555d74dee85754f7206feb5cadbfdd8f8

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 # Legion::Crypt
+## [1.4.15] - 2026-03-26
+### Fixed
+- Route `get`, `write`, `read`, `delete`, `exist?` through default cluster client when multi-cluster Vault is configured (#1)
+- Previously these methods used the global `::Vault` singleton which was never initialized when clusters were present, causing 403 errors against the wrong Vault server
+## [1.4.14] - 2026-03-26
+### Fixed
+- Vault Kerberos auth: send SPNEGO token as HTTP `Authorization` header instead of JSON body (Vault plugin reads headers, not body)
+- Vault Kerberos auth: clear client namespace before auth request (Kerberos mount is at root namespace, not child)
+- Vault Kerberos auth: use `Vault::SecretAuth#renewable?` accessor (not `#renewable`)
 ## [1.4.13] - 2026-03-25
 ### Added

data/CLAUDE.md CHANGED Viewed

@@ -8,7 +8,7 @@
 Handles encryption, decryption, secrets management, JWT token management, and HashiCorp Vault connectivity for the LegionIO framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
 **GitHub**: https://github.com/LegionIO/legion-crypt
-**Version**: 1.4.7
+**Version**: 1.4.15
 **License**: Apache-2.0
 ## Architecture

data/lib/legion/crypt/kerberos_auth.rb CHANGED Viewed

@@ -43,17 +43,34 @@ module Legion
         end
         def exchange_token(vault_client, spnego_token, auth_path)
-          response = vault_client.logical.write(auth_path, authorization: "Negotiate #{spnego_token}")
+          # Kerberos auth is mounted at the root namespace. Temporarily
+          # clear the client namespace so the request reaches the correct
+          # mount path, then restore it for subsequent operations.
+          saved_ns = vault_client.namespace
+          vault_client.namespace = nil
+          # The Vault Kerberos plugin reads the SPNEGO token from the HTTP
+          # Authorization header, not the JSON body.
+          json = vault_client.put(
+            "/v1/#{auth_path}",
+            '{}',
+            'Authorization' => "Negotiate #{spnego_token}"
+          )
+          response = ::Vault::Secret.decode(json)
           raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth
+          vault_client.namespace = saved_ns
+          auth = response.auth
           {
-            token:          response.auth.client_token,
-            lease_duration: response.auth.lease_duration,
-            renewable:      response.auth.renewable,
-            policies:       response.auth.policies,
-            metadata:       response.auth.metadata
+            token:          auth.client_token,
+            lease_duration: auth.lease_duration,
+            renewable:      auth.renewable?,
+            policies:       auth.policies,
+            metadata:       auth.metadata
           }
         rescue ::Vault::HTTPClientError => e
+          vault_client.namespace = saved_ns if saved_ns
           raise AuthError, "Vault Kerberos auth failed: #{e.message}"
         end
       end

data/lib/legion/crypt/vault.rb CHANGED Viewed

@@ -45,7 +45,7 @@ module Legion
       def read(path, type = 'legion')
         full_path = type.nil? || type.empty? ? "#{type}/#{path}" : path
         Legion::Logging.debug "Vault read: #{full_path}" if defined?(Legion::Logging)
-        lease = ::Vault.logical.read(full_path)
+        lease = logical_client.read(full_path)
         add_session(path: lease.lease_id) if lease.respond_to? :lease_id
         lease.data
       rescue StandardError => e
@@ -55,7 +55,7 @@ module Legion
       def get(path)
         Legion::Logging.debug "Vault kv get: #{path}" if defined?(Legion::Logging)
-        result = ::Vault.kv(settings[:vault][:kv_path]).read(path)
+        result = kv_client.read(path)
         return nil if result.nil?
         result.data
@@ -66,14 +66,14 @@ module Legion
       def write(path, **hash)
         Legion::Logging.debug "Vault kv write: #{path}" if defined?(Legion::Logging)
-        ::Vault.kv(settings[:vault][:kv_path]).write(path, **hash)
+        kv_client.write(path, **hash)
       rescue StandardError => e
         Legion::Logging.warn "Vault kv write failed at #{path}: #{e.message}" if defined?(Legion::Logging)
         raise
       end
       def delete(path)
-        ::Vault.logical.delete(path)
+        logical_client.delete(path)
         { success: true, path: path }
       rescue StandardError => e
         Legion::Logging.warn "Vault delete failed for #{path}: #{e.message}" if defined?(Legion::Logging)
@@ -81,7 +81,7 @@ module Legion
       end
       def exist?(path)
-        !::Vault.kv(settings[:vault][:kv_path]).read_metadata(path).nil?
+        !kv_client.read_metadata(path).nil?
       end
       def add_session(path:)
@@ -140,6 +140,24 @@ module Legion
       def vault_exists?(name)
         ::Vault.sys.mounts.key?(name.to_sym)
       end
+      private
+      def kv_client
+        if respond_to?(:connected_clusters) && connected_clusters.any?
+          vault_client.kv(settings[:vault][:kv_path])
+        else
+          ::Vault.kv(settings[:vault][:kv_path])
+        end
+      end
+      def logical_client
+        if respond_to?(:connected_clusters) && connected_clusters.any?
+          vault_client.logical
+        else
+          ::Vault.logical
+        end
+      end
     end
   end
 end

data/lib/legion/crypt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Legion
   module Crypt
-    VERSION = '1.4.13'
+    VERSION = '1.4.15'
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.13
+  version: 1.4.15
 platform: ruby
 authors:
 - Esity