legion-crypt 1.4.16 → 1.4.19

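--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: 6ff70cf0304e424576841101c5c3399bded877b2995200049a76d7741f008bdf
- data.tar.gz: 7440aa2dfb8246fac7cb115bbed096a9ee7dd21b7538efdea69388a3293df313
+ metadata.gz: e3a746c03498b392437f0d7db81caca5f6daa84aeda465bbf0db71bb898d25f1
+ data.tar.gz: d27dfcdfa9032fa6bc8df4174f370c7896151c746bf8b810421d1c28d5d8e51b
 SHA512:
- metadata.gz: 10d2966123e6e1764e039001f8543f56abd5b2239293947ade3d0db69dcbe80e5117e8ef948b3bbbbdd42d42ce31bdf539c2f4d3a2a0007afcdcb7308286f6fd
- data.tar.gz: c226b7ac31c8a8dc310224c4d7fb8501da35ac4489cfa144d469ca4d1a96a4fa9337e23d43b5725c893c95a47e52f8503378cb2d9f743cf3b45b963d7b8dfe28
+ metadata.gz: 9e3a72a7a2fc6b78439f582b33c3c667fb40f1ef86c8a0201fb53e38d2d122e3689fa3496e11df36e5085a551753d58864a8033bc2cb028662922d87ce7afc9a
+ data.tar.gz: ab485a6da390007f060067bcca2863a5585fd6845f2dfc023658d48c6195364af7f99bf86f2492830d7991ae6a600a43fbd819d715412ca3f9c210fa95a830e3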
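--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Legion::Crypt
 
+## [1.4.19] - 2026-03-26
+
+### Fixed
+- `LeaseManager`, `VaultJwtAuth`, `LdapAuth`, `VaultKerberosAuth`: use `renewable?` instead of `renewable` to match Vault gem API
+- `LeaseManager#fetch`: handle string/symbol key mismatch between resolver (strings) and cache (symbols)
+- `VaultCluster#connect_all_clusters`: set top-level `vault.connected` flag after any cluster connects via Kerberos/LDAP
+- `Vault#add_session`: guard `@sessions` with lazy init to prevent nil error when using cluster-based auth
+
+## [1.4.18] - 2026-03-26
+
+### Fixed
+- `KerberosAuth.login`: clear `@kerberos_principal` at the start of each login attempt so a failed re-auth does not leave a stale principal from a previous successful login
+
+### Added
+- `crypt_spec.rb`: delegation spec for `Legion::Crypt.kerberos_principal`
+- `kerberos_auth_spec.rb`: spec verifying stale principal is cleared before a failing login attempt
+
+## [1.4.17] - 2026-03-26
+
+### Added
+- Store Kerberos principal after successful SPNEGO authentication (`KerberosAuth.kerberos_principal`)
+- Expose `Legion::Crypt.kerberos_principal` delegation
+
 ## [1.4.16] - 2026-03-26
 
 ### Changed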
@@ -8,11 +8,20 @@ module Legion
8
8
 
9
9
  DEFAULT_AUTH_PATH = 'auth/kerberos/login'
10
10
 
11
+ @kerberos_principal = nil
12
+
13
+ class << self
14
+ attr_reader :kerberos_principal
15
+ end
16
+
11
17
  def self.login(vault_client:, service_principal:, auth_path: DEFAULT_AUTH_PATH)
12
18
  raise GemMissingError, 'lex-kerberos gem is required for Kerberos auth' unless spnego_available?
13
19
 
20
+ @kerberos_principal = nil
14
21
  token = obtain_token(service_principal)
15
- exchange_token(vault_client, token, auth_path)
22
+ result = exchange_token(vault_client, token, auth_path)
23
+ @kerberos_principal = result[:metadata]&.dig('username') || result[:metadata]&.dig(:username)
24
+ result
16
25
  end
17
26
 
18
27
  def self.spnego_available?
@@ -29,6 +38,7 @@ module Legion
29
38
 
30
39
  def self.reset!
31
40
  @spnego_available = nil
41
+ @kerberos_principal = nil
32
42
  end
33
43
 
34
44
  class << self
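Review bot: The added line `@kerberos_principal = result[:metadata]&.dig('username') || result[:metadata]&.dig(:username)` stores the principal in a single module-level slot, so it records only the most recent login in the process; when more than one cluster or thread logs in, one login's principal overwrites another's and a reader of `kerberos_principal` cannot tell which session it belongs to. Clearing the slot at the top of `login` (as the hunk does) makes that window wider, since a concurrent reader sees nil mid-login. If per-session attribution matters, also carry the value on the returned hash, e.g. `result[:principal] = @kerberos_principal` before `result`, so callers holding the session keep the right principal. The `attr_reader :kerberos_principal` should say what it is, e.g. `# Username Vault reported for the most recent successful login in this process (shared across clusters/threads); nil after a failed login or reset!`.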
@@ -12,10 +12,11 @@ module Legion
12
12
 
13
13
  clusters[cluster_name][:token] = token
14
14
  clusters[cluster_name][:connected] = true
15
+ mark_vault_connected
15
16
 
16
17
  Legion::Logging.info "LDAP login success: user=#{username}, cluster=#{cluster_name}" if defined?(Legion::Logging)
17
18
  { token: token, lease_duration: auth.lease_duration,
18
- renewable: auth.renewable, policies: auth.policies }
19
+ renewable: auth.renewable?, policies: auth.policies }
19
20
  rescue StandardError => e
20
21
  Legion::Logging.warn "LDAP login failed: user=#{username}, cluster=#{cluster_name}: #{e.message}" if defined?(Legion::Logging)
21
22
  raise
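Review bot: The added call `mark_vault_connected` inside `login` has no definition in this hunk; the private `mark_vault_connected` introduced in this release appears in a different file (the `@@ -60,11 +60,19 @@` hunk), so unless LdapAuth defines or includes an equivalent of its own, this raises NoMethodError after the token has already been written to `clusters[cluster_name]`, and the `rescue StandardError => e` below logs "LDAP login failed" and re-raises even though the cluster is now connected. If LdapAuth does have the method in scope, the call may still be redundant with the `mark_vault_connected if results.any? { |_, v| v }` added to `connect_all_clusters`, and a one-line comment (`# also flips the top-level vault.connected flag; see VaultCluster`) would make the double write intentional. The enclosing `login` method starts before this hunk.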
@@ -33,7 +33,7 @@ module Legion
33
33
  @active_leases[name] = {
34
34
  lease_id: response.lease_id,
35
35
  lease_duration: response.lease_duration,
36
- renewable: response.renewable,
36
+ renewable: response.renewable?,
37
37
  expires_at: Time.now + (response.lease_duration || 0),
38
38
  fetched_at: Time.now
39
39
  }
@@ -45,7 +45,7 @@ module Legion
45
45
  end
46
46
 
47
47
  def fetch(name, key)
48
- data = @lease_cache[name]
48
+ data = @lease_cache[name.to_sym] || @lease_cache[name.to_s]
49
49
  return nil unless data
50
50
 
51
51
  data[key.to_sym] || data[key.to_s]
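Review bot: The new lookup `data = @lease_cache[name.to_sym] || @lease_cache[name.to_s]` fixes the mismatch at read time, while the writes (`@active_leases[name] = {` in the first hunk, and presumably the cache fill that is not shown) keep storing under whatever type `name` arrives as; normalising once at the write site (`name = name.to_sym`) would let `fetch` do a single lookup. Separately, the same `||` fallback on the existing line `data[key.to_sym] || data[key.to_s]` drops a legitimate `false`: now that `renewable: response.renewable?` stores a boolean, `fetch(name, :renewable)` for a non-renewable lease returns nil instead of false. `data.key?(key.to_sym) ? data[key.to_sym] : data[key.to_s]` keeps the value.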
@@ -85,6 +85,7 @@ module Legion
85
85
  end
86
86
 
87
87
  def add_session(path:)
88
+ @sessions ||= []
88
89
  @sessions.push(path)
89
90
  end
90
91
 
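Review bot: `@sessions ||= []` removes the nil error only inside `add_session`; any other method that reads `@sessions` (none is visible in this hunk) still sees nil on the cluster-auth path unless it carries the same guard, so initialising `@sessions = []` where the cluster-auth code sets up the rest of the Vault state would fix it once. If the lazy init stays, a comment such as `# cluster-based auth bypasses the setup path that normally initialises @sessions` would explain why the guard lives here rather than in the constructor.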
@@ -60,11 +60,19 @@ module Legion
60
60
  results[name] = false
61
61
  log_vault_error(name, e)
62
62
  end
63
+
64
+ mark_vault_connected if results.any? { |_, v| v }
63
65
  results
64
66
  end
65
67
 
66
68
  private
67
69
 
70
+ def mark_vault_connected
71
+ return unless defined?(Legion::Settings)
72
+
73
+ Legion::Settings[:crypt][:vault][:connected] = true
74
+ end
75
+
68
76
  def resolve_cluster_name(name)
69
77
  return name.to_sym if name
70
78
 
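Review bot: `mark_vault_connected` guards only `defined?(Legion::Settings)` and then indexes `Legion::Settings[:crypt][:vault][:connected] = true`; if `[:crypt]` or `[:vault]` is missing at that point (assuming Settings returns nil for absent keys), the method raises NoMethodError on nil, and because it runs after the per-cluster `rescue`, a partially successful `connect_all_clusters` now fails after its results were built. Something like `vault = Legion::Settings[:crypt]&.[](:vault)` followed by `vault[:connected] = true if vault` keeps the call best-effort. The flag is also one-way: nothing in this release clears it when clusters later disconnect, so `vault.connected` can report stale availability to callers that use it to decide whether Vault is reachable; the method should at least carry a comment saying the flag is only ever set here. `results.any? { |_, v| v }` reads more directly as `results.values.any?`.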
@@ -39,7 +39,7 @@ module Legion
39
39
  {
40
40
  token: response.auth.client_token,
41
41
  lease_duration: response.auth.lease_duration,
42
- renewable: response.auth.renewable,
42
+ renewable: response.auth.renewable?,
43
43
  policies: response.auth.policies,
44
44
  metadata: response.auth.metadata
45
45
  }
@@ -16,7 +16,7 @@ module Legion
16
16
  {
17
17
  token: response.auth.client_token,
18
18
  lease_duration: response.auth.lease_duration,
19
- renewable: response.auth.renewable,
19
+ renewable: response.auth.renewable?,
20
20
  policies: response.auth.policies,
21
21
  metadata: response.auth.metadata
22
22
  }
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Legion
4
4
  module Crypt
5
- VERSION = '1.4.16'
5
+ VERSION = '1.4.19'
6
6
  end
7
7
  end
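--- a/data/lib/legion/crypt.rb
+++ b/data/lib/legion/crypt.rb
@@ -34,6 +34,10 @@ module Legion
 Legion::Settings[:crypt][:vault]
 end
 
+ def kerberos_principal
+ KerberosAuth.kerberos_principal
+ end
+
 def start
 Legion::Logging.debug 'Legion::Crypt is running start'
 ::File.write('./legionio.key', private_key) if settings[:save_private_key]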
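Review bot: The new delegator `def kerberos_principal` has no documentation, and because it forwards module-level state set by `KerberosAuth.login`, callers need to know it reflects the last successful login in the process rather than any particular session, and that it is nil after a failed re-authentication or `KerberosAuth.reset!`. Suggested YARD above the method: `# @return [String, nil] username Vault reported for the most recent successful Kerberos login, or nil when none has succeeded or the last attempt failed`. The enclosing singleton/module block starts before this hunk.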
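--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
- version: 1.4.16
+ version: 1.4.19
 platform: ruby
 authors:
 - Esity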