legion-crypt 1.4.25 → 1.4.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37fe457155877f451f702c4de046bcf9bd5cabd8a86d9bbf51cd3c4484ab10ce
-  data.tar.gz: 642f9ddda00b7566be3001a847687bded7fc196a0e2330936f909b4753cb9eb3
+  metadata.gz: 5a67b420dc0efc26d3609c92e64fc8674c4edad3ad4bfbfeb75246f2fe641c4c
+  data.tar.gz: 70af06bd5f95c9c9e01582b64af5c4b92a79270acfc9a9d476f063e105e5c193
 SHA512:
-  metadata.gz: b98e831598f7a901502b59950e2ae46f4393ec2fb6fab9f2d576295905ebdad31187c170fdc70f304ce4ef1d3fd14470a0001b24000869c6e96ee3ab8ee269a8
-  data.tar.gz: 593f3909d5374c15cda3f69ae1697a59bb1b3c9a5f713aa91fde5d77656bb7a8b7b2062e618652afe7554a518e6251b219d8c3831bc9c82ddf5a6784cca1f56b
+  metadata.gz: afafc5438c996024c1a13e84349d14344dc1694437e67ffe4902525e88438299fa505371eaa4b85574718bbe0e42b2fc6ffa7fc56894706c9f7cdaabe8056443
+  data.tar.gz: 4cab2713f2bd9be3c5f7270fa64e2259a883a50c6f74dbad05c0f4e0034a0ce9b29f46a9e9b2003afaf501e24448ab382dd25f9f02e254c4f71368e123394c5f

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Legion::Crypt
 
+## [1.4.27] - 2026-03-31
+
+### Fixed
+- `connect_vault` now sets `::Vault.namespace` from `vault_namespace` setting, fixing 403 errors for non-cluster Vault connections in namespaced environments
+- Extracted `resolve_vault_address` and `log_vault_connection_error` to reduce `connect_vault` complexity
+
+## [1.4.26] - 2026-03-28
+
+### Fixed
+- `push_cs_to_vault` now rescues `StandardError` and returns `false` instead of propagating Vault errors (e.g. 403 permission denied), ensuring `set_cluster_secret` always stores the cluster secret in Settings even when the Vault write fails
+
+### Added
+- Specs for `push_cs_to_vault` rescue path: verifies the method returns false and does not raise on Vault errors, and logs a warning when `Legion::Logging` is available
+- Specs for `set_cluster_secret` confirming Settings assignment completes when Vault push returns false
+
 ## [1.4.25] - 2026-03-28
 
 ### Fixed

data/lib/legion/crypt/cluster_secret.rb

@@ -103,6 +103,9 @@ module Legion
 
         Legion::Logging.info 'Pushing Cluster Secret to Vault'
         Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
+      rescue StandardError => e
+        Legion::Logging.warn("push_cs_to_vault failed: #{e.message}") if defined?(Legion::Logging)
+        false
       end
 
       def cluster_secret_timeout

data/lib/legion/crypt/vault.rb

@@ -15,35 +15,20 @@ module Legion
       def connect_vault
         @sessions = []
         vault_settings = Legion::Settings[:crypt][:vault]
-        protocol = vault_settings[:protocol] || 'http'
-        address  = vault_settings[:address] || 'localhost'
-        port     = vault_settings[:port] || 8200
-
-        if address.match?(%r{\Ahttps?://})
-          uri = URI.parse(address)
-          protocol = uri.scheme
-          address  = uri.host
-          port     = uri.port if vault_settings[:port].nil?
-        end
-
-        ::Vault.address = "#{protocol}://#{address}:#{port}"
+        ::Vault.address = resolve_vault_address(vault_settings)
 
         Legion::Settings[:crypt][:vault][:token] = ENV['VAULT_DEV_ROOT_TOKEN_ID'] if ENV.key? 'VAULT_DEV_ROOT_TOKEN_ID'
         return nil if Legion::Settings[:crypt][:vault][:token].nil?
 
         ::Vault.token = Legion::Settings[:crypt][:vault][:token]
+        namespace = vault_settings[:vault_namespace]
+        ::Vault.namespace = namespace if namespace
         if vault_healthy?
           Legion::Settings[:crypt][:vault][:connected] = true
-          Legion::Logging.info "Vault connected at #{::Vault.address}" if defined?(Legion::Logging)
+          Legion::Logging.info "Vault connected at #{::Vault.address} (namespace=#{namespace || 'none'})" if defined?(Legion::Logging)
         end
       rescue StandardError => e
-        if defined?(Legion::Logging) && Legion::Logging.respond_to?(:log_exception)
-          Legion::Logging.log_exception(e, lex: 'crypt', component_type: :helper)
-        elsif defined?(Legion::Logging) && Legion::Logging.respond_to?(:error)
-          Legion::Logging.error "Vault connection failed: #{e.class}=#{e.message}\n#{Array(e.backtrace).first(10).join("\n")}"
-        else
-          warn "Vault connection failed: #{e.class}=#{e.message}"
-        end
+        log_vault_connection_error(e)
         Legion::Settings[:crypt][:vault][:connected] = false
         false
       end
@@ -206,6 +191,31 @@ module Legion
         data[:data]
       end
 
+      def resolve_vault_address(vault_settings)
+        protocol = vault_settings[:protocol] || 'http'
+        address  = vault_settings[:address] || 'localhost'
+        port     = vault_settings[:port] || 8200
+
+        if address.match?(%r{\Ahttps?://})
+          uri = URI.parse(address)
+          protocol = uri.scheme
+          address  = uri.host
+          port     = uri.port if vault_settings[:port].nil?
+        end
+
+        "#{protocol}://#{address}:#{port}"
+      end
+
+      def log_vault_connection_error(error)
+        if defined?(Legion::Logging) && Legion::Logging.respond_to?(:log_exception)
+          Legion::Logging.log_exception(error, lex: 'crypt', component_type: :helper)
+        elsif defined?(Legion::Logging) && Legion::Logging.respond_to?(:error)
+          Legion::Logging.error "Vault connection failed: #{error.class}=#{error.message}\n#{Array(error.backtrace).first(10).join("\n")}"
+        else
+          warn "Vault connection failed: #{error.class}=#{error.message}"
+        end
+      end
+
       def log_vault_debug(message)
         Legion::Logging.debug(message) if defined?(Legion::Logging)
       end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.4.25'
+    VERSION = '1.4.27'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.25
+  version: 1.4.27
 platform: ruby
 authors:
 - Esity