RubyGems - legion-crypt - Versions diffs - 1.4.28 → 1.5.0 - Mend

legion-crypt 1.4.28 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +29 -0
data/Gemfile +1 -0
data/legion-crypt.gemspec +1 -0
data/lib/legion/crypt/attestation.rb +18 -8
data/lib/legion/crypt/cert_rotation.rb +54 -42
data/lib/legion/crypt/cipher.rb +106 -15
data/lib/legion/crypt/cluster_secret.rb +41 -39
data/lib/legion/crypt/ed25519.rb +58 -18
data/lib/legion/crypt/erasure.rb +21 -8
data/lib/legion/crypt/jwks_client.rb +37 -9
data/lib/legion/crypt/jwt.rb +75 -31
data/lib/legion/crypt/kerberos_auth.rb +23 -13
data/lib/legion/crypt/ldap_auth.rb +12 -4
data/lib/legion/crypt/lease_manager.rb +126 -73
data/lib/legion/crypt/mtls.rb +14 -1
data/lib/legion/crypt/partition_keys.rb +15 -5
data/lib/legion/crypt/settings.rb +18 -12
data/lib/legion/crypt/spiffe/identity_helpers.rb +18 -11
data/lib/legion/crypt/spiffe/svid_rotation.rb +23 -33
data/lib/legion/crypt/spiffe/workload_api_client.rb +61 -17
data/lib/legion/crypt/spiffe.rb +18 -4
data/lib/legion/crypt/tls.rb +14 -10
data/lib/legion/crypt/token_renewer.rb +29 -26
data/lib/legion/crypt/vault.rb +57 -45
data/lib/legion/crypt/vault_cluster.rb +35 -17
data/lib/legion/crypt/vault_jwt_auth.rb +17 -4
data/lib/legion/crypt/vault_kerberos_auth.rb +11 -1
data/lib/legion/crypt/version.rb +1 -1
data/lib/legion/crypt.rb +69 -32
data/lib/legion/logging/helper.rb +98 -0
data/lib/legion/logging.rb +58 -0
metadata +17 -1

data/lib/legion/crypt/lease_manager.rb CHANGED Viewed

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
+require 'legion/logging/helper'
 require 'singleton'
 module Legion
   module Crypt
     class LeaseManager
       include Singleton
+      include Legion::Logging::Helper
       RENEWAL_CHECK_INTERVAL = 5
@@ -15,18 +17,20 @@ module Legion
         @refs = {}
         @running = false
         @renewal_thread = nil
+        @state_mutex = Mutex.new
       end
       def start(definitions, vault_client: nil)
-        @vault_client = vault_client
+        @state_mutex.synchronize { @vault_client = vault_client }
         return if definitions.nil? || definitions.empty?
+        log.info "LeaseManager start requested definitions=#{definitions.size}"
         definitions.each do |name, opts|
           path = opts['path'] || opts[:path]
           next unless path
           if lease_valid?(name)
-            log_debug("LeaseManager: reusing valid cached lease for '#{name}'")
+            log.debug("LeaseManager: reusing valid cached lease for '#{name}'")
             next
           end
@@ -35,52 +39,59 @@ module Legion
           begin
             response = logical.read(path)
             unless response
-              log_warn("LeaseManager: no data at '#{name}' (#{path}) — path may not exist or role not configured")
+              log.warn("LeaseManager: no data at '#{name}' (#{path}) — path may not exist or role not configured")
               next
             end
-            @lease_cache[name] = response.data || {}
-            @active_leases[name] = {
-              lease_id:       response.lease_id,
-              lease_duration: response.lease_duration,
-              renewable:      response.renewable?,
-              expires_at:     Time.now + (response.lease_duration || 0),
-              fetched_at:     Time.now
-            }
-            log_debug("LeaseManager: fetched lease for '#{name}' from #{path}")
+            @state_mutex.synchronize do
+              @lease_cache[name] = response.data || {}
+              @active_leases[name] = {
+                lease_id:       response.lease_id,
+                lease_duration: response.lease_duration,
+                renewable:      response.renewable?,
+                expires_at:     Time.now + (response.lease_duration || 0),
+                fetched_at:     Time.now
+              }
+            end
+            log.info("LeaseManager: fetched lease for '#{name}' from #{path}")
           rescue StandardError => e
-            log_warn("LeaseManager: failed to fetch lease '#{name}' from #{path}: #{e.message}")
+            handle_exception(e, level: :warn, operation: 'crypt.lease_manager.start', lease_name: name, path: path)
+            log.warn("LeaseManager: failed to fetch lease '#{name}' from #{path}: #{e.message}")
           end
         end
       end
       def fetched_count
-        @active_leases.size
+        @state_mutex.synchronize { @active_leases.size }
       end
       def fetch(name, key)
-        data = @lease_cache[name.to_sym] || @lease_cache[name.to_s]
+        data = @state_mutex.synchronize do
+          @lease_cache[name.to_sym] || @lease_cache[name.to_s]
+        end
         return nil unless data
         data[key.to_sym] || data[key.to_s]
       end
       def lease_data(name)
-        @lease_cache[name]
+        @state_mutex.synchronize { @lease_cache[name] }
       end
       attr_reader :active_leases
       def register_ref(name, key, path)
-        @refs[name] ||= {}
-        @refs[name][key] = path
+        @state_mutex.synchronize do
+          @refs[name] ||= {}
+          @refs[name][key] = path
+        end
       end
       def push_to_settings(name)
-        refs = @refs[name]
+        refs, data = @state_mutex.synchronize do
+          [@refs[name]&.dup, @lease_cache[name]&.dup]
+        end
         return if refs.nil? || refs.empty?
-        data = @lease_cache[name]
         return unless data
         refs.each do |key, path|
@@ -88,80 +99,110 @@ module Legion
           write_setting(path, value)
         end
-        log_debug("Lease '#{name}' rotated — updated #{refs.size} settings reference(s)")
+        log.info("Lease '#{name}' rotated — updated #{refs.size} settings reference(s)")
       end
       def start_renewal_thread
-        return if renewal_thread_alive?
+        @state_mutex.synchronize do
+          return if @renewal_thread&.alive?
-        @running = true
-        @renewal_thread = Thread.new { renewal_loop }
+          @running = true
+          @renewal_thread = Thread.new { renewal_loop }
+        end
+        log.info 'LeaseManager renewal thread started'
       end
       def renewal_thread_alive?
-        @renewal_thread&.alive? || false
+        @state_mutex.synchronize { @renewal_thread&.alive? || false }
       end
       def shutdown
+        log.info 'LeaseManager shutdown requested'
         stop_renewal_thread
-        @active_leases.each do |name, meta|
+        leases = @state_mutex.synchronize { @active_leases.dup }
+        leases.each do |name, meta|
           lease_id = meta[:lease_id]
           next if lease_id.nil? || lease_id.empty?
           begin
             sys.revoke(lease_id)
-            log_debug("LeaseManager: revoked lease '#{name}' (#{lease_id})")
+            log.debug("LeaseManager: revoked lease '#{name}' (#{lease_id})")
           rescue StandardError => e
-            log_warn("LeaseManager: failed to revoke lease '#{name}' (#{lease_id}): #{e.message}")
+            handle_exception(e, level: :warn, operation: 'crypt.lease_manager.shutdown', lease_name: name)
+            log.warn("LeaseManager: failed to revoke lease '#{name}' (#{lease_id}): #{e.message}")
           end
         end
-        @lease_cache.clear
-        @active_leases.clear
-        @refs.clear
-        @vault_client = nil
+        @state_mutex.synchronize do
+          @lease_cache.clear
+          @active_leases.clear
+          @refs.clear
+          @vault_client = nil
+        end
+        log.info 'LeaseManager shutdown complete'
       end
       def reset!
-        @running = false
-        @lease_cache.clear
-        @active_leases.clear
-        @refs.clear
-        @vault_client = nil
+        @state_mutex.synchronize do
+          @running = false
+          @lease_cache.clear
+          @active_leases.clear
+          @refs.clear
+          @vault_client = nil
+          @renewal_thread = nil
+        end
       end
       private
       def logical
-        @vault_client ? @vault_client.logical : ::Vault.logical
+        client = @state_mutex.synchronize { @vault_client }
+        client ? client.logical : ::Vault.logical
       end
       def sys
-        @vault_client ? @vault_client.sys : ::Vault.sys
+        client = @state_mutex.synchronize { @vault_client }
+        client ? client.sys : ::Vault.sys
       end
       def stop_renewal_thread
-        @running = false
-        if @renewal_thread&.alive?
-          @renewal_thread.kill
-          @renewal_thread.join(2)
+        thread = @state_mutex.synchronize do
+          @running = false
+          @renewal_thread
+        end
+        return unless thread
+        begin
+          thread.wakeup if thread.alive?
+        rescue ThreadError => e
+          handle_exception(e, level: :debug, operation: 'crypt.lease_manager.stop_renewal_thread')
+        end
+        thread.join(2)
+        if thread.alive?
+          log.warn 'LeaseManager renewal thread did not stop within timeout'
+        else
+          @state_mutex.synchronize { @renewal_thread = nil }
+          log.debug 'LeaseManager renewal thread stopped'
         end
-        @renewal_thread = nil
       end
       def renewal_loop
-        while @running
-          sleep(RENEWAL_CHECK_INTERVAL)
-          renew_approaching_leases if @running
+        while running?
+          interruptible_sleep(RENEWAL_CHECK_INTERVAL)
+          renew_approaching_leases if running?
         end
       rescue StandardError => e
-        log_warn("LeaseManager: renewal loop error: #{e.message}")
-        retry if @running
+        handle_exception(e, level: :error, operation: 'crypt.lease_manager.renewal_loop')
+        log.error("LeaseManager: renewal loop error: #{e.message}")
+        retry if running?
       end
       def renew_approaching_leases
-        @active_leases.each do |name, lease|
+        leases = @state_mutex.synchronize { @active_leases.keys }
+        leases.each do |name|
+          lease = @state_mutex.synchronize { @active_leases[name]&.dup }
+          next unless lease
           next unless lease[:renewable]
           next unless approaching_expiry?(lease)
@@ -171,18 +212,28 @@ module Legion
       def renew_lease(name, lease)
         response = sys.renew(lease[:lease_id])
-        lease[:expires_at] = Time.now + (response.lease_duration || 0)
+        @state_mutex.synchronize do
+          current_lease = @active_leases[name]
+          next unless current_lease
+          current_lease[:lease_duration] = response.lease_duration if response.respond_to?(:lease_duration)
+          current_lease[:renewable] = response.renewable? if response.respond_to?(:renewable?)
+          current_lease[:expires_at] = Time.now + (response.lease_duration || 0)
+        end
+        log.info("LeaseManager: renewed lease '#{name}'")
-        if response.data && response.data != @lease_cache[name]
-          @lease_cache[name] = response.data
+        cached_data = @state_mutex.synchronize { @lease_cache[name] }
+        if response.data && response.data != cached_data
+          @state_mutex.synchronize { @lease_cache[name] = response.data }
           push_to_settings(name)
         end
       rescue StandardError => e
-        log_warn("LeaseManager: failed to renew lease '#{name}': #{e.message}")
+        handle_exception(e, level: :warn, operation: 'crypt.lease_manager.renew_lease', lease_name: name)
+        log.warn("LeaseManager: failed to renew lease '#{name}': #{e.message}")
       end
       def lease_valid?(name)
-        meta = @active_leases[name]
+        meta = @state_mutex.synchronize { @active_leases[name]&.dup }
         return false unless meta
         expires_at = meta[:expires_at]
@@ -192,7 +243,7 @@ module Legion
       end
       def revoke_expired_lease(name)
-        meta = @active_leases[name]
+        meta = @state_mutex.synchronize { @active_leases[name]&.dup }
         return unless meta
         lease_id = meta[:lease_id]
@@ -200,12 +251,15 @@ module Legion
         begin
           sys.revoke(lease_id)
-          log_debug("LeaseManager: revoked expired lease '#{name}' (#{lease_id}) before re-fetch")
+          log.debug("LeaseManager: revoked expired lease '#{name}' (#{lease_id}) before re-fetch")
         rescue StandardError => e
-          log_warn("LeaseManager: failed to revoke expired lease '#{name}' (#{lease_id}): #{e.message}")
+          handle_exception(e, level: :warn, operation: 'crypt.lease_manager.revoke_expired_lease', lease_name: name)
+          log.warn("LeaseManager: failed to revoke expired lease '#{name}' (#{lease_id}): #{e.message}")
         ensure
-          @active_leases.delete(name)
-          @lease_cache.delete(name)
+          @state_mutex.synchronize do
+            @active_leases.delete(name)
+            @lease_cache.delete(name)
+          end
         end
       end
@@ -229,22 +283,21 @@ module Legion
         end
         target[path.last] = value if target.is_a?(Hash)
       rescue StandardError => e
-        log_warn("LeaseManager: failed to write setting at #{path.join('.')}: #{e.message}")
+        handle_exception(e, level: :warn, operation: 'crypt.lease_manager.write_setting', path: path.join('.'))
+        log.warn("LeaseManager: failed to write setting at #{path.join('.')}: #{e.message}")
       end
-      def log_debug(message)
-        if defined?(Legion::Logging)
-          Legion::Logging.debug(message)
-        else
-          $stdout.puts("[DEBUG] #{message}")
-        end
+      def running?
+        @state_mutex.synchronize { @running }
       end
-      def log_warn(message)
-        if defined?(Legion::Logging)
-          Legion::Logging.warn(message)
-        else
-          warn("[WARN] #{message}")
+      def interruptible_sleep(seconds)
+        deadline = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + seconds
+        loop do
+          remaining = deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
+          break if remaining <= 0 || !running?
+          sleep([remaining, 1.0].min)
         end
       end
     end

data/lib/legion/crypt/mtls.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require 'legion/logging/helper'
 require 'socket'
 module Legion
@@ -7,6 +8,7 @@ module Legion
     module Mtls
       DEFAULT_PKI_PATH = 'pki/issue/legion-internal'
       DEFAULT_TTL      = '24h'
+      extend Legion::Logging::Helper
       class << self
         def enabled?
@@ -29,6 +31,7 @@ module Legion
         def issue_cert(common_name:, ttl: nil)
           resolved_ttl = ttl || cert_ttl_setting || DEFAULT_TTL
+          log.info "[mTLS] certificate issue requested common_name=#{common_name} ttl=#{resolved_ttl}"
           response = ::Vault.logical.write(
             pki_path,
@@ -49,10 +52,16 @@ module Legion
             serial:   data[:serial_number],
             expiry:   Time.at(data[:expiration].to_i)
           }
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.mtls.issue_cert', common_name: common_name, ttl: resolved_ttl)
+          raise
         end
         def local_ip
           Socket.ip_address_list.find { |a| a.ipv4? && !a.ipv4_loopback? }&.ip_address || '127.0.0.1'
+        rescue StandardError => e
+          handle_exception(e, level: :warn, operation: 'crypt.mtls.local_ip')
+          '127.0.0.1'
         end
         private
@@ -61,7 +70,8 @@ module Legion
           return nil unless defined?(Legion::Settings)
           Legion::Settings[:security]
-        rescue StandardError
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.mtls.safe_security_settings')
           nil
         end
@@ -71,6 +81,9 @@ module Legion
           mtls = security[:mtls] || security['mtls'] || {}
           mtls[:cert_ttl] || mtls['cert_ttl']
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.mtls.cert_ttl_setting')
+          nil
         end
       end
     end

data/lib/legion/crypt/partition_keys.rb CHANGED Viewed

@@ -1,20 +1,27 @@
 # frozen_string_literal: true
 require 'openssl'
+require 'legion/logging/helper'
 module Legion
   module Crypt
     module PartitionKeys
+      extend Legion::Logging::Helper
       class << self
         def derive_key(master_key:, tenant_id:, context: nil)
           context ||= begin
             Legion::Settings[:crypt][:partition_keys][:derivation_context]
-          rescue StandardError
+          rescue StandardError => e
+            handle_exception(e, level: :debug, operation: 'crypt.partition_keys.derivation_context', tenant_id: tenant_id)
             nil
           end || 'legion-partition'
-          Legion::Logging.debug "PartitionKeys key derivation for tenant #{tenant_id}" if defined?(Legion::Logging)
+          log.debug "PartitionKeys deriving key for tenant #{tenant_id}"
           salt = OpenSSL::Digest::SHA256.digest(tenant_id.to_s)
           OpenSSL::KDF.hkdf(master_key, salt: salt, info: context, length: 32, hash: 'SHA256')
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.partition_keys.derive_key', tenant_id: tenant_id)
+          raise
         end
         def encrypt_for_tenant(plaintext:, tenant_id:, master_key:)
@@ -26,9 +33,10 @@ module Legion
           ciphertext = cipher.update(plaintext) + cipher.final
           auth_tag = cipher.auth_tag
+          log.debug "PartitionKeys encrypted payload for tenant #{tenant_id}"
           { ciphertext: ciphertext, iv: iv, auth_tag: auth_tag }
         rescue StandardError => e
-          Legion::Logging.warn "PartitionKeys encrypt failed for tenant #{tenant_id}: #{e.message}" if defined?(Legion::Logging)
+          handle_exception(e, level: :error, operation: 'crypt.partition_keys.encrypt_for_tenant', tenant_id: tenant_id)
           raise
         end
@@ -39,9 +47,11 @@ module Legion
           decipher.key = key
           decipher.iv = init_vector
           decipher.auth_tag = auth_tag
-          decipher.update(ciphertext) + decipher.final
+          plaintext = decipher.update(ciphertext) + decipher.final
+          log.debug "PartitionKeys decrypted payload for tenant #{tenant_id}"
+          plaintext
         rescue StandardError => e
-          Legion::Logging.warn "PartitionKeys decrypt failed for tenant #{tenant_id}: #{e.message}" if defined?(Legion::Logging)
+          handle_exception(e, level: :error, operation: 'crypt.partition_keys.decrypt_for_tenant', tenant_id: tenant_id)
           raise
         end
       end

data/lib/legion/crypt/settings.rb CHANGED Viewed

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
+require 'legion/logging/helper'
 module Legion
   module Crypt
     module Settings
+      extend Legion::Logging::Helper
       def self.tls
         {
           enabled: false,
@@ -15,11 +19,12 @@ module Legion
       def self.spiffe
         {
-          enabled:        false,
-          socket_path:    '/tmp/spire-agent/public/api.sock',
-          trust_domain:   'legion.internal',
-          workload_id:    nil,
-          renewal_window: 0.5
+          enabled:             false,
+          socket_path:         '/tmp/spire-agent/public/api.sock',
+          trust_domain:        'legion.internal',
+          workload_id:         nil,
+          renewal_window:      0.5,
+          allow_x509_fallback: false
         }
       end
@@ -57,8 +62,8 @@ module Legion
           connected:           false,
           renewer_time:        5,
           renewer:             true,
-          push_cluster_secret: true,
-          read_cluster_secret: true,
+          push_cluster_secret: false,
+          read_cluster_secret: false,
           kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
           leases:              {},
           default:             nil,
@@ -75,12 +80,13 @@ module Legion
 end
 begin
-  Legion::Settings.merge_settings('crypt', Legion::Crypt::Settings.default) if Legion.const_defined?('Settings')
+  if Legion.const_defined?('Settings')
+    Legion::Settings.merge_settings('crypt', Legion::Crypt::Settings.default)
+    Legion::Crypt::Settings.log.info('Legion::Crypt settings defaults merged')
+  end
 rescue StandardError => e
-  if Legion.const_defined?('Logging') && Legion::Logging.respond_to?(:log_exception)
-    Legion::Logging.log_exception(e, lex: 'crypt', component_type: :helper, level: :fatal)
-  elsif Legion.const_defined?('Logging') && Legion::Logging.respond_to?(:fatal)
-    Legion::Logging.fatal("crypt settings merge error: #{e.class}: #{e.message}\n#{Array(e.backtrace).join("\n")}")
+  if Legion::Crypt::Settings.respond_to?(:handle_exception)
+    Legion::Crypt::Settings.handle_exception(e, level: :fatal, operation: 'crypt.settings.merge_defaults')
   else
     puts e.message
     puts e.backtrace

data/lib/legion/crypt/spiffe/identity_helpers.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require 'legion/logging/helper'
 require 'openssl'
 require 'base64'
@@ -12,6 +13,8 @@ module Legion
       # returned by WorkloadApiClient.  No external gem is required —
       # all operations use the Ruby stdlib OpenSSL bindings.
       module IdentityHelpers
+        include Legion::Logging::Helper
         # Sign arbitrary data with the private key from an X.509 SVID.
         # Returns the signature as a Base64-encoded string.
         #
@@ -26,7 +29,11 @@ module Legion
           key       = OpenSSL::PKey.read(svid.key_pem)
           digest    = OpenSSL::Digest.new('SHA256')
           signature = key.sign(digest, data.b)
+          log.debug("SPIFFE signed payload with SVID id=#{svid.spiffe_id}")
           Base64.strict_encode64(signature)
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.sign_with_svid', spiffe_id: svid&.spiffe_id&.to_s)
+          raise
         end
         # Verify a Base64-encoded signature produced by sign_with_svid.
@@ -43,9 +50,12 @@ module Legion
           cert      = OpenSSL::X509::Certificate.new(svid.cert_pem)
           digest    = OpenSSL::Digest.new('SHA256')
           signature = Base64.strict_decode64(signature_b64)
-          cert.public_key.verify(digest, signature, data.b)
+          result = cert.public_key.verify(digest, signature, data.b)
+          log.debug("SPIFFE signature verification completed id=#{svid.spiffe_id} valid=#{result}")
+          result
         rescue OpenSSL::PKey::PKeyError, OpenSSL::X509::CertificateError, ArgumentError => e
-          log_spiffe_warn("SVID signature verification error: #{e.message}")
+          handle_exception(e, level: :warn, operation: 'crypt.spiffe.verify_svid_signature', spiffe_id: svid&.spiffe_id&.to_s)
+          log.warn("[SPIFFE] SVID signature verification error: #{e.message}")
           false
         end
@@ -65,12 +75,14 @@ module Legion
             uri = entry.sub('URI:', '')
             return Legion::Crypt::Spiffe.parse_id(uri)
-          rescue InvalidSpiffeIdError
+          rescue InvalidSpiffeIdError => e
+            handle_exception(e, level: :debug, operation: 'crypt.spiffe.extract_spiffe_id_from_cert', san_entry: entry)
             next
           end
           nil
-        rescue OpenSSL::X509::CertificateError
+        rescue OpenSSL::X509::CertificateError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.extract_spiffe_id_from_cert')
           nil
         end
@@ -90,7 +102,8 @@ module Legion
           leaf = OpenSSL::X509::Certificate.new(cert_pem)
           store.verify(leaf)
-        rescue OpenSSL::X509::CertificateError, OpenSSL::X509::StoreError
+        rescue OpenSSL::X509::CertificateError, OpenSSL::X509::StoreError => e
+          handle_exception(e, level: :warn, operation: 'crypt.spiffe.trusted_cert?', spiffe_id: svid&.spiffe_id&.to_s)
           false
         end
@@ -118,12 +131,6 @@ module Legion
             base
           end
         end
-        private
-        def log_spiffe_warn(message)
-          Legion::Logging.warn("[SPIFFE] #{message}") if defined?(Legion::Logging)
-        end
       end
     end
   end