legion-crypt 1.4.28 → 1.5.0

data/lib/legion/crypt/spiffe/svid_rotation.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
+
 module Legion
   module Crypt
     module Spiffe
@@ -10,6 +12,8 @@ module Legion
       # defaults to 60 seconds; renewal fires when the SVID is past 50%
       # of its lifetime (configurable via security.spiffe.renewal_window).
       class SvidRotation
+        include Legion::Logging::Helper
+
         DEFAULT_CHECK_INTERVAL = 60
 
         attr_reader :check_interval, :current_svid
@@ -31,19 +35,24 @@ module Legion
           @running = true
           @thread  = Thread.new { rotation_loop }
           @thread.name = 'spiffe-svid-rotation'
-          log_info('[SPIFFE] SvidRotation started')
+          log.info '[SPIFFE] SvidRotation started'
         end
 
         def stop
           @running = false
           begin
             @thread&.wakeup
-          rescue ThreadError
+          rescue ThreadError => e
+            handle_exception(e, level: :debug, operation: 'crypt.spiffe.svid_rotation.stop')
             nil
           end
           @thread&.join(3)
-          @thread = nil
-          log_debug('[SPIFFE] SvidRotation stopped')
+          if @thread&.alive?
+            log.warn '[SPIFFE] SvidRotation thread did not stop within timeout'
+          else
+            @thread = nil
+          end
+          log.info '[SPIFFE] SvidRotation stopped'
         end
 
         def running?
@@ -56,7 +65,7 @@ module Legion
             @current_svid = svid
             @issued_at    = Time.now
           end
-          log_info("[SPIFFE] SVID rotated: id=#{svid.spiffe_id} expiry=#{svid.expiry}")
+          log.info("[SPIFFE] SVID rotated: id=#{svid.spiffe_id} expiry=#{svid.expiry}")
           svid
         end
 
@@ -85,7 +94,8 @@ module Legion
           begin
             rotate!
           rescue StandardError => e
-            log_warn("[SPIFFE] Initial SVID fetch failed: #{e.message}")
+            handle_exception(e, level: :error, operation: 'crypt.spiffe.svid_rotation.rotation_loop')
+            log.error("[SPIFFE] Initial SVID fetch failed: #{e.message}")
           end
           loop_check
         end
@@ -96,13 +106,16 @@ module Legion
             next unless @running && needs_renewal?
 
             begin
+              log.info('[SPIFFE] SVID renewal window reached, rotating current SVID')
               rotate!
             rescue StandardError => e
-              log_warn("[SPIFFE] SVID rotation failed: #{e.message}")
+              handle_exception(e, level: :error, operation: 'crypt.spiffe.svid_rotation.loop_check')
+              log.error("[SPIFFE] SVID rotation failed: #{e.message}")
             end
           end
         rescue StandardError => e
-          log_warn("[SPIFFE] SvidRotation loop error: #{e.message}")
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.svid_rotation.loop_check')
+          log.error("[SPIFFE] SvidRotation loop error: #{e.message}")
           retry if @running
         end
 
@@ -124,33 +137,10 @@ module Legion
 
           spiffe = security[:spiffe] || security['spiffe'] || {}
           spiffe[:renewal_window] || spiffe['renewal_window'] || SVID_RENEWAL_RATIO
-        rescue StandardError
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.svid_rotation.renewal_window')
           SVID_RENEWAL_RATIO
         end
-
-        def log_info(msg)
-          if defined?(Legion::Logging)
-            Legion::Logging.info(msg)
-          else
-            $stdout.puts(msg)
-          end
-        end
-
-        def log_debug(msg)
-          if defined?(Legion::Logging)
-            Legion::Logging.debug(msg)
-          else
-            $stdout.puts("[DEBUG] #{msg}")
-          end
-        end
-
-        def log_warn(msg)
-          if defined?(Legion::Logging)
-            Legion::Logging.warn(msg)
-          else
-            warn("[WARN] #{msg}")
-          end
-        end
       end
     end
   end

data/lib/legion/crypt/spiffe/workload_api_client.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
 require 'socket'
 require 'openssl'
 
@@ -17,6 +18,8 @@ module Legion
       # no socket present) the client returns a self-signed fallback SVID so
       # that callers never have to special-case the nil case.
       class WorkloadApiClient
+        include Legion::Logging::Helper
+
         # gRPC content-type and method path for the Workload API FetchX509SVID RPC.
         GRPC_CONTENT_TYPE = 'application/grpc'
         FETCH_X509_METHOD = '/spiffe.workload.SpiffeWorkloadAPI/FetchX509SVID'
@@ -24,34 +27,56 @@ module Legion
 
         # Handshake + settings frames required to open an HTTP/2 connection.
         HTTP2_PREFACE = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
-        HTTP2_SETTINGS_FRAME = [0, 4, 0, 0, 0, 0].pack('NnCCNN')
+        HTTP2_SETTINGS_FRAME = "\x00\x00\x00\x04\x00\x00\x00\x00\x00".b
 
         CONNECT_TIMEOUT = 5
         READ_TIMEOUT    = 10
 
-        def initialize(socket_path: nil, trust_domain: nil)
-          @socket_path  = socket_path  || Legion::Crypt::Spiffe.socket_path
-          @trust_domain = trust_domain || Legion::Crypt::Spiffe.trust_domain
+        def initialize(socket_path: nil, trust_domain: nil, allow_x509_fallback: nil)
+          @socket_path         = socket_path  || Legion::Crypt::Spiffe.socket_path
+          @trust_domain        = trust_domain || Legion::Crypt::Spiffe.trust_domain
+          @allow_x509_fallback = allow_x509_fallback.nil? ? Legion::Crypt::Spiffe.allow_x509_fallback? : allow_x509_fallback
         end
 
         # Fetch an X.509 SVID from the SPIRE Workload API.
         # Returns a populated X509Svid struct.
         # Falls back to a self-signed certificate when the Workload API is unavailable.
         def fetch_x509_svid
+          log.info("[SPIFFE] Fetching X.509 SVID from Workload API socket=#{@socket_path}")
           raw = call_workload_api(FETCH_X509_METHOD, '')
           parse_x509_svid_response(raw)
         rescue WorkloadApiError, IOError, Errno::ENOENT, Errno::ECONNREFUSED, Errno::EPIPE => e
-          log_warn("[SPIFFE] Workload API unavailable (#{e.message}); using self-signed fallback")
+          handle_exception(e, level: :warn, operation: 'crypt.spiffe.workload_api_client.fetch_x509_svid',
+                           socket_path: @socket_path, fallback: @allow_x509_fallback)
+          unless @allow_x509_fallback
+            log.error("[SPIFFE] Workload API unavailable (#{e.message}); X.509 fallback disabled")
+            raise SvidError, "Failed to fetch X.509 SVID: #{e.message}"
+          end
+
+          log.warn("[SPIFFE] Workload API unavailable (#{e.message}); using self-signed fallback")
           self_signed_fallback
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.workload_api_client.fetch_x509_svid',
+                           socket_path: @socket_path)
+          log.error("[SPIFFE] X.509 SVID fetch failed: #{e.message}")
+          raise
         end
 
         # Fetch a JWT SVID from the SPIRE Workload API for the given audience.
         def fetch_jwt_svid(audience:)
+          log.info("[SPIFFE] Fetching JWT SVID from Workload API audience=#{audience}")
           payload  = encode_jwt_request(audience)
           raw      = call_workload_api(FETCH_JWT_METHOD, payload)
           parse_jwt_svid_response(raw, audience)
         rescue WorkloadApiError, IOError, Errno::ENOENT, Errno::ECONNREFUSED, Errno::EPIPE => e
-          log_warn("[SPIFFE] JWT SVID fetch failed (#{e.message})")
+          handle_exception(e, level: :warn, operation: 'crypt.spiffe.workload_api_client.fetch_jwt_svid',
+                           socket_path: @socket_path, audience: audience)
+          log.warn("[SPIFFE] JWT SVID fetch failed (#{e.message})")
+          raise SvidError, "Failed to fetch JWT SVID for audience '#{audience}': #{e.message}"
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.workload_api_client.fetch_jwt_svid',
+                           socket_path: @socket_path, audience: audience)
+          log.error("[SPIFFE] JWT SVID fetch failed: #{e.message}")
           raise SvidError, "Failed to fetch JWT SVID for audience '#{audience}': #{e.message}"
         end
 
@@ -62,7 +87,9 @@ module Legion
           sock = UNIXSocket.new(@socket_path)
           sock.close
           true
-        rescue StandardError
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.available',
+                           socket_path: @socket_path)
           false
         end
 
@@ -71,6 +98,7 @@ module Legion
         # Minimal HTTP/2 + gRPC unary call over a Unix domain socket.
         # This is intentionally simple: one request frame, one response frame.
         def call_workload_api(method_path, request_body)
+          log.debug("[SPIFFE] Calling Workload API method=#{method_path}")
           sock = connect_socket
           begin
             send_grpc_request(sock, method_path, request_body)
@@ -89,9 +117,13 @@ module Legion
           sock.write(HTTP2_SETTINGS_FRAME)
           sock.flush
           sock
-        rescue Errno::ENOENT
+        rescue Errno::ENOENT => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.connect_socket',
+                           socket_path: @socket_path)
           raise WorkloadApiError, "SPIRE agent socket not found at '#{@socket_path}'"
         rescue Errno::ECONNREFUSED, Errno::EACCES => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.connect_socket',
+                           socket_path: @socket_path)
           raise WorkloadApiError, "Cannot connect to SPIRE agent socket: #{e.message}"
         end
 
@@ -250,9 +282,11 @@ module Legion
             cert_pem:   cert.to_pem,
             key_pem:    key.private_to_pem,
             bundle_pem: bundle_pem,
-            expiry:     cert.not_after
+            expiry:     cert.not_after,
+            source:     :spire
           )
         rescue OpenSSL::X509::CertificateError, OpenSSL::PKey::PKeyError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.workload_api_client.parse_x509_svid_response')
           raise SvidError, "Failed to parse X.509 SVID: #{e.message}"
         end
 
@@ -277,14 +311,20 @@ module Legion
             spiffe_id: spiffe_id,
             token:     token,
             audience:  audience,
-            expiry:    expiry
+            expiry:    expiry,
+            source:    :spire
           )
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.workload_api_client.parse_jwt_svid_response',
+                           audience: audience)
+          raise
         end
 
         # Build a self-signed X.509 SVID for use when SPIRE is not available.
         # The SPIFFE ID is placed in the SAN URI extension per the SPIFFE spec.
         # The Subject CN is a plain workload name (no URI) so OpenSSL parses cleanly.
         def self_signed_fallback
+          log.info("[SPIFFE] Generating self-signed fallback SVID trust_domain=#{@trust_domain}")
           key  = OpenSSL::PKey::EC.generate('prime256v1')
           cert = OpenSSL::X509::Certificate.new
           cert.version    = 2
@@ -308,8 +348,14 @@ module Legion
             cert_pem:   cert.to_pem,
             key_pem:    key.private_to_pem,
             bundle_pem: nil,
-            expiry:     cert.not_after
+            expiry:     cert.not_after,
+            source:     :fallback
           )
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.spiffe.workload_api_client.self_signed_fallback',
+                           trust_domain: @trust_domain)
+          log.error("[SPIFFE] Self-signed fallback generation failed: #{e.message}")
+          raise
         end
 
         # --- Minimal protobuf decoder ---
@@ -373,18 +419,16 @@ module Legion
           payload_json = Base64.urlsafe_decode64("#{parts[1]}==")
           claims = begin
             Legion::JSON.parse(payload_json)
-          rescue StandardError
+          rescue StandardError => e
+            handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.extract_jwt_expiry')
             {}
           end
           exp = claims['exp'] || claims[:exp]
           exp ? Time.at(exp.to_i) : Time.now + 3600
-        rescue StandardError
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.extract_jwt_expiry')
           Time.now + 3600
         end
-
-        def log_warn(message)
-          Legion::Logging.warn(message) if defined?(Legion::Logging)
-        end
       end
     end
   end

data/lib/legion/crypt/spiffe.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
 require 'uri'
 require 'openssl'
 
@@ -29,7 +30,7 @@ module Legion
       end
 
       # Parsed X.509 SVID (SPIFFE Verifiable Identity Document).
-      X509Svid = Struct.new(:spiffe_id, :cert_pem, :key_pem, :bundle_pem, :expiry) do
+      X509Svid = Struct.new(:spiffe_id, :cert_pem, :key_pem, :bundle_pem, :expiry, :source) do
         def expired?
           Time.now >= expiry
         end
@@ -45,7 +46,7 @@ module Legion
       end
 
       # Parsed JWT SVID.
-      JwtSvid = Struct.new(:spiffe_id, :token, :audience, :expiry) do
+      JwtSvid = Struct.new(:spiffe_id, :token, :audience, :expiry, :source) do
         def expired?
           Time.now >= expiry
         end
@@ -56,6 +57,8 @@ module Legion
       end
 
       class << self
+        include Legion::Logging::Helper
+
         # Parse a SPIFFE ID string into a SpiffeId struct.
         # Raises InvalidSpiffeIdError on malformed input.
         def parse_id(spiffe_id_string)
@@ -69,13 +72,15 @@ module Legion
             path:         uri.path.empty? ? '/' : uri.path
           )
         rescue URI::InvalidURIError => e
+          handle_exception(e, level: :warn, operation: 'crypt.spiffe.parse_id', spiffe_id: spiffe_id_string)
           raise InvalidSpiffeIdError, "Invalid SPIFFE ID '#{spiffe_id_string}': #{e.message}"
         end
 
         def valid_id?(spiffe_id_string)
           parse_id(spiffe_id_string)
           true
-        rescue InvalidSpiffeIdError
+        rescue InvalidSpiffeIdError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.valid_id', spiffe_id: spiffe_id_string)
           false
         end
 
@@ -113,6 +118,14 @@ module Legion
           spiffe[:workload_id] || spiffe['workload_id']
         end
 
+        def allow_x509_fallback?
+          security = safe_security_settings
+          return false if security.nil?
+
+          spiffe = security[:spiffe] || security['spiffe'] || {}
+          spiffe[:allow_x509_fallback] || spiffe['allow_x509_fallback'] || false
+        end
+
         private
 
         def validate_uri!(uri, raw)
@@ -130,7 +143,8 @@ module Legion
           return nil unless defined?(Legion::Settings)
 
           Legion::Settings[:security]
-        rescue StandardError
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.safe_security_settings')
           nil
         end
       end

data/lib/legion/crypt/tls.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
+
 module Legion
   module Crypt
     module TLS
@@ -9,6 +11,8 @@ module Legion
         11_207 => 'memcached'
       }.freeze
 
+      extend Legion::Logging::Helper
+
       class << self
         def resolve(tls_config, port: nil)
           config = symbolize_keys(migrate_legacy(tls_config || {}))
@@ -19,7 +23,7 @@ module Legion
           if enabled.nil? && port && TLS_PORTS.key?(port.to_i)
             enabled = true
             auto_detected = true
-            log_warn("TLS auto-enabled for port #{port}")
+            log.warn("TLS auto-enabled for port #{port}")
           end
 
           enabled = false if enabled.nil?
@@ -30,10 +34,12 @@ module Legion
           key    = resolve_uri(config[:key])
 
           if verify == :mutual && (cert.nil? || key.nil?)
-            log_warn('TLS mutual requested but cert or key missing, downgrading to peer')
+            log.warn('TLS mutual requested but cert or key missing, downgrading to peer')
             verify = :peer
           end
 
+          log.info "TLS resolved enabled=#{enabled} verify=#{verify} auto_detected=#{auto_detected}"
+
           {
             enabled:       enabled,
             verify:        verify,
@@ -42,6 +48,9 @@ module Legion
             key:           key,
             auto_detected: auto_detected
           }
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.tls.resolve', port: port)
+          raise
         end
 
         def migrate_legacy(config)
@@ -79,14 +88,9 @@ module Legion
           else
             value
           end
-        end
-
-        def log_warn(msg)
-          if defined?(Legion::Logging)
-            Legion::Logging.warn(msg)
-          else
-            warn msg
-          end
+        rescue StandardError => e
+          handle_exception(e, level: :warn, operation: 'crypt.tls.resolve_uri')
+          raise
         end
       end
     end

data/lib/legion/crypt/token_renewer.rb

@@ -1,10 +1,13 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
 require 'legion/crypt/kerberos_auth'
 
 module Legion
   module Crypt
     class TokenRenewer
+      include Legion::Logging::Helper
+
       INITIAL_BACKOFF = 30
       MAX_BACKOFF     = 600
       MIN_SLEEP       = 30
@@ -22,16 +25,19 @@ module Legion
       end
 
       def start
+        return if running?
+
         @stop = false
         @thread = Thread.new { renewal_loop }
         @thread.name = "vault-renewer-#{@cluster_name}"
-        log_debug('token renewal thread started')
+        log.info("TokenRenewer[#{@cluster_name}]: token renewal thread started")
       end
 
       def stop
         @stop = true
         @thread&.wakeup
-      rescue ThreadError
+      rescue ThreadError => e
+        handle_exception(e, level: :debug, operation: 'crypt.token_renewer.stop', cluster_name: @cluster_name)
         nil
       ensure
         stop_thread_and_revoke
@@ -44,10 +50,12 @@ module Legion
       def renew_token
         result = @vault_client.auth_token.renew_self
         @config[:lease_duration] = result.auth.lease_duration
-        log_debug("token renewed, ttl=#{result.auth.lease_duration}s")
+        @config[:renewable] = result.auth.renewable? if result.auth.respond_to?(:renewable?)
+        log.info("TokenRenewer[#{@cluster_name}]: token renewed, ttl=#{result.auth.lease_duration}s")
         true
       rescue StandardError => e
-        log_warn("token renewal failed: #{e.message}")
+        handle_exception(e, level: :warn, operation: 'crypt.token_renewer.renew_token', cluster_name: @cluster_name)
+        log.warn("TokenRenewer[#{@cluster_name}]: token renewal failed: #{e.message}")
         false
       end
 
@@ -64,15 +72,19 @@ module Legion
         @config[:renewable]      = result[:renewable]
         @config[:connected]      = true
         @vault_client.token      = result[:token]
-        log_info('re-authenticated via Kerberos')
+        log.info("TokenRenewer[#{@cluster_name}]: re-authenticated via Kerberos")
         true
       rescue StandardError => e
-        log_warn("Kerberos re-auth failed: #{e.message}")
+        handle_exception(e, level: :warn, operation: 'crypt.token_renewer.reauth_kerberos', cluster_name: @cluster_name)
+        log.warn("TokenRenewer[#{@cluster_name}]: Kerberos re-auth failed: #{e.message}")
         false
       end
 
       def sleep_duration
-        duration = (@config[:lease_duration].to_i * RENEWAL_RATIO).to_i
+        lease_duration = @config[:lease_duration].to_i
+        duration = [(lease_duration * RENEWAL_RATIO).to_i, 1].max
+        return [duration, lease_duration - 1].min if lease_duration.positive? && lease_duration < MIN_SLEEP
+
         [duration, MIN_SLEEP].max
       end
 
@@ -99,7 +111,8 @@ module Legion
           end
         end
       rescue StandardError => e
-        log_warn("renewal loop error: #{e.message}")
+        handle_exception(e, level: :warn, operation: 'crypt.token_renewer.renewal_loop', cluster_name: @cluster_name)
+        log.warn("TokenRenewer[#{@cluster_name}]: renewal loop error: #{e.message}")
         retry unless @stop
       end
 
@@ -111,7 +124,7 @@ module Legion
       def on_renewal_failure
         @config[:connected] = false
         delay = next_backoff
-        log_warn("backoff retry in #{delay}s")
+        log.warn("TokenRenewer[#{@cluster_name}]: backoff retry in #{delay}s")
         interruptible_sleep(delay)
       end
 
@@ -128,15 +141,16 @@ module Legion
       def stop_thread_and_revoke
         return unless @thread
 
+        log.info("TokenRenewer[#{@cluster_name}]: stopping token renewal thread")
         @thread.join(5)
         thread_still_running = @thread.alive?
-        @thread = nil
 
         if thread_still_running
-          log_warn('token renewal thread did not stop within timeout; skipping token revocation')
+          log.warn("TokenRenewer[#{@cluster_name}]: token renewal thread did not stop within timeout; skipping token revocation")
         else
+          @thread = nil
           revoke_token
-          log_debug('token renewal thread stopped')
+          log.debug("TokenRenewer[#{@cluster_name}]: token renewal thread stopped")
         end
       end
 
@@ -145,21 +159,10 @@ module Legion
         return unless @config[:auth_method]&.to_s == 'kerberos'
 
         @vault_client.auth_token.revoke_self
-        log_info('Vault token revoked')
+        log.info("TokenRenewer[#{@cluster_name}]: Vault token revoked")
       rescue StandardError => e
-        log_warn("Vault token revoke failed: #{e.message}")
-      end
-
-      def log_debug(message)
-        Legion::Logging.debug("TokenRenewer[#{@cluster_name}]: #{message}") if defined?(Legion::Logging)
-      end
-
-      def log_info(message)
-        Legion::Logging.info("TokenRenewer[#{@cluster_name}]: #{message}") if defined?(Legion::Logging)
-      end
-
-      def log_warn(message)
-        Legion::Logging.warn("TokenRenewer[#{@cluster_name}]: #{message}") if defined?(Legion::Logging)
+        handle_exception(e, level: :warn, operation: 'crypt.token_renewer.revoke_token', cluster_name: @cluster_name)
+        log.warn("TokenRenewer[#{@cluster_name}]: Vault token revoke failed: #{e.message}")
       end
     end
   end