legion-crypt 1.4.28 → 1.5.0

data/lib/legion/crypt.rb

@@ -2,6 +2,7 @@
 
 require 'openssl'
 require 'base64'
+require 'legion/logging/helper'
 require 'legion/crypt/version'
 require 'legion/crypt/settings'
 require 'legion/crypt/cipher'
@@ -27,6 +28,7 @@ module Legion
     class << self
       attr_reader :sessions
 
+      include Legion::Logging::Helper
       include Legion::Crypt::Cipher
 
       unless Gem::Specification.find_by_name('vault').nil?
@@ -57,18 +59,30 @@ module Legion
       end
 
       def start
-        Legion::Logging.debug 'Legion::Crypt is running start'
-        ::File.write('./legionio.key', private_key) if settings[:save_private_key]
-        @token_renewers ||= []
-
-        if vault_settings[:clusters]&.any?
-          connect_all_clusters
-          start_token_renewers
-        else
-          connect_vault unless settings[:vault][:token].nil?
+        lifecycle_mutex.synchronize do
+          if @started
+            log.info 'Legion::Crypt start ignored because the lifecycle is already running'
+            return
+          end
+
+          log.info 'Legion::Crypt startup initiated'
+          log.debug 'Legion::Crypt start requested'
+          ::File.write('./legionio.key', private_key) if settings[:save_private_key]
+          @token_renewers ||= []
+
+          if vault_settings[:clusters]&.any?
+            log.info "Legion::Crypt connecting #{vault_settings[:clusters].size} Vault cluster(s)"
+            connect_all_clusters
+            start_token_renewers
+          else
+            log.info 'Legion::Crypt connecting primary Vault client' unless settings[:vault][:token].nil?
+            connect_vault unless settings[:vault][:token].nil?
+          end
+          start_lease_manager
+          start_svid_rotation
+          @started = true
+          log.info 'Legion::Crypt startup completed'
         end
-        start_lease_manager
-        start_svid_rotation
       end
 
       def settings
@@ -83,6 +97,16 @@ module Legion
         settings[:jwt] || Legion::Crypt::Settings.jwt
       end
 
+      def vault_connected?
+        return true if settings.dig(:vault, :connected) == true
+        return true if respond_to?(:connected_clusters) && connected_clusters.any?
+
+        false
+      rescue StandardError => e
+        handle_exception(e, level: :debug, operation: 'crypt.vault_connected?')
+        false
+      end
+
       def issue_token(payload = {}, ttl: nil, algorithm: nil)
         jwt = jwt_settings
         algo = algorithm || jwt[:default_algorithm]
@@ -111,11 +135,21 @@ module Legion
       end
 
       def shutdown
-        Legion::Crypt::LeaseManager.instance.shutdown
-        stop_token_renewers
-        shutdown_renewer
-        close_sessions
-        stop_svid_rotation
+        lifecycle_mutex.synchronize do
+          unless @started
+            log.info 'Legion::Crypt shutdown ignored because the lifecycle is not running'
+            return
+          end
+
+          log.info 'Legion::Crypt shutdown initiated'
+          Legion::Crypt::LeaseManager.instance.shutdown
+          stop_token_renewers
+          shutdown_renewer
+          close_sessions
+          stop_svid_rotation
+          @started = false
+          log.info 'Legion::Crypt shutdown completed'
+        end
       end
 
       private
@@ -123,22 +157,15 @@ module Legion
       def start_lease_manager
         leases = settings.dig(:vault, :leases) || {}
         return if leases.empty?
-        return unless settings.dig(:vault, :connected) || connected_clusters.any?
+        return unless connected_clusters.any? || settings.dig(:vault, :connected)
 
         client = nil
 
-        if settings.dig(:vault, :connected)
-          client = vault_client
-        elsif connected_clusters.any?
-          default_cluster = vault_settings[:default]
-          selected_cluster =
-            if default_cluster && connected_clusters.include?(default_cluster.to_sym)
-              default_cluster.to_sym
-            else
-              connected_clusters.keys.first
-            end
-
+        if connected_clusters.any?
+          selected_cluster = selected_connected_cluster_name
           client = selected_cluster ? vault_client(selected_cluster) : nil
+        elsif settings.dig(:vault, :connected)
+          client = vault_client
         end
         lease_manager = Legion::Crypt::LeaseManager.instance
         lease_manager.start(leases, vault_client: client)
@@ -146,15 +173,16 @@ module Legion
         fetched = lease_manager.fetched_count
         defined = leases.size
         if fetched == defined
-          Legion::Logging.info "LeaseManager: #{fetched} lease(s) initialized"
+          log.info "LeaseManager: #{fetched} lease(s) initialized"
         else
-          Legion::Logging.warn "LeaseManager: #{fetched}/#{defined} lease(s) initialized (#{defined - fetched} failed)"
+          log.warn "LeaseManager: #{fetched}/#{defined} lease(s) initialized (#{defined - fetched} failed)"
         end
       rescue StandardError => e
-        Legion::Logging.warn "LeaseManager startup failed: #{e.message}"
+        handle_exception(e, level: :warn, operation: 'crypt.start_lease_manager')
       end
 
       def start_token_renewers
+        started = 0
         clusters.each do |name, config|
           next unless config[:auth_method]&.to_s == 'kerberos' && config[:connected]
 
@@ -165,31 +193,40 @@ module Legion
           )
           renewer.start
           @token_renewers << renewer
+          started += 1
         end
+        log.info "Legion::Crypt started #{started} token renewer(s)" if started.positive?
       end
 
       def stop_token_renewers
         return unless @token_renewers
 
         @token_renewers.each(&:stop)
+        log.info "Legion::Crypt stopped #{@token_renewers.size} token renewer(s)" if @token_renewers.any?
         @token_renewers.clear
       end
 
       def start_svid_rotation
         return unless Spiffe.enabled?
 
+        log.info 'Legion::Crypt starting SPIFFE SVID rotation'
         @svid_rotation = Spiffe::SvidRotation.new
         @svid_rotation.start
       rescue StandardError => e
-        Legion::Logging.warn "SPIFFE SvidRotation startup failed: #{e.message}" if defined?(Legion::Logging)
+        handle_exception(e, level: :warn, operation: 'crypt.start_svid_rotation')
       end
 
       def stop_svid_rotation
         return unless @svid_rotation
 
+        log.info 'Legion::Crypt stopping SPIFFE SVID rotation'
         @svid_rotation.stop
         @svid_rotation = nil
       end
+
+      def lifecycle_mutex
+        @lifecycle_mutex ||= Mutex.new
+      end
     end
   end
 end

data/lib/legion/logging/helper.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+begin
+  helper_path = File.join(
+    Gem::Specification.find_by_name('legion-logging').full_gem_path,
+    'lib/legion/logging/helper.rb'
+  )
+  require helper_path if File.exist?(helper_path)
+rescue Gem::LoadError
+  nil
+end
+
+require 'legion/logging'
+
+module Legion
+  module Logging
+    module Helper
+      unless const_defined?(:CompatLogger, false)
+        CompatLogger = Class.new do
+          %i[debug info warn error fatal unknown].each do |level|
+            define_method(level) do |message = nil, &block|
+              payload = block ? block.call : message
+              return if payload.nil?
+
+              if logging_supports?(level)
+                Legion::Logging.public_send(level, payload)
+              elsif %i[error fatal warn].include?(level)
+                ::Kernel.warn(payload)
+              else
+                $stdout.puts(payload)
+              end
+            end
+          end
+
+          private
+
+          def logging_supports?(level)
+            return false unless Legion.const_defined?('Logging')
+
+            Legion::Logging.respond_to?(level)
+          rescue StandardError
+            false
+          end
+        end
+      end
+
+      def log
+        @log ||= CompatLogger.new
+      end
+
+      def handle_exception(exception, task_id: nil, level: :error, handled: true, **opts) # rubocop:disable Lint/UnusedMethodArgument,Style/ArgumentsForwarding
+        message = exception_log_message(exception, level: level, **opts) # rubocop:disable Style/ArgumentsForwarding
+
+        if logging_supports?(:log_exception)
+          Legion::Logging.log_exception(exception, lex: 'crypt', component_type: :helper)
+          return
+        end
+        if logging_supports?(level)
+          Legion::Logging.public_send(level, message)
+          return
+        end
+        if logging_supports?(:error)
+          Legion::Logging.error(message)
+          return
+        end
+        if logging_supports?(:warn)
+          Legion::Logging.warn(message)
+          return
+        end
+
+        ::Kernel.warn(message)
+      end
+
+      private
+
+      def logging_supports?(level)
+        return false unless Legion.const_defined?('Logging')
+
+        Legion::Logging.respond_to?(level)
+      rescue StandardError
+        false
+      end
+
+      def exception_log_message(exception, level:, **opts)
+        operation = opts[:operation] || opts['operation']
+        prefix = operation ? "#{operation} failed: " : ''
+        details = opts.reject { |key, _value| key.to_s == 'operation' }.map { |key, value| "#{key}=#{value}" }
+        detail_suffix = details.empty? ? '' : " (#{details.join(' ')})"
+        backtrace = Array(exception.backtrace).first(10).join("\n")
+        base = "#{prefix}#{exception.class}: #{exception.message}#{detail_suffix}"
+        return base if backtrace.empty? && level == :debug
+        return base if backtrace.empty?
+
+        "#{base}\n#{backtrace}"
+      end
+    end
+  end
+end

data/lib/legion/logging.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+begin
+  gem_root = Gem::Specification.find_by_name('legion-logging').full_gem_path
+  upstream_logging = File.join(gem_root, 'lib/legion/logging.rb')
+  require upstream_logging if File.exist?(upstream_logging)
+rescue Gem::LoadError
+  nil
+end
+
+module Legion
+  module Logging
+    class << self
+      unless method_defined?(:setup)
+        def setup(level: 'info', **_opts)
+          logger.level = normalize_level(level)
+          self
+        end
+
+        def logger
+          @logger ||= Logger.new($stdout).tap do |instance|
+            instance.progname = 'legion-crypt'
+          end
+        end
+
+        def log_exception(exception, lex: nil, component_type: nil, **_opts)
+          prefix = [lex, component_type].compact.join('.')
+          payload = prefix.empty? ? exception.message : "#{prefix}: #{exception.message}"
+          error(payload)
+        end
+
+        %i[debug info warn error fatal unknown].each do |level_name|
+          define_method(level_name) do |message = nil, &block|
+            payload = block ? block.call : message
+            return if payload.nil?
+
+            logger.public_send(level_name, payload)
+          end
+        end
+
+        private
+
+        def normalize_level(level)
+          case level.to_s.downcase
+          when 'debug' then Logger::DEBUG
+          when 'info' then Logger::INFO
+          when 'warn' then Logger::WARN
+          when 'error' then Logger::ERROR
+          when 'fatal' then Logger::FATAL
+          else Logger::UNKNOWN
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.28
+  version: 1.5.0
 platform: ruby
 authors:
 - Esity
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: legion-logging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
 - !ruby/object:Gem::Dependency
   name: vault
   requirement: !ruby/object:Gem::Requirement
@@ -103,6 +117,8 @@ files:
 - lib/legion/crypt/vault_kerberos_auth.rb
 - lib/legion/crypt/vault_renewer.rb
 - lib/legion/crypt/version.rb
+- lib/legion/logging.rb
+- lib/legion/logging/helper.rb
 - sonar-project.properties
 homepage: https://github.com/LegionIO/legion-crypt
 licenses: