legion-crypt 1.4.3 → 1.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 755c4278bc3e6f3ba845f5d46ba61b753a19b9a4fc0212f9da9827e6fefe3ac2
-  data.tar.gz: '04585ab20ddb62568949ca90c33405b61bb477cd2750503944acadcf665925b9'
+  metadata.gz: 2e448a5dd1e2c70e43cff0b6512e1b2af1d41f9a2af7b9719495ba5b10c90ec7
+  data.tar.gz: 6c270665c5a185baa844e5b7e80af9f2ac8922a520748e387a9d10363294061e
 SHA512:
-  metadata.gz: 53c5f43b6ab1ca2f0dad978a3cee6b1d3314b8aa57ffae077641d9882756f3a331b21258f3b45a9789639095facdff27baec911e6cbd066c7d2c2fc1058237bd
-  data.tar.gz: f3b542c8ca98c768ddfae7763da33ddc3638fd46dbb174abf037cd0baca348fa6127c4ad1d3efa46c86a943b2cd3d2c6f2df5d8d179e0a64a5b94d5b3ec4f35c
+  metadata.gz: bc43cab1939dee1cd1d6c28a07a2766953af52fc30230375d47e23e289f53beaf3a2be47d98c549bd9098c545d6dd540faa8a87143bb678429265a96b55d96cf
+  data.tar.gz: 1813d049d59f5bb81baeef8f10fb2e9f68d7540c8fb4858a75f2f40d881eb7b101a42ce4f89161a38ef14122da0e53e1cf0d2009716d7411ba16c0a77902504c

data/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Legion::Crypt
 
+## [1.4.5] - 2026-03-20
+
+### Changed
+- Refactored `Legion::Crypt::TLS` to standard `resolve` pattern: pure config normalizer with port auto-detect, vault URI resolution, legacy key migration, and three verification levels (none/peer/mutual)
+- Removed consumer-specific `bunny_options` and `sequel_options` methods (moved to consuming gems)
+
+### Added
+- `TLS.resolve(tls_config, port:)` — standard TLS config resolver
+- `TLS.migrate_legacy(config)` — backwards-compat mapping for transport's old TLS keys
+- `TLS::TLS_PORTS` — known TLS port auto-detection map (5671, 6380, 11207)
+- Default `tls:` settings block in `Legion::Crypt::Settings`
+
+## [1.4.4] - 2026-03-18
+
+### Added
+- Multi-cluster Vault support: named clusters with `default` pointer in `crypt.vault.clusters`
+- `VaultCluster` module: per-cluster `::Vault::Client` management, `connect_all_clusters`
+- `LdapAuth` module: LDAP authentication via Vault HTTP API (`auth/ldap/login/:username`)
+- `ldap_login_all` authenticates to all LDAP-configured clusters with single credentials
+- `VaultRenewer` now renews tokens for all connected clusters
+- Backward compatible: single-cluster config (`crypt.vault.address`) still works unchanged
+
 ## [1.4.3] - 2026-03-17
 
 ### Added

data/CLAUDE.md

@@ -8,6 +8,7 @@
 Handles encryption, decryption, secrets management, JWT token management, and HashiCorp Vault connectivity for the LegionIO framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
 
 **GitHub**: https://github.com/LegionIO/legion-crypt
+**Version**: 1.4.4
 **License**: Apache-2.0
 
 ## Architecture

data/README.md

@@ -1,6 +1,8 @@
 # legion-crypt
 
-Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
+Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, Vault token lifecycle management, and multi-cluster Vault connectivity.
+
+**Version**: 1.4.4
 
 ## Installation
 
@@ -146,6 +148,48 @@ Both `username` and `password` come from a single Vault read — one lease, one
 
 Lease names are stable across environments. The actual Vault paths are deployment-specific config.
 
+## Multi-Cluster Vault
+
+`VaultCluster` supports connecting to multiple Vault clusters simultaneously. Each cluster has its own `::Vault::Client` instance.
+
+```json
+{
+  "crypt": {
+    "vault": {
+      "default": "primary",
+      "clusters": {
+        "primary": {
+          "protocol": "https",
+          "address": "vault.example.com",
+          "port": 8200,
+          "namespace": "my-namespace",
+          "auth_method": "ldap"
+        },
+        "secondary": {
+          "protocol": "https",
+          "address": "vault2.example.com",
+          "port": 8200,
+          "auth_method": "ldap"
+        }
+      }
+    }
+  }
+}
+```
+
+```ruby
+# Authenticate to all LDAP-configured clusters at once
+Legion::Crypt.ldap_login_all(username: 'user', password: 'pass')
+
+# Read from specific cluster
+Legion::Crypt.read('secret/data/mykey', cluster: :secondary)
+
+# Get a Vault client for a specific cluster
+client = Legion::Crypt.vault_client(:primary)
+```
+
+When `clusters` is empty, the legacy single-cluster path is used (backward compatible).
+
 ## Requirements
 
 - Ruby >= 3.4

data/lib/legion/crypt/ldap_auth.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Legion
+  module Crypt
+    module LdapAuth
+      def ldap_login(cluster_name:, username:, password:)
+        cluster_name = cluster_name.to_sym
+        client = vault_client(cluster_name)
+        secret = client.logical.write("auth/ldap/login/#{username}", password: password)
+        auth = secret.auth
+        token = auth.client_token
+
+        clusters[cluster_name][:token] = token
+        clusters[cluster_name][:connected] = true
+
+        { token: token, lease_duration: auth.lease_duration,
+          renewable: auth.renewable, policies: auth.policies }
+      end
+
+      def ldap_login_all(username:, password:)
+        results = {}
+        clusters.each do |name, config|
+          next unless config[:auth_method] == 'ldap'
+
+          results[name] = ldap_login(cluster_name: name, username: username, password: password)
+        rescue StandardError => e
+          results[name] = { error: e.message }
+        end
+        results
+      end
+    end
+  end
+end

data/lib/legion/crypt/settings.rb

@@ -3,10 +3,21 @@
 module Legion
   module Crypt
     module Settings
+      def self.tls
+        {
+          enabled: false,
+          verify:  'peer',
+          ca:      nil,
+          cert:    nil,
+          key:     nil
+        }
+      end
+
       def self.default
         {
           vault:            vault,
           jwt:              jwt,
+          tls:              tls,
           cs_encrypt_ready: false,
           dynamic_keys:     true,
           cluster_secret:   nil,
@@ -39,7 +50,9 @@ module Legion
           push_cluster_secret: true,
           read_cluster_secret: true,
           kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
-          leases:              {}
+          leases:              {},
+          default:             nil,
+          clusters:            {}
         }
       end
     end

data/lib/legion/crypt/tls.rb

@@ -1,78 +1,92 @@
 # frozen_string_literal: true
 
-require 'openssl'
-
 module Legion
   module Crypt
     module TLS
-      DEFAULT_CERT_DIR = '/etc/legion/tls'
+      TLS_PORTS = {
+        5671   => 'amqp',
+        6380   => 'redis',
+        11_207 => 'memcached'
+      }.freeze
 
       class << self
-        def enabled?
-          settings_dig(:enabled) == true
-        end
+        def resolve(tls_config, port: nil)
+          config = symbolize_keys(migrate_legacy(tls_config || {}))
 
-        def ssl_context(role: :client) # rubocop:disable Lint/UnusedMethodArgument
-          ctx = OpenSSL::SSL::SSLContext.new
-          ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
-          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          enabled       = config[:enabled]
+          auto_detected = false
 
-          ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path && File.exist?(cert_path)
-          ctx.key = OpenSSL::PKey.read(File.read(key_path)) if key_path && File.exist?(key_path)
-          ctx.ca_file = ca_path if ca_path && File.exist?(ca_path)
+          if enabled.nil? && port && TLS_PORTS.key?(port.to_i)
+            enabled = true
+            auto_detected = true
+            log_warn("TLS auto-enabled for port #{port}")
+          end
 
-          ctx
-        end
+          enabled = false if enabled.nil?
 
-        def bunny_options
-          return {} unless enabled?
+          verify = normalize_verify(config[:verify])
+          ca     = resolve_uri(config[:ca])
+          cert   = resolve_uri(config[:cert])
+          key    = resolve_uri(config[:key])
+
+          if verify == :mutual && (cert.nil? || key.nil?)
+            log_warn('TLS mutual requested but cert or key missing, downgrading to peer')
+            verify = :peer
+          end
 
           {
-            tls:                 true,
-            tls_cert:            cert_path,
-            tls_key:             key_path,
-            tls_ca_certificates: [ca_path].compact,
-            verify_peer:         true
+            enabled:       enabled,
+            verify:        verify,
+            ca:            ca,
+            cert:          cert,
+            key:           key,
+            auto_detected: auto_detected
           }
         end
 
-        def sequel_options
-          return {} unless enabled?
+        def migrate_legacy(config)
+          config = symbolize_keys(config)
+          return config unless config.key?(:use_tls) && !config.key?(:enabled)
 
           {
-            sslmode:     'verify-full',
-            sslcert:     cert_path,
-            sslkey:      key_path,
-            sslrootcert: ca_path
+            enabled: config[:use_tls],
+            verify:  config[:verify_peer] ? 'peer' : 'none',
+            ca:      config[:ca_certs],
+            cert:    config[:tls_cert],
+            key:     config[:tls_key]
           }
         end
 
-        def cert_path
-          settings_dig(:cert_path) || File.join(DEFAULT_CERT_DIR, 'legion.crt')
-        end
+        private
 
-        def key_path
-          settings_dig(:key_path) || File.join(DEFAULT_CERT_DIR, 'legion.key')
+        def symbolize_keys(hash)
+          hash.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
         end
 
-        def ca_path
-          settings_dig(:ca_path) || File.join(DEFAULT_CERT_DIR, 'ca-bundle.crt')
+        def normalize_verify(value)
+          case value.to_s
+          when 'none'   then :none
+          when 'mutual' then :mutual
+          else :peer
+          end
         end
 
-        private
-
-        def settings_dig(*keys)
-          return nil unless defined?(Legion::Settings)
+        def resolve_uri(value)
+          return nil if value.nil?
 
-          result = Legion::Settings[:crypt]
-          [:tls, *keys].each do |key|
-            return nil unless result.is_a?(Hash)
+          if defined?(Legion::Settings::Resolver)
+            Legion::Settings::Resolver.resolve_value(value)
+          else
+            value
+          end
+        end
 
-            result = result[key]
+        def log_warn(msg)
+          if defined?(Legion::Logging)
+            Legion::Logging.warn(msg)
+          else
+            warn msg
           end
-          result
-        rescue StandardError
-          nil
         end
       end
     end

data/lib/legion/crypt/vault.rb

@@ -83,8 +83,21 @@ module Legion
       end
 
       def renew_sessions(**_opts)
-        @sessions.each do |session|
-          renew_session(session: session)
+        if respond_to?(:connected_clusters) && connected_clusters.any?
+          renew_cluster_tokens
+        else
+          @sessions.each do |session|
+            renew_session(session: session)
+          end
+        end
+      end
+
+      def renew_cluster_tokens
+        connected_clusters.each_key do |name|
+          client = vault_client(name)
+          client.auth_token.renew_self
+        rescue StandardError => e
+          log_vault_error(name, e)
         end
       end
 

data/lib/legion/crypt/vault_cluster.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'vault'
+
+module Legion
+  module Crypt
+    module VaultCluster
+      def vault_client(name = nil)
+        name = resolve_cluster_name(name)
+        @vault_clients ||= {}
+        @vault_clients[name] ||= build_vault_client(clusters[name])
+      end
+
+      def cluster(name = nil)
+        name = resolve_cluster_name(name)
+        clusters[name]
+      end
+
+      def default_cluster_name
+        name = vault_settings[:default]
+        name ? name.to_sym : clusters.keys.first
+      end
+
+      def clusters
+        vault_settings[:clusters] || {}
+      end
+
+      def connected_clusters
+        clusters.select { |_, config| config[:token] && config[:connected] }
+      end
+
+      def connect_all_clusters
+        results = {}
+        clusters.each do |name, config|
+          next unless config[:token]
+
+          client = vault_client(name)
+          config[:connected] = client.sys.health_status.initialized?
+          results[name] = config[:connected]
+        rescue StandardError => e
+          config[:connected] = false
+          results[name] = false
+          log_vault_error(name, e)
+        end
+        results
+      end
+
+      private
+
+      def resolve_cluster_name(name)
+        return name.to_sym if name
+
+        default_cluster_name
+      end
+
+      def build_vault_client(config)
+        return nil unless config.is_a?(Hash)
+
+        client = ::Vault::Client.new(
+          address: "#{config[:protocol]}://#{config[:address]}:#{config[:port]}",
+          token:   config[:token]
+        )
+        client.namespace = config[:namespace] if config[:namespace]
+        client
+      end
+
+      def log_vault_error(name, error)
+        if defined?(Legion::Logging)
+          Legion::Logging.error("Vault cluster #{name}: #{error.message}")
+        else
+          warn("Vault cluster #{name}: #{error.message}")
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/vault_kerberos_auth.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Legion
+  module Crypt
+    module VaultKerberosAuth
+      DEFAULT_AUTH_PATH = 'auth/kerberos/login'
+
+      class AuthError < StandardError; end
+
+      def self.login(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
+        raise AuthError, 'Vault is not connected' unless vault_connected?
+
+        response = ::Vault.logical.write(auth_path, authorization: "Negotiate #{spnego_token}")
+        raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth
+
+        {
+          token:          response.auth.client_token,
+          lease_duration: response.auth.lease_duration,
+          renewable:      response.auth.renewable,
+          policies:       response.auth.policies,
+          metadata:       response.auth.metadata
+        }
+      rescue ::Vault::HTTPClientError => e
+        raise AuthError, "Vault Kerberos auth failed: #{e.message}"
+      end
+
+      def self.login!(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
+        result = login(spnego_token: spnego_token, auth_path: auth_path)
+        ::Vault.token = result[:token]
+        result
+      end
+
+      def self.vault_connected?
+        defined?(::Vault) && defined?(Legion::Settings) &&
+          Legion::Settings[:crypt][:vault][:connected] == true
+      rescue StandardError
+        false
+      end
+
+      private_class_method :vault_connected?
+    end
+  end
+end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.4.3'
+    VERSION = '1.4.5'
   end
 end

data/lib/legion/crypt.rb

@@ -8,9 +8,14 @@ require 'legion/crypt/cipher'
 require 'legion/crypt/jwt'
 require 'legion/crypt/vault_jwt_auth'
 require 'legion/crypt/lease_manager'
+require 'legion/crypt/vault_cluster'
+require 'legion/crypt/ldap_auth'
 
 module Legion
   module Crypt
+    extend Legion::Crypt::VaultCluster
+    extend Legion::Crypt::LdapAuth
+
     class << self
       attr_reader :sessions
 
@@ -21,11 +26,19 @@ module Legion
         include Legion::Crypt::Vault
       end
 
+      def vault_settings
+        Legion::Settings[:crypt][:vault]
+      end
+
       def start
         Legion::Logging.debug 'Legion::Crypt is running start'
         ::File.write('./legionio.key', private_key) if settings[:save_private_key]
 
-        connect_vault unless settings[:vault][:token].nil?
+        if vault_settings[:clusters]&.any?
+          connect_all_clusters
+        else
+          connect_vault unless settings[:vault][:token].nil?
+        end
         start_lease_manager
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.3
+  version: 1.4.5
 platform: ruby
 authors:
 - Esity
@@ -78,13 +78,16 @@ files:
 - lib/legion/crypt/erasure.rb
 - lib/legion/crypt/jwks_client.rb
 - lib/legion/crypt/jwt.rb
+- lib/legion/crypt/ldap_auth.rb
 - lib/legion/crypt/lease_manager.rb
 - lib/legion/crypt/mock_vault.rb
 - lib/legion/crypt/partition_keys.rb
 - lib/legion/crypt/settings.rb
 - lib/legion/crypt/tls.rb
 - lib/legion/crypt/vault.rb
+- lib/legion/crypt/vault_cluster.rb
 - lib/legion/crypt/vault_jwt_auth.rb
+- lib/legion/crypt/vault_kerberos_auth.rb
 - lib/legion/crypt/vault_renewer.rb
 - lib/legion/crypt/version.rb
 - sonar-project.properties