legion-crypt 1.4.7 → 1.4.8

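--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 7a91784c5d25f02bae1517ea0192185a147df4739c5f40467c4a1eaac4c5d073
- data.tar.gz: a5c94a7cbd0074c8b2494f0fcf7bf46eff9daa2c45fe04b86f4f7548e79e1c93
+ metadata.gz: f23263a49bc4e450c4c13189039e6a1324201fc31c074a59800569076c4baa40
+ data.tar.gz: 7c7fddeb4adb4a6d6721dea856af301f69a6b6a4c124c28195c87cf3e5e04f82
  SHA512:
- metadata.gz: c5695228ec9226e79cf6b14322ce944e7eb80c24450c91ddbcf4d4a93ee33ef825b92ee8f742029155b301e18d676e597e13ea33ecfbb2397b7cb13f45f0ef4e
- data.tar.gz: 6b37ee3075d821ec4c3bc01b44ad1450177ba6ec8aa6ea2c1ffe7fa6e44c4d40ab3e5a15c63464dd0432d15c2eaaddee13802533333e8f35011895fde47cda0a
+ metadata.gz: fe700545e2fe3ec3166cf14e760655e84572c5283895057d9c5f114849e89d5e00f59b13de05769c350eea9deabc0caa3cba926d89ca9121f40787c75707583c
+ data.tar.gz: 7b22b0a6ff01a262d44497e201c0f9fab260d5897e4be7af0a7a8c8d7a1e6c7c95ec9b422c9047ef5c6428a8ffb0ed9de066bda0d63849f45c9634eb2692ebc4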
data/CHANGELOG.md CHANGED
@@ -1,5 +1,10 @@
1
1
  # Legion::Crypt
2
2
 
3
+ ## [1.4.8] - 2026-03-22
4
+
5
+ ### Changed
6
+ - Added logging to all silent rescue blocks across attestation, cluster_secret, ed25519, erasure, jwks_client, ldap_auth, vault_jwt_auth, and vault_kerberos_auth
7
+
3
8
  ## [1.4.7] - 2026-03-22
4
9
 
5
10
  ### Added
@@ -39,7 +39,8 @@ module Legion
39
39
  def fresh?(claim_hash, max_age_seconds: 300)
40
40
  timestamp = Time.parse(claim_hash[:timestamp])
41
41
  Time.now.utc - timestamp < max_age_seconds
42
- rescue StandardError
42
+ rescue StandardError => e
43
+ Legion::Logging.warn("Legion::Crypt::Attestation#fresh? failed: #{e.message}") if defined?(Legion::Logging)
43
44
  false
44
45
  end
45
46
  end
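Review bot: In `fresh?`, a claim whose `timestamp` lies in the future makes `Time.now.utc - timestamp` negative, so it passes the `< max_age_seconds` comparison and counts as fresh until that time plus the window has elapsed; the added log line does not change this. Bound the age on both sides, for example `age = Time.now.utc - timestamp` followed by `age >= 0 && age < max_age_seconds`, with a small explicit clock-skew allowance if nodes are not tightly synchronised. `Time.parse` is also lenient about format and reads zone-less strings as local time, so `Time.iso8601(claim_hash[:timestamp])` would be the stricter choice if claims are always emitted in that format.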
@@ -32,7 +32,8 @@ module Legion
32
32
  return nil unless Legion::Crypt.exist?('crypt')
33
33
 
34
34
  get('crypt')[:cluster_secret]
35
- rescue StandardError
35
+ rescue StandardError => e
36
+ Legion::Logging.warn("Legion::Crypt::ClusterSecret#from_vault failed: #{e.message}") if defined?(Legion::Logging)
36
37
  nil
37
38
  end
38
39
 
@@ -77,7 +78,8 @@ module Legion
77
78
 
78
79
  def only_member?
79
80
  Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
80
- rescue StandardError
81
+ rescue StandardError => e
82
+ Legion::Logging.warn("Legion::Crypt::ClusterSecret#only_member? failed: #{e.message}") if defined?(Legion::Logging)
81
83
  nil
82
84
  end
83
85
 
@@ -28,7 +28,8 @@ module Legion
28
28
  verify_key.verify(signature, message)
29
29
  Legion::Logging.debug 'Ed25519 verify success' if defined?(Legion::Logging)
30
30
  true
31
- rescue ::Ed25519::VerifyError
31
+ rescue ::Ed25519::VerifyError => e
32
+ Legion::Logging.debug("Legion::Crypt::Ed25519.verify signature mismatch: #{e.message}") if defined?(Legion::Logging)
32
33
  false
33
34
  end
34
35
 
@@ -50,7 +51,8 @@ module Legion
50
51
  Legion::Logging.debug "Ed25519 loading private key from #{vault_path}" if defined?(Legion::Logging)
51
52
  data = Legion::Crypt::Vault.read(vault_path)
52
53
  [data[:private_key]].pack('H*') if data&.dig(:private_key)
53
- rescue StandardError
54
+ rescue StandardError => e
55
+ Legion::Logging.warn("Legion::Crypt::Ed25519#load_private_key failed: #{e.message}") if defined?(Legion::Logging)
54
56
  nil
55
57
  end
56
58
 
@@ -59,7 +61,8 @@ module Legion
59
61
  def key_prefix
60
62
  begin
61
63
  Legion::Settings[:crypt][:ed25519][:vault_key_prefix]
62
- rescue StandardError
64
+ rescue StandardError => e
65
+ Legion::Logging.debug("Legion::Crypt::Ed25519#key_prefix settings lookup failed: #{e.message}") if defined?(Legion::Logging)
63
66
  nil
64
67
  end || 'secret/data/legion/keys'
65
68
  end
@@ -13,6 +13,7 @@ module Legion
13
13
 
14
14
  { erased: true, tenant_id: tenant_id, path: key_path }
15
15
  rescue StandardError => e
16
+ Legion::Logging.error("Legion::Crypt::Erasure#erase_tenant failed: #{e.message}") if defined?(Legion::Logging)
16
17
  { erased: false, tenant_id: tenant_id, error: e.message }
17
18
  end
18
19
 
@@ -20,7 +21,8 @@ module Legion
20
21
  key_path = "#{tenant_prefix}/#{tenant_id}/master_key"
21
22
  data = Legion::Crypt::Vault.read(key_path)
22
23
  { erased: data.nil?, tenant_id: tenant_id }
23
- rescue StandardError
24
+ rescue StandardError => e
25
+ Legion::Logging.warn("Legion::Crypt::Erasure#verify_erasure failed: #{e.message}") if defined?(Legion::Logging)
24
26
  { erased: true, tenant_id: tenant_id }
25
27
  end
26
28
 
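Review bot: `verify_erasure` still fails open: the rescue branch returns `{ erased: true, tenant_id: tenant_id }`, so any error raised by `Legion::Crypt::Vault.read` (timeout, permission denied, sealed Vault) is reported to the caller as a confirmed erasure, and the new warn line is the only trace of it. A check that cannot read the key path should report that it could not verify, e.g. `{ erased: false, tenant_id: tenant_id, error: e.message }`, which matches what the `erase_tenant` rescue returns. If one specific exception is the expected "key not found" signal, rescue that class on its own; this cannot be determined from the hunk, and the method's `def` line lies outside it.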
@@ -33,7 +35,8 @@ module Legion
33
35
  def tenant_prefix
34
36
  begin
35
37
  Legion::Settings[:crypt][:partition_keys][:vault_tenant_prefix]
36
- rescue StandardError
38
+ rescue StandardError => e
39
+ Legion::Logging.debug("Legion::Crypt::Erasure#tenant_prefix settings lookup failed: #{e.message}") if defined?(Legion::Logging)
37
40
  nil
38
41
  end || 'secret/data/legion/tenants'
39
42
  end
@@ -95,8 +95,8 @@ module Legion
95
95
 
96
96
  jwk = ::JWT::JWK.new(jwk_hash)
97
97
  keys[kid] = jwk.public_key
98
- rescue StandardError
99
- # Skip malformed keys, continue with valid ones
98
+ rescue StandardError => e
99
+ Legion::Logging.debug("Legion::Crypt::JwksClient#parse_jwks skipping malformed key kid=#{kid}: #{e.message}") if defined?(Legion::Logging)
100
100
  next
101
101
  end
102
102
 
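Review bot: The new debug line interpolates `kid` and `e.message` unescaped, and `kid` is taken from the fetched JWKS document rather than from local code, so a key id containing newlines or control characters can split or forge log entries. Write it as `kid=#{kid.inspect}` and consider logging `e.class` in place of the raw message. The removed comment `# Skip malformed keys, continue with valid ones` explained why the loop continues and is worth keeping above the `next`. The enclosing method begins and ends outside this hunk.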
@@ -28,6 +28,7 @@ module Legion
28
28
 
29
29
  results[name] = ldap_login(cluster_name: name, username: username, password: password)
30
30
  rescue StandardError => e
31
+ Legion::Logging.warn("Legion::Crypt::LdapAuth#ldap_login_all cluster=#{name} failed: #{e.message}") if defined?(Legion::Logging)
31
32
  results[name] = { error: e.message }
32
33
  end
33
34
  results
@@ -84,7 +84,8 @@ module Legion
84
84
  defined?(::Vault) &&
85
85
  defined?(Legion::Settings) &&
86
86
  Legion::Settings[:crypt][:vault][:connected] == true
87
- rescue StandardError
87
+ rescue StandardError => e
88
+ Legion::Logging.debug("Legion::Crypt::VaultJwtAuth#vault_connected? failed: #{e.message}") if defined?(Legion::Logging)
88
89
  false
89
90
  end
90
91
 
@@ -33,7 +33,8 @@ module Legion
33
33
  def self.vault_connected?
34
34
  defined?(::Vault) && defined?(Legion::Settings) &&
35
35
  Legion::Settings[:crypt][:vault][:connected] == true
36
- rescue StandardError
36
+ rescue StandardError => e
37
+ Legion::Logging.debug("Legion::Crypt::VaultKerberosAuth#vault_connected? failed: #{e.message}") if defined?(Legion::Logging)
37
38
  false
38
39
  end
39
40
 
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Legion
4
4
  module Crypt
5
- VERSION = '1.4.7'
5
+ VERSION = '1.4.8'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: legion-crypt
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.7
4
+ version: 1.4.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - Esity