legion-crypt 1.5.0 → 1.5.1
- checksums.yaml +4 -4
- data/AGENTS.md +9 -0
- data/CHANGELOG.md +6 -0
- data/lib/legion/crypt/lease_manager.rb +15 -0
- data/lib/legion/crypt/vault.rb +1 -1
- data/lib/legion/crypt/version.rb +1 -1
- metadata +1 -1
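--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a988afa9a1eca8337d8355120b5c5b7ea5a7feb5333477db6c3d22b1a9714bc2
+data.tar.gz: '068dce6425c3bd706848b2daab7a8465b1b1a7ffe5aa207b386b6263685b2db6'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6467a8507feb5172ea8fc081ddfe30fc82fd7fff7591a24ea0e10bd822a1939e326d98b7b6e8c9efdb8efe0ae4eb7e58b1ac9973beba5bf880db77a37589183a
+data.tar.gz: c81cadc3cdc2cbbc78d51dcc8884b1f4a3259c00383f7ead23208443bf852cf606489e980bd01b2a3887d69f0b1c9de5aff6a889c33632a2c1c4a8172daaebf5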
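--- a/data/AGENTS.md
+++ b/data/AGENTS.md
@@ -32,6 +32,15 @@ bundle exec rubocop
 - Maintain compatibility for Kerberos, LDAP, and JWT Vault auth paths.
 - Cryptographic defaults and key lifecycle behavior are contract-sensitive; change only with test coverage.
 
+## Known Risks
+
+- Vault-backed cluster secret sync is inconsistent today: config key mismatch, read/write path mismatch, and push happens before the new secret is stored.
+- External JWKS verification currently accepts tokens without issuer/audience enforcement unless the caller passes both explicitly; fail closed when touching this path.
+- Multi-cluster Vault behavior has correctness gaps around LDAP token propagation, default-cluster routing, and lease-manager client selection.
+- SPIFFE X.509 fetch currently falls back to a self-signed SVID on Workload API failure; treat that path as security-sensitive and avoid expanding the fallback behavior.
+- `Ed25519` and `Erasure` include helper paths that call `Legion::Crypt::Vault.read/write` directly; verify runtime behavior before relying on those helpers.
+- Current specs pass, but some of the highest-risk paths above are under-covered or only covered with mocks that preserve the existing behavior.
+
 ## Validation
 
 - Run targeted specs for changed auth/crypto paths first.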
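--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Legion::Crypt
 
+## [1.5.1] - 2026-04-03
+
+### Fixed
+- Vault `read` method no longer prepends a `legion/` mount prefix to paths — the default `type` parameter changed from `'legion'` to `nil` to match the actual KV v2 mount path in the `legionio` namespace
+- LeaseManager now registers an `at_exit` hook to revoke active Vault leases on unclean process exit, preventing orphaned dynamic credentials (RabbitMQ users, PostgreSQL roles, Redis creds)
+
 ## [1.5.0] - 2026-04-02
 
 ### Fixed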
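--- a/data/lib/legion/crypt/lease_manager.rb
+++ b/data/lib/legion/crypt/lease_manager.rb
@@ -24,6 +24,8 @@ module Legion
 @state_mutex.synchronize { @vault_client = vault_client }
 return if definitions.nil? || definitions.empty?
 
+register_at_exit_hook
+
 log.info "LeaseManager start requested definitions=#{definitions.size}"
 definitions.each do |name, opts|
 path = opts['path'] || opts[:path]
@@ -156,6 +158,19 @@ module Legion
 
 private
 
+def register_at_exit_hook
+return if @at_exit_registered
+
+at_exit do
+next if @state_mutex.synchronize { @active_leases.empty? }
+
+shutdown
+rescue StandardError # best effort on crash
+nil
+end
+@at_exit_registered = true
+end
+
 def logical
 client = @state_mutex.synchronize { @vault_client }
 client ? client.logical : ::Vault.logical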
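Review bot: The hook installed by `register_at_exit_hook` is inherited across `fork`, so in a pre-forking host a worker that exits would revoke leases the parent and its sibling workers are still using; record `Process.pid` at registration and skip the revoke in any other process. The `rescue StandardError` also drops the failure silently, and an unrevoked dynamic credential at exit is exactly what an operator needs to see, so log it before swallowing. Note the hook only covers exits Ruby itself sees (normal return, `exit`, uncaught exceptions including the signals Ruby turns into exceptions), not SIGKILL or a hard crash, so the changelog's "unclean process exit" should be read with that limit. `@at_exit_registered` is read and set outside `@state_mutex` while `start` guards its other state with that mutex; if `start` can be reached from more than one thread, move the check and the assignment under it. `shutdown` is outside the hunk, so whether its Vault revoke calls are bounded by a timeout at exit could not be checked here.
```ruby
def register_at_exit_hook
  return if @at_exit_registered

  owner_pid = Process.pid
  at_exit do
    # a forked child inherits this hook; only the process that took the leases may revoke them
    next unless Process.pid == owner_pid
    next if @state_mutex.synchronize { @active_leases.empty? }

    shutdown
  rescue StandardError => e
    # best effort on crash, but an unrevoked dynamic credential is worth a trace
    log.warn "LeaseManager at_exit revoke failed: #{e.class}: #{e.message}"
  end
  @at_exit_registered = true
end
```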
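--- a/data/lib/legion/crypt/vault.rb
+++ b/data/lib/legion/crypt/vault.rb
@@ -47,7 +47,7 @@ module Legion
 raise
 end
 
-def read(path, type =
+def read(path, type = nil, cluster_name: nil)
 full_path = type.nil? || type.empty? ? path : "#{type}/#{path}"
 log_read_context(full_path, cluster_name: cluster_name)
 lease = logical_client(cluster_name: cluster_name).read(full_path)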
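Review bot: `full_path` is still built by bare interpolation of `type` and `path` with no normalization, so a `path` carrying a leading `/` or a `..` segment, or a `type` with a trailing slash, silently changes which Vault location is read; if either value can originate from config or from a caller outside this gem, reject or normalize it before the read. The new `nil` default also means every existing `read(path)` caller now targets a different path than in 1.5.0, and a secret missing at the new location typically comes back from the logical read as nil rather than an error (the handling of `lease` continues below the hunk), so a stale caller would see an empty secret instead of a failure. The changelog ties this to a KV v2 mount; if so, the logical API expects `<mount>/data/<path>`, which is worth confirming at the call sites. A YARD line on the signature would pin the contract: `# @param type [String, nil] optional mount prefix; nil (the default since 1.5.1) uses path verbatim — no implicit 'legion/'`.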
data/lib/legion/crypt/version.rb
CHANGED