legion-crypt 1.5.10 → 1.5.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79ee1533023eb70b2b171f15a3961f8514e698f67681ab182a6caf1e49b1e5c5
-  data.tar.gz: bc22e48e2161f537c1930cb20893d4e84c5a65f82f5ab7c852c0bb437c416b24
+  metadata.gz: a4af81549d8e946acfc92ec4036496fce4af3d1be6fc10cba534298434f0c94a
+  data.tar.gz: 7e70028fa24e9760ff791f49f88817b37c9ee009b21fdc7dae9382a49306e8ca
 SHA512:
-  metadata.gz: 1330293b0d8aef36cc9634cca92ab3019d54e1f0e9a39feb1ecff8786fe9b55b1454e929b223b23d7df71b8c0aec194a1a32a8f628e3bfca26684f3a9fc9e18a
-  data.tar.gz: 9c8e2a8093809e44c727796dc1d1f79ba097400442b49f3bf2d216d9946e564c1c5239253599ceebd3eb99b0753fe988a97d6171729429df000ba7b4419bf16c
+  metadata.gz: 96269db0a9859015418df236468d0eff5b08490e1eb7bc55c7507199dda579924273979405d9e724b3d1237b7855ecc7b949fabdbc15dc378994ad19930112c9
+  data.tar.gz: b112f3eb47b538549e842eaa8a766e15c1934650f010082ec892a4b05fa995746dcff25ffeed90a2e625e09ee4d38d21a9d399d9787c6fd6dd1598f6895fc28f

data/.gitignore

@@ -9,6 +9,7 @@
 /tmp/
 /legion/.idea/
 /.idea/
+*.gem
 *.key
 # rspec failure tracking
 .rspec_status

data/.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+# Standard LegionIO pre-commit configuration
+# Install: pre-commit install
+# Manual:  pre-commit run --all-files
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+        exclude: Gemfile\.lock
+      - id: check-merge-conflict
+
+  - repo: local
+    hooks:
+      - id: rubocop
+        name: RuboCop (autofix)
+        entry: scripts/pre-commit-rubocop.sh
+        language: script
+        types: [ruby]
+        pass_filenames: true
+
+      - id: ruby-syntax
+        name: Ruby syntax check
+        entry: ruby -c
+        language: system
+        types: [ruby]
+        pass_filenames: true

data/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 ## [Unreleased]
 
+## [1.5.12] - 2026-04-27
+
+### Fixed
+- `LeaseManager#trigger_reconnect` for `:postgresql` now calls `Legion::Data::Connection.reconnect_with_fresh_creds` (legion-data >= 1.6.26) instead of `sequel.disconnect` + `sequel.test_connection` — Sequel bakes credentials into the pool at `Sequel.connect` time, so the old approach reused stale credentials after Vault lease rotation, causing Apollo and other DB-backed services to silently lose access to data
+- Fallback to legacy `disconnect`/`test_connection` path when `reconnect_with_fresh_creds` is not available, with explicit warning about potential stale credentials
+- Reconnect failures now log at `:error` level (was `:warn`) since a failed reconnect means Apollo and DB-backed services are unavailable until the next rotation cycle
+- Lease shutdown, logging fallback, and SPIFFE socket cleanup paths now emit warnings/debug logs instead of silently swallowing unexpected failures.
+
+## [1.5.11] - 2026-04-27
+
+### Fixed
+- Cipher decrypt now validates malformed authenticated, legacy, and keypair ciphertext inputs before Base64/OpenSSL decoding, raising actionable errors that identify missing non-secret fields such as auth tag, IV, or cluster secret instead of generic `unpack1` nil failures.
+- Crypt's logging compatibility helper now preserves full exception backtraces instead of truncating fallback log output to 10 frames.
+
 ## [1.5.10] - 2026-04-19
 
 ### Fixed

data/lib/legion/crypt/cipher.rb

@@ -113,6 +113,13 @@ module Legion
 
       def decrypt_authenticated(message, init_vector, secret)
         _, encoded_ciphertext, encoded_auth_tag = message.split(':', 3)
+        validate_authenticated_ciphertext!(
+          encoded_ciphertext: encoded_ciphertext,
+          encoded_auth_tag:   encoded_auth_tag,
+          init_vector:        init_vector,
+          secret:             secret,
+          message:            message
+        )
 
         decipher = OpenSSL::Cipher.new(AUTHENTICATED_CIPHER)
         decipher.decrypt
@@ -123,6 +130,8 @@ module Legion
       end
 
       def decrypt_legacy(message, init_vector, secret)
+        validate_legacy_ciphertext!(message: message, init_vector: init_vector, secret: secret)
+
         decipher = OpenSSL::Cipher.new(LEGACY_CIPHER)
         decipher.decrypt
         decipher.key = secret
@@ -136,12 +145,70 @@ module Legion
 
       def decrypt_oaep_from_keypair(message)
         _, encoded_message = message.split(':', 2)
+        validate_keypair_ciphertext!(encoded_message: encoded_message, message: message, scheme: RSA_OAEP_PREFIX)
+
         private_key.private_decrypt(Base64.strict_decode64(encoded_message), RSA_OAEP_PADDING)
       end
 
       def decrypt_legacy_from_keypair(message)
+        validate_keypair_ciphertext!(encoded_message: message, message: message, scheme: 'legacy')
+
         private_key.private_decrypt(Base64.decode64(message), RSA_LEGACY_PADDING)
       end
+
+      def validate_authenticated_ciphertext!(encoded_ciphertext:, encoded_auth_tag:, init_vector:, secret:, message:)
+        missing = []
+        missing << 'ciphertext' if blank?(encoded_ciphertext)
+        missing << 'auth_tag' if blank?(encoded_auth_tag)
+        missing << 'iv' if blank?(init_vector)
+        missing << 'cluster_secret' if blank?(secret)
+        return if missing.empty?
+
+        raise ArgumentError, 'invalid authenticated ciphertext: missing ' \
+                             "#{missing.join(', ')} " \
+                             "(scheme=#{AUTHENTICATED_PREFIX} " \
+                             "message_bytes=#{byte_size(message)} " \
+                             "ciphertext_present=#{present?(encoded_ciphertext)} " \
+                             "auth_tag_present=#{present?(encoded_auth_tag)} " \
+                             "iv_present=#{present?(init_vector)} " \
+                             "cluster_secret_present=#{present?(secret)})"
+      end
+
+      def validate_legacy_ciphertext!(message:, init_vector:, secret:)
+        missing = []
+        missing << 'ciphertext' if blank?(message)
+        missing << 'iv' if blank?(init_vector)
+        missing << 'cluster_secret' if blank?(secret)
+        return if missing.empty?
+
+        raise ArgumentError, 'invalid legacy ciphertext: missing ' \
+                             "#{missing.join(', ')} " \
+                             "(message_bytes=#{byte_size(message)} " \
+                             "iv_present=#{present?(init_vector)} " \
+                             "cluster_secret_present=#{present?(secret)})"
+      end
+
+      def validate_keypair_ciphertext!(encoded_message:, message:, scheme:)
+        return unless blank?(encoded_message)
+
+        raise ArgumentError, 'invalid keypair ciphertext: missing ciphertext ' \
+                             "(scheme=#{scheme} message_bytes=#{byte_size(message)})"
+      end
+
+      def blank?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+
+      def present?(value)
+        !blank?(value)
+      end
+
+      def byte_size(value)
+        return 0 if value.nil?
+        return value.bytesize if value.respond_to?(:bytesize)
+
+        value.to_s.bytesize
+      end
     end
   end
 end

data/lib/legion/crypt/lease_manager.rb

@@ -248,10 +248,10 @@ module Legion
           next if @state_mutex.synchronize { @active_leases.empty? }
 
           Timeout.timeout(10) { shutdown }
-        rescue Timeout::Error
-          warn '[LeaseManager] at_exit shutdown timed out after 10s'
-        rescue StandardError # best effort on crash
-          nil
+        rescue Timeout::Error => e
+          log.warn("[LeaseManager] at_exit shutdown timed out after 10s: #{e.message}")
+        rescue StandardError => e # best effort on crash
+          log.warn("[LeaseManager] at_exit shutdown failed: #{e.class}: #{e.message}")
         end
         @at_exit_registered = true
       end
@@ -466,11 +466,7 @@ module Legion
           Legion::Transport::Connection.force_reconnect
           log.info("LeaseManager: triggered transport reconnect after '#{name}' reissue")
         when :postgresql
-          return unless defined?(Legion::Data::Connection) && Legion::Data::Connection.sequel
-
-          Legion::Data::Connection.sequel.disconnect
-          Legion::Data::Connection.sequel.test_connection
-          log.info("LeaseManager: triggered data pool reconnect after '#{name}' reissue")
+          trigger_postgresql_reconnect(name)
         when :redis
           return unless defined?(Legion::Cache)
 
@@ -482,8 +478,34 @@ module Legion
           log.info("LeaseManager: triggered cache reconnect after '#{name}' reissue")
         end
       rescue StandardError => e
-        handle_exception(e, level: :warn, operation: 'crypt.lease_manager.trigger_reconnect', lease_name: name)
-        log.warn("LeaseManager: reconnect for '#{name}' failed: #{e.message}")
+        handle_exception(e, level: :error, operation: 'crypt.lease_manager.trigger_reconnect', lease_name: name)
+        log.error("LeaseManager: reconnect for '#{name}' FAILED: #{e.message} — " \
+                  'services may be unavailable until the next lease rotation')
+      end
+
+      def trigger_postgresql_reconnect(name)
+        unless defined?(Legion::Data::Connection)
+          log.debug("LeaseManager: no Legion::Data::Connection loaded for '#{name}' reconnect")
+          return
+        end
+
+        if Legion::Data::Connection.respond_to?(:reconnect_with_fresh_creds)
+          success = Legion::Data::Connection.reconnect_with_fresh_creds
+          if success
+            log.info("LeaseManager: reconnected data layer with fresh credentials after '#{name}' reissue")
+          else
+            log.error("LeaseManager: FAILED to reconnect data layer after '#{name}' reissue — " \
+                      'Apollo and other DB-backed services may be unavailable')
+          end
+        elsif Legion::Data::Connection.respond_to?(:sequel) && Legion::Data::Connection.sequel
+          log.warn('LeaseManager: legion-data does not support reconnect_with_fresh_creds — ' \
+                   'falling back to pool disconnect (may use stale credentials)')
+          Legion::Data::Connection.sequel.disconnect
+          Legion::Data::Connection.sequel.test_connection
+          log.info("LeaseManager: triggered data pool reconnect after '#{name}' reissue (legacy path)")
+        else
+          log.warn("LeaseManager: no active data connection to reconnect after '#{name}' reissue")
+        end
       end
 
       def running?

data/lib/legion/crypt/spiffe/workload_api_client.rb

@@ -104,10 +104,18 @@ module Legion
             send_grpc_request(sock, method_path, request_body)
             read_grpc_response(sock)
           ensure
-            sock.close rescue nil # rubocop:disable Style/RescueModifier
+            close_workload_api_socket(sock, method_path)
           end
         end
 
+        def close_workload_api_socket(sock, method_path)
+          sock.close
+        rescue StandardError => e
+          handle_exception(e, level: :debug, operation: 'crypt.spiffe.workload_api_client.close_socket',
+                           method_path: method_path, socket_path: @socket_path)
+          nil
+        end
+
         def connect_socket
           raise WorkloadApiError, "SPIRE agent socket not found at '#{@socket_path}'" unless ::File.exist?(@socket_path)
 

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.5.10'
+    VERSION = '1.5.12'
   end
 end

data/lib/legion/logging/helper.rb

@@ -6,8 +6,9 @@ begin
     'lib/legion/logging/helper.rb'
   )
   require helper_path if File.exist?(helper_path)
-rescue Gem::LoadError
-  nil
+rescue Gem::LoadError => e
+  require 'legion/logging'
+  Legion::Logging.warn("legion-crypt logging helper fallback active: #{e.message}")
 end
 
 require 'legion/logging'
@@ -38,7 +39,8 @@ module Legion
             return false unless Legion.const_defined?('Logging')
 
             Legion::Logging.respond_to?(level)
-          rescue StandardError
+          rescue StandardError => e
+            Legion::Logging.warn("legion-crypt logging support check failed: #{e.message}")
             false
           end
         end
@@ -77,7 +79,8 @@ module Legion
         return false unless Legion.const_defined?('Logging')
 
         Legion::Logging.respond_to?(level)
-      rescue StandardError
+      rescue StandardError => e
+        Legion::Logging.warn("legion-crypt logging support check failed: #{e.message}")
         false
       end
 
@@ -86,7 +89,7 @@ module Legion
         prefix = operation ? "#{operation} failed: " : ''
         details = opts.reject { |key, _value| key.to_s == 'operation' }.map { |key, value| "#{key}=#{value}" }
         detail_suffix = details.empty? ? '' : " (#{details.join(' ')})"
-        backtrace = Array(exception.backtrace).first(10).join("\n")
+        backtrace = Array(exception.backtrace).join("\n")
         base = "#{prefix}#{exception.class}: #{exception.message}#{detail_suffix}"
         return base if backtrace.empty? || level == :debug
         return base if backtrace.empty?

data/scripts/pre-commit-rubocop.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Pre-commit hook: run RuboCop with autofix on staged Ruby files.
+# Tries rubocop directly, then bundle exec. If the binary is truly
+# unavailable (exit 127 / crash / Prism conflict), warns and defers
+# to CI. If rubocop runs but reports offenses, fails the commit.
+set -uo pipefail
+
+run_rubocop() {
+  output=$("$@" -A --force-exclusion "${FILES[@]}" 2>&1)
+  rc=$?
+  if [ $rc -eq 0 ] || [ $rc -eq 1 ]; then
+    # rubocop ran successfully: 0 = clean, 1 = offenses found
+    echo "$output"
+    return $rc
+  fi
+  # exit > 1 means rubocop crashed / couldn't load. Preserve the output so the
+  # local failure is visible even when CI remains the final enforcement point.
+  echo "$output" >&2
+  return 2
+}
+
+FILES=("$@")
+
+if run_rubocop rubocop; then
+  exit 0
+elif [ $? -eq 1 ]; then
+  echo "RuboCop found offenses that could not be auto-corrected."
+  exit 1
+fi
+
+if run_rubocop bundle exec rubocop; then
+  exit 0
+elif [ $? -eq 1 ]; then
+  echo "RuboCop found offenses that could not be auto-corrected."
+  exit 1
+fi
+
+echo "⚠  RuboCop not available locally (Prism conflict?) — CI will enforce."
+echo "   Run 'ruby -c' to at least verify syntax."
+ruby -c "$@" 2>&1 || exit 1
+exit 0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.5.10
+  version: 1.5.12
 platform: ruby
 authors:
 - Esity
@@ -93,6 +93,7 @@ files:
 - ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
+- ".pre-commit-config.yaml"
 - ".rubocop.yml"
 - AGENTS.md
 - CHANGELOG.md
@@ -134,6 +135,7 @@ files:
 - lib/legion/crypt/version.rb
 - lib/legion/logging.rb
 - lib/legion/logging/helper.rb
+- scripts/pre-commit-rubocop.sh
 - sonar-project.properties
 homepage: https://github.com/LegionIO/legion-crypt
 licenses: