legion-crypt 1.5.7 → 1.5.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b695e8ac3853b730218da5e1b40b9f7bdc9c7fbffbd1ec4eddccd5539fe296a
-  data.tar.gz: 544bf702cdcc9114b7fa0b99c14141fa6f58b37ee9dbde767e953076ffaedb4c
+  metadata.gz: 42200f56d577b407725621c56af4f7d191c1ad0219c33c99f5e4adc02568aac6
+  data.tar.gz: c231674d541726ab2fa3cf381e655a67be065e2481ce4f50c39d42b52875f6fa
 SHA512:
-  metadata.gz: dcf4c2dd40eeb403ec1708be60992abf7970d73e1f084f84cd840c4a1718c70497cee70a6bfe5b3d402852a9289f8498a3afbc23973a557e3f1cca355d2fefbe
-  data.tar.gz: a90c05a4b59d770f8cd0276008e9454e15e966e570ebf0248f8d5bb8fa48c67120c91d357e8b7225d14ec98547c41cc2914c130a65022e416e6739e489d4c526
+  metadata.gz: 2ee34bea6a9a73af47707259d8b857dfc1c1eb8f9e3519ccbefd811bb43e182c734795d15732de82058acb1101f3ba14bc16c39feeae87873c290e2aad58c049
+  data.tar.gz: b4d4c72a242b0cfb229dcb27f654f41e6dfd6c3035c73901345588639ea102969e83edb31e5b9572705f674eeba8bd3a6fe89915b9db4ca2eedd33749c12fcf3

data/CHANGELOG.md

@@ -2,6 +2,29 @@
 
 ## [Unreleased]
 
+## [1.5.9] - 2026-04-10
+
+### Fixed
+- Vault lease cascade revocation: all three service credentials (RabbitMQ, PostgreSQL, Redis) died at exactly 2 hours when the Vault Kerberos auth token expired — Vault cascade-revokes all child leases when the parent token dies, regardless of individual lease TTLs (closes #29)
+- `TokenRenewer` now detects non-renewable tokens (`renewable=false`) and skips `renew_self` (which always fails for non-renewable tokens), going straight to `reauth_kerberos` before the token expires
+- `TokenRenewer#reauth_kerberos` now triggers `LeaseManager.reissue_all` after obtaining a new token, re-issuing all active leases under the new token so they are not orphaned when the old token expires
+- `LeaseManager#push_to_settings` symbol/string key mismatch: `resolve_secrets!` registers refs with string keys (`"rabbitmq"`) via `lease://` URI parsing, but `cache_lease` stores leases with symbol keys (`:rabbitmq` from `Legion::JSON.load`) — now tries both key types
+- `LeaseManager#trigger_reconnect` for `:postgresql` — uses surgical Sequel pool `disconnect` + `test_connection` instead of `Data.shutdown + Data.setup` which tore down unrelated connections (Apollo SQLite, Local cache)
+- `LeaseManager#trigger_reconnect` for `:redis` — uses `Cache.restart` (the actual method) instead of `Cache.reconnect` (which does not exist)
+
+### Added
+- `LeaseManager#reissue_all` — re-issues all active leases under the current vault client token; called by `TokenRenewer` after successful Kerberos re-authentication to prevent cascade revocation of orphaned leases
+
+## [1.5.8] - 2026-04-09
+
+### Added
+- Configurable SSL verification for Vault connections via `crypt.vault.tls.verify` setting (`peer`/`none`/`mutual`, defaults to `peer`)
+- Global Vault client (`vault.rb`) now sets `::Vault.ssl_verify` from `vault.tls.verify` setting
+- Per-cluster Vault clients (`vault_cluster.rb`) now pass `ssl_verify:` to `::Vault::Client.new` from `config[:tls][:verify]`
+- JWKS client (`jwks_client.rb`) now sets `Net::HTTP#verify_mode` from `crypt.jwt.jwks_tls_verify` setting (`peer`/`none`, defaults to `peer`)
+- `jwks_tls_verify: 'peer'` default added to JWT settings
+- `tls: { verify: 'peer' }` default added to Vault settings
+
 ## [1.5.7] - 2026-04-08
 
 ### Fixed

data/lib/legion/crypt/jwks_client.rb

@@ -112,7 +112,8 @@ module Legion
           raise Legion::Crypt::JWT::Error, 'failed to fetch JWKS: HTTPS is required' unless uri.scheme == 'https'
 
           http = Net::HTTP.new(uri.host, uri.port)
-          http.use_ssl = uri.scheme == 'https'
+          http.use_ssl = true
+          http.verify_mode = jwks_ssl_verify_mode
           http.open_timeout = 10
           http.read_timeout = 10
 
@@ -158,6 +159,15 @@ module Legion
           keys
         end
 
+        def jwks_ssl_verify_mode
+          return OpenSSL::SSL::VERIFY_PEER unless defined?(Legion::Settings)
+
+          verify = Legion::Settings[:crypt][:jwt][:jwks_tls_verify]&.to_s
+          verify == 'none' ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
+        rescue StandardError
+          OpenSSL::SSL::VERIFY_PEER
+        end
+
         def with_url_lock(jwks_url, &)
           lock = @locks_mutex.synchronize { @locks[jwks_url] ||= Mutex.new }
           lock.synchronize(&)

data/lib/legion/crypt/lease_manager.rb

@@ -86,7 +86,9 @@ module Legion
 
       def push_to_settings(name)
         refs, data = @state_mutex.synchronize do
-          [@refs[name]&.dup, @lease_cache[name]&.dup]
+          r = @refs[name] || @refs[name.to_s] || @refs[name.to_sym]
+          d = @lease_cache[name] || @lease_cache[name.to_s] || @lease_cache[name.to_sym]
+          [r&.dup, d&.dup]
         end
         return if refs.nil? || refs.empty?
         return unless data
@@ -109,6 +111,19 @@ module Legion
         sys
       end
 
+      def reissue_all
+        log.info('LeaseManager: reissue_all — re-issuing all active leases under new token')
+        lease_names = @state_mutex.synchronize { @active_leases.keys.dup }
+
+        lease_names.each do |name|
+          lease = @state_mutex.synchronize { @active_leases[name]&.dup }
+          next unless lease && lease[:path]
+
+          reissue_lease(name)
+        end
+        log.info('LeaseManager: reissue_all complete')
+      end
+
       def register_dynamic_lease(name:, path:, response:, settings_refs:)
         register_at_exit_hook
 
@@ -451,14 +466,19 @@ module Legion
           Legion::Transport::Connection.force_reconnect
           log.info("LeaseManager: triggered transport reconnect after '#{name}' reissue")
         when :postgresql
-          return unless defined?(Legion::Data) && Legion::Data.respond_to?(:reconnect)
+          return unless defined?(Legion::Data::Connection) && Legion::Data::Connection.sequel
 
-          Legion::Data.reconnect
-          log.info("LeaseManager: triggered data reconnect after '#{name}' reissue")
+          Legion::Data::Connection.sequel.disconnect
+          Legion::Data::Connection.sequel.test_connection
+          log.info("LeaseManager: triggered data pool reconnect after '#{name}' reissue")
         when :redis
-          return unless defined?(Legion::Cache) && Legion::Cache.respond_to?(:reconnect)
+          return unless defined?(Legion::Cache)
 
-          Legion::Cache.reconnect
+          if Legion::Cache.respond_to?(:restart)
+            Legion::Cache.restart
+          elsif Legion::Cache.respond_to?(:reconnect)
+            Legion::Cache.reconnect
+          end
           log.info("LeaseManager: triggered cache reconnect after '#{name}' reissue")
         end
       rescue StandardError => e

data/lib/legion/crypt/settings.rb

@@ -48,7 +48,8 @@ module Legion
           default_ttl:       3600,
           issuer:            'legion',
           verify_expiration: true,
-          verify_issuer:     true
+          verify_issuer:     true,
+          jwks_tls_verify:   'peer'
         }
       end
 
@@ -72,6 +73,9 @@ module Legion
             service_principal: nil,
             auth_path:         'auth/kerberos/login'
           },
+          tls:                 {
+            verify: 'peer'
+          },
           clusters:            {},
           bootstrap_lease_ttl: 300,
           dynamic_rmq_creds:   false,

data/lib/legion/crypt/token_renewer.rb

@@ -72,7 +72,9 @@ module Legion
         @config[:renewable]      = result[:renewable]
         @config[:connected]      = true
         @vault_client.token      = result[:token]
-        log.info("TokenRenewer[#{@cluster_name}]: re-authenticated via Kerberos")
+        log.info("TokenRenewer[#{@cluster_name}]: re-authenticated via Kerberos, ttl=#{result[:lease_duration]}s")
+
+        reissue_all_leases
         true
       rescue StandardError => e
         handle_exception(e, level: :warn, operation: 'crypt.token_renewer.reauth_kerberos', cluster_name: @cluster_name)
@@ -104,10 +106,18 @@ module Legion
         interruptible_sleep(sleep_duration)
 
         until @stop
-          if renew_token || reauth_kerberos
-            on_renewal_success
+          if @config[:renewable]
+            if renew_token || reauth_kerberos
+              on_renewal_success
+            else
+              on_renewal_failure
+            end
           else
-            on_renewal_failure
+            if reauth_kerberos # rubocop:disable Style/IfInsideElse
+              on_renewal_success
+            else
+              on_renewal_failure
+            end
           end
         end
       rescue StandardError => e
@@ -128,6 +138,15 @@ module Legion
         interruptible_sleep(delay)
       end
 
+      def reissue_all_leases
+        return unless defined?(Legion::Crypt::LeaseManager)
+
+        Legion::Crypt::LeaseManager.instance.reissue_all
+      rescue StandardError => e
+        handle_exception(e, level: :warn, operation: 'crypt.token_renewer.reissue_all_leases', cluster_name: @cluster_name)
+        log.warn("TokenRenewer[#{@cluster_name}]: failed to reissue leases after reauth: #{e.message}")
+      end
+
       def interruptible_sleep(seconds)
         deadline = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + seconds
         loop do
@@ -150,7 +169,7 @@ module Legion
         else
           @thread = nil
           revoke_token
-          log.debug("TokenRenewer[#{@cluster_name}]: token renewal thread stopped")
+          log.info("TokenRenewer[#{@cluster_name}]: token renewal thread stopped")
         end
       end
 

data/lib/legion/crypt/vault.rb

@@ -19,8 +19,9 @@ module Legion
         @sessions = []
         vault_settings = Legion::Settings[:crypt][:vault]
         ::Vault.address = resolve_vault_address(vault_settings)
+        ::Vault.ssl_verify = resolve_ssl_verify(vault_settings[:tls])
         namespace = vault_settings[:vault_namespace]
-        log.info "Vault connection requested address=#{::Vault.address} namespace=#{namespace || 'none'}"
+        log.info "Vault connection requested address=#{::Vault.address} namespace=#{namespace || 'none'} ssl_verify=#{::Vault.ssl_verify}"
 
         Legion::Settings[:crypt][:vault][:token] = ENV['VAULT_DEV_ROOT_TOKEN_ID'] if ENV.key? 'VAULT_DEV_ROOT_TOKEN_ID'
         return nil if Legion::Settings[:crypt][:vault][:token].nil?
@@ -209,6 +210,13 @@ module Legion
         data[:data]
       end
 
+      def resolve_ssl_verify(tls_config)
+        return true if tls_config.nil?
+
+        verify = tls_config[:verify]&.to_s
+        verify != 'none'
+      end
+
       def resolve_vault_address(vault_settings)
         protocol = vault_settings[:protocol] || 'http'
         address  = vault_settings[:address] || 'localhost'

data/lib/legion/crypt/vault_cluster.rb

@@ -118,11 +118,13 @@ module Legion
         return nil unless config.is_a?(Hash)
 
         addr = "#{config[:protocol]}://#{config[:address]}:#{config[:port]}"
-        log.info "Building Vault client address=#{addr} namespace=#{config[:namespace].inspect}"
+        ssl_verify = resolve_cluster_ssl_verify(config[:tls])
+        log.info "Building Vault client address=#{addr} namespace=#{config[:namespace].inspect} ssl_verify=#{ssl_verify}"
         log_vault_debug("build_vault_client: address=#{addr}")
         client = ::Vault::Client.new(
-          address: addr,
-          token:   config[:token]
+          address:    addr,
+          token:      config[:token],
+          ssl_verify: ssl_verify
         )
         namespace =
           if config.key?(:namespace)
@@ -136,6 +138,13 @@ module Legion
         client
       end
 
+      def resolve_cluster_ssl_verify(tls_config)
+        return true if tls_config.nil?
+
+        verify = tls_config[:verify]&.to_s
+        verify != 'none'
+      end
+
       def log_vault_error(name, error, operation: 'crypt.vault_cluster.error')
         handle_exception(error, level: :error, operation: operation, cluster_name: name)
       end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.5.7'
+    VERSION = '1.5.9'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.5.7
+  version: 1.5.9
 platform: ruby
 authors:
 - Esity