RubyGems - legion-crypt - Versions diffs - 1.4.15 → 1.4.16 - Mend

legion-crypt 1.4.15 → 1.4.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +21 -0
data/CLAUDE.md +12 -0
data/README.md +30 -1
data/lib/legion/crypt/kerberos_auth.rb +2 -8
data/lib/legion/crypt/lease_manager.rb +15 -4
data/lib/legion/crypt/settings.rb +1 -0
data/lib/legion/crypt/token_renewer.rb +26 -3
data/lib/legion/crypt/vault_cluster.rb +9 -1
data/lib/legion/crypt/version.rb +1 -1
data/lib/legion/crypt.rb +18 -3
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f43eee9680197c62f53f2a7ed8c77eee725f7f01744c32e5ad0115fdfb2ad21
-  data.tar.gz: 3ba3cd7da0684d8a9ec68d23797d487240035dc2f5e07fdba7ab0cfb1727dafe
+  metadata.gz: 6ff70cf0304e424576841101c5c3399bded877b2995200049a76d7741f008bdf
+  data.tar.gz: 7440aa2dfb8246fac7cb115bbed096a9ee7dd21b7538efdea69388a3293df313
 SHA512:
-  metadata.gz: 79fe4cd8653f9a09c3c2f6acc7da403e00d8a8e05b6fb6f488fb25a3c8fadfcbee00cc1ffa7e31319840025a5d622d2b1b6a32210ff0cd9141a04aef26c27e59
-  data.tar.gz: b691e62e093b3504d7e7da0501cda48aca9ae705429ed1d5caf97dd3ab7a9b7f87826a8d0cf4dabbff01e1f755d7cee555d74dee85754f7206feb5cadbfdd8f8
+  metadata.gz: 10d2966123e6e1764e039001f8543f56abd5b2239293947ade3d0db69dcbe80e5117e8ef948b3bbbbdd42d42ce31bdf539c2f4d3a2a0007afcdcb7308286f6fd
+  data.tar.gz: c226b7ac31c8a8dc310224c4d7fb8501da35ac4489cfa144d469ca4d1a96a4fa9337e23d43b5725c893c95a47e52f8503378cb2d9f743cf3b45b963d7b8dfe28

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,26 @@
 # Legion::Crypt
+## [1.4.16] - 2026-03-26
+### Changed
+- `KerberosAuth#exchange_token`: removed namespace clear/restore logic — Kerberos auth is now mounted inside the target namespace, client namespace is preserved so the issued token is scoped correctly
+- `VaultCluster#connect_kerberos_cluster`: set token on the cached vault_client after Kerberos auth (`vault_client(name).token = result[:token]`) so the memoized client is immediately usable
+- `VaultCluster#build_vault_client`: fall back to `Settings[:crypt][:vault][:vault_namespace]` when `config[:namespace]` is absent, guarded with `defined?(Legion::Settings)`
+- `TokenRenewer#stop`: revoke the Vault token on shutdown (only for Kerberos auth_method; token-based clusters are not revoked)
+- `LeaseManager#start`: accepts optional `vault_client:` keyword argument; stores and routes `logical.read` through it when provided
+- `LeaseManager#shutdown`: routes `sys.revoke` through the cluster vault_client when one was supplied
+- `LeaseManager#renew_lease`: routes `sys.renew` through the cluster vault_client when one was supplied
+- `Crypt#start_lease_manager`: triggers when `connected_clusters.any?` in addition to the single-cluster `vault.connected` flag; passes the default cluster client to the lease manager
+### Added
+- `vault_namespace: 'legionio'` default in `Settings.vault` — used as namespace fallback for cluster clients when `config[:namespace]` is not set
+- `TokenRenewer#revoke_token` private method: self-revokes the token via `auth_token.revoke_self`, guarded to Kerberos auth_method only
+### Fixed
+- `TokenRenewer#stop`: skip token revocation when renewal thread is still alive after join timeout to prevent racy revocation against a running thread; log warning instead
+- `Crypt#start_lease_manager`: use `vault_settings[:default]` (matching `VaultCluster#default_cluster_name`) instead of the nonexistent `:default_cluster` key so configured default cluster is honored
+- `LeaseManager#start`: always assign `@vault_client` before early return so subsequent `shutdown`/`reset!` calls do not use a stale cluster client; clear `@vault_client` in both `shutdown` and `reset!`
 ## [1.4.15] - 2026-03-26
 ### Fixed

data/CLAUDE.md CHANGED Viewed

@@ -57,6 +57,12 @@ Legion::Crypt (singleton module)
 ├── Erasure            # Cryptographic erasure via Vault master key deletion
 ├── Attestation        # Signed identity claims with Ed25519, freshness checking
 ├── LeaseManager       # Dynamic Vault lease lifecycle: fetch, cache, renew, rotate, push-back
+├── KerberosAuth       # GSSAPI SPNEGO token acquisition; `disable_gssapi_finalizers` prevents GC segfault on macOS
+├── VaultKerberosAuth  # Vault Kerberos auth: SPNEGO as `Authorization` header, namespace clear/restore, TokenRenewer wiring
+├── LdapAuth           # Vault LDAP auth backend
+├── Tls                # TLS settings (cert/key/CA/verify_peer/Vault PKI)
+├── Mtls               # mTLS cert issuance (Vault PKI) + CertRotation background thread (50% TTL renewal)
+├── TokenRenewer       # Background renewal thread: 75% TTL renew, Kerberos re-auth on failure, exponential backoff
 ├── MockVault          # In-memory Vault mock for local development mode
 ├── Settings           # Default crypt config
 └── Version
@@ -120,6 +126,12 @@ Dev dependencies: `legion-logging`, `legion-settings`
 | `lib/legion/crypt/partition_keys.rb` | HKDF per-tenant key derivation with AES-256-GCM |
 | `lib/legion/crypt/erasure.rb` | Cryptographic erasure via Vault master key deletion |
 | `lib/legion/crypt/attestation.rb` | Signed identity claims with Ed25519 signatures |
+| `lib/legion/crypt/kerberos_auth.rb` | GSSAPI/Kerberos token acquisition; `obtain_spnego_token`, `disable_gssapi_finalizers` (prevents GC segfault on macOS) |
+| `lib/legion/crypt/vault_kerberos_auth.rb` | Vault Kerberos auth backend: sends SPNEGO token as `Authorization` HTTP header, clears/restores namespace, wires `TokenRenewer` |
+| `lib/legion/crypt/ldap_auth.rb` | Vault LDAP auth backend integration |
+| `lib/legion/crypt/tls.rb` | TLS settings module (cert, key, CA paths, verify_peer, Vault PKI flag) |
+| `lib/legion/crypt/mtls.rb` | mTLS certificate issuance from Vault PKI; `CertRotation` background renewal thread (50% TTL) |
+| `lib/legion/crypt/token_renewer.rb` | Plain Thread renewer: renews at 75% TTL, re-auths via Kerberos on failure, exponential backoff |
 | `lib/legion/crypt/version.rb` | VERSION constant |
 ## Role in LegionIO

data/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, Vault token lifecycle management, and multi-cluster Vault connectivity.
-**Version**: 1.4.7
+**Version**: 1.4.15
 ## Installation
@@ -190,12 +190,41 @@ client = Legion::Crypt.vault_client(:primary)
 When `clusters` is empty, the legacy single-cluster path is used (backward compatible).
+## Kerberos Authentication
+When `crypt.vault.auth_method` is set to `kerberos`, `Crypt.start` performs Kerberos auto-auth to Vault using `KerberosAuth`:
+```ruby
+# Settings
+{
+  "crypt": {
+    "vault": {
+      "auth_method": "kerberos",
+      "kerberos": {
+        "service_principal": "HTTP/vault.example.com@REALM",
+        "auth_path": "auth/kerberos/login"
+      }
+    }
+  }
+}
+```
+The SPNEGO token is sent as an HTTP `Authorization` header (not JSON body). The Vault namespace is cleared before auth (Kerberos mount is at root) and restored after. Requires Homebrew MIT Kerberos (`brew install krb5`) on macOS — the system Heimdal library is not compatible.
+`TokenRenewer` keeps the Vault token alive: renews at 75% TTL, re-auths via Kerberos if renewal fails, uses exponential backoff.
+## mTLS
+`Crypt::Mtls` issues mTLS certificates from Vault PKI. `Crypt::CertRotation` runs a background thread renewing certs at 50% TTL. `Transport::Connection::Vault` applies tempfile-based Bunny mTLS. Feature-flagged via `security.mtls.enabled: false`.
 ## Requirements
 - Ruby >= 3.4
+- `ed25519` (~> 1.3)
 - `jwt` gem (>= 2.7)
 - `vault` gem (>= 0.17, optional)
 - HashiCorp Vault (optional, for secrets management)
+- `gssapi` gem (optional, required for Kerberos auth)
 ## License

data/lib/legion/crypt/kerberos_auth.rb CHANGED Viewed

@@ -43,11 +43,8 @@ module Legion
         end
         def exchange_token(vault_client, spnego_token, auth_path)
-          # Kerberos auth is mounted at the root namespace. Temporarily
-          # clear the client namespace so the request reaches the correct
-          # mount path, then restore it for subsequent operations.
-          saved_ns = vault_client.namespace
-          vault_client.namespace = nil
+          # Kerberos auth is mounted inside the target namespace. Keep the
+          # client namespace so the token is scoped to it.
           # The Vault Kerberos plugin reads the SPNEGO token from the HTTP
           # Authorization header, not the JSON body.
@@ -59,8 +56,6 @@ module Legion
           response = ::Vault::Secret.decode(json)
           raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth
-          vault_client.namespace = saved_ns
           auth = response.auth
           {
             token:          auth.client_token,
@@ -70,7 +65,6 @@ module Legion
             metadata:       auth.metadata
           }
         rescue ::Vault::HTTPClientError => e
-          vault_client.namespace = saved_ns if saved_ns
           raise AuthError, "Vault Kerberos auth failed: #{e.message}"
         end
       end

data/lib/legion/crypt/lease_manager.rb CHANGED Viewed

@@ -17,7 +17,8 @@ module Legion
         @renewal_thread = nil
       end
-      def start(definitions)
+      def start(definitions, vault_client: nil)
+        @vault_client = vault_client
         return if definitions.nil? || definitions.empty?
         definitions.each do |name, opts|
@@ -25,7 +26,7 @@ module Legion
           next unless path
           begin
-            response = ::Vault.logical.read(path)
+            response = logical.read(path)
             next unless response
             @lease_cache[name] = response.data || {}
@@ -95,7 +96,7 @@ module Legion
           next if lease_id.nil? || lease_id.empty?
           begin
-            ::Vault.sys.revoke(lease_id)
+            sys.revoke(lease_id)
             log_debug("LeaseManager: revoked lease '#{name}' (#{lease_id})")
           rescue StandardError => e
             log_warn("LeaseManager: failed to revoke lease '#{name}' (#{lease_id}): #{e.message}")
@@ -105,6 +106,7 @@ module Legion
         @lease_cache.clear
         @active_leases.clear
         @refs.clear
+        @vault_client = nil
       end
       def reset!
@@ -112,10 +114,19 @@ module Legion
         @lease_cache.clear
         @active_leases.clear
         @refs.clear
+        @vault_client = nil
       end
       private
+      def logical
+        @vault_client ? @vault_client.logical : ::Vault.logical
+      end
+      def sys
+        @vault_client ? @vault_client.sys : ::Vault.sys
+      end
       def stop_renewal_thread
         @running = false
         if @renewal_thread&.alive?
@@ -145,7 +156,7 @@ module Legion
       end
       def renew_lease(name, lease)
-        response = ::Vault.sys.renew(lease[:lease_id])
+        response = sys.renew(lease[:lease_id])
         lease[:expires_at] = Time.now + (response.lease_duration || 0)
         if response.data && response.data != @lease_cache[name]

data/lib/legion/crypt/settings.rb CHANGED Viewed

@@ -52,6 +52,7 @@ module Legion
           kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
           leases:              {},
           default:             nil,
+          vault_namespace:     'legionio',
           kerberos:            {
             service_principal: nil,
             auth_path:         'auth/kerberos/login'

data/lib/legion/crypt/token_renewer.rb CHANGED Viewed

@@ -34,9 +34,7 @@ module Legion
       rescue ThreadError
         nil
       ensure
-        @thread&.join(5)
-        @thread = nil
-        log_debug('token renewal thread stopped')
+        stop_thread_and_revoke
       end
       def running?
@@ -127,6 +125,31 @@ module Legion
         end
       end
+      def stop_thread_and_revoke
+        return unless @thread
+        @thread.join(5)
+        thread_still_running = @thread.alive?
+        @thread = nil
+        if thread_still_running
+          log_warn('token renewal thread did not stop within timeout; skipping token revocation')
+        else
+          revoke_token
+          log_debug('token renewal thread stopped')
+        end
+      end
+      def revoke_token
+        return unless @vault_client&.token
+        return unless @config[:auth_method]&.to_s == 'kerberos'
+        @vault_client.auth_token.revoke_self
+        log_info('Vault token revoked')
+      rescue StandardError => e
+        log_warn("Vault token revoke failed: #{e.message}")
+      end
       def log_debug(message)
         Legion::Logging.debug("TokenRenewer[#{@cluster_name}]: #{message}") if defined?(Legion::Logging)
       end

data/lib/legion/crypt/vault_cluster.rb CHANGED Viewed

@@ -78,7 +78,14 @@ module Legion
           address: "#{config[:protocol]}://#{config[:address]}:#{config[:port]}",
           token:   config[:token]
         )
-        client.namespace = config[:namespace] if config[:namespace]
+        namespace =
+          if config.key?(:namespace)
+            config[:namespace]
+          elsif defined?(Legion::Settings)
+            crypt_settings = Legion::Settings[:crypt]
+            crypt_settings.respond_to?(:dig) ? crypt_settings.dig(:vault, :vault_namespace) : nil
+          end
+        client.namespace = namespace if namespace
         client
       end
@@ -111,6 +118,7 @@ module Legion
         config[:lease_duration] = result[:lease_duration]
         config[:renewable] = result[:renewable]
         config[:connected] = true
+        vault_client(name).token = result[:token]
         log_cluster_connected(name, config)
         true
       rescue Legion::Crypt::KerberosAuth::GemMissingError => e

data/lib/legion/crypt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Legion
   module Crypt
-    VERSION = '1.4.15'
+    VERSION = '1.4.16'
   end
 end

data/lib/legion/crypt.rb CHANGED Viewed

@@ -99,10 +99,25 @@ module Legion
       def start_lease_manager
         leases = settings.dig(:vault, :leases) || {}
         return if leases.empty?
-        return unless settings.dig(:vault, :connected)
+        return unless settings.dig(:vault, :connected) || connected_clusters.any?
+        client = nil
+        if settings.dig(:vault, :connected)
+          client = vault_client
+        elsif connected_clusters.any?
+          default_cluster = vault_settings[:default]
+          selected_cluster =
+            if default_cluster && connected_clusters.include?(default_cluster.to_sym)
+              default_cluster.to_sym
+            else
+              connected_clusters.keys.first
+            end
+          client = selected_cluster ? vault_client(selected_cluster) : nil
+        end
         lease_manager = Legion::Crypt::LeaseManager.instance
-        lease_manager.start(leases)
+        lease_manager.start(leases, vault_client: client)
         lease_manager.start_renewal_thread
         Legion::Logging.info "LeaseManager: #{leases.size} lease(s) initialized"
       rescue StandardError => e

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.15
+  version: 1.4.16
 platform: ruby
 authors:
 - Esity