legion-crypt 1.4.2 → 1.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -1
- data/lib/legion/crypt/tls.rb +80 -0
- data/lib/legion/crypt/version.rb +1 -1
- metadata +2 -1
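--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 755c4278bc3e6f3ba845f5d46ba61b753a19b9a4fc0212f9da9827e6fefe3ac2
+data.tar.gz: '04585ab20ddb62568949ca90c33405b61bb477cd2750503944acadcf665925b9'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 53c5f43b6ab1ca2f0dad978a3cee6b1d3314b8aa57ffae077641d9882756f3a331b21258f3b45a9789639095facdff27baec911e6cbd066c7d2c2fc1058237bd
+data.tar.gz: f3b542c8ca98c768ddfae7763da33ddc3638fd46dbb174abf037cd0baca348fa6127c4ad1d3efa46c86a943b2cd3d2c6f2df5d8d179e0a64a5b94d5b3ec4f35c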
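--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,12 @@
 # Legion::Crypt
 
-## [
+## [1.4.3] - 2026-03-17
+
+### Added
+- `Crypt::TLS`: mTLS configuration for RabbitMQ (Bunny) and PostgreSQL (Sequel) connections
+- `TLS.ssl_context` builds OpenSSL::SSL::SSLContext with TLS 1.2+ and VERIFY_PEER
+- `TLS.bunny_options` and `TLS.sequel_options` generate adapter-specific TLS option hashes
+- Configurable cert/key/ca paths via settings with sensible defaults
 
 ## [1.4.2] - 2026-03-16
 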
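--- a/data/lib/legion/crypt/tls.rb
+++ b/data/lib/legion/crypt/tls.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Legion
+module Crypt
+module TLS
+DEFAULT_CERT_DIR = '/etc/legion/tls'
+
+class << self
+def enabled?
+settings_dig(:enabled) == true
+end
+
+def ssl_context(role: :client) # rubocop:disable Lint/UnusedMethodArgument
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
+ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path && File.exist?(cert_path)
+ctx.key = OpenSSL::PKey.read(File.read(key_path)) if key_path && File.exist?(key_path)
+ctx.ca_file = ca_path if ca_path && File.exist?(ca_path)
+
+ctx
+end
+
+def bunny_options
+return {} unless enabled?
+
+{
+tls: true,
+tls_cert: cert_path,
+tls_key: key_path,
+tls_ca_certificates: [ca_path].compact,
+verify_peer: true
+}
+end
+
+def sequel_options
+return {} unless enabled?
+
+{
+sslmode: 'verify-full',
+sslcert: cert_path,
+sslkey: key_path,
+sslrootcert: ca_path
+}
+end
+
+def cert_path
+settings_dig(:cert_path) || File.join(DEFAULT_CERT_DIR, 'legion.crt')
+end
+
+def key_path
+settings_dig(:key_path) || File.join(DEFAULT_CERT_DIR, 'legion.key')
+end
+
+def ca_path
+settings_dig(:ca_path) || File.join(DEFAULT_CERT_DIR, 'ca-bundle.crt')
+end
+
+private
+
+def settings_dig(*keys)
+return nil unless defined?(Legion::Settings)
+
+result = Legion::Settings[:crypt]
+[:tls, *keys].each do |key|
+return nil unless result.is_a?(Hash)
+
+result = result[key]
+end
+result
+rescue StandardError
+nil
+end
+end
+end
+end
+end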
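Review bot: `ssl_context` sets `verify_mode = VERIFY_PEER` but never enables hostname checking, so a certificate that chains to the configured CA but was issued to a different name is accepted unless every caller also sets `verify_hostname` and the socket's hostname; add `ctx.verify_hostname = true` directly under the `verify_mode` line. The `if cert_path && File.exist?(cert_path)` guards on the `ctx.cert` and `ctx.key` lines mean a missing client certificate or key silently produces a context with no client authentication instead of an error, which is hard to diagnose for a helper whose purpose is mTLS — raising (or at least logging) when `enabled?` is true and a configured file is absent would make that failure visible. Separately, `settings_dig` rescues `StandardError` and returns nil, so any exception during the settings lookup makes `enabled?` false and `bunny_options`/`sequel_options` return `{}`, i.e. the connection quietly falls back to non-TLS; narrowing the rescue or logging inside it would keep that path fail-closed. The `role:` keyword on `ssl_context` is accepted but unused, so either document what it is reserved for or drop it together with the rubocop disable.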
|
data/lib/legion/crypt/version.rb
CHANGED
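--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-version: 1.4.
+version: 1.4.3
 platform: ruby
 authors:
 - Esity
@@ -82,6 +82,7 @@ files:
 - lib/legion/crypt/mock_vault.rb
 - lib/legion/crypt/partition_keys.rb
 - lib/legion/crypt/settings.rb
+- lib/legion/crypt/tls.rb
 - lib/legion/crypt/vault.rb
 - lib/legion/crypt/vault_jwt_auth.rb
 - lib/legion/crypt/vault_renewer.rb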