RubyGems - legion-crypt - Versions diffs - 1.4.3 → 1.4.4 - Mend

legion-crypt 1.4.3 → 1.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/lib/legion/crypt/ldap_auth.rb +33 -0
data/lib/legion/crypt/settings.rb +3 -1
data/lib/legion/crypt/vault.rb +15 -2
data/lib/legion/crypt/vault_cluster.rb +76 -0
data/lib/legion/crypt/vault_kerberos_auth.rb +43 -0
data/lib/legion/crypt/version.rb +1 -1
data/lib/legion/crypt.rb +14 -1
metadata +4 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 755c4278bc3e6f3ba845f5d46ba61b753a19b9a4fc0212f9da9827e6fefe3ac2
-  data.tar.gz: '04585ab20ddb62568949ca90c33405b61bb477cd2750503944acadcf665925b9'
+  metadata.gz: 5999b5f3ac22f39690f9ee509cec95793e39619498615c6c92c28a509561d072
+  data.tar.gz: 942363ac4938f2f9f36436054d42be8202c16d81dfdfd9d5e66ed52763299fe4
 SHA512:
-  metadata.gz: 53c5f43b6ab1ca2f0dad978a3cee6b1d3314b8aa57ffae077641d9882756f3a331b21258f3b45a9789639095facdff27baec911e6cbd066c7d2c2fc1058237bd
-  data.tar.gz: f3b542c8ca98c768ddfae7763da33ddc3638fd46dbb174abf037cd0baca348fa6127c4ad1d3efa46c86a943b2cd3d2c6f2df5d8d179e0a64a5b94d5b3ec4f35c
+  metadata.gz: 2ef2a270e3cb979f98dc0e0796234841799e5a702836db38ee64aa2b16d9d467d57e850971a9260d430993cd710b1afc51562ba6efc1203d67e35ad85220a063
+  data.tar.gz: 58410cd7e95c2532f07969bc0a6150abc177249388db68080064311e9cb742633b30a45dbab5506731b30c29e520565ae53db6753d70fb5874322e8fbce4fbec

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 # Legion::Crypt
+## [1.4.4] - 2026-03-18
+### Added
+- Multi-cluster Vault support: named clusters with `default` pointer in `crypt.vault.clusters`
+- `VaultCluster` module: per-cluster `::Vault::Client` management, `connect_all_clusters`
+- `LdapAuth` module: LDAP authentication via Vault HTTP API (`auth/ldap/login/:username`)
+- `ldap_login_all` authenticates to all LDAP-configured clusters with single credentials
+- `VaultRenewer` now renews tokens for all connected clusters
+- Backward compatible: single-cluster config (`crypt.vault.address`) still works unchanged
 ## [1.4.3] - 2026-03-17
 ### Added

data/lib/legion/crypt/ldap_auth.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Legion
+  module Crypt
+    module LdapAuth
+      def ldap_login(cluster_name:, username:, password:)
+        cluster_name = cluster_name.to_sym
+        client = vault_client(cluster_name)
+        secret = client.logical.write("auth/ldap/login/#{username}", password: password)
+        auth = secret.auth
+        token = auth.client_token
+        clusters[cluster_name][:token] = token
+        clusters[cluster_name][:connected] = true
+        { token: token, lease_duration: auth.lease_duration,
+          renewable: auth.renewable, policies: auth.policies }
+      end
+      def ldap_login_all(username:, password:)
+        results = {}
+        clusters.each do |name, config|
+          next unless config[:auth_method] == 'ldap'
+          results[name] = ldap_login(cluster_name: name, username: username, password: password)
+        rescue StandardError => e
+          results[name] = { error: e.message }
+        end
+        results
+      end
+    end
+  end
+end

data/lib/legion/crypt/settings.rb CHANGED Viewed

@@ -39,7 +39,9 @@ module Legion
           push_cluster_secret: true,
           read_cluster_secret: true,
           kv_path:             ENV['LEGION_VAULT_KV_PATH'] || 'legion',
-          leases:              {}
+          leases:              {},
+          default:             nil,
+          clusters:            {}
         }
       end
     end

data/lib/legion/crypt/vault.rb CHANGED Viewed

@@ -83,8 +83,21 @@ module Legion
       end
       def renew_sessions(**_opts)
-        @sessions.each do |session|
-          renew_session(session: session)
+        if respond_to?(:connected_clusters) && connected_clusters.any?
+          renew_cluster_tokens
+        else
+          @sessions.each do |session|
+            renew_session(session: session)
+          end
+        end
+      end
+      def renew_cluster_tokens
+        connected_clusters.each_key do |name|
+          client = vault_client(name)
+          client.auth_token.renew_self
+        rescue StandardError => e
+          log_vault_error(name, e)
         end
       end

data/lib/legion/crypt/vault_cluster.rb ADDED Viewed

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+require 'vault'
+module Legion
+  module Crypt
+    module VaultCluster
+      def vault_client(name = nil)
+        name = resolve_cluster_name(name)
+        @vault_clients ||= {}
+        @vault_clients[name] ||= build_vault_client(clusters[name])
+      end
+      def cluster(name = nil)
+        name = resolve_cluster_name(name)
+        clusters[name]
+      end
+      def default_cluster_name
+        name = vault_settings[:default]
+        name ? name.to_sym : clusters.keys.first
+      end
+      def clusters
+        vault_settings[:clusters] || {}
+      end
+      def connected_clusters
+        clusters.select { |_, config| config[:token] && config[:connected] }
+      end
+      def connect_all_clusters
+        results = {}
+        clusters.each do |name, config|
+          next unless config[:token]
+          client = vault_client(name)
+          config[:connected] = client.sys.health_status.initialized?
+          results[name] = config[:connected]
+        rescue StandardError => e
+          config[:connected] = false
+          results[name] = false
+          log_vault_error(name, e)
+        end
+        results
+      end
+      private
+      def resolve_cluster_name(name)
+        return name.to_sym if name
+        default_cluster_name
+      end
+      def build_vault_client(config)
+        return nil unless config.is_a?(Hash)
+        client = ::Vault::Client.new(
+          address: "#{config[:protocol]}://#{config[:address]}:#{config[:port]}",
+          token:   config[:token]
+        )
+        client.namespace = config[:namespace] if config[:namespace]
+        client
+      end
+      def log_vault_error(name, error)
+        if defined?(Legion::Logging)
+          Legion::Logging.error("Vault cluster #{name}: #{error.message}")
+        else
+          warn("Vault cluster #{name}: #{error.message}")
+        end
+      end
+    end
+  end
+end

data/lib/legion/crypt/vault_kerberos_auth.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module Legion
+  module Crypt
+    module VaultKerberosAuth
+      DEFAULT_AUTH_PATH = 'auth/kerberos/login'
+      class AuthError < StandardError; end
+      def self.login(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
+        raise AuthError, 'Vault is not connected' unless vault_connected?
+        response = ::Vault.logical.write(auth_path, authorization: "Negotiate #{spnego_token}")
+        raise AuthError, 'Vault Kerberos auth returned no auth data' unless response&.auth
+        {
+          token:          response.auth.client_token,
+          lease_duration: response.auth.lease_duration,
+          renewable:      response.auth.renewable,
+          policies:       response.auth.policies,
+          metadata:       response.auth.metadata
+        }
+      rescue ::Vault::HTTPClientError => e
+        raise AuthError, "Vault Kerberos auth failed: #{e.message}"
+      end
+      def self.login!(spnego_token:, auth_path: DEFAULT_AUTH_PATH)
+        result = login(spnego_token: spnego_token, auth_path: auth_path)
+        ::Vault.token = result[:token]
+        result
+      end
+      def self.vault_connected?
+        defined?(::Vault) && defined?(Legion::Settings) &&
+          Legion::Settings[:crypt][:vault][:connected] == true
+      rescue StandardError
+        false
+      end
+      private_class_method :vault_connected?
+    end
+  end
+end

data/lib/legion/crypt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Legion
   module Crypt
-    VERSION = '1.4.3'
+    VERSION = '1.4.4'
   end
 end

data/lib/legion/crypt.rb CHANGED Viewed

@@ -8,9 +8,14 @@ require 'legion/crypt/cipher'
 require 'legion/crypt/jwt'
 require 'legion/crypt/vault_jwt_auth'
 require 'legion/crypt/lease_manager'
+require 'legion/crypt/vault_cluster'
+require 'legion/crypt/ldap_auth'
 module Legion
   module Crypt
+    extend Legion::Crypt::VaultCluster
+    extend Legion::Crypt::LdapAuth
     class << self
       attr_reader :sessions
@@ -21,11 +26,19 @@ module Legion
         include Legion::Crypt::Vault
       end
+      def vault_settings
+        Legion::Settings[:crypt][:vault]
+      end
       def start
         Legion::Logging.debug 'Legion::Crypt is running start'
         ::File.write('./legionio.key', private_key) if settings[:save_private_key]
-        connect_vault unless settings[:vault][:token].nil?
+        if vault_settings[:clusters]&.any?
+          connect_all_clusters
+        else
+          connect_vault unless settings[:vault][:token].nil?
+        end
         start_lease_manager
       end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.3
+  version: 1.4.4
 platform: ruby
 authors:
 - Esity
@@ -78,13 +78,16 @@ files:
 - lib/legion/crypt/erasure.rb
 - lib/legion/crypt/jwks_client.rb
 - lib/legion/crypt/jwt.rb
+- lib/legion/crypt/ldap_auth.rb
 - lib/legion/crypt/lease_manager.rb
 - lib/legion/crypt/mock_vault.rb
 - lib/legion/crypt/partition_keys.rb
 - lib/legion/crypt/settings.rb
 - lib/legion/crypt/tls.rb
 - lib/legion/crypt/vault.rb
+- lib/legion/crypt/vault_cluster.rb
 - lib/legion/crypt/vault_jwt_auth.rb
+- lib/legion/crypt/vault_kerberos_auth.rb
 - lib/legion/crypt/vault_renewer.rb
 - lib/legion/crypt/version.rb
 - sonar-project.properties