legion-crypt 1.4.4 → 1.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5999b5f3ac22f39690f9ee509cec95793e39619498615c6c92c28a509561d072
-  data.tar.gz: 942363ac4938f2f9f36436054d42be8202c16d81dfdfd9d5e66ed52763299fe4
+  metadata.gz: 2e448a5dd1e2c70e43cff0b6512e1b2af1d41f9a2af7b9719495ba5b10c90ec7
+  data.tar.gz: 6c270665c5a185baa844e5b7e80af9f2ac8922a520748e387a9d10363294061e
 SHA512:
-  metadata.gz: 2ef2a270e3cb979f98dc0e0796234841799e5a702836db38ee64aa2b16d9d467d57e850971a9260d430993cd710b1afc51562ba6efc1203d67e35ad85220a063
-  data.tar.gz: 58410cd7e95c2532f07969bc0a6150abc177249388db68080064311e9cb742633b30a45dbab5506731b30c29e520565ae53db6753d70fb5874322e8fbce4fbec
+  metadata.gz: bc43cab1939dee1cd1d6c28a07a2766953af52fc30230375d47e23e289f53beaf3a2be47d98c549bd9098c545d6dd540faa8a87143bb678429265a96b55d96cf
+  data.tar.gz: 1813d049d59f5bb81baeef8f10fb2e9f68d7540c8fb4858a75f2f40d881eb7b101a42ce4f89161a38ef14122da0e53e1cf0d2009716d7411ba16c0a77902504c

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Legion::Crypt
 
+## [1.4.5] - 2026-03-20
+
+### Changed
+- Refactored `Legion::Crypt::TLS` to standard `resolve` pattern: pure config normalizer with port auto-detect, vault URI resolution, legacy key migration, and three verification levels (none/peer/mutual)
+- Removed consumer-specific `bunny_options` and `sequel_options` methods (moved to consuming gems)
+
+### Added
+- `TLS.resolve(tls_config, port:)` — standard TLS config resolver
+- `TLS.migrate_legacy(config)` — backwards-compat mapping for transport's old TLS keys
+- `TLS::TLS_PORTS` — known TLS port auto-detection map (5671, 6380, 11207)
+- Default `tls:` settings block in `Legion::Crypt::Settings`
+
 ## [1.4.4] - 2026-03-18
 
 ### Added

data/CLAUDE.md

@@ -8,6 +8,7 @@
 Handles encryption, decryption, secrets management, JWT token management, and HashiCorp Vault connectivity for the LegionIO framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
 
 **GitHub**: https://github.com/LegionIO/legion-crypt
+**Version**: 1.4.4
 **License**: Apache-2.0
 
 ## Architecture

data/README.md

@@ -1,6 +1,8 @@
 # legion-crypt
 
-Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
+Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, Vault token lifecycle management, and multi-cluster Vault connectivity.
+
+**Version**: 1.4.4
 
 ## Installation
 
@@ -146,6 +148,48 @@ Both `username` and `password` come from a single Vault read — one lease, one
 
 Lease names are stable across environments. The actual Vault paths are deployment-specific config.
 
+## Multi-Cluster Vault
+
+`VaultCluster` supports connecting to multiple Vault clusters simultaneously. Each cluster has its own `::Vault::Client` instance.
+
+```json
+{
+  "crypt": {
+    "vault": {
+      "default": "primary",
+      "clusters": {
+        "primary": {
+          "protocol": "https",
+          "address": "vault.example.com",
+          "port": 8200,
+          "namespace": "my-namespace",
+          "auth_method": "ldap"
+        },
+        "secondary": {
+          "protocol": "https",
+          "address": "vault2.example.com",
+          "port": 8200,
+          "auth_method": "ldap"
+        }
+      }
+    }
+  }
+}
+```
+
+```ruby
+# Authenticate to all LDAP-configured clusters at once
+Legion::Crypt.ldap_login_all(username: 'user', password: 'pass')
+
+# Read from specific cluster
+Legion::Crypt.read('secret/data/mykey', cluster: :secondary)
+
+# Get a Vault client for a specific cluster
+client = Legion::Crypt.vault_client(:primary)
+```
+
+When `clusters` is empty, the legacy single-cluster path is used (backward compatible).
+
 ## Requirements
 
 - Ruby >= 3.4

data/lib/legion/crypt/settings.rb

@@ -3,10 +3,21 @@
 module Legion
   module Crypt
     module Settings
+      def self.tls
+        {
+          enabled: false,
+          verify:  'peer',
+          ca:      nil,
+          cert:    nil,
+          key:     nil
+        }
+      end
+
       def self.default
         {
           vault:            vault,
           jwt:              jwt,
+          tls:              tls,
           cs_encrypt_ready: false,
           dynamic_keys:     true,
           cluster_secret:   nil,

data/lib/legion/crypt/tls.rb

@@ -1,78 +1,92 @@
 # frozen_string_literal: true
 
-require 'openssl'
-
 module Legion
   module Crypt
     module TLS
-      DEFAULT_CERT_DIR = '/etc/legion/tls'
+      TLS_PORTS = {
+        5671   => 'amqp',
+        6380   => 'redis',
+        11_207 => 'memcached'
+      }.freeze
 
       class << self
-        def enabled?
-          settings_dig(:enabled) == true
-        end
+        def resolve(tls_config, port: nil)
+          config = symbolize_keys(migrate_legacy(tls_config || {}))
 
-        def ssl_context(role: :client) # rubocop:disable Lint/UnusedMethodArgument
-          ctx = OpenSSL::SSL::SSLContext.new
-          ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
-          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          enabled       = config[:enabled]
+          auto_detected = false
 
-          ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path && File.exist?(cert_path)
-          ctx.key = OpenSSL::PKey.read(File.read(key_path)) if key_path && File.exist?(key_path)
-          ctx.ca_file = ca_path if ca_path && File.exist?(ca_path)
+          if enabled.nil? && port && TLS_PORTS.key?(port.to_i)
+            enabled = true
+            auto_detected = true
+            log_warn("TLS auto-enabled for port #{port}")
+          end
 
-          ctx
-        end
+          enabled = false if enabled.nil?
 
-        def bunny_options
-          return {} unless enabled?
+          verify = normalize_verify(config[:verify])
+          ca     = resolve_uri(config[:ca])
+          cert   = resolve_uri(config[:cert])
+          key    = resolve_uri(config[:key])
+
+          if verify == :mutual && (cert.nil? || key.nil?)
+            log_warn('TLS mutual requested but cert or key missing, downgrading to peer')
+            verify = :peer
+          end
 
           {
-            tls:                 true,
-            tls_cert:            cert_path,
-            tls_key:             key_path,
-            tls_ca_certificates: [ca_path].compact,
-            verify_peer:         true
+            enabled:       enabled,
+            verify:        verify,
+            ca:            ca,
+            cert:          cert,
+            key:           key,
+            auto_detected: auto_detected
           }
         end
 
-        def sequel_options
-          return {} unless enabled?
+        def migrate_legacy(config)
+          config = symbolize_keys(config)
+          return config unless config.key?(:use_tls) && !config.key?(:enabled)
 
           {
-            sslmode:     'verify-full',
-            sslcert:     cert_path,
-            sslkey:      key_path,
-            sslrootcert: ca_path
+            enabled: config[:use_tls],
+            verify:  config[:verify_peer] ? 'peer' : 'none',
+            ca:      config[:ca_certs],
+            cert:    config[:tls_cert],
+            key:     config[:tls_key]
           }
         end
 
-        def cert_path
-          settings_dig(:cert_path) || File.join(DEFAULT_CERT_DIR, 'legion.crt')
-        end
+        private
 
-        def key_path
-          settings_dig(:key_path) || File.join(DEFAULT_CERT_DIR, 'legion.key')
+        def symbolize_keys(hash)
+          hash.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
         end
 
-        def ca_path
-          settings_dig(:ca_path) || File.join(DEFAULT_CERT_DIR, 'ca-bundle.crt')
+        def normalize_verify(value)
+          case value.to_s
+          when 'none'   then :none
+          when 'mutual' then :mutual
+          else :peer
+          end
         end
 
-        private
-
-        def settings_dig(*keys)
-          return nil unless defined?(Legion::Settings)
+        def resolve_uri(value)
+          return nil if value.nil?
 
-          result = Legion::Settings[:crypt]
-          [:tls, *keys].each do |key|
-            return nil unless result.is_a?(Hash)
+          if defined?(Legion::Settings::Resolver)
+            Legion::Settings::Resolver.resolve_value(value)
+          else
+            value
+          end
+        end
 
-            result = result[key]
+        def log_warn(msg)
+          if defined?(Legion::Logging)
+            Legion::Logging.warn(msg)
+          else
+            warn msg
           end
-          result
-        rescue StandardError
-          nil
         end
       end
     end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '1.4.4'
+    VERSION = '1.4.5'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.4.4
+  version: 1.4.5
 platform: ruby
 authors:
 - Esity