legion-crypt 1.4.29 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f1f8d20fa675c493f158a7c62b4950eed82ce6109b810f40d8b928b810e7adce
-  data.tar.gz: f12368e4084c501dddefdae4760c079b3c9c161e7da6f80b79a4b51ddead1a49
+  metadata.gz: 5b7ffab5835f3a3ac600a9bfe87e1e015e362d07d5814c956c13cc7552d23775
+  data.tar.gz: 18179a5915360c9f22151ec6a08ac813e580c2c2fb36dffd95b6f42aa9a4c242
 SHA512:
-  metadata.gz: 7c2d68f6d5e1d20d28129054c578cad1ac4ce793e1c4f4d798a5ef6e90be6fe4d753cade29f654501e721a4fd40066798cf2ed255d6e2fdd9ff7888261cec0f5
-  data.tar.gz: aeca51c126756fc86e7b92dd08e0dcb5f02a60ba3b0167cd69510dc0dd6abe016180a19ac811546899605e0ac42feec747199f77c45dcc8076cae79cc75c4b4e
+  metadata.gz: cce5f0d26e384c890c7117f0e710a9ff0f27da5794e8c2c9f05b3bdd81cacf3a551ffaaa9f31a75fea68e512918370b6deb8870c30cd010ea2da622a87c04611
+  data.tar.gz: acac22b254e94ccfd8ead507e014c7a619b715f8aab8000454d2e428633096ea3b251e21ab51ba67b31c879d6b07733670eb4cff1bf657ec553892262f72d199

data/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Legion::Crypt
 
+## [1.5.0] - 2026-04-02
+
+### Fixed
+- Cluster-secret Vault synchronization now uses the documented `push_cluster_secret` setting, stores the new secret before pushing it, aligns Vault read/write path and field names, and invalidates cached derived key material on rotation
+- External JWT/JWKS verification now fails closed on missing issuer or audience expectations, keeps reserved claims library-controlled, requires HTTPS JWKS transport, and avoids repeated fresh-cache re-fetches for unknown `kid` values
+- Shared symmetric encryption now emits authenticated AES-256-GCM payloads for new ciphertexts while preserving decrypt compatibility with legacy AES-256-CBC payloads
+- RSA keypair helper encryption now uses explicit OAEP padding for new ciphertexts while preserving decrypt compatibility with legacy PKCS#1 v1.5 payloads
+- Multi-cluster Vault auth and helper routing now update live LDAP client tokens, keep per-cluster LDAP state local to the addressed cluster, sync the top-level Vault connected flag from cluster connectivity checks, allow explicit cluster-targeted helper calls, refresh lease metadata on renewal, and schedule short-lived token renewals before expiry
+- SPIFFE X.509 fetch now fails closed by default, uses an explicit `allow_x509_fallback` development switch for self-signed fallback SVIDs, tags returned SVIDs with their source, and sends a valid 9-byte HTTP/2 SETTINGS frame during Workload API connection setup
+- Ed25519 helper key persistence now uses the supported `Legion::Crypt` API with normalized KV paths, and tenant erasure verification no longer reports success when Vault access itself failed
+- Background worker lifecycle is now serialized and cooperative: repeated `Legion::Crypt.start` calls no longer spawn duplicate workers, renewal/rotation threads no longer use `Thread#kill`, and timed-out joins keep their live thread references instead of dropping them
+
+### Changed
+- Adopted `Legion::Logging::Helper` across `lib/` so library logs use structured component tagging instead of direct `Legion::Logging.*` calls
+- Expanded `info`/`debug`/`error` coverage across crypt, Vault, JWT, lease, mTLS, SPIFFE, and auth flows to make background actions and failures visible without exposing secrets
+- Replaced manual rescue logging with `handle_exception(...)` across library code paths and left Sinatra/API integration untouched for a later pass
+- Removed remaining `log_info`/`log_warn`/`log_debug` wrapper methods in `lib/` so helper-backed logging is used directly throughout the library
+
+### Added
+- Runtime dependency on `legion-logging`
+- Compatibility shim for `Legion::Logging::Helper` so `handle_exception` and shared `log` access are available consistently during the uplift
+
 ## [1.4.29] - 2026-03-31
 
 ### Changed

data/Gemfile

@@ -8,6 +8,7 @@ group :test do
   gem 'rspec'
   gem 'rspec_junit_formatter'
   gem 'rubocop'
+  gem 'rubocop-legion'
   gem 'simplecov'
 end
 gem 'legion-logging'

data/legion-crypt.gemspec

@@ -27,5 +27,6 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'ed25519', '~> 1.3'
   spec.add_dependency 'jwt', '>= 2.7'
+  spec.add_dependency 'legion-logging', '>= 1.5.0'
   spec.add_dependency 'vault', '>= 0.17'
 end

data/lib/legion/crypt/attestation.rb

@@ -1,10 +1,13 @@
 # frozen_string_literal: true
 
 require 'securerandom'
+require 'legion/logging/helper'
 
 module Legion
   module Crypt
     module Attestation
+      extend Legion::Logging::Helper
+
       class << self
         def create(agent_id:, capabilities:, state:, private_key:)
           claim = {
@@ -17,30 +20,37 @@ module Legion
 
           payload = Legion::JSON.dump(claim)
           signature = Legion::Crypt::Ed25519.sign(payload, private_key)
-          Legion::Logging.debug "Attestation created for agent #{agent_id}, state=#{state}" if defined?(Legion::Logging)
+          log.info "Attestation created for agent #{agent_id}, state=#{state}"
 
           { claim: claim, signature: signature.unpack1('H*'), payload: payload }
+        rescue StandardError => e
+          handle_exception(e, level: :error, operation: 'crypt.attestation.create', agent_id: agent_id, state: state)
+          raise
         end
 
         def verify(claim_hash:, signature_hex:, public_key:)
           payload = Legion::JSON.dump(claim_hash)
           signature = [signature_hex].pack('H*')
           result = Legion::Crypt::Ed25519.verify(payload, signature, public_key)
-          if defined?(Legion::Logging)
-            if result
-              Legion::Logging.debug "Attestation verified for agent #{claim_hash[:agent_id]}"
-            else
-              Legion::Logging.warn "Attestation verification failed for agent #{claim_hash[:agent_id]}"
-            end
+          agent_id = claim_hash[:agent_id] || claim_hash['agent_id']
+          if result
+            log.info "Attestation verified for agent #{agent_id}"
+          else
+            log.warn "Attestation verification failed for agent #{agent_id}"
           end
           result
+        rescue StandardError => e
+          handle_exception(e, level: :warn, operation: 'crypt.attestation.verify',
+                              agent_id: claim_hash[:agent_id] || claim_hash['agent_id'])
+          raise
         end
 
         def fresh?(claim_hash, max_age_seconds: 300)
           timestamp = Time.parse(claim_hash[:timestamp])
           Time.now.utc - timestamp < max_age_seconds
         rescue StandardError => e
-          Legion::Logging.warn("Legion::Crypt::Attestation#fresh? failed: #{e.message}") if defined?(Legion::Logging)
+          handle_exception(e, level: :warn, operation: 'crypt.attestation.fresh?',
+                              agent_id: claim_hash[:agent_id] || claim_hash['agent_id'])
           false
         end
       end

data/lib/legion/crypt/cert_rotation.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
+require 'legion/logging/helper'
+
 module Legion
   module Crypt
     class CertRotation
+      include Legion::Logging::Helper
+
       DEFAULT_CHECK_INTERVAL = 43_200 # 12 hours
 
       attr_reader :check_interval, :current_cert, :issued_at
@@ -13,6 +17,7 @@ module Legion
         @issued_at      = nil
         @running        = false
         @thread         = nil
+        @mutex          = Mutex.new
       end
 
       def start
@@ -21,17 +26,24 @@ module Legion
 
         @running = true
         @thread  = Thread.new { rotation_loop }
-        log_info('[mTLS] CertRotation started')
+        log.info('[mTLS] CertRotation started')
       end
 
       def stop
         @running = false
+        begin
+          @thread&.wakeup
+        rescue ThreadError => e
+          handle_exception(e, level: :debug, operation: 'crypt.cert_rotation.stop')
+          nil
+        end
+        @thread&.join(2)
         if @thread&.alive?
-          @thread.kill
-          @thread.join(2)
+          log.warn '[mTLS] CertRotation thread did not stop within timeout'
+        else
+          @thread = nil
         end
-        @thread = nil
-        log_debug('[mTLS] CertRotation stopped')
+        log.info('[mTLS] CertRotation stopped')
       end
 
       def running?
@@ -41,18 +53,26 @@ module Legion
       def rotate!
         node_name = node_common_name
         new_cert = Legion::Crypt::Mtls.issue_cert(common_name: node_name)
-        @current_cert = new_cert
-        @issued_at    = Time.now
-        log_info("[mTLS] Certificate rotated: serial=#{new_cert[:serial]} expiry=#{new_cert[:expiry]}")
+        @mutex.synchronize do
+          @current_cert = new_cert
+          @issued_at    = Time.now
+        end
+        log.info("[mTLS] Certificate rotated: serial=#{new_cert[:serial]} expiry=#{new_cert[:expiry]}")
         emit_rotated_event(new_cert)
         new_cert
       end
 
       def needs_renewal?
-        return false if @current_cert.nil? || @issued_at.nil?
+        current_cert = nil
+        issued_at = nil
+        @mutex.synchronize do
+          current_cert = @current_cert
+          issued_at = @issued_at
+        end
+        return false if current_cert.nil? || issued_at.nil?
 
-        expiry = @current_cert[:expiry]
-        total  = expiry - @issued_at
+        expiry = current_cert[:expiry]
+        total  = expiry - issued_at
         return true if total <= 0
 
         remaining = expiry - Time.now
@@ -65,27 +85,40 @@ module Legion
       def rotation_loop
         rotate!
       rescue StandardError => e
-        log_warn("[mTLS] Initial rotation failed: #{e.message}")
+        handle_exception(e, level: :error, operation: 'crypt.cert_rotation.rotation_loop')
+        log.error("[mTLS] Initial rotation failed: #{e.message}")
       ensure
         loop_check
       end
 
       def loop_check
         while @running
-          sleep(@check_interval)
+          interruptible_sleep(@check_interval)
           next unless @running && needs_renewal?
 
           begin
             rotate!
           rescue StandardError => e
-            log_warn("[mTLS] Rotation check failed: #{e.message}")
+            handle_exception(e, level: :error, operation: 'crypt.cert_rotation.loop_check')
+            log.error("[mTLS] Rotation check failed: #{e.message}")
           end
         end
       rescue StandardError => e
-        log_warn("[mTLS] CertRotation loop error: #{e.message}")
+        handle_exception(e, level: :error, operation: 'crypt.cert_rotation.loop_check')
+        log.error("[mTLS] CertRotation loop error: #{e.message}")
         retry if @running
       end
 
+      def interruptible_sleep(seconds)
+        deadline = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC) + seconds
+        loop do
+          remaining = deadline - ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
+          break if remaining <= 0 || !@running
+
+          sleep([remaining, 1.0].min)
+        end
+      end
+
       def renewal_window
         return 0.5 unless defined?(Legion::Settings)
 
@@ -94,7 +127,8 @@ module Legion
 
         mtls = security[:mtls] || security['mtls'] || {}
         mtls[:renewal_window] || mtls['renewal_window'] || 0.5
-      rescue StandardError
+      rescue StandardError => e
+        handle_exception(e, level: :debug, operation: 'crypt.cert_rotation.renewal_window')
         0.5
       end
 
@@ -103,7 +137,8 @@ module Legion
 
         name = Legion::Settings[:client]&.dig(:name) || Legion::Settings[:client]&.dig('name')
         name || 'legion.internal'
-      rescue StandardError
+      rescue StandardError => e
+        handle_exception(e, level: :debug, operation: 'crypt.cert_rotation.node_common_name')
         'legion.internal'
       end
 
@@ -112,31 +147,8 @@ module Legion
 
         Legion::Events.emit('cert.rotated', serial: cert[:serial], expiry: cert[:expiry])
       rescue StandardError => e
-        log_debug("[mTLS] Event emit failed: #{e.message}")
-      end
-
-      def log_info(msg)
-        if defined?(Legion::Logging)
-          Legion::Logging.info(msg)
-        else
-          $stdout.puts(msg)
-        end
-      end
-
-      def log_debug(msg)
-        if defined?(Legion::Logging)
-          Legion::Logging.debug(msg)
-        else
-          $stdout.puts("[DEBUG] #{msg}")
-        end
-      end
-
-      def log_warn(msg)
-        if defined?(Legion::Logging)
-          Legion::Logging.warn(msg)
-        else
-          warn("[WARN] #{msg}")
-        end
+        handle_exception(e, level: :warn, operation: 'crypt.cert_rotation.emit_rotated_event')
+        log.warn("[mTLS] Event emit failed: #{e.message}")
       end
     end
   end

data/lib/legion/crypt/cipher.rb

@@ -1,43 +1,78 @@
 # frozen_string_literal: true
 
 require 'securerandom'
+require 'legion/logging/helper'
 require 'legion/crypt/cluster_secret'
 
 module Legion
   module Crypt
     module Cipher
+      AUTHENTICATED_CIPHER = 'aes-256-gcm'
+      LEGACY_CIPHER = 'aes-256-cbc'
+      AUTHENTICATED_PREFIX = 'gcm'
+      RSA_OAEP_PREFIX = 'oaep'
+      RSA_OAEP_PADDING = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      RSA_LEGACY_PADDING = OpenSSL::PKey::RSA::PKCS1_PADDING
+
       include Legion::Crypt::ClusterSecret
+      include Legion::Logging::Helper
 
       def encrypt(message)
-        cipher = OpenSSL::Cipher.new('aes-256-cbc')
+        cipher = OpenSSL::Cipher.new(AUTHENTICATED_CIPHER)
         cipher.encrypt
         cipher.key = cs
         iv = cipher.random_iv
-        { enciphered_message: Base64.encode64(cipher.update(message) + cipher.final), iv: Base64.encode64(iv) }
+        ciphertext = cipher.update(message) + cipher.final
+        encoded_ciphertext = Base64.strict_encode64(ciphertext)
+        encoded_auth_tag = Base64.strict_encode64(cipher.auth_tag)
+        result = {
+          enciphered_message: "#{AUTHENTICATED_PREFIX}:#{encoded_ciphertext}:#{encoded_auth_tag}",
+          iv:                 Base64.strict_encode64(iv)
+        }
+        log.debug 'Cipher encrypt completed'
+        result
+      rescue StandardError => e
+        handle_exception(e, level: :error, operation: 'crypt.cipher.encrypt')
+        raise
       end
 
       def decrypt(message, init_vector)
-        until cs.is_a?(String) || Legion::Settings[:client][:shutting_down]
-          Legion::Logging.debug('sleeping Legion::Crypt.decrypt due to CS not being set')
-          sleep(0.5)
-        end
-
-        decipher = OpenSSL::Cipher.new('aes-256-cbc')
-        decipher.decrypt
-        decipher.key = cs
-        decipher.iv = Base64.decode64(init_vector)
-        message = Base64.decode64(message)
-        decipher.update(message) + decipher.final
+        secret = wait_for_cluster_secret
+        result = if authenticated_ciphertext?(message)
+                   decrypt_authenticated(message, init_vector, secret)
+                 else
+                   decrypt_legacy(message, init_vector, secret)
+                 end
+        log.debug 'Cipher decrypt completed'
+        result
+      rescue StandardError => e
+        handle_exception(e, level: :error, operation: 'crypt.cipher.decrypt')
+        raise
       end
 
       def encrypt_from_keypair(message:, pub_key: public_key)
         rsa_public_key = OpenSSL::PKey::RSA.new(pub_key)
 
-        Base64.encode64(rsa_public_key.public_encrypt(message))
+        encrypted_message = rsa_public_key.public_encrypt(message, RSA_OAEP_PADDING)
+        encoded_message = "#{RSA_OAEP_PREFIX}:#{Base64.strict_encode64(encrypted_message)}"
+        log.debug 'Cipher keypair encryption completed'
+        encoded_message
+      rescue StandardError => e
+        handle_exception(e, level: :error, operation: 'crypt.cipher.encrypt_from_keypair')
+        raise
       end
 
       def decrypt_from_keypair(message:, **_opts)
-        private_key.private_decrypt(Base64.decode64(message))
+        decrypted_message = if rsa_oaep_ciphertext?(message)
+                              decrypt_oaep_from_keypair(message)
+                            else
+                              decrypt_legacy_from_keypair(message)
+                            end
+        log.debug 'Cipher keypair decryption completed'
+        decrypted_message
+      rescue StandardError => e
+        handle_exception(e, level: :error, operation: 'crypt.cipher.decrypt_from_keypair')
+        raise
       end
 
       def public_key
@@ -46,10 +81,66 @@ module Legion
 
       def private_key
         @private_key ||= if Legion::Settings[:crypt][:read_private_key] && File.exist?('./legionio.key')
+                           log.info 'Cipher loading RSA private key from disk'
                            OpenSSL::PKey::RSA.new File.read './legionio.key'
                          else
+                           log.info 'Cipher generating RSA private key'
                            OpenSSL::PKey::RSA.new 2048
                          end
+      rescue StandardError => e
+        handle_exception(e, level: :error, operation: 'crypt.cipher.private_key')
+        raise
+      end
+
+      private
+
+      def wait_for_cluster_secret
+        loop do
+          secret = cs
+          return secret if secret.is_a?(String)
+          break if Legion::Settings[:client][:shutting_down]
+
+          log.debug('sleeping Legion::Crypt.decrypt due to CS not being set')
+          sleep(0.5)
+        end
+
+        cs
+      end
+
+      def authenticated_ciphertext?(message)
+        message.start_with?("#{AUTHENTICATED_PREFIX}:")
+      end
+
+      def decrypt_authenticated(message, init_vector, secret)
+        _, encoded_ciphertext, encoded_auth_tag = message.split(':', 3)
+
+        decipher = OpenSSL::Cipher.new(AUTHENTICATED_CIPHER)
+        decipher.decrypt
+        decipher.key = secret
+        decipher.iv = Base64.strict_decode64(init_vector)
+        decipher.auth_tag = Base64.strict_decode64(encoded_auth_tag)
+        decipher.update(Base64.strict_decode64(encoded_ciphertext)) + decipher.final
+      end
+
+      def decrypt_legacy(message, init_vector, secret)
+        decipher = OpenSSL::Cipher.new(LEGACY_CIPHER)
+        decipher.decrypt
+        decipher.key = secret
+        decipher.iv = Base64.decode64(init_vector)
+        decipher.update(Base64.decode64(message)) + decipher.final
+      end
+
+      def rsa_oaep_ciphertext?(message)
+        message.start_with?("#{RSA_OAEP_PREFIX}:")
+      end
+
+      def decrypt_oaep_from_keypair(message)
+        _, encoded_message = message.split(':', 2)
+        private_key.private_decrypt(Base64.strict_decode64(encoded_message), RSA_OAEP_PADDING)
+      end
+
+      def decrypt_legacy_from_keypair(message)
+        private_key.private_decrypt(Base64.decode64(message), RSA_LEGACY_PADDING)
       end
     end
   end

data/lib/legion/crypt/cluster_secret.rb

@@ -1,17 +1,20 @@
 # frozen_string_literal: true
 
 require 'securerandom'
+require 'legion/logging/helper'
 
 module Legion
   module Crypt
     module ClusterSecret
+      include Legion::Logging::Helper
+
       def find_cluster_secret
         %i[from_settings from_vault from_transport generate_secure_random].each do |method|
           result = send(method)
           next if result.nil?
 
           unless validate_hex(result)
-            Legion::Logging.warn("Legion::Crypt.#{method} gave a value but it isn't a valid hex")
+            log.warn("Legion::Crypt.#{method} gave a value but it isn't a valid hex")
             next
           end
 
@@ -22,18 +25,22 @@ module Legion
 
         key = generate_secure_random
         set_cluster_secret(key)
+        log.info 'Cluster secret generated locally because this node is the only member'
         key
       end
 
       def from_vault
-        return nil unless method_defined? :get
+        return nil unless Legion::Crypt.respond_to?(:get) && Legion::Crypt.respond_to?(:exist?)
         return nil unless Legion::Settings[:crypt][:vault][:read_cluster_secret]
         return nil unless Legion::Settings[:crypt][:vault][:connected]
-        return nil unless Legion::Crypt.exist?('crypt')
+        return nil unless Legion::Crypt.exist?(cluster_secret_vault_path)
+
+        data = Legion::Crypt.get(cluster_secret_vault_path)
+        return nil unless data.is_a?(Hash)
 
-        get('crypt')[:cluster_secret]
+        data[:cluster_secret] || data['cluster_secret']
       rescue StandardError => e
-        Legion::Logging.warn("Legion::Crypt::ClusterSecret#from_vault failed: #{e.message}") if defined?(Legion::Logging)
+        handle_exception(e, level: :warn, operation: 'crypt.cluster_secret.from_vault')
         nil
       end
 
@@ -46,8 +53,8 @@ module Legion
         return nil unless Legion::Settings[:transport][:connected]
 
         require 'legion/transport/messages/request_cluster_secret'
-        Legion::Logging.info 'Requesting cluster secret via public key'
-        Legion::Logging.warn 'cluster_secret already set but we are requesting a new value' unless from_settings.nil?
+        log.info 'Requesting cluster secret via public key'
+        log.warn 'cluster_secret already set but we are requesting a new value' unless from_settings.nil?
         start = Time.now
         Legion::Transport::Messages::RequestClusterSecret.new.publish
         sleep_time = 0.001
@@ -57,20 +64,14 @@ module Legion
         end
 
         unless from_settings.nil?
-          Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
+          log.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
           return from_settings
         end
 
-        Legion::Logging.error 'Cluster secret is still unknown!'
+        log.error 'Cluster secret is still unknown!'
         nil
       rescue StandardError => e
-        if defined?(Legion::Logging) && Legion::Logging.respond_to?(:log_exception)
-          Legion::Logging.log_exception(e, lex: 'crypt', component_type: :helper)
-        elsif defined?(Legion::Logging) && Legion::Logging.respond_to?(:error)
-          Legion::Logging.error "from_transport failed: #{e.class}=#{e.message}\n#{Array(e.backtrace).first(10).join("\n")}"
-        else
-          warn "from_transport failed: #{e.class}=#{e.message}\n#{Array(e.backtrace).first(10).join("\n")}"
-        end
+        handle_exception(e, level: :error, operation: 'crypt.cluster_secret.from_transport')
         nil
       end
 
@@ -79,32 +80,36 @@ module Legion
       end
 
       def settings_push_vault
-        Legion::Settings[:crypt][:vault].fetch(:push_cs_to_vault, false)
+        vault_settings = Legion::Settings[:crypt][:vault]
+        return vault_settings[:push_cluster_secret] unless vault_settings[:push_cluster_secret].nil?
+
+        vault_settings.fetch(:push_cs_to_vault, false)
       end
 
       def only_member?
         Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
       rescue StandardError => e
-        Legion::Logging.warn("Legion::Crypt::ClusterSecret#only_member? failed: #{e.message}") if defined?(Legion::Logging)
+        handle_exception(e, level: :warn, operation: 'crypt.cluster_secret.only_member?')
         nil
       end
 
       def set_cluster_secret(value, push_to_vault = true) # rubocop:disable Style/OptionalBooleanParameter
-        raise TypeError unless value.to_i(32).to_s(32).rjust(value.length, '0') == value.downcase
+        raise TypeError unless validate_hex(value)
 
+        Legion::Settings[:crypt][:cluster_secret] = value
+        @cs = nil
         Legion::Settings[:crypt][:cs_encrypt_ready] = true
         push_cs_to_vault if push_to_vault && settings_push_vault
-
-        Legion::Settings[:crypt][:cluster_secret] = value
+        log.info "Cluster secret loaded into settings push_to_vault=#{push_to_vault}"
       end
 
       def push_cs_to_vault
         return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
 
-        Legion::Logging.info 'Pushing Cluster Secret to Vault'
-        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
+        log.info 'Pushing Cluster Secret to Vault'
+        Legion::Crypt.write(cluster_secret_vault_path, cluster_secret: Legion::Settings[:crypt][:cluster_secret])
       rescue StandardError => e
-        Legion::Logging.warn("push_cs_to_vault failed: #{e.message}") if defined?(Legion::Logging)
+        handle_exception(e, level: :warn, operation: 'crypt.cluster_secret.push_cs_to_vault')
         false
       end
 
@@ -113,7 +118,7 @@ module Legion
       end
 
       def secret_length
-        Legion::Settings[:crypt][:cluster_lenth] || 32
+        Legion::Settings[:crypt][:cluster_length] || Legion::Settings[:crypt][:cluster_lenth] || 32
       end
 
       def generate_secure_random(length = secret_length)
@@ -123,26 +128,23 @@ module Legion
       def cs
         @cs ||= Digest::SHA256.digest(find_cluster_secret)
       rescue StandardError => e
-        if defined?(Legion::Logging) && Legion::Logging.respond_to?(:log_exception)
-          Legion::Logging.log_exception(e, lex: 'crypt', component_type: :helper)
-        elsif defined?(Legion::Logging) && Legion::Logging.respond_to?(:error)
-          backtrace = Array(e.backtrace).first(10).join("\n")
-          Legion::Logging.error "Legion::Crypt::ClusterSecret#cs failed: #{e.class}: #{e.message}\n#{backtrace}"
-        elsif defined?(Legion::Logging) && Legion::Logging.respond_to?(:warn)
-          backtrace = Array(e.backtrace).first(10).join("\n")
-          Legion::Logging.warn "Legion::Crypt::ClusterSecret#cs failed: #{e.class}: #{e.message}\n#{backtrace}"
-        else
-          backtrace = Array(e.backtrace).first(10).join("\n")
-          ::Kernel.warn "Legion::Crypt::ClusterSecret#cs failed: #{e.class}: #{e.message}\n#{backtrace}"
-        end
+        handle_exception(e, level: :error, operation: 'crypt.cluster_secret.cs')
         nil
       end
 
       def validate_hex(value, length = secret_length)
         return false unless value.is_a?(String)
         return false if value.empty?
+        return false unless value.match?(/\A\h+\z/)
+
+        expected_length = length.to_i * 2
+        return true if expected_length.zero?
+
+        value.length == expected_length
+      end
 
-        value.to_i(length).to_s(length).rjust(value.length, '0') == value.downcase
+      def cluster_secret_vault_path
+        'crypt'
       end
     end
   end