RubyGems - legion-crypt - Versions diffs - 1.5.4 → 1.5.5 - Mend

legion-crypt 1.5.4 → 1.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/lib/legion/crypt/lease_manager.rb +68 -2
data/lib/legion/crypt/settings.rb +3 -1
data/lib/legion/crypt/version.rb +1 -1
data/lib/legion/crypt.rb +110 -8
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63ba23115939920477655378eaff3adacb4f37dac754cffc7e888a9eebc8ab08
-  data.tar.gz: 88960246bf06ae1e228529958d9e431693a9fa8e8279234ae1498c130bf1490d
+  metadata.gz: 85275c53d61c6172fcabf74c69df85324c94d828372894e7d29e2c550501fc88
+  data.tar.gz: 61a939f7fb79750ca314840c2c16766e7d325eb956e2d9e3d6196174bde1f0ea
 SHA512:
-  metadata.gz: abf411468507856a834cc3e06df344eaecc5deebcb552a77d4cfd30ac1c091506f8b284eea79660d3dc109f2e622816c32871d4c4eda047a51ec3a9dbb689467
-  data.tar.gz: 557b616f75af3857df71a6530ea4a7e26680163fc2274e3a09ecfb2a12de628cc9bf64b90fb8e527c8ae43b1ac741a070b3f68d281591369ab460e2e348bd4e8
+  metadata.gz: 3d7d33ed75be9d7263b32e9cb3830bff352dddd68fff8a8f060c26a7856a1962a8be31fa2955cabb76b6c961a7891890fae22b94c001e718b91ecdb5a2df3286
+  data.tar.gz: c6df0c72440d9ac6cb134bbd1498d68f51a582431d974ee42a7084e9077170125047e0d55293623109c8c14562f34b86577482d100e2d82ad06125a09ade17d1

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,22 @@
 ## [Unreleased]
+## [1.5.5] - 2026-04-07
+### Added
+- `RMQ_ROLE_MAP` constant mapping `:agent`/`:infra` → `'legionio-infra'` and `:worker` → `'legionio-worker'` for Vault RabbitMQ role selection (Phase 5 credential scoping)
+- `dynamic_rmq_creds?` helper reads `Settings[:crypt][:vault][:dynamic_rmq_creds]` flag
+- `fetch_bootstrap_rmq_creds` — fetches short-lived bootstrap RabbitMQ credentials from `rabbitmq/creds/legionio-bootstrap` and writes them to `Settings[:transport][:connection]`; gated on `vault_connected? && dynamic_rmq_creds?`; stores `@bootstrap_lease_id` for later revocation; rescue-safe
+- `swap_to_identity_creds(mode:)` — fetches identity-scoped RabbitMQ credentials from the role matching `mode`, registers them with `LeaseManager` for renewal, updates transport settings, calls `Transport::Connection.force_reconnect`, and revokes the bootstrap lease; raises if reconnect fails (before revoking bootstrap)
+- `revoke_bootstrap_lease` — revokes `@bootstrap_lease_id` via `LeaseManager#vault_sys`; non-fatal on failure; idempotent
+- `LeaseManager#register_dynamic_lease` — registers a dynamically-fetched Vault lease into the cache and active lease tracking with mutex, stores `path` for `reissue_lease`, registers settings refs for rotation push-back
+- `LeaseManager#reissue_lease(name)` — performs a full re-read (`logical.read(path)`) at credential rotation time, updates cache + active_leases in mutex, calls `push_to_settings`, triggers `Transport::Connection.force_reconnect` for `:rabbitmq` leases
+- `LeaseManager#vault_logical` and `LeaseManager#vault_sys` — public delegators to the private `logical`/`sys` methods for use by `Crypt` bootstrap/swap operations
+- `dynamic_rmq_creds: false` and `dynamic_pg_creds: false` defaults added to vault settings
+### Changed
+- `start_lease_manager` now starts the renewal thread when `dynamic_rmq_creds: true` even if no static leases are configured, ensuring the renewal loop is running before identity-scoped leases are registered post-boot
 ## [1.5.4] - 2026-04-06
 ### Added

data/lib/legion/crypt/lease_manager.rb CHANGED Viewed

@@ -97,6 +97,67 @@ module Legion
         log.info("Lease '#{name}' rotated — updated #{refs.size} settings reference(s)")
       end
+      # Public Vault client accessors used by Crypt for bootstrap/swap operations.
+      # Delegates to the configured vault_client or falls back to ::Vault.
+      def vault_logical
+        logical
+      end
+      def vault_sys
+        sys
+      end
+      def register_dynamic_lease(name:, path:, response:, settings_refs:)
+        register_at_exit_hook
+        @state_mutex.synchronize do
+          @lease_cache[name] = response.data || {}
+          @active_leases[name] = {
+            lease_id:       response.lease_id,
+            lease_duration: response.lease_duration,
+            expires_at:     Time.now + (response.lease_duration || 0),
+            fetched_at:     Time.now,
+            renewable:      response.renewable?,
+            path:           path
+          }
+        end
+        settings_refs.each do |ref|
+          register_ref(name, ref[:key], ref[:path])
+        end
+        log.info("LeaseManager: registered dynamic lease '#{name}' (path: #{path})")
+      end
+      def reissue_lease(name)
+        lease = @state_mutex.synchronize { @active_leases[name]&.dup }
+        return unless lease && lease[:path]
+        response = logical.read(lease[:path])
+        return unless response&.data
+        @state_mutex.synchronize do
+          active_lease = @active_leases[name]
+          next unless active_lease
+          @lease_cache[name] = response.data
+          active_lease.merge!(
+            lease_id:       response.lease_id,
+            lease_duration: response.lease_duration,
+            expires_at:     Time.now + (response.lease_duration || 0),
+            fetched_at:     Time.now,
+            renewable:      response.renewable?
+          )
+        end
+        push_to_settings(name)
+        return unless name == :rabbitmq && defined?(Legion::Transport::Connection)
+        Legion::Transport::Connection.force_reconnect
+        log.info("LeaseManager: reissued lease '#{name}' and triggered transport reconnect")
+      rescue StandardError => e
+        handle_exception(e, level: :warn, operation: 'crypt.lease_manager.reissue_lease', lease_name: name)
+        log.warn("LeaseManager: failed to reissue lease '#{name}': #{e.message}")
+      end
       def start_renewal_thread
         @state_mutex.synchronize do
           return if @renewal_thread&.alive?
@@ -240,10 +301,14 @@ module Legion
         leases.each do |name|
           lease = @state_mutex.synchronize { @active_leases[name]&.dup }
           next unless lease
-          next unless lease[:renewable]
           next unless approaching_expiry?(lease)
-          renew_lease(name, lease)
+          if lease[:renewable]
+            renew_lease(name, lease)
+          elsif lease[:path]
+            log.info("LeaseManager: lease '#{name}' is non-renewable and approaching expiry — re-issuing")
+            reissue_lease(name)
+          end
         end
       end
@@ -267,6 +332,7 @@ module Legion
       rescue StandardError => e
         handle_exception(e, level: :warn, operation: 'crypt.lease_manager.renew_lease', lease_name: name)
         log.warn("LeaseManager: failed to renew lease '#{name}': #{e.message}")
+        reissue_lease(name) if lease[:path]
       end
       def lease_valid?(name)

data/lib/legion/crypt/settings.rb CHANGED Viewed

@@ -73,7 +73,9 @@ module Legion
             auth_path:         'auth/kerberos/login'
           },
           clusters:            {},
-          bootstrap_lease_ttl: 300
+          bootstrap_lease_ttl: 300,
+          dynamic_rmq_creds:   false,
+          dynamic_pg_creds:    false
         }
       end
     end

data/lib/legion/crypt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Legion
   module Crypt
-    VERSION = '1.5.4'
+    VERSION = '1.5.5'
   end
 end

data/lib/legion/crypt.rb CHANGED Viewed

@@ -25,6 +25,12 @@ module Legion
     extend Legion::Crypt::VaultCluster
     extend Legion::Crypt::LdapAuth
+    RMQ_ROLE_MAP = {
+      agent:  'legionio-infra',
+      worker: 'legionio-worker',
+      infra:  'legionio-infra'
+    }.freeze
     class << self
       attr_reader :sessions
@@ -97,6 +103,96 @@ module Legion
         settings[:jwt] || Legion::Crypt::Settings.jwt
       end
+      def dynamic_rmq_creds?
+        Legion::Settings.dig(:crypt, :vault, :dynamic_rmq_creds) == true
+      end
+      def fetch_bootstrap_rmq_creds
+        return unless vault_connected? && dynamic_rmq_creds?
+        Legion::Settings.merge_settings('transport', Legion::Transport::Settings.default) if defined?(Legion::Transport::Settings)
+        response = LeaseManager.instance.vault_logical.read('rabbitmq/creds/legionio-bootstrap')
+        return unless response&.data
+        bootstrap_lease_ttl = Legion::Settings.dig(:crypt, :vault, :bootstrap_lease_ttl).to_i
+        bootstrap_lease_ttl = 300 if bootstrap_lease_ttl <= 0
+        @bootstrap_lease_id = response.lease_id
+        @bootstrap_lease_expires = Time.now + [response.lease_duration, bootstrap_lease_ttl].min
+        settings = Legion::Settings.loader.settings
+        settings[:transport] ||= {}
+        settings[:transport][:connection] ||= {}
+        conn = settings[:transport][:connection]
+        username = response.data[:username] || response.data['username']
+        password = response.data[:password] || response.data['password']
+        unless username && password
+          log.warn 'Bootstrap RMQ credential fetch returned nil username or password — skipping settings update'
+          return
+        end
+        conn[:user]     = username
+        conn[:password] = password
+        log.info "Bootstrap RMQ credentials acquired (lease: #{@bootstrap_lease_id[0..7]}...)"
+      rescue StandardError => e
+        log.warn "Bootstrap RMQ credential fetch failed: #{e.message}"
+      end
+      def swap_to_identity_creds(mode:)
+        return unless vault_connected? && dynamic_rmq_creds?
+        return if mode == :lite
+        role = RMQ_ROLE_MAP.fetch(mode, "legionio-#{mode}")
+        response = LeaseManager.instance.vault_logical.read("rabbitmq/creds/#{role}")
+        raise "Failed to fetch identity-scoped RMQ creds for role #{role}" unless response&.data
+        LeaseManager.instance.register_dynamic_lease(
+          name:          :rabbitmq,
+          path:          "rabbitmq/creds/#{role}",
+          response:      response,
+          settings_refs: [
+            { path: %i[transport connection user],     key: :username },
+            { path: %i[transport connection password], key: :password }
+          ]
+        )
+        settings = Legion::Settings.loader.settings
+        settings[:transport] ||= {}
+        settings[:transport][:connection] ||= {}
+        conn = settings[:transport][:connection]
+        username = response.data[:username] || response.data['username']
+        password = response.data[:password] || response.data['password']
+        raise "Identity-scoped RMQ creds for role #{role} missing username or password" unless username && password
+        conn[:user]     = username
+        conn[:password] = password
+        if defined?(Legion::Transport::Connection)
+          Legion::Transport::Connection.force_reconnect
+          raise 'Transport reconnect failed after credential swap — bootstrap lease NOT revoked' unless Legion::Transport::Connection.session_open?
+          log.info "Transport reconnected with identity-scoped creds (role: #{role})"
+        end
+        revoke_bootstrap_lease
+      end
+      def revoke_bootstrap_lease
+        return unless @bootstrap_lease_id
+        LeaseManager.instance.vault_sys.revoke(@bootstrap_lease_id)
+        log.info "Bootstrap RMQ lease revoked (#{@bootstrap_lease_id[0..7]}...)"
+        @bootstrap_lease_id      = nil
+        @bootstrap_lease_expires = nil
+      rescue StandardError => e
+        log.warn "Bootstrap lease revocation failed: #{e.message} — lease will expire naturally"
+        @bootstrap_lease_id      = nil
+        @bootstrap_lease_expires = nil
+      end
       def vault_connected?
         return true if settings.dig(:vault, :connected) == true
         return true if respond_to?(:connected_clusters) && connected_clusters.any?
@@ -156,8 +252,10 @@ module Legion
       def start_lease_manager
         leases = settings.dig(:vault, :leases) || {}
-        return if leases.empty?
-        return unless connected_clusters.any? || settings.dig(:vault, :connected)
+        vault_ok = connected_clusters.any? || settings.dig(:vault, :connected)
+        return if leases.empty? && !dynamic_rmq_creds?
+        return unless vault_ok
         client = nil
@@ -167,15 +265,19 @@ module Legion
         elsif settings.dig(:vault, :connected)
           client = vault_client
         end
         lease_manager = Legion::Crypt::LeaseManager.instance
         lease_manager.start(leases, vault_client: client)
         lease_manager.start_renewal_thread
-        fetched = lease_manager.fetched_count
-        defined = leases.size
-        if fetched == defined
-          log.info "LeaseManager: #{fetched} lease(s) initialized"
-        else
-          log.warn "LeaseManager: #{fetched}/#{defined} lease(s) initialized (#{defined - fetched} failed)"
+        unless leases.empty?
+          fetched = lease_manager.fetched_count
+          defined = leases.size
+          if fetched == defined
+            log.info "LeaseManager: #{fetched} lease(s) initialized"
+          else
+            log.warn "LeaseManager: #{fetched}/#{defined} lease(s) initialized (#{defined - fetched} failed)"
+          end
         end
       rescue StandardError => e
         handle_exception(e, level: :warn, operation: 'crypt.start_lease_manager')

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 1.5.4
+  version: 1.5.5
 platform: ruby
 authors:
 - Esity