legion-crypt 1.5.7 → 1.5.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/lib/legion/crypt/jwks_client.rb +11 -1
- data/lib/legion/crypt/settings.rb +5 -1
- data/lib/legion/crypt/vault.rb +9 -1
- data/lib/legion/crypt/vault_cluster.rb +12 -3
- data/lib/legion/crypt/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b2c9243c14fe8bce1a6abb0de6a29681b08b8c8719ff592f2191581209131a38
|
|
4
|
+
data.tar.gz: 3880aee6fb5c3c82606317dd82c80f64f3f3a84c984c72fcd23402a263f262a6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1001efcac237f95827a8784886050e5047afca4830eec8cc962cf72e119c875694477c3dddad011c56dd643bdf42aab8eab8e4a027afda303ddf306c03eea7de
|
|
7
|
+
data.tar.gz: fcb5bf8a7527a65221bd917ee1574ce633609f60d00dd070135e4316f05b6c5f0b95ddf251544230e3cf7d0740aa9fa2ea1f4975c638b8e440e50fa282ff5d6c
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
## [Unreleased]
|
|
4
4
|
|
|
5
|
+
## [1.5.8] - 2026-04-09
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
- Configurable SSL verification for Vault connections via `crypt.vault.tls.verify` setting (`peer`/`none`/`mutual`, defaults to `peer`)
|
|
9
|
+
- Global Vault client (`vault.rb`) now sets `::Vault.ssl_verify` from `vault.tls.verify` setting
|
|
10
|
+
- Per-cluster Vault clients (`vault_cluster.rb`) now pass `ssl_verify:` to `::Vault::Client.new` from `config[:tls][:verify]`
|
|
11
|
+
- JWKS client (`jwks_client.rb`) now sets `Net::HTTP#verify_mode` from `crypt.jwt.jwks_tls_verify` setting (`peer`/`none`, defaults to `peer`)
|
|
12
|
+
- `jwks_tls_verify: 'peer'` default added to JWT settings
|
|
13
|
+
- `tls: { verify: 'peer' }` default added to Vault settings
|
|
14
|
+
|
|
5
15
|
## [1.5.7] - 2026-04-08
|
|
6
16
|
|
|
7
17
|
### Fixed
|
|
@@ -112,7 +112,8 @@ module Legion
|
|
|
112
112
|
raise Legion::Crypt::JWT::Error, 'failed to fetch JWKS: HTTPS is required' unless uri.scheme == 'https'
|
|
113
113
|
|
|
114
114
|
http = Net::HTTP.new(uri.host, uri.port)
|
|
115
|
-
http.use_ssl =
|
|
115
|
+
http.use_ssl = true
|
|
116
|
+
http.verify_mode = jwks_ssl_verify_mode
|
|
116
117
|
http.open_timeout = 10
|
|
117
118
|
http.read_timeout = 10
|
|
118
119
|
|
|
@@ -158,6 +159,15 @@ module Legion
|
|
|
158
159
|
keys
|
|
159
160
|
end
|
|
160
161
|
|
|
162
|
+
def jwks_ssl_verify_mode
|
|
163
|
+
return OpenSSL::SSL::VERIFY_PEER unless defined?(Legion::Settings)
|
|
164
|
+
|
|
165
|
+
verify = Legion::Settings[:crypt][:jwt][:jwks_tls_verify]&.to_s
|
|
166
|
+
verify == 'none' ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
|
|
167
|
+
rescue StandardError
|
|
168
|
+
OpenSSL::SSL::VERIFY_PEER
|
|
169
|
+
end
|
|
170
|
+
|
|
161
171
|
def with_url_lock(jwks_url, &)
|
|
162
172
|
lock = @locks_mutex.synchronize { @locks[jwks_url] ||= Mutex.new }
|
|
163
173
|
lock.synchronize(&)
|
|
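Review bot: Selecting `OpenSSL::SSL::VERIFY_NONE` in `jwks_ssl_verify_mode` is silent, yet the JWKS document fetched here is the trust root for every JWT signature check, so with `jwks_tls_verify: none` an on-path attacker can serve their own key set and mint tokens the service accepts — the `HTTPS is required` guard at the top of the first hunk no longer buys anything in that mode. The fail-closed `rescue StandardError` fallback to `VERIFY_PEER` is the right direction; the `none` path deserves the same visibility, e.g. before the ternary add `log.warn 'crypt.jwt.jwks_tls_verify=none: JWKS TLS certificate validation disabled' if verify == 'none'`, assuming this class has the `log` helper the Vault code uses (it is not visible in the hunk). A comment on the method stating that any value other than the literal string `'none'` — including typos — keeps peer verification would also help the next reader. The method closed by the `keys`/`end` lines at the top of the second hunk, and the fetch method holding the `Net::HTTP` setup in the first, both start outside the hunks.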
@@ -48,7 +48,8 @@ module Legion
|
|
|
48
48
|
default_ttl: 3600,
|
|
49
49
|
issuer: 'legion',
|
|
50
50
|
verify_expiration: true,
|
|
51
|
-
verify_issuer: true
|
|
51
|
+
verify_issuer: true,
|
|
52
|
+
jwks_tls_verify: 'peer'
|
|
52
53
|
}
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -72,6 +73,9 @@ module Legion
|
|
|
72
73
|
service_principal: nil,
|
|
73
74
|
auth_path: 'auth/kerberos/login'
|
|
74
75
|
},
|
|
76
|
+
tls: {
|
|
77
|
+
verify: 'peer'
|
|
78
|
+
},
|
|
75
79
|
clusters: {},
|
|
76
80
|
bootstrap_lease_ttl: 300,
|
|
77
81
|
dynamic_rmq_creds: false,
|
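Review bot: The two new defaults `jwks_tls_verify: 'peer'` and `tls: { verify: 'peer' }` carry no comment saying which values are honoured or what `'none'` gives up, and the changelog's mention of a `mutual` option for Vault is not reflected by any client-certificate setting in this hash. Suggested comments: above `jwks_tls_verify` add `# 'peer' (default) or 'none'; 'none' skips certificate and hostname checks on the JWKS endpoint, so fetched signing keys are no longer trustworthy — dev/test only`, and above `tls:` add `# verify: 'peer' (default) or 'none'; 'none' disables TLS verification of the Vault server`. If `mutual` is meant to be supported, the cert/key settings it needs belong here too; otherwise the changelog should not advertise it. The settings methods enclosing both hunks start and end outside the visible lines.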
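--- a/data/lib/legion/crypt/vault.rb
+++ b/data/lib/legion/crypt/vault.rb
@@ -19,8 +19,9 @@ module Legion
 @sessions = []
 vault_settings = Legion::Settings[:crypt][:vault]
 ::Vault.address = resolve_vault_address(vault_settings)
+::Vault.ssl_verify = resolve_ssl_verify(vault_settings[:tls])
 namespace = vault_settings[:vault_namespace]
-log.info "Vault connection requested address=#{::Vault.address} namespace=#{namespace || 'none'}"
+log.info "Vault connection requested address=#{::Vault.address} namespace=#{namespace || 'none'} ssl_verify=#{::Vault.ssl_verify}"
 
 Legion::Settings[:crypt][:vault][:token] = ENV['VAULT_DEV_ROOT_TOKEN_ID'] if ENV.key? 'VAULT_DEV_ROOT_TOKEN_ID'
 return nil if Legion::Settings[:crypt][:vault][:token].nil?
@@ -209,6 +210,13 @@ module Legion
 data[:data]
 end
 
+def resolve_ssl_verify(tls_config)
+return true if tls_config.nil?
+
+verify = tls_config[:verify]&.to_s
+verify != 'none'
+end
+
 def resolve_vault_address(vault_settings)
 protocol = vault_settings[:protocol] || 'http'
 address = vault_settings[:address] || 'localhost'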
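Review bot: `resolve_ssl_verify` returns `true` for any value other than the literal `'none'`, so the `mutual` mode the changelog advertises for `crypt.vault.tls.verify` collapses to ordinary server verification — no client certificate or key is handed to `::Vault` anywhere in this hunk — and an operator who configured `mutual` expecting mTLS gets neither mTLS nor an error. Likewise `none` is only visible as `ssl_verify=false` inside an info line, which is easy to miss for a setting that turns off authentication of the secrets backend. I would accept only the values the code actually implements, fail closed on anything else, and warn when verification is off; the `log` helper used on the connect line is available in this file, though raising here needs reconciling with whatever the connect path rescues, which is outside the hunk. Both hunks sit inside a module whose boundaries are outside the visible lines, and `resolve_vault_address` continues past the end of the second hunk.
```ruby
def resolve_ssl_verify(tls_config)
  return true if tls_config.nil?

  case tls_config[:verify]&.to_s
  when nil, '', 'peer'
    true
  when 'none'
    log.warn 'Vault TLS certificate verification disabled (crypt.vault.tls.verify=none)'
    false
  else
    # 'mutual' is not implemented until client cert/key settings are wired through to ::Vault
    raise ArgumentError, "unsupported crypt.vault.tls.verify value: #{tls_config[:verify].inspect}"
  end
end
```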
@@ -118,11 +118,13 @@ module Legion
|
|
|
118
118
|
return nil unless config.is_a?(Hash)
|
|
119
119
|
|
|
120
120
|
addr = "#{config[:protocol]}://#{config[:address]}:#{config[:port]}"
|
|
121
|
-
|
|
121
|
+
ssl_verify = resolve_cluster_ssl_verify(config[:tls])
|
|
122
|
+
log.info "Building Vault client address=#{addr} namespace=#{config[:namespace].inspect} ssl_verify=#{ssl_verify}"
|
|
122
123
|
log_vault_debug("build_vault_client: address=#{addr}")
|
|
123
124
|
client = ::Vault::Client.new(
|
|
124
|
-
address:
|
|
125
|
-
token:
|
|
125
|
+
address: addr,
|
|
126
|
+
token: config[:token],
|
|
127
|
+
ssl_verify: ssl_verify
|
|
126
128
|
)
|
|
127
129
|
namespace =
|
|
128
130
|
if config.key?(:namespace)
|
|
@@ -136,6 +138,13 @@ module Legion
|
|
|
136
138
|
client
|
|
137
139
|
end
|
|
138
140
|
|
|
141
|
+
def resolve_cluster_ssl_verify(tls_config)
|
|
142
|
+
return true if tls_config.nil?
|
|
143
|
+
|
|
144
|
+
verify = tls_config[:verify]&.to_s
|
|
145
|
+
verify != 'none'
|
|
146
|
+
end
|
|
147
|
+
|
|
139
148
|
def log_vault_error(name, error, operation: 'crypt.vault_cluster.error')
|
|
140
149
|
handle_exception(error, level: :error, operation: operation, cluster_name: name)
|
|
141
150
|
end
|
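Review bot: `resolve_cluster_ssl_verify` is a verbatim copy of `resolve_ssl_verify` in `vault.rb`, so the same gap is duplicated: any value other than `'none'` — including the `mutual` mode the changelog documents — yields `ssl_verify: true` with no client certificate passed to `::Vault::Client.new`, and `none` surfaces only as `ssl_verify=false` inside an info line. One shared helper that accepts only the implemented values and fails on the rest would keep the global client and the per-cluster clients from drifting apart; the hunk does not show where the two files' common code lives, so I cannot name the right home for it. At minimum, after `ssl_verify = resolve_cluster_ssl_verify(config[:tls])` add `log.warn "Vault cluster TLS verification disabled address=#{addr}" unless ssl_verify` so a disabled check shows up at warn level. The method the first hunk edits (logged as `build_vault_client`) and the method the `client`/`end` lines in the second hunk close both start outside the visible lines.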
data/lib/legion/crypt/version.rb
CHANGED