Dev v1 5 0 #1
Closed
Esity wants to merge 89 commits into
- add vault config tests (env vars, defaults, all keys) - 33 -> 52 specs

- add Legion::Crypt::JWT module with issue/verify/decode operations
- support HS256 (cluster secret) and RS256 (RSA keypair) algorithms
- add convenience methods on Legion::Crypt (issue_token, verify_token)
- add jwt settings block with configurable defaults
- add jwt gem dependency (>= 2.7)
- 88 specs passing, rubocop clean
Add VaultJwtAuth module for Vault JWT auth backend login and worker login helpers. Update cluster_secret for improved key handling. Expose JWT helpers through main Legion::Crypt entry point.
runs after ci passes on push to main. calls reusable release workflow for version detection, github release, and rubygems publish.
resolves non-deterministic ordering dependency in cluster_secret_spec. adds comprehensive specs for vault_jwt_auth module.
add JwksClient module for fetching and caching JWKS public keys, JWT.verify_with_jwks for RS256 token verification with issuer/audience validation, and Crypt.verify_external_token convenience method. bump to v1.4.0.
Legion::Crypt::MockVault provides thread-safe in-memory key-value store that eliminates the Vault dependency for local development. Supports read, write, delete, list, and connected? interface.
- Ed25519: key generation, signing, verification, Vault key storage
- PartitionKeys: HKDF per-tenant key derivation with AES-256-GCM
- Erasure: cryptographic erasure via Vault master key deletion
- Attestation: signed identity claims with freshness checking
- Add ed25519 gem dependency (~> 1.3)
- Bump to 1.4.2

- TokenRenewer#stop: check thread.alive? after join(5), skip revocation if thread is still running to prevent racy token revocation; extract logic to stop_thread_and_revoke private helper
- Crypt#start_lease_manager: use vault_settings[:default] (not :default_cluster) to match VaultCluster#default_cluster_name key
- LeaseManager#start: assign @vault_client before early return guard; clear @vault_client in shutdown and reset! to prevent stale clients
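As an added illustration of the PartitionKeys idea above (HKDF-derived per-tenant keys wrapping AES-256-GCM), and not code from Legion::Crypt itself, the following uses only Ruby's stdlib OpenSSL. The module and method names (PartitionKeysExample, derive_key, seal, unseal) and the HKDF info-string layout are assumptions for the example; the real gem's API may differ. It shows why per-tenant derivation isolates tenants (a ciphertext sealed under tenant A's key fails authentication under tenant B's key) and why deleting the master key is a cryptographic erasure (no derived key can be recomputed without it).

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Legion::Crypt's own code. Demonstrates HKDF per-tenant
# key derivation from a master key plus AES-256-GCM sealing/unsealing.
module PartitionKeysExample
  KEY_BYTES = 32 # AES-256
  HKDF_HASH = 'SHA256'

  # Derive a tenant-specific key. The tenant id and purpose are bound into the
  # HKDF "info" string, so each (tenant, purpose) pair yields an independent key
  # and the derivation is deterministic for a given master key.
  def self.derive_key(master_key, tenant_id, purpose: 'partition-data', salt: '')
    raise ArgumentError, 'master key must be at least 32 bytes' if master_key.bytesize < KEY_BYTES

    OpenSSL::KDF.hkdf(master_key,
                      salt: salt,
                      info: "legion:#{purpose}:#{tenant_id}", # hypothetical layout
                      length: KEY_BYTES,
                      hash: HKDF_HASH)
  end

  # Encrypt with AES-256-GCM; a fresh random 96-bit IV per call and the tag
  # are returned alongside the ciphertext. aad (e.g. the tenant id) is
  # authenticated but not encrypted.
  def self.seal(key, plaintext, aad: '')
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext) + cipher.final
    { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
  end

  # Decrypt and verify the GCM tag. Returns nil on any authentication failure
  # (wrong key, wrong aad, tampered ciphertext/tag) rather than raising, so a
  # caller cannot accidentally use unauthenticated output.
  def self.unseal(key, sealed, aad: '')
    decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    decipher.key = key
    decipher.iv = sealed[:iv]
    decipher.auth_tag = sealed[:tag]
    decipher.auth_data = aad
    decipher.update(sealed[:ciphertext]) + decipher.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  master = SecureRandom.random_bytes(32) # constructed sample master key
  key_a = PartitionKeysExample.derive_key(master, 'tenant-a')
  key_b = PartitionKeysExample.derive_key(master, 'tenant-b')
  sealed = PartitionKeysExample.seal(key_a, 'tenant-a record', aad: 'tenant-a')
  puts PartitionKeysExample.unseal(key_a, sealed, aad: 'tenant-a')        # tenant-a record
  p PartitionKeysExample.unseal(key_b, sealed, aad: 'tenant-a')           # nil: wrong tenant key
  master = nil # cryptographic erasure: without the master key no tenant key can be re-derived
end
```

Design note: the tenant id appears both in the HKDF info string and as GCM associated data, so a ciphertext cannot be replayed under another tenant even if an operator mixes up stored blobs; the tag check fails in either case.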
add vault namespace-aware kerberos auth, lease manager cluster routing, token revocation
* store kerberos principal after auth for identity resolution
* bump to 1.4.17, update changelog
* apply copilot review suggestions (#3)
  - clear @kerberos_principal at the start of login to prevent stale state after a failed re-auth
  - add Legion::Crypt.kerberos_principal delegation spec
  - add stale-principal-clearing spec in kerberos_auth_spec

* fix vault cluster auth pipeline bugs
  - use renewable? instead of renewable across LeaseManager, VaultJwtAuth, LdapAuth, and VaultKerberosAuth to match Vault gem API
  - handle string/symbol key mismatch in LeaseManager#fetch between resolver (strings from regex) and cache (symbols from settings)
  - set top-level vault.connected flag after cluster auth so the settings resolver recognizes Vault as available
  - guard @sessions with lazy init in Vault#add_session to prevent nil error when using cluster-based auth path (Kerberos/LDAP)
* apply copilot review suggestions (#4)
Vault logical.read returns a nested {data: {keys}, metadata: {}} envelope
for KV v2 mounts. The read method now auto-detects and unwraps this pattern
so the resolver can extract secret keys correctly. Added debug logging
throughout vault auth, read, cluster connection, kerberos auth, and lease
manager code paths to aid future troubleshooting.
- expand cs rescue to full 3-branch guard matching from_transport
- add truncated backtrace to from_transport and cs fallback branches
- add specs for connect_vault rescue logging (false return + log branches)
- add specs for from_transport and cs rescue paths (nil return + log branches)
replace split error logging with log_exception
fix vault health check to accept standby nodes (429, 472, 473)
…loses #1) When multi-cluster is configured, kv_client and logical_client already returned vault_client.kv/logical instead of the global ::Vault singleton. Add 20 specs covering both routing paths across get, write, exist?, delete, and read — verifying the cluster client is used when clusters are connected and the global singleton is used when they are not. Also ships SPIFFE/SVID support (WorkloadApiClient, SvidRotation, IdentityHelpers) behind spiffe.enabled: false feature flag, and corrects pre-existing rubocop offenses across spiffe files.
- WorkloadApiClient: Unix-domain socket Workload API client for fetching X.509 and JWT SVIDs from a local SPIRE agent; falls back to self-signed certificate when SPIRE is unavailable so callers never receive nil
- SvidRotation: background thread mirroring CertRotation pattern; checks every 60s and rotates when remaining TTL fraction falls below renewal_window (default 50%)
- IdentityHelpers: sign_with_svid, verify_svid_signature, extract_spiffe_id_from_cert, trusted_cert?, svid_identity; all operate on X509Svid/JwtSvid structs via stdlib OpenSSL, no new gems
- Spiffe module: parse_id, valid_id?, enabled?, socket_path, trust_domain, workload_id accessors; SpiffeId/X509Svid/JwtSvid structs; full error hierarchy (InvalidSpiffeIdError, WorkloadApiError, SvidError)
- Wired into Legion::Crypt.start/shutdown behind security.spiffe.enabled: false feature flag; delegation methods: spiffe_svid, fetch_svid, fetch_jwt_svid on Legion::Crypt
- Fix decode_varint return value (was returning start_pos instead of bytes_consumed, breaking protobuf field extraction)
- Fix self_signed_fallback subject CN (plain string, not spiffe:// URI, to satisfy OpenSSL::X509::Name.parse on Ruby 3.4)
- 82 new specs, 478 total, 0 failures
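To make the two SPIFFE pieces described above concrete, here is an added, stand-alone Ruby example (not the gem's own Spiffe module) of a strict spiffe:// ID parser and the rotation decision SvidRotation is described as making. The module name SpiffeExample, the method rotate?, and the exact validation rules applied (lowercase trust domain, non-empty path segments, no `.`/`..` segments) are assumptions for the example, based on the SPIFFE ID format rather than on Legion's code; the renewal_window default of 0.5 mirrors the 50% figure in the commit message.

```ruby
require 'time'

# Added example, not Legion::Crypt's Spiffe module.
module SpiffeExample
  class InvalidSpiffeIdError < StandardError; end

  # Parsed identity: trust_domain ("example.org") and path ("/ns/default/sa/web").
  SpiffeId = Struct.new(:trust_domain, :path) do
    def to_s
      "spiffe://#{trust_domain}#{path}"
    end

    # Alias used for the "workload_id" notion: the path identifies the workload.
    def workload_id
      path
    end
  end

  TRUST_DOMAIN_RE = /\A[a-z0-9._-]+\z/      # lowercase only; no port, no userinfo
  PATH_SEGMENT_RE = /\A[A-Za-z0-9._-]+\z/   # no percent-encoding, no other punctuation

  # Strict parse: rejects anything that is not "spiffe://<trust-domain>[/<path>]".
  # Raises InvalidSpiffeIdError so callers cannot silently accept a malformed id.
  def self.parse_id(value)
    m = %r{\Aspiffe://([^/]+)(/.*)?\z}.match(value.to_s)
    raise InvalidSpiffeIdError, "not a spiffe:// URI: #{value.inspect}" unless m

    trust_domain = m[1]
    path = m[2].to_s
    unless trust_domain.match?(TRUST_DOMAIN_RE)
      raise InvalidSpiffeIdError, "invalid trust domain: #{trust_domain.inspect}"
    end

    # "/a/b".split('/', -1) => ["", "a", "b"]; drop the leading empty element.
    path.split('/', -1).drop(1).each do |segment|
      if segment.empty? || segment == '.' || segment == '..' || !segment.match?(PATH_SEGMENT_RE)
        raise InvalidSpiffeIdError, "invalid path segment: #{segment.inspect} in #{value.inspect}"
      end
    end

    SpiffeId.new(trust_domain, path)
  end

  def self.valid_id?(value)
    parse_id(value)
    true
  rescue InvalidSpiffeIdError
    false
  end

  # Rotation decision for an SVID valid from not_before to not_after:
  # rotate once the remaining fraction of the lifetime drops below
  # renewal_window (default 50%). An already-expired or zero-length
  # lifetime always rotates.
  def self.rotate?(not_before, not_after, now: Time.now, renewal_window: 0.5)
    lifetime = not_after - not_before
    return true if lifetime <= 0

    remaining_fraction = (not_after - now) / lifetime
    remaining_fraction < renewal_window
  end
end

if $PROGRAM_NAME == __FILE__
  id = SpiffeExample.parse_id('spiffe://example.org/ns/default/sa/web') # constructed sample id
  puts "#{id.trust_domain} -> #{id.workload_id}"
  p SpiffeExample.valid_id?('spiffe://Example.org/bad')                 # false: uppercase trust domain
  p SpiffeExample.rotate?(Time.at(0), Time.at(3600), now: Time.at(2000))  # true: 44% remaining
end
```

Usage note: the parser is deliberately stricter than a generic URI parse, since a SPIFFE ID is an authorization principal; accepting mixed case or empty segments would let two different strings name what policy treats as one workload.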
connect_vault now sets ::Vault.namespace from the vault_namespace setting, fixing 403 errors for non-cluster connections. Extracted resolve_vault_address and log_vault_connection_error helpers.
Helper#vault_write now uses **data to properly forward keyword args to Legion::Crypt.write, fixing ArgumentError on Ruby 3.4.
force_cluster_secret and settings_push_vault now use fetch with explicit false default instead of || true which was impossible to override. Default settings for push_cluster_secret and read_cluster_secret changed to false.
No description provided.