Class: Legion::Crypt::CertRotation

Inherits:

Object

• Object
• Legion::Crypt::CertRotation

Includes:

Logging::Helper

Defined in:

lib/legion/crypt/cert_rotation.rb

Constant Summary

DEFAULT_CHECK_INTERVAL =

12 hours

43_200

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Instance Attribute Summary

• #check_interval ⇒ Object readonly

  Returns the value of attribute check_interval.

• #current_cert ⇒ Object readonly

  Returns the value of attribute current_cert.

• #issued_at ⇒ Object readonly

  Returns the value of attribute issued_at.

Instance Method Summary

• #initialize(check_interval: DEFAULT_CHECK_INTERVAL) ⇒ CertRotation constructor

  A new instance of CertRotation.

• #needs_renewal? ⇒ Boolean
• #rotate! ⇒ Object
• #running? ⇒ Boolean
• #start ⇒ Object
• #stop ⇒ Object

Methods included from Logging::Helper

#handle_exception, #log

Constructor Details

#initialize(check_interval: DEFAULT_CHECK_INTERVAL) ⇒ CertRotation

Returns a new instance of CertRotation.

# File 'lib/legion/crypt/cert_rotation.rb', line 14

def initialize(check_interval: DEFAULT_CHECK_INTERVAL)
  @check_interval = check_interval
  @current_cert   = nil
  @issued_at      = nil
  @running        = false
  @thread         = nil
  @mutex          = Mutex.new
end

Instance Attribute Details

#check_interval ⇒ Object (readonly)

Returns the value of attribute check_interval.

# File 'lib/legion/crypt/cert_rotation.rb', line 12

def check_interval
  @check_interval
end

#current_cert ⇒ Object (readonly)

Returns the value of attribute current_cert.

# File 'lib/legion/crypt/cert_rotation.rb', line 12

def current_cert
  @current_cert
end

#issued_at ⇒ Object (readonly)

Returns the value of attribute issued_at.

# File 'lib/legion/crypt/cert_rotation.rb', line 12

def issued_at
  @issued_at
end

Instance Method Details

#needs_renewal? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/crypt/cert_rotation.rb', line 65

def needs_renewal?
  current_cert = nil
  issued_at = nil
  @mutex.synchronize do
    current_cert = @current_cert
    issued_at = @issued_at
  end
  return false if current_cert.nil? || issued_at.nil?

  expiry = current_cert[:expiry]
  total  = expiry - issued_at
  return true if total <= 0

  remaining = expiry - Time.now
  fraction  = remaining / total
  fraction < renewal_window
end

#rotate! ⇒ Object

# File 'lib/legion/crypt/cert_rotation.rb', line 53

def rotate!
  node_name = node_common_name
  new_cert = Legion::Crypt::Mtls.issue_cert(common_name: node_name)
  @mutex.synchronize do
    @current_cert = new_cert
    @issued_at    = Time.now
  end
  log.info("[mTLS] Certificate rotated: serial=#{new_cert[:serial]} expiry=#{new_cert[:expiry]}")
  emit_rotated_event(new_cert)
  new_cert
end

#running? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/crypt/cert_rotation.rb', line 49

def running?
  (@running && @thread&.alive?) || false
end

#start ⇒ Object

# File 'lib/legion/crypt/cert_rotation.rb', line 23

def start
  return unless Legion::Crypt::Mtls.enabled?
  return if running?

  @running = true
  @thread  = Thread.new { rotation_loop }
  log.info('[mTLS] CertRotation started')
end

#stop ⇒ Object

# File 'lib/legion/crypt/cert_rotation.rb', line 32

def stop
  @running = false
  begin
    @thread&.wakeup
  rescue ThreadError => e
    handle_exception(e, level: :debug, operation: 'crypt.cert_rotation.stop')
    nil
  end
  @thread&.join(2)
  if @thread&.alive?
    log.warn '[mTLS] CertRotation thread did not stop within timeout'
  else
    @thread = nil
  end
  log.info('[mTLS] CertRotation stopped')
end