Module: Legion::Crypt::Mtls

Extended by:
Logging::Helper
Defined in:
lib/legion/crypt/mtls.rb

Constant Summary collapse

DEFAULT_PKI_PATH =
'pki/issue/legion-internal'
DEFAULT_TTL =
'24h'

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Class Method Summary collapse

Methods included from Logging::Helper

handle_exception, log

Class Method Details

.enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/crypt/mtls.rb', line 14

# Whether mTLS is switched on in the security settings.
#
# Reads the +enabled+ flag of the +mtls+ section returned by
# +safe_security_settings+, accepting either symbol or string keys.
#
# NOTE: the configured value is returned as stored, not coerced, so only
# +nil+/+false+ count as disabled — a string such as "false" is truthy.
#
# @return [Boolean, Object] false when settings or the mtls section are
#   missing, otherwise the stored flag value
def enabled?
  security = safe_security_settings
  mtls_section = security.nil? ? nil : (security[:mtls] || security['mtls'])
  return false if mtls_section.nil?

  mtls_section[:enabled] || mtls_section['enabled'] || false
end

.issue_cert(common_name:, ttl: nil) ⇒ Hash



# File 'lib/legion/crypt/mtls.rb', line 32

# Request a leaf certificate from the Vault PKI secrets engine.
#
# The TTL is resolved from the +ttl:+ argument, then +cert_ttl_setting+,
# then DEFAULT_TTL. The write goes to +pki_path+ with the host's
# non-loopback IPv4 address (+local_ip+) as the only IP SAN and no DNS
# alt names.
#
# @param common_name [String] CN requested for the certificate
# @param ttl [String, nil] Vault duration string (e.g. '24h'); nil uses settings/default
# @return [Hash] :cert, :key, :ca_chain, :serial, :expiry — :key is the
#   private key and must not be logged or persisted in clear text
# @raise [RuntimeError] when Vault returns a nil response
# @raise [StandardError] any client error is reported via handle_exception
#   and re-raised to the caller
def issue_cert(common_name:, ttl: nil)
  effective_ttl = ttl || cert_ttl_setting || DEFAULT_TTL
  log.info "[mTLS] certificate issue requested common_name=#{common_name} ttl=#{effective_ttl}"

  target_path = pki_path
  request = {
    common_name: common_name,
    ttl:         effective_ttl,
    ip_sans:     local_ip,
    alt_names:   ''
  }
  response = ::Vault.logical.write(target_path, **request)

  raise "Vault PKI returned nil for #{pki_path} (common_name=#{common_name})" if response.nil?

  issued = response.data

  {
    cert:     issued[:certificate],
    key:      issued[:private_key],
    ca_chain: Array(issued[:ca_chain]),
    serial:   issued[:serial_number],
    # nil.to_i is 0, so a response without :expiration yields the 1970 epoch
    # rather than an error — callers should treat that as "unknown expiry"
    expiry:   Time.at(issued[:expiration].to_i)
  }
rescue StandardError => e
  # effective_ttl is nil here if the failure happened before it was assigned
  handle_exception(e, level: :error, operation: 'crypt.mtls.issue_cert', common_name: common_name, ttl: effective_ttl)
  raise
end

.local_ip ⇒ String



# File 'lib/legion/crypt/mtls.rb', line 60

# Best-effort local IPv4 address, used by issue_cert as the IP SAN.
#
# Returns the first non-loopback IPv4 interface address reported by
# Socket.ip_address_list. On a multi-homed host "first" is whatever the
# OS enumerates first, which may not be the address peers connect to.
# Falls back to '127.0.0.1' when no such address exists or enumeration
# raises (the error is reported through handle_exception at :warn).
#
# @return [String] dotted-quad IPv4 address
def local_ip
  candidate = Socket.ip_address_list
                    .select(&:ipv4?)
                    .find { |addr| !addr.ipv4_loopback? }
  candidate ? candidate.ip_address : '127.0.0.1'
rescue StandardError => e
  handle_exception(e, level: :warn, operation: 'crypt.mtls.local_ip')
  '127.0.0.1'
end

.pki_path ⇒ String



# File 'lib/legion/crypt/mtls.rb', line 24

# Vault logical path that issue_cert writes to.
#
# Reads +mtls.vault_pki_path+ (symbol or string keys) from
# +safe_security_settings+, falling back to DEFAULT_PKI_PATH. The value
# is used verbatim as the Vault write path, so whoever controls the
# security settings controls which PKI role issues certificates.
#
# @return [String]
def pki_path
  security = safe_security_settings
  mtls_section = security.nil? ? {} : (security[:mtls] || security['mtls'] || {})
  mtls_section[:vault_pki_path] || mtls_section['vault_pki_path'] || DEFAULT_PKI_PATH
end