Module: Legion::Crypt::Vault

Includes:

Logging::Helper

Included in:

Legion::Crypt

Defined in:

lib/legion/crypt/vault.rb,
lib/legion/crypt/vault_renewer.rb

Defined Under Namespace

Classes: Renewer

Constant Summary

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Instance Attribute Summary

• #sessions ⇒ Object

  Returns the value of attribute sessions.

Instance Method Summary

• #add_session(path:) ⇒ Object
• #close_session(session:) ⇒ Object
• #close_sessions ⇒ Object
• #connect_vault ⇒ Object
• #delete(path, cluster_name: nil) ⇒ Object
• #exist?(path, cluster_name: nil) ⇒ Boolean
• #get(path, cluster_name: nil) ⇒ Object
• #read(path, type = nil, cluster_name: nil) ⇒ Object
• #renew_cluster_tokens ⇒ Object
• #renew_session(session:) ⇒ Object
• #renew_sessions(**_opts) ⇒ Object
• #settings ⇒ Object
• #shutdown_renewer ⇒ Object
• #vault_exists?(name) ⇒ Boolean
• #vault_healthy? ⇒ Boolean
• #write(path, cluster_name: nil, **hash) ⇒ Object

Methods included from Logging::Helper

#handle_exception, #log

Instance Attribute Details

#sessions ⇒ Object

Returns the value of attribute sessions.

# File 'lib/legion/crypt/vault.rb', line 12

def sessions
  @sessions
end

Instance Method Details

#add_session(path:) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 106

def add_session(path:)
  @sessions ||= []
  @sessions.push(path)
end

#close_session(session:) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 129

def close_session(session:)
  ::Vault.sys.revoke(session)
end

#close_sessions ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 111

def close_sessions
  return if @sessions.nil?

  log.info 'Closing all Legion::Crypt vault sessions'

  @sessions.each do |session|
    close_session(session: session)
  end
end

#connect_vault ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 18

def connect_vault
  @sessions = []
  vault_settings = Legion::Settings[:crypt][:vault]
  ::Vault.address = resolve_vault_address(vault_settings)
  ::Vault.ssl_verify = resolve_ssl_verify(vault_settings[:tls])
  namespace = vault_settings[:vault_namespace]
  log.info "Vault connection requested address=#{::Vault.address} namespace=#{namespace || 'none'} ssl_verify=#{::Vault.ssl_verify}"

  Legion::Settings[:crypt][:vault][:token] = ENV['VAULT_DEV_ROOT_TOKEN_ID'] if ENV.key? 'VAULT_DEV_ROOT_TOKEN_ID'
  return nil if Legion::Settings[:crypt][:vault][:token].nil?

  ::Vault.token = Legion::Settings[:crypt][:vault][:token]
  ::Vault.namespace = namespace if namespace
  if vault_healthy?
    Legion::Settings[:crypt][:vault][:connected] = true
    log.info "Vault connected at #{::Vault.address} (namespace=#{namespace || 'none'})"
  end
rescue StandardError => e
  log_vault_connection_error(e)
  Legion::Settings[:crypt][:vault][:connected] = false
  false
end

#delete(path, cluster_name: nil) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 93

def delete(path, cluster_name: nil)
  logical_client(cluster_name: cluster_name).delete(path)
  log.info "Vault delete complete path=#{path}"
  { success: true, path: path }
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'crypt.vault.delete', path: path)
  { success: false, path: path, error: e.message }
end

#exist?(path, cluster_name: nil) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/crypt/vault.rb', line 102

def exist?(path, cluster_name: nil)
  !kv_client(cluster_name: cluster_name).read_metadata(path).nil?
end

#get(path, cluster_name: nil) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 69

def get(path, cluster_name: nil)
  log.debug "Vault kv get: path=#{path}"
  result = kv_client(cluster_name: cluster_name).read(path)
  if result.nil?
    log.debug "Vault kv get: #{path} returned nil"
    return nil
  end

  log.debug "Vault kv get: #{path} returned keys=#{result.data&.keys&.inspect}"
  result.data
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'crypt.vault.get', path: path)
  raise
end

#read(path, type = nil, cluster_name: nil) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 51

def read(path, type = nil, cluster_name: nil)
  full_path = type.nil? || type.empty? ? path : "#{type}/#{path}"
  log_read_context(full_path, cluster_name: cluster_name)
  lease = logical_client(cluster_name: cluster_name).read(full_path)
  if lease.nil?
    log_vault_debug("Vault read: #{full_path} returned nil")
    return nil
  end
  add_session(path: lease.lease_id) if lease.respond_to?(:lease_id) && lease.lease_id && !lease.lease_id.empty?

  data = lease.data
  log_vault_debug("Vault read: #{full_path} returned keys=#{data&.keys&.inspect}")
  unwrap_kv_v2(data, full_path)
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'crypt.vault.read', path: full_path)
  raise
end

#renew_cluster_tokens ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 153

def renew_cluster_tokens
  connected_clusters.each_key do |name|
    client = vault_client(name)
    client.auth_token.renew_self
    log.info "Vault token renewed for cluster #{name}"
  rescue StandardError => e
    log_vault_error(name, e)
  end
end

#renew_session(session:) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 133

def renew_session(session:)
  ::Vault.sys.renew(session)
end

#renew_sessions(**_opts) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 137

def renew_sessions(**_opts)
  log.debug 'Vault renewal cycle start'
  result = if respond_to?(:connected_clusters) && connected_clusters.any?
             renew_cluster_tokens
           else
             @sessions.each do |session|
               renew_session(session: session)
             end
           end
  log.debug 'Vault renewal cycle complete'
  result
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'crypt.vault.renew_sessions')
  raise
end

#settings ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 14

def settings
  Legion::Settings[:crypt][:vault]
end

#shutdown_renewer ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 121

def shutdown_renewer
  return unless Legion::Settings[:crypt][:vault][:connected]
  return if @renewer.nil?

  log.info 'Shutting down Legion::Crypt::Vault::Renewer'
  @renewer.cancel
end

#vault_exists?(name) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/crypt/vault.rb', line 163

def vault_exists?(name)
  ::Vault.sys.mounts.key?(name.to_sym)
end

#vault_healthy? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/crypt/vault.rb', line 41

def vault_healthy?
  ::Vault.sys.health_status.initialized?
rescue ::Vault::HTTPError => e
  # 429 = standby, 472 = DR secondary, 473 = performance standby
  # All indicate an initialized, healthy Vault — just not the active node.
  return true if e.message =~ /\b(429|472|473)\b/

  raise
end

#write(path, cluster_name: nil, **hash) ⇒ Object

# File 'lib/legion/crypt/vault.rb', line 84

def write(path, cluster_name: nil, **hash)
  log.info "Vault kv write requested path=#{path}"
  kv_client(cluster_name: cluster_name).write(path, **hash)
  log.info "Vault kv write complete path=#{path}"
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'crypt.vault.write', path: path)
  raise
end