Module: Legion::Extensions::Agentic::Self::Identity::Helpers::VaultSecrets

Defined in:
lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb

Overview

Vault secret path conventions for Digital Worker Entra ID credentials.

Secrets are stored in Vault KV v2 under a well-known path:

secret/data/legion/workers/{worker_id}/entra

Legion uses legion-crypt for Vault access. If Vault is not connected, methods return nil/false gracefully.

Constant Summary

VAULT_PATH_PREFIX =
'secret/data/legion/workers'

Class Method Summary

Class Method Details

.delete_client_secret(worker_id:) ⇒ Object

Delete Entra app credentials from Vault (used during worker termination). Returns true on success, false if Vault is unavailable.



# File 'lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb', line 55

def self.delete_client_secret(worker_id:)
  return false unless vault_available?

  path = secret_path(worker_id)
  Legion::Crypt.delete(path)
  Legion::Logging.info "[identity:vault] deleted Entra credentials for worker=#{worker_id}"
  true
rescue StandardError => e
  Legion::Logging.error "[identity:vault] failed to delete credentials for worker=#{worker_id}: #{e.message}"
  false
end

.read_client_secret(worker_id:) ⇒ Object

Read Entra app client_secret from Vault. Returns the secret hash on success, nil if unavailable or not found.



# File 'lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb', line 42

def self.read_client_secret(worker_id:)
  return nil unless vault_available?

  path = secret_path(worker_id)
  result = Legion::Crypt.read(path)
  result&.dig(:data, :data) || result&.dig(:data)
rescue StandardError => e
  Legion::Logging.error "[identity:vault] failed to read credentials for worker=#{worker_id}: #{e.message}"
  nil
end

.secret_path(worker_id) ⇒ Object



# File 'lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb', line 19

def self.secret_path(worker_id)
  "#{VAULT_PATH_PREFIX}/#{worker_id}/entra"
end

.store_client_secret(worker_id:, client_secret:, entra_app_id: nil) ⇒ Object

Store Entra app client_secret in Vault. Returns true on success, false if Vault is unavailable.



# File 'lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb', line 25

def self.store_client_secret(worker_id:, client_secret:, entra_app_id: nil)
  return false unless vault_available?

  path = secret_path(worker_id)
  data = { client_secret: client_secret }
  data[:entra_app_id] = entra_app_id if entra_app_id

  vault_write(path, data)
  Legion::Logging.info "[identity:vault] stored Entra credentials for worker=#{worker_id}"
  true
rescue StandardError => e
  Legion::Logging.error "[identity:vault] failed to store credentials for worker=#{worker_id}: #{e.message}"
  false
end

.vault_available? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/extensions/agentic/self/identity/helpers/vault_secrets.rb', line 67

def self.vault_available?
  defined?(Legion::Crypt) &&
    defined?(Legion::Settings) &&
    Legion::Settings[:crypt][:vault][:connected] == true
rescue StandardError => _e
  false
end
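The following is an added, stand-alone example (not Legion's own code) that models the conventions documented above: the `secret/data/legion/workers/{worker_id}/entra` path, the unwrapping of a KV v2 read response (`data.data`) with a fallback to a flat `data` hash, and the nil/false results when Vault is not connected. `FakeKv` is a constructed in-memory stand-in for the `Legion::Crypt` read/write/delete calls; its `connected` flag plays the role of `Settings[:crypt][:vault][:connected]`. The `WORKER_ID` check is an assumed hardening that the original module does not contain: because the path is built by string interpolation, it rejects ids containing `/` or `..` so a worker id cannot address a path outside its own prefix.

```ruby
# Added example, not part of the Legion project. Models the VaultSecrets
# helper conventions against an in-memory stand-in for Vault KV v2.

VAULT_PATH_PREFIX = 'secret/data/legion/workers'.freeze

# Constructed stand-in for the Vault client. It returns the two response
# shapes read_client_secret has to cope with:
#   KV v2: { data: { data: {...}, metadata: {...} } }
#   KV v1: { data: {...} }
class FakeKv
  attr_accessor :connected, :kv_version

  def initialize(connected: true, kv_version: 2)
    @connected = connected
    @kv_version = kv_version
    @store = {}
  end

  def write(path, data)
    @store[path] = data.dup
  end

  def read(path)
    payload = @store[path]
    return nil unless payload

    kv_version == 2 ? { data: { data: payload, metadata: { version: 1 } } } : { data: payload }
  end

  def delete(path)
    @store.delete(path)
  end
end

module WorkerEntraSecrets
  # Assumed hardening (not in the original): a worker id becomes a path
  # segment, so it must not contain "/" or ".." or be empty.
  WORKER_ID = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/

  def self.secret_path(worker_id)
    id = worker_id.to_s
    raise ArgumentError, "invalid worker_id #{id.inspect}" unless id.match?(WORKER_ID) && !id.include?('..')

    "#{VAULT_PATH_PREFIX}/#{id}/entra"
  end

  # Mirrors vault_available?: any error while probing the client counts as "not available".
  def self.vault_available?(kv)
    kv.respond_to?(:read) && kv.connected == true
  rescue StandardError
    false
  end

  def self.store_client_secret(kv, worker_id:, client_secret:, entra_app_id: nil)
    return false unless vault_available?(kv)

    data = { client_secret: client_secret }
    data[:entra_app_id] = entra_app_id if entra_app_id
    kv.write(secret_path(worker_id), data)
    true
  rescue StandardError
    false # includes an invalid worker_id rejected by secret_path
  end

  def self.read_client_secret(kv, worker_id:)
    return nil unless vault_available?(kv)

    result = kv.read(secret_path(worker_id))
    # KV v2 nests the secret under data.data; fall back to a flat data hash.
    result&.dig(:data, :data) || result&.dig(:data)
  rescue StandardError
    nil
  end

  def self.delete_client_secret(kv, worker_id:)
    return false unless vault_available?(kv)

    kv.delete(secret_path(worker_id))
    true
  rescue StandardError
    false
  end
end

# Store, read back, delete, and read again against a connected stand-in.
def demo_roundtrip(kv = FakeKv.new)
  stored = WorkerEntraSecrets.store_client_secret(kv, worker_id: 'w-42', client_secret: 'example-secret', entra_app_id: 'app-1')
  read = WorkerEntraSecrets.read_client_secret(kv, worker_id: 'w-42')
  deleted = WorkerEntraSecrets.delete_client_secret(kv, worker_id: 'w-42')
  { stored: stored, read: read, deleted: deleted, after_delete: WorkerEntraSecrets.read_client_secret(kv, worker_id: 'w-42') }
end

puts demo_roundtrip.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the round trip: `stored` and `deleted` are `true`, `read` is the stored hash, and `after_delete` is `nil`. Switching the stand-in to `kv_version = 1` exercises the flat `data` fallback, and a stand-in created with `connected: false` makes every method return `nil`/`false` without touching the store, which is the behaviour the Overview describes for a disconnected Vault.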