diff --git a/CHANGELOG.md b/CHANGELOG.md index 448a141..3d864f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +## [1.2.11] - 2024-02-09 +### Security +- Upgrade Puma to 6.4.2 + [cyberark/conjur-service-broker#339](https://github.com/cyberark/conjur-service-broker/pull/339) + ## [1.2.10] - 2023-06-21 ### Security - Upgrade ruby to 3.2, Go image to 1.20-alpine, and golang.org/x/sys to v0.8.0 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b37fefc..6c62d62 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -11,11 +11,9 @@ environment. 1. [git][get-git] to manage source code 2. [Docker][get-docker] to manage dependencies and runtime environments -3. [Docker Compose][get-docker-compose] to orchestrate Docker environments [get-docker]: https://docs.docker.com/engine/installation [get-git]: https://git-scm.com/downloads -[get-docker-compose]: https://docs.docker.com/compose/install To test the usage of the Conjur Service Broker within a CF deployment, you can follow the demo scripts in the [Cloud Foundry demo repo](https://github.com/conjurinc/cloudfoundry-conjur-demo). @@ -101,7 +99,7 @@ Then, run the tests with the following command: _Note: The integration tests rely on having built `conjur-service-broker` and `conjur-service-broker-test`. If you make changes to your local repository and would like to see those changes reflected in the test containers, either -re-run `./dev/build` or run `docker-compose build ` to rebuild +re-run `./dev/build` or run `docker compose build ` to rebuild the source image(s) before running the tests._ ### End-to-End (E2E) Integration Testing @@ -138,7 +136,7 @@ To detect if there are any known security vulnerabilities in gem dependencies, run the following: ``` - docker-compose run tests bundle audit + docker compose run tests bundle audit ``` If any known security vulnerabilities are discovered, you will see 
@@ -167,19 +165,19 @@ Some examples, ranging from least conservative to most conservative: 1. To update the vulnerable gem and all of its dependencies. ``` - docker-compose run tests bundle update + docker compose run tests bundle update ``` 1. To update only the vulnerable gem (i.e. not its dependencies): ``` - docker-compose run tests bundle update --conservative + docker compose run tests bundle update --conservative ``` 1. To update only the vulnerable gem's patch version: ``` - docker-compose run tests bundle update --patch --conservative + docker compose run tests bundle update --patch --conservative ``` After running any of the above commands, you will want to test @@ -187,7 +185,7 @@ Service Broker functionality as described in the [Testing Functionality After Dependency Version Changes](#testing-functionality-after-dependency-version-changes) section below. -### Updating One Dependency at a Time +### Updating All Dependencies at Once If you are feeling especially lucky, you might be tempted to update all dependencies (direct and indirect), and then build and test to @@ -195,7 +193,7 @@ verify that Service Broker functionality has not been broken. This would be done as follows: ``` - docker-compose run tests bundle update + docker compose run tests bundle update ``` However, the chances that such a sweeping change will not break @@ -224,13 +222,13 @@ Service Broker functionality using this method may be high. For example, to update `development` dependencies for the Service Broker: ``` - docker-compose run tests bundle update --group development + docker compose run tests bundle update --group development ``` Or, to update `test` and `development` dependencies: ``` - docker-compose run tests bundle update --group test development + docker compose run tests bundle update --group test development ``` After any gem versions have been updated, you will want to test diff --git a/Gemfile b/Gemfile index 117c58d..7d47f9c 100644 --- a/Gemfile +++ b/Gemfile 
@@ -16,7 +16,7 @@ gem 'json-schema', '2.8.0' gem 'listen', '>= 3.0.5', '< 3.2' # Use Puma as the app server -gem 'puma', '5.6.4' +gem 'puma', '6.4.2' # Use Rack CORS for handling Cross-Origin Resource Sharing (CORS), making cross-origin AJAX possible # gem 'rack-cors' diff --git a/Gemfile.lock b/Gemfile.lock index fb85079..cb0f53b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,26 +1,26 @@ GEM remote: https://rubygems.org/ specs: - actionpack (6.1.7.3) - actionview (= 6.1.7.3) - activesupport (= 6.1.7.3) + actionpack (6.1.7.6) + actionview (= 6.1.7.6) + activesupport (= 6.1.7.6) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actionview (6.1.7.3) - activesupport (= 6.1.7.3) + actionview (6.1.7.6) + activesupport (= 6.1.7.6) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activesupport (6.1.7.3) + activesupport (6.1.7.6) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) tzinfo (~> 2.0) zeitwerk (~> 2.3) - addressable (2.8.1) + addressable (2.8.6) public_suffix (>= 2.0.2, < 6.0) aruba (2.1.0) bundler (>= 1.17, < 3.0) @@ -42,7 +42,7 @@ GEM ci_reporter (~> 2.0) rspec (>= 2.14, < 4) coderay (1.1.3) - concurrent-ruby (1.2.2) + concurrent-ruby (1.2.3) conjur-api (5.3.7) activesupport (>= 4.2) addressable (~> 2.0) @@ -79,15 +79,14 @@ GEM cucumber-wire (6.2.1) cucumber-core (~> 10.1, >= 10.1.0) cucumber-cucumber-expressions (~> 14.0, >= 14.0.0) - diff-lcs (1.5.0) - domain_name (0.5.20190701) - unf (>= 0.0.5, < 1.0.0) + diff-lcs (1.5.1) + domain_name (0.6.20240107) erubi (1.12.0) - ffi (1.15.5) + ffi (1.16.3) http-accept (1.7.0) http-cookie (1.0.5) domain_name (~> 0.5) - i18n (1.12.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) json-schema (2.8.0) addressable (>= 2.4) 
@@ -104,21 +103,19 @@ GEM listen (3.0.8) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) - loofah (2.19.1) + loofah (2.22.0) crass (~> 1.0.2) - nokogiri (>= 1.5.9) + nokogiri (>= 1.12.0) method_source (1.0.0) - mime-types (3.4.1) + mime-types (3.5.2) mime-types-data (~> 3.2015) - mime-types-data (3.2023.0218.1) - mini_portile2 (2.8.1) - minitest (5.18.0) + mime-types-data (3.2024.0206) + minitest (5.22.2) multi_json (1.15.0) multi_test (0.1.2) netrc (0.11.0) - nio4r (2.5.8) - nokogiri (1.14.3) - mini_portile2 (~> 2.8.0) + nio4r (2.7.0) + nokogiri (1.16.2-x86_64-linux) racc (~> 1.4) pry (0.14.2) coderay (~> 1.1) @@ -126,25 +123,27 @@ GEM pry-byebug (3.10.1) byebug (~> 11.0) pry (>= 0.13, < 0.15) - public_suffix (5.0.1) - puma (5.6.4) + public_suffix (5.0.4) + puma (6.4.2) nio4r (~> 2.0) - racc (1.6.2) - rack (2.2.6.4) - rack-test (2.0.2) + racc (1.7.3) + rack (2.2.8) + rack-test (2.1.0) rack (>= 1.3) - rails-dom-testing (2.0.3) - activesupport (>= 4.2.0) + rails-dom-testing (2.2.0) + activesupport (>= 5.0.0) + minitest nokogiri (>= 1.6) - rails-html-sanitizer (1.5.0) - loofah (~> 2.19, >= 2.19.1) - railties (6.1.7.3) - actionpack (= 6.1.7.3) - activesupport (= 6.1.7.3) + rails-html-sanitizer (1.6.0) + loofah (~> 2.21) + nokogiri (~> 1.14) + railties (6.1.7.6) + actionpack (= 6.1.7.6) + activesupport (= 6.1.7.6) method_source rake (>= 12.2) thor (~> 1.0) - rake (13.0.6) + rake (13.1.0) rb-fsevent (0.11.2) rb-inotify (0.10.1) ffi (~> 1.0) 
@@ -153,28 +152,28 @@ GEM http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 4.0) netrc (~> 0.8) - rexml (3.2.5) - rspec (3.12.0) - rspec-core (~> 3.12.0) - rspec-expectations (~> 3.12.0) - rspec-mocks (~> 3.12.0) - rspec-core (3.12.1) - rspec-support (~> 3.12.0) - rspec-expectations (3.12.2) + rexml (3.2.6) + rspec (3.13.0) + rspec-core (~> 3.13.0) + rspec-expectations (~> 3.13.0) + rspec-mocks (~> 3.13.0) + rspec-core (3.13.0) + rspec-support (~> 3.13.0) + rspec-expectations (3.13.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.12.0) - rspec-mocks (3.12.3) + rspec-support (~> 3.13.0) + rspec-mocks (3.13.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.12.0) - rspec-rails (6.0.1) + rspec-support (~> 3.13.0) + rspec-rails (6.1.1) actionpack (>= 6.1) activesupport (>= 6.1) railties (>= 6.1) - rspec-core (~> 3.11) - rspec-expectations (~> 3.11) - rspec-mocks (~> 3.11) - rspec-support (~> 3.11) - rspec-support (3.12.0) + rspec-core (~> 3.12) + rspec-expectations (~> 3.12) + rspec-mocks (~> 3.12) + rspec-support (~> 3.12) + rspec-support (3.13.0) rspec_junit_formatter (0.6.0) rspec-core (>= 2, < 4, != 2.12.0) rubyzip (2.3.2) @@ -182,22 +181,19 @@ GEM spring-watcher-listen (2.0.1) listen (>= 2.7, < 4.0) spring (>= 1.2, < 3.0) - sys-uname (1.2.2) + sys-uname (1.2.3) ffi (~> 1.1) - thor (1.2.1) + thor (1.3.0) tomlrb (2.0.3) tzinfo (2.0.6) concurrent-ruby (~> 1.0) - unf (0.1.4) - unf_ext - unf_ext (0.0.8.2) with_env (1.1.0) xml-simple (1.1.9) rexml - zeitwerk (2.6.7) + zeitwerk (2.6.13) PLATFORMS - ruby + x86_64-linux DEPENDENCIES actionview (~> 6.1) @@ -213,7 +209,7 @@ DEPENDENCIES license_finder listen (>= 3.0.5, < 3.2) pry-byebug - puma (= 5.6.4) + puma (= 6.4.2) rack (~> 2.2.6) railties (~> 6.1) rest-client @@ -224,7 +220,7 @@ DEPENDENCIES spring-watcher-listen (~> 2.0.0) RUBY VERSION - ruby 3.1.3p185 + ruby 3.2.3p157 BUNDLED WITH - 2.4.6 + 2.5.6 diff --git a/Jenkinsfile b/Jenkinsfile index 5cef50b..35a953d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -67,9 +67,9 @@ pipeline { } // The End-to-End test needs to be run separately from the integration - // tests because both use the default docker-compose network, and + // tests because both use the default docker compose network, and // both cause this network to be deleted when they clean up with - // 'docker-compose down ...'. + // 'docker compose down ...'. stage('End-to-End Testing') { steps { allocateTas('isv_ci_tas_srt_5_0') diff --git a/NOTICES.txt b/NOTICES.txt index 893c168..9c37536 100644 --- a/NOTICES.txt +++ b/NOTICES.txt @@ -12,7 +12,7 @@ SECTION 1: Apache-2.0 SECTION 2: BSD-3-Clause ->>> https://rubygems.org/gems/puma/versions/5.6.4 +>>> https://rubygems.org/gems/puma/versions/6.4.2 SECTION 3: MIT @@ -56,7 +56,7 @@ limitations under the License. BSD-3-Clause License is applicable to the following component(s). ->>> https://rubygems.org/gems/puma/versions/5.6.4 +>>> https://rubygems.org/gems/puma/versions/6.4.2 Copyright (c) 2019, Evan Phoenix. Some code by Zed Shaw, (c) 2005. All rights reserved. diff --git a/VERSION b/VERSION index 963ed7c..c114700 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.2.10 +1.2.11 diff --git a/dev/build b/dev/build index 757e94b..9a90f23 100755 --- a/dev/build +++ b/dev/build @@ -8,13 +8,13 @@ cd "$(dirname "$0")/.." || (echo "Could not cd to parent dir"; exit 1) TAG="$(< VERSION)-$(git rev-parse --short HEAD)" announce "Getting updated images (this may take a few minutes)..." -docker-compose pull -q conjur_5 +docker compose pull -q conjur_5 echo "Done!" announce "Building Buildpack Health Check executable" rm -rf bin/buildpack-health-check -docker-compose -f buildpack-health-check/docker-compose.yml build -docker-compose -f buildpack-health-check/docker-compose.yml \ +docker compose -f buildpack-health-check/docker-compose.yml build +docker compose -f buildpack-health-check/docker-compose.yml \ run --rm buildpack-health-check-builder echo "Done!" 
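Review bot: Nothing in dev/build verifies that the compose plugin is installed before the first `docker compose pull -q conjur_5`, so on a host that only has the standalone `docker-compose` binary the script now fails partway through with an unhelpful "not a docker command" error. A guard near the top, such as `docker compose version >/dev/null 2>&1 || { echo "docker compose (v2 plugin) is required" >&2; exit 1; }`, makes the new requirement explicit; dev/run_tests and dev/test_e2e have the same gap and could share it. Separately, the cd guard shown in the hunk header, `|| (echo "Could not cd to parent dir"; exit 1)`, runs `exit 1` inside a subshell and therefore does not stop the script; `|| { echo "Could not cd to parent dir" >&2; exit 1; }` would. The rest of the script is outside this hunk.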
diff --git a/dev/run_tests b/dev/run_tests index f2de3d7..4413be1 100755 --- a/dev/run_tests +++ b/dev/run_tests @@ -31,7 +31,7 @@ SKIP_CONJUR_V4_TESTS="${SKIP_CONJUR_V4_TESTS:-false}" function cleanup { announce 'Cleaning up test environment' - docker-compose down --rmi 'local' --volumes + docker compose down --rmi 'local' --volumes rm -f ../tmp/pids/server*.pid } #trap cleanup EXIT @@ -53,20 +53,20 @@ function main() { function startConjur() { announce "Starting Conjur environment" - docker-compose up -d pg conjur_5 + docker compose up -d pg conjur_5 } function execConjurCLI() { conjur_cmd=$1 - docker-compose run --no-deps --rm --entrypoint bash client -c "$conjur_cmd" + docker compose run --no-deps --rm --entrypoint bash client -c "$conjur_cmd" } function loadPolicy5() { announce "Waiting for Conjur v5 to come up, and loading policy..." - docker-compose exec -T conjur_5 conjurctl wait -r 30 -p 80 + docker compose exec -T conjur_5 conjurctl wait -r 30 -p 80 - api_key=$(docker-compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:user:admin}].api_key" 2>/dev/null') + api_key=$(docker compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:user:admin}].api_key" 2>/dev/null') export CONJUR_AUTHN_API_KEY="$api_key" # load the pcf policy for the non-empty CONJUR_POLICY test @@ -81,13 +81,13 @@ function composeUp() { services=("$@") if [ "$START_SB_DEV_ENV" = "true" ]; then # Use development environment overrides for Docker Compose - docker-compose \ + docker compose \ -f ../docker-compose.yml \ -f ../docker-compose.dev-override.yml \ up -d \ "${services[@]}" else - docker-compose up -d "${services[@]}" + docker compose up -d "${services[@]}" fi } 
@@ -99,18 +99,18 @@ function startServiceBrokers5() { export CONJUR_FOLLOWER_URL=http://conjur_5-follower export CONJUR_SSL_CERTIFICATE="" - admin_api_key=$(docker-compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:user:admin}].api_key" 2>/dev/null') + admin_api_key=$(docker compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:user:admin}].api_key" 2>/dev/null') export CONJUR_AUTHN_API_KEY="$admin_api_key" composeUp "${SERVICE_BROKERS[@]}" export CONJUR_POLICY=cf - CONJUR_AUTHN_API_KEY="$(docker-compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:host:cf-service-broker}].api_key" 2>/dev/null')" + CONJUR_AUTHN_API_KEY="$(docker compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:host:cf-service-broker}].api_key" 2>/dev/null')" export CONJUR_AUTHN_API_KEY services=( "conjur-service-broker" "service-broker-alt-policy" ) composeUp "${services[@]}" - bad_host_api_key="$(docker-compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:host:bad-service-broker}].api_key" 2>/dev/null')" + bad_host_api_key="$(docker compose exec -T conjur_5 bash -c 'rails r "puts Role[%Q{cucumber:host:bad-service-broker}].api_key" 2>/dev/null')" export CONJUR_AUTHN_API_KEY=$bad_host_api_key services=( "service-broker-bad-host" ) composeUp "${services[@]}" 
@@ -120,14 +120,14 @@ function runTests() { announce "Running tests" if [ "$START_SB_DEV_ENV" = "true" ]; then - docker-compose run \ + docker compose run \ -e CONJUR_AUTHN_API_KEY="$admin_api_key" \ -e BAD_HOST_API_KEY="$bad_host_api_key" \ tests bash -c "./dev/dev_env_menu" else # Run all cucumber tests except those that require access to PCF/Tanzu. # Set BAD_HOST_API_KEY to test an error case in bin/health-check.rb - docker-compose run -e CONJUR_AUTHN_API_KEY="$admin_api_key" -e BAD_HOST_API_KEY="$bad_host_api_key" tests \ + docker compose run -e CONJUR_AUTHN_API_KEY="$admin_api_key" -e BAD_HOST_API_KEY="$bad_host_api_key" tests \ cucumber \ --format junit \ --out features/reports \ @@ -141,7 +141,7 @@ function runTests() { function cleanUpServiceBrokers() { announce "Cleaning up running service brokers..." - docker-compose rm -f -s -v "${SERVICE_BROKERS[@]}" service-broker-alt-policy + docker compose rm -f -s -v "${SERVICE_BROKERS[@]}" service-broker-alt-policy } main diff --git a/dev/test_e2e b/dev/test_e2e index a3d53d1..a48e9e4 100755 --- a/dev/test_e2e +++ b/dev/test_e2e @@ -13,7 +13,7 @@ export HAMMERFILE="${HAMMERFILE:-"${HAMMERFILE_DEFAULT}"}" function cleanup { announce "Removing test environment" - docker-compose down --rmi 'local' --volumes + docker compose down --rmi 'local' --volumes if [[ -n "${compute_ip:-}" ]]; then if bl_retry_constant 5 15 ipmanager remove "${compute_ip}"; then echo "Removed TAS Compute IP from IPManager" @@ -128,7 +128,7 @@ function runE2ETests() { announce "Running End-to-End tests" export CONJUR_VERSION=5 - docker-compose run tests \ + docker compose run tests \ cucumber \ --format junit \ --out features/reports \ diff --git a/dev/test_unit b/dev/test_unit index 832ac7b..ec21c9b 100755 --- a/dev/test_unit +++ b/dev/test_unit 
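Review bot: `-e CONJUR_AUTHN_API_KEY="$admin_api_key" -e BAD_HOST_API_KEY="$bad_host_api_key"` places both API keys on the argv of `docker compose run` in both branches of runTests, where they show up in process listings and in any `set -x` trace of the script. Passing them through the environment keeps them out of argv: `CONJUR_AUTHN_API_KEY="$admin_api_key" BAD_HOST_API_KEY="$bad_host_api_key" docker compose run -e CONJUR_AUTHN_API_KEY -e BAD_HOST_API_KEY tests …`, since a value-less `-e NAME` inherits the variable from the caller's environment as it does with `docker run`. The remainder of runTests is outside this hunk.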
@@ -2,10 +2,10 @@ cd "$(dirname "$0")" -# This is run using 'docker' rather than 'docker-compose' so that this test +# This is run using 'docker' rather than 'docker compose' so that this test # can be run in parallel with the 'bin/test_integration' test. (Running both -# on the default docker-compose network could cause a conflict in that -# either test might delete the docker-compose network upon cleanup while +# on the default docker compose network could cause a conflict in that +# either test might delete the docker compose network upon cleanup while # the other test is still using the network.) docker run \ -e CONJUR_ACCOUNT=cucumber \