conjur-debify 1.10.3 → 1.11.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5d37eadc9ebb56259a7a9fbb811761eb4d9a4210b664b450e5ddcb51e3f5eeb
-  data.tar.gz: 88611983be2c6a1726b54ffac032f95ab3966e3d7cef57e50504fd3c781fce54
+  metadata.gz: 58a50a072fd2700fa612ac0a6113f2a6227787ed67ac732767443dc26a6f9e72
+  data.tar.gz: ba642699eb85c6506091ccdb8c82779a1f4daf9b5e00f45e071f910b889883e5
 SHA512:
-  metadata.gz: 4be770ae77cf5e80478fb77137b90394086d3bbede9a0d15a61b64b636a6c43ca8e1711e69d7033deb12f0ed13f9609c5c13d1eab4ececfc7a89163a530aa2d7
-  data.tar.gz: 925471e67b930d1fab9cba2484706bea504357fc3dead42cb6c3b2136036cf4ece73092b640b8fef70abf46b84bb7908f0f2189ebef0994171abc06f21d57e32
+  metadata.gz: 3674127fd6cc68ee9696f552edac2a089efe2c9ab6e1b0ac212ee78b4b282735e03ec65f15c7502592e2c31702a182756e6744c8a3bbc90a2e04b1c06ad6ffeb
+  data.tar.gz: 31b3d6dd4a7c414ea09ea97e98ef1a56963d4724b4bd637fbd0379f7f53db0c9d0be22981a1de2de748aa8925a5b15d82b6551e4eb7b4edf6c68579c7f5b9d3b

data/CHANGELOG.md

@@ -1,3 +1,41 @@
+# 1.11.5
+
+### Changed
+* Updated FPM and Test images to use a base image with FIPS-compliant Ruby and OpenSSL.
+
+# 1.11.4
+
+* Updated sandbox password to match Conjur password complexity requirements.
+
+# 1.11.3
+
+* Reverted to `bundler` v1. `bundler` v2 was creating incompatible paths for downstream
+  packages.
+* Made FPM Ruby version use `ruby2.5` instead of `ruby2.6` since that is what
+  our appliance image uses otherwise the gems bundled in the packages are unusable.
+
+# 1.11.2
+
+* Upgraded to use Ruby 2.6 and latest version of FPM
+* Update Conjur Dockerfile from Ubuntu 14.04 --> 18.04 as 14.04 repos
+  are now behind a [pay wall](https://ubuntu.com/blog/ubuntu-14-04-esm-support)
+  Ruby is installed from `ppa:brightbox/ruby-ng` however that PPA
+  [doesn't currently supply ruby2.2 for Ubuntu 18.04](https://launchpad.net/~brightbox/+archive/ubuntu/ruby-ng?field.series_filter=bionic). [The documentation](https://www.brightbox.com/docs/ruby/ubuntu/)
+  suggests this combination is available, so it may be a temporary problem.
+  To work around the problem, ruby is bumped from 2.2 to 2.3 as 2.3 is the oldest
+  version available for Ubuntu 18.04.
+
+# 1.11.1
+
+* Upgrade `docker-debify` to use Ruby 2.6.
+
+# 1.11.0
+
+* Use a Docker env-file (docker.env, by default) to pass environment
+  variables to the debify container.
+
+* Make sure `--env` variables get passed along to the Conjur container when testing, too.
+
 # 1.10.3
 
 * Fix a bug causing duplicate files between normal and dev packages when a file name contained a space.

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.2
+FROM ruby:2.6-stretch
 
 ### DockerInDocker support is take from
 ### https://github.com/jpetazzo/dind/blob/master/Dockerfile . I
@@ -7,7 +7,9 @@ FROM ruby:2.2
 ### docker:dind image much more complicated and didn't lend itself to
 ### also running ruby.
 
-RUN apt-get update -qq && apt-get install -qqy \
+RUN apt-get update -qq && \
+    apt-get dist-upgrade -qqy && \
+    apt-get install -qqy \
     apt-transport-https \
     ca-certificates \
     curl \
@@ -38,5 +40,7 @@ RUN gem install -N conjur-debify-${VERSION}.gem
 
 ARG CONJUR_APPLIANCE_URL
 ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjur-master-v2.itp.conjur.net/api}
+ENV CONJUR_ACCOUNT ${CONJUR_ACCOUNT:-conjur}
+ENV CONJUR_VERSION ${CONJUR_VERSION:-4}
 
 ENTRYPOINT ["/debify/distrib/entrypoint.sh"]

data/Jenkinsfile

@@ -9,6 +9,10 @@ pipeline {
     skipDefaultCheckout()
   }
 
+  triggers {
+    cron(getDailyCronString())
+  }
+
   stages {
     stage('Checkout') {
       steps {
@@ -28,6 +32,23 @@ pipeline {
       }
     }
 
+    stage('Scan Docker image') {
+      parallel {
+        stage('Scan Docker image for fixable issues') {
+          steps{
+            script {
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
+            }
+            scanAndReport("debify:${VERSION}", "HIGH", false)
+          }
+        }
+        // No all report generated because it currently adds 10-12 minutes of
+        // build time just to write the trivy report. It'll be added once we've
+        // cleaned up and/or ignored enough issues to reduce the impact
+        // on build time.
+      }
+    }
+
     stage('Run feature tests') {
       steps {
         sh './test.sh'
@@ -38,10 +59,6 @@ pipeline {
     }
 
     stage('Push Docker image') {
-      when {
-        branch 'master'
-      }
-
       steps {
         sh './tag-image.sh'
         sh './push-image.sh'
@@ -53,7 +70,7 @@ pipeline {
       when {
         allOf {
           branch 'master'
-          expression {
+          /* expression {
             boolean publish = false
 
             try {
@@ -66,7 +83,7 @@ pipeline {
             }
 
             return publish
-          }
+          }*/
         }
       }
 

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2016 Kevin Gilpin
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 

data/README.md

@@ -293,8 +293,6 @@ root@7d4217655332:/src/example# getent hosts mydb
 
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/debify/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+For instructions on how to get started and 
+descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

data/VERSION

@@ -1 +1 @@
-1.10.3
+1.11.5

data/debify.gemspec

@@ -19,19 +19,19 @@ Gem::Specification.new do |spec|
   
   spec.add_dependency "gli"
   spec.add_dependency "docker-api", "~> 1.33"
-  spec.add_dependency "conjur-cli" , "~> 5"
-  spec.add_dependency "conjur-api", "~> 4"
+  spec.add_dependency "conjur-cli" , "~> 6"
+  spec.add_dependency "conjur-api", "~> 5"
 
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "fakefs", "~> 0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 12.3.3"
   
   # Pin to cucumbe v2. cucumber v3 changes (breaks) the behavior of
   # unmatched capture groups with \(d+). In v3, the value of such a
   # group is 0 instead of nil, which breaks aruba's "I successfully
   # run...." steps.
   spec.add_development_dependency "cucumber", '~> 2'
-  spec.add_development_dependency "aruba"
+  spec.add_development_dependency "aruba", "~> 0.14"
   spec.add_development_dependency 'rspec', '~> 3'
   spec.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 end

data/image-tags

@@ -0,0 +1,23 @@
+#!/bin/bash -e
+
+: ${BRANCH_NAME:=$(git symbolic-ref --short HEAD)}
+
+show_master_tags() {
+  IFS=. read MAJOR MINOR PATCH <VERSION
+  TAG="$MAJOR.$MINOR.$PATCH"
+  echo "latest $TAG $MAJOR.$MINOR"
+}
+
+show_branch_tags() {
+  # tail and tr, to remove the grottiness from the detect-version
+  # output
+  local version="$(DEBIFY_IMAGE=debify:$(<VERSION) ./docker-debify detect-version | tail -1 | tr -d '\r')"
+  
+  echo "$BRANCH_NAME $version"
+}
+
+if [[ "$BRANCH_NAME" == "master" ]]; then
+  show_master_tags
+else
+  show_branch_tags
+fi

data/lib/conjur/debify.rb

@@ -478,9 +478,9 @@ RUN touch /etc/service/conjur/down
         'Env' => [
           "CONJUR_AUTHN_LOGIN=admin",
           "CONJUR_ENV=appliance",
-          "CONJUR_AUTHN_API_KEY=secret",
-          "CONJUR_ADMIN_PASSWORD=secret",
-        ],
+          "CONJUR_AUTHN_API_KEY=SEcret12!!!!",
+          "CONJUR_ADMIN_PASSWORD=SEcret12!!!!",
+        ] + global_options[:env],
         'HostConfig' => {
           'Binds' => [
             [ dir, "/src/#{project_name}" ].join(':')
@@ -628,8 +628,8 @@ command "sandbox" do |c|
         'Env' => [
           "CONJUR_AUTHN_LOGIN=admin",
           "CONJUR_ENV=appliance",
-          "CONJUR_AUTHN_API_KEY=secret",
-          "CONJUR_ADMIN_PASSWORD=secret",
+          "CONJUR_AUTHN_API_KEY=SEcret12!!!!",
+          "CONJUR_ADMIN_PASSWORD=SEcret12!!!!",
         ] + global_options[:env]
       }
 

data/lib/conjur/debify/action/publish.rb

@@ -71,10 +71,10 @@ module Conjur::Debify
         Conjur::Config.apply
         conjur = Conjur::Authn.connect nil, noask: true
 
-        username_var = 'ci/artifactory/users/jenkins/username'
-        password_var = 'ci/artifactory/users/jenkins/password'
-
-        [conjur.variable(username_var).value, conjur.variable(password_var).value]
+        account = Conjur.configuration.account
+        username_var = [account, "variable", "ci/artifactory/users/jenkins/username"].join(':')
+        password_var = [account, "variable", 'ci/artifactory/users/jenkins/password'].join(':')
+        [conjur.resource(username_var).value, conjur.resource(password_var).value]
       end
 
       def publish(options)

data/lib/conjur/fpm/Dockerfile

@@ -1,27 +1,23 @@
 # Build from the same version of ubuntu as phusion/baseimage
-FROM ubuntu:14.04
+FROM cyberark/phusion-ruby-fips:0.11-latest
 
 RUN apt-get update -y && \
-    apt-get install -y software-properties-common && \
-    apt-add-repository -y ppa:brightbox/ruby-ng && \
-    apt-get update -y && \
-    apt-get install -y build-essential git libpq5 libpq-dev ruby2.2 ruby2.2-dev libffi-dev
+    apt-get dist-upgrade -y && \
+    apt-get install -y build-essential \
+                       git \
+                       libffi-dev 
 
-
-# Configure bundler and gem the way the ruby:2.2 Dockerfile does, as of 
-# https://github.com/docker-library/ruby/commit/c88f3a67da720bfa9fb1717960d90fd5db11c757
-ENV BUNDLER_VERSION 1.11.2
-
-RUN gem install --no-rdoc --no-ri bundler:$BUNDLER_VERSION ruby-xz:0.2.3 fpm
+RUN gem install --no-document bundler:1.17.3 \
+                              fpm
 
 ENV GEM_HOME /usr/local/bundle
 ENV BUNDLE_PATH="$GEM_HOME" \
-	BUNDLE_BIN="$GEM_HOME/bin" \
-	BUNDLE_SILENCE_ROOT_WARNING=1 \
-	BUNDLE_APP_CONFIG="$GEM_HOME"
+    BUNDLE_BIN="$GEM_HOME/bin" \
+    BUNDLE_SILENCE_ROOT_WARNING=1 \
+    BUNDLE_APP_CONFIG="$GEM_HOME"
 ENV PATH $BUNDLE_BIN:$PATH
-RUN mkdir -p "$GEM_HOME" "$BUNDLE_BIN" \
-	&& chmod 777 "$GEM_HOME" "$BUNDLE_BIN"
+RUN mkdir -p "$GEM_HOME" "$BUNDLE_BIN" && \
+    chmod 777 "$GEM_HOME" "$BUNDLE_BIN"
 
 RUN mkdir /src
 
@@ -29,4 +25,3 @@ ENTRYPOINT [ "/package.sh" ]
 
 COPY debify_utils.sh /
 COPY package.sh      /
-

data/push-image.sh

@@ -1,9 +1,6 @@
 #!/bin/bash -ex
 
-IFS=. read MAJOR MINOR PATCH <VERSION
-
-TAGS="latest $(docker images --filter reference="registry.tld/conjurinc/debify:$MAJOR.$MINOR*" --format '{{.Tag}}')"
-for t in $TAGS; do
+for t in $(./image-tags); do
   docker push registry.tld/conjurinc/debify:$t
 done
 

data/tag-image.sh

@@ -1,8 +1,6 @@
 #!/bin/bash -ex
 
-IFS=. read MAJOR MINOR PATCH <VERSION
-TAG=$MAJOR.$MINOR.$PATCH
-
-for t in latest $TAG $MAJOR.$MINOR; do
+TAG=$(< VERSION)
+for t in $(./image-tags); do
   docker tag debify:$TAG registry.tld/conjurinc/debify:$t
 done

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-debify
 version: !ruby/object:Gem::Version
-  version: 1.10.3
+  version: 1.11.5
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-22 00:00:00.000000000 Z
+date: 2020-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -44,28 +44,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5'
+        version: '6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5'
+        version: '6'
 - !ruby/object:Gem::Dependency
   name: conjur-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
@@ -126,16 +126,16 @@ dependencies:
   name: aruba
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.14'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -177,6 +177,7 @@ files:
 - ".project"
 - ".rvmrc"
 - CHANGELOG.md
+- CONTRIBUTING.md
 - Dockerfile
 - Gemfile
 - Jenkinsfile
@@ -209,6 +210,7 @@ files:
 - features/support/hooks.rb
 - features/support/world.rb
 - features/test.feature
+- image-tags
 - lib/conjur/debify.rb
 - lib/conjur/debify/Dockerfile.fpm
 - lib/conjur/debify/action/publish.rb
@@ -248,8 +250,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Utility commands to build and package Conjur services as Debian packages