conjur-debify 1.11.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa6af330a692efe6fc340c88506e232d9118e2b3b90303d025a851b103ef58f9
-  data.tar.gz: c160e06f5a00c751c1a50f281b44f38925b9c4f03620e8f0c5203105c55af527
+  metadata.gz: 6f76a5ea0e2c4fc01e0666594176690174cf1894f478570118056908c03c5e81
+  data.tar.gz: ebdb065547d044394079979326f759118e264a640a5feb41341fdba6386de661
 SHA512:
-  metadata.gz: a0672e9057d8ac3acbce9387dccd3523c3ce3db9446a7c88fa61518d667e8cead9acf4c9af74bfb81ff89a4799d52545a7c318a30b5186e626111d9e07105076
-  data.tar.gz: 29df6653100104e47112ffdfa98b0d40133cbd8b34ab5b3cefcf7ff8aa014e4f302565c29f9793cd9add2d36e77fd95ad2ecb6925fe6ad0bcda3f52fc9f68c2e
+  metadata.gz: ed14d2fecc7c4229f8c3c59d289acd39b7defd6c046b5417d332d7adfe6b921cdc5dc16b81f95825b07e9d595f92ecc7924508fc0529f6ccce00bd182e0d8f65
+  data.tar.gz: 9c8aaaa932d2971d549a2db859c2e47c16f26890fc25ed6491c5cd854fb4d363af289312947e5f9deb950d55b044a6bc32158472445c391241bd19604d7a5725

data/.gitignore

@@ -16,5 +16,6 @@ features/reports
 results.html
 mkmf.log
 *.deb
+*.rpm
 *.gem
 docker-debify

data/CHANGELOG.md

@@ -1,3 +1,41 @@
+## [Unreleased]
+
+# 2.0.0
+### Changed
+- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this 
+  flag is not given, the default value is `deb`.
+  [conjurinc/debify#56](https://github.com/conjurinc/debify/issues/56)
+
+# 1.12.0
+
+### Added
+- Debify now packages and publishes an RPM file, alongside a debian file.
+  [conjurinc/debify#49](https://github.com/conjurinc/debify/pull/49)
+- `debify package` now offers an `--additional-files` flag to provide a comma
+  separated list of files to include in the FPM build that are not provided
+  automatically by `git ls-files`.
+  [conjurinc/debify#52](https://github.com/conjurinc/debify/pull/52)
+
+### Fixed
+- Bug causing `all` files in the git repo to be added to the debian file.
+  [conjurinc/debify#50](https://github.com/conjurinc/debify/pull/50)
+
+# 1.11.5
+
+### Changed
+* Updated FPM and Test images to use a base image with FIPS-compliant Ruby and OpenSSL.
+
+# 1.11.4
+
+* Updated sandbox password to match Conjur password complexity requirements.
+
+# 1.11.3
+
+* Reverted to `bundler` v1. `bundler` v2 was creating incompatible paths for downstream
+  packages.
+* Made FPM Ruby version use `ruby2.5` instead of `ruby2.6` since that is what
+  our appliance image uses otherwise the gems bundled in the packages are unusable.
+
 # 1.11.2
 
 * Upgraded to use Ruby 2.6 and latest version of FPM
@@ -10,6 +48,7 @@
   version available for Ubuntu 18.04.
 
 # 1.11.1
+
 * Upgrade `docker-debify` to use Ruby 2.6.
 
 # 1.11.0

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Dockerfile

@@ -1,30 +1,18 @@
 FROM ruby:2.6-stretch
 
-### DockerInDocker support is take from
-### https://github.com/jpetazzo/dind/blob/master/Dockerfile . I
-### elected to base this image on ruby, then pull in the (slightly
-### outdated) support for DockerInDocker. Creation of the official
-### docker:dind image much more complicated and didn't lend itself to
-### also running ruby.
-
-RUN apt-get update -qq && apt-get install -qqy \
+RUN apt-get update -qq && \
+    apt-get dist-upgrade -qqy && \
+    apt-get install -qqy \
     apt-transport-https \
     ca-certificates \
-    curl \
-    lxc \
-    iptables
+    curl
     
-# Install Docker from Docker Inc. repositories.
-RUN curl -sSL https://get.docker.com/ | sh
-
-# Install the magic wrapper.
-RUN curl -sSL -o /usr/local/bin/wrapdocker https://raw.githubusercontent.com/jpetazzo/dind/master/wrapdocker
-RUN chmod +x /usr/local/bin/wrapdocker
-
-# Define additional metadata for our image.
-VOLUME /var/lib/docker
-
-### End of DockerInDocker support
+# Install Docker client tools
+ENV DOCKERVERSION=20.10.0
+RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
+  && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
+                 -C /usr/local/bin docker/docker \
+  && rm docker-${DOCKERVERSION}.tgz
 
 RUN mkdir -p /debify
 WORKDIR /debify

data/Jenkinsfile

@@ -32,6 +32,23 @@ pipeline {
       }
     }
 
+    stage('Scan Docker image') {
+      parallel {
+        stage('Scan Docker image for fixable issues') {
+          steps{
+            script {
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
+            }
+            scanAndReport("debify:${VERSION}", "HIGH", false)
+          }
+        }
+        // No all report generated because it currently adds 10-12 minutes of
+        // build time just to write the trivy report. It'll be added once we've
+        // cleaned up and/or ignored enough issues to reduce the impact
+        // on build time.
+      }
+    }
+
     stage('Run feature tests') {
       steps {
         sh './test.sh'
@@ -49,7 +66,6 @@ pipeline {
     }
 
     stage('Publish to RubyGems') {
-      agent { label 'releaser-v2' }
       when {
         allOf {
           branch 'master'

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2016 Kevin Gilpin
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 

data/README.md

@@ -1,5 +1,10 @@
 # Debify
 
+Debify is a tool used for building and testing DAP appliance packages.
+It is mainly used to package and publish debian packages that are consumed into the
+appliance image in its build stage. However, it also packages and publishes an
+RPM package whenever it does so for a debian.
+
 ## Installation
 
 There are two different ways of installing debify: as a gem, or as a Docker image.
@@ -293,8 +298,6 @@ root@7d4217655332:/src/example# getent hosts mydb
 
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/debify/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+For instructions on how to get started and 
+descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

data/Rakefile

@@ -33,7 +33,8 @@ if cucumber?
   Cucumber::Rake::Task.new(:features) do |t|
     opts = "features --format junit -o #{CUKE_RESULTS} --format pretty -x"
     opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
-    t.cucumber_opts =  opts
+    opts += " --tags ~@skip"
+    t.cucumber_opts = opts
     t.fork = false
   end
 

data/VERSION

@@ -1 +1 @@
-1.11.2
+2.0.0

data/ci/test.sh

@@ -2,11 +2,6 @@
 
 bundle
 
-# Some tests need to be logged in to the registry, to pull a base
-# image if it's not already available. Have entrypoint.sh do something
-# simple, and log in as a side effect.
-/debify/distrib/entrypoint.sh detect-version
-
 for target in spec cucumber; do
   bundle exec rake $target
 done

data/debify.gemspec

@@ -6,8 +6,8 @@ require 'conjur/debify/version'
 Gem::Specification.new do |spec|
   spec.name          = "conjur-debify"
   spec.version       = Conjur::Debify::VERSION
-  spec.authors       = ["Kevin Gilpin"]
-  spec.email         = ["kgilpin@conjur.net"]
+  spec.authors       = ["CyberArk Software, Inc."]
+  spec.email         = ["conj_maintainers@cyberark.com"]
   spec.summary       = %q{Utility commands to build and package Conjur services as Debian packages}
   spec.homepage      = "https://github.com/conjurinc/debify"
   spec.license       = "MIT"
@@ -24,14 +24,14 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "fakefs", "~> 0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 12.3.3"
   
   # Pin to cucumbe v2. cucumber v3 changes (breaks) the behavior of
   # unmatched capture groups with \(d+). In v3, the value of such a
   # group is 0 instead of nil, which breaks aruba's "I successfully
   # run...." steps.
   spec.add_development_dependency "cucumber", '~> 2'
-  spec.add_development_dependency "aruba"
+  spec.add_development_dependency "aruba", "~> 0.14"
   spec.add_development_dependency 'rspec', '~> 3'
   spec.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 end

data/distrib/entrypoint.sh

@@ -6,17 +6,14 @@ set +x
 
 creds=( $(ruby /debify/distrib/conjur_creds.rb) )
 
-# If there are creds, use them to log in to the registry. Then, run
-# the magic DockerInDocker wrapper script so debify can interact with
-# the Docker daemon.
+# If there are creds, use them to log in to the registry.
 #
-# If there are no creds, just run debify itself. Any commands that do
+# If there are no creds, any commands that do
 # Docker stuff will fail, but the non-Docker commands (e.g. the config
 # subcommands) will work fine.
 if [[ ${#creds[*]} > 0 ]]; then
   echo -n "${creds[1]}" | docker login registry.tld -u ${creds[0]} --password-stdin >/dev/null 2>&1
-  exec wrapdocker debify "$@"
-else
-  exec debify "$@"
 fi
 
+exec debify "$@"
+

data/features/package.feature

@@ -1,17 +1,23 @@
+@skip
 @announce-output
 Feature: Packaging
 
   Background:
-    Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1 example -- --post-install /distrib/postinstall.sh`
+    # We use version 0.0.1-suffix to verify that RPM converts dashes to underscores
+    # in the version as we expect
+    Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1-suffix example -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be packaged successfully
-    Then the stdout should contain "conjur-example_0.0.1_amd64.deb"
-    And the stdout should contain "conjur-example-dev_0.0.1_amd64.deb"
+    Then the stdout should contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-dev_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+    And the stdout should contain "conjur-example-dev-0.0.1_suffix-1.x86_64.rpm"
 
   Scenario: 'clean' command will delete non-Git-managed files
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify clean -d ../../example --force`
     And I successfully run `find ../../example`
-    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1_amd64.deb"
-    
+    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout from "find ../../example" should not contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+
   Scenario: 'example' project can be published
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1 -d ../../example 4.9 example`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 4.9 example`

data/features/sandbox.feature

@@ -2,6 +2,10 @@
 Feature: Running a sandbox
   Background:
     Given I successfully run `docker pull registry.tld/conjur-appliance-cuke-master:4.9-stable`
+    # The extra containers will use the `alpine` image, so we need to pull it first on the
+    # host to use the authenticated DockerHub connection. This avoids hitting DockerHub
+    # rate limits.
+    And I successfully run `docker pull alpine`
 
   Scenario: sandbox for 'example' project be started
     Given I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull"

data/features/step_definitions/debify_steps.rb

@@ -12,11 +12,10 @@ When /^I start a container named "(.*?)"(?: on network "(.*?)")*$/ do |name, net
     networks << network
   end
   
-  alpine = Docker::Image.create('fromImage' => 'alpine')
   options = {
     'name' => name,
     'Cmd' => [ "sh", "-c", "while true; do sleep 1; done" ],
-    'Image' => alpine.id
+    'Image' => 'alpine'
   }
   options['HostConfig'] = { 'NetworkMode' => net_name } if net_name
     

data/lib/conjur/debify.rb

@@ -4,6 +4,7 @@ require 'fileutils'
 require 'gli'
 require 'json'
 require 'base64'
+require 'tmpdir'
 
 require 'conjur/debify/utils'
 
@@ -12,6 +13,8 @@ require 'active_support/core_ext'
 
 include GLI::App
 
+DEFAULT_FILE_TYPE = "deb"
+
 config_file '.debifyrc'
 
 desc 'Set an environment variable (e.g. TERM=xterm) when starting a container'
@@ -49,7 +52,7 @@ module DebugMixin
     if a.length == 2 && a[0].is_a?(Symbol)
       debug a.last
     else
-       a.each do |line|
+      a.each do |line|
         begin
           line = JSON.parse(line)
           line.keys.each do |k|
@@ -79,7 +82,7 @@ def detect_version
     base_version = File.read("VERSION").strip
     commits_since = `git log #{base_commit}..HEAD --pretty='%h'`.split("\n").size
     hash = `git rev-parse --short HEAD`.strip
-    [ [ base_version, commits_since ].join('.'), hash ].join("-")
+    [[base_version, commits_since].join('.'), hash].join("-")
   else
     `git describe --long --tags --abbrev=7 --match 'v*.*.*' | sed -e 's/^v//'`.strip.tap do |version|
       raise "No Git version (tag) for project" if version.empty?
@@ -124,15 +127,15 @@ DESC
 arg_name "project-name -- <fpm-arguments>"
 command "clean" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, "dir" ]
+  c.flag [:d, "dir"]
 
   c.desc "Ignore (don't delete) a file or directory"
-  c.flag [ :i, :ignore ]
+  c.flag [:i, :ignore]
 
   c.desc "Force file deletion even if if this doesn't look like a Jenkins environment"
-  c.switch [ :force ]
+  c.switch [:force]
 
-  c.action do |global_options,cmd_options,args|
+  c.action do |global_options, cmd_options, args|
     def looks_like_jenkins?
       require 'etc'
       Etc.getlogin == 'jenkins' && ENV['BUILD_NUMBER']
@@ -143,10 +146,10 @@ command "clean" do |c|
     if !perform_deletion
       $stderr.puts "No --force, and this doesn't look like Jenkins. I won't actually delete anything"
     end
-    @ignore_list = Array(cmd_options[:ignore]) + [ '.', '..', '.git' ]
+    @ignore_list = Array(cmd_options[:ignore]) + ['.', '..', '.git']
 
     def ignore_file? f
-      @ignore_list.find{|ignore| f.index(ignore) == 0}
+      @ignore_list.find { |ignore| f.index(ignore) == 0 }
     end
 
     dir = cmd_options[:dir] || '.'
@@ -159,16 +162,16 @@ command "clean" do |c|
       end
       find_files.compact!
       delete_files = (find_files - git_files)
-      delete_files.delete_if{|file|
+      delete_files.delete_if { |file|
         File.directory?(file) || ignore_file?(file)
       }
       if perform_deletion
         image = Docker::Image.create 'fromImage' => "alpine:3.3"
         options = {
-          'Cmd'   => [ "sh", "-c", "while true; do sleep 1; done" ],
+          'Cmd' => ["sh", "-c", "while true; do sleep 1; done"],
           'Image' => image.id,
           'Binds' => [
-            [ dir, "/src" ].join(':'),
+            [dir, "/src"].join(':'),
           ]
         }
         options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
@@ -179,7 +182,7 @@ command "clean" do |c|
             puts file
 
             file = "/src/#{file}"
-            cmd = [ "rm", "-f", file ]
+            cmd = ["rm", "-f", file]
 
             stdout, stderr, status = container.exec cmd, &DebugMixin::DOCKER
             $stderr.puts "Failed to delete #{file}" unless status == 0
@@ -196,6 +199,17 @@ command "clean" do |c|
   end
 end
 
+def copy_packages_from_container(container, package_name, dev_package_name)
+  Conjur::Debify::Utils.copy_from_container container, "/src/#{package_name}"
+  puts "#{package_name}"
+  begin
+    Conjur::Debify::Utils.copy_from_container container, "/dev-pkg/#{dev_package_name}"
+    puts "#{dev_package_name}"
+  rescue Docker::Error::NotFoundError
+    warn "#{dev_package_name} not found. The package might not have any development dependencies."
+  end
+end
+
 desc "Build a debian package for a project"
 long_desc <<DESC
 The package is built using fpm (https://github.com/jordansissel/fpm).
@@ -220,15 +234,21 @@ DESC
 arg_name "project-name -- <fpm-arguments>"
 command "package" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, "dir" ]
+  c.flag [:d, "dir"]
+
+  c.desc "Set the output file type of the fpm command (e.g rpm)"
+  c.flag [:o, :output]
 
   c.desc "Specify the deb version; by default, it's read from the VERSION file"
-  c.flag [ :v, :version ]
+  c.flag [:v, :version]
 
   c.desc "Specify a custom Dockerfile.fpm"
-  c.flag [ :dockerfile]
+  c.flag [:dockerfile]
+
+  c.desc "Specify files to add to the FPM image that are not included from the git repo"
+  c.flag [:'additional-files']
 
-  c.action do |global_options,cmd_options,args|
+  c.action do |global_options, cmd_options, args|
     raise "project-name is required" unless project_name = args.shift
 
     fpm_args = []
@@ -241,30 +261,52 @@ command "package" do |c|
     dir = cmd_options[:dir] || '.'
     pwd = File.dirname(__FILE__)
 
+    additional_files = []
+    if cmd_options[:'additional-files']
+      additional_files = cmd_options[:'additional-files'].split(',').map(&:strip)
+    end
+
     fpm_image = Docker::Image.build_from_dir File.expand_path('fpm', File.dirname(__FILE__)), tag: "debify-fpm", &DebugMixin::DOCKER
     DebugMixin.debug_write "Built base fpm image '#{fpm_image.id}'\n"
     dir = File.expand_path(dir)
+
     Dir.chdir dir do
       version = cmd_options[:version] || detect_version
-      dockerfile_path = cmd_options[:dockerfile] || File.expand_path("debify/Dockerfile.fpm", pwd)
-      dockerfile = File.read(dockerfile_path)
 
-      output = StringIO.new
-      Gem::Package::TarWriter.new(output) do |tar|
-        git_files.each do |fname|
-          stat = File.stat(fname)
-          tar.add_file(fname, stat.mode) { |tar_file| tar_file.write(File.read(fname)) }
-        end
-        tar.add_file('Dockerfile', 0640) { |tar_file| tar_file.write dockerfile.gsub("@@image@@", fpm_image.id) }
+      # move git files and Dockerfile to temp dir to make deb from
+      # we do this to avoid adding "non-git" files
+      # that aren't mentioned in the dockerignore to the deb
+      temp_dir = Dir.mktmpdir
+      DebugMixin.debug_write "Copying git files to tmp dir '#{temp_dir}'\n"
+      (git_files + additional_files).each do |fname|
+        original_file = File.join(dir, fname)
+        destination_path = File.join(temp_dir, fname)
+        FileUtils.mkdir_p(File.dirname(destination_path))
+        FileUtils.cp(original_file, destination_path)
       end
-      output.rewind
 
-      image = Docker::Image.build_from_tar output, &DebugMixin::DOCKER
+      # rename specified dockerfile to 'Dockerfile' during copy, incase name is different
+      dockerfile_path = cmd_options[:dockerfile] || File.expand_path("debify/Dockerfile.fpm", pwd)
+      temp_dockerfile = File.join(temp_dir, "Dockerfile")
+
+      # change image variable in specified Dockerfile
+      dockerfile = File.read(dockerfile_path)
+      replace_image = dockerfile.gsub("@@image@@", fpm_image.id)
+      File.open(temp_dockerfile, "w") { |file| file.puts replace_image }
+
+      # build image from project being debified dir
+      image = Docker::Image.build_from_dir temp_dir, &DebugMixin::DOCKER
 
       DebugMixin.debug_write "Built fpm image '#{image.id}' for project #{project_name}\n"
 
+      container_cmd_options = [project_name, version]
+
+      # Set the output file type if present
+      file_type = cmd_options[:output] || DEFAULT_FILE_TYPE
+      container_cmd_options << "--file-type=#{file_type}"
+
       options = {
-        'Cmd'   => [ project_name, version ] + fpm_args,
+        'Cmd' => container_cmd_options + fpm_args,
         'Image' => image.id
       }
       options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
@@ -276,15 +318,22 @@ command "package" do |c|
         status = container.wait
         raise "Failed to package #{project_name}" unless status['StatusCode'] == 0
 
-        pkg = "conjur-#{project_name}_#{version}_amd64.deb"
-        dev_pkg = "conjur-#{project_name}-dev_#{version}_amd64.deb"
-        Conjur::Debify::Utils.copy_from_container container, "/src/#{pkg}"
-        puts "#{pkg}"
-        begin
-          Conjur::Debify::Utils.copy_from_container container, "/dev-pkg/#{dev_pkg}"
-          puts "#{dev_pkg}"
-        rescue Docker::Error::NotFoundError
-          warn "#{dev_pkg} not found. The package might not have any development dependencies."
+        if file_type == "deb"
+          # Copy deb packages
+          copy_packages_from_container(
+            container,
+            "conjur-#{project_name}_#{version}_amd64.deb",
+            "conjur-#{project_name}-dev_#{version}_amd64.deb"
+          )
+        elsif file_type == "rpm"
+          # Copy rpm packages
+          # The rpm builder replaces dashes with underscores in the version
+          rpm_version = version.tr('-', '_')
+          copy_packages_from_container(
+            container,
+            "conjur-#{project_name}-#{rpm_version}-1.x86_64.rpm",
+            "conjur-#{project_name}-dev-#{rpm_version}-1.x86_64.rpm"
+          )
         end
       ensure
         container.delete(force: true)
@@ -308,10 +357,10 @@ end
 
 def network_options(cmd)
   cmd.desc "Specify link for test container"
-  cmd.flag [ :l, :link ], :multiple => true
-  
+  cmd.flag [:l, :link], :multiple => true
+
   cmd.desc 'Attach to the specified network'
-  cmd.flag [ :n, :net ]
+  cmd.flag [:n, :net]
 end
 
 def short_id(id)
@@ -327,7 +376,7 @@ end
 # instead. (Docker doesn't add full container ids as network aliases,
 # only short ids).
 def shorten_source_id(link)
-  src,dest = link.split(':')
+  src, dest = link.split(':')
   src && dest ? "#{short_id(src)}:#{dest}" : link
 end
 
@@ -377,32 +426,32 @@ DESC
 arg_name "project-name test-script"
 command "test" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, :dir ]
+  c.flag [:d, :dir]
 
   c.desc "Keep the Conjur appliance container after the command finishes"
   c.default_value false
-  c.switch [ :k, :keep ]
+  c.switch [:k, :keep]
 
   c.desc "Image name"
   c.default_value "registry.tld/conjur-appliance-cuke-master"
-  c.flag [ :i, :image ]
+  c.flag [:i, :image]
 
   c.desc "Image tag, e.g. 4.5-stable, 4.6-stable"
-  c.flag [ :t, "image-tag"]
+  c.flag [:t, "image-tag"]
 
   c.desc "'docker pull' the Conjur container image"
   c.default_value true
-  c.switch [ :pull ]
+  c.switch [:pull]
 
   c.desc "Specify the deb version; by default, it's read from the VERSION file"
-  c.flag [ :v, :version ]
+  c.flag [:v, :version]
 
   c.desc "Specify volume for test container"
-  c.flag [ :'volumes-from' ], :multiple => true
+  c.flag [:'volumes-from'], :multiple => true
 
   network_options(c)
-  
-  c.action do |global_options,cmd_options,args|
+
+  c.action do |global_options, cmd_options, args|
     raise "project-name is required" unless project_name = args.shift
     raise "test-script is required" unless test_script = args.shift
     raise "Received extra command-line arguments" if args.shift
@@ -415,7 +464,7 @@ command "test" do |c|
 
     Dir.chdir dir do
       image_tag = cmd_options["image-tag"] or raise "image-tag is required"
-      appliance_image_id = [ cmd_options[:image], image_tag ].join(":")
+      appliance_image_id = [cmd_options[:image], image_tag].join(":")
       version = cmd_options[:version] || detect_version
       package_name = "conjur-#{project_name}_#{version}_amd64.deb"
       dev_package_name = "conjur-#{project_name}-dev_#{version}_amd64.deb"
@@ -423,7 +472,7 @@ command "test" do |c|
       raise "#{test_script} does not exist or is not a file" unless File.file?(test_script)
 
       begin
-        tries ||=2
+        tries ||= 2
         Docker::Image.create 'fromImage' => appliance_image_id, &DebugMixin::DOCKER if cmd_options[:pull]
       rescue
         login_to_registry appliance_image_id
@@ -462,7 +511,7 @@ RUN touch /etc/service/conjur/down
       packages << dev_package_name if File.exist? dev_package_name
 
       begin
-        tries ||=2
+        tries ||= 2
         appliance_image = build_test_image(appliance_image_id, project_name, packages)
       rescue
         login_to_registry appliance_image_id
@@ -478,34 +527,34 @@ RUN touch /etc/service/conjur/down
         'Env' => [
           "CONJUR_AUTHN_LOGIN=admin",
           "CONJUR_ENV=appliance",
-          "CONJUR_AUTHN_API_KEY=secret",
-          "CONJUR_ADMIN_PASSWORD=secret",
+          "CONJUR_AUTHN_API_KEY=SEcret12!!!!",
+          "CONJUR_ADMIN_PASSWORD=SEcret12!!!!",
         ] + global_options[:env],
         'HostConfig' => {
           'Binds' => [
-            [ dir, "/src/#{project_name}" ].join(':')
+            [dir, "/src/#{project_name}"].join(':')
           ]
         }
       }
       host_config = options['HostConfig']
-      
+
       host_config['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
       host_config['VolumesFrom'] = cmd_options[:'volumes-from'] if cmd_options[:'volumes-from'] && !cmd_options[:'volumes-from'].empty?
 
       add_network_config(options, cmd_options)
-      
+
       if global_options[:'local-bundle']
         host_config['Binds']
-          .push([ vendor_dir, "/src/#{project_name}/vendor" ].join(':'))
-          .push([ dot_bundle_dir, "/src/#{project_name}/.bundle" ].join(':'))
+          .push([vendor_dir, "/src/#{project_name}/vendor"].join(':'))
+          .push([dot_bundle_dir, "/src/#{project_name}/.bundle"].join(':'))
       end
 
-      container = Docker::Container.create(options.tap {|o| DebugMixin.debug_write "creating container with options #{o.inspect}"})
+      container = Docker::Container.create(options.tap { |o| DebugMixin.debug_write "creating container with options #{o.inspect}" })
 
       begin
         DebugMixin.debug_write "Testing #{project_name} in container #{container.id}\n"
 
-        spawn("docker logs -f #{container.id}", [ :out, :err ] => $stderr).tap do |pid|
+        spawn("docker logs -f #{container.id}", [:out, :err] => $stderr).tap do |pid|
           Process.detach pid
         end
         container.start!
@@ -556,29 +605,29 @@ Once in the container, use "/opt/conjur/evoke/bin/dev-install" to install the de
 DESC
 command "sandbox" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, :dir ]
+  c.flag [:d, :dir]
 
   c.desc "Image name"
   c.default_value "registry.tld/conjur-appliance-cuke-master"
-  c.flag [ :i, :image ]
+  c.flag [:i, :image]
 
   c.desc "Image tag, e.g. 4.5-stable, 4.6-stable"
-  c.flag [ :t, "image-tag"]
+  c.flag [:t, "image-tag"]
 
   c.desc "Bind another source directory into the container. Use <src>:<dest>, where both are full paths."
-  c.flag [ :"bind" ], :multiple => true
+  c.flag [:"bind"], :multiple => true
 
   c.desc "'docker pull' the Conjur container image"
   c.default_value false
-  c.switch [ :pull ]
+  c.switch [:pull]
 
   network_options(c)
 
   c.desc "Specify volume for container"
-  c.flag [ :'volumes-from' ], :multiple => true
+  c.flag [:'volumes-from'], :multiple => true
 
   c.desc "Expose a port from the container to host. Use <host>:<container>."
-  c.flag [ :p, :port ], :multiple => true
+  c.flag [:p, :port], :multiple => true
 
   c.desc 'Run dev-install in /src/<project-name>'
   c.default_value false
@@ -589,9 +638,9 @@ command "sandbox" do |c|
   c.switch [:kill]
 
   c.desc 'A command to run in the sandbox'
-  c.flag [ :c, :command ]
-  
-  c.action do |global_options,cmd_options,args|
+  c.flag [:c, :command]
+
+  c.action do |global_options, cmd_options, args|
     raise "Received extra command-line arguments" if args.shift
 
     dir = cmd_options[:dir] || '.'
@@ -601,11 +650,11 @@ command "sandbox" do |c|
 
     Dir.chdir dir do
       image_tag = cmd_options["image-tag"] or raise "image-tag is required"
-      appliance_image_id = [ cmd_options[:image], image_tag ].join(":")
+      appliance_image_id = [cmd_options[:image], image_tag].join(":")
 
       appliance_image = if cmd_options[:pull]
         begin
-          tries ||=2
+          tries ||= 2
           Docker::Image.create 'fromImage' => appliance_image_id, &DebugMixin::DOCKER if cmd_options[:pull]
         rescue
           login_to_registry appliance_image_id
@@ -628,33 +677,33 @@ command "sandbox" do |c|
         'Env' => [
           "CONJUR_AUTHN_LOGIN=admin",
           "CONJUR_ENV=appliance",
-          "CONJUR_AUTHN_API_KEY=secret",
-          "CONJUR_ADMIN_PASSWORD=secret",
+          "CONJUR_AUTHN_API_KEY=SEcret12!!!!",
+          "CONJUR_ADMIN_PASSWORD=SEcret12!!!!",
         ] + global_options[:env]
       }
 
       options['HostConfig'] = host_config = {}
       host_config['Binds'] = [
-        [ File.expand_path(".ssh/id_rsa", ENV['HOME']), "/root/.ssh/id_rsa", 'ro' ].join(':'),
-        [ dir, "/src/#{project_name}" ].join(':'),
+        [File.expand_path(".ssh/id_rsa", ENV['HOME']), "/root/.ssh/id_rsa", 'ro'].join(':'),
+        [dir, "/src/#{project_name}"].join(':'),
       ] + Array(cmd_options[:bind])
 
       if global_options[:'local-bundle']
         host_config['Binds']
-          .push([ vendor_dir, "/src/#{project_name}/vendor" ].join(':'))
-          .push([ dot_bundle_dir, "/src/#{project_name}/.bundle" ].join(':'))
+          .push([vendor_dir, "/src/#{project_name}/vendor"].join(':'))
+          .push([dot_bundle_dir, "/src/#{project_name}/.bundle"].join(':'))
       end
 
       host_config['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
       host_config['VolumesFrom'] = cmd_options[:'volumes-from'] unless cmd_options[:'volumes-from'].empty?
-      
+
       add_network_config(options, cmd_options)
 
       unless cmd_options[:port].empty?
         port_bindings = Hash.new({})
         cmd_options[:port].each do |mapping|
           hport, cport = mapping.split(':')
-          port_bindings["#{cport}/tcp"] = [{ 'HostPort' => hport }]
+          port_bindings["#{cport}/tcp"] = [{'HostPort' => hport}]
         end
         host_config['PortBindings'] = port_bindings
       end
@@ -664,7 +713,7 @@ command "sandbox" do |c|
         previous.delete(:force => true) if previous
       end
 
-      container = Docker::Container.create(options.tap {|o| DebugMixin.debug_write "creating container with options #{o.inspect}"})
+      container = Docker::Container.create(options.tap { |o| DebugMixin.debug_write "creating container with options #{o.inspect}" })
       $stdout.puts container.id
       container.start!
 
@@ -700,23 +749,27 @@ DESC
 arg_name "distribution project-name"
 command "publish" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, :dir ]
+  c.flag [:d, :dir]
 
   c.desc "Specify the deb package version; by default, it's computed automatically"
-  c.flag [ :v, :version ]
+  c.flag [:v, :version]
 
   c.desc "Component to publish to, either 'stable' or the name of the git branch"
-  c.flag [ :c, :component ]
+  c.flag [:c, :component]
 
   c.desc "Artifactory URL to publish to"
   c.default_value "https://conjurinc.jfrog.io/conjurinc"
-  c.flag [ :u, :url]
+  c.flag [:u, :url]
 
   c.desc "Artifactory Debian repo to publish package to"
   c.default_value "debian-private"
-  c.flag [ :r, :repo]
+  c.flag [:r, :repo]
+
+  c.desc "Artifactory RPM repo to publish package to"
+  c.default_value "redhat-private"
+  c.flag ['rpm-repo']
 
-  c.action do |global_options,cmd_options,args|
+  c.action do |global_options, cmd_options, args|
     require 'conjur/debify/action/publish'
     raise "distribution is required" unless distribution = args.shift
     raise "project-name is required" unless project_name = args.shift
@@ -729,8 +782,8 @@ end
 desc "Auto-detect and print the repository version"
 command "detect-version" do |c|
   c.desc "Set the current working directory"
-  c.flag [ :d, :dir ]
-  c.action do |global_options,cmd_options,args|
+  c.flag [:d, :dir]
+  c.action do |global_options, cmd_options, args|
     raise "Received extra command-line arguments" if args.shift
 
     dir = cmd_options[:dir] || '.'
@@ -747,7 +800,7 @@ end
 desc 'Show the given configuration'
 arg_name 'configuration'
 command 'config' do |c|
-  c.action do |_,_,args|
+  c.action do |_, _, args|
     raise 'no configuration provided' unless config = args.shift
     raise "Received extra command-line arguments" if args.shift
 
@@ -758,7 +811,7 @@ command 'config' do |c|
 end
 
 
-pre do |global,command,options,args|
+pre do |global, command, options, args|
   # Pre logic here
   # Return true to proceed; false to abort and not call the
   # chosen command
@@ -767,7 +820,7 @@ pre do |global,command,options,args|
   true
 end
 
-post do |global,command,options,args|
+post do |global, command, options, args|
   # Post logic here
   # Use skips_post before a command to skip this
   # block on that command only

data/lib/conjur/debify/action/publish.rb

@@ -25,14 +25,12 @@ module Conjur::Debify
 
         Dir.chdir dir do
           version = cmd_options[:version] || detect_version
-          component = cmd_options[:component] || detect_component
-          package_name = "conjur-#{project_name}_#{version}_amd64.deb"
 
           publish_image = create_image
           DebugMixin.debug_write "Built base publish image '#{publish_image.id}'\n"
 
           art_url = cmd_options[:url]
-          art_repo = cmd_options[:repo]
+          deb_art_repo = cmd_options[:repo]
 
           art_user = ENV['ARTIFACTORY_USER']
           art_password = ENV['ARTIFACTORY_PASSWORD']
@@ -40,23 +38,35 @@ module Conjur::Debify
             art_user, art_password = fetch_art_creds
           end
 
-          options = {
-            'Image' => publish_image.id,
-            'Cmd' => [
-              "jfrog", "rt", "upload",
-              "--url", art_url,
-              "--user", art_user,
-              "--password", art_password,
-              "--deb", "#{distribution}/#{component}/amd64",
-              package_name, "#{art_repo}/"
-            ],
-            'Binds' => [
-              [ dir, "/src" ].join(':')
-            ]
-          }
-          options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
-
-          publish(options)
+          # Publish deb package
+          component = cmd_options[:component] || detect_component
+          deb_info = "#{distribution}/#{component}/amd64"
+          package_name = "conjur-#{project_name}_#{version}_amd64.deb"
+          publish_package(
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
+            art_repo: deb_art_repo,
+            package_name: package_name,
+            dir: dir,
+            deb_info: deb_info
+          )
+
+          # Publish RPM package
+          # The rpm builder replaces dashes with underscores in the version
+          rpm_version = version.tr('-', '_')
+          package_name = "conjur-#{project_name}-#{rpm_version}-1.x86_64.rpm"
+          rpm_art_repo = cmd_options['rpm-repo']
+          publish_package(
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
+            art_repo: rpm_art_repo,
+            package_name: package_name,
+            dir: dir
+          )
         end
       end
 
@@ -77,6 +87,39 @@ module Conjur::Debify
         [conjur.resource(username_var).value, conjur.resource(password_var).value]
       end
 
+      def publish_package(
+        publish_image:,
+        art_url:,
+        art_user:,
+        art_password:,
+        art_repo:,
+        package_name:,
+        dir:,
+        deb_info: nil
+      )
+
+        cmd_args = [
+          "jfrog", "rt", "upload",
+          "--url", art_url,
+          "--user", art_user,
+          "--password", art_password,
+        ]
+
+        cmd_args += ["--deb", deb_info] if deb_info
+        cmd_args += [package_name, "#{art_repo}/"]
+
+        options = {
+          'Image' => publish_image.id,
+          'Cmd' => cmd_args,
+          'Binds' => [
+            [ dir, "/src" ].join(':')
+          ]
+        }
+        options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
+
+        publish(options)
+      end
+
       def publish(options)
         container = Docker::Container.create(options)
         begin

data/lib/conjur/fpm/Dockerfile

@@ -1,22 +1,24 @@
 # Build from the same version of ubuntu as phusion/baseimage
-FROM ubuntu:18.04
+FROM cyberark/phusion-ruby-fips:0.11-latest
 
 RUN apt-get update -y && \
-    apt-get install -y software-properties-common && \
-    apt-add-repository -y ppa:brightbox/ruby-ng && \
-    apt-get update -y && \
-    apt-get install -y build-essential git libpq5 libpq-dev ruby2.6 ruby2.6-dev libffi-dev
+    apt-get dist-upgrade -y && \
+    apt-get install -y build-essential \
+                       git \
+                       libffi-dev \
+                       rpm
 
-RUN gem install --no-document bundler:2.0.2 fpm
+RUN gem install --no-document bundler:1.17.3 \
+                              fpm
 
 ENV GEM_HOME /usr/local/bundle
 ENV BUNDLE_PATH="$GEM_HOME" \
-	BUNDLE_BIN="$GEM_HOME/bin" \
-	BUNDLE_SILENCE_ROOT_WARNING=1 \
-	BUNDLE_APP_CONFIG="$GEM_HOME"
+    BUNDLE_BIN="$GEM_HOME/bin" \
+    BUNDLE_SILENCE_ROOT_WARNING=1 \
+    BUNDLE_APP_CONFIG="$GEM_HOME"
 ENV PATH $BUNDLE_BIN:$PATH
-RUN mkdir -p "$GEM_HOME" "$BUNDLE_BIN" \
-	&& chmod 777 "$GEM_HOME" "$BUNDLE_BIN"
+RUN mkdir -p "$GEM_HOME" "$BUNDLE_BIN" && \
+    chmod 777 "$GEM_HOME" "$BUNDLE_BIN"
 
 RUN mkdir /src
 

data/lib/conjur/fpm/package.sh

@@ -8,19 +8,34 @@ version=$1
 shift
 
 if [ -z "$project_name" ]; then
-	echo Project name argument is required
-	exit 1
+  echo Project name argument is required
+  exit 1
 fi
 if [ -z "$version" ]; then
-	echo Version argument is required
-	exit 1
+  echo Version argument is required
+  exit 1
 fi
 
-package_name=conjur-"$project_name"_"$version"_amd64.deb
-dev_package_name=conjur-"$project_name"-dev_"$version"_amd64.deb
+for i in "$@"; do
+  case $i in
+  -ft=* | --file-type=*)
+    file_type="${i#*=}"
+    shift
+    ;;
+  esac
+done
+
+if [ -z "$file_type" ]; then
+  echo "No file type given. Using deb"
+  file_type=deb
+fi
+
+echo Project Name is $project_name
+echo Version is $version
+echo file_type is $file_type
+echo params at the end are $@
 
 # Build dev package first
-echo Building $dev_package_name
 prefix=/src/opt/conjur/project
 cp -al $prefix /dev-pkg
 cd $prefix
@@ -31,24 +46,29 @@ cd /dev-pkg
 remove_matching $prefix
 bundle_clean
 
-if [ `ls | wc -l` -eq 0 ]; then
+if [ $(ls | wc -l) -eq 0 ]; then
   echo No dev dependencies, skipping dev package
 else
-  fpm -s dir -t deb -n conjur-$project_name-dev -v $version -C . \
-    --maintainer "Conjur Inc." \
-    --vendor "Conjur Inc." \
+  echo "Building conjur-$project_name-dev $file_type package"
+
+  fpm \
+    -s dir \
+    -t $file_type \
+    -n conjur-$project_name-dev \
+    -v $version \
+    -C . \
+    --maintainer "CyberArk Software, Inc." \
+    --vendor "CyberArk Software, Inc." \
     --license "Proprietary" \
-    --url "https://www.conjur.net" \
+    --url "https://www.cyberark.com" \
     --deb-no-default-config-files \
-    --deb-user conjur \
-    --deb-group conjur \
+    --$file_type-user conjur \
+    --$file_type-group conjur \
     --depends "conjur-$project_name = $version" \
     --prefix /opt/conjur/$project_name \
     --description "Conjur $project_name service - development files"
 fi
 
-echo Building $package_name
-
 mv /src/opt/conjur/project /src/opt/conjur/$project_name
 
 cd /src/opt/conjur/$project_name
@@ -63,16 +83,23 @@ mkdir -p opt/conjur/etc
 
 [ -d opt/conjur/"$project_name"/distrib ] && mv opt/conjur/"$project_name"/distrib /
 
-fpm -s dir -t deb -n conjur-$project_name -v $version -C . \
-	--maintainer "Conjur Inc." \
-	--vendor "Conjur Inc." \
-	--license "Proprietary" \
-	--url "https://www.conjur.net" \
-	--deb-no-default-config-files \
-	--config-files opt/conjur/etc \
-	--deb-user conjur \
-	--deb-group conjur \
-	--description "Conjur $project_name service" \
-	"$@"
-
-ls -al *.deb
+echo "Building conjur-$project_name-dev $file_type package"
+
+fpm \
+  -s dir \
+  -t $file_type \
+  -n conjur-$project_name \
+  -v $version \
+  -C . \
+  --maintainer "CyberArk Software, Inc." \
+  --vendor "CyberArk Software, Inc." \
+  --license "Proprietary" \
+  --url "https://www.cyberark.com" \
+  --config-files opt/conjur/etc \
+  --deb-no-default-config-files \
+  --$file_type-user conjur \
+  --$file_type-group conjur \
+  --description "Conjur $project_name service" \
+  "$@"
+
+ls -l

data/spec/action/publish_spec.rb

@@ -31,8 +31,8 @@ describe Conjur::Debify::Action::Publish do
     end
     
     it 'runs' do
-      expect(action).to receive(:publish)
-      
+      expect(action).to receive(:publish).twice
+
       action.run
     end
     
@@ -42,8 +42,8 @@ describe Conjur::Debify::Action::Publish do
 
     it 'runs' do
       expect(action).to receive(:fetch_art_creds)
-      expect(action).to receive(:publish)
-      
+      expect(action).to receive(:publish).twice
+
       action.run
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-debify
 version: !ruby/object:Gem::Version
-  version: 1.11.2
+  version: 2.0.0
 platform: ruby
 authors:
-- Kevin Gilpin
+- CyberArk Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-03 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
@@ -126,16 +126,16 @@ dependencies:
   name: aruba
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.14'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -166,7 +166,7 @@ dependencies:
         version: '1.0'
 description: 
 email:
-- kgilpin@conjur.net
+- conj_maintainers@cyberark.com
 executables:
 - debify
 extensions: []
@@ -177,6 +177,7 @@ files:
 - ".project"
 - ".rvmrc"
 - CHANGELOG.md
+- CONTRIBUTING.md
 - Dockerfile
 - Gemfile
 - Jenkinsfile
@@ -249,7 +250,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Utility commands to build and package Conjur services as Debian packages