Authn jwt refactor v5

.dockerignore

@@ -12,6 +12,7 @@ cucumber
 
 *.deb
 .git
+.idea
 engines/conjur_audit/spec/dummy/log
 coverage
 demo

.trivyignore

@@ -1,93 +0,0 @@
-# OpenSSL CVEs
-#
-# Because of the way OpenSSL 1.0.2 has moved to premium support and our Ubuntu
-# base image, trivy flags a number of OpenSSL issues in Conjur because the fix
-# for most Ubuntu users is to move to 1.1.1 instead of having the continued support
-# in the 1.0.2 line. Additionally, trivy flages 1.0.2zf as vulnerable to issues that
-# only affect 1.1.x. As of the time of this writing, we use 1.0.2zf which either
-# has the fix or is unaffected by these issues.
-CVE-2022-2097
-CVE-2022-2068
-CVE-2022-1292
-CVE-2022-0778
-CVE-2021-23841
-CVE-2021-23840
-CVE-2021-3712
-CVE-2019-1563
-CVE-2019-1551
-CVE-2019-1549
-CVE-2019-1547
-CVE-2018-0735
-CVE-2018-0734
-
-# NULL pointer deref. OpenSSL 1.0.2 is not impacted
-CVE-2021-3449
-
-# We already use a later version than the ones listed as impacted by this
-# CVE, so we believe this is just a scanner issue.
-CVE-2014-7819
-
-# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur
-# has been updated to 13.0.1. Some of the Conjur dependencies still declare a
-# vulnerable version of Rake in their development dependencies, but do not pose
-# a risk to Conjur.
-CVE-2020-8130
-
-# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake
-# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert"
-# TLS extension. this issue was fixed in OpenSSL 1.1.1g
-#
-# In order to support fips with openssl we are required to downgrading openssl version to 1.0.2 until openssl will
-# support fips module in newer versions
-# This vulnerability this is not relevant to us as
-# 1. The installed version (1.0.2u) does not support 1.3
-# 2. Trivy detect the usage of openssl 1.0.2 (can be reproduced with
-#    docker run -v /var/run/docker.sock:/var/run/docker.sock
-#   -v $(PWD):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress
-#   --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0)
-#
-# Performed by @yahalomk approved by @shaharglazner
-CVE-2020-1967
-
-# CVE-2020-1971
-# The X.509 GeneralName type is a generic type for representing different types
-# of names. One of those name types is known as EDIPartyName. OpenSSL provides a
-# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
-# to see if they are equal or not. This function behaves incorrectly when both
-# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
-# may occur leading to a possible denial of service attack.
-# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
-#
-# 1) Comparing CRL distribution point names between an available CRL and a CRL
-#    distribution point embedded in an X509 certificate.
-#
-# 2) When verifying that a timestamp response token signer matches the timestamp
-#    authority name (exposed via the API functions TS_RESP_verify_response and
-#    TS_RESP_verify_token) If an attacker can control both items being compared
-#    then that attacker could trigger a crash.
-#
-# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL
-# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
-#
-# In order to support FIPS with OpenSSL we are required to use OpenSSL version
-# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest
-# available version to us is 1.0.2u, which does not include this fix.
-#
-# We've determined that we are not impacted by this vulnerability because:
-# - we do not directly perform CRL checks in the Conjur or DAP software
-# - we do not enable automatic CRL checks in openssl tools
-# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose
-#   impacted behavior.
-#
-# Performed by @micahlee, approved by @andytinkham
-CVE-2020-1971
-
-# CVE-2021-3711
-# The vulnerability is not affected Conjur's version of OpenSSL 1.0.2u (https://www.openssl.org/news/secadv/20210824.txt)
-# Conjur does not use SM2 algorithm (https://www.openssl.org/docs/manmaster/man7/SM2.html)
-CVE-2021-3711
-
-# We have the fix for CVE-2023-0286 in openssl 1.0.2zg, but because OpenSSL 1.0.2 
-# is only available in premium support, trivy thinks we should use something in the 1.1.1
-# line. We can't, due to FIPS compliance, so need to continue to ignore this issue.
-CVE-2023-0286

API_VERSION

@@ -1 +1 @@
-5.3.0
+5.3.1

CHANGELOG.md

@@ -9,7 +9,82 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [1.19.5] - 2023-05-16
+## [1.20.1] - 2023-10-13
+
+### Fixed
+- OIDC Authenticator now writes custom certs to a non-default directory instead
+  of the system default certificate store.
+  [cyberark/conjur#2988](https://github.com/cyberark/conjur/pull/2988)
+
+### Added
+- Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
+  [CNJR-2759](https://ca-il-jira.il.cyber-ark.com:8443/browse/CNJR-2759)
+
+### Security
+- Upgrade google/cloud-sdk in ci/test_suites/authenticators_k8s/dev/Dockerfile/test
+  to use latest version (448.0.0)
+  [cyberark/conjur#2972](https://github.com/cyberark/conjur/pull/2972)
+
+## [1.20.0] - 2023-09-21
+
+### Fixed
+- Allow Factories with optional variables to save without error
+  [cyberark/conjur#2956](https://github.com/cyberark/conjur/pull/2956)
+- OIDC authenticators support `https_proxy` and `HTTPS_PROXY` environment variables
+  [cyberark/conjur#2902](https://github.com/cyberark/conjur/pull/2902)
+- Support plural syntax for revoke and deny
+  [cyberark/conjur#2901](https://github.com/cyberark/conjur/pull/2901)
+
+### Added
+- Telemetry support
+  [cyberark/conjur#2854](https://github.com/cyberark/conjur/pull/2854)
+- Introduces support for Policy Factory, which enables resource creation
+  through a new `factories` API.
+  [cyberark/conjur#2855](https://github.com/cyberark/conjur/pull/2855/files)
+
+## [1.19.6] - 2023-07-05
+
+### Added
+- Support an optional`ca-cert` variable for providing custom certs/chains to verify
+  OIDC providers or proxies when using the OIDC authenticator
+  [cyberark/conjur#2933](https://github.com/cyberark/conjur/pull/2933)
+- New flag to `conjurctl server` command called `--no-migrate` which allows for skipping
+  the database migration step when starting the server.
+  [cyberark/conjur#2895](https://github.com/cyberark/conjur/pull/2895)
+- Telemetry support
+  [cyberark/conjur#2854](https://github.com/cyberark/conjur/pull/2854)
+- Introduces support for Policy Factory, which enables resource creation
+  through a new `factories` API.
+  [cyberark/conjur#2855](https://github.com/cyberark/conjur/pull/2855/files)
+- Use base images with newer Ubuntu and UBI.
+  Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
+  [cyberark/conjur#2874](https://github.com/cyberark/conjur/pull/2874)
+
+### Changed
+- The database thread pool max connection size is now based on the number of
+  web worker threads per process, rather than an arbitrary fixed number. This
+  mitigates the possibility of a web worker becoming starved while waiting for
+  a connection to become available.
+  [cyberark/conjur#2875](https://github.com/cyberark/conjur/pull/2875)
+- Changed base-image tagging strategy
+  [cyberark/conjur#2926](https://github.com/cyberark/conjur/pull/2926)
+
+### Fixed
+- Support Authn-IAM regional requests when host value is missing from signed headers.
+  [cyberark/conjur#2827](https://github.com/cyberark/conjur/pull/2827)
+
+### Security
+- Support plural syntax for revoke and deny
+  [cyberark/conjur#2901](https://github.com/cyberark/conjur/pull/2901)
+- Previously, attempting to add and remove a privilege in the same policy load
+  resulted in only the positive privilege (grant, permit) taking effect. Now we
+  fail safe and the negative privilege statement (revoke, deny) is the final
+  outcome
+  [cyberark/conjur#2907](https://github.com/cyberark/conjur/pull/2907)
+- Update puma to 6.3.1 to address CVE-2023-40175.
+  [cyberark/conjur#2925](https://github.com/cyberark/conjur/pull/2925)
+
+## [1.19.5] - 2023-06-29
 
 ### Security
 - Update bundler to 2.2.33 to remove CVE-2021-43809
@@ -21,8 +96,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Authn-IAM now uses the host in the signed headers to determine which STS endpoint
   (global or regional) to use for validation.
 
-## [1.19.4] - 2023-05-12
-
 ### Changed
 - OIDC tokens will now have a default ttl of 60 mins
   [cyberark/conjur#2800](https://github.com/cyberark/conjur/pull/2800)
@@ -1045,7 +1118,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - The first tagged version.
 
-[Unreleased]: https://github.com/cyberark/conjur/compare/v1.19.3...HEAD
+[Unreleased]: https://github.com/cyberark/conjur/compare/v1.20.0...HEAD
+[1.20.0]: https://github.com/cyberark/conjur/compare/v1.19.5...v1.20.0
+[1.19.5]: https://github.com/cyberark/conjur/compare/v1.19.3...v1.19.5
 [1.19.3]: https://github.com/cyberark/conjur/compare/v1.19.2...v1.19.3
 [1.19.2]: https://github.com/cyberark/conjur/compare/v1.19.1...v1.19.2
 [1.19.1]: https://github.com/cyberark/conjur/compare/v1.19.0...v1.19.1

Dockerfile

@@ -1,25 +1,34 @@
-FROM cyberark/ubuntu-ruby-fips:latest
+FROM cyberark/ubuntu-ruby-builder:latest as builder
+
+ENV CONJUR_HOME=/opt/conjur-server
+
+WORKDIR ${CONJUR_HOME}
 
-ENV DEBIAN_FRONTEND=noninteractive \
-    PORT=80 \
-    LOG_DIR=/opt/conjur-server/log \
-    TMP_DIR=/opt/conjur-server/tmp \
-    SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl
+COPY Gemfile Gemfile.lock ./
+COPY ./gems/ ./gems/
 
-EXPOSE 80
+RUN bundle config set --local without 'test development' && \
+    bundle config set --local deployment true && \
+    bundle config set --local path vendor/bundle && \
+    bundle config --local jobs "$(nproc --all)" && \
+    bundle install && \
+    # Remove private keys brought in by gems in their test data
+    find / -name 'openid_connect-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \;
+
+FROM cyberark/ubuntu-ruby-fips:latest
 
-RUN apt-get update -y && \
-    apt-get -y dist-upgrade && \
-    apt-get install -y libz-dev
+ENV PORT=80 \
+    LOG_DIR=${CONJUR_HOME}/log \
+    TMP_DIR=${CONJUR_HOME}/tmp \
+    SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
+    RAILS_ENV=production \
+    CONJUR_HOME=/opt/conjur-server
 
-RUN apt-get install -y build-essential \
-                       curl \
-                       git \
-                       ldap-utils \
-                       tzdata \
-    && rm -rf /var/lib/apt/lists/*
+ENV PATH="${PATH}:${CONJUR_HOME}/bin"
 
-WORKDIR /opt/conjur-server
+WORKDIR ${CONJUR_HOME}
 
 # Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
 RUN mkdir -p $TMP_DIR \
@@ -28,20 +37,9 @@ RUN mkdir -p $TMP_DIR \
              $SSL_CERT_DIRECTORY/cert \
              /run/authn-local
 
-COPY Gemfile \
-     Gemfile.lock ./
-COPY gems/ gems/
-
-
-RUN bundle --without test development
-
 COPY . .
+COPY --from=builder ${CONJUR_HOME} ${CONJUR_HOME}
 
-# removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
-
-RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
-
-ENV RAILS_ENV production
+EXPOSE ${PORT}
 
 ENTRYPOINT [ "conjurctl" ]

Dockerfile.fpm

@@ -5,8 +5,7 @@ RUN apt-get update -y && \
     apt-get install -y zlib1g-dev \
                        liblzma-dev
 
-ENV BUNDLER_VERSION 2.2.33
-RUN gem install --no-document bundler:$BUNDLER_VERSION fpm
+RUN gem install --no-document fpm
 
 RUN mkdir -p /src/opt/conjur/project
 
@@ -19,7 +18,7 @@ COPY gems/ gems/
 COPY . .
 
 # removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+RUN find / -name httpclient -type d -exec find {} -name "*.pem" -type f -delete \;
 
 ADD debify.sh /
 

Dockerfile.test

@@ -1,4 +1,34 @@
 ARG VERSION=latest
+
+FROM cyberark/ubuntu-ruby-builder:latest as builder
+
+ENV CONJUR_HOME=/opt/conjur-server \
+    GEM_HOME=/usr/local/bundle
+
+WORKDIR ${CONJUR_HOME}
+
+COPY Gemfile Gemfile.lock ./
+COPY ./gems/ ./gems/
+
+RUN bundle config unset --local without && \
+    bundle config unset --local path && \
+    bundle config set --local deployment false && \
+    bundle config --local jobs "$(nproc --all)" && \
+    bundle install && \
+    # removing CA bundle of httpclient gem
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+    # remove the private key in the oidc_connect gem spec directory
+    find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;
+
 FROM conjur:${VERSION}
 
-RUN bundle --no-deployment --without ''
+ENV GEM_HOME=/usr/local/bundle
+ENV PATH="${GEM_HOME}/bin:${PATH}"
+
+RUN bundle config unset --local without && \
+    bundle config unset --local path && \
+    bundle config set --local deployment false && \
+    gem install rake
+
+COPY --from=builder ${GEM_HOME} ${GEM_HOME}