Update to Ruby 3

Update Ruby to v3.1.3 to resolve CVE-2021-33621
Update Bundler to v2.3.26 to resolve CVE-2020-36327 and CVE-2021-43809
Update Rails components to v6.1
Update Rack to v2.2.5

.rubocop.yml

@@ -5,4 +5,4 @@ AllCops:
  - 'vendor/**/*'
  - 'spec/fixtures/**/*'
  - 'tmp/**/*'
- TargetRubyVersion: 2.7
+ TargetRubyVersion: 3.1

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+## [1.3.0] - 2022-01-11
+### Changes
+- Upgrade supported Ruby version to 3.1.x
+ [cyberark/conjur-service-broker#306](https://github.com/cyberark/conjur-service-broker/pull/306)
+
 ### Security
 - Update conjur-api-go to v0.10.2 to udpate indirect dependency gopkg.in/yaml.v2
  [cyberark/conjur-service-broker#305](https://github.com/cyberark/conjur-service-broker/pull/305)

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.7
+FROM ruby:3.1
 MAINTAINER CyberArk Software Ltd.
 
 RUN apt-get update && \

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM ruby:2.7
+FROM ruby:3.1
 MAINTAINER CyberArk Software Ltd.
 
 # This is a Dockerfile for the Service Broker image that is used in

Dockerfile.test

@@ -1,4 +1,4 @@
-FROM ruby:2.7
+FROM ruby:3.1
 MAINTAINER CyberArk Software Ltd.
 
 # This is a Dockerfile for a Service Broker test client image. The repository

Gemfile

@@ -5,25 +5,13 @@ git_source(:github) do |repo_name|
  "https://github.com/#{repo_name}.git"
 end
 
-# Do not use fuzzy version matching (~>) with the Ruby version. It doesn't play
-# nicely with RVM and we should be explicit since Ruby is such a fundamental
-# part of a Rails project. The Ruby version is also locked in place by the
-# Docker base image so it won't be updated with fuzzy matching.
-ruby '~> 2.7'
-
-# We currently use a version of Bundler with known vulnerabilities until we
-# can update this project to use Ruby 3.0. Currently, this Gemfile does not
-# include any gems in ways that trigger those vulnerabilities. However, any
-# changes to this file need to be reviewed to ensure they don't expose us
-# to CVE-2020-36327 or CVE-2021-43809. These CVEs are currently ignored in 
-# our Trivy scans and will not be caught. Adding Gemfile and Gemfile.lock
-# to CODEOWNERS to ensure reviews include security personnel for this reason.
+ruby '~> 3.1'
 
 gem 'conjur-api', '~> 5.3.4'
-gem 'activesupport', '~> 5.2.6'
-gem 'railties', '~> 5.2.6'
-gem 'actionview', '~> 5.2.6'
-gem 'rack', '~> 2.2.3'
+gem 'activesupport', '~> 6.1'
+gem 'railties', '~> 6.1'
+gem 'actionview', '~> 6.1'
+gem 'rack', '~> 2.2.5'
 gem 'json-schema', '2.8.0'
 gem 'listen', '>= 3.0.5', '< 3.2'
 
@@ -44,7 +32,7 @@ group :development, :test do
  gem 'pry-byebug'
  gem 'rspec_junit_formatter'
  gem 'rest-client'
- gem 'rspec-rails', '~> 3.7'
+ gem 'rspec-rails', '~> 6.0'
 end
 
 group :development do

Gemfile.lock

@@ -1,24 +1,25 @@
 GEM
  remote: https://rubygems.org/
  specs:
- actionpack (5.2.8.1)
- actionview (= 5.2.8.1)
- activesupport (= 5.2.8.1)
- rack (~> 2.0, >= 2.0.8)
+ actionpack (6.1.7)
+ actionview (= 6.1.7)
+ activesupport (= 6.1.7)
+ rack (~> 2.0, >= 2.0.9)
  rack-test (>= 0.6.3)
  rails-dom-testing (~> 2.0)
- rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.8.1)
- activesupport (= 5.2.8.1)
+ rails-html-sanitizer (~> 1.0, >= 1.2.0)
+ actionview (6.1.7)
+ activesupport (= 6.1.7)
  builder (~> 3.1)
  erubi (~> 1.4)
  rails-dom-testing (~> 2.0)
- rails-html-sanitizer (~> 1.0, >= 1.0.3)
- activesupport (5.2.8.1)
+ rails-html-sanitizer (~> 1.1, >= 1.2.0)
+ activesupport (6.1.7)
  concurrent-ruby (~> 1.0, >= 1.0.2)
- i18n (>= 0.7, < 2)
- minitest (~> 5.1)
- tzinfo (~> 1.1)
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ tzinfo (~> 2.0)
+ zeitwerk (~> 2.3)
  addressable (2.8.1)
  public_suffix (>= 2.0.2, < 6.0)
  aruba (2.1.0)
@@ -45,7 +46,7 @@ GEM
  activesupport (>= 4.2)
  addressable (~> 2.0)
  rest-client
- contracts (0.16.1)
+ contracts (0.17)
  crass (1.0.6)
  cucumber (7.1.0)
  builder (~> 3.2, >= 3.2.4)
@@ -80,7 +81,7 @@ GEM
  diff-lcs (1.5.0)
  domain_name (0.5.20190701)
  unf (>= 0.0.5, < 1.0.0)
- erubi (1.11.0)
+ erubi (1.12.0)
  ffi (1.15.5)
  http-accept (1.7.0)
  http-cookie (1.0.5)
@@ -92,57 +93,56 @@ GEM
  json_spec (1.1.5)
  multi_json (~> 1.0)
  rspec (>= 2.0, < 4.0)
- license_finder (7.0.1)
+ license_finder (7.1.0)
  bundler
  rubyzip (>= 1, < 3)
  thor (~> 1.2)
  tomlrb (>= 1.3, < 2.1)
  with_env (= 1.1.0)
  xml-simple (~> 1.1.9)
- listen (3.1.5)
+ listen (3.0.8)
  rb-fsevent (~> 0.9, >= 0.9.4)
  rb-inotify (~> 0.9, >= 0.9.7)
- ruby_dep (~> 1.2)
  loofah (2.19.1)
  crass (~> 1.0.2)
  nokogiri (>= 1.5.9)
  method_source (1.0.0)
  mime-types (3.4.1)
  mime-types-data (~> 3.2015)
  mime-types-data (3.2022.0105)
- mini_portile2 (2.8.0)
- minitest (5.16.3)
+ mini_portile2 (2.8.1)
+ minitest (5.17.0)
  multi_json (1.15.0)
  multi_test (0.1.2)
  netrc (0.11.0)
  nio4r (2.5.8)
  nokogiri (1.13.10)
  mini_portile2 (~> 2.8.0)
  racc (~> 1.4)
- pry (0.14.1)
+ pry (0.14.2)
  coderay (~> 1.1)
  method_source (~> 1.0)
  pry-byebug (3.10.1)
  byebug (~> 11.0)
  pry (>= 0.13, < 0.15)
- public_suffix (5.0.0)
+ public_suffix (5.0.1)
  puma (5.6.4)
  nio4r (~> 2.0)
- racc (1.6.1)
- rack (2.2.4)
+ racc (1.6.2)
+ rack (2.2.5)
  rack-test (2.0.2)
  rack (>= 1.3)
  rails-dom-testing (2.0.3)
  activesupport (>= 4.2.0)
  nokogiri (>= 1.6)
  rails-html-sanitizer (1.4.4)
  loofah (~> 2.19, >= 2.19.1)
- railties (5.2.8.1)
- actionpack (= 5.2.8.1)
- activesupport (= 5.2.8.1)
+ railties (6.1.7)
+ actionpack (= 6.1.7)
+ activesupport (= 6.1.7)
  method_source
- rake (>= 0.8.7)
- thor (>= 0.19.0, < 2.0)
+ rake (>= 12.2)
+ thor (~> 1.0)
  rake (13.0.6)
  rb-fsevent (0.11.2)
  rb-inotify (0.10.1)
@@ -153,30 +153,29 @@ GEM
  mime-types (>= 1.16, < 4.0)
  netrc (~> 0.8)
  rexml (3.2.5)
- rspec (3.9.0)
- rspec-core (~> 3.9.0)
- rspec-expectations (~> 3.9.0)
- rspec-mocks (~> 3.9.0)
- rspec-core (3.9.3)
- rspec-support (~> 3.9.3)
- rspec-expectations (3.9.4)
+ rspec (3.12.0)
+ rspec-core (~> 3.12.0)
+ rspec-expectations (~> 3.12.0)
+ rspec-mocks (~> 3.12.0)
+ rspec-core (3.12.0)
+ rspec-support (~> 3.12.0)
+ rspec-expectations (3.12.2)
  diff-lcs (>= 1.2.0, < 2.0)
- rspec-support (~> 3.9.0)
- rspec-mocks (3.9.1)
+ rspec-support (~> 3.12.0)
+ rspec-mocks (3.12.2)
  diff-lcs (>= 1.2.0, < 2.0)
- rspec-support (~> 3.9.0)
- rspec-rails (3.9.1)
- actionpack (>= 3.0)
- activesupport (>= 3.0)
- railties (>= 3.0)
- rspec-core (~> 3.9.0)
- rspec-expectations (~> 3.9.0)
- rspec-mocks (~> 3.9.0)
- rspec-support (~> 3.9.0)
- rspec-support (3.9.4)
+ rspec-support (~> 3.12.0)
+ rspec-rails (6.0.1)
+ actionpack (>= 6.1)
+ activesupport (>= 6.1)
+ railties (>= 6.1)
+ rspec-core (~> 3.11)
+ rspec-expectations (~> 3.11)
+ rspec-mocks (~> 3.11)
+ rspec-support (~> 3.11)
+ rspec-support (3.12.0)
  rspec_junit_formatter (0.6.0)
  rspec-core (>= 2, < 4, != 2.12.0)
- ruby_dep (1.5.0)
  rubyzip (2.3.2)
  spring (2.1.1)
  spring-watcher-listen (2.0.1)
@@ -185,23 +184,23 @@ GEM
  sys-uname (1.2.2)
  ffi (~> 1.1)
  thor (1.2.1)
- thread_safe (0.3.6)
  tomlrb (2.0.3)
- tzinfo (1.2.10)
- thread_safe (~> 0.1)
+ tzinfo (2.0.5)
+ concurrent-ruby (~> 1.0)
  unf (0.1.4)
  unf_ext
  unf_ext (0.0.8.2)
  with_env (1.1.0)
  xml-simple (1.1.9)
  rexml
+ zeitwerk (2.6.6)
 
 PLATFORMS
  ruby
 
 DEPENDENCIES
- actionview (~> 5.2.6)
- activesupport (~> 5.2.6)
+ actionview (~> 6.1)
+ activesupport (~> 6.1)
  aruba
  bundler-audit
  byebug
@@ -214,17 +213,17 @@ DEPENDENCIES
  listen (>= 3.0.5, < 3.2)
  pry-byebug
  puma (= 5.6.4)
- rack (~> 2.2.3)
- railties (~> 5.2.6)
+ rack (~> 2.2.5)
+ railties (~> 6.1)
  rest-client
  rspec (~> 3)
- rspec-rails (~> 3.7)
+ rspec-rails (~> 6.0)
  rspec_junit_formatter
  spring
  spring-watcher-listen (~> 2.0.0)
 
 RUBY VERSION
- ruby 2.7.5p203
+ ruby 3.1.3p185
 
 BUNDLED WITH
- 2.1.4
+ 2.3.26

config/environments/development.rb

@@ -44,4 +44,8 @@
  # Use an evented file watcher to asynchronously detect changes in source code,
  # routes, locales, etc. This feature depends on the listen gem.
  config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+
+ # Rails 6 includes a new middleware, Host Authorization. In our development
+ # environment, let's allow requests from all hostnames.
+ config.hosts.clear
 end

config/environments/test.rb

@@ -39,4 +39,8 @@
 
  # Raises error for missing translations
  # config.action_view.raise_on_missing_translations = true
+
+ # Rails 6 includes a new middleware, Host Authorization. In our tests
+ # environment, let's allow requests from all hostnames.
+ config.hosts.clear
 end

dev/parse-changelog.sh

@@ -6,7 +6,7 @@ cd "$(dirname "$0")"
 docker run --rm \
  -v "$PWD/..:/work" \
  -w "/work" \
- ruby:2.5 bash -ec "
+ ruby:3.1 bash -ec "
  gem install -N parse_a_changelog
  parse ./CHANGELOG.md
  "

spec/controllers/bind_controller_spec.rb

@@ -48,7 +48,7 @@
  put('/v2/service_instances/test_instance/service_bindings/test_binding', 
  params: legacy_params, headers: headers)
 
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response).to have_http_status(:created)
  data = JSON.parse(response.body)
  expect(data["credentials"]).to eq("test_creds")
@@ -67,7 +67,7 @@
  put('/v2/service_instances/test_instance/service_bindings/test_binding', 
  params: params, headers: headers)
 
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response).to have_http_status(:created)
  end
  end
@@ -80,7 +80,7 @@
  put('/v2/service_instances/test_instance/service_bindings/test_binding', 
  params: params, headers: headers)
 
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response).to have_http_status(:created)
  end
  end

spec/controllers/provision_controller_spec.rb

@@ -49,7 +49,7 @@
  put('/v2/service_instances/test_instance', params: params, headers: headers)
 
  expect(response).to have_http_status(:created)
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response.body).to eq("{}")
  end
  end
@@ -60,7 +60,7 @@
 
  put('/v2/service_instances/test_instance', params: legacy_params, headers: headers)
 
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response).to have_http_status(:ok)
  expect(response.body).to eq("{}")
  end
@@ -86,7 +86,7 @@
  it 'returns with a 200 OK response' do
  delete(delete_path, params: params, headers: headers)
 
- expect(response.content_type).to eq("application/json")
+ expect(response.content_type).to eq("application/json; charset=utf-8")
  expect(response).to have_http_status(:ok)
  expect(response.body).to eq("{}")
  end