diff --git a/.dockerignore b/.dockerignore
index 0ece2222fb..c872e2e2ea 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -12,6 +12,7 @@ cucumber
*.deb
.git
+.idea
engines/conjur_audit/spec/dummy/log
coverage
demo
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08c7c4b3d7..9e812febae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Introduces support for Policy Factory, which enables resource creation
through a new `factories` API.
[cyberark/conjur#2855](https://github.com/cyberark/conjur/pull/2855/files)
+- Use base images with newer Ubuntu and UBI.
+ Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
+ [cyberark/conjur#2874](https://github.com/cyberark/conjur/pull/2874)
### Changed
- The database thread pool max connection size is now based on the number of
diff --git a/Dockerfile b/Dockerfile
index 14943c8e82..2fe6080e40 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,17 +30,6 @@ ENV PATH="${PATH}:${CONJUR_HOME}/bin"
WORKDIR ${CONJUR_HOME}
-RUN apt-get update -y && \
- apt-get -y dist-upgrade && \
- apt-get install -y libz-dev
-
-RUN apt-get install -y build-essential \
- curl \
- git \
- ldap-utils \
- tzdata \
- && rm -rf /var/lib/apt/lists/*
-
# Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
RUN mkdir -p $TMP_DIR \
$LOG_DIR \
diff --git a/Dockerfile.fpm b/Dockerfile.fpm
index ca25aa6995..345c840137 100644
--- a/Dockerfile.fpm
+++ b/Dockerfile.fpm
@@ -5,8 +5,7 @@ RUN apt-get update -y && \
apt-get install -y zlib1g-dev \
liblzma-dev
-ENV BUNDLER_VERSION 2.2.33
-RUN gem install --no-document bundler:$BUNDLER_VERSION fpm
+RUN gem install --no-document fpm
RUN mkdir -p /src/opt/conjur/project
@@ -19,7 +18,7 @@ COPY gems/ gems/
COPY . .
# removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+RUN find / -name httpclient -type d -exec find {} -name "*.pem" -type f -delete \;
ADD debify.sh /
diff --git a/Dockerfile.test b/Dockerfile.test
index 4a0c644efd..e7e11b5bd3 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -14,10 +14,12 @@ RUN bundle config unset --local without && \
bundle config unset --local path && \
bundle config set --local deployment false && \
bundle config --local jobs "$(nproc --all)" && \
- bundle install
-
-# removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name "*.pem" -type f -delete \;
+ bundle install && \
+ # removing CA bundle of httpclient gem
+ find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
+ find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+ # remove the private key in the oidc_connect gem spec directory
+ find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;
FROM conjur:${VERSION}
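Review bot: The comment above the last `find` names the `oidc_connect` gem, but the directory matched is `openid_connect`, and the command deletes every `*.pem` under it rather than a single private key. It should say what is removed, e.g. `# remove bundled *.pem fixtures (including a private key) from the openid_connect gem`. The httpclient cleanup here now matches `httpclient-*` and also removes `*.key` files, while the Dockerfile.fpm hunk in this commit still matches `httpclient` and removes only `*.pem`. If the aim is to keep bundled key material out of built artifacts, the packaging image probably needs the same three commands; that intent is inferred, not stated in the diff.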
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 7e550e810d..c2f9924ede 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -8,13 +8,6 @@ WORKDIR ${CONJUR_HOME}
COPY Gemfile Gemfile.lock ./
COPY ./gems/ ./gems/
-# Install package dependencies for Conjur
-RUN INSTALL_PKGS="openldap-clients \
- tzdata" && \
- yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
- rpm -V $INSTALL_PKGS && \
- yum -y clean all --enablerepo='*'
-
RUN bundle config set --local without 'test development' && \
bundle config set --local deployment true && \
bundle config set --local path vendor/bundle && \
diff --git a/Gemfile.lock b/Gemfile.lock
index 13f53de845..be6c74648c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -283,7 +283,7 @@ GEM
net-smtp
marcel (1.0.2)
method_source (1.0.0)
- mime-types (3.5.0)
+ mime-types (3.5.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2023.0808)
mini_mime (1.1.2)
@@ -293,14 +293,14 @@ GEM
net-imap (0.3.7)
date
net-protocol
- net-ldap (0.17.0)
+ net-ldap (0.18.0)
net-pop (0.1.2)
net-protocol
net-protocol (0.2.1)
timeout
net-smtp (0.3.3)
net-protocol
- net-ssh (6.1.0)
+ net-ssh (7.1.0)
netrc (0.11.0)
nio4r (2.5.9)
nokogiri (1.15.3-x86_64-darwin)
diff --git a/NOTICES.txt b/NOTICES.txt
index b0454a42a7..9e2a0db3ec 100644
--- a/NOTICES.txt
+++ b/NOTICES.txt
@@ -41,7 +41,7 @@ Section 4: MIT
>>> https://rubygems.org/gems/kubeclient/versions/4.11.0
>>> https://rubygems.org/gems/listen/versions/3.8.0
>>> https://rubygems.org/gems/loofah/versions/2.21.3
->>> https://rubygems.org/gems/net-ldap/versions/0.17.0
+>>> https://rubygems.org/gems/net-ldap/versions/0.18.0
>>> https://rubygems.org/gems/nokogiri/versions/1.15.3-x86_64-darwin
>>> https://rubygems.org/gems/openid_connect/versions/1.3.0
>>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
@@ -636,7 +636,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
->>> https://rubygems.org/gems/net-ldap/versions/0.17.0
+>>> https://rubygems.org/gems/net-ldap/versions/0.18.0
Copyright 2006–2011 by Francis Cianfrocca and other contributors.
@@ -1212,4 +1212,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
\ No newline at end of file
+SOFTWARE.
diff --git a/VERSION_APPLIANCE b/VERSION_APPLIANCE
index 819e07a224..f4864e5cfb 100644
--- a/VERSION_APPLIANCE
+++ b/VERSION_APPLIANCE
@@ -1 +1 @@
-5.0
+PR-57
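Review bot: `PR-57` looks like a pull-request build identifier rather than a released version, and it replaces `5.0`. If this file selects the appliance base or version that builds consume, the builds would then depend on an unmerged, mutable artifact. It should go back to a release value before merge, or the commit description should say why the PR build is needed. How the value is consumed is not visible in this diff.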
diff --git a/app/views/status/index.html.erb b/app/views/status/index.html.erb
index a36a3c2c10..d7084d7b4f 100644
--- a/app/views/status/index.html.erb
+++ b/app/views/status/index.html.erb
@@ -58,6 +58,7 @@
Details:
Version <%= ENV["CONJUR_VERSION_DISPLAY"] %>
API Version "><%= ENV["API_VERSION"] %>
+ FIPS mode <%= ENV["FIPS_MODE_STATUS"] %>
More Info:
diff --git a/build.sh b/build.sh
index 995bac2903..ac7e101f8c 100755
--- a/build.sh
+++ b/build.sh
@@ -66,7 +66,7 @@ git rev-parse HEAD > conjur_git_commit
# 1. Always, when we're developing locally
if [[ $jenkins = false ]]; then
echo "Building image conjur-dev"
- docker build -t conjur-dev -f dev/Dockerfile.dev .
+ docker build --tag conjur-dev --file dev/Dockerfile.dev .
exit 0
fi
@@ -77,17 +77,17 @@ image_doesnt_exist() {
if image_doesnt_exist "conjur:$TAG"; then
echo "Building image conjur:$TAG"
- docker build -t "conjur:$TAG" .
+ docker build --pull --tag "conjur:$TAG" .
flatten "conjur:$TAG"
fi
if image_doesnt_exist "conjur-test:$TAG"; then
echo "Building image conjur-test:$TAG container"
- docker build --build-arg "VERSION=$TAG" -t "conjur-test:$TAG" -f Dockerfile.test .
+ docker build --build-arg "VERSION=$TAG" --tag "conjur-test:$TAG" --file Dockerfile.test .
fi
if image_doesnt_exist "conjur-ubi:$TAG"; then
echo "Building image conjur-ubi:$TAG container"
- docker build --build-arg "VERSION=$TAG" -t "conjur-ubi:$TAG" -f Dockerfile.ubi .
+ docker build --pull --build-arg "VERSION=$TAG" --tag "conjur-ubi:$TAG" --file Dockerfile.ubi .
flatten "conjur-ubi:$TAG"
fi
diff --git a/ci/coverage-report-generator/Gemfile.lock b/ci/coverage-report-generator/Gemfile.lock
index 73a8ef94c8..001365eb9c 100644
--- a/ci/coverage-report-generator/Gemfile.lock
+++ b/ci/coverage-report-generator/Gemfile.lock
@@ -17,4 +17,4 @@ DEPENDENCIES
simplecov_json_formatter (= 0.1.4)
BUNDLED WITH
- 2.2.33
+ 2.4.14
diff --git a/ci/coverage-report-generator/run.sh b/ci/coverage-report-generator/run.sh
index 4b371c070a..bce6c75d61 100755
--- a/ci/coverage-report-generator/run.sh
+++ b/ci/coverage-report-generator/run.sh
@@ -7,7 +7,7 @@
set -xeu
IMAGE="ruby:3.0"
-BUNDLER_VERSION="2.2.33"
+BUNDLER_VERSION="2.4.14"
REPO_ROOT=$(git rev-parse --show-toplevel)
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
index 4be46bf64a..9b206fce8f 100644
--- a/ci/docker-compose.yml
+++ b/ci/docker-compose.yml
@@ -15,7 +15,7 @@ services:
POSTGRES_HOST_AUTH_METHOD: trust
pg2:
- image: postgres:10.16
+ image: postgres:15
environment:
# To avoid the following error:
#
@@ -49,7 +49,7 @@ services:
POSTGRES_HOST_AUTH_METHOD: trust
testdb2:
- image: postgres:10.16
+ image: postgres:15
environment:
# To avoid the following error:
#
diff --git a/ci/oauth/keycloak/fetch_certificate b/ci/oauth/keycloak/fetch_certificate
index e399ff0a1c..5b103f3cfc 100755
--- a/ci/oauth/keycloak/fetch_certificate
+++ b/ci/oauth/keycloak/fetch_certificate
@@ -13,5 +13,6 @@ openssl s_client \
-outform PEM \
>/etc/ssl/certs/keycloak.pem
-hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem --noout)
+
ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0" || true
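Review bot: `--noout` is spelled with a double dash while every other option in this command uses the single-dash form (`-hash`, `-in`). It appears to be accepted by the OpenSSL option parser, but `-noout` is the documented spelling and keeps the line consistent. If `openssl x509` fails, `hash` is empty and the next line links `/etc/ssl/certs/.0`, with `|| true` hiding any error. A guard such as `[ -n "$hash" ] || { echo "could not hash keycloak.pem" >&2; exit 1; }` before the `ln` would surface that.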
diff --git a/config/initializers/fips.rb b/config/initializers/fips.rb
index 9b018fdf41..7684bc686d 100644
--- a/config/initializers/fips.rb
+++ b/config/initializers/fips.rb
@@ -1,5 +1,6 @@
require "openssl"
require "digest"
+require "ffi"
# Suppress warning messages
original_verbose = $VERBOSE
@@ -12,9 +13,27 @@
# Activate warning messages again
$VERBOSE = original_verbose
-# by default FIPS mode is enabled
-# disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
-OpenSSL.fips_mode = !(ENV["OPENSSL_FIPS_ENABLED"].present? && ENV["OPENSSL_FIPS_ENABLED"] == 'false')
+# This is a temporary workaround to support OpenSSL v3 until ruby openssl gem properly handles fips mode state
+# https://github.com/ruby/openssl/issues/369
+if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with?("OpenSSL 3")
+ module OpenSSL
+ extend FFI::Library
+ ffi_lib 'libssl.so'
+ attach_function :EVP_default_properties_is_fips_enabled, [:pointer], :int
+
+ def self.fips_mode
+ EVP_default_properties_is_fips_enabled(nil) == 1
+ end
+
+ def self.fips_mode=(mode)
+ raise "Changing FIPS state in OpenSSL 3 needs to be done with OpenSSL configuration"
+ end
+ end
+else
+ # by default FIPS mode is enabled
+ # disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
+ OpenSSL.fips_mode = !(ENV.fetch('OPENSSL_FIPS_ENABLED', 'true') == 'false')
+end
# each of the following 3rd party overridden is required since a non FIPS complaint encryption method is used
# if a non-complaint FIPS method like MD5 is used or a direct use of Digest::encryption-method
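Review bot: On the OpenSSL 3 branch nothing reads `OPENSSL_FIPS_ENABLED` any more, so a deployment that relied on the previous enabled-by-default behaviour starts in non-FIPS mode with no signal if the OpenSSL configuration does not activate FIPS. A check after the module definition would make that visible, for example `raise "FIPS mode requested but not active in the OpenSSL 3 configuration" if ENV.fetch('OPENSSL_FIPS_ENABLED', 'true') != 'false' && !OpenSSL.fips_mode`, or a logged warning if failing at boot is too strict. Separately, `ffi_lib 'libssl.so'` resolves an unversioned name that may be missing at runtime, or may not be the library the Ruby openssl extension is linked against, in which case the status shown would describe a different library. That second point is inferred and should be confirmed against the image. In the else branch, `!(ENV.fetch(...) == 'false')` reads more plainly as `ENV.fetch('OPENSSL_FIPS_ENABLED', 'true') != 'false'`.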
diff --git a/config/initializers/status.rb b/config/initializers/status.rb
index c4fef7dcf5..01f6042526 100644
--- a/config/initializers/status.rb
+++ b/config/initializers/status.rb
@@ -4,3 +4,4 @@
ENV["CONJUR_VERSION_DISPLAY"] = File.read(File.expand_path("../../VERSION", File.dirname(__FILE__)))
ENV["API_VERSION"] = File.read(File.expand_path("../../API_VERSION", File.dirname(__FILE__)))
+ENV["FIPS_MODE_STATUS"] = OpenSSL.fips_mode ? "enabled" : "disabled"
diff --git a/cucumber/api/features/support/ca_helpers.rb b/cucumber/api/features/support/ca_helpers.rb
index df59136f18..30855bf67f 100644
--- a/cucumber/api/features/support/ca_helpers.rb
+++ b/cucumber/api/features/support/ca_helpers.rb
@@ -76,7 +76,7 @@ def key
end
def key_pem
- @password.to_s.empty? ? @key.to_pem : @key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), @password)
+ @password.to_s.empty? ? @key.to_pem : @key.private_to_pem(OpenSSL::Cipher.new('aes-256-cbc'), @password)
end
def cert
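Review bot: `key_pem` now returns two different encodings depending on whether a password is set: `@key.to_pem` for the unencrypted case and `private_to_pem` (PKCS#8) for the encrypted one. Using the same method in both branches keeps the fixtures uniform: `@password.to_s.empty? ? @key.private_to_pem : @key.private_to_pem(OpenSSL::Cipher.new('aes-256-cbc'), @password)`. A short comment saying why the switch was made would also help, e.g. `# PKCS#8 output; the legacy encrypted PEM format is not usable under OpenSSL 3 / FIPS`; that reason is inferred from the rest of the commit and should be confirmed.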
diff --git a/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature b/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature
index a61e7d8d15..5bead63997 100644
--- a/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature
+++ b/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature
@@ -22,7 +22,7 @@ Feature: JWT Authenticator - ca-cert variable tests
And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert-ONYX-15311.json"
When I GET "/authn-jwt/raw/cucumber/status"
Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://jwks/ca-cert-ONYX-15311.json'. Reason: '#'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks\/ca-cert-ONYX-15311.json'. Reason: '#'"
@sanity
@acceptance
@@ -75,7 +75,7 @@ Feature: JWT Authenticator - ca-cert variable tests
And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert-ONYX-15314.json"
When I GET "/authn-jwt/raw/cucumber/status"
Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://chained.mycompany.local/ca-cert-ONYX-15314.json'. Reason: '#'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/chained.mycompany.local\/ca-cert-ONYX-15314.json'. Reason: '#'"
@sanity
@acceptance
@@ -116,4 +116,4 @@ Feature: JWT Authenticator - ca-cert variable tests
And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate
When I GET "/authn-jwt/raw/cucumber/status"
Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://login.microsoftonline.com/common/discovery/v2.0/keys'. Reason: '#'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys'. Reason: '#'"
diff --git a/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature b/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
index 6bfcc7aead..3ebb1cbc0c 100644
--- a/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
+++ b/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
@@ -628,9 +628,9 @@ Feature: JWT Authenticator - Fetch signing key
And I save my place in the log file
When I authenticate via authn-jwt with the ID token
Then the HTTP response status code is 401
- And The following appears in the log after my savepoint:
+ And The following matches the log after my savepoint:
"""
- CONJ00011E Failed to discover Identity Provider (Provider URI: 'https://jwks'). Reason: '#
+ CONJ00011E Failed to discover Identity Provider \(Provider URI: 'https:\/\/jwks'\). Reason: '#'
"""
@negative @acceptance
@@ -660,9 +660,9 @@ Feature: JWT Authenticator - Fetch signing key
And I save my place in the log file
When I authenticate via authn-jwt with raw service ID
Then the HTTP response status code is 401
- And The following appears in the log after my savepoint:
+ And The following matches the log after my savepoint:
"""
- CONJ00087E Failed to fetch JWKS from 'https://jwks'. Reason: '#'>
+ CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks'. Reason: '#'
"""
@negative @acceptance
diff --git a/cucumber/authenticators_jwt/features/support/jwt_jwks_helper.rb b/cucumber/authenticators_jwt/features/support/jwt_jwks_helper.rb
index 412e485ab7..5c21afafdd 100644
--- a/cucumber/authenticators_jwt/features/support/jwt_jwks_helper.rb
+++ b/cucumber/authenticators_jwt/features/support/jwt_jwks_helper.rb
@@ -205,7 +205,7 @@ def token_body_with_valid_expiration(token_body)
end
def base64_x5t_from_certificate(cert)
- cert_thumbprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
+ cert_thumbprint = OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
Base64.urlsafe_encode64(cert_thumbprint, padding: false)
end
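Review bot: `base64_x5t_from_certificate` now computes a SHA-256 thumbprint, but RFC 7515 defines the `x5t` header as the SHA-1 thumbprint and reserves `x5t#S256` for SHA-256, so the method name and any `x5t` value built from it no longer agree. Either rename the helper and emit the value under `x5t#S256`, or add a comment such as `# SHA-256 thumbprint (x5t#S256 semantics); SHA-1 is unavailable in FIPS mode` so readers do not assume RFC `x5t`. The helper also base64url-encodes the hex string from `hexdigest` rather than the raw `digest` bytes; that predates this commit and may be deliberate for these tests, but it is worth confirming while the line is being touched. Callers of the helper are outside this hunk.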
@@ -219,7 +219,7 @@ def self_signed_certificate(rsa_key)
cert.public_key = rsa_key.public_key
cert.serial = 0x0
cert.version = 2
- cert.sign rsa_key, OpenSSL::Digest::SHA1.new
+ cert.sign(rsa_key, OpenSSL::Digest.new('SHA256'))
cert
end
diff --git a/cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb b/cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb
index 6c6d30f13e..08de32ff45 100644
--- a/cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb
+++ b/cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb
@@ -5,3 +5,7 @@
Then(/^the authenticator status check fails with error "([^"]*)"$/) do |error|
expect(@result["error"]).to include(error)
end
+
+Then(/^the authenticator status check fails with error matching "([^"]*)"$/) do |error|
+ expect(@result["error"]).to match(error)
+end
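Review bot: `match(error)` receives the captured String and turns it into a Regexp implicitly, so the step text is a pattern rather than a literal, and nothing in the step definition says so. Writing `expect(@result["error"]).to match(Regexp.new(error))` with a comment such as `# error is a regular expression, not a literal substring` makes the contract explicit. The feature strings that use this step (authn_jwt_ca_cert.feature in this commit) escape `/`, which is unnecessary, but leave `.` unescaped, so host names and file names match more loosely than the old `include` assertion did. Escaping the dots, or building the pattern from `Regexp.escape` for the fixed parts, would keep the assertions as strict as before.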
diff --git a/dev/files/authn-oidc/adfs/fetchCertificate b/dev/files/authn-oidc/adfs/fetchCertificate
index 4dd8138bf1..7f964bde13 100755
--- a/dev/files/authn-oidc/adfs/fetchCertificate
+++ b/dev/files/authn-oidc/adfs/fetchCertificate
@@ -1,5 +1,5 @@
#!/bin/sh
-httpclient_pem_location="/var/lib/gems/2.5.0/gems/httpclient-2.8.3/lib/httpclient"
+httpclient_pem_location=$(find "$GEM_HOME" -name httpclient -type d)
echo “ADFS cert” >> "$httpclient_pem_location/cacert.pem"
echo | openssl s_client -showcerts -connect adfs4win2016.northeurope.cloudapp.azure.com:443 -servername adfs4win2016.northeurope.cloudapp.azure.com 2>/dev/null | openssl x509 -outform PEM >> "$httpclient_pem_location/cacert.pem"
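Review bot: `find "$GEM_HOME" -name httpclient -type d` can return several directories or none. With several, `$httpclient_pem_location/cacert.pem` becomes a multi-line path; with none, or with `GEM_HOME` unset, the script appends to `/cacert.pem`. Constraining the search and failing early avoids both: `httpclient_pem_location=$(find "${GEM_HOME:?}" -path '*/lib/httpclient' -type d | head -n 1)` followed by `[ -d "$httpclient_pem_location" ] || exit 1`. The `*/lib/httpclient` layout is taken from the path on the removed line and should be confirmed for the installed gem version.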
diff --git a/docs/Dockerfile b/docs/Dockerfile
index fa474d1f2f..b310949bc8 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -2,7 +2,7 @@ FROM jekyll/jekyll:4.0
ADD Gemfile Gemfile.lock /srv/jekyll/
-ENV BUNDLER_VERSION 2.2.33
+ENV BUNDLER_VERSION 2.4.14
RUN gem install bundler -v $BUNDLER_VERSION
RUN bundle --without development
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
index 93168789b8..8ae1ffdc5b 100644
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@@ -267,4 +267,4 @@ DEPENDENCIES
pry
BUNDLED WITH
- 2.2.33
+ 2.4.14
diff --git a/gems/policy-parser/Dockerfile.test b/gems/policy-parser/Dockerfile.test
index c5ac281ed0..cace6c815c 100644
--- a/gems/policy-parser/Dockerfile.test
+++ b/gems/policy-parser/Dockerfile.test
@@ -8,6 +8,6 @@ COPY conjur-policy-parser.gemspec conjur-policy-parser.gemspec
COPY lib/conjur-policy-parser-version.rb lib/conjur-policy-parser-version.rb
# Make sure the expected version of Bundler is available
-ENV BUNDLER_VERSION=2.2.33
+ENV BUNDLER_VERSION=2.4.14
RUN gem install bundler -v ${BUNDLER_VERSION} && \
bundle install
diff --git a/gems/policy-parser/conjur-policy-parser.gemspec b/gems/policy-parser/conjur-policy-parser.gemspec
index f727996d7b..5a653bf621 100644
--- a/gems/policy-parser/conjur-policy-parser.gemspec
+++ b/gems/policy-parser/conjur-policy-parser.gemspec
@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
spec.add_dependency("activesupport", ">= 4.2")
spec.add_dependency("safe_yaml")
- spec.add_development_dependency("bundler", "~> 2.2.33")
+ spec.add_development_dependency("bundler", "~> 2.4.14")
spec.add_development_dependency("ci_reporter_rspec")
spec.add_development_dependency("deepsort")
spec.add_development_dependency("pry")
diff --git a/spec/app/domain/authentication/authn-oidc/v2/client_spec.rb b/spec/app/domain/authentication/authn-oidc/v2/client_spec.rb
index 40f4cfd390..aadf80ba94 100644
--- a/spec/app/domain/authentication/authn-oidc/v2/client_spec.rb
+++ b/spec/app/domain/authentication/authn-oidc/v2/client_spec.rb
@@ -638,7 +638,7 @@ def client(config)
)
end.to raise_error(Errors::Authentication::AuthnOidc::InvalidCertificate) do |e|
expect(e.message).to include(cert)
- expect(e.message).to include("nested asn1 error")
+ expect(e.message).to include("Invalid certificate")
end
end
end
diff --git a/spec/app/domain/authentication/authn_k8s/web_socket_client_spec.rb b/spec/app/domain/authentication/authn_k8s/web_socket_client_spec.rb
index 0dc1700d7f..dc40aace57 100644
--- a/spec/app/domain/authentication/authn_k8s/web_socket_client_spec.rb
+++ b/spec/app/domain/authentication/authn_k8s/web_socket_client_spec.rb
@@ -84,7 +84,7 @@
expect {
@client = Authentication::AuthnK8s::WebSocketClient.connect("wss://localhost:#{@test_server.port}")
}.to raise_error(OpenSSL::SSL::SSLError, nil) { |error|
- expect(error.message).to eq("SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)")
+ expect(error.message).to eq("SSL_connect returned=1 errno=0 peeraddr=127.0.0.1:#{@test_server.port} state=error: certificate verify failed (unable to get local issuer certificate)")
}
end
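Review bot: The expectation pins the whole OpenSSL error string with `eq`, including the new `peeraddr=127.0.0.1:<port>` segment, so it will break again whenever the library rewords the message or `localhost` resolves to a different address. Asserting only the part the test is about is more stable: `expect(error.message).to include("certificate verify failed (unable to get local issuer certificate)")`. The same applies to the identical assertion in the second hunk of this file.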
@@ -156,7 +156,7 @@
expect {
@client = Authentication::AuthnK8s::WebSocketClient.connect("wss://localhost:#{@test_server.port}")
}.to raise_error(OpenSSL::SSL::SSLError, nil) { |error|
- expect(error.message).to eq("SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)")
+ expect(error.message).to eq("SSL_connect returned=1 errno=0 peeraddr=127.0.0.1:#{@test_server.port} state=error: certificate verify failed (unable to get local issuer certificate)")
}
end