Openssl 3 base images

.dockerignore

@@ -12,6 +12,7 @@ cucumber
 
 *.deb
 .git
+.idea
 engines/conjur_audit/spec/dummy/log
 coverage
 demo

CHANGELOG.md

@@ -29,6 +29,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Introduces support for Policy Factory, which enables resource creation
  through a new `factories` API.
  [cyberark/conjur#2855](https://github.com/cyberark/conjur/pull/2855/files)
+- Use base images with newer Ubuntu and UBI.
+ Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
+ [cyberark/conjur#2874](https://github.com/cyberark/conjur/pull/2874)
 
 ### Changed
 - The database thread pool max connection size is now based on the number of

Dockerfile

@@ -30,17 +30,6 @@ ENV PATH="${PATH}:${CONJUR_HOME}/bin"
 
 WORKDIR ${CONJUR_HOME}
 
-RUN apt-get update -y && \
- apt-get -y dist-upgrade && \
- apt-get install -y libz-dev
-
-RUN apt-get install -y build-essential \
- curl \
- git \
- ldap-utils \
- tzdata \
- && rm -rf /var/lib/apt/lists/*
-
 # Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
 RUN mkdir -p $TMP_DIR \
  $LOG_DIR \

Dockerfile.fpm

@@ -5,8 +5,7 @@ RUN apt-get update -y && \
  apt-get install -y zlib1g-dev \
  liblzma-dev
 
-ENV BUNDLER_VERSION 2.2.33
-RUN gem install --no-document bundler:$BUNDLER_VERSION fpm
+RUN gem install --no-document fpm
 
 RUN mkdir -p /src/opt/conjur/project
 
@@ -19,7 +18,7 @@ COPY gems/ gems/
 COPY . .
 
 # removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+RUN find / -name httpclient -type d -exec find {} -name "*.pem" -type f -delete \;
 
 ADD debify.sh /
 

Dockerfile.test

@@ -14,10 +14,12 @@ RUN bundle config unset --local without && \
  bundle config unset --local path && \
  bundle config set --local deployment false && \
  bundle config --local jobs "$(nproc --all)" && \
- bundle install
-
-# removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name "*.pem" -type f -delete \;
+ bundle install && \
+ # removing CA bundle of httpclient gem
+ find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
+ find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+ # remove the private key in the oidc_connect gem spec directory
+ find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;
 
 FROM conjur:${VERSION}
 

Dockerfile.ubi

@@ -8,13 +8,6 @@ WORKDIR ${CONJUR_HOME}
 COPY Gemfile Gemfile.lock ./
 COPY ./gems/ ./gems/
 
-# Install package dependencies for Conjur
-RUN INSTALL_PKGS="openldap-clients \
- tzdata" && \
- yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
- rpm -V $INSTALL_PKGS && \
- yum -y clean all --enablerepo='*'
-
 RUN bundle config set --local without 'test development' && \
  bundle config set --local deployment true && \
  bundle config set --local path vendor/bundle && \

Gemfile.lock

@@ -283,7 +283,7 @@ GEM
  net-smtp
  marcel (1.0.2)
  method_source (1.0.0)
- mime-types (3.5.0)
+ mime-types (3.5.1)
  mime-types-data (~> 3.2015)
  mime-types-data (3.2023.0808)
  mini_mime (1.1.2)
@@ -293,14 +293,14 @@ GEM
  net-imap (0.3.7)
  date
  net-protocol
- net-ldap (0.17.0)
+ net-ldap (0.18.0)
  net-pop (0.1.2)
  net-protocol
  net-protocol (0.2.1)
  timeout
  net-smtp (0.3.3)
  net-protocol
- net-ssh (6.1.0)
+ net-ssh (7.1.0)
  netrc (0.11.0)
  nio4r (2.5.9)
  nokogiri (1.15.3-x86_64-darwin)

NOTICES.txt

@@ -41,7 +41,7 @@ Section 4: MIT
 >>> https://rubygems.org/gems/kubeclient/versions/4.11.0
 >>> https://rubygems.org/gems/listen/versions/3.8.0
 >>> https://rubygems.org/gems/loofah/versions/2.21.3
->>> https://rubygems.org/gems/net-ldap/versions/0.17.0
+>>> https://rubygems.org/gems/net-ldap/versions/0.18.0
 >>> https://rubygems.org/gems/nokogiri/versions/1.15.3-x86_64-darwin
 >>> https://rubygems.org/gems/openid_connect/versions/1.3.0
 >>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
@@ -636,7 +636,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/net-ldap/versions/0.17.0
+>>> https://rubygems.org/gems/net-ldap/versions/0.18.0
 
 Copyright 2006–2011 by Francis Cianfrocca and other contributors.
 
@@ -1212,4 +1212,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

VERSION_APPLIANCE

@@ -1 +1 @@
-5.0
+PR-57

app/views/status/index.html.erb

@@ -58,6 +58,7 @@
  <dt>Details:</dt>
  <dd>Version <%= ENV["CONJUR_VERSION_DISPLAY"] %></dd>
  <dd>API Version <a href="https://github.com/cyberark/conjur-openapi-spec/releases/tag/v<%= ENV["API_VERSION"] %>"><%= ENV["API_VERSION"] %></a>
+ <dd>FIPS mode <%= ENV["FIPS_MODE_STATUS"] %></a>
  <dt>More Info:</dt>
  <dd>
  <ul>

build.sh

@@ -66,7 +66,7 @@ git rev-parse HEAD > conjur_git_commit
 # 1. Always, when we're developing locally
 if [[ $jenkins = false ]]; then
  echo "Building image conjur-dev"
- docker build -t conjur-dev -f dev/Dockerfile.dev .
+ docker build --tag conjur-dev --file dev/Dockerfile.dev .
  exit 0
 fi
 
@@ -77,17 +77,17 @@ image_doesnt_exist() {
 
 if image_doesnt_exist "conjur:$TAG"; then
  echo "Building image conjur:$TAG"
- docker build -t "conjur:$TAG" .
+ docker build --pull --tag "conjur:$TAG" .
  flatten "conjur:$TAG"
 fi
 
 if image_doesnt_exist "conjur-test:$TAG"; then
  echo "Building image conjur-test:$TAG container"
- docker build --build-arg "VERSION=$TAG" -t "conjur-test:$TAG" -f Dockerfile.test .
+ docker build --build-arg "VERSION=$TAG" --tag "conjur-test:$TAG" --file Dockerfile.test .
 fi
 
 if image_doesnt_exist "conjur-ubi:$TAG"; then
  echo "Building image conjur-ubi:$TAG container"
- docker build --build-arg "VERSION=$TAG" -t "conjur-ubi:$TAG" -f Dockerfile.ubi .
+ docker build --pull --build-arg "VERSION=$TAG" --tag "conjur-ubi:$TAG" --file Dockerfile.ubi .
  flatten "conjur-ubi:$TAG"
 fi

ci/coverage-report-generator/Gemfile.lock

@@ -17,4 +17,4 @@ DEPENDENCIES
  simplecov_json_formatter (= 0.1.4)
 
 BUNDLED WITH
- 2.2.33
+ 2.4.14

ci/coverage-report-generator/run.sh

@@ -7,7 +7,7 @@
 set -xeu
 
 IMAGE="ruby:3.0"
-BUNDLER_VERSION="2.2.33"
+BUNDLER_VERSION="2.4.14"
 
 REPO_ROOT=$(git rev-parse --show-toplevel)
 

ci/docker-compose.yml

@@ -15,7 +15,7 @@ services:
  POSTGRES_HOST_AUTH_METHOD: trust
 
  pg2:
- image: postgres:10.16
+ image: postgres:15
  environment:
  # To avoid the following error:
  #
@@ -49,7 +49,7 @@ services:
  POSTGRES_HOST_AUTH_METHOD: trust
 
  testdb2:
- image: postgres:10.16
+ image: postgres:15
  environment:
  # To avoid the following error:
  #

ci/oauth/keycloak/fetch_certificate

@@ -13,5 +13,6 @@ openssl s_client \
  -outform PEM \
  >/etc/ssl/certs/keycloak.pem
 
-hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem --noout)
+
 ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0" || true

config/initializers/fips.rb

@@ -1,5 +1,6 @@
 require "openssl"
 require "digest"
+require "ffi"
 
 # Suppress warning messages
 original_verbose = $VERBOSE
@@ -12,9 +13,27 @@
 # Activate warning messages again
 $VERBOSE = original_verbose
 
-# by default FIPS mode is enabled
-# disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
-OpenSSL.fips_mode = !(ENV["OPENSSL_FIPS_ENABLED"].present? && ENV["OPENSSL_FIPS_ENABLED"] == 'false')
+# This is a temporary workaround to support OpenSSL v3 until ruby openssl gem properly handles fips mode state
+# https://github.com/ruby/openssl/issues/369
+if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with?("OpenSSL 3")
+ module OpenSSL
+ extend FFI::Library
+ ffi_lib 'libssl.so'
+ attach_function :EVP_default_properties_is_fips_enabled, [:pointer], :int
+
+ def self.fips_mode
+ EVP_default_properties_is_fips_enabled(nil) == 1
+ end
+
+ def self.fips_mode=(mode)
+ raise "Changing FIPS state in OpenSSL 3 needs to be done with OpenSSL configuration"
+ end
+ end
+else
+ # by default FIPS mode is enabled
+ # disable FIPS mode only if OPENSSL_FIPS_ENABLED environment variable is present and has false value
+ OpenSSL.fips_mode = !(ENV.fetch('OPENSSL_FIPS_ENABLED', 'true') == 'false')
+end
 
 # each of the following 3rd party overridden is required since a non FIPS complaint encryption method is used
 # if a non-complaint FIPS method like MD5 is used or a direct use of Digest::encryption-method

config/initializers/status.rb

@@ -4,3 +4,4 @@
 
 ENV["CONJUR_VERSION_DISPLAY"] = File.read(File.expand_path("../../VERSION", File.dirname(__FILE__)))
 ENV["API_VERSION"] = File.read(File.expand_path("../../API_VERSION", File.dirname(__FILE__)))
+ENV["FIPS_MODE_STATUS"] = OpenSSL.fips_mode ? "enabled" : "disabled"

cucumber/api/features/support/ca_helpers.rb

@@ -76,7 +76,7 @@ def key
  end
 
  def key_pem
- @password.to_s.empty? ? @key.to_pem : @key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), @password)
+ @password.to_s.empty? ? @key.to_pem : @key.private_to_pem(OpenSSL::Cipher.new('aes-256-cbc'), @password)
  end
 
  def cert

cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature

@@ -22,7 +22,7 @@ Feature: JWT Authenticator - ca-cert variable tests
  And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert-ONYX-15311.json"
  When I GET "/authn-jwt/raw/cucumber/status"
  Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://jwks/ca-cert-ONYX-15311.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks\/ca-cert-ONYX-15311.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=\d+.\d+.\d+.\d+:443 state=error: certificate verify failed \(self-signed certificate\)>'"
 
  @sanity
  @acceptance
@@ -75,7 +75,7 @@ Feature: JWT Authenticator - ca-cert variable tests
  And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert-ONYX-15314.json"
  When I GET "/authn-jwt/raw/cucumber/status"
  Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://chained.mycompany.local/ca-cert-ONYX-15314.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/chained.mycompany.local\/ca-cert-ONYX-15314.json'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=\d+.\d+.\d+.\d+:443 state=error: certificate verify failed \(self-signed certificate in certificate chain\)>'"
 
  @sanity
  @acceptance
@@ -116,4 +116,4 @@ Feature: JWT Authenticator - ca-cert variable tests
  And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate
  When I GET "/authn-jwt/raw/cucumber/status"
  Then the HTTP response status code is 500
- And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'https://login.microsoftonline.com/common/discovery/v2.0/keys'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)>'>"
+ And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=\d+.\d+.\d+.\d+:443 state=error: certificate verify failed \(unable to get local issuer certificate\)>'"

cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature

@@ -628,9 +628,9 @@ Feature: JWT Authenticator - Fetch signing key
  And I save my place in the log file
  When I authenticate via authn-jwt with the ID token
  Then the HTTP response status code is 401
- And The following appears in the log after my savepoint:
+ And The following matches the log after my savepoint:
  """
- CONJ00011E Failed to discover Identity Provider (Provider URI: 'https://jwks'). Reason: '#<OpenIDConnect::Discovery::DiscoveryFailed: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>
+ CONJ00011E Failed to discover Identity Provider \(Provider URI: 'https:\/\/jwks'\). Reason: '#<OpenIDConnect::Discovery::DiscoveryFailed: SSL_connect returned=1 errno=0 peeraddr=\d+.\d+.\d+.\d+:443 state=error: certificate verify failed \(self-signed certificate\)>'
  """
 
  @negative @acceptance
@@ -660,9 +660,9 @@ Feature: JWT Authenticator - Fetch signing key
  And I save my place in the log file
  When I authenticate via authn-jwt with raw service ID
  Then the HTTP response status code is 401
- And The following appears in the log after my savepoint:
+ And The following matches the log after my savepoint:
  """
- CONJ00087E Failed to fetch JWKS from 'https://jwks'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>'>
+ CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=\d+.\d+.\d+.\d+:443 state=error: certificate verify failed \(self-signed certificate\)>'
  """
 
  @negative @acceptance

cucumber/authenticators_jwt/features/support/jwt_jwks_helper.rb

@@ -205,7 +205,7 @@ def token_body_with_valid_expiration(token_body)
  end
 
  def base64_x5t_from_certificate(cert)
- cert_thumbprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
+ cert_thumbprint = OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  Base64.urlsafe_encode64(cert_thumbprint, padding: false)
  end
 
@@ -219,7 +219,7 @@ def self_signed_certificate(rsa_key)
  cert.public_key = rsa_key.public_key
  cert.serial = 0x0
  cert.version = 2
- cert.sign rsa_key, OpenSSL::Digest::SHA1.new
+ cert.sign(rsa_key, OpenSSL::Digest.new('SHA256'))
 
  cert
  end

cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb

@@ -5,3 +5,7 @@
 Then(/^the authenticator status check fails with error "([^"]*)"$/) do |error|
  expect(@result["error"]).to include(error)
 end
+
+Then(/^the authenticator status check fails with error matching "([^"]*)"$/) do |error|
+ expect(@result["error"]).to match(error)
+end

dev/files/authn-oidc/adfs/fetchCertificate

@@ -1,5 +1,5 @@
 #!/bin/sh
-httpclient_pem_location="/var/lib/gems/2.5.0/gems/httpclient-2.8.3/lib/httpclient"
+httpclient_pem_location=$(find "$GEM_HOME" -name httpclient -type d)
 
 echo “ADFS cert” >> "$httpclient_pem_location/cacert.pem"
 echo | openssl s_client -showcerts -connect adfs4win2016.northeurope.cloudapp.azure.com:443 -servername adfs4win2016.northeurope.cloudapp.azure.com 2>/dev/null | openssl x509 -outform PEM >> "$httpclient_pem_location/cacert.pem"

docs/Dockerfile

@@ -2,7 +2,7 @@ FROM jekyll/jekyll:4.0
 
 ADD Gemfile Gemfile.lock /srv/jekyll/
 
-ENV BUNDLER_VERSION 2.2.33
+ENV BUNDLER_VERSION 2.4.14
 RUN gem install bundler -v $BUNDLER_VERSION
 
 RUN bundle --without development

docs/Gemfile.lock

@@ -267,4 +267,4 @@ DEPENDENCIES
  pry
 
 BUNDLED WITH
- 2.2.33
+ 2.4.14

gems/policy-parser/Dockerfile.test

@@ -8,6 +8,6 @@ COPY conjur-policy-parser.gemspec conjur-policy-parser.gemspec
 COPY lib/conjur-policy-parser-version.rb lib/conjur-policy-parser-version.rb
 
 # Make sure the expected version of Bundler is available
-ENV BUNDLER_VERSION=2.2.33
+ENV BUNDLER_VERSION=2.4.14
 RUN gem install bundler -v ${BUNDLER_VERSION} && \
  bundle install

gems/policy-parser/conjur-policy-parser.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
  spec.add_dependency("activesupport", ">= 4.2")
  spec.add_dependency("safe_yaml")
 
- spec.add_development_dependency("bundler", "~> 2.2.33")
+ spec.add_development_dependency("bundler", "~> 2.4.14")
  spec.add_development_dependency("ci_reporter_rspec")
  spec.add_development_dependency("deepsort")
  spec.add_development_dependency("pry")

spec/app/domain/authentication/authn-oidc/v2/client_spec.rb

@@ -638,7 +638,7 @@ def client(config)
  )
  end.to raise_error(Errors::Authentication::AuthnOidc::InvalidCertificate) do |e|
  expect(e.message).to include(cert)
- expect(e.message).to include("nested asn1 error")
+ expect(e.message).to include("Invalid certificate")
  end
  end
  end