Merge pull request #2994 from cyberark/conjur-cloud-merge-master-31-aug

Conjur cloud merge master 31 aug

CHANGELOG.md

@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
+## [1.0.11-cloud] - 2023-10-29
+
 ## [1.0.10-cloud] - 2023-10-22
 ### Added
 - Telemetry logs for ephemeral secrets
@@ -137,27 +139,48 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 - Remove auto-release options to allow for a pseudo-fork development on a branch
 
-## [1.20.0] - 2023-07-11
+## [1.20.0] - 2023-08-16
+
+### Fixed
+- OIDC authenticators support `https_proxy` and `HTTPS_PROXY` environment variables
+  [cyberark/conjur#2902](https://github.com/cyberark/conjur/pull/2902)
+- Support plural syntax for revoke and deny
+  [cyberark/conjur#2901](https://github.com/cyberark/conjur/pull/2901)
 
 ### Added
-- Telemetry support
-  [cyberark/conjur#2854](https://github.com/cyberark/conjur/pull/2854)
 - New flag to `conjurctl server` command called `--no-migrate` which allows for skipping
   the database migration step when starting the server.
   [cyberark/conjur#2895](https://github.com/cyberark/conjur/pull/2895)
+- Telemetry support
+  [cyberark/conjur#2854](https://github.com/cyberark/conjur/pull/2854)
+- Introduces support for Policy Factory, which enables resource creation
+  through a new `factories` API.
+  [cyberark/conjur#2855](https://github.com/cyberark/conjur/pull/2855/files)
 
 ### Changed
 - The database thread pool max connection size is now based on the number of
   web worker threads per process, rather than an arbitrary fixed number. This
   mitigates the possibility of a web worker becoming starved while waiting for
   a connection to become available.
   [cyberark/conjur#2875](https://github.com/cyberark/conjur/pull/2875)
+- Additive policy requests submitted via POST are rejected with a 400 status if
+  they attempt to update an existing resource.
+  [cyberark/conjur#2888](https://github.com/cyberark/conjur/pull/2888)
 
 ### Fixed
 - Support Authn-IAM regional requests when host value is missing from signed headers.
   [cyberark/conjur#2827](https://github.com/cyberark/conjur/pull/2827)
+
+### Security
 - Support plural syntax for revoke and deny
-  [CONJSE-1783](https://ca-il-jira.il.cyber-ark.com:8443/browse/CONJSE-1783)
+  [cyberark/conjur#2901](https://github.com/cyberark/conjur/pull/2901)
+- Previously, attempting to add and remove a privilege in the same policy load
+  resulted in only the positive privilege (grant, permit) taking effect. Now we
+  fail safe and the negative privilege statement (revoke, deny) is the final
+  outcome
+  [cyberark/conjur#2907](https://github.com/cyberark/conjur/pull/2907)
+- Update puma to 6.3.1 to address CVE-2023-40175.
+  [cyberark/conjur#2925](https://github.com/cyberark/conjur/pull/2925)
 
 ## [1.19.5] - 2023-06-29
 

Dockerfile

@@ -33,13 +33,14 @@ COPY Gemfile \
 COPY gems/ gems/
 
 
-RUN bundle --without test development
+RUN bundle --without test development && \
+    # Remove private keys brought in by gems in their test data
+    find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \; && \
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+    find / -name httpclient -type d -exec find {} -name '*.pem' -type f -delete \;
 
 COPY . .
 
-# removing CA bundle of httpclient gem
-RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
-
 RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
 
 ENV RAILS_ENV production

Dockerfile.ubi

@@ -76,7 +76,9 @@ RUN INSTALL_PKGS="gcc \
     yum -y clean all --enablerepo='*' && \
     # removing CA bundle of httpclient gem
     find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
-    find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \;
+    find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+    # remove the private key in the oidc_connect gem spec directory
+    find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;
 
 COPY . .
 

Gemfile

@@ -20,7 +20,7 @@ gem 'http', '~> 4.2.0'
 gem 'iso8601'
 gem 'jbuilder', '~> 2.7.0'
 gem 'nokogiri', '>= 1.8.2'
-gem 'puma', '~> 5.6'
+gem 'puma', '~> 6'
 gem 'rack', '~> 2.2'
 gem 'rails', '~> 6.1', '>= 6.1.4.6'
 gem 'rake'
@@ -62,6 +62,9 @@ gem 'net-ldap'
 # for AWS rotator
 gem 'aws-sdk-iam', require: false
 
+# we need this version since any newer introduces braking change that causes issues with safe_yaml: https://github.com/ruby/psych/discussions/571
+gem 'psych', '=3.3.2'
+
 group :production do
   gem 'rails_12factor'
 end
@@ -72,13 +75,14 @@ gem 'kubeclient'
 gem 'websocket'
 
 # authn-oidc, gcp, azure, jwt
-gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+# gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+gem 'jwt', '2.7.1'
 # authn-oidc
-gem 'openid_connect'
+gem 'openid_connect', '~> 2.0'
 
 gem "anyway_config"
 gem 'i18n', '~> 1.8.11'
-
+gem 'json_schemer'
 gem 'prometheus-client'
 
 group :development, :test do
@@ -90,6 +94,7 @@ group :development, :test do
   gem 'cucumber', '~> 7.1'
   gem 'database_cleaner', '~> 1.8'
   gem 'debase', '~> 0.2.5.beta2'
+  gem 'debase-ruby_core_source', '~> 3.2.1'
   gem 'json_spec', '~> 1.1'
   gem 'faye-websocket'
   gem 'net-ssh'
@@ -103,7 +108,7 @@ group :development, :test do
   gem 'rspec'
   gem 'rspec-core'
   gem 'rspec-rails'
-  gem 'ruby-debug-ide'
+  # gem 'ruby-debug-ide'
 
   # We use a post-coverage hook to sleep covered processes until we're ready to
   # collect the coverage reports in CI. Because of this, we don't want bundler