Merge pull request #2021 from cyberark/integrate-12.0

Integrate 12.0 Release Branch
cyberark · Feb 2, 2021 · e24f2e2 · e24f2e2
2 parents 8123ca2 + f5c70e3
commit e24f2e2
Show file tree

Hide file tree

Showing 12 changed files with 161 additions and 27 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.11.2] - 2021-02-02
 ### Added
 - New `edge`-tagged images are published to DockerHub on every master branch
   build.
@@ -17,15 +18,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [Conjur Base Image](https://github.com/cyberark/conjur-base-image) project
   are included in their Conjur image.
   [cyberark/conjur#1974](https://github.com/cyberark/conjur/issues/1974)
-- Correct unit tests and integration tests for audit, and correct a couple of issues found with them.
-  [cyberark/conjur#1987](https://github.com/cyberark/conjur/issues/1987)
 - Messages for password change now have the field `role` instead of `user` under `subject`
   [cyberark/conjur#2014](https://github.com/cyberark/conjur/issues/2014)
-- When batch secret requests are sent with an `Accept: base64` header, the secret values in the response will all be
-  Base64-encoded. Sending requests with this header allows users to retrieve binary secrets encoded in Base64.
+- When batch secret requests are sent with an `Accept: base64` header, the secret
+  values in the response will all be Base64-encoded. Sending requests with this
+  header allows users to retrieve binary secrets encoded in Base64.
   [cyberark/conjur#1962](https://github.com/cyberark/conjur/issues/1962)
 - Conjur now verifies that the `offset` parameter is a valid integer value.
-  The `GET /resources` request will fail if `offset` is not an integer greater than or equal to 0.
+  The `GET /resources` request will fail if `offset` is not an integer greater
+  than or equal to 0.
   [cyberark/conjur#1997](https://github.com/cyberark/conjur/issues/1997)
 
 ### Fixed
@@ -38,16 +39,22 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Audit engine routing now correctly matches URLs that include a period (`.`)
   in the resource ID.
   [cyberark/conjur#2001](https://github.com/cyberark/conjur/issues/2001)
-- Attempts to retrieve binary secret data in a batch request without using the `Accept: base64` header now returns a
-  message explaining that improper secret encoding is the cause of the 500 response.
+- Attempts to retrieve binary secret data in a batch request without using
+  the `Accept: base64` header now returns a message explaining that improper
+  secret encoding is the cause of the 500 response.
   [cyberark/conjur#1962](https://github.com/cyberark/conjur/issues/1962)
 - `GET /resources` request with non-numeric delimiter (limit or offset) now
   returns `Error 422 Unprocessable Entity` instead of `Error 500`.
   [cyberark/conjur#1997](https://github.com/cyberark/conjur/issues/1997)
-- `POST /host_factory_tokens` request with invalid ip address or CIDR range of `cidr` parameter
-  now returns `Error 422 Unprocessable Entity` instead of `Error 500`.
+- `POST /host_factory_tokens` request with invalid ip address or CIDR range of
+  `cidr` parameter now returns `Error 422 Unprocessable Entity` instead of `Error 500`.
   [cyberark/conjur#2011](https://github.com/cyberark/conjur/issues/2011)
 
+### Security
+- Kubernetes authenticator certificate injection process now performs certificate
+  verification to prevent MitM attacks.
+  [Security Bulletin](https://github.com/cyberark/conjur/security/advisories/GHSA-hvhv-f953-rwmv)
+
 ## [1.11.1] - 2020-11-19
 ### Added
 - UBI-based Conjur image to support Conjur server running on OpenShift. Image
@@ -521,7 +528,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - The first tagged version.
 
-[Unreleased]: https://github.com/cyberark/conjur/compare/v1.11.1...HEAD
+[Unreleased]: https://github.com/cyberark/conjur/compare/v1.11.2...HEAD
+[1.11.2]: https://github.com/cyberark/conjur/compare/v1.11.1...v1.11.2
 [1.11.1]: https://github.com/cyberark/conjur/compare/v1.11.0...v1.11.1
 [1.11.0]: https://github.com/cyberark/conjur/compare/v1.10.0...v1.11.0
 [1.10.0]: https://github.com/cyberark/conjur/compare/v1.9.0...v1.10.0

diff --git a/Gemfile b/Gemfile
@@ -80,7 +80,8 @@ end
 
 # authn-k8s
 gem 'kubeclient'
-gem 'websocket-client-simple'
+gem 'websocket'
+gem 'event_emitter'
 
 # authn-oidc
 gem 'jwt'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -430,9 +430,6 @@ GEM
       activesupport
       httpclient (>= 2.4)
     websocket (1.2.8)
-    websocket-client-simple (0.3.0)
-      event_emitter
-      websocket
     websocket-driver (0.7.3)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -464,6 +461,7 @@ DEPENDENCIES
   debase
   dry-struct (~> 0.4.0)
   dry-types (~> 0.12.2)
+  event_emitter
   ffi (>= 1.9.24)
   gli
   haikunator (~> 1)
@@ -510,7 +508,7 @@ DEPENDENCIES
   spring-commands-cucumber
   spring-commands-rspec
   table_print
-  websocket-client-simple
+  websocket
 
 RUBY VERSION
    ruby 2.5.8p224

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -127,9 +127,12 @@ pipeline {
         // TODO: Add comments explaining which env vars are set here.
         stage('Prepare For CodeClimate Coverage Report Submission') {
           steps {
-            script {
-              ccCoverage.dockerPrep()
-              sh 'mkdir -p coverage'
+            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
+              script {
+                ccCoverage.dockerPrep()
+                sh 'mkdir -p coverage'
+                env.CODE_CLIMATE_PREPARED = "true"
+              }
             }
           }
         }
@@ -495,6 +498,11 @@ pipeline {
     } // end stage: build and test conjur
 
     stage('Submit Coverage Report') {
+      when {
+        expression {
+          env.CODE_CLIMATE_PREPARED == "true"
+        }
+      }
       steps{
         sh 'ci/submit-coverage'
       }
@@ -566,7 +574,7 @@ pipeline {
 def tagWithSHA() {
   sh(
     returnStdout: true,
-    script: 'echo $(< VERSION)-$(git rev-parse --short=8 HEAD)'
+    script: 'echo $(git rev-parse --short=8 HEAD)'
   )
 }
 

diff --git a/NOTICES.txt b/NOTICES.txt
@@ -55,6 +55,8 @@ Section 4: MIT
 >>> https://rubygems.org/gems/slosilo/versions/2.2.1
 >>> https://rubygems.org/gems/uglifier/versions/4.2.0
 >>> https://rubygems.org/gems/websocket-client-simple/versions/0.3.0
+>>> https://rubygems.org/gems/event_emitter/versions/0.2.6
+>>> https://rubygems.org/gems/websocket/versions/1.2.8
 
 APPENDIX: Standard License Files and Templates
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.11.1
+1.11.2
diff --git a/app/domain/authentication/authn_k8s/execute_command_in_container.rb b/app/domain/authentication/authn_k8s/execute_command_in_container.rb
@@ -6,7 +6,6 @@
 require 'rubygems/package'
 
 require 'active_support/time'
-require 'websocket-client-simple'
 require 'timeout'
 
 module Authentication
@@ -15,7 +14,7 @@ module AuthnK8s
     ExecuteCommandInContainer ||= CommandClass.new(
       dependencies: {
         timeout:                       ENV['KUBE_EXEC_COMMAND_TIMEOUT'],
-        websocket_client:              WebSocket::Client::Simple,
+        websocket_client:              WebSocketClient,
         ws_client_event_handler_class: WebSocketClientEventHandler,
         message_log_class:             MessageLog,
         validate_message:              MessageLog::ValidateMessage.new,
@@ -45,7 +44,14 @@ def init_ws_client
       end
 
       def ws_client
-        @ws_client ||= @websocket_client.connect(server_url, headers: headers)
+        @ws_client ||= @websocket_client.connect(
+          server_url,
+          {
+            headers: headers,
+            verify_mode: OpenSSL::SSL::VERIFY_PEER,
+            cert_store: @k8s_object_lookup.cert_store
+          }
+        )
       end
 
       def ws_client_event_handler

diff --git a/app/domain/authentication/authn_k8s/k8s_object_lookup.rb b/app/domain/authentication/authn_k8s/k8s_object_lookup.rb
@@ -18,6 +18,8 @@ class K8sObjectLookup
 
       class K8sForbiddenError < RuntimeError; end
 
+      attr_reader :cert_store
+
       def initialize(webservice = nil)
         @webservice = webservice
         @cert_store = OpenSSL::X509::Store.new

diff --git a/app/domain/authentication/authn_k8s/web_socket_client.rb b/app/domain/authentication/authn_k8s/web_socket_client.rb
@@ -0,0 +1,107 @@
+## This code is based on github.com/shokai/websocket-client-simple (MIT License)
+
+require "event_emitter"
+require 'websocket'
+
+# Utility class for processing WebSocket messages.
+module Authentication
+  module AuthnK8s
+    class WebSocketClient
+      include EventEmitter
+      attr_reader :url, :handshake
+
+      def self.connect(url, options = {})
+        client = WebSocketClient.new
+        yield client if block_given?
+        client.connect url, options
+        return client
+      end
+
+      def connect(url, options = {})
+        return if @socket
+        @url = url
+        uri = URI.parse url
+        @socket = TCPSocket.new(uri.host,
+                                uri.port || (uri.scheme == 'wss' ? 443 : 80))
+        if ['https', 'wss'].include? uri.scheme
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.ssl_version = options[:ssl_version] || 'SSLv23'
+          ctx.verify_mode = options[:verify_mode] || OpenSSL::SSL::VERIFY_NONE #use VERIFY_PEER for verification
+          cert_store = options[:cert_store]
+          unless cert_store
+            cert_store = OpenSSL::X509::Store.new
+            cert_store.set_default_paths
+          end
+          ctx.cert_store = cert_store
+          @socket = ::OpenSSL::SSL::SSLSocket.new(@socket, ctx)
+          @socket.connect
+        end
+        @handshake = ::WebSocket::Handshake::Client.new :url => url, :headers => options[:headers]
+        @handshaked = false
+        @pipe_broken = false
+        frame = ::WebSocket::Frame::Incoming::Client.new
+        @closed = false
+        once :__close do |err|
+          close
+          emit :close, err
+        end
+
+        @thread = Thread.new do
+          while !@closed do
+            begin
+              unless recv_data = @socket.getc
+                sleep 1
+                next
+              end
+              unless @handshaked
+                @handshake << recv_data
+                if @handshake.finished?
+                  @handshaked = true
+                  emit :open
+                end
+              else
+                frame << recv_data
+                while msg = frame.next
+                  emit :message, msg
+                end
+              end
+            rescue => e
+              emit :error, e
+            end
+          end
+        end
+
+        @socket.write @handshake.to_s
+      end
+
+      def send(data, opt = { :type => :text })
+        return if !@handshaked or @closed
+        type = opt[:type]
+        frame = ::WebSocket::Frame::Outgoing::Client.new(:data => data, :type => type, :version => @handshake.version)
+        begin
+          @socket.write frame.to_s
+        rescue Errno::EPIPE => e
+          @pipe_broken = true
+          emit :__close, e
+        end
+      end
+
+      def close
+        return if @closed
+        if !@pipe_broken
+          send nil, :type => :close
+        end
+        @closed = true
+        @socket.close if @socket
+        @socket = nil
+        emit :__close
+        Thread.kill @thread if @thread
+      end
+
+      def open?
+        @handshake.finished? and !@closed
+      end
+
+    end
+  end
+end
diff --git a/build_utils.sh b/build_utils.sh
@@ -3,7 +3,7 @@
 # Functions to generate version numbers for this project
 
 function version_tag() {
-  echo "$(< VERSION)-$(git rev-parse --short=8 HEAD)"
+  echo "$(git rev-parse --short=8 HEAD)"
 }
 
 # generate less specific versions, eg. given 1.2.3 will print 1.2 and 1

diff --git a/ci/authn-k8s/test.sh b/ci/authn-k8s/test.sh
@@ -74,7 +74,7 @@ function createNginxCert() {
 }
 
 function buildDockerImages() {
-  conjur_version=$(echo "$(< ../../VERSION)-$(git rev-parse --short=8 HEAD)")
+  conjur_version=$(echo "$(git rev-parse --short=8 HEAD)")
   DOCKER_REGISTRY_PATH="registry.tld"
 
   docker pull $DOCKER_REGISTRY_PATH/conjur:$conjur_version

diff --git a/spec/app/domain/authentication/authn_k8s/execute_command_in_container_spec.rb b/spec/app/domain/authentication/authn_k8s/execute_command_in_container_spec.rb
@@ -26,8 +26,8 @@ def handshake
       end
     end
 
-    def connect(server_url, headers:)
-      @connect_args = [server_url, headers]
+    def connect(server_url, options)
+      @connect_args = [server_url, options]
       # In the production class, "connect" is defined on Client::Simple, and
       # calling "connect" returns an instance of Client::Simple::Client. For
       # the mock, there's not reason to make that distinction, and we can
@@ -110,6 +110,8 @@ def trigger_error(err)
     double('K8sObjectLookup').tap do |k8s_object_lookup|
       allow(k8s_object_lookup).to receive(:kube_client)
         .and_return(kube_client)
+      allow(k8s_object_lookup).to receive(:cert_store)
+        .and_return("cert_store")
     end
   end