From 0813565eae8d6df8db816ada519dde320416762c Mon Sep 17 00:00:00 2001 From: JR Conlin Date: Tue, 20 Oct 2020 08:50:25 -0700 Subject: [PATCH] chore: update circleci to use new docker auth (#85) chore: update circleci to use new docker auth NOTE: while libs and tests have been updated, audit would need to ignore RUSTSEC-2020-0052 until `slog-async` is updated Issue https://github.com/mozilla-services/services-engineering/issues/71 --- .circleci/config.yml | 21 +++++++++++++++++++-- Cargo.lock | 25 +++++++++++++++++-------- Cargo.toml | 14 +++++++------- Dockerfile | 2 -- src/auth.rs | 42 +++++++++++++++++++++++++++++++----------- src/http.rs | 20 ++++++++++---------- 6 files changed, 84 insertions(+), 40 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b1adda6..16ddf25 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,11 +5,24 @@ # DOCKER_USER # DOCKER_PASS # -version: 2 +version: 2.1 +defaults: + docker_login: &docker_login + run: + name: Login to Dockerhub + command: | + if [ "${DOCKER_USER}" == "" ] || [ "${DOCKER_PASS}" == "" ]; then + echo "Skipping Login to Dockerhub, no credentials." + else + echo "${DOCKER_PASS}" | docker login -u="${DOCKER_USER}" --password-stdin + fi jobs: build: docker: - image: docker:18.03.0-ce + auth: + username: $DOCKER_USER + password: $DOCKER_PASS working_directory: /dockerflow steps: - run: @@ -18,6 +31,7 @@ jobs: - checkout - setup_remote_docker + - *docker_login - run: name: Create a version.json @@ -47,6 +61,9 @@ jobs: deploy: docker: - image: docker:18.03.0-ce + auth: + username: $DOCKER_USER + password: $DOCKER_PASS steps: - setup_remote_docker - restore_cache: @@ -54,7 +71,7 @@ jobs: - run: name: Restore Docker image cache command: docker load -i /cache/docker.tar - + - *docker_login - run: name: Deploy to Dockerhub command: | diff --git a/Cargo.lock b/Cargo.lock index 16efa4b..8f3acf1 100644 --- a/Cargo.lock +++ b/Cargo.lock 
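Review bot: The skip branch of the `docker_login` step exits successfully when `DOCKER_USER` or `DOCKER_PASS` is empty, and the same anchor is reused in the `deploy` job (last hunk of this file), so a deploy with missing credentials carries on to the push unless the existing deploy step checks for itself, which is outside the hunk. Skipping is reasonable for `build`, presumably so builds without access to the project secrets still run, but nothing records that; a comment on the anchor such as `# no Dockerhub secrets available (e.g. fork PRs): continue without login` would. For `deploy` I would stop instead, with a dedicated check ending in `echo "Dockerhub credentials missing" >&2; exit 1`. Separately, `==` inside `[ ]` is not POSIX; `[ -z "${DOCKER_USER}" ] || [ -z "${DOCKER_PASS}" ]` says the same thing portably.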
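Review bot: The `auth:` block added under the `deploy` image (and the identical one under `build` in the first hunk) has no counterpart to the shell step's empty-credentials branch. When `DOCKER_USER`/`DOCKER_PASS` are unset, the executor is handed empty values for the image pull, and the diff does not show how CircleCI treats that; it is worth confirming that a build without the secrets can still pull `docker:18.03.0-ce`. If it cannot, the skip logic in `docker_login` is never reached on such builds. A short comment above each block, e.g. `# authenticated image pull, see services-engineering issue 71`, would also say why it is there.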
@@ -931,7 +931,7 @@ dependencies = [ "failure 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)", "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", "mozsvc-common 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", - "regex 1.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "regex 1.4.1 (registry+https://github.com/rust-lang/crates.io-index)", "rocket 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)", "rocket_contrib 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.114 (registry+https://github.com/rust-lang/crates.io-index)", @@ -941,7 +941,7 @@ dependencies = [ "slog-mozlog-json 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", "slog-term 2.6.0 (registry+https://github.com/rust-lang/crates.io-index)", "slog_derive 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)", - "toml 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)", + "toml 0.5.7 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] @@ -1296,7 +1296,7 @@ dependencies = [ "error-chain 0.12.2 (registry+https://github.com/rust-lang/crates.io-index)", "idna 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)", "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", - "regex 1.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "regex 1.4.1 (registry+https://github.com/rust-lang/crates.io-index)", "url 2.1.1 (registry+https://github.com/rust-lang/crates.io-index)", ] 
@@ -1484,18 +1484,18 @@ dependencies = [ [[package]] name = "regex" -version = "1.3.9" +version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" dependencies = [ "aho-corasick 0.7.13 (registry+https://github.com/rust-lang/crates.io-index)", "memchr 2.3.3 (registry+https://github.com/rust-lang/crates.io-index)", - "regex-syntax 0.6.18 (registry+https://github.com/rust-lang/crates.io-index)", + "regex-syntax 0.6.20 (registry+https://github.com/rust-lang/crates.io-index)", "thread_local 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] name = "regex-syntax" -version = "0.6.18" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] @@ -2053,6 +2053,14 @@ dependencies = [ "serde 1.0.114 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "toml" +version = "0.5.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "serde 1.0.114 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "traitobject" version = "0.1.0" 
@@ -2440,8 +2448,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum rdrand 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" "checksum redox_syscall 0.1.57 (registry+https://github.com/rust-lang/crates.io-index)" = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" "checksum redox_users 0.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "09b23093265f8d200fa7b4c2c76297f47e681c655f6f1285a8780d6a022f7431" -"checksum regex 1.3.9 (registry+https://github.com/rust-lang/crates.io-index)" = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6" -"checksum regex-syntax 0.6.18 (registry+https://github.com/rust-lang/crates.io-index)" = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8" +"checksum regex 1.4.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8963b85b8ce3074fecffde43b4b0dded83ce2f367dc8d363afc56679f3ee820b" +"checksum regex-syntax 0.6.20 (registry+https://github.com/rust-lang/crates.io-index)" = "8cab7a364d15cde1e505267766a2d3c4e22a843e1a601f0fa7564c0f82ced11c" "checksum remove_dir_all 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" "checksum reqwest 0.9.24 (registry+https://github.com/rust-lang/crates.io-index)" = "f88643aea3c1343c804950d7bf983bd2067f5ab59db6d613a08e05572f2714ab" "checksum rocket 0.4.5 (registry+https://github.com/rust-lang/crates.io-index)" = "6130967b369cfb8411b0b73e96fcba1229c32a9cc6f295d144f879bfced13c6e" 
@@ -2498,6 +2506,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" "checksum tokio-threadpool 0.1.18 (registry+https://github.com/rust-lang/crates.io-index)" = "df720b6581784c118f0eb4310796b12b1d242a7eb95f716a8367855325c25f89" "checksum tokio-timer 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "93044f2d313c95ff1cb7809ce9a7a05735b012288a888b62d4434fd58c94f296" "checksum toml 0.4.10 (registry+https://github.com/rust-lang/crates.io-index)" = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f" +"checksum toml 0.5.7 (registry+https://github.com/rust-lang/crates.io-index)" = "75cf45bb0bef80604d001caaec0d09da99611b3c0fd39d3080468875cdb65645" "checksum traitobject 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "efd1f82c56340fdf16f2a953d7bda4f8fdffba13d93b00844c25572110b26079" "checksum try-lock 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" "checksum try_from 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "283d3b89e1368717881a9d51dad843cc435380d8109c9e47d38780a324698d8b" diff --git a/Cargo.toml b/Cargo.toml index 019ba03..af52936 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,15 +13,15 @@ diesel_migrations = { version = "1.4.0", features = ["mysql"] } failure = "0.1.6" lazy_static = "1.4.0" mozsvc-common = "0.1.1" -regex = "1.3.3" +regex = "1.4" rocket = "0.4.2" -rocket_contrib = "0.4.2" -serde = "1.0.104" -serde_json = "1.0.44" +rocket_contrib = "0.4" +serde = "1.0" +serde_json = "1.0" slog = { version = "2.5.2", features = ["nested-values"] } -slog-async = { version = "2.3.0", features = ["nested-values"] } +slog-async = { version = "2.5", features = ["nested-values"] } # 2.5 includes RUSTSEC-2020-0052 slog_derive = "0.2.0" slog-mozlog-json = "0.1.0" -slog-term = "2.4.2" +slog-term = "2.6" # must match the toml (minor) version rocket depends on -toml = "0.4.10" +toml = "0.5" 
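Review bot: The new trailing comment `# 2.5 includes RUSTSEC-2020-0052` on the `slog-async` line can be read either as "2.5 contains the fix" or as "2.5 is still affected". Going by the commit message, which says audit has to ignore the advisory until `slog-async` is updated, it is the latter, so I would spell it out: `# 2.5 is still flagged by RUSTSEC-2020-0052; remove the audit ignore once slog-async is updated`. An accepted advisory with no visible follow-up tends to stay ignored. Also, the retained comment above `toml` says it must match the minor version rocket depends on, yet Cargo.lock in this patch keeps `toml 0.4.10` alongside the new `0.5.7`, so either that comment is stale or the bump breaks the rule it states.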
diff --git a/Dockerfile b/Dockerfile index 8b9b8dc..7e817f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,8 +16,6 @@ RUN \ FROM debian:buster-slim -MAINTAINER - RUN \ groupadd --gid 10001 app && \ useradd --uid 10001 --gid 10001 --home /app --create-home app && \ diff --git a/src/auth.rs b/src/auth.rs index 53f526d..2cdf272 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -158,20 +158,37 @@ pub fn authorized_reader(request: &Request<'_>) -> HandlerResult { } #[cfg(test)] -mod test { - use rocket::config::{Config, Environment}; - use toml::{toml, toml_internal}; +pub(crate) mod test { + use rocket::config::{Array, Config, Environment, Value}; + use std::collections::BTreeMap; use super::{BearerTokenAuthenticator, Group}; + pub(crate) fn to_table(vals: Vec<&str>) -> BTreeMap> { + let mut table = BTreeMap::new(); + { + for val in vals { + let mut vargs: Vec = Array::new(); + let bits: Vec<&str> = val.splitn(2, "=").collect(); + let key = bits[0]; + let items = bits[1]; + for item in items.split(",") { + vargs.push(item.into()) + } + table.insert(key.into(), vargs); + } + } + table + } + #[test] fn test_basic() { let config = Config::build(Environment::Development) .extra( "broadcaster_auth", - toml! {foo = ["bar"] baz = ["quux", "wobble"]}, + to_table(["foo=bar", "baz=quux,wobble"].to_vec()), ) - .extra("reader_auth", toml! {otto = ["push"]}) + .extra("reader_auth", to_table(["otto=push"].to_vec())) .unwrap(); let authenicator = BearerTokenAuthenticator::from_config(&config).unwrap(); @@ -193,8 +210,11 @@ mod test { #[test] fn test_dupe_token() { let config = Config::build(Environment::Development) - .extra("broadcaster_auth", toml! {foo = ["bar"] baz = ["bar"]}) - .extra("reader_auth", toml! {otto = ["push"]}) + .extra( + "broadcaster_auth", + to_table(["foo=bar", "baz=bar"].to_vec()), + ) + .extra("reader_auth", to_table(["otto=push"].to_vec())) .unwrap(); assert!(BearerTokenAuthenticator::from_config(&config).is_err()); } 
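Review bot: `to_table` in src/auth.rs indexes `bits[1]` after `splitn(2, "=")`, so a spec string without `=` panics with a bare index-out-of-bounds, and nothing documents the `key=tok1,tok2` format the helper expects. Since it is now `pub(crate)` and shared with the tests in src/http.rs, I would add a doc comment such as `/// Builds an auth table from "user=token1,token2" specs (test helper).` and make the failure self-explanatory: `let mut bits = val.splitn(2, '=');` followed by `let (key, items) = (bits.next().unwrap(), bits.next().expect("to_table: expected key=tok1,tok2"));`. The inner `{ … }` block around the loop adds nothing and can go, and taking `&[&str]` would drop the `.to_vec()` at every call site. The enclosing `mod test` continues past the hunk.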
@@ -202,8 +222,8 @@ mod test { #[test] fn test_dupe_token2() { let config = Config::build(Environment::Development) - .extra("broadcaster_auth", toml! {foo = ["bar"]}) - .extra("reader_auth", toml! {baz = ["quux", "bar"]}) + .extra("broadcaster_auth", to_table(["foo=bar"].to_vec())) + .extra("reader_auth", to_table(["baz=quux,bar"].to_vec())) .unwrap(); assert!(BearerTokenAuthenticator::from_config(&config).is_err()); } @@ -211,8 +231,8 @@ mod test { #[test] fn test_dupe_user() { let config = Config::build(Environment::Development) - .extra("broadcaster_auth", toml! {foo = ["bar"]}) - .extra("reader_auth", toml! {foo = ["baz"]}) + .extra("broadcaster_auth", to_table(["foo=bar"].to_vec())) + .extra("reader_auth", to_table(["foo=baz"].to_vec())) .unwrap(); assert!(BearerTokenAuthenticator::from_config(&config).is_err()); } diff --git a/src/http.rs b/src/http.rs index 7e98b07..9965f32 100644 --- a/src/http.rs +++ b/src/http.rs @@ -206,14 +206,14 @@ fn setup_rocket(rocket: Rocket) -> Result { #[cfg(test)] mod test { + use crate::auth::test::to_table; use rocket; - use rocket::config::{Config, Environment, RocketConfig}; + use rocket::config::{Config, Environment, RocketConfig, Value as RValue}; use rocket::http::{Header, Status}; use rocket::local::Client; use rocket::response::Response; use rocket_contrib::json; use serde_json::{self, Value}; - use toml::{toml, toml_internal}; use super::setup_rocket; 
@@ -247,22 +247,22 @@ mod test { let database_url = rconfig .active() .get_str("database_url") - .expect("ROCKET_DATABASE_URL undefined"); - + .expect("ROCKET_DATABASE_URL undefined").to_owned(); let config = Config::build(Environment::Development) - .extra("database_url", database_url) + .extra("database_url", RValue::String(database_url)) .extra("database_pool_max_size", 1) .extra("database_use_test_transactions", true) .extra("json_logging", false) .extra( "broadcaster_auth", - toml! { - foo = ["feedfacedeadbeef", "deadbeeffacefeed"] - baz = ["baada555deadbeef"] - }, + to_table(["foo=feedfacedeadbeef,deadbeeffacefeed", "baz=baada555deadbeef"].to_vec()) + ) + .extra( + "reader_auth", + to_table(["reader=00000000deadbeef"].to_vec()) ) - .extra("reader_auth", toml! {reader = ["00000000deadbeef"]}) .unwrap(); + dbg!(&config); let rocket = setup_rocket(rocket::custom(config)).expect("rocket failed"); Client::new(rocket).expect("rocket launch failed")
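Review bot: `dbg!(&config);` looks like a leftover debugging line, and it dumps the test `Config` to stderr right after `database_url` (read from `ROCKET_DATABASE_URL`) and the auth token tables were added to it. If the config's `Debug` output includes the extras, which I would expect but cannot see from here, a database URL with embedded credentials ends up in CI logs whenever a test fails or is run with `--nocapture`. I would delete the line. The `.expect("ROCKET_DATABASE_URL undefined").to_owned();` chain and the two long `to_table(...)` calls are also not rustfmt-formatted. The enclosing function starts before the hunk.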