Upgrade Rails version

[izgeri]

Upgrade Conjur OSS Rails Version

The Conjur OSS web application is currently using Rails v4.2. With the release of Rails 6 in August, our version of Rails has fallen to the project's lowest maintenance level and will only receive severe security bug fixes (and bug fixes, nor regular security fixes). For more details, see Rails policy. Given that this is the core of our accounts/secrets product, we must be able to quickly apply all bug and security fixes as they are discovered and patched by the Rails project team.

Aha Cards

N/A

Team

• Product Manager: @boazmichaely
• Product Owner: @alexkalish
• Engineering Manager: @jvanderhoof
• Feature Lead: Jonah Goldstein (@jonahx)
• Engineers:
  • Jonah Goldstein (@jonahx)
• Technical Writer: N/A

SDLC Timeline

Stage	Updates	Artifact
Project Initialization
Kickoff
Feature Proposal
Functional Sign-off
Technical D&D
Solution Sign-off
Execution
Acceptance

[izgeri]

Plan notes from @alexkalish: • Examine all the change logs, determining which APIs we use that have changed. • Sometimes Rails will continue to support deprecated APis, so decide if we upgrade now or wait for later. • Which version do we go to? 5 or 6? • Examine our Rails related gems to see if they need upgrading (and can even be upgraded). • Determine what parts of the code are not covered by automated tests and the effort it will take to test for regressions. • Bump ruby versions of this project and our suite of gems

[alexkalish]

I strongly believe that we should just shoot for upgrading to 5.4.2 and NOT all the way to 6.0.1 for a few reasons:

• This reduces scope and effort.
• We gain all security fixes using previous major version and only lose bug fixes, which in my experience is rarely an issue.
• v6 has only had a single patch release, so I'm slightly concerned about stability.
• We can plan to upgrade to v6 later this year, after it has a minor release or several more patch releases.

[alexkalish]

In order to ensure this upgrade is FIPS compliant, we need to disable MD5 in Rails. @shaharglazner provided the following helpful info:

As far as I could find, the only change need to be done is change the following configuration:

Rails.application.config.active_support.use_sha1_digests = true

Which makes rails not using MD5 (which is not FIPS compliant). Sources:

• https://github.com/rails/rails/issues/31203#issuecomment-381449887
• https://github.com/rails/rails/pull/31289
• https://stackoverflow.com/questions/36577563/rails-4-2-6-disable-md5-for-fips-compliance

Also, we need to investigate and verify that any FIPS encryption algorithm changes do no degrade app performance.

[jtuttle]

I spent a few hours trying to get cyberark/conjur on Rails 5 and here is a branch with my progress: https://github.com/cyberark/conjur/compare/rails-5-again

The latest commit was an attempt to fix the Database connection being initialized twice (I think). Something's not quite right about how the Sequel database is getting initialized and I wasn't able to figure out the issue before more pressing matters came up.

[alexkalish]

@jvanderhoof, @jonahx: We should include updating both the appliance and decomposed follow with Conjur, after we have updated the Rails version.

[jtuttle]

@alexkalish We can close this, yes? Only reason I didn't is I saw @izgeri mentioned Rails 6 in the description and we only upgraded to Rails 5.

[alexkalish]

Closing! Thanks for catching this, @jtuttle!

[izgeri]

@jtuttle just to complete the circle, can you share more info about the specific rails upgrades that were done? a link to the relevant issue / epic would suffice. thanks!