FFM-12631 - Update golang & pushpin to resolve vulns (#413)

* fix: [FFM-12648] upgrade golang & pushpin version to resolve vulnerabilities (#412)

Author: jcox250

Dockerfile

@@ -1,7 +1,7 @@
 ############################
 # STEP 1 build executable binary
 ############################
-FROM golang:1.23.5 as builder
+FROM golang:1.23.12 as builder
 
 WORKDIR /app
 
@@ -15,73 +15,42 @@ COPY . .
 # Generate Code and Build
 RUN make build
 
-
 ############################
-# STEP 2 build pushpin 22.04 image - source https://github.com/fanout/docker-pushpin/blob/master/Dockerfile
-# TODO - this will rarely change - publish as an image we can consume
+# STEP 2: Grab CA certificates
 ############################
-# Pull the base image
-FROM ubuntu:24.04 as pushpin
-
-# Add private APT repository
-RUN \
-  apt-get update && \
-  apt-get install -y apt-transport-https software-properties-common && \
-  echo deb https://fanout.jfrog.io/artifactory/debian fanout-jammy main \
-    | tee /etc/apt/sources.list.d/fanout.list && \
-  apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
-    7D0343148157C3DF
-
-ENV PUSHPIN_VERSION 1.37.0-1~jammy
-
-# Install Pushpin
-RUN \
-  apt-get update && \
-  apt-get install -y pushpin=$PUSHPIN_VERSION curl binutils
+FROM debian:bookworm-slim as certs
+RUN apt-get update && apt-get install -y ca-certificates
+RUN mkdir /tmp/certs && cp -r /etc/ssl/certs/* /tmp/certs
 
-# Fix CVEs
-RUN \
-  apt-get upgrade -y perl openssl nghttp2
-
-# Required for the image to work on Centos7 with 3.10 kernel
-RUN \
-    strip --remove-section=.note.ABI-tag /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+############################
+# STEP 3: Add relay proxy to base pushpin image
+############################
+FROM fanout/pushpin:1.41.0
 
-# Cleanup
-RUN \
-  apt-get clean && \
-  rm -fr /var/lib/apt/lists/* && \
-  rm -fr /tmp/*
+# Use root user for setup
+USER root
 
-# Add entrypoint script
+# Copy entrypoint and binaries
 COPY docker-entrypoint.sh /usr/local/bin/
-# give permission to run entrypoint script
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
-
-# Define default entrypoint and command
-ENTRYPOINT ["docker-entrypoint.sh"]
-CMD ["pushpin", "--merge-output"]
-
-
-############################
-# STEP 3 add relay proxy build to pushpin image
-############################
-FROM pushpin
 COPY --from=builder /app/ff-proxy /app/ff-proxy
-COPY --from=builder ./app/config/pushpin /etc/pushpin
-COPY --from=builder ./app/start.sh /start.sh
+COPY --from=builder /app/config/pushpin /etc/pushpin
+COPY --from=builder /app/start.sh /start.sh
+
+# Copy CA certificates
+COPY --from=certs /tmp/certs /etc/ssl/certs
 
-RUN mkdir /log
-RUN mkdir /pushpin
-RUN mkdir /pushpin/run
-RUN mkdir /pushpin/log
-RUN chmod -R 0500 /app/ff-proxy /usr/lib/pushpin /etc/pushpin
-RUN chmod -R 0755 /log /pushpin /usr/lib/pushpin /etc/pushpin
-RUN chown -R 65534:65534 /app/ff-proxy /log /pushpin /usr/lib/pushpin /etc/pushpin
+# Prepare directories + set permissions in a single layer
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh \
+ && mkdir -p /log /pushpin/run /pushpin/log \
+ && chmod 0500 /app/ff-proxy \
+ && chmod -R 0755 /usr/lib/pushpin /etc/pushpin \
+ && chmod -R 0775 /log /pushpin \
+ && chown -R 65534:65534 /app/ff-proxy /log /pushpin /usr/lib/pushpin /etc/pushpin
 
-# Setting this to 65534 which hould be the nodbody user
-USER 65534
+# Use nobody user for runtime
+USER 65534:65534
 
 # Expose default port pushpin listens on
 EXPOSE 7000
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["./start.sh"]

Makefile

@@ -134,7 +134,7 @@ check: lint format sec ## Runs linter, goimports and gosec
 PHONY+= lint
 lint: tools ## lint the golang code
 	@echo "Linting $(1)"
-	@golint ./...
+	golint ./...
 
 PHONY+= tools
 format: tools ## Format go code and error if any changes are made
@@ -159,17 +159,16 @@ sec: tools ## Run the security checks
 # Install golangci-lint
 $(GOBIN)/golangci-lint:
 	@echo "🔘 Installing golangci-lint... (`date '+%H:%M:%S'`)"
-	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH)/bin
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.64.8
 
-# Install golint to lint code
 $(GOBIN)/golint:
 	@echo "🔘 Installing golint ... (`date '+%H:%M:%S'`)"
 	@go install golang.org/x/lint/golint@latest
 
 # Install goimports to format code
 $(GOBIN)/goimports:
 	@echo "🔘 Installing goimports ... (`date '+%H:%M:%S'`)"
-	@go install golang.org/x/tools/cmd/goimports@latest
+	@go install golang.org/x/tools/cmd/goimports@v0.30.0
 
 # Install gocov to parse code coverage
 $(GOBIN)/gocov:

config/pushpin/pushpin.conf

@@ -16,7 +16,7 @@ stats_connection_ttl=120
 
 [runner]
 # services to start
-services=condure,zurl,pushpin-proxy,pushpin-handler
+services=condure,pushpin-proxy,pushpin-handler
 
 # plain HTTP port that mongrel2 should listen on
 http_port=7000

docker-compose.yml

@@ -38,14 +38,4 @@ services:
   redis:
     image: "redis:latest"
     ports:
-      - "6379:6379"
-
-  pushpin:
-    image: fanout/pushpin
-    ports:
-      - "7000:7000"
-      - "5560-5563:5560-5563"
-      - "5555:5555"
-    volumes:
-      - ./config/pushpin:/etc/pushpin
-    command: "pushpin --merge-output"
+      - "6379:6379"

docker-entrypoint.sh

@@ -1,25 +1,14 @@
 #!/bin/bash
-# source - https://github.com/fanout/docker-pushpin/blob/master/docker-entrypoint.sh
 set -e
 
-# Configure Pushpin
-if [ -w /usr/lib/pushpin/internal.conf ]; then
-	sed -i \
-		-e 's/zurl_out_specs=.*/zurl_out_specs=ipc:\/\/\{rundir\}\/pushpin-zurl-in/' \
-		-e 's/zurl_out_stream_specs=.*/zurl_out_stream_specs=ipc:\/\/\{rundir\}\/pushpin-zurl-in-stream/' \
-		-e 's/zurl_in_specs=.*/zurl_in_specs=ipc:\/\/\{rundir\}\/pushpin-zurl-out/' \
-		/usr/lib/pushpin/internal.conf
-else
-	echo "docker-entrypoint.sh: unable to write to /usr/lib/pushpin/internal.conf, readonly"
-fi
-
 if [ -w /etc/pushpin/pushpin.conf ]; then
 	sed -i \
-		-e 's/services=.*/services=condure,zurl,pushpin-proxy,pushpin-handler/' \
+		-e 's/services=.*/services=condure,pushpin-proxy,pushpin-handler/' \
 		-e 's/push_in_spec=.*/push_in_spec=tcp:\/\/\*:5560/' \
 		-e 's/push_in_http_addr=.*/push_in_http_addr=0.0.0.0/' \
 		-e 's/push_in_sub_specs=.*/push_in_sub_spec=tcp:\/\/\*:5562/' \
 		-e 's/command_spec=.*/command_spec=tcp:\/\/\*:5563/' \
+		-e 's/^http_port=.*/http_port=7000/' \
 		/etc/pushpin/pushpin.conf
 else
 	echo "docker-entrypoint.sh: unable to write to /etc/pushpin/pushpin.conf, readonly"
@@ -30,50 +19,4 @@ if [ -v target ]; then
 	echo "* ${target},over_http" > /etc/pushpin/routes
 fi
 
-# Update pushpin.conf file to use $PORT for http_port
-if [ -w /etc/pushpin/pushpin.conf ]; then
-  PROTOCOL="http_port"
-  PUSHPIN_PORT=7000
-  if [ -n "${PORT}" ]; then
-      PUSHPIN_PORT=${PORT}
-  fi
-
-  if [ "${TLS_ENABLED}" = true ] ; then
-    echo "https configured"
-    PROTOCOL="https_ports"
-
-    # write ca cert to pushpin certs directory if exists
-    if [ -n "${TLS_CERT}" ]; then
-      echo "copying tls cert from ${TLS_CERT} to etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.crt"
-      cp ${TLS_CERT} etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.crt
-    fi
-
-    # write ca key to pushpin certs directory if exists
-    if [ -n "${TLS_KEY}" ]; then
-      echo "copying tls key from ${TLS_CERT} to etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.key"
-      cp ${TLS_KEY} etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.key
-    fi
-  fi
-
-  # set port and protocol for pushpin to listen on e.g. listen for https connections on port 6000
-  echo "Listening for requests on port ${PUSHPIN_PORT}"
-  sed -i \
-  -e "s/http_port=7000/${PROTOCOL}=${PUSHPIN_PORT}/" \
-  /etc/pushpin/pushpin.conf
-  export PORT=
-else
-	echo "docker-entrypoint.sh: unable to write to /etc/pushpin/pushpin.conf, readonly"
-fi
-
-# Update routes file to forward traffic using ssl if tls_enabled is true
-if [ -w /etc/pushpin/routes ]; then
-  if [ "${TLS_ENABLED}" = true ] ; then
-    sed -i \
-      -e "s/localhost:8000/localhost:8000,ssl,insecure/" \
-      /etc/pushpin/routes
-  fi
-else
-	echo "docker-entrypoint.sh: unable to write to /etc/pushpin/routes, readonly"
-fi
-
 exec "$@"

tests/e2e/stream_test.go

@@ -41,6 +41,7 @@ func TestEvent(t *testing.T) {
 			args{
 				Key: GetServerAPIKey(),
 				Operation: func() error {
+					t.Log("Patching feature flag")
 					parameters := make(map[string]interface{})
 					parameters["state"] = "on"
 					resp := PatchFeatureFlag(t, DefaultClient(), GetAccountIdentifier(), GetOrgIdentifier(), "string-flag1", GetProjectIdentifier(), GetEnvironmentIdentifier(), "setFeatureFlagState", parameters)
@@ -61,6 +62,7 @@ func TestEvent(t *testing.T) {
 			args{
 				Key: GetServerAPIKey(),
 				Operation: func() error {
+					t.Log("Patching feature flag")
 					parameters := make(map[string]interface{})
 					parameters["state"] = "off"
 					resp := PatchFeatureFlag(t, DefaultClient(), GetAccountIdentifier(), GetOrgIdentifier(), "string-flag1", GetProjectIdentifier(), GetEnvironmentIdentifier(), "setFeatureFlagState", parameters)
@@ -109,10 +111,11 @@ func TestEvent(t *testing.T) {
 			// wait for up to 10 seconds for the expected sse event to come in
 			select {
 			case msg := <-eventChan:
+				t.Log("Event received")
 				assert.Equal(t, tt.want.sseEvent.Event, msg.Event)
 				assert.Equal(t, tt.want.sseEvent.Domain, msg.Domain)
 				assert.Equal(t, tt.want.sseEvent.Identifier, msg.Identifier)
-			case <-time.After(10 * time.Second):
+			case <-time.After(20 * time.Second):
 				t.Error("Timed out waiting for event to come in")
 			}
 			result, err := client.StringVariation("string-flag1", nil, "default")