release: 3.5.2

- https://github.com/rhysd/actionlint is cool

.github/actionlint-matcher.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}

.github/renovate.json5

@@ -9,6 +9,7 @@
   schedule: ["before 8am on thursday"],
   branchPrefix: "renovate-",
   dependencyDashboardHeader: "View repository job log [here](https://app.renovatebot.com/dashboard#github/cmur2/dyndnsd).",
+  separateMinorPatch: true,
   commitMessagePrefix: "project: ",
   commitMessageAction: "update",
   commitMessageTopic: "{{depName}}",

.github/workflows/cd.yml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 ---
 name: cd
 
@@ -10,11 +11,11 @@ jobs:
   release-dockerimage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Extract dyndnsd version from tag name
       run: |
-        echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
+        echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV"
 
     - name: Wait for dyndnsd ${{ env.DYNDNSD_VERSION }} gem to be available
       run: |
@@ -22,6 +23,7 @@ jobs:
         for retry in $(seq 1 5); do
           echo "Checking if dyndnsd $DYNDNSD_VERSION gem is retrievable from rubygems.org (try #$retry)..."
           sudo gem install dyndnsd -v "$DYNDNSD_VERSION"
+          # shellcheck disable=SC2181
           if [ $? -eq 0 ]; then
             exit 0
           fi

.github/workflows/ci.yml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 ---
 name: ci
 
@@ -20,8 +21,9 @@ jobs:
         - '2.6'
         - '2.7'
         - '3.0'
+        - '3.1'
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
@@ -32,12 +34,12 @@ jobs:
       run: |
         bundle exec rake ci
 
-    # https://github.com/marketplace/actions/build-and-push-docker-images
+  actionlint:
-    - name: Set up Docker Buildx
+    runs-on: ubuntu-latest
-      uses: docker/setup-buildx-action@v1
+    steps:
-
+    - uses: actions/checkout@v3
-    - name: Test building Docker image for dyndnsd
+    - name: Check workflow files
-      uses: docker/build-push-action@v2
+      run: |
-      with:
+        echo "::add-matcher::.github/actionlint-matcher.json"
-        context: .
+        bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
-        file: docker/ci/Dockerfile
+        ./actionlint

.github/workflows/dockerhub.yml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 ---
 name: dockerhub
 

.github/workflows/vulnscan.yml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 ---
 name: vulnscan
 
@@ -10,15 +11,14 @@ jobs:
   scan-released-dockerimages:
     runs-on: ubuntu-latest
     env:
-      TRIVY_LIGHT: 'true'
       TRIVY_IGNORE_UNFIXED: 'true'
       TRIVY_REMOVED_PKGS: 'true'
     steps:
     - name: Install Trivy
       run: |
-        mkdir -p $GITHUB_WORKSPACE/bin
+        mkdir -p "$GITHUB_WORKSPACE/bin"
         echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
-        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin"
     - name: Download Trivy DB
       run: |
         trivy image --download-db-only

.gitignore

@@ -2,3 +2,5 @@
 *.lock
 pkg/*
 .yardoc
+hadolint
+trivy

.rubocop.yml

@@ -6,6 +6,9 @@ AllCops:
   TargetRubyVersion: '2.5'
   NewCops: enable
 
+Gemspec/RequireMFA:
+  Enabled: false
+
 Layout/EmptyLineAfterGuardClause:
   Enabled: false
 

CHANGELOG.md

@@ -1,5 +1,57 @@
 # Changelog
 
+## 3.5.2 (April 7th, 2022)
+
+OTHER:
+
+- re-release 3.5.1 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.5.1 (February 17th, 2022)
+
+OTHER:
+
+- re-release 3.5.0 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.5.0 (January 8th, 2022)
+
+IMPROVEMENTS:
+
+- add Ruby 3.1 support
+
+OTHER:
+
+- update base of Docker image to Alpine 3.15 (from 3.13.7 before, **Note:** please be aware of the quirks around [Alpine 3.14](https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2))
+
+## 3.4.8 (December 11th, 2021)
+
+OTHER:
+
+- re-release 3.4.7 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.4.7 (November 19th, 2021)
+
+OTHER:
+
+- re-release 3.4.6 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.4.6 (November 19th, 2021)
+
+OTHER:
+
+- re-release 3.4.5 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.4.5 (August 26th, 2021)
+
+OTHER:
+
+- re-release 3.4.4 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.4.4 (August 26th, 2021)
+
+OTHER:
+
+- re-release 3.4.3 to rebuild Docker image with security vulnerabilities fixes
+
 ## 3.4.3 (August 20th, 2021)
 
 OTHER:

Rakefile

@@ -22,14 +22,60 @@ namespace :solargraph do
 end
 
 # renovate: datasource=github-tags depName=hadolint/hadolint
-hadolint_version = 'v2.6.0'
+hadolint_version = 'v2.10.0'
 
-desc 'Run hadolint for Dockerfile linting'
+# renovate: datasource=github-tags depName=aquasecurity/trivy
-task :hadolint do
+trivy_version = 'v0.25.3'
-  sh "docker run --rm -i hadolint/hadolint:#{hadolint_version} hadolint --ignore DL3018 - < docker/Dockerfile"
+
+namespace :docker do
+  ci_image = 'cmur2/dyndnsd:ci'
+
+  desc 'Lint Dockerfile'
+  task :lint do
+    sh "if [ ! -e ./hadolint ]; then wget -q -O ./hadolint https://github.com/hadolint/hadolint/releases/download/#{hadolint_version}/hadolint-Linux-x86_64; fi"
+    sh 'chmod a+x ./hadolint'
+    sh './hadolint --ignore DL3018 docker/Dockerfile'
+    sh './hadolint --ignore DL3018 --ignore DL3028 docker/ci/Dockerfile'
+  end
+
+  desc 'Build CI Docker image'
+  task :build do
+    sh 'docker build -t cmur2/dyndnsd:ci -f docker/ci/Dockerfile .'
+  end
+
+  desc 'Scan CI Docker image for vulnerabilities'
+  task :scan do
+    ver = trivy_version.gsub('v', '')
+    sh "if [ ! -e ./trivy ]; then wget -q -O - https://github.com/aquasecurity/trivy/releases/download/v#{ver}/trivy_#{ver}_Linux-64bit.tar.gz | tar -xzf - trivy; fi"
+    sh "./trivy image #{ci_image}"
+  end
+
+  desc 'End-to-end test the CI Docker image'
+  task :e2e do
+    sh <<~SCRIPT
+      echo -n '{}' > e2e/db.json
+      chmod a+w e2e/db.json
+    SCRIPT
+    sh "docker run -d --name=dyndnsd-ci -v $(pwd)/e2e:/etc/dyndnsd -p 8080:8080 -p 5353:5353 #{ci_image}"
+    sh 'sleep 1'
+    puts '----------------------------------------'
+    # `dig` needs `sudo apt-get install -y -q dnsutils`
+    sh <<~SCRIPT
+      curl -s -o /dev/null -w '%{http_code}' 'http://localhost:8080/' | grep -q '401'
+      curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'good'
+      curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'nochg'
+      dig +short AXFR 'dyn.example.org' @127.0.0.1 -p 5353 | grep -q '1.2.3.4'
+    SCRIPT
+    puts '----------------------------------------'
+    sh <<~SCRIPT
+      docker logs dyndnsd-ci
+      docker container rm -f -v dyndnsd-ci
+      rm e2e/db.json
+    SCRIPT
+  end
 end
 
 task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
 
 desc 'Run all tasks desired for CI'
-task ci: ['solargraph:init', :default, :hadolint, :build]
+task ci: ['solargraph:init', :default, 'docker:lint', :build, 'docker:build', 'docker:e2e']

docker/Dockerfile

@@ -1,10 +1,10 @@
-FROM alpine:3.13.5
+FROM alpine:3.15.4
 
 EXPOSE 5353 8080
 
 ARG DYNDNSD_VERSION
 
-RUN apk --no-cache add openssl ca-certificates apk-tools && \
+RUN apk --no-cache add openssl ca-certificates && \
     apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
     apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
     gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \

docker/ci/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13.5
+FROM alpine:3.15.4
 
 EXPOSE 5353 8080
 

dyndnsd.gemspec

@@ -27,21 +27,22 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = '>= 2.5'
 
-  s.add_runtime_dependency 'async-dns', '~> 1.2.0'
+  s.add_runtime_dependency 'async', '~> 1.30.0'
+  s.add_runtime_dependency 'async-dns', '~> 1.3.0'
   s.add_runtime_dependency 'metriks'
   s.add_runtime_dependency 'opentelemetry-exporter-jaeger', '~> 0.20.0'
-  s.add_runtime_dependency 'opentelemetry-instrumentation-rack', '~> 0.19.0'
+  s.add_runtime_dependency 'opentelemetry-instrumentation-rack', '~> 0.20.0'
   s.add_runtime_dependency 'opentelemetry-sdk', '~> 1.0.0.rc2'
   s.add_runtime_dependency 'rack', '~> 2.0'
   s.add_runtime_dependency 'webrick', '>= 1.6.1'
 
   s.add_development_dependency 'bundler'
-  s.add_development_dependency 'bundler-audit', '~> 0.8.0'
+  s.add_development_dependency 'bundler-audit', '~> 0.9.0'
   s.add_development_dependency 'rack-test'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rubocop', '~> 1.19.0'
+  s.add_development_dependency 'rubocop', '~> 1.26.0'
   s.add_development_dependency 'rubocop-rake', '~> 0.6.0'
-  s.add_development_dependency 'rubocop-rspec', '~> 2.4.0'
+  s.add_development_dependency 'rubocop-rspec', '~> 2.9.0'
-  s.add_development_dependency 'solargraph', '~> 0.43.0'
+  s.add_development_dependency 'solargraph', '~> 0.44.0'
 end

e2e/config.yml

@@ -0,0 +1,31 @@
+---
+host: "0.0.0.0"
+port: 8080
+
+db: /etc/dyndnsd/db.json
+debug: false
+domain: dyn.example.org
+#responder: RestStyle
+
+updater:
+  name: zone_transfer_server
+  params:
+    server_listens:
+    - 0.0.0.0@5353
+    #send_notifies:
+    #- 10.0.2.15@53
+    zone_ttl: 300  # 5m
+    zone_nameservers:
+    - dns1.example.org.
+    - dns2.example.org.
+    zone_email_address: admin.example.org.
+    zone_additional_ips:
+    - "127.0.0.1"
+    - "::1"
+
+users:
+  foo:
+    password: "secret"
+    hosts:
+    - foo.dyn.example.org
+    - bar.dyn.example.org

lib/dyndnsd.rb

@@ -106,7 +106,7 @@ module Dyndnsd
       puts "DynDNSd version #{Dyndnsd::VERSION}"
       puts "Using config file #{config_file}"
 
-      config = YAML.safe_load(File.open(config_file, 'r', &:read))
+      config = YAML.safe_load(File.read(config_file))
 
       setup_logger(config)
 

lib/dyndnsd/updater/command_with_bind_zone.rb

@@ -21,7 +21,7 @@ module Dyndnsd
           span.set_attribute('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
 
           # write zone file in bind syntax
-          File.open(@zone_file, 'w') { |f| f.write(@generator.generate(db)) }
+          File.write(@zone_file, @generator.generate(db))
           # call user-defined command
           pid = fork do
             exec @command

lib/dyndnsd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = '3.4.3'
+  VERSION = '3.5.2'
 end