From a485e1511d24d7399cc26bc766a2aede1617ea30 Mon Sep 17 00:00:00 2001 From: Matt Blewitt <118200221+mble-sfdc@users.noreply.github.com> Date: Wed, 15 May 2024 14:45:59 +0100 Subject: [PATCH 1/8] maint: update for heroku-24 Ref: TBD --- .github/workflows/tests.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 7025ee9..268d968 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -14,7 +14,8 @@ jobs: - heroku-18 - heroku-20 - heroku-22 + - heroku-24 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: bash support/test.sh ${{ matrix.stack }} From 747c62374dc75ece845b6df69687b803692f348e Mon Sep 17 00:00:00 2001 From: Matt Blewitt <118200221+mble-sfdc@users.noreply.github.com> Date: Wed, 15 May 2024 15:05:02 +0100 Subject: [PATCH 2/8] exit on heroku-24, add error messaging --- Dockerfile | 2 ++ bin/compile | 8 ++++++++ bin/start-stunnel | 8 ++++++++ 3 files changed, 18 insertions(+) diff --git a/Dockerfile b/Dockerfile index 5632d0c..7571fba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,7 @@ FROM $BUILD_IMAGE AS builder ARG STACK # Emulate the platform where root access is not available +USER root RUN useradd -d /app non-root-user RUN mkdir -p /app /cache /env RUN chown non-root-user /app /cache /env @@ -20,6 +21,7 @@ RUN env -i PATH=$PATH HOME=$HOME STACK=$STACK /buildpack/bin/compile /app /cache FROM $RUNTIME_IMAGE +USER root RUN useradd -d /app non-root-user USER non-root-user COPY --from=builder --chown=non-root-user /app /app diff --git a/bin/compile b/bin/compile index 6119d12..f337532 100755 --- a/bin/compile +++ b/bin/compile 
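Review bot: The two added `USER root` lines in the Dockerfile have no explanation, and the first now sits directly under the comment "Emulate the platform where root access is not available", which reads as a contradiction. Presumably the newer base image no longer defaults to root and the `useradd`/`mkdir`/`chown` steps need it. A comment on each, such as `# Base image may default to a non-root user; root is needed only for the setup steps below`, would make that clear. The runtime stage switches back to `non-root-user` right after `useradd`, but the builder stage's later `USER` switch, if any, lies between the two hunks. It is worth confirming that `/buildpack/bin/compile` still runs unprivileged there.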
@@ -13,6 +13,14 @@ unset GIT_DIR BUILD_DIR=$1 BUILDPACK_DIR="$(dirname $(dirname $0))" +STUNNEL=$(command -v stunnel4) + +if [ -z $STUNNEL ]; then + echo "------> stunnel not detected! stunnel not supported on heroku-24+" + echo "------> this buildpack is not required for Redis 6+: https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" + exit 1 +fi + echo "-----> Moving the configuration generation script into app/bin" mkdir -p $BUILD_DIR/bin cp "$BUILDPACK_DIR/bin/stunnel-conf.sh" $BUILD_DIR/bin/stunnel-conf.sh diff --git a/bin/start-stunnel b/bin/start-stunnel index 3310f7f..3daf664 100755 --- a/bin/start-stunnel +++ b/bin/start-stunnel @@ -1,6 +1,14 @@ #!/usr/bin/env bash main() { + STUNNEL=$(command -v stunnel4) + + if [ -z $STUNNEL ]; then + echo "buildpack=stunnel at=error stunnel not detected! stunnel not supported on heroku-24+" + echo "buildpack=stunnel at=error this buildpack is not required for Redis 6+: https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" + exit 1 + fi + if ! is-enabled "${STUNNEL_ENABLED:-1}"; then at stunnel-disabled exec "$@" From 0dcb1d7fa30ff9c19922fe5047fcf0c67189094a Mon Sep 17 00:00:00 2001 From: Matt Blewitt <118200221+mble-sfdc@users.noreply.github.com> Date: Wed, 15 May 2024 15:12:28 +0100 Subject: [PATCH 3/8] remove heroku-24 testing due to compile restriction --- .github/workflows/tests.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 268d968..a22f242 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -14,7 +14,6 @@ jobs: - heroku-18 - heroku-20 - heroku-22 - - heroku-24 runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 3fdae09b4e3d77f7094616eb5d26e53261a449c6 Mon Sep 17 00:00:00 2001 
From: Matt Blewitt <118200221+mble-sfdc@users.noreply.github.com> Date: Fri, 17 May 2024 12:30:47 +0100 Subject: [PATCH 4/8] doc updates from feedback --- README.md | 6 +++--- bin/compile | 11 ++++++----- bin/start-stunnel | 8 -------- 3 files changed, 9 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 92bcce4..7178465 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ This is a [Heroku buildpack](http://devcenter.heroku.com/articles/buildpacks) th allows an application to use an [stunnel](http://stunnel.org) to connect securely to Heroku Redis. It is meant to be used in conjunction with other buildpacks. -**This buildpack is only for use with Heroku Redis 4 and 5. For Heroku Redis 6 and newer, use its built-in TLS support instead.** - -**For more information, see [Securing Heroku Redis](https://devcenter.heroku.com/articles/securing-heroku-redis).** +> [!WARNING] +> This buildpack is not compatible with `heroku-24`+ and is not needed for Redis 6+, which supports native TLS. +> For more information, see [Securing Heroku Redis](https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance). ## Usage diff --git a/bin/compile b/bin/compile index f337532..bc20a04 100755 --- a/bin/compile +++ b/bin/compile 
@@ -13,11 +13,12 @@ unset GIT_DIR BUILD_DIR=$1 BUILDPACK_DIR="$(dirname $(dirname $0))" -STUNNEL=$(command -v stunnel4) - -if [ -z $STUNNEL ]; then - echo "------> stunnel not detected! stunnel not supported on heroku-24+" - echo "------> this buildpack is not required for Redis 6+: https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" +if ! command -v stunnel4 > /dev/null; then + echo "! stunnel not detected! stunnel not supported on heroku-24+" + echo "! This buildpack is not required for Redis 6+. Remove this buildpack using:" + echo "! $ heroku buildpacks:remove heroku/redis" + echo "! And then follow the instructions for using Redis' native TLS support:" + echo "! https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" exit 1 fi diff --git a/bin/start-stunnel b/bin/start-stunnel index 3daf664..3310f7f 100755 --- a/bin/start-stunnel +++ b/bin/start-stunnel @@ -1,14 +1,6 @@ #!/usr/bin/env bash main() { - STUNNEL=$(command -v stunnel4) - - if [ -z $STUNNEL ]; then - echo "buildpack=stunnel at=error stunnel not detected! stunnel not supported on heroku-24+" - echo "buildpack=stunnel at=error this buildpack is not required for Redis 6+: https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" - exit 1 - fi - if ! is-enabled "${STUNNEL_ENABLED:-1}"; then at stunnel-disabled exec "$@" From c6f696f392b03fb04712380bda6892c5fdefb0cd Mon Sep 17 00:00:00 2001 From: Daniel Bright Date: Tue, 21 May 2024 08:11:51 -0700 Subject: [PATCH 5/8] verbiage from cx --- README.md | 3 ++- bin/compile | 11 ++++++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7178465..d611b24 100644 --- a/README.md +++ b/README.md 
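Review bot: The remediation text in the new `if ! command -v stunnel4` branch of bin/compile tells the user to run `heroku buildpacks:remove heroku/redis` without first checking which Redis version the add-on is on. The README wording this series replaces says the buildpack is for Heroku Redis 4 and 5, so on those versions removing it would presumably leave the connection without the stunnel TLS wrapper. I would add a line such as `echo "! If your add-on is older than Redis 6, upgrade it before removing this buildpack."` ahead of the remove command. The same guidance is carried unchanged through the later bin/compile hunks in patches 5 and 7.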
@@ -5,7 +5,8 @@ allows an application to use an [stunnel](http://stunnel.org) to connect securel Heroku Redis. It is meant to be used in conjunction with other buildpacks. > [!WARNING] -> This buildpack is not compatible with `heroku-24`+ and is not needed for Redis 6+, which supports native TLS. +> This buildpack isn’t compatible with [`heroku-24`](article link?) and later. You don’t need this buildpack for Redis 6+, which supports native TLS. + > For more information, see [Securing Heroku Redis](https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance). ## Usage diff --git a/bin/compile b/bin/compile index bc20a04..36809f2 100755 --- a/bin/compile +++ b/bin/compile @@ -14,11 +14,12 @@ BUILD_DIR=$1 BUILDPACK_DIR="$(dirname $(dirname $0))" if ! command -v stunnel4 > /dev/null; then - echo "! stunnel not detected! stunnel not supported on heroku-24+" - echo "! This buildpack is not required for Redis 6+. Remove this buildpack using:" - echo "! $ heroku buildpacks:remove heroku/redis" - echo "! And then follow the instructions for using Redis' native TLS support:" - echo "! https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" + + echo "! This buildpack uses stunnel, which isn’t supported on heroku-24 and later." + echo "! You don’t need this buildpack for Redis 6+. Remove it with the command:" + echo "! $ heroku buildpacks:remove heroku/redis" + echo "! To use Redis’ native TLS support, see https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance." + exit 1 fi From b659b4df31731274bdec15679f6c736ed76f4a23 Mon Sep 17 00:00:00 2001 From: Daniel Bright Date: Tue, 21 May 2024 08:18:45 -0700 Subject: [PATCH 6/8] no article link --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d611b24..26ff4d1 100644 --- a/README.md +++ b/README.md 
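Review bot: The reworded message in bin/compile no longer states what the check actually found. The old first line said stunnel was not detected, while the new one only asserts that stunnel is unsupported on heroku-24 and later. The branch is taken whenever `stunnel4` is missing from PATH, on any stack, so the log can name the wrong cause. A first line such as `echo "! stunnel4 not found on PATH (STACK=${STACK:-unset})."` keeps the evidence in the build output; the Dockerfile in this series passes `STACK` into the compile step, so the variable should be available. The two blank lines added inside the `if` body are not needed.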
@@ -5,8 +5,8 @@ allows an application to use an [stunnel](http://stunnel.org) to connect securel Heroku Redis. It is meant to be used in conjunction with other buildpacks. > [!WARNING] -> This buildpack isn’t compatible with [`heroku-24`](article link?) and later. You don’t need this buildpack for Redis 6+, which supports native TLS. - +> This buildpack isn’t compatible with `heroku-24` and later. You don’t need this buildpack for Redis 6+, which supports native TLS. +> > For more information, see [Securing Heroku Redis](https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance). ## Usage From 2f6cce88df391b51d2ec3b6e9632a966e2e07c9d Mon Sep 17 00:00:00 2001 From: Daniel <152929550+brahyt-sf@users.noreply.github.com> Date: Tue, 21 May 2024 09:16:35 -0700 Subject: [PATCH 7/8] Update bin/compile Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com> --- bin/compile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/bin/compile b/bin/compile index 36809f2..40e43a6 100755 --- a/bin/compile +++ b/bin/compile @@ -15,10 +15,11 @@ BUILDPACK_DIR="$(dirname $(dirname $0))" if ! command -v stunnel4 > /dev/null; then - echo "! This buildpack uses stunnel, which isn’t supported on heroku-24 and later." - echo "! You don’t need this buildpack for Redis 6+. Remove it with the command:" - echo "! $ heroku buildpacks:remove heroku/redis" - echo "! To use Redis’ native TLS support, see https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance." + echo "! This buildpack uses stunnel, which isn’t supported on heroku-24 and later." >&2 + echo "! You don’t need this buildpack for Redis 6+. Remove it with the command:" >&2 + echo "! $ heroku buildpacks:remove heroku/redis" >&2 + echo "! To use Redis’ native TLS support, see https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance:" >&2 + echo "! https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance" >&2 exit 1 fi 
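Review bot: The fourth added `echo` in bin/compile still embeds the documentation URL and now ends in a colon, and the fifth prints the same URL again. The build log therefore shows the link twice, and the first copy has `:` glued to the fragment, which some log viewers will include in the link. The fourth line should read `echo "! To use Redis’ native TLS support, see:" >&2`, leaving the URL on its own line below it.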
From e281fbcce8b8a5f5bb0c1fde7c6cbd9650ebd605 Mon Sep 17 00:00:00 2001 From: Daniel <152929550+brahyt-sf@users.noreply.github.com> Date: Tue, 21 May 2024 09:19:06 -0700 Subject: [PATCH 8/8] Update README.md Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 26ff4d1..c67a80c 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ allows an application to use an [stunnel](http://stunnel.org) to connect securel Heroku Redis. It is meant to be used in conjunction with other buildpacks. > [!WARNING] -> This buildpack isn’t compatible with `heroku-24` and later. You don’t need this buildpack for Redis 6+, which supports native TLS. +> This buildpack isn’t compatible with the `heroku-24` [stack](https://devcenter.heroku.com/articles/stack) and later. You don’t need this buildpack for Redis 6+, which supports native TLS. > > For more information, see [Securing Heroku Redis](https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance).