TRUSTED_PROXIES environment variable is not honored in v1.6.0+ #1689
Description of the Problem
Prior to v1.6.0, the `TRUSTED_PROXIES` environment variable for Conjur was used to inform Rack and Rails which IP addresses are "trusted" when processing the `X-Forwarded-For` HTTP header and the TCP remote IP. The first IP address that is not in the trusted proxies list becomes the `request.ip` used by Rack and Rails.

This was accomplished in versions before v1.6.0 by patching the `Rack::Request#trusted_proxy?` method in the `conjur-rack` gem: https://github.com/cyberark/conjur-rack/blob/master/lib/conjur/rack.rb

However, in version v1.6.0, specifically in upgrading our version of Rails from 4 to 5 (which also upgraded Rack), this method in Rack no longer exists at this location. It was moved to another module, `Rack::Request::Helpers`. So this patch no longer works as expected, and only the default Rails IP safelist is used: https://github.com/rack/rack/blob/master/lib/rack/request.rb#L19

Expected Behavior
To align with the behavior pre-Rails 5, if `TRUSTED_PROXIES` is set in the environment, then only this list of IP addresses or IP address ranges (in CIDR format) are considered trusted by Rack and Rails for `request.ip`. If `TRUSTED_PROXIES` is not set, it falls back to the default Rails behavior.
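The resolution order described above, modelled as an added stand-alone example (not Conjur's or Rack's own code): `TRUSTED_PROXIES` is parsed into CIDR ranges, falling back to an approximation of Rack's built-in safelist when unset, and the client address is the first untrusted hop walking `X-Forwarded-For` from the right. The addresses, `parse_trusted_proxies` and `client_ip` are constructed for illustration.

```ruby
require "ipaddr"

# Approximation of Rack's default safelist (loopback plus private/ULA ranges); assumed here.
DEFAULT_TRUSTED = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7].freeze

# Parse a comma-separated TRUSTED_PROXIES value, e.g. "203.0.113.0/24,10.0.0.1",
# into IPAddr ranges. An unset or blank value falls back to the default list.
def parse_trusted_proxies(value)
  entries = value.to_s.split(",").map(&:strip).reject(&:empty?)
  entries = DEFAULT_TRUSTED if entries.empty?
  entries.map { |cidr| IPAddr.new(cidr) }
end

# True when the address falls inside any trusted range; malformed input is never trusted.
def trusted_proxy?(ip, trusted)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Resolve request.ip the way Rack does:
# 1. an untrusted TCP peer (REMOTE_ADDR) is the client, whatever X-Forwarded-For says;
# 2. otherwise the rightmost untrusted X-Forwarded-For hop is the client (hops to its
#    left were supplied by the client or earlier proxies and cannot be verified);
# 3. if every hop is trusted, fall back to the leftmost hop, then to REMOTE_ADDR.
def client_ip(remote_addr, x_forwarded_for, trusted)
  return remote_addr unless trusted_proxy?(remote_addr, trusted)
  hops = x_forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  untrusted = hops.reject { |hop| trusted_proxy?(hop, trusted) }
  untrusted.last || hops.first || remote_addr
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: a public load balancer (203.0.113.10) forwards for client 198.51.100.7.
  lb, xff = "203.0.113.10", "198.51.100.7"
  puts client_ip(lb, xff, parse_trusted_proxies("203.0.113.0/24")) # => 198.51.100.7 (proxy trusted)
  puts client_ip(lb, xff, parse_trusted_proxies(nil))              # => 203.0.113.10 (default list only)
end
```

The second call shows the effect of the bug: when the environment value is ignored, a proxy with a public address is not on the default safelist, so `request.ip` becomes the proxy's address instead of the client's.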