feat(builder): expose runtime configuration during slugbuilder execution

Gabriel Monroy · Gabriel Monroy · commit 88e07d44a422 · 2014-05-12T14:38:36.000-06:00
This uses a new Config API Hook to grab the latest app configuration
and expose it to slugbuilder using `-e` flags.

While this works, it is a very good mechanism for handling user-defined
inputs on the builder.  In other words, command-injection is possible
through malformed inputs.  We must consider this as we move to refactor
the builder in Go.
diff --git a/api/tests/test_hooks.py b/api/tests/test_hooks.py
@@ -118,3 +118,31 @@ def test_build_hook(self):
         self.assertIn('release', response.data)
         self.assertIn('version', response.data['release'])
         self.assertIn('domains', response.data)
+
+    def test_config_hook(self):
+        """Test creating a Config via an API Hook"""
+        url = '/api/apps'
+        body = {'cluster': 'autotest'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        app_id = response.data['id']
+        url = '/api/apps/{app_id}/config'.format(**locals())
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('values', response.data)
+        values = response.data['values']
+        # prepare the config hook
+        config = {'username': 'autotest', 'app': app_id}
+        url = '/api/hooks/config'.format(**locals())
+        body = {'receive_user': 'autotest',
+                'receive_repo': app_id}
+        # post without a session
+        self.assertIsNone(self.client.logout())
+        response = self.client.post(url, json.dumps(body), content_type='application/json')
+        self.assertEqual(response.status_code, 403)
+        # post with the builder auth key
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_X_DEIS_BUILDER_AUTH=settings.BUILDER_KEY)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('values', response.data)
+        self.assertEqual(values, response.data['values'])
diff --git a/api/urls.py b/api/urls.py
@@ -165,6 +165,10 @@
 
   Create a new :class:`~api.models.Build`.
 
+.. http:post:: /api/hooks/config/
+
+  Retrieve latest application :class:`~api.models.Config`.
+
 
 Auth
 ====
@@ -279,6 +283,8 @@
         views.PushHookViewSet.as_view({'post': 'create'})),
     url(r'^hooks/build/?',
         views.BuildHookViewSet.as_view({'post': 'create'})),
+    url(r'^hooks/config/?',
+        views.ConfigHookViewSet.as_view({'post': 'create'})),
     # authn / authz
     url(r'^auth/register/?',
         views.UserRegistrationView.as_view({'post': 'create'})),
diff --git a/api/views.py b/api/views.py
@@ -512,3 +512,21 @@ def post_save(self, build, created=False):
             release = build.app.release_set.latest()
             new_release = release.new(build.owner, build=build)
             build.app.deploy(new_release)
+
+
+class ConfigHookViewSet(BaseHookViewSet):
+    """API hook to grab latest :class:`~api.models.Config`"""
+
+    model = models.Config
+    serializer_class = serializers.ConfigSerializer
+
+    def create(self, request, *args, **kwargs):
+        app = get_object_or_404(models.App, id=request.DATA['receive_repo'])
+        user = get_object_or_404(
+            User, username=request.DATA['receive_user'])
+        # check the user is authorized for this app
+        if user == app.owner or user in get_users_with_perms(app):
+            config =  app.release_set.latest().config
+            serializer = self.get_serializer(config)
+            return Response(serializer.data, status=status.HTTP_200_OK)
+        raise PermissionDenied()
