Merge pull request #77 from buildkite/script-eval

Allow scripts sent from Buildkite to be evaluated

Author: keithpitt

buildkite/agent.go

@@ -30,6 +30,9 @@ type Agent struct {
 	// fingerprints
 	AutoSSHFingerprintVerification bool
 
+	// If this agent is allowed to perform script evaluation
+	ScriptEval bool
+
 	// Run jobs in a PTY
 	RunInPty bool
 

buildkite/agent_registration.go

@@ -15,6 +15,9 @@ type AgentRegistration struct {
 	// Operating system for this machine
 	OS string `json:"os"`
 
+	// If this agent is allowed to perform script evaluation
+	ScriptEval bool `json:"script_eval_enabled"`
+
 	// The priority of the agent
 	Priority string `json:"priority,omitempty"`
 
@@ -25,7 +28,7 @@ type AgentRegistration struct {
 	MetaData []string `json:"meta_data"`
 }
 
-func (c *Client) AgentRegister(name string, priority string, metaData []string) (string, error) {
+func (c *Client) AgentRegister(name string, priority string, metaData []string, scriptEval bool) (string, error) {
 	os, err := MachineOSDump()
 	hostname, err := MachineHostname()
 
@@ -36,6 +39,7 @@ func (c *Client) AgentRegister(name string, priority string, metaData []string)
 	registration.Hostname = hostname
 	registration.OS = os
 	registration.MetaData = metaData
+	registration.ScriptEval = scriptEval
 
 	Logger.WithFields(logrus.Fields{
 		"name":      registration.Name,

buildkite/job.go

@@ -130,41 +130,52 @@ func (j *Job) Run(agent *Agent) error {
 		// starts working during the actual build.
 	}
 
-	// This callback is called every second the build is running. This lets
-	// us do a lazy-person's method of streaming data to Buildkite.
-	callback := func(process *Process) {
-		j.Output = process.Output
+	if env["BUILDKITE_SCRIPT_MODE"] == "eval" && !agent.ScriptEval {
+		Logger.Infof("Job %s is not allowed to run, exiting.", j.ID)
 
-		// Post the update to the API
-		updatedJob, err := agent.Client.JobUpdate(j)
-		if err != nil {
-			// We don't really care if the job couldn't update at this point.
-			// This is just a partial update. We'll just let the job run
-			// and hopefully the host will fix itself before we finish.
-			Logger.Warnf("Problem with updating job %s (%s)", j.ID, err)
-		} else if updatedJob.State == "canceled" {
-			j.Kill()
+		// Show an error in the output
+		j.Output = "ERROR: This agent has not been allowed to evaluate scripts.\nRe-run this agent and remove the `--no-script-eval` option, or specify a script on the filesystem to run instead."
+
+		// Mark the build as finished
+		j.FinishedAt = time.Now().Format(time.RFC3339)
+		j.ExitStatus = "1"
+	} else {
+		// This callback is called every second the build is running. This lets
+		// us do a lazy-person's method of streaming data to Buildkite.
+		callback := func(process *Process) {
+			j.Output = process.Output
+
+			// Post the update to the API
+			updatedJob, err := agent.Client.JobUpdate(j)
+			if err != nil {
+				// We don't really care if the job couldn't update at this point.
+				// This is just a partial update. We'll just let the job run
+				// and hopefully the host will fix itself before we finish.
+				Logger.Warnf("Problem with updating job %s (%s)", j.ID, err)
+			} else if updatedJob.State == "canceled" {
+				j.Kill()
+			}
 		}
-	}
 
-	// Initialze our process to run
-	process := InitProcess(agent.BootstrapScript, envSlice, agent.RunInPty, callback)
+		// Initialze our process to run
+		process := InitProcess(agent.BootstrapScript, envSlice, agent.RunInPty, callback)
 
-	// Store the process so we can cancel it later.
-	j.process = process
+		// Store the process so we can cancel it later.
+		j.process = process
 
-	// Start the process. This will block until it finishes.
-	err = process.Start()
-	if err == nil {
-		// Store the final output
-		j.Output = j.process.Output
-	} else {
-		j.Output = fmt.Sprintf("%s", err)
-	}
+		// Start the process. This will block until it finishes.
+		err = process.Start()
+		if err == nil {
+			// Store the final output
+			j.Output = j.process.Output
+		} else {
+			j.Output = fmt.Sprintf("%s", err)
+		}
 
-	// Mark the build as finished
-	j.FinishedAt = time.Now().Format(time.RFC3339)
-	j.ExitStatus = j.process.ExitStatus
+		// Mark the build as finished
+		j.FinishedAt = time.Now().Format(time.RFC3339)
+		j.ExitStatus = j.process.ExitStatus
+	}
 
 	// Keep trying this call until it works. This is the most important one.
 	for {

command/agent_start.go

@@ -88,18 +88,23 @@ func AgentStartCommandAction(c *cli.Context) {
 		}
 	}
 
-	// Register the agent
-	agentAccessToken, err := client.AgentRegister(c.String("name"), c.String("priority"), agentMetaData)
-	if err != nil {
-		buildkite.Logger.Fatal(err)
-	}
-
 	// Set the agent options
 	var agent buildkite.Agent
 	agent.BootstrapScript = bootstrapScript
 	agent.BuildPath = buildPath
 	agent.RunInPty = !c.Bool("no-pty")
 	agent.AutoSSHFingerprintVerification = !c.Bool("no-automatic-ssh-fingerprint-verification")
+	agent.ScriptEval = !c.Bool("no-script-eval")
+
+	if !agent.ScriptEval {
+		buildkite.Logger.Info("Evaluating scripts has been disabled for this agent")
+	}
+
+	// Register the agent
+	agentAccessToken, err := client.AgentRegister(c.String("name"), c.String("priority"), agentMetaData, agent.ScriptEval)
+	if err != nil {
+		buildkite.Logger.Fatal(err)
+	}
 
 	// Client specific options
 	agent.Client.AuthorizationToken = agentAccessToken

commands.go

@@ -168,6 +168,10 @@ func init() {
 					Name:  "no-automatic-ssh-fingerprint-verification",
 					Usage: "Don't automatically verify SSH fingerprints",
 				},
+				cli.BoolFlag{
+					Name:  "no-script-eval",
+					Usage: "Don't allow this agent to evaluate scripts from Buildkite. Only scripts that exist on the file system will be allowed to run",
+				},
 				cli.StringFlag{
 					Name:   "endpoint",
 					Value:  "https://agent.buildkite.com/v2",

templates/bootstrap.sh

@@ -23,11 +23,13 @@ set -u
 
 BUILDKITE_PROMPT="\033[90m$\033[0m"
 
+# Shows the command being run, and runs it
 function buildkite-prompt-and-run {
   echo -e "$BUILDKITE_PROMPT $1"
   eval $1
 }
 
+# Shows the command about to be run, and exits if it fails
 function buildkite-run {
   echo -e "$BUILDKITE_PROMPT $1"
   eval $1
@@ -38,6 +40,28 @@ function buildkite-run {
   fi
 }
 
+# Only shows the command if DEBUG is on
+function buildkite-run-debug {
+  if [[ "$BUILDKITE_AGENT_DEBUG" == "true" ]]; then
+    echo -e "$BUILDKITE_PROMPT $1"
+    eval $1
+  else
+    eval $1
+  fi
+}
+
+# Outputs a header
+function buildkite-header {
+  echo -e "--- $1"
+}
+
+# Outputs a header only if DEBUG is on
+function buildkite-header-debug {
+  if [[ "$BUILDKITE_AGENT_DEBUG" == "true" ]]; then
+    buildkite-header "$1"
+  fi
+}
+
 ##############################################################
 #
 # PATH DEFAULTS
@@ -127,8 +151,9 @@ buildkite-run "git submodule update --init --recursive"
 buildkite-run "git submodule foreach --recursive git reset --hard"
 
 # Grab author and commit information and send it back to Buildkite
-buildkite-agent build-data set "buildkite:git:commit" "`git show "$BUILDKITE_COMMIT" -s --format=fuller --no-color`"
-buildkite-agent build-data set "buildkite:git:branch" "`git branch --contains "$BUILDKITE_COMMIT" --no-color`"
+buildkite-header-debug "Saving Git information"
+buildkite-run-debug "buildkite-agent build-data set \"buildkite:git:commit\" \"\`git show \"$BUILDKITE_COMMIT\" -s --format=fuller --no-color\`\""
+buildkite-run-debug "buildkite-agent build-data set \"buildkite:git:branch\" \"\`git branch --contains \"$BUILDKITE_COMMIT\" --no-color\`\""
 
 ##############################################################
 #
@@ -137,11 +162,22 @@ buildkite-agent build-data set "buildkite:git:branch" "`git branch --contains "$
 #
 ##############################################################
 
+# If we're evaluating a script, save it to the filesystem first
+if [[ "$BUILDKITE_SCRIPT_MODE" == "eval" ]]; then
+  BUILDKITE_SCRIPT_PATH="buildkite-script-$BUILDKITE_JOB_ID"
+
+  echo "$BUILDKITE_SCRIPT_TEXT" > $BUILDKITE_SCRIPT_PATH
+fi
+
+# Double check the file exists we want to run
 if [[ "$BUILDKITE_SCRIPT_PATH" == "" ]]; then
   echo "ERROR: No script to run. Please go to \"Project Settings\" and configure your build step's \"Script to Run\""
   exit 1
 fi
 
+# Make sure the script we're going to run is executable
+chmod +x $BUILDKITE_SCRIPT_PATH
+
 ## Docker
 if [[ ! -z "${BUILDKITE_DOCKER:-}" ]] && [[ "$BUILDKITE_DOCKER" != "" ]]; then
   DOCKER_CONTAINER="buildkite_"$BUILDKITE_JOB_ID"_container"