First safety features

commit df542a7fb1cc41ae1b9a6490032d1b75ca60b426 1 parent 03a1457
Jeroen van Dijk authored
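--- a/README.md
+++ b/README.md
@@ -0,0 +1,19 @@
+# Travis-VM
+
+This is alpha work only use when you know what you are doing :)
+
+## Getting started
+
+* Install Virtualbox v4
+* Clone this directory
+* Run the following commands
+
+ gem install vagrant
+ vagrant up
+
+ # wait a bit
+
+ vagrant ssh
+ cd travis-vm/travis-runner
+ bundle exec cucumber features
+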
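--- a/Vagrantfile
+++ b/Vagrantfile
@@ -7,7 +7,7 @@ Vagrant::Config.run do |config|
 vm.memory_size = 1024
 end
- config.vm.share_folder('travis-runner', 'travis-runner', 'travis-runner')
+ config.vm.share_folder('travis-runner', 'travis-vm', '.')
 config.vm.forward_port("ssh", 22, 1234)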
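Review bot: The new `config.vm.share_folder('travis-runner', 'travis-vm', '.')` line exposes the whole checkout, including the Vagrantfile and the cookbooks, inside the guest that is meant to run untrusted build scripts, where the previous line shared only `travis-runner`. If the mount is writable from the guest (the hunk sets no mount options, so this depends on the provider defaults), anything that reaches the vagrant account can alter provisioning code on the host. Sharing only what the runner needs keeps that boundary narrower, e.g. `config.vm.share_folder('travis-runner', 'travis-vm/travis-runner', 'travis-runner')`. The `Vagrant::Config.run` block starts and ends outside the hunk.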
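--- a/cookbooks/travis_runner/recipes/default.rb
+++ b/cookbooks/travis_runner/recipes/default.rb
@@ -1,13 +1,84 @@
-user "runner"
+require_recipe "rails_test_databases"
-# Add vagrant to group of runner so it can go there
-# Install RVM under the runner user
-# Backup the home dir of runner
+require_recipe "rvm"
-Add to put the following line under auto wlan0 or auto eth0 in /etc/network/interfaces
-
- pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner username -j DROP
+node[:rubies].each do |version|
+ rvm_install version
+end
-run command:
+rvm_default node[:rubies].first
- sudo iptables -A OUTPUT -p tcp -m owner --uid-owner username -j DROP
+execute "gem install bundler" do
+ user "vagrant"
+ cwd "home/vagrant"
+ not_if "gem list | bundler"
+end
+
+execute "bundle install" do
+ user "vagrant"
+ cwd "/home/vagrant/travis-vm/travis-runner"
+ not_if "bundle check"
+end
+
+
+
+travis_runner = "runner"
+
+execute "Add the worker to the runner group" do
+ command "usermod -a -G #{travis_runner} vagrant"
+ not_if "grep #{travis_runner} /etc/group | grep vagrant"
+end
+
+user travis_runner do
+ shell "/bin/bash"
+ home "/home/#{travis_runner}"
+end
+
+# Easy interface for determining permissions code
+# http://service.futurequest.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=27
+
+# Make the runners home dir readable and executable by the group, but not writable (only the workspace)
+directory "/home/#{travis_runner}" do
+ owner travis_runner
+ group travis_runner
+ mode "550"
+ action :create
+end
+
+# Copy the home directory so the runner will also have RVM installed
+execute "cp -r /home/vagrant/.rvm /home/#{travis_runner}/.rvm" do
+ not_if { File.exists?("/home/#{travis_runner}/.rvm") }
+end
+
+execute "chown -R #{travis_runner}:#{travis_runner} /home/#{travis_runner}/.rvm"
+# Only allow read and execution of the .rvm files, no changes
+execute "chmod -R 500 /home/#{travis_runner}/.rvm"
+
+# Let them do anything they want with the workspace (we will create it every time again)
+directory "/home/#{travis_runner}/workspace" do
+ owner travis_runner
+ group travis_runner
+ mode "770"
+ action :create
+end
+
+execute "cp /home/vagrant/.bash_profile /home/#{travis_runner}/.bash_profile" do
+ not_if { File.exists?("/home/#{travis_runner}/.bash_profile") }
+end
+
+# Make the following files readable and executable for both the owner and the group
+# .bashrc
+%w(.bash_profile).each do |file|
+ execute "chown #{travis_runner}:#{travis_runner} /home/#{travis_runner}/#{file}"
+ execute "chmod 550 /home/#{travis_runner}/#{file}"
+end
+
+## Network safety
+
+# Add to put the following line under auto wlan0 or auto eth0 in /etc/network/interfaces
+#
+# pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner username -j DROP
+#
+# run command:
+#
+# sudo iptables -A OUTPUT -p tcp -m owner --uid-owner username -j DROP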
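Review bot: The `## Network safety` section at the end is still only a comment, so nothing in this recipe restricts outbound traffic from the `runner` account, and the documented rule covers TCP only and names a literal `username`. Turning it into a resource, e.g. `execute "iptables -A OUTPUT -p tcp -m owner --uid-owner #{travis_runner} -j DROP"` with a `not_if` guard so the rule is not appended on every converge, would enforce what the comment describes; UDP needs its own decision. Separately, `cwd "home/vagrant"` is a relative path and `not_if "gem list | bundler"` pipes into `bundler` instead of `grep bundler`, so the first `execute` guard does not test what it appears to. The `usermod -a -G #{travis_runner} vagrant` resource is also declared before `user travis_runner`, so on a fresh node the group presumably does not exist yet when it runs.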
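--- a/cookbooks/vagrant_main/recipes/default.rb
+++ b/cookbooks/vagrant_main/recipes/default.rb
@@ -4,12 +4,5 @@
 require_recipe "zlib"
 require_recipe "curl"
-require_recipe "rails_test_databases"
+require_recipe "travis_runner"
-require_recipe "rvm"
-
-node[:rubies].each do |version|
- rvm_install version
-end
-
-rvm_default node[:rubies].first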
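--- a/travis-runner/Gemfile
+++ b/travis-runner/Gemfile
@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in travis-runner.gemspec
+gemspec
+
+gem "thor"
+gem "rspec"
+gem "aruba"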
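Review bot: `source "http://rubygems.org"` fetches gems over plain HTTP, so the dependencies installed into the build VM are not protected against tampering in transit; use `source "https://rubygems.org"`. The three added gems are also unversioned, so adding version constraints (or committing a Gemfile.lock, which this commit does not show) would make the runner's dependency set reproducible.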
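--- a/travis-runner/Rakefile
+++ b/travis-runner/Rakefile
@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks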
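--- a/travis-runner/bin/runner
+++ b/travis-runner/bin/runner
@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'travis-runner'
+
+Travis::Runner::Base.start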
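--- a/travis-runner/bin/safety_check
+++ b/travis-runner/bin/safety_check
@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'travis-runner'
+
+Travis::Runner::Base.start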
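Review bot: `bin/safety_check` is identical to `bin/runner` and only calls `Travis::Runner::Base.start`, so running it performs no check of its own, and the `safety_check` task it is named after has an empty body in lib/travis-runner.rb. A header comment such as `# Placeholder: no safety checks are implemented yet` would keep the name from suggesting assurance that is not there.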
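--- a/travis-runner/features/builds.feature
+++ b/travis-runner/features/builds.feature
@@ -0,0 +1,16 @@
+Feature: Building repos
+ In order to have high code quality for open source projects
+ As a CI service provider
+ I want to run test suites for many projects
+
+Scenario: Running a custom build script
+ Given a file named "/home/runner/workspace/build.rb" with:
+ """
+ puts 'test suite is passing'
+ """
+ And a file named ".travis.yml" with:
+ """
+ script: ruby build.rb
+ """
+ When I run "runner build"
+ Then the output should contain "test suite is passing"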
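--- a/travis-runner/features/safety.feature
+++ b/travis-runner/features/safety.feature
@@ -0,0 +1,27 @@
+Feature: Safety
+
+ Scenario: Running a custom build script
+ Given a file named "/home/runner/build.rb" with:
+ """
+ puts 'test suite is passing'
+ """
+ And a file named ".travis.yml" with:
+ """
+ script: ruby build.rb
+ """
+ When I run "runner build"
+ Then the output should contain "test suite is passing"
+
+
+ Scenario: Make .rvm directory not removable
+ Given a file named ".travis.yml" with:
+ """
+ script: rm -rf *
+ """
+ When I run "runner build"
+ Then the following directories should exist:
+ | /home/runner/.rvm |
+ And the following files should exist:
+ | /home/runner/.bashrc |
+ | /home/runner/.bash_login |
+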
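Review bot: The `Make .rvm directory not removable` scenario passes whether or not the permission hardening works, because `rm -rf *` does not expand to dot-entries and `build` changes into the workspace first, so `.rvm` is never a target of the command. The scenario should name the protected path, e.g. `script: rm -rf /home/runner/.rvm /home/runner/.bash_profile`, and assert that it still exists afterwards. It also expects `/home/runner/.bashrc` and `/home/runner/.bash_login`, which the travis_runner recipe in this commit never creates (it copies only `.bash_profile`). The `Protect .rvm directory` scenario in features/security.feature has the same glob problem.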
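--- a/travis-runner/features/security.feature
+++ b/travis-runner/features/security.feature
@@ -0,0 +1,29 @@
+Feature: Secure environment
+ In order to allow builds for everyone
+ As a service provider
+ I want to prevent safety exploits
+
+ Scenario: Protect .rvm directory
+ Given a file named ".travis.yml" with:
+ """
+ script: rm -rf *
+ """
+ When I run "runner build"
+ Then the following directories should exist:
+ | /home/runner/.rvm |
+ And the following files should exist:
+ | /home/runner/.bash_profile |
+
+ Scenario: Protect all root directories
+ Given a file named ".travis.yml" with:
+ """
+ script: cd /; rm -rf *
+ """
+ When I run "runner build"
+ Then the following directories should exist:
+ | /home/runner/ |
+ | /home/vagrant/ |
+
+
+
+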
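Review bot: The `Protect all root directories` scenario asserts only that `/home/runner/` and `/home/vagrant/` still exist, which says nothing about whether their contents or other top-level directories survived the command. Asserting on specific files that the runner must not be able to touch, for example `/home/vagrant/.bash_profile` in a `the following files should exist:` table, would make a failed protection visible. Since the step really executes in the VM, a comment stating that this feature must only be run inside a disposable guest would also help.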
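--- a/travis-runner/features/support/env.rb
+++ b/travis-runner/features/support/env.rb
@@ -0,0 +1,13 @@
+
+
+require 'aruba/cucumber'
+
+module WorldExtensions
+
+ def dirs
+ @dirs ||= "/home/runner/workspace"
+ end
+
+end
+
+World(WorldExtensions)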
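--- a/travis-runner/lib/travis-runner.rb
+++ b/travis-runner/lib/travis-runner.rb
@@ -1,20 +1,56 @@
-class TravisRunner < Thor::Group
- USER = "travis_runner"
- USER_HOME = "/home/#{USER}"
- BACKUP_HOME_DIR = "/home/vagrant/travis_runner.bak"
+require 'thor'
+require 'rspec-expectations'
+require 'open3'
- def run
- clean_up_runner_dir
- clean_up_runner_dir
- # su travis_runner -c "source build_file"
+module Travis
+ module Runner
+ class Base < Thor
+ USER = "runner"
+ USER_HOME = "/home/#{USER}"
+ USER_WORKSPACE = "#{USER_HOME}/workspace"
- end
+ desc "hjhkhkj", "kjhkh"
+ def safety_check
+ # "test".should == "test1"
+ end
+
+ desc "Builsad", "sadfkasd"
+ def build
+ travis_config_file = File.join(USER_WORKSPACE, ".travis.yml")
+
+ if File.exist?(travis_config_file)
+ configuration = YAML.load_file(travis_config_file)
+ build_command = configuration["script"]
+ end
+
+ build_command ||= "rake"
+ # files = Dir.glob("#{USER_HOME}/*", File::FNM_DOTMATCH).reject { |p| p =~ %r{#{USER_HOME}/\.+$} }
+ # FileUtils.rm_r(files, :force => true, :secure => true)
+
+ bash = <<-BASH
+ cd #{USER_WORKSPACE}
+ #{build_command}
+ exit
+ BASH
+
+
+ Open3.popen3("sudo su #{USER} -c '#{bash}'") do |stdin, out, err, external|
+ while line = err.gets || out.gets do
+ print line
+ end
+ end
+ # clean_up_runner_dir
+ # clean_up_runner_dir
+ # # su travis_runner -c "source build_file"
+ # sudo su runner bash -c "cd ;pwd; source ~/.bash_profile; which ruby"
+ end
- private
+ private
- def clean_up_runner_dir
- FileUtils.rm_r USER_HOME
- FileUtils.cp_r "#{BACKUP_HOME_DIR}/.", BACKUP_HOME_DIR
- FileUtils.chown_R USER, USER, USER_HOME
+ def clean_up_runner_dir
+ FileUtils.rm_r USER_HOME
+ end
+
 end
+ end
 end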
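Review bot: In `build`, the `script` value read from the repository's `.travis.yml` is interpolated into `"sudo su #{USER} -c '#{bash}'"` and handed to a shell, so a value containing a single quote ends the quoted argument and the remainder is interpreted by the invoking, sudo-capable user's shell rather than as `runner`. Passing an argument vector avoids the outer shell entirely: `Open3.popen3("sudo", "su", USER, "-c", bash) do |stdin, out, err, external|`. `YAML.load_file` on the same untrusted file can instantiate arbitrary Ruby objects on some YAML versions, so `YAML.safe_load(File.read(travis_config_file))` is the safer call, and the file itself requires neither `yaml` nor `fileutils` (which `clean_up_runner_dir` uses). The `while line = err.gets || out.gets` loop blocks on stderr first, which can presumably stall a build that fills the stdout pipe while printing nothing to stderr.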
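--- a/travis-runner/lib/travis-runner/version.rb
+++ b/travis-runner/lib/travis-runner/version.rb
@@ -0,0 +1,5 @@
+module Travis
+ module Runner
+ VERSION = "0.0.1"
+ end
+end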
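--- a/travis-runner/tmp/aruba/.travis.yml
+++ b/travis-runner/tmp/aruba/.travis.yml
@@ -0,0 +1 @@
+script: ruby build.rb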
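--- a/travis-runner/tmp/aruba/build.rb
+++ b/travis-runner/tmp/aruba/build.rb
@@ -0,0 +1 @@
+puts 'hi'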
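--- a/travis-runner/travis-runner.gemspec
+++ b/travis-runner/travis-runner.gemspec
@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "travis-runner/version"
+
+Gem::Specification.new do |s|
+ s.name = "travis-runner"
+ s.version = Travis::Runner::VERSION
+ s.platform = Gem::Platform::RUBY
+ s.authors = ["TODO: Write your name"]
+ s.email = ["TODO: Write your email address"]
+ s.homepage = ""
+ s.summary = %q{TODO: Write a gem summary}
+ s.description = %q{TODO: Write a gem description}
+
+ s.rubyforge_project = "travis-runner"
+
+ s.files = `git ls-files`.split("\n")
+ s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+ s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+ s.require_paths = ["lib"]
+end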