Switch to using environment variables to pass information to the build node, this closes down a security loophole with the admin endpoint of the server.

buildserver/buildserver.py

@@ -6,7 +6,7 @@ import re
 import requests
 import json
 
-from flask import Flask, request, jsonify, url_for, abort, make_response
+from flask import Flask, jsonify, url_for, abort, make_response
 from zipfile import ZipFile
 from tempfile import TemporaryFile, mkdtemp
 from uuid import uuid4
@@ -134,16 +134,19 @@ MIME_PROCESSORS = {
 }
 
 
-builds = {}
+build = {
+  'total_commands': None,
+  'total_images': None,
+  'current_command': None,
+  'current_image': None,
+  'image_completion_percent': None,
+  'status': 'waiting',
+  'message': None,
+}
 pool = ThreadPool(1)
 
 
-@app.route('/build/', methods=['POST'])
-def start_build():
-  resource_url = request.values['resource_url']
-  tag_name = request.values['tag']
-  acccess_token = request.values['token']
-
+def start_build(resource_url, tag_name, acccess_token):
   # Save the token
   host = re.match(r'([a-z0-9.:]+)/.+/.+$', tag_name)
   if host:
@@ -160,8 +163,7 @@ def start_build():
       dockercfg.write(json.dumps(payload))
 
   else:
-    logger.warning('Invalid tag name: %s' % tag_name)
-    abort(400)
+    raise Exception('Invalid tag name: %s' % tag_name)
 
   docker_resource = requests.get(resource_url)
   c_type = docker_resource.headers['content-type']
@@ -170,8 +172,7 @@ def start_build():
               (c_type, tag_name))
 
   if c_type not in MIME_PROCESSORS:
-    logger.error('Invalid dockerfile content type: %s' % c_type)
-    abort(400)
+    raise Exception('Invalid dockerfile content type: %s' % c_type)
 
   build_dir = MIME_PROCESSORS[c_type](docker_resource)
 
@@ -179,43 +180,34 @@ def start_build():
   num_steps = count_steps(dockerfile_path)
   logger.debug('Dockerfile had %s steps' % num_steps)
 
-  job_id = str(uuid4())
-  logger.info('Sending job to builder pool: %s' % job_id)
+  logger.info('Sending job to builder pool.')
+  build['total_commands'] = num_steps
 
-  result_object = {
-    'id': job_id,
-    'total_commands': num_steps,
-    'total_images': None,
-    'current_command': None,
-    'current_image': None,
-    'image_completion_percent': None,
-    'status': 'waiting',
-    'message': None,
-  }
-  builds[job_id] = result_object
   pool.apply_async(build_image, [build_dir, tag_name, num_steps,
-                                 result_object])
-
-  resp = make_response('Created', 201)
-  resp.headers['Location'] = url_for('get_status', job_id=job_id)
-  return resp
-
-
-@app.route('/build/<job_id>')
-def get_status(job_id):
-  if job_id not in builds:
-    abort(400)
-
-  return jsonify(builds[job_id])
+                                 build])
 
 
 @app.route('/build/', methods=['GET'])
-def get_all_status():
-  return jsonify({
-    'builds': builds,
-  })
+def get_status():
+  if build:
+    return jsonify(build)
+  abort(404)
+
+
+@app.route('/status/', methods=['GET'])
+def health_check():
+  return make_response('Running')
 
 
 if __name__ == '__main__':
   logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
-  app.run(host='0.0.0.0', port=5002, debug=True, threaded=True)
+  resource_url = os.environ['RESOURCE_URL']
+  tag_name = os.environ['TAG']
+  acccess_token = os.environ['TOKEN']
+
+  logger.debug('Starting job with resource url: %s tag: %s and token: %s' %
+               (resource_url, tag_name, acccess_token))
+
+  start_build(resource_url, tag_name, acccess_token)
+
+  app.run(host='0.0.0.0', port=5002)