added the ability to prohibit network access for code submissions executed using Docker

Hauke Klement
2015-03-17 17:14:25 +01:00
parent b1218e0b80
commit 15d8984a9e
12 changed files with 41 additions and 4 deletions


@@ -6,6 +6,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_coffee
help
name 'CoffeeScript'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'coffee'
@@ -19,6 +20,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_html
help
name 'HTML5'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'touch'
@@ -34,6 +36,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_java
help
name 'Java 8'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'make run'
@@ -49,6 +52,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_rb
help
name 'JRuby 1.7'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'jruby %{filename}'
@@ -64,6 +68,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_js
help
name 'Node.js'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'node %{filename}'
@@ -77,6 +82,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_py
help
name 'Python 3.4'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'python3 %{filename}'
@@ -92,6 +98,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_rb
help
name 'Ruby 2.2'
network_enabled false
permitted_execution_time 10.seconds
pool_size 0
run_command 'ruby %{filename}'
@@ -108,6 +115,7 @@ FactoryGirl.define do
exposed_ports '4567'
help
name 'Sinatra'
network_enabled true
permitted_execution_time 15.minutes
pool_size 0
run_command 'ruby %{filename}'
@@ -123,6 +131,7 @@ FactoryGirl.define do
association :file_type, factory: :dot_sql
help
name 'SQLite'
network_enabled false
permitted_execution_time 1.minute
pool_size 0
run_command 'sqlite3 /database.db -init %{filename} -html'
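Review bot: In the Sinatra hunk (`@@ -108,6 +115,7 @@`), `network_enabled true` is the only exception to the otherwise network-off fixtures, and nothing records why. If the reason is the `exposed_ports '4567'` line above it, a one-line comment would say so, for example `# network stays on: the exposed port must be reachable`. That fixture also has the longest `permitted_execution_time` (15 minutes), so it is the one where an undocumented exception is most likely to be copied into a new environment unnoticed. The enclosing `FactoryGirl.define` block starts and ends outside the hunks shown.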


@@ -36,6 +36,10 @@ describe DockerClient, docker: true do
expect(container_creation_options).to include('Memory' => execution_environment.memory_limit.megabytes)
end
it 'specifies whether network access is enabled' do
expect(container_creation_options).to include('NetworkDisabled' => !execution_environment.network_enabled?)
end
it 'specifies to open the standard input stream once' do
expect(container_creation_options).to include('OpenStdin' => true, 'StdinOnce' => true)
end
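Review bot: The expectation in 'specifies whether network access is enabled' derives its expected value from `execution_environment.network_enabled?`, so it passes for whichever value the fixture carries and never pins the deny case by itself. Because this flag is the isolation control for submitted code, I would add an example built with `network_enabled: false` that asserts the literal `expect(container_creation_options).to include('NetworkDisabled' => true)`, plus the mirror case for an enabled environment. The fixture behind `execution_environment` and the enclosing `describe` block are outside the hunk, so it is not visible here which of the two cases is exercised today.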


@@ -1,7 +1,7 @@
require 'rails_helper'
describe ExecutionEnvironment do
let(:execution_environment) { described_class.create }
let(:execution_environment) { described_class.create.tap { |execution_environment| execution_environment.update(network_enabled: nil) } }
it 'validates that the Docker image works', docker: true do
expect(execution_environment).to receive(:validate_docker_image?).and_return(true)
@@ -32,6 +32,10 @@ describe ExecutionEnvironment do
expect(execution_environment.errors[:name]).to be_present
end
it 'validates the presence of the network enabled flag' do
expect(execution_environment.errors[:network_enabled]).to be_present
end
it 'validates the numericality of the permitted run time' do
execution_environment.update(permitted_execution_time: Math::PI)
expect(execution_environment.errors[:permitted_execution_time]).to be_present
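Review bot: Setting `network_enabled` to nil belongs inside the new presence example, not in the shared `let(:execution_environment)`, where it now changes the subject of every example in this spec. The numericality example below already uses that pattern with `execution_environment.update(permitted_execution_time: Math::PI)`. The presence example could likewise start with `execution_environment.update(network_enabled: nil)`, and the `let` could stay `described_class.create`. The model's validation is not part of this section, so whether a plain `create` already leaves the flag invalid cannot be confirmed from here.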