Update build artifact extraction for new enum types

Signed-off-by: Robert Detjens <github@detjens.dev>

Author: detjensrobert

src/access_handlers/docker.rs

@@ -23,6 +23,7 @@ pub async fn check(profile_name: &str) -> Result<()> {
     let registry_config = &get_config()?.registry;
 
     let client = docker().await?;
+
     // build test image string
     // registry.example.com/somerepo/testimage:pleaseignore
     let test_image = format!("{}/credstestimage", registry_config.domain);

src/builder/artifacts.rs

@@ -18,7 +18,7 @@ use crate::configparser::challenge::{ChallengeConfig, ProvideConfig};
 pub async fn extract_asset(
     chal: &ChallengeConfig,
     provide: &ProvideConfig,
-    // pod_containers:
+    profile_name: &str,
 ) -> Result<Vec<PathBuf>> {
     // This needs to handle three cases * 2 sources:
     //   - single or multiple files without renaming (no as: field)
@@ -31,36 +31,104 @@ pub async fn extract_asset(
     // TODO: since this puts artifacts in the repo source folder, this should
     // try to not overwrite any existing files.
 
-    // debug!("extracting assets from container {}", &container.name);
+    debug!(
+        "extracting assets for challenge {:?} provide {:?}",
+        chal.directory, &provide
+    );
 
     let docker = docker().await?;
 
     match provide {
+        // Repo file paths are relative to the challenge directory, so prepend chal dir
+
         // No action necessary, return path as-is
-        ProvideConfig::FromRepo { files } => Ok(files.clone()),
+        ProvideConfig::FromRepo { files } => {
+            Ok(files.iter().map(|f| chal.directory.join(f)).collect_vec())
+        }
         ProvideConfig::FromRepoRename { from, to } => {
-            std::fs::rename(from, to)?;
+            std::fs::copy(chal.directory.join(from), chal.directory.join(to))
+                .with_context(|| format!("could not copy repo file {from:?} to {to:?}"))?;
             Ok(vec![to.clone()])
         }
         ProvideConfig::FromRepoArchive {
             files,
             archive_name,
         } => {
-            zip_files(archive_name, files)?;
+            zip_files(
+                &chal.directory.join(archive_name),
+                &files.iter().map(|f| chal.directory.join(f)).collect_vec(),
+            )
+            .with_context(|| format!("could not create archive {archive_name:?}"))?;
             Ok(vec![archive_name.clone()])
         }
 
-        ProvideConfig::FromContainer { container, files } => extract_files(chal, container, files),
+        ProvideConfig::FromContainer {
+            container: container_name,
+            files,
+        } => {
+            let tag = chal.container_tag_for_pod(profile_name, container_name)?;
+
+            let name = format!(
+                "asset-container-{}-{}",
+                chal.directory.to_string_lossy().replace("/", "-"),
+                container_name
+            );
+            let container = docker::create_container(&tag, &name).await?;
+
+            let files = extract_files(chal, &container, files).await;
+
+            docker::remove_container(container).await?;
+
+            files
+        }
+        .with_context(|| format!("could not copy files {files:?} from container {container_name}")),
+
         ProvideConfig::FromContainerRename {
-            container,
+            container: container_name,
             from,
             to,
-        } => extract_rename(chal, container, from, to),
+        } => {
+            let tag = chal.container_tag_for_pod(profile_name, container_name)?;
+
+            let name = format!(
+                "asset-container-{}-{}",
+                chal.directory.to_string_lossy().replace("/", "-"),
+                container_name
+            );
+            let container = docker::create_container(&tag, &name).await?;
+
+            let files = extract_rename(chal, &container, from, &chal.directory.join(to)).await;
+
+            docker::remove_container(container).await?;
+
+            files
+        }
+        .with_context(|| format!("could not copy file {from:?} from container {container_name}")),
+
         ProvideConfig::FromContainerArchive {
-            container,
+            container: container_name,
             files,
             archive_name,
-        } => extract_archive(chal, container, files, archive_name),
+        } => {
+            let tag = chal.container_tag_for_pod(profile_name, container_name)?;
+
+            let name = format!(
+                "asset-container-{}-{}",
+                chal.directory.to_string_lossy().replace("/", "-"),
+                container_name
+            );
+            let container = docker::create_container(&tag, &name).await?;
+
+            let files =
+                extract_archive(chal, &container, files, &chal.directory.join(archive_name)).await;
+
+            docker::remove_container(container).await?;
+
+            files
+        }
+        .with_context(|| {
+            format!("could not create archive {archive_name:?} from container {container_name}")
+        }),
     }
 }
 
@@ -114,14 +182,17 @@ async fn extract_archive(
     );
 
     // copy all listed files to tempdir
-    let tempdir = tempdir_in(".")?;
+    let tempdir = tempfile::Builder::new()
+        .prefix(".beavercds-archive-")
+        .tempdir_in(".")?;
     let copied_files = try_join_all(files.iter().map(|from| async {
         let to = tempdir.path().join(from.file_name().unwrap());
         docker::copy_file(container, from, &to).await
     }))
     .await?;
 
-    zip_files(&chal.directory.join(archive_name), &copied_files)?;
+    // archive_name already has the chal dir prepended
+    zip_files(archive_name, &copied_files)?;
 
     Ok(vec![chal.directory.join(archive_name)])
 }

src/builder/docker.rs

@@ -122,7 +122,6 @@ pub async fn push_image(image_tag: &str, creds: &UserPass) -> Result<String> {
     Ok(tag.to_string())
 }
 
-#[tokio::main(flavor = "current_thread")] // make this a sync function
 pub async fn create_container(image_tag: &str, name: &str) -> Result<ContainerInfo> {
     debug!("creating container {name:?} from image {image_tag:?}");
     let client = docker().await?;
@@ -143,7 +142,6 @@ pub async fn create_container(image_tag: &str, name: &str) -> Result<ContainerIn
     })
 }
 
-#[tokio::main(flavor = "current_thread")] // make this a sync function
 pub async fn remove_container(container: ContainerInfo) -> Result<()> {
     debug!("removing container {}", &container.name);
     let client = docker().await?;
@@ -182,7 +180,10 @@ pub async fn copy_file(container: &ContainerInfo, from: &Path, to: &Path) -> Res
         });
 
     // collect byte stream chunks into full file
-    let mut temptar = Builder::new().suffix(".tar").tempfile_in(".")?;
+    let mut temptar = Builder::new()
+        .prefix(".beavercds-")
+        .suffix(".tar")
+        .tempfile_in(".")?;
     while let Some(chunk) = dl_stream.next().await {
         temptar.as_file_mut().write_all(&chunk?)?;
     }

src/builder/mod.rs

@@ -3,7 +3,8 @@
 
 use anyhow::{anyhow, Context, Error, Result};
 use bollard::image::BuildImageOptions;
-use futures::stream::Iter;
+use futures::future::try_join_all;
+use futures::stream::{FuturesOrdered, Iter};
 use itertools::Itertools;
 use simplelog::*;
 use std::default;
@@ -123,55 +124,21 @@ fn build_challenge(
     if extract_artifacts {
         info!("extracting build artifacts for chal {:?}", chal.directory);
 
-        // let (provide_container, provide_static): (Vec<_>, Vec<_>) =
-        //     chal.provide.iter().partition(|p| p.from.is_some());
-
-        // let extracted_files = provide_container
-        //     .iter()
-        //     // associate container `Provide` entries with their corresponding container image
-        //     .map(|provide| {
-        //         (
-        //             provide,
-        //             chal.container_tag_for_pod(profile_name, provide.from.as_ref().unwrap()),
-        //         )
-        //     })
-        //     // extract each container provide entry
-        //     .map(|(p, tag)| {
-        //         let tag = tag?;
-
-        //         let name = format!(
-        //             "asset-container-{}-{}",
-        //             chal.directory.to_string_lossy().replace("/", "-"),
-        //             p.from.clone().unwrap()
-        //         );
-        //         let container = docker::create_container(&tag, &name)?;
-
-        //         let asset_result =
-        //             artifacts::extract_asset(chal, p, &container).with_context(|| {
-        //                 format!(
-        //                     "failed to extract build artifacts for chal {:?} container {:?}",
-        //                     chal.directory,
-        //                     p.from.clone().unwrap()
-        //                 )
-        //             });
-
-        //         // clean up container even if it failed
-        //         docker::remove_container(container)?;
-
-        //         asset_result
-        //     })
-        //     .flatten_ok()
-        //     .collect::<Result<Vec<_>>>()?;
-
-        // // handle potentially zipping up local files as well
-        // let local_files = provide_static.iter().map(|provide| {
-        //     match provide.as_file.as_ref() {
-        //         // no archiving needed, pass files as-is
-        //         None => Ok(provide.include.clone()),
-        //         // need to archive multiple files into zip
-        //         Some(as_) => artifacts::zip_files(as_, provide.include.as_ref()).map(|z| vec![z]),
-        //     }
-        // });
+        // extract each challenge provide entry
+        // this handles both local files and from build containers
+        let extracted_files = chal
+            .provide
+            .iter()
+            .map(|p| {
+                artifacts::extract_asset(chal, p, profile_name).with_context(|| {
+                    format!(
+                        "failed to extract build artifacts for chal {:?}",
+                        chal.directory,
+                    )
+                })
+            })
+            .flatten_ok()
+            .collect::<Result<Vec<_>>>()?;
 
         info!("extracted artifacts: {:?}", built.assets);
     }

src/configparser/challenge.rs

@@ -180,6 +180,7 @@ enum FlagType {
 }
 
 // Parse each distinct kind of Provide action as a separate enum variant
+// TODO: enforce relative/absolute paths for repo/container Provide's (`validator` crate?)
 #[derive(Debug, PartialEq, Serialize, Deserialize)]
 #[serde(untagged, deny_unknown_fields)]
 #[fully_pub]

src/tests/parsing/challenges.rs

@@ -231,8 +231,7 @@ fn challenge_provide() {
 
                 - from: container
                   as: pears
-                  include:
-                    - /usr/lib/peaches
+                  include: /usr/lib/peaches
 
                 - from: container
                   as: shells.zip

tests/repo/rcds.yaml

@@ -22,9 +22,9 @@ points:
 deploy:
   # control challenge deployment status explicitly per environment/profile
   testing:
-    misc/garf: true
+    # misc/garf: true
     pwn/notsh: true
-    web/bar: true
+    # web/bar: true
 
 profiles:
   # configure per-environment credentials etc