Merge pull request #35 from dependabot/jurre/force-requests-through-p…

…roxy Only allow requests through proxy
github · Oct 25, 2021 · a4826a3 · a4826a3
2 parents 7f41a6d + e8dd707
commit a4826a3
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 28 deletions.
diff --git a/__tests__/proxy-integration.test.ts b/__tests__/proxy-integration.test.ts
@@ -44,23 +44,26 @@ describe('ProxyBuilder', () => {
     const proxy = await builder.run(jobId, credentials)
     await proxy.container.start()
 
-    expect(proxy.networkName).toBe('dependabot-job-1-network')
+    expect(proxy.networkName).toBe('dependabot-job-1-internal-network')
     expect(proxy.url).toMatch(/^http:\/\/1:.+job-1-proxy:1080$/)
 
     const containerInfo = await proxy.container.inspect()
     expect(containerInfo.Name).toBe('/dependabot-job-1-proxy')
-    expect(containerInfo.HostConfig.NetworkMode).toBe(
-      'dependabot-job-1-network'
-    )
     expect(containerInfo.Config.Entrypoint).toEqual([
       'sh',
       '-c',
       '/usr/sbin/update-ca-certificates && /update-job-proxy'
     ])
 
     const networkInfo = await proxy.network.inspect()
-    expect(networkInfo.Name).toBe('dependabot-job-1-network')
-    expect(networkInfo.Internal).toBe(false)
+    expect(networkInfo.Name).toBe('dependabot-job-1-internal-network')
+    expect(networkInfo.Internal).toBe(true)
+
+    const networkNames = Object.keys(containerInfo.NetworkSettings.Networks)
+    expect(networkNames).toEqual([
+      'dependabot-job-1-external-network',
+      'dependabot-job-1-internal-network'
+    ])
 
     // run a bash command that executes docker and returns contents of /config.json
     const id = proxy.container.id

diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/dist/main/index.js.map b/dist/main/index.js.map
diff --git a/src/proxy.ts b/src/proxy.ts
@@ -65,10 +65,19 @@ export class ProxyBuilder {
     const config = this.buildProxyConfig(credentials, jobId)
     const cert = config.ca.cert
 
-    const networkName = `dependabot-job-${jobId}-network`
-    const network = await this.ensureNetwork(networkName)
-
-    const container = await this.createContainer(jobId, name, networkName)
+    const externalNetworkName = `dependabot-job-${jobId}-external-network`
+    const externalNetwork = await this.ensureNetwork(externalNetworkName, false)
+
+    const internalNetworkName = `dependabot-job-${jobId}-internal-network`
+    const internalNetwork = await this.ensureNetwork(internalNetworkName, true)
+
+    const container = await this.createContainer(
+      jobId,
+      name,
+      externalNetwork,
+      internalNetwork,
+      internalNetworkName
+    )
 
     await ContainerService.storeInput(
       CONFIG_FILE_NAME,
@@ -105,26 +114,27 @@ export class ProxyBuilder {
     const url = `http://${config.proxy_auth.username}:${config.proxy_auth.password}@${name}:1080`
     return {
       container,
-      network,
-      networkName,
+      network: internalNetwork,
+      networkName: internalNetworkName,
       url,
       cert,
       shutdown: async () => {
         await container.stop()
         await container.remove()
-        await network.remove()
+        await externalNetwork.remove()
+        await internalNetwork.remove()
       }
     }
   }
 
-  private async ensureNetwork(name: string): Promise<Network> {
+  private async ensureNetwork(name: string, internal = true): Promise<Network> {
     const networks = await this.docker.listNetworks({
       filters: JSON.stringify({name: [name]})
     })
     if (networks.length > 0) {
       return this.docker.getNetwork(networks[0].Id)
     } else {
-      return await this.docker.createNetwork({Name: name})
+      return await this.docker.createNetwork({Name: name, Internal: internal})
     }
   }
 
@@ -169,7 +179,9 @@ export class ProxyBuilder {
   private async createContainer(
     jobId: number,
     containerName: string,
-    networkName: string
+    externalNetwork: Network,
+    internalNetwork: Network,
+    internalNetworkName: string
   ): Promise<Container> {
     const container = await this.docker.createContainer({
       Image: this.proxyImage,
@@ -184,10 +196,12 @@ export class ProxyBuilder {
       ],
 
       HostConfig: {
-        NetworkMode: networkName
+        NetworkMode: internalNetworkName
       }
     })
 
+    await externalNetwork.connect({Container: container.id})
+
     core.info(`Created proxy container: ${container.id}`)
     return container
   }