Hubot Drush me Drupal
Recently the company I work for shifted the bulk of our instant message communications over to Campfire, and established a series of rooms to discuss our various projects. This transition seemed to go fairly well, once everyone settled on their preferred client interface. I was used to using IRC and found a nice little Ruby gem that piped Campfire through my IRC client. Chatting in this environment quickly had me missing Druplicon, the friendly Drupal-fueled chat bot that tirelessly serves the Drupal IRC community. I decided to look for a replacement, and after some searching I stumbled upon Hubot, a Node.js-powered chat bot. It was initially built by the folks at GitHub and includes a long list of plugin scripts added by community developers. This was immediately appealing for several reasons:
- It is built using Node.js
- It is written in CoffeeScript (something I have wanted to try my hand at for a while)
- Additional scripts appeared easy to write and simple to plug in
- It has built-in Campfire integration
So I installed Hubot on a small server, with a handful of scripts that I thought would be useful and fun for our team. Adding the bot to our Campfire rooms was fairly painless, and after writing a small init script we were good to go. This sparked some discussion among our team about how the bot was deployed, cool ways it could be extended, and methods of use. A fellow developer, David Fells, mentioned that it would be handy if we could tell Hubot to execute Drush commands. This gave me pause, and after a quick:
"That's a great idea! You mind if I implement that?"
"Sure, go for it."
I found myself firing up my editor, trying a few test methods, and reading up on CoffeeScript. Things moved fairly quickly, once I got going. I realized
As you can imagine, there were, and are, several security concerns. The early prototype actually piped user commands right into Drush, which is a security nightmare. Any user with access to the bot could escape or pipe in any old Bash command directly through the bot. Further, any Drupal installation that Drush is aware of would be at the mercy of users who may or may not have the best intentions at heart. Needless to say, this approach was quickly abandoned in favor of a hand-picked list of commands made available to the bot. This made the code a bit more tedious, and likely less elegant, but I needed to ensure that Drush would be executing the allowed commands, and nothing more. After some discussion I also decided to weed the available commands down to a relatively innocuous set (giving information vs. actually changing something). I attempted to structure the code in a way that would make it easy for another developer to add commands. Overall, I'm pretty happy with the end result, and the pull request was soon accepted. You can find this script along with all of the other Hubot scripts on GitHub.
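
The hand-picked list approach described above, as an added sketch in plain Node.js JavaScript (this is not the CoffeeScript from the pull request). The command names in `ALLOWED`, the alias pattern, and the function names are assumptions chosen for illustration; the point is that chat text only selects a fixed argument vector and never reaches a shell.

```javascript
const { execFile } = require('child_process');

// Assumed allowlist: chat keyword -> fixed, read-only Drush argument vector.
// Adding a command means adding one entry here, nothing else.
const ALLOWED = {
  status: ['core-status'],
  modules: ['pm-list', '--status=enabled'],
  requirements: ['core-requirements'],
};

// Assumed site-alias format: "@" plus a conservative character set.
const ALIAS_RE = /^@[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Turn "drush [@alias] <keyword>" into an argv array, or null if rejected.
function buildDrushArgs(message) {
  const tokens = message.trim().split(/\s+/);
  if (tokens[0] !== 'drush') return null;
  const rest = tokens.slice(1);
  let alias = null;
  if (rest.length && rest[0].startsWith('@')) {
    alias = rest.shift();
    if (!ALIAS_RE.test(alias)) return null;
  }
  // Exactly one keyword; anything extra (";", "|", flags) is refused.
  if (rest.length !== 1) return null;
  // hasOwnProperty avoids matching inherited keys such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, rest[0])) return null;
  const args = ALLOWED[rest[0]].slice();
  return alias ? [alias, ...args] : args;
}

// execFile passes argv directly to the program, so no shell parses the input.
function runDrush(message, reply) {
  const args = buildDrushArgs(message);
  if (!args) return reply('Sorry, that Drush command is not available.');
  execFile('drush', args, { timeout: 30000 }, (err, stdout) => {
    reply(err ? 'Drush failed.' : stdout);
  });
}
```
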