k-space/doorboy-proxy
11
0
Fork 1
Code Issues 3 Pull Requests 1 Projects Activity

fix slack-kube auth

Browse Source 
1. reorder slack auth methods
2. refactor + fix kube slack lookup
This commit is contained in:
Rasmus Kallas
2026-06-11 23:03:05 +03:00
parent 973c6ac390
commit c5d4f603e2
3 changed files with 33 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/doorboy-proxy.py
View File

@@ -171,6 +171,8 @@ async def swipe(request):
key = request.headers.get("KEY") key = request.headers.get("KEY")
data = request.json data = request.json
doors = set() doors = set()
# this mapping also duplicated to slack.py
if key == DOORBOY_SECRET_FLOOR: if key == DOORBOY_SECRET_FLOOR:
doors.update(["backdoor", "frontdoor", "grounddoor"]) doors.update(["backdoor", "frontdoor", "grounddoor"])
if key == DOORBOY_SECRET_WORKSHOP: if key == DOORBOY_SECRET_WORKSHOP:

19
app/kube.py
View File

@@ -5,6 +5,15 @@ from kubernetes import client, config
OIDC_USERS_NAMESPACE = os.environ["OIDC_USERS_NAMESPACE"] OIDC_USERS_NAMESPACE = os.environ["OIDC_USERS_NAMESPACE"]
def groupsToFullName(groups) -> List[str]:
fullName: List[str] = []
for group in groups:
fullName.append(
group.get("prefix", "") + ":" + group.get("name", "")
)
return fullName
def users_with_group(requiredGroup: str) -> List[str]: def users_with_group(requiredGroup: str) -> List[str]:
config.load_incluster_config() config.load_incluster_config()
@@ -17,16 +26,14 @@ def users_with_group(requiredGroup: str) -> List[str]:
) )
for item in ret["items"]: for item in ret["items"]:
for group in item.get("status", {}).get("groups", []): for group in groupsToFullName(item.get("status", {}).get("groups", [])):
groupName = group.get("prefix", "") + ":" + group.get("name", "") if group == requiredGroup:
if groupName == requiredGroup:
users.append(item["metadata"]["name"]) users.append(item["metadata"]["name"])
continue continue
print(f"INFO: {len(users)} users in group {requiredGroup}") print(f"INFO: {len(users)} users in group {requiredGroup}")
return users return users
# -> (groups[], username) # -> (groups[], username)
def by_slackid(slack_id: str) -> Tuple[List[str], str]: def by_slackid(slack_id: str) -> Tuple[List[str], str]:
config.load_incluster_config() config.load_incluster_config()
@@ -37,8 +44,6 @@ def by_slackid(slack_id: str) -> Tuple[List[str], str]:
) )
for item in ret["items"]: for item in ret["items"]:
if slack_id == item.get("status", {}).get("slackId", None): if slack_id == item.get("status", {}).get("slackId", None):
return item.get("status", {}).get("groups", []), item.get( return groupsToFullName(item.get("status", {}).get("groups", [])), item.get("metadata", {}).get("name", "")
"metadata", {}
).get("name", "")
return [], "" return [], ""

43
app/slack.py
View File

@@ -64,7 +64,7 @@ async def slack_log_fwd(app, loop):
print(e) print(e)
def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]: def authz_withgroup(authzGroup, userGroups, user) -> Tuple[bool, str]:
if authzGroup not in userGroups: if authzGroup not in userGroups:
return False, f"You are not in {authzGroup}. k-space.ee/membership" return False, f"You are not in {authzGroup}. k-space.ee/membership"
@@ -74,28 +74,27 @@ def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]:
# -> approved, username # -> approved, username
# -> not approved, error message # -> not approved, error message
def slack_authz(user_id: str, channel_id: str, door: str) -> Tuple[bool, str]: def slack_authz(user_id: str, channel_id: str, door: str) -> Tuple[bool, str]:
if door in ["alldoors", "backdoor", "frontdoor", "grounddoor"]: # this mapping also duplicated to doorboy-proxy.py
if channel_id == SLACK_CHANNEL_ID: authGroup = ""
return True, "Anonymous #members user 🖕" match door:
case "alldoors" | "backdoor" | "frontdoor" | "grounddoor":
groups, user = kube.by_slackid(user_id) authGroup = "k-space:floor"
if "k-space:floor" not in groups: case "workshopdoor":
return ( authGroup = "k-space:workshop"
False, case _:
"No user with slack_id %s. Try in #members or doorboy.k-space.ee.",
)
return True, user
groups, user = kube.by_slackid(user_id)
if user == "":
return False, "No user with slack_id %s. Try doorboy.k-space.ee."
if door == "workshopdoor":
return authz_special("k-space:workshop", groups, user)
return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)" return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)"
groups, user = kube.by_slackid(user_id)
if user is None:
if authGroup == "k-space:floor":
if channel_id == SLACK_CHANNEL_ID:
return True, "🖕 #members user {user_id}"
return False, f"No user with slack_id {user_id}. Try in #members or doorboy.k-space.ee.",
else:
return False, f"No user with slack_id {user_id}. Try doorboy.k-space.ee."
return authz_withgroup(authGroup, groups, user)
@slack_app.route("/slack-open", methods=["POST"]) @slack_app.route("/slack-open", methods=["POST"])
async def slack_open(request): async def slack_open(request):
@@ -112,7 +111,7 @@ async def slack_open(request):
door, door,
) )
if not ok: if not ok:
return userOrErrorMsg, 403 return text(userOrErrorMsg)
doors = [door] doors = [door]
if door == "alldoors": if door == "alldoors":