slack /open-xxx from inventory-app

2025-08-08 05:15:29 +03:00
parent eeeb5ecace
commit f5cfb3454a
5 changed files with 125 additions and 11 deletions
--- a/app/slack.py
+++ b/app/slack.py
@@ -1,5 +1,8 @@
 import os
+from datetime import datetime
+from typing import Tuple

+import kube
 import requests
 from pymongo.errors import PyMongoError
 from requests.exceptions import RequestException
@@ -9,6 +12,10 @@ slack_app = Blueprint("slack", __name__)

 # webhook logs to private channel or "DEV" to print to console.
 SLACK_DOORLOG_CALLBACK = os.environ["SLACK_DOORLOG_CALLBACK"]
+# used to verify (deprecated) incoming requests from slack
+SLACK_VERIFICATION_TOKEN = os.environ["SLACK_VERIFICATION_TOKEN"]
+SLACK_CHANNEL_ID = os.environ["SLACK_CHANNEL_ID"]  # TODO:
+

 def slack_post(msg):
    if SLACK_DOORLOG_CALLBACK == "DEV":
@@ -29,7 +36,8 @@ def approvedStr(approved: bool) -> str:


 # consumes SLACK_DOORLOG_CALLBACK and app.ctx.db
-async def slack_log(app, loop):
+@slack_app.listener("after_server_start")
+async def slack_log_fwd(app, loop):
    pipeline = [
        {
            "$match": {
@@ -53,3 +61,76 @@ async def slack_log(app, loop):

        except PyMongoError as e:
            print(e)
+
+
+def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]:
+    if authzGroup not in userGroups:
+        return False, f"You are not in {authzGroup}. k-space.ee/membership"
+
+    return True, user
+
+
+# -> approved, username
+# -> not approved, error message
+def slack_authz(user_id: str, channel_id: str, door: str) -> Tuple[bool, str]:
+    if door in ["alldoors", "backdoor", "frontdoor", "grounddoor"]:
+        if channel_id == SLACK_CHANNEL_ID:
+            return True
+
+        groups, user = kube.by_slackid(user_id)
+        if "k-space:floor" not in groups:
+            return (
+                False,
+                "No user with slack_id %s. Try in #members or doorboy.k-space.ee.",
+            )
+
+        return True, user
+
+    groups, user = kube.by_slackid(user_id)
+    if user == "":
+        return False, "No user with slack_id %s. Try doorboy.k-space.ee."
+
+    if door == "workshopdoor":
+        return authz_special("k-space:workshop", groups, user)
+
+    return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)"
+
+
+@slack_app.route("/slack-open", methods=["POST"])
+async def slack_open(request):
+    if request.form.get("token") != SLACK_VERIFICATION_TOKEN:
+        return "Invalid token (are you Slack?)", 401
+
+    command = request.form.get("command")
+    door = command.removeprefix("/open-").replace("-", "")
+
+    # user may be empty if authzed to SLACK_CHANNEL_ID
+    ok, userOrErrorMsg = slack_authz(
+        request.form.get("user_id"),
+        request.form.get("channel_id"),
+        door,
+    )
+    if not ok:
+        return userOrErrorMsg, 403
+
+    doors = [door]
+    if door == "alldoors":
+        # outside non-special doors
+        doors = ["backdoor", "frontdoor", "grounddoor"]
+
+    for d in doors:
+        await request.app.ctx.db.eventlog.insert_one(
+            {
+                "component": "doorboy",
+                "method": "slack",
+                "timestamp": datetime.now(datetime.timezone.utc),
+                "door": d,
+                "approved": True,
+                "user": {
+                    "id": userOrErrorMsg,
+                    "name": request.form.get("user_name"),
+                },
+            }
+        )
+
+    return f"Opening {door}…"