8 changed files with 369 additions and 105 deletions
--- a/README.md
+++ b/README.md
@@ -34,3 +34,16 @@ docker-compose -f docker-compose.yml up --build
 On kdoorpi override `KDOORPI_API_ALLOWED`, `KDOORPI_API_LONGPOLL` environment variables
 to redirect requests to your dev instance.
 # Slack bot
 1. https://api.slack.com/apps → Create new app → From scratch
 1. Verification Token as `SLACK_VERIFICATION_TOKEN`
 1. App home → Bot user
  - `commands`
  - `users:read`
  <!-- `users:read_email` -->
  <!-- `channel:read` -->
  <!-- `groups:read` -->
  <!-- `incoming-webhook` -->
 1. Add commands. Request URL `https://doorboy-proxy.k-space.ee/slack-open`
 1. Incoming Webhooks → assign to channel -> Webhook URL as `SLACK_DOORLOG_CALLBACK`
--- a/app/doorboy-proxy.py
+++ b/app/doorboy-proxy.py
@@ -4,14 +4,13 @@ from datetime import date, datetime
 from functools import wraps
 from typing import List
 import kube
 from dateutil.parser import parse
 from motor.motor_asyncio import AsyncIOMotorClient
 from pymongo.errors import PyMongoError
 from sanic import Sanic
 from sanic.response import json, text
 from sanic_prometheus import monitor
 import kube
 from slack import slack_app
 app = Sanic(__name__)
@@ -53,6 +52,7 @@ def authenticate_door(wrapped):
    return decorator(wrapped)
 # Door controllers query uid_hashes for offline use. There is no online uid_hash authn/z, only logging.
@app.route("/allowed")
@authenticate_door
 async def view_doorboy_uids(request):
@@ -73,7 +73,7 @@ async def view_doorboy_uids(request):
        "inventory.owner.username": {"$in": users},
    }
    prj = {"token.uid_hash": True}
-    tokens = await app.ctx.db.inventory.find(flt, prj)
+    tokens = await request.app.ctx.db.inventory.find(flt, prj)
    print(f"delegating {len(tokens)} doorkey tokens")
    return json({"allowed_uids": tokens})
@@ -131,6 +131,7 @@ async def view_open_door_events(request):
    return json(transformed, default=datetime_to_json_formatting)
 # Door controllers listen for open events (web, slack).
@app.route("/longpoll", stream=True)
@authenticate_door
 async def view_longpoll(request):
@@ -144,7 +145,7 @@ async def view_longpoll(request):
        }
    ]
    try:
-        async with app.ctx.db.eventlog.watch(pipeline) as stream:
+        async with request.app.ctx.db.eventlog.watch(pipeline) as stream:
            await response.send("data: watch-stream-opened\n\n")
            async for event in stream:
                ev = event["fullDocument"]
@@ -160,7 +161,7 @@ async def view_longpoll(request):
        return
-# Called by the door to log a card swipe. Does not decide whether the door should be opened.
+# Door controller reporting a card swipe. No authn/z about the event (done offline on door controller), only logging.
@app.post("/swipe")
@authenticate_door
 async def swipe(request):
@@ -183,7 +184,7 @@ async def swipe(request):
    )
    # Update token, create if unknown
-    await app.ctx.db.inventory.update_one(
+    await request.app.ctx.db.inventory.update_one(
        {"component": "doorboy", "type": "token", "token.uid_hash": data["uid_hash"]},
        {
            "$set": {"last_seen": timestamp},
@@ -197,7 +198,7 @@ async def swipe(request):
        upsert=True,
    )
-    token = await app.ctx.db.inventory.find_one(
+    token = await request.app.ctx.db.inventory.find_one(
        {"component": "doorboy", "type": "token", "token.uid_hash": data["uid_hash"]}
    )
@@ -215,7 +216,7 @@ async def swipe(request):
        },
        "uid_hash": data["uid_hash"],
    }
-    await app.ctx.db.eventlog.insert_one(event_swipe)
+    await request.app.ctx.db.eventlog.insert_one(event_swipe)
    return text("ok")
--- a/app/kube.py
+++ b/app/kube.py
@@ -1,6 +1,7 @@
 from typing import List
 from kubernetes import client, config
 import os
 from typing import List, Tuple
 from kubernetes import client, config
 OIDC_USERS_NAMESPACE = os.getenv("OIDC_USERS_NAMESPACE")
@@ -22,3 +23,20 @@ def users_with_group(group: str) -> List[str]:
    print(f"INFO: {len(users)} users in group {group}")
    return users
 # -> (groups[], username)
 def by_slackid(slack_id: str) -> Tuple[List[str], str]:
    config.load_incluster_config()
    api_instance = client.CustomObjectsApi()
    ret = api_instance.list_namespaced_custom_object(
        "codemowers.cloud", "v1beta1", OIDC_USERS_NAMESPACE, "oidcusers"
    )
    for item in ret["items"]:
        if slack_id == item.get("status", {}).get("slackId", None):
            return item.get("status", {}).get("groups", []), item.get(
                "metadata", {}
            ).get("name", "")
    return [], ""
--- a/app/slack.py
+++ b/app/slack.py
@@ -1,5 +1,8 @@
 import os
 from datetime import datetime
 from typing import Tuple
 import kube
 import requests
 from pymongo.errors import PyMongoError
 from requests.exceptions import RequestException
@@ -9,6 +12,10 @@ slack_app = Blueprint("slack", __name__)
 # webhook logs to private channel or "DEV" to print to console.
 SLACK_DOORLOG_CALLBACK = os.environ["SLACK_DOORLOG_CALLBACK"]
 # used to verify (deprecated) incoming requests from slack
 SLACK_VERIFICATION_TOKEN = os.environ["SLACK_VERIFICATION_TOKEN"]
 SLACK_CHANNEL_ID = os.environ["SLACK_CHANNEL_ID"]  # TODO:
 def slack_post(msg):
    if SLACK_DOORLOG_CALLBACK == "DEV":
@@ -29,7 +36,8 @@ def approvedStr(approved: bool) -> str:
 # consumes SLACK_DOORLOG_CALLBACK and app.ctx.db
-async def slack_log(app, loop):
+@slack_app.listener("after_server_start")
 async def slack_log_fwd(app, loop):
    pipeline = [
        {
            "$match": {
@@ -53,3 +61,76 @@ async def slack_log(app, loop):
        except PyMongoError as e:
            print(e)
 def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]:
    if authzGroup not in userGroups:
        return False, f"You are not in {authzGroup}. k-space.ee/membership"
    return True, user
 # -> approved, username
 # -> not approved, error message
 def slack_authz(user_id: str, channel_id: str, door: str) -> Tuple[bool, str]:
    if door in ["alldoors", "backdoor", "frontdoor", "grounddoor"]:
        if channel_id == SLACK_CHANNEL_ID:
            return True
        groups, user = kube.by_slackid(user_id)
        if "k-space:floor" not in groups:
            return (
                False,
                "No user with slack_id %s. Try in #members or doorboy.k-space.ee.",
            )
        return True, user
    groups, user = kube.by_slackid(user_id)
    if user == "":
        return False, "No user with slack_id %s. Try doorboy.k-space.ee."
    if door == "workshopdoor":
        return authz_special("k-space:workshop", groups, user)
    return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)"
@slack_app.route("/slack-open", methods=["POST"])
 async def slack_open(request):
    if request.form.get("token") != SLACK_VERIFICATION_TOKEN:
        return "Invalid token (are you Slack?)", 401
    command = request.form.get("command")
    door = command.removeprefix("/open-").replace("-", "")
    # user may be empty if authzed to SLACK_CHANNEL_ID
    ok, userOrErrorMsg = slack_authz(
        request.form.get("user_id"),
        request.form.get("channel_id"),
        door,
    )
    if not ok:
        return userOrErrorMsg, 403
    doors = [door]
    if door == "alldoors":
        # outside non-special doors
        doors = ["backdoor", "frontdoor", "grounddoor"]
    for d in doors:
        await request.app.ctx.db.eventlog.insert_one(
            {
                "component": "doorboy",
                "method": "slack",
                "timestamp": datetime.now(datetime.timezone.utc),
                "door": d,
                "approved": True,
                "user": {
                    "id": userOrErrorMsg,
                    "name": request.form.get("user_name"),
                },
            }
        )
    return f"Opening {door}…"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,6 +26,7 @@ services:
      FLOOR_ACCESS_GROUP: "k-space:floor"
      WORKSHOP_ACCESS_GROUP: "k-space:workshop"
      SLACK_DOORLOG_CALLBACK: DEV
      SLACK_CHANNEL_ID: CDL9H8Q9W
    env_file: .env
    ports:
     - "5000:5000"