From c5d4f603e279ae9d6c15a41a9f925888abff05f6 Mon Sep 17 00:00:00 2001 From: rasmus Date: Thu, 11 Jun 2026 23:03:05 +0300 Subject: [PATCH] fix slack-kube auth 1. reorder slack auth methods 2. refactor + fix kube slack lookup --- app/doorboy-proxy.py | 2 ++ app/kube.py | 19 ++++++++++++------- app/slack.py | 39 +++++++++++++++++++-------------------- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/app/doorboy-proxy.py b/app/doorboy-proxy.py index 4dc450a..b957cd9 100755 --- a/app/doorboy-proxy.py +++ b/app/doorboy-proxy.py @@ -171,6 +171,8 @@ async def swipe(request): key = request.headers.get("KEY") data = request.json doors = set() + + # this mapping also duplicated to slack.py if key == DOORBOY_SECRET_FLOOR: doors.update(["backdoor", "frontdoor", "grounddoor"]) if key == DOORBOY_SECRET_WORKSHOP: diff --git a/app/kube.py b/app/kube.py index 25464f6..ea02b3f 100644 --- a/app/kube.py +++ b/app/kube.py @@ -5,6 +5,15 @@ from kubernetes import client, config OIDC_USERS_NAMESPACE = os.environ["OIDC_USERS_NAMESPACE"] +def groupsToFullName(groups) -> List[str]: + fullName: List[str] = [] + + for group in groups: + fullName.append( + group.get("prefix", "") + ":" + group.get("name", "") + ) + + return fullName def users_with_group(requiredGroup: str) -> List[str]: config.load_incluster_config() @@ -17,16 +26,14 @@ def users_with_group(requiredGroup: str) -> List[str]: ) for item in ret["items"]: - for group in item.get("status", {}).get("groups", []): - groupName = group.get("prefix", "") + ":" + group.get("name", "") - if groupName == requiredGroup: + for group in groupsToFullName(item.get("status", {}).get("groups", [])): + if group == requiredGroup: users.append(item["metadata"]["name"]) continue print(f"INFO: {len(users)} users in group {requiredGroup}") return users - # -> (groups[], username) def by_slackid(slack_id: str) -> Tuple[List[str], str]: config.load_incluster_config() 
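Review bot: The new comment records that the door→secret mapping in swipe() is duplicated in slack.py, but a comment does not keep the two copies in sync; pulling the mapping into one shared constant (a dict of door name → required group/secret imported by both modules) would remove the drift the comment itself warns about. Separately, the surrounding context lines compare the untrusted `KEY` request header against DOORBOY_SECRET_FLOOR and DOORBOY_SECRET_WORKSHOP with `==`; for a shared secret a constant-time comparison is the usual choice, e.g. `if hmac.compare_digest(key or "", DOORBOY_SECRET_FLOOR):` (the `or ""` covers a missing header, and `import hmac` is not visible in this hunk). swipe() starts and ends outside the hunk.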
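Review bot: groupsToFullName has no docstring and is camelCase where the rest of this module (users_with_group, by_slackid) is snake_case, and its manual append loop reads more clearly as a comprehension. Suggested body: `"""Return 'prefix:name' for each group dict; a missing key renders as empty."""` followed by `return [g.get("prefix", "") + ":" + g.get("name", "") for g in groups]`, which also documents that an entry without a prefix yields ":name" and so can never match a "prefix:name" requiredGroup. If status.groups can be present but null in the CRD (not visible here), the call sites' `.get("groups", [])` hand this function None and the loop raises TypeError; iterating `groups or []` would cover that at no cost.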
@@ -37,8 +44,6 @@ def by_slackid(slack_id: str) -> Tuple[List[str], str]: ) for item in ret["items"]: if slack_id == item.get("status", {}).get("slackId", None): - return item.get("status", {}).get("groups", []), item.get( - "metadata", {} - ).get("name", "") + return groupsToFullName(item.get("status", {}).get("groups", [])), item.get("metadata", {}).get("name", "") return [], "" diff --git a/app/slack.py b/app/slack.py index e6ace0e..d948e8a 100644 --- a/app/slack.py +++ b/app/slack.py @@ -64,7 +64,7 @@ async def slack_log_fwd(app, loop): print(e) -def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]: +def authz_withgroup(authzGroup, userGroups, user) -> Tuple[bool, str]: if authzGroup not in userGroups: return False, f"You are not in {authzGroup}. k-space.ee/membership" 
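Review bot: by_slackid still signals "not found" by returning `[], ""`, which is indistinguishable from a matched user whose metadata.name is empty, and every caller has to remember that exact sentinel (the new slack.py code appears to test for None instead, so the miss is not detected there). Returning `None` on a miss, with the annotation `-> Optional[Tuple[List[str], str]]` (Optional from typing, import not visible here), makes the miss explicit and lets an `is None` check actually fire. The loop also returns on the first item whose status.slackId matches; if that field can be written from the user side (not visible in this diff), two objects carrying the same slackId would let one account inherit the other's groups, so refusing an ambiguous match is the safer shape than taking the first. The `# -> (groups[], username)` comment above the function should now say the groups are "prefix:name" strings.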
@@ -74,28 +74,27 @@ def authz_special(authzGroup, userGroups, user) -> Tuple[bool, str]: # -> approved, username # -> not approved, error message def slack_authz(user_id: str, channel_id: str, door: str) -> Tuple[bool, str]: - if door in ["alldoors", "backdoor", "frontdoor", "grounddoor"]: - if channel_id == SLACK_CHANNEL_ID: - return True, "Anonymous #members user 🖕" - - groups, user = kube.by_slackid(user_id) - if "k-space:floor" not in groups: - return ( - False, - "No user with slack_id %s. Try in #members or doorboy.k-space.ee.", - ) - - return True, user + # this mapping also duplicated to doorboy-proxy.py + authGroup = "" + match door: + case "alldoors" | "backdoor" | "frontdoor" | "grounddoor": + authGroup = "k-space:floor" + case "workshopdoor": + authGroup = "k-space:workshop" + case _: + return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)" groups, user = kube.by_slackid(user_id) - if user == "": - return False, "No user with slack_id %s. Try doorboy.k-space.ee." + if user is None: + if authGroup == "k-space:floor": + if channel_id == SLACK_CHANNEL_ID: + return True, "🖕 #members user {user_id}" - if door == "workshopdoor": - return authz_special("k-space:workshop", groups, user) - - return False, "Invalid door (git.k-space.ee/k-space/doorboy-proxy)" + return False, f"No user with slack_id {user_id}. Try in #members or doorboy.k-space.ee.", + else: + return False, f"No user with slack_id {user_id}. Try doorboy.k-space.ee." + return authz_withgroup(authGroup, groups, user) @slack_app.route("/slack-open", methods=["POST"]) async def slack_open(request): @@ -112,7 +111,7 @@ async def slack_open(request): door, ) if not ok: - return userOrErrorMsg, 403 + return text(userOrErrorMsg) doors = [door] if door == "alldoors":
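Review bot: The `if user is None:` branch in slack_authz can never run, because kube.by_slackid returns `[], ""` (not None) when no user carries the slack id; an unknown Slack user therefore falls through to authz_withgroup with empty groups and receives "You are not in k-space:floor" instead of the intended "No user with slack_id" reply, and the #members-channel path for floor doors is dead code. Test the sentinel the callee actually returns, `if not user:`, or change by_slackid to return None. The reply `"🖕 #members user {user_id}"` is not an f-string, so the braces are emitted literally; it should be `f"🖕 #members user {user_id}"`. The `return False, f"No user with slack_id {user_id}. Try in #members or doorboy.k-space.ee.",` line carries a stray trailing comma that happens to still build a 2-tuple but should be dropped. Note that once fixed, this path grants floor-door access on channel membership alone with no Kubernetes user lookup; if that is intended, say so in a comment next to the channel check.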
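Review bot: Replacing `return userOrErrorMsg, 403` with `return text(userOrErrorMsg)` turns every authorization denial into an HTTP 200, so anything that watched for 4xx from this endpoint (access logs, alerting) no longer sees a denial. Returning 200 with a text body is the usual way to have Slack show the message to the user, so the status change may be deliberate, but the denial should then be recorded explicitly before returning, e.g. `print(f"WARN: door {door} denied: {userOrErrorMsg}")`, matching how the module already reports via print(). `text` must come from the web framework's response module; that import is not visible in this hunk. slack_open starts outside the hunk.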