Role Based Access Control for Slack-Bolt applications
Project description
Role Based Access Control for Slack-Bolt Apps
Role Based Access Control (RBAC) is a term applied to limiting the authorization for a specific operation based on the association of a User to a "role". For example:
As an application developer, I want to ensure that only specific Users in a
given User-Group are allowed to execute the "bounce port" command.
The Slack Platform does not natively support the concept of "User Groups", but it does support the standard protcol: System for Cross-domain Identity Management (SCIM). A method for implemeting RBAC in Slack can be accomlished using the Slack SCIM API feature. For example:
As an IT administrator of Okta, I will create SCIM groups that will designate
the specific RBAC User-Groups I want to use in Slack.
This slack-scim-rbac
repository provides a Slack-Bolt middleware class.
As a developer using the SCIM protocol, you must obtain a SCIM Token from your Slack
administrator and export the environment variable SLACK_SCIM_TOKEN
.
The following code snippet is take from the example. In this example the User that entered the "bounce port" message must be a member of the SCIM group "ChatOps-foo". If they are not, then an error message is reported to the User.
from slack_scim_rbac.middleware import AsyncSlackScimRBAC
@app.message(
re.compile("bounce port", re.I),
middleware=[AsyncSlackScimRBAC(groups={"ChatOps-foo"})],
)
async def app_bounce_port(request: BoltRequest, context: BoltContext, say: Say):
await say(f"bouncing port for you <@{context.user_id}> ... standby")
Customizing the Error Response
As a developer you will want to customize the error response to the User.
There are two ways to do this. The first way is to provide an error_response
function to middleware addition. For example this code will trigger a Modal
when the User triggers the /rbacker
command that contains the text "bounce
port" when they are not part of the "ChatOps-nofuzz" SCIM group.
async def is_bounce_port_command(command: dict):
return "bounce port" in command["text"]
async def modal_no_you_cant(client: AsyncWebClient, body: dict, context: AsyncBoltContext):
msg = f"Nope! Sorry <@{context.user_id}> but you cannot do that!"
view = View(title="Permission Denied!", type="modal", close="Bummer")
view.blocks = [SectionBlock(text=MarkdownTextObject(text=msg))]
await client.views_open(trigger_id=body["trigger_id"], view=view)
@app.command(
command="/rbacker",
matchers=[is_bounce_port_command],
middleware=[
AsyncSlackScimRBAC(
app_name=app.name,
groups={"ChatOps-nofuzz"},
error_response=modal_no_you_cant,
)
],
)
async def slash_rbacker_bounce_port(ack: Ack, say: Say, context: Context):
await ack()
await say(
f"Already then, <@{context.user_id}>, let's get to bouncing that port for ya!"
)
The other approach is to sub-class the AsyncSlackScimRBAC
class and
overriding the error_response
method.
Customizing the RBAC Validation Process
By default the validate process checks the Slack User groups (name) membership
in any of the required group names. You can override this behavior (for
example if you have a default "admin" group that you want to always allow but
not require in each listener declaration) by sub-classing AsyncSlackScimRBAC
and overriding the is_member
method.
Limitations
This slack-scim-rbac
repository implements middleware for asyncio mode only.
A sync implementation should be straightforward, but has not been done since it
is not what I needed. If you do, please open an issue (or a PR). Thanks!
Resources
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file slack-scim-rbac-0.1.0.tar.gz
.
File metadata
- Download URL: slack-scim-rbac-0.1.0.tar.gz
- Upload date:
- Size: 8.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.6 CPython/3.8.8 Darwin/19.6.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f6cc1be0023ce169bd4ee5f0a1040969a1868b5f8eea25b9807e24e93ea033bc |
|
MD5 | 673c2a5eba66eda8a1417a6c7fa983a0 |
|
BLAKE2b-256 | cc8cd16d2aab1b9ffe2553fe35e6e5224868b091fa75687b29e5ada716b347dc |
File details
Details for the file slack_scim_rbac-0.1.0-py3-none-any.whl
.
File metadata
- Download URL: slack_scim_rbac-0.1.0-py3-none-any.whl
- Upload date:
- Size: 8.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.6 CPython/3.8.8 Darwin/19.6.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2cc99f4547a8fd20b21c52f617625403f6e1073fe3238d428453ea7e3384d35a |
|
MD5 | cb6a97885bdf8cf0b22cbd47dba06fbc |
|
BLAKE2b-256 | a37d9b6f3ce0840c5fe7deb75c10a94aebaa970d227cb2b64c1e6cc2445815c2 |