banacle 0.1.1

data/lib/banacle/interactive_message/renderer.rb

@@ -0,0 +1,138 @@
+require 'banacle/slack'
+require 'banacle/slash_command/command'
+
+module Banacle
+  module InteractiveMessage
+    class Renderer
+      def self.render(params, command)
+        new(params, command).render
+      end
+
+      def initialize(params, command)
+        @params = params
+        @command = command
+      end
+
+      attr_reader :params, :command
+
+      def render
+        payload = JSON.parse(params["payload"], symbolize_names: true)
+        action = Slack::Action.new(payload[:actions].first)
+
+        if action.approved?
+          render_approved_message(payload, command)
+        elsif action.rejected?
+          render_rejected_message(payload, command)
+        elsif action.cancelled?
+          render_cancelled_message(payload, command)
+        else
+          # Do nothing
+        end
+      end
+
+      protected
+
+      # override
+      def authenticated_user?
+        true
+      end
+
+      private
+
+      def render_approved_message(payload, command)
+        unless valid_approver?
+          return render_error("you cannot approve the request by yourself")
+        end
+
+        if authenticated_user?
+          result = command.execute
+
+          text = original_message_text
+          text += ":white_check_mark: *<@#{actioner_id}> approved this request*\n"
+          text += "Result:\n"
+          text += "```\n"
+          text += result
+          text += "```"
+
+          render_replacing_message(text)
+        else
+          render_error("you are not permitted to approve the request")
+        end
+      end
+
+      def render_rejected_message(payload, command)
+        unless valid_rejector?
+          return render_error("you cannot reject the request by yourself")
+        end
+
+        if authenticated_user?
+          text = original_message_text
+          text += ":no_entry_sign: *<@#{actioner_id}> rejected this request*"
+
+          render_replacing_message(text)
+        else
+          render_error("you are not permitted to reject the request")
+        end
+      end
+
+      def render_cancelled_message(payload, command)
+        unless valid_canceller?
+          return render_error("you cannot cancel the request by other than the requester")
+        end
+
+        text = original_message_text
+        text += "\nThe request was cancelled."
+
+        render_replacing_message(text)
+      end
+
+      def render_replacing_message(text)
+        Slack::Response.new(
+          response_type: "in_channel",
+          replace_original: true,
+          text: text,
+        ).to_json
+      end
+
+      def render_error(error)
+        Slack::Response.new(
+          response_type: "ephemeral",
+          replace_original: false,
+          text: "An error occurred: #{error}",
+        ).to_json
+      end
+
+      def valid_approver?
+        ENV['BANACLE_SKIP_VALIDATION'] || !self_actioned?
+      end
+
+      def valid_rejector?
+        ENV['BANACLE_SKIP_VALIDATION'] || !self_actioned?
+      end
+
+      def valid_canceller?
+        ENV['BANACLE_SKIP_VALIDATION'] || self_actioned?
+      end
+
+      def self_actioned?
+        requester_id == actioner_id
+      end
+
+      def requester_id
+        original_message_text.match(/\A<@([^>]+)>/)[1]
+      end
+
+      def actioner_id
+        payload[:user][:id]
+      end
+
+      def original_message_text
+        payload[:original_message][:text]
+      end
+
+      def payload
+        @payload ||= JSON.parse(params["payload"], symbolize_names: true)
+      end
+    end
+  end
+end

data/lib/banacle/slack.rb

@@ -0,0 +1,191 @@
+module Banacle
+  module Slack
+    Response = Struct.new(:response_type, :replace_original, :text, :attachments, keyword_init: true) do
+      class ValidationError < StandardError; end
+
+      def initialize(*args)
+        super
+        self.set_default!
+        self.validate!
+        self
+      end
+
+      def set_default!
+        self.response_type ||= "in_channel"
+        self.replace_original = true if self.replace_original.nil?
+        self.text ||= ""
+        self.attachments ||= []
+      end
+
+      def validate!
+        unless self.replace_original.is_a?(TrueClass) || self.replace_original.is_a?(FalseClass)
+          raise ValidationError.new("replace_original must be TrueClass or FalseClass")
+        end
+
+        %i(response_type text).each do |label|
+          unless self.send(label).is_a?(String)
+            raise ValidationError.new("#{attr} must be String")
+          end
+        end
+
+        attachments.each do |a|
+          unless a.is_a?(Slack::Attachment)
+            raise ValidationError.new("One of attachments #{a.inspect} must be Slack::Attachment")
+          end
+        end
+      end
+
+      def as_json
+        self.to_h.tap { |h| h[:attachments] = h[:attachments].map(&:as_json) }
+      end
+
+      def to_json
+        as_json.to_json
+      end
+    end
+
+    Attachment = Struct.new(:text, :fallback, :callback_id, :color, \
+                            :attachment_type, :actions, keyword_init: true) do
+      class ValidationError < StandardError; end
+
+      def initialize(*args)
+        super
+        self.set_default!
+        self.validate!
+        self
+      end
+
+      def set_default!
+        self.text ||= ''
+        self.fallback ||= ''
+        self.callback_id ||= ''
+        self.color ||= ''
+        self.attachment_type ||= ''
+        self.actions ||= []
+      end
+
+      def validate!
+        %i(text fallback callback_id color attachment_type).each do |label|
+          unless self.send(label).is_a?(String)
+            raise ValidationError.new("#{attr} must be String")
+          end
+        end
+
+        self.actions.each do |a|
+          unless a.is_a?(Slack::Action)
+            raise ValidationError.new("One of actions #{a.inspect} must be Slack::Action")
+          end
+        end
+      end
+
+      def as_json
+        self.to_h.tap { |h| h[:actions] = h[:actions].map(&:as_json) }
+      end
+    end
+
+    Action = Struct.new(:name, :text, :style, :type, :value, :confirm, keyword_init: true) do
+      class ValidationError < StandardError; end
+
+      def self.approve_button
+        self.build_button('approve', style: 'primary', confirm: Confirm.approve)
+      end
+
+      def self.reject_button
+        self.build_button('reject', style: 'danger')
+      end
+
+      def self.cancel_button
+        self.build_button('cancel')
+      end
+
+      def self.build_button(value, style: 'default', confirm: nil)
+        self.build(value, style, 'button', confirm)
+      end
+
+      def self.build(value, style, type, confirm)
+        self.new(name: value, text: value.capitalize, style: style, type: type, value: value, confirm: confirm)
+      end
+
+      def initialize(*args)
+        super
+        self.set_default!
+        self.validate!
+        self
+      end
+
+      def set_default!
+        self.name ||= ''
+        self.text ||= ''
+        self.style ||= ''
+        self.type ||= ''
+        self.value ||= ''
+      end
+
+      def validate!
+        %i(name text style type value).each do |label|
+          unless self.send(label).is_a?(String)
+            raise ValidationError.new("#{attr} must be String")
+          end
+        end
+
+        if self.confirm && !self.confirm.is_a?(Confirm)
+          raise ValidationError.new("confirm must be Slack::Confirm")
+        end
+      end
+
+      def approved?
+        self.value == 'approve'
+      end
+
+      def rejected?
+        self.value == 'reject'
+      end
+
+      def cancelled?
+        self.value == 'cancel'
+      end
+
+      def as_json
+        self.to_h.tap do |h|
+          if h[:confirm]
+            h[:confirm] = h[:confirm].as_json
+          else
+            h.delete(:confirm)
+          end
+        end
+      end
+    end
+
+    Confirm = Struct.new(:title, :text, :ok_text, :dismiss_text, keyword_init: true) do
+      def self.approve
+        self.new(text: 'The operation will be performed immediately.')
+      end
+
+      def initialize(*args)
+        super
+        self.set_default!
+        self.validate!
+        self
+      end
+
+      def set_default!
+        self.title ||= 'Are you sure?'
+        self.text ||= ''
+        self.ok_text ||= 'Yes'
+        self.dismiss_text ||= 'No'
+      end
+
+      def validate!
+        %i(title text ok_text dismiss_text).each do |label|
+          unless self.send(label).is_a?(String)
+            raise ValidationError.new("#{attr} must be String")
+          end
+        end
+      end
+
+      def as_json
+        self.to_h
+      end
+    end
+  end
+end

data/lib/banacle/slack_validator.rb

@@ -0,0 +1,32 @@
+require 'base64'
+require 'openssl'
+
+module Banacle
+  class SlackValidator
+    SLACK_SIGNING_SECRET_VERSION = 'v0'.freeze
+
+    def self.valid_signature?(request)
+      new.valid_signature?(request)
+    end
+
+    def valid_signature?(request)
+      body = request.env["rack.request.form_vars"]
+      slack_signature = request.env["HTTP_X_SLACK_SIGNATURE"]
+      slack_timestamp = request.env["HTTP_X_SLACK_REQUEST_TIMESTAMP"]
+
+      # https://api.slack.com/docs/verifying-requests-from-slack#verification_token_deprecation
+      if (slack_timestamp.to_i - Time.now.to_i).abs > 60 * 5
+        return false
+      end
+
+      sig_basestring = "#{SLACK_SIGNING_SECRET_VERSION}:#{slack_timestamp}:#{body}"
+      digest = OpenSSL::HMAC.hexdigest("SHA256", signing_secret, sig_basestring)
+
+      slack_signature == "#{SLACK_SIGNING_SECRET_VERSION}=#{digest}"
+    end
+
+    def signing_secret
+      ENV.fetch('BANACLE_SLACK_SIGNING_SECRET')
+    end
+  end
+end

data/lib/banacle/slash_command/builder.rb

@@ -0,0 +1,100 @@
+require 'ipaddr'
+
+require 'banacle/aws_wrapper/vpc'
+require 'banacle/slash_command/error'
+require 'banacle/slash_command/command'
+
+module Banacle
+  module SlashCommand
+    class Builder
+      class InvalidActionError < Error; end
+      class InvalidRegionError < Error; end
+      class InvalidVpcError < Error; end
+      class InvalidCidrBlockError < Error; end
+
+      def self.build(action:, region:, vpc_id_or_name:, cidr_blocks:)
+        new(action: action, region: region, vpc_id_or_name: vpc_id_or_name, cidr_blocks: cidr_blocks).build
+      end
+
+      def initialize(action:, region:, vpc_id_or_name:, cidr_blocks:)
+        @action = action
+        @region = region
+        @vpc_id_or_name = vpc_id_or_name
+        @cidr_blocks = cidr_blocks
+      end
+
+      attr_reader :action, :region, :vpc_id_or_name, :cidr_blocks
+      attr_accessor :vpc_id
+
+      def build
+        validate!
+        set_vpc_id!
+        normalize_cidr_blocks!
+
+        Command.new(action: action, region: region, vpc_id: vpc_id, cidr_blocks: cidr_blocks)
+      end
+
+      def validate!
+        validate_action!
+        validate_region!
+        validate_vpc_id_or_name!
+        validate_cidr_blocks!
+      end
+
+      def validate_action!
+        if !action || action.empty?
+          raise InvalidActionError.new("action is required")
+        end
+
+        unless Command::PERMITTED_ACTIONS.include?(action)
+          raise InvalidActionError.new("permitted actions are: (#{Command::PERMITTED_ACTIONS.join("|")})")
+        end
+      end
+
+      def validate_region!
+        if !region || region.empty?
+          raise InvalidRegionError.new("region is required")
+        end
+      end
+
+      def validate_vpc_id_or_name!
+        unless vpc_id_or_name
+          raise InvalidVpcError.new("vpc_id or vpc_name is required with #{action} action")
+        end
+      end
+
+      def validate_cidr_blocks!
+        if !cidr_blocks || cidr_blocks.empty?
+          raise InvalidVpcError.new("at least one cidr_block is required with #{action} action")
+        end
+
+        cidr_blocks.each do |cidr_block|
+          begin
+            IPAddr.new(cidr_block)
+          rescue IPAddr::InvalidAddressError
+            raise InvalidCidrBlockError.new("#{cidr_block} is invalid address")
+          end
+        end
+      end
+
+      def set_vpc_id!
+        begin
+          self.vpc_id = AwsWrapper::Vpc.resolve_vpc_id(region, vpc_id_or_name)
+        rescue AwsWrapper::Vpc::InvalidRegionError
+          raise InvalidRegionError.new("specified region: #{region} is invalid")
+        end
+
+        unless vpc_id
+          raise InvalidVpcError.new("specified vpc: #{vpc_id_or_name} in #{region} not found")
+        end
+      end
+
+      def normalize_cidr_blocks!
+        cidr_blocks.map! do |c|
+          ip = IPAddr.new(c)
+          "#{ip}/#{ip.prefix}"
+        end
+      end
+    end
+  end
+end

data/lib/banacle/slash_command/command.rb

@@ -0,0 +1,75 @@
+require 'banacle/aws_wrapper/nacl'
+require 'banacle/aws_wrapper/vpc'
+
+module Banacle
+  module SlashCommand
+    class Command
+      CREATE_ACTION = 'create'.freeze
+      DELETE_ACTION = 'delete'.freeze
+
+      PERMITTED_ACTIONS = [CREATE_ACTION, DELETE_ACTION].freeze
+
+      def initialize(action:, region:, vpc_id:, cidr_blocks:)
+        @action = action
+        @region = region
+        @vpc_id = vpc_id
+        @cidr_blocks = cidr_blocks
+      end
+
+      attr_reader :action, :region, :vpc_id, :cidr_blocks
+
+      def execute
+        case action
+        when CREATE_ACTION
+          create_nacl
+        when DELETE_ACTION
+          delete_nacl
+        else
+          # Do nothing
+        end
+      end
+
+      def to_h
+        {
+          action: action,
+          region: region,
+          vpc_id: vpc_id,
+          cidr_blocks: cidr_blocks,
+        }
+      end
+
+      private
+
+      def create_nacl
+        results = AwsWrapper::Nacl.create_network_acl_ingress_entries(
+          region: region,
+          vpc_id: vpc_id,
+          cidr_blocks: cidr_blocks,
+        )
+
+        format_results(results)
+      end
+
+      def delete_nacl
+        results = AwsWrapper::Nacl.delete_network_acl_entries(
+          region: region,
+          vpc_id: vpc_id,
+          cidr_blocks: cidr_blocks,
+        )
+
+        format_results(results)
+      end
+
+      def format_results(results)
+        results.map do |cidr_block, result|
+          t = "#{action} DENY #{cidr_block} => "
+          if result.status
+            t += "succeeded"
+          else
+            t += "error: #{result.error}"
+          end
+        end.join("\n")
+      end
+    end
+  end
+end

data/lib/banacle/slash_command/error.rb

@@ -0,0 +1,6 @@
+module Banacle
+  module SlashCommand
+    class Error < StandardError
+    end
+  end
+end

data/lib/banacle/slash_command/parser.rb

@@ -0,0 +1,42 @@
+require 'banacle/slash_command/error'
+require 'banacle/slash_command/builder'
+
+module Banacle
+  module SlashCommand
+    class Parser
+      class ParseError < Error; end
+
+      def self.parse(text)
+        new.parse(text)
+      end
+
+      #
+      # /banacle (create|delete) [region] [vpc_id or vpc_name] [cidr_block1,cidr_block2,...]
+      #
+      def parse(text)
+        elems = text.split(" ")
+        action, region, vpc_id_or_name, cidr_blocks_str = elems
+
+        unless action
+          raise ParseError.new("action is required")
+        end
+
+        unless region
+          raise ParseError.new("region is required")
+        end
+
+        cidr_blocks = []
+        if cidr_blocks_str
+          cidr_blocks = cidr_blocks_str.split(",")
+        end
+
+        SlashCommand::Builder.build(
+          action: action,
+          region: region,
+          vpc_id_or_name: vpc_id_or_name,
+          cidr_blocks: cidr_blocks,
+        )
+      end
+    end
+  end
+end

data/lib/banacle/slash_command/renderer.rb

@@ -0,0 +1,56 @@
+require 'banacle/slack'
+require 'banacle/slash_command/builder'
+require 'banacle/slash_command/command'
+
+module Banacle
+  module SlashCommand
+    class Renderer
+      def self.render(params, command)
+        new.render(params, command)
+      end
+
+      def self.render_error(error)
+        new.render_error(error)
+      end
+
+      def render(params, command)
+        render_approval_request(params, command)
+      end
+
+      def render_error(error)
+        Slack::Response.new(
+          response_type: "ephemeral",
+          text: "An error occurred: #{error}",
+        ).to_json
+      end
+
+      def render_approval_request(params, command)
+        text = <<-EOS
+<@#{params["user_id"]}> wants to *#{command.action} NACL DENY entry* under the following conditions:
+```
+#{JSON.pretty_generate(command.to_h)}
+```
+        EOS
+
+        Slack::Response.new(
+          response_type: "in_channel",
+          text: text,
+          attachments: [
+            Slack::Attachment.new(
+              text: "*Approval Request*",
+              fallback: "TBD",
+              callback_id: "banacle_approval_request",
+              color: "#3AA3E3",
+              attachment_type: "default",
+              actions: [
+                Slack::Action.approve_button,
+                Slack::Action.reject_button,
+                Slack::Action.cancel_button,
+              ]
+            ),
+          ],
+        ).to_json
+      end
+    end
+  end
+end

data/lib/banacle/version.rb

@@ -0,0 +1,3 @@
+module Banacle
+  VERSION = "0.1.1"
+end

data/lib/banacle.rb

@@ -0,0 +1,2 @@
+require "banacle/version"
+require "banacle/app"