banacle 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac8dd15ec8a0ac5c80b7063b7aa35eb3234112814a895cd7978d74aca0b02523
-  data.tar.gz: 60225cc4f11757f0c5dc69cb2560bfbf6489c9c9ecb5b66a89a04ba9fcbe3dd2
+  metadata.gz: eefa4ead64f9bdf4ed0db630e7f916f57d59a4910de1f8170f7a5d9ebedde89f
+  data.tar.gz: e84912019edc3da37cd5d28d58e1371d12ae35fa9dd749e7d479b66c0d6e7506
 SHA512:
-  metadata.gz: 50e850965e6310789a4afb79631c16a89b29d1eba9bf20332317354f468a5ce86431047ad6804d19d85253208bb781744e49f00630b27c2a74b812e10fd10ebe
-  data.tar.gz: 3abe80594a93b4a4a1d9bdeadd28d82516d6df16f62e2bdaab10e30b320538ef137e05a56e51292fe90d1eb5878da46dc3908353fbc7fce0ef49f7de0d3c3dc7
+  metadata.gz: 148fee60c884547dbefd99baaef7866856fe93f4969100618c33fa6ee04093db0a96fd7403f70b154131db36b6766a3233ef38e78377ec39b8cfdcf5a882e933
+  data.tar.gz: 6da6d0fc243a28188f6b3d6fd1f7732d3b0c61c4ad48e9f0b8d46938809d25616e00db751bd92df3054f3681ea00f41b08a0d1d8b957b3c0bfda7d3c1399d7d3

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    banacle (0.2.0)
+    banacle (0.2.1)
       aws-sdk-ec2
       sinatra
       unicorn

data/README.md

@@ -27,7 +27,11 @@ Banacle is supposed to be run as a Sinatra server. You can run it simply by `rac
 - `/slack/command`: handle Slash Command
 - `/slack/message`: handle Interactive Message
 
-### Example: ban 1.2.3.4 from my VPC
+### Customize authentication
+You can customize Banacle by using request handler modules.
+See example directory which implements a customized authentication feature for details.
+
+## Example: ban 1.2.3.4 from my VPC
 
 Execute an command that create a DENY NACL entry for 1.2.3.4 on a VPC named "test" in ap-northeast-1.
 

data/config.ru

@@ -1,3 +1,7 @@
 require 'banacle'
 
-run Banacle::App
+config = Banacle::Config.new(
+  slack_signing_secret: ENV.fetch('BANACLE_SLACK_SIGNING_SECRET'),
+)
+
+run Banacle.app(config)

data/example/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    banacle (0.1.2)
+    banacle (0.2.1)
       aws-sdk-ec2
       sinatra
       unicorn

data/example/README.md

@@ -0,0 +1,6 @@
+## Usage
+
+```
+$ bundle install
+$ bundle exec rackup
+```

data/example/config.ru

@@ -1,62 +1,26 @@
-require 'sinatra/base'
-require 'banacle/authenticator'
+require 'banacle'
 require 'banacle/slash_command/handler'
 require 'banacle/interactive_message/handler'
 
-class App < Sinatra::Base
-  include Banacle
-
-  helpers do
-    def command_handler
-      @command_handler ||= SlashCommand::Handler.new.tap do |h|
-        h.set_authenticator!(CommandAuthenticator.new)
-        h
-      end
-    end
-
-    def message_handler
-      @message_handler ||= InteractiveMessage::Handler.new.tap do |h|
-        h.set_authenticator!(MessageAuthenticator.new)
-        h
-      end
-    end
-  end
-
-  post '/slack/command' do
-    content_type :json
-    command_handler.handle(request)
-  end
-
-  post '/slack/message' do
-    content_type :json
-    message_handler.handle(request)
-  end
-end
-
-class CommandAuthenticator < Banacle::Authenticator
-  def authenticate(request)
-    params = request.params
-
-    team_id = params["team_id"]
-    # user_id = params["user_id"]
-
-    if team_id != "T0XXXXXXX"
-      return false
+class CommandAuthenticator < Banacle::SlashCommand::Authenticator
+  def authenticate_requester!(request)
+    super
+    if request.user_id != "U0XXXXXXX"
+      raise NotAuthenticatedError.new("You are not authorized to perform this command")
     end
-
-    true
-  end
-end
-
-class MessageAuthenticator < Banacle::Authenticator
-  attr_reader :request
-  def authenticate(request)
-    payload = JSON.parse(request.params["payload"])
-    # team_id = payload["team"]["id"]
-    # user_id = payload["user"]["id"]
-
-    true
   end
 end
 
-run App
+config = Banacle::Config.new(
+  slack_signing_secret: ENV.fetch('BANACLE_SLACK_SIGNING_SECRET'),
+  slash_command: {
+    authenticator: CommandAuthenticator,
+  },
+  approval_request: {
+    attachment: {
+      text: "*Approval Request* (can be approved by only SRE members except the requester)",
+    },
+  },
+)
+
+run Banacle.app(config)

data/lib/banacle.rb

@@ -1,2 +1,3 @@
-require "banacle/version"
 require "banacle/app"
+require "banacle/config"
+require "banacle/version"

data/lib/banacle/app.rb

@@ -1,21 +1,49 @@
 require 'sinatra/base'
-require 'sinatra/reloader'
 require 'banacle/slash_command/handler'
 require 'banacle/interactive_message/handler'
 
 module Banacle
+  def self.app(*args)
+    App.rack(*args)
+  end
+
   class App < Sinatra::Base
-    configure :development do
-      register Sinatra::Reloader
+    CONTEXT_RACK_ENV_NAME = 'banacle.ctx'
+
+    def self.rack(config={})
+      klass = App
+
+      context = initialize_context(config)
+      lambda { |env|
+        env[CONTEXT_RACK_ENV_NAME] = context
+        klass.call(env)
+      }
+    end
+
+    def self.initialize_context(config)
+      {
+        config: config,
+      }
     end
 
     helpers do
+      def context
+        request.env[CONTEXT_RACK_ENV_NAME]
+      end
+
+      def config
+        context[:config]
+      end
+
       def command_handler
-        @command_handler ||= SlashCommand::Handler.new
+        @command_handler ||= SlashCommand::Handler.new(config)
       end
 
       def message_handler
-        @message_handler ||= InteractiveMessage::Handler.new
+        @message_handler ||= InteractiveMessage::Handler.new(
+          config,
+          auth: InteractiveMessage::Authenticator.new,
+        )
       end
     end
 

data/lib/banacle/aws_wrapper/nacl.rb

@@ -93,7 +93,7 @@ module Banacle
             rule_number: target.rule_number,
           )
         else
-          raise EntryDuplicatedError.new("not found")
+          raise EntryNotFoundError.new("not found")
         end
       end
 

data/lib/banacle/config.rb

@@ -0,0 +1,19 @@
+module Banacle
+  class Config
+    def initialize(hash)
+      @hash = hash
+    end
+
+    def [](k)
+      @hash[k]
+    end
+
+    def fetch(*args)
+      @hash.fetch(*args)
+    end
+
+    def dig(*args)
+      @hash.dig(*args)
+    end
+  end
+end

data/lib/banacle/interactive_message/authenticator.rb

@@ -0,0 +1,30 @@
+module Banacle
+  module InteractiveMessage
+    class Authenticator
+      class Error < StandardError; end
+      class NotAuthenticatedError < Error; end
+
+      # override to implement your own validation
+      def authenticate_approver!(request)
+        if request.self_actioned?
+          raise NotAuthenticatedError.new("you cannot approve the request by yourself")
+        end
+      end
+
+      # override to implement your own validation
+      def authenticate_rejector!(request)
+        if request.self_actioned?
+          raise NotAuthenticatedError.new("you cannot reject the request by yourself")
+        end
+      end
+
+      # override to implement your own validation
+      def authenticate_canceller!(request)
+        unless request.self_actioned?
+          raise NotAuthenticatedError.new("you cannot cancel the request by other than the requester")
+        end
+      end
+
+    end
+  end
+end

data/lib/banacle/interactive_message/handler.rb

@@ -1,23 +1,91 @@
-require 'banacle/handler'
+require 'banacle/slack_validator'
+require 'banacle/interactive_message/authenticator'
 require 'banacle/interactive_message/parser'
 require 'banacle/interactive_message/renderer'
+require 'banacle/interactive_message/request'
 
 module Banacle
   module InteractiveMessage
-    class Handler < Banacle::Handler
-      def handle_request
-        unless authenticated?
-          return Renderer.render_unauthenticated
+    class Handler
+      def initialize(config, auth: nil)
+        @config = config
+        @auth = auth
+      end
+
+      attr_reader :config, :auth
+      attr_accessor :request
+
+      def handle(raw_request)
+        unless slack_validator.valid_signature?(raw_request)
+          return [401, {}, "invalid signagure"]
         end
 
-        command = Parser.parse(JSON.parse(request_payload))
-        Renderer.render(request.params, command)
+        self.request = Request.new(raw_request)
+
+        if request.action.approved?
+          handle_approval
+        elsif request.action.rejected?
+          handle_reject
+        elsif request.action.cancelled?
+          handle_cancellation
+        end
       end
 
       private
 
-      def request_payload
-        request.params["payload"]
+      def handle_approval
+        begin
+          authenticate_approver!
+        rescue Authenticator::Error => e
+          return Renderer.render_error(e)
+        end
+
+        result = Parser.parse(request.payload).execute
+        renderer.render_approved_message(result)
+      end
+
+      def handle_reject
+        begin
+          authenticate_rejector!
+        rescue Authenticator::Error => e
+          return Renderer.render_error(e)
+        end
+
+        renderer.render_rejected_message
+      end
+
+      def handle_cancellation
+        begin
+          authenticate_canceller!
+        rescue Authenticator::Error => e
+          return Renderer.render_error(e)
+        end
+
+        renderer.render_cancelled_message
+      end
+
+      def renderer
+        Renderer.new(request, config)
+      end
+
+      def slack_validator
+        @slack_validator ||= SlackValidator.new(config[:slack_signing_secret])
+      end
+
+      def authenticate_approver!
+        auth.authenticate_approver!(request)
+      end
+
+      def authenticate_rejector!
+        auth.authenticate_rejector!(request)
+      end
+
+      def authenticate_canceller!
+        auth.authenticate_canceller!(request)
+      end
+
+      def auth
+        (config.dig(:interactive_message, :authenticator) || Authenticator).new
       end
     end
   end

data/lib/banacle/interactive_message/renderer.rb

@@ -1,17 +1,8 @@
 require 'banacle/slack'
-require 'banacle/slash_command/command'
 
 module Banacle
   module InteractiveMessage
     class Renderer
-      def self.render(params, command)
-        new(params, command).render
-      end
-
-      def self.render_unauthenticated
-        self.render_error("you are not authorized to perform this action")
-      end
-
       def self.render_error(error)
         Slack::Response.new(
           response_type: "ephemeral",
@@ -20,36 +11,14 @@ module Banacle
         ).to_json
       end
 
-      def initialize(params, command)
-        @params = params
-        @command = command
+      def initialize(request, config)
+        @request = request
+        @config = config
       end
 
-      attr_reader :params, :command
-
-      def render
-        action = Slack::Action.new(payload[:actions].first)
-
-        if action.approved?
-          render_approved_message(payload, command)
-        elsif action.rejected?
-          render_rejected_message(payload, command)
-        elsif action.cancelled?
-          render_cancelled_message(payload, command)
-        else
-          # Do nothing
-        end
-      end
-
-      private
-
-      def render_approved_message(payload, command)
-        unless valid_approver?
-          return self.render_error("you cannot approve the request by yourself")
-        end
-
-        result = command.execute
+      attr_reader :request, :config
 
+      def render_approved_message(result)
         text = original_message_text
         text += ":white_check_mark: *<@#{actioner_id}> approved this request*\n"
         text += "Result:\n"
@@ -60,22 +29,14 @@ module Banacle
         render_replacing_message(text)
       end
 
-      def render_rejected_message(payload, command)
-        unless valid_rejector?
-          return self.render_error("you cannot reject the request by yourself")
-        end
-
+      def render_rejected_message
         text = original_message_text
         text += ":no_entry_sign: *<@#{actioner_id}> rejected this request*"
 
         render_replacing_message(text)
       end
 
-      def render_cancelled_message(payload, command)
-        unless valid_canceller?
-          return self.render_error("you cannot cancel the request by other than the requester")
-        end
-
+      def render_cancelled_message
         text = original_message_text
         text += "\nThe request was cancelled."
 
@@ -90,36 +51,12 @@ module Banacle
         ).to_json
       end
 
-      def valid_approver?
-        ENV['BANACLE_SKIP_VALIDATION'] || !self_actioned?
-      end
-
-      def valid_rejector?
-        ENV['BANACLE_SKIP_VALIDATION'] || !self_actioned?
-      end
-
-      def valid_canceller?
-        ENV['BANACLE_SKIP_VALIDATION'] || self_actioned?
-      end
-
-      def self_actioned?
-        requester_id == actioner_id
-      end
-
-      def requester_id
-        original_message_text.match(/\A<@([^>]+)>/)[1]
-      end
-
-      def actioner_id
-        payload[:user][:id]
-      end
-
       def original_message_text
-        payload[:original_message][:text]
+        request.original_message_text
       end
 
-      def payload
-        @payload ||= JSON.parse(params["payload"], symbolize_names: true)
+      def actioner_id
+        request.actioner_id
       end
     end
   end

data/lib/banacle/interactive_message/request.rb

@@ -0,0 +1,37 @@
+module Banacle
+  module InteractiveMessage
+    class Request
+      REQUESTER_ID_REGEX = /\A<@([^>]+)>/.freeze
+
+      def initialize(request)
+        @request = request
+      end
+
+      attr_reader :request
+
+      def action
+        Slack::Action.new(payload["actions"].first)
+      end
+
+      def self_actioned?
+        requester_id == actioner_id
+      end
+
+      def requester_id
+        original_message_text.match(REQUESTER_ID_REGEX)[1]
+      end
+
+      def actioner_id
+        payload["user"]["id"]
+      end
+
+      def original_message_text
+        payload["original_message"]["text"]
+      end
+
+      def payload
+        @payload ||= JSON.parse(request.params["payload"])
+      end
+    end
+  end
+end

data/lib/banacle/slack_validator.rb

@@ -5,10 +5,12 @@ module Banacle
   class SlackValidator
     SLACK_SIGNING_SECRET_VERSION = 'v0'.freeze
 
-    def self.valid_signature?(request)
-      new.valid_signature?(request)
+    def initialize(signing_secret)
+      @signing_secret = signing_secret
     end
 
+    attr_reader :signing_secret
+
     def valid_signature?(request)
       body = request.env["rack.request.form_vars"]
       slack_signature = request.env["HTTP_X_SLACK_SIGNATURE"]
@@ -24,9 +26,5 @@ module Banacle
 
       slack_signature == "#{SLACK_SIGNING_SECRET_VERSION}=#{digest}"
     end
-
-    def signing_secret
-      ENV.fetch('BANACLE_SLACK_SIGNING_SECRET')
-    end
   end
 end

data/lib/banacle/slash_command/authenticator.rb

@@ -0,0 +1,13 @@
+require 'banacle/slash_command/error'
+
+module Banacle
+  module SlashCommand
+    class Authenticator
+      class NotAuthenticatedError < Error; end
+
+      # override to implement the original validation
+      def authenticate_requester!(request)
+      end
+    end
+  end
+end

data/lib/banacle/slash_command/handler.rb

@@ -1,29 +1,48 @@
-require 'banacle/handler'
+require 'banacle/slack_validator'
+require 'banacle/slash_command/authenticator'
 require 'banacle/slash_command/error'
 require 'banacle/slash_command/parser'
 require 'banacle/slash_command/renderer'
+require 'banacle/slash_command/request'
 
 module Banacle
   module SlashCommand
-    class Handler < Banacle::Handler
-      def handle_request
-        unless authenticated?
-          return Renderer.render_unauthenticated
+    class Handler
+      def initialize(config)
+        @config = config
+      end
+
+      attr_reader :config
+
+      def handle(raw_request)
+        unless slack_validator.valid_signature?(raw_request)
+          return [401, {}, "invalid signagure"]
         end
 
+        request = Request.new(raw_request)
+
         begin
-          command = Parser.parse(request_text)
+          authenticate_requester!(request)
+          command = Parser.parse(request.text)
         rescue Error => e
           return Renderer.render_error(e)
         end
 
-        Renderer.render(request.params, command)
+        Renderer.new(request, command, config).render_approval_request
       end
 
       private
 
-      def request_text
-        request.params["text"]
+      def slack_validator
+        @slack_validator ||= SlackValidator.new(config[:slack_signing_secret])
+      end
+
+      def authenticate_requester!(request)
+        auth.authenticate_requester!(request)
+      end
+
+      def auth
+        (config.dig(:slash_command, :authenticator) || Authenticator).new
       end
     end
   end

data/lib/banacle/slash_command/renderer.rb

@@ -1,18 +1,8 @@
 require 'banacle/slack'
-require 'banacle/slash_command/builder'
-require 'banacle/slash_command/command'
 
 module Banacle
   module SlashCommand
     class Renderer
-      def self.render(params, command)
-        new(params, command).render
-      end
-
-      def self.render_unauthenticated
-        render_error("you are not authorized to perform this command")
-      end
-
       def self.render_error(error)
         Slack::Response.new(
           response_type: "ephemeral",
@@ -20,16 +10,13 @@ module Banacle
         ).to_json
       end
 
-      def initialize(params, command)
-        @params = params
+      def initialize(request, command, config)
+        @request = request
         @command = command
+        @config = config
       end
 
-      attr_reader :params, :command
-
-      def render
-        render_approval_request
-      end
+      attr_reader :request, :command, :config
 
       def render_approval_request
         text = <<-EOS
@@ -44,7 +31,7 @@ module Banacle
           text: text,
           attachments: [
             Slack::Attachment.new(
-              text: "*Approval Request*",
+              text: config.dig(:approval_request, :attachment, :text) || "*Approval Request*",
               fallback: "TBD",
               callback_id: "banacle_approval_request",
               color: "#3AA3E3",
@@ -60,7 +47,7 @@ module Banacle
       end
 
       def user_id
-        params["user_id"]
+        request.user_id
       end
     end
   end

data/lib/banacle/slash_command/request.rb

@@ -0,0 +1,23 @@
+module Banacle
+  module SlashCommand
+    class Request
+      def initialize(request)
+        @request = request
+      end
+
+      attr_reader :request
+
+      def user_id
+        params["user_id"]
+      end
+
+      def text
+        params["text"]
+      end
+
+      def params
+        request.params
+      end
+    end
+  end
+end

data/lib/banacle/version.rb

@@ -1,3 +1,3 @@
 module Banacle
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: banacle
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Takuya Kosugiyama
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-12-29 00:00:00.000000000 Z
+date: 2018-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -147,26 +147,30 @@ files:
 - docs/nacl.png
 - example/Gemfile
 - example/Gemfile.lock
+- example/README.md
 - example/config.ru
 - lib/banacle.rb
 - lib/banacle/app.rb
-- lib/banacle/authenticator.rb
 - lib/banacle/aws_wrapper/error.rb
 - lib/banacle/aws_wrapper/nacl.rb
 - lib/banacle/aws_wrapper/result.rb
 - lib/banacle/aws_wrapper/vpc.rb
-- lib/banacle/handler.rb
+- lib/banacle/config.rb
+- lib/banacle/interactive_message/authenticator.rb
 - lib/banacle/interactive_message/handler.rb
 - lib/banacle/interactive_message/parser.rb
 - lib/banacle/interactive_message/renderer.rb
+- lib/banacle/interactive_message/request.rb
 - lib/banacle/slack.rb
 - lib/banacle/slack_validator.rb
+- lib/banacle/slash_command/authenticator.rb
 - lib/banacle/slash_command/builder.rb
 - lib/banacle/slash_command/command.rb
 - lib/banacle/slash_command/error.rb
 - lib/banacle/slash_command/handler.rb
 - lib/banacle/slash_command/parser.rb
 - lib/banacle/slash_command/renderer.rb
+- lib/banacle/slash_command/request.rb
 - lib/banacle/version.rb
 homepage: https://github.com/itkq/banacle
 licenses: []

data/lib/banacle/authenticator.rb

@@ -1,7 +0,0 @@
-module Banacle
-  class Authenticator
-    # override
-    def authenticate(request)
-    end
-  end
-end

data/lib/banacle/handler.rb

@@ -1,46 +0,0 @@
-require 'banacle/authenticator'
-require 'banacle/slack_validator'
-
-module Banacle
-  class Handler
-    class InvalidAuthenticatorError < StandardError; end
-
-    attr_reader :request, :auth
-
-    def handle(request)
-      @request = request
-
-      unless skip_validation? || SlackValidator.valid_signature?(request)
-        return [401, {}, "invalid request"]
-      end
-
-      handle_request
-    end
-
-    # override
-    def handle_request
-    end
-
-    def set_authenticator!(auth)
-      unless auth.is_a?(Banacle::Authenticator)
-        raise InvalidAuthenticatorError.new(auth.inspect)
-      end
-
-      @auth = auth
-    end
-
-    private
-
-    def authenticated?
-      if auth && !auth.authenticate(request)
-        return false
-      end
-
-      true
-    end
-
-    def skip_validation?
-      request.params["skip_validation"] || ENV["BANACLE_SKIP_VALIDATION"]
-    end
-  end
-end