@checkstack/integration-teams-backend 0.1.11 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +64 -0
- package/package.json +5 -5
- package/src/automations.ts +25 -1
- package/src/index.ts +3 -0
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,69 @@
|
|
|
1
1
|
# @checkstack/integration-teams-backend
|
|
2
2
|
|
|
3
|
+
## 0.2.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- ebef442: feat(automation): gate integration actions on the runAs service account's permissions
|
|
8
|
+
|
|
9
|
+
**BREAKING.** Integration automation actions resolve credentials through a
|
|
10
|
+
trusted service rather than the bounded `runAs` client, so they previously
|
|
11
|
+
bypassed the runAs least-privilege model entirely: anyone able to author an
|
|
12
|
+
automation could create Jira tickets, send Teams/Webex messages, etc. on any
|
|
13
|
+
configured connection, with a zero-permission service account. This closes that
|
|
14
|
+
gap.
|
|
15
|
+
|
|
16
|
+
- **Actions declare `requiredAccessRules`** and the dispatch engine enforces
|
|
17
|
+
them against the resolved `runAs` principal BEFORE the action runs (failing
|
|
18
|
+
the step if missing) - the authorization point integration actions lacked.
|
|
19
|
+
- **Each integration plugin defines per-action access rules**, e.g.
|
|
20
|
+
`integration-jira.create_issue.manage` / `search_issues.read` /
|
|
21
|
+
`transition_issue.manage` / `add_comment.manage`,
|
|
22
|
+
`integration-teams.post_message.manage`,
|
|
23
|
+
`integration-webex.post_message.manage`.
|
|
24
|
+
- **`automation.propose` checks the same up front**, surfacing a per-action
|
|
25
|
+
missing-permission error on the review card; `listActions` now exposes each
|
|
26
|
+
action's `requiredAccessRules`, and `getBindableApplications` now returns each
|
|
27
|
+
app's effective `accessRules`.
|
|
28
|
+
- **New `integration.read` rule** gates `listConnectionSummaries` /
|
|
29
|
+
`resolveConnectionOptions` (previously open to any authenticated user), so
|
|
30
|
+
discovering connections and resolving their field options requires a grant.
|
|
31
|
+
- **The AI assistant picks a capable runAs up front.**
|
|
32
|
+
`automation.listServiceAccounts` now returns each account's `accessRules` and
|
|
33
|
+
`automation.getCapabilitySchema` returns each action's `requiredAccessRules`,
|
|
34
|
+
so the model selects a service account whose permissions cover the actions it
|
|
35
|
+
uses instead of proposing and being rejected. When the operator did not name a
|
|
36
|
+
runAs and more than one account qualifies, it ASKS which to use rather than
|
|
37
|
+
choosing the automation's identity itself; when none has the needed rules it
|
|
38
|
+
says which rule(s) to grant.
|
|
39
|
+
|
|
40
|
+
**Migration:** existing automations whose service account does not hold the new
|
|
41
|
+
rules will fail at the gated action until an admin grants the matching rule(s)
|
|
42
|
+
to the service account's role (e.g. add `integration-jira.create_issue.manage`).
|
|
43
|
+
Admin (`*`) service accounts are unaffected. Grant `integration.read` to roles
|
|
44
|
+
that author integration-using automations so the editor's connection pickers and
|
|
45
|
+
dropdowns keep working for non-admins.
|
|
46
|
+
|
|
47
|
+
### Patch Changes
|
|
48
|
+
|
|
49
|
+
- Updated dependencies [ebef442]
|
|
50
|
+
- Updated dependencies [ebef442]
|
|
51
|
+
- @checkstack/integration-backend@0.6.0
|
|
52
|
+
- @checkstack/automation-backend@0.7.0
|
|
53
|
+
- @checkstack/backend-api@0.21.7
|
|
54
|
+
|
|
55
|
+
## 0.1.12
|
|
56
|
+
|
|
57
|
+
### Patch Changes
|
|
58
|
+
|
|
59
|
+
- Updated dependencies [c4bebbb]
|
|
60
|
+
- Updated dependencies [c4bebbb]
|
|
61
|
+
- Updated dependencies [c4bebbb]
|
|
62
|
+
- Updated dependencies [c4bebbb]
|
|
63
|
+
- Updated dependencies [c4bebbb]
|
|
64
|
+
- @checkstack/automation-backend@0.6.0
|
|
65
|
+
- @checkstack/integration-backend@0.5.0
|
|
66
|
+
|
|
3
67
|
## 0.1.11
|
|
4
68
|
|
|
5
69
|
### Patch Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/integration-teams-backend",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.2.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"main": "src/index.ts",
|
|
6
6
|
"checkstack": {
|
|
@@ -15,9 +15,9 @@
|
|
|
15
15
|
"pack": "bunx @checkstack/scripts plugin-pack"
|
|
16
16
|
},
|
|
17
17
|
"dependencies": {
|
|
18
|
-
"@checkstack/backend-api": "0.21.
|
|
19
|
-
"@checkstack/integration-backend": "0.
|
|
20
|
-
"@checkstack/automation-backend": "0.
|
|
18
|
+
"@checkstack/backend-api": "0.21.7",
|
|
19
|
+
"@checkstack/integration-backend": "0.6.0",
|
|
20
|
+
"@checkstack/automation-backend": "0.7.0",
|
|
21
21
|
"@checkstack/common": "0.15.0",
|
|
22
22
|
"zod": "^4.2.1"
|
|
23
23
|
},
|
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
"@types/bun": "^1.0.0",
|
|
26
26
|
"typescript": "^5.0.0",
|
|
27
27
|
"@checkstack/tsconfig": "0.0.7",
|
|
28
|
-
"@checkstack/test-utils-backend": "0.1.
|
|
28
|
+
"@checkstack/test-utils-backend": "0.1.41"
|
|
29
29
|
},
|
|
30
30
|
"description": "Checkstack integration-teams-backend plugin",
|
|
31
31
|
"author": {
|
package/src/automations.ts
CHANGED
|
@@ -14,7 +14,12 @@ import {
|
|
|
14
14
|
} from "@checkstack/backend-api";
|
|
15
15
|
import type { ActionDefinition } from "@checkstack/automation-backend";
|
|
16
16
|
import { connectionStoreRef } from "@checkstack/integration-backend";
|
|
17
|
-
import {
|
|
17
|
+
import {
|
|
18
|
+
access,
|
|
19
|
+
extractErrorMessage,
|
|
20
|
+
qualifyAccessRuleId,
|
|
21
|
+
} from "@checkstack/common";
|
|
22
|
+
import { pluginMetadata } from "./plugin-metadata";
|
|
18
23
|
|
|
19
24
|
import {
|
|
20
25
|
getAppToken,
|
|
@@ -23,6 +28,22 @@ import {
|
|
|
23
28
|
type TeamsConnectionConfig,
|
|
24
29
|
} from "./provider";
|
|
25
30
|
|
|
31
|
+
/**
|
|
32
|
+
* Access rule a runAs service account must hold to post Teams messages from an
|
|
33
|
+
* automation. The dispatch engine enforces it before the action runs, so the
|
|
34
|
+
* capability is granted deliberately to a service account's role rather than
|
|
35
|
+
* implied by being able to author automations.
|
|
36
|
+
*/
|
|
37
|
+
export const teamsAccess = {
|
|
38
|
+
postMessage: access(
|
|
39
|
+
"post_message",
|
|
40
|
+
"manage",
|
|
41
|
+
"Post Microsoft Teams messages from an automation",
|
|
42
|
+
{ pluginId: pluginMetadata.pluginId },
|
|
43
|
+
),
|
|
44
|
+
};
|
|
45
|
+
export const teamsAccessRules = Object.values(teamsAccess);
|
|
46
|
+
|
|
26
47
|
const GRAPH_API_BASE = "https://graph.microsoft.com/v1.0";
|
|
27
48
|
|
|
28
49
|
const teamsMessageDataSchema = z.object({
|
|
@@ -153,6 +174,9 @@ export function createTeamsActions(): ActionDefinition<unknown, unknown>[] {
|
|
|
153
174
|
category: "Microsoft Teams",
|
|
154
175
|
icon: "MessageSquareMore",
|
|
155
176
|
connectionProviderId: TEAMS_PROVIDER_QUALIFIED_ID,
|
|
177
|
+
requiredAccessRules: [
|
|
178
|
+
qualifyAccessRuleId(pluginMetadata, teamsAccess.postMessage),
|
|
179
|
+
],
|
|
156
180
|
config: new Versioned({
|
|
157
181
|
version: 1,
|
|
158
182
|
schema: teamsPostMessageConfigSchema,
|
package/src/index.ts
CHANGED
|
@@ -8,12 +8,15 @@ import { pluginMetadata } from "./plugin-metadata";
|
|
|
8
8
|
import { teamsProvider } from "./provider";
|
|
9
9
|
import {
|
|
10
10
|
createTeamsActions,
|
|
11
|
+
teamsAccessRules,
|
|
11
12
|
teamsMessageArtifactType,
|
|
12
13
|
} from "./automations";
|
|
13
14
|
|
|
14
15
|
export default createBackendPlugin({
|
|
15
16
|
metadata: pluginMetadata,
|
|
16
17
|
register(env) {
|
|
18
|
+
// A runAs service account must hold this rule to post Teams messages.
|
|
19
|
+
env.registerAccessRules(teamsAccessRules);
|
|
17
20
|
env
|
|
18
21
|
.getExtensionPoint(providerExtensionPoint)
|
|
19
22
|
.addProvider(teamsProvider, pluginMetadata);
|