@checkstack/integration-webex-backend 0.1.11 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +64 -0
- package/package.json +5 -5
- package/src/automations.ts +23 -1
- package/src/index.ts +3 -0
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,69 @@
|
|
|
1
1
|
# @checkstack/integration-webex-backend
|
|
2
2
|
|
|
3
|
+
## 0.2.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- ebef442: feat(automation): gate integration actions on the runAs service account's permissions
|
|
8
|
+
|
|
9
|
+
**BREAKING.** Integration automation actions resolve credentials through a
|
|
10
|
+
trusted service rather than the bounded `runAs` client, so they previously
|
|
11
|
+
bypassed the runAs least-privilege model entirely: anyone able to author an
|
|
12
|
+
automation could create Jira tickets, send Teams/Webex messages, etc. on any
|
|
13
|
+
configured connection, with a zero-permission service account. This closes that
|
|
14
|
+
gap.
|
|
15
|
+
|
|
16
|
+
- **Actions declare `requiredAccessRules`** and the dispatch engine enforces
|
|
17
|
+
them against the resolved `runAs` principal BEFORE the action runs (failing
|
|
18
|
+
the step if missing) - the authorization point integration actions lacked.
|
|
19
|
+
- **Each integration plugin defines per-action access rules**, e.g.
|
|
20
|
+
`integration-jira.create_issue.manage` / `search_issues.read` /
|
|
21
|
+
`transition_issue.manage` / `add_comment.manage`,
|
|
22
|
+
`integration-teams.post_message.manage`,
|
|
23
|
+
`integration-webex.post_message.manage`.
|
|
24
|
+
- **`automation.propose` checks the same up front**, surfacing a per-action
|
|
25
|
+
missing-permission error on the review card; `listActions` now exposes each
|
|
26
|
+
action's `requiredAccessRules`, and `getBindableApplications` now returns each
|
|
27
|
+
app's effective `accessRules`.
|
|
28
|
+
- **New `integration.read` rule** gates `listConnectionSummaries` /
|
|
29
|
+
`resolveConnectionOptions` (previously open to any authenticated user), so
|
|
30
|
+
discovering connections and resolving their field options requires a grant.
|
|
31
|
+
- **The AI assistant picks a capable runAs up front.**
|
|
32
|
+
`automation.listServiceAccounts` now returns each account's `accessRules` and
|
|
33
|
+
`automation.getCapabilitySchema` returns each action's `requiredAccessRules`,
|
|
34
|
+
so the model selects a service account whose permissions cover the actions it
|
|
35
|
+
uses instead of proposing and being rejected. When the operator did not name a
|
|
36
|
+
runAs and more than one account qualifies, it ASKS which to use rather than
|
|
37
|
+
choosing the automation's identity itself; when none has the needed rules it
|
|
38
|
+
says which rule(s) to grant.
|
|
39
|
+
|
|
40
|
+
**Migration:** existing automations whose service account does not hold the new
|
|
41
|
+
rules will fail at the gated action until an admin grants the matching rule(s)
|
|
42
|
+
to the service account's role (e.g. add `integration-jira.create_issue.manage`).
|
|
43
|
+
Admin (`*`) service accounts are unaffected. Grant `integration.read` to roles
|
|
44
|
+
that author integration-using automations so the editor's connection pickers and
|
|
45
|
+
dropdowns keep working for non-admins.
|
|
46
|
+
|
|
47
|
+
### Patch Changes
|
|
48
|
+
|
|
49
|
+
- Updated dependencies [ebef442]
|
|
50
|
+
- Updated dependencies [ebef442]
|
|
51
|
+
- @checkstack/integration-backend@0.6.0
|
|
52
|
+
- @checkstack/automation-backend@0.7.0
|
|
53
|
+
- @checkstack/backend-api@0.21.7
|
|
54
|
+
|
|
55
|
+
## 0.1.12
|
|
56
|
+
|
|
57
|
+
### Patch Changes
|
|
58
|
+
|
|
59
|
+
- Updated dependencies [c4bebbb]
|
|
60
|
+
- Updated dependencies [c4bebbb]
|
|
61
|
+
- Updated dependencies [c4bebbb]
|
|
62
|
+
- Updated dependencies [c4bebbb]
|
|
63
|
+
- Updated dependencies [c4bebbb]
|
|
64
|
+
- @checkstack/automation-backend@0.6.0
|
|
65
|
+
- @checkstack/integration-backend@0.5.0
|
|
66
|
+
|
|
3
67
|
## 0.1.11
|
|
4
68
|
|
|
5
69
|
### Patch Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/integration-webex-backend",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.2.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"main": "src/index.ts",
|
|
6
6
|
"checkstack": {
|
|
@@ -15,9 +15,9 @@
|
|
|
15
15
|
"pack": "bunx @checkstack/scripts plugin-pack"
|
|
16
16
|
},
|
|
17
17
|
"dependencies": {
|
|
18
|
-
"@checkstack/backend-api": "0.21.
|
|
19
|
-
"@checkstack/integration-backend": "0.
|
|
20
|
-
"@checkstack/automation-backend": "0.
|
|
18
|
+
"@checkstack/backend-api": "0.21.7",
|
|
19
|
+
"@checkstack/integration-backend": "0.6.0",
|
|
20
|
+
"@checkstack/automation-backend": "0.7.0",
|
|
21
21
|
"@checkstack/common": "0.15.0",
|
|
22
22
|
"zod": "^4.2.1"
|
|
23
23
|
},
|
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
"@types/bun": "^1.0.0",
|
|
26
26
|
"typescript": "^5.0.0",
|
|
27
27
|
"@checkstack/tsconfig": "0.0.7",
|
|
28
|
-
"@checkstack/test-utils-backend": "0.1.
|
|
28
|
+
"@checkstack/test-utils-backend": "0.1.41"
|
|
29
29
|
},
|
|
30
30
|
"description": "Checkstack integration-webex-backend plugin",
|
|
31
31
|
"author": {
|
package/src/automations.ts
CHANGED
|
@@ -13,7 +13,12 @@ import {
|
|
|
13
13
|
} from "@checkstack/backend-api";
|
|
14
14
|
import type { ActionDefinition } from "@checkstack/automation-backend";
|
|
15
15
|
import { connectionStoreRef } from "@checkstack/integration-backend";
|
|
16
|
-
import {
|
|
16
|
+
import {
|
|
17
|
+
access,
|
|
18
|
+
extractErrorMessage,
|
|
19
|
+
qualifyAccessRuleId,
|
|
20
|
+
} from "@checkstack/common";
|
|
21
|
+
import { pluginMetadata } from "./plugin-metadata";
|
|
17
22
|
|
|
18
23
|
import {
|
|
19
24
|
WEBEX_RESOLVERS,
|
|
@@ -21,6 +26,20 @@ import {
|
|
|
21
26
|
type WebexConnectionConfig,
|
|
22
27
|
} from "./provider";
|
|
23
28
|
|
|
29
|
+
/**
|
|
30
|
+
* Access rule a runAs service account must hold to post Webex messages from an
|
|
31
|
+
* automation. Enforced by the dispatch engine before the action runs.
|
|
32
|
+
*/
|
|
33
|
+
export const webexAccess = {
|
|
34
|
+
postMessage: access(
|
|
35
|
+
"post_message",
|
|
36
|
+
"manage",
|
|
37
|
+
"Post Webex messages from an automation",
|
|
38
|
+
{ pluginId: pluginMetadata.pluginId },
|
|
39
|
+
),
|
|
40
|
+
};
|
|
41
|
+
export const webexAccessRules = Object.values(webexAccess);
|
|
42
|
+
|
|
24
43
|
const WEBEX_API_BASE = "https://webexapis.com/v1";
|
|
25
44
|
|
|
26
45
|
const webexMessageDataSchema = z.object({
|
|
@@ -96,6 +115,9 @@ export function createWebexActions(): ActionDefinition<unknown, unknown>[] {
|
|
|
96
115
|
category: "Webex",
|
|
97
116
|
icon: "MessageSquare",
|
|
98
117
|
connectionProviderId: WEBEX_PROVIDER_QUALIFIED_ID,
|
|
118
|
+
requiredAccessRules: [
|
|
119
|
+
qualifyAccessRuleId(pluginMetadata, webexAccess.postMessage),
|
|
120
|
+
],
|
|
99
121
|
config: new Versioned({
|
|
100
122
|
version: 1,
|
|
101
123
|
schema: webexPostMessageConfigSchema,
|
package/src/index.ts
CHANGED
|
@@ -8,12 +8,15 @@ import { pluginMetadata } from "./plugin-metadata";
|
|
|
8
8
|
import { webexProvider } from "./provider";
|
|
9
9
|
import {
|
|
10
10
|
createWebexActions,
|
|
11
|
+
webexAccessRules,
|
|
11
12
|
webexMessageArtifactType,
|
|
12
13
|
} from "./automations";
|
|
13
14
|
|
|
14
15
|
export default createBackendPlugin({
|
|
15
16
|
metadata: pluginMetadata,
|
|
16
17
|
register(env) {
|
|
18
|
+
// A runAs service account must hold this rule to post Webex messages.
|
|
19
|
+
env.registerAccessRules(webexAccessRules);
|
|
17
20
|
env
|
|
18
21
|
.getExtensionPoint(providerExtensionPoint)
|
|
19
22
|
.addProvider(webexProvider, pluginMetadata);
|