feat(slack): add user authorization with admin commands and MongoDB persistence #917
Draft
sriaradhyula wants to merge 1 commit into main from
…ersistence

Introduce a UserAuthorizer that gates access to the CAIPE Slack Bot with two modes: open (default) and restricted. The deny list is always checked first, followed by the admin list, then mode-specific resolution.

- Add authorization.py with open/restricted mode, static allow/deny lists, channel-level authorized_users, and dynamic grants persisted in MongoDB
- Wire authz checks into handle_mention, handle_qanda_message, and handle_dm_message handlers
- Add admin commands via @mention: authorize, revoke, and authz list
- Add authorized_users field to ChannelConfig for per-channel access control

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor
Contributor
✅ No proprietary content detected. This PR is clear for review!
Contributor
🐳 Prebuild Docker Image Published
Repository:
Usage: docker pull ghcr.io/cnoe-io/prebuild/caipe-slack-bot:feat-slack-authz-2
Collaborator
I think this is fine, we personally probably would just set this to
Collaborator
Also our config is handled entirely through yaml, we shouldn't mix and match with slack commands and config, that has been a somewhat confusing experience for our RAG ingestion. Maybe for now we do everything through config yaml
Summary

- open (default, everyone allowed) and restricted (explicit allow-list required)
- SLACK_INTEGRATION_AUTHORIZED_USERS, SLACK_INTEGRATION_DENIED_USERS), channel-level authorized users via config, and dynamic grants persisted in MongoDB
- @caipe authorize @user, @caipe revoke @user, @caipe authz list
- handle_mention, handle_qanda_message, and handle_dm_message handlers with appropriate ephemeral/direct denial messages
- authorized_users field to ChannelConfig for per-channel access control

Test plan

- SLACK_INTEGRATION_AUTHZ_MODE=restricted and verify unauthorized users receive denial messages
- SLACK_INTEGRATION_AUTHZ_MODE=open and verify all users can interact
- SLACK_INTEGRATION_DENIED_USERS and verify they are blocked even in open mode
- @caipe authorize @user, @caipe revoke @user, @caipe authz list
- MONGODB_URI is set
- authorized_users in bot config restricts access per-channel

Made with Cursor
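The evaluation order the commit message describes (deny list first, then the admin list, then mode-specific resolution), sketched as an added example that is not code from this PR. `Policy`, `Decision` and `decide` are hypothetical names, an in-memory set stands in for the MongoDB-persisted grants, and both the fail-closed handling of an unrecognized mode and the order of the allow sources in restricted mode are assumptions.

```python
# Added illustration, not code from the PR. Policy, Decision and decide are
# hypothetical names; `grants` is an in-memory stand-in for the MongoDB grants.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    DENY_LIST = "deny list"
    ADMIN = "admin list"
    OPEN_MODE = "open mode"
    STATIC_ALLOW = "static allow list"
    CHANNEL_ALLOW = "channel authorized_users"
    DYNAMIC_GRANT = "dynamic grant"
    NOT_AUTHORIZED = "no matching grant"

    @property
    def allowed(self) -> bool:
        return self not in (Decision.DENY_LIST, Decision.NOT_AUTHORIZED)


@dataclass
class Policy:
    mode: str = "open"  # "open" or "restricted"
    deny_list: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)
    channel_users: dict = field(default_factory=dict)  # channel id -> user ids
    grants: set = field(default_factory=set)


def decide(policy: Policy, user: str, channel: Optional[str] = None) -> Decision:
    if user in policy.deny_list:  # always first: beats admin and open mode
        return Decision.DENY_LIST
    if user in policy.admins:
        return Decision.ADMIN
    if policy.mode == "open":
        return Decision.OPEN_MODE
    if policy.mode != "restricted":  # assumption: unknown mode fails closed
        return Decision.NOT_AUTHORIZED
    # Restricted mode: any one source suffices (order here is an assumption).
    if user in policy.allow_list:
        return Decision.STATIC_ALLOW
    if user in policy.channel_users.get(channel, set()):
        return Decision.CHANNEL_ALLOW
    if user in policy.grants:
        return Decision.DYNAMIC_GRANT
    return Decision.NOT_AUTHORIZED
```

Returning the matching rule rather than a bare boolean lets each handler log why a request was allowed or denied.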