Add new auth script using IDs over names
Showing
1 changed file
with
104 additions
and
0 deletions.
@@ -0,0 +1,104 @@ | ||
# Description: | ||
# Auth allows you to assign roles to users which can be used by other scripts | ||
# to restrict access to Hubot commands | ||
# | ||
# Dependencies: | ||
# None | ||
# | ||
# Configuration: | ||
# HUBOT_AUTH_ADMIN - A comma separate list of user IDs | ||
# | ||
# Commands: | ||
# hubot <user> has <role> role - Assigns a role to a user | ||
# hubot <user> doesn't have <role> role - Removes a role from a user | ||
# hubot what role does <user> have - Find out what roles are assigned to a specific user | ||
# hubot who has admin role - Find out who's an admin and can assign roles | ||
# | ||
# Notes: | ||
# * Call the method: robot.auth.hasRole(msg.envelope.user,'<role>') | ||
# * returns bool true or false | ||
# | ||
# * the 'admin' role can only be assigned through the environment variable | ||
# * roles are all transformed to lower case | ||
# | ||
# * The script assumes that user IDs will be unique on the service end as to | ||
# correctly identify a user. Names were insecure as a user could impersonate | ||
# a user | ||
# | ||
# Author: | ||
# alexwilliamsca, tombell | ||
|
||
module.exports = (robot) -> | ||
|
||
unless process.env.HUBOT_AUTH_ADMIN? | ||
robot.logger.warn 'The HUBOT_AUTH_ADMIN environment variable not set' | ||
|
||
admins = (process.env.HUBOT_AUTH_ADMIN or []).split ',' | ||
|
||
class Auth | ||
hasRole: (user, roles) -> | ||
user = robot.brain.userForId(user.id) | ||
if user? and user.roles? | ||
roles = [roles] if roles typeof String | ||
for role in roles | ||
return true if role in user.roles | ||
return false | ||
|
||
robot.auth = new Auth | ||
|
||
robot.respond /@?(.+) (has) (["'\w: -_]+) (role)/i, (msg) -> | ||
name = msg.match[1].trim() | ||
newRole = msg.match[3].trim().toLowerCase() | ||
|
||
unless name.toLowerCase() in ['', 'who', 'what', 'where', 'when', 'why'] | ||
user = robot.brain.userForName(name) | ||
return msg.reply "#{name} does not exist" unless user? | ||
user.roles or= [] | ||
|
||
if newRole in user.roles | ||
msg.reply "#{name} already has the '#{newRole}' role." | ||
else | ||
if newRole is 'admin' | ||
msg.reply "Sorry, the 'admin' role can only be defined in the HUBOT_AUTH_ADMIN env variable." | ||
else | ||
myRoles = msg.message.user.roles or [] | ||
if msg.message.user.id.toString() in admins | ||
user.roles.push(newRole) | ||
msg.reply "Ok, #{name} has the '#{newRole}' role." | ||
|
||
robot.respond /@?(.+) (doesn't have|does not have) (["'\w: -_]+) (role)/i, (msg) -> | ||
name = msg.match[1].trim() | ||
newRole = msg.match[3].trim().toLowerCase() | ||
|
||
unless name.toLowerCase() in ['', 'who', 'what', 'where', 'when', 'why'] | ||
user = robot.brain.userForName(name) | ||
return msg.reply "#{name} does not exist" unless user? | ||
user.roles or= [] | ||
|
||
if newRole is 'admin' | ||
msg.reply "Sorry, the 'admin' role can only be removed from the HUBOT_AUTH_ADMIN env variable." | ||
else | ||
myRoles = msg.message.user.roles or [] | ||
if msg.message.user.id.toString() in admins | ||
user.roles = (role for role in user.roles when role isnt newRole) | ||
msg.reply "Ok, #{name} doesn't have the '#{newRole}' role." | ||
|
||
robot.respond /(what role does|what roles does) @?(.+) (have)\?*$/i, (msg) -> | ||
name = msg.match[2].trim() | ||
user = robot.brain.userForId(msg.message.user.id) | ||
return msg.reply "#{name} does not exist" unless user? | ||
user.roles or= [] | ||
|
||
if user.id.toString() in admins | ||
isAdmin = ' and is also an admin' | ||
else | ||
isAdmin = '' | ||
msg.reply "#{name} has the following roles: #{user.roles.join(', ')}#{isAdmin}." | ||
|
||
robot.respond /who has admin role\?*$/i, (msg) -> | ||
adminNames = [] | ||
for admin in admins | ||
user = robot.brain.userForId(admin) | ||
adminNames.push user.name if user? | ||
|
||
msg.reply "The following people have the 'admin' role: #{adminNames.join(', ')}" |
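Review bot: `hasRole` on the `roles = [roles] if roles typeof String` line cannot take the string the Notes tell callers to pass: as far as I can tell CoffeeScript reads `roles typeof String` as the implicit call `roles(typeof String)`, so `robot.auth.hasRole(user, 'admin')` throws a TypeError for any user that already has roles and only returns false for users with none; the line should read `roles = [roles] if typeof roles is 'string'`. The `what role does <user> have` handler has a related slip: it looks up `msg.message.user.id` (the requester) instead of the named user, so it reports the asker's roles under someone else's name; `user = robot.brain.userForName(name)` with the same "does not exist" guard the other handlers use fixes it. In the grant and revoke handlers a non-admin requester gets no reply at all and the `myRoles` local is never read; an explicit `else msg.reply "Sorry, only admins can assign roles."` would make the denied path visible rather than silent. Note also that both handlers still resolve the target with `userForName`, so the name-impersonation concern the header raises applies to the recipient of a grant even though the requester is checked by ID.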