-
Notifications
You must be signed in to change notification settings - Fork 248
/
oauth_flow.py
358 lines (322 loc) · 13.5 KB
/
oauth_flow.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
import logging
import os
from logging import Logger
from typing import Optional, Dict, Callable, Sequence
from slack_bolt.error import BoltError
from slack_bolt.oauth.callback_options import (
FailureArgs,
SuccessArgs,
DefaultCallbackOptions,
CallbackOptions,
)
from slack_bolt.oauth.internals import _build_default_install_page_html
from slack_bolt.oauth.oauth_settings import OAuthSettings
from slack_bolt.request import BoltRequest
from slack_bolt.response import BoltResponse
from slack_sdk.errors import SlackApiError
from slack_sdk.oauth import OAuthStateUtils
from slack_sdk.oauth.installation_store import Installation
from slack_sdk.oauth.installation_store.sqlite3 import SQLite3InstallationStore
from slack_sdk.oauth.state_store.sqlite3 import SQLite3OAuthStateStore
from slack_sdk.web import WebClient, SlackResponse
from slack_bolt.util.utils import create_web_client
class OAuthFlow:
settings: OAuthSettings
client_id: str
redirect_uri: Optional[str]
install_path: str
redirect_uri_path: str
success_handler: Callable[[SuccessArgs], BoltResponse]
failure_handler: Callable[[FailureArgs], BoltResponse]
@property
def client(self) -> WebClient:
if self._client is None:
self._client = create_web_client(logger=self.logger)
return self._client
@property
def logger(self) -> Logger:
if self._logger is None:
self._logger = logging.getLogger(__name__)
return self._logger
def __init__(
self,
*,
client: Optional[WebClient] = None,
logger: Optional[Logger] = None,
settings: OAuthSettings,
):
"""The module to run the Slack app installation flow (OAuth flow).
Args:
client: The `slack_sdk.web.WebClient` instance.
logger: The logger.
settings: OAuth settings to configure this module.
"""
self._client = client
self._logger = logger
self.settings = settings
self.settings.logger = self._logger
self.client_id = self.settings.client_id
self.redirect_uri = self.settings.redirect_uri
self.install_path = self.settings.install_path
self.redirect_uri_path = self.settings.redirect_uri_path
self.default_callback_options = DefaultCallbackOptions(
logger=logger,
state_utils=self.settings.state_utils,
redirect_uri_page_renderer=self.settings.redirect_uri_page_renderer,
)
if settings.callback_options is None:
settings.callback_options = self.default_callback_options
self.success_handler = settings.callback_options.success
self.failure_handler = settings.callback_options.failure
# -----------------------------
# Factory Methods
# -----------------------------
@classmethod
def sqlite3(
cls,
database: str,
# OAuth flow parameters/credentials
client_id: Optional[str] = None, # required
client_secret: Optional[str] = None, # required
scopes: Optional[Sequence[str]] = None,
user_scopes: Optional[Sequence[str]] = None,
redirect_uri: Optional[str] = None,
# Handler configuration
install_path: Optional[str] = None,
redirect_uri_path: Optional[str] = None,
callback_options: Optional[CallbackOptions] = None,
success_url: Optional[str] = None,
failure_url: Optional[str] = None,
authorization_url: Optional[str] = None,
# Installation Management
# state parameter related configurations
state_cookie_name: str = OAuthStateUtils.default_cookie_name,
state_expiration_seconds: int = OAuthStateUtils.default_expiration_seconds,
installation_store_bot_only: bool = False,
client: Optional[WebClient] = None,
logger: Optional[Logger] = None,
) -> "OAuthFlow":
client_id = client_id or os.environ["SLACK_CLIENT_ID"] # required
client_secret = client_secret or os.environ["SLACK_CLIENT_SECRET"] # required
scopes = scopes or os.environ.get("SLACK_SCOPES", "").split(",")
user_scopes = user_scopes or os.environ.get("SLACK_USER_SCOPES", "").split(",")
redirect_uri = redirect_uri or os.environ.get("SLACK_REDIRECT_URI")
return OAuthFlow(
client=client or WebClient(),
logger=logger,
settings=OAuthSettings(
# OAuth flow parameters/credentials
client_id=client_id,
client_secret=client_secret,
scopes=scopes,
user_scopes=user_scopes,
redirect_uri=redirect_uri,
# Handler configuration
install_path=install_path,
redirect_uri_path=redirect_uri_path,
callback_options=callback_options,
success_url=success_url,
failure_url=failure_url,
authorization_url=authorization_url,
# Installation Management
installation_store=SQLite3InstallationStore(
database=database,
client_id=client_id,
logger=logger,
),
installation_store_bot_only=installation_store_bot_only,
# state parameter related configurations
state_store=SQLite3OAuthStateStore(
database=database,
expiration_seconds=state_expiration_seconds,
logger=logger,
),
state_cookie_name=state_cookie_name,
state_expiration_seconds=state_expiration_seconds,
),
)
# -----------------------------
# Installation
# -----------------------------
def handle_installation(self, request: BoltRequest) -> BoltResponse:
state = self.issue_new_state(request)
url = self.build_authorize_url(state, request)
set_cookie_value = self.settings.state_utils.build_set_cookie_for_new_state(
state
)
if self.settings.install_page_rendering_enabled:
html = self.build_install_page_html(url, request)
return BoltResponse(
status=200,
body=html,
headers={
"Content-Type": "text/html; charset=utf-8",
"Set-Cookie": [set_cookie_value],
},
)
else:
return BoltResponse(
status=302,
body="",
headers={
"Content-Type": "text/html; charset=utf-8",
"Location": url,
"Set-Cookie": [set_cookie_value],
},
)
# ----------------------
# Internal methods for Installation
def issue_new_state(self, request: BoltRequest) -> str:
return self.settings.state_store.issue()
def build_authorize_url(self, state: str, request: BoltRequest) -> str:
return self.settings.authorize_url_generator.generate(state)
def build_install_page_html(self, url: str, request: BoltRequest) -> str:
return _build_default_install_page_html(url)
# -----------------------------
# Callback
# -----------------------------
def handle_callback(self, request: BoltRequest) -> BoltResponse:
# failure due to end-user's cancellation or invalid redirection to slack.com
error = request.query.get("error", [None])[0]
if error is not None:
return self.failure_handler(
FailureArgs(
request=request,
reason=error,
suggested_status_code=200,
settings=self.settings,
default=self.default_callback_options,
)
)
# state parameter verification
state = request.query.get("state", [None])[0]
if not self.settings.state_utils.is_valid_browser(state, request.headers):
return self.failure_handler(
FailureArgs(
request=request,
reason="invalid_browser",
suggested_status_code=400,
settings=self.settings,
default=self.default_callback_options,
)
)
valid_state_consumed = self.settings.state_store.consume(state)
if not valid_state_consumed:
return self.failure_handler(
FailureArgs(
request=request,
reason="invalid_state",
suggested_status_code=401,
settings=self.settings,
default=self.default_callback_options,
)
)
# run installation
code = request.query.get("code", [None])[0]
if code is None:
return self.failure_handler(
FailureArgs(
request=request,
reason="missing_code",
suggested_status_code=401,
settings=self.settings,
default=self.default_callback_options,
)
)
installation = self.run_installation(code)
if installation is None:
# failed to run installation with the code
return self.failure_handler(
FailureArgs(
request=request,
reason="invalid_code",
suggested_status_code=401,
settings=self.settings,
default=self.default_callback_options,
)
)
# persist the installation
try:
self.store_installation(request, installation)
except BoltError as err:
return self.failure_handler(
FailureArgs(
request=request,
reason="storage_error",
error=err,
suggested_status_code=500,
settings=self.settings,
default=self.default_callback_options,
)
)
# display a successful completion page to the end-user
return self.success_handler(
SuccessArgs(
request=request,
installation=installation,
settings=self.settings,
default=self.default_callback_options,
)
)
# ----------------------
# Internal methods for Callback
def run_installation(self, code: str) -> Optional[Installation]:
try:
oauth_response: SlackResponse = self.client.oauth_v2_access(
code=code,
client_id=self.settings.client_id,
client_secret=self.settings.client_secret,
redirect_uri=self.settings.redirect_uri, # can be None
)
installed_enterprise: Dict[str, str] = (
oauth_response.get("enterprise") or {}
)
is_enterprise_install: bool = (
oauth_response.get("is_enterprise_install") or False
)
installed_team: Dict[str, str] = oauth_response.get("team") or {}
installer: Dict[str, str] = oauth_response.get("authed_user") or {}
incoming_webhook: Dict[str, str] = (
oauth_response.get("incoming_webhook") or {}
)
bot_token: Optional[str] = oauth_response.get("access_token")
# NOTE: oauth.v2.access doesn't include bot_id in response
bot_id: Optional[str] = None
enterprise_url: Optional[str] = None
if bot_token is not None:
auth_test = self.client.auth_test(token=bot_token)
bot_id = auth_test["bot_id"]
if is_enterprise_install is True:
enterprise_url = auth_test.get("url")
return Installation(
app_id=oauth_response.get("app_id"),
enterprise_id=installed_enterprise.get("id"),
enterprise_name=installed_enterprise.get("name"),
enterprise_url=enterprise_url,
team_id=installed_team.get("id"),
team_name=installed_team.get("name"),
bot_token=bot_token,
bot_id=bot_id,
bot_user_id=oauth_response.get("bot_user_id"),
bot_scopes=oauth_response.get("scope"), # comma-separated string
user_id=installer.get("id"),
user_token=installer.get("access_token"),
user_scopes=installer.get("scope"), # comma-separated string
incoming_webhook_url=incoming_webhook.get("url"),
incoming_webhook_channel=incoming_webhook.get("channel"),
incoming_webhook_channel_id=incoming_webhook.get("channel_id"),
incoming_webhook_configuration_url=incoming_webhook.get(
"configuration_url"
),
is_enterprise_install=is_enterprise_install,
token_type=oauth_response.get("token_type"),
)
except SlackApiError as e:
message = (
f"Failed to fetch oauth.v2.access result with code: {code} - error: {e}"
)
self.logger.warning(message)
return None
def store_installation(self, request: BoltRequest, installation: Installation):
# may raise BoltError
self.settings.installation_store.save(installation)