Tailscale accessbot

Co-authored-by: Anton Tolchanov <[email protected]>
Co-authored-by: Kristoffer Dalby <[email protected]>

.github/workflows/deno.yml

@@ -0,0 +1,33 @@
+name: Deno app build and testing
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  deno:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Setup repo
+        uses: actions/checkout@v3
+
+      - name: Setup Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v1.x
+
+      - name: Verify formatting
+        run: deno fmt --check
+
+      - name: Run linter
+        run: deno lint
+
+      - name: Run tests
+        run: deno task test
+
+      - name: Run type check
+        run: deno check *.ts && deno check **/*.ts && deno check **/**/*.ts

.gitignore

@@ -0,0 +1,5 @@
+dist
+package
+.DS_Store
+.slack/apps.dev.json
+.env

.slack/apps.json

@@ -0,0 +1,11 @@
+{
+  "apps": {
+    "TPQSV7ZK4": {
+      "app_id": "A06UZ165AT0",
+      "IsDev": false,
+      "team_domain": "tailscale",
+      "team_id": "TPQSV7ZK4"
+    }
+  },
+  "default": "tailscale"
+}

.slack/config.json

@@ -0,0 +1,3 @@
+{
+  "project_id": "258bfdcb-4a36-4de0-b71e-922b28a3af25"
+}

.vscode/settings.json

@@ -0,0 +1,12 @@
+{
+  "deno.enable": true,
+  "deno.lint": true,
+  "deno.suggest.imports.hosts": {
+    "https://deno.land": false
+  },
+  "[typescript]": {
+    "editor.formatOnSave": true,
+    "editor.defaultFormatter": "denoland.vscode-deno"
+  },
+  "editor.tabSize": 2
+}

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Slack Technologies, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,116 @@
+# Request Access
+
+This automation features an access request workflow where users can create a
+request (with details) that is routed to another user to approve or deny.
+
+When approved, the workflow will assign a custom device posture attribute to the
+requester's device.
+
+## Setup
+
+Before getting started, first make sure you have a development workspace where
+you have permission to install apps. **Please note that the features in this
+project require that the workspace be part of
+[a Slack paid plan](https://slack.com/pricing).**
+
+### Install the Slack CLI
+
+To use this sample, you need to install and configure the Slack CLI.
+Step-by-step instructions can be found in our
+[Quickstart Guide](https://api.slack.com/automation/quickstart).
+
+### Configuration
+
+Configure your access profiles in `config.json`. You can see configuration
+schema in `types/config.ts`.
+
+Create an OAuth client in Tailscale with the `devices:write` scope. For running
+locally, put your OAuth client credentials into the `.env` file. In production,
+configure the same variables using `slack env` commands after deploying, e.g.
+
+```bash
+slack env add TAILSCALE_CLIENT_ID ...
+slack env add TAILSCALE_CLIENT_SECRET ..
+```
+
+## Running Your Project Locally
+
+While building your app, you can see your changes appear in your workspace in
+real-time with `slack run`. You'll know an app is the development version if the
+name has the string `(local)` appended.
+
+```zsh
+# Run app locally
+$ slack run
+
+Connected, awaiting events
+```
+
+To stop running locally, press `<CTRL> + C` to end the process.
+
+## Deploying Your App
+
+Once development is complete, deploy the app to Slack infrastructure using
+`slack deploy`:
+
+```zsh
+$ slack deploy
+```
+
+When deploying for the first time, you'll be prompted to
+[create a new link trigger](#creating-triggers) for the deployed version of your
+app. When that trigger is invoked, the workflow should run just as it did when
+developing locally (but without requiring your server to be running).
+
+## Viewing Activity Logs
+
+Activity logs of your application can be viewed live and as they occur with the
+following command:
+
+```zsh
+$ slack activity --tail
+```
+
+## Project Structure
+
+### `.slack/`
+
+Contains `apps.dev.json` and `apps.json`, which include installation details for
+development and deployed apps.
+
+### `datastores/`
+
+[Datastores](https://api.slack.com/automation/datastores) securely store data
+for your application on Slack infrastructure. Required scopes to use datastores
+include `datastore:write` and `datastore:read`.
+
+### `functions/`
+
+[Functions](https://api.slack.com/automation/functions) are reusable building
+blocks of automation that accept inputs, perform calculations, and provide
+outputs. Functions can be used independently or as steps in workflows.
+
+### `triggers/`
+
+[Triggers](https://api.slack.com/automation/triggers) determine when workflows
+are run. A trigger file describes the scenario in which a workflow should be
+run, such as a user pressing a button or when a specific event occurs.
+
+### `workflows/`
+
+A [workflow](https://api.slack.com/automation/workflows) is a set of steps
+(functions) that are executed in order.
+
+Workflows can be configured to run without user input or they can collect input
+by beginning with a [form](https://api.slack.com/automation/forms) before
+continuing to the next step.
+
+### `manifest.ts`
+
+The [app manifest](https://api.slack.com/automation/manifest) contains the app's
+configuration. This file defines attributes like app name and description.
+
+### `slack.json`
+
+Used by the CLI to interact with the project's SDK dependencies. It contains
+script hooks that are executed by the CLI and implemented by the SDK.

config.ts

@@ -0,0 +1,94 @@
+export const config: Config = {
+  profiles: [
+    {
+      description: "Accessbot Test",
+      attribute: "custom:accessbotTester",
+      canSelfApprove: true,
+      confirmSelfApproval: true,
+    },
+    {
+      attribute: "custom:prodAccess",
+      description: "Production",
+      notifyChannel: "C06TH49GKHC",
+      canSelfApprove: true,
+      approverEmails: [
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+      ],
+    },
+    {
+      attribute: "custom:stagingAccess",
+      description: "Staging",
+      notifyChannel: "C06TH49GKHC",
+      canSelfApprove: true,
+    },
+    {
+      attribute: "custom:bust",
+      description: "Only unrecognised reviewers",
+      notifyChannel: "C06TH49GKHC",
+      canSelfApprove: false,
+      approverEmails: [
+        "[email protected]",
+        "[email protected]",
+        "[email protected]", // :(
+      ],
+    },
+  ],
+};
+
+export type Config = {
+  /**
+   * Profiles must be a non-empty set of configuration.
+   */
+  profiles: [Profile, ...Profile[]];
+};
+
+export type Profile = {
+  /**
+   * The human-readable name for the profile being granted access to by the attribute.
+   * @example "Production"
+   */
+  description: string;
+  /**
+   * The tailscale attribute added to a device for the selected duration, upon
+   * the request being approved.
+   */
+  attribute: string;
+
+  /**
+   * The maximum duration to offer the user when they are requesting access to
+   * this profile.
+   * @default undefined (meaning offer all preset durations to the user)
+   */
+  maxSeconds?: number;
+  /**
+   * The channel identifier to post approve/deny updates to.
+   * @example "CQ12VV345"
+   * @default undefined (meaning no public channel updates)
+   */
+  notifyChannel?: string;
+
+  /**
+   * Email addresses of people who may approve an access request. These are
+   * looked-up to find the relevant slack users.
+   * @default undefined (meaning anybody can approve)
+   */
+  approverEmails?: string[];
+
+  /**
+   * Whether a user can mark themselves as the approver for a request.
+   * @default false
+   */
+  canSelfApprove?: boolean;
+
+  /**
+   * Whether a user self-approving is prompted to approve their own access
+   * request. Can be set to true to show them the prompt anyway.
+   * @default false (skip self-approval)
+   */
+  confirmSelfApproval?: boolean;
+};

datastores/tailscale.ts

@@ -0,0 +1,24 @@
+// /datastores/drafts.ts
+import { DefineDatastore, Schema } from "deno-slack-sdk/mod.ts";
+
+export const TailscaleTokenStore = DefineDatastore({
+  name: "tailscale_access_token",
+  primary_key: "client_id",
+  time_to_live_attribute: "expires_at",
+  attributes: {
+    client_id: {
+      type: Schema.types.string,
+    },
+    access_token: {
+      type: Schema.types.string,
+    },
+    expires_at: {
+      type: Schema.slack.types.timestamp,
+    },
+    refresh_token: {
+      type: Schema.types.string,
+    },
+  },
+});
+
+export type AccessToken = typeof TailscaleTokenStore.definition;

deno.jsonc

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://deno.land/x/deno/cli/schemas/config-file.v1.json",
+  "importMap": "import_map.json",
+  "lock": false,
+  "exclude": [".*"],
+  "tasks": {
+    "test": "deno fmt --check && deno lint && deno test --allow-read --allow-none"
+  }
+}