lyft
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 76 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/workflows/pull_request.yml‎
Lines changed: 15 additions & 15 deletions b/‎.github/workflows/pull_request.yml‎
Lines changed: 15 additions & 15 deletions
diff --git a/‎.github/workflows/push.yml‎
Lines changed: 12 additions & 12 deletions b/‎.github/workflows/push.yml‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 22 additions & 3 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 22 additions & 3 deletions
diff --git a/‎data/mock/interactive/view_submission_synchronous_test.json‎
Lines changed: 1 addition & 1 deletion b/‎data/mock/interactive/view_submission_synchronous_test.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎omnibot/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎omnibot/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎omnibot/authnz/__init__.py‎
Lines changed: 8 additions & 9 deletions b/‎omnibot/authnz/__init__.py‎
Lines changed: 8 additions & 9 deletions
diff --git a/‎omnibot/authnz/envoy_checks.py‎
Lines changed: 18 additions & 18 deletions b/‎omnibot/authnz/envoy_checks.py‎
Lines changed: 18 additions & 18 deletions
@@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '39 14 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v2
@@ -3,21 +3,21 @@ jobs:
   pre-commit:
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Setup python 3.6
-        uses: actions/setup-python@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Setup python 3.8
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.6
+          python-version: 3.8
       - name: Install pre-commit
         run: pip install pre-commit
       - name: Run pre-commit
         run: pre-commit run --all-files
   license-check:
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
       - name: Setup Ruby 2.x
         uses: actions/setup-ruby@v1
         with:
@@ -26,10 +26,10 @@ jobs:
         run: gem install license_finder
       - name: Allow gevent Zope license
         run: license_finder permitted_licenses add "Zope Public License"
-      - name: Setup python 3.6
-        uses: actions/setup-python@v1
+      - name: Setup python 3.8
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.6
+          python-version: 3.8
       - name: Install apt dependencies
         run: sudo apt-get update -y && sudo apt-get install -y python3-dev openssl libssl-dev gcc pkg-config libffi-dev libxml2-dev libxmlsec1-dev
       - name: Install dependencies
@@ -39,12 +39,12 @@ jobs:
   test:
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Setup python 3.6
-        uses: actions/setup-python@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Setup python 3.8
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.6
+          python-version: 3.8
       - name: Install apt dependencies
         run: sudo apt-get update -y && sudo apt-get install -y python3-dev openssl libssl-dev gcc pkg-config libffi-dev libxml2-dev libxmlsec1-dev
       - name: Install dependencies
 
@@ -10,12 +10,12 @@ jobs:
     name: Build and publish docs
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Setup python 3.6
-        uses: actions/setup-python@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Setup python 3.8
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.6
+          python-version: 3.8
       - name: Install virtualenv
         run: pip install virtualenv
       - name: Build docs
@@ -33,12 +33,12 @@ jobs:
     name: Build and publish python module to pypi
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Setup python 3.6
-        uses: actions/setup-python@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Setup python 3.8
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.6
+          python-version: 3.8
       - name: Add wheel dependency
         run: pip install wheel
       - name: Generate dist
@@ -53,8 +53,8 @@ jobs:
     name: Build and publish docker image
     runs-on: ubuntu-18.04
     steps:
-      - name: Checkout
-        uses: actions/checkout@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
       - name: Publish to Registry
         uses: elgohr/[email protected]
         with:
 
@@ -1,9 +1,28 @@
 exclude: '^docs/.*$'
+default_language_version:
+    python: python3.8
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.1.0
+    rev: v4.4.0
+    hooks:
+    -   id: check-docstring-first
+    -   id: check-executables-have-shebangs
+    -   id: check-json
+    -   id: check-merge-conflict
+    -   id: check-yaml
+    -   id: debug-statements
+    -   id: end-of-file-fixer
+    -   id: trailing-whitespace
+-   repo: https://github.com/psf/black
+    rev: 23.1.0
+    hooks:
+    -   id: black
+-   repo: https://github.com/pycqa/flake8
+    rev: 5.0.4
     hooks:
     -   id: flake8
         additional_dependencies:
-        -   flake8==3.3.0
-        -   flake8-tidy-imports==1.0.6
+        -   flake8-bugbear==22.10.27
+        -   flake8-builtins==2.0.1
+        -   flake8-comprehensions==3.10.1
+        -   flake8-tidy-imports==4.8.0
@@ -1,3 +1,3 @@
 {
   "payload": "{\"type\":\"view_submission\",\"token\":\"ABCDEFGHIJKLMNOPQRSTUVWX\",\"team\":{\"id\":\"TEST_TEAM_ID\",\"domain\":\"test-team-name\"},\"user\":{\"id\":\"TEST_USER_ID\",\"name\":\"testusername\"},\"view\":{\"id\":\"VNHU13V36\",\"type\":\"modal\",\"title\":{ \"a\":\"b\" },\"submit\":{ \"a\":\"b\" },\"blocks\":[],\"private_metadata\":\"shhh-its-secret\",\"callback_id\":\"modal-with-inputs\",\"state\":{\"values\":{\"multiline\":{\"mlvalue\":{\"type\":\"plain_text_input\",\"value\":\"This is my example inputted value\"}},\"target_channel\":{\"target_select\":{\"type\":\"conversations_select\",\"selected_conversation\":\"C123B12DE\"}}}},\"hash\":\"156663117.cd33ad1f\",\"response_urls\":[{\"block_id\":\"target_channel\",\"action_id\":\"target_select\",\"channel_id\":\"C123B12DE\",\"response_url\":\"https:\\/\\/hooks.slack.com\\/app\\/ABC12312\\/1234567890\\/A100B100C100d100\"}]}}"
-}
+}
@@ -1,4 +1,4 @@
 from os import getenv
 import importlib
 
-logging = importlib.import_module(getenv('LOG_MODULE', 'logging'))
+logging = importlib.import_module(getenv("LOG_MODULE", "logging"))
@@ -14,10 +14,7 @@
 import re
 from functools import wraps
 
-from flask import (
-    abort,
-    request
-)
+from flask import abort, request
 
 from omnibot import logging
 from omnibot import settings
@@ -42,24 +39,26 @@ def enforce_checks(f):
     Checks will be executed in the order defined by the list. All checks must
     pass for a request to be accepted.
     """
+
     @wraps(f)
     def decorated(*args, **kwargs):
-        checks = settings.AUTHORIZATION.get('checks', [])
+        checks = settings.AUTHORIZATION.get("checks", [])
         if not checks:
             logger.warning(
-                'No checks set in the authorization section of the configuration;'
-                ' denying access to API calls for sanity sake'
+                "No checks set in the authorization section of the configuration;"
+                " denying access to API calls for sanity sake"
             )
             return abort(403)
         for check in checks:
-            module_name, function_name = check['module'].split(':')
+            module_name, function_name = check["module"].split(":")
             module = importlib.import_module(module_name)
             function = getattr(module, function_name)
-            func_kwargs = check.get('kwargs', {})
+            func_kwargs = check.get("kwargs", {})
             response = function(**func_kwargs)
             if not response:
                 return abort(403)
         return f(*args, **kwargs)
+
     return decorated
 
 
 
@@ -23,7 +23,7 @@ def _match_subject(subject_to_match, subject):
     return False
 
 
-def envoy_internal_check(header='x-envoy-internal'):
+def envoy_internal_check(header="x-envoy-internal"):
     """
     Perform a check to ensure that the ``x-envoy-internal`` is set to 'true'.
     By default this check will apply to all routes, if enabled. It's possible
@@ -45,44 +45,44 @@ def envoy_internal_check(header='x-envoy-internal'):
     """
     # Flask provides all headers as strings. The only acceptable string here
     # is 'true'
-    envoy_internal = request.headers.get(header) == 'true'
+    envoy_internal = request.headers.get(header) == "true"
     # Easy case. The header says the request is internal.
     if envoy_internal:
         return True
     # If the request isn't internal, let's see if we have a permission that
     # matches, which has internal_only set to False
-    permissions = settings.AUTHORIZATION.get('permissions', {})
+    permissions = settings.AUTHORIZATION.get("permissions", {})
     for policy_name, policy in permissions.items():
-        method_match = request.method in policy['methods']
-        path_match = _match_path(request.path, policy['paths'])
-        internal_only = policy.get('internal_only', True)
+        method_match = request.method in policy["methods"]
+        path_match = _match_path(request.path, policy["paths"])
+        internal_only = policy.get("internal_only", True)
         if (method_match and path_match) and not internal_only:
             return True
     logger.warning(
-        'Received an external request to internal endpoint',
+        "Received an external request to internal endpoint",
         extra={
-            'endpoint': request.path,
-            'method': request.method,
-            'header_value': envoy_internal,
+            "endpoint": request.path,
+            "method": request.method,
+            "header_value": envoy_internal,
         },
     )
     return False
 
 
 def _check_permission(permission):
-    permissions = settings.AUTHORIZATION.get('permissions', {})
+    permissions = settings.AUTHORIZATION.get("permissions", {})
     policy = permissions.get(permission, {})
     # TODO: envoy RBAC spec allows for matching methods and paths as
     # individual checks. So for instance, a permission may allow for all GETs
     # without a particular path, or may allow all methods on particular paths.
-    method_match = request.method in policy.get('methods', [])
-    path_match = _match_path(request.path, policy.get('paths', []))
+    method_match = request.method in policy.get("methods", [])
+    path_match = _match_path(request.path, policy.get("paths", []))
     if method_match and path_match:
         return True
     return False
 
 
-def envoy_permissions_check(header='x-envoy-downstream-service-cluster'):
+def envoy_permissions_check(header="x-envoy-downstream-service-cluster"):
     """
     Perform a check against the defined permissions and bindings in the
     authorization configuration to ensure the service defined in the
@@ -122,17 +122,17 @@ def envoy_permissions_check(header='x-envoy-downstream-service-cluster'):
     envoy_identity = request.headers.get(header)
     if envoy_identity is None:
         return False
-    bindings = settings.AUTHORIZATION.get('bindings', {})
+    bindings = settings.AUTHORIZATION.get("bindings", {})
     for subject, permissions in bindings.items():
         if _match_subject(envoy_identity, subject):
             for permission in permissions:
                 if _check_permission(permission):
                     return True
     logger.warning(
-        'Received an unauthorized request',
+        "Received an unauthorized request",
         extra={
-            'from': envoy_identity,
-            'endpoint': request.path,
+            "from": envoy_identity,
+            "endpoint": request.path,
         },
     )
     return False
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`	`2`	"payload": "{\"type\":\"view_submission\",\"token\":\"ABCDEFGHIJKLMNOPQRSTUVWX\",\"team\":{\"id\":\"TEST_TEAM_ID\",\"domain\":\"test-team-name\"},\"user\":{\"id\":\"TEST_USER_ID\",\"name\":\"testusername\"},\"view\":{\"id\":\"VNHU13V36\",\"type\":\"modal\",\"title\":{ \"a\":\"b\" },\"submit\":{ \"a\":\"b\" },\"blocks\":[],\"private_metadata\":\"shhh-its-secret\",\"callback_id\":\"modal-with-inputs\",\"state\":{\"values\":{\"multiline\":{\"mlvalue\":{\"type\":\"plain_text_input\",\"value\":\"This is my example inputted value\"}},\"target_channel\":{\"target_select\":{\"type\":\"conversations_select\",\"selected_conversation\":\"C123B12DE\"}}}},\"hash\":\"156663117.cd33ad1f\",\"response_urls\":[{\"block_id\":\"target_channel\",\"action_id\":\"target_select\",\"channel_id\":\"C123B12DE\",\"response_url\":\"https:\\/\\/hooks.slack.com\\/app\\/ABC12312\\/1234567890\\/A100B100C100d100\"}]}}"
`3`		`-}`
	`3`	`+}`