Hubot and/or Lita (ChatOps) integration with HipChat and other Atlassian products

I'm looking for ideas/advice on how to go about implementing Hubot integration with HipChat Server in such a manner that will allow the HipChat's user base to issue queries and actions to other internally deployed Atlassian applications, enforcing user authorisation.

To illustrate this, imagine a Hubot Script (or a Lita plug-in) was written that listened for users requesting the current version of an application deployed in production. Let's say all deployments take place through Bamboo Deployment Plans; I would like the script to take a user's request and look for a matching deployment plan, returning the release number of the currently deployed version in production. The dialogue could go as follows:

Joe Bloggs> '@hubot' get-deployed-version megabucks production

Hubot> The current deployed version of megabucks in production is v6.6.6

 

This is all good, but one absolute key consideration concerns that of user authorisation. Let's say megabucks is a sensitive application known only by a few members in an organisation, I wouldn't want any old user being able to issue this command and get the same result. I did stumble across a few articles that talked about implementing user roles and applying these in Hubot scripts, but this is not a viable solution in large enterprises which use AD/LDAP for this purpose.

 

What I would like is for Hubot to be able to determine whether the user who issued the command in HipChat has the appropriate privileges to perform this operation. Going back to the example, I'd like Hubot to look up Joe Bloggs's groups in Crowd and then to check that:

  1. Joe Bloggs has at least read only permissions at the project level of a Bamboo deployment plan
  2. Joe Bloggs has at least read only permissions at the environment level of a Bamboo deployment plan

If neither of these holds true, Hubot should return with an appropriate message that gives no indication that the application even exists.

I can envisage many such operations that a software engineering community might want to issue using HipChat, but I only want to explore this on the basis of finding a satisfactory solution to ensuring a user's authorisation as held in Crowd and applied in other Atlassian applications is appropriately enforced.

 

Appreciate any insights/ideas on how I might go about addressing this fundamental security facet?

2 answers

1 vote
Anatoli Atlassian Team Feb 28, 2016

Hi Mark,

Let me just list some of the points that jump to mind that you should consider:

  • A Hubot-based bot in HipChat is just a user who is backed by some code: it receives and processes messages and sends replies. It is different from an add-on that creates webhooks, can extend the UI and call APIs. You might want to consider implementing an add-on as well.
  • The userbase in HipChat can be different from the userbase in other apps (in your example, Bamboo). It can be the same if both apps use Crowd, but in general you would need to establish that user "Bob" in HipChat is the same "Bob" in Bamboo.
    • We had to do this for the HipChat<->Bitbucket integration, and did it using OAuth. You can also guide people through OAuth to establish the mapping between the users.
  • Once the mapping is established you can use the products' APIs to figure out who can access what.
    • I.e. you would most likely need to access the APIs of the product you integrate with to figure out what is permitted for a particular user.
  • When someone asks the question like
    @hubot get-deployed-version megabucks production

    everyone in the room will see the result. Keep it in mind that some people in the room might not have permissions for the other app.
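
The checks discussed in this thread (user mapping, product-side permission lookup, a denial that does not reveal whether the application exists, and a reply kept out of the shared room) can be put together as below. This is an added example, not part of the answer above and not Atlassian or Hubot code; `identityMap`, `bamboo.findDeployment`, `bamboo.canRead` and the sample data are hypothetical stand-ins, and it assumes both permission levels from the question are required.

```javascript
// Added example: identityMap, bamboo.findDeployment and bamboo.canRead are
// hypothetical wrappers, not real Hubot, Crowd or Bamboo calls.
const DENIED = "Sorry, I can't help with that request.";

async function getDeployedVersion(chatUserId, app, env, deps) {
  try {
    // 1. Map the chat user to the identity the other product knows.
    const productUser = await deps.identityMap.lookup(chatUserId);
    if (!productUser) return { ok: false, text: DENIED };

    // 2. Unknown plan and forbidden plan must produce the same reply.
    const dep = await deps.bamboo.findDeployment(app, env);
    if (!dep) return { ok: false, text: DENIED };

    // 3. Assumption: project-level AND environment-level read are both required.
    const canProject = await deps.bamboo.canRead(productUser, "project", dep.projectId);
    const canEnv = await deps.bamboo.canRead(productUser, "environment", dep.environmentId);
    if (!canProject || !canEnv) return { ok: false, text: DENIED };

    // 4. Deliver one-to-one: other room members may lack access.
    return { ok: true, deliver: "direct",
      text: `The current deployed version of ${app} in ${env} is ${dep.version}` };
  } catch (err) {
    return { ok: false, text: DENIED }; // fail closed if a lookup errors
  }
}

// Constructed sample data standing in for the real services.
function makeSampleDeps() {
  const users = { "chat-1": "jbloggs", "chat-2": "asmith" };
  const readers = { "project:P1": ["jbloggs", "asmith"], "environment:E1": ["jbloggs"] };
  return {
    identityMap: { lookup: async (id) => users[id] },
    bamboo: {
      findDeployment: async (app, env) =>
        app === "megabucks" && env === "production"
          ? { projectId: "P1", environmentId: "E1", version: "v6.6.6" } : null,
      canRead: async (user, level, id) => (readers[`${level}:${id}`] || []).includes(user),
    },
  };
}
```

In a Hubot script the function would be called from the message handler with the sender's chat user id; how a `deliver: "direct"` reply is sent one-to-one depends on the chat adapter.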

 

0 votes

You might also want to consider using https://stackstorm.com/ which uses Hubot as a bot in HipChat, but allows you to define your triggers and actions from a UI... kinda like a lower level Zapier.
