Hubot and/or Lita (ChatOps) integration with HipChat and other Atlassian products

I'm looking for ideas/advice on how to go about implementing Hubot integration with HipChat Server in a manner that will allow HipChat's user base to issue queries and actions to other internally deployed Atlassian applications, enforcing user authorisation.

To illustrate this, imagine a Hubot Script (or a Lita plug-in) was written that listened for users requesting the current version of an application deployed in production. Let's say, all deployments take place through Bamboo Deployment Plans, I would like the script to take a user's request and look for a matching deployment plan, returning the release number of the currently deployed version in production. The dialogue could go as follows:

Joe Bloggs> '@hubot' get-deployed-version megabucks production

Hubot> The current deployed version of megabucks in production is v6.6.6

 

This is all good, but one absolute key consideration concerns that of user authorisation. Let's say megabucks is a sensitive application known only by a few members in an organisation, I wouldn't want any old user being able to issue this command and get the same result. I did stumble across a few articles that talked about implementing user roles and applying these in Hubot scripts, but this is not a viable solution in large enterprises which use AD/LDAP for this purpose.

 

What I would like is for Hubot to be able to determine whether the user who issued the command in HipChat has the appropriate privileges to perform this operation. Going back to the example, I'd like Hubot to look up Joe Bloggs's groups in Crowd and then to check that:

  1. Joe Bloggs has at least read only permissions at the project level of a Bamboo deployment plan
  2. Joe Bloggs has at least read only permissions at the environment level of a Bamboo deployment plan

If neither of these holds true, Hubot should return with an appropriate message that gives no indication that the application even exists.

I can envisage many such operations that a software engineering community might want to issue using HipChat, but I only want to explore this on the basis of finding a satisfactory solution to ensuring a user's authorisation as held in Crowd and applied in other Atlassian applications is appropriately enforced.

 

Appreciate any insights/ideas on how I might go about addressing this fundamental security facet?

2 answers


Hi Mark,

Let me just list some of the points that jump to mind that you should consider:

  • A Hubot based bot in HipChat is just a user who is backed by some code: it receives, processes messages and sends replies. It is different from an add-on that creates webhooks, can extend UI and call APIs. You might want to consider implementing an add-on as well.
  • The userbase in HipChat can be different from the userbase in other apps (in your example Bamboo). It can be the same if both apps use Crowd, but in general you would need to establish that user "Bob" in HipChat is the same "Bob" in Bamboo.
    • We had to do this for the HipChat<->Bitbucket integration and did it using OAuth. You can also guide people through OAuth to establish the mapping between the users.
  • Once the mapping is established you can use product APIs to figure out who can access what.
    • i.e. you would most likely need to access APIs of the product you integrate to figure out what is permitted for a particular user.
  • When someone asks the question like
    @hubot get-deployed-version megabucks production

    everyone in the room will see the result. Keep in mind that some people in the room might not have permissions for the other app.
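
The points in this answer combined into one handler, as an added example that is not part of the original thread and does not use Hubot's or Bamboo's real APIs: it maps the chat user to a Bamboo user, checks read access at project and environment level, answers every failure with the same message, and addresses the reply to the requester only. The identity map, permission data and function names are constructed stand-ins, and requiring both permission levels is an assumption.

```javascript
// Constructed stand-ins for data a real bot would fetch from an OAuth
// mapping store and the Bamboo permission API (all names are hypothetical).
const identityMap = new Map([["hipchat:101", "jbloggs"], ["hipchat:102", "asmith"]]);
const deployments = new Map([
  ["megabucks", {
    projectReaders: new Set(["jbloggs"]),
    environments: new Map([
      ["production", { readers: new Set(["jbloggs"]), version: "v6.6.6" }],
      ["staging", { readers: new Set(["jbloggs", "asmith"]), version: "v6.7.0" }],
    ]),
  }],
]);

// One reply for every failure mode, so the bot never confirms that an
// application exists to someone who cannot read it.
const DENIED = "No deployment found matching that request.";

function lookupVersion(bambooUser, app, env) {
  const project = deployments.get(app);
  if (!project) return null;                      // unknown application
  const environment = project.environments.get(env);
  if (!environment) return null;                  // unknown environment
  // Assumption: read access is required at project AND environment level.
  const allowed = project.projectReaders.has(bambooUser) &&
                  environment.readers.has(bambooUser);
  return allowed ? environment.version : null;    // unauthorised looks identical
}

// Returns { to, text }. The reply is addressed to the requester rather than
// the room, because other people in the room may lack the same permissions.
function handleCommand(chatUserId, text) {
  const reply = (msg) => ({ to: chatUserId, text: msg });
  const m = /^@hubot\s+get-deployed-version\s+(\S+)\s+(\S+)\s*$/.exec(text);
  if (!m) return reply("Usage: @hubot get-deployed-version <app> <environment>");
  const bambooUser = identityMap.get(chatUserId); // undefined if never linked
  const version = bambooUser ? lookupVersion(bambooUser, m[1], m[2]) : null;
  if (version === null) return reply(DENIED);
  return reply(`The current deployed version of ${m[1]} in ${m[2]} is ${version}`);
}
```

An unlinked chat user, an unknown application and an unauthorised user all receive the same `DENIED` text.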

 


You might also want to consider using https://stackstorm.com/ which uses Hubot as a bot in HipChat, but allows you to define your triggers and actions from a UI... kinda like a lower level Zapier.
