I'm looking for ideas/advice on how to go about implementing Hubot integration with HipChat Server in a manner that will allow HipChat's user base to issue queries and actions to other internally deployed Atlassian applications, enforcing user authorisation.
To illustrate this, imagine a Hubot Script (or a Lita plug-in) was written that listened for users requesting the current version of an application deployed in production. Let's say, all deployments take place through Bamboo Deployment Plans, I would like the script to take a user's request and look for a matching deployment plan, returning the release number of the currently deployed version in production. The dialogue could go as follows:
Joe Bloggs> '@hubot' get-deployed-version megabucks production
Hubot> The current deployed version of megabucks in production is v6.6.6
This is all good, but one absolute key consideration concerns that of user authorisation. Let's say megabucks is a sensitive application known only by a few members in an organisation, I wouldn't want any old user being able to issue this command and get the same result. I did stumble across a few articles that talked about implementing user roles and applying these in Hubot scripts, but this is not a viable solution in large enterprises which use AD/LDAP for this purpose.
What I would like is for Hubot to be able to determine whether the user who issued the command in HipChat has the appropriate privileges to perform this operation. Going back to the example, I'd like Hubot to look up Joe Bloggs's groups in Crowd and then to check that:
If neither of these hold true, Hubot should return with an appropriate message that gives no indication that the application even exists.
I can envisage many such operations that a software engineering community might want to issue using HipChat, but I only want to explore this on the basis of finding a satisfactory solution to ensuring a user's authorisation as held in Crowd and applied in other Atlassian applications is appropriately enforced.
I'd appreciate any insights/ideas on how I might go about addressing this fundamental security facet.
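An added example (not part of the original post, and not code from Hubot, Crowd or Bamboo) of the check described in the question: the decision is made from the user's Crowd groups, and an unauthorised user, an unknown application and a failed directory lookup all get the same reply. The group names, the policy table, the deployment data and the `lookupGroups` function are assumptions; the post's own two conditions are not shown on the page, so the group-to-application mapping is a stand-in.

```javascript
// Constructed policy: which Crowd groups may query which application/environment.
// Application and group names are hypothetical.
const POLICY = {
  megabucks: { production: ["megabucks-release-managers", "megabucks-developers"] },
  intranet: { production: ["all-staff"] },
};

// Constructed data standing in for a Bamboo deployment-plan lookup.
const DEPLOYED = {
  megabucks: { production: "v6.6.6" },
  intranet: { production: "v1.2.0" },
};

// One reply for "not authorised" and "no such application", so the bot
// cannot be used to find out which applications exist.
const DENIED = "Sorry, I can't find anything matching that request.";

// Pure decision: true only when the user holds at least one permitted group.
function isAuthorised(policy, groups, app, env) {
  const known = Object.prototype.hasOwnProperty.call(policy, app);
  const allowed = known ? policy[app][env] : undefined;
  if (!Array.isArray(allowed)) return false; // unknown app or environment: deny
  return groups.some((g) => allowed.includes(g));
}

// Builds the reply. `groups` is the user's Crowd group list, or null when the
// directory lookup failed; a failed lookup counts as "no groups" (fail closed).
function reply(groups, app, env) {
  if (!isAuthorised(POLICY, groups || [], app, env)) return DENIED;
  const version = DEPLOYED[app] && DEPLOYED[app][env];
  if (!version) return DENIED;
  return `The current deployed version of ${app} in ${env} is ${version}`;
}

// Hubot-style handler. lookupGroups(username) is a hypothetical async function
// that would ask Crowd for the groups of the user who sent the message.
async function handle(lookupGroups, username, app, env) {
  let groups = null;
  try {
    groups = await lookupGroups(username);
  } catch (e) {
    // Directory unreachable or user unknown: keep groups null and deny.
  }
  return reply(groups, app, env);
}
```

The username passed to `lookupGroups` should come from the chat adapter's authenticated sender identity, not from text the user typed into the message.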
Let me just list some of the points that jump to mind that you should consider:
@hubot get-deployed-version megabucks production