
Slack integration permissions are scoped too broadly.

Open windowsrefund opened this issue 5 months ago • 2 comments

The Slack integration should not be asking for this permission: Send messages to channels @testkube-bot isn't a member of

windowsrefund avatar Feb 27 '24 19:02 windowsrefund

thank you @windowsrefund good point!

vsukhin avatar Feb 28 '24 14:02 vsukhin

for @nicufk to check

vsukhin avatar Mar 01 '24 14:03 vsukhin

hey @nicufk I reviewed Testkube bot permissions. The first three look ok, why do we need the fourth one?

Testkube is requesting permission to access the Testkube Slack workspace

What will Testkube be able to view?
Content and info about channels & conversations
- View basic information about private channels that Testkube has been added to
- View basic information about public channels in your workspace

What will Testkube be able to do?
Perform actions in channels & conversations
- Send messages as @testkubebot
- Send messages to channels that @testkubebot isn't a member of

This is what concerned you @windowsrefund?

vsukhin avatar Mar 15 '24 12:03 vsukhin

yes

windowsrefund avatar Mar 15 '24 13:03 windowsrefund

Hey @windowsrefund, from what I remember it was added to fix a bug when the slack bot was not able to send/update messages in public channels despite it being a member of them. If this is a major concern for you, we can raise it and plan some research on this topic.

nicufk avatar Mar 19 '24 14:03 nicufk

closing for nowwwww

vsukhin avatar Mar 22 '24 17:03 vsukhin

Why was this closed?

windowsrefund avatar Mar 25 '24 13:03 windowsrefund

https://github.com/kubeshop/testkube/issues/5077#issuecomment-2007355931

vsukhin avatar Mar 25 '24 14:03 vsukhin

Yes, I read that, but it doesn't resolve the underlying security concern.

windowsrefund avatar Mar 26 '24 12:03 windowsrefund

hey @windowsrefund, regarding using your own bot with restricted permissions: can you please try to create it, get a Slack token and supply it as a helm chart value? https://github.com/kubeshop/helm-charts/blob/develop/charts/testkube/values.yaml#L708

vsukhin avatar Apr 09 '24 13:04 vsukhin

@vsukhin Has something changed to where I might get a different result from when this issue was raised?

windowsrefund avatar Apr 11 '24 14:04 windowsrefund

hey @windowsrefund we didn't change anything, but Testkube Bot is not hardcoded in the api, we pass the slack token as a helm chart value. So you can create your own bot with the allowed permission set as described here https://api.slack.com/start/quickstart and then just pass the token value to the helm chart. In this case Testkube Bot will not be involved.

vsukhin avatar Apr 11 '24 16:04 vsukhin
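If you do bring your own bot as suggested above, it is worth verifying which scopes the resulting token was actually granted before handing it to the chart. The following is an added example, not code from the issue or from the Testkube project: Slack returns the token's granted scopes in the `x-oauth-scopes` response header of any Web API call (here `auth.test`), and the permission quoted in this thread ("Send messages to channels ... isn't a member of") corresponds to the `chat:write.public` scope. The `ALLOWED_SCOPES` allowlist and the `SLACK_BOT_TOKEN` environment variable name are assumptions; without the variable the script runs against a constructed sample header.

```python
"""Audit the OAuth scopes actually granted to a Slack bot token."""
import os
import urllib.request

# Assumed minimal scope set for a notifier that only posts to channels it
# has been invited to: chat:write (post as the bot), channels:read and
# groups:read (basic public/private channel info). chat:write.public,
# which lets the bot post to channels it is not a member of, is left out.
ALLOWED_SCOPES = {"chat:write", "channels:read", "groups:read"}


def parse_scopes(header: str) -> set:
    """Turn the comma-separated x-oauth-scopes header into a set of names."""
    return {s.strip() for s in header.split(",") if s.strip()}


def excess_scopes(header: str, allowed=ALLOWED_SCOPES) -> set:
    """Return granted scopes that go beyond the allowlist."""
    return parse_scopes(header) - set(allowed)


def fetch_scope_header(token: str) -> str:
    """Call auth.test and return the x-oauth-scopes header (needs network)."""
    req = urllib.request.Request(
        "https://slack.com/api/auth.test",
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("x-oauth-scopes", "")


if __name__ == "__main__":
    token = os.environ.get("SLACK_BOT_TOKEN")  # assumed variable name
    if token:
        header = fetch_scope_header(token)
    else:
        # Constructed sample mirroring the four permissions listed in the issue.
        header = "channels:read, groups:read, chat:write, chat:write.public"
    extra = excess_scopes(header)
    print("granted:", sorted(parse_scopes(header)))
    print("beyond allowlist:", sorted(extra) or "none")
```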

Based on the feedback here and my understanding, our team has decided to use a different approach for notifications, so I'll get this closed for the time being. As always, thanks for the feedback.

windowsrefund avatar Apr 11 '24 19:04 windowsrefund