add functions to query the Slack API for oauth exchange

Author: yasunariw

lib/api.ml

@@ -10,4 +10,6 @@ end
 
 module type Slack = sig
   val send_notification : ctx:Context.t -> msg:post_message_req -> (unit, string) Result.t Lwt.t
+
+  val update_access_token_of_context : ctx:Context.t -> code:string -> (unit, string) Result.t Lwt.t
 end

lib/api_local.ml

@@ -26,6 +26,10 @@ module Slack : Api.Slack = struct
     Stdio.printf "will notify #%s\n" msg.channel;
     Stdio.printf "%s\n" json;
     Lwt.return @@ Ok ()
+
+  let update_access_token_of_context ~ctx:_ ~code:_ =
+    Stdio.printf "will generate token\n";
+    Lwt.return @@ Ok ()
 end
 
 module Slack_simple : Api.Slack = struct
@@ -38,6 +42,8 @@ module Slack_simple : Api.Slack = struct
       | Some s -> Printf.sprintf " with %S" s
       );
     Lwt.return @@ Ok ()
+
+  let update_access_token_of_context ~ctx:_ ~code:_ = Lwt.return @@ Error "undefined for local setup"
 end
 
 module Slack_json : Api.Slack = struct
@@ -51,4 +57,6 @@ module Slack_json : Api.Slack = struct
     log#info "%s" (Uri.to_string url);
     log#info "%s" json;
     Lwt.return @@ Ok ()
+
+  let update_access_token_of_context ~ctx:_ ~code:_ = Lwt.return @@ Error "undefined for local setup"
 end

lib/api_remote.ml

@@ -80,4 +80,36 @@ module Slack : Api.Slack = struct
         )
       | Error e -> Lwt.return @@ build_query_error url e
       )
+
+  let access_token_of_code ~(ctx : Context.t) ~code =
+    let secrets = Context.get_secrets_exn ctx in
+    let body = `Form [ "code", code ] in
+    match secrets.slack_client_id with
+    | None -> Lwt.return @@ Error "slack_client_id is undefined"
+    | Some client_id ->
+    match secrets.slack_client_secret with
+    | None -> Lwt.return @@ Error "slack_client_secret is undefined"
+    | Some client_secret ->
+      let auth_header = Base64.encode_string @@ sprintf "%s:%s" client_id client_secret in
+      let headers = [ Printf.sprintf "Authorization: Basic %s" auth_header ] in
+      ( match%lwt Common.http_request ~body ~headers `POST "https://slack.com/api/oauth.v2.access" with
+      | Error e -> Lwt.return @@ Error e
+      | Ok data ->
+        let response = Slack_j.oauth_access_res_of_string data in
+        ( match response.access_token, response.error with
+        | Some access_token, _ -> Lwt.return @@ Ok access_token
+        | None, Some e -> Lwt.return @@ Error e
+        | None, None -> Lwt.return @@ Error "an unknown error occurred while getting access token"
+        )
+      )
+
+  let update_access_token_of_context ~ctx ~code =
+    let secrets = Context.get_secrets_exn ctx in
+    match%lwt access_token_of_code ~ctx ~code with
+    | Error e -> Lwt.return @@ Error e
+    | Ok access_token ->
+      let secrets = { secrets with slack_access_token = Some access_token } in
+      ctx.secrets <- Some secrets;
+      let data = Config_j.string_of_secrets secrets |> Yojson.Basic.from_string |> Yojson.Basic.pretty_to_string in
+      Lwt.return @@ write_to_local_file ~data ctx.secrets_filepath
 end

lib/config.atd

@@ -47,4 +47,13 @@ type secrets = {
   ~slack_hooks <ocaml default="[]"> : webhook list;
   (* Slack bot token obtained via OAuth, enabling message posting to the workspace *)
   ?slack_access_token : string nullable;
+  (* Client ID of the Slack bot; used for OAuth authentication  *)
+  ?slack_client_id : string nullable;
+  (* Client secret of the Slack bot; used for OAuth authentication  *)
+  ?slack_client_secret : string nullable;
+  (* Slack uses this secret to sign requests; provide to verify incoming Slack requests *)
+  ?slack_signing_secret : string nullable;
+  (* if specified, maintains state b/w OAuth request and callback to prevent CSRF
+    see: https://tools.ietf.org/html/rfc6749#section-4.1.1 *)
+  ?slack_oauth_state : string nullable;
 }

lib/slack.atd

@@ -65,3 +65,10 @@ type post_message_res = {
   ?channel: string nullable;
   ?error: string nullable;
 }
+
+(* expected payload when exchanging oauth code for access token *)
+type oauth_access_res = {
+  ok: bool;
+  ?access_token: string option;
+  ?error: string option;
+}

lib/slack.ml

@@ -358,3 +358,14 @@ let generate_commit_comment_notification api_commit notification channel =
     }
   in
   { channel; text = None; attachments = Some [ attachment ]; blocks = None }
+
+let validate_state ?oauth_state ~args =
+  match oauth_state with
+  | None -> Ok ()
+  | Some expected_state ->
+  match List.Assoc.find args "state" ~equal:String.equal with
+  | None -> Error "argument `state` not found in slack authorization request"
+  | Some state ->
+  match String.equal state expected_state with
+  | false -> Error "argument `state` is present in slack authorization request but does not match expected value"
+  | true -> Ok ()