Add org-level installation support (#148)

* added initial org app support
* renamed org_dashboard_grant_access to enterprise_url
* started implementing support for find_installation
* Complete authorize implementation
* Apply other required changes
* Improve the user_token retrieval
* Add default team_Id
Co-authored-by: Kazuhiro Sera <[email protected]>

Author: stevengill

examples/oauth_sqlite3_app_org_level.py

@@ -0,0 +1,68 @@
+# ------------------------------------------------
+# instead of slack_bolt in requirements.txt
+import sys
+
+sys.path.insert(1, "..")
+# ------------------------------------------------
+
+import logging
+
+logging.basicConfig(level=logging.DEBUG)
+
+from slack_bolt import App, BoltContext
+from slack_bolt.oauth import OAuthFlow
+from slack_sdk import WebClient
+
+
+app = App(oauth_flow=OAuthFlow.sqlite3(database="./slackapp.db"))
+
+
+@app.use
+def dump(context, next, logger):
+    logger.info(context)
+    next()
+
+
+@app.use
+def call_apis_with_team_id(context: BoltContext, client: WebClient, next):
+    # client.users_list()
+    client.bots_info(bot=context.bot_id)
+    next()
+
+
+@app.event("app_mention")
+def handle_app_mentions(body, say, logger):
+    logger.info(body)
+    say("What's up?")
+
+
+@app.command("/org-level-command")
+def command(ack):
+    ack("I got it!")
+
+
+@app.shortcut("org-level-shortcut")
+def shortcut(ack):
+    ack()
+
+
+@app.event("team_access_granted")
+def team_access_granted(event):
+    pass
+
+
+@app.event("team_access_revoked")
+def team_access_revoked(event):
+    pass
+
+
+if __name__ == "__main__":
+    app.start(3000)
+
+# pip install slack_bolt
+# export SLACK_SIGNING_SECRET=***
+# export SLACK_BOT_TOKEN=xoxb-***
+# export SLACK_CLIENT_ID=111.111
+# export SLACK_CLIENT_SECRET=***
+# export SLACK_SCOPES=app_mentions:read,channels:history,im:history,chat:write
+# python oauth_app.py

setup.py

@@ -33,7 +33,7 @@
         exclude=["examples", "integration_tests", "tests", "tests.*",]
     ),
     include_package_data=True,  # MANIFEST.in
-    install_requires=["slack_sdk>=3.0.0",],
+    install_requires=["slack_sdk==3.1.0b2",],
     setup_requires=["pytest-runner==5.2"],
     tests_require=test_dependencies,
     test_suite="tests",

slack_bolt/app/app.py

@@ -774,6 +774,7 @@ def _init_context(self, req: BoltRequest):
                 ssl=self._client.ssl,
                 proxy=self._client.proxy,
                 headers=self._client.headers,
+                team_id=req.context.team_id,
             )
             req.context["client"] = client_per_request
 

slack_bolt/app/async_app.py

@@ -800,6 +800,7 @@ def _init_context(self, req: AsyncBoltRequest):
                 session=self._async_client.session,
                 trust_env_in_session=self._async_client.trust_env_in_session,
                 headers=self._async_client.headers,
+                team_id=req.context.team_id,
             )
             req.context["client"] = client_per_request
 

slack_bolt/authorization/async_authorize.py

@@ -3,7 +3,7 @@
 from typing import Optional, Callable, Awaitable, Dict, Any
 
 from slack_sdk.errors import SlackApiError
-from slack_sdk.oauth.installation_store import Bot
+from slack_sdk.oauth.installation_store import Bot, Installation
 from slack_sdk.oauth.installation_store.async_installation_store import (
     AsyncInstallationStore,
 )
@@ -92,6 +92,7 @@ async def __call__(
 
 class AsyncInstallationStoreAuthorize(AsyncAuthorize):
     authorize_result_cache: Dict[str, AuthorizeResult] = {}
+    find_installation_available: Optional[bool]
 
     def __init__(
         self,
@@ -103,6 +104,7 @@ def __init__(
         self.logger = logger
         self.installation_store = installation_store
         self.cache_enabled = cache_enabled
+        self.find_installation_available = None
 
     async def __call__(
         self,
@@ -112,31 +114,88 @@ async def __call__(
         team_id: str,
         user_id: Optional[str],
     ) -> Optional[AuthorizeResult]:
-        bot: Optional[Bot] = await self.installation_store.async_find_bot(
-            enterprise_id=enterprise_id, team_id=team_id,
-        )
-        if bot is None:
-            self.logger.debug(
-                f"No installation data found "
-                f"for enterprise_id: {enterprise_id} team_id: {team_id}"
+
+        if self.find_installation_available is None:
+            self.find_installation_available = hasattr(
+                self.installation_store, "async_find_installation"
             )
+
+        bot_token: Optional[str] = None
+        user_token: Optional[str] = None
+
+        if self.find_installation_available:
+            # since v1.1, this is the default way
+            try:
+                installation: Optional[
+                    Installation
+                ] = await self.installation_store.async_find_installation(
+                    enterprise_id=enterprise_id,
+                    team_id=team_id,
+                    is_enterprise_install=context.is_enterprise_install,
+                )
+                if installation is None:
+                    self._debug_log_for_not_found(enterprise_id, team_id)
+                    return None
+
+                if installation.user_id != user_id:
+                    # try to fetch the request user's installation
+                    # to reflect the user's access token if exists
+                    user_installation = await self.installation_store.async_find_installation(
+                        enterprise_id=enterprise_id,
+                        team_id=team_id,
+                        user_id=user_id,
+                        is_enterprise_install=context.is_enterprise_install,
+                    )
+                    if user_installation is not None:
+                        installation = user_installation
+
+                bot_token, user_token = installation.bot_token, installation.user_token
+            except NotImplementedError as _:
+                self.find_installation_available = False
+
+        if not self.find_installation_available:
+            # Use find_bot to get bot value (legacy)
+            bot: Optional[Bot] = await self.installation_store.async_find_bot(
+                enterprise_id=enterprise_id,
+                team_id=team_id,
+                is_enterprise_install=context.is_enterprise_install,
+            )
+            if bot is None:
+                self._debug_log_for_not_found(enterprise_id, team_id)
+                return None
+            bot_token, user_token = bot.bot_token, None
+
+        token: Optional[str] = bot_token or user_token
+        if token is None:
             return None
 
-        if self.cache_enabled and bot.bot_token in self.authorize_result_cache:
-            return self.authorize_result_cache[bot.bot_token]
+        # Check cache to see if the bot object already exists
+        if self.cache_enabled and token in self.authorize_result_cache:
+            return self.authorize_result_cache[token]
+
         try:
-            auth_result = await context.client.auth_test(token=bot.bot_token)
+            auth_test_api_response = await context.client.auth_test(token=token)
             authorize_result = AuthorizeResult.from_auth_test_response(
-                auth_test_response=auth_result,
-                bot_token=bot.bot_token,
-                user_token=None,  # Not yet supported
+                auth_test_response=auth_test_api_response,
+                bot_token=bot_token,
+                user_token=user_token,
             )
             if self.cache_enabled:
-                self.authorize_result_cache[bot.bot_token] = authorize_result
+                self.authorize_result_cache[token] = authorize_result
             return authorize_result
         except SlackApiError as err:
             self.logger.debug(
                 f"The stored bot token for enterprise_id: {enterprise_id} team_id: {team_id} "
                 f"is no longer valid. (response: {err.response})"
             )
             return None
+
+    # ------------------------------------------------
+
+    def _debug_log_for_not_found(
+        self, enterprise_id: Optional[str], team_id: Optional[str]
+    ):
+        self.logger.debug(
+            "No installation data found "
+            f"for enterprise_id: {enterprise_id} team_id: {team_id}"
+        )

slack_bolt/authorization/authorize.py

@@ -5,6 +5,7 @@
 from slack_sdk.errors import SlackApiError
 from slack_sdk.oauth import InstallationStore
 from slack_sdk.oauth.installation_store import Bot
+from slack_sdk.oauth.installation_store.models.installation import Installation
 
 from slack_bolt.authorization.authorize_args import AuthorizeArgs
 from slack_bolt.authorization.authorize_result import AuthorizeResult
@@ -90,6 +91,7 @@ def __call__(
 
 class InstallationStoreAuthorize(Authorize):
     authorize_result_cache: Dict[str, AuthorizeResult] = {}
+    find_installation_available: bool
 
     def __init__(
         self,
@@ -101,6 +103,9 @@ def __init__(
         self.logger = logger
         self.installation_store = installation_store
         self.cache_enabled = cache_enabled
+        self.find_installation_available = hasattr(
+            installation_store, "find_installation"
+        )
 
     def __call__(
         self,
@@ -110,31 +115,83 @@ def __call__(
         team_id: str,
         user_id: Optional[str],
     ) -> Optional[AuthorizeResult]:
-        bot: Optional[Bot] = self.installation_store.find_bot(
-            enterprise_id=enterprise_id, team_id=team_id,
-        )
-        if bot is None:
-            self.logger.debug(
-                f"No installation data found "
-                f"for enterprise_id: {enterprise_id} team_id: {team_id}"
+
+        bot_token: Optional[str] = None
+        user_token: Optional[str] = None
+
+        if self.find_installation_available:
+            # since v1.1, this is the default way
+            try:
+                installation: Optional[
+                    Installation
+                ] = self.installation_store.find_installation(
+                    enterprise_id=enterprise_id,
+                    team_id=team_id,
+                    is_enterprise_install=context.is_enterprise_install,
+                )
+                if installation is None:
+                    self._debug_log_for_not_found(enterprise_id, team_id)
+                    return None
+
+                if installation.user_id != user_id:
+                    # try to fetch the request user's installation
+                    # to reflect the user's access token if exists
+                    user_installation = self.installation_store.find_installation(
+                        enterprise_id=enterprise_id,
+                        team_id=team_id,
+                        user_id=user_id,
+                        is_enterprise_install=context.is_enterprise_install,
+                    )
+                    if user_installation is not None:
+                        installation = user_installation
+
+                bot_token, user_token = installation.bot_token, installation.user_token
+            except NotImplementedError as _:
+                self.find_installation_available = False
+
+        if not self.find_installation_available:
+            # Use find_bot to get bot value (legacy)
+            bot: Optional[Bot] = self.installation_store.find_bot(
+                enterprise_id=enterprise_id,
+                team_id=team_id,
+                is_enterprise_install=context.is_enterprise_install,
             )
+            if bot is None:
+                self._debug_log_for_not_found(enterprise_id, team_id)
+                return None
+            bot_token, user_token = bot.bot_token, None
+
+        token: Optional[str] = bot_token or user_token
+        if token is None:
             return None
 
-        if self.cache_enabled and bot.bot_token in self.authorize_result_cache:
-            return self.authorize_result_cache[bot.bot_token]
+        # Check cache to see if the bot object already exists
+        if self.cache_enabled and token in self.authorize_result_cache:
+            return self.authorize_result_cache[token]
+
         try:
-            auth_result = context.client.auth_test(token=bot.bot_token)
+            auth_test_api_response = context.client.auth_test(token=token)
             authorize_result = AuthorizeResult.from_auth_test_response(
-                auth_test_response=auth_result,
-                bot_token=bot.bot_token,
-                user_token=None,  # Not yet supported
+                auth_test_response=auth_test_api_response,
+                bot_token=bot_token,
+                user_token=user_token,
             )
             if self.cache_enabled:
-                self.authorize_result_cache[bot.bot_token] = authorize_result
+                self.authorize_result_cache[token] = authorize_result
             return authorize_result
         except SlackApiError as err:
             self.logger.debug(
                 f"The stored bot token for enterprise_id: {enterprise_id} team_id: {team_id} "
                 f"is no longer valid. (response: {err.response})"
             )
             return None
+
+    # ------------------------------------------------
+
+    def _debug_log_for_not_found(
+        self, enterprise_id: Optional[str], team_id: Optional[str]
+    ):
+        self.logger.debug(
+            "No installation data found "
+            f"for enterprise_id: {enterprise_id} team_id: {team_id}"
+        )

slack_bolt/context/base_context.py

@@ -18,8 +18,12 @@ def enterprise_id(self) -> Optional[str]:
         return self.get("enterprise_id")
 
     @property
-    def team_id(self) -> str:
-        return self["team_id"]
+    def is_enterprise_install(self) -> Optional[bool]:
+        return self.get("is_enterprise_install")
+
+    @property
+    def team_id(self) -> Optional[str]:
+        return self.get("team_id")
 
     @property
     def user_id(self) -> Optional[str]:

slack_bolt/middleware/authorization/internals.py

@@ -29,21 +29,15 @@ def _is_ssl_check(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:  # type:
     )
 
 
-def _is_uninstallation_event(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:  # type: ignore
-    return (
-        req is not None
-        and req.body is not None
-        and req.body.get("type") == "event_callback"
-        and req.body.get("event", {}).get("type") == "app_uninstalled"
-    )
+no_auth_test_events = ["app_uninstalled", "tokens_revoked", "team_access_revoked"]
 
 
-def _is_tokens_revoked_event(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:  # type: ignore
+def _is_no_auth_test_events(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:  # type: ignore
     return (
         req is not None
         and req.body is not None
         and req.body.get("type") == "event_callback"
-        and req.body.get("event", {}).get("type") == "tokens_revoked"
+        and req.body.get("event", {}).get("type") in no_auth_test_events
     )
 
 
@@ -52,7 +46,7 @@ def _is_no_auth_required(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:
 
 
 def _is_no_auth_test_call_required(req: Union[BoltRequest, "AsyncBoltRequest"]) -> bool:  # type: ignore
-    return _is_uninstallation_event(req) or _is_tokens_revoked_event(req)
+    return _is_no_auth_test_events(req)
 
 
 def _build_error_response() -> BoltResponse: