Return user that issued the command

[kilasuit]

I have a scenario where I would like to isolate users to only be able to run a command against specific external sources like AD for thier own user accounts, things like Unlock-Account and ability to Reset their Password via a custom script that we've built to ensure that passwords are falling within required security ranges.

Expected Behaviour

User A issues !UnlockMyADAccount -Domain DomainA to get PoshBot to run a carefully wrapped command that should use internal logic in the !UnlockMyADAccount command to grab the email address of the Slack User that issued the command to then pass this to an internally wrapped version of another command as this is the easiest way that we can ensure that the user issuing the command is doing so to the same user account in specific AD being targeted

Current Behaviour

Seems that this should be possible as Slack does give the email property of users back when requested using the PSSlack module.

Possible Solution

Add a ReturnSlackUserEmail method similar to this

PoshBot/PoshBot/Implementations/Slack/SlackBackend.ps1

Lines 643 to 657 in c592cb9

	[SlackPerson]GetUser([string]$UserId) {
	$user = $this.Users[$UserId]
	if (-not $user) {
	$this.LogDebug([LogSeverity]::Warning, "User [$UserId] not found. Refreshing users")
	$this.LoadUsers()
	$user = $this.Users[$UserId]
	}
	if ($user) {
	$this.LogDebug("Resolved user [$UserId]", $user)
	} else {
	$this.LogDebug([LogSeverity]::Warning, "Could not resolve user [$UserId]")
	}
	return $user
	}

It's totally possible that on my quick scan this is something that is already there and that I've totally missed it so thought best to raise this as an issue in case could be pointed the right way

Your Environment

• Module version used: 0.10.2
• Operating System and PowerShell version: Windows 10 1709 - PS - 5.1.16299.431

[devblackops]

@kilasuit When PoshBot executes the command as a PowerShell job, it also populates a variable in the jobs' session called $global:PoshBotContext. This variable will include extra metadata about how the command was called that you can use as you see fit. This object includes two properties called From and FromName. These will hold the Slack ID and handle of the user who executed the command.

I just realized that this feature isn't documented well (at all) ☹️. I'll fix that.

{
  "Plugin": "PoshBot.PSSummit",
  "Command": "get-commandcontext",
  "From": "U4AEMSYH3",
  "FromName": "devblackops",
  "To": "D49LPDCHE",
  "ToName": "",
  "ConfigurationDirectory": "C:\\Users\\bolin\\.poshbot",
  "ParsedCommand": {
    "CommandString": "get-commandcontext",
    "Plugin": "PoshBot.PSSummit",
    "Command": "get-commandcontext",
    "Version": "",
    "NamedParameters": {},
    "PositionalParameters": [],
    "Time": "2018-06-25T15:40:02.001",
    "From": "U4AEMSYH3",
    "FromName": "devblackops",
    "To": "D49LPDCHE",
    "ToName": "",
    "OriginalMessage": "Message"
  }
}

I think it would be a good idea to extend this with the user's email address so you can perform the workflow you're proposing. We're already getting the user's email address in the LoadUsers() method so it will be simple to expose that in the $global:PoshBotContext object.

[devblackops]

@kilasuit I'm working on v0.11.0 which should make this easier.

In master, I've added more user information to $global:PoshBotContext which you can do with as you with. Specifically, the CallingUserInfo property probably has what you want. This property has what Slack makes available about users.

{
  "Plugin": "PoshBot.PSSummit",
  "Command": "get-commandcontext",
  "From": "U4AEMSYH3",
  "FromName": "devblackops",
  "To": "DBDSCP7BM",
  "ToName": "",
  "CallingUserInfo": {
    "Email": "brandon@devblackops.io",
    "IsPrimaryOwner": true,
    "Deleted": false,
    "IsBot": false,
    "Status": "",
    "Presence": "",
    "Phone": "",
    "FullName": "Brandon Olin",
    "IsUltraRestricted": false,
    "IsOwner": true,
    "ClientId": null,
    "TimeZone": "America/Los_Angeles",
    "LastName": "",
    "Skype": "",
    "Nickname": "devblackops",
    "FirstName": "Brandon",
    "IsAdmin": true,
    "TimeZoneLabel": "Pacific Daylight Time",
    "IsRestricted": false,
    "Id": "U4AEMSYH3"
  },
  "ConfigurationDirectory": "/Users/brandon/.poshbot",
  "ParsedCommand": {
    "CommandString": "get-commandcontext",
    "Plugin": "PoshBot.PSSummit",
    "Command": "get-commandcontext",
    "Version": "",
    "NamedParameters": {},
    "PositionalParameters": [],
    "Time": "2018-07-03T19:34:34"
  },
  "OriginalMessage": {
    "From": "U4AEMSYH3",
    "Text": "get-commandcontext",
    "Id": null,
    "IsDM": true,
    "Subtype": "None",
    "ToName": null,
    "Options": null,
    "FromName": "devblackops",
    "To": "DBDSCP7BM",
    "Type": "Message",
    "RawMessage": {
      "type": "message",
      "user": "U4AEMSYH3",
      "text": "!get-commandcontext",
      "client_msg_id": "3afd2e7a-23f8-4c83-9f7b-cfcd664b16f4",
      "team": "T4AEMSYG5",
      "channel": "DBDSCP7BM",
      "event_ts": "1530646474.000268",
      "ts": "1530646474.000268"
    },
    "Time": "2018-07-04 02:34:34Z"
  }
}

Combining this info and custom middleware hooks should allow a centralized custom authentication mechanism to be created so you don't have to reimplement in every command.

Let me know your throughts.