Slack app support (#4211)

* Slack app support

While it's possible to configure Slack app bot tokens using a
combination of http_configs authorization credentials and setting the
Slack API URL to the a specific endpoint, doing so at a global level
leaks the token to any other notification receiver configured, as
http_configs are not specific to notifiers. Slack has also restricted
webhook URLs to only be able to post to a single channel (with the
legacy webhooks being [marked as deprecated and not recommended][1]),
which reduces their usefulness when set at the global level.

This PR adds a way of easily setting Slack App bot tokens at the global
level, as well as overriding at the individual receiver level, while
keeping compatibility with existing configurations.

The decision to have a separate config field for the URL was to be able
to provide a default API URL for Slack apps as well as differentiate
when a webhook url is provided. Ideally we'd change the `slack_api_url`
to be `slack_webhook_url` so as to avoid confusion, but that would be an
unnecessary breaking change.

More context in issue #2513

[1]: https://api.slack.com/legacy/custom-integrations/messaging/webhooks

Signed-off-by: Pedro Araujo <[email protected]>

* Support transition from workaround to new config

The [Slack app support issue][1] suggested setting the slack API URL to
the `chat.PostMessage` endpoint instead of a webhook URL, and so people
migrating from this workaround to the the new configuration might
encounter a situation where they want to set the `slack_app_token` at
the global level while still retaining the `slack_api_url` while
dynamically configured receivers (such as those set by prometheus
operator) are migrated.

Signed-off-by: Pedro Araujo <[email protected]>

[1]: #2513

* Allow override from receiver-level webhook url

Signed-off-by: Pedro Araujo <[email protected]>

* Fix linter errors

Fixed by running `make common-lint-fix`

Signed-off-by: Pedro Araujo <[email protected]>

---------

Signed-off-by: Pedro Araujo <[email protected]>
Co-authored-by: Ben Kochie <[email protected]>

Author: pharaujo

config/config.go

@@ -380,10 +380,23 @@ func (c *Config) UnmarshalYAML(unmarshal func(any) error) error {
 		*c.Global = DefaultGlobalConfig()
 	}
 
+	if c.Global.SlackAppToken != "" && len(c.Global.SlackAppTokenFile) > 0 {
+		return errors.New("at most one of slack_app_token & slack_app_token_file must be configured")
+	}
+
 	if c.Global.SlackAPIURL != nil && len(c.Global.SlackAPIURLFile) > 0 {
 		return errors.New("at most one of slack_api_url & slack_api_url_file must be configured")
 	}
 
+	if (c.Global.SlackAppToken != "" || len(c.Global.SlackAppTokenFile) > 0) && (c.Global.SlackAPIURL != nil || len(c.Global.SlackAPIURLFile) > 0) {
+		// Support transition from workaround suggested in https://github.com/prometheus/alertmanager/issues/2513,
+		// where users might set `slack_api_url` at the top level and then have `http_config` with individual
+		// bearer tokens in the receivers.
+		if c.Global.SlackAPIURL.String() != c.Global.SlackAppURL.String() {
+			return errors.New("at most one of slack_app_token/slack_app_token_file & slack_api_url/slack_api_url_file must be configured")
+		}
+	}
+
 	if c.Global.OpsGenieAPIKey != "" && len(c.Global.OpsGenieAPIKeyFile) > 0 {
 		return errors.New("at most one of opsgenie_api_key & opsgenie_api_key_file must be configured")
 	}
@@ -453,16 +466,40 @@ func (c *Config) UnmarshalYAML(unmarshal func(any) error) error {
 			}
 		}
 		for _, sc := range rcv.SlackConfigs {
-			if sc.HTTPConfig == nil {
-				sc.HTTPConfig = c.Global.HTTPConfig
+			if sc.AppURL == nil {
+				if c.Global.SlackAppURL == nil {
+					return errors.New("no global Slack App URL set")
+				}
+				sc.AppURL = c.Global.SlackAppURL
+			}
+			// we only want to set the app token from global if there's no local authorization or webhook url
+			if sc.AppToken == "" && len(sc.AppTokenFile) == 0 && (sc.HTTPConfig == nil || sc.HTTPConfig.Authorization == nil) && sc.APIURL == nil {
+				sc.AppToken = c.Global.SlackAppToken
+				sc.AppTokenFile = c.Global.SlackAppTokenFile
 			}
 			if sc.APIURL == nil && len(sc.APIURLFile) == 0 {
-				if c.Global.SlackAPIURL == nil && len(c.Global.SlackAPIURLFile) == 0 {
-					return errors.New("no global Slack API URL set either inline or in a file")
-				}
 				sc.APIURL = c.Global.SlackAPIURL
 				sc.APIURLFile = c.Global.SlackAPIURLFile
 			}
+			if sc.APIURL == nil && len(sc.APIURLFile) == 0 && sc.AppToken == "" && len(sc.AppTokenFile) == 0 {
+				return errors.New("no Slack API URL nor App token set either inline or in a file")
+			}
+			if sc.HTTPConfig == nil {
+				// we don't want to change the global http config when setting the receiver's http config, do we do a copy
+				httpconfig := *c.Global.HTTPConfig
+				sc.HTTPConfig = &httpconfig
+			}
+			if sc.AppToken != "" || len(sc.AppTokenFile) != 0 {
+				if sc.HTTPConfig.Authorization != nil {
+					return errors.New("http authorization can't be set when using Slack App tokens")
+				}
+				sc.HTTPConfig.Authorization = &commoncfg.Authorization{
+					Type:            "Bearer",
+					Credentials:     commoncfg.Secret(sc.AppToken),
+					CredentialsFile: sc.AppTokenFile,
+				}
+				sc.APIURL = (*SecretURL)(sc.AppURL)
+			}
 		}
 		for _, poc := range rcv.PushoverConfigs {
 			if poc.HTTPConfig == nil {
@@ -749,6 +786,7 @@ func DefaultGlobalConfig() GlobalConfig {
 		TelegramAPIUrl:   mustParseURL("https://api.telegram.org"),
 		WebexAPIURL:      mustParseURL("https://webexapis.com/v1/messages"),
 		RocketchatAPIURL: mustParseURL("https://open.rocket.chat/"),
+		SlackAppURL:      mustParseURL("https://slack.com/api/chat.postMessage"),
 	}
 }
 
@@ -863,6 +901,9 @@ type GlobalConfig struct {
 	SMTPTLSConfig         *commoncfg.TLSConfig `yaml:"smtp_tls_config,omitempty" json:"smtp_tls_config,omitempty"`
 	SlackAPIURL           *SecretURL           `yaml:"slack_api_url,omitempty" json:"slack_api_url,omitempty"`
 	SlackAPIURLFile       string               `yaml:"slack_api_url_file,omitempty" json:"slack_api_url_file,omitempty"`
+	SlackAppToken         Secret               `yaml:"slack_app_token,omitempty" json:"slack_app_token,omitempty"`
+	SlackAppTokenFile     string               `yaml:"slack_app_token_file,omitempty" json:"slack_app_token_file,omitempty"`
+	SlackAppURL           *URL                 `yaml:"slack_app_url,omitempty" json:"slack_app_url,omitempty"`
 	PagerdutyURL          *URL                 `yaml:"pagerduty_url,omitempty" json:"pagerduty_url,omitempty"`
 	OpsGenieAPIURL        *URL                 `yaml:"opsgenie_api_url,omitempty" json:"opsgenie_api_url,omitempty"`
 	OpsGenieAPIKey        Secret               `yaml:"opsgenie_api_key,omitempty" json:"opsgenie_api_key,omitempty"`

config/config_test.go

@@ -934,6 +934,7 @@ func TestEmptyFieldsAndRegex(t *testing.T) {
 				InsecureSkipVerify: false,
 			},
 			SlackAPIURL:      (*SecretURL)(mustParseURL("http://slack.example.com/")),
+			SlackAppURL:      mustParseURL("https://slack.com/api/chat.postMessage"),
 			SMTPRequireTLS:   true,
 			PagerdutyURL:     mustParseURL("https://events.pagerduty.com/v2/enqueue"),
 			OpsGenieAPIURL:   mustParseURL("https://api.opsgenie.com/"),
@@ -1212,13 +1213,116 @@ func TestSlackBothAPIURLAndFile(t *testing.T) {
 	}
 }
 
+func TestSlackBothAppTokenAndFile(t *testing.T) {
+	_, err := LoadFile("testdata/conf.slack-both-file-and-token.yml")
+	if err == nil {
+		t.Fatalf("Expected an error parsing %s: %s", "testdata/conf.slack-both-file-and-token.yml", err)
+	}
+	if err.Error() != "at most one of slack_app_token & slack_app_token_file must be configured" {
+		t.Errorf("Expected: %s\nGot: %s", "at most one of slack_app_token & slack_app_token_file must be configured", err.Error())
+	}
+}
+
+func TestSlackBothAppTokenAndAPIURL(t *testing.T) {
+	_, err := LoadFile("testdata/conf.slack-both-url-and-token.yml")
+	if err == nil {
+		t.Fatalf("Expected an error parsing %s: %s", "testdata/conf.slack-both-url-and-token.yml", err)
+	}
+	if err.Error() != "at most one of slack_app_token/slack_app_token_file & slack_api_url/slack_api_url_file must be configured" {
+		t.Errorf("Expected: %s\nGot: %s", "at most one of slack_app_token/slack_app_token_file & slack_api_url/slack_api_url_file must be configured", err.Error())
+	}
+}
+
+func TestSlackGlobalAppToken(t *testing.T) {
+	conf, err := LoadFile("testdata/conf.slack-default-app-token.yml")
+	if err != nil {
+		t.Fatalf("Error parsing %s: %s", "testdata/conf.slack-default-app-token.yml", err)
+	}
+
+	// no override
+	defaultToken := conf.Global.SlackAppToken
+	firstAuth := commoncfg.Authorization{
+		Type:        "Bearer",
+		Credentials: commoncfg.Secret(defaultToken),
+	}
+	firstConfig := conf.Receivers[0].SlackConfigs[0]
+	if firstConfig.AppToken != defaultToken {
+		t.Fatalf("Invalid Slack App token: %s\nExpected: %s", firstConfig.AppToken, defaultToken)
+	}
+	if firstConfig.APIURL.String() != conf.Global.SlackAppURL.String() {
+		t.Fatalf("Expected API URL: %s\nGot: %s", conf.Global.SlackAppURL.String(), firstConfig.APIURL.String())
+	}
+	if firstConfig.HTTPConfig == nil || firstConfig.HTTPConfig.Authorization == nil {
+		t.Fatalf("Error configuring Slack App authorization: %s", firstConfig.HTTPConfig)
+	}
+	if firstConfig.HTTPConfig.Authorization.Type != firstAuth.Type {
+		t.Fatalf("Error configuring Slack App authorization type: %s\nExpected: %s", firstConfig.HTTPConfig.Authorization.Type, firstAuth.Type)
+	}
+	if firstConfig.HTTPConfig.Authorization.Credentials != firstAuth.Credentials {
+		t.Fatalf("Error configuring Slack App authorization credentials: %s\nExpected: %s", firstConfig.HTTPConfig.Authorization.Credentials, firstAuth.Credentials)
+	}
+
+	// inline override
+	inlineToken := "xoxb-1234-xxxxxx"
+	secondAuth := commoncfg.Authorization{
+		Type:        "Bearer",
+		Credentials: commoncfg.Secret(inlineToken),
+	}
+	secondConfig := conf.Receivers[0].SlackConfigs[1]
+	if secondConfig.AppToken != Secret(inlineToken) {
+		t.Fatalf("Invalid Slack App token: %s\nExpected: %s", secondConfig.AppToken, inlineToken)
+	}
+	if secondConfig.HTTPConfig == nil || secondConfig.HTTPConfig.Authorization == nil {
+		t.Fatalf("Error configuring Slack App authorization: %s", secondConfig.HTTPConfig)
+	}
+	if secondConfig.HTTPConfig.Authorization.Type != secondAuth.Type {
+		t.Fatalf("Error configuring Slack App authorization type: %s\nExpected: %s", secondConfig.HTTPConfig.Authorization.Type, secondAuth.Type)
+	}
+	if secondConfig.HTTPConfig.Authorization.Credentials != secondAuth.Credentials {
+		t.Fatalf("Error configuring Slack App authorization credentials: %s\nExpected: %s", secondConfig.HTTPConfig.Authorization.Credentials, secondAuth.Credentials)
+	}
+
+	// custom app url
+	thirdConfig := conf.Receivers[0].SlackConfigs[2]
+	if thirdConfig.AppURL.String() != "http://api.fakeslack.example/" {
+		t.Fatalf("Invalid Slack URL: %s\nExpected: %s", thirdConfig.APIURL.String(), "http://mysecret.example.com/")
+	}
+
+	// workaround override
+	workaroundToken := "xoxb-my-bot-token"
+	fourthAuth := commoncfg.Authorization{
+		Type:        "Bearer",
+		Credentials: commoncfg.Secret(workaroundToken),
+	}
+	fourthConfig := conf.Receivers[0].SlackConfigs[3]
+	if fourthConfig.AppToken != "" {
+		t.Fatalf("Invalid Slack App token: %q\nExpected: %q", fourthConfig.AppToken, "")
+	}
+	if fourthConfig.HTTPConfig == nil || fourthConfig.HTTPConfig.Authorization == nil {
+		t.Fatalf("Error configuring Slack App authorization: %s", fourthConfig.HTTPConfig)
+	}
+	if fourthConfig.HTTPConfig.Authorization.Type != fourthAuth.Type {
+		t.Fatalf("Error configuring Slack App authorization type: %s\nExpected: %s", fourthConfig.HTTPConfig.Authorization.Type, fourthAuth.Type)
+	}
+	if fourthConfig.HTTPConfig.Authorization.Credentials != fourthAuth.Credentials {
+		t.Fatalf("Error configuring Slack App authorization credentials: %s\nExpected: %s", fourthConfig.HTTPConfig.Authorization.Credentials, fourthAuth.Credentials)
+	}
+
+	// override the global file with an inline webhook URL
+	apiURL := "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+	fifthConfig := conf.Receivers[0].SlackConfigs[4]
+	if fifthConfig.APIURL.String() != apiURL || fifthConfig.APIURLFile != "" {
+		t.Fatalf("Invalid Slack URL: %s\nExpected: %s", fifthConfig.APIURL.String(), apiURL)
+	}
+}
+
 func TestSlackNoAPIURL(t *testing.T) {
-	_, err := LoadFile("testdata/conf.slack-no-api-url.yml")
+	_, err := LoadFile("testdata/conf.slack-no-api-url-or-token.yml")
 	if err == nil {
-		t.Fatalf("Expected an error parsing %s: %s", "testdata/conf.slack-no-api-url.yml", err)
+		t.Fatalf("Expected an error parsing %s: %s", "testdata/conf.slack-no-api-url-or-token.yml", err)
 	}
-	if err.Error() != "no global Slack API URL set either inline or in a file" {
-		t.Errorf("Expected: %s\nGot: %s", "no global Slack API URL set either inline or in a file", err.Error())
+	if err.Error() != "no Slack API URL nor App token set either inline or in a file" {
+		t.Errorf("Expected: %s\nGot: %s", "no Slack API URL nor App token set either inline or in a file", err.Error())
 	}
 }
 

config/notifiers.go

@@ -502,8 +502,11 @@ type SlackConfig struct {
 
 	HTTPConfig *commoncfg.HTTPClientConfig `yaml:"http_config,omitempty" json:"http_config,omitempty"`
 
-	APIURL     *SecretURL `yaml:"api_url,omitempty" json:"api_url,omitempty"`
-	APIURLFile string     `yaml:"api_url_file,omitempty" json:"api_url_file,omitempty"`
+	APIURL       *SecretURL `yaml:"api_url,omitempty" json:"api_url,omitempty"`
+	APIURLFile   string     `yaml:"api_url_file,omitempty" json:"api_url_file,omitempty"`
+	AppToken     Secret     `yaml:"app_token,omitempty" json:"app_token,omitempty"`
+	AppTokenFile string     `yaml:"app_token_file,omitempty" json:"app_token_file,omitempty"`
+	AppURL       *URL       `yaml:"app_url,omitempty" json:"app_url,omitempty"`
 
 	// Slack channel override, (like #other-channel or @username).
 	Channel  string `yaml:"channel,omitempty" json:"channel,omitempty"`
@@ -542,6 +545,12 @@ func (c *SlackConfig) UnmarshalYAML(unmarshal func(any) error) error {
 	if c.APIURL != nil && len(c.APIURLFile) > 0 {
 		return errors.New("at most one of api_url & api_url_file must be configured")
 	}
+	if c.AppToken != "" && len(c.AppTokenFile) > 0 {
+		return errors.New("at most one of app_token & app_token_file must be configured")
+	}
+	if (c.APIURL != nil || len(c.APIURLFile) > 0) && (c.AppToken != "" || len(c.AppTokenFile) > 0) {
+		return errors.New("at most one of api_url/api_url_file & app_token/app_token_file must be configured")
+	}
 
 	return nil
 }

config/notifiers_test.go

@@ -606,6 +606,53 @@ mrkdwn_in:
 	}
 }
 
+func TestSlackAuthMethodConfigValidation(t *testing.T) {
+	tests := []struct {
+		in          string
+		expectedErr string
+	}{
+		{
+			in: `
+api_url: 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
+api_url_file: /slack_url
+`,
+			expectedErr: "at most one of api_url & api_url_file must be configured",
+		},
+		{
+			in: `
+app_token: 'xoxb-1234-abcdefgh'
+app_token_file: /slack_app_token
+`,
+			expectedErr: "at most one of app_token & app_token_file must be configured",
+		},
+		{
+			in: `
+app_token: 'xoxb-1234-abcdefgh'
+api_url: 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
+`,
+			expectedErr: "at most one of api_url/api_url_file & app_token/app_token_file must be configured",
+		},
+	}
+
+	for _, rt := range tests {
+		var cfg SlackConfig
+		err := yaml.UnmarshalStrict([]byte(rt.in), &cfg)
+
+		// Check if an error occurred when it was NOT expected to.
+		if rt.expectedErr == "" && err != nil {
+			t.Fatalf("\nerror returned when none expected, error:\n%v", err)
+		}
+		// Check that an error occurred if one was expected to.
+		if rt.expectedErr != "" && err == nil {
+			t.Fatalf("\nno error returned, expected:\n%v", rt.expectedErr)
+		}
+		// Check that the error that occurred was what was expected.
+		if err != nil && err.Error() != rt.expectedErr {
+			t.Errorf("\nexpected:\n%v\ngot:\n%v", rt.expectedErr, err.Error())
+		}
+	}
+}
+
 func TestSlackFieldConfigValidation(t *testing.T) {
 	tests := []struct {
 		in       string

config/testdata/conf.slack-both-file-and-token.yml

@@ -0,0 +1,11 @@
+global:
+  slack_app_token: 'xoxb-1234-abcdefgh'
+  slack_app_token_file: '/global_file'
+route:
+  receiver: 'slack-notifications'
+  group_by: [alertname, datacenter, app]
+receivers:
+  - name: 'slack-notifications'
+    slack_configs:
+      - channel: '#alerts1'
+        text: 'test'

config/testdata/conf.slack-both-url-and-token.yml

@@ -0,0 +1,11 @@
+global:
+  slack_app_token: 'xoxb-1234-abcdefgh'
+  slack_api_url: 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
+route:
+  receiver: 'slack-notifications'
+  group_by: [alertname, datacenter, app]
+receivers:
+  - name: 'slack-notifications'
+    slack_configs:
+      - channel: '#alerts1'
+        text: 'test'

config/testdata/conf.slack-default-app-token.yml

@@ -0,0 +1,29 @@
+global:
+  slack_app_token: 'xoxb-1234-abcdefgh'
+  # old workaround to use bot tokens
+  slack_api_url: 'https://slack.com/api/chat.postMessage'
+route:
+  receiver: 'slack-notifications'
+  group_by: [alertname, datacenter, app]
+receivers:
+  - name: 'slack-notifications'
+    slack_configs:
+      # use global
+      - channel: '#alerts1'
+        text: 'test'
+      # use override
+      - channel: '#alerts2'
+        text: 'test'
+        app_token: 'xoxb-1234-xxxxxx'
+      # use custom app url
+      - channel: '#alerts3'
+        text: 'test'
+        app_url: http://api.fakeslack.example/
+      # use workaround to configure bot token
+      - channel: '#alerts4'
+        text: 'test'
+        http_config:
+          authorization:
+            credentials: 'xoxb-my-bot-token'
+      - api_url: 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
+        send_resolved: true