refactor: share allowlist match metadata

Co-authored-by: thewilloftheshadow <thewilloftheshadow@users.noreply.github.com>
2026-01-18 01:49:13 +00:00
parent ccb30665f7
commit 62354dff9c
10 changed files with 94 additions and 55 deletions
--- a/extensions/msteams/src/monitor-handler/message-handler.ts
+++ b/extensions/msteams/src/monitor-handler/message-handler.ts
@@ -15,6 +15,7 @@ import {
 } from "../../../../src/auto-reply/reply/history.js";
 import { resolveMentionGating } from "../../../../src/channels/mention-gating.js";
 import { resolveCommandAuthorizedFromAuthorizers } from "../../../../src/channels/command-gating.js";
+import { formatAllowlistMatchMeta } from "../../../../src/channels/plugins/allowlist-match.js";
 import { danger, logVerbose, shouldLogVerbose } from "../../../../src/globals.js";
 import { enqueueSystemEvent } from "../../../../src/infra/system-events.js";
 import {
@@ -41,6 +42,7 @@ import {
 import type { MSTeamsMessageHandlerDeps } from "../monitor-handler.js";
 import {
  isMSTeamsGroupAllowed,
+  resolveMSTeamsAllowlistMatch,
  resolveMSTeamsReplyPolicy,
  resolveMSTeamsRouteConfig,
 } from "../policy.js";
@@ -141,19 +143,14 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
      }

      if (dmPolicy !== "open") {
-        const effectiveAllowFrom = [
-          ...allowFrom.map((v) => String(v).toLowerCase()),
-          ...storedAllowFrom,
-        ];
+        const effectiveAllowFrom = [...allowFrom.map((v) => String(v)), ...storedAllowFrom];
+        const allowMatch = resolveMSTeamsAllowlistMatch({
+          allowFrom: effectiveAllowFrom,
+          senderId,
+          senderName,
+        });

-        const senderLower = senderId.toLowerCase();
-        const senderNameLower = senderName.toLowerCase();
-        const allowed =
-          effectiveAllowFrom.includes("*") ||
-          effectiveAllowFrom.includes(senderLower) ||
-          effectiveAllowFrom.includes(senderNameLower);
-
-        if (!allowed) {
+        if (!allowMatch.allowed) {
          if (dmPolicy === "pairing") {
            const request = await upsertChannelPairingRequest({
              channel: "msteams",
@@ -170,6 +167,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
          log.debug("dropping dm (not allowlisted)", {
            sender: senderId,
            label: senderName,
+            allowlistMatch: formatAllowlistMatchMeta(allowMatch),
          });
          return;
        }
@@ -213,6 +211,10 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
        if (channelGate.allowlistConfigured && !channelGate.allowed) {
          log.debug("dropping group message (not in team/channel allowlist)", {
            conversationId,
+            teamKey: channelGate.teamKey ?? "none",
+            channelKey: channelGate.channelKey ?? "none",
+            channelMatchKey: channelGate.channelMatchKey ?? "none",
+            channelMatchSource: channelGate.channelMatchSource ?? "none",
          });
          return;
        }
@@ -223,16 +225,17 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
          return;
        }
        if (effectiveGroupAllowFrom.length > 0) {
-          const allowed = isMSTeamsGroupAllowed({
+          const allowMatch = resolveMSTeamsAllowlistMatch({
            groupPolicy,
            allowFrom: effectiveGroupAllowFrom,
            senderId,
            senderName,
          });
-          if (!allowed) {
+          if (!allowMatch.allowed) {
            log.debug("dropping group message (not in groupAllowFrom)", {
              sender: senderId,
              label: senderName,
+              allowlistMatch: formatAllowlistMatchMeta(allowMatch),
            });
            return;
          }
--- a/extensions/msteams/src/policy.ts
+++ b/extensions/msteams/src/policy.ts
@@ -11,6 +11,7 @@ import {
  resolveChannelEntryMatchWithFallback,
  resolveNestedAllowlistDecision,
 } from "../../../src/channels/plugins/channel-config.js";
+import type { AllowlistMatch } from "../../../src/channels/plugins/allowlist-match.js";

 export type MSTeamsResolvedRouteConfig = {
  teamConfig?: MSTeamsTeamConfig;
@@ -90,6 +91,31 @@ export type MSTeamsReplyPolicy = {
  replyStyle: MSTeamsReplyStyle;
 };

+export type MSTeamsAllowlistMatch = AllowlistMatch<"wildcard" | "id" | "name">;
+
+export function resolveMSTeamsAllowlistMatch(params: {
+  allowFrom: Array<string | number>;
+  senderId: string;
+  senderName?: string | null;
+}): MSTeamsAllowlistMatch {
+  const allowFrom = params.allowFrom
+    .map((entry) => String(entry).trim().toLowerCase())
+    .filter(Boolean);
+  if (allowFrom.length === 0) return { allowed: false };
+  if (allowFrom.includes("*")) {
+    return { allowed: true, matchKey: "*", matchSource: "wildcard" };
+  }
+  const senderId = params.senderId.toLowerCase();
+  if (allowFrom.includes(senderId)) {
+    return { allowed: true, matchKey: senderId, matchSource: "id" };
+  }
+  const senderName = params.senderName?.toLowerCase();
+  if (senderName && allowFrom.includes(senderName)) {
+    return { allowed: true, matchKey: senderName, matchSource: "name" };
+  }
+  return { allowed: false };
+}
+
 export function resolveMSTeamsReplyPolicy(params: {
  isDirectMessage: boolean;
  globalConfig?: MSTeamsConfig;
@@ -126,12 +152,5 @@ export function isMSTeamsGroupAllowed(params: {
  const { groupPolicy } = params;
  if (groupPolicy === "disabled") return false;
  if (groupPolicy === "open") return true;
-  const allowFrom = params.allowFrom
-    .map((entry) => String(entry).trim().toLowerCase())
-    .filter(Boolean);
-  if (allowFrom.length === 0) return false;
-  if (allowFrom.includes("*")) return true;
-  const senderId = params.senderId.toLowerCase();
-  const senderName = params.senderName?.toLowerCase();
-  return allowFrom.includes(senderId) || (senderName ? allowFrom.includes(senderName) : false);
+  return resolveMSTeamsAllowlistMatch(params).allowed;
 }