[MM-21688] Use dedicated bot account in Azure

[mickmister]

Summary

We are using the getSchedule Graph API endpoint to fetch user availabilities, and using application-level permissions to do so. The request requires us to supply a user ID, so we need a dedicated user in Azure to reference.

This PR allows the MM admin to connect the mscalendar bot to an account in Azure, using the /mscalendar connect_bot command.

Ticket Link

https://mattermost.atlassian.net/browse/MM-21688

Additional Info

Before running /mscalendar connect_bot, /mscalendar availability should fail, since we do not have a bot user to use for the user id.

Todo:

• mscalendar/oauth2.go needs to have access to IsAuthorizedAdmin so we can ensure only admins can connect the bot account

  • IsAuthorizedAdmin is now bot.IsUserAdmin and PluginAPI.IsSysAdmin. Shouldn't we want to union these two, since a sys admin should be treated as a plugin admin?

• fix command/connect_test.go and command/disconnect_test.go once ^ has been resolved

• oauth2_connect_test.go and oauth2_complete_test.go have been deleted, but there are some tests I have written to assert things pertaining to connecting the bot account

• Write README instructions for creating dedicated account in Azure

Fixes #24

[jfrerich]

@mickmister, is this PR ready for review? I usually clone the repo to make checking some of the code easier to traverse and some of the methods don't exist.

[mickmister]

@jfrerich I should have marked the PR as draft since it is not properly building at the moment. IsAuthorizedAdmin in particular does not exist anymore after the project restructure, and needs to be exposed properly to some of the oauth related files. Is this the function you are referring to?

The connect.go, disconnect.go, and oauth* files have these issues. There are traces of GetRemoteUser as well, as @levb as pointed out.

@levb I need to discuss with you how to expose this admin-checking functionality to the oauth package, as only trusted admins should be able to connect/disconnect the bot from msgraph.

The oauth.App interface is more or less isolated from the rest of the packages at the moment (on purpose), but needs to have access to these admin-checking functions, as noted in a todo in the PR description. Or we need to restructure the flow to allow for checking before the oauth package receives the request.

[mickmister]

@jfrerich I can comment out certain things that need to be restructured/added so it will properly compile, though the tests will still fail without the added functions.

[mickmister]

@jfrerich This PR is ready for review now

[mickmister]

@levb If this function is implemented as just return a.api.GetUserStatusesByIds(mattermostUserIDs), a nil error will be treated as a non-nil value to the caller.

You and I talked once about handling model.AppError and error, specifically that an interface pointer to a (nil pointer to a concrete type) is not a nil interface pointer, but I don't understand why this needs to be here in this case, and not the other functions in this file.

[jfrerich]

Thanks @mickmister! I'll get on the review soon!

[levb]

Just a couple nits/naming.

[levb]

1/5 s/index/allIDs/

[levb]

1/5 s/mmIDs/filteredIDs/

[jfrerich]

Awesome work, @mickmister! I have one question and a single suggestion on response wording to the user.

[levb]

only if you do another push anyway... a nit of a nit, but maybe inline userIndex.GetMattermostUserIDs() and just use ids for the return? :)

[jfrerich]

changes requests have been addressed and questions I had have been explained. Approving and thanks for the awesome work, @mickmister

[DHaussermann]

Spoke with @mickmister about this change. I will test post merge.