WIP: ADO permissions syncing

[indradhanush]

Halfway-ish through. Creating a draft PR for early feedback.

Implemented user permissions sync but it probably doesn't work yet, my permissions table is empty at the moment so still looking into it.

Test plan

[indradhanush]

New connection struct added. Rest of it is alphabetical reordering.

[indradhanush]

Handling for AzureDevOpsConnection. Rest of it is alphabetical reordering.

[kopancek]

This should never happen if I understand things correctly. Maybe return an error instead?

[mrnugget]

Or don't check it 😬 I don't think we should check every pointer for being nil. A lot of them are never null so if it's the case here, then I'd remove the check

[kopancek]

Can you provide docstrings on what orgs and other things here mean? I'm not sure I understand the logic in FetchUserPerms without it...

[indradhanush]

Will do. I probably need to rethink this approach a bit.

[kopancek]

As far as I understand, this just lists all orgs and all projects based on a preconfigured list. Does user token ensure that the user can actually access those that are returned?

Also, is there maybe an endpoint which would accept a list instead of us needing to fire a request for each one?

[indradhanush]

As far as I understand, this just lists all orgs and all projects based on a preconfigured list.

It will list all the repos under an org / project that the user has access to because we're going to use the user's oauth token here.

I need to not fail on error here so that we can continue onto the next org in case the user doesn't have access to one or more of the orgs from the config list.

[mrnugget]

It will list all the repos under an org / project that the user has access to because we're going to use the user's oauth token here.

Because we ran into this issue with GitLab, let's be crystal clear here: what does "has access to" mean here? Does it mean "can see that the entity exists" or "can see what's inside the entities"?

[indradhanush]

I checked on Azure and if a user has Stakeholder access to an org, then they can only see the entity exists on Azure but cannot see what's inside it. And the API will return a 401 for this scenario.

But if the user has Basic access, then they can see what's inside the org. They may have access to one or more projects in which case they will only see the contents of each project if they have the access to. This is when the API return s 200 OK.

[mrnugget]

what happened here?

[mrnugget]

Or don't check it 😬 I don't think we should check every pointer for being nil. A lot of them are never null so if it's the case here, then I'd remove the check

[mrnugget]

Is this a database error? Because the first sentence makes it sound like we're talking to an external service.

As for second sentence: it could literally be anything if it's a database error - connection error, timeout, computer dies, ... I'd simplify to

Suggested change

	"failed to get external account data external account with ID: %d, this might be related to a bad JSON in the database table user_external_accounts for this ID or a misconfigured encryption key",
	"failed load external account data from database for external account with ID: %d",

[mrnugget]

I think we need to check for this error too :)

[mrnugget]

It will list all the repos under an org / project that the user has access to because we're going to use the user's oauth token here.

Because we ran into this issue with GitLab, let's be crystal clear here: what does "has access to" mean here? Does it mean "can see that the entity exists" or "can see what's inside the entities"?

[mrnugget]

@kopancek might know?

[kopancek]

Since the field is called InvalidConnections I would expect to get all of them that are broken. So I think it might make more sense to move this error checking to the for loop or into the newAuthzProvider function and add the connection itself, not just type of the service that is broken.

Or return this error separately. Depending on where and how InvalidConnections is handled.

[indradhanush]

@kopancek, @mrnugget: I've created a new PR and addressed the suggestions / changes there. I'm going to close this. Please see #48209.