Add Microsoft Teams integration (#6410)

* Add Microsoft Teams integration

* Fix method naming error

* Expand and clean up unit test coverage

* Update with PR feedback

* Add documentation, add In Progress logic/tests for Teams

* Fixed lowercase Slack

* Added docs; Updated PR suggestions;

* Fix broken tests

src/Api/AdminConsole/Controllers/SlackIntegrationController.cs

@@ -32,7 +32,7 @@ public class SlackIntegrationController(
         }
 
         string? callbackUrl = Url.RouteUrl(
-            routeName: nameof(CreateAsync),
+            routeName: "SlackIntegration_Create",
             values: null,
             protocol: currentContext.HttpContext.Request.Scheme,
             host: currentContext.HttpContext.Request.Host.ToUriComponent()
@@ -76,7 +76,7 @@ public class SlackIntegrationController(
         return Redirect(redirectUrl);
     }
 
-    [HttpGet("integrations/slack/create", Name = nameof(CreateAsync))]
+    [HttpGet("integrations/slack/create", Name = "SlackIntegration_Create")]
     [AllowAnonymous]
     public async Task<IActionResult> CreateAsync([FromQuery] string code, [FromQuery] string state)
     {
@@ -103,7 +103,7 @@ public class SlackIntegrationController(
 
         // Fetch token from Slack and store to DB
         string? callbackUrl = Url.RouteUrl(
-            routeName: nameof(CreateAsync),
+            routeName: "SlackIntegration_Create",
             values: null,
             protocol: currentContext.HttpContext.Request.Scheme,
             host: currentContext.HttpContext.Request.Host.ToUriComponent()

src/Api/AdminConsole/Controllers/TeamsIntegrationController.cs

@@ -0,0 +1,147 @@
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Response.Organizations;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Bot.Builder;
+using Microsoft.Bot.Builder.Integration.AspNet.Core;
+
+namespace Bit.Api.AdminConsole.Controllers;
+
+[RequireFeature(FeatureFlagKeys.EventBasedOrganizationIntegrations)]
+[Route("organizations")]
+[Authorize("Application")]
+public class TeamsIntegrationController(
+    ICurrentContext currentContext,
+    IOrganizationIntegrationRepository integrationRepository,
+    IBot bot,
+    IBotFrameworkHttpAdapter adapter,
+    ITeamsService teamsService,
+    TimeProvider timeProvider) : Controller
+{
+    [HttpGet("{organizationId:guid}/integrations/teams/redirect")]
+    public async Task<IActionResult> RedirectAsync(Guid organizationId)
+    {
+        if (!await currentContext.OrganizationOwner(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var callbackUrl = Url.RouteUrl(
+            routeName: "TeamsIntegration_Create",
+            values: null,
+            protocol: currentContext.HttpContext.Request.Scheme,
+            host: currentContext.HttpContext.Request.Host.ToUriComponent()
+        );
+        if (string.IsNullOrEmpty(callbackUrl))
+        {
+            throw new BadRequestException("Unable to build callback Url");
+        }
+
+        var integrations = await integrationRepository.GetManyByOrganizationAsync(organizationId);
+        var integration = integrations.FirstOrDefault(i => i.Type == IntegrationType.Teams);
+
+        if (integration is null)
+        {
+            // No teams integration exists, create Initiated version
+            integration = await integrationRepository.CreateAsync(new OrganizationIntegration
+            {
+                OrganizationId = organizationId,
+                Type = IntegrationType.Teams,
+                Configuration = null,
+            });
+        }
+        else if (integration.Configuration is not null)
+        {
+            // A Completed (fully configured) Teams integration already exists, throw to prevent overriding
+            throw new BadRequestException("There already exists a Teams integration for this organization");
+
+        } // An Initiated teams integration exits, re-use it and kick off a new OAuth flow
+
+        var state = IntegrationOAuthState.FromIntegration(integration, timeProvider);
+        var redirectUrl = teamsService.GetRedirectUrl(
+            callbackUrl: callbackUrl,
+            state: state.ToString()
+        );
+
+        if (string.IsNullOrEmpty(redirectUrl))
+        {
+            throw new NotFoundException();
+        }
+
+        return Redirect(redirectUrl);
+    }
+
+    [HttpGet("integrations/teams/create", Name = "TeamsIntegration_Create")]
+    [AllowAnonymous]
+    public async Task<IActionResult> CreateAsync([FromQuery] string code, [FromQuery] string state)
+    {
+        var oAuthState = IntegrationOAuthState.FromString(state: state, timeProvider: timeProvider);
+        if (oAuthState is null)
+        {
+            throw new NotFoundException();
+        }
+
+        // Fetch existing Initiated record
+        var integration = await integrationRepository.GetByIdAsync(oAuthState.IntegrationId);
+        if (integration is null ||
+            integration.Type != IntegrationType.Teams ||
+            integration.Configuration is not null)
+        {
+            throw new NotFoundException();
+        }
+
+        // Verify Organization matches hash
+        if (!oAuthState.ValidateOrg(integration.OrganizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var callbackUrl = Url.RouteUrl(
+            routeName: "TeamsIntegration_Create",
+            values: null,
+            protocol: currentContext.HttpContext.Request.Scheme,
+            host: currentContext.HttpContext.Request.Host.ToUriComponent()
+        );
+        if (string.IsNullOrEmpty(callbackUrl))
+        {
+            throw new BadRequestException("Unable to build callback Url");
+        }
+
+        var token = await teamsService.ObtainTokenViaOAuth(code, callbackUrl);
+        if (string.IsNullOrEmpty(token))
+        {
+            throw new BadRequestException("Invalid response from Teams.");
+        }
+
+        var teams = await teamsService.GetJoinedTeamsAsync(token);
+
+        if (!teams.Any())
+        {
+            throw new BadRequestException("No teams were found.");
+        }
+
+        var teamsIntegration = new TeamsIntegration(TenantId: teams[0].TenantId, Teams: teams);
+        integration.Configuration = JsonSerializer.Serialize(teamsIntegration);
+        await integrationRepository.UpsertAsync(integration);
+
+        var location = $"/organizations/{integration.OrganizationId}/integrations/{integration.Id}";
+        return Created(location, new OrganizationIntegrationResponseModel(integration));
+    }
+
+    [Route("integrations/teams/incoming")]
+    [AllowAnonymous]
+    [HttpPost]
+    public async Task IncomingPostAsync()
+    {
+        await adapter.ProcessAsync(Request, Response, bot);
+    }
+}

src/Api/AdminConsole/Models/Request/Organizations/OrganizationIntegrationConfigurationRequestModel.cs

@@ -38,6 +38,10 @@ public class OrganizationIntegrationConfigurationRequestModel
                 return !string.IsNullOrWhiteSpace(Template) &&
                        Configuration is null &&
                        IsFiltersValid();
+            case IntegrationType.Teams:
+                return !string.IsNullOrWhiteSpace(Template) &&
+                       Configuration is null &&
+                       IsFiltersValid();
             default:
                 return false;
 

src/Api/AdminConsole/Models/Request/Organizations/OrgnizationIntegrationRequestModel.cs

@@ -35,7 +35,7 @@ public class OrganizationIntegrationRequestModel : IValidatableObject
             case IntegrationType.CloudBillingSync or IntegrationType.Scim:
                 yield return new ValidationResult($"{nameof(Type)} integrations are not yet supported.", [nameof(Type)]);
                 break;
-            case IntegrationType.Slack:
+            case IntegrationType.Slack or IntegrationType.Teams:
                 yield return new ValidationResult($"{nameof(Type)} integrations cannot be created directly.", [nameof(Type)]);
                 break;
             case IntegrationType.Webhook:

src/Api/AdminConsole/Models/Response/Organizations/OrganizationIntegrationResponseModel.cs

@@ -1,4 +1,6 @@
-using Bit.Core.AdminConsole.Entities;
+using System.Text.Json;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 
@@ -35,6 +37,16 @@ public class OrganizationIntegrationResponseModel : ResponseModel
             ? OrganizationIntegrationStatus.Initiated
             : OrganizationIntegrationStatus.Completed,
 
+        // If present and the configuration is null, OAuth has been initiated, and we are
+        // waiting on the return OAuth call. If Configuration is not null and IsCompleted is true,
+        // then we've received the app install bot callback, and it's Completed. Otherwise,
+        // it is In Progress while we await the app install bot callback.
+        IntegrationType.Teams => string.IsNullOrWhiteSpace(Configuration)
+            ? OrganizationIntegrationStatus.Initiated
+            : (JsonSerializer.Deserialize<TeamsIntegration>(Configuration)?.IsCompleted ?? false)
+                ? OrganizationIntegrationStatus.Completed
+                : OrganizationIntegrationStatus.InProgress,
+
         // HEC and Datadog should only be allowed to be created non-null.
         // If they are null, they are Invalid
         IntegrationType.Hec => string.IsNullOrWhiteSpace(Configuration)