Use ResourceProvisionerV2 to return the grant information (#18)

* Use ResourceProvisionerV2 to return the grant information * Use entitlement resource, not principal * Vendoring * Upgrade to baton-sdk v0.1.13
ConductorOne · Nov 30, 2023 · f820fad · f820fad
1 parent 089e1bd
commit f820fad
Show file tree

Hide file tree

Showing 7 changed files with 233 additions and 110 deletions.
diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.22.3
 	github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.22.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.25.4
-	github.com/conductorone/baton-sdk v0.1.11
+	github.com/conductorone/baton-sdk v0.1.13
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/spf13/cobra v1.8.0
 	go.uber.org/zap v1.26.0

diff --git a/go.sum b/go.sum
@@ -97,8 +97,10 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/conductorone/baton-sdk v0.1.11 h1:DO24e1WahpZ/Llqz01Vn1qQj3YYoj7+haGh7Ulz7hNs=
-github.com/conductorone/baton-sdk v0.1.11/go.mod h1:mxMxyna5UNmh9T+uQL4UApk0Ers0unkL1SGGnwjoCoc=
+github.com/conductorone/baton-sdk v0.1.13-0.20231129230901-6a4866e4e0ec h1:kslx2qju4psh9Em6TUhZaJXxpc9aLqzaL9ScwqgmnVA=
+github.com/conductorone/baton-sdk v0.1.13-0.20231129230901-6a4866e4e0ec/go.mod h1:mxMxyna5UNmh9T+uQL4UApk0Ers0unkL1SGGnwjoCoc=
+github.com/conductorone/baton-sdk v0.1.13 h1:FO+HzH32TSH+CragU5R/dG+07nEescHatbc+D5Sol8Y=
+github.com/conductorone/baton-sdk v0.1.13/go.mod h1:mxMxyna5UNmh9T+uQL4UApk0Ers0unkL1SGGnwjoCoc=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/pkg/connector/sso_group.go b/pkg/connector/sso_group.go
@@ -103,6 +103,28 @@ func (o *ssoGroupResourceType) Entitlements(_ context.Context, resource *v2.Reso
 	return []*v2.Entitlement{member}, "", nil, nil
 }
 
+func createUserSSOGroupMembershipGrant(region string, identityStoreID string, memberID string, membershipID *string, groupResource *v2.Resource) (*v2.Grant, error) {
+	userARN := ssoUserToARN(region, identityStoreID, memberID)
+	uID, err := resourceSdk.NewResourceID(resourceTypeSSOUser, userARN)
+	if err != nil {
+		return nil, err
+	}
+	grant := grantSdk.NewGrant(groupResource, groupMemberEntitlement, uID,
+		grantSdk.WithAnnotation(
+			&v2.V1Identifier{
+				Id: V1GrantID(V1MembershipEntitlementID(groupResource.Id), userARN),
+			},
+		),
+	)
+
+	// MembershipID should always be not-nil here but let's guard ourselves
+	// Just use the MembershipID as the grant ID so that we can easily revoke it later
+	if membershipID != nil {
+		grant.Id = *membershipID
+	}
+	return grant, nil
+}
+
 func (o *ssoGroupResourceType) Grants(ctx context.Context, resource *v2.Resource, pt *pagination.Token) ([]*v2.Grant, string, annotations.Annotations, error) {
 	bag := &pagination.Bag{}
 	err := bag.Unmarshal(pt.Token)
@@ -133,24 +155,16 @@ func (o *ssoGroupResourceType) Grants(ctx context.Context, resource *v2.Resource
 		if !ok {
 			continue
 		}
-		userARN := ssoUserToARN(o.region, awsSdk.ToString(o.identityInstance.IdentityStoreId), member.Value)
-		uID, err := resourceSdk.NewResourceID(resourceTypeSSOUser, userARN)
+		grant, err := createUserSSOGroupMembershipGrant(
+			o.region,
+			awsSdk.ToString(o.identityInstance.IdentityStoreId),
+			member.Value,
+			user.MembershipId,
+			resource,
+		)
 		if err != nil {
 			return nil, "", nil, err
 		}
-		grant := grantSdk.NewGrant(resource, groupMemberEntitlement, uID,
-			grantSdk.WithAnnotation(
-				&v2.V1Identifier{
-					Id: V1GrantID(V1MembershipEntitlementID(resource.Id), userARN),
-				},
-			),
-		)
-
-		// MembershipID should always be not-nil here but let's guard ourselves
-		// Just use the MembershipID as the grant ID so that we can easily revoke it later
-		if user.MembershipId != nil {
-			grant.Id = *user.MembershipId
-		}
 		rv = append(rv, grant)
 	}
 	nextPage, err := bag.Marshal()
@@ -170,19 +184,19 @@ func ssoGroupBuilder(region string, ssoClient *awsSsoAdmin.Client, identityStore
 	}
 }
 
-func (g *ssoGroupResourceType) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+func (g *ssoGroupResourceType) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
 	if principal.Id.ResourceType != resourceTypeSSOUser.Id {
-		return nil, errors.New("baton-aws: only sso users can be added to a sso group")
+		return nil, nil, errors.New("baton-aws: only sso users can be added to a sso group")
 	}
 
 	groupID, err := ssoGroupIdFromARN(entitlement.Resource.Id.Resource)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	userID, err := ssoUserIdFromARN(principal.Id.Resource)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	input := &awsIdentityStore.CreateGroupMembershipInput{
@@ -191,11 +205,22 @@ func (g *ssoGroupResourceType) Grant(ctx context.Context, principal *v2.Resource
 		MemberId:        &awsIdentityStoreTypes.MemberIdMemberUserId{Value: userID},
 	}
 
-	if _, err := g.identityStoreClient.CreateGroupMembership(ctx, input); err != nil {
-		return nil, fmt.Errorf("baton-aws: error adding sso user to sso group: %w", err)
+	membership, err := g.identityStoreClient.CreateGroupMembership(ctx, input)
+	if err != nil {
+		return nil, nil, fmt.Errorf("baton-aws: error adding sso user to sso group: %w", err)
 	}
 
-	return nil, nil
+	grant, err := createUserSSOGroupMembershipGrant(
+		g.region,
+		awsSdk.ToString(g.identityInstance.IdentityStoreId),
+		userID,
+		membership.MembershipId,
+		entitlement.Resource,
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	return []*v2.Grant{grant}, nil, nil
 }
 func (g *ssoGroupResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
 	if grant.Principal.Id.ResourceType != resourceTypeSSOUser.Id {

diff --git a/vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/grant.pb.go b/vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/grant.pb.go