Merge pull request #3 from ConductorOne/feat/provisioning

Feat/provisioning

Author: ggreer

.gitignore

@@ -15,3 +15,5 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 dist/
+
+.env

pkg/connector/entitlements.go

@@ -2,12 +2,12 @@ package connector
 
 const (
 	assignedEntitlement                  = "assigned"
-	readStatsAndAnalyticsEntitlement     = "read stats and analytics"
-	accessBillingEntitlement             = "access billing"
-	manageUsersAndAccountsEntitlement    = "manage users and accounts"
-	readStatsAndConfigurationEntitlement = "read stats and configuration"
-	purgeSelectedContentEntitlement      = "purge selected content"
-	purgeAllEntitlement                  = "purge all"
-	fullAccessEntitlement                = "full access"
+	readStatsAndAnalyticsEntitlement     = "read-stats-and-analytics"
+	accessBillingEntitlement             = "access-billing"
+	manageUsersAndAccountsEntitlement    = "manage-users-and-accounts"
+	readStatsAndConfigurationEntitlement = "read-stats-and-configuration"
+	purgeSelectedContentEntitlement      = "purge-selected-content"
+	purgeAllEntitlement                  = "purge-all"
+	fullAccessEntitlement                = "full-access"
 	accessEntitlement                    = "access"
 )

pkg/connector/roles.go

@@ -12,6 +12,8 @@ import (
 	grant "github.com/conductorone/baton-sdk/pkg/types/grant"
 	rs "github.com/conductorone/baton-sdk/pkg/types/resource"
 	"github.com/fastly/go-fastly/v8/fastly"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
 const (
@@ -22,9 +24,9 @@ const (
 )
 
 var (
-	roles = []string{superUserRole, userRole, billingRole, engineerRole}
-
+	roles                        = []string{superUserRole, userRole, billingRole, engineerRole}
 	rolesWithAccessToAllServices = []string{superUserRole, userRole, billingRole}
+	revokedRole                  = userRole
 )
 
 type roleBuilder struct {
@@ -111,3 +113,73 @@ func (o *roleBuilder) Grants(ctx context.Context, resource *v2.Resource, _ *pagi
 
 	return rv, "", nil, nil
 }
+
+func (o *roleBuilder) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	if principal.Id.ResourceType != userResourceType.Id {
+		err := fmt.Errorf("baton-fastly: only users can be granted to roles")
+
+		l.Warn(
+			err.Error(),
+			zap.String("principal_id", principal.Id.Resource),
+			zap.String("principal_type", principal.Id.ResourceType),
+		)
+
+		return nil, err
+	}
+
+	role := strings.ToLower(entitlement.Resource.Id.Resource)
+
+	_, err := o.client.UpdateUser(&fastly.UpdateUserInput{
+		ID:   principal.Id.Resource,
+		Role: &role,
+	})
+	if err != nil {
+		err = wrapError(err, "failed to grant role to user")
+
+		l.Error(
+			err.Error(),
+			zap.String("role_id", entitlement.Resource.Id.Resource),
+			zap.String("user_id", principal.Id.Resource),
+		)
+	}
+
+	return nil, nil
+}
+
+func (o *roleBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	principal := grant.Principal
+
+	if principal.Id.ResourceType != userResourceType.Id {
+		err := fmt.Errorf("baton-fastly: only users can be granted to roles")
+
+		l.Warn(
+			err.Error(),
+			zap.String("principal_id", principal.Id.Resource),
+			zap.String("principal_type", principal.Id.ResourceType),
+		)
+
+		return nil, err
+	}
+
+	role := strings.ToLower(revokedRole)
+
+	_, err := o.client.UpdateUser(&fastly.UpdateUserInput{
+		ID:   principal.Id.Resource,
+		Role: &role,
+	})
+	if err != nil {
+		err = wrapError(err, "failed to grant role to user")
+
+		l.Error(
+			err.Error(),
+			zap.String("role_id", revokedRole),
+			zap.String("user_id", principal.Id.Resource),
+		)
+	}
+
+	return nil, nil
+}

pkg/connector/services.go

@@ -12,6 +12,8 @@ import (
 	grant "github.com/conductorone/baton-sdk/pkg/types/grant"
 	rs "github.com/conductorone/baton-sdk/pkg/types/resource"
 	"github.com/fastly/go-fastly/v8/fastly"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
 type serviceBuilder struct {
@@ -20,18 +22,31 @@ type serviceBuilder struct {
 	customerId   string
 }
 
-var (
+const (
 	ReadOnlyPermission    = "read_only"
 	PurgeSelectPermission = "purge_select"
 	PurgeAllPermission    = "purge_all"
 	FullAccessPermission  = "full"
+)
 
+var (
 	permissionEntitlementMap = map[string][]string{
 		ReadOnlyPermission:    {readStatsAndConfigurationEntitlement},
 		PurgeSelectPermission: {readStatsAndConfigurationEntitlement, purgeSelectedContentEntitlement},
 		PurgeAllPermission:    {readStatsAndConfigurationEntitlement, purgeSelectedContentEntitlement, purgeAllEntitlement},
 		FullAccessPermission:  {readStatsAndConfigurationEntitlement, purgeSelectedContentEntitlement, purgeAllEntitlement, fullAccessEntitlement},
 	}
+	entitlementPermissionMap = map[string]string{
+		readStatsAndConfigurationEntitlement: ReadOnlyPermission,
+		purgeSelectedContentEntitlement:      PurgeSelectPermission,
+		purgeAllEntitlement:                  PurgeAllPermission,
+		fullAccessEntitlement:                FullAccessPermission,
+	}
+	revokeEntitlementMap = map[string]string{
+		purgeSelectedContentEntitlement: readStatsAndConfigurationEntitlement,
+		purgeAllEntitlement:             purgeSelectedContentEntitlement,
+		fullAccessEntitlement:           purgeAllEntitlement,
+	}
 )
 
 func newServiceBuilder(client *fastly.Client, customerId string) *serviceBuilder {
@@ -307,3 +322,194 @@ func (o *serviceBuilder) grantEngineer(ctx context.Context, service *v2.Resource
 
 	return rv, nil
 }
+
+func (o *serviceBuilder) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	permission, exists := entitlementPermissionMap[entitlement.Slug]
+	if !exists {
+		err := fmt.Errorf("baton-fastly: unable to grant %s entitlement", entitlement.Slug)
+
+		l.Warn(
+			err.Error(),
+			zap.String("entitlement_id", entitlement.Slug),
+		)
+
+		return nil, err
+	}
+
+	err := o.validateGrantOperation(principal, entitlement, l)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = o.upsertServiceAuthorizationForUser(entitlement.Resource.Id.Resource, principal.Id.Resource, permission, l)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+func (o *serviceBuilder) getServiceAuthorizationForUser(serviceId, userId string) (*fastly.ServiceAuthorization, error) {
+	pageNumber := 1
+
+	for {
+		serviceAuthorizations, err := o.client.ListServiceAuthorizations(&fastly.ListServiceAuthorizationsInput{
+			PageNumber: pageNumber,
+			PageSize:   resourcePageSize,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		for _, serviceAuthorization := range serviceAuthorizations.Items {
+			if serviceAuthorization.Service.ID == serviceId && serviceAuthorization.User.ID == userId {
+				return serviceAuthorization, nil
+			}
+		}
+
+		if pageNumber >= serviceAuthorizations.Info.Meta.TotalPages {
+			break
+		}
+	}
+
+	return nil, nil
+}
+
+// Service authorization for user can already exist with different permission.
+// In this case we need to update it.
+func (o *serviceBuilder) upsertServiceAuthorizationForUser(serviceId, userId, permission string, l *zap.Logger) (*fastly.ServiceAuthorization, error) {
+	serviceAuthorization, err := o.getServiceAuthorizationForUser(serviceId, userId)
+	if err != nil {
+		return nil, wrapError(err, "failed to get service authorization")
+	}
+
+	if serviceAuthorization != nil {
+		if serviceAuthorization.Permission == permission {
+			return serviceAuthorization, nil
+		}
+
+		serviceAuthorization, err := o.client.UpdateServiceAuthorization(&fastly.UpdateServiceAuthorizationInput{
+			ID:         serviceAuthorization.ID,
+			Permission: permission,
+		})
+		if err != nil {
+			err = wrapError(err, "failed to update permission to user")
+
+			l.Error(
+				err.Error(),
+				zap.String("permission", permission),
+				zap.String("user_id", userId),
+				zap.String("service_id", serviceId),
+			)
+		}
+
+		return serviceAuthorization, nil
+	} else {
+		serviceAuthorization, err := o.client.CreateServiceAuthorization(&fastly.CreateServiceAuthorizationInput{
+			Service: &fastly.SAService{
+				ID: serviceId,
+			},
+			User: &fastly.SAUser{
+				ID: userId,
+			},
+			Permission: permission,
+		})
+		if err != nil {
+			err = wrapError(err, "failed to grant permission to user")
+
+			l.Error(
+				err.Error(),
+				zap.String("permission", permission),
+				zap.String("user_id", userId),
+				zap.String("service_id", serviceId),
+			)
+		}
+
+		return serviceAuthorization, nil
+	}
+}
+
+func (o *serviceBuilder) validateGrantOperation(principal *v2.Resource, entitlement *v2.Entitlement, l *zap.Logger) error {
+	if principal.Id.ResourceType != userResourceType.Id {
+		err := fmt.Errorf("baton-fastly: only users can be granted to service")
+
+		l.Warn(
+			err.Error(),
+			zap.String("principal_id", principal.Id.Resource),
+			zap.String("principal_type", principal.Id.ResourceType),
+		)
+
+		return err
+	}
+
+	user, err := o.client.GetUser(&fastly.GetUserInput{ID: principal.Id.Resource})
+	if err != nil {
+		err := wrapError(err, "failed to get user")
+
+		l.Error(
+			err.Error(),
+			zap.String("user_id", principal.Id.Resource),
+		)
+
+		return err
+	}
+
+	if user.Role != strings.ToLower(engineerRole) {
+		err := fmt.Errorf("baton-fastly: only users with role %s can be granted to service", engineerRole)
+
+		l.Warn(
+			err.Error(),
+			zap.String("user_id", principal.Id.Resource),
+			zap.String("user_role", user.Role),
+		)
+
+		return err
+	}
+
+	return nil
+}
+
+func (o *serviceBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	principal := grant.Principal
+	entitlement := grant.Entitlement
+
+	revokedEntitlement, exists := revokeEntitlementMap[entitlement.Slug]
+	if !exists {
+		err := fmt.Errorf("baton-fastly: unable to revoke %s entitlement", entitlement.Slug)
+
+		l.Warn(
+			err.Error(),
+			zap.String("entitlement_id", entitlement.Slug),
+		)
+
+		return nil, err
+	}
+
+	revokedPermission, exists := entitlementPermissionMap[revokedEntitlement]
+	if !exists {
+		err := fmt.Errorf("baton-fastly: unable to map %s entitlement to permission", revokedEntitlement)
+
+		l.Warn(
+			err.Error(),
+			zap.String("entitlement_id", revokedEntitlement),
+		)
+
+		return nil, err
+	}
+
+	err := o.validateGrantOperation(principal, entitlement, l)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = o.upsertServiceAuthorizationForUser(entitlement.Resource.Id.Resource, principal.Id.Resource, revokedPermission, l)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}