Merge pull request #5 from ConductorOne/jirwin/nofail-redundant-provisioning

If a user is already linked to a group, or no longer linked to a group, don't fail provisioning

Author: jirwin

.github/workflows/ci.yaml

@@ -54,9 +54,10 @@ jobs:
       # BATON_ACCESS_TOKEN: 'secret_token'
       # The following parameters are passed to grant/revoke commands
       # Change these to the correct IDs for your test data
-      CONNECTOR_GRANT: 'grant:entitlement:group:1234:member:user:9876'
-      CONNECTOR_ENTITLEMENT: 'entitlement:group:1234:member'
-      CONNECTOR_PRINCIPAL: 'user:9876'
+      BATON_FORMAL_API_KEY: ${{ secrets.BATON_FORMAL_API_KEY }}
+      CONNECTOR_GRANT: 'group:group_01hwv4ketae9vsa36rafvkn8mr:member:user:user_01hw3ydazpetds0xzgayvpc2vw'
+      CONNECTOR_ENTITLEMENT: 'group:group_01hwv4ketae9vsa36rafvkn8mr:member'
+      CONNECTOR_PRINCIPAL: 'user_01hw3ydazpetds0xzgayvpc2vw'
       CONNECTOR_PRINCIPAL_TYPE: 'user'
     steps:
       - name: Install Go
@@ -97,8 +98,11 @@ jobs:
         # Change the grant arguments to the correct IDs for your test data
         run: ./baton-formal --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" --grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"
 
-      - name: Check grant was re-granted
+      - name: resync
+        run: ./baton-formal
 
+      - name: Check grant was re-granted
         run:
-          baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""
+          baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq  ".grants[].principal.id.resource == \"user_01hw3ydazpetds0xzgayvpc2vw\""
+
 

pkg/connector/groups.go

@@ -2,6 +2,7 @@ package connector
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	corev1 "buf.build/gen/go/formal/core/protocolbuffers/go/core/v1"
@@ -12,6 +13,8 @@ import (
 	ent "github.com/conductorone/baton-sdk/pkg/types/entitlement"
 	"github.com/conductorone/baton-sdk/pkg/types/grant"
 	"github.com/formalco/go-sdk/sdk/v2"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
 type groupBuilder struct {
@@ -118,6 +121,7 @@ func (o *groupBuilder) Grants(ctx context.Context, resource *v2.Resource, pToken
 }
 
 func (o *groupBuilder) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
 	if principal.Id.ResourceType != userResourceType.Id {
 		return nil, fmt.Errorf("only users can have group link granted")
 	}
@@ -129,6 +133,18 @@ func (o *groupBuilder) Grant(ctx context.Context, principal *v2.Resource, entitl
 
 	response, err := o.client.GroupServiceClient.CreateUserGroupLink(ctx, request)
 	if err != nil {
+		var connectErr *connect.Error
+		if errors.As(err, &connectErr) {
+			if connectErr.Code() == connect.CodeAlreadyExists {
+				l.Debug(
+					"group link already exists, returning successfully",
+					zap.String("principal", principal.Id.Resource),
+					zap.String("entitlement", entitlement.Resource.Id.Resource),
+				)
+				return nil, nil
+			}
+		}
+
 		return nil, fmt.Errorf("GroupServiceClient.CreateUserGroupLink error: %w", err)
 	}
 
@@ -140,6 +156,7 @@ func (o *groupBuilder) Grant(ctx context.Context, principal *v2.Resource, entitl
 }
 
 func (o *groupBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
 	if grant.Principal.Id.ResourceType != userResourceType.Id {
 		return nil, fmt.Errorf("only users can have group link revoked")
 	}
@@ -189,7 +206,13 @@ func (o *groupBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations
 	if err != nil {
 		return nil, fmt.Errorf("rateLimitAnnotations error: %w", err)
 	}
-	return rateLimit, fmt.Errorf("user is not linked to group")
+
+	l.Debug(
+		"group link not found, returning successfully",
+		zap.String("principal", grant.Principal.Id.Resource),
+		zap.String("entitlement", grant.Entitlement.Resource.Id.Resource),
+	)
+	return rateLimit, nil
 }
 
 func newGroupBuilder(client *sdk.FormalSDK) *groupBuilder {