Refactor Entitlements and Grants methods in teamResourceType to remove organization role handling. Showing the team > org_role entitlement looks good in the UI but provisioning fails since it's expecting team roles not org roles. We need to think about the right approach before emitting these entitlements

afalahi · afalahi · commit ba811ff78e20 · 2025-05-20T12:11:00.000-06:00
diff --git a/pkg/connector/team.go b/pkg/connector/team.go
@@ -3,7 +3,6 @@ package connector
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"strconv"
 	"strings"
 
@@ -129,10 +128,8 @@ func (o *teamResourceType) List(ctx context.Context, parentID *v2.ResourceId, pt
 	return rv, pageToken, reqAnnos, nil
 }
 
-func (o *teamResourceType) Entitlements(ctx context.Context, resource *v2.Resource, _ *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
+func (o *teamResourceType) Entitlements(_ context.Context, resource *v2.Resource, _ *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
 	rv := make([]*v2.Entitlement, 0, len(teamAccessLevels))
-
-	// Add team role entitlements
 	for _, level := range teamAccessLevels {
 		rv = append(
 			rv,
@@ -151,60 +148,6 @@ func (o *teamResourceType) Entitlements(ctx context.Context, resource *v2.Resour
 		)
 	}
 
-	// Get organization roles for this team
-	orgName, err := o.orgCache.GetOrgName(ctx, resource.ParentResourceId)
-	if err != nil {
-		return rv, "", nil, err
-	}
-
-	roles, resp, err := o.client.Organizations.ListRoles(ctx, orgName)
-	if err != nil {
-		// Handle permission errors gracefully
-		if resp != nil && (resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusNotFound) {
-			return rv, "", nil, nil // Return what we have so far if we don't have permission
-		}
-		return rv, "", nil, err
-	}
-
-	// Get team ID for checking role assignments
-	teamID, err := strconv.ParseInt(resource.Id.Resource, 10, 64)
-	if err != nil {
-		return rv, "", nil, err
-	}
-
-	// Add organization role entitlements only for roles the team is assigned to
-	for _, role := range roles.CustomRepoRoles {
-		// Check if team is assigned to this role
-		teams, resp, err := o.client.Organizations.ListTeamsAssignedToOrgRole(ctx, orgName, role.GetID(), nil)
-		if err != nil {
-			// Skip this role if we can't check assignments
-			if resp != nil && (resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusNotFound) {
-				continue
-			}
-			continue
-		}
-
-		// Check if this team is in the list of teams with this role
-		for _, team := range teams {
-			if team.GetID() == teamID {
-				rv = append(
-					rv,
-					entitlement.NewAssignmentEntitlement(
-						resource,
-						role.GetName(),
-						entitlement.WithDisplayName(role.GetName()),
-						entitlement.WithDescription(role.GetDescription()),
-						entitlement.WithAnnotation(&v2.V1Identifier{
-							Id: fmt.Sprintf("team:%s:org_role:%d", resource.Id.Resource, role.GetID()),
-						}),
-						entitlement.WithGrantableTo(resourceTypeUser),
-					),
-				)
-				break // Found the team, no need to check other teams
-			}
-		}
-	}
-
 	return rv, "", nil, nil
 }
 
@@ -278,57 +221,6 @@ func (o *teamResourceType) Grants(ctx context.Context, resource *v2.Resource, pT
 		))
 	}
 
-	// Get organization roles for this team
-	orgName, err := o.orgCache.GetOrgName(ctx, resource.ParentResourceId)
-	if err != nil {
-		return rv, pageToken, reqAnnos, err
-	}
-
-	roles, resp, err := o.client.Organizations.ListRoles(ctx, orgName)
-	if err != nil {
-		// Handle permission errors gracefully
-		if resp != nil && (resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusNotFound) {
-			return rv, pageToken, reqAnnos, nil // Return what we have so far if we don't have permission
-		}
-		return rv, pageToken, reqAnnos, err
-	}
-
-	// Add grants for organization roles
-	for _, role := range roles.CustomRepoRoles {
-		// Check if team is assigned to this role
-		teams, resp, err := o.client.Organizations.ListTeamsAssignedToOrgRole(ctx, orgName, role.GetID(), nil)
-		if err != nil {
-			// Skip this role if we can't check assignments
-			if resp != nil && (resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusNotFound) {
-				continue
-			}
-			continue
-		}
-
-		// Check if this team is in the list of teams with this role
-		for _, team := range teams {
-			if team.GetID() == githubID {
-				// Create a grant for each team member with this role
-				for _, user := range users {
-					ur, err := userResource(ctx, user, user.GetEmail(), nil)
-					if err != nil {
-						continue
-					}
-
-					rv = append(rv, grant.NewGrant(
-						resource,
-						role.GetName(),
-						ur.Id,
-						grant.WithAnnotation(&v2.V1Identifier{
-							Id: fmt.Sprintf("team-org-role-grant:%s:%d:%s", resource.Id.Resource, user.GetID(), role.GetName()),
-						}),
-					))
-				}
-				break // Found the team, no need to check other teams
-			}
-		}
-	}
-
 	return rv, pageToken, reqAnnos, nil
 }
 
