added working sync secrets

Author: aldevv

Makefile

@@ -27,3 +27,5 @@ add-dep:
 lint:
 	golangci-lint run
 
+run:
+	go run ./cmd/baton-github

README.md

@@ -45,6 +45,11 @@ baton resources
 
 By default, `baton-github` will sync information from any organizations that the provided credential has Administrator permissions on. You can specify exactly which organizations you would like to sync using the `--orgs` flag.
 
+# Sync Secrets
+in order to sync secrets, you must use a token created using a github app installed into your organization, more info here:  
+- [docs](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app)
+- [rest api](https://docs.github.com/rest/orgs/personal-access-tokens#list-fine-grained-personal-access-tokens-with-access-to-organization-resources)
+
 # Contributing, Support and Issues
 
 We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!
@@ -63,21 +68,25 @@ Usage:
 Available Commands:
   capabilities       Get connector capabilities
   completion         Generate the autocompletion script for the specified shell
+  config             Get connector config
   help               Help about any command
 
 Flags:
-      --client-id string       The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
-      --client-secret string   The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
-  -f, --file string            The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
-  -h, --help                   help for baton-github
-      --instance-url string    The GitHub instance URL to connect to. (default "https://github.com") ($BATON_INSTANCE_URL)
-      --log-format string      The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
-      --log-level string       The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
-      --orgs strings           Limit syncing to specific organizations. ($BATON_ORGS)
-  -p, --provisioning           This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
-      --ticketing              This must be set to enable ticketing support ($BATON_TICKETING)
-      --token string           required: The GitHub access token used to connect to the GitHub API. ($BATON_TOKEN)
-  -v, --version                version for baton-github
+      --client-id string                 The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
+      --client-secret string             The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
+  -f, --file string                      The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
+  -h, --help                             help for baton-github
+      --instance-url string              The GitHub instance URL to connect to. (default "https://github.com") ($BATON_INSTANCE_URL)
+      --log-format string                The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
+      --log-level string                 The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
+      --orgs strings                     Limit syncing to specific organizations. ($BATON_ORGS)
+      --otel-collector-endpoint string   The endpoint of the OpenTelemetry collector to send observability data to ($BATON_OTEL_COLLECTOR_ENDPOINT)
+  -p, --provisioning                     This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
+      --skip-full-sync                   This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
+      --sync-secrets                     Whether to sync secrets or not ($BATON_SYNC_SECRETS)
+      --ticketing                        This must be set to enable ticketing support ($BATON_TICKETING)
+      --token string                     required: The GitHub access token used to connect to the GitHub API. ($BATON_TOKEN)
+  -v, --version                          version for baton-github
 
 Use "baton-github [command] --help" for more information about a command.
 ```

go.mod

@@ -7,7 +7,6 @@ toolchain go1.23.4
 require (
 	github.com/conductorone/baton-sdk v0.2.70
 	github.com/deckarep/golang-set/v2 v2.7.0
-	github.com/google/go-github/v63 v63.0.0
 	github.com/google/go-github/v69 v69.2.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/migueleliasweb/go-github-mock v0.0.23

go.sum

@@ -114,8 +114,6 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v59 v59.0.0 h1:7h6bgpF5as0YQLLkEiVqpgtJqjimMYhBkD4jT5aN3VA=
 github.com/google/go-github/v59 v59.0.0/go.mod h1:rJU4R0rQHFVFDOkqGWxfLNo6vEk4dv40oDjhV/gH6wM=
-github.com/google/go-github/v63 v63.0.0 h1:13xwK/wk9alSokujB9lJkuzdmQuVn2QCPeck76wR3nE=
-github.com/google/go-github/v63 v63.0.0/go.mod h1:IqbcrgUmIcEaioWrGYei/09o+ge5vhffGOcxrO0AfmA=
 github.com/google/go-github/v69 v69.2.0 h1:wR+Wi/fN2zdUx9YxSmYE0ktiX9IAR/BeePzeaUUbEHE=
 github.com/google/go-github/v69 v69.2.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=

pkg/connector/api_token.go

@@ -14,18 +14,28 @@ import (
 
 func apiTokenResource(ctx context.Context, token *github.PersonalAccessToken) (*v2.Resource, error) {
 	userId := token.Owner.GetID()
-	options := []resourceSdk.SecretTraitOption{
+
+	options := []resourceSdk.SecretTraitOption{}
+	options = append(options,
 		resourceSdk.WithSecretCreatedByID(&v2.ResourceId{
 			ResourceType:  resourceTypeUser.Id,
 			Resource:      strconv.FormatInt(userId, 10),
 			BatonResource: false,
-		}),
-		resourceSdk.WithSecretLastUsedAt(token.TokenLastUsedAt.Time),
-		resourceSdk.WithSecretCreatedAt(token.AccessGrantedAt.Time),
-		resourceSdk.WithSecretExpiresAt(token.TokenExpiresAt.Time),
+		}))
+
+	if token.TokenLastUsedAt != nil {
+		options = append(options, resourceSdk.WithSecretLastUsedAt(token.TokenLastUsedAt.Time))
+	}
+
+	if token.AccessGrantedAt != nil {
+		options = append(options, resourceSdk.WithSecretCreatedAt(token.AccessGrantedAt.Time))
+	}
+
+	if token.TokenExpiresAt != nil {
+		options = append(options, resourceSdk.WithSecretExpiresAt(token.TokenExpiresAt.Time))
 	}
 	rv, err := resourceSdk.NewSecretResource(
-		*token.TokenName,
+		token.GetTokenName(),
 		resourceTypeApiToken,
 		token.GetID(),
 		options,
@@ -113,11 +123,10 @@ func (o *apiTokenResourceType) List(
 	return rv, pageToken, annotations, nil
 }
 
-func apiTokenBuilder(client *github.Client, hasSAMLEnabled *bool, graphqlClient *githubv4.Client, orgCache *orgNameCache) *userResourceType {
-	return &userResourceType{
-		resourceType:   resourceTypeUser,
+func apiTokenBuilder(client *github.Client, hasSAMLEnabled *bool, orgCache *orgNameCache) *apiTokenResourceType {
+	return &apiTokenResourceType{
+		resourceType:   resourceTypeApiToken,
 		client:         client,
-		graphqlClient:  graphqlClient,
 		hasSAMLEnabled: hasSAMLEnabled,
 		orgCache:       orgCache,
 	}

pkg/connector/connector.go

@@ -78,14 +78,14 @@ type GitHub struct {
 
 func (gh *GitHub) ResourceSyncers(ctx context.Context) []connectorbuilder.ResourceSyncer {
 	resourceSyncers := []connectorbuilder.ResourceSyncer{
-		orgBuilder(gh.client, gh.orgCache, gh.orgs),
+		orgBuilder(gh.client, gh.orgCache, gh.orgs, gh.syncSecrets),
 		teamBuilder(gh.client, gh.orgCache),
 		userBuilder(gh.client, gh.hasSAMLEnabled, gh.graphqlClient, gh.orgCache),
 		repositoryBuilder(gh.client, gh.orgCache),
 	}
 
 	if gh.syncSecrets {
-		resourceSyncers = append(resourceSyncers, apiTokenBuilder(gh.client, gh.hasSAMLEnabled, gh.graphqlClient, gh.orgCache))
+		resourceSyncers = append(resourceSyncers, apiTokenBuilder(gh.client, gh.hasSAMLEnabled, gh.orgCache))
 	}
 	return resourceSyncers
 }

pkg/connector/org.go

@@ -16,6 +16,7 @@ import (
 	"github.com/google/go-github/v69/github"
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
 	"go.uber.org/zap"
+	"google.golang.org/protobuf/proto"
 )
 
 const (
@@ -34,25 +35,34 @@ type orgResourceType struct {
 	client       *github.Client
 	orgs         map[string]struct{}
 	orgCache     *orgNameCache
+	syncSecrets  bool
 }
 
 func organizationResource(
 	ctx context.Context,
 	org *github.Organization,
 	parentResourceID *v2.ResourceId,
+	syncSecrets bool,
 ) (*v2.Resource, error) {
+
+	annotations := []proto.Message{
+		&v2.ExternalLink{Url: org.GetHTMLURL()},
+		&v2.V1Identifier{Id: fmt.Sprintf("org:%d", org.GetID())},
+		&v2.ChildResourceType{ResourceTypeId: resourceTypeUser.Id},
+		&v2.ChildResourceType{ResourceTypeId: resourceTypeTeam.Id},
+		&v2.ChildResourceType{ResourceTypeId: resourceTypeRepository.Id},
+	}
+	if syncSecrets {
+		annotations = append(annotations, &v2.ChildResourceType{ResourceTypeId: resourceTypeApiToken.Id})
+	}
+
 	return resource.NewResource(
 		org.GetLogin(),
 		resourceTypeOrg,
 		org.GetID(),
 		resource.WithParentResourceID(parentResourceID),
 		resource.WithAnnotation(
-			&v2.ExternalLink{Url: org.GetHTMLURL()},
-			&v2.V1Identifier{Id: fmt.Sprintf("org:%d", org.GetID())},
-			&v2.ChildResourceType{ResourceTypeId: resourceTypeUser.Id},
-			&v2.ChildResourceType{ResourceTypeId: resourceTypeTeam.Id},
-			&v2.ChildResourceType{ResourceTypeId: resourceTypeRepository.Id},
-			&v2.ChildResourceType{ResourceTypeId: resourceTypeApiToken.Id},
+			annotations...,
 		),
 	)
 }
@@ -112,7 +122,7 @@ func (o *orgResourceType) List(
 			continue
 		}
 
-		orgResource, err := organizationResource(ctx, org, parentResourceID)
+		orgResource, err := organizationResource(ctx, org, parentResourceID, o.syncSecrets)
 		if err != nil {
 			return nil, "", nil, err
 		}
@@ -374,7 +384,7 @@ func (o *orgResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotati
 	return nil, nil
 }
 
-func orgBuilder(client *github.Client, orgCache *orgNameCache, orgs []string) *orgResourceType {
+func orgBuilder(client *github.Client, orgCache *orgNameCache, orgs []string, syncSecrets bool) *orgResourceType {
 	orgMap := make(map[string]struct{})
 
 	for _, o := range orgs {
@@ -386,5 +396,6 @@ func orgBuilder(client *github.Client, orgCache *orgNameCache, orgs []string) *o
 		orgs:         orgMap,
 		client:       client,
 		orgCache:     orgCache,
+		syncSecrets:  syncSecrets,
 	}
 }

pkg/connector/org_test.go

@@ -23,9 +23,9 @@ func TestOrganization(t *testing.T) {
 
 		githubClient := github.NewClient(mgh.Server())
 		cache := newOrgNameCache(githubClient)
-		client := orgBuilder(githubClient, cache, nil)
+		client := orgBuilder(githubClient, cache, nil, false)
 
-		organization, _ := organizationResource(ctx, githubOrganization, nil)
+		organization, _ := organizationResource(ctx, githubOrganization, nil, false)
 		user, _ := userResource(ctx, githubUser, *githubUser.Email, nil)
 
 		entitlement := v2.Entitlement{

pkg/connector/repository_test.go

@@ -26,7 +26,7 @@ func TestRepository(t *testing.T) {
 		cache := newOrgNameCache(githubClient)
 		client := repositoryBuilder(githubClient, cache)
 
-		organization, _ := organizationResource(ctx, githubOrganization, nil)
+		organization, _ := organizationResource(ctx, githubOrganization, nil, false)
 		repository, _ := repositoryResource(ctx, githubRepository, organization.Id)
 		user, _ := userResource(ctx, githubUser, *githubUser.Email, nil)
 

pkg/connector/team_test.go

@@ -26,7 +26,7 @@ func TestTeam(t *testing.T) {
 		cache := newOrgNameCache(githubClient)
 		client := teamBuilder(githubClient, cache)
 
-		organization, _ := organizationResource(ctx, githubOrganization, nil)
+		organization, _ := organizationResource(ctx, githubOrganization, nil, false)
 		team, _ := teamResource(githubTeam, organization.Id)
 		user, _ := userResource(ctx, githubUser, *githubUser.Email, nil)