[BB-543] Implement user provisioning for Jira Datacenter

This commit adds user provisioning capability to the Jira Datacenter connector:
- Added CreateUserRequest model for the Jira API
- Implemented CreateUser method in the client
- Added AccountManager interface in userBuilder
- Implemented secure password generation
- Updated connector metadata and capabilities
- Added automatic default group assignment for new users

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: btipling

pkg/client/client.go

@@ -92,6 +92,7 @@ const (
 	allGroupsV2           = "rest/api/2/groups/picker"
 	allPermissionSchemeV2 = "rest/api/2/permissionscheme"
 	addUserToGroup        = "rest/api/2/group/user"
+	createUserPath        = "rest/api/2/user"
 	NF                    = -1
 )
 
@@ -684,3 +685,53 @@ func (client *Client) Myself(ctx context.Context) error {
 	defer resp.Body.Close()
 	return nil
 }
+
+// CreateUser creates a new user in Jira Datacenter
+// Returns the created user information.
+// https://developer.atlassian.com/server/jira/platform/rest/v2/api-group-user/#api-api-2-user-post
+func (client *Client) CreateUser(ctx context.Context, userRequest *CreateUserRequest) (*jira.User, error) {
+	var userData UsersAPIData
+
+	// Create the URL
+	endpointUrl, err := url.JoinPath(client.BaseURL, createUserPath)
+	if err != nil {
+		return nil, err
+	}
+
+	uri, err := url.Parse(endpointUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the request
+	req, err := client.httpClient.NewRequest(
+		ctx,
+		http.MethodPost,
+		uri,
+		uhttp.WithJSONBody(userRequest),
+		uhttp.WithAcceptJSONHeader(),
+		uhttp.WithContentTypeJSONHeader(),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Make the request
+	resp, err := client.httpClient.Do(req, uhttp.WithJSONResponse(&userData))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	// Convert to jira.User format
+	return &jira.User{
+		Self:         userData.Self,
+		Key:          userData.Key,
+		Name:         userData.Name,
+		EmailAddress: userData.EmailAddress,
+		DisplayName:  userData.DisplayName,
+		Active:       userData.Active,
+		TimeZone:     userData.TimeZone,
+		Locale:       userData.Locale,
+	}, nil
+}

pkg/client/model.go

@@ -129,6 +129,14 @@ type BodyActors struct {
 	Name  string   `json:"name,omitempty"`
 }
 
+type CreateUserRequest struct {
+	Name         string `json:"name"`
+	Password     string `json:"password"`
+	EmailAddress string `json:"emailAddress"`
+	DisplayName  string `json:"displayName"`
+	Notification bool   `json:"notification,string"`
+}
+
 type ActorsAPIData struct {
 	Self        string   `json:"self,omitempty"`
 	Name        string   `json:"name,omitempty"`

pkg/connector/connector.go

@@ -40,6 +40,40 @@ func (d *Connector) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error)
 	return &v2.ConnectorMetadata{
 		DisplayName: "Jira (Datacenter)",
 		Description: "Implements syncing, provisioning, and ticketing for Jira Datacenter instances",
+		AccountCreationSchema: &v2.ConnectorAccountCreationSchema{
+			FieldMap: map[string]*v2.ConnectorAccountCreationSchema_Field{
+				"email": {
+					DisplayName: "Email",
+					Required:    true,
+					Description: "User's email address (used for login)",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "user@example.com",
+					Order:       1,
+				},
+				"first_name": {
+					DisplayName: "First Name",
+					Required:    true,
+					Description: "User's first name",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "John",
+					Order:       2,
+				},
+				"last_name": {
+					DisplayName: "Last Name",
+					Required:    true,
+					Description: "User's last name",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "Doe",
+					Order:       3,
+				},
+			},
+		},
 	}, nil
 }
 

pkg/connector/users.go

@@ -2,14 +2,19 @@ package connector
 
 import (
 	"context"
+	"crypto/rand"
+	"fmt"
+	"math/big"
 
+	"github.com/conductorone/baton-jira-datacenter/pkg/client"
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
+	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
 	sdkResource "github.com/conductorone/baton-sdk/pkg/types/resource"
 	jira "github.com/conductorone/go-jira/v2/onpremise"
-
-	"github.com/conductorone/baton-jira-datacenter/pkg/client"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
 type userBuilder struct {
@@ -105,3 +110,146 @@ func newUserBuilder(client *client.Client) *userBuilder {
 		client: client,
 	}
 }
+
+// CreateAccountCapabilityDetails defines what credential options are supported by this connector.
+func (u *userBuilder) CreateAccountCapabilityDetails(ctx context.Context) (*v2.CredentialDetailsAccountProvisioning, annotations.Annotations, error) {
+	return &v2.CredentialDetailsAccountProvisioning{
+		SupportedCredentialOptions: []v2.CapabilityDetailCredentialOption{
+			v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_RANDOM_PASSWORD,
+		},
+		PreferredCredentialOption: v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_RANDOM_PASSWORD,
+	}, nil, nil
+}
+
+// generateRandomPassword creates a secure random password for new user accounts.
+func generateRandomPassword(length int) (string, error) {
+	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]"
+	if length < 8 {
+		length = 8 // Jira typically requires at least 8 characters
+	}
+
+	password := make([]byte, length)
+	for i := 0; i < length; i++ {
+		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
+		if err != nil {
+			return "", err
+		}
+		password[i] = charset[n.Int64()]
+	}
+
+	return string(password), nil
+}
+
+// CreateAccount provisions a new user in Jira Datacenter.
+func (u *userBuilder) CreateAccount(
+	ctx context.Context,
+	accountInfo *v2.AccountInfo,
+	credentialOptions *v2.CredentialOptions,
+) (connectorbuilder.CreateAccountResponse, []*v2.PlaintextData, annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	// Extract account information from the profile
+	profile := accountInfo.Profile.AsMap()
+
+	// Get required fields
+	email, ok := profile["email"].(string)
+	if !ok || email == "" {
+		return nil, nil, nil, fmt.Errorf("email is required")
+	}
+
+	firstName, _ := profile["first_name"].(string)
+	lastName, _ := profile["last_name"].(string)
+
+	// Create a display name from the first and last name
+	displayName := firstName
+	if lastName != "" {
+		displayName += " " + lastName
+	}
+
+	// If display name is empty, use email as display name
+	if displayName == "" {
+		displayName = email
+	}
+
+	// Generate username from email (common practice in Jira)
+	username := email
+
+	// Generate a password if needed
+	var password string
+	var plaintextData []*v2.PlaintextData
+
+	if credentialOptions.GetRandomPassword() != nil {
+		// Generate a random password
+		length := int(credentialOptions.GetRandomPassword().GetLength())
+		if length <= 0 {
+			length = 12 // Default length
+		}
+
+		var err error
+		password, err = generateRandomPassword(length)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("failed to generate password: %w", err)
+		}
+
+		// Return the password as plaintext data
+		plaintextData = append(plaintextData, &v2.PlaintextData{
+			Name:        "password",
+			Description: "Generated password for the new account",
+			Bytes:       []byte(password),
+		})
+	} else {
+		return nil, nil, nil, fmt.Errorf("random password is required for Jira user creation")
+	}
+
+	// Create the user request
+	userRequest := &client.CreateUserRequest{
+		Name:         username,
+		Password:     password,
+		EmailAddress: email,
+		DisplayName:  displayName,
+		Notification: false, // Set to false to avoid sending notification emails
+	}
+
+	// Call the API to create the user
+	user, err := u.client.CreateUser(ctx, userRequest)
+	if err != nil {
+		l.Error("failed to create user", zap.Error(err), zap.String("email", email))
+		return nil, nil, nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	l.Info("user created successfully",
+		zap.String("username", username),
+		zap.String("email", email),
+	)
+
+	// Add user to the default group if available
+	if u.client.DefaultGroupName != "" {
+		_, err = u.client.AddUserToGroup(ctx, u.client.DefaultGroupName, username)
+		if err != nil {
+			l.Warn("failed to add user to default group",
+				zap.String("group", u.client.DefaultGroupName),
+				zap.String("username", username),
+				zap.Error(err),
+			)
+			// Don't fail the whole operation if just the group assignment fails
+		} else {
+			l.Info("added user to default group",
+				zap.String("group", u.client.DefaultGroupName),
+				zap.String("username", username),
+			)
+		}
+	}
+
+	// Create a resource from the new user
+	resource, err := userResource(*user)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to create resource for new user: %w", err)
+	}
+
+	// Return success result with the new user resource
+	successResult := &v2.CreateAccountResponse_SuccessResult{
+		Resource: resource,
+	}
+
+	return successResult, plaintextData, nil, nil
+}