Upgrade baton-sdk.

[ggreer]

Use crypto.GeneratePassword() instead of one-off functions.

Summary by CodeRabbit

• New Features

  • Account creation now generates strong local credentials and returns the one-time plaintext password for immediate use.
  • Improved reliability of password generation during user setup.

• Chores

  • Updated underlying SDK dependency to the latest minor version for improved compatibility and stability.

[coderabbitai]

Walkthrough

Updated dependency to baton-sdk v0.4.2. Refactored user account creation to use centralized crypto password generation, changed credential options type to LocalCredentialOptions, and now returns plaintext password data. Added interface conformance assertion for userBuilder.

Changes

Cohort / File(s)	Summary
Dependencies go.mod	Bump github.com/conductorone/baton-sdk from v0.3.57 to v0.4.2.
User account creation flow pkg/connector/users.go	Replace custom random password logic with crypto.GeneratePassword(ctx, credentialOptions); change CreateAccount signature to accept *v2.LocalCredentialOptions; return plaintext password data; remove crypto/rand, math/big imports; add var _ connectorbuilder.AccountManager = &userBuilder{} assertion.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller
  participant userBuilder
  participant Crypto as crypto.GeneratePassword
  participant SDK as Baton SDK / Directory

  Caller->>userBuilder: CreateAccount(accountInfo, LocalCredentialOptions)
  userBuilder->>Crypto: GeneratePassword(ctx, options)
  Crypto-->>userBuilder: password
  userBuilder->>SDK: Provision account (accountInfo, credential)
  SDK-->>userBuilder: CreateAccountResponse
  userBuilder-->>Caller: (response, [plaintext password], annotations)
  note over userBuilder,Crypto: Password generation centralized via crypto utility

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• laurenleach
• btipling

Poem

I thump my paw—new bytes to see,
A password blooms cryptographically.
Hop, hop! The builder nods in time,
Local creds align just fine.
SDK updated, whiskers twitch—
Plaintext handed, switch by switch. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Upgrade baton-sdk." is concise and directly reflects the primary change in this PR—a dependency upgrade of the baton SDK and related code updates (notably switching to crypto.GeneratePassword and associated API adjustments), so it accurately summarizes the main intent and is clear for history scanning.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ggreer/upgrade-baton-sdk

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/connector/users.go (2)

150-160: Treat NotFound distinctly from other GetUser errors before creating an account.

Current logic may attempt creation on transient lookup errors (network, 500), risking duplicates or confusing failures.

• Only proceed to creation when the error is definitively “not found”.
• For other errors, return early.
  If the client exposes helpers (e.g., client.IsNotFound(err)), use them; otherwise map Jira’s HTTP 404 explicitly from the client layer.

Also applies to: 171-178

---

192-201: Fix: require non‑nil RandomPassword options and zero sensitive password

baton-sdk v0.4.2 crypto.GeneratePassword requires a non‑nil *v2.LocalCredentialOptions with RandomPassword set — passing nil will return an error. Ensure you supply minimal RandomPassword defaults and reduce lifetime of plaintext in memory.

Locations: pkg/connector/users.go:192-201 (also 203-217, 219-229)

• Guard/populate before call: if credentialOptions == nil || credentialOptions.RandomPassword == nil { set a minimal RandomPassword (e.g. Length = 20) }.
• After appending plaintextData, overwrite/clear the plaintext byte slice and set password = "" (best-effort to reduce sensitive-data lifetime).

🧹 Nitpick comments (4)

pkg/connector/users.go (4)

11-11: Avoid shadowing the standard library “crypto” package; alias the baton import.

Using the bare name crypto for an SDK package can confuse future maintainers if std crypto/* is later imported.

@@
-	"github.com/conductorone/baton-sdk/pkg/crypto"
+	c1crypto "github.com/conductorone/baton-sdk/pkg/crypto"
@@
-		password, err := crypto.GeneratePassword(ctx, credentialOptions)
+		password, err := c1crypto.GeneratePassword(ctx, credentialOptions)

Also applies to: 192-196

---

182-190: Trim display name to avoid leading/trailing whitespace.

When only one of first/last name is present, the current concat can produce a leading space.

@@
-		displayName := firstName
-		if lastName != "" {
-			displayName += " " + lastName
-		}
+		displayName := strings.TrimSpace(firstName + " " + lastName)
@@
 		// If display name is empty, use email as display name

And add:

@@
 import (
 	"context"
 	"fmt"
+	"strings"

---

47-52: Duplicate email trait addition; collapse to a single conditional.

WithEmail is added unconditionally and then again when non‑empty. Keep one conditional addition to avoid duplicates.

@@
 	userTraitOpts = []sdkResource.UserTraitOption{
 		sdkResource.WithUserProfile(profile),
 		sdkResource.WithStatus(userStatus),
 		sdkResource.WithUserLogin(u.EmailAddress),
-		sdkResource.WithEmail(u.EmailAddress, true),
 	}
@@
-	if u.EmailAddress != "" {
-		userTraitOpts = append(userTraitOpts, sdkResource.WithEmail(u.EmailAddress, true))
-	}
+	if u.EmailAddress != "" {
+		userTraitOpts = append(userTraitOpts, sdkResource.WithEmail(u.EmailAddress, true))
+	}

Also applies to: 62-64

---

231-247: Optional: gate default‑group add on successful creation to avoid noisy retries.

If the account pre‑exists, adding to the default group each time can spam logs on idempotent retries. Consider adding only on create, or handle AlreadyExists distinctly.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2de7a66 and fc9252f.

⛔ Files ignored due to path filters (36)

• .github/workflows/ci.yaml is excluded by none and included by none
• go.sum is excluded by !**/*.sum and included by none
• scripts/get-baton.sh is excluded by none and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/annotation_sync_id.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/annotation_sync_id.pb.validate.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/connector.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/resource.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/resource.pb.validate.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connectorapi/baton/v1/session.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connectorapi/baton/v1/session.pb.validate.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connectorapi/baton/v1/session_grpc.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/annotations/annotations.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/cli/cli.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/cli/commands.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/cli/lambda_server__added.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/connectorbuilder/connectorbuilder.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/crypto/client_secret.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/crypto/crypto.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/crypto/password.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/crypto/providers/jwk/jwk.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/crypto/providers/registry.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/dotc1z/c1file.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/lambda/grpc/config/config.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/provisioner/provisioner.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/session/README.md is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/session/grpc_session.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/session/json.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/session/memory.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/session/session.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/sync/client_wrapper.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/sync/syncer.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/types/session_cache.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/ugrpc/c1_credential_provider.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/ugrpc/interceptors.go is excluded by !vendor/** and included by none
• vendor/modules.txt is excluded by !vendor/** and included by none

📒 Files selected for processing (2)

• go.mod (1 hunks)
• pkg/connector/users.go (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Cursor Bugbot
• GitHub Check: test

🔇 Additional comments (3)

pkg/connector/users.go (2)

23-24: LGTM: compile‑time interface conformance assertion.

Good safeguard to track breaking changes from baton-sdk upgrades.

---

126-131: Signature shift to LocalCredentialOptions and plaintext return — verified. Repo search found only the updated CreateAccount signature in pkg/connector/users.go; no remaining references to *v2.CredentialOptions or callers expecting a two‑value return were found.

go.mod (1)

6-6: Tidy failed — resolve missing module and re-run checks.

go mod tidy aborted with: "no matching versions for query 'latest'" for github.com/conductorone/baton-jira-datacenter/pb/c1/connector/v2, so tidy didn’t complete and I could not verify the baton-sdk v0.4.2 API changes.

• Fix the missing module (add correct version, add a go.mod replace, or ensure the module is available) and run:
  • go mod tidy
  • rg -n --type go '\bLocalCredentialOptions\b|\bPlaintextData\b|\bGeneratePassword\b'
  • go list -m all | rg 'github.com/conductorone/baton-sdk'
• Confirm CreateAccount API changes (LocalCredentialOptions, PlaintextData) are adopted and update code/tests if needed.