Merge pull request #81 from ConductorOne/ggreer/group-grant-expansion

ggreer · web-flow · commit 1a4b9b8edf04 · 2024-11-19T16:44:16.000-08:00
Add support for groups being members of groups.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -88,11 +88,27 @@ jobs:
         run: node ./scripts/ldif.js && ls -la
       - name: Import ldif into openldap
         run: ./scripts/import.sh
+      - name: Install baton
+        run: ./scripts/get-baton.sh && mv baton /usr/local/bin
       - name: Build baton-ldap
         run: go build ./cmd/baton-ldap
       - name: Run baton-ldap
         run: ./baton-ldap
-      - name: Revoke grants
-        run: ./baton-ldap --revoke-grant 'group:cn=testgroup00000,dc=example,dc=org:member:user:cn=testuser00099@example.com,dc=example,dc=org' && ./baton-ldap --revoke-grant 'group:cn=othertestgroup00000,dc=example,dc=org:member:user:cn=testuser00099@example.com,dc=example,dc=org'
-      - name: Grant entitlements
-        run: ./baton-ldap --grant-entitlement 'group:cn=testgroup00000,dc=example,dc=org:member' --grant-principal 'cn=testuser00099@example.com,dc=example,dc=org' --grant-principal-type 'user' && ./baton-ldap --grant-entitlement 'group:cn=othertestgroup00000,dc=example,dc=org:member' --grant-principal 'cn=testuser00099@example.com,dc=example,dc=org' --grant-principal-type 'user'
+      - name: List grants
+        run: baton grants
+      - name: Test grant/revoking posixGroup entitlements
+        env:
+          BATON: baton
+          BATON_LDAP: ./baton-ldap
+          BATON_ENTITLEMENT: "group:cn=testgroup00000,dc=example,dc=org:member"
+          BATON_PRINCIPAL: "cn=testuser00099@example.com,dc=example,dc=org"
+          BATON_PRINCIPAL_TYPE: "user"
+        run: ./scripts/grant-revoke.sh
+      - name: Test grant/revoking groupOfUniqueNames entitlements
+        env:
+          BATON: baton
+          BATON_LDAP: ./baton-ldap
+          BATON_ENTITLEMENT: "group:cn=othertestgroup00000,dc=example,dc=org:member"
+          BATON_PRINCIPAL: "cn=testuser00099@example.com,dc=example,dc=org"
+          BATON_PRINCIPAL_TYPE: "user"
+        run: ./scripts/grant-revoke.sh
diff --git a/pkg/connector/group.go b/pkg/connector/group.go
@@ -19,6 +19,17 @@ import (
 	"golang.org/x/exp/slices"
 )
 
+var objectClassesToResourceTypes = map[string]*v2.ResourceType{
+	"group":                resourceTypeGroup,
+	"groupOfNames":         resourceTypeGroup,
+	"groupOfUniqueNames":   resourceTypeGroup,
+	"inetOrgPerson":        resourceTypeUser,
+	"posixGroup":           resourceTypeGroup,
+	"organizationalPerson": resourceTypeUser,
+	"person":               resourceTypeUser,
+	"user":                 resourceTypeUser,
+}
+
 const (
 	groupObjectClasses = "(objectClass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=group)"
 	groupFilter        = "(|" + groupObjectClasses + ")"
@@ -146,22 +157,49 @@ func (g *groupResourceType) Entitlements(ctx context.Context, resource *v2.Resou
 }
 
 // newGrantFromDN - create a `Grant` from a given group and user distinguished name.
-func newGrantFromDN(resource *v2.Resource, userDN string) *v2.Grant {
+func newGrantFromDN(groupResource *v2.Resource, dn string, resourceType *v2.ResourceType) *v2.Grant {
+	grantOpts := []grant.GrantOption{}
+	if resourceType == resourceTypeGroup {
+		grantOpts = append(grantOpts, grant.WithAnnotation(&v2.GrantExpandable{
+			EntitlementIds: []string{
+				fmt.Sprintf("group:%s:member", dn),
+			},
+		}))
+	}
 	g := grant.NewGrant(
 		// remove group profile from grant so we're not saving all group memberships in every grant
 		&v2.Resource{
-			Id: resource.Id,
+			Id: groupResource.Id,
 		},
 		groupMemberEntitlement,
 		// remove user profile from grant so we're not saving repetitive user info in every grant
 		&v2.ResourceId{
-			ResourceType: resourceTypeUser.Id,
-			Resource:     userDN,
+			ResourceType: resourceType.Id,
+			Resource:     dn,
 		},
+		grantOpts...,
 	)
 	return g
 }
 
+func newGrantFromEntry(groupResource *v2.Resource, entry *ldap3.Entry) *v2.Grant {
+	var dn string
+	parsedDN, err := ldap.CanonicalizeDN(entry.DN)
+	if err == nil {
+		dn = parsedDN.String()
+	} else {
+		dn = entry.DN
+	}
+
+	for _, objectClass := range entry.GetAttributeValues("objectClass") {
+		if resourceType, ok := objectClassesToResourceTypes[objectClass]; ok {
+			return newGrantFromDN(groupResource, dn, resourceType)
+		}
+	}
+
+	return newGrantFromDN(groupResource, dn, resourceTypeUser)
+}
+
 func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, token *pagination.Token) ([]*v2.Grant, string, annotations.Annotations, error) {
 	l := ctxzap.Extract(ctx)
 	groupDN, err := ldap.CanonicalizeDN(resource.Id.Resource)
@@ -196,7 +234,25 @@ func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, t
 	for memberId := range memberIDs.Iter() {
 		parsedDN, err := ldap.CanonicalizeDN(memberId)
 		if err == nil {
-			g := newGrantFromDN(resource, parsedDN.String())
+			member, _, err := g.client.LdapSearch(
+				ctx,
+				ldap3.ScopeWholeSubtree,
+				parsedDN,
+				"",
+				nil,
+				"",
+				1,
+			)
+			if err != nil {
+				l.Error("ldap-connector: failed to get group member", zap.String("group", groupDN.String()), zap.String("member_id", memberId), zap.Error(err))
+			}
+			var g *v2.Grant
+			if len(member) == 1 {
+				g = newGrantFromEntry(resource, member[0])
+			} else {
+				// Fall back to creating a grant and assuming it's for a user.
+				g = newGrantFromDN(resource, parsedDN.String(), resourceTypeUser)
+			}
 			rv = append(rv, g)
 			continue
 		}
@@ -208,7 +264,7 @@ func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, t
 		if memberDN == "" {
 			continue
 		}
-		g := newGrantFromDN(resource, memberDN)
+		g := newGrantFromDN(resource, memberDN, resourceTypeUser)
 		rv = append(rv, g)
 	}
 
@@ -238,7 +294,7 @@ func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, t
 				l.Error("ldap-connector: invalid user DN", zap.String("user_dn", userEntry.DN), zap.Error(err))
 				continue
 			}
-			g := newGrantFromDN(resource, userDN.String())
+			g := newGrantFromDN(resource, userDN.String(), resourceTypeUser)
 			rv = append(rv, g)
 		}
 		if nextPage == "" {
diff --git a/scripts/get-baton.sh b/scripts/get-baton.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+if [ "${ARCH}" = "x86_64" ]; then
+  ARCH="amd64"
+fi
+
+RELEASES_URL="https://api.github.com/repos/conductorone/baton/releases/latest"
+BASE_URL="https://github.com/conductorone/baton/releases/download"
+
+DOWNLOAD_URL=$(curl "${RELEASES_URL}" | jq --raw-output ".assets[].browser_download_url | match(\"${BASE_URL}/v[.0-9]+/baton-v[.0-9]+-${OS}-${ARCH}.*\"; \"i\").string")
+
+FILENAME=$(basename ${DOWNLOAD_URL})
+
+curl -LO ${DOWNLOAD_URL}
+tar xzf ${FILENAME}
diff --git a/scripts/grant-revoke.sh b/scripts/grant-revoke.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -exo pipefail
+
+if [ -z "$BATON_LDAP" ]; then
+  echo "BATON_LDAP not set. using baton-ldap"
+  BATON_LDAP=baton-ldap
+fi
+if [ -z "$BATON" ]; then
+  echo "BATON not set. using baton"
+  BATON=baton
+fi
+
+# Error on unbound variables now that we've set BATON & BATON_LDAP
+set -u
+
+# Sync
+$BATON_LDAP
+
+# Grant entitlement
+$BATON_LDAP --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check for grant before revoking
+$BATON_LDAP
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
+
+# Grant already-granted entitlement
+$BATON_LDAP --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Get grant ID
+BATON_GRANT=$($BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --raw-output --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ).grant.id")
+
+# Revoke grant
+$BATON_LDAP --revoke-grant="$BATON_GRANT"
+
+# Revoke already-revoked grant
+$BATON_LDAP --revoke-grant="$BATON_GRANT"
+
+# Check grant was revoked
+$BATON_LDAP
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status "if .grants then [ .grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ) ] | length == 0 else . end"
+
+# Re-grant entitlement
+$BATON_LDAP --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check grant was re-granted
+$BATON_LDAP
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
