[BB-686] Add User Provisioning to LDAP Connector (#116)

* Add LdapAdd

* Stub account creation

* Rough implementation

* Tweak create account parameters

* Update README.md

* add rdnValue back

* Add ci test for account provisioning

* adjust placeholders and default values

Author: johnallers

.github/workflows/ci.yaml

@@ -112,3 +112,20 @@ jobs:
           BATON_PRINCIPAL: "cn=testuser00099@example.com,dc=example,dc=org"
           BATON_PRINCIPAL_TYPE: "user"
         run: ./scripts/grant-revoke.sh
+
+      - name: Create account
+        env:
+          ACCOUNT_DISPLAYNAME: 'Example User'
+          CREATE_ACCOUNT_FLAGS: >-
+              --create-account-login="example-user"
+              --create-account-profile='{"rdnKey":"cn","rdnValue":"example-user","path":"","suffix":"dc=example,dc=org","objectClass":["top","person"],"additionalAttributes":{"cn":"Example User","sn":"User"}}'
+              
+        run: ./baton-ldap ${{ env.CREATE_ACCOUNT_FLAGS }} 
+
+      - name: Check account was created
+        id: check_account
+        run: |
+          ./baton-ldap
+          CREATED_ACCOUNT_ID=$(baton resources --output-format=json | jq -r --arg name "Example User" '.resources[] | select(.resource.displayName == $name) | .resource.id.resource')
+          echo "account_id=$CREATED_ACCOUNT_ID" >> $GITHUB_OUTPUT
+          [ -n "$CREATED_ACCOUNT_ID" ]

README.md

@@ -44,6 +44,14 @@ brew install conductorone/baton/baton conductorone/baton/baton-ldap
 
 Use `baton-ldap --help` to see all configuration flags and environment variables.
 
+## --create-account
+
+To provision an account from the command line, you'll need to provide the login, email, and account profile. For example:
+
+```
+.\baton-ldap.exe --base-dn "DC=baton-dev,DC=d2,DC=ductone,DC=com" --password "password" -p --create-account-login 'example-user' --create-account-profile "{\"rdnKey\":\"uid\",\"path\":\"cn=staged users,cn=accounts,cn=provisioning\",\"suffix\":\"dc=example,dc=test\",\"objectClass\":[\"top\",\"person\",\"organizationalperson\",\"posixAccount\"],\"additionalAttributes\":{\"cn\":\"Example User\",\"sn\":\"User\",\"homeDirectory\":\"\",\"uidNumber\":\"-1\",\"gidNumber\":\"-1\"}}"'
+```
+
 # Developing baton-ldap
 
 ## How to test with Docker Compose

pkg/connector/connector.go

@@ -57,9 +57,70 @@ func (l *LDAP) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
 		DisplayName: "LDAP",
 		// TODO: add better description
 		Description: "LDAP connector for Baton",
+
+		AccountCreationSchema: schema(),
 	}, nil
 }
 
+func schema() *v2.ConnectorAccountCreationSchema {
+	return &v2.ConnectorAccountCreationSchema{
+		FieldMap: map[string]*v2.ConnectorAccountCreationSchema_Field{
+			"rdnKey": {
+				DisplayName: "RDN Key",
+				Required:    true,
+				Field:       &v2.ConnectorAccountCreationSchema_Field_StringField{},
+				Description: "The RDN key to use for the user.",
+				Placeholder: "cn, uid, etc.",
+				Order:       1,
+			},
+			"rdnValue": {
+				DisplayName: "RDN Value",
+				Required:    true,
+				Field:       &v2.ConnectorAccountCreationSchema_Field_StringField{},
+				Description: "The RDN value to use for the user.",
+				Placeholder: "JaneDoe",
+				Order:       2,
+			},
+			"path": {
+				DisplayName: "Path",
+				Required:    true,
+				Field:       &v2.ConnectorAccountCreationSchema_Field_StringField{},
+				Description: "The path to create the user in.",
+				Order:       3,
+				Placeholder: "ou=users",
+			},
+			"suffix": {
+				DisplayName: "Suffix",
+				Required:    true,
+				Field:       &v2.ConnectorAccountCreationSchema_Field_StringField{},
+				Description: "The top level entry DN (naming context) to create the user in.",
+				Order:       4,
+				Placeholder: "dc=example,dc=org",
+			},
+			"objectClass": {
+				DisplayName: "Object Class(es)",
+				Required:    true,
+				Description: "A list of Object Classes to apply to the user, e.g. person, user, etc.",
+				Field: &v2.ConnectorAccountCreationSchema_Field_StringListField{
+					StringListField: &v2.ConnectorAccountCreationSchema_StringListField{
+						DefaultValue: []string{"top", "person"},
+					},
+				},
+				Order:       5,
+				Placeholder: "[\"top\", \"person\", \"organizationalPerson\", \"inetOrgPerson\"]",
+			},
+			"additionalAttributes": {
+				DisplayName: "Additional Attributes",
+				Required:    false,
+				Field:       &v2.ConnectorAccountCreationSchema_Field_MapField{},
+				Description: "A map representing additional attributes to set on the user",
+				Order:       6,
+				Placeholder: "{\"cn\":\"Jane Doe\",\"sn\":\"Doe\"}",
+			},
+		},
+	}
+}
+
 // Validates that the user has read access to all relevant tables (more information in the readme).
 func (l *LDAP) Validate(ctx context.Context) (annotations.Annotations, error) {
 	_, _, err := l.client.LdapSearch(

pkg/connector/helpers.go

@@ -1,13 +1,19 @@
 package connector
 
 import (
+	"context"
+	"fmt"
+	"strconv"
 	"strings"
 
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
 	mapset "github.com/deckarep/golang-set/v2"
 	"github.com/go-ldap/ldap/v3"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
+	"golang.org/x/exp/slices"
 )
 
 var ResourcesPageSize uint32 = 50
@@ -67,3 +73,149 @@ func parseValue(entry *ldap.Entry, targetAttrs []string) string {
 
 	return ""
 }
+
+// We assume that all values are of the same type.
+func toVals(vals []any) []string {
+	if len(vals) == 0 {
+		return nil
+	}
+
+	switch vals[0].(type) {
+	case string:
+		ret := make([]string, len(vals))
+		for i, v := range vals {
+			ret[i] = v.(string)
+		}
+		return ret
+	case []byte:
+		ret := make([]string, len(vals))
+		for i, v := range vals {
+			ret[i] = string(v.([]byte))
+		}
+		return ret
+	default:
+		ret := make([]string, len(vals))
+		for i, v := range vals {
+			ret[i] = fmt.Sprintf("%v", v)
+		}
+		return ret
+	}
+}
+
+func toAttr(k string, v interface{}) ldap.Attribute {
+	switch v := v.(type) {
+	case []string:
+		return ldap.Attribute{
+			Type: k,
+			Vals: v,
+		}
+	case []any:
+		return ldap.Attribute{
+			Type: k,
+			Vals: toVals(v),
+		}
+	case string:
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{v},
+		}
+	case []byte:
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{string(v)},
+		}
+	case bool:
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{strconv.FormatBool(v)},
+		}
+	case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{fmt.Sprintf("%d", v)},
+		}
+	case float32, float64:
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{fmt.Sprintf("%f", v)},
+		}
+	default:
+		// l.Warn("unsupported attribute type", zap.Any("type", v))
+		return ldap.Attribute{
+			Type: k,
+			Vals: []string{fmt.Sprintf("%v", v)},
+		}
+	}
+}
+
+func extractProfile(ctx context.Context, accountInfo *v2.AccountInfo) (string, []ldap.Attribute, error) {
+	l := ctxzap.Extract(ctx)
+
+	prof := accountInfo.GetProfile()
+	if prof == nil {
+		return "", nil, fmt.Errorf("missing profile")
+	}
+	data := prof.AsMap()
+	l.Debug("baton-ldap: create-account profile", zap.Any("data", data))
+
+	suffix, ok := data["suffix"].(string)
+	if !ok {
+		return "", nil, fmt.Errorf("invalid/missing suffix")
+	}
+	path, ok := data["path"].(string)
+	if !ok {
+		return "", nil, fmt.Errorf("invalid/missing path")
+	}
+	rdnKey, ok := data["rdnKey"].(string)
+	if !ok {
+		return "", nil, fmt.Errorf("invalid/missing rdnKey")
+	}
+	rdnValue, ok := data["rdnValue"].(string)
+	if !ok {
+		return "", nil, fmt.Errorf("invalid/missing rdnValue")
+	}
+
+	var dn string
+	if path != "" {
+		dn = strings.Join([]string{fmt.Sprintf("%s=%s", rdnKey, rdnValue), path, suffix}, ",")
+	} else {
+		dn = strings.Join([]string{fmt.Sprintf("%s=%s", rdnKey, rdnValue), suffix}, ",")
+	}
+
+	objectClass, ok := data["objectClass"].([]any)
+	if !ok {
+		return "", nil, fmt.Errorf("invalid/missing objectClass")
+	}
+	for _, oc := range objectClass {
+		if _, ok := oc.(string); !ok {
+			return "", nil, fmt.Errorf("invalid objectClass")
+		}
+	}
+
+	attrs := []ldap.Attribute{}
+
+	for k, v := range data {
+		if slices.Contains([]string{
+			"additionalAttributes",
+			"rdnKey",
+			"rdnValue",
+			"path",
+			"suffix",
+			"login",
+		}, k) {
+			continue
+		}
+		attrs = append(attrs, toAttr(k, v))
+	}
+
+	additionalAttributes, ok := data["additionalAttributes"].(map[string]interface{})
+	if ok {
+		for k, v := range additionalAttributes {
+			attrs = append(attrs, toAttr(k, v))
+		}
+	}
+
+	l.Debug("baton-ldap: create-account attributes", zap.Any("attrs", attrs))
+
+	return dn, attrs, nil
+}

pkg/connector/user.go

@@ -9,6 +9,7 @@ import (
 
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
+	builder "github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
 	rs "github.com/conductorone/baton-sdk/pkg/types/resource"
 	mapset "github.com/deckarep/golang-set/v2"
@@ -363,6 +364,74 @@ func (u *userResourceType) Grants(ctx context.Context, resource *v2.Resource, to
 	return nil, "", nil, nil
 }
 
+func (o *userResourceType) CreateAccountCapabilityDetails(ctx context.Context) (*v2.CredentialDetailsAccountProvisioning, annotations.Annotations, error) {
+	return &v2.CredentialDetailsAccountProvisioning{
+		SupportedCredentialOptions: []v2.CapabilityDetailCredentialOption{
+			v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD,
+		},
+		PreferredCredentialOption: v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD,
+	}, nil, nil
+}
+
+func (o *userResourceType) CreateAccount(
+	ctx context.Context,
+	accountInfo *v2.AccountInfo,
+	credentialOptions *v2.CredentialOptions,
+) (
+	builder.CreateAccountResponse,
+	[]*v2.PlaintextData,
+	annotations.Annotations,
+	error,
+) {
+	l := ctxzap.Extract(ctx)
+
+	if credentialOptions == nil {
+		return nil, nil, nil, fmt.Errorf("baton-ldap: create-account: missing credential options")
+	}
+
+	dn, attrs, err := extractProfile(ctx, accountInfo)
+	if err != nil {
+		l.Error("baton-ldap: create-account failed to extract profile", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		return nil, nil, nil, err
+	}
+
+	user := &ldap3.AddRequest{
+		DN:         dn,
+		Attributes: attrs,
+	}
+
+	err = o.client.LdapAdd(ctx, user)
+	if err != nil {
+		l.Error("baton-ldap: create-account failed to create account", zap.Error(err), zap.Any("userParams", user))
+		return nil, nil, nil, err
+	}
+
+	acc, err := getAccount(ctx, o.client, dn)
+	if err != nil {
+		l.Error("baton-ldap: create-account failed to get account", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		return nil, nil, nil, err
+	}
+
+	ur, err := userResource(ctx, acc)
+	if err != nil {
+		l.Error("baton-ldap: create-account failed to create resource", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		return nil, nil, nil, err
+	}
+	resp := &v2.CreateAccountResponse_SuccessResult{
+		Resource: ur,
+	}
+
+	return resp, nil, nil, nil
+}
+
+func getAccount(ctx context.Context, client *ldap.Client, dn string) (*ldap.Entry, error) {
+	userEntry, err := client.LdapGetWithStringDN(ctx, dn, userFilter, allAttrs)
+	if err != nil {
+		return nil, fmt.Errorf("ldap-connector: failed to get user: %w", err)
+	}
+	return userEntry, nil
+}
+
 func userBuilder(client *ldap.Client, userSearchDN *ldap3.DN, disableOperationalAttrs bool) *userResourceType {
 	return &userResourceType{
 		resourceType:            resourceTypeUser,

pkg/ldap/client.go

@@ -277,6 +277,22 @@ func (c *Client) _ldapSearch(ctx context.Context,
 	return ret, nextPageToken, nil
 }
 
+func (c *Client) LdapAdd(ctx context.Context, addRequest *ldap.AddRequest) error {
+	l := ctxzap.Extract(ctx)
+
+	l.Debug("adding ldap entry", zap.String("DN", addRequest.DN), zap.Any("attributes", addRequest.Attributes))
+
+	err := c.getConnection(ctx, true, func(client *ldapConn) error {
+		return client.conn.Add(addRequest)
+	})
+	if err != nil {
+		l.Error("baton-ldap: client failed to add record", zap.Error(err))
+		return err
+	}
+
+	return nil
+}
+
 func (c *Client) LdapModify(ctx context.Context, modifyRequest *ldap.ModifyRequest) error {
 	l := ctxzap.Extract(ctx)