Merge pull request #17 from ConductorOne/AddAccountAndEntiltementProvision

[BB-747]Add Account & Entitlement Provision with Account Deprovision

Author: FeliLucero1

docs/images/docs-info.md

@@ -0,0 +1,61 @@
+While developing the connector, please fill out this form. This information is needed to write docs and to help other users set up the connector.
+
+## Connector capabilities
+
+1. What resources does the connector sync?
+
+    -Users
+    -Tables
+    -Servers
+    -Routines
+    -Roles
+    -Databases
+    -Columns(optional)
+
+2. Can the connector provision any resources? If so, which ones? 
+
+    -Account provision and deprovision
+    -Entitlement provision(Grant & Revoke) for all others resources
+
+
+## Connector credentials 
+
+1. What credentials or information are needed to set up the connector? (For example, API key, client ID and secret, domain, etc.)
+
+    -   --connection-string string   The connection string for connecting to MySQL, for example: "baton:baton-password@tcp(127.0.0.1:3306)/"
+    -   --expand-columns strings     Provide a table like db.table to expand the column privileges into their own entitlements. This is optional,
+     for example: baton_db.empleados
+
+2. For each item in the list above: 
+
+   * How does a user create or look up that credential or info? Please include links to (non-gated) documentation, screenshots (of the UI or of gated docs), or a video of the process. 
+
+   -Customers can create a dedicated MySQL user with appropriate privileges using the following SQL:
+    CREATE USER 'baton'@'%' IDENTIFIED BY 'baton-password';  
+    GRANT SELECT ON *.* TO 'baton'@'%'; -- for sync only
+    GRANT ALL PRIVILEGES ON *.* TO 'baton'@'%'; -- for sync and provision
+
+    https://dev.mysql.com/doc/refman/8.0/en/create-user.html
+    https://dev.mysql.com/doc/refman/8.0/en/grant.html
+
+
+   * Does the credential need any specific scopes or permissions? If so, list them here. 
+
+   -Yes:
+
+    For sync: SELECT privileges on mysql.*, information_schema.*, and all databases/tables you want to sync.
+
+    For provisioning: GRANT OPTION and ALL PRIVILEGES (or at least GRANT, SELECT, INSERT, UPDATE, DELETE, REFERENCES) on the target resources.
+
+    * If applicable: Is the list of scopes or permissions different to sync (read) versus provision (read-write)? If so, list the difference here. 
+
+    -| Purpose   | Required Privileges                                           |
+     | --------- | ------------------------------------------------------------- |
+     | Sync      | `SELECT` on `information_schema`, `mysql`, target DBs         |
+     | Provision | `GRANT OPTION`, `CREATE USER`, `DROP USER`, `GRANT`, `REVOKE` |
+
+
+     * What level of access or permissions does the user need in order to create the credentials? (For example, must be a super administrator, must have access to the admin console, etc.)  
+
+     -The credential must be created by a MySQL user with CREATE USER and GRANT OPTION privileges — typically a DBA or superuser (root or similar).
+

go.mod

@@ -5,7 +5,7 @@ go 1.23.4
 toolchain go1.23.9
 
 require (
-	github.com/conductorone/baton-sdk v0.3.9
+	github.com/conductorone/baton-sdk v0.3.10
 	github.com/go-sql-driver/mysql v1.7.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/jmoiron/sqlx v1.3.5

go.sum

@@ -58,8 +58,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/conductorone/baton-sdk v0.3.9 h1:D0YiYtRkpRByYsctlREqNG9pb5QAU5DW7sBlccAd3tI=
-github.com/conductorone/baton-sdk v0.3.9/go.mod h1:lWZHgu025Rsgs5jvBrhilGti0zWF2+YfaFY/bWOS/g0=
+github.com/conductorone/baton-sdk v0.3.10 h1:e1J0Y2knHTbzn9bAsjElmhv5lRpYwI6ixw0Ak+gx0JY=
+github.com/conductorone/baton-sdk v0.3.10/go.mod h1:lWZHgu025Rsgs5jvBrhilGti0zWF2+YfaFY/bWOS/g0=
 github.com/conductorone/dpop v0.2.3 h1:s91U3845GHQ6P6FWrdNr2SEOy1ES/jcFs1JtKSl2S+o=
 github.com/conductorone/dpop v0.2.3/go.mod h1:gyo8TtzB9SCFCsjsICH4IaLZ7y64CcrDXMOPBwfq/3s=
 github.com/conductorone/dpop/integrations/dpop_grpc v0.2.3 h1:kLMCNIh0Mo2vbvvkCmJ3ixsPbXEJ6HPcW53Ku9yje3s=

pkg/client/columns.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -81,3 +82,74 @@ func (c *Client) ListColumns(ctx context.Context, parentResourceID *v2.ResourceI
 
 	return ret, nextPageToken, nil
 }
+
+// If the privilege is "grant", it grants SELECT, INSERT, UPDATE, and REFERENCES privileges.
+func (c *Client) GrantColumnPrivilege(ctx context.Context, table string, column string, user string, privilege string) error {
+	userSplit := strings.Split(user, "@")
+	if len(userSplit) != 2 {
+		return fmt.Errorf("invalid user format: %s", user)
+	}
+	userGrant := fmt.Sprintf("%s'@'%s", userSplit[0], userSplit[1])
+
+	var privileges []string
+	if strings.ToLower(privilege) == "grant" {
+		privileges = []string{"SELECT", "INSERT", "UPDATE", "REFERENCES"}
+	} else {
+		privileges = []string{strings.ToUpper(privilege)}
+	}
+
+	escapedTable, err := escapeMySQLIdent(table)
+	if err != nil {
+		return err
+	}
+	escapedColumn, err := escapeMySQLIdent(column)
+	if err != nil {
+		return err
+	}
+
+	var privilegeClauses []string
+	for _, priv := range privileges {
+		privilegeClauses = append(privilegeClauses, fmt.Sprintf("%s (%s)", priv, escapedColumn))
+	}
+	privilegesSQL := strings.Join(privilegeClauses, ", ")
+
+	query := fmt.Sprintf("GRANT %s ON %s TO '%s'", privilegesSQL, escapedTable, userGrant)
+
+	_ = c.db.MustExec(query)
+	return nil
+}
+
+func (c *Client) RevokeColumnPrivilege(ctx context.Context, table string, column string, user string, privilege string) error {
+	userSplit := strings.Split(user, "@")
+	if len(userSplit) != 2 {
+		return fmt.Errorf("invalid user format: %s", user)
+	}
+	userRevoke := fmt.Sprintf("%s'@'%s", userSplit[0], userSplit[1])
+
+	var privileges []string
+	if strings.ToLower(privilege) == "grant" {
+		privileges = []string{"SELECT", "INSERT", "UPDATE", "REFERENCES"}
+	} else {
+		privileges = []string{strings.ToUpper(privilege)}
+	}
+
+	escapedTable, err := escapeMySQLIdent(table)
+	if err != nil {
+		return err
+	}
+	escapedColumn, err := escapeMySQLIdent(column)
+	if err != nil {
+		return err
+	}
+
+	var privilegeClauses []string
+	for _, priv := range privileges {
+		privilegeClauses = append(privilegeClauses, fmt.Sprintf("%s (%s)", priv, escapedColumn))
+	}
+	privilegesSQL := strings.Join(privilegeClauses, ", ")
+
+	query := fmt.Sprintf("REVOKE %s ON %s FROM '%s'", privilegesSQL, escapedTable, userRevoke)
+
+	_ = c.db.MustExec(query)
+	return nil
+}

pkg/client/databases.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -71,3 +72,53 @@ func (c *Client) ListDatabases(ctx context.Context, pager *Pager) ([]*DbModel, s
 
 	return ret, nextPageToken, nil
 }
+
+func (c *Client) GrantDatabasePrivilege(ctx context.Context, database string, user string, privilege string) error {
+	userSplit := strings.Split(user, "@")
+	if len(userSplit) != 2 {
+		return fmt.Errorf("invalid user format, expected user@host")
+	}
+	userEsc, err := escapeMySQLUserHost(userSplit[0])
+	if err != nil {
+		return err
+	}
+	hostEsc, err := escapeMySQLUserHost(userSplit[1])
+	if err != nil {
+		return err
+	}
+	userGrant := fmt.Sprintf("'%s'@'%s'", userEsc, hostEsc)
+
+	escapedDB, err := escapeMySQLIdent(database)
+	if err != nil {
+		return err
+	}
+
+	query := fmt.Sprintf("GRANT %s ON %s.* TO %s", strings.ToUpper(privilege), escapedDB, userGrant)
+	_ = c.db.MustExec(query)
+	return nil
+}
+
+func (c *Client) RevokeDatabasePrivilege(ctx context.Context, database string, user string, privilege string) error {
+	userSplit := strings.Split(user, "@")
+	if len(userSplit) != 2 {
+		return fmt.Errorf("invalid user format, expected user@host")
+	}
+	userEsc, err := escapeMySQLUserHost(userSplit[0])
+	if err != nil {
+		return err
+	}
+	hostEsc, err := escapeMySQLUserHost(userSplit[1])
+	if err != nil {
+		return err
+	}
+	userRevoke := fmt.Sprintf("'%s'@'%s'", userEsc, hostEsc)
+
+	escapedDB, err := escapeMySQLIdent(database)
+	if err != nil {
+		return err
+	}
+
+	query := fmt.Sprintf("REVOKE %s ON %s.* FROM %s", strings.ToUpper(privilege), escapedDB, userRevoke)
+	_ = c.db.MustExec(query)
+	return nil
+}

pkg/client/helper.go

@@ -0,0 +1,31 @@
+package client
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Helper for identifiers (tables, columns, databases).
+var validIdent = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)
+
+func escapeMySQLIdent(ident string) (string, error) {
+	parts := strings.Split(ident, ".")
+	for i, part := range parts {
+		if !validIdent.MatchString(part) {
+			return "", fmt.Errorf("invalid identifier: %s", ident)
+		}
+		parts[i] = "`" + strings.ReplaceAll(part, "`", "``") + "`"
+	}
+	return strings.Join(parts, "."), nil
+}
+
+// Helper for user/host.
+var validUserHost = regexp.MustCompile(`^[a-zA-Z0-9_%\\.\\-]+$`)
+
+func escapeMySQLUserHost(ident string) (string, error) {
+	if !validUserHost.MatchString(ident) {
+		return "", fmt.Errorf("invalid user/host: %s", ident)
+	}
+	return ident, nil
+}

pkg/client/roles.go

@@ -0,0 +1,95 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"strings"
+)
+
+func (c *Client) GrantRolePrivilege(ctx context.Context, role, user, privilege string) error {
+	roleParts := strings.Split(role, "@")
+	if len(roleParts) != 2 {
+		return fmt.Errorf("invalid role format: %s", role)
+	}
+
+	userParts := strings.Split(user, "@")
+	if len(userParts) != 2 {
+		return fmt.Errorf("invalid user format: %s", user)
+	}
+
+	roleUser, err := escapeMySQLUserHost(roleParts[0])
+	if err != nil {
+		return err
+	}
+	roleHost, err := escapeMySQLUserHost(roleParts[1])
+	if err != nil {
+		return err
+	}
+	targetUser, err := escapeMySQLUserHost(userParts[0])
+	if err != nil {
+		return err
+	}
+	targetHost, err := escapeMySQLUserHost(userParts[1])
+	if err != nil {
+		return err
+	}
+
+	var grantStmt string
+	switch privilege {
+	case "role_assignment":
+		grantStmt = fmt.Sprintf("GRANT '%s'@'%s' TO '%s'@'%s'", roleUser, roleHost, targetUser, targetHost)
+	case "role_assignment_with_grant":
+		grantStmt = fmt.Sprintf("GRANT '%s'@'%s' TO '%s'@'%s' WITH ADMIN OPTION", roleUser, roleHost, targetUser, targetHost)
+	case "proxy":
+		grantStmt = fmt.Sprintf("GRANT PROXY ON '%s'@'%s' TO '%s'@'%s'", roleUser, roleHost, targetUser, targetHost)
+	case "proxy_with_grant":
+		grantStmt = fmt.Sprintf("GRANT PROXY ON '%s'@'%s' TO '%s'@'%s' WITH GRANT OPTION", roleUser, roleHost, targetUser, targetHost)
+	default:
+		return fmt.Errorf("unknown privilege: %s", privilege)
+	}
+
+	_ = c.db.MustExec(grantStmt)
+	return nil
+}
+
+func (c *Client) RevokeRolePrivilege(ctx context.Context, role, user, privilege string) error {
+	roleParts := strings.Split(role, "@")
+	if len(roleParts) != 2 {
+		return fmt.Errorf("invalid role format: %s", role)
+	}
+
+	userParts := strings.Split(user, "@")
+	if len(userParts) != 2 {
+		return fmt.Errorf("invalid user format: %s", user)
+	}
+
+	roleUser, err := escapeMySQLUserHost(roleParts[0])
+	if err != nil {
+		return err
+	}
+	roleHost, err := escapeMySQLUserHost(roleParts[1])
+	if err != nil {
+		return err
+	}
+	targetUser, err := escapeMySQLUserHost(userParts[0])
+	if err != nil {
+		return err
+	}
+	targetHost, err := escapeMySQLUserHost(userParts[1])
+	if err != nil {
+		return err
+	}
+
+	var revokeStmt string
+	switch privilege {
+	case "role_assignment", "role_assignment_with_grant":
+		revokeStmt = fmt.Sprintf("REVOKE '%s'@'%s' FROM '%s'@'%s'", roleUser, roleHost, targetUser, targetHost)
+	case "proxy", "proxy_with_grant":
+		revokeStmt = fmt.Sprintf("REVOKE PROXY ON '%s'@'%s' FROM '%s'@'%s'", roleUser, roleHost, targetUser, targetHost)
+	default:
+		return fmt.Errorf("unknown privilege: %s", privilege)
+	}
+
+	_ = c.db.MustExec(revokeStmt)
+	return nil
+}