Merged
252 changes: 10 additions & 242 deletions .github/workflows/ci.yaml
Expand Up @@ -35,256 +35,24 @@ jobs:
uses: guyarb/[email protected]
with:
test-results: test.json
test-member:
ci:
runs-on: ubuntu-latest
env:
BATON_LOG_LEVEL: debug

CONNECTOR_GRANT: 'workspaceRole:T08101AQL31:member:assigned:user:U083SJ36LCD'
CONNECTOR_ENTITLEMENT: 'workspaceRole:T08101AQL31:member:assigned'
CONNECTOR_PRINCIPAL: 'U083SJ36LCD'
CONNECTOR_PRINCIPAL_TYPE: 'user'

BATON_TOKEN: "${{ secrets.BATON_TOKEN }}"
BATON_ENTERPRISE_TOKEN: "${{ secrets.BATON_ENTERPRISE_TOKEN }}"

BATON_TOKEN: ${{ secrets.BATON_TOKEN }}
BATON_BUSINESS_PLUS_TOKEN: ${{ secrets.BATON_BUSINESS_PLUS_TOKEN }}
steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.25.x
- name: Checkout code
uses: actions/checkout@v4
- name: Build baton-slack
run: go build ./cmd/baton-slack
- name: Run baton-slack
run: ./baton-slack
- name: Install baton
run: ./scripts/get-baton.sh && mv baton /usr/local/bin

- name: Grant entitlement first time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check for grant before revoking
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep true

- name: Revoke grants
run: ./baton-slack --revoke-grant="${{ env.CONNECTOR_GRANT }}"

- name: Check grant was revoked
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"

- name: Grant entitlement second time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Wait 10 seconds
run: sleep 10

- name: Check grant was re-granted
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep true

test-admin:
needs: [test-member]
runs-on: ubuntu-latest
env:
# Logging level for Baton
BATON_LOG_LEVEL: debug

# Connector-specific details
CONNECTOR_GRANT: 'workspaceRole:T08101AQL31:admin:assigned:user:U083SJ36LCD'
CONNECTOR_ENTITLEMENT: 'workspaceRole:T08101AQL31:admin:assigned'
CONNECTOR_PRINCIPAL: 'U083SJ36LCD'
CONNECTOR_PRINCIPAL_TYPE: 'user'

# Secrets for Baton authentication
BATON_TOKEN: "${{ secrets.BATON_TOKEN }}"
BATON_ENTERPRISE_TOKEN: "${{ secrets.BATON_ENTERPRISE_TOKEN }}"

steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.25.x
- name: Checkout code
uses: actions/checkout@v4
go-version-file: go.mod
- name: Build baton-slack
run: go build ./cmd/baton-slack

- name: Run baton-slack
run: ./baton-slack
- name: Install baton
run: ./scripts/get-baton.sh && mv baton /usr/local/bin

- name: Grant entitlement first time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check for grant before revoking
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep true

- name: Revoke grants
run: ./baton-slack --revoke-grant="${{ env.CONNECTOR_GRANT }}"

- name: Check grant was revoked
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"
#
- name: Grant entitlement second time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check grant was re-granted
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep true


test-owner:
needs: [test-member, test-admin]
runs-on: ubuntu-latest
env:
BATON_LOG_LEVEL: debug

CONNECTOR_GRANT: 'workspaceRole:T08101AQL31:owner:assigned:user:U083SJ36LCD'
CONNECTOR_ENTITLEMENT: 'workspaceRole:T08101AQL31:owner:assigned'
CONNECTOR_PRINCIPAL: 'U083SJ36LCD'
CONNECTOR_PRINCIPAL_TYPE: 'user'

BATON_TOKEN: "${{ secrets.BATON_TOKEN }}"
BATON_ENTERPRISE_TOKEN: "${{ secrets.BATON_ENTERPRISE_TOKEN }}"

steps:
- name: Install Go
uses: actions/setup-go@v5
- name: Grant/revoke
uses: ConductorOne/github-workflows/actions/sync-test@v2
Contributor


I think there's a newer version of the sync test now.

with:
go-version: 1.25.x
- name: Checkout code
uses: actions/checkout@v4
- name: Build baton-slack
run: go build ./cmd/baton-slack

- name: Run baton-slack
run: ./baton-slack
- name: Install baton
run: ./scripts/get-baton.sh && mv baton /usr/local/bin

- name: Grant entitlement first time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check for grant before revoking
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep true

- name: Revoke grants
run: ./baton-slack --revoke-grant="${{ env.CONNECTOR_GRANT }}"

- name: Check grant was revoked
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"

- name: Grant entitlement second time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check grant was re-granted
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep -q "true"

test-enterprise-roles:
runs-on: ubuntu-latest
env:
BATON_LOG_LEVEL: debug

CONNECTOR_GRANT: 'enterpriseRole:Rl0K:assigned:user:U083SJ36LCD'
CONNECTOR_ENTITLEMENT: 'enterpriseRole:Rl0K:assigned'
CONNECTOR_PRINCIPAL: 'U083SJ36LCD'
CONNECTOR_PRINCIPAL_TYPE: 'user'

BATON_TOKEN: "${{ secrets.BATON_TOKEN }}"
BATON_ENTERPRISE_TOKEN: "${{ secrets.BATON_ENTERPRISE_TOKEN }}"

steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.25.x
- name: Checkout code
uses: actions/checkout@v4
- name: Build baton-slack
run: go build ./cmd/baton-slack

- name: Run baton-slack
run: ./baton-slack
- name: Install baton
run: ./scripts/get-baton.sh && mv baton /usr/local/bin

- name: Grant enterprise role first time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check for enterprise role grant before revoking
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep -q "true"

- name: Revoke enterprise role grant
run: ./baton-slack --revoke-grant="${{ env.CONNECTOR_GRANT }}"

- name: Check enterprise role grant was revoked
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status "if .grants then .grants[]?.principal.id.resource != \"${{ env.CONNECTOR_PRINCIPAL }}\" else . end"

- name: Grant enterprise role second time
run: |
./baton-slack --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" \
--grant-principal="${{ env.CONNECTOR_PRINCIPAL }}" \
--grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}"

- name: Check enterprise role was re-granted
run: |
./baton-slack && \
baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | \
jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\"" | grep -q "true"


connector: ./baton-slack
baton-entitlement: 'group:S0A1RHL4CP5:member'
baton-principal: 'U0847EPUZ0R'
baton-principal-type: 'user'
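Review bot: The two tokens sit in the job-level `env:` of `ci`, so every step in the job (`actions/setup-go`, `actions/checkout`, `go build` and the `sync-test` action) runs with `BATON_TOKEN` and `BATON_BUSINESS_PLUS_TOKEN` in its environment, although only the final Grant/revoke step appears to need them. Moving both entries into an `env:` block on that step keeps the credentials away from the build and from any code the build pulls in. The job also keeps `BATON_LOG_LEVEL: debug`; GitHub masks exact secret values in logs but not values derived from them, so it is worth confirming that the connector's debug output carries no token material. Because the step that receives the tokens is referenced by a movable tag, `uses: ConductorOne/github-workflows/actions/sync-test@<full-commit-sha>` would fix exactly which code runs with those secrets. Which lines are new is inferred from the rendered page, so check this against the file itself.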
37 changes: 17 additions & 20 deletions README.md
Expand Up @@ -2,6 +2,8 @@

Check out [Baton](https://github.com/conductorone/baton) to learn more the project in general.

> **Note**: For grant and revoke operations on roles, and account creation/management features, please use [`baton-slack-enterprise`](https://github.com/conductorone/baton-slack-enterprise) instead. This connector focuses on read-only syncing of Slack resources.

# Getting Started

## Prerequisites
Expand All @@ -19,10 +21,10 @@ Check out [Baton](https://github.com/conductorone/baton) to learn more the proje
3. Install the app to your workspace.
4. Use Bot User OAuth Token as token in `baton-slack`.

For the enterprise grid plan the same rules apply for creating an app. There is
a difference in setting scopes, for applications that will be installed on
organization level, User Token Scopes should be set as well as bot scopes. User
Token is used for Admin API needed to sync additional resources in the enterprise.
For the Business+ plan the same rules apply for creating an app. There is
a difference in setting scopes, for applications that will be installed on
organization level, User Token Scopes should be set as well as bot scopes. User
Token is used for Admin API needed to sync additional resources in Business+ organizations.
Additional scopes for User Token are:
- admin
- admin.roles:read
Expand All @@ -34,17 +36,12 @@ For provisioning you will need this scope.
- admin.users:write

5. **Permissions for User Activation/Deactivation Actions**: To use the enable_user and disable_user actions, you need:
- An Enterprise Grid token with admin permissions in order to access the SCIM API
- A Business+ token with admin permissions in order to access the SCIM API
- See [Slack SCIM API Permissions](https://docs.slack.dev/admins/scim-api/#permissions) for more details

Other difference is in the way the application is installed, on enterprise grid
app should be installed on the Organization level and on all the Workspaces from
which you want to sync the resources. The installation has to be done by Admin
or Owner of an Enterprise Grid organization. More info with an example is
available in the [Slack API Docs](https://api.slack.com/methods/admin.teams.list#markdown).
To work with Enterprise Grid APIs use User OAuth Token passed as
`--enterprise-token` along with the Bot User OAuth Token passed via `--token` flag.
To work with GovSlack instances use `--gov-env` flag along with the `--enterprise-token`.
To work with Business+ APIs use User OAuth Token passed as
`--business-plus-token` along with the Bot User OAuth Token passed via `--token` flag.
To work with GovSlack instances use `--gov-env` flag along with the `--business-plus-token`.

## brew

Expand Down Expand Up @@ -80,13 +77,13 @@ baton resources
- Channels
- Workspace roles

Enterprise grid additional resources:
- Enterprise roles
Business+ additional resources:
- Business+ roles

With SSO configured (enterprise grid):
With SSO configured (Business+ plan):
- IDP groups

If you have SSO configured for your enterprise grid organization you can also
If you have SSO configured for your Business+ organization you can also
sync IDP groups and provision them. Just pass the `--sso-enabled=true` flag.

# Contributing, Support, and Issues
Expand All @@ -113,9 +110,9 @@ Available Commands:
help Help about any command

Flags:
--client-id string The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
--client-secret string The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
--enterprise-token string The Slack user oauth token used to connect to the Slack Enterprise Grid Admin API ($BATON_ENTERPRISE_TOKEN)
--business-plus-token string The Slack user oauth token used to connect to the Slack Business+ Admin API ($BATON_BUSINESS_PLUS_TOKEN)
--client-id string The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
--client-secret string The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
-f, --file string The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
-h, --help help for baton-slack
--log-format string The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
4 changes: 1 addition & 3 deletions go.mod
Expand Up @@ -8,7 +8,6 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/slack-go/slack v0.14.0
github.com/stretchr/testify v1.11.1
go.uber.org/zap v1.27.0
google.golang.org/grpc v1.71.0
google.golang.org/protobuf v1.36.5
Expand Down Expand Up @@ -44,7 +43,6 @@ require (
github.com/conductorone/dpop v0.2.3 // indirect
github.com/conductorone/dpop/integrations/dpop_grpc v0.2.3 // indirect
github.com/conductorone/dpop/integrations/dpop_oauth2 v0.2.3 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/deckarep/golang-set/v2 v2.7.0 // indirect
github.com/doug-martin/goqu/v9 v9.19.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
Expand All @@ -71,7 +69,6 @@ require (
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/pquerna/cachecontrol v0.2.0 // indirect
github.com/pquerna/xjwt v0.3.0 // indirect
Expand All @@ -87,6 +84,7 @@ require (
github.com/spf13/cobra v1.8.1 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/spf13/viper v1.19.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/tklauser/go-sysconf v0.3.15 // indirect
github.com/tklauser/numcpus v0.10.0 // indirect