[BB-690] Baton ID support for matching AD users and groups (#33)

johnallers · web-flow · commit 11a4664bb525 · 2025-08-28T08:50:20.000-04:00
* Create group resource for groups

* fix group trait

* add group trait

* Apply group and user traits to groups

* back to syncing just as a group

* fix grantableTo

* give groups user traits

* Undo combing user trait on groups

* Comment principal types

* Configure AD group grant expansion for server roles via Baton ID

* Update server_role.go

* fix server role matching for AD group

* wire in AD baton ID matching for server role users

* Wire in BatonID matching for database roles

* Wire baton ID into database grants

* Wire in baton ID into server grants
diff --git a/pkg/connector/database.go b/pkg/connector/database.go
@@ -72,15 +72,15 @@ func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource
 				Slug:        name,
 				Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 				Resource:    resource,
-				GrantableTo: []*v2.ResourceType{resourceTypeUser},
+				GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole},
 			},
 			&v2.Entitlement{
 				Id:          enTypes.NewEntitlementID(resource, key+"-grant"),
 				DisplayName: grantSlug,
 				Slug:        grantSlug,
 				Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 				Resource:    resource,
-				GrantableTo: []*v2.ResourceType{resourceTypeUser},
+				GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole},
 			})
 	}
 
@@ -143,15 +143,20 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok
 					return nil, "", nil, fmt.Errorf("unexpected resource type: %s", rt.Id)
 				}
 
+				grantOpts, err := BuildBatonIDGrantOptions(resourceID, p.PrincipalType, p.PrincipalName)
+				if err != nil {
+					return nil, "", nil, err
+				}
+
 				switch p.State {
 				case "G":
 					ret = append(ret, grTypes.NewGrant(resource, perm, &v2.Resource{
 						Id: resourceID,
-					}))
+					}, grantOpts...))
 				case "W":
 					ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", &v2.Resource{
 						Id: resourceID,
-					}))
+					}, grantOpts...))
 				}
 			}
 		}
diff --git a/pkg/connector/database_role.go b/pkg/connector/database_role.go
@@ -74,7 +74,8 @@ func (d *databaseRolePrincipalSyncer) List(ctx context.Context, parentResourceID
 func (d *databaseRolePrincipalSyncer) Entitlements(ctx context.Context, resource *v2.Resource, pToken *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
 	var ret []*v2.Entitlement
 
-	ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member"))
+	grantableTo := enTypes.WithGrantableTo(resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole)
+	ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member", grantableTo))
 
 	return ret, "", nil, nil
 }
@@ -216,7 +217,12 @@ func (d *databaseRolePrincipalSyncer) Grants(
 				return nil, "", nil, fmt.Errorf("invalid state: principalID is nil")
 			}
 
-			ret = append(ret, grTypes.NewGrant(resource, "member", principalID))
+			grantOpts, err := BuildBatonIDGrantOptions(principalID, dbPrincipal.Type, dbPrincipal.Name)
+			if err != nil {
+				return nil, "", nil, err
+			}
+
+			ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...))
 		}
 
 		visited[b.ResourceID()] = true
diff --git a/pkg/connector/group.go b/pkg/connector/group.go
@@ -32,13 +32,14 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re
 
 	var ret []*v2.Resource
 	for _, principalModel := range principals {
-		r, err := resource.NewUserResource(
+		r, err := resource.NewGroupResource(
 			principalModel.Name,
 			d.ResourceType(ctx),
 			principalModel.ID,
 			nil,
 			resource.WithParentResourceID(parentResourceID),
 		)
+
 		if err != nil {
 			return nil, "", nil, err
 		}
diff --git a/pkg/connector/helpers.go b/pkg/connector/helpers.go
@@ -23,9 +23,9 @@ func resourceTypeFromDatabasePrincipal(pType string) (*v2.ResourceType, error) {
 	switch pType {
 	case "R":
 		return resourceTypeDatabaseRole, nil
-	case "G", "X":
+	case "G", "X": // Windows group, External group from Microsoft Entra ID
 		return resourceTypeGroup, nil
-	case "S", "U", "C", "E", "K":
+	case "S", "U", "C", "E", "K", "A": // SQL login, Windows login, Certificate, External login from Microsoft Entra ID, Asymmetric key, Application role?
 		return resourceTypeUser, nil
 	default:
 		return nil, fmt.Errorf("unknown principal type: %s", pType)
diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go
@@ -23,7 +23,7 @@ var (
 	resourceTypeGroup = &v2.ResourceType{
 		Id:          mssqldb.GroupType,
 		DisplayName: "Group",
-		Traits:      []v2.ResourceType_Trait{v2.ResourceType_TRAIT_USER},
+		Traits:      []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP},
 	}
 	resourceTypeServerRole = &v2.ResourceType{
 		Id:          mssqldb.ServerRoleType,
diff --git a/pkg/connector/server.go b/pkg/connector/server.go
@@ -99,13 +99,15 @@ func (d *serverSyncer) Entitlements(ctx context.Context, resource *v2.Resource,
 			Slug:        name,
 			Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 			Resource:    resource,
+			GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeServerRole},
 		})
 		ret = append(ret, &v2.Entitlement{
 			Id:          enTypes.NewEntitlementID(resource, key+"-grant"),
 			DisplayName: fmt.Sprintf("%s (With Grant)", name),
 			Slug:        fmt.Sprintf("%s (With Grant)", name),
 			Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 			Resource:    resource,
+			GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeServerRole},
 		})
 	}
 
@@ -129,17 +131,22 @@ func (d *serverSyncer) Grants(ctx context.Context, resource *v2.Resource, pToken
 				if err != nil {
 					return nil, "", nil, err
 				}
+
+				principal := &v2.ResourceId{
+					ResourceType: rt.Id,
+					Resource:     strconv.FormatInt(p.PrincipalID, 10),
+				}
+
+				grantOpts, err := BuildBatonIDGrantOptions(principal, p.PrincipalType, p.PrincipalName)
+				if err != nil {
+					return nil, "", nil, err
+				}
+
 				switch p.State {
 				case "G":
-					ret = append(ret, grTypes.NewGrant(resource, perm, &v2.ResourceId{
-						ResourceType: rt.Id,
-						Resource:     strconv.FormatInt(p.PrincipalID, 10),
-					}))
+					ret = append(ret, grTypes.NewGrant(resource, perm, principal, grantOpts...))
 				case "W":
-					ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", &v2.ResourceId{
-						ResourceType: rt.Id,
-						Resource:     strconv.FormatInt(p.PrincipalID, 10),
-					}))
+					ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", principal, grantOpts...))
 				}
 			}
 		}
diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go
@@ -10,6 +10,7 @@ import (
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	_ "github.com/conductorone/baton-sdk/pkg/annotations"
+	bid "github.com/conductorone/baton-sdk/pkg/bid"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
 	enTypes "github.com/conductorone/baton-sdk/pkg/types/entitlement"
 	grTypes "github.com/conductorone/baton-sdk/pkg/types/grant"
@@ -62,7 +63,7 @@ func (d *serverRolePrincipalSyncer) Entitlements(ctx context.Context, resource *
 	ret = append(ret, enTypes.NewAssignmentEntitlement(
 		resource,
 		"member",
-		enTypes.WithGrantableTo(resourceTypeUser),
+		enTypes.WithGrantableTo(resourceTypeUser, resourceTypeGroup, resourceTypeServerRole),
 	))
 
 	return ret, "", nil, nil
@@ -178,7 +179,12 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res
 				return nil, "", nil, err
 			}
 
-			ret = append(ret, grTypes.NewGrant(resource, "member", principalID))
+			grantOpts, err := BuildBatonIDGrantOptions(principalID, principal.Type, principal.Name)
+			if err != nil {
+				return nil, "", nil, err
+			}
+
+			ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...))
 		}
 
 		visited[b.ResourceID()] = true
@@ -195,6 +201,45 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res
 	return ret, npt, nil, nil
 }
 
+func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principalType string, principalName string) ([]grTypes.GrantOption, error) {
+	grantOpts := []grTypes.GrantOption{}
+
+	switch principalType {
+	case "G": // Configure BatonID matching for Active Directory groups
+		gr := &v2.Resource{
+			Id: principalID,
+		}
+
+		ent := enTypes.NewAssignmentEntitlement(gr, "member")
+		bidEnt, err := bid.MakeBid(ent)
+		if err != nil {
+			return nil, err
+		}
+
+		grantOpts = append(grantOpts,
+			grTypes.WithAnnotation(&v2.ExternalResourceMatch{
+				ResourceType: v2.ResourceType_TRAIT_GROUP,
+				Key:          "downlevel_logon_name",
+				Value:        principalName,
+			}),
+			grTypes.WithAnnotation(&v2.GrantExpandable{
+				EntitlementIds: []string{bidEnt},
+				Shallow:        true,
+			}),
+		)
+	case "U": // Configure BatonID matching for Active Directory users
+		grantOpts = append(grantOpts,
+			grTypes.WithAnnotation(&v2.ExternalResourceMatch{
+				ResourceType: v2.ResourceType_TRAIT_USER,
+				Key:          "downlevel_logon_name",
+				Value:        principalName,
+			}),
+		)
+	}
+
+	return grantOpts, nil
+}
+
 func (d *serverRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
 	var err error
 

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,8 @@ func (d *databaseRolePrincipalSyncer) List(ctx context.Context, parentResourceID`
`74`	`74`	`func (d databaseRolePrincipalSyncer) Entitlements(ctx context.Context, resource v2.Resource, pToken pagination.Token) ([]v2.Entitlement, string, annotations.Annotations, error) {`
`75`	`75`	`var ret []*v2.Entitlement`
`76`	`76`
`77`		`- ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member"))`
	`77`	`+ grantableTo := enTypes.WithGrantableTo(resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole)`
	`78`	`+ ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member", grantableTo))`
`78`	`79`
`79`	`80`	`return ret, "", nil, nil`
`80`	`81`	`}`
`@@ -216,7 +217,12 @@ func (d *databaseRolePrincipalSyncer) Grants(`
`216`	`217`	`return nil, "", nil, fmt.Errorf("invalid state: principalID is nil")`
`217`	`218`	`}`
`218`	`219`
`219`		`- ret = append(ret, grTypes.NewGrant(resource, "member", principalID))`
	`220`	`+ grantOpts, err := BuildBatonIDGrantOptions(principalID, dbPrincipal.Type, dbPrincipal.Name)`
	`221`	`+ if err != nil {`
	`222`	`+ return nil, "", nil, err`
	`223`	`+ }`
	`224`	`+`
	`225`	`+ ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...))`
`220`	`226`	`}`
`221`	`227`
`222`	`228`	`visited[b.ResourceID()] = true`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ var (`
`23`	`23`	`resourceTypeGroup = &v2.ResourceType{`
`24`	`24`	`Id: mssqldb.GroupType,`
`25`	`25`	`DisplayName: "Group",`
`26`		`- Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_USER},`
	`26`	`+ Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP},`
`27`	`27`	`}`
`28`	`28`	`resourceTypeServerRole = &v2.ResourceType{`
`29`	`29`	`Id: mssqldb.ServerRoleType,`