fix revoke for database roles

MarcusGoldschmidt · MarcusGoldschmidt · commit 40627a08dc44 · 2025-05-01T15:19:12.000-03:00
diff --git a/pkg/connector/database_role.go b/pkg/connector/database_role.go
@@ -233,6 +233,95 @@ func (d *databaseRolePrincipalSyncer) Grants(
 	return ret, npt, nil, nil
 }
 
+func (d *databaseRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	var err error
+
+	l := ctxzap.Extract(ctx)
+
+	if resource.Id.ResourceType != resourceTypeUser.Id {
+		return nil, nil, fmt.Errorf("resource type %s is not supported for granting", resource.Id.ResourceType)
+	}
+
+	// database-role:baton_test:6:member
+	splitId := strings.Split(entitlement.Id, ":")
+	if len(splitId) != 4 {
+		return nil, nil, fmt.Errorf("unexpected entitlement id: %s", entitlement.Id)
+	}
+
+	dbName := splitId[1]
+	roleId := splitId[2]
+
+	var role *mssqldb.RoleModel
+
+	role, err = d.client.GetDatabaseRole(ctx, dbName, roleId)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbUser, err := d.client.GetUserFromDb(ctx, dbName, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if dbUser == nil {
+		l.Info("user not found in database, creating user for principal", zap.String("user", resource.Id.Resource))
+
+		user, err := d.client.GetUserPrincipal(ctx, resource.Id.Resource)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		err = d.client.CreateDatabaseUserForPrincipal(ctx, dbName, user.Name)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	err = d.client.AddUserToDatabaseRole(ctx, role.Name, dbName, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	grants := []*v2.Grant{
+		grTypes.NewGrant(resource, "member", &v2.ResourceId{
+			Resource:     resource.Id.Resource,
+			ResourceType: resourceTypeUser.Id,
+		}),
+	}
+
+	return grants, nil, nil
+}
+
+func (d *databaseRolePrincipalSyncer) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	userId := grant.Principal.Id.Resource
+
+	user, err := d.client.GetUserPrincipal(ctx, userId)
+	if err != nil {
+		return nil, err
+	}
+
+	// database-role:baton_test:6:member
+	splitId := strings.Split(grant.Entitlement.Id, ":")
+	if len(splitId) != 4 {
+		return nil, fmt.Errorf("unexpected entitlement id: %s", grant.Entitlement.Id)
+	}
+
+	dbName := splitId[1]
+	roleId := splitId[2]
+
+	role, err := d.client.GetDatabaseRole(ctx, dbName, roleId)
+	if err != nil {
+		return nil, err
+	}
+
+	err = d.client.RevokeUserToDatabaseRole(ctx, role.Name, dbName, user.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, err
+}
+
 func newDatabaseRolePrincipalSyncer(ctx context.Context, c *mssqldb.Client) *databaseRolePrincipalSyncer {
 	return &databaseRolePrincipalSyncer{
 		resourceType: resourceTypeDatabaseRole,
diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go
@@ -198,8 +198,6 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res
 func (d *serverRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
 	var err error
 
-	l := ctxzap.Extract(ctx)
-
 	if resource.Id.ResourceType != resourceTypeUser.Id {
 		return nil, nil, fmt.Errorf("resource type %s is not supported for granting", resource.Id.ResourceType)
 	}
@@ -210,58 +208,18 @@ func (d *serverRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Reso
 		return nil, nil, fmt.Errorf("unexpected entitlement id: %s", entitlement.Id)
 	}
 
-	dbName := splitId[1]
 	roleId := splitId[2]
 
 	var role *mssqldb.RoleModel
 
-	switch entitlement.Resource.Id.ResourceType {
-	case resourceTypeServerRole.Id:
-		role, err = d.client.GetServerRole(ctx, roleId)
-		if err != nil {
-			return nil, nil, err
-		}
-	case resourceTypeDatabaseRole.Id:
-		role, err = d.client.GetDatabaseRole(ctx, dbName, roleId)
-		if err != nil {
-			return nil, nil, err
-		}
-	default:
-		return nil, nil, fmt.Errorf("unexpected resource type: %s", entitlement.Resource.Id.ResourceType)
-	}
-
-	dbUser, err := d.client.GetUserFromDb(ctx, dbName, resource.Id.Resource)
+	role, err = d.client.GetServerRole(ctx, roleId)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	if dbUser == nil {
-		l.Info("user not found in database, creating user for principal", zap.String("user", resource.Id.Resource))
-
-		user, err := d.client.GetUserPrincipal(ctx, resource.Id.Resource)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		err = d.client.CreateDatabaseUserForPrincipal(ctx, dbName, user.Name)
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
-	switch entitlement.Resource.Id.ResourceType {
-	case resourceTypeServerRole.Id:
-		err = d.client.AddUserToServerRole(ctx, role.Name, resource.Id.Resource)
-		if err != nil {
-			return nil, nil, err
-		}
-	case resourceTypeDatabaseRole.Id:
-		err = d.client.AddUserToDatabaseRole(ctx, role.Name, dbName, resource.Id.Resource)
-		if err != nil {
-			return nil, nil, err
-		}
-	default:
-		return nil, nil, fmt.Errorf("unexpected resource type: %s", entitlement.Resource.Id.ResourceType)
+	err = d.client.AddUserToServerRole(ctx, role.Name, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
 	}
 
 	grants := []*v2.Grant{
@@ -288,32 +246,16 @@ func (d *serverRolePrincipalSyncer) Revoke(ctx context.Context, grant *v2.Grant)
 		return nil, fmt.Errorf("unexpected entitlement id: %s", grant.Entitlement.Id)
 	}
 
-	dbName := splitId[1]
 	roleId := splitId[2]
 
-	switch grant.Entitlement.Resource.Id.ResourceType {
-	case resourceTypeServerRole.Id:
-		role, err := d.client.GetServerRole(ctx, roleId)
-		if err != nil {
-			return nil, err
-		}
-
-		err = d.client.RevokeUserToServerRole(ctx, role.Name, user.Name)
-		if err != nil {
-			return nil, err
-		}
-	case resourceTypeDatabaseRole.Id:
-		role, err := d.client.GetDatabaseRole(ctx, dbName, roleId)
-		if err != nil {
-			return nil, err
-		}
+	role, err := d.client.GetServerRole(ctx, roleId)
+	if err != nil {
+		return nil, err
+	}
 
-		err = d.client.RevokeUserToDatabaseRole(ctx, role.Name, dbName, user.Name)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, fmt.Errorf("unexpected resource type: %s", grant.Entitlement.Resource.Id.ResourceType)
+	err = d.client.RevokeUserToServerRole(ctx, role.Name, user.Name)
+	if err != nil {
+		return nil, err
 	}
 
 	return nil, err
diff --git a/pkg/mssqldb/roles.go b/pkg/mssqldb/roles.go
@@ -286,7 +286,7 @@ WHERE type = 'R' AND principal_id = @p1
 		return nil, err
 	}
 
-	return nil, err
+	return &roleModel, err
 }
 
 func (c *Client) GetDatabaseRole(ctx context.Context, dbName string, id string) (*RoleModel, error) {
@@ -321,7 +321,7 @@ WHERE type = 'R' AND principal_id = @p1
 		return nil, err
 	}
 
-	return nil, err
+	return &roleModel, err
 }
 
 func (c *Client) AddUserToServerRole(ctx context.Context, role string, user string) error {
@@ -349,7 +349,7 @@ func (c *Client) AddUserToDatabaseRole(ctx context.Context, role string, db stri
 		return fmt.Errorf("invalid characters in role or user")
 	}
 
-	query := fmt.Sprintf(`ALTER ROLE [%s] ADD MEMBER [%s];`, role, user)
+	query := fmt.Sprintf(`USE [%s]; ALTER ROLE [%s] ADD MEMBER [%s];`, db, role, user)
 	_, err := c.db.ExecContext(ctx, query)
 	if err != nil {
 		return err
@@ -360,14 +360,16 @@ func (c *Client) AddUserToDatabaseRole(ctx context.Context, role string, db stri
 
 func (c *Client) RevokeUserToServerRole(ctx context.Context, role string, user string) error {
 	l := ctxzap.Extract(ctx)
-	l.Debug("adding user to database role", zap.String("role", role), zap.String("user", user))
+	l.Debug("revoking user to database role", zap.String("role", role), zap.String("user", user))
 
 	if strings.ContainsAny(role, "[]\"';") || strings.ContainsAny(user, "[]\"';") {
 		return fmt.Errorf("invalid characters in role or user")
 	}
 
 	query := fmt.Sprintf(`ALTER SERVER ROLE [%s] DROP MEMBER [%s];`, role, user)
 
+	l.Debug("RevokeUserToServerRole", zap.String("sql query", query))
+
 	_, err := c.db.ExecContext(ctx, query)
 	if err != nil {
 		return err
@@ -377,13 +379,18 @@ func (c *Client) RevokeUserToServerRole(ctx context.Context, role string, user s
 
 func (c *Client) RevokeUserToDatabaseRole(ctx context.Context, role string, db string, user string) error {
 	l := ctxzap.Extract(ctx)
-	l.Debug("adding user to database role", zap.String("role", role), zap.String("user", user), zap.String("db", db))
+	l.Debug("revoking user to database role", zap.String("role", role), zap.String("user", user), zap.String("db", db))
 
 	if strings.ContainsAny(role, "[]\"';") || strings.ContainsAny(user, "[]\"';") || strings.ContainsAny(db, "[]\"';") {
 		return fmt.Errorf("invalid characters in role or user")
 	}
 
-	query := fmt.Sprintf(`ALTER ROLE [%s] DROP MEMBER [%s];`, role, user)
+	query := fmt.Sprintf(`
+USE [%s];
+ALTER ROLE [%s] DROP MEMBER [%s];`, db, role, user)
+
+	l.Debug("RevokeUserToDatabaseRole", zap.String("sql query", query))
+
 	_, err := c.db.ExecContext(ctx, query)
 	if err != nil {
 		return err
