[BB-610] Add support for multiple authentication types

btipling · claude · btipling · commit 68bac578d0a0 · 2025-05-06T15:05:21.000-07:00
- Add support for different login types: Windows, SQL Server, Azure AD, and Entra ID - Use FROM EXTERNAL PROVIDER for Azure AD and Entra ID authentication - Improve error handling and validation for different authentication types - Refactor code to use switch statement for better organization 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/pkg/connector/connector.go b/pkg/connector/connector.go
@@ -37,25 +37,45 @@ func (o *Mssqldb) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
 		Description: "Baton connector for Microsoft SQL Server connector",
 		AccountCreationSchema: &v2.ConnectorAccountCreationSchema{
 			FieldMap: map[string]*v2.ConnectorAccountCreationSchema_Field{
+				"login_type": {
+					DisplayName: "Login Type",
+					Required:    true,
+					Description: "The type of SQL Server authentication to use (WINDOWS, SQL, AZURE_AD, or ENTRA_ID).",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "WINDOWS",
+					Order:       1,
+				},
 				"domain": {
 					DisplayName: "Active Directory Domain",
 					Required:    false,
-					Description: "The Active Directory domain for the user (optional). If provided, the login will be created as [DOMAIN\\Username].",
+					Description: "The Active Directory domain for the user. Only used for Windows Authentication.",
 					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
 						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
 					},
 					Placeholder: "DOMAIN",
-					Order:       1,
+					Order:       2,
 				},
 				"username": {
 					DisplayName: "Username",
 					Required:    true,
-					Description: "The Active Directory username for which to create a SQL Server login.",
+					Description: "The username for which to create a SQL Server login.",
 					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
 						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
 					},
 					Placeholder: "username",
-					Order:       2,
+					Order:       3,
+				},
+				"password": {
+					DisplayName: "Password",
+					Required:    false,
+					Description: "The password for SQL Server authentication. Required when using SQL Server Authentication.",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "password",
+					Order:       4,
 				},
 			},
 		},
diff --git a/pkg/connector/server_user.go b/pkg/connector/server_user.go
@@ -87,7 +87,7 @@ func (d *userPrincipalSyncer) Grants(ctx context.Context, resource *v2.Resource,
 	return nil, "", nil, nil
 }
 
-// CreateAccount creates a SQL Server login for an Active Directory user without adding database users.
+// CreateAccount creates a SQL Server login based on the specified login type.
 // It implements the AccountManager interface.
 func (d *userPrincipalSyncer) CreateAccount(
 	ctx context.Context,
@@ -96,42 +96,72 @@ func (d *userPrincipalSyncer) CreateAccount(
 ) (connectorbuilder.CreateAccountResponse, []*v2.PlaintextData, annotations.Annotations, error) {
 	l := ctxzap.Extract(ctx)
 
+	// Extract required login_type field from profile
+	loginTypeVal := accountInfo.Profile.GetFields()["login_type"]
+	if loginTypeVal == nil || loginTypeVal.GetStringValue() == "" {
+		return nil, nil, nil, fmt.Errorf("missing required login_type field")
+	}
+	loginTypeStr := loginTypeVal.GetStringValue()
+	loginType := mssqldb.LoginType(loginTypeStr)
+
 	// Extract required username field from profile
 	usernameVal := accountInfo.Profile.GetFields()["username"]
 	if usernameVal == nil || usernameVal.GetStringValue() == "" {
 		return nil, nil, nil, fmt.Errorf("missing required username field")
 	}
 	username := usernameVal.GetStringValue()
 
-	// Extract optional domain field from profile
-	var domain string
-	domainVal := accountInfo.Profile.GetFields()["domain"]
-	if domainVal != nil && domainVal.GetStringValue() != "" {
-		domain = domainVal.GetStringValue()
-	}
+	// Extract optional domain field (for Windows auth) or password (for SQL auth)
+	var domain, password string
+	var formattedUsername string
 
-	// Create the Windows login
-	err := d.client.CreateWindowsLogin(ctx, domain, username)
-	if err != nil {
-		l.Error("Failed to create Windows login", zap.Error(err))
-		return nil, nil, nil, fmt.Errorf("failed to create Windows login: %w", err)
-	}
+	switch loginType {
+	case mssqldb.LoginTypeWindows:
+		// For Windows auth, extract domain
+		domainVal := accountInfo.Profile.GetFields()["domain"]
+		if domainVal != nil && domainVal.GetStringValue() != "" {
+			domain = domainVal.GetStringValue()
+		}
 
-	// Determine the formatted username for the login
-	var formattedUsername string
-	if domain != "" {
-		formattedUsername = fmt.Sprintf("%s\\%s", domain, username)
-	} else {
+		if domain != "" {
+			formattedUsername = fmt.Sprintf("%s\\%s", domain, username)
+		} else {
+			formattedUsername = username
+		}
+	case mssqldb.LoginTypeSQL:
+		// For SQL auth, extract password
+		passwordVal := accountInfo.Profile.GetFields()["password"]
+		if passwordVal == nil || passwordVal.GetStringValue() == "" {
+			return nil, nil, nil, fmt.Errorf("missing required password field for SQL Server authentication")
+		}
+		password = passwordVal.GetStringValue()
+		formattedUsername = username
+	case mssqldb.LoginTypeAzureAD, mssqldb.LoginTypeEntraID:
+		// For Azure AD or Entra ID, just use the username as is
 		formattedUsername = username
+	default:
+		return nil, nil, nil, fmt.Errorf("unsupported login type: %s", loginType)
+	}
+
+	// Create the login
+	err := d.client.CreateLogin(ctx, loginType, domain, username, password)
+	if err != nil {
+		l.Error("Failed to create login", zap.Error(err), zap.String("loginType", string(loginType)))
+		return nil, nil, nil, fmt.Errorf("failed to create login: %w", err)
 	}
 
 	// Create a resource for the newly created login
 	profile := map[string]interface{}{
 		"username":        username,
-		"domain":          domain,
+		"login_type":      string(loginType),
 		"formatted_login": formattedUsername,
 	}
 
+	// Add domain if it exists (for Windows auth)
+	if domain != "" {
+		profile["domain"] = domain
+	}
+
 	// Use email as name if it looks like an email address
 	var userOpts []resource.UserTraitOption
 	userOpts = append(userOpts, resource.WithUserProfile(profile))
diff --git a/pkg/mssqldb/users.go b/pkg/mssqldb/users.go
@@ -307,34 +307,87 @@ CREATE USER [%s] FOR LOGIN [%s];
 	return nil
 }
 
-// CreateWindowsLogin creates a SQL Server login from Windows AD for the specified domain and username.
-// If domain is provided, it will create the login in the format [DOMAIN\Username],
-// otherwise it will use just [Username].
-func (c *Client) CreateWindowsLogin(ctx context.Context, domain, username string) error {
+// LoginType represents the SQL Server login type.
+type LoginType string
+
+const (
+	// LoginTypeWindows represents Windows authentication.
+	LoginTypeWindows LoginType = "WINDOWS"
+	// LoginTypeSQL represents SQL Server authentication.
+	LoginTypeSQL LoginType = "SQL"
+	// LoginTypeAzureAD represents Azure AD authentication.
+	LoginTypeAzureAD LoginType = "AZURE_AD"
+	// LoginTypeEntraID represents Azure Entra ID authentication.
+	LoginTypeEntraID LoginType = "ENTRA_ID"
+)
+
+// CreateLogin creates a SQL Server login with the specified authentication type.
+// For Windows authentication (loginType=WINDOWS):
+//   - If domain is provided, it will create the login in the format [DOMAIN\Username]
+//   - otherwise it will use just [Username]
+//
+// For SQL authentication (loginType=SQL):
+//   - It requires a password
+//   - Domain is ignored
+//
+// For Azure AD authentication (loginType=AZURE_AD):
+//   - It creates from EXTERNAL PROVIDER
+//   - Username should be the full Azure AD username/email
+//
+// For Entra ID authentication (loginType=ENTRA_ID):
+//   - It creates from EXTERNAL PROVIDER
+//   - Username should be the full Entra ID username/email
+func (c *Client) CreateLogin(ctx context.Context, loginType LoginType, domain, username, password string) error {
 	l := ctxzap.Extract(ctx)
 
 	// Check for invalid characters to prevent SQL injection
 	if (domain != "" && strings.ContainsAny(domain, "[]\"';")) || strings.ContainsAny(username, "[]\"';") {
 		return fmt.Errorf("invalid characters in domain or username")
 	}
 
-	var loginName string
-	if domain != "" {
-		loginName = fmt.Sprintf("[%s\\%s]", domain, username)
-		l.Debug("creating windows login with domain", zap.String("login", loginName))
-	} else {
-		loginName = fmt.Sprintf("[%s]", username)
-		l.Debug("creating windows login without domain", zap.String("login", loginName))
+	var query string
+	switch loginType {
+	case LoginTypeWindows:
+		var loginName string
+		if domain != "" {
+			loginName = fmt.Sprintf("[%s\\%s]", domain, username)
+			l.Debug("creating windows login with domain", zap.String("login", loginName))
+		} else {
+			loginName = fmt.Sprintf("[%s]", username)
+			l.Debug("creating windows login without domain", zap.String("login", loginName))
+		}
+		query = fmt.Sprintf("CREATE LOGIN %s FROM WINDOWS;", loginName)
+	case LoginTypeSQL:
+		if password == "" {
+			return fmt.Errorf("password is required for SQL Server authentication")
+		}
+		// For SQL Server authentication, only username and password are used
+		loginName := fmt.Sprintf("[%s]", username)
+		l.Debug("creating SQL login", zap.String("login", loginName))
+		query = fmt.Sprintf("CREATE LOGIN %s WITH PASSWORD = '%s';", loginName, password)
+	case LoginTypeAzureAD, LoginTypeEntraID:
+		// Azure AD and Entra ID use external provider
+		loginName := fmt.Sprintf("[%s]", username)
+		l.Debug("creating external provider login", zap.String("login", loginName), zap.String("type", string(loginType)))
+		query = fmt.Sprintf("CREATE LOGIN %s FROM EXTERNAL PROVIDER;", loginName)
+	default:
+		return fmt.Errorf("unsupported login type: %s", loginType)
 	}
 
-	query := fmt.Sprintf("CREATE LOGIN %s FROM WINDOWS;", loginName)
-
 	l.Debug("SQL QUERY", zap.String("q", query))
 
 	_, err := c.db.ExecContext(ctx, query)
 	if err != nil {
-		return fmt.Errorf("failed to create Windows login: %w", err)
+		return fmt.Errorf("failed to create login: %w", err)
 	}
 
 	return nil
 }
+
+// CreateWindowsLogin creates a SQL Server login from Windows AD for the specified domain and username.
+// If domain is provided, it will create the login in the format [DOMAIN\Username],
+// otherwise it will use just [Username].
+// This is a convenience method that calls CreateLogin with LoginTypeWindows.
+func (c *Client) CreateWindowsLogin(ctx context.Context, domain, username string) error {
+	return c.CreateLogin(ctx, LoginTypeWindows, domain, username, "")
+}
