[BB-610] Add account provisioning capability for SQL Server users

This commit adds the ability to create SQL Server logins from Windows AD accounts:
- Add CreateWindowsLogin method to create SQL Server logins from Windows authentication
- Implement AccountManager interface in userPrincipalSyncer
- Update baton_capabilities.json to include CREATE_ACCOUNT capability
- Add account creation schema with domain and username fields
- Update SDK dependencies

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: btipling

.gitignore

@@ -15,3 +15,5 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 dist/
+
+**/.claude/settings.local.json

baton_capabilities.json

@@ -67,13 +67,15 @@
         ]
       },
       "capabilities":  [
-        "CAPABILITY_SYNC"
+        "CAPABILITY_SYNC",
+        "CAPABILITY_CREATE_ACCOUNT"
       ]
     }
   ],
   "connectorCapabilities":  [
     "CAPABILITY_PROVISION",
-    "CAPABILITY_SYNC"
+    "CAPABILITY_SYNC",
+    "CAPABILITY_CREATE_ACCOUNT"
   ],
   "credentialDetails":  {}
 }

go.mod

@@ -3,7 +3,7 @@ module github.com/conductorone/baton-sql-server
 go 1.24.1
 
 require (
-	github.com/conductorone/baton-sdk v0.2.98
+	github.com/conductorone/baton-sdk v0.2.99
 	github.com/ennyjfrick/ruleguard-logfatal v0.0.2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/jmoiron/sqlx v1.3.5

go.sum

@@ -64,6 +64,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/conductorone/baton-sdk v0.2.98 h1:4kyfOPpujnZ3ZaNfxTY/LfFd41nHXBeek6APyyjSr4M=
 github.com/conductorone/baton-sdk v0.2.98/go.mod h1:nUgHSAf9P0lfamti5NlOSpeh1t99UNzMjIwf0I7n4/g=
+github.com/conductorone/baton-sdk v0.2.99 h1:klXBM3Qn8XmieDuV/ZVGa2k2ZlsrfK2gh5ygIsqrYsw=
+github.com/conductorone/baton-sdk v0.2.99/go.mod h1:nUgHSAf9P0lfamti5NlOSpeh1t99UNzMjIwf0I7n4/g=
 github.com/conductorone/dpop v0.2.3 h1:s91U3845GHQ6P6FWrdNr2SEOy1ES/jcFs1JtKSl2S+o=
 github.com/conductorone/dpop v0.2.3/go.mod h1:gyo8TtzB9SCFCsjsICH4IaLZ7y64CcrDXMOPBwfq/3s=
 github.com/conductorone/dpop/integrations/dpop_grpc v0.2.3 h1:kLMCNIh0Mo2vbvvkCmJ3ixsPbXEJ6HPcW53Ku9yje3s=

pkg/connector/connector.go

@@ -35,6 +35,30 @@ func (o *Mssqldb) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
 		DisplayName: fmt.Sprintf("Microsoft SQL Server (%s)", serverInfo.Name),
 		Annotations: annos,
 		Description: "Baton connector for Microsoft SQL Server connector",
+		AccountCreationSchema: &v2.ConnectorAccountCreationSchema{
+			FieldMap: map[string]*v2.ConnectorAccountCreationSchema_Field{
+				"domain": {
+					DisplayName: "Active Directory Domain",
+					Required:    false,
+					Description: "The Active Directory domain for the user (optional). If provided, the login will be created as [DOMAIN\\Username].",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "DOMAIN",
+					Order:       1,
+				},
+				"username": {
+					DisplayName: "Username",
+					Required:    true,
+					Description: "The Active Directory username for which to create a SQL Server login.",
+					Field: &v2.ConnectorAccountCreationSchema_Field_StringField{
+						StringField: &v2.ConnectorAccountCreationSchema_StringField{},
+					},
+					Placeholder: "username",
+					Order:       2,
+				},
+			},
+		},
 	}, nil
 }
 

pkg/connector/server_user.go

@@ -2,17 +2,22 @@ package connector
 
 import (
 	"context"
+	"fmt"
 	"net/mail"
 
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	_ "github.com/conductorone/baton-sdk/pkg/annotations"
+	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
 	enTypes "github.com/conductorone/baton-sdk/pkg/types/entitlement"
 	"github.com/conductorone/baton-sdk/pkg/types/resource"
 	"github.com/conductorone/baton-sql-server/pkg/mssqldb"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
+// userPrincipalSyncer implements both ResourceSyncer and AccountManager.
 type userPrincipalSyncer struct {
 	resourceType *v2.ResourceType
 	client       *mssqldb.Client
@@ -82,6 +87,130 @@ func (d *userPrincipalSyncer) Grants(ctx context.Context, resource *v2.Resource,
 	return nil, "", nil, nil
 }
 
+// CreateAccount creates a SQL Server login and database user for an Active Directory user.
+// It implements the AccountManager interface.
+func (d *userPrincipalSyncer) CreateAccount(
+	ctx context.Context,
+	accountInfo *v2.AccountInfo,
+	credentialOptions *v2.CredentialOptions,
+) (connectorbuilder.CreateAccountResponse, []*v2.PlaintextData, annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	// Extract required username field from profile
+	usernameVal := accountInfo.Profile.GetFields()["username"]
+	if usernameVal == nil || usernameVal.GetStringValue() == "" {
+		return nil, nil, nil, fmt.Errorf("missing required username field")
+	}
+	username := usernameVal.GetStringValue()
+
+	// Extract optional domain field from profile
+	var domain string
+	domainVal := accountInfo.Profile.GetFields()["domain"]
+	if domainVal != nil && domainVal.GetStringValue() != "" {
+		domain = domainVal.GetStringValue()
+	}
+
+	// Create the Windows login
+	err := d.client.CreateWindowsLogin(ctx, domain, username)
+	if err != nil {
+		l.Error("Failed to create Windows login", zap.Error(err))
+		return nil, nil, nil, fmt.Errorf("failed to create Windows login: %w", err)
+	}
+
+	// Determine the formatted username for the database user
+	var formattedUsername string
+	if domain != "" {
+		formattedUsername = fmt.Sprintf("%s\\%s", domain, username)
+	} else {
+		formattedUsername = username
+	}
+
+	// Get list of databases to create users in
+	databases, _, err := d.client.ListDatabases(ctx, &mssqldb.Pager{})
+	if err != nil {
+		l.Error("Failed to retrieve databases", zap.Error(err))
+		errMsg := fmt.Sprintf("Login created successfully, but failed to retrieve databases: %v", err)
+		result := &v2.CreateAccountResponse_ActionRequiredResult{
+			Message:               errMsg,
+			IsCreateAccountResult: true,
+		}
+		return result, nil, nil, nil
+	}
+
+	// Create user in each database
+	var dbsCreated []string
+	for _, db := range databases {
+		// Skip system databases
+		if db.Name == "master" || db.Name == "tempdb" || db.Name == "model" || db.Name == "msdb" {
+			continue
+		}
+
+		err = d.client.CreateDatabaseUserForPrincipal(ctx, db.Name, formattedUsername)
+		if err != nil {
+			l.Error("Failed to create user in database",
+				zap.String("database", db.Name),
+				zap.String("user", formattedUsername),
+				zap.Error(err))
+			errMsg := fmt.Sprintf("Login created successfully, but failed to create user in some databases: %v", err)
+			result := &v2.CreateAccountResponse_ActionRequiredResult{
+				Message:               errMsg,
+				IsCreateAccountResult: true,
+			}
+			return result, nil, nil, nil
+		}
+		dbsCreated = append(dbsCreated, db.Name)
+	}
+
+	// Create a resource for the newly created login
+	profile := map[string]interface{}{
+		"username":        username,
+		"domain":          domain,
+		"formatted_login": formattedUsername,
+		"databases":       dbsCreated,
+	}
+
+	// Use email as name if it looks like an email address
+	var userOpts []resource.UserTraitOption
+	userOpts = append(userOpts, resource.WithUserProfile(profile))
+	userOpts = append(userOpts, resource.WithStatus(v2.UserTrait_Status_STATUS_ENABLED))
+
+	if _, err = mail.ParseAddress(username); err == nil {
+		userOpts = append(userOpts, resource.WithEmail(username, true))
+	}
+
+	// Create a resource object to represent the user
+	resource, err := resource.NewUserResource(
+		formattedUsername,
+		d.ResourceType(ctx),
+		formattedUsername, // Use the formatted username as the ID
+		userOpts,
+	)
+	if err != nil {
+		l.Error("Failed to create resource for new user", zap.Error(err))
+		return nil, nil, nil, fmt.Errorf("failed to create resource for new user: %w", err)
+	}
+
+	// Return success result with the new user resource
+	successResult := &v2.CreateAccountResponse_SuccessResult{
+		Resource:              resource,
+		IsCreateAccountResult: true,
+	}
+
+	return successResult, nil, nil, nil
+}
+
+// CreateAccountCapabilityDetails returns the capability details for account creation.
+func (d *userPrincipalSyncer) CreateAccountCapabilityDetails(
+	ctx context.Context,
+) (*v2.CredentialDetailsAccountProvisioning, annotations.Annotations, error) {
+	return &v2.CredentialDetailsAccountProvisioning{
+		SupportedCredentialOptions: []v2.CapabilityDetailCredentialOption{
+			v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD,
+		},
+		PreferredCredentialOption: v2.CapabilityDetailCredentialOption_CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD,
+	}, nil, nil
+}
+
 func newUserPrincipalSyncer(ctx context.Context, c *mssqldb.Client) *userPrincipalSyncer {
 	return &userPrincipalSyncer{
 		resourceType: resourceTypeUser,

pkg/mssqldb/users.go

@@ -306,3 +306,35 @@ CREATE USER [%s] FOR LOGIN [%s];
 
 	return nil
 }
+
+// CreateWindowsLogin creates a SQL Server login from Windows AD for the specified domain and username.
+// If domain is provided, it will create the login in the format [DOMAIN\Username],
+// otherwise it will use just [Username].
+func (c *Client) CreateWindowsLogin(ctx context.Context, domain, username string) error {
+	l := ctxzap.Extract(ctx)
+
+	// Check for invalid characters to prevent SQL injection
+	if (domain != "" && strings.ContainsAny(domain, "[]\"';")) || strings.ContainsAny(username, "[]\"';") {
+		return fmt.Errorf("invalid characters in domain or username")
+	}
+
+	var loginName string
+	if domain != "" {
+		loginName = fmt.Sprintf("[%s\\%s]", domain, username)
+		l.Debug("creating windows login with domain", zap.String("login", loginName))
+	} else {
+		loginName = fmt.Sprintf("[%s]", username)
+		l.Debug("creating windows login without domain", zap.String("login", loginName))
+	}
+
+	query := fmt.Sprintf("CREATE LOGIN %s FROM WINDOWS;", loginName)
+
+	l.Debug("SQL QUERY", zap.String("q", query))
+
+	_, err := c.db.ExecContext(ctx, query)
+	if err != nil {
+		return fmt.Errorf("failed to create Windows login: %w", err)
+	}
+
+	return nil
+}