Wire in BatonID matching for database roles

johnallers · johnallers · commit 903fc1b61798 · 2025-07-30T11:54:53.000-04:00
diff --git a/pkg/connector/database_role.go b/pkg/connector/database_role.go
@@ -217,7 +217,12 @@ func (d *databaseRolePrincipalSyncer) Grants(
 				return nil, "", nil, fmt.Errorf("invalid state: principalID is nil")
 			}
 
-			ret = append(ret, grTypes.NewGrant(resource, "member", principalID))
+			grantOpts, err := BuildBatonIDGrantOptions(principalID, dbPrincipal.Type, dbPrincipal.Name)
+			if err != nil {
+				return nil, "", nil, err
+			}
+
+			ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...))
 		}
 
 		visited[b.ResourceID()] = true
diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go
@@ -179,7 +179,7 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res
 				return nil, "", nil, err
 			}
 
-			grantOpts, err := BuildBatonIDGrantOptions(principalID, principal)
+			grantOpts, err := BuildBatonIDGrantOptions(principalID, principal.Type, principal.Name)
 			if err != nil {
 				return nil, "", nil, err
 			}
@@ -201,10 +201,10 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res
 	return ret, npt, nil, nil
 }
 
-func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.RolePrincipalModel) ([]grTypes.GrantOption, error) {
+func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principalType string, principalName string) ([]grTypes.GrantOption, error) {
 	grantOpts := []grTypes.GrantOption{}
 
-	switch principal.Type {
+	switch principalType {
 	case "G": // Configure BatonID matching for Active Directory groups
 		gr := &v2.Resource{
 			Id: principalID,
@@ -220,7 +220,7 @@ func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.Rol
 			grTypes.WithAnnotation(&v2.ExternalResourceMatch{
 				ResourceType: v2.ResourceType_TRAIT_GROUP,
 				Key:          "downlevel_logon_name",
-				Value:        principal.Name,
+				Value:        principalName,
 			}),
 			grTypes.WithAnnotation(&v2.GrantExpandable{
 				EntitlementIds: []string{bidEnt},
@@ -232,7 +232,7 @@ func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.Rol
 			grTypes.WithAnnotation(&v2.ExternalResourceMatch{
 				ResourceType: v2.ResourceType_TRAIT_USER,
 				Key:          "downlevel_logon_name",
-				Value:        principal.Name,
+				Value:        principalName,
 			}),
 		)
 	}

Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,12 @@ func (d *databaseRolePrincipalSyncer) Grants(`
`217`	`217`	`return nil, "", nil, fmt.Errorf("invalid state: principalID is nil")`
`218`	`218`	`}`
`219`	`219`
`220`		`- ret = append(ret, grTypes.NewGrant(resource, "member", principalID))`
	`220`	`+ grantOpts, err := BuildBatonIDGrantOptions(principalID, dbPrincipal.Type, dbPrincipal.Name)`
	`221`	`+ if err != nil {`
	`222`	`+ return nil, "", nil, err`
	`223`	`+ }`
	`224`	`+`
	`225`	`+ ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...))`
`221`	`226`	`}`
`222`	`227`
`223`	`228`	`visited[b.ResourceID()] = true`