Merge pull request #20 from ConductorOne/goldschmidt/provisioning

Author: btipling

go.mod

@@ -2,8 +2,6 @@ module github.com/conductorone/baton-sql-server
 
 go 1.23.4
 
-toolchain go1.24.2
-
 require (
 	github.com/conductorone/baton-sdk v0.2.98
 	github.com/ennyjfrick/ruleguard-logfatal v0.0.2

pkg/connector/database.go

@@ -24,80 +24,6 @@ type databaseSyncer struct {
 	client       *mssqldb.Client
 }
 
-var databasePermissions = map[string]string{
-	"AADS": "Alter Any Database Event Session",
-	"AAMK": "Alter Any Mask",
-	"AEDS": "Alter Any External Data Source",
-	"AEFF": "Alter Any External File Format",
-	"AL":   "Alter",
-	"ALAK": "Alter Any Asymmetric Key",
-	"ALAR": "Alter Any Application Role",
-	"ALAS": "Alter Any Assembly",
-	"ALCF": "Alter Any Certificate",
-	"ALDS": "Alter Any Dataspace",
-	"ALED": "Alter Any Database Event Notification",
-	"ALFT": "Alter Any Fulltext Catalog",
-	"ALMT": "Alter Any Message Type",
-	"ALRL": "Alter Any Role",
-	"ALRT": "Alter Any Route",
-	"ALSB": "Alter Any Remote Service Binding",
-	"ALSC": "Alter Any Contract",
-	"ALSK": "Alter Any Symmetric Key",
-	"ALSM": "Alter Any Schema",
-	"ALSV": "Alter Any Service",
-	"ALTG": "Alter Any Database DDL Trigger",
-	"ALUS": "Alter Any User",
-	"AUTH": "Authenticate",
-	"BADB": "Backup Database",
-	"BALO": "Backup Log",
-	"CL":   "Control",
-	"CO":   "Connect",
-	"CORP": "Connect Replication",
-	"CP":   "Checkpoint",
-	"CRAG": "Create Aggregate",
-	"CRAK": "Create Asymmetric Key",
-	"CRAS": "Create Certificate",
-	"CRDB": "Create Fatabase",
-	"CRDF": "Create Default",
-	"CRED": "Create Database DDL Event Notification",
-	"CRFN": "Create Function",
-	"CRFT": "Create Fulltext Catalog",
-	"CRMT": "Create Message Type",
-	"CRPR": "Create Procedure",
-	"CRQU": "Create Queue",
-	"CRRL": "Create Role",
-	"CRRT": "Create Route",
-	"CRRU": "Create Rule",
-	"CRSB": "Create Remote Service Binding",
-	"CRSC": "Create contract",
-	"CRSK": "Create symmetric key",
-	"CRSM": "Create Schema",
-	"CRSN": "Create Synonym",
-	"CRSO": "Create Sequence",
-	"CRSV": "Create Service",
-	"CRTB": "Create Table",
-	"CRTY": "Create Type",
-	"CRVW": "Create View",
-	"CRXS": "Create XML Schema Collection",
-	"DL":   "Delete",
-	"DABO": "Administer Database Bulk Operations",
-	"EAES": "Execute Any External Script",
-	"EX":   "Execute",
-	"IN":   "Insert",
-	"RC":   "Receive Object",
-	"RF":   "References",
-	"SL":   "Select",
-	"SPLN": "Showplan",
-	"SUQN": "Subscribe Query Notifications",
-	"TO":   "Take Ownership",
-	"UP":   "Update",
-	"VW":   "View Definition",
-	"VWCK": "View Any Column Encryption Key Definition",
-	"VWCM": "View Any Column Master Key Definition",
-	"VWCT": "View Change Tracking",
-	"VWDS": "View Database State Database",
-}
-
 func (d *databaseSyncer) ResourceType(ctx context.Context) *v2.ResourceType {
 	return d.resourceType
 }
@@ -137,7 +63,7 @@ func (d *databaseSyncer) List(ctx context.Context, parentResourceID *v2.Resource
 func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource, pToken *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
 	var ret []*v2.Entitlement
 
-	for key, name := range databasePermissions {
+	for key, name := range mssqldb.DatabasePermissions {
 		grantSlug := fmt.Sprintf("%s (With Grant)", name)
 		ret = append(ret,
 			&v2.Entitlement{
@@ -146,13 +72,15 @@ func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource
 				Slug:        name,
 				Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 				Resource:    resource,
+				GrantableTo: []*v2.ResourceType{resourceTypeUser},
 			},
 			&v2.Entitlement{
 				Id:          enTypes.NewEntitlementID(resource, key+"-grant"),
 				DisplayName: grantSlug,
 				Slug:        grantSlug,
 				Purpose:     v2.Entitlement_PURPOSE_VALUE_PERMISSION,
 				Resource:    resource,
+				GrantableTo: []*v2.ResourceType{resourceTypeUser},
 			})
 	}
 
@@ -182,7 +110,7 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok
 		perms := strings.Split(p.Permissions, ",")
 		for _, perm := range perms {
 			perm = strings.TrimSpace(perm)
-			if _, ok := databasePermissions[perm]; ok {
+			if _, ok := mssqldb.DatabasePermissions[perm]; ok {
 				rt, err := resourceTypeFromDatabasePrincipal(p.PrincipalType)
 				if err != nil {
 					l.Error("unexpected principal type", zap.String("principal_type", p.PrincipalType))
@@ -232,6 +160,106 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok
 	return ret, nextPageToken, nil, nil
 }
 
+func (d *databaseSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	if resource.Id.ResourceType != resourceTypeUser.Id {
+		return nil, nil, fmt.Errorf("resource type %s is not supported for granting", resource.Id.ResourceType)
+	}
+
+	splitId := strings.Split(entitlement.Id, ":")
+	if len(splitId) != 3 {
+		return nil, nil, fmt.Errorf("unexpected entitlement id: %s", entitlement.Id)
+	}
+
+	dbId, err := strconv.ParseInt(splitId[1], 10, 64)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unexpected database id: %s", splitId[1])
+	}
+
+	permission := splitId[2]
+	isGrant := strings.Contains(permission, "-grant")
+	if isGrant {
+		permission = strings.Replace(permission, "-grant", "", 1)
+	}
+
+	database, err := d.client.GetDatabase(ctx, dbId)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	user, err := d.client.GetUserPrincipal(ctx, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbUser, err := d.client.GetUserFromDb(ctx, database.Name, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if dbUser == nil {
+		l.Info("user not found in database, creating user for principal", zap.String("user", resource.Id.Resource))
+
+		err = d.client.CreateDatabaseUserForPrincipal(ctx, database.Name, user.Name)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	err = d.client.GrantPermissionOnDatabase(ctx, permission, database.Name, user.Name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	entitlementName := permission
+	if isGrant {
+		entitlementName = permission + "-grant"
+	}
+
+	newGrant := grTypes.NewGrant(resource, entitlementName, &v2.ResourceId{
+		Resource:     user.ID,
+		ResourceType: resourceTypeUser.Id,
+	})
+
+	return []*v2.Grant{newGrant}, nil, nil
+}
+
+func (d *databaseSyncer) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+
+	if grant.Principal.Id.ResourceType != resourceTypeUser.Id {
+		return nil, fmt.Errorf("resource type %s is not supported for revoking", grant.Principal.Id.ResourceType)
+	}
+
+	splitId := strings.Split(grant.Entitlement.Id, ":")
+
+	dbId, err := strconv.ParseInt(splitId[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("unexpected database id: %s", splitId[1])
+	}
+
+	permission := strings.Replace(splitId[2], "-grant", "", 1)
+
+	database, err := d.client.GetDatabase(ctx, dbId)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := d.client.GetUserPrincipal(ctx, grant.Principal.Id.Resource)
+	if err != nil {
+		return nil, err
+	}
+
+	err = d.client.RevokePermissionOnDatabase(ctx, permission, database.Name, user.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	l.Debug("revoked permission", zap.String("permission", permission), zap.String("user", user.Name), zap.String("database", database.Name))
+	return nil, nil
+}
+
 func newDatabaseSyncer(ctx context.Context, c *mssqldb.Client) *databaseSyncer {
 	return &databaseSyncer{
 		resourceType: resourceTypeDatabase,

pkg/connector/database_role.go

@@ -233,6 +233,95 @@ func (d *databaseRolePrincipalSyncer) Grants(
 	return ret, npt, nil, nil
 }
 
+func (d *databaseRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	var err error
+
+	l := ctxzap.Extract(ctx)
+
+	if resource.Id.ResourceType != resourceTypeUser.Id {
+		return nil, nil, fmt.Errorf("resource type %s is not supported for granting", resource.Id.ResourceType)
+	}
+
+	// database-role:baton_test:6:member
+	splitId := strings.Split(entitlement.Id, ":")
+	if len(splitId) != 4 {
+		return nil, nil, fmt.Errorf("unexpected entitlement id: %s", entitlement.Id)
+	}
+
+	dbName := splitId[1]
+	roleId := splitId[2]
+
+	var role *mssqldb.RoleModel
+
+	role, err = d.client.GetDatabaseRole(ctx, dbName, roleId)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	dbUser, err := d.client.GetUserFromDb(ctx, dbName, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if dbUser == nil {
+		l.Info("user not found in database, creating user for principal", zap.String("user", resource.Id.Resource))
+
+		user, err := d.client.GetUserPrincipal(ctx, resource.Id.Resource)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		err = d.client.CreateDatabaseUserForPrincipal(ctx, dbName, user.Name)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	err = d.client.AddUserToDatabaseRole(ctx, role.Name, dbName, resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	grants := []*v2.Grant{
+		grTypes.NewGrant(resource, "member", &v2.ResourceId{
+			Resource:     resource.Id.Resource,
+			ResourceType: resourceTypeUser.Id,
+		}),
+	}
+
+	return grants, nil, nil
+}
+
+func (d *databaseRolePrincipalSyncer) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	userId := grant.Principal.Id.Resource
+
+	user, err := d.client.GetUserPrincipal(ctx, userId)
+	if err != nil {
+		return nil, err
+	}
+
+	// database-role:baton_test:6:member
+	splitId := strings.Split(grant.Entitlement.Id, ":")
+	if len(splitId) != 4 {
+		return nil, fmt.Errorf("unexpected entitlement id: %s", grant.Entitlement.Id)
+	}
+
+	dbName := splitId[1]
+	roleId := splitId[2]
+
+	role, err := d.client.GetDatabaseRole(ctx, dbName, roleId)
+	if err != nil {
+		return nil, err
+	}
+
+	err = d.client.RevokeUserToDatabaseRole(ctx, role.Name, dbName, user.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, err
+}
+
 func newDatabaseRolePrincipalSyncer(ctx context.Context, c *mssqldb.Client) *databaseRolePrincipalSyncer {
 	return &databaseRolePrincipalSyncer{
 		resourceType: resourceTypeDatabaseRole,