Merge pull request #24 from ConductorOne/jirwin/multiple-entitlements-grants

Add support for multiple entitlements or grants per query

Author: jirwin

examples/wordpress.yml

@@ -77,10 +77,10 @@ resource_types:
           WHERE um.meta_key = 'wp_capabilities'
           LIMIT ?<Limit> OFFSET ?<Offset>
         map:
-          skip_if: "(size(phpDeserializeStringArray(string(.role_name))) < 1 || phpDeserializeStringArray(string(.role_name))[0] != resource.ID)"
-          principal_id: ".user_id"
-          principal_type: "user"
-          entitlement_id: "member"
+          - skip_if: "(size(phpDeserializeStringArray(string(.role_name))) < 1 || phpDeserializeStringArray(string(.role_name))[0] != resource.ID)"
+            principal_id: ".user_id"
+            principal_type: "user"
+            entitlement_id: "member"
         pagination:
           strategy: "offset"
           primary_key: "user_id"

pkg/bsql/config.go

@@ -9,9 +9,10 @@ import (
 )
 
 type Config struct {
-	AppName       string                  `yaml:"app_name" json:"app_name"`
-	Connect       DatabaseConfig          `yaml:"connect" json:"connect"`
-	ResourceTypes map[string]ResourceType `yaml:"resource_types" json:"resource_types"`
+	AppName        string                  `yaml:"app_name" json:"app_name"`
+	AppDescription string                  `yaml:"app_description" json:"app_description"`
+	Connect        DatabaseConfig          `yaml:"connect" json:"connect"`
+	ResourceTypes  map[string]ResourceType `yaml:"resource_types" json:"resource_types"`
 }
 
 type DatabaseConfig struct {
@@ -86,9 +87,9 @@ type Pagination struct {
 }
 
 type EntitlementsQuery struct {
-	Query      string              `yaml:"query" json:"query"`
-	Pagination *Pagination         `yaml:"pagination" json:"pagination"`
-	Map        *EntitlementMapping `yaml:"map" json:"map"`
+	Query      string                `yaml:"query" json:"query"`
+	Pagination *Pagination           `yaml:"pagination" json:"pagination"`
+	Map        []*EntitlementMapping `yaml:"map" json:"map"`
 }
 
 type EntitlementMapping struct {
@@ -103,9 +104,9 @@ type EntitlementMapping struct {
 }
 
 type GrantsQuery struct {
-	Query      string        `yaml:"query" json:"query"`
-	Pagination *Pagination   `yaml:"pagination" json:"pagination"`
-	Map        *GrantMapping `yaml:"map" json:"map"`
+	Query      string          `yaml:"query" json:"query"`
+	Pagination *Pagination     `yaml:"pagination" json:"pagination"`
+	Map        []*GrantMapping `yaml:"map" json:"map"`
 }
 
 type GrantMapping struct {

pkg/bsql/config_test.go

@@ -93,9 +93,9 @@ func TestParse(t *testing.T) {
 				// Validate `roleResourceType` grants
 				require.NotNil(t, roleResourceType.Grants)
 				require.Len(t, roleResourceType.Grants, 1)
-				require.Equal(t, ".user_id", roleResourceType.Grants[0].Map.PrincipalId)
-				require.Equal(t, "user", roleResourceType.Grants[0].Map.PrincipalType)
-				require.Equal(t, "member", roleResourceType.Grants[0].Map.Entitlement)
+				require.Equal(t, ".user_id", roleResourceType.Grants[0].Map[0].PrincipalId)
+				require.Equal(t, "user", roleResourceType.Grants[0].Map[0].PrincipalType)
+				require.Equal(t, "member", roleResourceType.Grants[0].Map[0].Entitlement)
 				require.Equal(t, "offset", roleResourceType.Grants[0].Pagination.Strategy)
 				require.Equal(t, "user_id", roleResourceType.Grants[0].Pagination.PrimaryKey)
 			},

pkg/bsql/entitlements.go

@@ -80,17 +80,17 @@ func (s *SQLSyncer) dynamicEntitlements(ctx context.Context, resource *v2.Resour
 	var ret []*v2.Entitlement
 
 	npt, err := s.runQuery(ctx, pToken, s.config.Entitlements.Query, s.config.Entitlements.Pagination, func(ctx context.Context, rowMap map[string]any) (bool, error) {
-		r, err := s.mapEntitlement(ctx, resource, rowMap)
-		if err != nil {
-			return false, err
-		}
-		// No error and no entitlement means we should skip this row
-		if r == nil {
-			return true, nil
-		}
+		for _, mapping := range s.config.Entitlements.Map {
+			r, ok, err := s.mapEntitlement(ctx, resource, mapping, rowMap)
+			if err != nil {
+				return false, err
+			}
 
-		r.Resource = resource
-		ret = append(ret, r)
+			if ok {
+				r.Resource = resource
+				ret = append(ret, r)
+			}
+		}
 		return true, nil
 	})
 	if err != nil {
@@ -100,7 +100,7 @@ func (s *SQLSyncer) dynamicEntitlements(ctx context.Context, resource *v2.Resour
 	return ret, npt, nil, nil
 }
 
-func (s *SQLSyncer) mapEntitlement(ctx context.Context, resource *v2.Resource, rowMap map[string]any) (*v2.Entitlement, error) {
+func (s *SQLSyncer) mapEntitlement(ctx context.Context, resource *v2.Resource, mappings *EntitlementMapping, rowMap map[string]any) (*v2.Entitlement, bool, error) {
 	ret := &v2.Entitlement{}
 
 	inputs := s.env.BaseInputsWithResource(rowMap, resource)
@@ -111,48 +111,46 @@ func (s *SQLSyncer) mapEntitlement(ctx context.Context, resource *v2.Resource, r
 		"DisplayName":    resource.DisplayName,
 	}
 
-	mappings := s.config.Entitlements.Map
-
 	if mappings.SkipIf != "" {
 		skip, err := s.env.EvaluateBool(ctx, mappings.SkipIf, inputs)
 		if err != nil {
-			return nil, err
+			return nil, false, err
 		}
 
 		if skip {
-			return nil, nil
+			return nil, false, nil
 		}
 	}
 
 	if mappings.Id == "" {
-		return nil, fmt.Errorf("entitlements mapping id is required")
+		return nil, false, fmt.Errorf("entitlements mapping id is required")
 	}
 	v, err := s.env.EvaluateString(ctx, mappings.Id, inputs)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	ret.Id = sdkEntitlement.NewEntitlementID(resource, v)
 
 	if mappings.DisplayName == "" {
-		return nil, fmt.Errorf("entitlements mapping display_name is required")
+		return nil, false, fmt.Errorf("entitlements mapping display_name is required")
 	}
 	v, err = s.env.EvaluateString(ctx, mappings.DisplayName, inputs)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	ret.DisplayName = v
 
 	if mappings.Description != "" {
 		v, err = s.env.EvaluateString(ctx, mappings.Description, inputs)
 		if err != nil {
-			return nil, err
+			return nil, false, err
 		}
 		ret.Description = v
 	}
 
 	resourceTypes, err := s.fullConfig.GetResourceTypes(ctx)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	for _, rt := range mappings.GrantableTo {
 		for _, r := range resourceTypes {
@@ -164,19 +162,19 @@ func (s *SQLSyncer) mapEntitlement(ctx context.Context, resource *v2.Resource, r
 
 	// TODO(jirwin): Should entitlement slugs be required?
 	if mappings.Slug == "" {
-		return nil, fmt.Errorf("entitlements mapping slug is required")
+		return nil, false, fmt.Errorf("entitlements mapping slug is required")
 	}
 	v, err = s.env.EvaluateString(ctx, mappings.Slug, inputs)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	ret.Slug = v
 
 	var purpose string
 	if mappings.Purpose != "" {
 		purpose, err = s.env.EvaluateString(ctx, mappings.Purpose, inputs)
 		if err != nil {
-			return nil, err
+			return nil, false, err
 		}
 	}
 	switch purpose {
@@ -194,5 +192,5 @@ func (s *SQLSyncer) mapEntitlement(ctx context.Context, resource *v2.Resource, r
 	}
 	ret.Annotations = annos
 
-	return ret, nil
+	return ret, true, nil
 }

pkg/bsql/grants.go

@@ -76,12 +76,15 @@ func (s *SQLSyncer) listGrants(ctx context.Context, resource *v2.Resource, pToke
 	var ret []*v2.Grant
 
 	npt, err := s.runQuery(ctx, pToken, grantConfig.Query, grantConfig.Pagination, func(ctx context.Context, rowMap map[string]any) (bool, error) {
-		g, ok, err := s.mapGrant(ctx, resource, grantConfig.Map, rowMap)
-		if err != nil {
-			return false, err
-		}
-		if ok {
-			ret = append(ret, g)
+		for _, mapping := range grantConfig.Map {
+			g, ok, err := s.mapGrant(ctx, resource, mapping, rowMap)
+			if err != nil {
+				return false, err
+			}
+
+			if ok {
+				ret = append(ret, g)
+			}
 		}
 		return true, nil
 	})

pkg/connector/connector.go

@@ -51,10 +51,19 @@ func (c *Connector) Asset(ctx context.Context, asset *v2.AssetRef) (string, io.R
 
 // Metadata returns metadata about the connector.
 func (c *Connector) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
-	return &v2.ConnectorMetadata{
+	md := &v2.ConnectorMetadata{
 		DisplayName: "Generic SQL Connector",
 		Description: "A baton connector that allows you to sync from an arbitrary SQL database",
-	}, nil
+	}
+
+	if c.config.AppName != "" {
+		md.DisplayName = c.config.AppName
+	}
+
+	if c.config.AppDescription != "" {
+		md.Description = c.config.AppDescription
+	}
+	return md, nil
 }
 
 // Validate is called to ensure that the connector is properly configured. It should exercise any API credentials