fix namespace entitlement grant logic (#32)

ennyjfrick · web-flow · commit b049fb390eec · 2025-01-06T11:53:14.000-08:00
* use entitlement ID for namespace roles

* do not attempt to grant an additional account role when a user has an immutable role
diff --git a/pkg/connector/account_roles.go b/pkg/connector/account_roles.go
@@ -147,6 +147,12 @@ func (o *accountRoleBuilder) Grant(ctx context.Context, principal *v2.Resource,
 		return nil, nil, fmt.Errorf("temporalcloud-connnector: couldn't retrieve user: %w", err)
 	}
 
+	currRole := userResp.GetUser().GetSpec().GetAccess().GetAccountAccess().GetRole()
+	if slices.Contains(immutableAccountRoles, currRole) {
+		zap.L().Info("temporalcloud-connector: user has immutable role, skipping grant", zap.String("user_id", userID))
+		return nil, nil, nil
+	}
+
 	newRole := accountAccessRoleFromID(accountRoleID, accountID)
 	if newRole == identityv1.AccountAccess_ROLE_UNSPECIFIED {
 		return nil, nil, fmt.Errorf("temporalcloud-connector: invalid account role %s", strings.TrimPrefix(accountRoleID, accountID+"-"))
diff --git a/pkg/connector/namespaces.go b/pkg/connector/namespaces.go
@@ -3,6 +3,7 @@ package connector
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
@@ -128,14 +129,20 @@ func (o *namespaceBuilder) Grants(ctx context.Context, resource *v2.Resource, pT
 }
 
 func (o *namespaceBuilder) Grant(ctx context.Context, principal *v2.Resource, e *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
-	nsRole := e.GetSlug()
 	entitlementID := e.GetId()
 	userID := principal.GetId().GetResource()
 	userType := principal.GetId().GetResourceType()
 	namespace := e.GetResource()
 	namespaceID := namespace.GetId().GetResource()
 	namespaceType := namespace.GetId().GetResourceType()
 
+	enIDParts := strings.Split(entitlementID, ":")
+	if len(enIDParts) != 3 {
+		return nil, nil, fmt.Errorf("temporalcloud-connector: invalid entitlement ID %s", entitlementID)
+	}
+
+	nsRole := enIDParts[2]
+
 	namespaceRole := namespaceAccessPermissionFromString(nsRole)
 	if namespaceRole == identityv1.NamespaceAccess_PERMISSION_UNSPECIFIED {
 		return nil, nil, fmt.Errorf("temporalcloud-connector: invalid namespace permission %s", nsRole)
