[BB-1029] Additional logging and improved Workato API error handling (#5)

* More debug logging

* Handle supported API errors

* Add sections for required client role permissions

* Stub disable-custom-roles-sync flag

* Only sync base roles with custom roles  sync is disabled

* fixup

* Handle folder sync when custom roles sync is disabled

* Update README.md

* Disable custom roles sync in ci

* Documention list custom roles permission

Author: johnallers

.github/workflows/ci.yaml

@@ -53,6 +53,7 @@ jobs:
       BATON_WORKATO_API_KEY: ${{ secrets.BATON_WORKATO_API_KEY }}
       BATON_CONNECTOR: ./baton-workato
       BATON_WORKATO_ENV: dev
+      BATON_DISABLE_CUSTOM_ROLES_SYNC: true
 
     steps:
       - name: Install Go

README.md

@@ -14,6 +14,18 @@ Check out [Baton](https://github.com/conductorone/baton) to learn more the proje
 
 You must be an Admin or have a role with access to API Clients.
 
+### Required Client Role permissions
+
+| Area         | Section              | Action                      | API Endpoint                       |
+|--------------|----------------------|-----------------------------|------------------------------------|
+| **Projects** | Projects & Folders   | List projects               | `GET /api/projects`                |
+|              | Projects & Folders   | List folders                | `GET /api/folders`                 |
+|              |                      | List custom roles           | `GET /api/roles`                   |
+| **Admin**    | Collaborators        | Get collaborators           | `GET /api/members`                 |
+|              | Collaborators        | Get collaborator            | `GET /api/members/:id`             |
+|              | Collaborators        | Update collaborator’s roles | `PUT /api/members/:id`             |
+|              | Collaborators        | Get collaborator privileges | `GET /api/members/:id/privileges`  |
+
 ### Using Workato commercial platform:
 
 Generate an API KEY:
@@ -91,6 +103,7 @@ Available Commands:
 Flags:
       --client-id string             The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
       --client-secret string         The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
+      --disable-custom-roles-sync    Disable custom roles sync ($BATON_DISABLE_CUSTOM_ROLES_SYNC)
   -f, --file string                  The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
   -h, --help                         help for baton-workato
       --log-format string            The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")

cmd/baton-workato/conf/config.go

@@ -29,13 +29,20 @@ var (
 		field.WithDefaultValue("dev"),
 	)
 
+	DisableCustomRolesSync = field.BoolField(
+		"disable-custom-roles-sync",
+		field.WithDescription("Disable custom roles sync"),
+		field.WithDefaultValue(false),
+	)
+
 	// ConfigurationFields defines the external configuration required for the
 	// connector to run. Note: these fields can be marked as optional or
 	// required.
 	ConfigurationFields = []field.SchemaField{
 		ApiKeyField,
 		WorkatoDataCenterFiekd,
 		WorkatoEnv,
+		DisableCustomRolesSync,
 	}
 
 	// FieldRelationships defines relationships between the fields listed in

cmd/baton-workato/main.go

@@ -62,12 +62,14 @@ func getConnector(ctx context.Context, v *viper.Viper) (types.ConnectorServer, e
 		return nil, err
 	}
 
+	disableCustomRolesSync := v.GetBool(conf.DisableCustomRolesSync.FieldName)
+
 	workatoClient, err := client.NewWorkatoClient(ctx, key, dataCenterUrl)
 	if err != nil {
 		return nil, err
 	}
 
-	cb, err := connector.New(ctx, workatoClient, env)
+	cb, err := connector.New(ctx, workatoClient, env, disableCustomRolesSync)
 	if err != nil {
 		l.Error("error creating connector", zap.Error(err))
 		return nil, err

pkg/connector/client/colaborator.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -21,8 +23,8 @@ func (c *WorkatoClient) GetCollaborators(ctx context.Context) ([]Collaborator, e
 }
 
 func (c *WorkatoClient) GetCollaboratorPrivileges(ctx context.Context, id int) ([]*CollaboratorPrivilege, error) {
+	l := ctxzap.Extract(ctx)
 	var response CommonPagination[*CollaboratorPrivilege]
-
 	pathString := fmt.Sprintf(GetCollaboratorByIdPath, id)
 
 	err := c.doRequest(ctx, http.MethodGet, c.getPath(pathString), &response, nil)
@@ -31,6 +33,7 @@ func (c *WorkatoClient) GetCollaboratorPrivileges(ctx context.Context, id int) (
 	}
 
 	if len(response.Data) != 1 {
+		l.Warn("expected 1 collaborator, got %d. API client may have insufficient permissions", zap.Int("count", len(response.Data)))
 		return nil, status.Errorf(codes.NotFound, "baton-workato: expected 1 collaborator, got %d", len(response.Data))
 	}
 

pkg/connector/client/helpers.go

@@ -80,7 +80,9 @@ func (c *WorkatoClient) doRequest(ctx context.Context, method string, urlAddress
 
 	defer resp.Body.Close()
 
-	if resp.StatusCode == http.StatusNotFound || resp.StatusCode == http.StatusBadRequest {
+	// Handle supported API errors https://docs.workato.com/en/workato-api.html#http-response-codes
+	switch resp.StatusCode {
+	case http.StatusNotFound, http.StatusBadRequest, http.StatusUnauthorized, http.StatusForbidden, http.StatusInternalServerError:
 		return getError(err, resp)
 	}
 

pkg/connector/collaborator.go

@@ -9,6 +9,8 @@ import (
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	"github.com/conductorone/baton-sdk/pkg/pagination"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
 )
 
 type collaboratorBuilder struct {
@@ -22,6 +24,9 @@ func (o *collaboratorBuilder) ResourceType(ctx context.Context) *v2.ResourceType
 // List returns all the users from the database as resource objects.
 // Users include a UserTrait because they are the 'shape' of a standard user.
 func (o *collaboratorBuilder) List(ctx context.Context, parentResourceID *v2.ResourceId, pToken *pagination.Token) ([]*v2.Resource, string, annotations.Annotations, error) {
+	l := ctxzap.Extract(ctx)
+	l.Debug("Listing collaborators")
+
 	collaborators, err := o.client.GetCollaborators(ctx)
 	if err != nil {
 		return nil, "", nil, err

pkg/connector/connector.go

@@ -14,17 +14,18 @@ import (
 )
 
 type Connector struct {
-	client *client.WorkatoClient
-	env    workato.Environment
+	client                 *client.WorkatoClient
+	env                    workato.Environment
+	disableCustomRolesSync bool
 }
 
 // ResourceSyncers returns a ResourceSyncer for each resource type that should be synced from the upstream service.
 func (d *Connector) ResourceSyncers(ctx context.Context) []connectorbuilder.ResourceSyncer {
 	return []connectorbuilder.ResourceSyncer{
 		newCollaboratorBuilder(d.client),
 		newPrivilegeBuilder(d.client, d.env),
-		newRoleBuilder(d.client, d.env),
-		newFolderBuilder(d.client, d.env),
+		newRoleBuilder(d.client, d.env, d.disableCustomRolesSync),
+		newFolderBuilder(d.client, d.env, d.disableCustomRolesSync),
 		newProjectBuilder(d.client),
 	}
 }
@@ -50,9 +51,10 @@ func (d *Connector) Validate(ctx context.Context) (annotations.Annotations, erro
 }
 
 // New returns a new instance of the connector.
-func New(ctx context.Context, workatoClient *client.WorkatoClient, env workato.Environment) (*Connector, error) {
+func New(ctx context.Context, workatoClient *client.WorkatoClient, env workato.Environment, disableCustomRolesSync bool) (*Connector, error) {
 	return &Connector{
-		client: workatoClient,
-		env:    env,
+		client:                 workatoClient,
+		env:                    env,
+		disableCustomRolesSync: disableCustomRolesSync,
 	}, nil
 }

pkg/connector/folder.go

@@ -26,9 +26,10 @@ const (
 )
 
 type folderBuilder struct {
-	client    *client.WorkatoClient
-	cache     *collaboratorCache
-	roleCache *roleCache
+	client                 *client.WorkatoClient
+	cache                  *collaboratorCache
+	roleCache              *roleCache
+	disableCustomRolesSync bool
 }
 
 func (o *folderBuilder) ResourceType(ctx context.Context) *v2.ResourceType {
@@ -39,6 +40,7 @@ func (o *folderBuilder) ResourceType(ctx context.Context) *v2.ResourceType {
 // Users include a UserTrait because they are the 'shape' of a standard user.
 func (o *folderBuilder) List(ctx context.Context, parentResourceID *v2.ResourceId, pToken *pagination.Token) ([]*v2.Resource, string, annotations.Annotations, error) {
 	l := ctxzap.Extract(ctx)
+	l.Debug("Listing folders")
 
 	// Init cache
 	if pToken.Token == "" && parentResourceID == nil {
@@ -47,9 +49,11 @@ func (o *folderBuilder) List(ctx context.Context, parentResourceID *v2.ResourceI
 			return nil, "", nil, err
 		}
 
-		err = o.roleCache.buildCache(ctx)
-		if err != nil {
-			return nil, "", nil, err
+		if !o.disableCustomRolesSync {
+			err = o.roleCache.buildCache(ctx)
+			if err != nil {
+				return nil, "", nil, err
+			}
 		}
 	}
 
@@ -179,7 +183,7 @@ func (o *folderBuilder) Grants(ctx context.Context, resource *v2.Resource, pToke
 		}
 	}
 
-	if state.ResourceTypeID == roleResourceType.Id {
+	if state.ResourceTypeID == roleResourceType.Id && !o.disableCustomRolesSync {
 		folderId, err := strconv.Atoi(resource.Id.Resource)
 		if err != nil {
 			return nil, "", nil, err
@@ -213,11 +217,12 @@ func (o *folderBuilder) Grants(ctx context.Context, resource *v2.Resource, pToke
 	return rv, nextToken, nil, nil
 }
 
-func newFolderBuilder(client *client.WorkatoClient, env workato.Environment) *folderBuilder {
+func newFolderBuilder(client *client.WorkatoClient, env workato.Environment, disableCustomRolesSync bool) *folderBuilder {
 	return &folderBuilder{
-		client:    client,
-		cache:     newCollaboratorCache(client, env),
-		roleCache: newRoleCache(client),
+		client:                 client,
+		cache:                  newCollaboratorCache(client, env),
+		roleCache:              newRoleCache(client),
+		disableCustomRolesSync: disableCustomRolesSync,
 	}
 }
 

pkg/connector/privilege.go

@@ -34,6 +34,7 @@ func (o *privilegeBuilder) ResourceType(ctx context.Context) *v2.ResourceType {
 // Users include a UserTrait because they are the 'shape' of a standard user.
 func (o *privilegeBuilder) List(ctx context.Context, parentResourceID *v2.ResourceId, pToken *pagination.Token) ([]*v2.Resource, string, annotations.Annotations, error) {
 	l := ctxzap.Extract(ctx)
+	l.Debug("Listing privileges")
 
 	if pToken == nil || pToken.Token == "" {
 		err := o.cache.buildCache(ctx)
@@ -62,7 +63,7 @@ func (o *privilegeBuilder) List(ctx context.Context, parentResourceID *v2.Resour
 func (o *privilegeBuilder) Entitlements(_ context.Context, resource *v2.Resource, _ *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) {
 	var rv []*v2.Entitlement
 	assigmentOptions := []entitlement.EntitlementOption{
-		entitlement.WithGrantableTo(collaboratorResourceType, roleResourceType),
+		entitlement.WithGrantableTo(collaboratorResourceType),
 		entitlement.WithDescription(fmt.Sprintf("Assigned %s to scopes", collaboratorResourceType.DisplayName)),
 		entitlement.WithDisplayName(fmt.Sprintf("%s have %s`", collaboratorResourceType.DisplayName, resource.DisplayName)),
 	}