From ca7d8c2dcb88832b8c685ad059d3fb7d103dd945 Mon Sep 17 00:00:00 2001 From: John Allers Date: Mon, 19 May 2025 14:32:31 -0400 Subject: [PATCH 01/16] Create group resource for groups --- pkg/connector/group.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/connector/group.go b/pkg/connector/group.go index 139e7859..847f955b 100644 --- a/pkg/connector/group.go +++ b/pkg/connector/group.go @@ -32,7 +32,7 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re var ret []*v2.Resource for _, principalModel := range principals { - r, err := resource.NewUserResource( + r, err := resource.NewGroupResource( principalModel.Name, d.ResourceType(ctx), principalModel.ID, From cbd9b14b7ce5190bc257a8a05f09b7d44da37e42 Mon Sep 17 00:00:00 2001 From: John Allers Date: Tue, 22 Jul 2025 13:44:26 -0400 Subject: [PATCH 02/16] fix group trait --- pkg/connector/resource_types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index c58a57d2..bfba5672 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go @@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_USER}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From 12b8ae3c518de52d569985d987b78b3f836df767 Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 23 Jul 2025 08:25:46 -0400 Subject: [PATCH 03/16] add group trait --- pkg/connector/resource_types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index bfba5672..3dba2a44 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go 
@@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_USER, v2.ResourceType_TRAIT_GROUP}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From 67a39195ca0715ac10d590139890e5002ccefe7a Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 23 Jul 2025 13:22:17 -0400 Subject: [PATCH 04/16] Apply group and user traits to groups --- pkg/connector/group.go | 23 +++++++++++++++++++++-- pkg/connector/resource_types.go | 2 +- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/pkg/connector/group.go b/pkg/connector/group.go index 847f955b..8879f1a5 100644 --- a/pkg/connector/group.go +++ b/pkg/connector/group.go @@ -32,13 +32,32 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re var ret []*v2.Resource for _, principalModel := range principals { - r, err := resource.NewGroupResource( + var annos annotations.Annotations + + traitOptions := []resource.UserTraitOption{ + resource.WithStatus(v2.UserTrait_Status_STATUS_ENABLED), + } + + ut, err := resource.NewUserTrait(traitOptions...) + if err != nil { + return nil, "", nil, err + } + annos.Update(ut) + + gt, err := resource.NewGroupTrait() + if err != nil { + return nil, "", nil, err + } + annos.Update(gt) + + r, err := resource.NewResource( principalModel.Name, d.ResourceType(ctx), principalModel.ID, - nil, resource.WithParentResourceID(parentResourceID), ) + r.Annotations = annos + if err != nil { return nil, "", nil, err } diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index 3dba2a44..4e91fc26 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go 
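Review bot: `r.Annotations = annos` is executed before the `if err != nil` check that follows it, so when resource.NewResource fails and hands back a nil resource (presumably what it does on error) the assignment dereferences nil and panics instead of returning the error; move it below the check, `if err != nil { return nil, "", nil, err }` then `r.Annotations = annos`. The hand-built user and group trait annotations also duplicate what the resource options offer — patch 07 in this series passes `resource.WithUserTrait(...)` for the same purpose and `resource.WithGroupTrait()` is its counterpart — and the plain assignment replaces rather than appends to whatever annotations NewResource attached. Patch 05 removes this block again, so this matters only if the intermediate commit is kept. The enclosing List method starts and ends outside the hunk.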
@@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_USER, v2.ResourceType_TRAIT_GROUP}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP, v2.ResourceType_TRAIT_USER}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From bf97d6aff7845dbc95bf905bcb2a05cbe9fc08cb Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 23 Jul 2025 13:50:41 -0400 Subject: [PATCH 05/16] back to syncing just as a group --- pkg/connector/group.go | 22 ++-------------------- pkg/connector/resource_types.go | 2 +- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/pkg/connector/group.go b/pkg/connector/group.go index 8879f1a5..9fb3ce6d 100644 --- a/pkg/connector/group.go +++ b/pkg/connector/group.go @@ -32,31 +32,13 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re var ret []*v2.Resource for _, principalModel := range principals { - var annos annotations.Annotations - - traitOptions := []resource.UserTraitOption{ - resource.WithStatus(v2.UserTrait_Status_STATUS_ENABLED), - } - - ut, err := resource.NewUserTrait(traitOptions...) - if err != nil { - return nil, "", nil, err - } - annos.Update(ut) - - gt, err := resource.NewGroupTrait() - if err != nil { - return nil, "", nil, err - } - annos.Update(gt) - - r, err := resource.NewResource( + r, err := resource.NewGroupResource( principalModel.Name, d.ResourceType(ctx), principalModel.ID, + nil, resource.WithParentResourceID(parentResourceID), ) - r.Annotations = annos if err != nil { return nil, "", nil, err diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index 4e91fc26..bfba5672 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go 
@@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP, v2.ResourceType_TRAIT_USER}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From 8d019c4c9d6278aae3963ce0cf312077f953da6d Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 23 Jul 2025 15:44:59 -0400 Subject: [PATCH 06/16] fix grantableTo --- pkg/connector/database.go | 4 ++-- pkg/connector/database_role.go | 3 ++- pkg/connector/server.go | 2 ++ pkg/connector/server_role.go | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/connector/database.go b/pkg/connector/database.go index 24c3dc42..b1f05bf6 100644 --- a/pkg/connector/database.go +++ b/pkg/connector/database.go @@ -72,7 +72,7 @@ func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource Slug: name, Purpose: v2.Entitlement_PURPOSE_VALUE_PERMISSION, Resource: resource, - GrantableTo: []*v2.ResourceType{resourceTypeUser}, + GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole}, }, &v2.Entitlement{ Id: enTypes.NewEntitlementID(resource, key+"-grant"), @@ -80,7 +80,7 @@ func (d *databaseSyncer) Entitlements(ctx context.Context, resource *v2.Resource Slug: grantSlug, Purpose: v2.Entitlement_PURPOSE_VALUE_PERMISSION, Resource: resource, - GrantableTo: []*v2.ResourceType{resourceTypeUser}, + GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole}, }) } diff --git a/pkg/connector/database_role.go b/pkg/connector/database_role.go index 8130d549..b1184afd 100644 --- a/pkg/connector/database_role.go +++ b/pkg/connector/database_role.go 
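Review bot: The GrantableTo literal `[]*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole}` is now spelled out twice in database.go, its server-scoped twin twice in server.go, and the same two triples are passed to WithGrantableTo in database_role.go and server_role.go in the hunks of patch 06 that follow; a pair of small helpers, e.g. `func databaseGrantees() []*v2.ResourceType { return []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole} }` and a server-scoped equivalent, keeps the six call sites from drifting the next time a principal type is added. Returning a fresh slice per call rather than sharing one package-level var also avoids aliasing a single backing array across several entitlement messages. Both Entitlements methods start outside their hunks.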
@@ -74,7 +74,8 @@ func (d *databaseRolePrincipalSyncer) List(ctx context.Context, parentResourceID func (d *databaseRolePrincipalSyncer) Entitlements(ctx context.Context, resource *v2.Resource, pToken *pagination.Token) ([]*v2.Entitlement, string, annotations.Annotations, error) { var ret []*v2.Entitlement - ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member")) + grantableTo := enTypes.WithGrantableTo(resourceTypeUser, resourceTypeGroup, resourceTypeDatabaseRole) + ret = append(ret, enTypes.NewAssignmentEntitlement(resource, "member", grantableTo)) return ret, "", nil, nil } diff --git a/pkg/connector/server.go b/pkg/connector/server.go index 64ee8ca4..cb0e0358 100644 --- a/pkg/connector/server.go +++ b/pkg/connector/server.go @@ -99,6 +99,7 @@ func (d *serverSyncer) Entitlements(ctx context.Context, resource *v2.Resource, Slug: name, Purpose: v2.Entitlement_PURPOSE_VALUE_PERMISSION, Resource: resource, + GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeServerRole}, }) ret = append(ret, &v2.Entitlement{ Id: enTypes.NewEntitlementID(resource, key+"-grant"), @@ -106,6 +107,7 @@ func (d *serverSyncer) Entitlements(ctx context.Context, resource *v2.Resource, Slug: fmt.Sprintf("%s (With Grant)", name), Purpose: v2.Entitlement_PURPOSE_VALUE_PERMISSION, Resource: resource, + GrantableTo: []*v2.ResourceType{resourceTypeUser, resourceTypeGroup, resourceTypeServerRole}, }) } diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index e5829e37..cd85db71 100644 --- a/pkg/connector/server_role.go +++ b/pkg/connector/server_role.go @@ -62,7 +62,7 @@ func (d *serverRolePrincipalSyncer) Entitlements(ctx context.Context, resource * ret = append(ret, enTypes.NewAssignmentEntitlement( resource, "member", - enTypes.WithGrantableTo(resourceTypeUser), + enTypes.WithGrantableTo(resourceTypeUser, resourceTypeGroup, resourceTypeServerRole), )) return ret, "", nil, nil 
From 12e42844bc15243d5d07dabacfdc3b02510bc824 Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 23 Jul 2025 16:37:18 -0400 Subject: [PATCH 07/16] give groups user traits --- pkg/connector/group.go | 1 + pkg/connector/resource_types.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/connector/group.go b/pkg/connector/group.go index 9fb3ce6d..70787f6b 100644 --- a/pkg/connector/group.go +++ b/pkg/connector/group.go @@ -38,6 +38,7 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re principalModel.ID, nil, resource.WithParentResourceID(parentResourceID), + resource.WithUserTrait(resource.WithStatus(v2.UserTrait_Status_STATUS_ENABLED)), ) if err != nil { diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index bfba5672..4e91fc26 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go @@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP, v2.ResourceType_TRAIT_USER}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From eaebf4fa8e67e3b33776c4b4c1d1fb89d39fe488 Mon Sep 17 00:00:00 2001 From: John Allers Date: Thu, 24 Jul 2025 08:53:32 -0400 Subject: [PATCH 08/16] Undo combing user trait on groups --- pkg/connector/group.go | 1 - pkg/connector/resource_types.go | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/connector/group.go b/pkg/connector/group.go index 70787f6b..9fb3ce6d 100644 --- a/pkg/connector/group.go +++ b/pkg/connector/group.go @@ -38,7 +38,6 @@ func (d *groupPrincipalSyncer) List(ctx context.Context, parentResourceID *v2.Re principalModel.ID, nil, resource.WithParentResourceID(parentResourceID), - resource.WithUserTrait(resource.WithStatus(v2.UserTrait_Status_STATUS_ENABLED)), ) if err != nil { 
diff --git a/pkg/connector/resource_types.go b/pkg/connector/resource_types.go index 4e91fc26..bfba5672 100644 --- a/pkg/connector/resource_types.go +++ b/pkg/connector/resource_types.go @@ -23,7 +23,7 @@ var ( resourceTypeGroup = &v2.ResourceType{ Id: mssqldb.GroupType, DisplayName: "Group", - Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP, v2.ResourceType_TRAIT_USER}, + Traits: []v2.ResourceType_Trait{v2.ResourceType_TRAIT_GROUP}, } resourceTypeServerRole = &v2.ResourceType{ Id: mssqldb.ServerRoleType, From 3bf16221df919d619ffb64cc422f1a45be9c6200 Mon Sep 17 00:00:00 2001 From: John Allers Date: Thu, 24 Jul 2025 11:04:25 -0400 Subject: [PATCH 09/16] Comment principal types --- pkg/connector/helpers.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/connector/helpers.go b/pkg/connector/helpers.go index ac7bf0ad..5e928b42 100644 --- a/pkg/connector/helpers.go +++ b/pkg/connector/helpers.go @@ -23,9 +23,9 @@ func resourceTypeFromDatabasePrincipal(pType string) (*v2.ResourceType, error) { switch pType { case "R": return resourceTypeDatabaseRole, nil - case "G", "X": + case "G", "X": // Windows group, External group from Microsoft Entra ID return resourceTypeGroup, nil - case "S", "U", "C", "E", "K": + case "S", "U", "C", "E", "K", "A": // SQL login, Windows login, Certificate, External login from Microsoft Entra ID, Asymmetric key, Application role? return resourceTypeUser, nil default: return nil, fmt.Errorf("unknown principal type: %s", pType) From 7d47104dd89b128778e11a34d0045127a9745552 Mon Sep 17 00:00:00 2001 From: John Allers Date: Thu, 24 Jul 2025 11:05:14 -0400 Subject: [PATCH 10/16] Configure AD group grant expansion for server roles via Baton ID --- pkg/connector/server_role.go | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index cd85db71..1cbb4f71 100644 --- a/pkg/connector/server_role.go 
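Review bot: The new `"A"` case maps a principal the comment itself labels `Application role?` onto resourceTypeUser, where it previously fell through to the `unknown principal type` error; if the trailing question mark means the type was not confirmed, the case should not ship, because an application role is not a login-backed user and every downstream consumer (the GrantableTo lists, the BatonID matching added in later patches) will treat it as one. As far as I recall, `A` is APPLICATION_ROLE in SQL Server's sys.database_principals catalog, so a role-like resource type or the existing error path is the safer mapping. Either way the comment should record a decision rather than a question, e.g. `case "S", "U", "C", "E", "K": // SQL user, Windows user, certificate-mapped, external (Entra ID) user, asymmetric-key-mapped`. The function's closing lines are outside the hunk.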
+++ b/pkg/connector/server_role.go @@ -10,6 +10,7 @@ import ( v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2" "github.com/conductorone/baton-sdk/pkg/annotations" _ "github.com/conductorone/baton-sdk/pkg/annotations" + bid "github.com/conductorone/baton-sdk/pkg/bid" "github.com/conductorone/baton-sdk/pkg/pagination" enTypes "github.com/conductorone/baton-sdk/pkg/types/entitlement" grTypes "github.com/conductorone/baton-sdk/pkg/types/grant" @@ -178,7 +179,33 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res return nil, "", nil, err } - ret = append(ret, grTypes.NewGrant(resource, "member", principalID)) + if principal.Type == "G" { + gr := &v2.Resource{ + Id: principalID, + } + + ent := enTypes.NewAssignmentEntitlement(gr, "member") + bidEnt, err := bid.MakeBid(ent) + if err != nil { + return nil, "", nil, err + } + + // Configure BatonID matching for Active Directory groups + grantOpts := []grTypes.GrantOption{ + grTypes.WithAnnotation(&v2.ExternalResourceMatch{ + Key: "netbios_name", + Value: principal.Name, + }), + grTypes.WithAnnotation(&v2.GrantExpandable{ + EntitlementIds: []string{bidEnt}, + Shallow: true, + }), + } + + ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...)) + } else { + ret = append(ret, grTypes.NewGrant(resource, "member", principalID)) + } } visited[b.ResourceID()] = true From 0ce04b14c94ebf820e7ae7b9028ca93f727bb325 Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 09:10:26 -0400 Subject: [PATCH 11/16] Update server_role.go --- pkg/connector/server_role.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index 1cbb4f71..64dd0f65 100644 --- a/pkg/connector/server_role.go +++ b/pkg/connector/server_role.go 
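Review bot: The alias in `bid "github.com/conductorone/baton-sdk/pkg/bid"` repeats the package's own name and can be dropped, `"github.com/conductorone/baton-sdk/pkg/bid"`, to match the unaliased imports around it. The inline `principal.Type == "G"` branch in the second hunk is lifted into BuildBatonIDGrantOptions by patch 13, so the substantive review of that logic is placed there.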
@@ -193,7 +193,7 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res // Configure BatonID matching for Active Directory groups grantOpts := []grTypes.GrantOption{ grTypes.WithAnnotation(&v2.ExternalResourceMatch{ - Key: "netbios_name", + Key: "downlevel_logon_name", Value: principal.Name, }), grTypes.WithAnnotation(&v2.GrantExpandable{ From 390489bb84fcd496634c5c3013da563ab2f6800c Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 09:20:53 -0400 Subject: [PATCH 12/16] fix server role matching for AD group --- pkg/connector/server_role.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index 64dd0f65..b621a145 100644 --- a/pkg/connector/server_role.go +++ b/pkg/connector/server_role.go @@ -193,8 +193,9 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res // Configure BatonID matching for Active Directory groups grantOpts := []grTypes.GrantOption{ grTypes.WithAnnotation(&v2.ExternalResourceMatch{ - Key: "downlevel_logon_name", - Value: principal.Name, + ResourceType: v2.ResourceType_TRAIT_GROUP, + Key: "downlevel_logon_name", + Value: principal.Name, }), grTypes.WithAnnotation(&v2.GrantExpandable{ EntitlementIds: []string{bidEnt}, From 14c216674a4f4c50241304783a7b9c25a1c52ca2 Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 11:35:17 -0400 Subject: [PATCH 13/16] wire in AD baton ID matching for server role users --- pkg/connector/server_role.go | 71 ++++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 27 deletions(-) diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index b621a145..4b491ebc 100644 --- a/pkg/connector/server_role.go +++ b/pkg/connector/server_role.go 
@@ -179,34 +179,12 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res return nil, "", nil, err } - if principal.Type == "G" { - gr := &v2.Resource{ - Id: principalID, - } - - ent := enTypes.NewAssignmentEntitlement(gr, "member") - bidEnt, err := bid.MakeBid(ent) - if err != nil { - return nil, "", nil, err - } - - // Configure BatonID matching for Active Directory groups - grantOpts := []grTypes.GrantOption{ - grTypes.WithAnnotation(&v2.ExternalResourceMatch{ - ResourceType: v2.ResourceType_TRAIT_GROUP, - Key: "downlevel_logon_name", - Value: principal.Name, - }), - grTypes.WithAnnotation(&v2.GrantExpandable{ - EntitlementIds: []string{bidEnt}, - Shallow: true, - }), - } - - ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...)) - } else { - ret = append(ret, grTypes.NewGrant(resource, "member", principalID)) + grantOpts, err := BuildBatonIDGrantOptions(principalID, principal) + if err != nil { + return nil, "", nil, err } + + ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...)) } visited[b.ResourceID()] = true 
@@ -223,6 +201,45 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res return ret, npt, nil, nil } +func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.RolePrincipalModel) ([]grTypes.GrantOption, error) { + grantOpts := []grTypes.GrantOption{} + + switch principal.Type { + case "G": // Configure BatonID matching for Active Directory groups + gr := &v2.Resource{ + Id: principalID, + } + + ent := enTypes.NewAssignmentEntitlement(gr, "member") + bidEnt, err := bid.MakeBid(ent) + if err != nil { + return nil, err + } + + grantOpts = append(grantOpts, + grTypes.WithAnnotation(&v2.ExternalResourceMatch{ + ResourceType: v2.ResourceType_TRAIT_GROUP, + Key: "downlevel_logon_name", + Value: principal.Name, + }), + grTypes.WithAnnotation(&v2.GrantExpandable{ + EntitlementIds: []string{bidEnt}, + Shallow: true, + }), + ) + case "U": // Configure BatonID matching for Active Directory users + grantOpts = append(grantOpts, + grTypes.WithAnnotation(&v2.ExternalResourceMatch{ + ResourceType: v2.ResourceType_TRAIT_USER, + Key: "downlevel_logon_name", + Value: principal.Name, + }), + ) + } + + return grantOpts, nil +} + func (d *serverRolePrincipalSyncer) Grant(ctx context.Context, resource *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) { var err error From 903fc1b61798786fd37e25e426c91422d5aacf33 Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 11:54:53 -0400 Subject: [PATCH 14/16] Wire in BatonID matching for database roles --- pkg/connector/database_role.go | 7 ++++++- pkg/connector/server_role.go | 10 +++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/pkg/connector/database_role.go b/pkg/connector/database_role.go index b1184afd..b10089e7 100644 --- a/pkg/connector/database_role.go +++ b/pkg/connector/database_role.go 
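Review bot: BuildBatonIDGrantOptions is exported without a doc comment, and its switch covers only principal types `"G"` and `"U"`, while resourceTypeFromDatabasePrincipal in patch 09 also maps `"X"` to the group type and `"E"` to the user type; whether Entra-backed principals are intentionally synced without an ExternalResourceMatch (they carry no down-level logon name, if I read the key correctly) belongs in the doc comment so the next maintainer does not add them by reflex. Suggested header: `// BuildBatonIDGrantOptions returns grant options that link a Windows-authenticated principal ("G" group or "U" login) to its Active Directory object by down-level logon name; groups additionally get a shallow GrantExpandable on their own "member" entitlement. Other types yield no options.` Type `"G"` also includes local Windows groups such as BUILTIN\Administrators, not only domain groups, if I read SQL Server's principal catalog correctly, so the match value will not resolve for those; saying so next to the case keeps the expansion's scope explicit. `grantOpts := []grTypes.GrantOption{}` can be `var grantOpts []grTypes.GrantOption`, since the caller only spreads it into NewGrant.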
@@ -217,7 +217,12 @@ func (d *databaseRolePrincipalSyncer) Grants( return nil, "", nil, fmt.Errorf("invalid state: principalID is nil") } - ret = append(ret, grTypes.NewGrant(resource, "member", principalID)) + grantOpts, err := BuildBatonIDGrantOptions(principalID, dbPrincipal.Type, dbPrincipal.Name) + if err != nil { + return nil, "", nil, err + } + + ret = append(ret, grTypes.NewGrant(resource, "member", principalID, grantOpts...)) } visited[b.ResourceID()] = true diff --git a/pkg/connector/server_role.go b/pkg/connector/server_role.go index 4b491ebc..bda2ecde 100644 --- a/pkg/connector/server_role.go +++ b/pkg/connector/server_role.go @@ -179,7 +179,7 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res return nil, "", nil, err } - grantOpts, err := BuildBatonIDGrantOptions(principalID, principal) + grantOpts, err := BuildBatonIDGrantOptions(principalID, principal.Type, principal.Name) if err != nil { return nil, "", nil, err } @@ -201,10 +201,10 @@ func (d *serverRolePrincipalSyncer) Grants(ctx context.Context, resource *v2.Res return ret, npt, nil, nil } -func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.RolePrincipalModel) ([]grTypes.GrantOption, error) { +func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principalType string, principalName string) ([]grTypes.GrantOption, error) { grantOpts := []grTypes.GrantOption{} - switch principal.Type { + switch principalType { case "G": // Configure BatonID matching for Active Directory groups gr := &v2.Resource{ Id: principalID, @@ -220,7 +220,7 @@ func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.Rol grTypes.WithAnnotation(&v2.ExternalResourceMatch{ ResourceType: v2.ResourceType_TRAIT_GROUP, Key: "downlevel_logon_name", - Value: principal.Name, + Value: principalName, }), grTypes.WithAnnotation(&v2.GrantExpandable{ EntitlementIds: []string{bidEnt}, 
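Review bot: The GrantExpandable that BuildBatonIDGrantOptions attaches for a `"G"` principal points at a `member` entitlement on a resource whose ID is the passed principalID, which here is the database-scoped group principal; that only expands if the group resource type really exposes an assignment entitlement with slug `member` under that same ID, which this page does not show — worth confirming and worth a line at the call site, e.g. `// group principals get a GrantExpandable on their own "member" entitlement; see BuildBatonIDGrantOptions`. The codes passed as `dbPrincipal.Type` come from the database-principal catalog while the helper was written against server-principal codes; `G` and `U` presumably mean the same in both, but that assumption is now load-bearing and deserves a sentence in the helper's doc. The enclosing Grants method starts and ends outside the hunk.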
@@ -232,7 +232,7 @@ func BuildBatonIDGrantOptions(principalID *v2.ResourceId, principal *mssqldb.Rol grTypes.WithAnnotation(&v2.ExternalResourceMatch{ ResourceType: v2.ResourceType_TRAIT_USER, Key: "downlevel_logon_name", - Value: principal.Name, + Value: principalName, }), ) } From f311f67f47769ca8c7cefccd85180cd32086d2af Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 12:03:53 -0400 Subject: [PATCH 15/16] Wire baton ID into database grants --- pkg/connector/database.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/connector/database.go b/pkg/connector/database.go index b1f05bf6..2492be8e 100644 --- a/pkg/connector/database.go +++ b/pkg/connector/database.go @@ -143,15 +143,20 @@ func (d *databaseSyncer) Grants(ctx context.Context, resource *v2.Resource, pTok return nil, "", nil, fmt.Errorf("unexpected resource type: %s", rt.Id) } + grantOpts, err := BuildBatonIDGrantOptions(resourceID, p.PrincipalType, p.PrincipalName) + if err != nil { + return nil, "", nil, err + } + switch p.State { case "G": ret = append(ret, grTypes.NewGrant(resource, perm, &v2.Resource{ Id: resourceID, - })) + }, grantOpts...)) case "W": ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", &v2.Resource{ Id: resourceID, - })) + }, grantOpts...)) } } } From 9297e2e7af851c081dce98b48ec3460e8ee5cefe Mon Sep 17 00:00:00 2001 From: John Allers Date: Wed, 30 Jul 2025 12:15:34 -0400 Subject: [PATCH 16/16] Wire in baton ID into server grants --- pkg/connector/server.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/pkg/connector/server.go b/pkg/connector/server.go index cb0e0358..2270888e 100644 --- a/pkg/connector/server.go +++ b/pkg/connector/server.go 
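Review bot: BuildBatonIDGrantOptions now runs before `switch p.State`, so the bid.MakeBid call and annotation allocation happen for every permission row, including states that produce no grant (the switch has no default and drops anything other than `G`/`W`); building the options inside the two cases, or checking the state first, keeps that cost tied to emitted grants. The server.go hunk in patch 16 has the same shape. The enclosing Grants method starts and ends outside the hunk.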
@@ -131,17 +131,22 @@ func (d *serverSyncer) Grants(ctx context.Context, resource *v2.Resource, pToken if err != nil { return nil, "", nil, err } + + principal := &v2.ResourceId{ + ResourceType: rt.Id, + Resource: strconv.FormatInt(p.PrincipalID, 10), + } + + grantOpts, err := BuildBatonIDGrantOptions(principal, p.PrincipalType, p.PrincipalName) + if err != nil { + return nil, "", nil, err + } + switch p.State { case "G": - ret = append(ret, grTypes.NewGrant(resource, perm, &v2.ResourceId{ - ResourceType: rt.Id, - Resource: strconv.FormatInt(p.PrincipalID, 10), - })) + ret = append(ret, grTypes.NewGrant(resource, perm, principal, grantOpts...)) case "W": - ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", &v2.ResourceId{ - ResourceType: rt.Id, - Resource: strconv.FormatInt(p.PrincipalID, 10), - })) + ret = append(ret, grTypes.NewGrant(resource, perm+"-grant", principal, grantOpts...)) } } }
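Review bot: The new local `principal` holds a *v2.ResourceId, not a principal, and the sibling syncers in server_role.go and database_role.go call the same value `principalID`; renaming it, `principalID := &v2.ResourceId{...}` and `BuildBatonIDGrantOptions(principalID, p.PrincipalType, p.PrincipalName)`, keeps the call sites reading alike. Hoisting the ResourceId out of the two cases is otherwise a clear improvement over the duplicated literals it replaces. The enclosing Grants method starts before the hunk and its return statement is outside it.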