Add Provisioning of IAM Users to IAM Groups (#32)

* work on provisioning iam users to iam groups * lint fix
ConductorOne · Feb 12, 2024 · 6278d99 · 6278d99
1 parent 6dde690
commit 6278d99
Show file tree

Hide file tree

Showing 3 changed files with 131 additions and 4 deletions.
diff --git a/pkg/connector/account.go b/pkg/connector/account.go
@@ -527,7 +527,7 @@ func (o *accountResourceType) getGroupMembers(ctx context.Context, groupId strin
 		IdentityStoreId: o.identityInstance.IdentityStoreId,
 		GroupId:         awsSdk.String(groupId),
 	}
-	userIds := make([]string, 0, 16)
+	userIDs := make([]string, 0, 16)
 	paginator := awsIdentityStore.NewListGroupMembershipsPaginator(o.identityClient, input)
 	for {
 		resp, err := paginator.NextPage(ctx)
@@ -539,14 +539,14 @@ func (o *accountResourceType) getGroupMembers(ctx context.Context, groupId strin
 			if !ok {
 				continue
 			}
-			userIds = append(userIds, member.Value)
+			userIDs = append(userIDs, member.Value)
 		}
 		if !paginator.HasMorePages() {
 			break
 		}
 	}
-	o._groupMembersCache.Store(groupId, userIds)
-	return userIds, nil
+	o._groupMembersCache.Store(groupId, userIDs)
+	return userIDs, nil
 }
 
 func (o *accountResourceType) getPermissionSets(ctx context.Context) ([]*awsSsoAdminTypes.PermissionSet, error) {

diff --git a/pkg/connector/helpers.go b/pkg/connector/helpers.go
@@ -5,8 +5,10 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/smithy-go/middleware"
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
+	"google.golang.org/protobuf/proto"
 )
 
 const (
@@ -72,6 +74,21 @@ func ssoGroupIdFromARN(input string) (string, error) {
 	return after, nil
 }
 
+func iamGroupNameFromARN(input string) (string, error) {
+	id, err := arn.Parse(input)
+	if err != nil {
+		return "", fmt.Errorf("iamGroupIdFromARN: ARN Parse failed: %w", err)
+	}
+	_, after, found := strings.Cut(id.Resource, "group/")
+	if !found {
+		return "", fmt.Errorf("iamGroupIdFromARN: invalid resource '%s' in ARN", input)
+	}
+	if after == "" {
+		return "", fmt.Errorf("iamGroupIdFromARN: invalid resource '%s' in ARN", input)
+	}
+	return after, nil
+}
+
 func ssoUserIdFromARN(input string) (string, error) {
 	id, err := arn.Parse(input)
 	if err != nil {
@@ -86,3 +103,37 @@ func ssoUserIdFromARN(input string) (string, error) {
 	}
 	return after, nil
 }
+
+func iamUserNameFromARN(input string) (string, error) {
+	id, err := arn.Parse(input)
+	if err != nil {
+		return "", fmt.Errorf("iamUserNameFromARN: ARN Parse failed: %w", err)
+	}
+	_, after, found := strings.Cut(id.Resource, "user/")
+	if !found {
+		return "", fmt.Errorf("iamUserNameFromARN: invalid resource '%s' in ARN", input)
+	}
+	if after == "" {
+		return "", fmt.Errorf("iamUserNameFromARN: invalid resource '%s' in ARN", input)
+	}
+	return after, nil
+}
+
+func extractRequestID(md *middleware.Metadata) proto.Message {
+	if md == nil {
+		return nil
+	}
+
+	if !md.Has("RequestId") {
+		return nil
+	}
+
+	reqId, ok := md.Get("RequestId").(string)
+	if !ok {
+		return nil
+	}
+
+	return &v2.RequestId{
+		RequestId: reqId,
+	}
+}
diff --git a/pkg/connector/iam_group.go b/pkg/connector/iam_group.go
@@ -2,6 +2,7 @@ package connector
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	awsSdk "github.com/aws/aws-sdk-go-v2/aws"
@@ -143,3 +144,78 @@ func iamGroupProfile(ctx context.Context, group iamTypes.Group) map[string]inter
 
 	return profile
 }
+
+func (o *iamGroupResourceType) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) ([]*v2.Grant, annotations.Annotations, error) {
+	if principal.Id.ResourceType != resourceTypeIAMUser.Id {
+		return nil, nil, errors.New("baton-aws: only iam users can be removed from iam group")
+	}
+
+	groupName, err := iamGroupNameFromARN(entitlement.Resource.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	userName, err := iamUserNameFromARN(principal.Id.Resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	resp, err := o.iamClient.AddUserToGroup(ctx, &iam.AddUserToGroupInput{
+		GroupName: awsSdk.String(groupName),
+		UserName:  awsSdk.String(userName),
+	})
+	if err != nil {
+		return nil, nil, fmt.Errorf("baton-aws: error adding iam user to iam group: %w", err)
+	}
+
+	grant := grantSdk.NewGrant(
+		entitlement.Resource,
+		groupMemberEntitlement, principal.Id,
+		grantSdk.WithAnnotation(
+			&v2.V1Identifier{
+				Id: V1GrantID(
+					V1MembershipEntitlementID(entitlement.Resource.Id),
+					principal.Id.Resource,
+				),
+			},
+		),
+	)
+
+	rv := annotations.New()
+	if reqId := extractRequestID(&resp.ResultMetadata); reqId != nil {
+		rv.Append(reqId)
+	}
+
+	return []*v2.Grant{grant}, nil, nil
+}
+
+func (o *iamGroupResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotations.Annotations, error) {
+	if grant.Principal.Id.ResourceType != resourceTypeIAMUser.Id {
+		return nil, errors.New("baton-aws: only iam users can be removed from iam group")
+	}
+
+	groupName, err := iamGroupNameFromARN(grant.Entitlement.Resource.Id.Resource)
+	if err != nil {
+		return nil, err
+	}
+
+	userName, err := iamUserNameFromARN(grant.Principal.Id.Resource)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := o.iamClient.RemoveUserFromGroup(ctx, &iam.RemoveUserFromGroupInput{
+		GroupName: awsSdk.String(groupName),
+		UserName:  awsSdk.String(userName),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("baton-aws: error removing iam user from iam group: %w", err)
+	}
+
+	rv := annotations.New()
+	if reqId := extractRequestID(&resp.ResultMetadata); reqId != nil {
+		rv.Append(reqId)
+	}
+
+	return rv, nil
+}