Normalize object classes. Add groupOfNames to group query.

[ggreer]

Summary by CodeRabbit

• New Features

  • Expanded LDAP filtering capabilities for group entries by recognizing an additional object class.
  • Enhanced user account type detection to include new object classes.

• Bug Fixes

  • Improved error handling for user last login timestamp parsing.

• Chores

  • Updated dependency version for github.com/conductorone/baton-sdk.

[coderabbitai]

Walkthrough

The pull request includes updates to the go.mod file, specifically increasing the version of the github.com/conductorone/baton-sdk dependency from v0.2.42 to v0.2.43. Additionally, changes were made to the pkg/connector/group.go file to expand the groupObjectClasses constant by adding the groupOfNames LDAP object class. In the pkg/connector/user.go file, modifications were made to enhance the handling of LDAP user object classes and improve error handling in the parseUserLastLogin function.

Changes

File	Change Summary
go.mod	Updated github.com/conductorone/baton-sdk version from v0.2.42 to v0.2.43.
pkg/connector/group.go	Modified groupObjectClasses constant to include groupOfNames, expanding LDAP object classes.
pkg/connector/user.go	Updated userResource function to handle LDAP user object classes and improved error handling.

Possibly related PRs

• Bump github.com/conductorone/baton-sdk from 0.2.8 to 0.2.20 #56: This PR also updates the go.mod file for the github.com/conductorone/baton-sdk dependency, indicating a direct relationship through the shared dependency management context.
• Set user login and aliases. Set all single-valued ldap attributes on user profile. #62: Changes in this PR affect the pkg/connector/user.go file, which is relevant to user handling, but it does not directly relate to the version update of the baton-sdk dependency in the main PR. However, it shows ongoing modifications in the same module, which may be indirectly relevant.

Suggested labels

dependencies

Poem

In the code where rabbits play,
A version change has come our way.
With groups and users, we refine,
LDAP's magic, oh so fine!
Hopping forward, we embrace,
New object classes in our space! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

pkg/connector/group.go (2)

Line range hint 391-392: Consider implementing attribute-specific membership handling.

The TODO comment suggests checking membership attributes, but the current implementation only handles memberUid for posixGroups and defaults to uniqueMember for others. For groupOfNames, the standard attribute is member rather than uniqueMember.

Consider refactoring the attribute selection logic:

 if slices.Contains(group.GetAttributeValues("objectClass"), "posixGroup") {
     dn, err := ldap.CanonicalizeDN(principal.Id.Resource)
     if err != nil {
         return nil, err
     }
     username := []string{dn.RDNs[0].Attributes[0].Value}
     modifyRequest.Delete(attrGroupMemberPosix, username)
 } else {
-    principalDNArr := []string{principal.Id.Resource}
-    modifyRequest.Delete(attrGroupUniqueMember, principalDNArr)
+    // Check which membership attribute is in use
+    principalDN := []string{principal.Id.Resource}
+    if slices.Contains(group.GetAttributeValues("objectClass"), "groupOfUniqueNames") {
+        modifyRequest.Delete(attrGroupUniqueMember, principalDN)
+    } else {
+        modifyRequest.Delete(attrGroupMember, principalDN)
+    }
 }

Similar changes should be applied to the Grant method.

Also applies to: 393-394, 395-396

---

Line range hint 361-362: Consider adding attribute-exists error handling in Grant.

The Revoke method handles the case where the attribute doesn't exist, but Grant doesn't handle the case where the attribute already exists. This could lead to unnecessary errors when trying to add an existing member.

Consider adding similar error handling to Grant:

 err = g.client.LdapModify(
     ctx,
     modifyRequest,
 )
 if err != nil {
+    var lerr *ldap3.Error
+    if errors.As(err, &lerr) {
+        if lerr.ResultCode == ldap3.LDAPResultAttributeOrValueExists {
+            return nil, nil
+        }
+    }
     return nil, fmt.Errorf("ldap-connector: failed to grant group membership to user: %w", err)
 }

Also applies to: 363-364, 365-366

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 4cef9ab and 0d0e7cb.

⛔ Files ignored due to path filters (21)

• go.sum is excluded by !**/*.sum and included by none
• vendor/github.com/conductorone/baton-sdk/internal/connector/noop_ticketing.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/ticket.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/ticket.pb.validate.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connector/v2/ticket_grpc.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connectorapi/baton/v1/baton.pb.go is excluded by !**/*.pb.go, !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pb/c1/connectorapi/baton/v1/baton.pb.validate.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/cli/commands.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/connectorbuilder/connectorbuilder.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/connectorrunner/runner.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/field/default_relationships.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/field/defaults.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/sdk/version.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/tasks/c1api/bulk_create_tickets.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/tasks/c1api/bulk_get_tickets.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/tasks/c1api/manager.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/tasks/local/ticket.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/tasks/tasks.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/types/tasks/tasks.go is excluded by !vendor/** and included by none
• vendor/github.com/conductorone/baton-sdk/pkg/uhttp/wrapper.go is excluded by !vendor/** and included by none
• vendor/modules.txt is excluded by !vendor/** and included by none

📒 Files selected for processing (3)

• go.mod (1 hunks)
• pkg/connector/group.go (1 hunks)
• pkg/connector/user.go (1 hunks)

🔇 Additional comments (4)

go.mod (1)

8-8: Verify the impact of baton-sdk upgrade.

The update from v0.2.42 to v0.2.43 appears to be a patch version increment, which should be backward compatible. However, since this change is related to LDAP object class handling, we should verify the changes in the affected files.

✅ Verification successful

SDK update v0.2.43 is safe to proceed

The verification shows:

• The release notes confirm no breaking changes in v0.2.43, only improvements to JSON response readability and bulk ticket task operations
• The codebase already includes groupOfNames in the group object classes filter
• Object class handling in both group.go and user.go appears to be properly implemented

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the changes in related files that might be affected by the SDK update

# Test 1: Check for changes in group.go related to groupOfNames
echo "Checking group.go for groupOfNames changes:"
rg -A 5 "groupOfNames" "pkg/connector/group.go"

# Test 2: Check for changes in user.go related to object class handling
echo "Checking user.go for object class changes:"
rg -A 5 "objectClass" "pkg/connector/user.go"

# Test 3: Verify if there are any breaking changes in the SDK update
echo "Checking git history for breaking changes:"
gh release view v0.2.43 --repo conductorone/baton-sdk

Length of output: 2517

pkg/connector/user.go (2)

196-200: LGTM: Proper object class normalization implementation.

The implementation correctly normalizes LDAP object classes to lowercase, ensuring consistent case-insensitive comparisons. The pre-allocation of slice capacity is an efficient approach.

---

202-202: LGTM: Enhanced service account detection.

The addition of "msds-managedserviceaccount" check improves the accuracy of service account detection.

Let's verify if we've covered all possible service account object classes:

✅ Verification successful

Let me search for more specific AD-related service account classes to ensure comprehensive coverage.

---

LGTM: Service account detection is comprehensive

The implementation correctly handles both standard computer accounts and managed service accounts (computer and msds-managedserviceaccount object classes). No other AD-specific service account object classes were found in the codebase that would need to be included in this check.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for any other potential service account related object classes in the codebase
rg -i "managed.*service.*account|computer.*account|service.*account" --type-add 'schema:*.{ldif,schema,txt,md}'

Length of output: 17952

---

Script:

#!/bin/bash
# Search for AD-specific service account related patterns in the codebase
rg -i "msds-|serviceprincipal|service.*principal|managed.*service" --type go

Length of output: 3085

pkg/connector/group.go (1)

23-23: LGTM! Verify LDAP server compatibility.

The addition of groupOfNames to supported object classes is correct and the implementation properly handles both groupOfNames and groupOfUniqueNames group types.

Let's verify that the LDAP server supports the groupOfNames object class:

✅ Verification successful

Let me gather more context about how these group types are handled in the codebase.

---

Let me try a different approach to check the group handling implementation.

---

Let me check how these group attributes are used in the implementation.

---

Let me try one final search to understand the group membership handling.

---

Addition of groupOfNames object class is properly implemented

The code correctly handles both groupOfNames and groupOfUniqueNames group types:

• Both object classes are included in the LDAP search filter via groupObjectClasses
• The implementation properly handles membership attributes:
  • For posixGroup: uses memberUid attribute
  • For other group types (including groupOfNames): uses uniqueMember attribute
• The change is backward compatible and consistent with LDAP standards

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the LDAP server schema includes groupOfNames
# Note: This is a defensive check to ensure compatibility

# Search for references to groupOfNames in code and tests
rg -i "groupOfNames" --type go

Length of output: 179

---

Script:

#!/bin/bash
# Check how groupOfNames is handled in the codebase
ast-grep --pattern 'func ($var *GroupConnector) $func($$$) $ret {
  $$$
}'  pkg/connector/group.go

Length of output: 99

---

Script:

#!/bin/bash
# Check the implementation details around group handling
rg -A 10 -B 10 "groupObjectClasses" pkg/connector/group.go

Length of output: 981

---

Script:

#!/bin/bash
# Check how member attributes are handled for different group types
rg -A 15 "func \(g \*GroupConnector\) (Grant|Revoke)" pkg/connector/group.go

Length of output: 78

---

Script:

#!/bin/bash
# Search for group membership related code
rg -A 10 "uniqueMember|memberUid|gidNumber" pkg/connector/group.go

Length of output: 1239