Add enterprise role provisioning

pkg/connector/client/path.go

@@ -7,20 +7,22 @@ import (
 )
 
 const (
-	UrlPathGetRoleAssignments  = "/api/admin.roles.listAssignments"
-	UrlPathGetTeams            = "/api/admin.teams.list"
-	UrlPathGetUserGroupMembers = "/api/usergroups.users.list"
-	UrlPathGetUserGroups       = "/api/usergroups.list"
-	UrlPathGetUserInfo         = "/api/users.info"
-	UrlPathGetUsers            = "/api/users.list"
-	UrlPathGetUsersAdmin       = "/api/admin.users.list"
-	UrlPathIDPGroup            = "/scim/v2/Groups/%s"
-	UrlPathIDPGroups           = "/scim/v2/Groups"
-	UrlPathSetAdmin            = "/api/admin.users.setAdmin"
-	UrlPathSetOwner            = "/api/admin.users.setOwner"
-	UrlPathSetRegular          = "/api/admin.users.setRegular"
-	baseScimUrl                = "https://api.slack.com"
-	baseUrl                    = "https://slack.com"
+	UrlPathGetRoleAssignments    = "/api/admin.roles.listAssignments"
+	UrlPathAddRoleAssignments    = "/api/admin.roles.addAssignments"
+	UrlPathRemoveRoleAssignments = "/api/admin.roles.removeAssignments"
+	UrlPathGetTeams              = "/api/admin.teams.list"
+	UrlPathGetUserGroupMembers   = "/api/usergroups.users.list"
+	UrlPathGetUserGroups         = "/api/usergroups.list"
+	UrlPathGetUserInfo           = "/api/users.info"
+	UrlPathGetUsers              = "/api/users.list"
+	UrlPathGetUsersAdmin         = "/api/admin.users.list"
+	UrlPathIDPGroup              = "/scim/v2/Groups/%s"
+	UrlPathIDPGroups             = "/scim/v2/Groups"
+	UrlPathSetAdmin              = "/api/admin.users.setAdmin"
+	UrlPathSetOwner              = "/api/admin.users.setOwner"
+	UrlPathSetRegular            = "/api/admin.users.setRegular"
+	baseScimUrl                  = "https://api.slack.com"
+	baseUrl                      = "https://slack.com"
 )
 
 func getWorkspaceUrlPathByRole(roleID string) (string, error) {

pkg/connector/client/slack.go

@@ -297,6 +297,60 @@ func (c *Client) GetRoleAssignments(
 		nil
 }
 
+func (c *Client) AddRoleAssignment(
+	ctx context.Context,
+	userID string,
+	roleID string,
+) (
+	*v2.RateLimitDescription,
+	error,
+) {
+	var response BaseResponse
+	ratelimitData, err := c.post(
+		ctx,
+		UrlPathAddRoleAssignments,
+		&response,
+		map[string]interface{}{
+			"entity_ids": []string{},
+			"role_id":    roleID,
+			"user_ids":   []string{userID},
+		},
+		false,
+	)
+	if err := response.handleError(err, "adding role assignments"); err != nil {
+		return ratelimitData, err
+	}
+
+	return ratelimitData, nil
+}
+
+func (c *Client) RemoveRoleAssignment(
+	ctx context.Context,
+	userID string,
+	roleID string,
+) (
+	*v2.RateLimitDescription,
+	error,
+) {
+	var response BaseResponse
+	ratelimitData, err := c.post(
+		ctx,
+		UrlPathRemoveRoleAssignments,
+		&response,
+		map[string]interface{}{
+			"entity_ids": []string{},
+			"role_id":    roleID,
+			"user_ids":   []string{userID},
+		},
+		false,
+	)
+	if err := response.handleError(err, "removing role assignments"); err != nil {
+		return ratelimitData, err
+	}
+
+	return ratelimitData, nil
+}
+
 // GetUserGroups returns the user groups for the given team.
 func (c *Client) GetUserGroups(
 	ctx context.Context,

pkg/connector/enterprise_roles.go

@@ -12,6 +12,8 @@ import (
 	resources "github.com/conductorone/baton-sdk/pkg/types/resource"
 	"github.com/conductorone/baton-slack/pkg"
 	enterprise "github.com/conductorone/baton-slack/pkg/connector/client"
+	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
+	"go.uber.org/zap"
 )
 
 const (
@@ -223,7 +225,8 @@ func (o *enterpriseRoleType) Grants(
 ) {
 	var rv []*v2.Grant
 
-	bag, err := pkg.ParsePageToken(pt.Token, &v2.ResourceId{ResourceType: resourceTypeEnterpriseRole.Id})
+	resourceId := &v2.ResourceId{ResourceType: resourceTypeEnterpriseRole.Id}
+	bag, err := pkg.ParsePageToken(pt.Token, resourceId)
 	if err != nil {
 		return nil, "", nil, err
 	}
@@ -261,3 +264,73 @@ func (o *enterpriseRoleType) Grants(
 
 	return rv, pageToken, outputAnnotations, nil
 }
+
+func (o *enterpriseRoleType) Grant(
+	ctx context.Context,
+	principal *v2.Resource,
+	entitlement *v2.Entitlement,
+) (
+	annotations.Annotations,
+	error,
+) {
+	logger := ctxzap.Extract(ctx)
+
+	if principal.Id.ResourceType != resourceTypeUser.Id {
+		logger.Warn(
+			"baton-slack: only users can be assigned an enterprise role",
+			zap.String("principal_type", principal.Id.ResourceType),
+			zap.String("principal_id", principal.Id.Resource),
+		)
+		return nil, fmt.Errorf("baton-slack: only users can be assigned a role")
+	}
+
+	outputAnnotations := annotations.New()
+	ratelimitData, err := o.enterpriseClient.AddRoleAssignment(
+		ctx,
+		principal.Id.Resource,
+		entitlement.Resource.Id.Resource,
+	)
+	outputAnnotations.WithRateLimiting(ratelimitData)
+	if err != nil {
+		return outputAnnotations, fmt.Errorf("baton-slack: failed to add role: %w", err)
+	}
+
+	return outputAnnotations, nil
+}
+
+func (o *enterpriseRoleType) Revoke(
+	ctx context.Context,
+	grant *v2.Grant,
+) (
+	annotations.Annotations,
+	error,
+) {
+	logger := ctxzap.Extract(ctx)
+
+	principal := grant.Principal
+	entitlement := grant.Entitlement
+
+	if principal.Id.ResourceType != resourceTypeUser.Id {
+		logger.Warn(
+			"baton-slack: only users can have enterprise role revoked",
+			zap.String("principal_type", principal.Id.ResourceType),
+			zap.String("principal_id", principal.Id.Resource),
+		)
+		return nil, fmt.Errorf("baton-slack: only users can have role revoked")
+	}
+	outputAnnotations := annotations.New()
+
+	// empty role type means regular user
+	ratelimitData, err := o.enterpriseClient.RemoveRoleAssignment(
+		ctx,
+		principal.Id.Resource,
+		entitlement.Resource.Id.Resource,
+	)
+	outputAnnotations.WithRateLimiting(ratelimitData)
+
+	if err != nil {
+		return outputAnnotations, fmt.Errorf("baton-slack: failed to revoke user role: %w", err)
+	}
+
+	return outputAnnotations, nil
+}