dont error if permission error for role grants

ConductorOne · Nov 26, 2024 · 9f78e35 · 9f78e35
1 parent 8d30e4c
commit 9f78e35
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/pkg/connector/connector.go b/pkg/connector/connector.go
@@ -19,6 +19,7 @@ import (
 
 const awsApp = "amazon_aws"
 const ResourceNotFoundExceptionErrorCode = "E0000007"
+const AccessDeniedErrorCode = "E0000006"
 const ExpectedIdentityProviderArnRegexCaptureGroups = 2
 const ExpectedGroupNameCaptureGroupsWithGroupFilterForMultipleAWSInstances = 3
 

diff --git a/pkg/connector/custom_role.go b/pkg/connector/custom_role.go
@@ -98,7 +98,7 @@ func listGroupAssignedRoles(ctx context.Context, client *okta.Client, groupId st
 	var role []*Roles
 	resp, err := doRequest(ctx, reqUrl.String(), http.MethodGet, &role, client)
 	if err != nil {
-		return nil, nil, err
+		return nil, resp, err
 	}
 
 	return role, resp, nil

diff --git a/pkg/connector/group.go b/pkg/connector/group.go
@@ -175,7 +175,24 @@ func (o *groupResourceType) Grants(
 	case resourceTypeRole.Id:
 		roles, resp, err := listGroupAssignedRoles(ctx, o.connector.client, groupID, nil)
 		if err != nil {
-			return nil, "", nil, err
+			if resp != nil {
+				defer resp.Body.Close()
+				errOkta, err := getError(resp)
+				if err != nil {
+					return nil, "", nil, err
+				}
+				if errOkta.ErrorCode == AccessDeniedErrorCode {
+					err = bag.Next("")
+					pageToken, err := bag.Marshal()
+					if err != nil {
+						return nil, "", nil, err
+					}
+					return nil, pageToken, nil, nil
+				} else {
+					return nil, "", nil, fmt.Errorf("okta-connectorv2: failed to list group roles: %v", errOkta)
+				}
+			}
+			return nil, "", nil, fmt.Errorf("okta-connectorv2: failed to list group roles: %w", err)
 		}
 
 		for _, role := range roles {