Refactoring code

ConductorOne · May 28, 2024 · e0ae67e · e0ae67e
1 parent 11c2449
commit e0ae67e
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 26 deletions.
diff --git a/pkg/connector/app.go b/pkg/connector/app.go
@@ -408,9 +408,25 @@ func (g *appResourceType) Grant(ctx context.Context, principal *v2.Resource, ent
 	switch principal.Id.ResourceType {
 	case resourceTypeUser.Id:
 		userID := principal.Id.Resource
-		appUser, _, err := g.client.Application.GetApplicationUser(ctx, appID, userID, nil)
-		if err != nil && !strings.Contains(err.Error(), "Resource not found") {
-			return nil, fmt.Errorf("okta-connector: %s", err.Error())
+		appUser, response, err := g.client.Application.GetApplicationUser(ctx, appID, userID, nil)
+		if err != nil {
+			defer response.Body.Close()
+			errOkta, err := getError(response)
+			if err != nil {
+				return nil, err
+			}
+
+			if errOkta.ErrorCode != "E0000007" {
+				l.Warn(
+					"okta-connector: ",
+					zap.String("principal_id", principal.Id.String()),
+					zap.String("principal_type", principal.Id.ResourceType),
+					zap.String("ErrorCode", errOkta.ErrorCode),
+					zap.String("ErrorSummary", errOkta.ErrorSummary),
+				)
+
+				return nil, fmt.Errorf("okta-connector: %v", errOkta)
+			}
 		}
 
 		if appUser != nil && userID == appUser.Id {
@@ -459,9 +475,25 @@ func (g *appResourceType) Grant(ctx context.Context, principal *v2.Resource, ent
 		)
 	case resourceTypeGroup.Id:
 		groupID := principal.Id.Resource
-		appGroup, _, err := g.client.Application.GetApplicationGroupAssignment(ctx, appID, groupID, nil)
-		if err != nil && !strings.Contains(err.Error(), "Resource not found") {
-			return nil, fmt.Errorf("okta-connector: %s", err.Error())
+		appGroup, response, err := g.client.Application.GetApplicationGroupAssignment(ctx, appID, groupID, nil)
+		if err != nil {
+			defer response.Body.Close()
+			errOkta, err := getError(response)
+			if err != nil {
+				return nil, err
+			}
+
+			if errOkta.ErrorCode != "E0000007" {
+				l.Warn(
+					"okta-connector: ",
+					zap.String("principal_id", principal.Id.String()),
+					zap.String("principal_type", principal.Id.ResourceType),
+					zap.String("ErrorCode", errOkta.ErrorCode),
+					zap.String("ErrorSummary", errOkta.ErrorSummary),
+				)
+
+				return nil, fmt.Errorf("okta-connector: %v", errOkta)
+			}
 		}
 
 		if appGroup != nil && groupID == appGroup.Id {
@@ -515,7 +547,7 @@ func (g *appResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotati
 				zap.String("principal_id", principal.Id.String()),
 				zap.String("principal_type", principal.Id.ResourceType),
 			)
-			return nil, fmt.Errorf("okta-connector: user does not have app membership: %s", err.Error())
+			return nil, fmt.Errorf("okta-connector: user does not have app membership: %v", err)
 		}
 
 		response, err := g.client.Application.DeleteApplicationUser(ctx, appID, userID, nil)

diff --git a/pkg/connector/helpers.go b/pkg/connector/helpers.go
@@ -1,7 +1,9 @@
 package connector
 
 import (
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/url"
 	"time"
 
@@ -107,3 +109,18 @@ func responseToContext(token *pagination.Token, resp *okta.Response) (*responseC
 
 	return ret, nil
 }
+
+func getError(response *okta.Response) (okta.Error, error) {
+	var errOkta okta.Error
+	bytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return okta.Error{}, err
+	}
+
+	err = json.Unmarshal(bytes, &errOkta)
+	if err != nil {
+		return okta.Error{}, err
+	}
+
+	return errOkta, nil
+}
diff --git a/pkg/connector/role.go b/pkg/connector/role.go
@@ -345,13 +345,23 @@ func (g *roleResourceType) Grant(ctx context.Context, principal *v2.Resource, en
 		}
 		createdRole, response, err := g.client.User.AssignRoleToUser(ctx, userID, role, nil)
 		if err != nil {
-			l.Warn(
-				"okta-connector: The role specified is already assigned to the user",
-				zap.String("principal_id", principal.Id.String()),
-				zap.String("principal_type", principal.Id.ResourceType),
-			)
-			return nil, fmt.Errorf("okta-connector: The role specified is already assigned to the user %s %s",
-				err.Error(), response.Body)
+			defer response.Body.Close()
+			errOkta, err := getError(response)
+			if err != nil {
+				return nil, err
+			}
+
+			if errOkta.ErrorCode == "E0000090" {
+				l.Warn(
+					"okta-connector: The role specified is already assigned to the user",
+					zap.String("principal_id", principal.Id.String()),
+					zap.String("principal_type", principal.Id.ResourceType),
+					zap.String("ErrorCode", errOkta.ErrorCode),
+					zap.String("ErrorSummary", errOkta.ErrorSummary),
+				)
+			}
+
+			return nil, fmt.Errorf("okta-connector: %v", errOkta)
 		}
 
 		l.Warn("Role Membership has been created.",
@@ -369,13 +379,23 @@ func (g *roleResourceType) Grant(ctx context.Context, principal *v2.Resource, en
 		}
 		createdRole, response, err := g.client.Group.AssignRoleToGroup(ctx, groupID, role, nil)
 		if err != nil {
-			l.Warn(
-				"okta-connector: The role specified is already assigned to the group",
-				zap.String("principal_id", principal.Id.String()),
-				zap.String("principal_type", principal.Id.ResourceType),
-			)
-			return nil, fmt.Errorf("okta-connector: The role specified is already assigned to the group %s %s",
-				err.Error(), response.Body)
+			defer response.Body.Close()
+			errOkta, err := getError(response)
+			if err != nil {
+				return nil, err
+			}
+
+			if errOkta.ErrorCode == "E0000090" {
+				l.Warn(
+					"okta-connector: The role specified is already assigned to the group",
+					zap.String("principal_id", principal.Id.String()),
+					zap.String("principal_type", principal.Id.ResourceType),
+					zap.String("ErrorCode", errOkta.ErrorCode),
+					zap.String("ErrorSummary", errOkta.ErrorSummary),
+				)
+			}
+
+			return nil, fmt.Errorf("okta-connector: %v", errOkta)
 		}
 
 		l.Warn("Role Membership has been created.",
@@ -397,7 +417,7 @@ func (g *roleResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotat
 	l := ctxzap.Extract(ctx)
 	entitlement := grant.Entitlement
 	principal := grant.Principal
-	createdRoleId := ""
+	roleId := ""
 	if principal.Id.ResourceType != resourceTypeUser.Id {
 		l.Warn(
 			"okta-connector: only users or groups can have role membership revoked",
@@ -429,7 +449,8 @@ func (g *roleResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotat
 			return nil, fmt.Errorf("okta-connector: user does not have role membership")
 		}
 
-		response, err = g.client.User.RemoveRoleFromUser(ctx, userId, createdRoleId)
+		roleId = roles[rolePos].Id
+		response, err = g.client.User.RemoveRoleFromUser(ctx, userId, roleId)
 		if err != nil {
 			return nil, fmt.Errorf("okta-connector: failed to remove role: %s %s", err.Error(), response.Body)
 		}
@@ -451,15 +472,16 @@ func (g *roleResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annotat
 		})
 		if rolePos == NF {
 			l.Warn(
-				"okta-connector: user does not have role membership",
+				"okta-connector: group does not have role membership",
 				zap.String("principal_id", principal.Id.String()),
 				zap.String("principal_type", principal.Id.ResourceType),
 				zap.String("role_type", entitlement.Resource.Id.Resource),
 			)
-			return nil, fmt.Errorf("okta-connector: user does not have role membership")
+			return nil, fmt.Errorf("okta-connector: group does not have role membership")
 		}
 
-		response, err = g.client.Group.RemoveRoleFromGroup(ctx, groupId, createdRoleId)
+		roleId = roles[rolePos].Id
+		response, err = g.client.Group.RemoveRoleFromGroup(ctx, groupId, roleId)
 		if err != nil {
 			return nil, fmt.Errorf("okta-connector: failed to remove role: %s %s", err.Error(), response.Body)
 		}