Add IsScopeToResource

examples/postgres-test-exclusion-group.yml

@@ -380,6 +380,7 @@ resource_types:
           id: "'role-group'"
           order: "1"
           is_default: "'reader' == resource.ID"
+          is_scope_to_resource: "true"
         provisioning:
           vars:
             username: "principal.ID"

go.mod

@@ -4,7 +4,7 @@ go 1.25.2
 
 require (
 	github.com/SAP/go-hdb v1.14.5
-	github.com/conductorone/baton-sdk v0.9.15
+	github.com/conductorone/baton-sdk v0.9.20
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/ennyjfrick/ruleguard-logfatal v0.0.2
 	github.com/go-sql-driver/mysql v1.9.2

go.sum

@@ -80,8 +80,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/conductorone/baton-sdk v0.9.15 h1:xChC/4JwN2Vmk8uTVv2owQV3ubh3w3G4gIOPug8pYQU=
-github.com/conductorone/baton-sdk v0.9.15/go.mod h1:treFEoFwbzu9hgPqpCRD+Sr+p71xkeH98Y4ofDGrjSg=
+github.com/conductorone/baton-sdk v0.9.20 h1:yPQ4v/6YRj7Yk2Kl2w18JeGezyfz64MAfL/v5wl3f6w=
+github.com/conductorone/baton-sdk v0.9.20/go.mod h1:treFEoFwbzu9hgPqpCRD+Sr+p71xkeH98Y4ofDGrjSg=
 github.com/conductorone/dpop v0.2.6 h1:fakwai/Xm2b/fcDUwJN41WtcSI/2UhQOyRIVvnnrrNA=
 github.com/conductorone/dpop v0.2.6/go.mod h1:gyo8TtzB9SCFCsjsICH4IaLZ7y64CcrDXMOPBwfq/3s=
 github.com/conductorone/dpop/integrations/dpop_grpc v0.2.4 h1:lYxYi9/WTSL9sE96CO0QF2BY3kehs8dTTApI134TGCA=

pkg/bsql/config.go

@@ -338,6 +338,9 @@ type ExclusionGroupMapping struct {
 
 	// IsDefault marks this entitlement as the group's default (proto field 3, bool).
 	IsDefault string `yaml:"is_default,omitempty" json:"is_default,omitempty"`
+
+	// ScopeToResource indicates whether to scope the exclusion group to a resource on static entitlement (proto field 4, bool).
+	IsScopeToResource string `yaml:"is_scope_to_resource,omitempty" json:"is_scope_to_resource,omitempty"`
 }
 
 // EntitlementProvisioning defines settings and queries for entitlement provisioning.

pkg/bsql/exclusion_group.go

@@ -56,5 +56,14 @@ func (s *SQLSyncer) buildExclusionGroupAny(ctx context.Context, cfg *ExclusionGr
 
 	group.SetIsDefault(isDefault)
 
+	var isScopeToResource bool
+	if cfg.IsScopeToResource != "" {
+		isScopeToResource, err = s.env.EvaluateBool(ctx, cfg.IsScopeToResource, inputs)
+		if err != nil {
+			return nil, fmt.Errorf("exclusion_group.is_scoped_to_resource evaluation failed: %w", err)
+		}
+	}
+	group.SetScopeToResource(isScopeToResource)
+
 	return anypb.New(group)
 }

pkg/bsql/exclusion_group_test.go

@@ -55,9 +55,10 @@ func TestBuildExclusionGroupAny(t *testing.T) {
 	t.Run("order and is_default are evaluated", func(t *testing.T) {
 		s := newTestSyncerWithEnv(t)
 		mapping := &ExclusionGroupMapping{
-			Id:        "'license'",
-			Order:     "'2'",
-			IsDefault: "true",
+			Id:                "'license'",
+			Order:             "'2'",
+			IsDefault:         "true",
+			IsScopeToResource: "true",
 		}
 		anyv, err := s.buildExclusionGroupAny(ctx, mapping, map[string]any{})
 		require.NoError(t, err)
@@ -67,6 +68,7 @@ func TestBuildExclusionGroupAny(t *testing.T) {
 		require.Equal(t, "license", got.GetExclusionGroupId())
 		require.Equal(t, uint32(2), got.GetOrder())
 		require.True(t, got.GetIsDefault())
+		require.True(t, got.GetScopeToResource())
 	})
 
 	t.Run("order reads from row inputs", func(t *testing.T) {