[BB-1613] - Add Wrap Errors - Crowdstrike Connector

[mateoHernandez123]

Description

• Bug fix
• New feature

Golang-based SDK to CrowdStrike's Falcon APIs:

• https://pkg.go.dev/github.com/crowdstrike/gofalcon#section-readme
• https://developer.crowdstrike.com/docs/sdks/

Useful links:

• Baton SDK coding guidelines
• New contributor guide

Summary by CodeRabbit

• New Features

  • Added predefined "User" and "Role" resource types for the connector.

• Refactor

  • Public connector type and API surface renamed.
  • Error handling standardized and enriched across operations, including clearer region validation and unified error mapping.

• Bug Fixes

  • Grant/revoke flows now detect conflict conditions and return appropriate annotations instead of generic failures.

• Chores

  • Updated gRPC dependency to v1.71.0.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Rename primary type from CrowdStrike to Connector, add centralized CrowdStrike SDK/HTTP→gRPC error mapping, introduce package-level resource type definitions, promote grpc to a direct dependency, and standardize error wrapping and pagination error returns across connector files.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Promote google.golang.org/grpc to a direct require (v1.71.0); remove the indirect entry.
Core Type Refactor pkg/connector/connector.go	Rename exported type CrowdStrike → Connector; update constructor return type and method receivers; adjust region handling and return gRPC/uhttp-wrapped errors; add uhttp and grpc/codes imports.
Error Handling Infrastructure pkg/connector/errors.go	Add wrapCrowdStrikeError and helpers to extract MsaAPIError details, map HTTP/status/text patterns to gRPC codes, detect conflict (409), and produce consistent wrapped errors.
Pagination & Helpers pkg/connector/helpers.go	Remove unused annotation helper; make parse/convert/next-page functions return wrapped errors with context on failure.
Resource Type Definitions pkg/connector/resource_types.go	Add package-scoped resourceTypeUser and resourceTypeRole (*v2.ResourceType) with ids, display names, traits, and user annotations.
Error Integration in Logic pkg/connector/role.go, pkg/connector/user.go	Replace plain fmt.Errorf returns with wrapCrowdStrikeError or uhttp.WrapErrors where appropriate; change profile maps from map[string]interface{} → map[string]any; add 409 conflict handling paths emitting grant-specific annotations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Pay special attention to:
  • All renames from CrowdStrike → Connector and any remaining references/tests.
  • Correctness of wrapCrowdStrikeError mappings (HTTP codes, message extraction, timeouts/network detection).
  • Call sites of parsePageToken / pagination to ensure new error returns are handled.
  • Grant/revoke 409 conflict handling and returned annotations.

Suggested reviewers

• JavierCarnelli-ConductorOne
• sergiocorral-conductorone
• FeliLucero1
• mateovespConductor

Poem

🐰 I hopped through types and wrapped each err,

Connector now stands where CrowdStrike once were,
grpc grew taller and errors learned to say,
Pages parse clearer as I bound the way.
A carrot for CI — then off I play 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.73% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: introducing error wrapping functionality for the CrowdStrike connector, which aligns with the substantial changes across multiple files implementing centralized error handling.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch mateoHernandez123/add-wrap-errors

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21b0695 and be3c35e.

📒 Files selected for processing (7)

• go.mod (1 hunks)
• pkg/connector/connector.go (6 hunks)
• pkg/connector/errors.go (1 hunks)
• pkg/connector/helpers.go (4 hunks)
• pkg/connector/resource_types.go (1 hunks)
• pkg/connector/role.go (12 hunks)
• pkg/connector/user.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• go.mod
• pkg/connector/resource_types.go

🔇 Additional comments (17)

pkg/connector/user.go (2)

29-29: LGTM: Modern Go type alias.

The change from map[string]interface{} to map[string]any is idiomatic for Go 1.18+.

---

90-90: LGTM: Consistent error wrapping.

The use of wrapCrowdStrikeError provides centralized HTTP-to-gRPC error mapping with clear operation context.

Also applies to: 126-126

pkg/connector/helpers.go (1)

25-25: LGTM: Clear error context for pagination.

The error messages provide clear context for pagination and token parsing failures, following Go error wrapping conventions.

Also applies to: 35-35, 47-47, 61-61

pkg/connector/role.go (6)

39-39: LGTM: Consistent with user.go.

Modern Go type alias, consistent with the change in user.go.

---

70-70: LGTM: Appropriate error wrapping.

Correctly uses wrapCrowdStrikeError for SDK errors (lines 70, 81) and fmt.Errorf for internal resource creation errors (line 89).

Also applies to: 81-81, 89-89

---

298-305: Good addition: Conflict detection for grants.

This addresses the previous review comment about handling 409 conflicts. The implementation correctly returns GrantAlreadyExists annotation instead of an error when the grant already exists.

---

345-352: Good addition: Conflict detection for revokes.

Consistent with the grant handling. Correctly returns GrantAlreadyRevoked when attempting to revoke an already-revoked role.

---

282-282: LGTM: Appropriate error codes.

Correctly uses InvalidArgument for principal type validation failures.

Also applies to: 331-331

---

140-140: LGTM: Consistent error wrapping throughout.

All error paths provide clear context and use appropriate wrapping functions.

Also applies to: 178-178, 236-236, 253-253

pkg/connector/errors.go (4)

14-73: LGTM: Comprehensive error mapping with appropriate defaults.

The dual approach (structured extraction + fallback string matching) is necessary given the SDK's inconsistent error handling. The default to Unknown (line 72) is correct as it avoids unintended retries.

---

76-101: LGTM: Correct error extraction with proper unwrapping.

Uses errors.As to properly handle wrapped errors (addresses previous review feedback) and includes appropriate nil checks.

---

104-117: LGTM: Dual conflict detection approach.

The combination of structured code check and string fallback is consistent with the overall error handling strategy. False positives from the string match are unlikely in practice.

---

120-151: LGTM: Standard HTTP to gRPC code mapping.

The mappings are correct and comprehensive, with appropriate defaults for unhandled ranges.

pkg/connector/connector.go (4)

17-17: LGTM: Type rename to Connector.

Renaming from CrowdStrike to Connector follows conventional patterns used in other baton connectors. This is a breaking change for consumers but aligns with standard naming.

Also applies to: 21-21, 28-28, 36-36, 75-75, 100-100

---

47-47: LGTM: Consistent validation error wrapping.

The wrapCrowdStrikeError calls provide clear context for validation failures.

Also applies to: 57-57, 68-68

---

87-87: LGTM: Proper error code for invalid region.

Using InvalidArgument correctly signals client-side configuration error.

---

97-97: LGTM: Appropriate error wrapping for SDK initialization.

Using fmt.Errorf is correct here since this is an SDK initialization error, not an API response error.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/connector/errors.go (1)

33-51: String-based error detection may produce false positives.

The substring matching on error messages could incorrectly classify errors. For example, an error containing "user ID 401234" would match "401" and be treated as an authentication error. Consider using word boundaries or more precise patterns.

-	if strings.Contains(errMsg, "401") || strings.Contains(errMsg, "unauthorized") {
+	if strings.Contains(errMsg, " 401 ") || strings.Contains(errMsg, "401:") || 
+		strings.Contains(errMsg, "unauthorized") {
		return uhttp.WrapErrors(codes.Unauthenticated, fmt.Sprintf("%s: authentication failed", operation), err)
	}

Alternatively, consider using a regex pattern like \b401\b for stricter matching, or rely more heavily on the structured error extraction path.

pkg/connector/connector.go (1)

97-97: Consider wrapping SDK initialization error for consistency.

The SDK initialization error uses fmt.Errorf while other errors in this file use wrapper functions (wrapCrowdStrikeError for API errors, uhttp.WrapErrors for validation). For consistency with the error handling pattern established in this PR, consider wrapping this error as well.

If this is intentional (treating SDK initialization errors differently from CrowdStrike API errors), this can be ignored. Otherwise, consider applying a consistent error wrapping approach:

-	return nil, fmt.Errorf("failed to initialize SDK client: %w", err)
+	return nil, wrapCrowdStrikeError(err, "failed to initialize SDK client")

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 99b0aae and b27e052.

📒 Files selected for processing (7)

• go.mod (1 hunks)
• pkg/connector/connector.go (6 hunks)
• pkg/connector/errors.go (1 hunks)
• pkg/connector/helpers.go (4 hunks)
• pkg/connector/resource_types.go (1 hunks)
• pkg/connector/role.go (12 hunks)
• pkg/connector/user.go (3 hunks)

🔇 Additional comments (20)

go.mod (1)

12-12: LGTM - grpc promoted to direct dependency.

The promotion of google.golang.org/grpc from indirect to direct is appropriate since the new errors.go directly imports google.golang.org/grpc/codes.

pkg/connector/helpers.go (3)

27-35: LGTM - Improved error wrapping.

The error wrapping in handleNextPage now provides context with fmt.Errorf and the %w verb for proper error chaining.

---

37-57: LGTM - Error handling in parsePageToken.

The function properly returns errors with contextual messages for both unmarshal and conversion failures. Using fmt.Errorf here is appropriate since these are pagination errors, not CrowdStrike API errors.

---

60-71: LGTM - Error context in convertPageToken.

Error wrapping with descriptive message aids debugging when page token parsing fails.

pkg/connector/resource_types.go (1)

7-23: LGTM - Clean extraction of resource type definitions.

The resource type variables are well-defined with appropriate traits. Extracting these to a dedicated file improves code organization and makes the resource types easily discoverable.

pkg/connector/errors.go (1)

100-131: LGTM - Comprehensive HTTP to gRPC code mapping.

The mapping covers common HTTP status codes appropriately, with sensible defaults for 4xx and 5xx ranges.

pkg/connector/user.go (3)

29-35: LGTM - Updated to map[string]any.

Using any instead of interface{} is the idiomatic choice for Go 1.18+.

---

88-91: LGTM - Proper error wrapping for API call.

The wrapCrowdStrikeError wrapper provides consistent error handling with appropriate gRPC codes for the user query operation.

---

124-127: LGTM - Consistent error wrapping pattern.

The error wrapping for RetrieveUsersGETV1 follows the same pattern, maintaining consistency across API calls.

pkg/connector/role.go (8)

39-43: LGTM - Updated to map[string]any.

Consistent with the same change in user.go.

---

69-71: LGTM - Error wrapping for role ID query.

Properly wraps the CrowdStrike API error with context.

---

80-82: LGTM - Error wrapping for role details retrieval.

Consistent error handling pattern for the API call.

---

88-90: Appropriate use of fmt.Errorf for internal error.

This error originates from SDK resource creation, not from CrowdStrike API, so using fmt.Errorf instead of wrapCrowdStrikeError is correct.

---

272-283: LGTM - Grant validation with proper error code.

The validation rejects non-user principals with InvalidArgument, which is the correct gRPC code for invalid input. The warning log provides useful debugging context.

---

312-326: LGTM - Revoke validation mirrors Grant.

Consistent validation pattern with Grant method, using the same error code and logging approach.

---

297-299: LGTM - Grant API error wrapped properly.

---

338-340: LGTM - Revoke API error wrapped properly.

pkg/connector/connector.go (3)

17-17: LGTM! Consistent type rename refactoring.

The rename from CrowdStrike to Connector is consistently applied across the type declaration, method receivers, constructor signature, and return statement. This improves code clarity and follows Go naming conventions for connector implementations.

Also applies to: 21-21, 28-28, 36-36, 75-75, 100-102

---

47-47: Error wrapping in Validate method is properly implemented.

The three error wrapping calls on lines 47, 57, and 68 correctly use wrapCrowdStrikeError with descriptive operation messages. The function extracts CrowdStrike-specific error details and converts HTTP status codes to gRPC error codes with clear context for each failure point, which improves debuggability.

---

87-87: No issues found. The uhttp.WrapErrors usage at line 87 is correct and follows the established pattern in the codebase for input validation errors using the 2-argument form (code, message).

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/connector/role.go (1)

128-160: Slice initialized with length instead of capacity.

Line 129 creates rateLimitInfo with make([]RateLimitInfo, len(userIDs)), which initializes len(userIDs) zero-value elements. Then more elements are appended in the loop, resulting in the slice containing unwanted zero values at the beginning.

If the intent is to pre-allocate capacity, use:

-	rateLimitInfo := make([]RateLimitInfo, len(userIDs))
+	rateLimitInfo := make([]RateLimitInfo, 0, len(userIDs))

🧹 Nitpick comments (1)

pkg/connector/connector.go (1)

74-75: Update stale comment.

The comment references "CrowdStrike connector" but the type has been renamed to Connector. Consider updating for consistency.

-// New returns the CrowdStrike connector.
+// New returns the Connector.
 func New(ctx context.Context, clientId, clientSecret string, region string) (*Connector, error) {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b27e052 and 0a38f04.

📒 Files selected for processing (7)

• go.mod (1 hunks)
• pkg/connector/connector.go (6 hunks)
• pkg/connector/errors.go (1 hunks)
• pkg/connector/helpers.go (4 hunks)
• pkg/connector/resource_types.go (1 hunks)
• pkg/connector/role.go (12 hunks)
• pkg/connector/user.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/connector/user.go
• pkg/connector/resource_types.go
• pkg/connector/errors.go

🔇 Additional comments (14)

go.mod (1)

12-12: LGTM!

Promoting google.golang.org/grpc to a direct dependency is appropriate given the new imports of google.golang.org/grpc/codes in connector.go and role.go for standardized error handling.

pkg/connector/helpers.go (3)

27-35: LGTM!

The error wrapping in handleNextPage provides useful context for debugging pagination issues.

---

37-57: LGTM!

The updated parsePageToken function now properly returns errors with context. The signature change to include an error return is a good improvement for error propagation.

---

59-71: LGTM!

Consistent error wrapping in convertPageToken aligns with the pattern used throughout this file.

pkg/connector/role.go (6)

13-19: LGTM!

The new imports for uhttp and grpc/codes are required for the standardized error handling pattern.

---

36-61: LGTM!

Using map[string]any is the idiomatic Go 1.18+ style, preferred over map[string]interface{}.

---

63-108: LGTM!

The List method correctly differentiates between CrowdStrike API errors (using wrapCrowdStrikeError) and internal errors (using fmt.Errorf). Error messages include operation context ("role list:").

---

162-270: LGTM!

The Grants method properly handles the new error return from parsePageToken and consistently uses wrapCrowdStrikeError for API errors while using fmt.Errorf for internal resource creation errors.

---

272-310: LGTM!

The Grant method properly uses uhttp.WrapErrors with codes.InvalidArgument for validation errors and wrapCrowdStrikeError for API errors. The warning log provides useful context for debugging.

---

312-351: LGTM!

The Revoke method follows the same error handling pattern as Grant, maintaining consistency across the codebase.

pkg/connector/connector.go (4)

10-14: LGTM!

The new imports support the standardized error handling pattern introduced in this PR.

---

17-33: LGTM!

The type rename from CrowdStrike to Connector is a cleaner naming convention. This is a breaking change if external code references the type directly, though typical usage through the New constructor and connectorbuilder interfaces should be unaffected.

---

35-72: LGTM!

The Validate method consistently uses wrapCrowdStrikeError for API errors with descriptive prefixes ("validate:") that provide clear operational context.

---

86-102: LGTM!

The error handling in New appropriately uses codes.InvalidArgument for invalid region input and fmt.Errorf for SDK client initialization failures.

[ggreer]

I noticed a few unrelated improvements that could be done, but that shouldn't block merging this.

[ggreer]

uhttp does this, but unfortunately it's not in its own utility function. You have to use uhttp to do the request to get http status -> grpc status conversion. We should probably fix that at some point.

[ggreer]

Why would they write an SDK and then mess up the errors this bad? 😭

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/connector/errors.go (1)

30-72: Add test coverage for error message pattern matching to catch SDK changes early.

String-based error detection in the fallback path is necessary due to inconsistent SDK error structures but remains fragile. Currently there is no test coverage for wrapCrowdStrikeError or its error message patterns. If the gofalcon SDK changes error message formats, these patterns will fail silently. The same brittle pattern also appears in isConflictError() (lines 113-115).

Add unit tests that verify each error pattern (401, "unauthorized", 403, "forbidden", etc.) maps to the correct gRPC code, ensuring SDK changes are caught early.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0a38f04 and 21b0695.

📒 Files selected for processing (7)

• go.mod (1 hunks)
• pkg/connector/connector.go (6 hunks)
• pkg/connector/errors.go (1 hunks)
• pkg/connector/helpers.go (4 hunks)
• pkg/connector/resource_types.go (1 hunks)
• pkg/connector/role.go (12 hunks)
• pkg/connector/user.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/connector/user.go

🔇 Additional comments (11)

go.mod (1)

12-12: LGTM! Dependency promotion is appropriate.

Promoting google.golang.org/grpc to a direct dependency is correct, as the connector now directly imports google.golang.org/grpc/codes in the new error handling utilities.

pkg/connector/helpers.go (1)

21-65: LGTM! Error wrapping is clear and follows best practices.

The added error wrapping provides clear context for pagination failures while maintaining proper error chains with %w. The removal of annotationsForUserResourceType() addresses the previous review feedback about unnecessary indirection.

pkg/connector/role.go (3)

298-305: Excellent implementation of conflict handling!

The grant flow now properly detects 409 Conflict responses and returns the GrantAlreadyExists annotation instead of an error, which aligns with the previous review feedback and the expected idempotent behavior.

---

345-352: Proper revoke conflict handling.

The revoke flow correctly handles already-revoked grants by returning the GrantAlreadyRevoked annotation for 409 Conflict responses, maintaining consistency with the grant implementation.

---

39-43: Good modernization to map[string]any.

The change from map[string]interface{} to map[string]any is a nice idiomatic improvement that leverages Go 1.18+ syntax.

pkg/connector/resource_types.go (1)

1-24: LGTM! Clean resource type definitions.

Moving resource type definitions to a dedicated file improves code organization. The inline annotations address the previous review feedback about removing unnecessary indirection from the annotationsForUserResourceType() helper.

pkg/connector/errors.go (2)

85-96: LGTM! Proper error unwrapping with errors.As.

The implementation correctly uses errors.As to detect the csError interface in the error chain, addressing the previous review feedback about wrapped error handling.

---

118-150: Comprehensive HTTP-to-gRPC status mapping.

The mapping covers common HTTP status codes and includes sensible fallback logic for status code ranges. This provides consistent error handling across the connector.

pkg/connector/connector.go (3)

17-26: Type rename improves clarity.

Renaming from CrowdStrike to Connector provides better semantic clarity and aligns with common naming conventions for connector implementations.

---

36-72: Consistent validation error handling.

The validation logic now properly wraps CrowdStrike SDK errors with contextual operation names, making it easier to diagnose authentication and permission issues during connector setup.

---

75-103: Region handling and SDK initialization look good.

The expanded region support and proper error wrapping for invalid regions and SDK initialization failures provide clear feedback to users.

[luisina-santos]

should we default to Unknown just as uhttp does on baton-sdk?

https://github.com/ConductorOne/baton-sdk/blob/main/pkg/uhttp/wrapper.go#L466

[luisina-santos]

remember Unavailable retries the operation and we don't want that sometimes if we are not sure about the incoming error