Containerize baton-jamf connector

[laurenleach]

Containerizes the connector following baton-databricks#35 and baton-contentful#48.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

Summary by CodeRabbit

• Chores
  • Updated Go toolchain to 1.25.2 and refreshed core dependencies for security, stability, and performance.
• New Features
  • Configuration UI/metadata improved: clearer display names, secret marking for credentials, help and icon links.
• Refactor
  • Unified synchronization APIs and upgraded syncer interfaces for more consistent and extensible resource sync behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

Walkthrough

Updated Go toolchain and module graph; added a generated Jamf config with reflection-based getters; refactored connector constructor and multiple resource-type APIs to use rs.SyncOpAttrs/*rs.SyncOpResults in place of pagination tokens and annotations.

Changes

Cohort / File(s)	Summary
Dependency Upgrade go.mod	Bumped Go toolchain to 1.25.2 and upgraded github.com/conductorone/baton-sdk (v0.2.46 → v0.7.10) with extensive transitive dependency updates (gRPC, AWS SDK v2 components, grpc-gateway, OpenTelemetry, x/* packages, etc.).
Configuration Infrastructure pkg/config/conf.gen.go, pkg/config/schema.go	Adds generated Jamf struct with mapstructure tags and reflection-based getters (GetString, GetInt, GetBool, GetStringSlice, GetStringMap). Exports ConfigurationFields, FieldRelationships, and initializes public Config with display/help metadata and go:generate directive.
Connector Core pkg/connector/connector.go	Constructor New signature changed to accept *cfg.Jamf and *cli.ConnectorOpts, now returning connectorbuilder.ConnectorBuilderV2, []connectorbuilder.Opt, error; error returns adjusted to (nil, nil, err). ResourceSyncers now returns []connectorbuilder.ResourceSyncerV2 and includes additional syncers.
Resource Type APIs pkg/connector/user.go, pkg/connector/userAccount.go, pkg/connector/userGroup.go, pkg/connector/group.go, pkg/connector/role.go, pkg/connector/site.go	Unified API change: List, Entitlements, and Grants now accept rs.SyncOpAttrs (replacing pagination.Token) and return *rs.SyncOpResults (replacing string/annotations). Error-return patterns and imports updated accordingly across all resource types.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through modules, shiny and spry,
A Jamf with reflectors caught my eye,
Tokens traded for SyncOpAttrs' tune,
Sync results hum beneath the moon,
A tiny rabbit cheers this code renewal 🥕✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'Containerize baton-jamf connector' is vague and does not accurately reflect the actual changes, which are primarily SDK API migration updates (pagination/annotations to SyncOpAttrs), configuration refactoring, and code generation—not containerization.	Update the title to reflect the main changes, such as 'Update to Baton SDK v0.7.10 with ResourceSyncerV2 and SyncOpAttrs migration' or 'Migrate resource syncers to v2 API and update dependency versions'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.15% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch containerize-baton-jamf

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/connector/group.go (1)

85-112: Build failure: Return statements not migrated to new API.

The pipeline failure at line 90 is caused by return statements that still use the old 4-value return pattern (nil, "", nil, err) instead of the new 3-value pattern (nil, nil, err).

Lines 90 and 105 need to be updated to match the new Grants method signature.

🐛 Proposed fix for the return statements

 	groupId, err := strconv.Atoi(resource.Id.Resource)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, nil, err
 	}

 	// HACK: the endpoint to get group details returns a members list, but it comes back empty
 	// sometimes when it shouldn't. This is a bug in the Jamf API.
 	// This is a workaround to get the members list as of 22/05/2025 and is not 100% reliable.
 	// but from what's i've seen, it will return the members list after 2-3 tries. (if there are
 	// any members at all in that group)
 	// https://developer.jamf.com/jamf-pro/reference/findgroupsbyid
 	// if this endpoint becomes reliable again, we can remove this for loop
 	var group *jamf.Group
 	count := 0
 	for count < 5 {
 		group, err = g.client.GetGroupDetails(ctx, groupId)
 		if err != nil {
-			return nil, "", nil, err
+			return nil, nil, err
 		}
 		if len(group.Members) > 0 {
 			break
 		}
 		count++
 		time.Sleep(time.Second)
 	}

🤖 Fix all issues with AI agents

In `@go.mod`:
- Around line 104-107: Update the vulnerable module versions in go.mod by
bumping golang.org/x/crypto to at least v0.35.0 (preferably latest v0.47.0) and
golang.org/x/oauth2 to at least v0.27.0 (preferably latest v0.34.0); then run
the go tooling to apply the changes (go get golang.org/x/crypto@v0.47.0
golang.org/x/oauth2@v0.34.0), run go mod tidy to refresh go.sum, and run the
test suite/build to ensure no breakages; also check for any replace directives
or indirect consumers that might pin older versions and update them accordingly.

🧹 Nitpick comments (1)

pkg/connector/site.go (1)

25-36: Unused parentResourceID parameter.

The parentResourceID parameter is declared but never used in the siteResource function. Consider either using it or removing it if not needed.

♻️ Suggested fix

-func siteResource(site *jamf.Site, parentResourceID *v2.ResourceId) (*v2.Resource, error) {
+func siteResource(site *jamf.Site) (*v2.Resource, error) {

Note: If you remove the parameter, you'll also need to update the call site at line 47 to siteResource(&siteCopy).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if crypto/ssh or oauth2 packages are used directly or transitively
echo "=== Checking for ssh usage ==="
rg 'golang.org/x/crypto/ssh' --type go -l || echo "No direct ssh imports found"

echo ""
echo "=== Checking for oauth2 usage ==="
rg 'golang.org/x/oauth2' --type go -l || echo "No direct oauth2 imports found"

echo ""
echo "=== Checking go.sum for affected packages ==="
grep -E 'golang.org/x/(crypto|oauth2)' go.sum | head -20

echo ""
echo "=== Checking baton-sdk dependency for transitive usage ==="
# Look for what baton-sdk depends on
grep -A 5 -B 5 'baton-sdk' go.mod

Repository: ConductorOne/baton-jamf

Length of output: 2815

---

🌐 Web query:

latest patched versions golang.org/x/crypto golang.org/x/oauth2 2025 vulnerabilities security

💡 Result:

golang.org/x/oauth2 (2025 security vuln + latest)

• 2025 vuln: CVE-2025-22868 / GO-2025-3488 (unexpected memory consumption in golang.org/x/oauth2/jws) — fixed in v0.27.0 (tagged Feb 24, 2025). [1] [2]
• Latest module version (as of 2026-01-29): v0.34.0 (Dec 1, 2025). [3]

Action: use golang.org/x/oauth2@v0.27.0 or newer (prefer latest):

go get golang.org/x/oauth2@v0.34.0

golang.org/x/crypto (2025 security vuln + latest)

• 2025 vuln: CVE-2025-22869 / GO-2025-3487 (DoS in golang.org/x/crypto/ssh) — fixed in v0.35.0 (tagged Feb 24, 2025). [4] [5]
• Additional 2025 ssh/agent vulns appear on pkg.go.dev for versions <= v0.44.0, and are no longer flagged starting v0.45.0. [6]
• Latest module version (as of 2026-01-29): v0.47.0 (Jan 12, 2026). [6]

Action: use golang.org/x/crypto@v0.35.0 or newer (prefer latest):

go get golang.org/x/crypto@v0.47.0

Sources

[1] https://groups.google.com/g/golang-announce/c/wImnF7NFhJE
[2] https://pkg.go.dev/vuln/GO-2025-3488
[3] https://pkg.go.dev/golang.org/x/oauth2?tab=versions
[4] https://groups.google.com/g/golang-announce/c/qN_GDasRQSA
[5] https://pkg.go.dev/vuln/GO-2025-3487
[6] https://pkg.go.dev/golang.org/x/crypto?tab=versions

---

Upgrade golang.org/x/crypto and golang.org/x/oauth2 to patched versions immediately.

Both packages contain confirmed 2025 security vulnerabilities and are actively used in the codebase:

1. golang.org/x/crypto v0.34.0 (Line 104):

   • CVE-2025-22869 / GO-2025-3487: DoS vulnerability in SSH package
   • Additional SSH/agent vulnerabilities flagged for versions ≤ v0.44.0
   • Patched in: v0.35.0 (Feb 24, 2025) | Latest: v0.47.0 (Jan 12, 2026)
   • Current usage: SSH/agent code is actively used via baton-sdk's JWK providers and age package

2. golang.org/x/oauth2 v0.26.0 (Line 107):

   • CVE-2025-22868 / GO-2025-3488: Unexpected memory consumption during token parsing
   • Patched in: v0.27.0 (Feb 24, 2025) | Latest: v0.34.0 (Dec 1, 2025)
   • Current usage: OAuth2 is actively used throughout baton-sdk and dependency chain

Upgrade to at least the patched versions, or preferably the latest stable releases available.

🧰 Tools

🪛 OSV Scanner (2.3.2)

[HIGH] 104-104: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

---

[HIGH] 104-104: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

---

[HIGH] 107-107: golang.org/x/oauth2 0.26.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 107-107: golang.org/x/oauth2 0.26.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

In `@go.mod` around lines 104 - 107, Update the vulnerable module versions in
go.mod by bumping golang.org/x/crypto to at least v0.35.0 (preferably latest
v0.47.0) and golang.org/x/oauth2 to at least v0.27.0 (preferably latest
v0.34.0); then run the go tooling to apply the changes (go get
golang.org/x/crypto@v0.47.0 golang.org/x/oauth2@v0.34.0), run go mod tidy to
refresh go.sum, and run the test suite/build to ensure no breakages; also check
for any replace directives or indirect consumers that might pin older versions
and update them accordingly.