[CXH-1571] - Add License management - Zoom Connector by mateoHernandez123 · Pull Request #28 · ConductorOne/baton-zoom

mateoHernandez123 · 2026-06-01T20:26:11Z

Description

Bug fix
New feature

Adds a license resource type that models Zoom's three license tiers (Basic, Licensed, On-Prem) as static resources, with user grants emitted principal-side from userBuilder.Grants and seat counts surfaced via LicenseProfileTrait for the C1 App Utilization feature (CE-720).

Closes CXH-1571.

Implementation

License resources are static (no /licenses endpoint in Zoom) — tiers are fixed integer codes on User.type: Basic (1), Licensed (2), On-Prem (3).
License is a derived resource type: grants are emitted from userBuilder.Grants (principal-side) using User.type stashed in the user resource profile during List(). licenseResourceType.Grants is a no-op. This keeps sync at O(users) instead of O(users × tiers).
Grant / Revoke: PATCH /v2/users/{userId} with {"type": N}. Revoke downgrades to Basic (Zoom has no "no license" state — Basic is the floor tier).
Idempotency uses a triple short-circuit, each backed by a single pre-flight GetUser (no extra PATCH):
- Grant of the user's current tier → GrantAlreadyExists
- Revoke of a tier the user no longer holds → GrantAlreadyRevoked
- Revoke of the floor tier (Basic) → GrantAlreadyRevoked
LicenseProfileTrait is wired on every tier (LicenseName + EntitlementIDs = license:<id>:assigned so App Utilization can correlate consumed_seats to user grants). Seat counts (WithLicenseSeats) are added only on Licensed when purchased > 0 — Basic is uncapped (Zoom doesn't track it) and On-Prem is provisioned outside Zoom Cloud (no billing-API visibility).
Seat counts come from GET /v2/accounts/me/plans/usage (plan_base.hosts / plan_base.usage) — best-effort: if the billing scope is missing or the call fails, the three tiers still emit, just without seat numbers on Licensed.
The full reasoning (how Zoom licensing maps onto C1, why tiers are static, what's deliberately out of scope) lives in the header comment of pkg/connector/license.go:1-72.

Scopes required

Granular Server-to-Server OAuth scopes:

user:update:user:admin — PATCH /v2/users/{userId} (required for Grant/Revoke).
billing:read:plan_usage:admin — GET /v2/accounts/me/plans/usage (optional; enables seat-count enrichment on Licensed).

Validation

End-to-end against a live Business-Monthly tenant: sync, Grant, idempotent re-Grant, Revoke, idempotent re-Revoke (non-held tier and floor tier), and license assignment from the C1 platform UI after email-invitation acceptance. plan_base.usage matches count(User.type == 2) on every state transition.

Useful links

Zoom — Update a user
Zoom — Get plan usage
baton-microsoft-entra/pkg/connector/licenses.go (reference implementation)
Zoom Postman workspace

linear-code · 2026-06-01T20:26:15Z

CXH-1571

github-actions · 2026-06-01T20:34:53Z

Connector PR Review: [CXH-1571] - Add License management - Zoom Connector

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds a license resource type modeling Zoom's three user license tiers (Basic, Licensed, On-Prem) as static resources with principal-side grant emission from userBuilder.Grants, provisioning via PATCH /v2/users/{userId}, and optional seat-count enrichment from the billing API. The implementation is clean: resource type definitions are correctly extracted to resource_types.go, the SkipEntitlementsAndGrants → SkipEntitlements annotation change on User is consistent with the new grant emission, idempotency is properly handled with pre-flight GETs and GrantAlreadyExists/GrantAlreadyRevoked annotations, HTTP response nil checks follow the established codebase patterns, and the baton_capabilities.json accurately reflects the new resource type and annotation changes. No blocking issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

github-actions

No blocking issues found.

mateoHernandez123 · 2026-06-01T20:49:45Z

Thanks for the review. Triage of the 2 suggestions + the N2 finding in the summary:

pkg/zoom/client.go:455 (url.JoinPath consistency) — not applying. The 12 read endpoints in the client all use fmt.Sprint; url.JoinPath is only used by mutating endpoints (InviteUser, DeleteUser, PatchUserLicense). Standardizing on url.JoinPath everywhere is a separate refactor.
pkg/connector/license.go:277-281 (Revoke Basic short-circuit) — not applying. Returning GrantAlreadyRevoked when the user still holds Basic would contradict the connector-wide principle of "don't pre-judge user state". The fall-through PatchUserLicense(..., BasicUser) is one harmless PATCH (204) and keeps all four Grant/Revoke entry points symmetric.
pkg/connector/connector.go:51 (Metadata().Description) — applied in 63055c2: now reads "Connector syncing users, groups, roles, contact groups, and license tiers from Zoom to Baton.".

github-actions

Blocking issues found — see review comments.

Bot re-review reasserted the same 2 suggestions already triaged: both inline threads are resolved with rationale (url.JoinPath consistency belongs to a separate refactor; Revoke-Basic short-circuit would contradict the connector-wide "don't pre-judge user state" principle). The third finding (Metadata().Description) was applied in 63055c2. No new findings.

github-actions

No blocking issues found.

FeliLucero1 · 2026-06-02T13:44:46Z

+// counts from GET /v2/accounts/me/plans/usage. Requires the
+// `billing:read:plan_usage:admin` scope (or the legacy `billing:read`).
+func (c *Client) GetAccountPlanUsage(ctx context.Context) (*PlanUsage, *http.Response, error) {
+	requestURL := fmt.Sprint(c.baseURL, "/accounts/me/plans/usage")


Use url.JoinPath IMO

Not applying in this PR — keeping consistency with the existing client. All 12 read endpoints in pkg/zoom/client.go use fmt.Sprint(c.baseURL, "/path") (GetUsers, GetGroups, GetRoles, GetUser, etc.); url.JoinPath is only used by the 3 mutating endpoints (InviteUser, DeleteUser, PatchUserLicense) where it pre-existed. Migrating GetAccountPlanUsage alone would be inconsistent — it's a GET, so it follows the GET convention. If we want to standardize on url.JoinPath across the whole client, happy to do it as a separate refactor PR (touches all 12 GET callsites).

github-actions

No blocking issues found.

github-actions

No blocking issues found.

FeliLucero1 · 2026-06-02T17:02:01Z

+	if user.Type != grantedType {
+		return annotations.New(&v2.GrantAlreadyRevoked{}), nil
+	}
+


What if grantedType == 1 (Basic) and user.Type == 1 ? the guard does not fire in that case IMO

github-actions

No blocking issues found.

github-actions

No blocking issues found.

github-actions

No blocking issues found.

luisina-santos · 2026-06-03T18:24:02Z

+			"baton-zoom: failed to fetch plan usage; emitting licenses without seat counts",
+			zap.Error(err),
+		)
+	} else if usage != nil {


no usage specified by license? how it works?

Good catch — explained in detail in the header comment of pkg/connector/license.go:1-72. Short version: LicenseProfileTrait was wired in ec305db and each tier gets a different shape depending on what Zoom actually exposes.

Tier Seats surfaced? Why

Basic (type=1) No Uncapped — Zoom doesn't track it.

Licensed (type=2) purchased / consumed from plan_base.hosts / plan_base.usage Paid base-plan seats.

On-Prem (type=3) No Self-hosted via Meeting Connector; the billing API has no visibility into it.

WithLicenseSeats is only added on Licensed when purchased > 0. The plan_base fetch is best-effort — if the billing:read:plan_usage:admin scope is missing the tiers still emit, just without seat numbers. EntitlementIDs are set to license:<id>:assigned so the C1 App Utilization feature (CE-720) can correlate consumed_seats to user grants. Validated against a live Business-Monthly tenant: plan_base.usage matches count(User.type == 2) on every state transition.

luisina-santos · 2026-06-03T18:25:29Z

+// and emits one grant per user whose User.type matches the license tier
+// being synced. The same status-stack pagination pattern used by userResourceType
+// is used here to avoid an extra GET /v2/users/{id} per user.
+func (l *licenseResourceType) Grants(ctx context.Context, res *v2.Resource, opts resource.SyncOpAttrs) ([]*v2.Grant, *resource.SyncOpResults, error) {


could we emit license grants from users?

Done in ec305db

luisina-santos · 2026-06-03T18:26:38Z

+	logger := ctxzap.Extract(ctx)
+
+	if principal.Id.ResourceType != resourceTypeUser.Id {
+		logger.Warn(


we don't need this warn log here. let's keep connectors clean from logs that are not giving us extra information

Done in ec305db

github-actions

No blocking issues found.

github-actions

No blocking issues found.

…le trait

github-actions

No blocking issues found.

mateoHernandez123 requested a review from a team June 1, 2026 20:26

mateoHernandez123 requested review from FeliLucero1, JavierCarnelli-ConductorOne, agustin-conductor, al-conductorone, btipling, luisina-santos, madison-c-evans, mateovespConductor and sergiocorral-conductorone June 1, 2026 20:26

mateoHernandez123 assigned btipling Jun 1, 2026

github-actions Bot reviewed Jun 1, 2026

View reviewed changes

Comment thread pkg/zoom/client.go

github-actions Bot reviewed Jun 1, 2026

View reviewed changes

Comment thread pkg/connector/license.go

github-actions Bot reviewed Jun 1, 2026

View reviewed changes

github-actions Bot previously requested changes Jun 1, 2026

View reviewed changes