just use native group expansion in baton rather than listing group me…

…mbers inline

cmd/baton-1password/main.go

@@ -42,7 +42,6 @@ func main() {
 		fmt.Fprintln(os.Stderr, err.Error())
 		os.Exit(1)
 	}
-
 }
 
 func getConnector(ctx context.Context, v *viper.Viper) (types.ConnectorServer, error) {
@@ -63,9 +62,10 @@ func getConnector(ctx context.Context, v *viper.Viper) (types.ConnectorServer, e
 		l.Error("failed to login: ", zap.Error(err))
 		return nil, err
 	}
+
 	cb, err := connector.New(
 		ctx,
-		string(token),
+		token,
 		limitVaultPerms,
 	)
 	if err != nil {

pkg/connector/vault.go

@@ -251,45 +251,54 @@ func (g *vaultResourceType) Grants(ctx context.Context, resource *v2.Resource, p
 
 		for _, group := range vaultGroups {
 			groupCopy := group
-			groupMembers, err := g.cli.ListGroupMembers(ctx, groupCopy.ID)
-			if err != nil {
-				return nil, "", nil, err
+			rid := &v2.ResourceId{
+				Resource:     groupCopy.ID,
+				ResourceType: resourceTypeGroup.Id,
 			}
 
-			for _, member := range groupMembers {
-				memberCopy := member
-				ur, err := userResource(memberCopy, resource.Id)
-				if err != nil {
-					return nil, "", nil, err
+			membershipGrant := grant.NewGrant(resource, memberEntitlement, rid,
+				grant.WithAnnotation(&v2.GrantExpandable{
+					EntitlementIds: []string{
+						fmt.Sprintf("group:%s:member", groupCopy.ID),
+					},
+					Shallow:         true,
+					ResourceTypeIds: []string{resourceTypeUser.Id},
+				}),
+			)
+			if g.limitVaultPermissions != nil {
+				if g.limitVaultPermissions.Contains(memberEntitlement) {
+					rv = append(rv, membershipGrant)
 				}
+			} else {
+				rv = append(rv, membershipGrant)
+			}
 
-				membershipGrant := grant.NewGrant(resource, memberEntitlement, ur.Id)
+			// add group permissions to all users in the group.
+			for _, permission := range group.Permissions {
 				if g.limitVaultPermissions != nil {
-					if g.limitVaultPermissions.Contains(memberEntitlement) {
-						rv = append(rv, membershipGrant)
+					if !g.limitVaultPermissions.Contains(permission) {
+						continue
 					}
-				} else {
-					rv = append(rv, membershipGrant)
 				}
 
-				// add group permissions to all users in the group.
-				for _, permission := range group.Permissions {
-					if g.limitVaultPermissions != nil {
-						if !g.limitVaultPermissions.Contains(permission) {
-							continue
-						}
-					}
-
-					var groupPermissionGrant *v2.Grant
-					if account.Type == businessAccountType {
-						groupPermissionGrant = grant.NewGrant(resource, businessPermissions[permission], ur.Id)
-					} else {
-						groupPermissionGrant = grant.NewGrant(resource, basicPermissions[permission], ur.Id)
-					}
-					rv = append(rv, groupPermissionGrant)
+				var perm string
+				if account.Type == businessAccountType {
+					perm = businessPermissions[permission]
+				} else {
+					perm = basicPermissions[permission]
 				}
-			}
 
+				groupPermissionGrant := grant.NewGrant(resource, perm, rid,
+					grant.WithAnnotation(&v2.GrantExpandable{
+						EntitlementIds: []string{
+							fmt.Sprintf("group:%s:member", groupCopy.ID),
+						},
+						Shallow:         true,
+						ResourceTypeIds: []string{resourceTypeUser.Id},
+					}),
+				)
+				rv = append(rv, groupPermissionGrant)
+			}
 		}
 	default:
 		ctxzap.Extract(ctx).Warn("unexpected resource type while listing vault grants", zap.String("resource_type", bag.Current().ResourceTypeID))