@backstage-community/plugin-rbac-backend 5.2.3

package/dist/validation/policies-validation.cjs.js

@@ -0,0 +1,194 @@
+'use strict';
+
+var catalogModel = require('@backstage/catalog-model');
+var errors = require('@backstage/errors');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
+
+const validateSource = async (source, roleMetadata) => {
+  if (!roleMetadata) {
+    return void 0;
+  }
+  if (roleMetadata.source !== source && roleMetadata.source !== "legacy") {
+    return new Error(
+      `source does not match originating role ${roleMetadata.roleEntityRef}, consider making changes to the '${roleMetadata.source.toLocaleUpperCase()}'`
+    );
+  }
+  return void 0;
+};
+function validatePolicy(policy) {
+  const err = validateEntityReference(policy.entityReference);
+  if (err) {
+    return err;
+  }
+  if (!policy.permission) {
+    return new Error(`'permission' field must not be empty`);
+  }
+  if (!policy.policy) {
+    return new Error(`'policy' field must not be empty`);
+  } else if (!pluginRbacCommon.isValidPermissionAction(policy.policy)) {
+    return new Error(
+      `'policy' has invalid value: '${policy.policy}'. It should be one of: ${pluginRbacCommon.PermissionActionValues.join(", ")}`
+    );
+  }
+  if (!policy.effect) {
+    return new Error(`'effect' field must not be empty`);
+  } else if (!isValidEffectValue(policy.effect)) {
+    return new Error(
+      `'effect' has invalid value: '${policy.effect}'. It should be: '${pluginPermissionCommon.AuthorizeResult.ALLOW.toLocaleLowerCase()}' or '${pluginPermissionCommon.AuthorizeResult.DENY.toLocaleLowerCase()}'`
+    );
+  }
+  return void 0;
+}
+function validateRole(role) {
+  if (!role.name) {
+    return new Error(`'name' field must not be empty`);
+  }
+  let err = validateEntityReference(role.name, true);
+  if (err) {
+    return err;
+  }
+  if (!role.memberReferences || role.memberReferences.length === 0) {
+    return new Error(`'memberReferences' field must not be empty`);
+  }
+  for (const member of role.memberReferences) {
+    err = validateEntityReference(member);
+    if (err) {
+      return err;
+    }
+  }
+  return void 0;
+}
+function isValidEffectValue(effect) {
+  return effect === pluginPermissionCommon.AuthorizeResult.ALLOW.toLocaleLowerCase() || effect === pluginPermissionCommon.AuthorizeResult.DENY.toLocaleLowerCase();
+}
+function isValidEntityName(name) {
+  const validNamePattern = /^[a-zA-Z0-9]+([._-][a-zA-Z0-9]+)*$/;
+  return validNamePattern.test(name) && name.length <= 63;
+}
+function isValidEntityNamespace(namespace) {
+  const validNamespacePattern = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+  return validNamespacePattern.test(namespace) && namespace.length <= 63;
+}
+function validateEntityReference(entityRef, role) {
+  if (!entityRef) {
+    return new Error(`'entityReference' must not be empty`);
+  }
+  let entityRefCompound;
+  try {
+    entityRefCompound = catalogModel.parseEntityRef(entityRef);
+  } catch (err) {
+    return err;
+  }
+  const entityRefFull = `${entityRefCompound.kind}:${entityRefCompound.namespace}/${entityRefCompound.name}`;
+  if (entityRefFull !== entityRef) {
+    return new Error(
+      `entity reference '${entityRef}' does not match the required format [<kind>:][<namespace>/]<name>. Provide, please, full entity reference.`
+    );
+  }
+  if (role && entityRefCompound.kind !== "role") {
+    return new Error(
+      `Unsupported kind ${entityRefCompound.kind}. Supported value should be "role"`
+    );
+  }
+  if (entityRefCompound.kind !== "user" && entityRefCompound.kind !== "group" && entityRefCompound.kind !== "role") {
+    return new Error(
+      `Unsupported kind ${entityRefCompound.kind}. List supported values ["user", "group", "role"]`
+    );
+  }
+  if (!isValidEntityName(entityRefCompound.name)) {
+    return new Error(
+      `The name '${entityRefCompound.name}' in the entity reference must be a string that is sequences of [a-zA-Z0-9] separated by any of [-_.], at most 63 characters in total`
+    );
+  }
+  if (!isValidEntityNamespace(entityRefCompound.namespace)) {
+    return new Error(
+      `The namespace '${entityRefCompound.namespace}' in the entity reference must be a string that is sequences of [a-z0-9] separated by [-], at most 63 characters in total`
+    );
+  }
+  return void 0;
+}
+async function validateGroupingPolicy(groupPolicy, roleMetadataStorage, source) {
+  if (groupPolicy.length !== 2) {
+    return new Error(`Group policy should have length 2`);
+  }
+  const member = groupPolicy[0];
+  let err = validateEntityReference(member);
+  if (err) {
+    return new Error(
+      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`
+    );
+  }
+  const parent = groupPolicy[1];
+  err = validateEntityReference(parent);
+  if (err) {
+    return new Error(
+      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`
+    );
+  }
+  if (member.startsWith(`role:`)) {
+    return new Error(
+      `Group policy is invalid: ${groupPolicy}. rbac-backend plugin doesn't support role inheritance.`
+    );
+  }
+  if (member.startsWith(`group:`) && parent.startsWith(`group:`)) {
+    return new Error(
+      `Group policy is invalid: ${groupPolicy}. Group inheritance information could be provided only with help of Catalog API.`
+    );
+  }
+  if (member.startsWith(`user:`) && parent.startsWith(`group:`)) {
+    return new Error(
+      `Group policy is invalid: ${groupPolicy}. User membership information could be provided only with help of Catalog API.`
+    );
+  }
+  const metadata = await roleMetadataStorage.findRoleMetadata(parent);
+  err = await validateSource(source, metadata);
+  if (metadata && err) {
+    return new errors.NotAllowedError(
+      `Unable to validate role ${groupPolicy}. Cause: ${err.message}`
+    );
+  }
+  return void 0;
+}
+const checkForDuplicatePolicies = async (fileEnf, policy, policyFile) => {
+  const duplicates = await fileEnf.getFilteredPolicy(0, ...policy);
+  if (duplicates.length > 1) {
+    return new Error(
+      `Duplicate policy: ${policy} found in the file ${policyFile}`
+    );
+  }
+  const flipPolicyEffect = [
+    policy[0],
+    policy[1],
+    policy[2],
+    policy[3] === "deny" ? "allow" : "deny"
+  ];
+  const dupWithDifferentEffect = await fileEnf.getFilteredPolicy(
+    0,
+    ...flipPolicyEffect
+  );
+  if (dupWithDifferentEffect.length > 0) {
+    return new Error(
+      `Duplicate policy: ${policy[0]}, ${policy[1]}, ${policy[2]} with different effect found in the file ${policyFile}`
+    );
+  }
+  return void 0;
+};
+const checkForDuplicateGroupPolicies = async (fileEnf, policy, policyFile) => {
+  const duplicates = await fileEnf.getFilteredGroupingPolicy(0, ...policy);
+  if (duplicates.length > 1) {
+    return new Error(
+      `Duplicate role: ${policy} found in the file ${policyFile}`
+    );
+  }
+  return void 0;
+};
+
+exports.checkForDuplicateGroupPolicies = checkForDuplicateGroupPolicies;
+exports.checkForDuplicatePolicies = checkForDuplicatePolicies;
+exports.validateEntityReference = validateEntityReference;
+exports.validateGroupingPolicy = validateGroupingPolicy;
+exports.validatePolicy = validatePolicy;
+exports.validateRole = validateRole;
+exports.validateSource = validateSource;
+//# sourceMappingURL=policies-validation.cjs.js.map

package/dist/validation/policies-validation.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies-validation.cjs.js","sources":["../../src/validation/policies-validation.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { CompoundEntityRef, parseEntityRef } from '@backstage/catalog-model';\nimport { NotAllowedError } from '@backstage/errors';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\n\nimport { Enforcer } from 'casbin';\n\nimport {\n  isValidPermissionAction,\n  PermissionActionValues,\n  Role,\n  RoleBasedPolicy,\n  Source,\n} from '@backstage-community/plugin-rbac-common';\n\nimport {\n  RoleMetadataDao,\n  RoleMetadataStorage,\n} from '../database/role-metadata';\n\n/**\n * validateSource validates the source to the role that is being modified. This includes comparing the source from the\n * originating role to the source that the modification is coming from.\n * We do this to ensure consistency between permissions and roles and where they are originally defined.\n * This is a strict comparison where the source of all new roles (grouping policies) and permissions must match\n * the source of the first role that was created.\n * We are not strict for permission policies defined with an originating role source of configuration.\n * @param source The source in which the modification is coming from\n * @param roleMetadata The original role that was created\n * @returns An error in the event that the source does not match the originating role\n */\nexport const validateSource = async (\n  source: Source,\n  roleMetadata: RoleMetadataDao | undefined,\n): Promise<Error | undefined> => {\n  if (!roleMetadata) {\n    return undefined; // Role does not exist yet, there is no conflict with the source\n  }\n\n  if (roleMetadata.source !== source && roleMetadata.source !== 'legacy') {\n    return new Error(\n      `source does not match originating role ${\n        roleMetadata.roleEntityRef\n      }, consider making changes to the '${roleMetadata.source.toLocaleUpperCase()}'`,\n    );\n  }\n\n  return undefined;\n};\n\n// This should be called on add and edit and delete\nexport function validatePolicy(policy: RoleBasedPolicy): Error | undefined {\n  const err = validateEntityReference(policy.entityReference);\n  if (err) {\n    return err;\n  }\n\n  if (!policy.permission) {\n    return new Error(`'permission' field must not be empty`);\n  }\n\n  if (!policy.policy) {\n    return new Error(`'policy' field must not be empty`);\n  } else if (!isValidPermissionAction(policy.policy)) {\n    return new Error(\n      `'policy' has invalid value: '${\n        policy.policy\n      }'. It should be one of: ${PermissionActionValues.join(', ')}`,\n    );\n  }\n\n  if (!policy.effect) {\n    return new Error(`'effect' field must not be empty`);\n  } else if (!isValidEffectValue(policy.effect)) {\n    return new Error(\n      `'effect' has invalid value: '${\n        policy.effect\n      }'. It should be: '${AuthorizeResult.ALLOW.toLocaleLowerCase()}' or '${AuthorizeResult.DENY.toLocaleLowerCase()}'`,\n    );\n  }\n\n  return undefined;\n}\n\nexport function validateRole(role: Role): Error | undefined {\n  if (!role.name) {\n    return new Error(`'name' field must not be empty`);\n  }\n\n  let err = validateEntityReference(role.name, true);\n  if (err) {\n    return err;\n  }\n\n  if (!role.memberReferences || role.memberReferences.length === 0) {\n    return new Error(`'memberReferences' field must not be empty`);\n  }\n\n  for (const member of role.memberReferences) {\n    err = validateEntityReference(member);\n    if (err) {\n      return err;\n    }\n  }\n  return undefined;\n}\n\nfunction isValidEffectValue(effect: string): boolean {\n  return (\n    effect === AuthorizeResult.ALLOW.toLocaleLowerCase() ||\n    effect === AuthorizeResult.DENY.toLocaleLowerCase()\n  );\n}\n\nfunction isValidEntityName(name: string): boolean {\n  const validNamePattern = /^[a-zA-Z0-9]+([._-][a-zA-Z0-9]+)*$/;\n  return validNamePattern.test(name) && name.length <= 63;\n}\n\nfunction isValidEntityNamespace(namespace: string): boolean {\n  const validNamespacePattern = /^[a-z0-9]+(-[a-z0-9]+)*$/;\n  return validNamespacePattern.test(namespace) && namespace.length <= 63;\n}\n\n// We supports only full form entity reference: [<kind>:][<namespace>/]<name>\nexport function validateEntityReference(\n  entityRef?: string,\n  role?: boolean,\n): Error | undefined {\n  if (!entityRef) {\n    return new Error(`'entityReference' must not be empty`);\n  }\n\n  let entityRefCompound: CompoundEntityRef;\n  try {\n    entityRefCompound = parseEntityRef(entityRef);\n  } catch (err) {\n    return err as Error;\n  }\n\n  const entityRefFull = `${entityRefCompound.kind}:${entityRefCompound.namespace}/${entityRefCompound.name}`;\n  if (entityRefFull !== entityRef) {\n    return new Error(\n      `entity reference '${entityRef}' does not match the required format [<kind>:][<namespace>/]<name>. Provide, please, full entity reference.`,\n    );\n  }\n\n  if (role && entityRefCompound.kind !== 'role') {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. Supported value should be \"role\"`,\n    );\n  }\n\n  if (\n    entityRefCompound.kind !== 'user' &&\n    entityRefCompound.kind !== 'group' &&\n    entityRefCompound.kind !== 'role'\n  ) {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. List supported values [\"user\", \"group\", \"role\"]`,\n    );\n  }\n\n  if (!isValidEntityName(entityRefCompound.name)) {\n    return new Error(\n      `The name '${entityRefCompound.name}' in the entity reference must be a string that is sequences of [a-zA-Z0-9] separated by any of [-_.], at most 63 characters in total`,\n    );\n  }\n\n  if (!isValidEntityNamespace(entityRefCompound.namespace)) {\n    return new Error(\n      `The namespace '${entityRefCompound.namespace}' in the entity reference must be a string that is sequences of [a-z0-9] separated by [-], at most 63 characters in total`,\n    );\n  }\n\n  return undefined;\n}\n\nexport async function validateGroupingPolicy(\n  groupPolicy: string[],\n  roleMetadataStorage: RoleMetadataStorage,\n  source: Source,\n): Promise<Error | undefined> {\n  if (groupPolicy.length !== 2) {\n    return new Error(`Group policy should have length 2`);\n  }\n\n  const member = groupPolicy[0];\n  let err = validateEntityReference(member);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  const parent = groupPolicy[1];\n  err = validateEntityReference(parent);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  if (member.startsWith(`role:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. rbac-backend plugin doesn't support role inheritance.`,\n    );\n  }\n  if (member.startsWith(`group:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. Group inheritance information could be provided only with help of Catalog API.`,\n    );\n  }\n  if (member.startsWith(`user:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. User membership information could be provided only with help of Catalog API.`,\n    );\n  }\n\n  const metadata = await roleMetadataStorage.findRoleMetadata(parent);\n\n  err = await validateSource(source, metadata);\n  if (metadata && err) {\n    return new NotAllowedError(\n      `Unable to validate role ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n\n  return undefined;\n}\n\nexport const checkForDuplicatePolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredPolicy(0, ...policy);\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate policy: ${policy} found in the file ${policyFile}`,\n    );\n  }\n\n  const flipPolicyEffect = [\n    policy[0],\n    policy[1],\n    policy[2],\n    policy[3] === 'deny' ? 'allow' : 'deny',\n  ];\n\n  // Check if the same policy exists but with a different effect\n  const dupWithDifferentEffect = await fileEnf.getFilteredPolicy(\n    0,\n    ...flipPolicyEffect,\n  );\n\n  if (dupWithDifferentEffect.length > 0) {\n    return new Error(\n      `Duplicate policy: ${policy[0]}, ${policy[1]}, ${policy[2]} with different effect found in the file ${policyFile}`,\n    );\n  }\n\n  return undefined;\n};\n\nexport const checkForDuplicateGroupPolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredGroupingPolicy(0, ...policy);\n\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate role: ${policy} found in the file ${policyFile}`,\n    );\n  }\n  return undefined;\n};\n"],"names":["isValidPermissionAction","PermissionActionValues","AuthorizeResult","parseEntityRef","NotAllowedError"],"mappings":";;;;;;;AA6Ca,MAAA,cAAA,GAAiB,OAC5B,MAAA,EACA,YAC+B,KAAA;AAC/B,EAAA,IAAI,CAAC,YAAc,EAAA;AACjB,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAEA,EAAA,IAAI,YAAa,CAAA,MAAA,KAAW,MAAU,IAAA,YAAA,CAAa,WAAW,QAAU,EAAA;AACtE,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,0CACE,YAAa,CAAA,aACf,qCAAqC,YAAa,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA,CAAA;AAAA,KAC9E,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,EAAA;AAGO,SAAS,eAAe,MAA4C,EAAA;AACzE,EAAM,MAAA,GAAA,GAAM,uBAAwB,CAAA,MAAA,CAAO,eAAe,CAAA,CAAA;AAC1D,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,CAAC,OAAO,UAAY,EAAA;AACtB,IAAO,OAAA,IAAI,MAAM,CAAsC,oCAAA,CAAA,CAAA,CAAA;AAAA,GACzD;AAEA,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAACA,wCAAwB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAClD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,gCACE,MAAO,CAAA,MACT,2BAA2BC,uCAAuB,CAAA,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,KAC9D,CAAA;AAAA,GACF;AAEA,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAAC,kBAAmB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CACE,6BAAA,EAAA,MAAA,CAAO,MACT,CAAA,kBAAA,EAAqBC,sCAAgB,CAAA,KAAA,CAAM,iBAAkB,EAAC,CAAS,MAAA,EAAAA,sCAAA,CAAgB,IAAK,CAAA,iBAAA,EAAmB,CAAA,CAAA,CAAA;AAAA,KACjH,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,CAAA;AAEO,SAAS,aAAa,IAA+B,EAAA;AAC1D,EAAI,IAAA,CAAC,KAAK,IAAM,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAgC,8BAAA,CAAA,CAAA,CAAA;AAAA,GACnD;AAEA,EAAA,IAAI,GAAM,GAAA,uBAAA,CAAwB,IAAK,CAAA,IAAA,EAAM,IAAI,CAAA,CAAA;AACjD,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA,CAAA;AAAA,GACT;AAEA,EAAA,IAAI,CAAC,IAAK,CAAA,gBAAA,IAAoB,IAAK,CAAA,gBAAA,CAAiB,WAAW,CAAG,EAAA;AAChE,IAAO,OAAA,IAAI,MAAM,CAA4C,0CAAA,CAAA,CAAA,CAAA;AAAA,GAC/D;AAEA,EAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA,CAAA;AACpC,IAAA,IAAI,GAAK,EAAA;AACP,MAAO,OAAA,GAAA,CAAA;AAAA,KACT;AAAA,GACF;AACA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,CAAA;AAEA,SAAS,mBAAmB,MAAyB,EAAA;AACnD,EACE,OAAA,MAAA,KAAWA,uCAAgB,KAAM,CAAA,iBAAA,MACjC,MAAW,KAAAA,sCAAA,CAAgB,KAAK,iBAAkB,EAAA,CAAA;AAEtD,CAAA;AAEA,SAAS,kBAAkB,IAAuB,EAAA;AAChD,EAAA,MAAM,gBAAmB,GAAA,oCAAA,CAAA;AACzB,EAAA,OAAO,gBAAiB,CAAA,IAAA,CAAK,IAAI,CAAA,IAAK,KAAK,MAAU,IAAA,EAAA,CAAA;AACvD,CAAA;AAEA,SAAS,uBAAuB,SAA4B,EAAA;AAC1D,EAAA,MAAM,qBAAwB,GAAA,0BAAA,CAAA;AAC9B,EAAA,OAAO,qBAAsB,CAAA,IAAA,CAAK,SAAS,CAAA,IAAK,UAAU,MAAU,IAAA,EAAA,CAAA;AACtE,CAAA;AAGgB,SAAA,uBAAA,CACd,WACA,IACmB,EAAA;AACnB,EAAA,IAAI,CAAC,SAAW,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAqC,mCAAA,CAAA,CAAA,CAAA;AAAA,GACxD;AAEA,EAAI,IAAA,iBAAA,CAAA;AACJ,EAAI,IAAA;AACF,IAAA,iBAAA,GAAoBC,4BAAe,SAAS,CAAA,CAAA;AAAA,WACrC,GAAK,EAAA;AACZ,IAAO,OAAA,GAAA,CAAA;AAAA,GACT;AAEA,EAAM,MAAA,aAAA,GAAgB,GAAG,iBAAkB,CAAA,IAAI,IAAI,iBAAkB,CAAA,SAAS,CAAI,CAAA,EAAA,iBAAA,CAAkB,IAAI,CAAA,CAAA,CAAA;AACxG,EAAA,IAAI,kBAAkB,SAAW,EAAA;AAC/B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,qBAAqB,SAAS,CAAA,2GAAA,CAAA;AAAA,KAChC,CAAA;AAAA,GACF;AAEA,EAAI,IAAA,IAAA,IAAQ,iBAAkB,CAAA,IAAA,KAAS,MAAQ,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,kCAAA,CAAA;AAAA,KAC5C,CAAA;AAAA,GACF;AAEA,EACE,IAAA,iBAAA,CAAkB,SAAS,MAC3B,IAAA,iBAAA,CAAkB,SAAS,OAC3B,IAAA,iBAAA,CAAkB,SAAS,MAC3B,EAAA;AACA,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,iDAAA,CAAA;AAAA,KAC5C,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,iBAAA,CAAkB,iBAAkB,CAAA,IAAI,CAAG,EAAA;AAC9C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,UAAA,EAAa,kBAAkB,IAAI,CAAA,qIAAA,CAAA;AAAA,KACrC,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,sBAAA,CAAuB,iBAAkB,CAAA,SAAS,CAAG,EAAA;AACxD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,eAAA,EAAkB,kBAAkB,SAAS,CAAA,yHAAA,CAAA;AAAA,KAC/C,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,CAAA;AAEsB,eAAA,sBAAA,CACpB,WACA,EAAA,mBAAA,EACA,MAC4B,EAAA;AAC5B,EAAI,IAAA,WAAA,CAAY,WAAW,CAAG,EAAA;AAC5B,IAAO,OAAA,IAAI,MAAM,CAAmC,iCAAA,CAAA,CAAA,CAAA;AAAA,GACtD;AAEA,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA,CAAA;AAC5B,EAAI,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA,CAAA;AACxC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAAA,KACvE,CAAA;AAAA,GACF;AACA,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA,CAAA;AAC5B,EAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA,CAAA;AACpC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAAA,KACvE,CAAA;AAAA,GACF;AACA,EAAI,IAAA,MAAA,CAAO,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AAC9B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,uDAAA,CAAA;AAAA,KACzC,CAAA;AAAA,GACF;AACA,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,MAAA,CAAQ,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC9D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,gFAAA,CAAA;AAAA,KACzC,CAAA;AAAA,GACF;AACA,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,KAAA,CAAO,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC7D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,8EAAA,CAAA;AAAA,KACzC,CAAA;AAAA,GACF;AAEA,EAAA,MAAM,QAAW,GAAA,MAAM,mBAAoB,CAAA,gBAAA,CAAiB,MAAM,CAAA,CAAA;AAElE,EAAM,GAAA,GAAA,MAAM,cAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AAC3C,EAAA,IAAI,YAAY,GAAK,EAAA;AACnB,IAAA,OAAO,IAAIC,sBAAA;AAAA,MACT,CAA2B,wBAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAAA,KAC/D,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,CAAA;AAEO,MAAM,yBAA4B,GAAA,OACvC,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,iBAAkB,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA,CAAA;AAC/D,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,kBAAA,EAAqB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA,CAAA;AAAA,KAC7D,CAAA;AAAA,GACF;AAEA,EAAA,MAAM,gBAAmB,GAAA;AAAA,IACvB,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,MAAO,CAAA,CAAC,CAAM,KAAA,MAAA,GAAS,OAAU,GAAA,MAAA;AAAA,GACnC,CAAA;AAGA,EAAM,MAAA,sBAAA,GAAyB,MAAM,OAAQ,CAAA,iBAAA;AAAA,IAC3C,CAAA;AAAA,IACA,GAAG,gBAAA;AAAA,GACL,CAAA;AAEA,EAAI,IAAA,sBAAA,CAAuB,SAAS,CAAG,EAAA;AACrC,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAqB,kBAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,4CAA4C,UAAU,CAAA,CAAA;AAAA,KAClH,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT,EAAA;AAEO,MAAM,8BAAiC,GAAA,OAC5C,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,yBAA0B,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA,CAAA;AAEvE,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,gBAAA,EAAmB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA,CAAA;AAAA,KAC3D,CAAA;AAAA,GACF;AACA,EAAO,OAAA,KAAA,CAAA,CAAA;AACT;;;;;;;;;;"}

package/migrations/20231015161232_migrations.js

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  await knex.schema.createTable('policy-conditions', table => {
+    table.increments('id').primary();
+    table.string('result');
+    table.string('pluginId');
+    table.string('resourceType');
+    // Conditions is potentially long json.
+    // In the future maybe we can use `json` or `jsonb` type instead of `text`:
+    // table.json('conditions') or table.jsonb('conditions').
+    // But let's start with text type.
+    // Data type "text" can be unlimited by size for Postgres.
+    // Also postgres has a lot of build in features for this data type.
+    table.text('conditionsJson');
+  });
+};
+
+/**
+ * down - reverts(undo) migration.
+ *
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('policy-conditions');
+};

package/migrations/20231212224526_migrations.js

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  const casbinDoesExist = await knex.schema.hasTable('casbin_rule');
+  const policyMetadataDoesExist = await knex.schema.hasTable('policy-metadata');
+  let policies = [];
+  let groupPolicies = [];
+
+  if (casbinDoesExist) {
+    policies = await knex
+      .select('*')
+      .from('casbin_rule')
+      .where('ptype', 'p')
+      .then(listPolicies => {
+        const allPolicies = [];
+        for (const policy of listPolicies) {
+          const { v0, v1, v2, v3 } = policy;
+          allPolicies.push(`[${v0}, ${v1}, ${v2}, ${v3}]`);
+        }
+        return allPolicies;
+      });
+    groupPolicies = await knex
+      .select('*')
+      .from('casbin_rule')
+      .where('ptype', 'g')
+      .then(listGroupPolicies => {
+        const allGroupPolicies = [];
+        for (const groupPolicy of listGroupPolicies) {
+          const { v0, v1 } = groupPolicy;
+          allGroupPolicies.push(`[${v0}, ${v1}]`);
+        }
+        return allGroupPolicies;
+      });
+  }
+
+  if (!policyMetadataDoesExist) {
+    await knex.schema
+      .createTable('policy-metadata', table => {
+        table.increments('id').primary();
+        table.string('policy').primary();
+        table.string('source');
+      })
+      .then(async () => {
+        const metadata = [];
+        for (const policy of policies) {
+          metadata.push({ source: 'legacy', policy: policy });
+        }
+        if (metadata.length > 0) {
+          await knex.table('policy-metadata').insert(metadata);
+        }
+      })
+      .then(async () => {
+        const metadata = [];
+        for (const groupPolicy of groupPolicies) {
+          metadata.push({ source: 'legacy', policy: groupPolicy });
+        }
+        if (metadata.length > 0) {
+          await knex.table('policy-metadata').insert(metadata);
+        }
+      });
+  }
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('policy-metadata');
+};

package/migrations/20231221113214_migrations.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  const casbinDoesExist = await knex.schema.hasTable('casbin_rule');
+  const roleMetadataDoesExist = await knex.schema.hasTable('role-metadata');
+  const groupPolicies = new Set();
+
+  if (casbinDoesExist) {
+    await knex
+      .select('*')
+      .from('casbin_rule')
+      .where('ptype', 'g')
+      .then(listGroupPolicies => {
+        for (const groupPolicy of listGroupPolicies) {
+          const { v1 } = groupPolicy;
+          groupPolicies.add(v1);
+        }
+      });
+  }
+
+  if (!roleMetadataDoesExist) {
+    await knex.schema
+      .createTable('role-metadata', table => {
+        table.increments('id').primary();
+        table.string('roleEntityRef').primary();
+        table.string('source');
+      })
+      .then(async () => {
+        const metadata = [];
+        for (const groupPolicy of groupPolicies) {
+          metadata.push({ source: 'legacy', roleEntityRef: groupPolicy });
+        }
+        if (metadata.length > 0) {
+          await knex.table('role-metadata').insert(metadata);
+        }
+      });
+  }
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('role-metadata');
+};

package/migrations/20240201144429_migrations.js

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  const isRoleMetaDataExist = await knex.schema.hasTable('role-metadata');
+  if (isRoleMetaDataExist) {
+    await knex.schema.alterTable('role-metadata', table => {
+      table.string('description');
+    });
+  }
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(knex) {
+  const isRoleMetaDataExist = await knex.schema.hasTable('role-metadata');
+  if (isRoleMetaDataExist) {
+    await knex.schema.alterTable('role-metadata', table => {
+      table.dropColumn('description');
+    });
+  }
+};

package/migrations/20240215154456_migrations.js

@@ -0,0 +1,143 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  const casbinDoesExist = await knex.schema.hasTable('casbin_rule');
+  const policyMetadataExist = await knex.schema.hasTable('policy-metadata');
+  const roleMetadataExist = await knex.schema.hasTable('role-metadata');
+
+  if (casbinDoesExist && policyMetadataExist) {
+    const policyMetadataColumns = await knex('policy-metadata').select(
+      'id',
+      'policy',
+    );
+
+    const policiesToCheck = policyMetadataColumns.map(metadataColumn => {
+      const policy = metadataColumn.policy
+        .replace(/\[/g, '')
+        .replace(/\]/g, '')
+        .split(',')
+        .map(str => str.trim());
+      return { policy, id: metadataColumn.id };
+    });
+
+    const existingPolicies = await knex('casbin_rule')
+      .whereIn(
+        'v0',
+        policiesToCheck.map(policyToCheck => policyToCheck.policy[0]),
+      )
+      .whereIn(
+        'v1',
+        policiesToCheck.map(policyToCheck => policyToCheck.policy[1]),
+      )
+      .andWhere(query => {
+        query
+          .where(innerQuery => {
+            innerQuery.whereNotNull('v2').whereIn(
+              'v2',
+              policiesToCheck
+                .filter(policy => policy.policy.length === 4)
+                .map(policy => policy.policy[2]),
+            );
+          })
+          .orWhereNull('v2');
+      })
+      .andWhere(query => {
+        query
+          .where(innerQuery => {
+            innerQuery.whereNotNull('v3').whereIn(
+              'v3',
+              policiesToCheck
+                .filter(policy => policy.policy.length === 4)
+                .map(policy => policy.policy[3]),
+            );
+          })
+          .orWhereNull('v3');
+      })
+      .select('v0', 'v1', 'v2', 'v3');
+
+    const existingPoliciesSet = new Set(
+      existingPolicies.map(policy =>
+        policy.v2
+          ? `${policy.v0},${policy.v1},${policy.v2},${policy.v3}`
+          : `${policy.v0},${policy.v1}`,
+      ),
+    );
+
+    const policiesToDelete = policiesToCheck.filter(
+      policyToCheck => !existingPoliciesSet.has(policyToCheck.policy.join(',')),
+    );
+
+    if (policiesToDelete.length > 0) {
+      await knex('policy-metadata')
+        .whereIn(
+          'id',
+          policiesToDelete.map(policyToDel => policyToDel.id),
+        )
+        .del();
+      console.log(
+        `Deleted inconsistent policy metadata ${JSON.stringify(
+          policiesToDelete,
+        )} from 'policy-metadata' table.`,
+      );
+    }
+  }
+
+  if (casbinDoesExist && roleMetadataExist) {
+    const roleMetadataColumns = await knex('role-metadata').select(
+      'id',
+      'roleEntityRef',
+    );
+    const roleMetadata = roleMetadataColumns.map(rm => {
+      return { roleEntityRef: rm.roleEntityRef, id: rm.id };
+    });
+    const existingPoliciesForRoles = await knex('casbin_rule')
+      .orWhereIn(
+        'v1',
+        roleMetadata.map(rm => rm.roleEntityRef),
+      )
+      .select('v1');
+
+    const existingRoles = new Set(
+      existingPoliciesForRoles.map(policy => policy.v1),
+    );
+    const rolesMetadataToDelete = roleMetadata.filter(
+      rm => !existingRoles.has(rm.roleEntityRef),
+    );
+
+    if (rolesMetadataToDelete.length > 0) {
+      await knex('role-metadata')
+        .whereIn(
+          'id',
+          rolesMetadataToDelete.map(rm => rm.id),
+        )
+        .del();
+      console.log(
+        `Deleted inconsistent role metadata ${JSON.stringify(
+          rolesMetadataToDelete,
+        )} from 'role-metadata' table.`,
+      );
+    }
+  }
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function down(_knex) {
+  // do nothing
+};

package/migrations/20240308134410_migrations.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  const policyConditionsExist = await knex.schema.hasTable('policy-conditions');
+
+  if (policyConditionsExist) {
+    // We drop policy condition table, because we decided to rework this feature
+    // and bound policy condition to the role
+    await knex.schema.dropTable('policy-conditions');
+  }
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(_knex) {};

package/migrations/20240308134941_migrations.js

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+exports.up = async function up(knex) {
+  await knex.schema.createTable('role-condition-policies', table => {
+    table.increments('id').primary();
+    table.string('roleEntityRef');
+    table.string('result');
+    table.string('pluginId');
+    table.string('resourceType');
+    table.string('permissions');
+    // Conditions is potentially long json.
+    // In the future maybe we can use `json` or `jsonb` type instead of `text`:
+    // table.json('conditions') or table.jsonb('conditions').
+    // But let's start with text type.
+    // Data type "text" can be unlimited by size for Postgres.
+    // Also postgres has a lot of build in features for this data type.
+    table.text('conditionsJson');
+  });
+};
+
+/**
+ * down - reverts(undo) migration.
+ *
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('policy-conditions');
+};