@backstage-community/plugin-rbac-backend 5.2.3

package/README.md

@@ -0,0 +1,220 @@
+# RBAC backend plugin for Backstage
+
+This plugin seamlessly integrates with the [Backstage permission framework](https://backstage.io/docs/permissions/overview/) to empower you with robust role-based access control capabilities within your Backstage environment.
+
+The Backstage permission framework is a core component of the Backstage project, designed to provide meticulous control over resource and action access. Our RBAC plugin harnesses the power of this framework, allowing you to tailor access permissions without the need for coding. Instead, you can effortlessly manage your access policies through User interface embedded within Backstage or via the configuration files.
+
+With the RBAC plugin, you'll have the means to efficiently administer permissions within your Backstage instance by assigning them to users and groups.
+
+## Prerequisites
+
+Before you dive into utilizing the RBAC plugin for Backstage, there are a few essential prerequisites to ensure a seamless experience. Please review the following requirements to make sure your environment is properly set up
+
+### Setup Permission Framework
+
+**NOTE**: This section is only relevant if you are still on the old backend system.
+
+To effectively utilize the RBAC plugin, you must have the Backstage permission framework in place. If you're using the Red Hat Developer Hub, some of these steps may have already been completed for you. However, for other Backstage application instances, please verify that the following prerequisites are satisfied:
+
+You need to [set up the permission framework in Backstage](https://backstage.io/docs/permissions/getting-started/).Since this plugin provides a dynamic policy that replaces the traditional one, there's no need to create a policy manually. Please note that one of the requirements for permission framework is enabling the [service-to-service authentication](https://backstage.io/docs/auth/service-to-service-auth/#setup). Ensure that you complete these authentication setup steps as well.
+
+### Identity resolver
+
+The permission framework, and consequently, this RBAC plugin, rely on the concept of group membership. To ensure smooth operation, please follow the [Sign-in identities and resolvers](https://backstage.io/docs/auth/identity-resolver/) documentation. It's crucial that when populating groups, you include any groups that you plan to assign permissions to.
+
+## Installation
+
+To integrate the RBAC plugin into your Backstage instance, follow these steps.
+
+### Installing the plugin
+
+Add the RBAC plugin packages as dependencies by running the following command.
+
+```SHELL
+yarn workspace backend add @backstage-community/plugin-rbac-backend
+```
+
+**NOTE**: If you are using Red Hat Developer Hub backend plugin is pre-installed and you do not need this step.
+
+### Configuring the Backend
+
+#### New Backend System
+
+The RBAC plugin supports the integration with the new backend system.
+
+Add the RBAC plugin to the `packages/backend/src/index.ts` file and remove the Permission backend plugin and Allow All Permission policy module.
+
+```diff
+// permission plugin
+- backend.add(import('@backstage/plugin-permission-backend/alpha'));
+- backend.add(
+-    import('@backstage/plugin-permission-backend-module-allow-all-policy'),
+-  );
++ backend.add(import('@backstage-community/plugin-rbac-backend'));
+```
+
+### Configure policy admins
+
+The RBAC plugin empowers you to manage permission policies for users and groups with a designated group of individuals known as policy administrators. These administrators are granted access to the RBAC plugin's REST API and user interface as well as the ability to read from the catalog.
+
+You can specify the policy administrators in your application configuration as follows:
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    admin:
+      users:
+        - name: user:default/alice
+        - name: group:default/admins
+```
+
+The RBAC plugin also enables you to grant users the title of 'super user,' which provides them with unrestricted access throughout the Backstage instance.
+
+You can specify the super users in your application configuration as follows:
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    admin:
+      superUsers:
+        - name: user:default/alice
+        - name: user:default/mike
+```
+
+For more information on the available API endpoints accessible to the policy administrators, refer to the [API documentation](./docs/apis.md).
+
+### Configuring policies via file
+
+The RBAC plugin also allows you to import policies from an external file. These policies are defined in the [Casbin rules format](https://casbin.org/docs/category/the-basics), known for its simplicity and clarity. For a quick start, please refer to the format details in the provided link.
+
+Here's an example of an external permission policies configuration file named `rbac-policy.csv`:
+
+```CSV
+p, role:default/team_a, catalog-entity, read, deny
+p, role:default/team_b, catalog.entity.create, create, deny
+
+g, user:default/bob, role:default/team_a
+
+g, group:default/team_b, role:default/team_b
+```
+
+---
+
+**NOTE**: When you add a role in the permission policies configuration file, ensure that the role is associated with at least one permission policy with the `allow` effect.
+
+---
+
+You can specify the path to this configuration file in your application configuration:
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    policies-csv-file: /some/path/rbac-policy.csv
+```
+
+Also, there is an additional configuration value that allows for the reloading of the CSV file without the need to restart.
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    policies-csv-file: /some/path/rbac-policy.csv
+    policyFileReload: true
+```
+
+For more information on the available permissions within Showcase and RHDH, refer to the [permissions documentation](./docs/permissions.md).
+
+We also have a fairly strict validation for permission policies and roles based on the originating role's source information, refer to the [api documentation](./docs/apis.md).
+
+### Configuring conditional policies via file
+
+The RBAC plugin allows you to import conditional policies from an external file. User can defined conditional policies for roles created with the help of the policies-csv-file. Conditional policies should be defined as object sequences in the YAML format.
+
+You can specify the path to this configuration file in your application configuration:
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    conditionalPoliciesFile: /some/path/conditional-policies.yaml
+    policies-csv-file: /some/path/rbac-policy.csv
+```
+
+Also, there is an additional configuration value that allows for the reloading of the file without the need to restart.
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    conditionalPoliciesFile: /some/path/conditional-policies.yaml
+    policies-csv-file: /some/path/rbac-policy.csv
+    policyFileReload: true
+```
+
+This feature supports nested conditional policies.
+
+Example of the conditional policies file:
+
+```yaml
+---
+result: CONDITIONAL
+roleEntityRef: 'role:default/test'
+pluginId: catalog
+resourceType: catalog-entity
+permissionMapping:
+  - read
+  - update
+conditions:
+  rule: IS_ENTITY_OWNER
+  resourceType: catalog-entity
+  params:
+    claims:
+      - 'group:default/team-a'
+      - 'group:default/team-b'
+---
+result: CONDITIONAL
+roleEntityRef: 'role:default/test'
+pluginId: catalog
+resourceType: catalog-entity
+permissionMapping:
+  - delete
+conditions:
+  rule: IS_ENTITY_OWNER
+  resourceType: catalog-entity
+  params:
+    claims:
+      - 'group:default/team-a'
+```
+
+Information about condition policies format you can find in the doc: [Conditional policies documentation](./docs/conditions.md). There is only one difference: yaml format compare to json. But yaml and json are back convertiable.
+
+### Configuring Database Storage for policies
+
+The RBAC plugin offers the option to store policies in a database. It supports two database storage options:
+
+- sqlite3: Suitable for development environments.
+- postgres: Recommended for production environments.
+
+Ensure that you have already configured the database backend for your Backstage instance, as the RBAC plugin utilizes the same database configuration.
+
+### Optional maximum depth
+
+The RBAC plugin also includes an option max depth feature for organizations with potentially complex group hierarchy, this configuration value will ensure that the RBAC plugin will stop at a certain depth when building user graphs.
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    maxDepth: 1
+```
+
+The maxDepth must be greater than 0 to ensure that the graphs are built correctly. Also the graph will be built with a hierarchy of 1 + maxDepth.
+
+More information about group hierarchy can be found in the doc: [Group hierarchy](./docs/group-hierarchy.md).
+
+### Optional RBAC provider module support
+
+We also include the ability to create and load in RBAC backend plugin modules that can be used to make connections to third part access management tools. For more information, consult the [RBAC Providers documentation](./docs/providers.md).

package/config.d.ts

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export interface Config {
+  permission: {
+    rbac: {
+      'policies-csv-file'?: string;
+      /**
+       * The path to the yaml file containing the conditional policies
+       * @visibility frontend
+       */
+      conditionalPoliciesFile?: string;
+      /**
+       * Allow for reloading of the CSV and conditional policies files.
+       * @visibility frontend
+       */
+      policyFileReload?: boolean;
+      /**
+       * Optional configuration for admins
+       * @visibility frontend
+       */
+      admin?: {
+        /**
+         * The list of users and / or groups with admin access
+         * @visibility frontend
+         */
+        users?: Array<{
+          /**
+           * @visibility frontend
+           */
+          name: string;
+        }>;
+        /**
+         * The list of super users that will have allow all access, should be a list of only users
+         * @visibility frontend
+         */
+        superUsers?: Array<{
+          /**
+           * @visibility frontend
+           */
+          name: string;
+        }>;
+      };
+      /**
+       * An optional list of plugin IDs.
+       * The RBAC plugin will handle access control for plugins included in this list.
+       */
+      pluginsWithPermission?: string[];
+      /**
+       * An optional value that limits the depth when building the hierarchy group graph
+       * @visibility frontend
+       */
+      maxDepth?: number;
+    };
+  };
+}

package/dist/admin-permissions/admin-creation.cjs.js

@@ -0,0 +1,117 @@
+'use strict';
+
+var auditLogger = require('../audit-log/audit-logger.cjs.js');
+var helper = require('../helper.cjs.js');
+var policiesValidation = require('../validation/policies-validation.cjs.js');
+
+const ADMIN_ROLE_NAME = "role:default/rbac_admin";
+const ADMIN_ROLE_AUTHOR = "application configuration";
+const DEF_ADMIN_ROLE_DESCRIPTION = "The default permission policy for the admin role allows for the creation, deletion, updating, and reading of roles and permission policies.";
+const getAdminRoleMetadata = () => {
+  const currentDate = /* @__PURE__ */ new Date();
+  return {
+    source: "configuration",
+    roleEntityRef: ADMIN_ROLE_NAME,
+    description: DEF_ADMIN_ROLE_DESCRIPTION,
+    author: ADMIN_ROLE_AUTHOR,
+    modifiedBy: ADMIN_ROLE_AUTHOR,
+    lastModified: currentDate.toUTCString(),
+    createdAt: currentDate.toUTCString()
+  };
+};
+const useAdminsFromConfig = async (admins, enf, auditLogger$1, roleMetadataStorage, knex) => {
+  const addedGroupPolicies = /* @__PURE__ */ new Map();
+  const newGroupPolicies = /* @__PURE__ */ new Map();
+  for (const admin of admins) {
+    const entityRef = admin.getString("name");
+    policiesValidation.validateEntityReference(entityRef);
+    addedGroupPolicies.set(entityRef, ADMIN_ROLE_NAME);
+    if (!await enf.hasGroupingPolicy(...[entityRef, ADMIN_ROLE_NAME])) {
+      newGroupPolicies.set(entityRef, ADMIN_ROLE_NAME);
+    }
+  }
+  const adminRoleMeta = await roleMetadataStorage.findRoleMetadata(
+    ADMIN_ROLE_NAME
+  );
+  const trx = await knex.transaction();
+  let addedRoleMembers;
+  try {
+    if (!adminRoleMeta) {
+      await roleMetadataStorage.createRoleMetadata(getAdminRoleMetadata(), trx);
+    } else if (adminRoleMeta.source === "legacy") {
+      await roleMetadataStorage.updateRoleMetadata(
+        getAdminRoleMetadata(),
+        ADMIN_ROLE_NAME,
+        trx
+      );
+    }
+    addedRoleMembers = Array.from(newGroupPolicies.entries());
+    await enf.addGroupingPolicies(
+      addedRoleMembers,
+      getAdminRoleMetadata(),
+      trx
+    );
+    await trx.commit();
+  } catch (error) {
+    await trx.rollback(error);
+    throw error;
+  }
+  await auditLogger$1.auditLog({
+    actorId: auditLogger.RBAC_BACKEND,
+    message: `Created or updated role`,
+    eventName: auditLogger.RoleEvents.CREATE_OR_UPDATE_ROLE,
+    metadata: {
+      ...getAdminRoleMetadata(),
+      members: addedRoleMembers.map((gp) => gp[0])
+    },
+    stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+    status: "succeeded"
+  });
+  const configGroupPolicies = await enf.getFilteredGroupingPolicy(
+    1,
+    ADMIN_ROLE_NAME
+  );
+  await helper.removeTheDifference(
+    configGroupPolicies.map((gp) => gp[0]),
+    Array.from(addedGroupPolicies.keys()),
+    "configuration",
+    ADMIN_ROLE_NAME,
+    enf,
+    auditLogger$1,
+    ADMIN_ROLE_AUTHOR
+  );
+};
+const addAdminPermissions = async (policies, enf, auditLogger$1) => {
+  const policiesToAdd = [];
+  for (const policy of policies) {
+    if (!await enf.hasPolicy(...policy)) {
+      policiesToAdd.push(policy);
+    }
+  }
+  await enf.addPolicies(policiesToAdd);
+  await auditLogger$1.auditLog({
+    actorId: auditLogger.RBAC_BACKEND,
+    message: `Created RBAC admin permissions`,
+    eventName: auditLogger.PermissionEvents.CREATE_POLICY,
+    metadata: { policies, source: "configuration" },
+    stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+    status: "succeeded"
+  });
+};
+const setAdminPermissions = async (enf, auditLogger) => {
+  const adminPermissions = [
+    [ADMIN_ROLE_NAME, "policy-entity", "read", "allow"],
+    [ADMIN_ROLE_NAME, "policy-entity", "create", "allow"],
+    [ADMIN_ROLE_NAME, "policy-entity", "delete", "allow"],
+    [ADMIN_ROLE_NAME, "policy-entity", "update", "allow"],
+    // Needed for the RBAC frontend plugin.
+    [ADMIN_ROLE_NAME, "catalog-entity", "read", "allow"]
+  ];
+  await addAdminPermissions(adminPermissions, enf, auditLogger);
+};
+
+exports.ADMIN_ROLE_AUTHOR = ADMIN_ROLE_AUTHOR;
+exports.ADMIN_ROLE_NAME = ADMIN_ROLE_NAME;
+exports.setAdminPermissions = setAdminPermissions;
+exports.useAdminsFromConfig = useAdminsFromConfig;
+//# sourceMappingURL=admin-creation.cjs.js.map

package/dist/admin-permissions/admin-creation.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-creation.cjs.js","sources":["../../src/admin-permissions/admin-creation.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { Config } from '@backstage/config';\n\nimport { AuditLogger } from '@janus-idp/backstage-plugin-audit-log-node';\nimport { Knex } from 'knex';\n\nimport {\n  HANDLE_RBAC_DATA_STAGE,\n  PermissionAuditInfo,\n  PermissionEvents,\n  RBAC_BACKEND,\n  RoleAuditInfo,\n  RoleEvents,\n} from '../audit-log/audit-logger';\nimport {\n  RoleMetadataDao,\n  RoleMetadataStorage,\n} from '../database/role-metadata';\nimport { removeTheDifference } from '../helper';\nimport { EnforcerDelegate } from '../service/enforcer-delegate';\nimport { validateEntityReference } from '../validation/policies-validation';\n\nexport const ADMIN_ROLE_NAME = 'role:default/rbac_admin';\nexport const ADMIN_ROLE_AUTHOR = 'application configuration';\nconst DEF_ADMIN_ROLE_DESCRIPTION =\n  'The default permission policy for the admin role allows for the creation, deletion, updating, and reading of roles and permission policies.';\n\nconst getAdminRoleMetadata = (): RoleMetadataDao => {\n  const currentDate: Date = new Date();\n  return {\n    source: 'configuration',\n    roleEntityRef: ADMIN_ROLE_NAME,\n    description: DEF_ADMIN_ROLE_DESCRIPTION,\n    author: ADMIN_ROLE_AUTHOR,\n    modifiedBy: ADMIN_ROLE_AUTHOR,\n    lastModified: currentDate.toUTCString(),\n    createdAt: currentDate.toUTCString(),\n  };\n};\n\nexport const useAdminsFromConfig = async (\n  admins: Config[],\n  enf: EnforcerDelegate,\n  auditLogger: AuditLogger,\n  roleMetadataStorage: RoleMetadataStorage,\n  knex: Knex,\n) => {\n  const addedGroupPolicies = new Map<string, string>();\n  const newGroupPolicies = new Map<string, string>();\n\n  for (const admin of admins) {\n    const entityRef = admin.getString('name');\n    validateEntityReference(entityRef);\n\n    addedGroupPolicies.set(entityRef, ADMIN_ROLE_NAME);\n\n    if (!(await enf.hasGroupingPolicy(...[entityRef, ADMIN_ROLE_NAME]))) {\n      newGroupPolicies.set(entityRef, ADMIN_ROLE_NAME);\n    }\n  }\n\n  const adminRoleMeta = await roleMetadataStorage.findRoleMetadata(\n    ADMIN_ROLE_NAME,\n  );\n\n  const trx = await knex.transaction();\n  let addedRoleMembers;\n  try {\n    if (!adminRoleMeta) {\n      // even if there are no user, we still create default role metadata for admins\n      await roleMetadataStorage.createRoleMetadata(getAdminRoleMetadata(), trx);\n    } else if (adminRoleMeta.source === 'legacy') {\n      await roleMetadataStorage.updateRoleMetadata(\n        getAdminRoleMetadata(),\n        ADMIN_ROLE_NAME,\n        trx,\n      );\n    }\n\n    addedRoleMembers = Array.from<string[]>(newGroupPolicies.entries());\n    await enf.addGroupingPolicies(\n      addedRoleMembers,\n      getAdminRoleMetadata(),\n      trx,\n    );\n\n    await trx.commit();\n  } catch (error) {\n    await trx.rollback(error);\n    throw error;\n  }\n\n  await auditLogger.auditLog<RoleAuditInfo>({\n    actorId: RBAC_BACKEND,\n    message: `Created or updated role`,\n    eventName: RoleEvents.CREATE_OR_UPDATE_ROLE,\n    metadata: {\n      ...getAdminRoleMetadata(),\n      members: addedRoleMembers.map(gp => gp[0]),\n    },\n    stage: HANDLE_RBAC_DATA_STAGE,\n    status: 'succeeded',\n  });\n\n  const configGroupPolicies = await enf.getFilteredGroupingPolicy(\n    1,\n    ADMIN_ROLE_NAME,\n  );\n\n  await removeTheDifference(\n    configGroupPolicies.map(gp => gp[0]),\n    Array.from<string>(addedGroupPolicies.keys()),\n    'configuration',\n    ADMIN_ROLE_NAME,\n    enf,\n    auditLogger,\n    ADMIN_ROLE_AUTHOR,\n  );\n};\n\nconst addAdminPermissions = async (\n  policies: string[][],\n  enf: EnforcerDelegate,\n  auditLogger: AuditLogger,\n) => {\n  const policiesToAdd: string[][] = [];\n  for (const policy of policies) {\n    if (!(await enf.hasPolicy(...policy))) {\n      policiesToAdd.push(policy);\n    }\n  }\n  await enf.addPolicies(policiesToAdd);\n\n  await auditLogger.auditLog<PermissionAuditInfo>({\n    actorId: RBAC_BACKEND,\n    message: `Created RBAC admin permissions`,\n    eventName: PermissionEvents.CREATE_POLICY,\n    metadata: { policies: policies, source: 'configuration' },\n    stage: HANDLE_RBAC_DATA_STAGE,\n    status: 'succeeded',\n  });\n};\n\nexport const setAdminPermissions = async (\n  enf: EnforcerDelegate,\n  auditLogger: AuditLogger,\n) => {\n  const adminPermissions = [\n    [ADMIN_ROLE_NAME, 'policy-entity', 'read', 'allow'],\n    [ADMIN_ROLE_NAME, 'policy-entity', 'create', 'allow'],\n    [ADMIN_ROLE_NAME, 'policy-entity', 'delete', 'allow'],\n    [ADMIN_ROLE_NAME, 'policy-entity', 'update', 'allow'],\n    // Needed for the RBAC frontend plugin.\n    [ADMIN_ROLE_NAME, 'catalog-entity', 'read', 'allow'],\n  ];\n  await addAdminPermissions(adminPermissions, enf, auditLogger);\n};\n"],"names":["auditLogger","validateEntityReference","RBAC_BACKEND","RoleEvents","HANDLE_RBAC_DATA_STAGE","removeTheDifference","PermissionEvents"],"mappings":";;;;;;AAoCO,MAAM,eAAkB,GAAA,0BAAA;AACxB,MAAM,iBAAoB,GAAA,4BAAA;AACjC,MAAM,0BACJ,GAAA,6IAAA,CAAA;AAEF,MAAM,uBAAuB,MAAuB;AAClD,EAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA,CAAA;AACnC,EAAO,OAAA;AAAA,IACL,MAAQ,EAAA,eAAA;AAAA,IACR,aAAe,EAAA,eAAA;AAAA,IACf,WAAa,EAAA,0BAAA;AAAA,IACb,MAAQ,EAAA,iBAAA;AAAA,IACR,UAAY,EAAA,iBAAA;AAAA,IACZ,YAAA,EAAc,YAAY,WAAY,EAAA;AAAA,IACtC,SAAA,EAAW,YAAY,WAAY,EAAA;AAAA,GACrC,CAAA;AACF,CAAA,CAAA;AAEO,MAAM,sBAAsB,OACjC,MAAA,EACA,GACA,EAAAA,aAAA,EACA,qBACA,IACG,KAAA;AACH,EAAM,MAAA,kBAAA,uBAAyB,GAAoB,EAAA,CAAA;AACnD,EAAM,MAAA,gBAAA,uBAAuB,GAAoB,EAAA,CAAA;AAEjD,EAAA,KAAA,MAAW,SAAS,MAAQ,EAAA;AAC1B,IAAM,MAAA,SAAA,GAAY,KAAM,CAAA,SAAA,CAAU,MAAM,CAAA,CAAA;AACxC,IAAAC,0CAAA,CAAwB,SAAS,CAAA,CAAA;AAEjC,IAAmB,kBAAA,CAAA,GAAA,CAAI,WAAW,eAAe,CAAA,CAAA;AAEjD,IAAI,IAAA,CAAE,MAAM,GAAI,CAAA,iBAAA,CAAkB,GAAG,CAAC,SAAA,EAAW,eAAe,CAAC,CAAI,EAAA;AACnE,MAAiB,gBAAA,CAAA,GAAA,CAAI,WAAW,eAAe,CAAA,CAAA;AAAA,KACjD;AAAA,GACF;AAEA,EAAM,MAAA,aAAA,GAAgB,MAAM,mBAAoB,CAAA,gBAAA;AAAA,IAC9C,eAAA;AAAA,GACF,CAAA;AAEA,EAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,WAAY,EAAA,CAAA;AACnC,EAAI,IAAA,gBAAA,CAAA;AACJ,EAAI,IAAA;AACF,IAAA,IAAI,CAAC,aAAe,EAAA;AAElB,MAAA,MAAM,mBAAoB,CAAA,kBAAA,CAAmB,oBAAqB,EAAA,EAAG,GAAG,CAAA,CAAA;AAAA,KAC1E,MAAA,IAAW,aAAc,CAAA,MAAA,KAAW,QAAU,EAAA;AAC5C,MAAA,MAAM,mBAAoB,CAAA,kBAAA;AAAA,QACxB,oBAAqB,EAAA;AAAA,QACrB,eAAA;AAAA,QACA,GAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,gBAAA,GAAmB,KAAM,CAAA,IAAA,CAAe,gBAAiB,CAAA,OAAA,EAAS,CAAA,CAAA;AAClE,IAAA,MAAM,GAAI,CAAA,mBAAA;AAAA,MACR,gBAAA;AAAA,MACA,oBAAqB,EAAA;AAAA,MACrB,GAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,WACV,KAAO,EAAA;AACd,IAAM,MAAA,GAAA,CAAI,SAAS,KAAK,CAAA,CAAA;AACxB,IAAM,MAAA,KAAA,CAAA;AAAA,GACR;AAEA,EAAA,MAAMD,cAAY,QAAwB,CAAA;AAAA,IACxC,OAAS,EAAAE,wBAAA;AAAA,IACT,OAAS,EAAA,CAAA,uBAAA,CAAA;AAAA,IACT,WAAWC,sBAAW,CAAA,qBAAA;AAAA,IACtB,QAAU,EAAA;AAAA,MACR,GAAG,oBAAqB,EAAA;AAAA,MACxB,SAAS,gBAAiB,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAA;AAAA,KAC3C;AAAA,IACA,KAAO,EAAAC,kCAAA;AAAA,IACP,MAAQ,EAAA,WAAA;AAAA,GACT,CAAA,CAAA;AAED,EAAM,MAAA,mBAAA,GAAsB,MAAM,GAAI,CAAA,yBAAA;AAAA,IACpC,CAAA;AAAA,IACA,eAAA;AAAA,GACF,CAAA;AAEA,EAAM,MAAAC,0BAAA;AAAA,IACJ,mBAAoB,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAA;AAAA,IACnC,KAAM,CAAA,IAAA,CAAa,kBAAmB,CAAA,IAAA,EAAM,CAAA;AAAA,IAC5C,eAAA;AAAA,IACA,eAAA;AAAA,IACA,GAAA;AAAA,IACAL,aAAA;AAAA,IACA,iBAAA;AAAA,GACF,CAAA;AACF,EAAA;AAEA,MAAM,mBAAsB,GAAA,OAC1B,QACA,EAAA,GAAA,EACAA,aACG,KAAA;AACH,EAAA,MAAM,gBAA4B,EAAC,CAAA;AACnC,EAAA,KAAA,MAAW,UAAU,QAAU,EAAA;AAC7B,IAAA,IAAI,CAAE,MAAM,GAAA,CAAI,SAAU,CAAA,GAAG,MAAM,CAAI,EAAA;AACrC,MAAA,aAAA,CAAc,KAAK,MAAM,CAAA,CAAA;AAAA,KAC3B;AAAA,GACF;AACA,EAAM,MAAA,GAAA,CAAI,YAAY,aAAa,CAAA,CAAA;AAEnC,EAAA,MAAMA,cAAY,QAA8B,CAAA;AAAA,IAC9C,OAAS,EAAAE,wBAAA;AAAA,IACT,OAAS,EAAA,CAAA,8BAAA,CAAA;AAAA,IACT,WAAWI,4BAAiB,CAAA,aAAA;AAAA,IAC5B,QAAU,EAAA,EAAE,QAAoB,EAAA,MAAA,EAAQ,eAAgB,EAAA;AAAA,IACxD,KAAO,EAAAF,kCAAA;AAAA,IACP,MAAQ,EAAA,WAAA;AAAA,GACT,CAAA,CAAA;AACH,CAAA,CAAA;AAEa,MAAA,mBAAA,GAAsB,OACjC,GAAA,EACA,WACG,KAAA;AACH,EAAA,MAAM,gBAAmB,GAAA;AAAA,IACvB,CAAC,eAAA,EAAiB,eAAiB,EAAA,MAAA,EAAQ,OAAO,CAAA;AAAA,IAClD,CAAC,eAAA,EAAiB,eAAiB,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,IACpD,CAAC,eAAA,EAAiB,eAAiB,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,IACpD,CAAC,eAAA,EAAiB,eAAiB,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA;AAAA,IAEpD,CAAC,eAAA,EAAiB,gBAAkB,EAAA,MAAA,EAAQ,OAAO,CAAA;AAAA,GACrD,CAAA;AACA,EAAM,MAAA,mBAAA,CAAoB,gBAAkB,EAAA,GAAA,EAAK,WAAW,CAAA,CAAA;AAC9D;;;;;;;"}

package/dist/audit-log/audit-logger.cjs.js

@@ -0,0 +1,108 @@
+'use strict';
+
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
+
+const RoleEvents = {
+  CREATE_ROLE: "CreateRole",
+  UPDATE_ROLE: "UpdateRole",
+  DELETE_ROLE: "DeleteRole",
+  CREATE_OR_UPDATE_ROLE: "CreateOrUpdateRole",
+  GET_ROLE: "GetRole",
+  CREATE_ROLE_ERROR: "CreateRoleError",
+  UPDATE_ROLE_ERROR: "UpdateRoleError",
+  DELETE_ROLE_ERROR: "DeleteRoleError",
+  GET_ROLE_ERROR: "GetRoleError"
+};
+const PermissionEvents = {
+  CREATE_POLICY: "CreatePolicy",
+  UPDATE_POLICY: "UpdatePolicy",
+  DELETE_POLICY: "DeletePolicy",
+  GET_POLICY: "GetPolicy",
+  CREATE_POLICY_ERROR: "CreatePolicyError",
+  UPDATE_POLICY_ERROR: "UpdatePolicyError",
+  DELETE_POLICY_ERROR: "DeletePolicyError",
+  GET_POLICY_ERROR: "GetPolicyError"
+};
+const EvaluationEvents = {
+  PERMISSION_EVALUATION_STARTED: "PermissionEvaluationStarted",
+  PERMISSION_EVALUATION_COMPLETED: "PermissionEvaluationCompleted",
+  CONDITION_EVALUATION_COMPLETED: "ConditionEvaluationCompleted",
+  PERMISSION_EVALUATION_FAILED: "PermissionEvaluationFailed"
+};
+const ListPluginPoliciesEvents = {
+  GET_PLUGINS_POLICIES: "GetPluginsPolicies",
+  GET_PLUGINS_POLICIES_ERROR: "GetPluginsPoliciesError"
+};
+const ListConditionEvents = {
+  GET_CONDITION_RULES: "GetConditionRules",
+  GET_CONDITION_RULES_ERROR: "GetConditionRulesError"
+};
+const ConditionEvents = {
+  CREATE_CONDITION: "CreateCondition",
+  UPDATE_CONDITION: "UpdateCondition",
+  DELETE_CONDITION: "DeleteCondition",
+  GET_CONDITION: "GetCondition",
+  CREATE_CONDITION_ERROR: "CreateConditionError",
+  UPDATE_CONDITION_ERROR: "UpdateConditionError",
+  DELETE_CONDITION_ERROR: "DeleteConditionError",
+  GET_CONDITION_ERROR: "GetConditionError",
+  PARSE_CONDITION_ERROR: "ParseConditionError",
+  CHANGE_CONDITIONAL_POLICIES_FILE_ERROR: "ChangeConditionalPoliciesError",
+  CONDITIONAL_POLICIES_FILE_NOT_FOUND: "ConditionalPoliciesFileNotFound"
+};
+const RBAC_BACKEND = "rbac-backend";
+const HANDLE_RBAC_DATA_STAGE = "handleRBACData";
+const EVALUATE_PERMISSION_ACCESS_STAGE = "evaluatePermissionAccess";
+const SEND_RESPONSE_STAGE = "sendResponse";
+const RESPONSE_ERROR = "responseError";
+function createPermissionEvaluationOptions(message, userEntityRef, request, policyDecision) {
+  const auditInfo = {
+    userEntityRef,
+    permissionName: request.permission.name,
+    action: pluginRbacCommon.toPermissionAction(request.permission.attributes)
+  };
+  const resourceType = request.permission.resourceType;
+  if (resourceType) {
+    auditInfo.resourceType = resourceType;
+  }
+  let eventName;
+  if (!policyDecision) {
+    eventName = EvaluationEvents.PERMISSION_EVALUATION_STARTED;
+  } else {
+    auditInfo.decision = policyDecision;
+    switch (policyDecision.result) {
+      case pluginPermissionCommon.AuthorizeResult.DENY:
+      case pluginPermissionCommon.AuthorizeResult.ALLOW:
+        eventName = EvaluationEvents.PERMISSION_EVALUATION_COMPLETED;
+        break;
+      case pluginPermissionCommon.AuthorizeResult.CONDITIONAL:
+        eventName = EvaluationEvents.CONDITION_EVALUATION_COMPLETED;
+        break;
+      default:
+        throw new Error("Unknown policy decision result");
+    }
+  }
+  return {
+    actorId: userEntityRef,
+    message,
+    eventName,
+    metadata: auditInfo,
+    stage: EVALUATE_PERMISSION_ACCESS_STAGE,
+    status: "succeeded"
+  };
+}
+
+exports.ConditionEvents = ConditionEvents;
+exports.EVALUATE_PERMISSION_ACCESS_STAGE = EVALUATE_PERMISSION_ACCESS_STAGE;
+exports.EvaluationEvents = EvaluationEvents;
+exports.HANDLE_RBAC_DATA_STAGE = HANDLE_RBAC_DATA_STAGE;
+exports.ListConditionEvents = ListConditionEvents;
+exports.ListPluginPoliciesEvents = ListPluginPoliciesEvents;
+exports.PermissionEvents = PermissionEvents;
+exports.RBAC_BACKEND = RBAC_BACKEND;
+exports.RESPONSE_ERROR = RESPONSE_ERROR;
+exports.RoleEvents = RoleEvents;
+exports.SEND_RESPONSE_STAGE = SEND_RESPONSE_STAGE;
+exports.createPermissionEvaluationOptions = createPermissionEvaluationOptions;
+//# sourceMappingURL=audit-logger.cjs.js.map

package/dist/audit-log/audit-logger.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.cjs.js","sources":["../../src/audit-log/audit-logger.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  AuthorizeResult,\n  PolicyDecision,\n  ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport type { PolicyQuery } from '@backstage/plugin-permission-node';\n\nimport type { AuditLogOptions } from '@janus-idp/backstage-plugin-audit-log-node';\n\nimport {\n  PermissionAction,\n  RoleConditionalPolicyDecision,\n  Source,\n  toPermissionAction,\n} from '@backstage-community/plugin-rbac-common';\n\nexport const RoleEvents = {\n  CREATE_ROLE: 'CreateRole',\n  UPDATE_ROLE: 'UpdateRole',\n  DELETE_ROLE: 'DeleteRole',\n  CREATE_OR_UPDATE_ROLE: 'CreateOrUpdateRole',\n  GET_ROLE: 'GetRole',\n\n  CREATE_ROLE_ERROR: 'CreateRoleError',\n  UPDATE_ROLE_ERROR: 'UpdateRoleError',\n  DELETE_ROLE_ERROR: 'DeleteRoleError',\n  GET_ROLE_ERROR: 'GetRoleError',\n} as const;\n\nexport const PermissionEvents = {\n  CREATE_POLICY: 'CreatePolicy',\n  UPDATE_POLICY: 'UpdatePolicy',\n  DELETE_POLICY: 'DeletePolicy',\n  GET_POLICY: 'GetPolicy',\n\n  CREATE_POLICY_ERROR: 'CreatePolicyError',\n  UPDATE_POLICY_ERROR: 'UpdatePolicyError',\n  DELETE_POLICY_ERROR: 'DeletePolicyError',\n  GET_POLICY_ERROR: 'GetPolicyError',\n} as const;\n\nexport type RoleAuditInfo = {\n  roleEntityRef: string;\n  description?: string;\n  source: Source;\n\n  members: string[];\n};\n\nexport type PermissionAuditInfo = {\n  policies: string[][];\n  source: Source;\n};\n\nexport const EvaluationEvents = {\n  PERMISSION_EVALUATION_STARTED: 'PermissionEvaluationStarted',\n  PERMISSION_EVALUATION_COMPLETED: 'PermissionEvaluationCompleted',\n  CONDITION_EVALUATION_COMPLETED: 'ConditionEvaluationCompleted',\n  PERMISSION_EVALUATION_FAILED: 'PermissionEvaluationFailed',\n} as const;\n\nexport const ListPluginPoliciesEvents = {\n  GET_PLUGINS_POLICIES: 'GetPluginsPolicies',\n  GET_PLUGINS_POLICIES_ERROR: 'GetPluginsPoliciesError',\n};\n\nexport const ListConditionEvents = {\n  GET_CONDITION_RULES: 'GetConditionRules',\n  GET_CONDITION_RULES_ERROR: 'GetConditionRulesError',\n};\n\nexport type EvaluationAuditInfo = {\n  userEntityRef: string;\n  permissionName: string;\n  action: PermissionAction;\n  resourceType?: string;\n  decision?: PolicyDecision;\n};\n\nexport const ConditionEvents = {\n  CREATE_CONDITION: 'CreateCondition',\n  UPDATE_CONDITION: 'UpdateCondition',\n  DELETE_CONDITION: 'DeleteCondition',\n  GET_CONDITION: 'GetCondition',\n\n  CREATE_CONDITION_ERROR: 'CreateConditionError',\n  UPDATE_CONDITION_ERROR: 'UpdateConditionError',\n  DELETE_CONDITION_ERROR: 'DeleteConditionError',\n  GET_CONDITION_ERROR: 'GetConditionError',\n  PARSE_CONDITION_ERROR: 'ParseConditionError',\n  CHANGE_CONDITIONAL_POLICIES_FILE_ERROR: 'ChangeConditionalPoliciesError',\n  CONDITIONAL_POLICIES_FILE_NOT_FOUND: 'ConditionalPoliciesFileNotFound',\n};\n\nexport type ConditionAuditInfo = {\n  condition: RoleConditionalPolicyDecision<PermissionAction>;\n};\n\nexport const RBAC_BACKEND = 'rbac-backend';\n\n// Audit log stage for processing Role-Based Access Control (RBAC) data\nexport const HANDLE_RBAC_DATA_STAGE = 'handleRBACData';\n\n// Audit log stage for determining access rights based on user permissions and resource information\nexport const EVALUATE_PERMISSION_ACCESS_STAGE = 'evaluatePermissionAccess';\n\n// Audit log stage for sending the response to the client about handled permission policies, roles, and condition policies\nexport const SEND_RESPONSE_STAGE = 'sendResponse';\nexport const RESPONSE_ERROR = 'responseError';\n\nexport function createPermissionEvaluationOptions(\n  message: string,\n  userEntityRef: string,\n  request: PolicyQuery,\n  policyDecision?: PolicyDecision,\n): AuditLogOptions<EvaluationAuditInfo> {\n  const auditInfo: EvaluationAuditInfo = {\n    userEntityRef,\n    permissionName: request.permission.name,\n    action: toPermissionAction(request.permission.attributes),\n  };\n\n  const resourceType = (request.permission as ResourcePermission).resourceType;\n  if (resourceType) {\n    auditInfo.resourceType = resourceType;\n  }\n\n  let eventName;\n  if (!policyDecision) {\n    eventName = EvaluationEvents.PERMISSION_EVALUATION_STARTED;\n  } else {\n    auditInfo.decision = policyDecision;\n\n    switch (policyDecision.result) {\n      case AuthorizeResult.DENY:\n      case AuthorizeResult.ALLOW:\n        eventName = EvaluationEvents.PERMISSION_EVALUATION_COMPLETED;\n        break;\n      case AuthorizeResult.CONDITIONAL:\n        eventName = EvaluationEvents.CONDITION_EVALUATION_COMPLETED;\n        break;\n      default:\n        throw new Error('Unknown policy decision result');\n    }\n  }\n\n  return {\n    actorId: userEntityRef,\n    message,\n    eventName,\n    metadata: auditInfo,\n    stage: EVALUATE_PERMISSION_ACCESS_STAGE,\n    status: 'succeeded',\n  };\n}\n"],"names":["toPermissionAction","AuthorizeResult"],"mappings":";;;;;AA+BO,MAAM,UAAa,GAAA;AAAA,EACxB,WAAa,EAAA,YAAA;AAAA,EACb,WAAa,EAAA,YAAA;AAAA,EACb,WAAa,EAAA,YAAA;AAAA,EACb,qBAAuB,EAAA,oBAAA;AAAA,EACvB,QAAU,EAAA,SAAA;AAAA,EAEV,iBAAmB,EAAA,iBAAA;AAAA,EACnB,iBAAmB,EAAA,iBAAA;AAAA,EACnB,iBAAmB,EAAA,iBAAA;AAAA,EACnB,cAAgB,EAAA,cAAA;AAClB,EAAA;AAEO,MAAM,gBAAmB,GAAA;AAAA,EAC9B,aAAe,EAAA,cAAA;AAAA,EACf,aAAe,EAAA,cAAA;AAAA,EACf,aAAe,EAAA,cAAA;AAAA,EACf,UAAY,EAAA,WAAA;AAAA,EAEZ,mBAAqB,EAAA,mBAAA;AAAA,EACrB,mBAAqB,EAAA,mBAAA;AAAA,EACrB,mBAAqB,EAAA,mBAAA;AAAA,EACrB,gBAAkB,EAAA,gBAAA;AACpB,EAAA;AAeO,MAAM,gBAAmB,GAAA;AAAA,EAC9B,6BAA+B,EAAA,6BAAA;AAAA,EAC/B,+BAAiC,EAAA,+BAAA;AAAA,EACjC,8BAAgC,EAAA,8BAAA;AAAA,EAChC,4BAA8B,EAAA,4BAAA;AAChC,EAAA;AAEO,MAAM,wBAA2B,GAAA;AAAA,EACtC,oBAAsB,EAAA,oBAAA;AAAA,EACtB,0BAA4B,EAAA,yBAAA;AAC9B,EAAA;AAEO,MAAM,mBAAsB,GAAA;AAAA,EACjC,mBAAqB,EAAA,mBAAA;AAAA,EACrB,yBAA2B,EAAA,wBAAA;AAC7B,EAAA;AAUO,MAAM,eAAkB,GAAA;AAAA,EAC7B,gBAAkB,EAAA,iBAAA;AAAA,EAClB,gBAAkB,EAAA,iBAAA;AAAA,EAClB,gBAAkB,EAAA,iBAAA;AAAA,EAClB,aAAe,EAAA,cAAA;AAAA,EAEf,sBAAwB,EAAA,sBAAA;AAAA,EACxB,sBAAwB,EAAA,sBAAA;AAAA,EACxB,sBAAwB,EAAA,sBAAA;AAAA,EACxB,mBAAqB,EAAA,mBAAA;AAAA,EACrB,qBAAuB,EAAA,qBAAA;AAAA,EACvB,sCAAwC,EAAA,gCAAA;AAAA,EACxC,mCAAqC,EAAA,iCAAA;AACvC,EAAA;AAMO,MAAM,YAAe,GAAA,eAAA;AAGrB,MAAM,sBAAyB,GAAA,iBAAA;AAG/B,MAAM,gCAAmC,GAAA,2BAAA;AAGzC,MAAM,mBAAsB,GAAA,eAAA;AAC5B,MAAM,cAAiB,GAAA,gBAAA;AAEvB,SAAS,iCACd,CAAA,OAAA,EACA,aACA,EAAA,OAAA,EACA,cACsC,EAAA;AACtC,EAAA,MAAM,SAAiC,GAAA;AAAA,IACrC,aAAA;AAAA,IACA,cAAA,EAAgB,QAAQ,UAAW,CAAA,IAAA;AAAA,IACnC,MAAQ,EAAAA,mCAAA,CAAmB,OAAQ,CAAA,UAAA,CAAW,UAAU,CAAA;AAAA,GAC1D,CAAA;AAEA,EAAM,MAAA,YAAA,GAAgB,QAAQ,UAAkC,CAAA,YAAA,CAAA;AAChE,EAAA,IAAI,YAAc,EAAA;AAChB,IAAA,SAAA,CAAU,YAAe,GAAA,YAAA,CAAA;AAAA,GAC3B;AAEA,EAAI,IAAA,SAAA,CAAA;AACJ,EAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,IAAA,SAAA,GAAY,gBAAiB,CAAA,6BAAA,CAAA;AAAA,GACxB,MAAA;AACL,IAAA,SAAA,CAAU,QAAW,GAAA,cAAA,CAAA;AAErB,IAAA,QAAQ,eAAe,MAAQ;AAAA,MAC7B,KAAKC,sCAAgB,CAAA,IAAA,CAAA;AAAA,MACrB,KAAKA,sCAAgB,CAAA,KAAA;AACnB,QAAA,SAAA,GAAY,gBAAiB,CAAA,+BAAA,CAAA;AAC7B,QAAA,MAAA;AAAA,MACF,KAAKA,sCAAgB,CAAA,WAAA;AACnB,QAAA,SAAA,GAAY,gBAAiB,CAAA,8BAAA,CAAA;AAC7B,QAAA,MAAA;AAAA,MACF;AACE,QAAM,MAAA,IAAI,MAAM,gCAAgC,CAAA,CAAA;AAAA,KACpD;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,OAAS,EAAA,aAAA;AAAA,IACT,OAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAU,EAAA,SAAA;AAAA,IACV,KAAO,EAAA,gCAAA;AAAA,IACP,MAAQ,EAAA,WAAA;AAAA,GACV,CAAA;AACF;;;;;;;;;;;;;;;"}

package/dist/audit-log/rest-errors-interceptor.cjs.js

@@ -0,0 +1,100 @@
+'use strict';
+
+var auditLogger = require('./audit-logger.cjs.js');
+
+const eventMap = {
+  "/policies": {
+    POST: {
+      event: auditLogger.PermissionEvents.CREATE_POLICY_ERROR,
+      message: "Failed to create permission policies"
+    },
+    PUT: {
+      event: auditLogger.PermissionEvents.UPDATE_POLICY_ERROR,
+      message: "Failed to update permission policies"
+    },
+    DELETE: {
+      event: auditLogger.PermissionEvents.DELETE_POLICY_ERROR,
+      message: "Failed to delete permission policies"
+    },
+    GET: {
+      event: auditLogger.PermissionEvents.GET_POLICY_ERROR,
+      message: "Failed to get permission policies"
+    }
+  },
+  "/roles": {
+    POST: {
+      event: auditLogger.RoleEvents.CREATE_ROLE_ERROR,
+      message: "Failed to create role"
+    },
+    PUT: {
+      event: auditLogger.RoleEvents.UPDATE_ROLE_ERROR,
+      message: "Failed to update role"
+    },
+    DELETE: {
+      event: auditLogger.RoleEvents.DELETE_ROLE_ERROR,
+      message: "Failed to delete role"
+    },
+    GET: { event: auditLogger.RoleEvents.GET_ROLE_ERROR, message: "Failed to get role" }
+  },
+  "/roles/conditions": {
+    POST: {
+      event: auditLogger.ConditionEvents.CREATE_CONDITION_ERROR,
+      message: "Failed to create condition"
+    },
+    PUT: {
+      event: auditLogger.ConditionEvents.UPDATE_CONDITION_ERROR,
+      message: "Failed to update condition"
+    },
+    DELETE: {
+      event: auditLogger.ConditionEvents.DELETE_CONDITION_ERROR,
+      message: "Failed to delete condition"
+    },
+    GET: {
+      event: auditLogger.ConditionEvents.GET_CONDITION_ERROR,
+      message: "Failed to get condition"
+    }
+  },
+  "/plugins/policies": {
+    GET: {
+      event: auditLogger.ListPluginPoliciesEvents.GET_PLUGINS_POLICIES_ERROR,
+      message: "Failed to get list permission policies"
+    }
+  },
+  "/plugins/condition-rules": {
+    GET: {
+      event: auditLogger.ListConditionEvents.GET_CONDITION_RULES_ERROR,
+      message: "Failed to get list condition rules and schemas"
+    }
+  }
+};
+function auditError(auditLogger$1) {
+  return async (err, req, _resp, next) => {
+    const matchedPath = Object.keys(eventMap).find(
+      (path) => req.path.startsWith(path)
+    );
+    if (matchedPath) {
+      const methodEvents = eventMap[matchedPath][req.method];
+      if (methodEvents) {
+        const { event, message } = methodEvents;
+        try {
+          await auditLogger$1.auditLog({
+            message,
+            eventName: event,
+            stage: auditLogger.RESPONSE_ERROR,
+            status: "failed",
+            request: req,
+            errors: [err]
+          });
+          next(err);
+        } catch (auditLogError) {
+          next(auditLogError);
+        }
+        return;
+      }
+    }
+    next(err);
+  };
+}
+
+exports.auditError = auditError;
+//# sourceMappingURL=rest-errors-interceptor.cjs.js.map

package/dist/audit-log/rest-errors-interceptor.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rest-errors-interceptor.cjs.js","sources":["../../src/audit-log/rest-errors-interceptor.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuditLogger } from '@janus-idp/backstage-plugin-audit-log-node';\nimport type {\n  ErrorRequestHandler,\n  NextFunction,\n  Request,\n  Response,\n} from 'express';\n\nimport {\n  ConditionEvents,\n  ListConditionEvents,\n  ListPluginPoliciesEvents,\n  PermissionEvents,\n  RESPONSE_ERROR,\n  RoleEvents,\n} from './audit-logger';\n\n// Mapping paths and methods to corresponding events and messages\nconst eventMap: {\n  [key: string]: { [key: string]: { event: string; message: string } };\n} = {\n  '/policies': {\n    POST: {\n      event: PermissionEvents.CREATE_POLICY_ERROR,\n      message: 'Failed to create permission policies',\n    },\n    PUT: {\n      event: PermissionEvents.UPDATE_POLICY_ERROR,\n      message: 'Failed to update permission policies',\n    },\n    DELETE: {\n      event: PermissionEvents.DELETE_POLICY_ERROR,\n      message: 'Failed to delete permission policies',\n    },\n    GET: {\n      event: PermissionEvents.GET_POLICY_ERROR,\n      message: 'Failed to get permission policies',\n    },\n  },\n  '/roles': {\n    POST: {\n      event: RoleEvents.CREATE_ROLE_ERROR,\n      message: 'Failed to create role',\n    },\n    PUT: {\n      event: RoleEvents.UPDATE_ROLE_ERROR,\n      message: 'Failed to update role',\n    },\n    DELETE: {\n      event: RoleEvents.DELETE_ROLE_ERROR,\n      message: 'Failed to delete role',\n    },\n    GET: { event: RoleEvents.GET_ROLE_ERROR, message: 'Failed to get role' },\n  },\n  '/roles/conditions': {\n    POST: {\n      event: ConditionEvents.CREATE_CONDITION_ERROR,\n      message: 'Failed to create condition',\n    },\n    PUT: {\n      event: ConditionEvents.UPDATE_CONDITION_ERROR,\n      message: 'Failed to update condition',\n    },\n    DELETE: {\n      event: ConditionEvents.DELETE_CONDITION_ERROR,\n      message: 'Failed to delete condition',\n    },\n    GET: {\n      event: ConditionEvents.GET_CONDITION_ERROR,\n      message: 'Failed to get condition',\n    },\n  },\n  '/plugins/policies': {\n    GET: {\n      event: ListPluginPoliciesEvents.GET_PLUGINS_POLICIES_ERROR,\n      message: 'Failed to get list permission policies',\n    },\n  },\n  '/plugins/condition-rules': {\n    GET: {\n      event: ListConditionEvents.GET_CONDITION_RULES_ERROR,\n      message: 'Failed to get list condition rules and schemas',\n    },\n  },\n};\n\n// Audit log REST api errors interceptor.\nexport function auditError(auditLogger: AuditLogger): ErrorRequestHandler {\n  return async (\n    err: Error,\n    req: Request,\n    _resp: Response,\n    next: NextFunction,\n  ) => {\n    const matchedPath = Object.keys(eventMap).find(path =>\n      req.path.startsWith(path),\n    );\n    if (matchedPath) {\n      const methodEvents = eventMap[matchedPath][req.method];\n      if (methodEvents) {\n        const { event, message } = methodEvents;\n        try {\n          await auditLogger.auditLog({\n            message,\n            eventName: event,\n            stage: RESPONSE_ERROR,\n            status: 'failed',\n            request: req,\n            errors: [err],\n          });\n          next(err);\n        } catch (auditLogError) {\n          next(auditLogError);\n        }\n        return;\n      }\n    }\n    next(err);\n  };\n}\n"],"names":["PermissionEvents","RoleEvents","ConditionEvents","ListPluginPoliciesEvents","ListConditionEvents","auditLogger","RESPONSE_ERROR"],"mappings":";;;;AAiCA,MAAM,QAEF,GAAA;AAAA,EACF,WAAa,EAAA;AAAA,IACX,IAAM,EAAA;AAAA,MACJ,OAAOA,4BAAiB,CAAA,mBAAA;AAAA,MACxB,OAAS,EAAA,sCAAA;AAAA,KACX;AAAA,IACA,GAAK,EAAA;AAAA,MACH,OAAOA,4BAAiB,CAAA,mBAAA;AAAA,MACxB,OAAS,EAAA,sCAAA;AAAA,KACX;AAAA,IACA,MAAQ,EAAA;AAAA,MACN,OAAOA,4BAAiB,CAAA,mBAAA;AAAA,MACxB,OAAS,EAAA,sCAAA;AAAA,KACX;AAAA,IACA,GAAK,EAAA;AAAA,MACH,OAAOA,4BAAiB,CAAA,gBAAA;AAAA,MACxB,OAAS,EAAA,mCAAA;AAAA,KACX;AAAA,GACF;AAAA,EACA,QAAU,EAAA;AAAA,IACR,IAAM,EAAA;AAAA,MACJ,OAAOC,sBAAW,CAAA,iBAAA;AAAA,MAClB,OAAS,EAAA,uBAAA;AAAA,KACX;AAAA,IACA,GAAK,EAAA;AAAA,MACH,OAAOA,sBAAW,CAAA,iBAAA;AAAA,MAClB,OAAS,EAAA,uBAAA;AAAA,KACX;AAAA,IACA,MAAQ,EAAA;AAAA,MACN,OAAOA,sBAAW,CAAA,iBAAA;AAAA,MAClB,OAAS,EAAA,uBAAA;AAAA,KACX;AAAA,IACA,KAAK,EAAE,KAAA,EAAOA,sBAAW,CAAA,cAAA,EAAgB,SAAS,oBAAqB,EAAA;AAAA,GACzE;AAAA,EACA,mBAAqB,EAAA;AAAA,IACnB,IAAM,EAAA;AAAA,MACJ,OAAOC,2BAAgB,CAAA,sBAAA;AAAA,MACvB,OAAS,EAAA,4BAAA;AAAA,KACX;AAAA,IACA,GAAK,EAAA;AAAA,MACH,OAAOA,2BAAgB,CAAA,sBAAA;AAAA,MACvB,OAAS,EAAA,4BAAA;AAAA,KACX;AAAA,IACA,MAAQ,EAAA;AAAA,MACN,OAAOA,2BAAgB,CAAA,sBAAA;AAAA,MACvB,OAAS,EAAA,4BAAA;AAAA,KACX;AAAA,IACA,GAAK,EAAA;AAAA,MACH,OAAOA,2BAAgB,CAAA,mBAAA;AAAA,MACvB,OAAS,EAAA,yBAAA;AAAA,KACX;AAAA,GACF;AAAA,EACA,mBAAqB,EAAA;AAAA,IACnB,GAAK,EAAA;AAAA,MACH,OAAOC,oCAAyB,CAAA,0BAAA;AAAA,MAChC,OAAS,EAAA,wCAAA;AAAA,KACX;AAAA,GACF;AAAA,EACA,0BAA4B,EAAA;AAAA,IAC1B,GAAK,EAAA;AAAA,MACH,OAAOC,+BAAoB,CAAA,yBAAA;AAAA,MAC3B,OAAS,EAAA,gDAAA;AAAA,KACX;AAAA,GACF;AACF,CAAA,CAAA;AAGO,SAAS,WAAWC,aAA+C,EAAA;AACxE,EAAA,OAAO,OACL,GAAA,EACA,GACA,EAAA,KAAA,EACA,IACG,KAAA;AACH,IAAA,MAAM,WAAc,GAAA,MAAA,CAAO,IAAK,CAAA,QAAQ,CAAE,CAAA,IAAA;AAAA,MAAK,CAC7C,IAAA,KAAA,GAAA,CAAI,IAAK,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,KAC1B,CAAA;AACA,IAAA,IAAI,WAAa,EAAA;AACf,MAAA,MAAM,YAAe,GAAA,QAAA,CAAS,WAAW,CAAA,CAAE,IAAI,MAAM,CAAA,CAAA;AACrD,MAAA,IAAI,YAAc,EAAA;AAChB,QAAM,MAAA,EAAE,KAAO,EAAA,OAAA,EAAY,GAAA,YAAA,CAAA;AAC3B,QAAI,IAAA;AACF,UAAA,MAAMA,cAAY,QAAS,CAAA;AAAA,YACzB,OAAA;AAAA,YACA,SAAW,EAAA,KAAA;AAAA,YACX,KAAO,EAAAC,0BAAA;AAAA,YACP,MAAQ,EAAA,QAAA;AAAA,YACR,OAAS,EAAA,GAAA;AAAA,YACT,MAAA,EAAQ,CAAC,GAAG,CAAA;AAAA,WACb,CAAA,CAAA;AACD,UAAA,IAAA,CAAK,GAAG,CAAA,CAAA;AAAA,iBACD,aAAe,EAAA;AACtB,UAAA,IAAA,CAAK,aAAa,CAAA,CAAA;AAAA,SACpB;AACA,QAAA,OAAA;AAAA,OACF;AAAA,KACF;AACA,IAAA,IAAA,CAAK,GAAG,CAAA,CAAA;AAAA,GACV,CAAA;AACF;;;;"}