@backstage-community/plugin-rbac-backend 5.2.3

package/dist/policies/permission-policy.cjs.js

@@ -0,0 +1,243 @@
+'use strict';
+
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
+var adminCreation = require('../admin-permissions/admin-creation.cjs.js');
+var auditLogger = require('../audit-log/audit-logger.cjs.js');
+var aliasResolver = require('../conditional-aliases/alias-resolver.cjs.js');
+var csvFileWatcher = require('../file-permissions/csv-file-watcher.cjs.js');
+var yamlConditionalFileWatcher = require('../file-permissions/yaml-conditional-file-watcher.cjs.js');
+
+const evaluatePermMsg = (userEntityRef, result, permission) => `${userEntityRef} is ${result} for permission '${permission.name}'${pluginPermissionCommon.isResourcePermission(permission) ? `, resource type '${permission.resourceType}'` : ""} and action '${pluginRbacCommon.toPermissionAction(permission.attributes)}'`;
+class RBACPermissionPolicy {
+  constructor(enforcer, auditLogger, conditionStorage, superUserList) {
+    this.enforcer = enforcer;
+    this.auditLogger = auditLogger;
+    this.conditionStorage = conditionStorage;
+    this.superUserList = superUserList;
+  }
+  superUserList;
+  static async build(logger, auditLogger, configApi, conditionalStorage, enforcerDelegate, roleMetadataStorage, knex, pluginMetadataCollector, auth) {
+    const superUserList = [];
+    const adminUsers = configApi.getOptionalConfigArray(
+      "permission.rbac.admin.users"
+    );
+    const superUsers = configApi.getOptionalConfigArray(
+      "permission.rbac.admin.superUsers"
+    );
+    const policiesFile = configApi.getOptionalString(
+      "permission.rbac.policies-csv-file"
+    );
+    const allowReload = configApi.getOptionalBoolean("permission.rbac.policyFileReload") || false;
+    const conditionalPoliciesFile = configApi.getOptionalString(
+      "permission.rbac.conditionalPoliciesFile"
+    );
+    if (superUsers && superUsers.length > 0) {
+      for (const user of superUsers) {
+        const userName = user.getString("name");
+        superUserList.push(userName);
+      }
+    }
+    await adminCreation.useAdminsFromConfig(
+      adminUsers || [],
+      enforcerDelegate,
+      auditLogger,
+      roleMetadataStorage,
+      knex
+    );
+    await adminCreation.setAdminPermissions(enforcerDelegate, auditLogger);
+    if ((!adminUsers || adminUsers.length === 0) && (!superUsers || superUsers.length === 0)) {
+      logger.warn(
+        "There are no admins or super admins configured for the RBAC-backend plugin."
+      );
+    }
+    const csvFile = new csvFileWatcher.CSVFileWatcher(
+      policiesFile,
+      allowReload,
+      logger,
+      enforcerDelegate,
+      roleMetadataStorage,
+      auditLogger
+    );
+    await csvFile.initialize();
+    const conditionalFile = new yamlConditionalFileWatcher.YamlConditinalPoliciesFileWatcher(
+      conditionalPoliciesFile,
+      allowReload,
+      logger,
+      conditionalStorage,
+      auditLogger,
+      auth,
+      pluginMetadataCollector,
+      roleMetadataStorage,
+      enforcerDelegate
+    );
+    await conditionalFile.initialize();
+    if (!conditionalPoliciesFile) {
+      logger.info("conditional policies file feature was disabled");
+      await conditionalFile.cleanUpConditionalPolicies();
+    }
+    if (!policiesFile) {
+      logger.info("csv policies file feature was disabled");
+      await csvFile.cleanUpRolesAndPolicies();
+    }
+    return new RBACPermissionPolicy(
+      enforcerDelegate,
+      auditLogger,
+      conditionalStorage,
+      superUserList
+    );
+  }
+  async handle(request, user) {
+    const userEntityRef = user?.info.userEntityRef ?? `user without entity`;
+    let auditOptions = auditLogger.createPermissionEvaluationOptions(
+      `Policy check for ${userEntityRef}`,
+      userEntityRef,
+      request
+    );
+    this.auditLogger.auditLog(auditOptions);
+    try {
+      let status = false;
+      const action = pluginRbacCommon.toPermissionAction(request.permission.attributes);
+      if (!user) {
+        const msg2 = evaluatePermMsg(
+          userEntityRef,
+          pluginPermissionCommon.AuthorizeResult.DENY,
+          request.permission
+        );
+        auditOptions = auditLogger.createPermissionEvaluationOptions(
+          msg2,
+          userEntityRef,
+          request,
+          { result: pluginPermissionCommon.AuthorizeResult.DENY }
+        );
+        await this.auditLogger.auditLog(auditOptions);
+        return { result: pluginPermissionCommon.AuthorizeResult.DENY };
+      }
+      const permissionName = request.permission.name;
+      const roles = await this.enforcer.getRolesForUser(userEntityRef);
+      if (pluginPermissionCommon.isResourcePermission(request.permission)) {
+        const resourceType = request.permission.resourceType;
+        if (user) {
+          const conditionResult = await this.handleConditions(
+            userEntityRef,
+            request,
+            roles,
+            user.info
+          );
+          if (conditionResult) {
+            return conditionResult;
+          }
+        }
+        const hasNamedPermission = await this.hasImplicitPermissionSpecifiedByName(
+          userEntityRef,
+          permissionName,
+          action
+        );
+        const obj = hasNamedPermission ? permissionName : resourceType;
+        status = await this.isAuthorized(userEntityRef, obj, action, roles);
+      } else {
+        status = await this.isAuthorized(
+          userEntityRef,
+          permissionName,
+          action,
+          roles
+        );
+      }
+      const result = status ? pluginPermissionCommon.AuthorizeResult.ALLOW : pluginPermissionCommon.AuthorizeResult.DENY;
+      const msg = evaluatePermMsg(userEntityRef, result, request.permission);
+      auditOptions = auditLogger.createPermissionEvaluationOptions(
+        msg,
+        userEntityRef,
+        request,
+        { result }
+      );
+      await this.auditLogger.auditLog(auditOptions);
+      return { result };
+    } catch (error) {
+      await this.auditLogger.auditLog({
+        message: "Permission policy check failed",
+        eventName: auditLogger.EvaluationEvents.PERMISSION_EVALUATION_FAILED,
+        stage: auditLogger.EVALUATE_PERMISSION_ACCESS_STAGE,
+        status: "failed",
+        errors: [error]
+      });
+      return { result: pluginPermissionCommon.AuthorizeResult.DENY };
+    }
+  }
+  async hasImplicitPermissionSpecifiedByName(userEntityRef, permissionName, action) {
+    const userPerms = await this.enforcer.getImplicitPermissionsForUser(
+      userEntityRef
+    );
+    for (const perm of userPerms) {
+      if (permissionName === perm[1] && action === perm[2]) {
+        return true;
+      }
+    }
+    return false;
+  }
+  isAuthorized = async (userIdentity, permission, action, roles) => {
+    if (this.superUserList.includes(userIdentity)) {
+      return true;
+    }
+    return await this.enforcer.enforce(userIdentity, permission, action, roles);
+  };
+  async handleConditions(userEntityRef, request, roles, userInfo) {
+    const permissionName = request.permission.name;
+    const resourceType = request.permission.resourceType;
+    const action = pluginRbacCommon.toPermissionAction(request.permission.attributes);
+    const conditions = [];
+    let pluginId = "";
+    for (const role of roles) {
+      const conditionalDecisions = await this.conditionStorage.filterConditions(
+        role,
+        void 0,
+        resourceType,
+        [action],
+        [permissionName]
+      );
+      if (conditionalDecisions.length === 1) {
+        pluginId = conditionalDecisions[0].pluginId;
+        conditions.push(conditionalDecisions[0].conditions);
+      }
+      if (conditionalDecisions.length > 1) {
+        const msg = `Detected ${JSON.stringify(
+          conditionalDecisions
+        )} collisions for conditional policies. Expected to find a stored single condition for permission with name ${permissionName}, resource type ${resourceType}, action ${action} for user ${userEntityRef}`;
+        const auditOptions = auditLogger.createPermissionEvaluationOptions(
+          msg,
+          userEntityRef,
+          request,
+          { result: pluginPermissionCommon.AuthorizeResult.DENY }
+        );
+        await this.auditLogger.auditLog(auditOptions);
+        return {
+          result: pluginPermissionCommon.AuthorizeResult.DENY
+        };
+      }
+    }
+    if (conditions.length > 0) {
+      const result = {
+        pluginId,
+        result: pluginPermissionCommon.AuthorizeResult.CONDITIONAL,
+        resourceType,
+        conditions: {
+          anyOf: conditions
+        }
+      };
+      aliasResolver.replaceAliases(result.conditions, userInfo);
+      const msg = `Send condition to plugin with id ${pluginId} to evaluate permission ${permissionName} with resource type ${resourceType} and action ${action} for user ${userEntityRef}`;
+      const auditOptions = auditLogger.createPermissionEvaluationOptions(
+        msg,
+        userEntityRef,
+        request,
+        result
+      );
+      await this.auditLogger.auditLog(auditOptions);
+      return result;
+    }
+    return void 0;
+  }
+}
+
+exports.RBACPermissionPolicy = RBACPermissionPolicy;
+//# sourceMappingURL=permission-policy.cjs.js.map

package/dist/policies/permission-policy.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-policy.cjs.js","sources":["../../src/policies/permission-policy.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type {\n  AuthService,\n  BackstageUserInfo,\n  LoggerService,\n} from '@backstage/backend-plugin-api';\nimport type { ConfigApi } from '@backstage/core-plugin-api';\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n  isResourcePermission,\n  Permission,\n  PermissionCondition,\n  PermissionCriteria,\n  PermissionRuleParams,\n  PolicyDecision,\n  ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport type {\n  PermissionPolicy,\n  PolicyQuery,\n  PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\n\nimport type { AuditLogger } from '@janus-idp/backstage-plugin-audit-log-node';\nimport type { Knex } from 'knex';\n\nimport {\n  NonEmptyArray,\n  toPermissionAction,\n} from '@backstage-community/plugin-rbac-common';\n\nimport {\n  setAdminPermissions,\n  useAdminsFromConfig,\n} from '../admin-permissions/admin-creation';\nimport {\n  createPermissionEvaluationOptions,\n  EVALUATE_PERMISSION_ACCESS_STAGE,\n  EvaluationEvents,\n} from '../audit-log/audit-logger';\nimport { replaceAliases } from '../conditional-aliases/alias-resolver';\nimport { ConditionalStorage } from '../database/conditional-storage';\nimport { RoleMetadataStorage } from '../database/role-metadata';\nimport { CSVFileWatcher } from '../file-permissions/csv-file-watcher';\nimport { YamlConditinalPoliciesFileWatcher } from '../file-permissions/yaml-conditional-file-watcher';\nimport { EnforcerDelegate } from '../service/enforcer-delegate';\nimport { PluginPermissionMetadataCollector } from '../service/plugin-endpoints';\n\nconst evaluatePermMsg = (\n  userEntityRef: string | undefined,\n  result: AuthorizeResult,\n  permission: Permission,\n) =>\n  `${userEntityRef} is ${result} for permission '${permission.name}'${\n    isResourcePermission(permission)\n      ? `, resource type '${permission.resourceType}'`\n      : ''\n  } and action '${toPermissionAction(permission.attributes)}'`;\n\nexport class RBACPermissionPolicy implements PermissionPolicy {\n  private readonly superUserList?: string[];\n\n  public static async build(\n    logger: LoggerService,\n    auditLogger: AuditLogger,\n    configApi: ConfigApi,\n    conditionalStorage: ConditionalStorage,\n    enforcerDelegate: EnforcerDelegate,\n    roleMetadataStorage: RoleMetadataStorage,\n    knex: Knex,\n    pluginMetadataCollector: PluginPermissionMetadataCollector,\n    auth: AuthService,\n  ): Promise<RBACPermissionPolicy> {\n    const superUserList: string[] = [];\n    const adminUsers = configApi.getOptionalConfigArray(\n      'permission.rbac.admin.users',\n    );\n\n    const superUsers = configApi.getOptionalConfigArray(\n      'permission.rbac.admin.superUsers',\n    );\n\n    const policiesFile = configApi.getOptionalString(\n      'permission.rbac.policies-csv-file',\n    );\n\n    const allowReload =\n      configApi.getOptionalBoolean('permission.rbac.policyFileReload') || false;\n\n    const conditionalPoliciesFile = configApi.getOptionalString(\n      'permission.rbac.conditionalPoliciesFile',\n    );\n\n    if (superUsers && superUsers.length > 0) {\n      for (const user of superUsers) {\n        const userName = user.getString('name');\n        superUserList.push(userName);\n      }\n    }\n\n    await useAdminsFromConfig(\n      adminUsers || [],\n      enforcerDelegate,\n      auditLogger,\n      roleMetadataStorage,\n      knex,\n    );\n    await setAdminPermissions(enforcerDelegate, auditLogger);\n\n    if (\n      (!adminUsers || adminUsers.length === 0) &&\n      (!superUsers || superUsers.length === 0)\n    ) {\n      logger.warn(\n        'There are no admins or super admins configured for the RBAC-backend plugin.',\n      );\n    }\n\n    const csvFile = new CSVFileWatcher(\n      policiesFile,\n      allowReload,\n      logger,\n      enforcerDelegate,\n      roleMetadataStorage,\n      auditLogger,\n    );\n    await csvFile.initialize();\n\n    const conditionalFile = new YamlConditinalPoliciesFileWatcher(\n      conditionalPoliciesFile,\n      allowReload,\n      logger,\n      conditionalStorage,\n      auditLogger,\n      auth,\n      pluginMetadataCollector,\n      roleMetadataStorage,\n      enforcerDelegate,\n    );\n    await conditionalFile.initialize();\n\n    if (!conditionalPoliciesFile) {\n      // clean up conditional policies corresponding to roles from csv file\n      logger.info('conditional policies file feature was disabled');\n      await conditionalFile.cleanUpConditionalPolicies();\n    }\n    if (!policiesFile) {\n      // remove roles and policies from csv file\n      logger.info('csv policies file feature was disabled');\n      await csvFile.cleanUpRolesAndPolicies();\n    }\n\n    return new RBACPermissionPolicy(\n      enforcerDelegate,\n      auditLogger,\n      conditionalStorage,\n      superUserList,\n    );\n  }\n\n  private constructor(\n    private readonly enforcer: EnforcerDelegate,\n    private readonly auditLogger: AuditLogger,\n    private readonly conditionStorage: ConditionalStorage,\n    superUserList?: string[],\n  ) {\n    this.superUserList = superUserList;\n  }\n\n  async handle(\n    request: PolicyQuery,\n    user?: PolicyQueryUser,\n  ): Promise<PolicyDecision> {\n    const userEntityRef = user?.info.userEntityRef ?? `user without entity`;\n\n    let auditOptions = createPermissionEvaluationOptions(\n      `Policy check for ${userEntityRef}`,\n      userEntityRef,\n      request,\n    );\n    this.auditLogger.auditLog(auditOptions);\n\n    try {\n      let status = false;\n\n      const action = toPermissionAction(request.permission.attributes);\n      if (!user) {\n        const msg = evaluatePermMsg(\n          userEntityRef,\n          AuthorizeResult.DENY,\n          request.permission,\n        );\n        auditOptions = createPermissionEvaluationOptions(\n          msg,\n          userEntityRef,\n          request,\n          { result: AuthorizeResult.DENY },\n        );\n        await this.auditLogger.auditLog(auditOptions);\n        return { result: AuthorizeResult.DENY };\n      }\n\n      const permissionName = request.permission.name;\n      const roles = await this.enforcer.getRolesForUser(userEntityRef);\n\n      if (isResourcePermission(request.permission)) {\n        const resourceType = request.permission.resourceType;\n\n        // handle conditions if they are present\n        if (user) {\n          const conditionResult = await this.handleConditions(\n            userEntityRef,\n            request,\n            roles,\n            user.info,\n          );\n          if (conditionResult) {\n            return conditionResult;\n          }\n        }\n\n        // handle permission with 'resource' type\n        const hasNamedPermission =\n          await this.hasImplicitPermissionSpecifiedByName(\n            userEntityRef,\n            permissionName,\n            action,\n          );\n        // Let's set up higher priority for permission specified by name, than by resource type\n        const obj = hasNamedPermission ? permissionName : resourceType;\n\n        status = await this.isAuthorized(userEntityRef, obj, action, roles);\n      } else {\n        // handle permission with 'basic' type\n        status = await this.isAuthorized(\n          userEntityRef,\n          permissionName,\n          action,\n          roles,\n        );\n      }\n\n      const result = status ? AuthorizeResult.ALLOW : AuthorizeResult.DENY;\n\n      const msg = evaluatePermMsg(userEntityRef, result, request.permission);\n      auditOptions = createPermissionEvaluationOptions(\n        msg,\n        userEntityRef,\n        request,\n        { result },\n      );\n      await this.auditLogger.auditLog(auditOptions);\n      return { result };\n    } catch (error) {\n      await this.auditLogger.auditLog({\n        message: 'Permission policy check failed',\n        eventName: EvaluationEvents.PERMISSION_EVALUATION_FAILED,\n        stage: EVALUATE_PERMISSION_ACCESS_STAGE,\n        status: 'failed',\n        errors: [error],\n      });\n      return { result: AuthorizeResult.DENY };\n    }\n  }\n\n  private async hasImplicitPermissionSpecifiedByName(\n    userEntityRef: string,\n    permissionName: string,\n    action: string,\n  ): Promise<boolean> {\n    const userPerms = await this.enforcer.getImplicitPermissionsForUser(\n      userEntityRef,\n    );\n    for (const perm of userPerms) {\n      if (permissionName === perm[1] && action === perm[2]) {\n        return true;\n      }\n    }\n    return false;\n  }\n\n  private isAuthorized = async (\n    userIdentity: string,\n    permission: string,\n    action: string,\n    roles: string[],\n  ): Promise<boolean> => {\n    if (this.superUserList!.includes(userIdentity)) {\n      return true;\n    }\n\n    return await this.enforcer.enforce(userIdentity, permission, action, roles);\n  };\n\n  private async handleConditions(\n    userEntityRef: string,\n    request: PolicyQuery,\n    roles: string[],\n    userInfo: BackstageUserInfo,\n  ): Promise<PolicyDecision | undefined> {\n    const permissionName = request.permission.name;\n    const resourceType = (request.permission as ResourcePermission)\n      .resourceType;\n    const action = toPermissionAction(request.permission.attributes);\n\n    const conditions: PermissionCriteria<\n      PermissionCondition<string, PermissionRuleParams>\n    >[] = [];\n    let pluginId = '';\n    for (const role of roles) {\n      const conditionalDecisions = await this.conditionStorage.filterConditions(\n        role,\n        undefined,\n        resourceType,\n        [action],\n        [permissionName],\n      );\n\n      if (conditionalDecisions.length === 1) {\n        pluginId = conditionalDecisions[0].pluginId;\n        conditions.push(conditionalDecisions[0].conditions);\n      }\n\n      // this error is unexpected and should not happen, but just in case handle it.\n      if (conditionalDecisions.length > 1) {\n        const msg = `Detected ${JSON.stringify(\n          conditionalDecisions,\n        )} collisions for conditional policies. Expected to find a stored single condition for permission with name ${permissionName}, resource type ${resourceType}, action ${action} for user ${userEntityRef}`;\n        const auditOptions = createPermissionEvaluationOptions(\n          msg,\n          userEntityRef,\n          request,\n          { result: AuthorizeResult.DENY },\n        );\n        await this.auditLogger.auditLog(auditOptions);\n        return {\n          result: AuthorizeResult.DENY,\n        };\n      }\n    }\n\n    if (conditions.length > 0) {\n      const result: ConditionalPolicyDecision = {\n        pluginId,\n        result: AuthorizeResult.CONDITIONAL,\n        resourceType,\n        conditions: {\n          anyOf: conditions as NonEmptyArray<\n            PermissionCriteria<\n              PermissionCondition<string, PermissionRuleParams>\n            >\n          >,\n        },\n      };\n\n      replaceAliases(result.conditions, userInfo);\n\n      const msg = `Send condition to plugin with id ${pluginId} to evaluate permission ${permissionName} with resource type ${resourceType} and action ${action} for user ${userEntityRef}`;\n      const auditOptions = createPermissionEvaluationOptions(\n        msg,\n        userEntityRef,\n        request,\n        result,\n      );\n      await this.auditLogger.auditLog(auditOptions);\n      return result;\n    }\n    return undefined;\n  }\n}\n"],"names":["isResourcePermission","toPermissionAction","useAdminsFromConfig","setAdminPermissions","CSVFileWatcher","YamlConditinalPoliciesFileWatcher","createPermissionEvaluationOptions","msg","AuthorizeResult","EvaluationEvents","EVALUATE_PERMISSION_ACCESS_STAGE","replaceAliases"],"mappings":";;;;;;;;;;AA+DA,MAAM,eAAA,GAAkB,CACtB,aAAA,EACA,MACA,EAAA,UAAA,KAEA,GAAG,aAAa,CAAA,IAAA,EAAO,MAAM,CAAA,iBAAA,EAAoB,UAAW,CAAA,IAAI,IAC9DA,2CAAqB,CAAA,UAAU,CAC3B,GAAA,CAAA,iBAAA,EAAoB,UAAW,CAAA,YAAY,CAC3C,CAAA,CAAA,GAAA,EACN,CAAgB,aAAA,EAAAC,mCAAA,CAAmB,UAAW,CAAA,UAAU,CAAC,CAAA,CAAA,CAAA,CAAA;AAEpD,MAAM,oBAAiD,CAAA;AAAA,EAqGpD,WACW,CAAA,QAAA,EACA,WACA,EAAA,gBAAA,EACjB,aACA,EAAA;AAJiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA,CAAA;AACA,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA,CAAA;AAGjB,IAAA,IAAA,CAAK,aAAgB,GAAA,aAAA,CAAA;AAAA,GACvB;AAAA,EA3GiB,aAAA,CAAA;AAAA,EAEjB,aAAoB,KAClB,CAAA,MAAA,EACA,WACA,EAAA,SAAA,EACA,oBACA,gBACA,EAAA,mBAAA,EACA,IACA,EAAA,uBAAA,EACA,IAC+B,EAAA;AAC/B,IAAA,MAAM,gBAA0B,EAAC,CAAA;AACjC,IAAA,MAAM,aAAa,SAAU,CAAA,sBAAA;AAAA,MAC3B,6BAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,aAAa,SAAU,CAAA,sBAAA;AAAA,MAC3B,kCAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,eAAe,SAAU,CAAA,iBAAA;AAAA,MAC7B,mCAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,WACJ,GAAA,SAAA,CAAU,kBAAmB,CAAA,kCAAkC,CAAK,IAAA,KAAA,CAAA;AAEtE,IAAA,MAAM,0BAA0B,SAAU,CAAA,iBAAA;AAAA,MACxC,yCAAA;AAAA,KACF,CAAA;AAEA,IAAI,IAAA,UAAA,IAAc,UAAW,CAAA,MAAA,GAAS,CAAG,EAAA;AACvC,MAAA,KAAA,MAAW,QAAQ,UAAY,EAAA;AAC7B,QAAM,MAAA,QAAA,GAAW,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA,CAAA;AACtC,QAAA,aAAA,CAAc,KAAK,QAAQ,CAAA,CAAA;AAAA,OAC7B;AAAA,KACF;AAEA,IAAM,MAAAC,iCAAA;AAAA,MACJ,cAAc,EAAC;AAAA,MACf,gBAAA;AAAA,MACA,WAAA;AAAA,MACA,mBAAA;AAAA,MACA,IAAA;AAAA,KACF,CAAA;AACA,IAAM,MAAAC,iCAAA,CAAoB,kBAAkB,WAAW,CAAA,CAAA;AAEvD,IACG,IAAA,CAAA,CAAC,cAAc,UAAW,CAAA,MAAA,KAAW,OACrC,CAAC,UAAA,IAAc,UAAW,CAAA,MAAA,KAAW,CACtC,CAAA,EAAA;AACA,MAAO,MAAA,CAAA,IAAA;AAAA,QACL,6EAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,UAAU,IAAIC,6BAAA;AAAA,MAClB,YAAA;AAAA,MACA,WAAA;AAAA,MACA,MAAA;AAAA,MACA,gBAAA;AAAA,MACA,mBAAA;AAAA,MACA,WAAA;AAAA,KACF,CAAA;AACA,IAAA,MAAM,QAAQ,UAAW,EAAA,CAAA;AAEzB,IAAA,MAAM,kBAAkB,IAAIC,4DAAA;AAAA,MAC1B,uBAAA;AAAA,MACA,WAAA;AAAA,MACA,MAAA;AAAA,MACA,kBAAA;AAAA,MACA,WAAA;AAAA,MACA,IAAA;AAAA,MACA,uBAAA;AAAA,MACA,mBAAA;AAAA,MACA,gBAAA;AAAA,KACF,CAAA;AACA,IAAA,MAAM,gBAAgB,UAAW,EAAA,CAAA;AAEjC,IAAA,IAAI,CAAC,uBAAyB,EAAA;AAE5B,MAAA,MAAA,CAAO,KAAK,gDAAgD,CAAA,CAAA;AAC5D,MAAA,MAAM,gBAAgB,0BAA2B,EAAA,CAAA;AAAA,KACnD;AACA,IAAA,IAAI,CAAC,YAAc,EAAA;AAEjB,MAAA,MAAA,CAAO,KAAK,wCAAwC,CAAA,CAAA;AACpD,MAAA,MAAM,QAAQ,uBAAwB,EAAA,CAAA;AAAA,KACxC;AAEA,IAAA,OAAO,IAAI,oBAAA;AAAA,MACT,gBAAA;AAAA,MACA,WAAA;AAAA,MACA,kBAAA;AAAA,MACA,aAAA;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAWA,MAAM,MACJ,CAAA,OAAA,EACA,IACyB,EAAA;AACzB,IAAM,MAAA,aAAA,GAAgB,IAAM,EAAA,IAAA,CAAK,aAAiB,IAAA,CAAA,mBAAA,CAAA,CAAA;AAElD,IAAA,IAAI,YAAe,GAAAC,6CAAA;AAAA,MACjB,oBAAoB,aAAa,CAAA,CAAA;AAAA,MACjC,aAAA;AAAA,MACA,OAAA;AAAA,KACF,CAAA;AACA,IAAK,IAAA,CAAA,WAAA,CAAY,SAAS,YAAY,CAAA,CAAA;AAEtC,IAAI,IAAA;AACF,MAAA,IAAI,MAAS,GAAA,KAAA,CAAA;AAEb,MAAA,MAAM,MAAS,GAAAL,mCAAA,CAAmB,OAAQ,CAAA,UAAA,CAAW,UAAU,CAAA,CAAA;AAC/D,MAAA,IAAI,CAAC,IAAM,EAAA;AACT,QAAA,MAAMM,IAAM,GAAA,eAAA;AAAA,UACV,aAAA;AAAA,UACAC,sCAAgB,CAAA,IAAA;AAAA,UAChB,OAAQ,CAAA,UAAA;AAAA,SACV,CAAA;AACA,QAAe,YAAA,GAAAF,6CAAA;AAAA,UACbC,IAAAA;AAAA,UACA,aAAA;AAAA,UACA,OAAA;AAAA,UACA,EAAE,MAAQ,EAAAC,sCAAA,CAAgB,IAAK,EAAA;AAAA,SACjC,CAAA;AACA,QAAM,MAAA,IAAA,CAAK,WAAY,CAAA,QAAA,CAAS,YAAY,CAAA,CAAA;AAC5C,QAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,OACxC;AAEA,MAAM,MAAA,cAAA,GAAiB,QAAQ,UAAW,CAAA,IAAA,CAAA;AAC1C,MAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,gBAAgB,aAAa,CAAA,CAAA;AAE/D,MAAI,IAAAR,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC5C,QAAM,MAAA,YAAA,GAAe,QAAQ,UAAW,CAAA,YAAA,CAAA;AAGxC,QAAA,IAAI,IAAM,EAAA;AACR,UAAM,MAAA,eAAA,GAAkB,MAAM,IAAK,CAAA,gBAAA;AAAA,YACjC,aAAA;AAAA,YACA,OAAA;AAAA,YACA,KAAA;AAAA,YACA,IAAK,CAAA,IAAA;AAAA,WACP,CAAA;AACA,UAAA,IAAI,eAAiB,EAAA;AACnB,YAAO,OAAA,eAAA,CAAA;AAAA,WACT;AAAA,SACF;AAGA,QAAM,MAAA,kBAAA,GACJ,MAAM,IAAK,CAAA,oCAAA;AAAA,UACT,aAAA;AAAA,UACA,cAAA;AAAA,UACA,MAAA;AAAA,SACF,CAAA;AAEF,QAAM,MAAA,GAAA,GAAM,qBAAqB,cAAiB,GAAA,YAAA,CAAA;AAElD,QAAA,MAAA,GAAS,MAAM,IAAK,CAAA,YAAA,CAAa,aAAe,EAAA,GAAA,EAAK,QAAQ,KAAK,CAAA,CAAA;AAAA,OAC7D,MAAA;AAEL,QAAA,MAAA,GAAS,MAAM,IAAK,CAAA,YAAA;AAAA,UAClB,aAAA;AAAA,UACA,cAAA;AAAA,UACA,MAAA;AAAA,UACA,KAAA;AAAA,SACF,CAAA;AAAA,OACF;AAEA,MAAA,MAAM,MAAS,GAAA,MAAA,GAASQ,sCAAgB,CAAA,KAAA,GAAQA,sCAAgB,CAAA,IAAA,CAAA;AAEhE,MAAA,MAAM,GAAM,GAAA,eAAA,CAAgB,aAAe,EAAA,MAAA,EAAQ,QAAQ,UAAU,CAAA,CAAA;AACrE,MAAe,YAAA,GAAAF,6CAAA;AAAA,QACb,GAAA;AAAA,QACA,aAAA;AAAA,QACA,OAAA;AAAA,QACA,EAAE,MAAO,EAAA;AAAA,OACX,CAAA;AACA,MAAM,MAAA,IAAA,CAAK,WAAY,CAAA,QAAA,CAAS,YAAY,CAAA,CAAA;AAC5C,MAAA,OAAO,EAAE,MAAO,EAAA,CAAA;AAAA,aACT,KAAO,EAAA;AACd,MAAM,MAAA,IAAA,CAAK,YAAY,QAAS,CAAA;AAAA,QAC9B,OAAS,EAAA,gCAAA;AAAA,QACT,WAAWG,4BAAiB,CAAA,4BAAA;AAAA,QAC5B,KAAO,EAAAC,4CAAA;AAAA,QACP,MAAQ,EAAA,QAAA;AAAA,QACR,MAAA,EAAQ,CAAC,KAAK,CAAA;AAAA,OACf,CAAA,CAAA;AACD,MAAO,OAAA,EAAE,MAAQ,EAAAF,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,KACxC;AAAA,GACF;AAAA,EAEA,MAAc,oCAAA,CACZ,aACA,EAAA,cAAA,EACA,MACkB,EAAA;AAClB,IAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,QAAS,CAAA,6BAAA;AAAA,MACpC,aAAA;AAAA,KACF,CAAA;AACA,IAAA,KAAA,MAAW,QAAQ,SAAW,EAAA;AAC5B,MAAA,IAAI,mBAAmB,IAAK,CAAA,CAAC,KAAK,MAAW,KAAA,IAAA,CAAK,CAAC,CAAG,EAAA;AACpD,QAAO,OAAA,IAAA,CAAA;AAAA,OACT;AAAA,KACF;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAAA,EAEQ,YAAe,GAAA,OACrB,YACA,EAAA,UAAA,EACA,QACA,KACqB,KAAA;AACrB,IAAA,IAAI,IAAK,CAAA,aAAA,CAAe,QAAS,CAAA,YAAY,CAAG,EAAA;AAC9C,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAEA,IAAA,OAAO,MAAM,IAAK,CAAA,QAAA,CAAS,QAAQ,YAAc,EAAA,UAAA,EAAY,QAAQ,KAAK,CAAA,CAAA;AAAA,GAC5E,CAAA;AAAA,EAEA,MAAc,gBAAA,CACZ,aACA,EAAA,OAAA,EACA,OACA,QACqC,EAAA;AACrC,IAAM,MAAA,cAAA,GAAiB,QAAQ,UAAW,CAAA,IAAA,CAAA;AAC1C,IAAM,MAAA,YAAA,GAAgB,QAAQ,UAC3B,CAAA,YAAA,CAAA;AACH,IAAA,MAAM,MAAS,GAAAP,mCAAA,CAAmB,OAAQ,CAAA,UAAA,CAAW,UAAU,CAAA,CAAA;AAE/D,IAAA,MAAM,aAEA,EAAC,CAAA;AACP,IAAA,IAAI,QAAW,GAAA,EAAA,CAAA;AACf,IAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,MAAM,MAAA,oBAAA,GAAuB,MAAM,IAAA,CAAK,gBAAiB,CAAA,gBAAA;AAAA,QACvD,IAAA;AAAA,QACA,KAAA,CAAA;AAAA,QACA,YAAA;AAAA,QACA,CAAC,MAAM,CAAA;AAAA,QACP,CAAC,cAAc,CAAA;AAAA,OACjB,CAAA;AAEA,MAAI,IAAA,oBAAA,CAAqB,WAAW,CAAG,EAAA;AACrC,QAAW,QAAA,GAAA,oBAAA,CAAqB,CAAC,CAAE,CAAA,QAAA,CAAA;AACnC,QAAA,UAAA,CAAW,IAAK,CAAA,oBAAA,CAAqB,CAAC,CAAA,CAAE,UAAU,CAAA,CAAA;AAAA,OACpD;AAGA,MAAI,IAAA,oBAAA,CAAqB,SAAS,CAAG,EAAA;AACnC,QAAM,MAAA,GAAA,GAAM,YAAY,IAAK,CAAA,SAAA;AAAA,UAC3B,oBAAA;AAAA,SACD,6GAA6G,cAAc,CAAA,gBAAA,EAAmB,YAAY,CAAY,SAAA,EAAA,MAAM,aAAa,aAAa,CAAA,CAAA,CAAA;AACvM,QAAA,MAAM,YAAe,GAAAK,6CAAA;AAAA,UACnB,GAAA;AAAA,UACA,aAAA;AAAA,UACA,OAAA;AAAA,UACA,EAAE,MAAQ,EAAAE,sCAAA,CAAgB,IAAK,EAAA;AAAA,SACjC,CAAA;AACA,QAAM,MAAA,IAAA,CAAK,WAAY,CAAA,QAAA,CAAS,YAAY,CAAA,CAAA;AAC5C,QAAO,OAAA;AAAA,UACL,QAAQA,sCAAgB,CAAA,IAAA;AAAA,SAC1B,CAAA;AAAA,OACF;AAAA,KACF;AAEA,IAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,MAAA,MAAM,MAAoC,GAAA;AAAA,QACxC,QAAA;AAAA,QACA,QAAQA,sCAAgB,CAAA,WAAA;AAAA,QACxB,YAAA;AAAA,QACA,UAAY,EAAA;AAAA,UACV,KAAO,EAAA,UAAA;AAAA,SAKT;AAAA,OACF,CAAA;AAEA,MAAeG,4BAAA,CAAA,MAAA,CAAO,YAAY,QAAQ,CAAA,CAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,CAAoC,iCAAA,EAAA,QAAQ,CAA2B,wBAAA,EAAA,cAAc,uBAAuB,YAAY,CAAA,YAAA,EAAe,MAAM,CAAA,UAAA,EAAa,aAAa,CAAA,CAAA,CAAA;AACnL,MAAA,MAAM,YAAe,GAAAL,6CAAA;AAAA,QACnB,GAAA;AAAA,QACA,aAAA;AAAA,QACA,OAAA;AAAA,QACA,MAAA;AAAA,OACF,CAAA;AACA,MAAM,MAAA,IAAA,CAAK,WAAY,CAAA,QAAA,CAAS,YAAY,CAAA,CAAA;AAC5C,MAAO,OAAA,MAAA,CAAA;AAAA,KACT;AACA,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACF;;;;"}

package/dist/providers/connect-providers.cjs.js

@@ -0,0 +1,211 @@
+'use strict';
+
+var casbin = require('casbin');
+var auditLogger = require('../audit-log/audit-logger.cjs.js');
+var helper = require('../helper.cjs.js');
+var permissionModel = require('../service/permission-model.cjs.js');
+var policiesValidation = require('../validation/policies-validation.cjs.js');
+
+class Connection {
+  constructor(id, enforcer, roleMetadataStorage, logger, auditLogger) {
+    this.id = id;
+    this.enforcer = enforcer;
+    this.roleMetadataStorage = roleMetadataStorage;
+    this.logger = logger;
+    this.auditLogger = auditLogger;
+  }
+  async applyRoles(roles) {
+    const stringPolicy = helper.typedPoliciesToString(roles, "g");
+    const providerRolesforRemoval = [];
+    const tempEnforcer = await casbin.newEnforcer(
+      casbin.newModelFromString(permissionModel.MODEL),
+      new casbin.StringAdapter(stringPolicy)
+    );
+    const providerRoles = await this.getProviderRoles();
+    for (const providerRole of providerRoles) {
+      providerRolesforRemoval.push(
+        ...await this.enforcer.getFilteredGroupingPolicy(1, providerRole)
+      );
+    }
+    await this.removeRoles(providerRolesforRemoval, tempEnforcer);
+    await this.addRoles(roles);
+  }
+  async applyPermissions(permissions) {
+    const stringPolicy = helper.typedPoliciesToString(permissions, "p");
+    const providerPermissions = [];
+    const tempEnforcer = await casbin.newEnforcer(
+      casbin.newModelFromString(permissionModel.MODEL),
+      new casbin.StringAdapter(stringPolicy)
+    );
+    const providerRoles = await this.getProviderRoles();
+    for (const providerRole of providerRoles) {
+      providerPermissions.push(
+        ...await this.enforcer.getFilteredPolicy(0, providerRole)
+      );
+    }
+    await this.removePermissions(providerPermissions, tempEnforcer);
+    await this.addPermissions(permissions);
+  }
+  async addRoles(roles) {
+    for (const role of roles) {
+      if (!await this.enforcer.hasGroupingPolicy(...role)) {
+        const err = await policiesValidation.validateGroupingPolicy(
+          role,
+          this.roleMetadataStorage,
+          this.id
+        );
+        if (err) {
+          this.logger.warn(err.message);
+          continue;
+        }
+        let roleMeta = await this.roleMetadataStorage.findRoleMetadata(role[1]);
+        const eventName = roleMeta ? auditLogger.RoleEvents.UPDATE_ROLE : auditLogger.RoleEvents.CREATE_ROLE;
+        const message = roleMeta ? "Updated role" : "Created role";
+        if (!roleMeta) {
+          roleMeta = {
+            modifiedBy: this.id,
+            source: this.id,
+            roleEntityRef: role[1]
+          };
+        }
+        await this.enforcer.addGroupingPolicy(role, roleMeta);
+        await this.auditLogger.auditLog({
+          actorId: auditLogger.RBAC_BACKEND,
+          message,
+          eventName,
+          metadata: { ...roleMeta, members: [role[0]] },
+          stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+          status: "succeeded"
+        });
+      }
+    }
+  }
+  async removeRoles(providerRoles, tempEnforcer) {
+    for (const role of providerRoles) {
+      if (!await tempEnforcer.hasGroupingPolicy(...role)) {
+        const roleMeta = await this.roleMetadataStorage.findRoleMetadata(
+          role[1]
+        );
+        const currentRole = await this.enforcer.getFilteredGroupingPolicy(
+          1,
+          role[1]
+        );
+        if (!roleMeta) {
+          this.logger.warn("role does not exist");
+          continue;
+        }
+        const singleRole = roleMeta && currentRole.length === 1;
+        let eventName;
+        let message;
+        if (singleRole) {
+          eventName = auditLogger.RoleEvents.DELETE_ROLE;
+          message = "Deleted role";
+          await this.enforcer.removeGroupingPolicy(role, roleMeta);
+          await this.auditLogger.auditLog({
+            actorId: auditLogger.RBAC_BACKEND,
+            message,
+            eventName,
+            metadata: { ...roleMeta, members: [role[0]] },
+            stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+            status: "succeeded"
+          });
+          continue;
+        }
+        eventName = auditLogger.RoleEvents.UPDATE_ROLE;
+        message = "Updated role: deleted members";
+        await this.enforcer.removeGroupingPolicy(role, roleMeta, true);
+        await this.auditLogger.auditLog({
+          actorId: auditLogger.RBAC_BACKEND,
+          message,
+          eventName,
+          metadata: { ...roleMeta, members: [role[0]] },
+          stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+          status: "succeeded"
+        });
+      }
+    }
+  }
+  async addPermissions(permissions) {
+    for (const permission of permissions) {
+      if (!await this.enforcer.hasPolicy(...permission)) {
+        const transformedPolicy = helper.transformArrayToPolicy(permission);
+        const metadata = await this.roleMetadataStorage.findRoleMetadata(
+          permission[0]
+        );
+        let err = policiesValidation.validatePolicy(transformedPolicy);
+        if (err) {
+          this.logger.warn(`Invalid permission policy, ${err}`);
+          continue;
+        }
+        err = await policiesValidation.validateSource(this.id, metadata);
+        if (err) {
+          this.logger.warn(
+            `Unable to add policy ${permission}. Cause: ${err.message}`
+          );
+          continue;
+        }
+        await this.enforcer.addPolicy(permission);
+        await this.auditLogger.auditLog({
+          actorId: auditLogger.RBAC_BACKEND,
+          message: `Created policy`,
+          eventName: auditLogger.PermissionEvents.CREATE_POLICY,
+          metadata: { policies: [permission], source: this.id },
+          stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+          status: "succeeded"
+        });
+      }
+    }
+  }
+  async removePermissions(providerPermissions, tempEnforcer) {
+    const removedPermissions = [];
+    for (const permission of providerPermissions) {
+      if (!await tempEnforcer.hasPolicy(...permission)) {
+        this.enforcer.removePolicy(permission);
+        removedPermissions.push(permission);
+      }
+      if (removedPermissions.length > 0) {
+        await this.auditLogger.auditLog({
+          actorId: auditLogger.RBAC_BACKEND,
+          message: `Deleted policies`,
+          eventName: auditLogger.PermissionEvents.DELETE_POLICY,
+          metadata: {
+            policies: removedPermissions,
+            source: this.id
+          },
+          stage: auditLogger.HANDLE_RBAC_DATA_STAGE,
+          status: "succeeded"
+        });
+      }
+    }
+  }
+  async getProviderRoles() {
+    const currentRoles = await this.roleMetadataStorage.filterRoleMetadata(
+      this.id
+    );
+    return currentRoles.map((meta) => meta.roleEntityRef);
+  }
+}
+async function connectRBACProviders(providers, enforcer, roleMetadataStorage, logger, auditLogger) {
+  await Promise.all(
+    providers.map(async (provider) => {
+      try {
+        const connection = new Connection(
+          provider.getProviderName(),
+          enforcer,
+          roleMetadataStorage,
+          logger,
+          auditLogger
+        );
+        return provider.connect(connection);
+      } catch (error) {
+        throw new Error(
+          `Unable to connect provider ${provider.getProviderName()}, ${error}`
+        );
+      }
+    })
+  );
+}
+
+exports.Connection = Connection;
+exports.connectRBACProviders = connectRBACProviders;
+//# sourceMappingURL=connect-providers.cjs.js.map

package/dist/providers/connect-providers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect-providers.cjs.js","sources":["../../src/providers/connect-providers.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { LoggerService } from '@backstage/backend-plugin-api';\n\nimport type { AuditLogger } from '@janus-idp/backstage-plugin-audit-log-node';\nimport {\n  Enforcer,\n  newEnforcer,\n  newModelFromString,\n  StringAdapter,\n} from 'casbin';\n\nimport type {\n  RBACProvider,\n  RBACProviderConnection,\n} from '@backstage-community/plugin-rbac-node';\n\nimport {\n  HANDLE_RBAC_DATA_STAGE,\n  PermissionAuditInfo,\n  PermissionEvents,\n  RBAC_BACKEND,\n  RoleAuditInfo,\n  RoleEvents,\n} from '../audit-log/audit-logger';\nimport { RoleMetadataStorage } from '../database/role-metadata';\nimport { transformArrayToPolicy, typedPoliciesToString } from '../helper';\nimport { EnforcerDelegate } from '../service/enforcer-delegate';\nimport { MODEL } from '../service/permission-model';\nimport {\n  validateGroupingPolicy,\n  validatePolicy,\n  validateSource,\n} from '../validation/policies-validation';\n\nexport class Connection implements RBACProviderConnection {\n  constructor(\n    private readonly id: string,\n    private readonly enforcer: EnforcerDelegate,\n    private readonly roleMetadataStorage: RoleMetadataStorage,\n    private readonly logger: LoggerService,\n    private readonly auditLogger: AuditLogger,\n  ) {}\n\n  async applyRoles(roles: string[][]): Promise<void> {\n    const stringPolicy = typedPoliciesToString(roles, 'g');\n\n    const providerRolesforRemoval: string[][] = [];\n\n    const tempEnforcer = await newEnforcer(\n      newModelFromString(MODEL),\n      new StringAdapter(stringPolicy),\n    );\n\n    const providerRoles = await this.getProviderRoles();\n\n    // Get the roles for this provider coming from rbac plugin\n    for (const providerRole of providerRoles) {\n      providerRolesforRemoval.push(\n        ...(await this.enforcer.getFilteredGroupingPolicy(1, providerRole)),\n      );\n    }\n\n    // Remove role\n    // role exists in rbac but does not exist in provider\n    await this.removeRoles(providerRolesforRemoval, tempEnforcer);\n\n    // Add the role\n    // role exists in provider but does not exist in rbac\n    await this.addRoles(roles);\n  }\n\n  async applyPermissions(permissions: string[][]): Promise<void> {\n    const stringPolicy = typedPoliciesToString(permissions, 'p');\n\n    const providerPermissions: string[][] = [];\n\n    const tempEnforcer = await newEnforcer(\n      newModelFromString(MODEL),\n      new StringAdapter(stringPolicy),\n    );\n\n    const providerRoles = await this.getProviderRoles();\n\n    // Get the roles for this provider coming from rbac plugin\n    for (const providerRole of providerRoles) {\n      providerPermissions.push(\n        ...(await this.enforcer.getFilteredPolicy(0, providerRole)),\n      );\n    }\n\n    await this.removePermissions(providerPermissions, tempEnforcer);\n\n    await this.addPermissions(permissions);\n  }\n\n  private async addRoles(roles: string[][]): Promise<void> {\n    for (const role of roles) {\n      if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n        const err = await validateGroupingPolicy(\n          role,\n          this.roleMetadataStorage,\n          this.id,\n        );\n\n        if (err) {\n          this.logger.warn(err.message);\n          continue; // Skip adding this role as there was an error\n        }\n\n        let roleMeta = await this.roleMetadataStorage.findRoleMetadata(role[1]);\n\n        const eventName = roleMeta\n          ? RoleEvents.UPDATE_ROLE\n          : RoleEvents.CREATE_ROLE;\n        const message = roleMeta ? 'Updated role' : 'Created role';\n\n        // role does not exist in rbac, create the metadata for it\n        if (!roleMeta) {\n          roleMeta = {\n            modifiedBy: this.id,\n            source: this.id,\n            roleEntityRef: role[1],\n          };\n        }\n\n        await this.enforcer.addGroupingPolicy(role, roleMeta);\n\n        await this.auditLogger.auditLog<RoleAuditInfo>({\n          actorId: RBAC_BACKEND,\n          message,\n          eventName,\n          metadata: { ...roleMeta, members: [role[0]] },\n          stage: HANDLE_RBAC_DATA_STAGE,\n          status: 'succeeded',\n        });\n      }\n    }\n  }\n\n  private async removeRoles(\n    providerRoles: string[][],\n    tempEnforcer: Enforcer,\n  ): Promise<void> {\n    // Remove role\n    // role exists in rbac but does not exist in provider\n    for (const role of providerRoles) {\n      if (!(await tempEnforcer.hasGroupingPolicy(...role))) {\n        const roleMeta = await this.roleMetadataStorage.findRoleMetadata(\n          role[1],\n        );\n\n        const currentRole = await this.enforcer.getFilteredGroupingPolicy(\n          1,\n          role[1],\n        );\n\n        if (!roleMeta) {\n          this.logger.warn('role does not exist');\n          continue;\n        }\n\n        const singleRole = roleMeta && currentRole.length === 1;\n\n        let eventName: string;\n        let message: string;\n\n        // Only one role exists in rbac remove role metadata as well\n        if (singleRole) {\n          eventName = RoleEvents.DELETE_ROLE;\n          message = 'Deleted role';\n          await this.enforcer.removeGroupingPolicy(role, roleMeta);\n\n          await this.auditLogger.auditLog<RoleAuditInfo>({\n            actorId: RBAC_BACKEND,\n            message,\n            eventName,\n            metadata: { ...roleMeta, members: [role[0]] },\n            stage: HANDLE_RBAC_DATA_STAGE,\n            status: 'succeeded',\n          });\n          continue; // Move on to the next role\n        }\n\n        eventName = RoleEvents.UPDATE_ROLE;\n        message = 'Updated role: deleted members';\n        await this.enforcer.removeGroupingPolicy(role, roleMeta, true);\n\n        await this.auditLogger.auditLog<RoleAuditInfo>({\n          actorId: RBAC_BACKEND,\n          message,\n          eventName,\n          metadata: { ...roleMeta, members: [role[0]] },\n          stage: HANDLE_RBAC_DATA_STAGE,\n          status: 'succeeded',\n        });\n      }\n    }\n  }\n\n  private async addPermissions(permissions: string[][]): Promise<void> {\n    for (const permission of permissions) {\n      if (!(await this.enforcer.hasPolicy(...permission))) {\n        const transformedPolicy = transformArrayToPolicy(permission);\n        const metadata = await this.roleMetadataStorage.findRoleMetadata(\n          permission[0],\n        );\n\n        let err = validatePolicy(transformedPolicy);\n        if (err) {\n          this.logger.warn(`Invalid permission policy, ${err}`);\n          continue; // Skip this invalid permission policy\n        }\n\n        err = await validateSource(this.id, metadata);\n        if (err) {\n          this.logger.warn(\n            `Unable to add policy ${permission}. Cause: ${err.message}`,\n          );\n          continue;\n        }\n\n        await this.enforcer.addPolicy(permission);\n\n        await this.auditLogger.auditLog<PermissionAuditInfo>({\n          actorId: RBAC_BACKEND,\n          message: `Created policy`,\n          eventName: PermissionEvents.CREATE_POLICY,\n          metadata: { policies: [permission], source: this.id },\n          stage: HANDLE_RBAC_DATA_STAGE,\n          status: 'succeeded',\n        });\n      }\n    }\n  }\n\n  private async removePermissions(\n    providerPermissions: string[][],\n    tempEnforcer: Enforcer,\n  ): Promise<void> {\n    const removedPermissions: string[][] = [];\n    for (const permission of providerPermissions) {\n      if (!(await tempEnforcer.hasPolicy(...permission))) {\n        this.enforcer.removePolicy(permission);\n        removedPermissions.push(permission);\n      }\n\n      if (removedPermissions.length > 0) {\n        await this.auditLogger.auditLog<PermissionAuditInfo>({\n          actorId: RBAC_BACKEND,\n          message: `Deleted policies`,\n          eventName: PermissionEvents.DELETE_POLICY,\n          metadata: {\n            policies: removedPermissions,\n            source: this.id,\n          },\n          stage: HANDLE_RBAC_DATA_STAGE,\n          status: 'succeeded',\n        });\n      }\n    }\n  }\n\n  private async getProviderRoles(): Promise<string[]> {\n    const currentRoles = await this.roleMetadataStorage.filterRoleMetadata(\n      this.id,\n    );\n    return currentRoles.map(meta => meta.roleEntityRef);\n  }\n}\n\nexport async function connectRBACProviders(\n  providers: RBACProvider[],\n  enforcer: EnforcerDelegate,\n  roleMetadataStorage: RoleMetadataStorage,\n  logger: LoggerService,\n  auditLogger: AuditLogger,\n) {\n  await Promise.all(\n    providers.map(async provider => {\n      try {\n        const connection = new Connection(\n          provider.getProviderName(),\n          enforcer,\n          roleMetadataStorage,\n          logger,\n          auditLogger,\n        );\n        return provider.connect(connection);\n      } catch (error) {\n        throw new Error(\n          `Unable to connect provider ${provider.getProviderName()}, ${error}`,\n        );\n      }\n    }),\n  );\n}\n"],"names":["typedPoliciesToString","newEnforcer","newModelFromString","MODEL","StringAdapter","validateGroupingPolicy","RoleEvents","RBAC_BACKEND","HANDLE_RBAC_DATA_STAGE","transformArrayToPolicy","validatePolicy","validateSource","PermissionEvents"],"mappings":";;;;;;;;AAgDO,MAAM,UAA6C,CAAA;AAAA,EACxD,WACmB,CAAA,EAAA,EACA,QACA,EAAA,mBAAA,EACA,QACA,WACjB,EAAA;AALiB,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA,CAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AACA,IAAA,IAAA,CAAA,mBAAA,GAAA,mBAAA,CAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA,CAAA;AAAA,GAChB;AAAA,EAEH,MAAM,WAAW,KAAkC,EAAA;AACjD,IAAM,MAAA,YAAA,GAAeA,4BAAsB,CAAA,KAAA,EAAO,GAAG,CAAA,CAAA;AAErD,IAAA,MAAM,0BAAsC,EAAC,CAAA;AAE7C,IAAA,MAAM,eAAe,MAAMC,kBAAA;AAAA,MACzBC,0BAAmBC,qBAAK,CAAA;AAAA,MACxB,IAAIC,qBAAc,YAAY,CAAA;AAAA,KAChC,CAAA;AAEA,IAAM,MAAA,aAAA,GAAgB,MAAM,IAAA,CAAK,gBAAiB,EAAA,CAAA;AAGlD,IAAA,KAAA,MAAW,gBAAgB,aAAe,EAAA;AACxC,MAAwB,uBAAA,CAAA,IAAA;AAAA,QACtB,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA,CAA0B,GAAG,YAAY,CAAA;AAAA,OACnE,CAAA;AAAA,KACF;AAIA,IAAM,MAAA,IAAA,CAAK,WAAY,CAAA,uBAAA,EAAyB,YAAY,CAAA,CAAA;AAI5D,IAAM,MAAA,IAAA,CAAK,SAAS,KAAK,CAAA,CAAA;AAAA,GAC3B;AAAA,EAEA,MAAM,iBAAiB,WAAwC,EAAA;AAC7D,IAAM,MAAA,YAAA,GAAeJ,4BAAsB,CAAA,WAAA,EAAa,GAAG,CAAA,CAAA;AAE3D,IAAA,MAAM,sBAAkC,EAAC,CAAA;AAEzC,IAAA,MAAM,eAAe,MAAMC,kBAAA;AAAA,MACzBC,0BAAmBC,qBAAK,CAAA;AAAA,MACxB,IAAIC,qBAAc,YAAY,CAAA;AAAA,KAChC,CAAA;AAEA,IAAM,MAAA,aAAA,GAAgB,MAAM,IAAA,CAAK,gBAAiB,EAAA,CAAA;AAGlD,IAAA,KAAA,MAAW,gBAAgB,aAAe,EAAA;AACxC,MAAoB,mBAAA,CAAA,IAAA;AAAA,QAClB,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,YAAY,CAAA;AAAA,OAC3D,CAAA;AAAA,KACF;AAEA,IAAM,MAAA,IAAA,CAAK,iBAAkB,CAAA,mBAAA,EAAqB,YAAY,CAAA,CAAA;AAE9D,IAAM,MAAA,IAAA,CAAK,eAAe,WAAW,CAAA,CAAA;AAAA,GACvC;AAAA,EAEA,MAAc,SAAS,KAAkC,EAAA;AACvD,IAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,MAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,QAAA,MAAM,MAAM,MAAMC,yCAAA;AAAA,UAChB,IAAA;AAAA,UACA,IAAK,CAAA,mBAAA;AAAA,UACL,IAAK,CAAA,EAAA;AAAA,SACP,CAAA;AAEA,QAAA,IAAI,GAAK,EAAA;AACP,UAAK,IAAA,CAAA,MAAA,CAAO,IAAK,CAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAC5B,UAAA,SAAA;AAAA,SACF;AAEA,QAAA,IAAI,WAAW,MAAM,IAAA,CAAK,oBAAoB,gBAAiB,CAAA,IAAA,CAAK,CAAC,CAAC,CAAA,CAAA;AAEtE,QAAA,MAAM,SAAY,GAAA,QAAA,GACdC,sBAAW,CAAA,WAAA,GACXA,sBAAW,CAAA,WAAA,CAAA;AACf,QAAM,MAAA,OAAA,GAAU,WAAW,cAAiB,GAAA,cAAA,CAAA;AAG5C,QAAA,IAAI,CAAC,QAAU,EAAA;AACb,UAAW,QAAA,GAAA;AAAA,YACT,YAAY,IAAK,CAAA,EAAA;AAAA,YACjB,QAAQ,IAAK,CAAA,EAAA;AAAA,YACb,aAAA,EAAe,KAAK,CAAC,CAAA;AAAA,WACvB,CAAA;AAAA,SACF;AAEA,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,IAAA,EAAM,QAAQ,CAAA,CAAA;AAEpD,QAAM,MAAA,IAAA,CAAK,YAAY,QAAwB,CAAA;AAAA,UAC7C,OAAS,EAAAC,wBAAA;AAAA,UACT,OAAA;AAAA,UACA,SAAA;AAAA,UACA,QAAA,EAAU,EAAE,GAAG,QAAA,EAAU,SAAS,CAAC,IAAA,CAAK,CAAC,CAAC,CAAE,EAAA;AAAA,UAC5C,KAAO,EAAAC,kCAAA;AAAA,UACP,MAAQ,EAAA,WAAA;AAAA,SACT,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,GACF;AAAA,EAEA,MAAc,WACZ,CAAA,aAAA,EACA,YACe,EAAA;AAGf,IAAA,KAAA,MAAW,QAAQ,aAAe,EAAA;AAChC,MAAA,IAAI,CAAE,MAAM,YAAA,CAAa,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACpD,QAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,UAC9C,KAAK,CAAC,CAAA;AAAA,SACR,CAAA;AAEA,QAAM,MAAA,WAAA,GAAc,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,UACtC,CAAA;AAAA,UACA,KAAK,CAAC,CAAA;AAAA,SACR,CAAA;AAEA,QAAA,IAAI,CAAC,QAAU,EAAA;AACb,UAAK,IAAA,CAAA,MAAA,CAAO,KAAK,qBAAqB,CAAA,CAAA;AACtC,UAAA,SAAA;AAAA,SACF;AAEA,QAAM,MAAA,UAAA,GAAa,QAAY,IAAA,WAAA,CAAY,MAAW,KAAA,CAAA,CAAA;AAEtD,QAAI,IAAA,SAAA,CAAA;AACJ,QAAI,IAAA,OAAA,CAAA;AAGJ,QAAA,IAAI,UAAY,EAAA;AACd,UAAA,SAAA,GAAYF,sBAAW,CAAA,WAAA,CAAA;AACvB,UAAU,OAAA,GAAA,cAAA,CAAA;AACV,UAAA,MAAM,IAAK,CAAA,QAAA,CAAS,oBAAqB,CAAA,IAAA,EAAM,QAAQ,CAAA,CAAA;AAEvD,UAAM,MAAA,IAAA,CAAK,YAAY,QAAwB,CAAA;AAAA,YAC7C,OAAS,EAAAC,wBAAA;AAAA,YACT,OAAA;AAAA,YACA,SAAA;AAAA,YACA,QAAA,EAAU,EAAE,GAAG,QAAA,EAAU,SAAS,CAAC,IAAA,CAAK,CAAC,CAAC,CAAE,EAAA;AAAA,YAC5C,KAAO,EAAAC,kCAAA;AAAA,YACP,MAAQ,EAAA,WAAA;AAAA,WACT,CAAA,CAAA;AACD,UAAA,SAAA;AAAA,SACF;AAEA,QAAA,SAAA,GAAYF,sBAAW,CAAA,WAAA,CAAA;AACvB,QAAU,OAAA,GAAA,+BAAA,CAAA;AACV,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,oBAAqB,CAAA,IAAA,EAAM,UAAU,IAAI,CAAA,CAAA;AAE7D,QAAM,MAAA,IAAA,CAAK,YAAY,QAAwB,CAAA;AAAA,UAC7C,OAAS,EAAAC,wBAAA;AAAA,UACT,OAAA;AAAA,UACA,SAAA;AAAA,UACA,QAAA,EAAU,EAAE,GAAG,QAAA,EAAU,SAAS,CAAC,IAAA,CAAK,CAAC,CAAC,CAAE,EAAA;AAAA,UAC5C,KAAO,EAAAC,kCAAA;AAAA,UACP,MAAQ,EAAA,WAAA;AAAA,SACT,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,GACF;AAAA,EAEA,MAAc,eAAe,WAAwC,EAAA;AACnE,IAAA,KAAA,MAAW,cAAc,WAAa,EAAA;AACpC,MAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,UAAU,CAAI,EAAA;AACnD,QAAM,MAAA,iBAAA,GAAoBC,8BAAuB,UAAU,CAAA,CAAA;AAC3D,QAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,UAC9C,WAAW,CAAC,CAAA;AAAA,SACd,CAAA;AAEA,QAAI,IAAA,GAAA,GAAMC,kCAAe,iBAAiB,CAAA,CAAA;AAC1C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA8B,2BAAA,EAAA,GAAG,CAAE,CAAA,CAAA,CAAA;AACpD,UAAA,SAAA;AAAA,SACF;AAEA,QAAA,GAAA,GAAM,MAAMC,iCAAA,CAAe,IAAK,CAAA,EAAA,EAAI,QAAQ,CAAA,CAAA;AAC5C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,YACV,CAAwB,qBAAA,EAAA,UAAU,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAAA,WAC3D,CAAA;AACA,UAAA,SAAA;AAAA,SACF;AAEA,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAExC,QAAM,MAAA,IAAA,CAAK,YAAY,QAA8B,CAAA;AAAA,UACnD,OAAS,EAAAJ,wBAAA;AAAA,UACT,OAAS,EAAA,CAAA,cAAA,CAAA;AAAA,UACT,WAAWK,4BAAiB,CAAA,aAAA;AAAA,UAC5B,QAAA,EAAU,EAAE,QAAU,EAAA,CAAC,UAAU,CAAG,EAAA,MAAA,EAAQ,KAAK,EAAG,EAAA;AAAA,UACpD,KAAO,EAAAJ,kCAAA;AAAA,UACP,MAAQ,EAAA,WAAA;AAAA,SACT,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,GACF;AAAA,EAEA,MAAc,iBACZ,CAAA,mBAAA,EACA,YACe,EAAA;AACf,IAAA,MAAM,qBAAiC,EAAC,CAAA;AACxC,IAAA,KAAA,MAAW,cAAc,mBAAqB,EAAA;AAC5C,MAAA,IAAI,CAAE,MAAM,YAAA,CAAa,SAAU,CAAA,GAAG,UAAU,CAAI,EAAA;AAClD,QAAK,IAAA,CAAA,QAAA,CAAS,aAAa,UAAU,CAAA,CAAA;AACrC,QAAA,kBAAA,CAAmB,KAAK,UAAU,CAAA,CAAA;AAAA,OACpC;AAEA,MAAI,IAAA,kBAAA,CAAmB,SAAS,CAAG,EAAA;AACjC,QAAM,MAAA,IAAA,CAAK,YAAY,QAA8B,CAAA;AAAA,UACnD,OAAS,EAAAD,wBAAA;AAAA,UACT,OAAS,EAAA,CAAA,gBAAA,CAAA;AAAA,UACT,WAAWK,4BAAiB,CAAA,aAAA;AAAA,UAC5B,QAAU,EAAA;AAAA,YACR,QAAU,EAAA,kBAAA;AAAA,YACV,QAAQ,IAAK,CAAA,EAAA;AAAA,WACf;AAAA,UACA,KAAO,EAAAJ,kCAAA;AAAA,UACP,MAAQ,EAAA,WAAA;AAAA,SACT,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,GACF;AAAA,EAEA,MAAc,gBAAsC,GAAA;AAClD,IAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,mBAAoB,CAAA,kBAAA;AAAA,MAClD,IAAK,CAAA,EAAA;AAAA,KACP,CAAA;AACA,IAAA,OAAO,YAAa,CAAA,GAAA,CAAI,CAAQ,IAAA,KAAA,IAAA,CAAK,aAAa,CAAA,CAAA;AAAA,GACpD;AACF,CAAA;AAEA,eAAsB,oBACpB,CAAA,SAAA,EACA,QACA,EAAA,mBAAA,EACA,QACA,WACA,EAAA;AACA,EAAA,MAAM,OAAQ,CAAA,GAAA;AAAA,IACZ,SAAA,CAAU,GAAI,CAAA,OAAM,QAAY,KAAA;AAC9B,MAAI,IAAA;AACF,QAAA,MAAM,aAAa,IAAI,UAAA;AAAA,UACrB,SAAS,eAAgB,EAAA;AAAA,UACzB,QAAA;AAAA,UACA,mBAAA;AAAA,UACA,MAAA;AAAA,UACA,WAAA;AAAA,SACF,CAAA;AACA,QAAO,OAAA,QAAA,CAAS,QAAQ,UAAU,CAAA,CAAA;AAAA,eAC3B,KAAO,EAAA;AACd,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAA8B,2BAAA,EAAA,QAAA,CAAS,eAAgB,EAAC,KAAK,KAAK,CAAA,CAAA;AAAA,SACpE,CAAA;AAAA,OACF;AAAA,KACD,CAAA;AAAA,GACH,CAAA;AACF;;;;;"}