@backstage-community/plugin-rbac-backend 5.2.3

package/dist/service/policies-rest-api.cjs.js

@@ -0,0 +1,949 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var pluginPermissionBackend = require('@backstage/plugin-permission-backend');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var lodash = require('lodash');
+var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
+var auditLogger = require('../audit-log/audit-logger.cjs.js');
+var restErrorsInterceptor = require('../audit-log/rest-errors-interceptor.cjs.js');
+var roleMetadata = require('../database/role-metadata.cjs.js');
+var helper = require('../helper.cjs.js');
+var conditionValidation = require('../validation/condition-validation.cjs.js');
+var policiesValidation = require('../validation/policies-validation.cjs.js');
+
+class PoliciesServer {
+  constructor(permissions, options, enforcer, conditionalStorage, pluginPermMetaData, roleMetadata, aLog, rbacProviders) {
+    this.permissions = permissions;
+    this.options = options;
+    this.enforcer = enforcer;
+    this.conditionalStorage = conditionalStorage;
+    this.pluginPermMetaData = pluginPermMetaData;
+    this.roleMetadata = roleMetadata;
+    this.aLog = aLog;
+    this.rbacProviders = rbacProviders;
+  }
+  async authorize(request, permission) {
+    const credentials = await this.options.httpAuth.credentials(request, {
+      allow: ["user", "service"]
+    });
+    if (this.options.auth.isPrincipal(credentials, "service") && permission !== pluginRbacCommon.policyEntityReadPermission) {
+      throw new errors.NotAllowedError(
+        `Only creadential principal with type 'user' permitted to modify permissions`
+      );
+    }
+    const decision = (await this.permissions.authorize(
+      [{ permission, resourceRef: permission.resourceType }],
+      { credentials }
+    ))[0];
+    return decision;
+  }
+  async serve() {
+    const router = await pluginPermissionBackend.createRouter(this.options);
+    const { httpAuth } = this.options;
+    if (!httpAuth) {
+      throw new errors.ServiceUnavailableError(
+        "httpAuth not found, ensure the correct configuration for the RBAC plugin"
+      );
+    }
+    const permissionsIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
+      resourceType: pluginRbacCommon.RESOURCE_TYPE_POLICY_ENTITY,
+      permissions: pluginRbacCommon.policyEntityPermissions
+    });
+    router.use(permissionsIntegrationRouter);
+    const isPluginEnabled = this.options.config.getOptionalBoolean("permission.enabled");
+    if (!isPluginEnabled) {
+      return router;
+    }
+    router.get("/", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      response.send({ status: "Authorized" });
+    });
+    router.get("/policies", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      let policies;
+      if (this.isPolicyFilterEnabled(request)) {
+        const entityRef = this.getFirstQuery(request.query.entityRef);
+        const permission = this.getFirstQuery(request.query.permission);
+        const policy = this.getFirstQuery(request.query.policy);
+        const effect = this.getFirstQuery(request.query.effect);
+        const filter = [entityRef, permission, policy, effect];
+        policies = await this.enforcer.getFilteredPolicy(0, ...filter);
+      } else {
+        policies = await this.enforcer.getPolicy();
+      }
+      const body = await this.transformPolicyArray(...policies);
+      await this.aLog.auditLog({
+        message: `Return list permission policies`,
+        eventName: auditLogger.PermissionEvents.GET_POLICY,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.get(
+      "/policies/:kind/:namespace/:name",
+      async (request, response) => {
+        const decision = await this.authorize(
+          request,
+          pluginRbacCommon.policyEntityReadPermission
+        );
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+          throw new errors.NotAllowedError();
+        }
+        const entityRef = this.getEntityReference(request);
+        const policy = await this.enforcer.getFilteredPolicy(0, entityRef);
+        if (policy.length !== 0) {
+          const body = await this.transformPolicyArray(...policy);
+          await this.aLog.auditLog({
+            message: `Return permission policy`,
+            eventName: auditLogger.PermissionEvents.GET_POLICY,
+            stage: auditLogger.SEND_RESPONSE_STAGE,
+            status: "succeeded",
+            request,
+            response: { status: 200, body }
+          });
+          response.json(body);
+        } else {
+          throw new errors.NotFoundError();
+        }
+      }
+    );
+    router.delete(
+      "/policies/:kind/:namespace/:name",
+      async (request, response) => {
+        const decision = await this.authorize(
+          request,
+          pluginRbacCommon.policyEntityDeletePermission
+        );
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+          throw new errors.NotAllowedError();
+        }
+        const entityRef = this.getEntityReference(request);
+        const policyRaw = request.body;
+        if (lodash.isEmpty(policyRaw)) {
+          throw new errors.InputError(`permission policy must be present`);
+        }
+        policyRaw.forEach((element) => {
+          element.entityReference = entityRef;
+        });
+        const processedPolicies = await this.processPolicies(policyRaw, true);
+        await this.enforcer.removePolicies(processedPolicies);
+        await this.aLog.auditLog({
+          message: `Deleted permission policies`,
+          eventName: auditLogger.PermissionEvents.DELETE_POLICY,
+          metadata: { policies: processedPolicies, source: "rest" },
+          stage: auditLogger.SEND_RESPONSE_STAGE,
+          status: "succeeded",
+          request,
+          response: { status: 204 }
+        });
+        response.status(204).end();
+      }
+    );
+    router.post("/policies", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityCreatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const policyRaw = request.body;
+      if (lodash.isEmpty(policyRaw)) {
+        throw new errors.InputError(`permission policy must be present`);
+      }
+      const processedPolicies = await this.processPolicies(policyRaw);
+      const entityRef = processedPolicies[0][0];
+      const roleMetadata = await this.roleMetadata.findRoleMetadata(entityRef);
+      if (entityRef.startsWith("role:default") && !roleMetadata) {
+        throw new Error(`Corresponding role ${entityRef} was not found`);
+      }
+      await this.enforcer.addPolicies(processedPolicies);
+      await this.aLog.auditLog({
+        message: `Created permission policies`,
+        eventName: auditLogger.PermissionEvents.CREATE_POLICY,
+        metadata: { policies: processedPolicies, source: "rest" },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 201 }
+      });
+      response.status(201).end();
+    });
+    router.put(
+      "/policies/:kind/:namespace/:name",
+      async (request, response) => {
+        const decision = await this.authorize(
+          request,
+          pluginRbacCommon.policyEntityUpdatePermission
+        );
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+          throw new errors.NotAllowedError();
+        }
+        const entityRef = this.getEntityReference(request);
+        const oldPolicyRaw = request.body.oldPolicy;
+        if (lodash.isEmpty(oldPolicyRaw)) {
+          throw new errors.InputError(`'oldPolicy' object must be present`);
+        }
+        const newPolicyRaw = request.body.newPolicy;
+        if (lodash.isEmpty(newPolicyRaw)) {
+          throw new errors.InputError(`'newPolicy' object must be present`);
+        }
+        [...oldPolicyRaw, ...newPolicyRaw].forEach((element) => {
+          element.entityReference = entityRef;
+        });
+        const processedOldPolicy = await this.processPolicies(
+          oldPolicyRaw,
+          true,
+          "old policy"
+        );
+        oldPolicyRaw.sort(
+          (a, b) => a.permission === b.permission ? this.nameSort(a.policy, b.policy) : this.nameSort(a.permission, b.permission)
+        );
+        newPolicyRaw.sort(
+          (a, b) => a.permission === b.permission ? this.nameSort(a.policy, b.policy) : this.nameSort(a.permission, b.permission)
+        );
+        if (lodash.isEqual(oldPolicyRaw, newPolicyRaw) && !oldPolicyRaw.some(lodash.isEmpty)) {
+          response.status(204).end();
+        } else if (oldPolicyRaw.length > newPolicyRaw.length) {
+          throw new errors.InputError(
+            `'oldPolicy' object has more permission policies compared to 'newPolicy' object`
+          );
+        }
+        const processedNewPolicy = await this.processPolicies(
+          newPolicyRaw,
+          false,
+          "new policy"
+        );
+        const roleMetadata = await this.roleMetadata.findRoleMetadata(
+          entityRef
+        );
+        if (entityRef.startsWith("role:default") && !roleMetadata) {
+          throw new Error(`Corresponding role ${entityRef} was not found`);
+        }
+        await this.enforcer.updatePolicies(
+          processedOldPolicy,
+          processedNewPolicy
+        );
+        await this.aLog.auditLog({
+          message: `Updated permission policies`,
+          eventName: auditLogger.PermissionEvents.UPDATE_POLICY,
+          metadata: { policies: processedNewPolicy, source: "rest" },
+          stage: auditLogger.SEND_RESPONSE_STAGE,
+          status: "succeeded",
+          request,
+          response: { status: 200 }
+        });
+        response.status(200).end();
+      }
+    );
+    router.get("/roles", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const roles = await this.enforcer.getGroupingPolicy();
+      const body = await this.transformRoleArray(...roles);
+      await this.aLog.auditLog({
+        message: `Return list roles`,
+        eventName: auditLogger.RoleEvents.GET_ROLE,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.get("/roles/:kind/:namespace/:name", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const roleEntityRef = this.getEntityReference(request, true);
+      const role = await this.enforcer.getFilteredGroupingPolicy(
+        1,
+        roleEntityRef
+      );
+      if (role.length !== 0) {
+        const body = await this.transformRoleArray(...role);
+        await this.aLog.auditLog({
+          message: `Return ${body[0].name}`,
+          eventName: auditLogger.RoleEvents.GET_ROLE,
+          stage: auditLogger.SEND_RESPONSE_STAGE,
+          status: "succeeded",
+          request,
+          response: { status: 200, body }
+        });
+        response.json(body);
+      } else {
+        throw new errors.NotFoundError();
+      }
+    });
+    router.post("/roles", async (request, response) => {
+      const uniqueItems = /* @__PURE__ */ new Set();
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityCreatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const roleRaw = request.body;
+      let err = policiesValidation.validateRole(roleRaw);
+      if (err) {
+        throw new errors.InputError(
+          // 400
+          `Invalid role definition. Cause: ${err.message}`
+        );
+      }
+      const rMetadata = await this.roleMetadata.findRoleMetadata(roleRaw.name);
+      err = await policiesValidation.validateSource("rest", rMetadata);
+      if (err) {
+        throw new errors.NotAllowedError(`Unable to add role: ${err.message}`);
+      }
+      const roles = this.transformRoleToArray(roleRaw);
+      for (const role of roles) {
+        if (await this.enforcer.hasGroupingPolicy(...role)) {
+          throw new errors.ConflictError();
+        }
+        const roleString = JSON.stringify(role);
+        if (uniqueItems.has(roleString)) {
+          throw new errors.ConflictError(
+            `Duplicate role members found; ${role.at(0)}, ${role.at(
+              1
+            )} is a duplicate`
+          );
+        } else {
+          uniqueItems.add(roleString);
+        }
+      }
+      const credentials = await httpAuth.credentials(request, {
+        allow: ["user"]
+      });
+      const modifiedBy = credentials.principal.userEntityRef;
+      const metadata = {
+        roleEntityRef: roleRaw.name,
+        source: "rest",
+        description: roleRaw.metadata?.description ?? "",
+        author: modifiedBy,
+        modifiedBy
+      };
+      await this.enforcer.addGroupingPolicies(roles, metadata);
+      await this.aLog.auditLog({
+        message: `Created ${metadata.roleEntityRef}`,
+        eventName: auditLogger.RoleEvents.CREATE_ROLE,
+        metadata: {
+          ...metadata,
+          members: roles.map((gp) => gp[0])
+        },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 201 }
+      });
+      response.status(201).end();
+    });
+    router.put("/roles/:kind/:namespace/:name", async (request, response) => {
+      const uniqueItems = /* @__PURE__ */ new Set();
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityUpdatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const roleEntityRef = this.getEntityReference(request, true);
+      const oldRoleRaw = request.body.oldRole;
+      if (!oldRoleRaw) {
+        throw new errors.InputError(`'oldRole' object must be present`);
+      }
+      const newRoleRaw = request.body.newRole;
+      if (!newRoleRaw) {
+        throw new errors.InputError(`'newRole' object must be present`);
+      }
+      oldRoleRaw.name = roleEntityRef;
+      let err = policiesValidation.validateRole(oldRoleRaw);
+      if (err) {
+        throw new errors.InputError(
+          // 400
+          `Invalid old role object. Cause: ${err.message}`
+        );
+      }
+      err = policiesValidation.validateRole(newRoleRaw);
+      if (err) {
+        throw new errors.InputError(
+          // 400
+          `Invalid new role object. Cause: ${err.message}`
+        );
+      }
+      const oldRole = this.transformRoleToArray(oldRoleRaw);
+      const newRole = this.transformRoleToArray(newRoleRaw);
+      const credentials = await httpAuth.credentials(request, {
+        allow: ["user"]
+      });
+      const newMetadata = {
+        ...newRoleRaw.metadata,
+        source: newRoleRaw.metadata?.source ?? "rest",
+        roleEntityRef: newRoleRaw.name,
+        modifiedBy: credentials.principal.userEntityRef
+      };
+      const oldMetadata = await this.roleMetadata.findRoleMetadata(
+        roleEntityRef
+      );
+      if (!oldMetadata) {
+        throw new errors.NotFoundError(`Unable to find metadata for ${roleEntityRef}`);
+      }
+      err = await policiesValidation.validateSource("rest", oldMetadata);
+      if (err) {
+        throw new errors.NotAllowedError(`Unable to edit role: ${err.message}`);
+      }
+      if (lodash.isEqual(oldRole, newRole) && helper.deepSortedEqual(oldMetadata, newMetadata, [
+        "author",
+        "modifiedBy",
+        "createdAt",
+        "lastModified"
+      ])) {
+        response.status(204).end();
+        return;
+      }
+      for (const role of newRole) {
+        const hasRole = oldRole.some((element) => {
+          return lodash.isEqual(element, role);
+        });
+        if (await this.enforcer.hasGroupingPolicy(...role)) {
+          if (!hasRole) {
+            throw new errors.ConflictError();
+          }
+        }
+        const roleString = JSON.stringify(role);
+        if (uniqueItems.has(roleString)) {
+          throw new errors.ConflictError(
+            `Duplicate role members found; ${role.at(0)}, ${role.at(
+              1
+            )} is a duplicate`
+          );
+        } else {
+          uniqueItems.add(roleString);
+        }
+      }
+      uniqueItems.clear();
+      for (const role of oldRole) {
+        if (!await this.enforcer.hasGroupingPolicy(...role)) {
+          throw new errors.NotFoundError(
+            `Member reference: ${role[0]} was not found for role ${roleEntityRef}`
+          );
+        }
+        const roleString = JSON.stringify(role);
+        if (uniqueItems.has(roleString)) {
+          throw new errors.ConflictError(
+            `Duplicate role members found; ${role.at(0)}, ${role.at(
+              1
+            )} is a duplicate`
+          );
+        } else {
+          uniqueItems.add(roleString);
+        }
+      }
+      await this.enforcer.updateGroupingPolicies(oldRole, newRole, newMetadata);
+      let message = `Updated ${oldMetadata.roleEntityRef}.`;
+      if (newMetadata.roleEntityRef !== oldMetadata.roleEntityRef) {
+        message = `${message}. Role entity reference renamed to ${newMetadata.roleEntityRef}`;
+      }
+      await this.aLog.auditLog({
+        message,
+        eventName: auditLogger.RoleEvents.UPDATE_ROLE,
+        metadata: {
+          ...newMetadata,
+          members: newRole.map((gp) => gp[0])
+        },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200 }
+      });
+      response.status(200).end();
+    });
+    router.delete(
+      "/roles/:kind/:namespace/:name",
+      async (request, response) => {
+        const decision = await this.authorize(
+          request,
+          pluginRbacCommon.policyEntityDeletePermission
+        );
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+          throw new errors.NotAllowedError();
+        }
+        const roleEntityRef = this.getEntityReference(request, true);
+        let roleMembers = [];
+        if (request.query.memberReferences) {
+          const memberReference = this.getFirstQuery(
+            request.query.memberReferences
+          );
+          const gp = await this.enforcer.getFilteredGroupingPolicy(
+            0,
+            memberReference,
+            roleEntityRef
+          );
+          if (gp.length > 0) {
+            roleMembers.push(gp[0]);
+          } else {
+            throw new errors.NotFoundError(
+              `role member '${memberReference}' was not found`
+            );
+          }
+        } else {
+          roleMembers = await this.enforcer.getFilteredGroupingPolicy(
+            1,
+            roleEntityRef
+          );
+        }
+        for (const role of roleMembers) {
+          if (!await this.enforcer.hasGroupingPolicy(...role)) {
+            throw new errors.NotFoundError(`role member '${role[0]}' was not found`);
+          }
+        }
+        const currentMetadata = await this.roleMetadata.findRoleMetadata(
+          roleEntityRef
+        );
+        const err = await policiesValidation.validateSource("rest", currentMetadata);
+        if (err) {
+          throw new errors.NotAllowedError(`Unable to delete role: ${err.message}`);
+        }
+        const credentials = await httpAuth.credentials(request, {
+          allow: ["user"]
+        });
+        const metadata = {
+          roleEntityRef,
+          source: "rest",
+          modifiedBy: credentials.principal.userEntityRef
+        };
+        await this.enforcer.removeGroupingPolicies(
+          roleMembers,
+          metadata,
+          false
+        );
+        await this.aLog.auditLog({
+          message: `Deleted ${metadata.roleEntityRef}`,
+          eventName: auditLogger.RoleEvents.DELETE_ROLE,
+          metadata: {
+            ...metadata,
+            members: roleMembers.map((gp) => gp[0])
+          },
+          stage: auditLogger.SEND_RESPONSE_STAGE,
+          status: "succeeded",
+          request,
+          response: { status: 204 }
+        });
+        response.status(204).end();
+      }
+    );
+    router.get("/plugins/policies", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const body = await this.pluginPermMetaData.getPluginPolicies(
+        this.options.auth
+      );
+      await this.aLog.auditLog({
+        message: `Return list plugin policies`,
+        eventName: auditLogger.ListPluginPoliciesEvents.GET_PLUGINS_POLICIES,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.get("/plugins/condition-rules", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const body = await this.pluginPermMetaData.getPluginConditionRules(
+        this.options.auth
+      );
+      await this.aLog.auditLog({
+        message: `Return list conditional rules and schemas`,
+        eventName: auditLogger.ListConditionEvents.GET_CONDITION_RULES,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.get("/roles/conditions", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const conditions = await this.conditionalStorage.filterConditions(
+        this.getFirstQuery(request.query.roleEntityRef),
+        this.getFirstQuery(request.query.pluginId),
+        this.getFirstQuery(request.query.resourceType),
+        this.getActionQueries(request.query.actions)
+      );
+      const body = conditions.map((condition) => {
+        return {
+          ...condition,
+          permissionMapping: condition.permissionMapping.map((pm) => pm.action)
+        };
+      });
+      await this.aLog.auditLog({
+        message: `Return list conditional permission policies`,
+        eventName: auditLogger.ConditionEvents.GET_CONDITION,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.post("/roles/conditions", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityCreatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const roleConditionPolicy = request.body;
+      conditionValidation.validateRoleCondition(roleConditionPolicy);
+      const conditionToCreate = await helper.processConditionMapping(
+        roleConditionPolicy,
+        this.pluginPermMetaData,
+        this.options.auth
+      );
+      const id = await this.conditionalStorage.createCondition(
+        conditionToCreate
+      );
+      const body = { id };
+      await this.aLog.auditLog({
+        message: `Created conditional permission policy`,
+        eventName: auditLogger.ConditionEvents.CREATE_CONDITION,
+        metadata: { condition: roleConditionPolicy },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 201, body }
+      });
+      response.status(201).json(body);
+    });
+    router.get("/roles/conditions/:id", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityReadPermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const id = parseInt(request.params.id, 10);
+      if (isNaN(id)) {
+        throw new errors.InputError("Id is not a valid number.");
+      }
+      const condition = await this.conditionalStorage.getCondition(id);
+      if (!condition) {
+        throw new errors.NotFoundError();
+      }
+      const body = {
+        ...condition,
+        permissionMapping: condition.permissionMapping.map((pm) => pm.action)
+      };
+      await this.aLog.auditLog({
+        message: `Return conditional permission policy by id`,
+        eventName: auditLogger.ConditionEvents.GET_CONDITION,
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200, body }
+      });
+      response.json(body);
+    });
+    router.delete("/roles/conditions/:id", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityDeletePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const id = parseInt(request.params.id, 10);
+      if (isNaN(id)) {
+        throw new errors.InputError("Id is not a valid number.");
+      }
+      const condition = await this.conditionalStorage.getCondition(id);
+      if (!condition) {
+        throw new errors.NotFoundError(`Condition with id ${id} was not found`);
+      }
+      const conditionToDelete = {
+        ...condition,
+        permissionMapping: condition.permissionMapping.map((pm) => pm.action)
+      };
+      await this.conditionalStorage.deleteCondition(id);
+      await this.aLog.auditLog({
+        message: `Deleted conditional permission policy`,
+        eventName: auditLogger.ConditionEvents.DELETE_CONDITION,
+        metadata: { condition: conditionToDelete },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 204 }
+      });
+      response.status(204).end();
+    });
+    router.put("/roles/conditions/:id", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityUpdatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      const id = parseInt(request.params.id, 10);
+      if (isNaN(id)) {
+        throw new errors.InputError("Id is not a valid number.");
+      }
+      const roleConditionPolicy = request.body;
+      conditionValidation.validateRoleCondition(roleConditionPolicy);
+      const conditionToUpdate = await helper.processConditionMapping(
+        roleConditionPolicy,
+        this.pluginPermMetaData,
+        this.options.auth
+      );
+      await this.conditionalStorage.updateCondition(id, conditionToUpdate);
+      await this.aLog.auditLog({
+        message: `Updated conditional permission policy`,
+        eventName: auditLogger.ConditionEvents.UPDATE_CONDITION,
+        metadata: { condition: roleConditionPolicy },
+        stage: auditLogger.SEND_RESPONSE_STAGE,
+        status: "succeeded",
+        request,
+        response: { status: 200 }
+      });
+      response.status(200).end();
+    });
+    router.post("/refresh/:id", async (request, response) => {
+      const decision = await this.authorize(
+        request,
+        pluginRbacCommon.policyEntityCreatePermission
+      );
+      if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+        throw new errors.NotAllowedError();
+      }
+      if (!this.rbacProviders) {
+        throw new errors.NotFoundError(`No RBAC providers were found`);
+      }
+      const idProvider = this.rbacProviders.find((provider) => {
+        const id = provider.getProviderName();
+        return id === request.params.id;
+      });
+      if (!idProvider) {
+        throw new errors.NotFoundError(
+          `The RBAC provider ${request.params.id} was not found`
+        );
+      }
+      await idProvider.refresh();
+      response.status(200).end();
+    });
+    router.use(restErrorsInterceptor.auditError(this.aLog));
+    return router;
+  }
+  getEntityReference(request, role) {
+    const kind = request.params.kind;
+    const namespace = request.params.namespace;
+    const name = request.params.name;
+    const entityRef = `${kind}:${namespace}/${name}`;
+    const err = policiesValidation.validateEntityReference(entityRef, role);
+    if (err) {
+      throw new errors.InputError(err.message);
+    }
+    return entityRef;
+  }
+  async transformPolicyArray(...policies) {
+    const roleToSourceMap = await helper.buildRoleSourceMap(
+      policies,
+      this.roleMetadata
+    );
+    const roleBasedPolices = [];
+    for (const p of policies) {
+      const [entityReference, permission, policy, effect] = p;
+      roleBasedPolices.push({
+        entityReference,
+        permission,
+        policy,
+        effect,
+        metadata: { source: roleToSourceMap.get(entityReference) }
+      });
+    }
+    return roleBasedPolices;
+  }
+  async transformRoleArray(...roles) {
+    const combinedRoles = {};
+    roles.forEach(([value, role]) => {
+      if (combinedRoles.hasOwnProperty(role)) {
+        combinedRoles[role].push(value);
+      } else {
+        combinedRoles[role] = [value];
+      }
+    });
+    const result = await Promise.all(
+      Object.entries(combinedRoles).map(async ([role, value]) => {
+        const metadataDao = await this.roleMetadata.findRoleMetadata(role);
+        const metadata = metadataDao ? roleMetadata.daoToMetadata(metadataDao) : void 0;
+        return Promise.resolve({
+          memberReferences: value,
+          name: role,
+          metadata
+        });
+      })
+    );
+    return result;
+  }
+  transformPolicyToArray(policy) {
+    return [
+      policy.entityReference,
+      policy.permission,
+      policy.policy,
+      policy.effect
+    ];
+  }
+  transformRoleToArray(role) {
+    const roles = [];
+    for (const entity of role.memberReferences) {
+      roles.push([entity, role.name]);
+    }
+    return roles;
+  }
+  getActionQueries(queryValue) {
+    if (!queryValue) {
+      return void 0;
+    }
+    if (Array.isArray(queryValue)) {
+      const permissionNames = [];
+      for (const permissionQuery of queryValue) {
+        if (typeof permissionQuery === "string" && helper.isPermissionAction(permissionQuery)) {
+          permissionNames.push(permissionQuery);
+        } else {
+          throw new errors.InputError(
+            `Invalid permission action query value: ${permissionQuery}. Permission name should be string.`
+          );
+        }
+      }
+      return permissionNames;
+    }
+    if (typeof queryValue === "string" && helper.isPermissionAction(queryValue)) {
+      return [queryValue];
+    }
+    throw new errors.InputError(
+      `Invalid permission action query value: ${queryValue}. Permission name should be string.`
+    );
+  }
+  getFirstQuery(queryValue) {
+    if (!queryValue) {
+      return "";
+    }
+    if (Array.isArray(queryValue)) {
+      if (typeof queryValue[0] === "string") {
+        return queryValue[0].toString();
+      }
+      throw new errors.InputError(`This api doesn't support nested query`);
+    }
+    if (typeof queryValue === "string") {
+      return queryValue;
+    }
+    throw new errors.InputError(`This api doesn't support nested query`);
+  }
+  isPolicyFilterEnabled(request) {
+    return !!request.query.entityRef || !!request.query.permission || !!request.query.policy || !!request.query.effect;
+  }
+  async processPolicies(policyArray, isOld, errorMessage) {
+    const policies = [];
+    const uniqueItems = /* @__PURE__ */ new Set();
+    for (const policy of policyArray) {
+      let err = policiesValidation.validatePolicy(policy);
+      if (err) {
+        throw new errors.InputError(
+          `Invalid ${errorMessage ?? "policy"} definition. Cause: ${err.message}`
+        );
+      }
+      const metadata = await this.roleMetadata.findRoleMetadata(
+        policy.entityReference
+      );
+      let action = errorMessage ? "edit" : "delete";
+      action = isOld ? action : "add";
+      err = await policiesValidation.validateSource("rest", metadata);
+      if (err) {
+        throw new errors.NotAllowedError(
+          `Unable to ${action} policy ${policy.entityReference},${policy.permission},${policy.policy},${policy.effect}: ${err.message}`
+        );
+      }
+      const transformedPolicy = this.transformPolicyToArray(policy);
+      if (isOld && !await this.enforcer.hasPolicy(...transformedPolicy)) {
+        throw new errors.NotFoundError(
+          `Policy '${helper.policyToString(transformedPolicy)}' not found`
+        );
+      }
+      if (!isOld && await this.enforcer.hasPolicy(...transformedPolicy)) {
+        throw new errors.ConflictError(
+          `Policy '${helper.policyToString(
+            transformedPolicy
+          )}' has been already stored`
+        );
+      }
+      const rowString = JSON.stringify(transformedPolicy);
+      if (uniqueItems.has(rowString)) {
+        throw new errors.ConflictError(
+          `Duplicate polices found; ${policy.entityReference}, ${policy.permission}, ${policy.policy}, ${policy.effect} is a duplicate`
+        );
+      } else {
+        uniqueItems.add(rowString);
+        policies.push(transformedPolicy);
+      }
+    }
+    return policies;
+  }
+  nameSort(nameA, nameB) {
+    if (nameA.toLocaleUpperCase("en-US") < nameB.toLocaleUpperCase("en-US")) {
+      return -1;
+    }
+    if (nameA.toLocaleUpperCase("en-US") > nameB.toLocaleUpperCase("en-US")) {
+      return 1;
+    }
+    return 0;
+  }
+}
+
+exports.PoliciesServer = PoliciesServer;
+//# sourceMappingURL=policies-rest-api.cjs.js.map