@backstage-community/plugin-rbac-backend 6.2.1 → 6.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/dist/admin-permissions/admin-creation.cjs.js +1 -0
- package/dist/admin-permissions/admin-creation.cjs.js.map +1 -1
- package/dist/database/conditional-storage.cjs.js +18 -10
- package/dist/database/conditional-storage.cjs.js.map +1 -1
- package/dist/database/role-metadata.cjs.js.map +1 -1
- package/dist/service/enforcer-delegate.cjs.js +48 -9
- package/dist/service/enforcer-delegate.cjs.js.map +1 -1
- package/dist/service/policies-rest-api.cjs.js +29 -113
- package/dist/service/policies-rest-api.cjs.js.map +1 -1
- package/dist/service/policy-builder.cjs.js +1 -0
- package/dist/service/policy-builder.cjs.js.map +1 -1
- package/package.json +1 -1
|
@@ -31,7 +31,7 @@ class PoliciesServer {
|
|
|
31
31
|
});
|
|
32
32
|
if (this.options.auth.isPrincipal(credentials, "service") && permission !== pluginRbacCommon.policyEntityReadPermission) {
|
|
33
33
|
throw new errors.NotAllowedError(
|
|
34
|
-
`Only
|
|
34
|
+
`Only credential principal with type 'user' permitted to modify permissions`
|
|
35
35
|
);
|
|
36
36
|
}
|
|
37
37
|
let decision;
|
|
@@ -44,16 +44,14 @@ class PoliciesServer {
|
|
|
44
44
|
credentials
|
|
45
45
|
}))[0];
|
|
46
46
|
}
|
|
47
|
-
|
|
47
|
+
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
48
|
+
throw new errors.NotAllowedError();
|
|
49
|
+
}
|
|
50
|
+
return { decision, credentials };
|
|
48
51
|
}
|
|
49
52
|
async serve() {
|
|
50
53
|
const router = await pluginPermissionBackend.createRouter(this.options);
|
|
51
|
-
const {
|
|
52
|
-
if (!httpAuth) {
|
|
53
|
-
throw new errors.ServiceUnavailableError(
|
|
54
|
-
"httpAuth not found, ensure the correct configuration for the RBAC plugin"
|
|
55
|
-
);
|
|
56
|
-
}
|
|
54
|
+
const { logger } = this.options;
|
|
57
55
|
const policyPermissionsIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
|
|
58
56
|
resourceType: pluginRbacCommon.RESOURCE_TYPE_POLICY_ENTITY,
|
|
59
57
|
getResources: (resourceRefs) => Promise.all(
|
|
@@ -70,13 +68,7 @@ class PoliciesServer {
|
|
|
70
68
|
return router;
|
|
71
69
|
}
|
|
72
70
|
router.get("/", async (request, response) => {
|
|
73
|
-
|
|
74
|
-
request,
|
|
75
|
-
pluginRbacCommon.policyEntityReadPermission
|
|
76
|
-
);
|
|
77
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
78
|
-
throw new errors.NotAllowedError();
|
|
79
|
-
}
|
|
71
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityReadPermission);
|
|
80
72
|
response.send({ status: "Authorized" });
|
|
81
73
|
});
|
|
82
74
|
router.get(
|
|
@@ -84,13 +76,10 @@ class PoliciesServer {
|
|
|
84
76
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
85
77
|
async (request, response) => {
|
|
86
78
|
let conditionsFilter;
|
|
87
|
-
const decision = await this.authorizeConditional(
|
|
79
|
+
const { decision } = await this.authorizeConditional(
|
|
88
80
|
request,
|
|
89
81
|
pluginRbacCommon.policyEntityReadPermission
|
|
90
82
|
);
|
|
91
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
92
|
-
throw new errors.NotAllowedError();
|
|
93
|
-
}
|
|
94
83
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
95
84
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
96
85
|
}
|
|
@@ -133,13 +122,10 @@ class PoliciesServer {
|
|
|
133
122
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
134
123
|
async (request, response) => {
|
|
135
124
|
let conditionsFilter;
|
|
136
|
-
const decision = await this.authorizeConditional(
|
|
125
|
+
const { decision } = await this.authorizeConditional(
|
|
137
126
|
request,
|
|
138
127
|
pluginRbacCommon.policyEntityReadPermission
|
|
139
128
|
);
|
|
140
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
141
|
-
throw new errors.NotAllowedError();
|
|
142
|
-
}
|
|
143
129
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
144
130
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
145
131
|
}
|
|
@@ -170,13 +156,10 @@ class PoliciesServer {
|
|
|
170
156
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
171
157
|
async (request, response) => {
|
|
172
158
|
let conditionsFilter;
|
|
173
|
-
const decision = await this.authorizeConditional(
|
|
159
|
+
const { decision } = await this.authorizeConditional(
|
|
174
160
|
request,
|
|
175
161
|
pluginRbacCommon.policyEntityDeletePermission
|
|
176
162
|
);
|
|
177
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
178
|
-
throw new errors.NotAllowedError();
|
|
179
|
-
}
|
|
180
163
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
181
164
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
182
165
|
}
|
|
@@ -203,13 +186,7 @@ class PoliciesServer {
|
|
|
203
186
|
"/policies",
|
|
204
187
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
205
188
|
async (request, response) => {
|
|
206
|
-
|
|
207
|
-
request,
|
|
208
|
-
pluginRbacCommon.policyEntityCreatePermission
|
|
209
|
-
);
|
|
210
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
211
|
-
throw new errors.NotAllowedError();
|
|
212
|
-
}
|
|
189
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityCreatePermission);
|
|
213
190
|
const policyRaw = request.body;
|
|
214
191
|
if (lodash.isEmpty(policyRaw)) {
|
|
215
192
|
throw new errors.InputError(`permission policy must be present`);
|
|
@@ -234,13 +211,10 @@ class PoliciesServer {
|
|
|
234
211
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
235
212
|
async (request, response) => {
|
|
236
213
|
let conditionsFilter;
|
|
237
|
-
const decision = await this.authorizeConditional(
|
|
214
|
+
const { decision } = await this.authorizeConditional(
|
|
238
215
|
request,
|
|
239
216
|
pluginRbacCommon.policyEntityUpdatePermission
|
|
240
217
|
);
|
|
241
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
242
|
-
throw new errors.NotAllowedError();
|
|
243
|
-
}
|
|
244
218
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
245
219
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
246
220
|
}
|
|
@@ -298,13 +272,10 @@ class PoliciesServer {
|
|
|
298
272
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
299
273
|
async (request, response) => {
|
|
300
274
|
let conditionsFilter;
|
|
301
|
-
const decision = await this.authorizeConditional(
|
|
275
|
+
const { decision } = await this.authorizeConditional(
|
|
302
276
|
request,
|
|
303
277
|
pluginRbacCommon.policyEntityReadPermission
|
|
304
278
|
);
|
|
305
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
306
|
-
throw new errors.NotAllowedError();
|
|
307
|
-
}
|
|
308
279
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
309
280
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
310
281
|
}
|
|
@@ -318,13 +289,10 @@ class PoliciesServer {
|
|
|
318
289
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
319
290
|
async (request, response) => {
|
|
320
291
|
let conditionsFilter;
|
|
321
|
-
const decision = await this.authorizeConditional(
|
|
292
|
+
const { decision } = await this.authorizeConditional(
|
|
322
293
|
request,
|
|
323
294
|
pluginRbacCommon.policyEntityReadPermission
|
|
324
295
|
);
|
|
325
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
326
|
-
throw new errors.NotAllowedError();
|
|
327
|
-
}
|
|
328
296
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
329
297
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
330
298
|
}
|
|
@@ -346,13 +314,10 @@ class PoliciesServer {
|
|
|
346
314
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
347
315
|
async (request, response) => {
|
|
348
316
|
const uniqueItems = /* @__PURE__ */ new Set();
|
|
349
|
-
const
|
|
317
|
+
const { credentials } = await this.authorizeConditional(
|
|
350
318
|
request,
|
|
351
319
|
pluginRbacCommon.policyEntityCreatePermission
|
|
352
320
|
);
|
|
353
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
354
|
-
throw new errors.NotAllowedError();
|
|
355
|
-
}
|
|
356
321
|
const roleRaw = request.body;
|
|
357
322
|
let err = policiesValidation.validateRole(roleRaw);
|
|
358
323
|
if (err) {
|
|
@@ -385,9 +350,6 @@ class PoliciesServer {
|
|
|
385
350
|
uniqueItems.add(roleString);
|
|
386
351
|
}
|
|
387
352
|
}
|
|
388
|
-
const credentials = await httpAuth.credentials(request, {
|
|
389
|
-
allow: ["user"]
|
|
390
|
-
});
|
|
391
353
|
const modifiedBy = credentials.principal.userEntityRef;
|
|
392
354
|
const metadata = {
|
|
393
355
|
roleEntityRef: roleRaw.name,
|
|
@@ -408,13 +370,10 @@ class PoliciesServer {
|
|
|
408
370
|
async (request, response) => {
|
|
409
371
|
const uniqueItems = /* @__PURE__ */ new Set();
|
|
410
372
|
let conditionsFilter;
|
|
411
|
-
const decision = await this.authorizeConditional(
|
|
373
|
+
const { decision, credentials } = await this.authorizeConditional(
|
|
412
374
|
request,
|
|
413
375
|
pluginRbacCommon.policyEntityUpdatePermission
|
|
414
376
|
);
|
|
415
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
416
|
-
throw new errors.NotAllowedError();
|
|
417
|
-
}
|
|
418
377
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
419
378
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
420
379
|
}
|
|
@@ -446,14 +405,12 @@ class PoliciesServer {
|
|
|
446
405
|
this.transformMemberReferencesToLowercase(newRoleRaw);
|
|
447
406
|
const oldRole = this.transformRoleToArray(oldRoleRaw);
|
|
448
407
|
const newRole = this.transformRoleToArray(newRoleRaw);
|
|
449
|
-
const
|
|
450
|
-
allow: ["user"]
|
|
451
|
-
});
|
|
408
|
+
const modifiedBy = credentials.principal.userEntityRef;
|
|
452
409
|
const newMetadata = {
|
|
453
410
|
...newRoleRaw.metadata,
|
|
454
411
|
source: newRoleRaw.metadata?.source ?? "rest",
|
|
455
412
|
roleEntityRef: newRoleRaw.name,
|
|
456
|
-
modifiedBy
|
|
413
|
+
modifiedBy,
|
|
457
414
|
owner: newRoleRaw.metadata?.owner ?? ""
|
|
458
415
|
};
|
|
459
416
|
const oldMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
|
|
@@ -538,13 +495,10 @@ class PoliciesServer {
|
|
|
538
495
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
539
496
|
async (request, response) => {
|
|
540
497
|
let conditionsFilter;
|
|
541
|
-
const decision = await this.authorizeConditional(
|
|
498
|
+
const { decision, credentials } = await this.authorizeConditional(
|
|
542
499
|
request,
|
|
543
500
|
pluginRbacCommon.policyEntityDeletePermission
|
|
544
501
|
);
|
|
545
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
546
|
-
throw new errors.NotAllowedError();
|
|
547
|
-
}
|
|
548
502
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
549
503
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
550
504
|
}
|
|
@@ -585,13 +539,11 @@ class PoliciesServer {
|
|
|
585
539
|
throw new errors.NotFoundError(`role member '${role[0]}' was not found`);
|
|
586
540
|
}
|
|
587
541
|
}
|
|
588
|
-
const
|
|
589
|
-
allow: ["user"]
|
|
590
|
-
});
|
|
542
|
+
const modifiedBy = credentials.principal.userEntityRef;
|
|
591
543
|
const metadata = {
|
|
592
544
|
roleEntityRef,
|
|
593
545
|
source: "rest",
|
|
594
|
-
modifiedBy
|
|
546
|
+
modifiedBy
|
|
595
547
|
};
|
|
596
548
|
await this.enforcer.removeGroupingPolicies(
|
|
597
549
|
roleMembers,
|
|
@@ -609,13 +561,7 @@ class PoliciesServer {
|
|
|
609
561
|
"/plugins/policies",
|
|
610
562
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
611
563
|
async (request, response) => {
|
|
612
|
-
|
|
613
|
-
request,
|
|
614
|
-
pluginRbacCommon.policyEntityReadPermission
|
|
615
|
-
);
|
|
616
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
617
|
-
throw new errors.NotAllowedError();
|
|
618
|
-
}
|
|
564
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityReadPermission);
|
|
619
565
|
const body = await this.pluginPermMetaData.getPluginPolicies(
|
|
620
566
|
this.options.auth
|
|
621
567
|
);
|
|
@@ -626,13 +572,7 @@ class PoliciesServer {
|
|
|
626
572
|
"/plugins/condition-rules",
|
|
627
573
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
628
574
|
async (request, response) => {
|
|
629
|
-
|
|
630
|
-
request,
|
|
631
|
-
pluginRbacCommon.policyEntityReadPermission
|
|
632
|
-
);
|
|
633
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
634
|
-
throw new errors.NotAllowedError();
|
|
635
|
-
}
|
|
575
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityReadPermission);
|
|
636
576
|
const body = await this.pluginPermMetaData.getPluginConditionRules(
|
|
637
577
|
this.options.auth
|
|
638
578
|
);
|
|
@@ -644,13 +584,10 @@ class PoliciesServer {
|
|
|
644
584
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
645
585
|
async (request, response) => {
|
|
646
586
|
let conditionsFilter;
|
|
647
|
-
const decision = await this.authorizeConditional(
|
|
587
|
+
const { decision } = await this.authorizeConditional(
|
|
648
588
|
request,
|
|
649
589
|
pluginRbacCommon.policyEntityReadPermission
|
|
650
590
|
);
|
|
651
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
652
|
-
throw new errors.NotAllowedError();
|
|
653
|
-
}
|
|
654
591
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
655
592
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
656
593
|
}
|
|
@@ -681,13 +618,7 @@ class PoliciesServer {
|
|
|
681
618
|
"/roles/conditions",
|
|
682
619
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
683
620
|
async (request, response) => {
|
|
684
|
-
|
|
685
|
-
request,
|
|
686
|
-
pluginRbacCommon.policyEntityCreatePermission
|
|
687
|
-
);
|
|
688
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
689
|
-
throw new errors.NotAllowedError();
|
|
690
|
-
}
|
|
621
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityCreatePermission);
|
|
691
622
|
const roleConditionPolicy = request.body;
|
|
692
623
|
conditionValidation.validateRoleCondition(roleConditionPolicy);
|
|
693
624
|
const conditionToCreate = await helper.processConditionMapping(
|
|
@@ -706,13 +637,10 @@ class PoliciesServer {
|
|
|
706
637
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
707
638
|
async (request, response) => {
|
|
708
639
|
let conditionsFilter;
|
|
709
|
-
const decision = await this.authorizeConditional(
|
|
640
|
+
const { decision } = await this.authorizeConditional(
|
|
710
641
|
request,
|
|
711
642
|
pluginRbacCommon.policyEntityReadPermission
|
|
712
643
|
);
|
|
713
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
714
|
-
throw new errors.NotAllowedError();
|
|
715
|
-
}
|
|
716
644
|
const id = parseInt(request.params.id, 10);
|
|
717
645
|
if (isNaN(id)) {
|
|
718
646
|
throw new errors.InputError("Id is not a valid number.");
|
|
@@ -742,13 +670,10 @@ class PoliciesServer {
|
|
|
742
670
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
743
671
|
async (request, response) => {
|
|
744
672
|
let conditionsFilter;
|
|
745
|
-
const decision = await this.authorizeConditional(
|
|
673
|
+
const { decision } = await this.authorizeConditional(
|
|
746
674
|
request,
|
|
747
675
|
pluginRbacCommon.policyEntityDeletePermission
|
|
748
676
|
);
|
|
749
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
750
|
-
throw new errors.NotAllowedError();
|
|
751
|
-
}
|
|
752
677
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
753
678
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
754
679
|
}
|
|
@@ -780,13 +705,10 @@ class PoliciesServer {
|
|
|
780
705
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
781
706
|
async (request, response) => {
|
|
782
707
|
let conditionsFilter;
|
|
783
|
-
const decision = await this.authorizeConditional(
|
|
708
|
+
const { decision } = await this.authorizeConditional(
|
|
784
709
|
request,
|
|
785
710
|
pluginRbacCommon.policyEntityUpdatePermission
|
|
786
711
|
);
|
|
787
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
788
|
-
throw new errors.NotAllowedError();
|
|
789
|
-
}
|
|
790
712
|
if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
|
|
791
713
|
conditionsFilter = conditions.transformConditions(decision.conditions);
|
|
792
714
|
}
|
|
@@ -820,13 +742,7 @@ class PoliciesServer {
|
|
|
820
742
|
"/refresh/:id",
|
|
821
743
|
restInterceptor.logAuditorEvent(this.auditor),
|
|
822
744
|
async (request, response) => {
|
|
823
|
-
|
|
824
|
-
request,
|
|
825
|
-
pluginRbacCommon.policyEntityCreatePermission
|
|
826
|
-
);
|
|
827
|
-
if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
|
|
828
|
-
throw new errors.NotAllowedError();
|
|
829
|
-
}
|
|
745
|
+
await this.authorizeConditional(request, pluginRbacCommon.policyEntityCreatePermission);
|
|
830
746
|
if (!this.rbacProviders) {
|
|
831
747
|
throw new errors.NotFoundError(`No RBAC providers were found`);
|
|
832
748
|
}
|