@backstage-community/plugin-rbac-backend 6.2.3 → 6.2.4

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 ### Dependencies
 
+## 6.2.4
+
+### Patch Changes
+
+- 298b1d4: Avoid unnecessary query to check 'relations' table in the role manager
+
 ## 6.2.3
 
 ### Patch Changes

package/dist/role-manager/ancestor-search-factory.cjs.js

@@ -0,0 +1,26 @@
+'use strict';
+
+var ancestorSearchMemoPg = require('./ancestor-search-memo-pg.cjs.js');
+var ancestorSearchMemoSqlite = require('./ancestor-search-memo-sqlite.cjs.js');
+
+class AncestorSearchFactory {
+  static async createAncestorSearchMemo(userEntityRef, config, catalogAPI, catalogDBClient, authService, maxDepth) {
+    const databaseConfig = config.getOptionalConfig("backend.database");
+    const client = databaseConfig?.getOptionalString("client");
+    if (client === "pg") {
+      return new ancestorSearchMemoPg.AncestorSearchMemoPG(userEntityRef, catalogDBClient, maxDepth);
+    }
+    if (client === "better-sqlite3") {
+      return new ancestorSearchMemoSqlite.AncestorSearchMemoSQLite(
+        userEntityRef,
+        catalogAPI,
+        authService,
+        maxDepth
+      );
+    }
+    throw new Error(`Unsupported database: ${client}`);
+  }
+}
+
+exports.AncestorSearchFactory = AncestorSearchFactory;
+//# sourceMappingURL=ancestor-search-factory.cjs.js.map

package/dist/role-manager/ancestor-search-factory.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ancestor-search-factory.cjs.js","sources":["../../src/role-manager/ancestor-search-factory.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Knex } from 'knex';\nimport { AncestorSearchMemo, ASMGroup } from './ancestor-search-memo';\nimport { AncestorSearchMemoPG } from './ancestor-search-memo-pg';\nimport { AncestorSearchMemoSQLite } from './ancestor-search-memo-sqlite';\nimport type { AuthService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport type { Config } from '@backstage/config';\n\nexport class AncestorSearchFactory {\n  static async createAncestorSearchMemo(\n    userEntityRef: string,\n    config: Config,\n    catalogAPI: CatalogApi,\n    catalogDBClient: Knex,\n    authService: AuthService,\n    maxDepth?: number,\n  ): Promise<AncestorSearchMemo<ASMGroup>> {\n    const databaseConfig = config.getOptionalConfig('backend.database');\n    const client = databaseConfig?.getOptionalString('client');\n\n    if (client === 'pg') {\n      return new AncestorSearchMemoPG(userEntityRef, catalogDBClient, maxDepth);\n    }\n\n    if (client === 'better-sqlite3') {\n      return new AncestorSearchMemoSQLite(\n        userEntityRef,\n        catalogAPI,\n        authService,\n        maxDepth,\n      );\n    }\n\n    throw new Error(`Unsupported database: ${client}`);\n  }\n}\n"],"names":["AncestorSearchMemoPG","AncestorSearchMemoSQLite"],"mappings":";;;;;AAuBO,MAAM,qBAAsB,CAAA;AAAA,EACjC,aAAa,wBACX,CAAA,aAAA,EACA,QACA,UACA,EAAA,eAAA,EACA,aACA,QACuC,EAAA;AACvC,IAAM,MAAA,cAAA,GAAiB,MAAO,CAAA,iBAAA,CAAkB,kBAAkB,CAAA;AAClE,IAAM,MAAA,MAAA,GAAS,cAAgB,EAAA,iBAAA,CAAkB,QAAQ,CAAA;AAEzD,IAAA,IAAI,WAAW,IAAM,EAAA;AACnB,MAAA,OAAO,IAAIA,yCAAA,CAAqB,aAAe,EAAA,eAAA,EAAiB,QAAQ,CAAA;AAAA;AAG1E,IAAA,IAAI,WAAW,gBAAkB,EAAA;AAC/B,MAAA,OAAO,IAAIC,iDAAA;AAAA,QACT,aAAA;AAAA,QACA,UAAA;AAAA,QACA,WAAA;AAAA,QACA;AAAA,OACF;AAAA;AAGF,IAAA,MAAM,IAAI,KAAA,CAAM,CAAyB,sBAAA,EAAA,MAAM,CAAE,CAAA,CAAA;AAAA;AAErD;;;;"}

package/dist/role-manager/ancestor-search-memo-pg.cjs.js

@@ -0,0 +1,54 @@
+'use strict';
+
+var ancestorSearchMemo = require('./ancestor-search-memo.cjs.js');
+
+class AncestorSearchMemoPG extends ancestorSearchMemo.AncestorSearchMemo {
+  constructor(userEntityRef, catalogDBClient, maxDepth) {
+    super();
+    this.userEntityRef = userEntityRef;
+    this.catalogDBClient = catalogDBClient;
+    this.maxDepth = maxDepth;
+  }
+  async getAllASMGroups() {
+    try {
+      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where("type", "childOf");
+      return rows;
+    } catch (error) {
+      return [];
+    }
+  }
+  async getUserASMGroups() {
+    try {
+      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where({ type: "memberOf", source_entity_ref: this.userEntityRef });
+      return rows;
+    } catch (error) {
+      return [];
+    }
+  }
+  traverse(relation, allRelations, current_depth) {
+    if (this.maxDepth !== undefined && current_depth >= this.maxDepth + 1) {
+      return;
+    }
+    const depth = current_depth + 1;
+    if (!super.hasEntityRef(relation.source_entity_ref)) {
+      super.setNode(relation.source_entity_ref);
+    }
+    super.setEdge(relation.target_entity_ref, relation.source_entity_ref);
+    const parentGroup = allRelations.find(
+      (g) => g.source_entity_ref === relation.target_entity_ref
+    );
+    if (parentGroup && super.isAcyclic()) {
+      this.traverse(parentGroup, allRelations, depth);
+    }
+  }
+  async buildUserGraph() {
+    const userRelations = await this.getUserASMGroups();
+    const allRelations = await this.getAllASMGroups();
+    userRelations.forEach(
+      (group) => this.traverse(group, allRelations, 0)
+    );
+  }
+}
+
+exports.AncestorSearchMemoPG = AncestorSearchMemoPG;
+//# sourceMappingURL=ancestor-search-memo-pg.cjs.js.map

package/dist/role-manager/ancestor-search-memo-pg.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ancestor-search-memo-pg.cjs.js","sources":["../../src/role-manager/ancestor-search-memo-pg.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Knex } from 'knex';\nimport { AncestorSearchMemo, Relation } from './ancestor-search-memo';\n\nexport class AncestorSearchMemoPG extends AncestorSearchMemo<Relation> {\n  constructor(\n    private readonly userEntityRef: string,\n    private readonly catalogDBClient: Knex,\n    private readonly maxDepth?: number,\n  ) {\n    super();\n  }\n\n  async getAllASMGroups(): Promise<Relation[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where('type', 'childOf');\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  async getUserASMGroups(): Promise<Relation[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where({ type: 'memberOf', source_entity_ref: this.userEntityRef });\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  traverse(\n    relation: Relation,\n    allRelations: Relation[],\n    current_depth: number,\n  ) {\n    // We add one to the maxDepth here because the user is considered the starting node\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth + 1) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    if (!super.hasEntityRef(relation.source_entity_ref)) {\n      super.setNode(relation.source_entity_ref);\n    }\n\n    super.setEdge(relation.target_entity_ref, relation.source_entity_ref);\n\n    const parentGroup = allRelations.find(\n      g => g.source_entity_ref === relation.target_entity_ref,\n    );\n\n    if (parentGroup && super.isAcyclic()) {\n      this.traverse(parentGroup, allRelations, depth);\n    }\n  }\n\n  async buildUserGraph() {\n    const userRelations = await this.getUserASMGroups();\n    const allRelations = await this.getAllASMGroups();\n    userRelations.forEach(group =>\n      this.traverse(group as Relation, allRelations as Relation[], 0),\n    );\n  }\n}\n"],"names":["AncestorSearchMemo"],"mappings":";;;;AAmBO,MAAM,6BAA6BA,qCAA6B,CAAA;AAAA,EACrE,WAAA,CACmB,aACA,EAAA,eAAA,EACA,QACjB,EAAA;AACA,IAAM,KAAA,EAAA;AAJW,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA;AAGnB,EAEA,MAAM,eAAuC,GAAA;AAC3C,IAAI,IAAA;AACF,MAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,eAAA,CAAgB,WAAW,CAAA,CAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,KAAM,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC1B,MAAO,OAAA,IAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC;AAAA;AACV;AACF,EAEA,MAAM,gBAAwC,GAAA;AAC5C,IAAI,IAAA;AACF,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,eAAgB,CAAA,WAAW,EAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,MAAM,EAAE,IAAA,EAAM,YAAY,iBAAmB,EAAA,IAAA,CAAK,eAAe,CAAA;AACpE,MAAO,OAAA,IAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC;AAAA;AACV;AACF,EAEA,QAAA,CACE,QACA,EAAA,YAAA,EACA,aACA,EAAA;AAEA,IAAA,IAAI,KAAK,QAAa,KAAA,SAAA,IAAa,aAAiB,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrE,MAAA;AAAA;AAEF,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,KAAA,CAAM,YAAa,CAAA,QAAA,CAAS,iBAAiB,CAAG,EAAA;AACnD,MAAM,KAAA,CAAA,OAAA,CAAQ,SAAS,iBAAiB,CAAA;AAAA;AAG1C,IAAA,KAAA,CAAM,OAAQ,CAAA,QAAA,CAAS,iBAAmB,EAAA,QAAA,CAAS,iBAAiB,CAAA;AAEpE,IAAA,MAAM,cAAc,YAAa,CAAA,IAAA;AAAA,MAC/B,CAAA,CAAA,KAAK,CAAE,CAAA,iBAAA,KAAsB,QAAS,CAAA;AAAA,KACxC;AAEA,IAAI,IAAA,WAAA,IAAe,KAAM,CAAA,SAAA,EAAa,EAAA;AACpC,MAAK,IAAA,CAAA,QAAA,CAAS,WAAa,EAAA,YAAA,EAAc,KAAK,CAAA;AAAA;AAChD;AACF,EAEA,MAAM,cAAiB,GAAA;AACrB,IAAM,MAAA,aAAA,GAAgB,MAAM,IAAA,CAAK,gBAAiB,EAAA;AAClD,IAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,eAAgB,EAAA;AAChD,IAAc,aAAA,CAAA,OAAA;AAAA,MAAQ,CACpB,KAAA,KAAA,IAAA,CAAK,QAAS,CAAA,KAAA,EAAmB,cAA4B,CAAC;AAAA,KAChE;AAAA;AAEJ;;;;"}

package/dist/role-manager/ancestor-search-memo-sqlite.cjs.js

@@ -0,0 +1,74 @@
+'use strict';
+
+var ancestorSearchMemo = require('./ancestor-search-memo.cjs.js');
+
+class AncestorSearchMemoSQLite extends ancestorSearchMemo.AncestorSearchMemo {
+  constructor(userEntityRef, catalogApi, auth, maxDepth) {
+    super();
+    this.userEntityRef = userEntityRef;
+    this.catalogApi = catalogApi;
+    this.auth = auth;
+    this.maxDepth = maxDepth;
+  }
+  async getAllASMGroups() {
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities(
+      {
+        filter: { kind: "Group" },
+        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
+      },
+      { token }
+    );
+    return items;
+  }
+  async getUserASMGroups() {
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities(
+      {
+        filter: { kind: "Group", "relations.hasMember": this.userEntityRef },
+        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
+      },
+      { token }
+    );
+    return items;
+  }
+  traverse(group, allGroups, current_depth) {
+    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(
+      "en-US"
+    )}/${group.metadata.name.toLocaleLowerCase("en-US")}`;
+    if (!super.hasEntityRef(groupName)) {
+      super.setNode(groupName);
+    }
+    if (this.maxDepth !== undefined && current_depth >= this.maxDepth) {
+      return;
+    }
+    const depth = current_depth + 1;
+    const parent = group.spec?.parent;
+    const parentGroup = allGroups.find((g) => g.metadata.name === parent);
+    if (parentGroup) {
+      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(
+        "en-US"
+      )}/${parentGroup.metadata.name.toLocaleLowerCase("en-US")}`;
+      super.setEdge(parentName, groupName);
+      if (super.isAcyclic()) {
+        this.traverse(parentGroup, allGroups, depth);
+      }
+    }
+  }
+  async buildUserGraph() {
+    const userGroups = await this.getUserASMGroups();
+    const allGroups = await this.getAllASMGroups();
+    userGroups.forEach(
+      (group) => this.traverse(group, allGroups, 0)
+    );
+  }
+}
+
+exports.AncestorSearchMemoSQLite = AncestorSearchMemoSQLite;
+//# sourceMappingURL=ancestor-search-memo-sqlite.cjs.js.map

package/dist/role-manager/ancestor-search-memo-sqlite.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ancestor-search-memo-sqlite.cjs.js","sources":["../../src/role-manager/ancestor-search-memo-sqlite.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport type { Entity } from '@backstage/catalog-model';\n\nimport { AncestorSearchMemo } from './ancestor-search-memo';\n\nexport class AncestorSearchMemoSQLite extends AncestorSearchMemo<Entity> {\n  constructor(\n    private readonly userEntityRef: string,\n    private readonly catalogApi: CatalogApi,\n    private readonly auth: AuthService,\n    private readonly maxDepth?: number,\n  ) {\n    super();\n  }\n\n  async getAllASMGroups(): Promise<Entity[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group' },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  async getUserASMGroups(): Promise<Entity[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group', 'relations.hasMember': this.userEntityRef },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  traverse(group: Entity, allGroups: Entity[], current_depth: number) {\n    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n      'en-US',\n    )}/${group.metadata.name.toLocaleLowerCase('en-US')}`;\n    if (!super.hasEntityRef(groupName)) {\n      super.setNode(groupName);\n    }\n\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    const parent = group.spec?.parent as string;\n    const parentGroup = allGroups.find(g => g.metadata.name === parent);\n\n    if (parentGroup) {\n      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n        'en-US',\n      )}/${parentGroup.metadata.name.toLocaleLowerCase('en-US')}`;\n      super.setEdge(parentName, groupName);\n\n      if (super.isAcyclic()) {\n        this.traverse(parentGroup, allGroups, depth);\n      }\n    }\n  }\n\n  async buildUserGraph() {\n    const userGroups = await this.getUserASMGroups();\n    const allGroups = await this.getAllASMGroups();\n    userGroups.forEach(group =>\n      this.traverse(group as Entity, allGroups as Entity[], 0),\n    );\n  }\n}\n"],"names":["AncestorSearchMemo"],"mappings":";;;;AAqBO,MAAM,iCAAiCA,qCAA2B,CAAA;AAAA,EACvE,WACmB,CAAA,aAAA,EACA,UACA,EAAA,IAAA,EACA,QACjB,EAAA;AACA,IAAM,KAAA,EAAA;AALW,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AACA,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA;AAGnB,EAEA,MAAM,eAAqC,GAAA;AACzC,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA;AAAA,KACjB,CAAA;AAED,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,QACxB,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM;AAAA,KACV;AACA,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,MAAM,gBAAsC,GAAA;AAC1C,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA;AAAA,KACjB,CAAA;AACD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,QAAQ,EAAE,IAAA,EAAM,OAAS,EAAA,qBAAA,EAAuB,KAAK,aAAc,EAAA;AAAA,QACnE,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM;AAAA,KACV;AACA,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,QAAA,CAAS,KAAe,EAAA,SAAA,EAAqB,aAAuB,EAAA;AAClE,IAAA,MAAM,SAAY,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,MACnD;AAAA,KACD,CAAI,CAAA,EAAA,KAAA,CAAM,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,CAAM,YAAa,CAAA,SAAS,CAAG,EAAA;AAClC,MAAA,KAAA,CAAM,QAAQ,SAAS,CAAA;AAAA;AAGzB,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,aAAA,IAAiB,KAAK,QAAU,EAAA;AACjE,MAAA;AAAA;AAEF,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA;AAE9B,IAAM,MAAA,MAAA,GAAS,MAAM,IAAM,EAAA,MAAA;AAC3B,IAAA,MAAM,cAAc,SAAU,CAAA,IAAA,CAAK,OAAK,CAAE,CAAA,QAAA,CAAS,SAAS,MAAM,CAAA;AAElE,IAAA,IAAI,WAAa,EAAA;AACf,MAAA,MAAM,UAAa,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,QACpD;AAAA,OACD,CAAI,CAAA,EAAA,WAAA,CAAY,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA;AACzD,MAAM,KAAA,CAAA,OAAA,CAAQ,YAAY,SAAS,CAAA;AAEnC,MAAI,IAAA,KAAA,CAAM,WAAa,EAAA;AACrB,QAAK,IAAA,CAAA,QAAA,CAAS,WAAa,EAAA,SAAA,EAAW,KAAK,CAAA;AAAA;AAC7C;AACF;AACF,EAEA,MAAM,cAAiB,GAAA;AACrB,IAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,gBAAiB,EAAA;AAC/C,IAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,eAAgB,EAAA;AAC7C,IAAW,UAAA,CAAA,OAAA;AAAA,MAAQ,CACjB,KAAA,KAAA,IAAA,CAAK,QAAS,CAAA,KAAA,EAAiB,WAAuB,CAAC;AAAA,KACzD;AAAA;AAEJ;;;;"}

package/dist/role-manager/ancestor-search-memo.cjs.js

@@ -4,18 +4,8 @@ var graphlib = require('@dagrejs/graphlib');
 
 class AncestorSearchMemo {
   graph;
-  catalogApi;
-  catalogDBClient;
-  auth;
-  userEntityRef;
-  maxDepth;
-  constructor(userEntityRef, catalogApi, catalogDBClient, auth, maxDepth) {
+  constructor() {
     this.graph = new graphlib.Graph({ directed: true });
-    this.userEntityRef = userEntityRef;
-    this.catalogApi = catalogApi;
-    this.catalogDBClient = catalogDBClient;
-    this.auth = auth;
-    this.maxDepth = maxDepth;
   }
   isAcyclic() {
     return graphlib.alg.isAcyclic(this.graph);
@@ -43,116 +33,6 @@ class AncestorSearchMemo {
   getNodes() {
     return this.graph.nodes();
   }
-  async doesRelationTableExist() {
-    try {
-      return await this.catalogDBClient.schema.hasTable("relations");
-    } catch (error) {
-      return false;
-    }
-  }
-  async getAllGroups() {
-    const { token } = await this.auth.getPluginRequestToken({
-      onBehalfOf: await this.auth.getOwnServiceCredentials(),
-      targetPluginId: "catalog"
-    });
-    const { items } = await this.catalogApi.getEntities(
-      {
-        filter: { kind: "Group" },
-        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
-      },
-      { token }
-    );
-    return items;
-  }
-  async getAllRelations() {
-    try {
-      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where("type", "childOf");
-      return rows;
-    } catch (error) {
-      return [];
-    }
-  }
-  async getUserGroups() {
-    const { token } = await this.auth.getPluginRequestToken({
-      onBehalfOf: await this.auth.getOwnServiceCredentials(),
-      targetPluginId: "catalog"
-    });
-    const { items } = await this.catalogApi.getEntities(
-      {
-        filter: { kind: "Group", "relations.hasMember": this.userEntityRef },
-        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
-      },
-      { token }
-    );
-    return items;
-  }
-  async getUserRelations() {
-    try {
-      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where({ type: "memberOf", source_entity_ref: this.userEntityRef });
-      return rows;
-    } catch (error) {
-      return [];
-    }
-  }
-  traverseGroups(memo, group, allGroups, current_depth) {
-    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(
-      "en-US"
-    )}/${group.metadata.name.toLocaleLowerCase("en-US")}`;
-    if (!memo.hasEntityRef(groupName)) {
-      memo.setNode(groupName);
-    }
-    if (this.maxDepth !== undefined && current_depth >= this.maxDepth) {
-      return;
-    }
-    const depth = current_depth + 1;
-    const parent = group.spec?.parent;
-    const parentGroup = allGroups.find((g) => g.metadata.name === parent);
-    if (parentGroup) {
-      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(
-        "en-US"
-      )}/${parentGroup.metadata.name.toLocaleLowerCase("en-US")}`;
-      memo.setEdge(parentName, groupName);
-      if (memo.isAcyclic()) {
-        this.traverseGroups(memo, parentGroup, allGroups, depth);
-      }
-    }
-  }
-  traverseRelations(memo, relation, allRelations, current_depth) {
-    if (this.maxDepth !== undefined && current_depth >= this.maxDepth + 1) {
-      return;
-    }
-    const depth = current_depth + 1;
-    if (!memo.hasEntityRef(relation.source_entity_ref)) {
-      memo.setNode(relation.source_entity_ref);
-    }
-    memo.setEdge(relation.target_entity_ref, relation.source_entity_ref);
-    const parentGroup = allRelations.find(
-      (g) => g.source_entity_ref === relation.target_entity_ref
-    );
-    if (parentGroup && memo.isAcyclic()) {
-      this.traverseRelations(memo, parentGroup, allRelations, depth);
-    }
-  }
-  async buildUserGraph(memo) {
-    if (await this.doesRelationTableExist()) {
-      const userRelations = await this.getUserRelations();
-      const allRelations = await this.getAllRelations();
-      userRelations.forEach(
-        (group) => this.traverseRelations(
-          memo,
-          group,
-          allRelations,
-          0
-        )
-      );
-    } else {
-      const userGroups = await this.getUserGroups();
-      const allGroups = await this.getAllGroups();
-      userGroups.forEach(
-        (group) => this.traverseGroups(memo, group, allGroups, 0)
-      );
-    }
-  }
 }
 
 exports.AncestorSearchMemo = AncestorSearchMemo;

package/dist/role-manager/ancestor-search-memo.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"ancestor-search-memo.cjs.js","sources":["../../src/role-manager/ancestor-search-memo.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport type { Entity } from '@backstage/catalog-model';\n\nimport { alg, Graph } from '@dagrejs/graphlib';\nimport { Knex } from 'knex';\n\nexport interface Relation {\n  source_entity_ref: string;\n  target_entity_ref: string;\n}\n\nexport type ASMGroup = Relation | Entity;\n\n// AncestorSearchMemo - should be used to build group hierarchy graph for User entity reference.\n// It supports search group entity reference link in the graph.\n// Also AncestorSearchMemo supports detection cycle dependencies between groups in the graph.\n//\nexport class AncestorSearchMemo {\n  private graph: Graph;\n\n  private catalogApi: CatalogApi;\n  private catalogDBClient: Knex;\n  private auth: AuthService;\n\n  private userEntityRef: string;\n  private maxDepth?: number;\n\n  constructor(\n    userEntityRef: string,\n    catalogApi: CatalogApi,\n    catalogDBClient: Knex,\n    auth: AuthService,\n    maxDepth?: number,\n  ) {\n    this.graph = new Graph({ directed: true });\n    this.userEntityRef = userEntityRef;\n    this.catalogApi = catalogApi;\n    this.catalogDBClient = catalogDBClient;\n    this.auth = auth;\n    this.maxDepth = maxDepth;\n  }\n\n  isAcyclic(): boolean {\n    return alg.isAcyclic(this.graph);\n  }\n\n  findCycles(): string[][] {\n    return alg.findCycles(this.graph);\n  }\n\n  setEdge(parentEntityRef: string, childEntityRef: string) {\n    this.graph.setEdge(parentEntityRef, childEntityRef);\n  }\n\n  setNode(entityRef: string): void {\n    this.graph.setNode(entityRef);\n  }\n\n  hasEntityRef(groupRef: string): boolean {\n    return this.graph.hasNode(groupRef);\n  }\n\n  debugNodesAndEdges(logger: LoggerService, userEntity: string): void {\n    logger.debug(\n      `SubGraph edges: ${JSON.stringify(this.graph.edges())} for ${userEntity}`,\n    );\n    logger.debug(\n      `SubGraph nodes: ${JSON.stringify(this.graph.nodes())} for ${userEntity}`,\n    );\n  }\n\n  getNodes(): string[] {\n    return this.graph.nodes();\n  }\n\n  async doesRelationTableExist(): Promise<boolean> {\n    try {\n      return await this.catalogDBClient.schema.hasTable('relations');\n    } catch (error) {\n      return false;\n    }\n  }\n\n  async getAllGroups(): Promise<ASMGroup[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group' },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  async getAllRelations(): Promise<ASMGroup[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where('type', 'childOf');\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  async getUserGroups(): Promise<ASMGroup[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group', 'relations.hasMember': this.userEntityRef },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  async getUserRelations(): Promise<ASMGroup[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where({ type: 'memberOf', source_entity_ref: this.userEntityRef });\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  traverseGroups(\n    memo: AncestorSearchMemo,\n    group: Entity,\n    allGroups: Entity[],\n    current_depth: number,\n  ) {\n    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n      'en-US',\n    )}/${group.metadata.name.toLocaleLowerCase('en-US')}`;\n    if (!memo.hasEntityRef(groupName)) {\n      memo.setNode(groupName);\n    }\n\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    const parent = group.spec?.parent as string;\n    const parentGroup = allGroups.find(g => g.metadata.name === parent);\n\n    if (parentGroup) {\n      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n        'en-US',\n      )}/${parentGroup.metadata.name.toLocaleLowerCase('en-US')}`;\n      memo.setEdge(parentName, groupName);\n\n      if (memo.isAcyclic()) {\n        this.traverseGroups(memo, parentGroup, allGroups, depth);\n      }\n    }\n  }\n\n  traverseRelations(\n    memo: AncestorSearchMemo,\n    relation: Relation,\n    allRelations: Relation[],\n    current_depth: number,\n  ) {\n    // We add one to the maxDepth here because the user is considered the starting node\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth + 1) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    if (!memo.hasEntityRef(relation.source_entity_ref)) {\n      memo.setNode(relation.source_entity_ref);\n    }\n\n    memo.setEdge(relation.target_entity_ref, relation.source_entity_ref);\n\n    const parentGroup = allRelations.find(\n      g => g.source_entity_ref === relation.target_entity_ref,\n    );\n\n    if (parentGroup && memo.isAcyclic()) {\n      this.traverseRelations(memo, parentGroup, allRelations, depth);\n    }\n  }\n\n  async buildUserGraph(memo: AncestorSearchMemo) {\n    if (await this.doesRelationTableExist()) {\n      const userRelations = await this.getUserRelations();\n      const allRelations = await this.getAllRelations();\n      userRelations.forEach(group =>\n        this.traverseRelations(\n          memo,\n          group as Relation,\n          allRelations as Relation[],\n          0,\n        ),\n      );\n    } else {\n      const userGroups = await this.getUserGroups();\n      const allGroups = await this.getAllGroups();\n      userGroups.forEach(group =>\n        this.traverseGroups(memo, group as Entity, allGroups as Entity[], 0),\n      );\n    }\n  }\n}\n"],"names":["Graph","alg"],"mappings":";;;;AAiCO,MAAM,kBAAmB,CAAA;AAAA,EACtB,KAAA;AAAA,EAEA,UAAA;AAAA,EACA,eAAA;AAAA,EACA,IAAA;AAAA,EAEA,aAAA;AAAA,EACA,QAAA;AAAA,EAER,WACE,CAAA,aAAA,EACA,UACA,EAAA,eAAA,EACA,MACA,QACA,EAAA;AACA,IAAA,IAAA,CAAK,QAAQ,IAAIA,cAAA,CAAM,EAAE,QAAA,EAAU,MAAM,CAAA;AACzC,IAAA,IAAA,CAAK,aAAgB,GAAA,aAAA;AACrB,IAAA,IAAA,CAAK,UAAa,GAAA,UAAA;AAClB,IAAA,IAAA,CAAK,eAAkB,GAAA,eAAA;AACvB,IAAA,IAAA,CAAK,IAAO,GAAA,IAAA;AACZ,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA;AAAA;AAClB,EAEA,SAAqB,GAAA;AACnB,IAAO,OAAAC,YAAA,CAAI,SAAU,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA;AACjC,EAEA,UAAyB,GAAA;AACvB,IAAO,OAAAA,YAAA,CAAI,UAAW,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA;AAClC,EAEA,OAAA,CAAQ,iBAAyB,cAAwB,EAAA;AACvD,IAAK,IAAA,CAAA,KAAA,CAAM,OAAQ,CAAA,eAAA,EAAiB,cAAc,CAAA;AAAA;AACpD,EAEA,QAAQ,SAAyB,EAAA;AAC/B,IAAK,IAAA,CAAA,KAAA,CAAM,QAAQ,SAAS,CAAA;AAAA;AAC9B,EAEA,aAAa,QAA2B,EAAA;AACtC,IAAO,OAAA,IAAA,CAAK,KAAM,CAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA;AACpC,EAEA,kBAAA,CAAmB,QAAuB,UAA0B,EAAA;AAClE,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA;AAAA,KACzE;AACA,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA;AAAA,KACzE;AAAA;AACF,EAEA,QAAqB,GAAA;AACnB,IAAO,OAAA,IAAA,CAAK,MAAM,KAAM,EAAA;AAAA;AAC1B,EAEA,MAAM,sBAA2C,GAAA;AAC/C,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,eAAgB,CAAA,MAAA,CAAO,SAAS,WAAW,CAAA;AAAA,aACtD,KAAO,EAAA;AACd,MAAO,OAAA,KAAA;AAAA;AACT;AACF,EAEA,MAAM,YAAoC,GAAA;AACxC,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA;AAAA,KACjB,CAAA;AAED,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,QACxB,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM;AAAA,KACV;AACA,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,MAAM,eAAuC,GAAA;AAC3C,IAAI,IAAA;AACF,MAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,eAAA,CAAgB,WAAW,CAAA,CAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,KAAM,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC1B,MAAO,OAAA,IAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC;AAAA;AACV;AACF,EAEA,MAAM,aAAqC,GAAA;AACzC,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA;AAAA,KACjB,CAAA;AACD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,QAAQ,EAAE,IAAA,EAAM,OAAS,EAAA,qBAAA,EAAuB,KAAK,aAAc,EAAA;AAAA,QACnE,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM;AAAA,KACV;AACA,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,MAAM,gBAAwC,GAAA;AAC5C,IAAI,IAAA;AACF,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,eAAgB,CAAA,WAAW,EAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,MAAM,EAAE,IAAA,EAAM,YAAY,iBAAmB,EAAA,IAAA,CAAK,eAAe,CAAA;AACpE,MAAO,OAAA,IAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC;AAAA;AACV;AACF,EAEA,cACE,CAAA,IAAA,EACA,KACA,EAAA,SAAA,EACA,aACA,EAAA;AACA,IAAA,MAAM,SAAY,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,MACnD;AAAA,KACD,CAAI,CAAA,EAAA,KAAA,CAAM,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA;AACnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAa,CAAA,SAAS,CAAG,EAAA;AACjC,MAAA,IAAA,CAAK,QAAQ,SAAS,CAAA;AAAA;AAGxB,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,aAAA,IAAiB,KAAK,QAAU,EAAA;AACjE,MAAA;AAAA;AAEF,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA;AAE9B,IAAM,MAAA,MAAA,GAAS,MAAM,IAAM,EAAA,MAAA;AAC3B,IAAA,MAAM,cAAc,SAAU,CAAA,IAAA,CAAK,OAAK,CAAE,CAAA,QAAA,CAAS,SAAS,MAAM,CAAA;AAElE,IAAA,IAAI,WAAa,EAAA;AACf,MAAA,MAAM,UAAa,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,QACpD;AAAA,OACD,CAAI,CAAA,EAAA,WAAA,CAAY,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA;AACzD,MAAK,IAAA,CAAA,OAAA,CAAQ,YAAY,SAAS,CAAA;AAElC,MAAI,IAAA,IAAA,CAAK,WAAa,EAAA;AACpB,QAAA,IAAA,CAAK,cAAe,CAAA,IAAA,EAAM,WAAa,EAAA,SAAA,EAAW,KAAK,CAAA;AAAA;AACzD;AACF;AACF,EAEA,iBACE,CAAA,IAAA,EACA,QACA,EAAA,YAAA,EACA,aACA,EAAA;AAEA,IAAA,IAAI,KAAK,QAAa,KAAA,SAAA,IAAa,aAAiB,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrE,MAAA;AAAA;AAEF,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAA,CAAK,YAAa,CAAA,QAAA,CAAS,iBAAiB,CAAG,EAAA;AAClD,MAAK,IAAA,CAAA,OAAA,CAAQ,SAAS,iBAAiB,CAAA;AAAA;AAGzC,IAAA,IAAA,CAAK,OAAQ,CAAA,QAAA,CAAS,iBAAmB,EAAA,QAAA,CAAS,iBAAiB,CAAA;AAEnE,IAAA,MAAM,cAAc,YAAa,CAAA,IAAA;AAAA,MAC/B,CAAA,CAAA,KAAK,CAAE,CAAA,iBAAA,KAAsB,QAAS,CAAA;AAAA,KACxC;AAEA,IAAI,IAAA,WAAA,IAAe,IAAK,CAAA,SAAA,EAAa,EAAA;AACnC,MAAA,IAAA,CAAK,iBAAkB,CAAA,IAAA,EAAM,WAAa,EAAA,YAAA,EAAc,KAAK,CAAA;AAAA;AAC/D;AACF,EAEA,MAAM,eAAe,IAA0B,EAAA;AAC7C,IAAI,IAAA,MAAM,IAAK,CAAA,sBAAA,EAA0B,EAAA;AACvC,MAAM,MAAA,aAAA,GAAgB,MAAM,IAAA,CAAK,gBAAiB,EAAA;AAClD,MAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,eAAgB,EAAA;AAChD,MAAc,aAAA,CAAA,OAAA;AAAA,QAAQ,WACpB,IAAK,CAAA,iBAAA;AAAA,UACH,IAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,KACK,MAAA;AACL,MAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,aAAc,EAAA;AAC5C,MAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,EAAA;AAC1C,MAAW,UAAA,CAAA,OAAA;AAAA,QAAQ,WACjB,IAAK,CAAA,cAAA,CAAe,IAAM,EAAA,KAAA,EAAiB,WAAuB,CAAC;AAAA,OACrE;AAAA;AACF;AAEJ;;;;"}
+{"version":3,"file":"ancestor-search-memo.cjs.js","sources":["../../src/role-manager/ancestor-search-memo.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { LoggerService } from '@backstage/backend-plugin-api';\nimport type { Entity } from '@backstage/catalog-model';\n\nimport { alg, Graph } from '@dagrejs/graphlib';\n\nexport interface Relation {\n  source_entity_ref: string;\n  target_entity_ref: string;\n}\n\nexport type ASMGroup = Relation | Entity;\n\n// AncestorSearchMemo - should be used to build group hierarchy graph for User entity reference.\n// It supports search group entity reference link in the graph.\n// Also AncestorSearchMemo supports detection cycle dependencies between groups in the graph.\n//\nexport abstract class AncestorSearchMemo<T extends ASMGroup> {\n  protected graph: Graph;\n\n  constructor() {\n    this.graph = new Graph({ directed: true });\n  }\n\n  isAcyclic(): boolean {\n    return alg.isAcyclic(this.graph);\n  }\n\n  findCycles(): string[][] {\n    return alg.findCycles(this.graph);\n  }\n\n  setEdge(parentEntityRef: string, childEntityRef: string) {\n    this.graph.setEdge(parentEntityRef, childEntityRef);\n  }\n\n  setNode(entityRef: string): void {\n    this.graph.setNode(entityRef);\n  }\n\n  hasEntityRef(groupRef: string): boolean {\n    return this.graph.hasNode(groupRef);\n  }\n\n  debugNodesAndEdges(logger: LoggerService, userEntity: string): void {\n    logger.debug(\n      `SubGraph edges: ${JSON.stringify(this.graph.edges())} for ${userEntity}`,\n    );\n    logger.debug(\n      `SubGraph nodes: ${JSON.stringify(this.graph.nodes())} for ${userEntity}`,\n    );\n  }\n\n  getNodes(): string[] {\n    return this.graph.nodes();\n  }\n\n  abstract traverse(\n    relation: T,\n    allRelations: T[],\n    current_depth: number,\n  ): void;\n\n  abstract buildUserGraph(): Promise<void>;\n\n  abstract getUserASMGroups(): Promise<T[]>;\n\n  abstract getAllASMGroups(): Promise<T[]>;\n}\n"],"names":["Graph","alg"],"mappings":";;;;AA+BO,MAAe,kBAAuC,CAAA;AAAA,EACjD,KAAA;AAAA,EAEV,WAAc,GAAA;AACZ,IAAA,IAAA,CAAK,QAAQ,IAAIA,cAAA,CAAM,EAAE,QAAA,EAAU,MAAM,CAAA;AAAA;AAC3C,EAEA,SAAqB,GAAA;AACnB,IAAO,OAAAC,YAAA,CAAI,SAAU,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA;AACjC,EAEA,UAAyB,GAAA;AACvB,IAAO,OAAAA,YAAA,CAAI,UAAW,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA;AAClC,EAEA,OAAA,CAAQ,iBAAyB,cAAwB,EAAA;AACvD,IAAK,IAAA,CAAA,KAAA,CAAM,OAAQ,CAAA,eAAA,EAAiB,cAAc,CAAA;AAAA;AACpD,EAEA,QAAQ,SAAyB,EAAA;AAC/B,IAAK,IAAA,CAAA,KAAA,CAAM,QAAQ,SAAS,CAAA;AAAA;AAC9B,EAEA,aAAa,QAA2B,EAAA;AACtC,IAAO,OAAA,IAAA,CAAK,KAAM,CAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA;AACpC,EAEA,kBAAA,CAAmB,QAAuB,UAA0B,EAAA;AAClE,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA;AAAA,KACzE;AACA,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA;AAAA,KACzE;AAAA;AACF,EAEA,QAAqB,GAAA;AACnB,IAAO,OAAA,IAAA,CAAK,MAAM,KAAM,EAAA;AAAA;AAc5B;;;;"}

package/dist/role-manager/role-manager.cjs.js

@@ -1,8 +1,8 @@
 'use strict';
 
 var catalogModel = require('@backstage/catalog-model');
-var ancestorSearchMemo = require('./ancestor-search-memo.cjs.js');
 var memberList = require('./member-list.cjs.js');
+var ancestorSearchFactory = require('./ancestor-search-factory.cjs.js');
 
 class BackstageRoleManager {
   constructor(catalogApi, logger, catalogDBClient, rbacDBClient, config, auth) {
@@ -97,14 +97,15 @@ class BackstageRoleManager {
       return false;
     }
     if (kind.toLocaleLowerCase() === "group") {
-      const memo = new ancestorSearchMemo.AncestorSearchMemo(
+      const memo = await ancestorSearchFactory.AncestorSearchFactory.createAncestorSearchMemo(
         name1,
+        this.config,
         this.catalogApi,
         this.catalogDBClient,
         this.auth,
         this.maxDepth
       );
-      await memo.buildUserGraph(memo);
+      await memo.buildUserGraph();
       memo.debugNodesAndEdges(this.logger, name1);
       if (!memo.isAcyclic()) {
         const cycles = memo.findCycles();
@@ -157,14 +158,15 @@ class BackstageRoleManager {
   async getRoles(name, ..._domain) {
     const { kind } = catalogModel.parseEntityRef(name);
     if (kind === "user") {
-      const memo = new ancestorSearchMemo.AncestorSearchMemo(
+      const memo = await ancestorSearchFactory.AncestorSearchFactory.createAncestorSearchMemo(
         name,
+        this.config,
         this.catalogApi,
         this.catalogDBClient,
         this.auth,
         this.maxDepth
       );
-      await memo.buildUserGraph(memo);
+      await memo.buildUserGraph();
       memo.debugNodesAndEdges(this.logger, name);
       memo.setNode(name);
       if (!memo.isAcyclic()) {

package/dist/role-manager/role-manager.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\n\nexport class BackstageRoleManager implements RoleManager {\n  private allRoles: Map<string, RoleMemberList>;\n  private maxDepth?: number;\n  constructor(\n    private readonly catalogApi: CatalogApi,\n    private readonly logger: LoggerService,\n    private readonly catalogDBClient: Knex,\n    private readonly rbacDBClient: Knex,\n    private readonly config: Config,\n    private readonly auth: AuthService,\n  ) {\n    this.allRoles = new Map<string, RoleMemberList>();\n    const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n    this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n    if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n      throw new Error(\n        'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n      );\n    }\n  }\n\n  /**\n   * clear clears all stored data and resets the role manager to the initial state.\n   */\n  async clear(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * addLink adds the inheritance link between name1 and role: name2.\n   * aka name1 inherits role: name2.\n   * The link that is established is based on the defined grouping policies that are added by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be assigned to a role.\n   * @param name2 The role that will be created or updated.\n   * @param _domain Unimplemented prefix to the role.\n   */\n  async addLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.addMember(name1);\n    }\n  }\n\n  /**\n   * deleteLink deletes the inheritance link between name1 and role: name2.\n   * aka name1 does not inherit role: name2 any more.\n   * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be removed from assignment of a role.\n   * @param name2 The role that will be deleted or updated.\n   * @param _domain Unimplemented.\n   */\n  async deleteLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.deleteMember(name1);\n\n      // Clean up in the event that there are no more members in the role\n      if (role1.getMembers().length === 0) {\n        this.allRoles.delete(name2);\n      }\n    }\n  }\n\n  /**\n   * hasLink determines whether name1 inherits role: name2.\n   * Before this check is called in the background by the enforcer,\n   * we filter out all roles that the user is not connected to\n   * directly or indirectly through the use of retrieving roles through\n   * enforcer.getRolesForUser and apply those roles to a tempEnforcer.\n   *\n   * This means that hasLink will almost always be true in the event that a user\n   * is assigned to a role (either directly or indirectly)\n   *\n   * In the event that a user or group is not assigned to a role and instead\n   * are assigned directly to permissions, then name2 will become either that\n   * user or group through the filtering. In this case we will build the graph\n   * if necessary for name2 group presence or evaulate based on the names matching.\n   * @param name1 The user that we are authorizing.\n   * @param name2 The name of the role that we are checking against.\n   * @param domain Unimplemented.\n   * @returns True if the user is directly or indirectly attached to the role.\n   */\n  async hasLink(\n    name1: string,\n    name2: string,\n    ...domain: string[]\n  ): Promise<boolean> {\n    if (domain.length > 0) {\n      throw new Error('domain argument is not supported.');\n    }\n\n    // Name2 can be an empty string in the event that there is not a role associated with the user\n    // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n    if (name2.length === 0) {\n      return false;\n    }\n\n    if (name1 === name2) {\n      return true;\n    }\n\n    // name1 is always user in our case.\n    // name2 is user or group.\n    // user(name1) couldn't inherit user(name2).\n    // We can use this fact for optimization.\n    const { kind } = parseEntityRef(name2);\n    if (kind.toLocaleLowerCase() === 'user') {\n      return false;\n    }\n\n    // if it is a group, then we will have to build the graph,\n    if (kind.toLocaleLowerCase() === 'group') {\n      const memo = new AncestorSearchMemo(\n        name1,\n        this.catalogApi,\n        this.catalogDBClient,\n        this.auth,\n        this.maxDepth,\n      );\n      await memo.buildUserGraph(memo);\n      memo.debugNodesAndEdges(this.logger, name1);\n\n      if (!memo.isAcyclic()) {\n        const cycles = memo.findCycles();\n\n        this.logger.warn(\n          `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n            cycles,\n          )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n            cycles,\n          )}`,\n        );\n        return false;\n      }\n\n      return memo.hasEntityRef(name2);\n    }\n\n    return true;\n  }\n\n  /**\n   * syncedHasLink determines whether role: name1 inherits role: name2.\n   * domain is a prefix to the roles.\n   */\n  syncedHasLink?(\n    _name1: string,\n    _name2: string,\n    ..._domain: string[]\n  ): boolean {\n    throw new Error('Method \"syncedHasLink\" not implemented.');\n  }\n\n  /**\n   * getRoles gets the roles that a subject inherits.\n   *\n   * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n   * so format is <kind>:<namespace>/<entity-name>.\n   * GetRoles method supports only two kind values: 'user' and 'role'.\n   *\n   * domain - is a prefix to the roles, unused parameter.\n   *\n   * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n   * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n   * Case kind === 'group' - should not happen, because:\n   * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n   * method again to ask about name with kind \"group\".\n   * 2) We implemented getRoles method only to use:\n   * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * so name argument can be only with kind 'user' or 'role'.\n   *\n   * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * then casbin engine executes 'getRoles' method few times.\n   * Firstly casbin asks about roles for 'userEntityRef'.\n   * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n   * Then casbin calls 'getRoles' two more times to\n   * find parent roles. But we return empty array for each such call,\n   * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n   */\n  async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n    const { kind } = parseEntityRef(name);\n    if (kind === 'user') {\n      const memo = new AncestorSearchMemo(\n        name,\n        this.catalogApi,\n        this.catalogDBClient,\n        this.auth,\n        this.maxDepth,\n      );\n      await memo.buildUserGraph(memo);\n      memo.debugNodesAndEdges(this.logger, name);\n\n      // Account for the user not being in the graph (this can happen during direct assignment to roles)\n      memo.setNode(name);\n\n      if (!memo.isAcyclic()) {\n        const cycles = memo.findCycles();\n\n        this.logger.warn(\n          `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n            cycles,\n          )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n            cycles,\n          )}`,\n        );\n        return Promise.resolve([]);\n      }\n\n      if (this.isPGClient()) {\n        const currentRole = new RoleMemberList(name);\n        await currentRole.buildRoles(\n          currentRole,\n          memo.getNodes(),\n          this.rbacDBClient,\n        );\n        return Promise.resolve(currentRole.getRoles());\n      }\n\n      const allRoles: string[] = [];\n      for (const value of this.allRoles.values()) {\n        if (this.hasMember(value, memo)) {\n          allRoles.push(value.name);\n        }\n      }\n\n      return Promise.resolve(allRoles);\n    }\n\n    return [];\n  }\n\n  /**\n   * getUsers gets the users that inherits a subject.\n   * domain is an unreferenced parameter here, may be used in other implementations.\n   */\n  async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n    throw new Error('Method \"getUsers\" not implemented.');\n  }\n\n  /**\n   * printRoles prints all the roles to log.\n   */\n  async printRoles(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * getOrCreateRole will get a role if it has already been cached\n   * or it will create a new role to be cached.\n   * This cache is a simple tree that is used to quickly compare\n   * users and groups to roles.\n   * @param name The user or group whose cache we will be getting / creating.\n   * @returns The cached role as a RoleList.\n   */\n  private getOrCreateRole(name: string): RoleMemberList {\n    const role = this.allRoles.get(name);\n    if (role) {\n      return role;\n    }\n    const newRole = new RoleMemberList(name);\n    this.allRoles.set(name, newRole);\n\n    return newRole;\n  }\n\n  /**\n   * isPGClient checks what the current database client is at them time.\n   * This is to ensure that we are querying the database in the event of postgres\n   * or using in memory cache for better sqlite3.\n   * @returns True if the database client is pg.\n   */\n  isPGClient(): boolean {\n    const client = this.rbacDBClient.client.config.client;\n    return client === 'pg';\n  }\n\n  /**\n   * hasMember checks if the members from a particular role is associated with the user\n   * that the AncestorSearchMemo graph is built for.\n   * @param role The role that we are getting the members from.\n   * @param memo The user graph that we are comparing members with.\n   * @returns True if a member from the role is also associated with the user.\n   */\n  private hasMember(\n    role: RoleMemberList | undefined,\n    memo: AncestorSearchMemo,\n  ): boolean {\n    if (role === undefined) {\n      return false;\n    }\n\n    for (const member of role.getMembers()) {\n      if (memo.hasEntityRef(member)) {\n        return true;\n      }\n    }\n    return false;\n  }\n}\n"],"names":["parseEntityRef","AncestorSearchMemo","RoleMemberList"],"mappings":";;;;;;AA0BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AACF;AACF,EAlBQ,QAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA;AAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA;AACvB;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAC5B;AACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA;AAAA;AAKrD,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA;AAAA;AAOT,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAA,2BAAA,CAAe,KAAK,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA;AAAA;AAIT,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,OAAS,EAAA;AACxC,MAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,QACf,KAAA;AAAA,QACA,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA;AAC9B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA;AAE1C,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,KAAA;AAAA;AAGT,MAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA;AAAA;AAGhC,IAAO,OAAA,IAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA;AAAA;AAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,QACf,IAAA;AAAA,QACA,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA;AAC9B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA;AAGzC,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA;AAEjB,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,OAAA,CAAQ,OAAQ,CAAA,EAAE,CAAA;AAAA;AAG3B,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIC,yBAAA,CAAe,IAAI,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA;AAAA,SACP;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA;AAG/C,MAAA,MAAM,WAAqB,EAAC;AAC5B,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA;AAC1B;AAGF,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAAA;AAGjC,IAAA,OAAO,EAAC;AAAA;AACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA;AAAA;AACtD;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA;AAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA;AAAA;AAET,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA;AAE/B,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA;AAAA;AACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA;AAAA;AACT;AAEF,IAAO,OAAA,KAAA;AAAA;AAEX;;;;"}
+{"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo, ASMGroup } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\nimport { AncestorSearchFactory } from './ancestor-search-factory';\n\nexport class BackstageRoleManager implements RoleManager {\n  private allRoles: Map<string, RoleMemberList>;\n  private maxDepth?: number;\n  constructor(\n    private readonly catalogApi: CatalogApi,\n    private readonly logger: LoggerService,\n    private readonly catalogDBClient: Knex,\n    private readonly rbacDBClient: Knex,\n    private readonly config: Config,\n    private readonly auth: AuthService,\n  ) {\n    this.allRoles = new Map<string, RoleMemberList>();\n    const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n    this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n    if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n      throw new Error(\n        'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n      );\n    }\n  }\n\n  /**\n   * clear clears all stored data and resets the role manager to the initial state.\n   */\n  async clear(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * addLink adds the inheritance link between name1 and role: name2.\n   * aka name1 inherits role: name2.\n   * The link that is established is based on the defined grouping policies that are added by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be assigned to a role.\n   * @param name2 The role that will be created or updated.\n   * @param _domain Unimplemented prefix to the role.\n   */\n  async addLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.addMember(name1);\n    }\n  }\n\n  /**\n   * deleteLink deletes the inheritance link between name1 and role: name2.\n   * aka name1 does not inherit role: name2 any more.\n   * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be removed from assignment of a role.\n   * @param name2 The role that will be deleted or updated.\n   * @param _domain Unimplemented.\n   */\n  async deleteLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.deleteMember(name1);\n\n      // Clean up in the event that there are no more members in the role\n      if (role1.getMembers().length === 0) {\n        this.allRoles.delete(name2);\n      }\n    }\n  }\n\n  /**\n   * hasLink determines whether name1 inherits role: name2.\n   * Before this check is called in the background by the enforcer,\n   * we filter out all roles that the user is not connected to\n   * directly or indirectly through the use of retrieving roles through\n   * enforcer.getRolesForUser and apply those roles to a tempEnforcer.\n   *\n   * This means that hasLink will almost always be true in the event that a user\n   * is assigned to a role (either directly or indirectly)\n   *\n   * In the event that a user or group is not assigned to a role and instead\n   * are assigned directly to permissions, then name2 will become either that\n   * user or group through the filtering. In this case we will build the graph\n   * if necessary for name2 group presence or evaulate based on the names matching.\n   * @param name1 The user that we are authorizing.\n   * @param name2 The name of the role that we are checking against.\n   * @param domain Unimplemented.\n   * @returns True if the user is directly or indirectly attached to the role.\n   */\n  async hasLink(\n    name1: string,\n    name2: string,\n    ...domain: string[]\n  ): Promise<boolean> {\n    if (domain.length > 0) {\n      throw new Error('domain argument is not supported.');\n    }\n\n    // Name2 can be an empty string in the event that there is not a role associated with the user\n    // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n    if (name2.length === 0) {\n      return false;\n    }\n\n    if (name1 === name2) {\n      return true;\n    }\n\n    // name1 is always user in our case.\n    // name2 is user or group.\n    // user(name1) couldn't inherit user(name2).\n    // We can use this fact for optimization.\n    const { kind } = parseEntityRef(name2);\n    if (kind.toLocaleLowerCase() === 'user') {\n      return false;\n    }\n\n    // if it is a group, then we will have to build the graph,\n    if (kind.toLocaleLowerCase() === 'group') {\n      const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n        name1,\n        this.config,\n        this.catalogApi,\n        this.catalogDBClient,\n        this.auth,\n        this.maxDepth,\n      );\n\n      await memo.buildUserGraph();\n      memo.debugNodesAndEdges(this.logger, name1);\n\n      if (!memo.isAcyclic()) {\n        const cycles = memo.findCycles();\n\n        this.logger.warn(\n          `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n            cycles,\n          )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n            cycles,\n          )}`,\n        );\n        return false;\n      }\n\n      return memo.hasEntityRef(name2);\n    }\n\n    return true;\n  }\n\n  /**\n   * syncedHasLink determines whether role: name1 inherits role: name2.\n   * domain is a prefix to the roles.\n   */\n  syncedHasLink?(\n    _name1: string,\n    _name2: string,\n    ..._domain: string[]\n  ): boolean {\n    throw new Error('Method \"syncedHasLink\" not implemented.');\n  }\n\n  /**\n   * getRoles gets the roles that a subject inherits.\n   *\n   * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n   * so format is <kind>:<namespace>/<entity-name>.\n   * GetRoles method supports only two kind values: 'user' and 'role'.\n   *\n   * domain - is a prefix to the roles, unused parameter.\n   *\n   * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n   * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n   * Case kind === 'group' - should not happen, because:\n   * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n   * method again to ask about name with kind \"group\".\n   * 2) We implemented getRoles method only to use:\n   * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * so name argument can be only with kind 'user' or 'role'.\n   *\n   * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * then casbin engine executes 'getRoles' method few times.\n   * Firstly casbin asks about roles for 'userEntityRef'.\n   * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n   * Then casbin calls 'getRoles' two more times to\n   * find parent roles. But we return empty array for each such call,\n   * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n   */\n  async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n    const { kind } = parseEntityRef(name);\n    if (kind === 'user') {\n      const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n        name,\n        this.config,\n        this.catalogApi,\n        this.catalogDBClient,\n        this.auth,\n        this.maxDepth,\n      );\n      await memo.buildUserGraph();\n      memo.debugNodesAndEdges(this.logger, name);\n\n      // Account for the user not being in the graph (this can happen during direct assignment to roles)\n      memo.setNode(name);\n\n      if (!memo.isAcyclic()) {\n        const cycles = memo.findCycles();\n\n        this.logger.warn(\n          `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n            cycles,\n          )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n            cycles,\n          )}`,\n        );\n        return Promise.resolve([]);\n      }\n\n      if (this.isPGClient()) {\n        const currentRole = new RoleMemberList(name);\n        await currentRole.buildRoles(\n          currentRole,\n          memo.getNodes(),\n          this.rbacDBClient,\n        );\n        return Promise.resolve(currentRole.getRoles());\n      }\n\n      const allRoles: string[] = [];\n      for (const value of this.allRoles.values()) {\n        if (this.hasMember(value, memo)) {\n          allRoles.push(value.name);\n        }\n      }\n\n      return Promise.resolve(allRoles);\n    }\n\n    return [];\n  }\n\n  /**\n   * getUsers gets the users that inherits a subject.\n   * domain is an unreferenced parameter here, may be used in other implementations.\n   */\n  async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n    throw new Error('Method \"getUsers\" not implemented.');\n  }\n\n  /**\n   * printRoles prints all the roles to log.\n   */\n  async printRoles(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * getOrCreateRole will get a role if it has already been cached\n   * or it will create a new role to be cached.\n   * This cache is a simple tree that is used to quickly compare\n   * users and groups to roles.\n   * @param name The user or group whose cache we will be getting / creating.\n   * @returns The cached role as a RoleList.\n   */\n  private getOrCreateRole(name: string): RoleMemberList {\n    const role = this.allRoles.get(name);\n    if (role) {\n      return role;\n    }\n    const newRole = new RoleMemberList(name);\n    this.allRoles.set(name, newRole);\n\n    return newRole;\n  }\n\n  /**\n   * isPGClient checks what the current database client is at them time.\n   * This is to ensure that we are querying the database in the event of postgres\n   * or using in memory cache for better sqlite3.\n   * @returns True if the database client is pg.\n   */\n  isPGClient(): boolean {\n    const client = this.rbacDBClient.client.config.client;\n    return client === 'pg';\n  }\n\n  /**\n   * hasMember checks if the members from a particular role is associated with the user\n   * that the AncestorSearchMemo graph is built for.\n   * @param role The role that we are getting the members from.\n   * @param memo The user graph that we are comparing members with.\n   * @returns True if a member from the role is also associated with the user.\n   */\n  private hasMember(\n    role: RoleMemberList | undefined,\n    memo: AncestorSearchMemo<ASMGroup>,\n  ): boolean {\n    if (role === undefined) {\n      return false;\n    }\n\n    for (const member of role.getMembers()) {\n      if (memo.hasEntityRef(member)) {\n        return true;\n      }\n    }\n    return false;\n  }\n}\n"],"names":["parseEntityRef","AncestorSearchFactory","RoleMemberList"],"mappings":";;;;;;AA2BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AACF;AACF,EAlBQ,QAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA;AAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA;AACvB;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAC5B;AACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA;AAAA;AAKrD,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA;AAAA;AAOT,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAA,2BAAA,CAAe,KAAK,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA;AAAA;AAIT,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,OAAS,EAAA;AACxC,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,KAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA;AAE1C,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,KAAA;AAAA;AAGT,MAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA;AAAA;AAGhC,IAAO,OAAA,IAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA;AAAA;AAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,IAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA;AAGzC,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA;AAEjB,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,OAAA,CAAQ,OAAQ,CAAA,EAAE,CAAA;AAAA;AAG3B,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIC,yBAAA,CAAe,IAAI,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA;AAAA,SACP;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA;AAG/C,MAAA,MAAM,WAAqB,EAAC;AAC5B,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA;AAC1B;AAGF,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAAA;AAGjC,IAAA,OAAO,EAAC;AAAA;AACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA;AAAA;AACtD;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA;AAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA;AAAA;AAET,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA;AAE/B,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA;AAAA;AACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA;AAAA;AACT;AAEF,IAAO,OAAA,KAAA;AAAA;AAEX;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage-community/plugin-rbac-backend",
-  "version": "6.2.3",
+  "version": "6.2.4",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",