@backstage-community/plugin-rbac-backend 7.10.0 → 7.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/CHANGELOG.md +26 -0
  2. package/README.md +24 -0
  3. package/config.d.ts +23 -0
  4. package/dist/database/role-metadata.cjs.js +49 -3
  5. package/dist/database/role-metadata.cjs.js.map +1 -1
  6. package/dist/default-permissions/default-permissions.cjs.js +133 -0
  7. package/dist/default-permissions/default-permissions.cjs.js.map +1 -0
  8. package/dist/helper.cjs.js +19 -0
  9. package/dist/helper.cjs.js.map +1 -1
  10. package/dist/permissions/resource.cjs.js.map +1 -1
  11. package/dist/permissions/rules.cjs.js +3 -0
  12. package/dist/permissions/rules.cjs.js.map +1 -1
  13. package/dist/role-manager/role-manager.cjs.js +7 -2
  14. package/dist/role-manager/role-manager.cjs.js.map +1 -1
  15. package/dist/service/policies-rest-api.cjs.js +29 -12
  16. package/dist/service/policies-rest-api.cjs.js.map +1 -1
  17. package/dist/service/policy-builder.cjs.js +13 -1
  18. package/dist/service/policy-builder.cjs.js.map +1 -1
  19. package/migrations/20260216100000_add_is_default_to_role_metadata.js +43 -0
  20. package/package.json +4 -8
package/dist/service/policy-builder.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policy-builder.cjs.js","sources":["../../src/service/policy-builder.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { DatabaseManager } from '@backstage/backend-defaults/database';\nimport type {\n AuditorService,\n AuthService,\n DiscoveryService,\n HttpAuthService,\n LifecycleService,\n LoggerService,\n PermissionsRegistryService,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport { CatalogClient } from '@backstage/catalog-client';\nimport type { Config } from '@backstage/config';\nimport type { PermissionEvaluator } from '@backstage/plugin-permission-common';\n\nimport { newEnforcer, newModelFromString } from 'casbin';\nimport type { Router } from 'express';\n\nimport type {\n PluginIdProvider,\n RBACProvider,\n} from '@backstage-community/plugin-rbac-node';\n\nimport { CasbinDBAdapterFactory } from '../database/casbin-adapter-factory';\nimport { DataBaseConditionalStorage } from '../database/conditional-storage';\nimport { migrate } from '../database/migration';\nimport { DataBaseRoleMetadataStorage } from '../database/role-metadata';\nimport { AllowAllPolicy } from '../policies/allow-all-policy';\nimport { RBACPermissionPolicy } from '../policies/permission-policy';\nimport { connectRBACProviders } from '../providers/connect-providers';\nimport { BackstageRoleManager } from '../role-manager/role-manager';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { MODEL } from './permission-model';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { PoliciesServer } from './policies-rest-api';\nimport { policyEntityPermissions } from '@backstage-community/plugin-rbac-common';\nimport { rules } from '../permissions';\nimport { permissionMetadataResourceRef } from '../permissions/resource';\nimport { PermissionDependentPluginDatabaseStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\nimport { PolicyExtensionPoint } from '@backstage/plugin-permission-node/alpha';\n\n/**\n * @public\n */\nexport type EnvOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n permissions: PermissionEvaluator;\n auth: AuthService;\n httpAuth: HttpAuthService;\n auditor: AuditorService;\n lifecycle: LifecycleService;\n permissionsRegistry: PermissionsRegistryService;\n policy: PolicyExtensionPoint;\n};\n\n/**\n * @public\n */\nexport type RBACRouterOptions = {\n config: Config;\n logger: LoggerService;\n auth: AuthService;\n httpAuth: HttpAuthService;\n permissions: PermissionsService;\n permissionsRegistry: PermissionsRegistryService;\n auditor: AuditorService;\n};\n\n/**\n * @public\n */\nexport class PolicyBuilder {\n public static async build(\n env: EnvOptions,\n pluginIdProvider: PluginIdProvider = { getPluginIds: () => [] },\n rbacProviders?: Array<RBACProvider>,\n ): Promise<Router> {\n const databaseManager = DatabaseManager.fromConfig(env.config).forPlugin(\n 'permission',\n { logger: env.logger, lifecycle: env.lifecycle },\n );\n\n const databaseClient = await databaseManager.getClient();\n\n const adapter = await new CasbinDBAdapterFactory(\n env.config,\n databaseClient,\n ).createAdapter();\n\n const enf = await newEnforcer(newModelFromString(MODEL), adapter);\n await enf.loadPolicy();\n enf.enableAutoSave(true);\n\n const catalogClient = new CatalogClient({ discoveryApi: env.discovery });\n const catalogDBClient = await DatabaseManager.fromConfig(env.config)\n .forPlugin('catalog', { logger: env.logger, lifecycle: env.lifecycle })\n .getClient();\n\n const rm = new BackstageRoleManager(\n catalogClient,\n env.logger,\n catalogDBClient,\n databaseClient,\n env.config,\n env.auth,\n );\n enf.setRoleManager(rm);\n enf.enableAutoBuildRoleLinks(false);\n await enf.buildRoleLinks();\n\n await migrate(databaseManager);\n\n const conditionStorage = new DataBaseConditionalStorage(databaseClient);\n\n const roleMetadataStorage = new DataBaseRoleMetadataStorage(databaseClient);\n const enforcerDelegate = new EnforcerDelegate(\n enf,\n env.auditor,\n conditionStorage,\n roleMetadataStorage,\n databaseClient,\n );\n\n env.permissionsRegistry.addResourceType({\n resourceRef: permissionMetadataResourceRef,\n getResources: resourceRefs =>\n Promise.all(\n resourceRefs.map(ref => {\n return roleMetadataStorage.findRoleMetadata(ref);\n }),\n ),\n permissions: policyEntityPermissions,\n rules: Object.values(rules),\n });\n\n if (rbacProviders) {\n await connectRBACProviders(\n rbacProviders,\n enforcerDelegate,\n roleMetadataStorage,\n conditionStorage,\n env.logger,\n env.auditor,\n );\n }\n\n const extraPluginsIdStorage = new PermissionDependentPluginDatabaseStore(\n databaseClient,\n );\n const extendablePluginIdProvider = new ExtendablePluginIdProvider(\n extraPluginsIdStorage,\n pluginIdProvider,\n env.config,\n );\n await extendablePluginIdProvider.handleConflictedPluginIds();\n const pluginPermMetaData = new PluginPermissionMetadataCollector({\n deps: {\n discovery: env.discovery,\n pluginIdProvider: extendablePluginIdProvider,\n logger: env.logger,\n config: env.config,\n },\n });\n\n const isPluginEnabled = env.config.getOptionalBoolean('permission.enabled');\n if (isPluginEnabled) {\n env.logger.info('RBAC backend plugin was enabled');\n\n env.policy.setPolicy(\n await RBACPermissionPolicy.build(\n env.logger,\n env.auditor,\n env.config,\n conditionStorage,\n enforcerDelegate,\n roleMetadataStorage,\n databaseClient,\n pluginPermMetaData,\n env.auth,\n ),\n );\n } else {\n env.logger.warn(\n 'RBAC backend plugin was disabled by application config permission.enabled: false',\n );\n\n env.policy.setPolicy(new AllowAllPolicy());\n }\n\n const options: RBACRouterOptions = {\n config: env.config,\n logger: env.logger,\n auth: env.auth,\n httpAuth: env.httpAuth,\n permissions: env.permissions,\n permissionsRegistry: env.permissionsRegistry,\n auditor: env.auditor,\n };\n\n const server = new PoliciesServer(\n options,\n enforcerDelegate,\n conditionStorage,\n pluginPermMetaData,\n roleMetadataStorage,\n extraPluginsIdStorage,\n extendablePluginIdProvider,\n rbacProviders,\n );\n return server.serve();\n }\n}\n"],"names":["DatabaseManager","CasbinDBAdapterFactory","newEnforcer","newModelFromString","MODEL","catalogClient","CatalogClient","BackstageRoleManager","migrate","DataBaseConditionalStorage","DataBaseRoleMetadataStorage","enforcerDelegate","EnforcerDelegate","permissionMetadataResourceRef","policyEntityPermissions","rules","connectRBACProviders","PermissionDependentPluginDatabaseStore","ExtendablePluginIdProvider","PluginPermissionMetadataCollector","RBACPermissionPolicy","AllowAllPolicy","PoliciesServer"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAyFO,MAAM,aAAc,CAAA;AAAA,EACzB,aAAoB,KAClB,CAAA,GAAA,EACA,gBAAqC,GAAA,EAAE,cAAc,MAAM,EAAG,EAAA,EAC9D,aACiB,EAAA;AACjB,IAAA,MAAM,eAAkB,GAAAA,wBAAA,CAAgB,UAAW,CAAA,GAAA,CAAI,MAAM,CAAE,CAAA,SAAA;AAAA,MAC7D,YAAA;AAAA,MACA,EAAE,MAAQ,EAAA,GAAA,CAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU;AAAA,KACjD;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,eAAA,CAAgB,SAAU,EAAA;AAEvD,IAAM,MAAA,OAAA,GAAU,MAAM,IAAIC,2CAAA;AAAA,MACxB,GAAI,CAAA,MAAA;AAAA,MACJ;AAAA,MACA,aAAc,EAAA;AAEhB,IAAA,MAAM,MAAM,MAAMC,kBAAA,CAAYC,yBAAmB,CAAAC,qBAAK,GAAG,OAAO,CAAA;AAChE,IAAA,MAAM,IAAI,UAAW,EAAA;AACrB,IAAA,GAAA,CAAI,eAAe,IAAI,CAAA;AAEvB,IAAA,MAAMC,kBAAgB,IAAIC,2BAAA,CAAc,EAAE,YAAc,EAAA,GAAA,CAAI,WAAW,CAAA;AACvE,IAAA,MAAM,kBAAkB,MAAMN,wBAAA,CAAgB,WAAW,GAAI,CAAA,MAAM,EAChE,SAAU,CAAA,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU,EAAC,EACrE,SAAU,EAAA;AAEb,IAAA,MAAM,KAAK,IAAIO,gCAAA;AAAA,MACbF,eAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,eAAA;AAAA,MACA,cAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,GAAI,CAAA;AAAA,KACN;AACA,IAAA,GAAA,CAAI,eAAe,EAAE,CAAA;AACrB,IAAA,GAAA,CAAI,yBAAyB,KAAK,CAAA;AAClC,IAAA,MAAM,IAAI,cAAe,EAAA;AAEzB,IAAA,MAAMG,kBAAQ,eAAe,CAAA;AAE7B,IAAM,MAAA,gBAAA,GAAmB,IAAIC,6CAAA,CAA2B,cAAc,CAAA;AAEtE,IAAM,MAAA,mBAAA,GAAsB,IAAIC,wCAAA,CAA4B,cAAc,CAAA;AAC1E,IAAA,MAAMC,qBAAmB,IAAIC,iCAAA;AAAA,MAC3B,GAAA;AAAA,MACA,GAAI,CAAA,OAAA;AAAA,MACJ,gBAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,GAAA,CAAI,oBAAoB,eAAgB,CAAA;AAAA,MACtC,WAAa,EAAAC,sCAAA;AAAA,MACb,YAAA,EAAc,kBACZ,OAAQ,CAAA,GAAA;AAAA,QACN,YAAA,CAAa,IAAI,CAAO,GAAA,KAAA;AACtB,UAAO,OAAA,mBAAA,CAAoB,iBAAiB,GAAG,CAAA;AAAA,SAChD;AAAA,OACH;AAAA,MACF,WAAa,EAAAC,wCAAA;AAAA,MACb,KAAA,EAAO,MAAO,CAAA,MAAA,CAAOC,WAAK;AAAA,KAC3B,CAAA;AAED,IAAA,IAAI,aAAe,EAAA;AACjB,MAAM,MAAAC,qCAAA;AAAA,QACJ,aAAA;AAAA,QACAL,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,gBAAA;AAAA,QACA,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA;AAAA,OACN;AAAA;AAGF,IAAA,MAAM,wBAAwB,IAAIM,2EAAA;AAAA,MAChC;AAAA,KACF;AACA,IAAA,MAAM,6BAA6B,IAAIC,+CAAA;AAAA,MACrC,qBAAA;AAAA,MACA,gBAAA;AAAA,MACA,GAAI,CAAA;AAAA,KACN;AACA,IAAA,MAAM,2BAA2B,yBAA0B,EAAA;AAC3D,IAAM,MAAA,kBAAA,GAAqB,IAAIC,iDAAkC,CAAA;AAAA,MAC/D,IAAM,EAAA;AAAA,QACJ,WAAW,GAAI,CAAA,SAAA;AAAA,QACf,gBAAkB,EAAA,0BAAA;AAAA,QAClB,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,QAAQ,GAAI,CAAA;AAAA;AACd,KACD,CAAA;AAED,IAAA,MAAM,eAAkB,GAAA,GAAA,CAAI,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAA;AAC1E,IAAA,IAAI,eAAiB,EAAA;AACnB,MAAI,GAAA,CAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAEjD,MAAA,GAAA,CAAI,MAAO,CAAA,SAAA;AAAA,QACT,MAAMC,qCAAqB,CAAA,KAAA;AAAA,UACzB,GAAI,CAAA,MAAA;AAAA,UACJ,GAAI,CAAA,OAAA;AAAA,UACJ,GAAI,CAAA,MAAA;AAAA,UACJ,gBAAA;AAAA,UACAT,kBAAA;AAAA,UACA,mBAAA;AAAA,UACA,cAAA;AAAA,UACA,kBAAA;AAAA,UACA,GAAI,CAAA;AAAA;AACN,OACF;AAAA,KACK,MAAA;AACL,MAAA,GAAA,CAAI,MAAO,CAAA,IAAA;AAAA,QACT;AAAA,OACF;AAEA,MAAA,GAAA,CAAI,MAAO,CAAA,SAAA,CAAU,IAAIU,6BAAA,EAAgB,CAAA;AAAA;AAG3C,IAAA,MAAM,OAA6B,GAAA;AAAA,MACjC,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,MAAM,GAAI,CAAA,IAAA;AAAA,MACV,UAAU,GAAI,CAAA,QAAA;AAAA,MACd,aAAa,GAAI,CAAA,WAAA;AAAA,MACjB,qBAAqB,GAAI,CAAA,mBAAA;AAAA,MACzB,SAAS,GAAI,CAAA;AAAA,KACf;AAEA,IAAA,MAAM,SAAS,IAAIC,8BAAA;AAAA,MACjB,OAAA;AAAA,MACAX,kBAAA;AAAA,MACA,gBAAA;AAAA,MACA,kBAAA;AAAA,MACA,mBAAA;AAAA,MACA,qBAAA;AAAA,MACA,0BAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,OAAO,KAAM,EAAA;AAAA;AAExB;;;;"}
1
+ {"version":3,"file":"policy-builder.cjs.js","sources":["../../src/service/policy-builder.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { DatabaseManager } from '@backstage/backend-defaults/database';\nimport type {\n AuditorService,\n AuthService,\n DiscoveryService,\n HttpAuthService,\n LifecycleService,\n LoggerService,\n PermissionsRegistryService,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport { CatalogClient } from '@backstage/catalog-client';\nimport type { Config } from '@backstage/config';\nimport type { PermissionEvaluator } from '@backstage/plugin-permission-common';\n\nimport { newEnforcer, newModelFromString } from 'casbin';\nimport type { Router } from 'express';\n\nimport type {\n PluginIdProvider,\n RBACProvider,\n} from '@backstage-community/plugin-rbac-node';\n\nimport { CasbinDBAdapterFactory } from '../database/casbin-adapter-factory';\nimport { DataBaseConditionalStorage } from '../database/conditional-storage';\nimport { migrate } from '../database/migration';\nimport { DataBaseRoleMetadataStorage } from '../database/role-metadata';\nimport { AllowAllPolicy } from '../policies/allow-all-policy';\nimport { RBACPermissionPolicy } from '../policies/permission-policy';\nimport { connectRBACProviders } from '../providers/connect-providers';\nimport { BackstageRoleManager } from '../role-manager/role-manager';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { MODEL } from './permission-model';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { PoliciesServer } from './policies-rest-api';\nimport { policyEntityPermissions } from '@backstage-community/plugin-rbac-common';\nimport { rules } from '../permissions';\nimport { permissionMetadataResourceRef } from '../permissions/resource';\nimport { PermissionDependentPluginDatabaseStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\nimport { PolicyExtensionPoint } from '@backstage/plugin-permission-node/alpha';\nimport {\n DefaultPermissionsReader,\n DefaultPermissionsSyncher,\n} from '../default-permissions/default-permissions';\n\n/**\n * @public\n */\nexport type EnvOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n permissions: PermissionEvaluator;\n auth: AuthService;\n httpAuth: HttpAuthService;\n auditor: AuditorService;\n lifecycle: LifecycleService;\n permissionsRegistry: PermissionsRegistryService;\n policy: PolicyExtensionPoint;\n};\n\n/**\n * @public\n */\nexport type RBACRouterOptions = {\n config: Config;\n logger: LoggerService;\n auth: AuthService;\n httpAuth: HttpAuthService;\n permissions: PermissionsService;\n permissionsRegistry: PermissionsRegistryService;\n auditor: AuditorService;\n};\n\n/**\n * @public\n */\nexport class PolicyBuilder {\n public static async build(\n env: EnvOptions,\n pluginIdProvider: PluginIdProvider = { getPluginIds: () => [] },\n rbacProviders?: Array<RBACProvider>,\n ): Promise<Router> {\n const databaseManager = DatabaseManager.fromConfig(env.config).forPlugin(\n 'permission',\n { logger: env.logger, lifecycle: env.lifecycle },\n );\n\n const databaseClient = await databaseManager.getClient();\n\n const adapter = await new CasbinDBAdapterFactory(\n env.config,\n databaseClient,\n ).createAdapter();\n\n const enf = await newEnforcer(newModelFromString(MODEL), adapter);\n await enf.loadPolicy();\n enf.enableAutoSave(true);\n\n const catalogClient = new CatalogClient({ discoveryApi: env.discovery });\n const catalogDBClient = await DatabaseManager.fromConfig(env.config)\n .forPlugin('catalog', { logger: env.logger, lifecycle: env.lifecycle })\n .getClient();\n\n const defPermReader = new DefaultPermissionsReader(env.config);\n\n const rm = new BackstageRoleManager(\n catalogClient,\n env.logger,\n catalogDBClient,\n databaseClient,\n env.config,\n env.auth,\n defPermReader,\n );\n enf.setRoleManager(rm);\n enf.enableAutoBuildRoleLinks(false);\n await enf.buildRoleLinks();\n\n await migrate(databaseManager);\n\n const conditionStorage = new DataBaseConditionalStorage(databaseClient);\n\n const roleMetadataStorage = new DataBaseRoleMetadataStorage(databaseClient);\n const enforcerDelegate = new EnforcerDelegate(\n enf,\n env.auditor,\n conditionStorage,\n roleMetadataStorage,\n databaseClient,\n );\n\n const defPermSyncher = new DefaultPermissionsSyncher(\n roleMetadataStorage,\n enforcerDelegate,\n defPermReader,\n );\n await defPermSyncher.sync();\n\n env.permissionsRegistry.addResourceType({\n resourceRef: permissionMetadataResourceRef,\n getResources: resourceRefs =>\n Promise.all(\n resourceRefs.map(ref => {\n if (\n ref ===\n roleMetadataStorage.getCachedDefaultRoleMetadata()?.roleEntityRef\n ) {\n return roleMetadataStorage.getCachedDefaultRoleMetadata();\n }\n return roleMetadataStorage.findRoleMetadata(ref);\n }),\n ),\n permissions: policyEntityPermissions,\n rules: Object.values(rules),\n });\n\n if (rbacProviders) {\n await connectRBACProviders(\n rbacProviders,\n enforcerDelegate,\n roleMetadataStorage,\n conditionStorage,\n env.logger,\n env.auditor,\n );\n }\n\n const extraPluginsIdStorage = new PermissionDependentPluginDatabaseStore(\n databaseClient,\n );\n const extendablePluginIdProvider = new ExtendablePluginIdProvider(\n extraPluginsIdStorage,\n pluginIdProvider,\n env.config,\n );\n await extendablePluginIdProvider.handleConflictedPluginIds();\n const pluginPermMetaData = new PluginPermissionMetadataCollector({\n deps: {\n discovery: env.discovery,\n pluginIdProvider: extendablePluginIdProvider,\n logger: env.logger,\n config: env.config,\n },\n });\n\n const isPluginEnabled = env.config.getOptionalBoolean('permission.enabled');\n if (isPluginEnabled) {\n env.logger.info('RBAC backend plugin was enabled');\n\n env.policy.setPolicy(\n await RBACPermissionPolicy.build(\n env.logger,\n env.auditor,\n env.config,\n conditionStorage,\n enforcerDelegate,\n roleMetadataStorage,\n databaseClient,\n pluginPermMetaData,\n env.auth,\n ),\n );\n } else {\n env.logger.warn(\n 'RBAC backend plugin was disabled by application config permission.enabled: false',\n );\n\n env.policy.setPolicy(new AllowAllPolicy());\n }\n\n const options: RBACRouterOptions = {\n config: env.config,\n logger: env.logger,\n auth: env.auth,\n httpAuth: env.httpAuth,\n permissions: env.permissions,\n permissionsRegistry: env.permissionsRegistry,\n auditor: env.auditor,\n };\n\n const server = new PoliciesServer(\n options,\n enforcerDelegate,\n conditionStorage,\n pluginPermMetaData,\n roleMetadataStorage,\n extraPluginsIdStorage,\n extendablePluginIdProvider,\n rbacProviders,\n );\n return server.serve();\n }\n}\n"],"names":["DatabaseManager","CasbinDBAdapterFactory","newEnforcer","newModelFromString","MODEL","catalogClient","CatalogClient","DefaultPermissionsReader","BackstageRoleManager","migrate","DataBaseConditionalStorage","DataBaseRoleMetadataStorage","enforcerDelegate","EnforcerDelegate","DefaultPermissionsSyncher","permissionMetadataResourceRef","policyEntityPermissions","rules","connectRBACProviders","PermissionDependentPluginDatabaseStore","ExtendablePluginIdProvider","PluginPermissionMetadataCollector","RBACPermissionPolicy","AllowAllPolicy","PoliciesServer"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA6FO,MAAM,aAAc,CAAA;AAAA,EACzB,aAAoB,KAClB,CAAA,GAAA,EACA,gBAAqC,GAAA,EAAE,cAAc,MAAM,EAAG,EAAA,EAC9D,aACiB,EAAA;AACjB,IAAA,MAAM,eAAkB,GAAAA,wBAAA,CAAgB,UAAW,CAAA,GAAA,CAAI,MAAM,CAAE,CAAA,SAAA;AAAA,MAC7D,YAAA;AAAA,MACA,EAAE,MAAQ,EAAA,GAAA,CAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU;AAAA,KACjD;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,eAAA,CAAgB,SAAU,EAAA;AAEvD,IAAM,MAAA,OAAA,GAAU,MAAM,IAAIC,2CAAA;AAAA,MACxB,GAAI,CAAA,MAAA;AAAA,MACJ;AAAA,MACA,aAAc,EAAA;AAEhB,IAAA,MAAM,MAAM,MAAMC,kBAAA,CAAYC,yBAAmB,CAAAC,qBAAK,GAAG,OAAO,CAAA;AAChE,IAAA,MAAM,IAAI,UAAW,EAAA;AACrB,IAAA,GAAA,CAAI,eAAe,IAAI,CAAA;AAEvB,IAAA,MAAMC,kBAAgB,IAAIC,2BAAA,CAAc,EAAE,YAAc,EAAA,GAAA,CAAI,WAAW,CAAA;AACvE,IAAA,MAAM,kBAAkB,MAAMN,wBAAA,CAAgB,WAAW,GAAI,CAAA,MAAM,EAChE,SAAU,CAAA,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU,EAAC,EACrE,SAAU,EAAA;AAEb,IAAA,MAAM,aAAgB,GAAA,IAAIO,2CAAyB,CAAA,GAAA,CAAI,MAAM,CAAA;AAE7D,IAAA,MAAM,KAAK,IAAIC,gCAAA;AAAA,MACbH,eAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,eAAA;AAAA,MACA,cAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,GAAI,CAAA,IAAA;AAAA,MACJ;AAAA,KACF;AACA,IAAA,GAAA,CAAI,eAAe,EAAE,CAAA;AACrB,IAAA,GAAA,CAAI,yBAAyB,KAAK,CAAA;AAClC,IAAA,MAAM,IAAI,cAAe,EAAA;AAEzB,IAAA,MAAMI,kBAAQ,eAAe,CAAA;AAE7B,IAAM,MAAA,gBAAA,GAAmB,IAAIC,6CAAA,CAA2B,cAAc,CAAA;AAEtE,IAAM,MAAA,mBAAA,GAAsB,IAAIC,wCAAA,CAA4B,cAAc,CAAA;AAC1E,IAAA,MAAMC,qBAAmB,IAAIC,iCAAA;AAAA,MAC3B,GAAA;AAAA,MACA,GAAI,CAAA,OAAA;AAAA,MACJ,gBAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,iBAAiB,IAAIC,4CAAA;AAAA,MACzB,mBAAA;AAAA,MACAF,kBAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,eAAe,IAAK,EAAA;AAE1B,IAAA,GAAA,CAAI,oBAAoB,eAAgB,CAAA;AAAA,MACtC,WAAa,EAAAG,sCAAA;AAAA,MACb,YAAA,EAAc,kBACZ,OAAQ,CAAA,GAAA;AAAA,QACN,YAAA,CAAa,IAAI,CAAO,GAAA,KAAA;AACtB,UAAA,IACE,GACA,KAAA,mBAAA,CAAoB,4BAA6B,EAAA,EAAG,aACpD,EAAA;AACA,YAAA,OAAO,oBAAoB,4BAA6B,EAAA;AAAA;AAE1D,UAAO,OAAA,mBAAA,CAAoB,iBAAiB,GAAG,CAAA;AAAA,SAChD;AAAA,OACH;AAAA,MACF,WAAa,EAAAC,wCAAA;AAAA,MACb,KAAA,EAAO,MAAO,CAAA,MAAA,CAAOC,WAAK;AAAA,KAC3B,CAAA;AAED,IAAA,IAAI,aAAe,EAAA;AACjB,MAAM,MAAAC,qCAAA;AAAA,QACJ,aAAA;AAAA,QACAN,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,gBAAA;AAAA,QACA,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA;AAAA,OACN;AAAA;AAGF,IAAA,MAAM,wBAAwB,IAAIO,2EAAA;AAAA,MAChC;AAAA,KACF;AACA,IAAA,MAAM,6BAA6B,IAAIC,+CAAA;AAAA,MACrC,qBAAA;AAAA,MACA,gBAAA;AAAA,MACA,GAAI,CAAA;AAAA,KACN;AACA,IAAA,MAAM,2BAA2B,yBAA0B,EAAA;AAC3D,IAAM,MAAA,kBAAA,GAAqB,IAAIC,iDAAkC,CAAA;AAAA,MAC/D,IAAM,EAAA;AAAA,QACJ,WAAW,GAAI,CAAA,SAAA;AAAA,QACf,gBAAkB,EAAA,0BAAA;AAAA,QAClB,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,QAAQ,GAAI,CAAA;AAAA;AACd,KACD,CAAA;AAED,IAAA,MAAM,eAAkB,GAAA,GAAA,CAAI,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAA;AAC1E,IAAA,IAAI,eAAiB,EAAA;AACnB,MAAI,GAAA,CAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAEjD,MAAA,GAAA,CAAI,MAAO,CAAA,SAAA;AAAA,QACT,MAAMC,qCAAqB,CAAA,KAAA;AAAA,UACzB,GAAI,CAAA,MAAA;AAAA,UACJ,GAAI,CAAA,OAAA;AAAA,UACJ,GAAI,CAAA,MAAA;AAAA,UACJ,gBAAA;AAAA,UACAV,kBAAA;AAAA,UACA,mBAAA;AAAA,UACA,cAAA;AAAA,UACA,kBAAA;AAAA,UACA,GAAI,CAAA;AAAA;AACN,OACF;AAAA,KACK,MAAA;AACL,MAAA,GAAA,CAAI,MAAO,CAAA,IAAA;AAAA,QACT;AAAA,OACF;AAEA,MAAA,GAAA,CAAI,MAAO,CAAA,SAAA,CAAU,IAAIW,6BAAA,EAAgB,CAAA;AAAA;AAG3C,IAAA,MAAM,OAA6B,GAAA;AAAA,MACjC,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,MAAM,GAAI,CAAA,IAAA;AAAA,MACV,UAAU,GAAI,CAAA,QAAA;AAAA,MACd,aAAa,GAAI,CAAA,WAAA;AAAA,MACjB,qBAAqB,GAAI,CAAA,mBAAA;AAAA,MACzB,SAAS,GAAI,CAAA;AAAA,KACf;AAEA,IAAA,MAAM,SAAS,IAAIC,8BAAA;AAAA,MACjB,OAAA;AAAA,MACAZ,kBAAA;AAAA,MACA,gBAAA;AAAA,MACA,kBAAA;AAAA,MACA,mBAAA;AAAA,MACA,qBAAA;AAAA,MACA,0BAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,OAAO,KAAM,EAAA;AAAA;AAExB;;;;"}
package/migrations/20260216100000_add_is_default_to_role_metadata.js ADDED
@@ -0,0 +1,43 @@
1
+ /*
2
+ * Copyright 2024 The Backstage Authors
3
+ *
4
+ * Licensed under the Apache License, Version 2.0 (the "License");
5
+ * you may not use this file except in compliance with the License.
6
+ * You may obtain a copy of the License at
7
+ *
8
+ * http://www.apache.org/licenses/LICENSE-2.0
9
+ *
10
+ * Unless required by applicable law or agreed to in writing, software
11
+ * distributed under the License is distributed on an "AS IS" BASIS,
12
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ * See the License for the specific language governing permissions and
14
+ * limitations under the License.
15
+ */
16
+
17
+ exports.up = async function up(knex) {
18
+ const roleMetadataExist = await knex.schema.hasTable('role-metadata');
19
+ if (roleMetadataExist) {
20
+ const hasColumn = await knex.schema.hasColumn('role-metadata', 'isDefault');
21
+ if (!hasColumn) {
22
+ await knex.schema.alterTable('role-metadata', table => {
23
+ table.boolean('isDefault').defaultTo(false);
24
+ });
25
+ }
26
+ }
27
+ };
28
+
29
+ /**
30
+ * @param { import("knex").Knex } knex
31
+ * @returns { Promise<void> }
32
+ */
33
+ exports.down = async function down(knex) {
34
+ const roleMetadataExist = await knex.schema.hasTable('role-metadata');
35
+ if (roleMetadataExist) {
36
+ const hasColumn = await knex.schema.hasColumn('role-metadata', 'isDefault');
37
+ if (hasColumn) {
38
+ await knex.schema.alterTable('role-metadata', table => {
39
+ table.dropColumn('isDefault');
40
+ });
41
+ }
42
+ }
43
+ };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage-community/plugin-rbac-backend",
3
- "version": "7.10.0",
3
+ "version": "7.11.0",
4
4
  "main": "dist/index.cjs.js",
5
5
  "types": "dist/index.d.ts",
6
6
  "license": "Apache-2.0",
@@ -36,15 +36,14 @@
36
36
  "postpack": "backstage-cli package postpack"
37
37
  },
38
38
  "dependencies": {
39
- "@backstage-community/plugin-rbac-common": "^1.24.1",
40
- "@backstage-community/plugin-rbac-node": "^1.19.0",
39
+ "@backstage-community/plugin-rbac-common": "^1.25.0",
40
+ "@backstage-community/plugin-rbac-node": "^1.19.1",
41
41
  "@backstage/backend-defaults": "^0.15.2",
42
42
  "@backstage/backend-plugin-api": "^1.7.0",
43
43
  "@backstage/catalog-client": "^1.13.0",
44
44
  "@backstage/catalog-model": "^1.7.6",
45
+ "@backstage/config": "^1.3.6",
45
46
  "@backstage/errors": "^1.2.7",
46
- "@backstage/plugin-auth-node": "^0.6.13",
47
- "@backstage/plugin-permission-backend": "^0.7.9",
48
47
  "@backstage/plugin-permission-common": "^0.9.6",
49
48
  "@backstage/plugin-permission-node": "^0.10.10",
50
49
  "@dagrejs/graphlib": "^2.1.13",
@@ -63,18 +62,15 @@
63
62
  "devDependencies": {
64
63
  "@backstage/backend-test-utils": "^1.11.0",
65
64
  "@backstage/cli": "^0.35.4",
66
- "@backstage/config": "^1.3.6",
67
65
  "@backstage/core-plugin-api": "^1.12.3",
68
66
  "@backstage/plugin-catalog-node": "^2.0.0",
69
67
  "@backstage/types": "^1.2.2",
70
68
  "@types/express": "4.17.25",
71
69
  "@types/js-yaml": "^4.0.9",
72
- "@types/knex": "^0.16.1",
73
70
  "@types/lodash": "^4.14.151",
74
71
  "@types/node": "22.19.11",
75
72
  "@types/supertest": "7.2.0",
76
73
  "knex-mock-client": "3.0.2",
77
- "msw": "1.3.5",
78
74
  "qs": "6.14.1",
79
75
  "supertest": "7.2.2"
80
76
  },