@backstage/backend-defaults 0.3.0-next.2 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,67 @@
 # @backstage/backend-defaults
 
+## 0.3.0
+
+### Minor Changes
+
+- 662dce8: **BREAKING**: The `workdir` argument have been removed from The `GerritUrlReader` constructor.
+
+  **BREAKING**: The Gerrit `readTree` implementation will now only use the Gitiles api. Support
+  for using git to clone the repo has been removed.
+
+- 02103be: Deprecated and moved over core services to `@backstage/backend-defaults`
+
+### Patch Changes
+
+- 1897169: Exposed `DefaultSchedulerService`
+- b5bc997: Refactor cache manager inline types.
+- e171620: Remove dependency with `@backstage/backend-commons` package.
+- 6551b3d: Added core service factories and implementations from
+  `@backstage/backend-app-api`. They are now available as subpath exports, e.g.
+  `@backstage/backend-defaults/scheduler` is where the service factory and default
+  implementation of `coreServices.scheduler` now lives. They have been marked as
+  deprecated in their old locations.
+- 8aab451: Internal minor refactors of the database connectors
+- 0634fdc: Deprecated `dropDatabase`
+- b2ee7f3: Moved over all URL reader functionality from `@backstage/backend-common` to `@backstage/backend-defaults/urlReader`. Please update your imports.
+- 9539a0b: Added `@backstage/backend-defaults/auth`, `@backstage/backend-defaults/httpAuth`, and `@backstage/backend-defaults/userInfo` to house their respective backend service factories. You should now import these services from those new locations, instead of `@backstage/backend-app-api`.
+- Updated dependencies
+  - @backstage/backend-app-api@0.7.6
+  - @backstage/backend-common@0.23.0
+  - @backstage/backend-plugin-api@0.6.19
+  - @backstage/plugin-auth-node@0.4.14
+  - @backstage/integration@1.12.0
+  - @backstage/plugin-events-node@0.3.5
+  - @backstage/plugin-permission-node@0.7.30
+  - @backstage/cli-common@0.1.14
+  - @backstage/config-loader@1.8.1
+  - @backstage/backend-dev-utils@0.1.4
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/integration-aws-node@0.1.12
+  - @backstage/types@1.1.1
+
+## 0.3.0-next.3
+
+### Patch Changes
+
+- 1897169: Exposed `DefaultSchedulerService`
+- 8aab451: Internal minor refactors of the database connectors
+- b2ee7f3: Moved over all URL reader functionality from `@backstage/backend-common` to `@backstage/backend-defaults/urlReader`. Please update your imports.
+- Updated dependencies
+  - @backstage/backend-plugin-api@0.6.19-next.3
+  - @backstage/integration@1.12.0-next.1
+  - @backstage/plugin-permission-node@0.7.30-next.3
+  - @backstage/plugin-events-node@0.3.5-next.2
+  - @backstage/backend-common@0.23.0-next.3
+  - @backstage/backend-app-api@0.7.6-next.3
+  - @backstage/config-loader@1.8.1-next.0
+  - @backstage/backend-dev-utils@0.1.4
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/integration-aws-node@0.1.12
+  - @backstage/types@1.1.1
+
 ## 0.3.0-next.2
 
 ### Patch Changes

package/auth/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@backstage/backend-defaults",
+  "version": "0.3.0",
+  "main": "../dist/auth.cjs.js",
+  "types": "../dist/auth.d.ts"
+}

package/cache/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/backend-defaults",
-  "version": "0.3.0-next.2",
+  "version": "0.3.0",
   "main": "../dist/cache.cjs.js",
   "types": "../dist/cache.d.ts"
 }

package/config.d.ts

@@ -15,6 +15,283 @@
  */
 
 export interface Config {
+  backend?: {
+    /**
+     * Options used by the default auth, httpAuth and userInfo services.
+     */
+    auth?: {
+      /**
+       * This disables the otherwise default auth policy, which requires all
+       * requests to be authenticated with either user or service credentials.
+       *
+       * Disabling this check means that the backend will no longer block
+       * unauthenticated requests, but instead allow them to pass through to
+       * plugins.
+       *
+       * If permissions are enabled, unauthenticated requests will be treated
+       * exactly as such, leaving it to the permission policy to determine what
+       * permissions should be allowed for an unauthenticated identity. Note
+       * that this will also apply to service-to-service calls between plugins
+       * unless you configure credentials for service calls.
+       */
+      dangerouslyDisableDefaultAuthPolicy?: boolean;
+
+      /** Controls how to store keys for plugin-to-plugin auth */
+      pluginKeyStore?:
+        | { type: 'database' }
+        | {
+            type: 'static';
+            static: {
+              /**
+               * Must be declared at least once and the first one will be used for signing.
+               */
+              keys: Array<{
+                /**
+                 * Path to the public key file in the SPKI format. Should be an absolute path.
+                 */
+                publicKeyFile: string;
+                /**
+                 * Path to the matching private key file in the PKCS#8 format. Should be an absolute path.
+                 *
+                 * The first array entry must specify a private key file, the rest must not.
+                 */
+                privateKeyFile?: string;
+                /**
+                 * ID to uniquely identify this key within the JWK set.
+                 */
+                keyId: string;
+                /**
+                 * JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
+                 * Must match the algorithm used to generate the keys in the provided files
+                 */
+                algorithm?: string;
+              }>;
+            };
+          };
+
+      /**
+       * Configures methods of external access, ie ways for callers outside of
+       * the Backstage ecosystem to get authorized for access to APIs that do
+       * not permit unauthorized access.
+       */
+      externalAccess: Array<
+        | {
+            /**
+             * This is the legacy service-to-service access method, where a set
+             * of static keys were shared among plugins and used for symmetric
+             * signing and verification. These correspond to the old
+             * `backend.auth.keys` set and retain their behavior for backwards
+             * compatibility. Please migrate to other access methods when
+             * possible.
+             *
+             * Callers generate JWT tokens with the following payload:
+             *
+             * ```json
+             * {
+             *   "sub": "backstage-plugin",
+             *   "exp": <epoch seconds one hour in the future>
+             * }
+             * ```
+             *
+             * And sign them with HS256, using the base64 decoded secret. The
+             * tokens are then passed along with requests in the Authorization
+             * header:
+             *
+             * ```
+             * Authorization: Bearer eyJhbGciOiJIUzI...
+             * ```
+             */
+            type: 'legacy';
+            options: {
+              /**
+               * Any set of base64 encoded random bytes to be used as both the
+               * signing and verification key. Should be sufficiently long so as
+               * not to be easy to guess by brute force.
+               *
+               * Can be generated eg using
+               *
+               * ```sh
+               * node -p 'require("crypto").randomBytes(24).toString("base64")'
+               * ```
+               *
+               * @visibility secret
+               */
+              secret: string;
+
+              /**
+               * Sets the subject of the principal, when matching this token.
+               * Useful for debugging and tracking purposes.
+               */
+              subject: string;
+            };
+            /**
+             * Restricts what types of access that are permitted for this access
+             * method. If no access restrictions are given, it'll have unlimited
+             * access. This access restriction applies for the framework level;
+             * individual plugins may have their own access control mechanisms
+             * on top of this.
+             */
+            accessRestrictions?: Array<{
+              /**
+               * Permit access to make requests to this plugin.
+               *
+               * Can be further refined by setting additional fields below.
+               */
+              plugin: string;
+              /**
+               * If given, this method is limited to only performing actions
+               * with these named permissions in this plugin.
+               *
+               * Note that this only applies where permissions checks are
+               * enabled in the first place. Endpoints that are not protected by
+               * the permissions system at all, are not affected by this
+               * setting.
+               */
+              permission?: string | Array<string>;
+              /**
+               * If given, this method is limited to only performing actions
+               * whose permissions have these attributes.
+               *
+               * Note that this only applies where permissions checks are
+               * enabled in the first place. Endpoints that are not protected by
+               * the permissions system at all, are not affected by this
+               * setting.
+               */
+              permissionAttribute?: {
+                /**
+                 * One of more of 'create', 'read', 'update', or 'delete'.
+                 */
+                action?: string | Array<string>;
+              };
+            }>;
+          }
+        | {
+            /**
+             * This access method consists of random static tokens that can be
+             * handed out to callers.
+             *
+             * The tokens are then passed along verbatim with requests in the
+             * Authorization header:
+             *
+             * ```
+             * Authorization: Bearer eZv5o+fW3KnR3kVabMW4ZcDNLPl8nmMW
+             * ```
+             */
+            type: 'static';
+            options: {
+              /**
+               * A raw token that can be any string, but for security reasons
+               * should be sufficiently long so as not to be easy to guess by
+               * brute force.
+               *
+               * Can be generated eg using
+               *
+               * ```sh
+               * node -p 'require("crypto").randomBytes(24).toString("base64")'
+               * ```
+               *
+               * Since the tokens can be any string, you are free to add
+               * additional identifying data to them if you like. For example,
+               * adding a `freben-local-dev-` prefix for debugging purposes to a
+               * token that you know will be handed out for use as a personal
+               * access token during development.
+               *
+               * @visibility secret
+               */
+              token: string;
+
+              /**
+               * Sets the subject of the principal, when matching this token.
+               * Useful for debugging and tracking purposes.
+               */
+              subject: string;
+            };
+            /**
+             * Restricts what types of access that are permitted for this access
+             * method. If no access restrictions are given, it'll have unlimited
+             * access. This access restriction applies for the framework level;
+             * individual plugins may have their own access control mechanisms
+             * on top of this.
+             */
+            accessRestrictions?: Array<{
+              /**
+               * Permit access to make requests to this plugin.
+               *
+               * Can be further refined by setting additional fields below.
+               */
+              plugin: string;
+              /**
+               * If given, this method is limited to only performing actions
+               * with these named permissions in this plugin.
+               *
+               * Note that this only applies where permissions checks are
+               * enabled in the first place. Endpoints that are not protected by
+               * the permissions system at all, are not affected by this
+               * setting.
+               */
+              permission?: string | Array<string>;
+              /**
+               * If given, this method is limited to only performing actions
+               * whose permissions have these attributes.
+               *
+               * Note that this only applies where permissions checks are
+               * enabled in the first place. Endpoints that are not protected by
+               * the permissions system at all, are not affected by this
+               * setting.
+               */
+              permissionAttribute?: {
+                /**
+                 * One of more of 'create', 'read', 'update', or 'delete'.
+                 */
+                action?: string | Array<string>;
+              };
+            }>;
+          }
+        | {
+            /**
+             * This access method consists of a JWKS endpoint that can be used to
+             * verify JWT tokens.
+             *
+             * Callers generate JWT tokens via 3rd party tooling
+             * and pass them in the Authorization header:
+             *
+             * ```
+             * Authorization: Bearer eZv5o+fW3KnR3kVabMW4ZcDNLPl8nmMW
+             * ```
+             */
+            type: 'jwks';
+            options: {
+              /**
+               * The full URL of the JWKS endpoint.
+               */
+              url: string;
+              /**
+               * Sets the algorithm(s) that should be used to verify the JWT tokens.
+               * The passed JWTs must have been signed using one of the listed algorithms.
+               */
+              algorithm?: string | string[];
+              /**
+               * Sets the issuer(s) that should be used to verify the JWT tokens.
+               * Passed JWTs must have an `iss` claim which matches one of the specified issuers.
+               */
+              issuer?: string | string[];
+              /**
+               * Sets the audience(s) that should be used to verify the JWT tokens.
+               * The passed JWTs must have an "aud" claim that matches one of the audiences specified,
+               * or have no audience specified.
+               */
+              audience?: string | string[];
+              /**
+               * Sets an optional subject prefix. Passes the subject to called plugins.
+               * Useful for debugging and tracking purposes.
+               */
+              subjectPrefix?: string;
+            };
+          }
+      >;
+    };
+  };
+
   /**
    * Options used by the default discovery service.
    */

package/database/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/backend-defaults",
-  "version": "0.3.0-next.2",
+  "version": "0.3.0",
   "main": "../dist/database.cjs.js",
   "types": "../dist/database.d.ts"
 }

package/discovery/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/backend-defaults",
-  "version": "0.3.0-next.2",
+  "version": "0.3.0",
   "main": "../dist/discovery.cjs.js",
   "types": "../dist/discovery.d.ts"
 }