@backstage/backend-defaults 0.9.0-next.1 → 0.9.0

package/CHANGELOG.md

@@ -1,5 +1,66 @@
 # @backstage/backend-defaults
 
+## 0.9.0
+
+### Minor Changes
+
+- 1daedce: Remove Throttle of Bitbucket Server API calls
+- 01edf6e: Allow pass through of redis client and cluster options to Cache core service
+- cf4eb13: Added `actor` property to `BackstageUserPrincipal` containing the subject of the last service (if any) who performed authentication on behalf of the user.
+
+### Patch Changes
+
+- 7c6740e: Implemented SRV lookup support in the default `HostDiscovery`. You can now specify internal URLs on the form `http+srv://some-srv-name/api/{{pluginId}}` and they will be resolved in real time.
+- 939116c: Added an optional `backend.trustProxy` app config value, which sets the
+  corresponding [Express.js `trust proxy`](https://expressjs.com/en/guide/behind-proxies.html) setting. This lets
+  you easily configure proxy trust without making a custom `configure` callback
+  for the `rootHttpRouter` service.
+
+  If you already are using a custom `configure` callback, and if that also _does not_ call `applyDefaults()`, you may want to add the following to it:
+
+  ```ts
+  const trustProxy = config.getOptional('backend.trustProxy');
+  if (trustProxy !== undefined) {
+    app.set('trust proxy', trustProxy);
+  }
+  ```
+
+- 175528c: Adds `backend.auditor.severityLogLevelMappings` to map severity levels to log levels.
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.3.0
+  - @backstage/integration@1.16.3
+  - @backstage/backend-app-api@1.2.2
+  - @backstage/plugin-auth-node@0.6.2
+  - @backstage/plugin-permission-node@0.9.1
+  - @backstage/backend-dev-utils@0.1.5
+  - @backstage/cli-node@0.2.13
+  - @backstage/config@1.3.2
+  - @backstage/config-loader@1.10.0
+  - @backstage/errors@1.2.7
+  - @backstage/integration-aws-node@0.1.15
+  - @backstage/types@1.2.1
+  - @backstage/plugin-events-node@0.4.10
+
+## 0.9.0-next.2
+
+### Patch Changes
+
+- 175528c: Adds `backend.auditor.severityLogLevelMappings` to map severity levels to log levels.
+- Updated dependencies
+  - @backstage/backend-app-api@1.2.1
+  - @backstage/backend-dev-utils@0.1.5
+  - @backstage/backend-plugin-api@1.2.1
+  - @backstage/cli-node@0.2.13
+  - @backstage/config@1.3.2
+  - @backstage/config-loader@1.10.0
+  - @backstage/errors@1.2.7
+  - @backstage/integration@1.16.3-next.0
+  - @backstage/integration-aws-node@0.1.15
+  - @backstage/types@1.2.1
+  - @backstage/plugin-auth-node@0.6.1
+  - @backstage/plugin-events-node@0.4.9
+  - @backstage/plugin-permission-node@0.9.0
+
 ## 0.9.0-next.1
 
 ### Patch Changes

package/config.d.ts

@@ -51,6 +51,19 @@ export interface Config {
       serverShutdownDelay?: string | HumanDuration;
     };
 
+    /**
+     * Corresponds to the Express `trust proxy` setting.
+     *
+     * @see https://expressjs.com/en/guide/behind-proxies.html
+     * @remarks
+     *
+     * This setting is used to determine whether the backend should trust the
+     * `X-Forwarded-*` headers that are set by proxies. This is important for
+     * determining the original client IP address and protocol (HTTP/HTTPS) when
+     * the backend is behind a reverse proxy or load balancer.
+     */
+    trustProxy?: boolean | number | string | string[];
+
     /** Address that the backend should listen to. */
     listen?:
       | string
@@ -82,6 +95,32 @@ export interface Config {
           };
         };
 
+    /**
+     * Options used by the default auditor service.
+     */
+    auditor?: {
+      /**
+       * Defines how audit event severity levels are mapped to log levels.
+       * This allows you to control the verbosity of audit logs based on the
+       * severity of the event. For example, you might want to log 'low' severity
+       * events as 'debug' messages, while logging 'critical' events as 'error'
+       * messages. Each severity level ('low', 'medium', 'high', 'critical')
+       * can be mapped to one of the standard log levels ('debug', 'info', 'warn', 'error').
+       *
+       * By default, audit events are mapped to log levels as follows:
+       * - `low`: `debug`
+       * - `medium`: `info`
+       * - `high`: `info`
+       * - `critical`: `info`
+       */
+      severityLogLevelMappings?: {
+        low?: 'debug' | 'info' | 'warn' | 'error';
+        medium?: 'debug' | 'info' | 'warn' | 'error';
+        high?: 'debug' | 'info' | 'warn' | 'error';
+        critical?: 'debug' | 'info' | 'warn' | 'error';
+      };
+    };
+
     /**
      * Options used by the default auth, httpAuth and userInfo services.
      */
@@ -704,18 +743,62 @@ export interface Config {
    */
   discovery?: {
     /**
-     * A list of target baseUrls and the associated plugins.
+     * A list of target base URLs and their associated plugins.
+     *
+     * @example
+     *
+     * ```yaml
+     * discovery:
+     *   endpoints:
+     *     - target: https://internal.example.com/internal-catalog
+     *       plugins: [catalog]
+     *     - target: https://internal.example.com/secure/api/{{pluginId}}
+     *       plugins: [auth, permission]
+     *     - target:
+     *         internal: http+srv://backstage-plugin-{{pluginId}}.http.${SERVICE_DOMAIN}/search
+     *         external: https://example.com/search
+     *       plugins: [search]
+     * ```
      */
     endpoints: Array<{
       /**
-       * The target base URL to use for the plugin.
+       * The target base URL to use for the given set of plugins. Note that this
+       * needs to be a full URL including the protocol and path parts that fully
+       * address the root of a plugin's API endpoints.
+       *
+       * @remarks
+       *
+       * Can be either a single URL or an object where you can explicitly give a
+       * dedicated URL for internal (as seen from the backend) and/or external (as
+       * seen from the frontend) lookups.
        *
-       * Can be either a string or an object with internal and external keys.
-       * Targets with `{{pluginId}}` or `{{ pluginId }} in the URL will be replaced with the plugin ID.
+       * The default behavior is to use the backend base URL for external lookups,
+       * and a URL formed from the `.listen` and `.https` configs for internal
+       * lookups. Adding discovery endpoints as described here overrides one or both
+       * of those behaviors for a given set of plugins.
+       *
+       * URLs can be in the form of a regular HTTP or HTTPS URL if you are using
+       * A/AAAA/CNAME records or IP addresses. Specifically for internal URLs, if
+       * you add `+src` to the protocol part then the hostname is treated as an SRV
+       * record name and resolved. For example, if you pass in
+       * `http+srv://<srv-record>/path` then the record part is resolved into an
+       * actual host and port (with random weighted choice as usual when there is
+       * more than one match).
+       *
+       * Any strings with `{{pluginId}}` or `{{ pluginId }}` placeholders in them
+       * will have them replaced with the plugin ID.
+       *
+       * Example URLs:
+       *
+       * - `https://internal.example.com/secure/api/{{pluginId}}`
+       * - `http+srv://backstage-plugin-{{pluginId}}.http.${SERVICE_DOMAIN}/api/{{pluginId}}`
+       *   (can only be used in the `internal` key)
        */
       target: string | { internal?: string; external?: string };
       /**
-       * Array of plugins which use the target base URL.
+       * Array of plugins which use that target base URL.
+       *
+       * The special value `*` can be used to match all plugins.
        */
       plugins: string[];
     }>;

package/dist/discovery.d.ts

@@ -1,5 +1,5 @@
 import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
-import { DiscoveryService, RootConfigService } from '@backstage/backend-plugin-api';
+import { LoggerService, DiscoveryService, RootConfigService } from '@backstage/backend-plugin-api';
 
 /**
  * Service discovery for inter-plugin communication.
@@ -13,49 +13,118 @@ import { DiscoveryService, RootConfigService } from '@backstage/backend-plugin-a
 declare const discoveryServiceFactory: _backstage_backend_plugin_api.ServiceFactory<_backstage_backend_plugin_api.DiscoveryService, "plugin", "singleton">;
 
 /**
- * HostDiscovery is a basic DiscoveryService implementation
- * that can handle plugins that are hosted in a single or multiple deployments.
+ * A list of target base URLs and their associated plugins.
  *
- * The deployment may be scaled horizontally, as long as the external URL
- * is the same for all instances. However, internal URLs will always be
- * resolved to the same host, so there won't be any balancing of internal traffic.
+ * @public
+ */
+interface HostDiscoveryEndpoint {
+    /**
+     * The target base URL to use for the given set of plugins. Note that this
+     * needs to be a full URL _including_ the protocol and path parts that fully
+     * address the root of a plugin's API endpoints.
+     *
+     * @remarks
+     *
+     * Can be either a single URL or an object where you can explicitly give a
+     * dedicated URL for internal (as seen from the backend) and/or external (as
+     * seen from the frontend) lookups.
+     *
+     * The default behavior is to use the backend base URL for external lookups,
+     * and a URL formed from the `.listen` and `.https` configs for internal
+     * lookups. Adding discovery endpoints as described here overrides one or both
+     * of those behaviors for a given set of plugins.
+     *
+     * URLs can be in the form of a regular HTTP or HTTPS URL if you are using
+     * A/AAAA/CNAME records or IP addresses. Specifically for internal URLs, if
+     * you add `+src` to the protocol part then the hostname is treated as an SRV
+     * record name and resolved. For example, if you pass in
+     * `http+srv://<record>/path` then the record part is resolved into an
+     * actual host and port (with random weighted choice as usual when there is
+     * more than one match).
+     *
+     * Any strings with `{{pluginId}}` or `{{ pluginId }}` placeholders in them
+     * will have them replaced with the plugin ID.
+     *
+     * Example URLs:
+     *
+     * - `https://internal.example.com/secure/api/{{ pluginId }}`
+     * - `http+srv://backstage-plugin-{{pluginId}}.http.services.company.net/api/{{pluginId}}`
+     *   (can only be used in the `internal` key)
+     */
+    target: string | {
+        internal?: string;
+        external?: string;
+    };
+    /**
+     * Array of plugins which use that target base URL.
+     *
+     * The special value `*` can be used to match all plugins.
+     */
+    plugins: string[];
+}
+/**
+ * Options for the {@link HostDiscovery} class.
  *
  * @public
  */
-declare class HostDiscovery implements DiscoveryService {
-    private readonly internalBaseUrl;
-    private readonly externalBaseUrl;
-    private readonly discoveryConfig;
+interface HostDiscoveryOptions {
+    /**
+     * The logger to use.
+     */
+    logger: LoggerService;
     /**
-     * Creates a new HostDiscovery discovery instance by reading
-     * from the `backend` config section, specifically the `.baseUrl` for
-     * discovering the external URL, and the `.listen` and `.https` config
-     * for the internal one.
-     *
-     * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
-     * eg.
-     *
-     * ```yaml
-     * discovery:
-     *  endpoints:
-     *    - target: https://internal.example.com/internal-catalog
-     *      plugins: [catalog]
-     *    - target: https://internal.example.com/secure/api/{{pluginId}}
-     *      plugins: [auth, permission]
-     *    - target:
-     *        internal: https://internal.example.com/search
-     *        external: https://example.com/search
-     *      plugins: [search]
-     * ```
-     *
-     * The fixed base path is `/api`, meaning the default full internal
-     * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
+     * A default set of endpoints to use.
+     *
+     * @remarks
+     *
+     * These endpoints have lower priority than any that are defined in
+     * app-config, but higher priority than the fallback ones.
+     *
+     * This parameter is usedful for example if you want to provide a shared
+     * library of core services to your plugin developers, which is set up for the
+     * default behaviors in your org. This alleviates the need for replicating any
+     * given set of endpoint config in every backend that you deploy.
      */
-    static fromConfig(config: RootConfigService): HostDiscovery;
+    defaultEndpoints?: HostDiscoveryEndpoint[];
+}
+/**
+ * A basic {@link @backstage/backend-plugin-api#DiscoveryService} implementation
+ * that can handle plugins that are hosted in a single or multiple deployments.
+ *
+ * @public
+ * @remarks
+ *
+ * Configuration is read from the `backend` config section, specifically the
+ * `.baseUrl` for discovering the external URL, and the `.listen` and `.https`
+ * config for the internal one. The fixed base path for these is `/api`, meaning
+ * for example the default full internal path for the `catalog` plugin typically
+ * will be `http://localhost:7007/api/catalog`.
+ *
+ * Those defaults can be overridden by providing a target and corresponding
+ * plugins in `discovery.endpoints`, e.g.:
+ *
+ * ```yaml
+ * discovery:
+ *   endpoints:
+ *     # Set a static internal and external base URL for a plugin
+ *     - target: https://internal.example.com/internal-catalog
+ *       plugins: [catalog]
+ *     # Sets a dynamic internal and external base URL pattern for two plugins
+ *     - target: https://internal.example.com/secure/api/{{pluginId}}
+ *       plugins: [auth, permission]
+ *     # Sets a dynamic base URL pattern for only the internal resolution for all
+ *     # other plugins, while leaving the external resolution unaffected
+ *     - target:
+ *         internal: http+srv://backstage-plugin-{{pluginId}}.http.${SERVICE_DOMAIN}/api/{{pluginId}}
+ *       plugins: [*]
+ * ```
+ */
+declare class HostDiscovery implements DiscoveryService {
+    #private;
+    static fromConfig(config: RootConfigService, options?: HostDiscoveryOptions): HostDiscovery;
     private constructor();
-    private getTargetFromConfig;
     getBaseUrl(pluginId: string): Promise<string>;
     getExternalBaseUrl(pluginId: string): Promise<string>;
 }
 
-export { HostDiscovery, discoveryServiceFactory };
+export { HostDiscovery, type HostDiscoveryEndpoint, type HostDiscoveryOptions, discoveryServiceFactory };

package/dist/entrypoints/auditor/auditorServiceFactory.cjs.js

@@ -2,25 +2,51 @@
 
 var backendPluginApi = require('@backstage/backend-plugin-api');
 var DefaultAuditorService = require('./DefaultAuditorService.cjs.js');
+var zod = require('zod');
+var errors = require('@backstage/errors');
 
+const CONFIG_ROOT_KEY = "backend.auditor";
+const severityLogLevelMappingsSchema = zod.z.record(
+  zod.z.enum(["low", "medium", "high", "critical"]),
+  zod.z.enum(["debug", "info", "warn", "error"])
+);
 const auditorServiceFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.auditor,
   deps: {
+    config: backendPluginApi.coreServices.rootConfig,
     logger: backendPluginApi.coreServices.logger,
     auth: backendPluginApi.coreServices.auth,
     httpAuth: backendPluginApi.coreServices.httpAuth,
     plugin: backendPluginApi.coreServices.pluginMetadata
   },
-  factory({ logger, plugin, auth, httpAuth }) {
+  factory({ config, logger, plugin, auth, httpAuth }) {
     const auditLogger = logger.child({ isAuditEvent: true });
+    const auditorConfig = config.getOptionalConfig(CONFIG_ROOT_KEY);
+    const severityLogLevelMappings = {
+      low: auditorConfig?.getOptionalString("severityLogLevelMappings.low") ?? "debug",
+      medium: auditorConfig?.getOptionalString("severityLogLevelMappings.medium") ?? "info",
+      high: auditorConfig?.getOptionalString("severityLogLevelMappings.high") ?? "info",
+      critical: auditorConfig?.getOptionalString("severityLogLevelMappings.critical") ?? "info"
+    };
+    const res = severityLogLevelMappingsSchema.safeParse(
+      severityLogLevelMappings
+    );
+    if (!res.success) {
+      const key = res.error.issues.at(0)?.path.at(0);
+      const value = res.error.issues.at(0).received;
+      const validKeys = res.error.issues.at(0).options;
+      throw new errors.InputError(
+        `The configuration value for 'backend.auditor.severityLogLevelMappings.${key}' was given an invalid value: '${value}'. Expected one of the following valid values: '${validKeys.join(
+          ", "
+        )}'.`
+      );
+    }
     return DefaultAuditorService.DefaultAuditorService.create(
       (event) => {
-        const message = `${event.plugin}.${event.eventId}`;
-        if (event.severityLevel === "low") {
-          auditLogger.debug(message, event);
-        } else {
-          auditLogger.info(message, event);
-        }
+        auditLogger[severityLogLevelMappings[event.severityLevel]](
+          `${event.plugin}.${event.eventId}`,
+          event
+        );
       },
       { plugin, auth, httpAuth }
     );

package/dist/entrypoints/auditor/auditorServiceFactory.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"auditorServiceFactory.cjs.js","sources":["../../../src/entrypoints/auditor/auditorServiceFactory.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createServiceFactory,\n} from '@backstage/backend-plugin-api';\nimport { DefaultAuditorService } from './DefaultAuditorService';\n\n/**\n * Plugin-level auditing.\n *\n * See {@link @backstage/code-plugin-api#AuditorService}\n * and {@link https://backstage.io/docs/backend-system/core-services/auditor | the service docs}\n * for more information.\n *\n * @public\n */\nexport const auditorServiceFactory = createServiceFactory({\n  service: coreServices.auditor,\n  deps: {\n    logger: coreServices.logger,\n    auth: coreServices.auth,\n    httpAuth: coreServices.httpAuth,\n    plugin: coreServices.pluginMetadata,\n  },\n  factory({ logger, plugin, auth, httpAuth }) {\n    const auditLogger = logger.child({ isAuditEvent: true });\n    return DefaultAuditorService.create(\n      event => {\n        const message = `${event.plugin}.${event.eventId}`;\n        if (event.severityLevel === 'low') {\n          auditLogger.debug(message, event);\n        } else {\n          auditLogger.info(message, event);\n        }\n      },\n      { plugin, auth, httpAuth },\n    );\n  },\n});\n"],"names":["createServiceFactory","coreServices","DefaultAuditorService"],"mappings":";;;;;AA+BO,MAAM,wBAAwBA,qCAAqB,CAAA;AAAA,EACxD,SAASC,6BAAa,CAAA,OAAA;AAAA,EACtB,IAAM,EAAA;AAAA,IACJ,QAAQA,6BAAa,CAAA,MAAA;AAAA,IACrB,MAAMA,6BAAa,CAAA,IAAA;AAAA,IACnB,UAAUA,6BAAa,CAAA,QAAA;AAAA,IACvB,QAAQA,6BAAa,CAAA;AAAA,GACvB;AAAA,EACA,QAAQ,EAAE,MAAA,EAAQ,MAAQ,EAAA,IAAA,EAAM,UAAY,EAAA;AAC1C,IAAA,MAAM,cAAc,MAAO,CAAA,KAAA,CAAM,EAAE,YAAA,EAAc,MAAM,CAAA;AACvD,IAAA,OAAOC,2CAAsB,CAAA,MAAA;AAAA,MAC3B,CAAS,KAAA,KAAA;AACP,QAAA,MAAM,UAAU,CAAG,EAAA,KAAA,CAAM,MAAM,CAAA,CAAA,EAAI,MAAM,OAAO,CAAA,CAAA;AAChD,QAAI,IAAA,KAAA,CAAM,kBAAkB,KAAO,EAAA;AACjC,UAAY,WAAA,CAAA,KAAA,CAAM,SAAS,KAAK,CAAA;AAAA,SAC3B,MAAA;AACL,UAAY,WAAA,CAAA,IAAA,CAAK,SAAS,KAAK,CAAA;AAAA;AACjC,OACF;AAAA,MACA,EAAE,MAAQ,EAAA,IAAA,EAAM,QAAS;AAAA,KAC3B;AAAA;AAEJ,CAAC;;;;"}
+{"version":3,"file":"auditorServiceFactory.cjs.js","sources":["../../../src/entrypoints/auditor/auditorServiceFactory.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createServiceFactory,\n} from '@backstage/backend-plugin-api';\nimport { DefaultAuditorService } from './DefaultAuditorService';\nimport { z } from 'zod';\nimport { InputError } from '@backstage/errors';\n\nconst CONFIG_ROOT_KEY = 'backend.auditor';\n\nconst severityLogLevelMappingsSchema = z.record(\n  z.enum(['low', 'medium', 'high', 'critical']),\n  z.enum(['debug', 'info', 'warn', 'error']),\n);\n\n/**\n * Plugin-level auditing.\n *\n * See {@link @backstage/code-plugin-api#AuditorService}\n * and {@link https://backstage.io/docs/backend-system/core-services/auditor | the service docs}\n * for more information.\n *\n * @public\n */\nexport const auditorServiceFactory = createServiceFactory({\n  service: coreServices.auditor,\n  deps: {\n    config: coreServices.rootConfig,\n    logger: coreServices.logger,\n    auth: coreServices.auth,\n    httpAuth: coreServices.httpAuth,\n    plugin: coreServices.pluginMetadata,\n  },\n  factory({ config, logger, plugin, auth, httpAuth }) {\n    const auditLogger = logger.child({ isAuditEvent: true });\n    const auditorConfig = config.getOptionalConfig(CONFIG_ROOT_KEY);\n\n    const severityLogLevelMappings = {\n      low:\n        auditorConfig?.getOptionalString('severityLogLevelMappings.low') ??\n        'debug',\n      medium:\n        auditorConfig?.getOptionalString('severityLogLevelMappings.medium') ??\n        'info',\n      high:\n        auditorConfig?.getOptionalString('severityLogLevelMappings.high') ??\n        'info',\n      critical:\n        auditorConfig?.getOptionalString('severityLogLevelMappings.critical') ??\n        'info',\n    } as Required<z.infer<typeof severityLogLevelMappingsSchema>>;\n\n    const res = severityLogLevelMappingsSchema.safeParse(\n      severityLogLevelMappings,\n    );\n    if (!res.success) {\n      const key = res.error.issues.at(0)?.path.at(0) as string;\n      const value = (\n        res.error.issues.at(0) as unknown as Record<PropertyKey, unknown>\n      ).received as string;\n      const validKeys = (\n        res.error.issues.at(0) as unknown as Record<PropertyKey, unknown>\n      ).options as string[];\n      throw new InputError(\n        `The configuration value for 'backend.auditor.severityLogLevelMappings.${key}' was given an invalid value: '${value}'. Expected one of the following valid values: '${validKeys.join(\n          ', ',\n        )}'.`,\n      );\n    }\n\n    return DefaultAuditorService.create(\n      event => {\n        auditLogger[severityLogLevelMappings[event.severityLevel]](\n          `${event.plugin}.${event.eventId}`,\n          event,\n        );\n      },\n      { plugin, auth, httpAuth },\n    );\n  },\n});\n"],"names":["z","createServiceFactory","coreServices","InputError","DefaultAuditorService"],"mappings":";;;;;;;AAwBA,MAAM,eAAkB,GAAA,iBAAA;AAExB,MAAM,iCAAiCA,KAAE,CAAA,MAAA;AAAA,EACvCA,MAAE,IAAK,CAAA,CAAC,OAAO,QAAU,EAAA,MAAA,EAAQ,UAAU,CAAC,CAAA;AAAA,EAC5CA,MAAE,IAAK,CAAA,CAAC,SAAS,MAAQ,EAAA,MAAA,EAAQ,OAAO,CAAC;AAC3C,CAAA;AAWO,MAAM,wBAAwBC,qCAAqB,CAAA;AAAA,EACxD,SAASC,6BAAa,CAAA,OAAA;AAAA,EACtB,IAAM,EAAA;AAAA,IACJ,QAAQA,6BAAa,CAAA,UAAA;AAAA,IACrB,QAAQA,6BAAa,CAAA,MAAA;AAAA,IACrB,MAAMA,6BAAa,CAAA,IAAA;AAAA,IACnB,UAAUA,6BAAa,CAAA,QAAA;AAAA,IACvB,QAAQA,6BAAa,CAAA;AAAA,GACvB;AAAA,EACA,QAAQ,EAAE,MAAA,EAAQ,QAAQ,MAAQ,EAAA,IAAA,EAAM,UAAY,EAAA;AAClD,IAAA,MAAM,cAAc,MAAO,CAAA,KAAA,CAAM,EAAE,YAAA,EAAc,MAAM,CAAA;AACvD,IAAM,MAAA,aAAA,GAAgB,MAAO,CAAA,iBAAA,CAAkB,eAAe,CAAA;AAE9D,IAAA,MAAM,wBAA2B,GAAA;AAAA,MAC/B,GACE,EAAA,aAAA,EAAe,iBAAkB,CAAA,8BAA8B,CAC/D,IAAA,OAAA;AAAA,MACF,MACE,EAAA,aAAA,EAAe,iBAAkB,CAAA,iCAAiC,CAClE,IAAA,MAAA;AAAA,MACF,IACE,EAAA,aAAA,EAAe,iBAAkB,CAAA,+BAA+B,CAChE,IAAA,MAAA;AAAA,MACF,QACE,EAAA,aAAA,EAAe,iBAAkB,CAAA,mCAAmC,CACpE,IAAA;AAAA,KACJ;AAEA,IAAA,MAAM,MAAM,8BAA+B,CAAA,SAAA;AAAA,MACzC;AAAA,KACF;AACA,IAAI,IAAA,CAAC,IAAI,OAAS,EAAA;AAChB,MAAM,MAAA,GAAA,GAAM,IAAI,KAAM,CAAA,MAAA,CAAO,GAAG,CAAC,CAAA,EAAG,IAAK,CAAA,EAAA,CAAG,CAAC,CAAA;AAC7C,MAAA,MAAM,QACJ,GAAI,CAAA,KAAA,CAAM,MAAO,CAAA,EAAA,CAAG,CAAC,CACrB,CAAA,QAAA;AACF,MAAA,MAAM,YACJ,GAAI,CAAA,KAAA,CAAM,MAAO,CAAA,EAAA,CAAG,CAAC,CACrB,CAAA,OAAA;AACF,MAAA,MAAM,IAAIC,iBAAA;AAAA,QACR,CAAyE,sEAAA,EAAA,GAAG,CAAkC,+BAAA,EAAA,KAAK,mDAAmD,SAAU,CAAA,IAAA;AAAA,UAC9K;AAAA,SACD,CAAA,EAAA;AAAA,OACH;AAAA;AAGF,IAAA,OAAOC,2CAAsB,CAAA,MAAA;AAAA,MAC3B,CAAS,KAAA,KAAA;AACP,QAAY,WAAA,CAAA,wBAAA,CAAyB,KAAM,CAAA,aAAa,CAAC,CAAA;AAAA,UACvD,CAAG,EAAA,KAAA,CAAM,MAAM,CAAA,CAAA,EAAI,MAAM,OAAO,CAAA,CAAA;AAAA,UAChC;AAAA,SACF;AAAA,OACF;AAAA,MACA,EAAE,MAAQ,EAAA,IAAA,EAAM,QAAS;AAAA,KAC3B;AAAA;AAEJ,CAAC;;;;"}

package/dist/entrypoints/auth/DefaultAuthService.cjs.js

@@ -28,7 +28,8 @@ class DefaultAuthService {
         return helpers.createCredentialsWithUserPrincipal(
           userResult2.userEntityRef,
           pluginResult.limitedUserToken,
-          this.#getJwtExpiration(pluginResult.limitedUserToken)
+          this.#getJwtExpiration(pluginResult.limitedUserToken),
+          pluginResult.subject
         );
       }
       return helpers.createCredentialsWithServicePrincipal(pluginResult.subject);

package/dist/entrypoints/auth/DefaultAuthService.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultAuthService.cjs.js","sources":["../../../src/entrypoints/auth/DefaultAuthService.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstagePrincipalTypes,\n  BackstageServicePrincipal,\n  BackstageUserPrincipal,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError } from '@backstage/errors';\nimport { JsonObject } from '@backstage/types';\nimport { decodeJwt } from 'jose';\nimport { ExternalTokenHandler } from './external/ExternalTokenHandler';\nimport {\n  createCredentialsWithNonePrincipal,\n  createCredentialsWithServicePrincipal,\n  createCredentialsWithUserPrincipal,\n  toInternalBackstageCredentials,\n} from './helpers';\nimport { PluginTokenHandler } from './plugin/PluginTokenHandler';\nimport { PluginKeySource } from './plugin/keys/types';\nimport { UserTokenHandler } from './user/UserTokenHandler';\n\n/** @internal */\nexport class DefaultAuthService implements AuthService {\n  constructor(\n    private readonly userTokenHandler: UserTokenHandler,\n    private readonly pluginTokenHandler: PluginTokenHandler,\n    private readonly externalTokenHandler: ExternalTokenHandler,\n    private readonly pluginId: string,\n    private readonly disableDefaultAuthPolicy: boolean,\n    private readonly pluginKeySource: PluginKeySource,\n  ) {}\n\n  async authenticate(\n    token: string,\n    options?: {\n      allowLimitedAccess?: boolean;\n    },\n  ): Promise<BackstageCredentials> {\n    const pluginResult = await this.pluginTokenHandler.verifyToken(token);\n    if (pluginResult) {\n      if (pluginResult.limitedUserToken) {\n        const userResult = await this.userTokenHandler.verifyToken(\n          pluginResult.limitedUserToken,\n        );\n        if (!userResult) {\n          throw new AuthenticationError(\n            'Invalid user token in plugin token obo claim',\n          );\n        }\n        return createCredentialsWithUserPrincipal(\n          userResult.userEntityRef,\n          pluginResult.limitedUserToken,\n          this.#getJwtExpiration(pluginResult.limitedUserToken),\n        );\n      }\n      return createCredentialsWithServicePrincipal(pluginResult.subject);\n    }\n\n    const userResult = await this.userTokenHandler.verifyToken(token);\n    if (userResult) {\n      if (\n        !options?.allowLimitedAccess &&\n        this.userTokenHandler.isLimitedUserToken(token)\n      ) {\n        throw new AuthenticationError('Illegal limited user token');\n      }\n\n      return createCredentialsWithUserPrincipal(\n        userResult.userEntityRef,\n        token,\n        this.#getJwtExpiration(token),\n      );\n    }\n\n    const externalResult = await this.externalTokenHandler.verifyToken(token);\n    if (externalResult) {\n      return createCredentialsWithServicePrincipal(\n        externalResult.subject,\n        undefined,\n        externalResult.accessRestrictions,\n      );\n    }\n\n    throw new AuthenticationError('Illegal token');\n  }\n\n  isPrincipal<TType extends keyof BackstagePrincipalTypes>(\n    credentials: BackstageCredentials,\n    type: TType,\n  ): credentials is BackstageCredentials<BackstagePrincipalTypes[TType]> {\n    const principal = credentials.principal as\n      | BackstageUserPrincipal\n      | BackstageServicePrincipal;\n\n    if (type === 'unknown') {\n      return true;\n    }\n\n    if (principal.type !== type) {\n      return false;\n    }\n\n    return true;\n  }\n\n  async getNoneCredentials(): Promise<\n    BackstageCredentials<BackstageNonePrincipal>\n  > {\n    return createCredentialsWithNonePrincipal();\n  }\n\n  async getOwnServiceCredentials(): Promise<\n    BackstageCredentials<BackstageServicePrincipal>\n  > {\n    return createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);\n  }\n\n  async getPluginRequestToken(options: {\n    onBehalfOf: BackstageCredentials;\n    targetPluginId: string;\n  }): Promise<{ token: string }> {\n    const { targetPluginId } = options;\n    const internalForward = toInternalBackstageCredentials(options.onBehalfOf);\n    const { type } = internalForward.principal;\n\n    // Since disabling the default policy means we'll be allowing\n    // unauthenticated requests through, we might have unauthenticated\n    // credentials from service calls that reach this point. If that's the case,\n    // we'll want to keep \"forwarding\" the unauthenticated credentials, which we\n    // do by returning an empty token.\n    if (type === 'none' && this.disableDefaultAuthPolicy) {\n      return { token: '' };\n    }\n\n    // check whether a plugin support the new auth system\n    // by checking the public keys endpoint existance.\n    switch (type) {\n      // TODO: Check whether the principal is ourselves\n      case 'service':\n        return this.pluginTokenHandler.issueToken({\n          pluginId: this.pluginId,\n          targetPluginId,\n        });\n      case 'user': {\n        const { token } = internalForward;\n        if (!token) {\n          throw new Error('User credentials is unexpectedly missing token');\n        }\n        const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(\n          token,\n        );\n        return this.pluginTokenHandler.issueToken({\n          pluginId: this.pluginId,\n          targetPluginId,\n          onBehalfOf: {\n            limitedUserToken: onBehalfOf.token,\n            expiresAt: onBehalfOf.expiresAt,\n          },\n        });\n      }\n      default:\n        throw new AuthenticationError(\n          `Refused to issue service token for credential type '${type}'`,\n        );\n    }\n  }\n\n  async getLimitedUserToken(\n    credentials: BackstageCredentials<BackstageUserPrincipal>,\n  ): Promise<{ token: string; expiresAt: Date }> {\n    const { token: backstageToken } =\n      toInternalBackstageCredentials(credentials);\n    if (!backstageToken) {\n      throw new AuthenticationError(\n        'User credentials is unexpectedly missing token',\n      );\n    }\n\n    return this.userTokenHandler.createLimitedUserToken(backstageToken);\n  }\n\n  async listPublicServiceKeys(): Promise<{ keys: JsonObject[] }> {\n    const { keys } = await this.pluginKeySource.listKeys();\n    return { keys: keys.map(({ key }) => key) };\n  }\n\n  #getJwtExpiration(token: string) {\n    const { exp } = decodeJwt(token);\n    if (!exp) {\n      throw new AuthenticationError('User token is missing expiration');\n    }\n    return new Date(exp * 1000);\n  }\n}\n"],"names":["userResult","AuthenticationError","createCredentialsWithUserPrincipal","createCredentialsWithServicePrincipal","createCredentialsWithNonePrincipal","toInternalBackstageCredentials","decodeJwt"],"mappings":";;;;;;AAuCO,MAAM,kBAA0C,CAAA;AAAA,EACrD,YACmB,gBACA,EAAA,kBAAA,EACA,oBACA,EAAA,QAAA,EACA,0BACA,eACjB,EAAA;AANiB,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,oBAAA,GAAA,oBAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,wBAAA,GAAA,wBAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AAAA;AAChB,EAEH,MAAM,YACJ,CAAA,KAAA,EACA,OAG+B,EAAA;AAC/B,IAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,YAAY,KAAK,CAAA;AACpE,IAAA,IAAI,YAAc,EAAA;AAChB,MAAA,IAAI,aAAa,gBAAkB,EAAA;AACjC,QAAMA,MAAAA,WAAAA,GAAa,MAAM,IAAA,CAAK,gBAAiB,CAAA,WAAA;AAAA,UAC7C,YAAa,CAAA;AAAA,SACf;AACA,QAAA,IAAI,CAACA,WAAY,EAAA;AACf,UAAA,MAAM,IAAIC,0BAAA;AAAA,YACR;AAAA,WACF;AAAA;AAEF,QAAO,OAAAC,0CAAA;AAAA,UACLF,WAAW,CAAA,aAAA;AAAA,UACX,YAAa,CAAA,gBAAA;AAAA,UACb,IAAA,CAAK,iBAAkB,CAAA,YAAA,CAAa,gBAAgB;AAAA,SACtD;AAAA;AAEF,MAAO,OAAAG,6CAAA,CAAsC,aAAa,OAAO,CAAA;AAAA;AAGnE,IAAA,MAAM,UAAa,GAAA,MAAM,IAAK,CAAA,gBAAA,CAAiB,YAAY,KAAK,CAAA;AAChE,IAAA,IAAI,UAAY,EAAA;AACd,MAAA,IACE,CAAC,OAAS,EAAA,kBAAA,IACV,KAAK,gBAAiB,CAAA,kBAAA,CAAmB,KAAK,CAC9C,EAAA;AACA,QAAM,MAAA,IAAIF,2BAAoB,4BAA4B,CAAA;AAAA;AAG5D,MAAO,OAAAC,0CAAA;AAAA,QACL,UAAW,CAAA,aAAA;AAAA,QACX,KAAA;AAAA,QACA,IAAA,CAAK,kBAAkB,KAAK;AAAA,OAC9B;AAAA;AAGF,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,YAAY,KAAK,CAAA;AACxE,IAAA,IAAI,cAAgB,EAAA;AAClB,MAAO,OAAAC,6CAAA;AAAA,QACL,cAAe,CAAA,OAAA;AAAA,QACf,KAAA,CAAA;AAAA,QACA,cAAe,CAAA;AAAA,OACjB;AAAA;AAGF,IAAM,MAAA,IAAIF,2BAAoB,eAAe,CAAA;AAAA;AAC/C,EAEA,WAAA,CACE,aACA,IACqE,EAAA;AACrE,IAAA,MAAM,YAAY,WAAY,CAAA,SAAA;AAI9B,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,IAAA;AAAA;AAGT,IAAI,IAAA,SAAA,CAAU,SAAS,IAAM,EAAA;AAC3B,MAAO,OAAA,KAAA;AAAA;AAGT,IAAO,OAAA,IAAA;AAAA;AACT,EAEA,MAAM,kBAEJ,GAAA;AACA,IAAA,OAAOG,0CAAmC,EAAA;AAAA;AAC5C,EAEA,MAAM,wBAEJ,GAAA;AACA,IAAA,OAAOD,6CAAsC,CAAA,CAAA,OAAA,EAAU,IAAK,CAAA,QAAQ,CAAE,CAAA,CAAA;AAAA;AACxE,EAEA,MAAM,sBAAsB,OAGG,EAAA;AAC7B,IAAM,MAAA,EAAE,gBAAmB,GAAA,OAAA;AAC3B,IAAM,MAAA,eAAA,GAAkBE,sCAA+B,CAAA,OAAA,CAAQ,UAAU,CAAA;AACzE,IAAM,MAAA,EAAE,IAAK,EAAA,GAAI,eAAgB,CAAA,SAAA;AAOjC,IAAI,IAAA,IAAA,KAAS,MAAU,IAAA,IAAA,CAAK,wBAA0B,EAAA;AACpD,MAAO,OAAA,EAAE,OAAO,EAAG,EAAA;AAAA;AAKrB,IAAA,QAAQ,IAAM;AAAA;AAAA,MAEZ,KAAK,SAAA;AACH,QAAO,OAAA,IAAA,CAAK,mBAAmB,UAAW,CAAA;AAAA,UACxC,UAAU,IAAK,CAAA,QAAA;AAAA,UACf;AAAA,SACD,CAAA;AAAA,MACH,KAAK,MAAQ,EAAA;AACX,QAAM,MAAA,EAAE,OAAU,GAAA,eAAA;AAClB,QAAA,IAAI,CAAC,KAAO,EAAA;AACV,UAAM,MAAA,IAAI,MAAM,gDAAgD,CAAA;AAAA;AAElE,QAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,gBAAiB,CAAA,sBAAA;AAAA,UAC7C;AAAA,SACF;AACA,QAAO,OAAA,IAAA,CAAK,mBAAmB,UAAW,CAAA;AAAA,UACxC,UAAU,IAAK,CAAA,QAAA;AAAA,UACf,cAAA;AAAA,UACA,UAAY,EAAA;AAAA,YACV,kBAAkB,UAAW,CAAA,KAAA;AAAA,YAC7B,WAAW,UAAW,CAAA;AAAA;AACxB,SACD,CAAA;AAAA;AACH,MACA;AACE,QAAA,MAAM,IAAIJ,0BAAA;AAAA,UACR,uDAAuD,IAAI,CAAA,CAAA;AAAA,SAC7D;AAAA;AACJ;AACF,EAEA,MAAM,oBACJ,WAC6C,EAAA;AAC7C,IAAA,MAAM,EAAE,KAAA,EAAO,cAAe,EAAA,GAC5BI,uCAA+B,WAAW,CAAA;AAC5C,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAA,MAAM,IAAIJ,0BAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAO,OAAA,IAAA,CAAK,gBAAiB,CAAA,sBAAA,CAAuB,cAAc,CAAA;AAAA;AACpE,EAEA,MAAM,qBAAyD,GAAA;AAC7D,IAAA,MAAM,EAAE,IAAK,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAC5C,EAEA,kBAAkB,KAAe,EAAA;AAC/B,IAAA,MAAM,EAAE,GAAA,EAAQ,GAAAK,cAAA,CAAU,KAAK,CAAA;AAC/B,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIL,2BAAoB,kCAAkC,CAAA;AAAA;AAElE,IAAO,OAAA,IAAI,IAAK,CAAA,GAAA,GAAM,GAAI,CAAA;AAAA;AAE9B;;;;"}
+{"version":3,"file":"DefaultAuthService.cjs.js","sources":["../../../src/entrypoints/auth/DefaultAuthService.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstagePrincipalTypes,\n  BackstageServicePrincipal,\n  BackstageUserPrincipal,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError } from '@backstage/errors';\nimport { JsonObject } from '@backstage/types';\nimport { decodeJwt } from 'jose';\nimport { ExternalTokenHandler } from './external/ExternalTokenHandler';\nimport {\n  createCredentialsWithNonePrincipal,\n  createCredentialsWithServicePrincipal,\n  createCredentialsWithUserPrincipal,\n  toInternalBackstageCredentials,\n} from './helpers';\nimport { PluginTokenHandler } from './plugin/PluginTokenHandler';\nimport { PluginKeySource } from './plugin/keys/types';\nimport { UserTokenHandler } from './user/UserTokenHandler';\n\n/** @internal */\nexport class DefaultAuthService implements AuthService {\n  constructor(\n    private readonly userTokenHandler: UserTokenHandler,\n    private readonly pluginTokenHandler: PluginTokenHandler,\n    private readonly externalTokenHandler: ExternalTokenHandler,\n    private readonly pluginId: string,\n    private readonly disableDefaultAuthPolicy: boolean,\n    private readonly pluginKeySource: PluginKeySource,\n  ) {}\n\n  async authenticate(\n    token: string,\n    options?: {\n      allowLimitedAccess?: boolean;\n    },\n  ): Promise<BackstageCredentials> {\n    const pluginResult = await this.pluginTokenHandler.verifyToken(token);\n    if (pluginResult) {\n      if (pluginResult.limitedUserToken) {\n        const userResult = await this.userTokenHandler.verifyToken(\n          pluginResult.limitedUserToken,\n        );\n        if (!userResult) {\n          throw new AuthenticationError(\n            'Invalid user token in plugin token obo claim',\n          );\n        }\n        return createCredentialsWithUserPrincipal(\n          userResult.userEntityRef,\n          pluginResult.limitedUserToken,\n          this.#getJwtExpiration(pluginResult.limitedUserToken),\n          pluginResult.subject,\n        );\n      }\n      return createCredentialsWithServicePrincipal(pluginResult.subject);\n    }\n\n    const userResult = await this.userTokenHandler.verifyToken(token);\n    if (userResult) {\n      if (\n        !options?.allowLimitedAccess &&\n        this.userTokenHandler.isLimitedUserToken(token)\n      ) {\n        throw new AuthenticationError('Illegal limited user token');\n      }\n\n      return createCredentialsWithUserPrincipal(\n        userResult.userEntityRef,\n        token,\n        this.#getJwtExpiration(token),\n      );\n    }\n\n    const externalResult = await this.externalTokenHandler.verifyToken(token);\n    if (externalResult) {\n      return createCredentialsWithServicePrincipal(\n        externalResult.subject,\n        undefined,\n        externalResult.accessRestrictions,\n      );\n    }\n\n    throw new AuthenticationError('Illegal token');\n  }\n\n  isPrincipal<TType extends keyof BackstagePrincipalTypes>(\n    credentials: BackstageCredentials,\n    type: TType,\n  ): credentials is BackstageCredentials<BackstagePrincipalTypes[TType]> {\n    const principal = credentials.principal as\n      | BackstageUserPrincipal\n      | BackstageServicePrincipal;\n\n    if (type === 'unknown') {\n      return true;\n    }\n\n    if (principal.type !== type) {\n      return false;\n    }\n\n    return true;\n  }\n\n  async getNoneCredentials(): Promise<\n    BackstageCredentials<BackstageNonePrincipal>\n  > {\n    return createCredentialsWithNonePrincipal();\n  }\n\n  async getOwnServiceCredentials(): Promise<\n    BackstageCredentials<BackstageServicePrincipal>\n  > {\n    return createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);\n  }\n\n  async getPluginRequestToken(options: {\n    onBehalfOf: BackstageCredentials;\n    targetPluginId: string;\n  }): Promise<{ token: string }> {\n    const { targetPluginId } = options;\n    const internalForward = toInternalBackstageCredentials(options.onBehalfOf);\n    const { type } = internalForward.principal;\n\n    // Since disabling the default policy means we'll be allowing\n    // unauthenticated requests through, we might have unauthenticated\n    // credentials from service calls that reach this point. If that's the case,\n    // we'll want to keep \"forwarding\" the unauthenticated credentials, which we\n    // do by returning an empty token.\n    if (type === 'none' && this.disableDefaultAuthPolicy) {\n      return { token: '' };\n    }\n\n    // check whether a plugin support the new auth system\n    // by checking the public keys endpoint existance.\n    switch (type) {\n      // TODO: Check whether the principal is ourselves\n      case 'service':\n        return this.pluginTokenHandler.issueToken({\n          pluginId: this.pluginId,\n          targetPluginId,\n        });\n      case 'user': {\n        const { token } = internalForward;\n        if (!token) {\n          throw new Error('User credentials is unexpectedly missing token');\n        }\n        const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(\n          token,\n        );\n        return this.pluginTokenHandler.issueToken({\n          pluginId: this.pluginId,\n          targetPluginId,\n          onBehalfOf: {\n            limitedUserToken: onBehalfOf.token,\n            expiresAt: onBehalfOf.expiresAt,\n          },\n        });\n      }\n      default:\n        throw new AuthenticationError(\n          `Refused to issue service token for credential type '${type}'`,\n        );\n    }\n  }\n\n  async getLimitedUserToken(\n    credentials: BackstageCredentials<BackstageUserPrincipal>,\n  ): Promise<{ token: string; expiresAt: Date }> {\n    const { token: backstageToken } =\n      toInternalBackstageCredentials(credentials);\n    if (!backstageToken) {\n      throw new AuthenticationError(\n        'User credentials is unexpectedly missing token',\n      );\n    }\n\n    return this.userTokenHandler.createLimitedUserToken(backstageToken);\n  }\n\n  async listPublicServiceKeys(): Promise<{ keys: JsonObject[] }> {\n    const { keys } = await this.pluginKeySource.listKeys();\n    return { keys: keys.map(({ key }) => key) };\n  }\n\n  #getJwtExpiration(token: string) {\n    const { exp } = decodeJwt(token);\n    if (!exp) {\n      throw new AuthenticationError('User token is missing expiration');\n    }\n    return new Date(exp * 1000);\n  }\n}\n"],"names":["userResult","AuthenticationError","createCredentialsWithUserPrincipal","createCredentialsWithServicePrincipal","createCredentialsWithNonePrincipal","toInternalBackstageCredentials","decodeJwt"],"mappings":";;;;;;AAuCO,MAAM,kBAA0C,CAAA;AAAA,EACrD,YACmB,gBACA,EAAA,kBAAA,EACA,oBACA,EAAA,QAAA,EACA,0BACA,eACjB,EAAA;AANiB,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,oBAAA,GAAA,oBAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,wBAAA,GAAA,wBAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AAAA;AAChB,EAEH,MAAM,YACJ,CAAA,KAAA,EACA,OAG+B,EAAA;AAC/B,IAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,YAAY,KAAK,CAAA;AACpE,IAAA,IAAI,YAAc,EAAA;AAChB,MAAA,IAAI,aAAa,gBAAkB,EAAA;AACjC,QAAMA,MAAAA,WAAAA,GAAa,MAAM,IAAA,CAAK,gBAAiB,CAAA,WAAA;AAAA,UAC7C,YAAa,CAAA;AAAA,SACf;AACA,QAAA,IAAI,CAACA,WAAY,EAAA;AACf,UAAA,MAAM,IAAIC,0BAAA;AAAA,YACR;AAAA,WACF;AAAA;AAEF,QAAO,OAAAC,0CAAA;AAAA,UACLF,WAAW,CAAA,aAAA;AAAA,UACX,YAAa,CAAA,gBAAA;AAAA,UACb,IAAA,CAAK,iBAAkB,CAAA,YAAA,CAAa,gBAAgB,CAAA;AAAA,UACpD,YAAa,CAAA;AAAA,SACf;AAAA;AAEF,MAAO,OAAAG,6CAAA,CAAsC,aAAa,OAAO,CAAA;AAAA;AAGnE,IAAA,MAAM,UAAa,GAAA,MAAM,IAAK,CAAA,gBAAA,CAAiB,YAAY,KAAK,CAAA;AAChE,IAAA,IAAI,UAAY,EAAA;AACd,MAAA,IACE,CAAC,OAAS,EAAA,kBAAA,IACV,KAAK,gBAAiB,CAAA,kBAAA,CAAmB,KAAK,CAC9C,EAAA;AACA,QAAM,MAAA,IAAIF,2BAAoB,4BAA4B,CAAA;AAAA;AAG5D,MAAO,OAAAC,0CAAA;AAAA,QACL,UAAW,CAAA,aAAA;AAAA,QACX,KAAA;AAAA,QACA,IAAA,CAAK,kBAAkB,KAAK;AAAA,OAC9B;AAAA;AAGF,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,YAAY,KAAK,CAAA;AACxE,IAAA,IAAI,cAAgB,EAAA;AAClB,MAAO,OAAAC,6CAAA;AAAA,QACL,cAAe,CAAA,OAAA;AAAA,QACf,KAAA,CAAA;AAAA,QACA,cAAe,CAAA;AAAA,OACjB;AAAA;AAGF,IAAM,MAAA,IAAIF,2BAAoB,eAAe,CAAA;AAAA;AAC/C,EAEA,WAAA,CACE,aACA,IACqE,EAAA;AACrE,IAAA,MAAM,YAAY,WAAY,CAAA,SAAA;AAI9B,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,IAAA;AAAA;AAGT,IAAI,IAAA,SAAA,CAAU,SAAS,IAAM,EAAA;AAC3B,MAAO,OAAA,KAAA;AAAA;AAGT,IAAO,OAAA,IAAA;AAAA;AACT,EAEA,MAAM,kBAEJ,GAAA;AACA,IAAA,OAAOG,0CAAmC,EAAA;AAAA;AAC5C,EAEA,MAAM,wBAEJ,GAAA;AACA,IAAA,OAAOD,6CAAsC,CAAA,CAAA,OAAA,EAAU,IAAK,CAAA,QAAQ,CAAE,CAAA,CAAA;AAAA;AACxE,EAEA,MAAM,sBAAsB,OAGG,EAAA;AAC7B,IAAM,MAAA,EAAE,gBAAmB,GAAA,OAAA;AAC3B,IAAM,MAAA,eAAA,GAAkBE,sCAA+B,CAAA,OAAA,CAAQ,UAAU,CAAA;AACzE,IAAM,MAAA,EAAE,IAAK,EAAA,GAAI,eAAgB,CAAA,SAAA;AAOjC,IAAI,IAAA,IAAA,KAAS,MAAU,IAAA,IAAA,CAAK,wBAA0B,EAAA;AACpD,MAAO,OAAA,EAAE,OAAO,EAAG,EAAA;AAAA;AAKrB,IAAA,QAAQ,IAAM;AAAA;AAAA,MAEZ,KAAK,SAAA;AACH,QAAO,OAAA,IAAA,CAAK,mBAAmB,UAAW,CAAA;AAAA,UACxC,UAAU,IAAK,CAAA,QAAA;AAAA,UACf;AAAA,SACD,CAAA;AAAA,MACH,KAAK,MAAQ,EAAA;AACX,QAAM,MAAA,EAAE,OAAU,GAAA,eAAA;AAClB,QAAA,IAAI,CAAC,KAAO,EAAA;AACV,UAAM,MAAA,IAAI,MAAM,gDAAgD,CAAA;AAAA;AAElE,QAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,gBAAiB,CAAA,sBAAA;AAAA,UAC7C;AAAA,SACF;AACA,QAAO,OAAA,IAAA,CAAK,mBAAmB,UAAW,CAAA;AAAA,UACxC,UAAU,IAAK,CAAA,QAAA;AAAA,UACf,cAAA;AAAA,UACA,UAAY,EAAA;AAAA,YACV,kBAAkB,UAAW,CAAA,KAAA;AAAA,YAC7B,WAAW,UAAW,CAAA;AAAA;AACxB,SACD,CAAA;AAAA;AACH,MACA;AACE,QAAA,MAAM,IAAIJ,0BAAA;AAAA,UACR,uDAAuD,IAAI,CAAA,CAAA;AAAA,SAC7D;AAAA;AACJ;AACF,EAEA,MAAM,oBACJ,WAC6C,EAAA;AAC7C,IAAA,MAAM,EAAE,KAAA,EAAO,cAAe,EAAA,GAC5BI,uCAA+B,WAAW,CAAA;AAC5C,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAA,MAAM,IAAIJ,0BAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAO,OAAA,IAAA,CAAK,gBAAiB,CAAA,sBAAA,CAAuB,cAAc,CAAA;AAAA;AACpE,EAEA,MAAM,qBAAyD,GAAA;AAC7D,IAAA,MAAM,EAAE,IAAK,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAC5C,EAEA,kBAAkB,KAAe,EAAA;AAC/B,IAAA,MAAM,EAAE,GAAA,EAAQ,GAAAK,cAAA,CAAU,KAAK,CAAA;AAC/B,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIL,2BAAoB,kCAAkC,CAAA;AAAA;AAElE,IAAO,OAAA,IAAI,IAAK,CAAA,GAAA,GAAM,GAAI,CAAA;AAAA;AAE9B;;;;"}

package/dist/entrypoints/auth/helpers.cjs.js

@@ -19,7 +19,7 @@ function createCredentialsWithServicePrincipal(sub, token, accessRestrictions) {
     }
   );
 }
-function createCredentialsWithUserPrincipal(sub, token, expiresAt) {
+function createCredentialsWithUserPrincipal(sub, token, expiresAt, actor) {
   return Object.defineProperty(
     {
       $$type: "@backstage/BackstageCredentials",
@@ -27,7 +27,10 @@ function createCredentialsWithUserPrincipal(sub, token, expiresAt) {
       expiresAt,
       principal: {
         type: "user",
-        userEntityRef: sub
+        userEntityRef: sub,
+        ...actor && {
+          actor: { type: "service", subject: actor }
+        }
       }
     },
     "token",

package/dist/entrypoints/auth/helpers.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.cjs.js","sources":["../../../src/entrypoints/auth/helpers.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstagePrincipalAccessRestrictions,\n  BackstageServicePrincipal,\n  BackstageUserPrincipal,\n} from '@backstage/backend-plugin-api';\nimport { InternalBackstageCredentials } from './types';\n\nexport function createCredentialsWithServicePrincipal(\n  sub: string,\n  token?: string,\n  accessRestrictions?: BackstagePrincipalAccessRestrictions,\n): InternalBackstageCredentials<BackstageServicePrincipal> {\n  return Object.defineProperty(\n    {\n      $$type: '@backstage/BackstageCredentials',\n      version: 'v1',\n      principal: {\n        type: 'service',\n        subject: sub,\n        accessRestrictions,\n      },\n    },\n    'token',\n    {\n      enumerable: false,\n      configurable: true,\n      value: token,\n    },\n  );\n}\n\nexport function createCredentialsWithUserPrincipal(\n  sub: string,\n  token: string,\n  expiresAt?: Date,\n): InternalBackstageCredentials<BackstageUserPrincipal> {\n  return Object.defineProperty(\n    {\n      $$type: '@backstage/BackstageCredentials',\n      version: 'v1',\n      expiresAt,\n      principal: {\n        type: 'user',\n        userEntityRef: sub,\n      },\n    },\n    'token',\n    {\n      enumerable: false,\n      configurable: true,\n      value: token,\n    },\n  );\n}\n\nexport function createCredentialsWithNonePrincipal(): InternalBackstageCredentials<BackstageNonePrincipal> {\n  return {\n    $$type: '@backstage/BackstageCredentials',\n    version: 'v1',\n    principal: {\n      type: 'none',\n    },\n  };\n}\n\nexport function toInternalBackstageCredentials(\n  credentials: BackstageCredentials,\n): InternalBackstageCredentials<\n  BackstageUserPrincipal | BackstageServicePrincipal | BackstageNonePrincipal\n> {\n  if (credentials.$$type !== '@backstage/BackstageCredentials') {\n    throw new Error('Invalid credential type');\n  }\n\n  const internalCredentials = credentials as InternalBackstageCredentials<\n    BackstageUserPrincipal | BackstageServicePrincipal | BackstageNonePrincipal\n  >;\n\n  if (internalCredentials.version !== 'v1') {\n    throw new Error(\n      `Invalid credential version ${internalCredentials.version}`,\n    );\n  }\n\n  return internalCredentials;\n}\n"],"names":[],"mappings":";;AAyBgB,SAAA,qCAAA,CACd,GACA,EAAA,KAAA,EACA,kBACyD,EAAA;AACzD,EAAA,OAAO,MAAO,CAAA,cAAA;AAAA,IACZ;AAAA,MACE,MAAQ,EAAA,iCAAA;AAAA,MACR,OAAS,EAAA,IAAA;AAAA,MACT,SAAW,EAAA;AAAA,QACT,IAAM,EAAA,SAAA;AAAA,QACN,OAAS,EAAA,GAAA;AAAA,QACT;AAAA;AACF,KACF;AAAA,IACA,OAAA;AAAA,IACA;AAAA,MACE,UAAY,EAAA,KAAA;AAAA,MACZ,YAAc,EAAA,IAAA;AAAA,MACd,KAAO,EAAA;AAAA;AACT,GACF;AACF;AAEgB,SAAA,kCAAA,CACd,GACA,EAAA,KAAA,EACA,SACsD,EAAA;AACtD,EAAA,OAAO,MAAO,CAAA,cAAA;AAAA,IACZ;AAAA,MACE,MAAQ,EAAA,iCAAA;AAAA,MACR,OAAS,EAAA,IAAA;AAAA,MACT,SAAA;AAAA,MACA,SAAW,EAAA;AAAA,QACT,IAAM,EAAA,MAAA;AAAA,QACN,aAAe,EAAA;AAAA;AACjB,KACF;AAAA,IACA,OAAA;AAAA,IACA;AAAA,MACE,UAAY,EAAA,KAAA;AAAA,MACZ,YAAc,EAAA,IAAA;AAAA,MACd,KAAO,EAAA;AAAA;AACT,GACF;AACF;AAEO,SAAS,kCAA2F,GAAA;AACzG,EAAO,OAAA;AAAA,IACL,MAAQ,EAAA,iCAAA;AAAA,IACR,OAAS,EAAA,IAAA;AAAA,IACT,SAAW,EAAA;AAAA,MACT,IAAM,EAAA;AAAA;AACR,GACF;AACF;AAEO,SAAS,+BACd,WAGA,EAAA;AACA,EAAI,IAAA,WAAA,CAAY,WAAW,iCAAmC,EAAA;AAC5D,IAAM,MAAA,IAAI,MAAM,yBAAyB,CAAA;AAAA;AAG3C,EAAA,MAAM,mBAAsB,GAAA,WAAA;AAI5B,EAAI,IAAA,mBAAA,CAAoB,YAAY,IAAM,EAAA;AACxC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,2BAAA,EAA8B,oBAAoB,OAAO,CAAA;AAAA,KAC3D;AAAA;AAGF,EAAO,OAAA,mBAAA;AACT;;;;;;;"}
+{"version":3,"file":"helpers.cjs.js","sources":["../../../src/entrypoints/auth/helpers.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstagePrincipalAccessRestrictions,\n  BackstageServicePrincipal,\n  BackstageUserPrincipal,\n} from '@backstage/backend-plugin-api';\nimport { InternalBackstageCredentials } from './types';\n\nexport function createCredentialsWithServicePrincipal(\n  sub: string,\n  token?: string,\n  accessRestrictions?: BackstagePrincipalAccessRestrictions,\n): InternalBackstageCredentials<BackstageServicePrincipal> {\n  return Object.defineProperty(\n    {\n      $$type: '@backstage/BackstageCredentials',\n      version: 'v1',\n      principal: {\n        type: 'service',\n        subject: sub,\n        accessRestrictions,\n      },\n    },\n    'token',\n    {\n      enumerable: false,\n      configurable: true,\n      value: token,\n    },\n  );\n}\n\nexport function createCredentialsWithUserPrincipal(\n  sub: string,\n  token: string,\n  expiresAt?: Date,\n  actor?: string,\n): InternalBackstageCredentials<BackstageUserPrincipal> {\n  return Object.defineProperty(\n    {\n      $$type: '@backstage/BackstageCredentials',\n      version: 'v1',\n      expiresAt,\n      principal: {\n        type: 'user',\n        userEntityRef: sub,\n        ...(actor && {\n          actor: { type: 'service', subject: actor },\n        }),\n      },\n    },\n    'token',\n    {\n      enumerable: false,\n      configurable: true,\n      value: token,\n    },\n  );\n}\n\nexport function createCredentialsWithNonePrincipal(): InternalBackstageCredentials<BackstageNonePrincipal> {\n  return {\n    $$type: '@backstage/BackstageCredentials',\n    version: 'v1',\n    principal: {\n      type: 'none',\n    },\n  };\n}\n\nexport function toInternalBackstageCredentials(\n  credentials: BackstageCredentials,\n): InternalBackstageCredentials<\n  BackstageUserPrincipal | BackstageServicePrincipal | BackstageNonePrincipal\n> {\n  if (credentials.$$type !== '@backstage/BackstageCredentials') {\n    throw new Error('Invalid credential type');\n  }\n\n  const internalCredentials = credentials as InternalBackstageCredentials<\n    BackstageUserPrincipal | BackstageServicePrincipal | BackstageNonePrincipal\n  >;\n\n  if (internalCredentials.version !== 'v1') {\n    throw new Error(\n      `Invalid credential version ${internalCredentials.version}`,\n    );\n  }\n\n  return internalCredentials;\n}\n"],"names":[],"mappings":";;AAyBgB,SAAA,qCAAA,CACd,GACA,EAAA,KAAA,EACA,kBACyD,EAAA;AACzD,EAAA,OAAO,MAAO,CAAA,cAAA;AAAA,IACZ;AAAA,MACE,MAAQ,EAAA,iCAAA;AAAA,MACR,OAAS,EAAA,IAAA;AAAA,MACT,SAAW,EAAA;AAAA,QACT,IAAM,EAAA,SAAA;AAAA,QACN,OAAS,EAAA,GAAA;AAAA,QACT;AAAA;AACF,KACF;AAAA,IACA,OAAA;AAAA,IACA;AAAA,MACE,UAAY,EAAA,KAAA;AAAA,MACZ,YAAc,EAAA,IAAA;AAAA,MACd,KAAO,EAAA;AAAA;AACT,GACF;AACF;AAEO,SAAS,kCACd,CAAA,GAAA,EACA,KACA,EAAA,SAAA,EACA,KACsD,EAAA;AACtD,EAAA,OAAO,MAAO,CAAA,cAAA;AAAA,IACZ;AAAA,MACE,MAAQ,EAAA,iCAAA;AAAA,MACR,OAAS,EAAA,IAAA;AAAA,MACT,SAAA;AAAA,MACA,SAAW,EAAA;AAAA,QACT,IAAM,EAAA,MAAA;AAAA,QACN,aAAe,EAAA,GAAA;AAAA,QACf,GAAI,KAAS,IAAA;AAAA,UACX,KAAO,EAAA,EAAE,IAAM,EAAA,SAAA,EAAW,SAAS,KAAM;AAAA;AAC3C;AACF,KACF;AAAA,IACA,OAAA;AAAA,IACA;AAAA,MACE,UAAY,EAAA,KAAA;AAAA,MACZ,YAAc,EAAA,IAAA;AAAA,MACd,KAAO,EAAA;AAAA;AACT,GACF;AACF;AAEO,SAAS,kCAA2F,GAAA;AACzG,EAAO,OAAA;AAAA,IACL,MAAQ,EAAA,iCAAA;AAAA,IACR,OAAS,EAAA,IAAA;AAAA,IACT,SAAW,EAAA;AAAA,MACT,IAAM,EAAA;AAAA;AACR,GACF;AACF;AAEO,SAAS,+BACd,WAGA,EAAA;AACA,EAAI,IAAA,WAAA,CAAY,WAAW,iCAAmC,EAAA;AAC5D,IAAM,MAAA,IAAI,MAAM,yBAAyB,CAAA;AAAA;AAG3C,EAAA,MAAM,mBAAsB,GAAA,WAAA;AAI5B,EAAI,IAAA,mBAAA,CAAoB,YAAY,IAAM,EAAA;AACxC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,2BAAA,EAA8B,oBAAoB,OAAO,CAAA;AAAA,KAC3D;AAAA;AAGF,EAAO,OAAA,mBAAA;AACT;;;;;;;"}