npm - @backstage/integration - Versions diffs - 1.4.5 → 1.5.0 - Mend

@backstage/integration 1.4.5 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,44 @@
 # @backstage/integration
+## 1.5.0
+### Minor Changes
+- a316d226c780: Add credential provider for GitLab.
+- c7f848bcea3c: Support authentication with a service principal or managed identity for Azure DevOps
+  Azure DevOps recently released support, in public preview, for authenticating with a service principal or managed identity instead of a personal access token (PAT): https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/. With this change the Azure integration now supports service principals and managed identities for Azure AD backed Azure DevOps organizations. Service principal and managed identity authentication is not supported on Azure DevOps Server (on-premises) organizations.
+### Patch Changes
+- 3c83550fdb62: Renamed ClientSecret to AzureClientSecretCredential and ManagedIdentity to AzureManagedIdentityCredential
+- df8411779da1: Add support for Repository Variables and Secrets to the `publish:github` and `github:repo:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository `Secrets` and `Variables`
+  Upgrade octokit introduces some breaking changes.
+- Updated dependencies
+  - @backstage/errors@1.2.0
+  - @backstage/config@1.0.8
+## 1.5.0-next.0
+### Minor Changes
+- a316d226c780: Add credential provider for GitLab.
+- c7f848bcea3c: Support authentication with a service principal or managed identity for Azure DevOps
+  Azure DevOps recently released support, in public preview, for authenticating with a service principal or managed identity instead of a personal access token (PAT): https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/. With this change the Azure integration now supports service principals and managed identities for Azure AD backed Azure DevOps organizations. Service principal and managed identity authentication is not supported on Azure DevOps Server (on-premises) organizations.
+### Patch Changes
+- df8411779da1: Add support for Repository Variables and Secrets to the `publish:github` and `github:repo:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository `Secrets` and `Variables`
+  Upgrade octokit introduces some breaking changes.
+- Updated dependencies
+  - @backstage/errors@1.2.0-next.0
+  - @backstage/config@1.0.7
 ## 1.4.5
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -4,6 +4,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var parseGitUrl = require('git-url-parse');
 var lodash = require('lodash');
+var identity = require('@azure/identity');
 var fetch = require('cross-fetch');
 var authApp = require('@octokit/auth-app');
 var rest = require('@octokit/rest');
@@ -343,16 +344,43 @@ _ref = new WeakMap();
 _baseUrl = new WeakMap();
 const AZURE_HOST = "dev.azure.com";
+const isAzureClientSecretCredential = (credential) => {
+  const clientSecretCredential = credential;
+  return Object.keys(credential).length === 3 && clientSecretCredential.clientId !== void 0 && clientSecretCredential.clientSecret !== void 0 && clientSecretCredential.tenantId !== void 0;
+};
+const isAzureManagedIdentityCredential = (credential) => {
+  return Object.keys(credential).length === 1 && credential.clientId !== void 0;
+};
 function readAzureIntegrationConfig(config) {
   var _a;
   const host = (_a = config.getOptionalString("host")) != null ? _a : AZURE_HOST;
   const token = config.getOptionalString("token");
+  const credential = config.getOptional("credential") ? {
+    tenantId: config.getOptionalString("credential.tenantId"),
+    clientId: config.getOptionalString("credential.clientId"),
+    clientSecret: config.getOptionalString("credential.clientSecret")
+  } : void 0;
   if (!isValidHost(host)) {
     throw new Error(
       `Invalid Azure integration config, '${host}' is not a valid host`
     );
   }
-  return { host, token };
+  if (credential && !isAzureClientSecretCredential(credential) && !isAzureManagedIdentityCredential(credential)) {
+    throw new Error(
+      `Invalid Azure integration config, credential is not valid`
+    );
+  }
+  if (credential && host !== AZURE_HOST) {
+    throw new Error(
+      `Invalid Azure integration config, credential can only be used with ${AZURE_HOST}`
+    );
+  }
+  if (credential && token) {
+    throw new Error(
+      `Invalid Azure integration config, specify either a token or a credential but not both`
+    );
+  }
+  return { host, token, credential };
 }
 function readAzureIntegrationConfigs(configs) {
   const result = configs.map(readAzureIntegrationConfig);
@@ -428,9 +456,27 @@ function getAzureDownloadUrl(url) {
 function getAzureCommitsUrl(url) {
   return AzureUrl.fromRepoUrl(url).toCommitsUrl();
 }
-function getAzureRequestOptions(config, additionalHeaders) {
+async function getAzureRequestOptions(config, additionalHeaders) {
+  const azureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";
   const headers = additionalHeaders ? { ...additionalHeaders } : {};
-  if (config.token) {
+  const { token, credential } = config;
+  if (credential) {
+    if (isAzureClientSecretCredential(credential)) {
+      const servicePrincipal = new identity.ClientSecretCredential(
+        credential.tenantId,
+        credential.clientId,
+        credential.clientSecret
+      );
+      const accessToken = await servicePrincipal.getToken(azureDevOpsScope);
+      headers.Authorization = `Bearer ${accessToken.token}`;
+    } else if (isAzureManagedIdentityCredential(credential)) {
+      const managedIdentity = new identity.ManagedIdentityCredential(
+        credential.clientId
+      );
+      const accessToken = await managedIdentity.getToken(azureDevOpsScope);
+      headers.Authorization = `Bearer ${accessToken.token}`;
+    }
+  } else if (token) {
     const buffer = Buffer.from(`:${config.token}`, "utf8");
     headers.Authorization = `Basic ${buffer.toString("base64")}`;
   }
@@ -1313,8 +1359,8 @@ class GithubAppManager {
     const allInstallations = await this.getInstallations();
     const installation = allInstallations.find(
       (inst) => {
-        var _a, _b;
-        return ((_b = (_a = inst.account) == null ? void 0 : _a.login) == null ? void 0 : _b.toLocaleLowerCase("en-US")) === owner.toLocaleLowerCase("en-US");
+        var _a;
+        return inst.account && "login" in inst.account && ((_a = inst.account.login) == null ? void 0 : _a.toLocaleLowerCase("en-US")) === owner.toLocaleLowerCase("en-US");
       }
     );
     if (installation) {
@@ -1675,6 +1721,51 @@ function replaceGitLabUrlType(url, type) {
   return url.replace(/\/\-\/(blob|tree|edit)\//, `/-/${type}/`);
 }
+const _SingleInstanceGitlabCredentialsProvider = class {
+  constructor(token) {
+    this.token = token;
+  }
+  async getCredentials(_opts) {
+    if (!this.token) {
+      return {};
+    }
+    return {
+      headers: {
+        Authorization: `Bearer ${this.token}`
+      },
+      token: this.token
+    };
+  }
+};
+let SingleInstanceGitlabCredentialsProvider = _SingleInstanceGitlabCredentialsProvider;
+SingleInstanceGitlabCredentialsProvider.create = (config) => {
+  return new _SingleInstanceGitlabCredentialsProvider(config.token);
+};
+class DefaultGitlabCredentialsProvider {
+  constructor(providers) {
+    this.providers = providers;
+  }
+  static fromIntegrations(integrations) {
+    const credentialsProviders = /* @__PURE__ */ new Map();
+    integrations.gitlab.list().forEach((integration) => {
+      const credentialsProvider = SingleInstanceGitlabCredentialsProvider.create(integration.config);
+      credentialsProviders.set(integration.config.host, credentialsProvider);
+    });
+    return new DefaultGitlabCredentialsProvider(credentialsProviders);
+  }
+  async getCredentials(opts) {
+    const parsed = new URL(opts.url);
+    const provider = this.providers.get(parsed.host);
+    if (!provider) {
+      throw new Error(
+        `There is no GitLab integration that matches ${opts.url}. Please add a configuration for an integration.`
+      );
+    }
+    return provider.getCredentials(opts);
+  }
+}
 function readGoogleGcsIntegrationConfig(config) {
   if (!config) {
     return {};
@@ -1776,6 +1867,7 @@ exports.BitbucketCloudIntegration = BitbucketCloudIntegration;
 exports.BitbucketIntegration = BitbucketIntegration;
 exports.BitbucketServerIntegration = BitbucketServerIntegration;
 exports.DefaultGithubCredentialsProvider = DefaultGithubCredentialsProvider;
+exports.DefaultGitlabCredentialsProvider = DefaultGitlabCredentialsProvider;
 exports.GerritIntegration = GerritIntegration;
 exports.GitHubIntegration = GitHubIntegration;
 exports.GitLabIntegration = GitLabIntegration;