@backstage/integration 1.6.0 → 1.7.0-next.0

package/dist/index.esm.js

@@ -1,6 +1,6 @@
 import parseGitUrl from 'git-url-parse';
 import { trimEnd, trimStart } from 'lodash';
-import { ClientSecretCredential, ManagedIdentityCredential } from '@azure/identity';
+import { ManagedIdentityCredential, ClientSecretCredential, DefaultAzureCredential } from '@azure/identity';
 import fetch from 'cross-fetch';
 import { createAppAuth } from '@octokit/auth-app';
 import { Octokit } from '@octokit/rest';
@@ -112,10 +112,10 @@ function readAwsS3IntegrationConfigs(configs) {
   return result;
 }
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const _AwsS3Integration = class _AwsS3Integration {
@@ -139,7 +139,7 @@ const _AwsS3Integration = class _AwsS3Integration {
     return url;
   }
 };
-__publicField$c(_AwsS3Integration, "factory", ({ config }) => {
+__publicField$d(_AwsS3Integration, "factory", ({ config }) => {
   var _a;
   const configs = readAwsS3IntegrationConfigs(
     (_a = config.getOptionalConfigArray("integrations.awsS3")) != null ? _a : []
@@ -341,43 +341,146 @@ _baseUrl = new WeakMap();
 let AzureUrl = _AzureUrl;
 
 const AZURE_HOST = "dev.azure.com";
-const isAzureClientSecretCredential = (credential) => {
-  const clientSecretCredential = credential;
-  return Object.keys(credential).length === 3 && clientSecretCredential.clientId !== void 0 && clientSecretCredential.clientSecret !== void 0 && clientSecretCredential.tenantId !== void 0;
-};
-const isAzureManagedIdentityCredential = (credential) => {
-  return Object.keys(credential).length === 1 && credential.clientId !== void 0;
-};
+const AzureDevOpsCredentialFields = [
+  "clientId",
+  "clientSecret",
+  "tenantId",
+  "personalAccessToken"
+];
+const AzureDevopsCredentialFieldMap = /* @__PURE__ */ new Map([
+  ["ClientSecret", ["clientId", "clientSecret", "tenantId"]],
+  ["ManagedIdentity", ["clientId"]],
+  ["PersonalAccessToken", ["personalAccessToken"]]
+]);
+function asAzureDevOpsCredential(credential) {
+  for (const entry of AzureDevopsCredentialFieldMap.entries()) {
+    const [kind, requiredFields] = entry;
+    const forbiddenFields = AzureDevOpsCredentialFields.filter(
+      (field) => !requiredFields.includes(field)
+    );
+    if (requiredFields.every((field) => credential[field] !== void 0) && forbiddenFields.every((field) => credential[field] === void 0)) {
+      return {
+        kind,
+        organizations: credential.organizations,
+        ...requiredFields.reduce((acc, field) => {
+          acc[field] = credential[field];
+          return acc;
+        }, {})
+      };
+    }
+  }
+  throw new Error("is not a valid credential");
+}
 function readAzureIntegrationConfig(config) {
-  var _a;
+  var _a, _b, _c, _d;
   const host = (_a = config.getOptionalString("host")) != null ? _a : AZURE_HOST;
+  let credentialConfigs = (_b = config.getOptionalConfigArray("credentials")) == null ? void 0 : _b.map((credential) => {
+    const result = {
+      organizations: credential.getOptionalStringArray("organizations"),
+      personalAccessToken: credential.getOptionalString(
+        "personalAccessToken"
+      ),
+      tenantId: credential.getOptionalString("tenantId"),
+      clientId: credential.getOptionalString("clientId"),
+      clientSecret: credential.getOptionalString("clientSecret")
+    };
+    return result;
+  });
   const token = config.getOptionalString("token");
-  const credential = config.getOptional("credential") ? {
-    tenantId: config.getOptionalString("credential.tenantId"),
-    clientId: config.getOptionalString("credential.clientId"),
-    clientSecret: config.getOptionalString("credential.clientSecret")
-  } : void 0;
-  if (!isValidHost(host)) {
+  if (config.getOptional("credential") !== void 0 && config.getOptional("credentials") !== void 0) {
     throw new Error(
-      `Invalid Azure integration config, '${host}' is not a valid host`
+      `Invalid Azure integration config, 'credential' and 'credentials' cannot be used together. Use 'credentials' instead.`
     );
   }
-  if (credential && !isAzureClientSecretCredential(credential) && !isAzureManagedIdentityCredential(credential)) {
+  if (config.getOptional("token") !== void 0 && config.getOptional("credentials") !== void 0) {
     throw new Error(
-      `Invalid Azure integration config, credential is not valid`
+      `Invalid Azure integration config, 'token' and 'credentials' cannot be used together. Use 'credentials' instead.`
     );
   }
-  if (credential && host !== AZURE_HOST) {
+  if (token !== void 0) {
+    const mapped = [{ personalAccessToken: token }];
+    credentialConfigs = (_c = credentialConfigs == null ? void 0 : credentialConfigs.concat(mapped)) != null ? _c : mapped;
+  }
+  if (config.getOptional("credential") !== void 0) {
+    const mapped = [
+      {
+        organizations: config.getOptionalStringArray(
+          "credential.organizations"
+        ),
+        token: config.getOptionalString("credential.token"),
+        tenantId: config.getOptionalString("credential.tenantId"),
+        clientId: config.getOptionalString("credential.clientId"),
+        clientSecret: config.getOptionalString("credential.clientSecret")
+      }
+    ];
+    credentialConfigs = (_d = credentialConfigs == null ? void 0 : credentialConfigs.concat(mapped)) != null ? _d : mapped;
+  }
+  if (!isValidHost(host)) {
     throw new Error(
-      `Invalid Azure integration config, credential can only be used with ${AZURE_HOST}`
+      `Invalid Azure integration config, '${host}' is not a valid host`
     );
   }
-  if (credential && token) {
-    throw new Error(
-      `Invalid Azure integration config, specify either a token or a credential but not both`
+  let credentials = void 0;
+  if (credentialConfigs !== void 0) {
+    const errors = credentialConfigs == null ? void 0 : credentialConfigs.reduce((acc, credentialConfig, index) => {
+      let error = void 0;
+      try {
+        asAzureDevOpsCredential(credentialConfig);
+      } catch (e) {
+        error = e.message;
+      }
+      if (error !== void 0) {
+        acc.push(`credential at position ${index + 1} ${error}`);
+      }
+      return acc;
+    }, Array.of()).concat(
+      Object.entries(
+        credentialConfigs.filter(
+          (credential) => credential.organizations !== void 0 && credential.organizations.length > 0
+        ).reduce((acc, credential, index) => {
+          var _a2;
+          (_a2 = credential.organizations) == null ? void 0 : _a2.forEach((organization) => {
+            if (!acc[organization]) {
+              acc[organization] = [];
+            }
+            acc[organization].push(index + 1);
+          });
+          return acc;
+        }, {})
+      ).filter(([_, indexes]) => indexes.length > 1).reduce((acc, [org, indexes]) => {
+        acc.push(
+          `organization ${org} is specified multiple times in credentials at positions ${indexes.slice(0, indexes.length - 1).join(", ")} and ${indexes[indexes.length - 1]}`
+        );
+        return acc;
+      }, Array.of())
+    );
+    if ((errors == null ? void 0 : errors.length) > 0) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}: ${errors.join("; ")}`
+      );
+    }
+    credentials = credentialConfigs.map(
+      (credentialConfig) => asAzureDevOpsCredential(credentialConfig)
     );
+    if (credentials.some(
+      (credential) => credential.kind !== "PersonalAccessToken"
+    ) && host !== AZURE_HOST) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}, only personal access tokens can be used with hosts other than ${AZURE_HOST}`
+      );
+    }
+    if (credentials.filter(
+      (credential) => credential.organizations === void 0 || credential.organizations.length === 0
+    ).length > 1) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}, you cannot specify multiple credentials without organizations`
+      );
+    }
   }
-  return { host, token, credential };
+  return {
+    host,
+    credentials
+  };
 }
 function readAzureIntegrationConfigs(configs) {
   const result = configs.map(readAzureIntegrationConfig);
@@ -387,10 +490,10 @@ function readAzureIntegrationConfigs(configs) {
   return result;
 }
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const _AzureIntegration = class _AzureIntegration {
@@ -438,7 +541,7 @@ const _AzureIntegration = class _AzureIntegration {
     return url;
   }
 };
-__publicField$b(_AzureIntegration, "factory", ({ config }) => {
+__publicField$c(_AzureIntegration, "factory", ({ config }) => {
   var _a;
   const configs = readAzureIntegrationConfigs(
     (_a = config.getOptionalConfigArray("integrations.azure")) != null ? _a : []
@@ -459,29 +562,171 @@ function getAzureDownloadUrl(url) {
 function getAzureCommitsUrl(url) {
   return AzureUrl.fromRepoUrl(url).toCommitsUrl();
 }
+
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+const tenMinutes = 1e3 * 60 * 10;
+class CachedAzureDevOpsCredentialsProvider {
+  constructor(credential) {
+    this.credential = credential;
+    __publicField$b(this, "azureDevOpsScope", "499b84ac-1321-427f-aa17-267ca6975798/.default");
+    __publicField$b(this, "cached");
+  }
+  static fromAzureDevOpsCredential(credential) {
+    switch (credential.kind) {
+      case "PersonalAccessToken":
+        return CachedAzureDevOpsCredentialsProvider.fromPersonalAccessTokenCredential(
+          credential
+        );
+      case "ClientSecret":
+        return CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+          new ClientSecretCredential(
+            credential.tenantId,
+            credential.clientId,
+            credential.clientSecret
+          )
+        );
+      case "ManagedIdentity":
+        return CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+          new ManagedIdentityCredential(credential.clientId)
+        );
+      default:
+        throw new Error(
+          `Credential kind '${credential.kind}' not supported`
+        );
+    }
+  }
+  static fromTokenCredential(credential) {
+    return new CachedAzureDevOpsCredentialsProvider(credential);
+  }
+  static fromPersonalAccessTokenCredential(credential) {
+    return new CachedAzureDevOpsCredentialsProvider(
+      credential.personalAccessToken
+    );
+  }
+  async getCredentials() {
+    if (this.cached === void 0 || this.cached.expiresAt !== void 0 && Date.now() > this.cached.expiresAt) {
+      if (typeof this.credential === "string") {
+        this.cached = {
+          headers: {
+            Authorization: `Basic ${btoa(`:${this.credential}`)}`
+          },
+          type: "pat",
+          token: this.credential
+        };
+      } else {
+        const accessToken = await this.credential.getToken(
+          this.azureDevOpsScope
+        );
+        if (!accessToken) {
+          throw new Error("Failed to retrieve access token");
+        }
+        this.cached = {
+          expiresAt: accessToken.expiresOnTimestamp - tenMinutes,
+          headers: {
+            Authorization: `Bearer ${accessToken.token}`
+          },
+          type: "bearer",
+          token: accessToken.token
+        };
+      }
+    }
+    return this.cached;
+  }
+}
+
+class DefaultAzureDevOpsCredentialsProvider {
+  constructor(providers) {
+    this.providers = providers;
+  }
+  static fromIntegrations(integrations) {
+    const providers = integrations.azure.list().reduce((acc, integration) => {
+      var _a;
+      (_a = integration.config.credentials) == null ? void 0 : _a.forEach((credential) => {
+        var _a2;
+        if (credential.organizations === void 0 || credential.organizations.length === 0) {
+          if (acc.get(integration.config.host) === void 0) {
+            acc.set(
+              integration.config.host,
+              CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+                credential
+              )
+            );
+          }
+        } else {
+          const provider = CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+            credential
+          );
+          (_a2 = credential.organizations) == null ? void 0 : _a2.forEach((organization) => {
+            acc.set(`${integration.config.host}/${organization}`, provider);
+          });
+        }
+      });
+      if (integration.config.host === "dev.azure.com" && acc.get(integration.config.host) === void 0) {
+        acc.set(
+          integration.config.host,
+          CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+            new DefaultAzureCredential()
+          )
+        );
+      }
+      return acc;
+    }, /* @__PURE__ */ new Map());
+    return new DefaultAzureDevOpsCredentialsProvider(providers);
+  }
+  forAzureDevOpsServerOrganization(url) {
+    const parts = url.pathname.split("/").filter((part) => part !== "");
+    if (url.host !== "dev.azure.com" && parts.length > 0) {
+      if (parts[0] !== "tfs") {
+        return this.providers.get(`${url.host}/${parts[0]}`);
+      } else if (parts[0] === "tfs" && parts.length > 1) {
+        return this.providers.get(`${url.host}/${parts[1]}`);
+      }
+    }
+    return void 0;
+  }
+  forAzureDevOpsOrganization(url) {
+    const parts = url.pathname.split("/").filter((part) => part !== "");
+    if (url.host === "dev.azure.com" && parts.length > 0) {
+      return this.providers.get(`${url.host}/${parts[0]}`);
+    }
+    return void 0;
+  }
+  forHost(url) {
+    return this.providers.get(url.host);
+  }
+  async getCredentials(opts) {
+    var _a, _b;
+    const url = new URL(opts.url);
+    const provider = (_b = (_a = this.forAzureDevOpsOrganization(url)) != null ? _a : this.forAzureDevOpsServerOrganization(url)) != null ? _b : this.forHost(url);
+    if (provider === void 0) {
+      return void 0;
+    }
+    return provider.getCredentials(opts);
+  }
+}
+
 async function getAzureRequestOptions(config, additionalHeaders) {
-  const azureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";
+  var _a;
   const headers = additionalHeaders ? { ...additionalHeaders } : {};
-  const { token, credential } = config;
-  if (credential) {
-    if (isAzureClientSecretCredential(credential)) {
-      const servicePrincipal = new ClientSecretCredential(
-        credential.tenantId,
-        credential.clientId,
-        credential.clientSecret
-      );
-      const accessToken = await servicePrincipal.getToken(azureDevOpsScope);
-      headers.Authorization = `Bearer ${accessToken.token}`;
-    } else if (isAzureManagedIdentityCredential(credential)) {
-      const managedIdentity = new ManagedIdentityCredential(
-        credential.clientId
-      );
-      const accessToken = await managedIdentity.getToken(azureDevOpsScope);
-      headers.Authorization = `Bearer ${accessToken.token}`;
-    }
-  } else if (token) {
-    const buffer = Buffer.from(`:${config.token}`, "utf8");
-    headers.Authorization = `Basic ${buffer.toString("base64")}`;
+  const credentialConfig = (_a = config.credentials) == null ? void 0 : _a.filter(
+    (credential) => credential.organizations === void 0 || credential.organizations.length === 0
+  )[0];
+  if (credentialConfig) {
+    const credentialsProvider = CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+      credentialConfig
+    );
+    const credentials = await credentialsProvider.getCredentials();
+    return {
+      headers: {
+        ...credentials == null ? void 0 : credentials.headers,
+        ...headers
+      }
+    };
   }
   return { headers };
 }
@@ -1029,9 +1274,12 @@ function getAuthenticationPrefix(config) {
 }
 function getGitilesAuthenticationUrl(config) {
   const parsedUrl = new URL(config.gitilesBaseUrl);
-  return `${parsedUrl.protocol}//${parsedUrl.host}${getAuthenticationPrefix(
-    config
-  )}${parsedUrl.pathname.substring(1)}`;
+  parsedUrl.pathname = parsedUrl.pathname.replace(/\/?$/, "");
+  parsedUrl.pathname = parsedUrl.pathname.replace(
+    /\/([^\/]*)$/,
+    `${getAuthenticationPrefix(config)}$1`
+  );
+  return parsedUrl.toString();
 }
 function getGerritBranchApiUrl(config, url) {
   const { branch, project } = parseGerritGitilesUrl(config, url);
@@ -1950,5 +2198,5 @@ class ScmIntegrations {
   }
 }
 
-export { AwsS3Integration, AzureIntegration, BitbucketCloudIntegration, BitbucketIntegration, BitbucketServerIntegration, DefaultGithubCredentialsProvider, DefaultGitlabCredentialsProvider, GerritIntegration, GitHubIntegration, GitLabIntegration, GiteaIntegration, GithubAppCredentialsMux, GithubIntegration, ScmIntegrations, SingleInstanceGithubCredentialsProvider, buildGerritGitilesArchiveUrl, defaultScmResolveUrl, getAzureCommitsUrl, getAzureDownloadUrl, getAzureFileFetchUrl, getAzureRequestOptions, getBitbucketCloudDefaultBranch, getBitbucketCloudDownloadUrl, getBitbucketCloudFileFetchUrl, getBitbucketCloudRequestOptions, getBitbucketDefaultBranch, getBitbucketDownloadUrl, getBitbucketFileFetchUrl, getBitbucketRequestOptions, getBitbucketServerDefaultBranch, getBitbucketServerDownloadUrl, getBitbucketServerFileFetchUrl, getBitbucketServerRequestOptions, getGerritBranchApiUrl, getGerritCloneRepoUrl, getGerritFileContentsApiUrl, getGerritProjectsApiUrl, getGerritRequestOptions, getGitHubFileFetchUrl, getGitHubRequestOptions, getGitLabFileFetchUrl, getGitLabIntegrationRelativePath, getGitLabRequestOptions, getGiteaFileContentsUrl, getGiteaRequestOptions, getGithubFileFetchUrl, parseGerritGitilesUrl, parseGerritJsonResponse, readAwsS3IntegrationConfig, readAwsS3IntegrationConfigs, readAzureIntegrationConfig, readAzureIntegrationConfigs, readBitbucketCloudIntegrationConfig, readBitbucketCloudIntegrationConfigs, readBitbucketIntegrationConfig, readBitbucketIntegrationConfigs, readBitbucketServerIntegrationConfig, readBitbucketServerIntegrationConfigs, readGerritIntegrationConfig, readGerritIntegrationConfigs, readGitHubIntegrationConfig, readGitHubIntegrationConfigs, readGitLabIntegrationConfig, readGitLabIntegrationConfigs, readGiteaConfig, readGithubIntegrationConfig, readGithubIntegrationConfigs, readGoogleGcsIntegrationConfig, replaceGitHubUrlType, replaceGitLabUrlType, replaceGithubUrlType };
+export { AwsS3Integration, AzureIntegration, BitbucketCloudIntegration, BitbucketIntegration, BitbucketServerIntegration, DefaultAzureDevOpsCredentialsProvider, DefaultGithubCredentialsProvider, DefaultGitlabCredentialsProvider, GerritIntegration, GitHubIntegration, GitLabIntegration, GiteaIntegration, GithubAppCredentialsMux, GithubIntegration, ScmIntegrations, SingleInstanceGithubCredentialsProvider, buildGerritGitilesArchiveUrl, defaultScmResolveUrl, getAzureCommitsUrl, getAzureDownloadUrl, getAzureFileFetchUrl, getAzureRequestOptions, getBitbucketCloudDefaultBranch, getBitbucketCloudDownloadUrl, getBitbucketCloudFileFetchUrl, getBitbucketCloudRequestOptions, getBitbucketDefaultBranch, getBitbucketDownloadUrl, getBitbucketFileFetchUrl, getBitbucketRequestOptions, getBitbucketServerDefaultBranch, getBitbucketServerDownloadUrl, getBitbucketServerFileFetchUrl, getBitbucketServerRequestOptions, getGerritBranchApiUrl, getGerritCloneRepoUrl, getGerritFileContentsApiUrl, getGerritProjectsApiUrl, getGerritRequestOptions, getGitHubFileFetchUrl, getGitHubRequestOptions, getGitLabFileFetchUrl, getGitLabIntegrationRelativePath, getGitLabRequestOptions, getGiteaFileContentsUrl, getGiteaRequestOptions, getGithubFileFetchUrl, parseGerritGitilesUrl, parseGerritJsonResponse, readAwsS3IntegrationConfig, readAwsS3IntegrationConfigs, readAzureIntegrationConfig, readAzureIntegrationConfigs, readBitbucketCloudIntegrationConfig, readBitbucketCloudIntegrationConfigs, readBitbucketIntegrationConfig, readBitbucketIntegrationConfigs, readBitbucketServerIntegrationConfig, readBitbucketServerIntegrationConfigs, readGerritIntegrationConfig, readGerritIntegrationConfigs, readGitHubIntegrationConfig, readGitHubIntegrationConfigs, readGitLabIntegrationConfig, readGitLabIntegrationConfigs, readGiteaConfig, readGithubIntegrationConfig, readGithubIntegrationConfigs, readGoogleGcsIntegrationConfig, replaceGitHubUrlType, replaceGitLabUrlType, replaceGithubUrlType };
 //# sourceMappingURL=index.esm.js.map