@backstage/integration 1.6.2 → 1.7.0-next.1

package/CHANGELOG.md

@@ -1,19 +1,41 @@
 # @backstage/integration
 
-## 1.6.2
+## 1.7.0-next.1
 
 ### Patch Changes
 
-- cf196443d8da: Additional fix for Gitiles auth links
+- 2d2fc9d20ebb: Additional fix for Gitiles auth links
 - Updated dependencies
-  - @backstage/config@1.0.8
+  - @backstage/config@1.1.0-next.0
   - @backstage/errors@1.2.1
 
-## 1.6.1
+## 1.7.0-next.0
+
+### Minor Changes
+
+- 5f1a92b9f19f: Added `AzureDevOpsCredentialsProvider` to support multiple Azure DevOps organizations and **deprecated** `AzureIntegrationConfig.credential` and `AzureIntegrationConfig.token` in favour of `AzureIntegrationConfig.credentials`. You can now use specific credentials for different Azure DevOps (Server) organizations by specifying the `organizations` field on a credential:
+
+  ```yaml
+  integrations:
+    azure:
+      - host: dev.azure.com
+        credentials:
+          - organizations:
+              - my-org
+              - my-other-org
+            clientId: ${AZURE_CLIENT_ID}
+            clientSecret: ${AZURE_CLIENT_SECRET}
+            tenantId: ${AZURE_TENANT_ID}
+          - organizations:
+              - yet-another-org
+            personalAccessToken: ${PERSONAL_ACCESS_TOKEN}
+  ```
+
+  See the [Azure integration documentation](https://backstage.io/docs/integrations/azure/locations) for more information.
 
 ### Patch Changes
 
-- 842eb24ef5e8: Gitiles: Fixed auth prefix issue
+- cb2e19d82d95: Gitiles: Fixed auth prefix issue
 - Updated dependencies
   - @backstage/config@1.0.8
   - @backstage/errors@1.2.1

package/config.d.ts

@@ -30,8 +30,38 @@ export interface Config {
       /**
        * Token used to authenticate requests.
        * @visibility secret
+       * @deprecated Use `credentials` instead.
        */
       token?: string;
+
+      /**
+       * The credential to use for requests.
+       *
+       * If no credential is specified anonymous access is used.
+       *
+       * @visibility secret
+       * @deprecated Use `credentials` instead.
+       */
+      credential?: {
+        clientId?: string;
+        clientSecret?: string;
+        tenantId?: string;
+        personalAccessToken?: string;
+      };
+
+      /**
+       * The credentials to use for requests. If multiple credentials are specified the first one that matches the organization is used.
+       * If not organization matches the first credential without an organization is used.
+       *
+       * If no credentials are specified at all, either a default credential (for Azure DevOps) or anonymous access (for Azure DevOps Server) is used.
+       * @visibility secret
+       */
+      credentials?: {
+        clientId?: string;
+        clientSecret?: string;
+        tenantId?: string;
+        personalAccessToken?: string;
+      }[];
     }>;
 
     /**

package/dist/index.cjs.js

@@ -121,10 +121,10 @@ function readAwsS3IntegrationConfigs(configs) {
   return result;
 }
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const _AwsS3Integration = class _AwsS3Integration {
@@ -148,7 +148,7 @@ const _AwsS3Integration = class _AwsS3Integration {
     return url;
   }
 };
-__publicField$c(_AwsS3Integration, "factory", ({ config }) => {
+__publicField$d(_AwsS3Integration, "factory", ({ config }) => {
   var _a;
   const configs = readAwsS3IntegrationConfigs(
     (_a = config.getOptionalConfigArray("integrations.awsS3")) != null ? _a : []
@@ -350,43 +350,146 @@ _baseUrl = new WeakMap();
 let AzureUrl = _AzureUrl;
 
 const AZURE_HOST = "dev.azure.com";
-const isAzureClientSecretCredential = (credential) => {
-  const clientSecretCredential = credential;
-  return Object.keys(credential).length === 3 && clientSecretCredential.clientId !== void 0 && clientSecretCredential.clientSecret !== void 0 && clientSecretCredential.tenantId !== void 0;
-};
-const isAzureManagedIdentityCredential = (credential) => {
-  return Object.keys(credential).length === 1 && credential.clientId !== void 0;
-};
+const AzureDevOpsCredentialFields = [
+  "clientId",
+  "clientSecret",
+  "tenantId",
+  "personalAccessToken"
+];
+const AzureDevopsCredentialFieldMap = /* @__PURE__ */ new Map([
+  ["ClientSecret", ["clientId", "clientSecret", "tenantId"]],
+  ["ManagedIdentity", ["clientId"]],
+  ["PersonalAccessToken", ["personalAccessToken"]]
+]);
+function asAzureDevOpsCredential(credential) {
+  for (const entry of AzureDevopsCredentialFieldMap.entries()) {
+    const [kind, requiredFields] = entry;
+    const forbiddenFields = AzureDevOpsCredentialFields.filter(
+      (field) => !requiredFields.includes(field)
+    );
+    if (requiredFields.every((field) => credential[field] !== void 0) && forbiddenFields.every((field) => credential[field] === void 0)) {
+      return {
+        kind,
+        organizations: credential.organizations,
+        ...requiredFields.reduce((acc, field) => {
+          acc[field] = credential[field];
+          return acc;
+        }, {})
+      };
+    }
+  }
+  throw new Error("is not a valid credential");
+}
 function readAzureIntegrationConfig(config) {
-  var _a;
+  var _a, _b, _c, _d;
   const host = (_a = config.getOptionalString("host")) != null ? _a : AZURE_HOST;
+  let credentialConfigs = (_b = config.getOptionalConfigArray("credentials")) == null ? void 0 : _b.map((credential) => {
+    const result = {
+      organizations: credential.getOptionalStringArray("organizations"),
+      personalAccessToken: credential.getOptionalString(
+        "personalAccessToken"
+      ),
+      tenantId: credential.getOptionalString("tenantId"),
+      clientId: credential.getOptionalString("clientId"),
+      clientSecret: credential.getOptionalString("clientSecret")
+    };
+    return result;
+  });
   const token = config.getOptionalString("token");
-  const credential = config.getOptional("credential") ? {
-    tenantId: config.getOptionalString("credential.tenantId"),
-    clientId: config.getOptionalString("credential.clientId"),
-    clientSecret: config.getOptionalString("credential.clientSecret")
-  } : void 0;
-  if (!isValidHost(host)) {
+  if (config.getOptional("credential") !== void 0 && config.getOptional("credentials") !== void 0) {
     throw new Error(
-      `Invalid Azure integration config, '${host}' is not a valid host`
+      `Invalid Azure integration config, 'credential' and 'credentials' cannot be used together. Use 'credentials' instead.`
     );
   }
-  if (credential && !isAzureClientSecretCredential(credential) && !isAzureManagedIdentityCredential(credential)) {
+  if (config.getOptional("token") !== void 0 && config.getOptional("credentials") !== void 0) {
     throw new Error(
-      `Invalid Azure integration config, credential is not valid`
+      `Invalid Azure integration config, 'token' and 'credentials' cannot be used together. Use 'credentials' instead.`
     );
   }
-  if (credential && host !== AZURE_HOST) {
+  if (token !== void 0) {
+    const mapped = [{ personalAccessToken: token }];
+    credentialConfigs = (_c = credentialConfigs == null ? void 0 : credentialConfigs.concat(mapped)) != null ? _c : mapped;
+  }
+  if (config.getOptional("credential") !== void 0) {
+    const mapped = [
+      {
+        organizations: config.getOptionalStringArray(
+          "credential.organizations"
+        ),
+        token: config.getOptionalString("credential.token"),
+        tenantId: config.getOptionalString("credential.tenantId"),
+        clientId: config.getOptionalString("credential.clientId"),
+        clientSecret: config.getOptionalString("credential.clientSecret")
+      }
+    ];
+    credentialConfigs = (_d = credentialConfigs == null ? void 0 : credentialConfigs.concat(mapped)) != null ? _d : mapped;
+  }
+  if (!isValidHost(host)) {
     throw new Error(
-      `Invalid Azure integration config, credential can only be used with ${AZURE_HOST}`
+      `Invalid Azure integration config, '${host}' is not a valid host`
     );
   }
-  if (credential && token) {
-    throw new Error(
-      `Invalid Azure integration config, specify either a token or a credential but not both`
+  let credentials = void 0;
+  if (credentialConfigs !== void 0) {
+    const errors = credentialConfigs == null ? void 0 : credentialConfigs.reduce((acc, credentialConfig, index) => {
+      let error = void 0;
+      try {
+        asAzureDevOpsCredential(credentialConfig);
+      } catch (e) {
+        error = e.message;
+      }
+      if (error !== void 0) {
+        acc.push(`credential at position ${index + 1} ${error}`);
+      }
+      return acc;
+    }, Array.of()).concat(
+      Object.entries(
+        credentialConfigs.filter(
+          (credential) => credential.organizations !== void 0 && credential.organizations.length > 0
+        ).reduce((acc, credential, index) => {
+          var _a2;
+          (_a2 = credential.organizations) == null ? void 0 : _a2.forEach((organization) => {
+            if (!acc[organization]) {
+              acc[organization] = [];
+            }
+            acc[organization].push(index + 1);
+          });
+          return acc;
+        }, {})
+      ).filter(([_, indexes]) => indexes.length > 1).reduce((acc, [org, indexes]) => {
+        acc.push(
+          `organization ${org} is specified multiple times in credentials at positions ${indexes.slice(0, indexes.length - 1).join(", ")} and ${indexes[indexes.length - 1]}`
+        );
+        return acc;
+      }, Array.of())
     );
+    if ((errors == null ? void 0 : errors.length) > 0) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}: ${errors.join("; ")}`
+      );
+    }
+    credentials = credentialConfigs.map(
+      (credentialConfig) => asAzureDevOpsCredential(credentialConfig)
+    );
+    if (credentials.some(
+      (credential) => credential.kind !== "PersonalAccessToken"
+    ) && host !== AZURE_HOST) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}, only personal access tokens can be used with hosts other than ${AZURE_HOST}`
+      );
+    }
+    if (credentials.filter(
+      (credential) => credential.organizations === void 0 || credential.organizations.length === 0
+    ).length > 1) {
+      throw new Error(
+        `Invalid Azure integration config for ${host}, you cannot specify multiple credentials without organizations`
+      );
+    }
   }
-  return { host, token, credential };
+  return {
+    host,
+    credentials
+  };
 }
 function readAzureIntegrationConfigs(configs) {
   const result = configs.map(readAzureIntegrationConfig);
@@ -396,10 +499,10 @@ function readAzureIntegrationConfigs(configs) {
   return result;
 }
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const _AzureIntegration = class _AzureIntegration {
@@ -447,7 +550,7 @@ const _AzureIntegration = class _AzureIntegration {
     return url;
   }
 };
-__publicField$b(_AzureIntegration, "factory", ({ config }) => {
+__publicField$c(_AzureIntegration, "factory", ({ config }) => {
   var _a;
   const configs = readAzureIntegrationConfigs(
     (_a = config.getOptionalConfigArray("integrations.azure")) != null ? _a : []
@@ -468,29 +571,171 @@ function getAzureDownloadUrl(url) {
 function getAzureCommitsUrl(url) {
   return AzureUrl.fromRepoUrl(url).toCommitsUrl();
 }
+
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+const tenMinutes = 1e3 * 60 * 10;
+class CachedAzureDevOpsCredentialsProvider {
+  constructor(credential) {
+    this.credential = credential;
+    __publicField$b(this, "azureDevOpsScope", "499b84ac-1321-427f-aa17-267ca6975798/.default");
+    __publicField$b(this, "cached");
+  }
+  static fromAzureDevOpsCredential(credential) {
+    switch (credential.kind) {
+      case "PersonalAccessToken":
+        return CachedAzureDevOpsCredentialsProvider.fromPersonalAccessTokenCredential(
+          credential
+        );
+      case "ClientSecret":
+        return CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+          new identity.ClientSecretCredential(
+            credential.tenantId,
+            credential.clientId,
+            credential.clientSecret
+          )
+        );
+      case "ManagedIdentity":
+        return CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+          new identity.ManagedIdentityCredential(credential.clientId)
+        );
+      default:
+        throw new Error(
+          `Credential kind '${credential.kind}' not supported`
+        );
+    }
+  }
+  static fromTokenCredential(credential) {
+    return new CachedAzureDevOpsCredentialsProvider(credential);
+  }
+  static fromPersonalAccessTokenCredential(credential) {
+    return new CachedAzureDevOpsCredentialsProvider(
+      credential.personalAccessToken
+    );
+  }
+  async getCredentials() {
+    if (this.cached === void 0 || this.cached.expiresAt !== void 0 && Date.now() > this.cached.expiresAt) {
+      if (typeof this.credential === "string") {
+        this.cached = {
+          headers: {
+            Authorization: `Basic ${btoa(`:${this.credential}`)}`
+          },
+          type: "pat",
+          token: this.credential
+        };
+      } else {
+        const accessToken = await this.credential.getToken(
+          this.azureDevOpsScope
+        );
+        if (!accessToken) {
+          throw new Error("Failed to retrieve access token");
+        }
+        this.cached = {
+          expiresAt: accessToken.expiresOnTimestamp - tenMinutes,
+          headers: {
+            Authorization: `Bearer ${accessToken.token}`
+          },
+          type: "bearer",
+          token: accessToken.token
+        };
+      }
+    }
+    return this.cached;
+  }
+}
+
+class DefaultAzureDevOpsCredentialsProvider {
+  constructor(providers) {
+    this.providers = providers;
+  }
+  static fromIntegrations(integrations) {
+    const providers = integrations.azure.list().reduce((acc, integration) => {
+      var _a;
+      (_a = integration.config.credentials) == null ? void 0 : _a.forEach((credential) => {
+        var _a2;
+        if (credential.organizations === void 0 || credential.organizations.length === 0) {
+          if (acc.get(integration.config.host) === void 0) {
+            acc.set(
+              integration.config.host,
+              CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+                credential
+              )
+            );
+          }
+        } else {
+          const provider = CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+            credential
+          );
+          (_a2 = credential.organizations) == null ? void 0 : _a2.forEach((organization) => {
+            acc.set(`${integration.config.host}/${organization}`, provider);
+          });
+        }
+      });
+      if (integration.config.host === "dev.azure.com" && acc.get(integration.config.host) === void 0) {
+        acc.set(
+          integration.config.host,
+          CachedAzureDevOpsCredentialsProvider.fromTokenCredential(
+            new identity.DefaultAzureCredential()
+          )
+        );
+      }
+      return acc;
+    }, /* @__PURE__ */ new Map());
+    return new DefaultAzureDevOpsCredentialsProvider(providers);
+  }
+  forAzureDevOpsServerOrganization(url) {
+    const parts = url.pathname.split("/").filter((part) => part !== "");
+    if (url.host !== "dev.azure.com" && parts.length > 0) {
+      if (parts[0] !== "tfs") {
+        return this.providers.get(`${url.host}/${parts[0]}`);
+      } else if (parts[0] === "tfs" && parts.length > 1) {
+        return this.providers.get(`${url.host}/${parts[1]}`);
+      }
+    }
+    return void 0;
+  }
+  forAzureDevOpsOrganization(url) {
+    const parts = url.pathname.split("/").filter((part) => part !== "");
+    if (url.host === "dev.azure.com" && parts.length > 0) {
+      return this.providers.get(`${url.host}/${parts[0]}`);
+    }
+    return void 0;
+  }
+  forHost(url) {
+    return this.providers.get(url.host);
+  }
+  async getCredentials(opts) {
+    var _a, _b;
+    const url = new URL(opts.url);
+    const provider = (_b = (_a = this.forAzureDevOpsOrganization(url)) != null ? _a : this.forAzureDevOpsServerOrganization(url)) != null ? _b : this.forHost(url);
+    if (provider === void 0) {
+      return void 0;
+    }
+    return provider.getCredentials(opts);
+  }
+}
+
 async function getAzureRequestOptions(config, additionalHeaders) {
-  const azureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";
+  var _a;
   const headers = additionalHeaders ? { ...additionalHeaders } : {};
-  const { token, credential } = config;
-  if (credential) {
-    if (isAzureClientSecretCredential(credential)) {
-      const servicePrincipal = new identity.ClientSecretCredential(
-        credential.tenantId,
-        credential.clientId,
-        credential.clientSecret
-      );
-      const accessToken = await servicePrincipal.getToken(azureDevOpsScope);
-      headers.Authorization = `Bearer ${accessToken.token}`;
-    } else if (isAzureManagedIdentityCredential(credential)) {
-      const managedIdentity = new identity.ManagedIdentityCredential(
-        credential.clientId
-      );
-      const accessToken = await managedIdentity.getToken(azureDevOpsScope);
-      headers.Authorization = `Bearer ${accessToken.token}`;
-    }
-  } else if (token) {
-    const buffer = Buffer.from(`:${config.token}`, "utf8");
-    headers.Authorization = `Basic ${buffer.toString("base64")}`;
+  const credentialConfig = (_a = config.credentials) == null ? void 0 : _a.filter(
+    (credential) => credential.organizations === void 0 || credential.organizations.length === 0
+  )[0];
+  if (credentialConfig) {
+    const credentialsProvider = CachedAzureDevOpsCredentialsProvider.fromAzureDevOpsCredential(
+      credentialConfig
+    );
+    const credentials = await credentialsProvider.getCredentials();
+    return {
+      headers: {
+        ...credentials == null ? void 0 : credentials.headers,
+        ...headers
+      }
+    };
   }
   return { headers };
 }
@@ -1977,6 +2222,7 @@ exports.AzureIntegration = AzureIntegration;
 exports.BitbucketCloudIntegration = BitbucketCloudIntegration;
 exports.BitbucketIntegration = BitbucketIntegration;
 exports.BitbucketServerIntegration = BitbucketServerIntegration;
+exports.DefaultAzureDevOpsCredentialsProvider = DefaultAzureDevOpsCredentialsProvider;
 exports.DefaultGithubCredentialsProvider = DefaultGithubCredentialsProvider;
 exports.DefaultGitlabCredentialsProvider = DefaultGitlabCredentialsProvider;
 exports.GerritIntegration = GerritIntegration;