@backstage/plugin-auth-backend 0.0.0-nightly-202191922036 → 0.0.0-nightly-2021101122259

package/CHANGELOG.md

@@ -1,16 +1,47 @@
 # @backstage/plugin-auth-backend
 
-## 0.0.0-nightly-202191922036
+## 0.0.0-nightly-2021101122259
 
 ### Patch Changes
 
+- 5ee31f860b: Only use settings that have a value when creating a new FirestoreKeyStore instance
+- 3e0e2f09d5: Added forwarding of the `audience` option for the SAML provider, making it possible to enable `audience` verification.
+- Updated dependencies
+  - @backstage/backend-common@0.0.0-nightly-2021101122259
+  - @backstage/test-utils@0.0.0-nightly-2021101122259
+  - @backstage/catalog-client@0.0.0-nightly-2021101122259
+
+## 0.4.6
+
+### Patch Changes
+
+- 3b767f19c9: Allow OAuth state to be encoded by a stateEncoder.
+- Updated dependencies
+  - @backstage/test-utils@0.1.20
+  - @backstage/config@0.1.11
+  - @backstage/errors@0.1.4
+  - @backstage/backend-common@0.9.8
+  - @backstage/catalog-model@0.9.6
+
+## 0.4.5
+
+### Patch Changes
+
+- 9322e632e9: Require that audience URLs for Okta authentication start with https
 - de3e26aecc: Fix a bug preventing an access token to be refreshed a second time with the GitHub provider.
+- ab9b4a6ea6: Add Firestore as key-store provider.
+  Add `auth.keyStore` section to application config.
+- 202f322927: Atlassian auth provider
+
+  - AtlassianAuth added to core-app-api
+  - Atlassian provider added to plugin-auth-backend
+  - Updated user-settings with Atlassian connection
+
+- 36e67d2f24: Internal updates to apply more strict checks to throw errors.
 - Updated dependencies
-  - @backstage/backend-common@0.0.0-nightly-202191922036
-  - @backstage/catalog-client@0.0.0-nightly-202191922036
-  - @backstage/catalog-model@0.0.0-nightly-202191922036
-  - @backstage/errors@0.0.0-nightly-202191922036
-  - @backstage/test-utils@0.0.0-nightly-202191922036
+  - @backstage/backend-common@0.9.7
+  - @backstage/errors@0.1.3
+  - @backstage/catalog-model@0.9.5
 
 ## 0.4.4
 

package/config.d.ts

@@ -31,6 +31,32 @@ export interface Config {
       secret?: string;
     };
 
+    /** To control how to store JWK data in auth-backend */
+    keyStore?: {
+      provider?: 'database' | 'memory' | 'firestore';
+      firestore?: {
+        /** The host to connect to */
+        host?: string;
+        /** The port to connect to */
+        port?: number;
+        /** Whether to use SSL when connecting. */
+        ssl?: boolean;
+        /** The Google Cloud Project ID */
+        projectId?: string;
+        /**
+         * Local file containing the Service Account credentials.
+         * You can omit this value to automatically read from
+         * GOOGLE_APPLICATION_CREDENTIALS env which is useful for local
+         * development.
+         */
+        keyFilename?: string;
+        /** The path to use for the collection. Defaults to 'sessions' */
+        path?: string;
+        /** Timeout used for database operations. Defaults to 10000ms */
+        timeout?: number;
+      };
+    };
+
     /**
      * The available auth-provider options and attributes
      */
@@ -49,6 +75,7 @@ export interface Config {
         logoutUrl?: string;
         issuer: string;
         cert: string;
+        audience?: string;
         privateKey?: string;
         authnContext?: string[];
         identifierFormat?: string;

package/dist/index.cjs.js

@@ -29,6 +29,8 @@ var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -417,12 +419,10 @@ class OAuthAdapter {
         response
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -458,7 +458,7 @@ class OAuthAdapter {
       }
       res.status(200).json(response);
     } catch (error) {
-      res.status(401).send(`${error.message}`);
+      res.status(401).send(String(error));
     }
   }
   async populateIdentity(identity) {
@@ -551,6 +551,7 @@ class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
@@ -568,7 +569,7 @@ class GithubAuthProvider {
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -634,7 +635,7 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
@@ -656,6 +657,9 @@ const createGithubProvider = (options) => {
       tokenIssuer,
       logger
     });
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return {encodedState: encodeState(req.state)};
+    };
     const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
@@ -667,6 +671,7 @@ const createGithubProvider = (options) => {
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
@@ -1384,6 +1389,9 @@ const createOktaProvider = (_options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -1555,6 +1563,177 @@ const createBitbucketProvider = (options) => {
   });
 };
 
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default['default'] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
+    }
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(new Set([...defaultScopes, ...scopes]))
+    };
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
+    };
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
+      if (err) {
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
+      }
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
+      }
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
+      }
+    });
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{value: resp.email}],
+      photos: [{value: resp.picture}]
+    };
+  }
+}
+
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      scope: options.scopes
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    var _a;
+    const {result} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: (_a = result.refreshToken) != null ? _a : ""
+    };
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+  async refresh(req) {
+    const {
+      accessToken,
+      params,
+      refreshToken: newRefreshToken
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: newRefreshToken
+    });
+  }
+}
+const createAtlassianProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
+      clientId,
+      clientSecret,
+      scopes,
+      callbackUrl,
+      authHandler,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
 const getJWTHeaders = (input) => {
@@ -1835,12 +2014,10 @@ class SamlAuthProvider {
         }
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -1857,6 +2034,7 @@ const createSamlProvider = (_options) => {
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
@@ -2070,7 +2248,8 @@ const factories = {
   oidc: createOidcProvider(),
   onelogin: createOneLoginProvider(),
   awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider()
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
 };
 
 function createOidcRouter(options) {
@@ -2289,6 +2468,121 @@ class DatabaseKeyStore {
   }
 }
 
+class MemoryKeyStore {
+  constructor() {
+    this.keys = new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, {createdAt, key: keyStr}]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
+
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const {path, timeout, ...firestoreSettings} = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const {logger, database} = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
+
 async function createRouter({
   logger,
   config,
@@ -2299,10 +2593,8 @@ async function createRouter({
   const router = Router__default['default']();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
+  const keyStore = await KeyStores.fromConfig(config, {logger, database});
   const keyDurationSeconds = 3600;
-  const keyStore = await DatabaseKeyStore.create({
-    database: await database.getClient()
-  });
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,
     keyStore,
@@ -2353,6 +2645,7 @@ async function createRouter({
         }
         router.use(`/${providerId}`, r);
       } catch (e) {
+        errors.assertError(e);
         if (process.env.NODE_ENV !== "development") {
           throw new Error(`Failed to initialize ${providerId} auth provider, ${e.message}`);
         }
@@ -2396,6 +2689,7 @@ exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
 exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
+exports.createAtlassianProvider = createAtlassianProvider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
 exports.createGithubProvider = createGithubProvider;