npm - @backstage/plugin-auth-backend - Versions diffs - 0.10.2 → 0.12.1-next.0 - Mend

@backstage/plugin-auth-backend 0.10.2 → 0.12.1-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +60 -0
package/dist/index.cjs.js +78 -18
package/dist/index.cjs.js.map +1 -1
package/migrations/20210326100300_timestamptz.js +2 -2
package/package.json +10 -10

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,65 @@
 # @backstage/plugin-auth-backend
+## 0.12.1-next.0
+### Patch Changes
+- ab7cd7d70e: Do some groundwork for supporting the `better-sqlite3` driver, to maybe eventually replace `@vscode/sqlite3` (#9912)
+- e0a69ba49f: build(deps): bump `fs-extra` from 9.1.0 to 10.0.1
+- bf95bb806c: Remove usages of now-removed `CatalogApi.getEntityByName`
+- 3c2bc73901: Use `setupRequestMockHandlers` from `@backstage/backend-test-utils`
+- Updated dependencies
+  - @backstage/backend-common@0.13.0-next.0
+  - @backstage/catalog-model@0.13.0-next.0
+  - @backstage/catalog-client@0.9.0-next.0
+  - @backstage/plugin-auth-node@0.1.5-next.0
+## 0.12.0
+### Minor Changes
+- 0c8ba31d72: **BREAKING**: The `TokenFactory.issueToken` used by custom sign-in resolvers now ensures that the sub claim given is a full entity reference of the format `<kind>:<namespace>/<name>`. Any existing custom sign-in resolver functions that do not supply a full entity reference must be updated.
+### Patch Changes
+- 899f196af5: Use `getEntityByRef` instead of `getEntityByName` in the catalog client
+- 36aa63022b: Use `CompoundEntityRef` instead of `EntityName`, and `getCompoundEntityRef` instead of `getEntityName`, from `@backstage/catalog-model`.
+- Updated dependencies
+  - @backstage/catalog-model@0.12.0
+  - @backstage/catalog-client@0.8.0
+  - @backstage/backend-common@0.12.0
+  - @backstage/plugin-auth-node@0.1.4
+## 0.11.0
+### Minor Changes
+- 3884bf0348: **BREAKING**: The default sign-in resolvers for all providers, if you choose to
+  use them, now emit the token `sub` and `ent` claims on the standard,
+  all-lowercase form, instead of the mixed-case form. The mixed-case form causes
+  problems for implementations that naively do string comparisons on refs. The end
+  result is that you may for example see your Backstage token `sub` claim now
+  become `'user:default/my-id'` instead of `'user:default/My-ID'`.
+  On a related note, specifically the SAML provider now correctly issues both
+  `sub` and `ent` claims, and on the full entity ref form instead of the short
+  form with only the ID.
+  **NOTE**: For a long time, it has been strongly recommended that you provide
+  your own sign-in resolver instead of using the builtin ones, and that will
+  become mandatory in the future.
+### Patch Changes
+- d64b8d3678: chore(deps): bump `minimatch` from 3.0.4 to 5.0.0
+- 6e1cbc12a6: Updated according to the new `getEntityFacets` catalog API method
+- 919cf2f836: Minor updates to match the new `targetRef` field of relations, and to stop consuming the `target` field
+- Updated dependencies
+  - @backstage/backend-common@0.11.0
+  - @backstage/catalog-model@0.11.0
+  - @backstage/catalog-client@0.7.2
+  - @backstage/plugin-auth-node@0.1.3
 ## 0.10.2
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -607,10 +607,10 @@ class CatalogIdentityClient {
     }
     const memberOf = entities.flatMap((e) => {
       var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
     });
     const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
+      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
     ];
     logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
     return newEntityRefs;
@@ -620,7 +620,7 @@ class CatalogIdentityClient {
 function getEntityClaims(entity) {
   var _a, _b;
   const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
   return {
     sub: userRef,
     ent: [userRef, ...membershipRefs]
@@ -1261,10 +1261,15 @@ class GithubAuthProvider {
 const githubDefaultSignInResolver = async (info, ctx) => {
   const { fullProfile } = info.result;
   const userId = fullProfile.username || fullProfile.id;
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
     claims: {
-      sub: `user:default/${userId}`,
-      ent: [`user:default/${userId}`]
+      sub: entityRef,
+      ent: [entityRef]
     }
   });
   return { id: userId, token };
@@ -1333,8 +1338,16 @@ const gitlabDefaultSignInResolver = async (info, ctx) => {
   if (profile.email) {
     id = profile.email.split("@")[0];
   }
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: id
+  });
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: `user:default/${id}`, ent: [`user:default/${id}`] }
+    claims: {
+      sub: entityRef,
+      ent: [entityRef]
+    }
   });
   return { id, token };
 };
@@ -1566,8 +1579,16 @@ const googleDefaultSignInResolver = async (info, ctx) => {
     ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
     userId = profile.email.split("@")[0];
   }
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: entityRef,
+      ent: [entityRef]
+    }
   });
   return { id: userId, token };
 };
@@ -1723,10 +1744,15 @@ const microsoftDefaultSignInResolver = async (info, ctx) => {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
     claims: {
-      sub: `user:default/${userId}`,
-      ent: [`user:default/${userId}`]
+      sub: entityRef,
+      ent: [entityRef]
     }
   });
   return { id: userId, token };
@@ -1868,14 +1894,22 @@ class OAuth2AuthProvider {
     return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
   }
 }
-const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: entityRef,
+      ent: [entityRef]
+    }
   });
   return { id: userId, token };
 };
@@ -1906,7 +1940,7 @@ const createOAuth2Provider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
@@ -2102,16 +2136,21 @@ class OidcAuthProvider {
     return response;
   }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
+const oidcDefaultSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
     claims: {
-      sub: `user:default/${userId}`,
-      ent: [`user:default/${userId}`]
+      sub: entityRef,
+      ent: [entityRef]
     }
   });
   return { id: userId, token };
@@ -2146,7 +2185,7 @@ const createOidcProvider = (options) => {
         picture: userinfo.picture
       }
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oidcDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
@@ -2281,8 +2320,16 @@ const oktaDefaultSignInResolver = async (info, ctx) => {
     throw new Error("Okta profile contained no email");
   }
   const userId = profile.email.split("@")[0];
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: userId
+  });
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: entityRef,
+      ent: [entityRef]
+    }
   });
   return { id: userId, token };
 };
@@ -2520,8 +2567,16 @@ class SamlAuthProvider {
 }
 const samlDefaultSignInResolver = async (info, ctx) => {
   const id = info.result.fullProfile.nameID;
+  const entityRef = catalogModel.stringifyEntityRef({
+    kind: "User",
+    namespace: catalogModel.DEFAULT_NAMESPACE,
+    name: id
+  });
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id }
+    claims: {
+      sub: entityRef,
+      ent: [entityRef]
+    }
   });
   return { id, token };
 };
@@ -2731,6 +2786,11 @@ class TokenFactory {
     const aud = "backstage";
     const iat = Math.floor(Date.now() / MS_IN_S);
     const exp = iat + this.keyDurationSeconds;
+    try {
+      catalogModel.parseEntityRef(sub);
+    } catch (error) {
+      throw new Error('"sub" claim provided by the auth resolver is not a valid EntityRef.');
+    }
     this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
     return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
       alg: key.alg,