npm - @backstage/plugin-auth-backend - Versions diffs - 0.14.2-next.0 → 0.15.0-next.1 - Mend

@backstage/plugin-auth-backend 0.14.2-next.0 → 0.15.0-next.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,27 @@
 # @backstage/plugin-auth-backend
+## 0.15.0-next.1
+### Minor Changes
+- 9d4040777e: **BREAKING**: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.
+  **BREAKING**: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.
+  **BREAKING**: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.
+  **DEPRECATION**: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
+### Patch Changes
+- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
+- Updated dependencies
+  - @backstage/catalog-model@1.1.0-next.1
+  - @backstage/backend-common@0.14.1-next.1
+  - @backstage/errors@1.1.0-next.0
+  - @backstage/catalog-client@1.0.4-next.1
+  - @backstage/plugin-auth-node@0.2.3-next.1
 ## 0.14.2-next.0
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -15,6 +15,7 @@ var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var googleAuthLibrary = require('google-auth-library');
 var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
@@ -24,7 +25,6 @@ var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
-var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
 var catalogModel = require('@backstage/catalog-model');
 var luxon = require('luxon');
@@ -645,7 +645,6 @@ const atlassian = createAuthProviderIntegration({
     });
   }
 });
-const createAtlassianProvider = atlassian.create;
 class Auth0Strategy extends OAuth2Strategy__default["default"] {
   constructor(options, verify) {
@@ -758,7 +757,6 @@ const auth0 = createAuthProviderIntegration({
     });
   }
 });
-const createAuth0Provider = auth0.create;
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
@@ -872,7 +870,6 @@ const awsAlb = createAuthProviderIntegration({
     };
   }
 });
-const createAwsAlbProvider = awsAlb.create;
 class BitbucketAuthProvider {
   constructor(options) {
@@ -997,9 +994,86 @@ const bitbucket = createAuthProviderIntegration({
     }
   }
 });
-const createBitbucketProvider = bitbucket.create;
-const bitbucketUsernameSignInResolver = bitbucket.resolvers.usernameMatchingUserEntityAnnotation();
-const bitbucketUserIdSignInResolver = bitbucket.resolvers.userIdMatchingUserEntityAnnotation();
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
+  }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
+  }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
+}
+const defaultAuthHandler$1 = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.resolverContext = options.resolverContext;
+  }
+  async start() {
+  }
+  async frameHandler() {
+  }
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver({ profile, result }, this.resolverContext);
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
+  }
+}
+const gcpIap = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      var _a;
+      const audience = config.getString("audience");
+      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler$1;
+      const signInResolver = options.signIn.resolver;
+      const tokenValidator = createTokenValidator(audience);
+      return new GcpIapProvider({
+        authHandler,
+        signInResolver,
+        tokenValidator,
+        resolverContext
+      });
+    };
+  }
+});
 const ACCESS_TOKEN_PREFIX = "access-token.";
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
@@ -1144,7 +1218,6 @@ const github = createAuthProviderIntegration({
     }
   }
 });
-const createGithubProvider = github.create;
 const gitlabDefaultAuthHandler = async ({
   fullProfile,
@@ -1240,7 +1313,6 @@ const gitlab = createAuthProviderIntegration({
     });
   }
 });
-const createGitlabProvider = gitlab.create;
 const commonByEmailLocalPartResolver = async (info, ctx) => {
   const { profile } = info;
@@ -1375,8 +1447,6 @@ const google = createAuthProviderIntegration({
     }
   }
 });
-const createGoogleProvider = google.create;
-const googleEmailSignInResolver = google.resolvers.emailMatchingUserEntityAnnotation();
 class MicrosoftAuthProvider {
   constructor(options) {
@@ -1505,8 +1575,6 @@ const microsoft = createAuthProviderIntegration({
     }
   }
 });
-const createMicrosoftProvider = microsoft.create;
-const microsoftEmailSignInResolver = microsoft.resolvers.emailMatchingUserEntityAnnotation();
 class OAuth2AuthProvider {
   constructor(options) {
@@ -1627,7 +1695,6 @@ const oauth2 = createAuthProviderIntegration({
     });
   }
 });
-const createOAuth2Provider = oauth2.create;
 const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
 class Oauth2ProxyAuthProvider {
@@ -1679,7 +1746,7 @@ class Oauth2ProxyAuthProvider {
     };
   }
 }
-async function defaultAuthHandler$1(result) {
+async function defaultAuthHandler(result) {
   return {
     profile: {
       email: result.getHeader("x-forwarded-email"),
@@ -1695,12 +1762,11 @@ const oauth2Proxy = createAuthProviderIntegration({
       return new Oauth2ProxyAuthProvider({
         resolverContext,
         signInResolver,
-        authHandler: authHandler != null ? authHandler : defaultAuthHandler$1
+        authHandler: authHandler != null ? authHandler : defaultAuthHandler
       });
     };
   }
 });
-const createOauth2ProxyProvider = oauth2Proxy.create;
 class OidcAuthProvider {
   constructor(options) {
@@ -1826,7 +1892,6 @@ const oidc = createAuthProviderIntegration({
     });
   }
 });
-const createOidcProvider = oidc.create;
 class OktaAuthProvider {
   constructor(options) {
@@ -1955,8 +2020,6 @@ const okta = createAuthProviderIntegration({
     }
   }
 });
-const createOktaProvider = okta.create;
-const oktaEmailSignInResolver = okta.resolvers.emailMatchingUserEntityAnnotation();
 class OneLoginProvider {
   constructor(options) {
@@ -2055,7 +2118,6 @@ const onelogin = createAuthProviderIntegration({
     });
   }
 });
-const createOneLoginProvider = onelogin.create;
 class SamlAuthProvider {
   constructor(options) {
@@ -2147,89 +2209,6 @@ const saml = createAuthProviderIntegration({
     }
   }
 });
-const createSamlProvider = saml.create;
-const samlNameIdEntityNameSignInResolver = saml.resolvers.nameIdMatchingUserEntityName();
-const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
-function createTokenValidator(audience, mockClient) {
-  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
-  return async function tokenValidator(token) {
-    const response = await client.getIapPublicKeys();
-    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new TypeError("Token had no payload");
-    }
-    return payload;
-  };
-}
-async function parseRequestToken(jwtToken, tokenValidator) {
-  if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
-  }
-  let payload;
-  try {
-    payload = await tokenValidator(jwtToken);
-  } catch (e) {
-    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
-  }
-  if (!payload.sub || !payload.email) {
-    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
-  }
-  return {
-    iapToken: {
-      ...payload,
-      sub: payload.sub,
-      email: payload.email
-    }
-  };
-}
-const defaultAuthHandler = async ({
-  iapToken
-}) => ({ profile: { email: iapToken.email } });
-class GcpIapProvider {
-  constructor(options) {
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenValidator = options.tokenValidator;
-    this.resolverContext = options.resolverContext;
-  }
-  async start() {
-  }
-  async frameHandler() {
-  }
-  async refresh(req, res) {
-    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver({ profile, result }, this.resolverContext);
-    const response = {
-      providerInfo: { iapToken: result.iapToken },
-      profile,
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
-    };
-    res.json(response);
-  }
-}
-const gcpIap = createAuthProviderIntegration({
-  create(options) {
-    return ({ config, resolverContext }) => {
-      var _a;
-      const audience = config.getString("audience");
-      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
-      const signInResolver = options.signIn.resolver;
-      const tokenValidator = createTokenValidator(audience);
-      return new GcpIapProvider({
-        authHandler,
-        signInResolver,
-        tokenValidator,
-        resolverContext
-      });
-    };
-  }
-});
-const createGcpIapProvider = gcpIap.create;
 const providers = Object.freeze({
   atlassian,
@@ -2248,21 +2227,20 @@ const providers = Object.freeze({
   onelogin,
   saml
 });
-const factories = {
-  google: createGoogleProvider(),
-  github: createGithubProvider(),
-  gitlab: createGitlabProvider(),
-  saml: createSamlProvider(),
-  okta: createOktaProvider(),
-  auth0: createAuth0Provider(),
-  microsoft: createMicrosoftProvider(),
-  oauth2: createOAuth2Provider(),
-  oidc: createOidcProvider(),
-  onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider(),
-  atlassian: createAtlassianProvider()
+const defaultAuthProviderFactories = {
+  google: google.create(),
+  github: github.create(),
+  gitlab: gitlab.create(),
+  saml: saml.create(),
+  okta: okta.create(),
+  auth0: auth0.create(),
+  microsoft: microsoft.create(),
+  oauth2: oauth2.create(),
+  oidc: oidc.create(),
+  onelogin: onelogin.create(),
+  awsalb: awsAlb.create(),
+  bitbucket: bitbucket.create(),
+  atlassian: atlassian.create()
 };
 function createOidcRouter(options) {
@@ -2598,16 +2576,6 @@ class CatalogIdentityClient {
   }
 }
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
-  return {
-    sub: userRef,
-    ent: [userRef, ...membershipRefs]
-  };
-}
 function getDefaultOwnershipEntityRefs(entity) {
   var _a, _b;
   const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
@@ -2687,6 +2655,7 @@ async function createRouter(options) {
     discovery,
     database,
     tokenManager,
+    tokenFactoryAlgorithm,
     providerFactories
   } = options;
   const router = Router__default["default"]();
@@ -2698,7 +2667,8 @@ async function createRouter(options) {
     issuer: authUrl,
     keyStore,
     keyDurationSeconds,
-    logger: logger.child({ component: "token-factory" })
+    logger: logger.child({ component: "token-factory" }),
+    algorithm: tokenFactoryAlgorithm
   });
   const catalogApi = new catalogClient.CatalogClient({ discoveryApi: discovery });
   const secret = config.getOptionalString("auth.session.secret");
@@ -2719,7 +2689,7 @@ async function createRouter(options) {
   router.use(express__default["default"].urlencoded({ extended: false }));
   router.use(express__default["default"].json());
   const allProviderFactories = {
-    ...factories,
+    ...defaultAuthProviderFactories,
     ...providerFactories
   };
   const providersConfig = config.getConfig("auth.providers");
@@ -2738,10 +2708,6 @@ async function createRouter(options) {
           },
           config: providersConfig.getConfig(providerId),
           logger,
-          tokenManager,
-          tokenIssuer,
-          discovery,
-          catalogApi,
           resolverContext: CatalogAuthResolverContext.create({
             logger,
             catalogApi,
@@ -2800,40 +2766,19 @@ function createOriginFilter(config) {
   };
 }
+exports.AtlassianAuthProvider = AtlassianAuthProvider;
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
-exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
-exports.createAtlassianProvider = createAtlassianProvider;
-exports.createAuth0Provider = createAuth0Provider;
-exports.createAwsAlbProvider = createAwsAlbProvider;
-exports.createBitbucketProvider = createBitbucketProvider;
-exports.createGcpIapProvider = createGcpIapProvider;
-exports.createGithubProvider = createGithubProvider;
-exports.createGitlabProvider = createGitlabProvider;
-exports.createGoogleProvider = createGoogleProvider;
-exports.createMicrosoftProvider = createMicrosoftProvider;
-exports.createOAuth2Provider = createOAuth2Provider;
-exports.createOauth2ProxyProvider = createOauth2ProxyProvider;
-exports.createOidcProvider = createOidcProvider;
-exports.createOktaProvider = createOktaProvider;
-exports.createOneLoginProvider = createOneLoginProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
-exports.createSamlProvider = createSamlProvider;
-exports.defaultAuthProviderFactories = factories;
+exports.defaultAuthProviderFactories = defaultAuthProviderFactories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;
 exports.getDefaultOwnershipEntityRefs = getDefaultOwnershipEntityRefs;
-exports.getEntityClaims = getEntityClaims;
-exports.googleEmailSignInResolver = googleEmailSignInResolver;
-exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
-exports.oktaEmailSignInResolver = oktaEmailSignInResolver;
 exports.postMessageResponse = postMessageResponse;
 exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
 exports.providers = providers;
 exports.readState = readState;
-exports.samlNameIdEntityNameSignInResolver = samlNameIdEntityNameSignInResolver;
 exports.verifyNonce = verifyNonce;
 //# sourceMappingURL=index.cjs.js.map