@backstage/plugin-auth-backend 0.19.3 → 0.20.0-next.0
- package/CHANGELOG.md +25 -0
- package/README.md +4 -0
- package/config.d.ts +28 -1
- package/dist/index.cjs.js +490 -170
- package/dist/index.cjs.js.map +1 -1
- package/dist/index.d.ts +3 -3
- package/package.json +13 -14
package/dist/index.cjs.js
CHANGED
|
@@ -22,7 +22,7 @@ var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-back
|
|
|
22
22
|
var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
|
|
23
23
|
var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
|
|
24
24
|
var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
|
|
25
|
-
var
|
|
25
|
+
var passportMicrosoft = require('passport-microsoft');
|
|
26
26
|
var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
|
|
27
27
|
var openidClient = require('openid-client');
|
|
28
28
|
var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
|
|
@@ -34,6 +34,7 @@ var luxon = require('luxon');
|
|
|
34
34
|
var uuid = require('uuid');
|
|
35
35
|
var firestore = require('@google-cloud/firestore');
|
|
36
36
|
var lodash = require('lodash');
|
|
37
|
+
var fs = require('fs');
|
|
37
38
|
var session = require('express-session');
|
|
38
39
|
var connectSessionKnex = require('connect-session-knex');
|
|
39
40
|
var passport = require('passport');
|
|
@@ -75,10 +76,10 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
|
|
|
75
76
|
var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
|
|
76
77
|
var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
|
|
77
78
|
|
|
78
|
-
var __defProp$
|
|
79
|
-
var __defNormalProp$
|
|
80
|
-
var __publicField$
|
|
81
|
-
__defNormalProp$
|
|
79
|
+
var __defProp$j = Object.defineProperty;
|
|
80
|
+
var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
81
|
+
var __publicField$j = (obj, key, value) => {
|
|
82
|
+
__defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
82
83
|
return value;
|
|
83
84
|
};
|
|
84
85
|
const defaultScopes = ["offline_access", "read:me"];
|
|
@@ -95,7 +96,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
|
|
|
95
96
|
scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
|
|
96
97
|
};
|
|
97
98
|
super(optionsWithURLs, verify);
|
|
98
|
-
__publicField$
|
|
99
|
+
__publicField$j(this, "profileURL");
|
|
99
100
|
this.profileURL = "https://api.atlassian.com/me";
|
|
100
101
|
this.name = "atlassian";
|
|
101
102
|
this._oauth2.useAuthorizationHeaderforGET(true);
|
|
@@ -210,10 +211,10 @@ const ensuresXRequestedWith = (req) => {
|
|
|
210
211
|
|
|
211
212
|
const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
|
|
212
213
|
|
|
213
|
-
var __defProp$
|
|
214
|
-
var __defNormalProp$
|
|
215
|
-
var __publicField$
|
|
216
|
-
__defNormalProp$
|
|
214
|
+
var __defProp$i = Object.defineProperty;
|
|
215
|
+
var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
216
|
+
var __publicField$i = (obj, key, value) => {
|
|
217
|
+
__defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
217
218
|
return value;
|
|
218
219
|
};
|
|
219
220
|
const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
|
|
@@ -222,8 +223,8 @@ class OAuthAdapter {
|
|
|
222
223
|
constructor(handlers, options) {
|
|
223
224
|
this.handlers = handlers;
|
|
224
225
|
this.options = options;
|
|
225
|
-
__publicField$
|
|
226
|
-
__publicField$
|
|
226
|
+
__publicField$i(this, "baseCookieOptions");
|
|
227
|
+
__publicField$i(this, "setNonceCookie", (res, nonce, cookieConfig) => {
|
|
227
228
|
res.cookie(`${this.options.providerId}-nonce`, nonce, {
|
|
228
229
|
maxAge: TEN_MINUTES_MS,
|
|
229
230
|
...this.baseCookieOptions,
|
|
@@ -231,34 +232,34 @@ class OAuthAdapter {
|
|
|
231
232
|
path: `${cookieConfig.path}/handler`
|
|
232
233
|
});
|
|
233
234
|
});
|
|
234
|
-
__publicField$
|
|
235
|
+
__publicField$i(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
|
|
235
236
|
res.cookie(`${this.options.providerId}-granted-scope`, scope, {
|
|
236
237
|
maxAge: THOUSAND_DAYS_MS,
|
|
237
238
|
...this.baseCookieOptions,
|
|
238
239
|
...cookieConfig
|
|
239
240
|
});
|
|
240
241
|
});
|
|
241
|
-
__publicField$
|
|
242
|
+
__publicField$i(this, "getRefreshTokenFromCookie", (req) => {
|
|
242
243
|
return req.cookies[`${this.options.providerId}-refresh-token`];
|
|
243
244
|
});
|
|
244
|
-
__publicField$
|
|
245
|
+
__publicField$i(this, "getGrantedScopeFromCookie", (req) => {
|
|
245
246
|
return req.cookies[`${this.options.providerId}-granted-scope`];
|
|
246
247
|
});
|
|
247
|
-
__publicField$
|
|
248
|
+
__publicField$i(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
|
|
248
249
|
res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
|
|
249
250
|
maxAge: THOUSAND_DAYS_MS,
|
|
250
251
|
...this.baseCookieOptions,
|
|
251
252
|
...cookieConfig
|
|
252
253
|
});
|
|
253
254
|
});
|
|
254
|
-
__publicField$
|
|
255
|
+
__publicField$i(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
|
|
255
256
|
res.cookie(`${this.options.providerId}-refresh-token`, "", {
|
|
256
257
|
maxAge: 0,
|
|
257
258
|
...this.baseCookieOptions,
|
|
258
259
|
...cookieConfig
|
|
259
260
|
});
|
|
260
261
|
});
|
|
261
|
-
__publicField$
|
|
262
|
+
__publicField$i(this, "getCookieConfig", (origin) => {
|
|
262
263
|
return this.options.cookieConfigurer({
|
|
263
264
|
providerId: this.options.providerId,
|
|
264
265
|
baseUrl: this.options.baseUrl,
|
|
@@ -564,10 +565,10 @@ function createAuthProviderIntegration(config) {
|
|
|
564
565
|
});
|
|
565
566
|
}
|
|
566
567
|
|
|
567
|
-
var __defProp$
|
|
568
|
-
var __defNormalProp$
|
|
569
|
-
var __publicField$
|
|
570
|
-
__defNormalProp$
|
|
568
|
+
var __defProp$h = Object.defineProperty;
|
|
569
|
+
var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
570
|
+
var __publicField$h = (obj, key, value) => {
|
|
571
|
+
__defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
571
572
|
return value;
|
|
572
573
|
};
|
|
573
574
|
const atlassianDefaultAuthHandler = async ({
|
|
@@ -578,10 +579,10 @@ const atlassianDefaultAuthHandler = async ({
|
|
|
578
579
|
});
|
|
579
580
|
class AtlassianAuthProvider {
|
|
580
581
|
constructor(options) {
|
|
581
|
-
__publicField$
|
|
582
|
-
__publicField$
|
|
583
|
-
__publicField$
|
|
584
|
-
__publicField$
|
|
582
|
+
__publicField$h(this, "_strategy");
|
|
583
|
+
__publicField$h(this, "signInResolver");
|
|
584
|
+
__publicField$h(this, "authHandler");
|
|
585
|
+
__publicField$h(this, "resolverContext");
|
|
585
586
|
this.resolverContext = options.resolverContext;
|
|
586
587
|
this.authHandler = options.authHandler;
|
|
587
588
|
this.signInResolver = options.signInResolver;
|
|
@@ -699,21 +700,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
|
|
|
699
700
|
}
|
|
700
701
|
}
|
|
701
702
|
|
|
702
|
-
var __defProp$
|
|
703
|
-
var __defNormalProp$
|
|
704
|
-
var __publicField$
|
|
705
|
-
__defNormalProp$
|
|
703
|
+
var __defProp$g = Object.defineProperty;
|
|
704
|
+
var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
705
|
+
var __publicField$g = (obj, key, value) => {
|
|
706
|
+
__defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
706
707
|
return value;
|
|
707
708
|
};
|
|
708
709
|
class Auth0AuthProvider {
|
|
709
710
|
constructor(options) {
|
|
710
|
-
__publicField$
|
|
711
|
-
__publicField$
|
|
712
|
-
__publicField$
|
|
713
|
-
__publicField$
|
|
714
|
-
__publicField$
|
|
715
|
-
__publicField$
|
|
716
|
-
__publicField$
|
|
711
|
+
__publicField$g(this, "_strategy");
|
|
712
|
+
__publicField$g(this, "signInResolver");
|
|
713
|
+
__publicField$g(this, "authHandler");
|
|
714
|
+
__publicField$g(this, "resolverContext");
|
|
715
|
+
__publicField$g(this, "audience");
|
|
716
|
+
__publicField$g(this, "connection");
|
|
717
|
+
__publicField$g(this, "connectionScope");
|
|
717
718
|
/**
|
|
718
719
|
* Due to passport-auth0 forcing options.state = true,
|
|
719
720
|
* passport-oauth2 requires express-session to be installed
|
|
@@ -722,7 +723,7 @@ class Auth0AuthProvider {
|
|
|
722
723
|
* passport-oauth2, which is the StateStore implementation used when options.state = false,
|
|
723
724
|
* allowing us to avoid using express-session in order to integrate with auth0.
|
|
724
725
|
*/
|
|
725
|
-
__publicField$
|
|
726
|
+
__publicField$g(this, "store", {
|
|
726
727
|
store(_req, cb) {
|
|
727
728
|
cb(null, null);
|
|
728
729
|
},
|
|
@@ -863,23 +864,23 @@ const auth0 = createAuthProviderIntegration({
|
|
|
863
864
|
}
|
|
864
865
|
});
|
|
865
866
|
|
|
866
|
-
var __defProp$
|
|
867
|
-
var __defNormalProp$
|
|
868
|
-
var __publicField$
|
|
869
|
-
__defNormalProp$
|
|
867
|
+
var __defProp$f = Object.defineProperty;
|
|
868
|
+
var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
869
|
+
var __publicField$f = (obj, key, value) => {
|
|
870
|
+
__defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
870
871
|
return value;
|
|
871
872
|
};
|
|
872
873
|
const ALB_JWT_HEADER = "x-amzn-oidc-data";
|
|
873
874
|
const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
|
|
874
875
|
class AwsAlbAuthProvider {
|
|
875
876
|
constructor(options) {
|
|
876
|
-
__publicField$
|
|
877
|
-
__publicField$
|
|
878
|
-
__publicField$
|
|
879
|
-
__publicField$
|
|
880
|
-
__publicField$
|
|
881
|
-
__publicField$
|
|
882
|
-
__publicField$
|
|
877
|
+
__publicField$f(this, "region");
|
|
878
|
+
__publicField$f(this, "issuer");
|
|
879
|
+
__publicField$f(this, "resolverContext");
|
|
880
|
+
__publicField$f(this, "keyCache");
|
|
881
|
+
__publicField$f(this, "authHandler");
|
|
882
|
+
__publicField$f(this, "signInResolver");
|
|
883
|
+
__publicField$f(this, "getKey", async (header) => {
|
|
883
884
|
if (!header.kid) {
|
|
884
885
|
throw new errors.AuthenticationError("No key id was specified in header");
|
|
885
886
|
}
|
|
@@ -1007,18 +1008,18 @@ const awsAlb = createAuthProviderIntegration({
|
|
|
1007
1008
|
}
|
|
1008
1009
|
});
|
|
1009
1010
|
|
|
1010
|
-
var __defProp$
|
|
1011
|
-
var __defNormalProp$
|
|
1012
|
-
var __publicField$
|
|
1013
|
-
__defNormalProp$
|
|
1011
|
+
var __defProp$e = Object.defineProperty;
|
|
1012
|
+
var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1013
|
+
var __publicField$e = (obj, key, value) => {
|
|
1014
|
+
__defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1014
1015
|
return value;
|
|
1015
1016
|
};
|
|
1016
1017
|
class BitbucketAuthProvider {
|
|
1017
1018
|
constructor(options) {
|
|
1018
|
-
__publicField$
|
|
1019
|
-
__publicField$
|
|
1020
|
-
__publicField$
|
|
1021
|
-
__publicField$
|
|
1019
|
+
__publicField$e(this, "_strategy");
|
|
1020
|
+
__publicField$e(this, "signInResolver");
|
|
1021
|
+
__publicField$e(this, "authHandler");
|
|
1022
|
+
__publicField$e(this, "resolverContext");
|
|
1022
1023
|
this.signInResolver = options.signInResolver;
|
|
1023
1024
|
this.authHandler = options.authHandler;
|
|
1024
1025
|
this.resolverContext = options.resolverContext;
|
|
@@ -1186,10 +1187,10 @@ const commonByEmailResolver = async (info, ctx) => {
|
|
|
1186
1187
|
});
|
|
1187
1188
|
};
|
|
1188
1189
|
|
|
1189
|
-
var __defProp$
|
|
1190
|
-
var __defNormalProp$
|
|
1191
|
-
var __publicField$
|
|
1192
|
-
__defNormalProp$
|
|
1190
|
+
var __defProp$d = Object.defineProperty;
|
|
1191
|
+
var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1192
|
+
var __publicField$d = (obj, key, value) => {
|
|
1193
|
+
__defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1193
1194
|
return value;
|
|
1194
1195
|
};
|
|
1195
1196
|
const CF_JWT_HEADER = "cf-access-jwt-assertion";
|
|
@@ -1197,12 +1198,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
|
|
|
1197
1198
|
const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
|
|
1198
1199
|
class CloudflareAccessAuthProvider {
|
|
1199
1200
|
constructor(options) {
|
|
1200
|
-
__publicField$
|
|
1201
|
-
__publicField$
|
|
1202
|
-
__publicField$
|
|
1203
|
-
__publicField$
|
|
1204
|
-
__publicField$
|
|
1205
|
-
__publicField$
|
|
1201
|
+
__publicField$d(this, "teamName");
|
|
1202
|
+
__publicField$d(this, "resolverContext");
|
|
1203
|
+
__publicField$d(this, "authHandler");
|
|
1204
|
+
__publicField$d(this, "signInResolver");
|
|
1205
|
+
__publicField$d(this, "jwtKeySet");
|
|
1206
|
+
__publicField$d(this, "cache");
|
|
1206
1207
|
this.teamName = options.teamName;
|
|
1207
1208
|
this.authHandler = options.authHandler;
|
|
1208
1209
|
this.signInResolver = options.signInResolver;
|
|
@@ -1496,20 +1497,184 @@ const google = createAuthProviderIntegration({
|
|
|
1496
1497
|
})
|
|
1497
1498
|
});
|
|
1498
1499
|
|
|
1500
|
+
const BACKSTAGE_SESSION_EXPIRATION = 3600;
|
|
1501
|
+
|
|
1502
|
+
var __defProp$c = Object.defineProperty;
|
|
1503
|
+
var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1504
|
+
var __publicField$c = (obj, key, value) => {
|
|
1505
|
+
__defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1506
|
+
return value;
|
|
1507
|
+
};
|
|
1508
|
+
class MicrosoftAuthProvider {
|
|
1509
|
+
constructor(options) {
|
|
1510
|
+
__publicField$c(this, "_strategy");
|
|
1511
|
+
__publicField$c(this, "signInResolver");
|
|
1512
|
+
__publicField$c(this, "authHandler");
|
|
1513
|
+
__publicField$c(this, "logger");
|
|
1514
|
+
__publicField$c(this, "resolverContext");
|
|
1515
|
+
__publicField$c(this, "skipUserProfile", (accessToken) => {
|
|
1516
|
+
const { aud, scp } = jose.decodeJwt(accessToken);
|
|
1517
|
+
const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
|
|
1518
|
+
return !hasGraphReadScope;
|
|
1519
|
+
});
|
|
1520
|
+
this.signInResolver = options.signInResolver;
|
|
1521
|
+
this.authHandler = options.authHandler;
|
|
1522
|
+
this.logger = options.logger;
|
|
1523
|
+
this.resolverContext = options.resolverContext;
|
|
1524
|
+
this._strategy = new passportMicrosoft.Strategy(
|
|
1525
|
+
{
|
|
1526
|
+
clientID: options.clientId,
|
|
1527
|
+
clientSecret: options.clientSecret,
|
|
1528
|
+
callbackURL: options.callbackUrl,
|
|
1529
|
+
authorizationURL: options.authorizationUrl,
|
|
1530
|
+
tokenURL: options.tokenUrl,
|
|
1531
|
+
passReqToCallback: false,
|
|
1532
|
+
skipUserProfile: (accessToken, done) => {
|
|
1533
|
+
done(null, this.skipUserProfile(accessToken));
|
|
1534
|
+
}
|
|
1535
|
+
},
|
|
1536
|
+
(accessToken, refreshToken, params, fullProfile, done) => {
|
|
1537
|
+
done(void 0, { fullProfile, accessToken, params }, { refreshToken });
|
|
1538
|
+
}
|
|
1539
|
+
);
|
|
1540
|
+
}
|
|
1541
|
+
async start(req) {
|
|
1542
|
+
return await executeRedirectStrategy(req, this._strategy, {
|
|
1543
|
+
scope: req.scope,
|
|
1544
|
+
state: encodeState(req.state)
|
|
1545
|
+
});
|
|
1546
|
+
}
|
|
1547
|
+
async handler(req) {
|
|
1548
|
+
const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
|
|
1549
|
+
return {
|
|
1550
|
+
response: await this.handleResult(result),
|
|
1551
|
+
refreshToken: privateInfo.refreshToken
|
|
1552
|
+
};
|
|
1553
|
+
}
|
|
1554
|
+
async refresh(req) {
|
|
1555
|
+
const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
|
|
1556
|
+
this._strategy,
|
|
1557
|
+
req.refreshToken,
|
|
1558
|
+
req.scope
|
|
1559
|
+
);
|
|
1560
|
+
return {
|
|
1561
|
+
response: await this.handleResult({
|
|
1562
|
+
params,
|
|
1563
|
+
accessToken,
|
|
1564
|
+
...!this.skipUserProfile(accessToken) && {
|
|
1565
|
+
fullProfile: await executeFetchUserProfileStrategy(
|
|
1566
|
+
this._strategy,
|
|
1567
|
+
accessToken
|
|
1568
|
+
)
|
|
1569
|
+
}
|
|
1570
|
+
}),
|
|
1571
|
+
refreshToken
|
|
1572
|
+
};
|
|
1573
|
+
}
|
|
1574
|
+
async handleResult(result) {
|
|
1575
|
+
let profile = {};
|
|
1576
|
+
if (result.fullProfile) {
|
|
1577
|
+
const photo = await this.getUserPhoto(result.accessToken);
|
|
1578
|
+
result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
|
|
1579
|
+
({ profile } = await this.authHandler(
|
|
1580
|
+
result,
|
|
1581
|
+
this.resolverContext
|
|
1582
|
+
));
|
|
1583
|
+
}
|
|
1584
|
+
const expiresInSeconds = result.params.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.params.expires_in, BACKSTAGE_SESSION_EXPIRATION);
|
|
1585
|
+
return {
|
|
1586
|
+
providerInfo: {
|
|
1587
|
+
accessToken: result.accessToken,
|
|
1588
|
+
scope: result.params.scope,
|
|
1589
|
+
expiresInSeconds,
|
|
1590
|
+
...{ idToken: result.params.id_token }
|
|
1591
|
+
},
|
|
1592
|
+
profile,
|
|
1593
|
+
...result.fullProfile && this.signInResolver && {
|
|
1594
|
+
backstageIdentity: await this.signInResolver(
|
|
1595
|
+
{ result, profile },
|
|
1596
|
+
this.resolverContext
|
|
1597
|
+
)
|
|
1598
|
+
}
|
|
1599
|
+
};
|
|
1600
|
+
}
|
|
1601
|
+
async getUserPhoto(accessToken) {
|
|
1602
|
+
try {
|
|
1603
|
+
const res = await fetch__default["default"](
|
|
1604
|
+
"https://graph.microsoft.com/v1.0/me/photos/48x48/$value",
|
|
1605
|
+
{
|
|
1606
|
+
headers: {
|
|
1607
|
+
Authorization: `Bearer ${accessToken}`
|
|
1608
|
+
}
|
|
1609
|
+
}
|
|
1610
|
+
);
|
|
1611
|
+
const data = await res.buffer();
|
|
1612
|
+
return `data:image/jpeg;base64,${data.toString("base64")}`;
|
|
1613
|
+
} catch (error) {
|
|
1614
|
+
this.logger.warn(
|
|
1615
|
+
`Could not retrieve user profile photo from Microsoft Graph API: ${error}`
|
|
1616
|
+
);
|
|
1617
|
+
return void 0;
|
|
1618
|
+
}
|
|
1619
|
+
}
|
|
1620
|
+
}
|
|
1499
1621
|
const microsoft = createAuthProviderIntegration({
|
|
1500
1622
|
create(options) {
|
|
1501
|
-
|
|
1502
|
-
|
|
1503
|
-
|
|
1504
|
-
|
|
1505
|
-
|
|
1623
|
+
return ({ providerId, globalConfig, config, logger, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
|
|
1624
|
+
var _a;
|
|
1625
|
+
const clientId = envConfig.getString("clientId");
|
|
1626
|
+
const clientSecret = envConfig.getString("clientSecret");
|
|
1627
|
+
const tenantId = envConfig.getString("tenantId");
|
|
1628
|
+
const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
|
|
1629
|
+
const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
|
|
1630
|
+
const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
|
|
1631
|
+
const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
|
|
1632
|
+
const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
|
|
1633
|
+
profile: makeProfileInfo(fullProfile != null ? fullProfile : {}, params.id_token)
|
|
1634
|
+
});
|
|
1635
|
+
const provider = new MicrosoftAuthProvider({
|
|
1636
|
+
clientId,
|
|
1637
|
+
clientSecret,
|
|
1638
|
+
callbackUrl,
|
|
1639
|
+
authorizationUrl,
|
|
1640
|
+
tokenUrl,
|
|
1641
|
+
authHandler,
|
|
1642
|
+
signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
|
|
1643
|
+
logger,
|
|
1644
|
+
resolverContext
|
|
1645
|
+
});
|
|
1646
|
+
return OAuthAdapter.fromConfig(globalConfig, provider, {
|
|
1647
|
+
providerId,
|
|
1648
|
+
callbackUrl
|
|
1649
|
+
});
|
|
1506
1650
|
});
|
|
1507
1651
|
},
|
|
1508
|
-
resolvers:
|
|
1509
|
-
|
|
1510
|
-
|
|
1511
|
-
|
|
1512
|
-
|
|
1652
|
+
resolvers: {
|
|
1653
|
+
/**
|
|
1654
|
+
* Looks up the user by matching their email local part to the entity name.
|
|
1655
|
+
*/
|
|
1656
|
+
emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
|
|
1657
|
+
/**
|
|
1658
|
+
* Looks up the user by matching their email to the entity email.
|
|
1659
|
+
*/
|
|
1660
|
+
emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
|
|
1661
|
+
/**
|
|
1662
|
+
* Looks up the user by matching their email to the `microsoft.com/email` annotation.
|
|
1663
|
+
*/
|
|
1664
|
+
emailMatchingUserEntityAnnotation() {
|
|
1665
|
+
return async (info, ctx) => {
|
|
1666
|
+
const { profile } = info;
|
|
1667
|
+
if (!profile.email) {
|
|
1668
|
+
throw new Error("Microsoft profile contained no email");
|
|
1669
|
+
}
|
|
1670
|
+
return ctx.signInWithCatalogUser({
|
|
1671
|
+
annotations: {
|
|
1672
|
+
"microsoft.com/email": profile.email
|
|
1673
|
+
}
|
|
1674
|
+
});
|
|
1675
|
+
};
|
|
1676
|
+
}
|
|
1677
|
+
}
|
|
1513
1678
|
});
|
|
1514
1679
|
|
|
1515
1680
|
const oauth2 = createAuthProviderIntegration({
|
|
@@ -1523,18 +1688,18 @@ const oauth2 = createAuthProviderIntegration({
|
|
|
1523
1688
|
}
|
|
1524
1689
|
});
|
|
1525
1690
|
|
|
1526
|
-
var __defProp$
|
|
1527
|
-
var __defNormalProp$
|
|
1528
|
-
var __publicField$
|
|
1529
|
-
__defNormalProp$
|
|
1691
|
+
var __defProp$b = Object.defineProperty;
|
|
1692
|
+
var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1693
|
+
var __publicField$b = (obj, key, value) => {
|
|
1694
|
+
__defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1530
1695
|
return value;
|
|
1531
1696
|
};
|
|
1532
1697
|
const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
|
|
1533
1698
|
class Oauth2ProxyAuthProvider {
|
|
1534
1699
|
constructor(options) {
|
|
1535
|
-
__publicField$
|
|
1536
|
-
__publicField$
|
|
1537
|
-
__publicField$
|
|
1700
|
+
__publicField$b(this, "resolverContext");
|
|
1701
|
+
__publicField$b(this, "signInResolver");
|
|
1702
|
+
__publicField$b(this, "authHandler");
|
|
1538
1703
|
this.resolverContext = options.resolverContext;
|
|
1539
1704
|
this.signInResolver = options.signInResolver;
|
|
1540
1705
|
this.authHandler = options.authHandler;
|
|
@@ -1609,22 +1774,20 @@ const oauth2Proxy = createAuthProviderIntegration({
|
|
|
1609
1774
|
}
|
|
1610
1775
|
});
|
|
1611
1776
|
|
|
1612
|
-
|
|
1613
|
-
|
|
1614
|
-
var
|
|
1615
|
-
|
|
1616
|
-
var __publicField$8 = (obj, key, value) => {
|
|
1617
|
-
__defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1777
|
+
var __defProp$a = Object.defineProperty;
|
|
1778
|
+
var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1779
|
+
var __publicField$a = (obj, key, value) => {
|
|
1780
|
+
__defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1618
1781
|
return value;
|
|
1619
1782
|
};
|
|
1620
1783
|
class OidcAuthProvider {
|
|
1621
1784
|
constructor(options) {
|
|
1622
|
-
__publicField$
|
|
1623
|
-
__publicField$
|
|
1624
|
-
__publicField$
|
|
1625
|
-
__publicField$
|
|
1626
|
-
__publicField$
|
|
1627
|
-
__publicField$
|
|
1785
|
+
__publicField$a(this, "implementation");
|
|
1786
|
+
__publicField$a(this, "scope");
|
|
1787
|
+
__publicField$a(this, "prompt");
|
|
1788
|
+
__publicField$a(this, "signInResolver");
|
|
1789
|
+
__publicField$a(this, "authHandler");
|
|
1790
|
+
__publicField$a(this, "resolverContext");
|
|
1628
1791
|
this.implementation = this.setupStrategy(options);
|
|
1629
1792
|
this.scope = options.scope;
|
|
1630
1793
|
this.prompt = options.prompt;
|
|
@@ -1785,18 +1948,18 @@ const oidc = createAuthProviderIntegration({
|
|
|
1785
1948
|
}
|
|
1786
1949
|
});
|
|
1787
1950
|
|
|
1788
|
-
var __defProp$
|
|
1789
|
-
var __defNormalProp$
|
|
1790
|
-
var __publicField$
|
|
1791
|
-
__defNormalProp$
|
|
1951
|
+
var __defProp$9 = Object.defineProperty;
|
|
1952
|
+
var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1953
|
+
var __publicField$9 = (obj, key, value) => {
|
|
1954
|
+
__defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1792
1955
|
return value;
|
|
1793
1956
|
};
|
|
1794
1957
|
class OktaAuthProvider {
|
|
1795
1958
|
constructor(options) {
|
|
1796
|
-
__publicField$
|
|
1797
|
-
__publicField$
|
|
1798
|
-
__publicField$
|
|
1799
|
-
__publicField$
|
|
1959
|
+
__publicField$9(this, "strategy");
|
|
1960
|
+
__publicField$9(this, "signInResolver");
|
|
1961
|
+
__publicField$9(this, "authHandler");
|
|
1962
|
+
__publicField$9(this, "resolverContext");
|
|
1800
1963
|
/**
|
|
1801
1964
|
* Due to passport-okta-oauth forcing options.state = true,
|
|
1802
1965
|
* passport-oauth2 requires express-session to be installed
|
|
@@ -1805,7 +1968,7 @@ class OktaAuthProvider {
|
|
|
1805
1968
|
* passport-oauth2, which is the StateStore implementation used when options.state = false,
|
|
1806
1969
|
* allowing us to avoid using express-session in order to integrate with Okta.
|
|
1807
1970
|
*/
|
|
1808
|
-
__publicField$
|
|
1971
|
+
__publicField$9(this, "store", {
|
|
1809
1972
|
store(_req, cb) {
|
|
1810
1973
|
cb(null, null);
|
|
1811
1974
|
},
|
|
@@ -1963,18 +2126,18 @@ const okta = createAuthProviderIntegration({
|
|
|
1963
2126
|
}
|
|
1964
2127
|
});
|
|
1965
2128
|
|
|
1966
|
-
var __defProp$
|
|
1967
|
-
var __defNormalProp$
|
|
1968
|
-
var __publicField$
|
|
1969
|
-
__defNormalProp$
|
|
2129
|
+
var __defProp$8 = Object.defineProperty;
|
|
2130
|
+
var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2131
|
+
var __publicField$8 = (obj, key, value) => {
|
|
2132
|
+
__defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1970
2133
|
return value;
|
|
1971
2134
|
};
|
|
1972
2135
|
class OneLoginProvider {
|
|
1973
2136
|
constructor(options) {
|
|
1974
|
-
__publicField$
|
|
1975
|
-
__publicField$
|
|
1976
|
-
__publicField$
|
|
1977
|
-
__publicField$
|
|
2137
|
+
__publicField$8(this, "_strategy");
|
|
2138
|
+
__publicField$8(this, "signInResolver");
|
|
2139
|
+
__publicField$8(this, "authHandler");
|
|
2140
|
+
__publicField$8(this, "resolverContext");
|
|
1978
2141
|
this.signInResolver = options.signInResolver;
|
|
1979
2142
|
this.authHandler = options.authHandler;
|
|
1980
2143
|
this.resolverContext = options.resolverContext;
|
|
@@ -2088,19 +2251,19 @@ const onelogin = createAuthProviderIntegration({
|
|
|
2088
2251
|
}
|
|
2089
2252
|
});
|
|
2090
2253
|
|
|
2091
|
-
var __defProp$
|
|
2092
|
-
var __defNormalProp$
|
|
2093
|
-
var __publicField$
|
|
2094
|
-
__defNormalProp$
|
|
2254
|
+
var __defProp$7 = Object.defineProperty;
|
|
2255
|
+
var __defNormalProp$7 = (obj, key, value) => key in obj ? __defProp$7(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2256
|
+
var __publicField$7 = (obj, key, value) => {
|
|
2257
|
+
__defNormalProp$7(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2095
2258
|
return value;
|
|
2096
2259
|
};
|
|
2097
2260
|
class SamlAuthProvider {
|
|
2098
2261
|
constructor(options) {
|
|
2099
|
-
__publicField$
|
|
2100
|
-
__publicField$
|
|
2101
|
-
__publicField$
|
|
2102
|
-
__publicField$
|
|
2103
|
-
__publicField$
|
|
2262
|
+
__publicField$7(this, "strategy");
|
|
2263
|
+
__publicField$7(this, "signInResolver");
|
|
2264
|
+
__publicField$7(this, "authHandler");
|
|
2265
|
+
__publicField$7(this, "resolverContext");
|
|
2266
|
+
__publicField$7(this, "appUrl");
|
|
2104
2267
|
this.appUrl = options.appUrl;
|
|
2105
2268
|
this.signInResolver = options.signInResolver;
|
|
2106
2269
|
this.authHandler = options.authHandler;
|
|
@@ -2199,19 +2362,19 @@ const saml = createAuthProviderIntegration({
|
|
|
2199
2362
|
}
|
|
2200
2363
|
});
|
|
2201
2364
|
|
|
2202
|
-
var __defProp$
|
|
2203
|
-
var __defNormalProp$
|
|
2204
|
-
var __publicField$
|
|
2205
|
-
__defNormalProp$
|
|
2365
|
+
var __defProp$6 = Object.defineProperty;
|
|
2366
|
+
var __defNormalProp$6 = (obj, key, value) => key in obj ? __defProp$6(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2367
|
+
var __publicField$6 = (obj, key, value) => {
|
|
2368
|
+
__defNormalProp$6(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2206
2369
|
return value;
|
|
2207
2370
|
};
|
|
2208
2371
|
class BitbucketServerAuthProvider {
|
|
2209
2372
|
constructor(options) {
|
|
2210
|
-
__publicField$
|
|
2211
|
-
__publicField$
|
|
2212
|
-
__publicField$
|
|
2213
|
-
__publicField$
|
|
2214
|
-
__publicField$
|
|
2373
|
+
__publicField$6(this, "signInResolver");
|
|
2374
|
+
__publicField$6(this, "authHandler");
|
|
2375
|
+
__publicField$6(this, "resolverContext");
|
|
2376
|
+
__publicField$6(this, "strategy");
|
|
2377
|
+
__publicField$6(this, "host");
|
|
2215
2378
|
this.signInResolver = options.signInResolver;
|
|
2216
2379
|
this.authHandler = options.authHandler;
|
|
2217
2380
|
this.resolverContext = options.resolverContext;
|
|
@@ -2376,19 +2539,19 @@ const bitbucketServer = createAuthProviderIntegration({
|
|
|
2376
2539
|
}
|
|
2377
2540
|
});
|
|
2378
2541
|
|
|
2379
|
-
var __defProp$
|
|
2380
|
-
var __defNormalProp$
|
|
2381
|
-
var __publicField$
|
|
2382
|
-
__defNormalProp$
|
|
2542
|
+
var __defProp$5 = Object.defineProperty;
|
|
2543
|
+
var __defNormalProp$5 = (obj, key, value) => key in obj ? __defProp$5(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2544
|
+
var __publicField$5 = (obj, key, value) => {
|
|
2545
|
+
__defNormalProp$5(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2383
2546
|
return value;
|
|
2384
2547
|
};
|
|
2385
2548
|
const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
|
|
2386
2549
|
const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
|
|
2387
2550
|
class EasyAuthAuthProvider {
|
|
2388
2551
|
constructor(options) {
|
|
2389
|
-
__publicField$
|
|
2390
|
-
__publicField$
|
|
2391
|
-
__publicField$
|
|
2552
|
+
__publicField$5(this, "resolverContext");
|
|
2553
|
+
__publicField$5(this, "authHandler");
|
|
2554
|
+
__publicField$5(this, "signInResolver");
|
|
2392
2555
|
this.authHandler = options.authHandler;
|
|
2393
2556
|
this.signInResolver = options.signInResolver;
|
|
2394
2557
|
this.resolverContext = options.resolverContext;
|
|
@@ -2553,22 +2716,22 @@ function createOidcRouter(options) {
|
|
|
2553
2716
|
return router;
|
|
2554
2717
|
}
|
|
2555
2718
|
|
|
2556
|
-
var __defProp$
|
|
2557
|
-
var __defNormalProp$
|
|
2558
|
-
var __publicField$
|
|
2559
|
-
__defNormalProp$
|
|
2719
|
+
var __defProp$4 = Object.defineProperty;
|
|
2720
|
+
var __defNormalProp$4 = (obj, key, value) => key in obj ? __defProp$4(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2721
|
+
var __publicField$4 = (obj, key, value) => {
|
|
2722
|
+
__defNormalProp$4(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2560
2723
|
return value;
|
|
2561
2724
|
};
|
|
2562
|
-
const MS_IN_S = 1e3;
|
|
2725
|
+
const MS_IN_S$1 = 1e3;
|
|
2563
2726
|
class TokenFactory {
|
|
2564
2727
|
constructor(options) {
|
|
2565
|
-
__publicField$
|
|
2566
|
-
__publicField$
|
|
2567
|
-
__publicField$
|
|
2568
|
-
__publicField$
|
|
2569
|
-
__publicField$
|
|
2570
|
-
__publicField$
|
|
2571
|
-
__publicField$
|
|
2728
|
+
__publicField$4(this, "issuer");
|
|
2729
|
+
__publicField$4(this, "logger");
|
|
2730
|
+
__publicField$4(this, "keyStore");
|
|
2731
|
+
__publicField$4(this, "keyDurationSeconds");
|
|
2732
|
+
__publicField$4(this, "algorithm");
|
|
2733
|
+
__publicField$4(this, "keyExpiry");
|
|
2734
|
+
__publicField$4(this, "privateKeyPromise");
|
|
2572
2735
|
var _a;
|
|
2573
2736
|
this.issuer = options.issuer;
|
|
2574
2737
|
this.logger = options.logger;
|
|
@@ -2581,7 +2744,7 @@ class TokenFactory {
|
|
|
2581
2744
|
const iss = this.issuer;
|
|
2582
2745
|
const { sub, ent, ...additionalClaims } = params.claims;
|
|
2583
2746
|
const aud = "backstage";
|
|
2584
|
-
const iat = Math.floor(Date.now() / MS_IN_S);
|
|
2747
|
+
const iat = Math.floor(Date.now() / MS_IN_S$1);
|
|
2585
2748
|
const exp = iat + this.keyDurationSeconds;
|
|
2586
2749
|
try {
|
|
2587
2750
|
catalogModel.parseEntityRef(sub);
|
|
@@ -2689,15 +2852,15 @@ class DatabaseKeyStore {
|
|
|
2689
2852
|
}
|
|
2690
2853
|
}
|
|
2691
2854
|
|
|
2692
|
-
var __defProp$
|
|
2693
|
-
var __defNormalProp$
|
|
2694
|
-
var __publicField$
|
|
2695
|
-
__defNormalProp$
|
|
2855
|
+
var __defProp$3 = Object.defineProperty;
|
|
2856
|
+
var __defNormalProp$3 = (obj, key, value) => key in obj ? __defProp$3(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2857
|
+
var __publicField$3 = (obj, key, value) => {
|
|
2858
|
+
__defNormalProp$3(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2696
2859
|
return value;
|
|
2697
2860
|
};
|
|
2698
2861
|
class MemoryKeyStore {
|
|
2699
2862
|
constructor() {
|
|
2700
|
-
__publicField$
|
|
2863
|
+
__publicField$3(this, "keys", /* @__PURE__ */ new Map());
|
|
2701
2864
|
}
|
|
2702
2865
|
async addKey(key) {
|
|
2703
2866
|
this.keys.set(key.kid, {
|
|
@@ -2802,6 +2965,97 @@ class FirestoreKeyStore {
|
|
|
2802
2965
|
}
|
|
2803
2966
|
}
|
|
2804
2967
|
|
|
2968
|
+
var __defProp$2 = Object.defineProperty;
|
|
2969
|
+
var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2970
|
+
var __publicField$2 = (obj, key, value) => {
|
|
2971
|
+
__defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2972
|
+
return value;
|
|
2973
|
+
};
|
|
2974
|
+
const DEFAULT_ALGORITHM = "ES256";
|
|
2975
|
+
class StaticKeyStore {
|
|
2976
|
+
constructor(keyPairs) {
|
|
2977
|
+
__publicField$2(this, "keyPairs");
|
|
2978
|
+
__publicField$2(this, "createdAt");
|
|
2979
|
+
if (keyPairs.length === 0) {
|
|
2980
|
+
throw new Error("Should provide at least one key pair");
|
|
2981
|
+
}
|
|
2982
|
+
this.keyPairs = keyPairs;
|
|
2983
|
+
this.createdAt = /* @__PURE__ */ new Date();
|
|
2984
|
+
}
|
|
2985
|
+
static async fromConfig(config) {
|
|
2986
|
+
const keyConfigs = config.getConfigArray("auth.keyStore.static.keys").map((c) => {
|
|
2987
|
+
var _a;
|
|
2988
|
+
const staticKeyConfig = {
|
|
2989
|
+
publicKeyFile: c.getString("publicKeyFile"),
|
|
2990
|
+
privateKeyFile: c.getString("privateKeyFile"),
|
|
2991
|
+
keyId: c.getString("keyId"),
|
|
2992
|
+
algorithm: (_a = c.getOptionalString("algorithm")) != null ? _a : DEFAULT_ALGORITHM
|
|
2993
|
+
};
|
|
2994
|
+
return staticKeyConfig;
|
|
2995
|
+
});
|
|
2996
|
+
const keyPairs = await Promise.all(
|
|
2997
|
+
keyConfigs.map(async (k) => await this.loadKeyPair(k))
|
|
2998
|
+
);
|
|
2999
|
+
return new StaticKeyStore(keyPairs);
|
|
3000
|
+
}
|
|
3001
|
+
addKey(_key) {
|
|
3002
|
+
throw new Error("Cannot add keys to the static key store");
|
|
3003
|
+
}
|
|
3004
|
+
listKeys() {
|
|
3005
|
+
const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
|
|
3006
|
+
return Promise.resolve({ items: keys });
|
|
3007
|
+
}
|
|
3008
|
+
getPrivateKey(keyId) {
|
|
3009
|
+
const keyPair = this.keyPairs.find((k) => k.publicKey.kid === keyId);
|
|
3010
|
+
if (keyPair === void 0) {
|
|
3011
|
+
throw new Error(`Could not find key with keyId: ${keyId}`);
|
|
3012
|
+
}
|
|
3013
|
+
return keyPair.privateKey;
|
|
3014
|
+
}
|
|
3015
|
+
removeKeys(_kids) {
|
|
3016
|
+
throw new Error("Cannot remove keys from the static key store");
|
|
3017
|
+
}
|
|
3018
|
+
keyPairToStoredKey(keyPair) {
|
|
3019
|
+
const publicKey = {
|
|
3020
|
+
...keyPair.publicKey,
|
|
3021
|
+
use: "sig"
|
|
3022
|
+
};
|
|
3023
|
+
return {
|
|
3024
|
+
key: publicKey,
|
|
3025
|
+
createdAt: this.createdAt
|
|
3026
|
+
};
|
|
3027
|
+
}
|
|
3028
|
+
static async loadKeyPair(options) {
|
|
3029
|
+
const algorithm = options.algorithm;
|
|
3030
|
+
const keyId = options.keyId;
|
|
3031
|
+
const publicKey = await this.loadPublicKeyFromFile(
|
|
3032
|
+
options.publicKeyFile,
|
|
3033
|
+
keyId,
|
|
3034
|
+
algorithm
|
|
3035
|
+
);
|
|
3036
|
+
const privateKey = await this.loadPrivateKeyFromFile(
|
|
3037
|
+
options.privateKeyFile,
|
|
3038
|
+
keyId,
|
|
3039
|
+
algorithm
|
|
3040
|
+
);
|
|
3041
|
+
return { publicKey, privateKey };
|
|
3042
|
+
}
|
|
3043
|
+
static async loadPublicKeyFromFile(path, keyId, algorithm) {
|
|
3044
|
+
return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
|
|
3045
|
+
}
|
|
3046
|
+
static async loadPrivateKeyFromFile(path, keyId, algorithm) {
|
|
3047
|
+
return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
|
|
3048
|
+
}
|
|
3049
|
+
static async loadKeyFromFile(path, keyId, algorithm, importer) {
|
|
3050
|
+
const content = await fs.promises.readFile(path, { encoding: "utf8", flag: "r" });
|
|
3051
|
+
const key = await importer(content, algorithm);
|
|
3052
|
+
const jwk = await jose.exportJWK(key);
|
|
3053
|
+
jwk.kid = keyId;
|
|
3054
|
+
jwk.alg = algorithm;
|
|
3055
|
+
return jwk;
|
|
3056
|
+
}
|
|
3057
|
+
}
|
|
3058
|
+
|
|
2805
3059
|
class KeyStores {
|
|
2806
3060
|
/**
|
|
2807
3061
|
* Looks at the `auth.keyStore` section in the application configuration
|
|
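Review bot: `loadKeyPair` never checks that `publicKeyFile` and `privateKeyFile` actually belong together; the two files are imported independently (`importSPKI` and `importPKCS8`), both get the same `kid` and `alg` stamped on, and the pair is accepted as-is. A mismatched pair is only discovered when every token signed with the private half fails verification against the JWK that `listKeys()` publishes, which is an outage rather than a startup error. The private JWK that `exportJWK` returns carries the public coordinates alongside `d` (and `p`/`q`/`dp`/`dq`/`qi` for RSA), so the public half can be derived and compared against the SPKI-derived JWK before the pair is accepted. `StaticKeyStore` is complete within the hunk; `KeyStores` starts at its end and continues outside it.
```javascript
  static async loadKeyPair(options) {
    // … unchanged: load publicKey (importSPKI) and privateKey (importPKCS8) …
    // Refuse a pair whose halves do not belong together: tokens signed with
    // privateKey could never be verified against the published publicKey.
    const { d, p, q, dp, dq, qi, ...publicPartOfPrivate } = privateKey;
    for (const [field, value] of Object.entries(publicPartOfPrivate)) {
      if (publicKey[field] !== value) {
        throw new Error(
          `Key pair ${options.keyId}: ${options.publicKeyFile} does not match ${options.privateKeyFile}`
        );
      }
    }
    return { publicKey, privateKey };
  }
```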
@@ -2840,20 +3094,23 @@ class KeyStores {
|
|
|
2840
3094
|
await FirestoreKeyStore.verifyConnection(keyStore, logger);
|
|
2841
3095
|
return keyStore;
|
|
2842
3096
|
}
|
|
3097
|
+
if (provider === "static") {
|
|
3098
|
+
await StaticKeyStore.fromConfig(config);
|
|
3099
|
+
}
|
|
2843
3100
|
throw new Error(`Unknown KeyStore provider: ${provider}`);
|
|
2844
3101
|
}
|
|
2845
3102
|
}
|
|
2846
3103
|
|
|
2847
|
-
var __defProp = Object.defineProperty;
|
|
2848
|
-
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2849
|
-
var __publicField = (obj, key, value) => {
|
|
2850
|
-
__defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
3104
|
+
var __defProp$1 = Object.defineProperty;
|
|
3105
|
+
var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
3106
|
+
var __publicField$1 = (obj, key, value) => {
|
|
3107
|
+
__defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2851
3108
|
return value;
|
|
2852
3109
|
};
|
|
2853
3110
|
class CatalogIdentityClient {
|
|
2854
3111
|
constructor(options) {
|
|
2855
|
-
__publicField(this, "catalogApi");
|
|
2856
|
-
__publicField(this, "tokenManager");
|
|
3112
|
+
__publicField$1(this, "catalogApi");
|
|
3113
|
+
__publicField$1(this, "tokenManager");
|
|
2857
3114
|
this.catalogApi = options.catalogApi;
|
|
2858
3115
|
this.tokenManager = options.tokenManager;
|
|
2859
3116
|
}
|
|
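Review bot: The new `static` branch in `KeyStores.fromConfig` awaits `StaticKeyStore.fromConfig(config)` but drops the result and falls through to the unconditional `throw new Error(`Unknown KeyStore provider: ${provider}`)` on the next line, so configuring `auth.keyStore.provider: static` loads the key files and then fails startup, and the `keyStore instanceof StaticKeyStore` dispatch in `createRouter` can never be reached. The branch above it for firestore returns its store; this one should do the same: `return await StaticKeyStore.fromConfig(config);`. `fromConfig`'s body starts outside the hunk.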
@@ -3077,6 +3334,57 @@ _database = new WeakMap();
|
|
|
3077
3334
|
_promise = new WeakMap();
|
|
3078
3335
|
let AuthDatabase = _AuthDatabase;
|
|
3079
3336
|
|
|
3337
|
+
var __defProp = Object.defineProperty;
|
|
3338
|
+
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
3339
|
+
var __publicField = (obj, key, value) => {
|
|
3340
|
+
__defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
3341
|
+
return value;
|
|
3342
|
+
};
|
|
3343
|
+
const MS_IN_S = 1e3;
|
|
3344
|
+
class StaticTokenIssuer {
|
|
3345
|
+
constructor(options, keyStore) {
|
|
3346
|
+
__publicField(this, "issuer");
|
|
3347
|
+
__publicField(this, "logger");
|
|
3348
|
+
__publicField(this, "keyStore");
|
|
3349
|
+
__publicField(this, "sessionExpirationSeconds");
|
|
3350
|
+
this.issuer = options.issuer;
|
|
3351
|
+
this.logger = options.logger;
|
|
3352
|
+
this.sessionExpirationSeconds = options.sessionExpirationSeconds;
|
|
3353
|
+
this.keyStore = keyStore;
|
|
3354
|
+
}
|
|
3355
|
+
async issueToken(params) {
|
|
3356
|
+
const key = await this.getSigningKey();
|
|
3357
|
+
const iss = this.issuer;
|
|
3358
|
+
const { sub, ent, ...additionalClaims } = params.claims;
|
|
3359
|
+
const aud = "backstage";
|
|
3360
|
+
const iat = Math.floor(Date.now() / MS_IN_S);
|
|
3361
|
+
const exp = iat + this.sessionExpirationSeconds;
|
|
3362
|
+
try {
|
|
3363
|
+
catalogModel.parseEntityRef(sub);
|
|
3364
|
+
} catch (error) {
|
|
3365
|
+
throw new Error(
|
|
3366
|
+
'"sub" claim provided by the auth resolver is not a valid EntityRef.'
|
|
3367
|
+
);
|
|
3368
|
+
}
|
|
3369
|
+
this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
|
|
3370
|
+
if (!key.alg) {
|
|
3371
|
+
throw new errors.AuthenticationError("No algorithm was provided in the key");
|
|
3372
|
+
}
|
|
3373
|
+
return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
|
|
3374
|
+
}
|
|
3375
|
+
async getSigningKey() {
|
|
3376
|
+
const { items: keys } = await this.keyStore.listKeys();
|
|
3377
|
+
if (keys.length >= 1) {
|
|
3378
|
+
return this.keyStore.getPrivateKey(keys[0].key.kid);
|
|
3379
|
+
}
|
|
3380
|
+
throw new Error("Keystore should hold at least 1 key");
|
|
3381
|
+
}
|
|
3382
|
+
async listPublicKeys() {
|
|
3383
|
+
const { items: keys } = await this.keyStore.listKeys();
|
|
3384
|
+
return { keys: keys.map(({ key }) => key) };
|
|
3385
|
+
}
|
|
3386
|
+
}
|
|
3387
|
+
|
|
3080
3388
|
async function createRouter(options) {
|
|
3081
3389
|
const {
|
|
3082
3390
|
logger,
|
|
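Review bot: `StaticTokenIssuer.getSigningKey` always signs with `keys[0]` of whatever `listKeys()` returns, while `listPublicKeys` publishes every key, and nothing in the class documents that ordering is what selects the signing key; with several `auth.keyStore.static.keys` entries the extra keys are published but never used to sign, and the store reports the same `createdAt` for all of them, so an operator cannot tell which one is live. I would add a comment above `getSigningKey`: `// Static keys never rotate: the first key the store lists is always the signing key; any further keys are only exposed through listPublicKeys() so tokens bearing their kid still verify.` The `Keystore should hold at least 1 key` error is presumably unreachable when the store is a `StaticKeyStore`, whose constructor already rejects an empty list, but the issuer accepts any key store so the guard is still worth keeping. `createRouter` begins at the end of this hunk and continues outside it.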
@@ -3092,18 +3400,30 @@ async function createRouter(options) {
|
|
|
3092
3400
|
const appUrl = config.getString("app.baseUrl");
|
|
3093
3401
|
const authUrl = await discovery.getExternalBaseUrl("auth");
|
|
3094
3402
|
const authDb = AuthDatabase.create(database);
|
|
3403
|
+
const sessionExpirationSeconds = BACKSTAGE_SESSION_EXPIRATION;
|
|
3095
3404
|
const keyStore = await KeyStores.fromConfig(config, {
|
|
3096
3405
|
logger,
|
|
3097
3406
|
database: authDb
|
|
3098
3407
|
});
|
|
3099
|
-
|
|
3100
|
-
|
|
3101
|
-
|
|
3102
|
-
|
|
3103
|
-
|
|
3104
|
-
|
|
3105
|
-
|
|
3106
|
-
|
|
3408
|
+
let tokenIssuer;
|
|
3409
|
+
if (keyStore instanceof StaticKeyStore) {
|
|
3410
|
+
tokenIssuer = new StaticTokenIssuer(
|
|
3411
|
+
{
|
|
3412
|
+
logger: logger.child({ component: "token-factory" }),
|
|
3413
|
+
issuer: authUrl,
|
|
3414
|
+
sessionExpirationSeconds
|
|
3415
|
+
},
|
|
3416
|
+
keyStore
|
|
3417
|
+
);
|
|
3418
|
+
} else {
|
|
3419
|
+
tokenIssuer = new TokenFactory({
|
|
3420
|
+
issuer: authUrl,
|
|
3421
|
+
keyStore,
|
|
3422
|
+
keyDurationSeconds: sessionExpirationSeconds,
|
|
3423
|
+
logger: logger.child({ component: "token-factory" }),
|
|
3424
|
+
algorithm: tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")
|
|
3425
|
+
});
|
|
3426
|
+
}
|
|
3107
3427
|
const secret = config.getOptionalString("auth.session.secret");
|
|
3108
3428
|
if (secret) {
|
|
3109
3429
|
router.use(cookieParser__default["default"](secret));
|
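Review bot: In the `StaticKeyStore` branch of `createRouter`, `tokenFactoryAlgorithm` and `auth.identityTokenAlgorithm` are silently ignored — the signing algorithm comes from each key's `alg` set in `auth.keyStore.static.keys[].algorithm`, so an operator who sets the identity-token algorithm expecting it to apply gets a different header `alg` with no feedback. A one-line warning inside that branch would make the precedence visible: `if ((tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")) != null) logger.warn("auth.identityTokenAlgorithm is ignored with the static key store; each key's algorithm comes from auth.keyStore.static.keys[].algorithm");`. Note also that the `instanceof` dispatch only becomes reachable once `KeyStores.fromConfig` actually returns the static store. `createRouter`'s body starts in the preceding hunk and continues past the end of this one.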