@backstage/plugin-auth-backend 0.22.6-next.2 → 0.22.6

package/CHANGELOG.md

@@ -1,5 +1,75 @@
 # @backstage/plugin-auth-backend
 
+## 0.22.6
+
+### Patch Changes
+
+- 3e823d3: Limited user tokens will no longer include the `ent` field in its payload. Ownership claims will now be fetched from the user info service.
+
+  NOTE: Limited tokens issued prior to this change will no longer be valid. Users may have to clear their browser cookies in order to refresh their auth tokens.
+
+- 8869b8e: Updated local development setup.
+- 78a0b08: Internal refactor to handle `BackendFeature` contract change.
+- d44a20a: Added additional plugin metadata to `package.json`.
+- 3e1bb15: Updated to use the new `@backstage/plugin-auth-backend-module-onelogin-provider` implementation
+- Updated dependencies
+  - @backstage/backend-common@0.23.0
+  - @backstage/plugin-auth-backend-module-onelogin-provider@0.1.0
+  - @backstage/backend-plugin-api@0.6.19
+  - @backstage/plugin-auth-node@0.4.14
+  - @backstage/plugin-auth-backend-module-cloudflare-access-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-azure-easyauth-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.12
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-bitbucket-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.14
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.11
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.14
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.12
+  - @backstage/plugin-catalog-node@1.12.1
+  - @backstage/catalog-client@1.6.5
+  - @backstage/catalog-model@1.5.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+
+## 0.22.6-next.3
+
+### Patch Changes
+
+- d44a20a: Added additional plugin metadata to `package.json`.
+- 3e1bb15: Updated to use the new `@backstage/plugin-auth-backend-module-onelogin-provider` implementation
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-onelogin-provider@0.1.0-next.0
+  - @backstage/backend-plugin-api@0.6.19-next.3
+  - @backstage/plugin-auth-node@0.4.14-next.3
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.2.0-next.2
+  - @backstage/plugin-auth-backend-module-bitbucket-provider@0.1.2-next.2
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.16-next.2
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.16-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.16-next.2
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.14-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.2.0-next.2
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.2.0-next.3
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.12-next.2
+  - @backstage/plugin-auth-backend-module-cloudflare-access-provider@0.1.2-next.3
+  - @backstage/plugin-auth-backend-module-azure-easyauth-provider@0.1.2-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.12-next.2
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.11-next.3
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.14-next.2
+  - @backstage/plugin-catalog-node@1.12.1-next.2
+  - @backstage/backend-common@0.23.0-next.3
+  - @backstage/catalog-client@1.6.5
+  - @backstage/catalog-model@1.5.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+
 ## 0.22.6-next.2
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -26,7 +26,7 @@ var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-back
 var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth-backend-module-oauth2-proxy-provider');
 var pluginAuthBackendModuleOidcProvider = require('@backstage/plugin-auth-backend-module-oidc-provider');
 var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
-var passportOneloginOauth = require('passport-onelogin-oauth');
+var pluginAuthBackendModuleOneloginProvider = require('@backstage/plugin-auth-backend-module-onelogin-provider');
 var passportSaml = require('@node-saml/passport-saml');
 var passportOauth2 = require('passport-oauth2');
 var fetch = require('node-fetch');
@@ -35,10 +35,10 @@ var catalogClient = require('@backstage/catalog-client');
 var minimatch = require('minimatch');
 var catalogModel = require('@backstage/catalog-model');
 var backendCommon = require('@backstage/backend-common');
+var lodash = require('lodash');
 var luxon = require('luxon');
 var uuid = require('uuid');
 var firestore = require('@google-cloud/firestore');
-var lodash = require('lodash');
 var fs = require('fs');
 var session = require('express-session');
 var connectSessionKnex = require('connect-session-knex');
@@ -952,120 +952,12 @@ const okta = createAuthProviderIntegration({
   }
 });
 
-class OneLoginProvider {
-  _strategy;
-  signInResolver;
-  authHandler;
-  resolverContext;
-  constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-    this._strategy = new passportOneloginOauth.Strategy(
-      {
-        issuer: options.issuer,
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        passReqToCallback: false
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(
-          void 0,
-          {
-            accessToken,
-            refreshToken,
-            params,
-            fullProfile
-          },
-          {
-            refreshToken
-          }
-        );
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: "openid",
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
-      this._strategy,
-      req.refreshToken,
-      "openid"
-    );
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this._strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
-  }
-}
 const onelogin = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const issuer = envConfig.getString("issuer");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
-      });
-      const provider = new OneLoginProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        issuer,
-        authHandler,
-        signInResolver: options?.signIn?.resolver,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOneloginProvider.oneLoginAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
     });
   }
 });
@@ -1687,7 +1579,7 @@ function createOriginFilter(config) {
 }
 
 function bindOidcRouter(targetRouter, options) {
-  const { baseUrl, auth, tokenIssuer } = options;
+  const { baseUrl, auth, tokenIssuer, userInfoDatabaseHandler } = options;
   const router = Router__default.default();
   targetRouter.use(router);
   const config = {
@@ -1738,16 +1630,16 @@ function bindOidcRouter(targetRouter, options) {
         "Userinfo endpoint must be called with a token that represents a user principal"
       );
     }
-    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = jose.decodeJwt(token);
+    const { sub: userEntityRef } = jose.decodeJwt(token);
     if (typeof userEntityRef !== "string") {
       throw new Error("Invalid user token, user entity ref must be a string");
     }
-    if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
-      throw new Error(
-        "Invalid user token, ownership entity refs must be an array of strings"
-      );
+    const userInfo = await userInfoDatabaseHandler.getUserInfo(userEntityRef);
+    if (!userInfo) {
+      res.status(404).send("User info not found");
+      return;
     }
-    res.json({ sub: userEntityRef, ent: ownershipEntityRefs });
+    res.json(userInfo);
   });
 }
 
@@ -1759,6 +1651,7 @@ class TokenFactory {
   keyStore;
   keyDurationSeconds;
   algorithm;
+  userInfoDatabaseHandler;
   keyExpiry;
   privateKeyPromise;
   constructor(options) {
@@ -1767,6 +1660,7 @@ class TokenFactory {
     this.keyStore = options.keyStore;
     this.keyDurationSeconds = options.keyDurationSeconds;
     this.algorithm = options.algorithm ?? "ES256";
+    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getKey();
@@ -1793,7 +1687,7 @@ class TokenFactory {
         alg: key.alg,
         kid: key.kid
       },
-      payload: { sub, ent, iat, exp },
+      payload: { sub, iat, exp },
       key: signingKey
     });
     const claims = {
@@ -1818,6 +1712,9 @@ class TokenFactory {
         )}'`
       );
     }
+    await this.userInfoDatabaseHandler.addUserInfo({
+      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
+    });
     return token;
   }
   // This will be called by other services that want to verify ID tokens.
@@ -1888,7 +1785,6 @@ class TokenFactory {
     };
     const payload = {
       sub: options.payload.sub,
-      ent: options.payload.ent,
       iat: options.payload.iat,
       exp: options.payload.exp
     };
@@ -1899,7 +1795,7 @@ class TokenFactory {
   }
 }
 
-const TABLE = "signing_keys";
+const TABLE$1 = "signing_keys";
 const parseDate = (date) => {
   const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
   if (!parsedDate.isValid) {
@@ -1914,13 +1810,13 @@ class DatabaseKeyStore {
     this.client = client;
   }
   async addKey(key) {
-    await this.client(TABLE).insert({
+    await this.client(TABLE$1).insert({
       kid: key.kid,
       key: JSON.stringify(key)
     });
   }
   async listKeys() {
-    const rows = await this.client(TABLE).select();
+    const rows = await this.client(TABLE$1).select();
     return {
       items: rows.map((row) => ({
         key: JSON.parse(row.key),
@@ -1929,7 +1825,7 @@ class DatabaseKeyStore {
     };
   }
   async removeKeys(kids) {
-    await this.client(TABLE).delete().whereIn("kid", kids);
+    await this.client(TABLE$1).delete().whereIn("kid", kids);
   }
 }
 
@@ -2166,6 +2062,30 @@ class KeyStores {
   }
 }
 
+const TABLE = "user_info";
+class UserInfoDatabaseHandler {
+  constructor(client) {
+    this.client = client;
+  }
+  async addUserInfo(userInfo) {
+    await this.client(TABLE).insert({
+      user_entity_ref: userInfo.claims.sub,
+      user_info: JSON.stringify(userInfo),
+      exp: luxon.DateTime.fromSeconds(userInfo.claims.exp, {
+        zone: "utc"
+      }).toSQL({ includeOffset: false })
+    }).onConflict("user_entity_ref").merge();
+  }
+  async getUserInfo(userEntityRef) {
+    const info = await this.client(TABLE).where({ user_entity_ref: userEntityRef }).first();
+    if (!info) {
+      return void 0;
+    }
+    const userInfo = JSON.parse(info.user_info);
+    return userInfo;
+  }
+}
+
 const migrationsDir = backendPluginApi.resolvePackagePath(
   "@backstage/plugin-auth-backend",
   "migrations"
@@ -2293,6 +2213,9 @@ async function createRouter(options) {
     logger,
     database: authDb
   });
+  const userInfoDatabaseHandler = new UserInfoDatabaseHandler(
+    await authDb.get()
+  );
   let tokenIssuer;
   if (keyStore instanceof StaticKeyStore) {
     tokenIssuer = new StaticTokenIssuer(
@@ -2309,7 +2232,8 @@ async function createRouter(options) {
       keyStore,
       keyDurationSeconds: backstageTokenExpiration,
       logger: logger.child({ component: "token-factory" }),
-      algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm")
+      algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm"),
+      userInfoDatabaseHandler
     });
   }
   const secret = config.getOptionalString("auth.session.secret");
@@ -2352,7 +2276,8 @@ async function createRouter(options) {
   bindOidcRouter(router, {
     auth,
     tokenIssuer,
-    baseUrl: authUrl
+    baseUrl: authUrl,
+    userInfoDatabaseHandler
   });
   router.use("/:provider/", (req) => {
     const { provider } = req.params;