@backstage/plugin-auth-backend 0.23.1-next.0 → 0.23.1-next.1

package/dist/identity/TokenFactory.cjs.js

@@ -0,0 +1,164 @@
+'use strict';
+
+var catalogModel = require('@backstage/catalog-model');
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var lodash = require('lodash');
+var luxon = require('luxon');
+var uuid = require('uuid');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+const MS_IN_S = 1e3;
+const MAX_TOKEN_LENGTH = 32768;
+class TokenFactory {
+  issuer;
+  logger;
+  keyStore;
+  keyDurationSeconds;
+  algorithm;
+  userInfoDatabaseHandler;
+  keyExpiry;
+  privateKeyPromise;
+  constructor(options) {
+    this.issuer = options.issuer;
+    this.logger = options.logger;
+    this.keyStore = options.keyStore;
+    this.keyDurationSeconds = options.keyDurationSeconds;
+    this.algorithm = options.algorithm ?? "ES256";
+    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
+  }
+  async issueToken(params) {
+    const key = await this.getKey();
+    const iss = this.issuer;
+    const { sub, ent = [sub], ...additionalClaims } = params.claims;
+    const aud = pluginAuthNode.tokenTypes.user.audClaim;
+    const iat = Math.floor(Date.now() / MS_IN_S);
+    const exp = iat + this.keyDurationSeconds;
+    try {
+      catalogModel.parseEntityRef(sub);
+    } catch (error) {
+      throw new Error(
+        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
+      );
+    }
+    if (!key.alg) {
+      throw new errors.AuthenticationError("No algorithm was provided in the key");
+    }
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+    const signingKey = await jose.importJWK(key);
+    const uip = await this.createUserIdentityClaim({
+      header: {
+        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+        alg: key.alg,
+        kid: key.kid
+      },
+      payload: { sub, iat, exp },
+      key: signingKey
+    });
+    const claims = {
+      ...additionalClaims,
+      iss,
+      sub,
+      ent,
+      aud,
+      iat,
+      exp,
+      uip
+    };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({
+      typ: pluginAuthNode.tokenTypes.user.typParam,
+      alg: key.alg,
+      kid: key.kid
+    }).sign(signingKey);
+    if (token.length > MAX_TOKEN_LENGTH) {
+      throw new Error(
+        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
+          claims
+        )}'`
+      );
+    }
+    await this.userInfoDatabaseHandler.addUserInfo({
+      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
+    });
+    return token;
+  }
+  // This will be called by other services that want to verify ID tokens.
+  // It is important that it returns a list of all public keys that could
+  // have been used to sign tokens that have not yet expired.
+  async listPublicKeys() {
+    const { items: keys } = await this.keyStore.listKeys();
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
+        seconds: 3 * this.keyDurationSeconds
+      });
+      if (expireAt < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
+    }
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
+      this.keyStore.removeKeys(kids).catch((error) => {
+        this.logger.error(`Failed to remove expired keys, ${error}`);
+      });
+    }
+    return { keys: validKeys.map(({ key }) => key) };
+  }
+  async getKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = luxon.DateTime.utc().plus({
+      seconds: this.keyDurationSeconds
+    }).toJSDate();
+    const promise = (async () => {
+      const key = await jose.generateKeyPair(this.algorithm);
+      const publicKey = await jose.exportJWK(key.publicKey);
+      const privateKey = await jose.exportJWK(key.privateKey);
+      publicKey.kid = privateKey.kid = uuid.v4();
+      publicKey.alg = privateKey.alg = this.algorithm;
+      this.logger.info(`Created new signing key ${publicKey.kid}`);
+      await this.keyStore.addKey(publicKey);
+      return privateKey;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
+  }
+  // Creates a string claim that can be used as part of reconstructing a limited
+  // user token. The output of this function is only the signature part of a
+  // JWS.
+  async createUserIdentityClaim(options) {
+    const header = {
+      typ: options.header.typ,
+      alg: options.header.alg,
+      ...options.header.kid ? { kid: options.header.kid } : {}
+    };
+    const payload = {
+      sub: options.payload.sub,
+      iat: options.payload.iat,
+      exp: options.payload.exp
+    };
+    const jws = await new jose.GeneralSign(
+      new TextEncoder().encode(JSON.stringify(payload))
+    ).addSignature(options.key).setProtectedHeader(header).done().sign();
+    return jws.signatures[0].signature;
+  }
+}
+
+exports.TokenFactory = TokenFactory;
+//# sourceMappingURL=TokenFactory.cjs.js.map

package/dist/identity/TokenFactory.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  exportJWK,\n  generateKeyPair,\n  importJWK,\n  JWK,\n  SignJWT,\n  GeneralSign,\n  KeyLike,\n} from 'jose';\nimport { omit } from 'lodash';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { TokenParams, tokenTypes } from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\n/**\n * The payload contents of a valid Backstage JWT token\n */\nexport interface BackstageTokenPayload {\n  /**\n   * The issuer of the token, currently the discovery URL of the auth backend\n   */\n  iss: string;\n\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * The entity refs that the user claims ownership througg\n   */\n  ent: string[];\n\n  /**\n   * A hard coded audience string\n   */\n  aud: typeof tokenTypes.user.audClaim;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n\n  /**\n   * A separate user identity proof that the auth service can convert to a limited user token\n   */\n  uip: string;\n\n  /**\n   * Any other custom claims that the adopter may have added\n   */\n  [claim: string]: JsonValue;\n}\n\n/**\n * The payload contents of a valid Backstage user identity claim token\n *\n * @internal\n */\ninterface BackstageUserIdentityProofPayload {\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n}\n\ntype Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Key store used for storing signing keys */\n  keyStore: KeyStore;\n  /** Expiration time of signing keys in seconds */\n  keyDurationSeconds: number;\n  /** JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n   * Must match one of the algorithms defined for IdentityClient.\n   * When setting a different algorithm, check if the `key` field\n   * of the `signing_keys` table can fit the length of the generated keys.\n   * If not, add a knex migration file in the migrations folder.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithm?: string;\n  userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/**\n * A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n *\n * The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n *\n * Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n */\nexport class TokenFactory implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: KeyStore;\n  private readonly keyDurationSeconds: number;\n  private readonly algorithm: string;\n  private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n  private keyExpiry?: Date;\n  private privateKeyPromise?: Promise<JWK>;\n\n  constructor(options: Options) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.keyStore = options.keyStore;\n    this.keyDurationSeconds = options.keyDurationSeconds;\n    this.algorithm = options.algorithm ?? 'ES256';\n    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n  }\n\n  async issueToken(params: TokenParams): Promise<string> {\n    const key = await this.getKey();\n\n    const iss = this.issuer;\n    const { sub, ent = [sub], ...additionalClaims } = params.claims;\n    const aud = tokenTypes.user.audClaim;\n    const iat = Math.floor(Date.now() / MS_IN_S);\n    const exp = iat + this.keyDurationSeconds;\n\n    try {\n      // The subject must be a valid entity ref\n      parseEntityRef(sub);\n    } catch (error) {\n      throw new Error(\n        '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n      );\n    }\n\n    if (!key.alg) {\n      throw new AuthenticationError('No algorithm was provided in the key');\n    }\n\n    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n    const signingKey = await importJWK(key);\n\n    const uip = await this.createUserIdentityClaim({\n      header: {\n        typ: tokenTypes.limitedUser.typParam,\n        alg: key.alg,\n        kid: key.kid,\n      },\n      payload: { sub, iat, exp },\n      key: signingKey,\n    });\n\n    const claims: BackstageTokenPayload = {\n      ...additionalClaims,\n      iss,\n      sub,\n      ent,\n      aud,\n      iat,\n      exp,\n      uip,\n    };\n\n    const token = await new SignJWT(claims)\n      .setProtectedHeader({\n        typ: tokenTypes.user.typParam,\n        alg: key.alg,\n        kid: key.kid,\n      })\n      .sign(signingKey);\n\n    if (token.length > MAX_TOKEN_LENGTH) {\n      throw new Error(\n        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n          claims,\n        )}'`,\n      );\n    }\n\n    // Store the user info in the database upon successful token\n    // issuance so that it can be retrieved later by limited user tokens\n    await this.userInfoDatabaseHandler.addUserInfo({\n      claims: omit(claims, ['aud', 'iat', 'iss', 'uip']),\n    });\n\n    return token;\n  }\n\n  // This will be called by other services that want to verify ID tokens.\n  // It is important that it returns a list of all public keys that could\n  // have been used to sign tokens that have not yet expired.\n  async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n\n    const validKeys = [];\n    const expiredKeys = [];\n\n    for (const key of keys) {\n      // Allow for a grace period of another full key duration before we remove the keys from the database\n      const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n        seconds: 3 * this.keyDurationSeconds,\n      });\n      if (expireAt < DateTime.local()) {\n        expiredKeys.push(key);\n      } else {\n        validKeys.push(key);\n      }\n    }\n\n    // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n    if (expiredKeys.length > 0) {\n      const kids = expiredKeys.map(({ key }) => key.kid);\n\n      this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n      // We don't await this, just let it run in the background\n      this.keyStore.removeKeys(kids).catch(error => {\n        this.logger.error(`Failed to remove expired keys, ${error}`);\n      });\n    }\n\n    // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n    return { keys: validKeys.map(({ key }) => key) };\n  }\n\n  private async getKey(): Promise<JWK> {\n    // Make sure that we only generate one key at a time\n    if (this.privateKeyPromise) {\n      if (\n        this.keyExpiry &&\n        DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n      ) {\n        return this.privateKeyPromise;\n      }\n      this.logger.info(`Signing key has expired, generating new key`);\n      delete this.privateKeyPromise;\n    }\n\n    this.keyExpiry = DateTime.utc()\n      .plus({\n        seconds: this.keyDurationSeconds,\n      })\n      .toJSDate();\n    const promise = (async () => {\n      // This generates a new signing key to be used to sign tokens until the next key rotation\n      const key = await generateKeyPair(this.algorithm);\n      const publicKey = await exportJWK(key.publicKey);\n      const privateKey = await exportJWK(key.privateKey);\n      publicKey.kid = privateKey.kid = uuid();\n      publicKey.alg = privateKey.alg = this.algorithm;\n\n      // We're not allowed to use the key until it has been successfully stored\n      // TODO: some token verification implementations aggressively cache the list of keys, and\n      //       don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n      //       may want to keep using the existing key for some period of time until we switch to\n      //       the new one. This also needs to be implemented cross-service though, meaning new services\n      //       that boot up need to be able to grab an existing key to use for signing.\n      this.logger.info(`Created new signing key ${publicKey.kid}`);\n      await this.keyStore.addKey(publicKey as AnyJWK);\n\n      // At this point we are allowed to start using the new key\n      return privateKey;\n    })();\n\n    this.privateKeyPromise = promise;\n\n    try {\n      // If we fail to generate a new key, we need to clear the state so that\n      // the next caller will try to generate another key.\n      await promise;\n    } catch (error) {\n      this.logger.error(`Failed to generate new signing key, ${error}`);\n      delete this.keyExpiry;\n      delete this.privateKeyPromise;\n    }\n\n    return promise;\n  }\n\n  // Creates a string claim that can be used as part of reconstructing a limited\n  // user token. The output of this function is only the signature part of a\n  // JWS.\n  private async createUserIdentityClaim(options: {\n    header: {\n      typ: string;\n      alg: string;\n      kid?: string;\n    };\n    payload: BackstageUserIdentityProofPayload;\n    key: KeyLike | Uint8Array;\n  }): Promise<string> {\n    // NOTE: We reconstruct the header and payload structures carefully to\n    // perfectly guarantee ordering. The reason for this is that we store only\n    // the signature part of these to reduce duplication within the Backstage\n    // token. Anyone who wants to make an actual JWT based on all this must be\n    // able to do the EXACT reconstruction of the header and payload parts, to\n    // then append the signature.\n\n    const header = {\n      typ: options.header.typ,\n      alg: options.header.alg,\n      ...(options.header.kid ? { kid: options.header.kid } : {}),\n    };\n\n    const payload = {\n      sub: options.payload.sub,\n      iat: options.payload.iat,\n      exp: options.payload.exp,\n    };\n\n    const jws = await new GeneralSign(\n      new TextEncoder().encode(JSON.stringify(payload)),\n    )\n      .addSignature(options.key)\n      .setProtectedHeader(header)\n      .done()\n      .sign();\n\n    return jws.signatures[0].signature;\n  }\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","SignJWT","omit","DateTime","generateKeyPair","exportJWK","uuid","GeneralSign"],"mappings":";;;;;;;;;;AAoCA,MAAM,OAAU,GAAA,GAAA,CAAA;AAChB,MAAM,gBAAmB,GAAA,KAAA,CAAA;AAqGlB,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA,CAAA;AAAA,EACA,MAAA,CAAA;AAAA,EACA,QAAA,CAAA;AAAA,EACA,kBAAA,CAAA;AAAA,EACA,SAAA,CAAA;AAAA,EACA,uBAAA,CAAA;AAAA,EAET,SAAA,CAAA;AAAA,EACA,iBAAA,CAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA,CAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA,CAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA,CAAA;AACtC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA,CAAA;AAAA,GACzC;AAAA,EAEA,MAAM,WAAW,MAAsC,EAAA;AACrD,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA,CAAA;AAE9B,IAAA,MAAM,MAAM,IAAK,CAAA,MAAA,CAAA;AACjB,IAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA,CAAA;AACzD,IAAM,MAAA,GAAA,GAAMA,0BAAW,IAAK,CAAA,QAAA,CAAA;AAC5B,IAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA,CAAA;AAC3C,IAAM,MAAA,GAAA,GAAM,MAAM,IAAK,CAAA,kBAAA,CAAA;AAEvB,IAAI,IAAA;AAEF,MAAAC,2BAAA,CAAe,GAAG,CAAA,CAAA;AAAA,aACX,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,qEAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,MAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA,CAAA;AAAA,KACtE;AAEA,IAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA,CAAA,CAAA;AAEjE,IAAM,MAAA,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA,CAAA;AAEtC,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,uBAAwB,CAAA;AAAA,MAC7C,MAAQ,EAAA;AAAA,QACN,GAAA,EAAKH,0BAAW,WAAY,CAAA,QAAA;AAAA,QAC5B,KAAK,GAAI,CAAA,GAAA;AAAA,QACT,KAAK,GAAI,CAAA,GAAA;AAAA,OACX;AAAA,MACA,OAAS,EAAA,EAAE,GAAK,EAAA,GAAA,EAAK,GAAI,EAAA;AAAA,MACzB,GAAK,EAAA,UAAA;AAAA,KACN,CAAA,CAAA;AAED,IAAA,MAAM,MAAgC,GAAA;AAAA,MACpC,GAAG,gBAAA;AAAA,MACH,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,QAAQ,MAAM,IAAII,YAAQ,CAAA,MAAM,EACnC,kBAAmB,CAAA;AAAA,MAClB,GAAA,EAAKJ,0BAAW,IAAK,CAAA,QAAA;AAAA,MACrB,KAAK,GAAI,CAAA,GAAA;AAAA,MACT,KAAK,GAAI,CAAA,GAAA;AAAA,KACV,CACA,CAAA,IAAA,CAAK,UAAU,CAAA,CAAA;AAElB,IAAI,IAAA,KAAA,CAAM,SAAS,gBAAkB,EAAA;AACnC,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,6PAA6P,IAAK,CAAA,SAAA;AAAA,UAChQ,MAAA;AAAA,SACD,CAAA,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAIA,IAAM,MAAA,IAAA,CAAK,wBAAwB,WAAY,CAAA;AAAA,MAC7C,MAAA,EAAQK,YAAK,MAAQ,EAAA,CAAC,OAAO,KAAO,EAAA,KAAA,EAAO,KAAK,CAAC,CAAA;AAAA,KAClD,CAAA,CAAA;AAED,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA,CAAA;AAErD,IAAA,MAAM,YAAY,EAAC,CAAA;AACnB,IAAA,MAAM,cAAc,EAAC,CAAA;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA,kBAAA;AAAA,OACnB,CAAA,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA,CAAA;AAAA,OACpB;AAAA,KACF;AAGA,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA,CAAA;AAAA,OAC5D,CAAA,CAAA;AAAA,KACH;AAGA,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA,CAAA;AAAA,GACjD;AAAA,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA,CAAA;AAAA,OACd;AACA,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA,CAAA;AAAA,KACd;AAEA,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA,kBAAA;AAAA,KACf,EACA,QAAS,EAAA,CAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA,CAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA,CAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA,CAAA;AAG9C,MAAO,OAAA,UAAA,CAAA;AAAA,KACN,GAAA,CAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA,CAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA,CAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA,CAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA,CAAA;AAAA,KACd;AAEA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,wBAAwB,OAQlB,EAAA;AAQlB,IAAA,MAAM,MAAS,GAAA;AAAA,MACb,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAI,OAAQ,CAAA,MAAA,CAAO,GAAM,GAAA,EAAE,KAAK,OAAQ,CAAA,MAAA,CAAO,GAAI,EAAA,GAAI,EAAC;AAAA,KAC1D,CAAA;AAEA,IAAA,MAAM,OAAU,GAAA;AAAA,MACd,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,KACvB,CAAA;AAEA,IAAM,MAAA,GAAA,GAAM,MAAM,IAAIC,gBAAA;AAAA,MACpB,IAAI,WAAY,EAAA,CAAE,OAAO,IAAK,CAAA,SAAA,CAAU,OAAO,CAAC,CAAA;AAAA,KAClD,CACG,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAK,EAAA,CACL,IAAK,EAAA,CAAA;AAER,IAAO,OAAA,GAAA,CAAI,UAAW,CAAA,CAAC,CAAE,CAAA,SAAA,CAAA;AAAA,GAC3B;AACF;;;;"}

package/dist/identity/UserInfoDatabaseHandler.cjs.js

@@ -0,0 +1,30 @@
+'use strict';
+
+var luxon = require('luxon');
+
+const TABLE = "user_info";
+class UserInfoDatabaseHandler {
+  constructor(client) {
+    this.client = client;
+  }
+  async addUserInfo(userInfo) {
+    await this.client(TABLE).insert({
+      user_entity_ref: userInfo.claims.sub,
+      user_info: JSON.stringify(userInfo),
+      exp: luxon.DateTime.fromSeconds(userInfo.claims.exp, {
+        zone: "utc"
+      }).toSQL({ includeOffset: false })
+    }).onConflict("user_entity_ref").merge();
+  }
+  async getUserInfo(userEntityRef) {
+    const info = await this.client(TABLE).where({ user_entity_ref: userEntityRef }).first();
+    if (!info) {
+      return void 0;
+    }
+    const userInfo = JSON.parse(info.user_info);
+    return userInfo;
+  }
+}
+
+exports.UserInfoDatabaseHandler = UserInfoDatabaseHandler;
+//# sourceMappingURL=UserInfoDatabaseHandler.cjs.js.map

package/dist/identity/UserInfoDatabaseHandler.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserInfoDatabaseHandler.cjs.js","sources":["../../src/identity/UserInfoDatabaseHandler.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DateTime } from 'luxon';\nimport { Knex } from 'knex';\n\nimport { BackstageTokenPayload } from './TokenFactory';\n\nconst TABLE = 'user_info';\n\ntype Row = {\n  user_entity_ref: string;\n  user_info: string;\n  exp: string;\n};\n\ntype UserInfo = {\n  claims: Omit<BackstageTokenPayload, 'aud' | 'iat' | 'iss' | 'uip'>;\n};\n\nexport class UserInfoDatabaseHandler {\n  constructor(private readonly client: Knex) {}\n\n  async addUserInfo(userInfo: UserInfo): Promise<void> {\n    await this.client<Row>(TABLE)\n      .insert({\n        user_entity_ref: userInfo.claims.sub as string,\n        user_info: JSON.stringify(userInfo),\n        exp: DateTime.fromSeconds(userInfo.claims.exp as number, {\n          zone: 'utc',\n        }).toSQL({ includeOffset: false }),\n      })\n      .onConflict('user_entity_ref')\n      .merge();\n  }\n\n  async getUserInfo(userEntityRef: string): Promise<UserInfo | undefined> {\n    const info = await this.client<Row>(TABLE)\n      .where({ user_entity_ref: userEntityRef })\n      .first();\n\n    if (!info) {\n      return undefined;\n    }\n\n    const userInfo = JSON.parse(info.user_info);\n    return userInfo;\n  }\n}\n"],"names":["DateTime"],"mappings":";;;;AAqBA,MAAM,KAAQ,GAAA,WAAA,CAAA;AAYP,MAAM,uBAAwB,CAAA;AAAA,EACnC,YAA6B,MAAc,EAAA;AAAd,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AAAA,GAAe;AAAA,EAE5C,MAAM,YAAY,QAAmC,EAAA;AACnD,IAAA,MAAM,IAAK,CAAA,MAAA,CAAY,KAAK,CAAA,CACzB,MAAO,CAAA;AAAA,MACN,eAAA,EAAiB,SAAS,MAAO,CAAA,GAAA;AAAA,MACjC,SAAA,EAAW,IAAK,CAAA,SAAA,CAAU,QAAQ,CAAA;AAAA,MAClC,GAAK,EAAAA,cAAA,CAAS,WAAY,CAAA,QAAA,CAAS,OAAO,GAAe,EAAA;AAAA,QACvD,IAAM,EAAA,KAAA;AAAA,OACP,CAAE,CAAA,KAAA,CAAM,EAAE,aAAA,EAAe,OAAO,CAAA;AAAA,KAClC,CAAA,CACA,UAAW,CAAA,iBAAiB,EAC5B,KAAM,EAAA,CAAA;AAAA,GACX;AAAA,EAEA,MAAM,YAAY,aAAsD,EAAA;AACtE,IAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,MAAA,CAAY,KAAK,CAAA,CACtC,KAAM,CAAA,EAAE,eAAiB,EAAA,aAAA,EAAe,CAAA,CACxC,KAAM,EAAA,CAAA;AAET,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AAEA,IAAA,MAAM,QAAW,GAAA,IAAA,CAAK,KAAM,CAAA,IAAA,CAAK,SAAS,CAAA,CAAA;AAC1C,IAAO,OAAA,QAAA,CAAA;AAAA,GACT;AACF;;;;"}

package/dist/identity/router.cjs.js

@@ -0,0 +1,77 @@
+'use strict';
+
+var Router = require('express-promise-router');
+var jose = require('jose');
+var errors = require('@backstage/errors');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
+
+function bindOidcRouter(targetRouter, options) {
+  const { baseUrl, auth, tokenIssuer, userInfoDatabaseHandler } = options;
+  const router = Router__default.default();
+  targetRouter.use(router);
+  const config = {
+    issuer: baseUrl,
+    token_endpoint: `${baseUrl}/v1/token`,
+    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
+    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+    response_types_supported: ["id_token"],
+    subject_types_supported: ["public"],
+    id_token_signing_alg_values_supported: [
+      "RS256",
+      "RS384",
+      "RS512",
+      "ES256",
+      "ES384",
+      "ES512",
+      "PS256",
+      "PS384",
+      "PS512",
+      "EdDSA"
+    ],
+    scopes_supported: ["openid"],
+    token_endpoint_auth_methods_supported: [],
+    claims_supported: ["sub", "ent"],
+    grant_types_supported: []
+  };
+  router.get("/.well-known/openid-configuration", (_req, res) => {
+    res.json(config);
+  });
+  router.get("/.well-known/jwks.json", async (_req, res) => {
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
+  });
+  router.get("/v1/token", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  router.get("/v1/userinfo", async (req, res) => {
+    const matches = req.headers.authorization?.match(/^Bearer[ ]+(\S+)$/i);
+    const token = matches?.[1];
+    if (!token) {
+      throw new errors.AuthenticationError("No token provided");
+    }
+    const credentials = await auth.authenticate(token, {
+      allowLimitedAccess: true
+    });
+    if (!auth.isPrincipal(credentials, "user")) {
+      throw new errors.InputError(
+        "Userinfo endpoint must be called with a token that represents a user principal"
+      );
+    }
+    const { sub: userEntityRef } = jose.decodeJwt(token);
+    if (typeof userEntityRef !== "string") {
+      throw new Error("Invalid user token, user entity ref must be a string");
+    }
+    const userInfo = await userInfoDatabaseHandler.getUserInfo(userEntityRef);
+    if (!userInfo) {
+      res.status(404).send("User info not found");
+      return;
+    }
+    res.json(userInfo);
+  });
+}
+
+exports.bindOidcRouter = bindOidcRouter;
+//# sourceMappingURL=router.cjs.js.map

package/dist/identity/router.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.cjs.js","sources":["../../src/identity/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport { TokenIssuer } from './types';\nimport { AuthService } from '@backstage/backend-plugin-api';\nimport { decodeJwt } from 'jose';\nimport { AuthenticationError, InputError } from '@backstage/errors';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\n\nexport function bindOidcRouter(\n  targetRouter: express.Router,\n  options: {\n    baseUrl: string;\n    auth: AuthService;\n    tokenIssuer: TokenIssuer;\n    userInfoDatabaseHandler: UserInfoDatabaseHandler;\n  },\n) {\n  const { baseUrl, auth, tokenIssuer, userInfoDatabaseHandler } = options;\n\n  const router = Router();\n  targetRouter.use(router);\n\n  const config = {\n    issuer: baseUrl,\n    token_endpoint: `${baseUrl}/v1/token`,\n    userinfo_endpoint: `${baseUrl}/v1/userinfo`,\n    jwks_uri: `${baseUrl}/.well-known/jwks.json`,\n    response_types_supported: ['id_token'],\n    subject_types_supported: ['public'],\n    id_token_signing_alg_values_supported: [\n      'RS256',\n      'RS384',\n      'RS512',\n      'ES256',\n      'ES384',\n      'ES512',\n      'PS256',\n      'PS384',\n      'PS512',\n      'EdDSA',\n    ],\n    scopes_supported: ['openid'],\n    token_endpoint_auth_methods_supported: [],\n    claims_supported: ['sub', 'ent'],\n    grant_types_supported: [],\n  };\n\n  router.get('/.well-known/openid-configuration', (_req, res) => {\n    res.json(config);\n  });\n\n  router.get('/.well-known/jwks.json', async (_req, res) => {\n    const { keys } = await tokenIssuer.listPublicKeys();\n    res.json({ keys });\n  });\n\n  router.get('/v1/token', (_req, res) => {\n    res.status(501).send('Not Implemented');\n  });\n\n  // This endpoint doesn't use the regular HttpAuthService, since the contract\n  // is specifically for the header to be communicated in the Authorization\n  // header, regardless of token type\n  router.get('/v1/userinfo', async (req, res) => {\n    const matches = req.headers.authorization?.match(/^Bearer[ ]+(\\S+)$/i);\n    const token = matches?.[1];\n    if (!token) {\n      throw new AuthenticationError('No token provided');\n    }\n\n    const credentials = await auth.authenticate(token, {\n      allowLimitedAccess: true,\n    });\n    if (!auth.isPrincipal(credentials, 'user')) {\n      throw new InputError(\n        'Userinfo endpoint must be called with a token that represents a user principal',\n      );\n    }\n\n    const { sub: userEntityRef } = decodeJwt(token);\n\n    if (typeof userEntityRef !== 'string') {\n      throw new Error('Invalid user token, user entity ref must be a string');\n    }\n\n    const userInfo = await userInfoDatabaseHandler.getUserInfo(userEntityRef);\n    if (!userInfo) {\n      res.status(404).send('User info not found');\n      return;\n    }\n\n    res.json(userInfo);\n  });\n}\n"],"names":["Router","AuthenticationError","InputError","decodeJwt"],"mappings":";;;;;;;;;;AAwBgB,SAAA,cAAA,CACd,cACA,OAMA,EAAA;AACA,EAAA,MAAM,EAAE,OAAA,EAAS,IAAM,EAAA,WAAA,EAAa,yBAA4B,GAAA,OAAA,CAAA;AAEhE,EAAA,MAAM,SAASA,uBAAO,EAAA,CAAA;AACtB,EAAA,YAAA,CAAa,IAAI,MAAM,CAAA,CAAA;AAEvB,EAAA,MAAM,MAAS,GAAA;AAAA,IACb,MAAQ,EAAA,OAAA;AAAA,IACR,cAAA,EAAgB,GAAG,OAAO,CAAA,SAAA,CAAA;AAAA,IAC1B,iBAAA,EAAmB,GAAG,OAAO,CAAA,YAAA,CAAA;AAAA,IAC7B,QAAA,EAAU,GAAG,OAAO,CAAA,sBAAA,CAAA;AAAA,IACpB,wBAAA,EAA0B,CAAC,UAAU,CAAA;AAAA,IACrC,uBAAA,EAAyB,CAAC,QAAQ,CAAA;AAAA,IAClC,qCAAuC,EAAA;AAAA,MACrC,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,KACF;AAAA,IACA,gBAAA,EAAkB,CAAC,QAAQ,CAAA;AAAA,IAC3B,uCAAuC,EAAC;AAAA,IACxC,gBAAA,EAAkB,CAAC,KAAA,EAAO,KAAK,CAAA;AAAA,IAC/B,uBAAuB,EAAC;AAAA,GAC1B,CAAA;AAEA,EAAA,MAAA,CAAO,GAAI,CAAA,mCAAA,EAAqC,CAAC,IAAA,EAAM,GAAQ,KAAA;AAC7D,IAAA,GAAA,CAAI,KAAK,MAAM,CAAA,CAAA;AAAA,GAChB,CAAA,CAAA;AAED,EAAA,MAAA,CAAO,GAAI,CAAA,wBAAA,EAA0B,OAAO,IAAA,EAAM,GAAQ,KAAA;AACxD,IAAA,MAAM,EAAE,IAAA,EAAS,GAAA,MAAM,YAAY,cAAe,EAAA,CAAA;AAClD,IAAI,GAAA,CAAA,IAAA,CAAK,EAAE,IAAA,EAAM,CAAA,CAAA;AAAA,GAClB,CAAA,CAAA;AAED,EAAA,MAAA,CAAO,GAAI,CAAA,WAAA,EAAa,CAAC,IAAA,EAAM,GAAQ,KAAA;AACrC,IAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,iBAAiB,CAAA,CAAA;AAAA,GACvC,CAAA,CAAA;AAKD,EAAA,MAAA,CAAO,GAAI,CAAA,cAAA,EAAgB,OAAO,GAAA,EAAK,GAAQ,KAAA;AAC7C,IAAA,MAAM,OAAU,GAAA,GAAA,CAAI,OAAQ,CAAA,aAAA,EAAe,MAAM,oBAAoB,CAAA,CAAA;AACrE,IAAM,MAAA,KAAA,GAAQ,UAAU,CAAC,CAAA,CAAA;AACzB,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIC,2BAAoB,mBAAmB,CAAA,CAAA;AAAA,KACnD;AAEA,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,KAAO,EAAA;AAAA,MACjD,kBAAoB,EAAA,IAAA;AAAA,KACrB,CAAA,CAAA;AACD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAY,CAAA,WAAA,EAAa,MAAM,CAAG,EAAA;AAC1C,MAAA,MAAM,IAAIC,iBAAA;AAAA,QACR,gFAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,EAAE,GAAA,EAAK,aAAc,EAAA,GAAIC,eAAU,KAAK,CAAA,CAAA;AAE9C,IAAI,IAAA,OAAO,kBAAkB,QAAU,EAAA;AACrC,MAAM,MAAA,IAAI,MAAM,sDAAsD,CAAA,CAAA;AAAA,KACxE;AAEA,IAAA,MAAM,QAAW,GAAA,MAAM,uBAAwB,CAAA,WAAA,CAAY,aAAa,CAAA,CAAA;AACxE,IAAA,IAAI,CAAC,QAAU,EAAA;AACb,MAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,qBAAqB,CAAA,CAAA;AAC1C,MAAA,OAAA;AAAA,KACF;AAEA,IAAA,GAAA,CAAI,KAAK,QAAQ,CAAA,CAAA;AAAA,GAClB,CAAA,CAAA;AACH;;;;"}