@backstage/plugin-auth-backend 0.3.24 → 0.4.3

package/CHANGELOG.md

@@ -1,5 +1,64 @@
 # @backstage/plugin-auth-backend
 
+## 0.4.3
+
+### Patch Changes
+
+- 4c3eea7788: Bitbucket Cloud authentication - based on the existing GitHub authentication + changes around BB apis and updated scope.
+
+  - BitbucketAuth added to core-app-api.
+  - Bitbucket provider added to plugin-auth-backend.
+  - Cosmetic entry for Bitbucket connection in user-settings Authentication Providers tab.
+
+- Updated dependencies
+  - @backstage/test-utils@0.1.18
+  - @backstage/catalog-model@0.9.4
+  - @backstage/backend-common@0.9.6
+  - @backstage/catalog-client@0.5.0
+
+## 0.4.2
+
+### Patch Changes
+
+- 88622e6422: Allow users to override callback url of GitHub provider
+- c46396ebb0: Update OAuth refresh handler to pass updated refresh token to ensure cookie is updated with new value.
+- Updated dependencies
+  - @backstage/backend-common@0.9.5
+
+## 0.4.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/catalog-client@0.4.0
+  - @backstage/catalog-model@0.9.3
+  - @backstage/backend-common@0.9.4
+  - @backstage/config@0.1.10
+
+## 0.4.0
+
+### Minor Changes
+
+- 19f45179a5: Bump `passport-saml` to version 3. This is a breaking change, in that it [now requires](https://github.com/node-saml/passport-saml/pull/548) the `auth.saml.cert` parameter to be set. If you are not using SAML auth, you can ignore this.
+
+  To update your settings, add something similar to the following to your app-config:
+
+  ```yaml
+  auth:
+    saml:
+      # ... other settings ...
+      cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
+  ```
+
+  For more information, see the [library README](https://github.com/node-saml/passport-saml#security-and-signatures).
+
+### Patch Changes
+
+- 560d6810f0: Fix a bug preventing an access token to be refreshed a second time with the GitLab provider.
+- de5717872d: Use a more informative error message if the configured OIDC identity provider does not provide a `userinfo_endpoint` in its metadata.
+- Updated dependencies
+  - @backstage/backend-common@0.9.3
+
 ## 0.3.24
 
 ### Patch Changes

package/config.d.ts

@@ -48,7 +48,7 @@ export interface Config {
         entryPoint: string;
         logoutUrl?: string;
         issuer: string;
-        cert?: string;
+        cert: string;
         privateKey?: string;
         decryptionPvk?: string;
         signatureAlgorithm?: 'sha256' | 'sha512';

package/dist/index.cjs.js

@@ -18,6 +18,7 @@ var passportMicrosoft = require('passport-microsoft');
 var got = require('got');
 var OAuth2Strategy = require('passport-oauth2');
 var passportOktaOauth = require('passport-okta-oauth');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var openidClient = require('openid-client');
 var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -285,7 +286,7 @@ const postMessageResponse = (res, appOrigin, response) => {
     (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);
     setTimeout(() => {
       window.close();
-    }, 100); // same as the interval of the core-api lib/loginPopup.ts (to address race conditions)
+    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
   `;
   const hash = crypto__default['default'].createHash("sha256").update(script).digest("base64");
   res.setHeader("Content-Type", "text/html");
@@ -632,10 +633,11 @@ const createGithubProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
     const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
     const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
     const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -738,6 +740,7 @@ class GitlabAuthProvider {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
@@ -1174,7 +1177,8 @@ class OAuth2AuthProvider {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        expiresInSeconds: result.params.expires_in,
+        refreshToken: result.refreshToken
       },
       profile
     };
@@ -1407,6 +1411,145 @@ const createOktaProvider = (_options) => {
   });
 };
 
+class BitbucketAuthProvider {
+  constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new passportBitbucketOauth2.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        params,
+        accessToken,
+        refreshToken
+      }, {
+        refreshToken
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: req.refreshToken
+    });
+  }
+  async handleResult(result) {
+    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const bitbucketUsernameSignInResolver = async (info, ctx) => {
+  const {result} = info;
+  if (!result.fullProfile.username) {
+    throw new Error("Bitbucket profile contained no Username");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/username": result.fullProfile.username
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({claims});
+  return {id: entity.metadata.name, entity, token};
+};
+const bitbucketUserIdSignInResolver = async (info, ctx) => {
+  const {result} = info;
+  if (!result.fullProfile.id) {
+    throw new Error("Bitbucket profile contained no User ID");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/user-id": result.fullProfile.id
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({claims});
+  return {id: entity.metadata.name, entity, token};
+};
+const createBitbucketProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const provider = new BitbucketAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
 class OidcAuthProvider {
   constructor(options) {
     this.implementation = this.setupStrategy(options);
@@ -1483,6 +1626,9 @@ class OidcAuthProvider {
       client,
       passReqToCallback: false
     }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
       done(void 0, {tokenset, userinfo}, {
         refreshToken: tokenset.refresh_token
       });
@@ -1573,13 +1719,13 @@ class SamlAuthProvider {
   }
 }
 const createSamlProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer, logger}) => {
+  return ({providerId, globalConfig, config, tokenIssuer}) => {
     const opts = {
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
       issuer: config.getString("issuer"),
-      cert: config.getOptionalString("cert"),
+      cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
       decryptionPvk: config.getOptionalString("decryptionPvk"),
       signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
@@ -1588,10 +1734,6 @@ const createSamlProvider = (_options) => {
       tokenIssuer,
       appUrl: globalConfig.appUrl
     };
-    if (!opts.cert) {
-      logger.warn('SamlAuthProvider was initialized without a cert configuration parameter. This will soon be required by the underlying passport-saml library, which may soon lead to failures to start the auth backend. Please add an "auth.saml.cert" config parameter.');
-      delete opts.cert;
-    }
     return new SamlAuthProvider(opts);
   };
 };
@@ -1863,7 +2005,8 @@ const factories = {
   oauth2: createOAuth2Provider(),
   oidc: createOidcProvider(),
   onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider()
+  awsalb: createAwsAlbProvider(),
+  bitbucket: createBitbucketProvider()
 };
 
 function createOidcRouter(options) {
@@ -2187,6 +2330,9 @@ function createOriginFilter(config) {
 exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
+exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
+exports.createBitbucketProvider = createBitbucketProvider;
 exports.createGithubProvider = createGithubProvider;
 exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;