npm - @backstage/plugin-auth-backend - Versions diffs - 0.4.4 → 0.4.8 - Mend

@backstage/plugin-auth-backend 0.4.4 → 0.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,59 @@
 # @backstage/plugin-auth-backend
+## 0.4.8
+### Patch Changes
+- 892c1d9202: Update OAuthAdapter to create identity.token from identity.idToken if it does not exist, and prevent overwrites to identity.toke. Update login page commonProvider to prefer .token over .idToken
+- Updated dependencies
+  - @backstage/catalog-client@0.5.2
+  - @backstage/catalog-model@0.9.7
+  - @backstage/backend-common@0.9.10
+  - @backstage/test-utils@0.1.22
+## 0.4.7
+### Patch Changes
+- 5ee31f860b: Only use settings that have a value when creating a new FirestoreKeyStore instance
+- 3e0e2f09d5: Added forwarding of the `audience` option for the SAML provider, making it possible to enable `audience` verification.
+- Updated dependencies
+  - @backstage/backend-common@0.9.9
+  - @backstage/test-utils@0.1.21
+  - @backstage/catalog-client@0.5.1
+## 0.4.6
+### Patch Changes
+- 3b767f19c9: Allow OAuth state to be encoded by a stateEncoder.
+- Updated dependencies
+  - @backstage/test-utils@0.1.20
+  - @backstage/config@0.1.11
+  - @backstage/errors@0.1.4
+  - @backstage/backend-common@0.9.8
+  - @backstage/catalog-model@0.9.6
+## 0.4.5
+### Patch Changes
+- 9322e632e9: Require that audience URLs for Okta authentication start with https
+- de3e26aecc: Fix a bug preventing an access token to be refreshed a second time with the GitHub provider.
+- ab9b4a6ea6: Add Firestore as key-store provider.
+  Add `auth.keyStore` section to application config.
+- 202f322927: Atlassian auth provider
+  - AtlassianAuth added to core-app-api
+  - Atlassian provider added to plugin-auth-backend
+  - Updated user-settings with Atlassian connection
+- 36e67d2f24: Internal updates to apply more strict checks to throw errors.
+- Updated dependencies
+  - @backstage/backend-common@0.9.7
+  - @backstage/errors@0.1.3
+  - @backstage/catalog-model@0.9.5
 ## 0.4.4
 ### Patch Changes

package/config.d.ts CHANGED Viewed

@@ -31,6 +31,32 @@ export interface Config {
       secret?: string;
     };
+    /** To control how to store JWK data in auth-backend */
+    keyStore?: {
+      provider?: 'database' | 'memory' | 'firestore';
+      firestore?: {
+        /** The host to connect to */
+        host?: string;
+        /** The port to connect to */
+        port?: number;
+        /** Whether to use SSL when connecting. */
+        ssl?: boolean;
+        /** The Google Cloud Project ID */
+        projectId?: string;
+        /**
+         * Local file containing the Service Account credentials.
+         * You can omit this value to automatically read from
+         * GOOGLE_APPLICATION_CREDENTIALS env which is useful for local
+         * development.
+         */
+        keyFilename?: string;
+        /** The path to use for the collection. Defaults to 'sessions' */
+        path?: string;
+        /** Timeout used for database operations. Defaults to 10000ms */
+        timeout?: number;
+      };
+    };
     /**
      * The available auth-provider options and attributes
      */
@@ -49,6 +75,7 @@ export interface Config {
         logoutUrl?: string;
         issuer: string;
         cert: string;
+        audience?: string;
         privateKey?: string;
         authnContext?: string[];
         identifierFormat?: string;

package/dist/index.cjs.js CHANGED Viewed

@@ -29,6 +29,8 @@ var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -417,12 +419,10 @@ class OAuthAdapter {
         response
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -458,17 +458,19 @@ class OAuthAdapter {
       }
       res.status(200).json(response);
     } catch (error) {
-      res.status(401).send(`${error.message}`);
+      res.status(401).send(String(error));
     }
   }
   async populateIdentity(identity) {
     if (!identity) {
       return;
     }
-    if (!identity.idToken) {
-      identity.idToken = await this.options.tokenIssuer.issueToken({
+    if (!(identity.token || identity.idToken)) {
+      identity.token = await this.options.tokenIssuer.issueToken({
         claims: {sub: identity.id}
       });
+    } else if (!identity.token && identity.idToken) {
+      identity.token = identity.idToken;
     }
   }
 }
@@ -551,6 +553,7 @@ class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
@@ -568,7 +571,7 @@ class GithubAuthProvider {
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -579,13 +582,17 @@ class GithubAuthProvider {
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const {
+      accessToken,
+      refreshToken: newRefreshToken,
+      params
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
       params,
       accessToken,
-      refreshToken: req.refreshToken
+      refreshToken: newRefreshToken
     });
   }
   async handleResult(result) {
@@ -594,6 +601,7 @@ class GithubAuthProvider {
     const response = {
       providerInfo: {
         accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
       },
@@ -629,7 +637,7 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
@@ -651,6 +659,9 @@ const createGithubProvider = (options) => {
       tokenIssuer,
       logger
     });
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return {encodedState: encodeState(req.state)};
+    };
     const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
@@ -662,6 +673,7 @@ const createGithubProvider = (options) => {
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
@@ -1379,6 +1391,9 @@ const createOktaProvider = (_options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -1550,6 +1565,177 @@ const createBitbucketProvider = (options) => {
   });
 };
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default['default'] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
+    }
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(new Set([...defaultScopes, ...scopes]))
+    };
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
+    };
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
+      if (err) {
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
+      }
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
+      }
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
+      }
+    });
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{value: resp.email}],
+      photos: [{value: resp.picture}]
+    };
+  }
+}
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      scope: options.scopes
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    var _a;
+    const {result} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: (_a = result.refreshToken) != null ? _a : ""
+    };
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+  async refresh(req) {
+    const {
+      accessToken,
+      params,
+      refreshToken: newRefreshToken
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: newRefreshToken
+    });
+  }
+}
+const createAtlassianProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
+      clientId,
+      clientSecret,
+      scopes,
+      callbackUrl,
+      authHandler,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
 const getJWTHeaders = (input) => {
@@ -1830,12 +2016,10 @@ class SamlAuthProvider {
         }
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -1852,6 +2036,7 @@ const createSamlProvider = (_options) => {
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
@@ -2065,7 +2250,8 @@ const factories = {
   oidc: createOidcProvider(),
   onelogin: createOneLoginProvider(),
   awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider()
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
 };
 function createOidcRouter(options) {
@@ -2284,6 +2470,121 @@ class DatabaseKeyStore {
   }
 }
+class MemoryKeyStore {
+  constructor() {
+    this.keys = new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, {createdAt, key: keyStr}]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const {path, timeout, ...firestoreSettings} = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const {logger, database} = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
 async function createRouter({
   logger,
   config,
@@ -2294,10 +2595,8 @@ async function createRouter({
   const router = Router__default['default']();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
+  const keyStore = await KeyStores.fromConfig(config, {logger, database});
   const keyDurationSeconds = 3600;
-  const keyStore = await DatabaseKeyStore.create({
-    database: await database.getClient()
-  });
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,
     keyStore,
@@ -2348,6 +2647,7 @@ async function createRouter({
         }
         router.use(`/${providerId}`, r);
       } catch (e) {
+        errors.assertError(e);
         if (process.env.NODE_ENV !== "development") {
           throw new Error(`Failed to initialize ${providerId} auth provider, ${e.message}`);
         }
@@ -2391,6 +2691,7 @@ exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
 exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
+exports.createAtlassianProvider = createAtlassianProvider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
 exports.createGithubProvider = createGithubProvider;