@backstage/plugin-auth-backend 0.4.6 → 0.4.10

package/dist/index.cjs.js

@@ -17,12 +17,12 @@ var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
 var got = require('got');
 var OAuth2Strategy = require('passport-oauth2');
+var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var fetch = require('cross-fetch');
+var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
-var openidClient = require('openid-client');
 var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var catalogClient = require('@backstage/catalog-client');
@@ -30,6 +30,7 @@ var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
 var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -226,22 +227,22 @@ class OAuthEnvironmentHandler {
     return new OAuthEnvironmentHandler(handlers);
   }
   async start(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.start(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.start(req, res);
   }
   async frameHandler(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.frameHandler(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.frameHandler(req, res);
   }
   async refresh(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.refresh) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.refresh) == null ? void 0 : _a.call(provider, req, res));
   }
   async logout(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.logout) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.logout) == null ? void 0 : _a.call(provider, req, res));
   }
   getRequestFromEnv(req) {
     var _a, _b;
@@ -256,19 +257,16 @@ class OAuthEnvironmentHandler {
     const env = readState(stateParams).env;
     return env;
   }
-  getProviderForEnv(req, res) {
+  getProviderForEnv(req) {
     const env = this.getRequestFromEnv(req);
     if (!env) {
       throw new errors.InputError(`Must specify 'env' query to select environment`);
     }
-    if (!this.handlers.has(env)) {
-      res.status(404).send(`Missing configuration.
-    <br>
-    <br>
-    For this flow to work you need to supply a valid configuration for the "${env}" environment of provider.`);
-      return void 0;
+    const handler = this.handlers.get(env);
+    if (!handler) {
+      throw new errors.NotFoundError(`No configuration available for the '${env}' environment of this provider.`);
     }
-    return this.handlers.get(env);
+    return handler;
   }
 }
 
@@ -427,26 +425,23 @@ class OAuthAdapter {
   }
   async logout(req, res) {
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     this.removeRefreshTokenCookie(res);
-    res.status(200).send("logout!");
+    res.status(200).end();
   }
   async refresh(req, res) {
     var _a, _b;
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     if (!this.handlers.refresh || this.options.disableRefresh) {
-      res.status(400).send(`Refresh token not supported for provider: ${this.options.providerId}`);
-      return;
+      throw new errors.InputError(`Refresh token is not supported for provider ${this.options.providerId}`);
     }
     try {
       const refreshToken = req.cookies[`${this.options.providerId}-refresh-token`];
       if (!refreshToken) {
-        throw new Error("Missing session cookie");
+        throw new errors.InputError("Missing session cookie");
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
       const forwardReq = Object.assign(req, {scope, refreshToken});
@@ -457,17 +452,19 @@ class OAuthAdapter {
       }
       res.status(200).json(response);
     } catch (error) {
-      res.status(401).send(String(error));
+      throw new errors.AuthenticationError("Refresh failed", error);
     }
   }
   async populateIdentity(identity) {
     if (!identity) {
       return;
     }
-    if (!identity.idToken) {
-      identity.idToken = await this.options.tokenIssuer.issueToken({
+    if (!(identity.token || identity.idToken)) {
+      identity.token = await this.options.tokenIssuer.issueToken({
         claims: {sub: identity.id}
       });
+    } else if (!identity.token && identity.idToken) {
+      identity.token = identity.idToken;
     }
   }
 }
@@ -1137,7 +1134,10 @@ class OAuth2AuthProvider {
       authorizationURL: options.authorizationUrl,
       tokenURL: options.tokenUrl,
       passReqToCallback: false,
-      scope: options.scope
+      scope: options.scope,
+      customHeaders: {
+        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
+      }
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
         fullProfile,
@@ -1203,8 +1203,11 @@ class OAuth2AuthProvider {
     }
     return response;
   }
+  encodeClientCredentials(clientID, clientSecret) {
+    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
+  }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
+const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
   const {profile} = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
@@ -1239,7 +1242,7 @@ const createOAuth2Provider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
@@ -1266,6 +1269,168 @@ const createOAuth2Provider = (options) => {
   });
 };
 
+class OidcAuthProvider {
+  constructor(options) {
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+  }
+  async start(req) {
+    const {strategy} = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
+  }
+  async handler(req) {
+    const {strategy} = await this.implementation;
+    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
+    const {
+      result: {userinfo, tokenset},
+      privateInfo
+    } = strategyResponse;
+    const identityResponse = await this.handleResult({tokenset, userinfo});
+    return {
+      response: identityResponse,
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const {client} = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const profile = await client.userinfo(tokenset.access_token);
+    return this.handleResult({tokenset, userinfo: profile});
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
+      done(void 0, {tokenset, userinfo}, {
+        refreshToken: tokenset.refresh_token
+      });
+    });
+    strategy.error = console.error;
+    return {strategy, client};
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        refreshToken: result.tokenset.refresh_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const {profile} = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {sub: userId, ent: [`user:default/${userId}`]}
+  });
+  return {id: userId, token};
+};
+const createOidcProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const metadataUrl = envConfig.getString("metadataUrl");
+    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+    const scope = envConfig.getOptionalString("scope");
+    const prompt = envConfig.getOptionalString("prompt");
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({userinfo}) => ({
+      profile: {
+        displayName: userinfo.name,
+        email: userinfo.email,
+        picture: userinfo.picture
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OidcAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      tokenSignedResponseAlg,
+      metadataUrl,
+      scope,
+      prompt,
+      signInResolver,
+      authHandler,
+      logger,
+      tokenIssuer,
+      catalogIdentityClient
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
 class OktaAuthProvider {
   constructor(options) {
     this._store = {
@@ -1861,131 +2026,14 @@ const createAwsAlbProvider = (options) => {
   };
 };
 
-class OidcAuthProvider {
-  constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-  }
-  async start(req) {
-    const {strategy} = await this.implementation;
-    const options = {
-      accessType: "offline",
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
-  }
-  async handler(req) {
-    const {strategy} = await this.implementation;
-    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
-    const {
-      result: {userinfo, tokenset},
-      privateInfo
-    } = strategyResponse;
-    const identityResponse = await this.populateIdentity({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      },
-      providerInfo: {
-        idToken: tokenset.id_token,
-        accessToken: tokenset.access_token || "",
-        scope: tokenset.scope || "",
-        expiresInSeconds: tokenset.expires_in
-      }
-    });
-    return {
-      response: identityResponse,
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {client} = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const profile = await client.userinfo(tokenset.access_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken: tokenset.access_token,
-        refreshToken: tokenset.refresh_token,
-        expiresInSeconds: tokenset.expires_in,
-        idToken: tokenset.id_token,
-        scope: tokenset.scope || ""
-      },
-      profile
-    });
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, {tokenset, userinfo}, {
-        refreshToken: tokenset.refresh_token
-      });
-    });
-    strategy.error = console.error;
-    return {strategy, client};
-  }
-  async populateIdentity(response) {
-    const {profile} = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
-    }
-    const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
-  }
-}
-const createOidcProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
-    const provider = new OidcAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-
 class SamlAuthProvider {
   constructor(options) {
     this.appUrl = options.appUrl;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
     this.strategy = new passportSaml.Strategy({...options}, (fullProfile, done) => {
       done(void 0, {fullProfile});
     });
@@ -1997,20 +2045,24 @@ class SamlAuthProvider {
   async frameHandler(req, res) {
     try {
       const {result} = await executeFrameHandlerStrategy(req, this.strategy);
-      const id = result.fullProfile.nameID;
-      const idToken = await this.tokenIssuer.issueToken({
-        claims: {sub: id}
-      });
+      const {profile} = await this.authHandler(result);
+      const response = {
+        profile,
+        providerInfo: {}
+      };
+      if (this.signInResolver) {
+        response.backstageIdentity = await this.signInResolver({
+          result,
+          profile
+        }, {
+          tokenIssuer: this.tokenIssuer,
+          catalogIdentityClient: this.catalogIdentityClient,
+          logger: this.logger
+        });
+      }
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        response: {
-          profile: {
-            email: result.fullProfile.email,
-            displayName: result.fullProfile.displayName
-          },
-          providerInfo: {},
-          backstageIdentity: {id, idToken}
-        }
+        response
       });
     } catch (error) {
       const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
@@ -2021,21 +2073,50 @@ class SamlAuthProvider {
     }
   }
   async logout(_req, res) {
-    res.send("noop");
-  }
-  identifyEnv() {
-    return void 0;
+    res.end();
   }
 }
-const createSamlProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => {
-    const opts = {
+const samlDefaultSignInResolver = async (info, ctx) => {
+  const id = info.result.fullProfile.nameID;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {sub: id}
+  });
+  return {id, token};
+};
+const createSamlProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => {
+    var _a, _b;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+      profile: {
+        email: fullProfile.email,
+        displayName: fullProfile.displayName
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    return new SamlAuthProvider({
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
-      privateCert: config.getOptionalString("privateKey"),
+      privateKey: config.getOptionalString("privateKey"),
       authnContext: config.getOptionalStringArray("authnContext"),
       identifierFormat: config.getOptionalString("identifierFormat"),
       decryptionPvk: config.getOptionalString("decryptionPvk"),
@@ -2043,9 +2124,12 @@ const createSamlProvider = (_options) => {
       digestAlgorithm: config.getOptionalString("digestAlgorithm"),
       acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
       tokenIssuer,
-      appUrl: globalConfig.appUrl
-    };
-    return new SamlAuthProvider(opts);
+      appUrl: globalConfig.appUrl,
+      authHandler,
+      signInResolver,
+      logger,
+      catalogIdentityClient
+    });
   };
 };
 
@@ -2565,7 +2649,7 @@ class KeyStores {
     }
     if (provider === "firestore") {
       const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create({
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
         projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
         keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
         host: settings == null ? void 0 : settings.getOptionalString("host"),
@@ -2573,7 +2657,7 @@ class KeyStores {
         ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
         path: settings == null ? void 0 : settings.getOptionalString("path"),
         timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      });
+      }, (value) => value !== void 0));
       await FirestoreKeyStore.verifyConnection(keyStore, logger);
       return keyStore;
     }
@@ -2682,6 +2766,7 @@ function createOriginFilter(config) {
   };
 }
 
+exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
@@ -2695,12 +2780,15 @@ exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
 exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
+exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
+exports.createSamlProvider = createSamlProvider;
 exports.defaultAuthProviderFactories = factories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;
+exports.getEntityClaims = getEntityClaims;
 exports.googleEmailSignInResolver = googleEmailSignInResolver;
 exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
 exports.oktaEmailSignInResolver = oktaEmailSignInResolver;