npm - @backstage/plugin-auth-backend - Versions diffs - 0.6.0 → 0.6.1 - Mend

@backstage/plugin-auth-backend 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # @backstage/plugin-auth-backend
+## 0.6.1
+### Patch Changes
+- e0e57817d2: Added Google Cloud Identity-Aware Proxy as an identity provider.
+- Updated dependencies
+  - @backstage/backend-common@0.10.2
 ## 0.6.0
 ### Minor Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -24,6 +24,7 @@ var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
+var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
@@ -865,7 +866,7 @@ const createAuth0Provider = (options) => {
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 const getJWTHeaders = (input) => {
   const encoded = input.split(".")[0];
   return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
@@ -900,12 +901,12 @@ class AwsAlbAuthProvider {
   }
   async getResult(req) {
     const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
+    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
     if (jwt === void 0) {
       throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
     }
     if (accessToken === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`);
     }
     try {
       const headers = getJWTHeaders(jwt);
@@ -2404,6 +2405,96 @@ const createSamlProvider = (options) => {
   };
 };
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
+  }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
+  }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
+}
+const defaultAuthHandler = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+  }
+  async start() {
+  }
+  async frameHandler() {
+  }
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const { profile } = await this.authHandler(result);
+    const backstageIdentity = await this.signInResolver({ profile, result }, {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
+    });
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
+  }
+}
+function createGcpIapProvider(options) {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
+    var _a;
+    const audience = config.getString("audience");
+    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+    const signInResolver = options.signIn.resolver;
+    const tokenValidator = createTokenValidator(audience);
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    return new GcpIapProvider({
+      authHandler,
+      signInResolver,
+      tokenValidator,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
+}
 const factories = {
   google: createGoogleProvider(),
   github: createGithubProvider(),
@@ -2872,6 +2963,7 @@ exports.createAtlassianProvider = createAtlassianProvider;
 exports.createAuth0Provider = createAuth0Provider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
+exports.createGcpIapProvider = createGcpIapProvider;
 exports.createGithubProvider = createGithubProvider;
 exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;