@backstage/plugin-catalog-backend 0.19.4 → 0.20.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # @backstage/plugin-catalog-backend
 
+## 0.20.0
+
+### Minor Changes
+
+- cd529c4094: In order to integrate the permissions system with the refresh endpoint in catalog-backend, a new AuthorizedRefreshService was created as a thin wrapper around the existing refresh service which performs authorization and handles the case when authorization is denied. In order to instantiate AuthorizedRefreshService, a permission client is required, which was added as a new field to `CatalogEnvironment`.
+
+  The new `permissions` field in `CatalogEnvironment` should already receive the permission client from the `PluginEnvrionment`, so there should be no changes required to the catalog backend setup. See [the create-app changelog](https://github.com/backstage/backstage/blob/master/packages/create-app/CHANGELOG.md) for more details.
+
+### Patch Changes
+
+- 0ae759dad4: Add catalog permission rules.
+- 3b4d8caff6: Allow a custom GithubCredentialsProvider to be passed to the GitHub processors.
+- 6fd70f8bc8: Provide support for Bitbucket servers with custom BaseURLs.
+- 5333451def: Cleaned up API exports
+- 730d01ab1a: Add apply-conditions endpoint for evaluating conditional permissions in catalog backend.
+- 0a6c68582a: Add authorization to catalog-backend entities GET endpoints
+- Updated dependencies
+  - @backstage/config@0.1.12
+  - @backstage/integration@0.7.1
+  - @backstage/backend-common@0.10.3
+  - @backstage/plugin-permission-node@0.3.0
+  - @backstage/errors@0.2.0
+  - @backstage/catalog-client@0.5.4
+  - @backstage/catalog-model@0.9.9
+  - @backstage/plugin-permission-common@0.3.1
+
 ## 0.19.4
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -30,6 +30,9 @@ var luxon = require('luxon');
 var promClient = require('prom-client');
 var stableStringify = require('fast-json-stable-stringify');
 var catalogClient = require('@backstage/catalog-client');
+var pluginCatalogCommon = require('@backstage/plugin-catalog-common');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
@@ -604,12 +607,13 @@ async function readBitbucketCloud(client, target) {
 }
 function parseUrl$3(urlString) {
   const url = new URL(urlString);
-  const path = url.pathname.substr(1).split("/");
+  const indexOfProjectSegment = url.pathname.toLowerCase().indexOf("/projects/") + 1;
+  const path = url.pathname.substr(indexOfProjectSegment).split("/");
   if (path.length > 3 && path[1].length && path[3].length) {
     return {
       projectSearchPath: escapeRegExp$1(decodeURIComponent(path[1])),
       repoSearchPath: escapeRegExp$1(decodeURIComponent(path[3])),
-      catalogPath: `/${decodeURIComponent(path.slice(4).join("/"))}`
+      catalogPath: `/${decodeURIComponent(path.slice(4).join("/") + url.search)}`
     };
   }
   throw new Error(`Failed to parse ${urlString}`);
@@ -1104,6 +1108,7 @@ class GithubDiscoveryProcessor {
   constructor(options) {
     this.integrations = options.integrations;
     this.logger = options.logger;
+    this.githubCredentialsProvider = options.githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(this.integrations);
   }
   async readLocation(location$1, _optional, emit) {
     var _a, _b;
@@ -1116,7 +1121,9 @@ class GithubDiscoveryProcessor {
     }
     const { org, repoSearchPath, catalogPath, branch, host } = parseUrl$2(location$1.target);
     const orgUrl = `https://${host}/${org}`;
-    const { headers } = await integration.SingleInstanceGithubCredentialsProvider.create(gitHubConfig).getCredentials({ url: orgUrl });
+    const { headers } = await this.githubCredentialsProvider.getCredentials({
+      url: orgUrl
+    });
     const client = graphql.graphql.defaults({
       baseUrl: gitHubConfig.apiBaseUrl,
       headers
@@ -1301,6 +1308,7 @@ class GithubOrgReaderProcessor {
   }
   constructor(options) {
     this.integrations = options.integrations;
+    this.githubCredentialsProvider = options.githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(this.integrations);
     this.logger = options.logger;
   }
   async readLocation(location, _optional, emit) {
@@ -1331,8 +1339,7 @@ class GithubOrgReaderProcessor {
     if (!gitHubConfig) {
       throw new Error(`There is no GitHub Org provider that matches ${orgUrl}. Please add a configuration for an integration.`);
     }
-    const credentialsProvider = integration.SingleInstanceGithubCredentialsProvider.create(gitHubConfig);
-    const { headers, type: tokenType } = await credentialsProvider.getCredentials({
+    const { headers, type: tokenType } = await this.githubCredentialsProvider.getCredentials({
       url: orgUrl
     });
     const client = graphql.graphql.defaults({
@@ -1357,6 +1364,7 @@ class GithubMultiOrgReaderProcessor {
     this.integrations = options.integrations;
     this.logger = options.logger;
     this.orgs = options.orgs;
+    this.githubCredentialsProvider = options.githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(this.integrations);
   }
   async readLocation(location, _optional, emit) {
     var _a, _b;
@@ -1369,11 +1377,10 @@ class GithubMultiOrgReaderProcessor {
     }
     const allUsersMap = /* @__PURE__ */ new Map();
     const baseUrl = new URL(location.target).origin;
-    const credentialsProvider = integration.SingleInstanceGithubCredentialsProvider.create(gitHubConfig);
     const orgsToProcess = this.orgs.length ? this.orgs : await this.getAllOrgs(gitHubConfig);
     for (const orgConfig of orgsToProcess) {
       try {
-        const { headers, type: tokenType } = await credentialsProvider.getCredentials({
+        const { headers, type: tokenType } = await this.githubCredentialsProvider.getCredentials({
           url: `${baseUrl}/${orgConfig.name}`
         });
         const client = graphql.graphql.defaults({
@@ -1839,7 +1846,7 @@ const defaultEntityDataParser = async function* defaultEntityDataParser2({ data,
 class GitHubOrgEntityProvider {
   constructor(options) {
     this.options = options;
-    this.credentialsProvider = integration.SingleInstanceGithubCredentialsProvider.create(options.gitHubConfig);
+    this.githubCredentialsProvider = options.githubCredentialsProvider || integration.SingleInstanceGithubCredentialsProvider.create(options.gitHubConfig);
   }
   static fromConfig(config, options) {
     var _a;
@@ -1855,7 +1862,8 @@ class GitHubOrgEntityProvider {
       id: options.id,
       orgUrl: options.orgUrl,
       logger,
-      gitHubConfig
+      gitHubConfig,
+      githubCredentialsProvider: options.githubCredentialsProvider || integration.DefaultGithubCredentialsProvider.fromIntegrations(integrations)
     });
   }
   getProviderName() {
@@ -1869,7 +1877,7 @@ class GitHubOrgEntityProvider {
       throw new Error("Not initialized");
     }
     const { markReadComplete } = trackProgress(this.options.logger);
-    const { headers, type: tokenType } = await this.credentialsProvider.getCredentials({
+    const { headers, type: tokenType } = await this.githubCredentialsProvider.getCredentials({
       url: this.options.orgUrl
     });
     const client = graphql.graphql.defaults({
@@ -3102,7 +3110,8 @@ async function createNextRouter(options) {
     locationService,
     refreshService,
     config,
-    logger
+    logger,
+    permissionIntegrationRouter
   } = options;
   const router = Router__default["default"]();
   router.use(express__default["default"].json());
@@ -3113,16 +3122,21 @@ async function createNextRouter(options) {
   if (refreshService) {
     router.post("/refresh", async (req, res) => {
       const refreshOptions = req.body;
+      refreshOptions.authorizationToken = getBearerToken(req.header("authorization"));
       await refreshService.refresh(refreshOptions);
       res.status(200).send();
     });
   }
+  if (permissionIntegrationRouter) {
+    router.use(permissionIntegrationRouter);
+  }
   if (entitiesCatalog) {
     router.get("/entities", async (req, res) => {
       const { entities, pageInfo } = await entitiesCatalog.entities({
         filter: parseEntityFilterParams(req.query),
         fields: parseEntityTransformParams(req.query),
-        pagination: parseEntityPaginationParams(req.query)
+        pagination: parseEntityPaginationParams(req.query),
+        authorizationToken: getBearerToken(req.header("authorization"))
       });
       if (pageInfo.hasNextPage) {
         const url = new URL(`http://ignored${req.url}`);
@@ -3134,7 +3148,8 @@ async function createNextRouter(options) {
     }).get("/entities/by-uid/:uid", async (req, res) => {
       const { uid } = req.params;
       const { entities } = await entitiesCatalog.entities({
-        filter: basicEntityFilter({ "metadata.uid": uid })
+        filter: basicEntityFilter({ "metadata.uid": uid }),
+        authorizationToken: getBearerToken(req.header("authorization"))
       });
       if (!entities.length) {
         throw new errors.NotFoundError(`No entity with uid ${uid}`);
@@ -3151,7 +3166,8 @@ async function createNextRouter(options) {
           kind,
           "metadata.namespace": namespace,
           "metadata.name": name
-        })
+        }),
+        authorizationToken: getBearerToken(req.header("authorization"))
       });
       if (!entities.length) {
         throw new errors.NotFoundError(`No entity named '${name}' found, with kind '${kind}' in namespace '${namespace}'`);
@@ -3197,6 +3213,13 @@ async function createNextRouter(options) {
   router.use(backendCommon.errorHandler());
   return router;
 }
+function getBearerToken(authorizationHeader) {
+  if (typeof authorizationHeader !== "string") {
+    return void 0;
+  }
+  const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
+  return matches == null ? void 0 : matches[1];
+}
 
 function isLocationEntity(entity) {
   return entity.kind === "Location";
@@ -4858,6 +4881,25 @@ class DefaultRefreshService {
   }
 }
 
+class AuthorizedRefreshService {
+  constructor(service, permissionApi) {
+    this.service = service;
+    this.permissionApi = permissionApi;
+  }
+  async refresh(options) {
+    const authorizeResponse = (await this.permissionApi.authorize([
+      {
+        permission: pluginCatalogCommon.catalogEntityRefreshPermission,
+        resourceRef: options.entityRef
+      }
+    ], { token: options.authorizationToken }))[0];
+    if (authorizeResponse.result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+      throw new errors.NotAllowedError();
+    }
+    await this.service.refresh(options);
+  }
+}
+
 class Connection {
   constructor(config) {
     this.config = config;
@@ -4907,6 +4949,122 @@ async function connectEntityProviders(db, providers) {
   }));
 }
 
+const createCatalogPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
+
+const hasAnnotation = createCatalogPermissionRule({
+  name: "HAS_ANNOTATION",
+  description: "Allow entities which are annotated with the specified annotation",
+  apply: (resource, annotation) => {
+    var _a;
+    return !!((_a = resource.metadata.annotations) == null ? void 0 : _a.hasOwnProperty(annotation));
+  },
+  toQuery: (annotation) => ({
+    key: `metadata.annotations.${annotation}`
+  })
+});
+
+const isEntityKind = createCatalogPermissionRule({
+  name: "IS_ENTITY_KIND",
+  description: "Allow entities with the specified kind",
+  apply(resource, kinds) {
+    const resourceKind = resource.kind.toLocaleLowerCase("en-US");
+    return kinds.some((kind) => kind.toLocaleLowerCase("en-US") === resourceKind);
+  },
+  toQuery(kinds) {
+    return {
+      key: "kind",
+      values: kinds.map((kind) => kind.toLocaleLowerCase("en-US"))
+    };
+  }
+});
+
+const isEntityOwner = createCatalogPermissionRule({
+  name: "IS_ENTITY_OWNER",
+  description: "Allow entities owned by the current user",
+  apply: (resource, claims) => {
+    if (!resource.relations) {
+      return false;
+    }
+    return resource.relations.filter((relation) => relation.type === catalogModel.RELATION_OWNED_BY).some((relation) => claims.includes(catalogModel.stringifyEntityRef(relation.target)));
+  },
+  toQuery: (claims) => ({
+    key: "relations.ownedBy",
+    values: claims
+  })
+});
+
+const hasLabel = createCatalogPermissionRule({
+  name: "HAS_LABEL",
+  description: "Allow entities which have the specified label metadata.",
+  apply: (resource, label) => {
+    var _a;
+    return !!((_a = resource.metadata.labels) == null ? void 0 : _a.hasOwnProperty(label));
+  },
+  toQuery: (label) => ({
+    key: `metadata.labels.${label}`
+  })
+});
+
+const createPropertyRule = (propertyType) => createCatalogPermissionRule({
+  name: `HAS_${propertyType.toUpperCase()}`,
+  description: `Allow entities which have the specified ${propertyType} subfield.`,
+  apply: (resource, key, value) => {
+    const foundValue = lodash.get(resource[propertyType], key);
+    if (value !== void 0) {
+      return value === foundValue;
+    }
+    return !!foundValue;
+  },
+  toQuery: (key, value) => ({
+    key: `${propertyType}.${key}`,
+    ...value !== void 0 && { values: [value] }
+  })
+});
+
+const hasMetadata = createPropertyRule("metadata");
+
+const hasSpec = createPropertyRule("spec");
+
+const permissionRules = {
+  hasAnnotation,
+  hasLabel,
+  hasMetadata,
+  hasSpec,
+  isEntityKind,
+  isEntityOwner
+};
+
+class AuthorizedEntitiesCatalog {
+  constructor(entitiesCatalog, permissionApi, transformConditions) {
+    this.entitiesCatalog = entitiesCatalog;
+    this.permissionApi = permissionApi;
+    this.transformConditions = transformConditions;
+  }
+  async entities(request) {
+    const authorizeResponse = (await this.permissionApi.authorize([{ permission: pluginCatalogCommon.catalogEntityReadPermission }], { token: request == null ? void 0 : request.authorizationToken }))[0];
+    if (authorizeResponse.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+      return {
+        entities: [],
+        pageInfo: { hasNextPage: false }
+      };
+    }
+    if (authorizeResponse.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+      const permissionFilter = this.transformConditions(authorizeResponse.conditions);
+      return this.entitiesCatalog.entities({
+        ...request,
+        filter: (request == null ? void 0 : request.filter) ? { allOf: [permissionFilter, request.filter] } : permissionFilter
+      });
+    }
+    return this.entitiesCatalog.entities(request);
+  }
+  removeEntityByUid(uid) {
+    return this.entitiesCatalog.removeEntityByUid(uid);
+  }
+  entityAncestry(entityRef) {
+    return this.entitiesCatalog.entityAncestry(entityRef);
+  }
+}
+
 class NextCatalogBuilder {
   constructor(env) {
     this.refreshInterval = createRandomRefreshInterval({
@@ -4923,6 +5081,7 @@ class NextCatalogBuilder {
     this.processors = [];
     this.processorsReplace = false;
     this.parser = void 0;
+    this.permissionRules = Object.values(permissionRules);
   }
   addEntityPolicy(...policies) {
     this.entityPolicies.push(...policies);
@@ -4972,12 +5131,19 @@ class NextCatalogBuilder {
   getDefaultProcessors() {
     const { config, logger, reader } = this.env;
     const integrations = integration.ScmIntegrations.fromConfig(config);
+    const githubCredentialsProvider = integration.DefaultGithubCredentialsProvider.fromIntegrations(integrations);
     return [
       new FileReaderProcessor(),
       BitbucketDiscoveryProcessor.fromConfig(config, { logger }),
       AzureDevOpsDiscoveryProcessor.fromConfig(config, { logger }),
-      GithubDiscoveryProcessor.fromConfig(config, { logger }),
-      GithubOrgReaderProcessor.fromConfig(config, { logger }),
+      GithubDiscoveryProcessor.fromConfig(config, {
+        logger,
+        githubCredentialsProvider
+      }),
+      GithubOrgReaderProcessor.fromConfig(config, {
+        logger,
+        githubCredentialsProvider
+      }),
       GitLabDiscoveryProcessor.fromConfig(config, { logger }),
       new UrlReaderProcessor({ reader, logger }),
       CodeOwnersProcessor.fromConfig(config, { logger, reader }),
@@ -4988,9 +5154,12 @@ class NextCatalogBuilder {
     this.parser = parser;
     return this;
   }
+  addPermissionRules(...permissionRules) {
+    this.permissionRules.push(...permissionRules);
+  }
   async build() {
     var _a, _b;
-    const { config, database, logger } = this.env;
+    const { config, database, logger, permissions } = this.env;
     const policy = this.buildEntityPolicy();
     const processors = this.buildProcessors();
     const parser = this.parser || defaultEntityDataParser;
@@ -5015,7 +5184,28 @@ class NextCatalogBuilder {
       parser,
       policy
     });
-    const entitiesCatalog = new NextEntitiesCatalog(dbClient);
+    const unauthorizedEntitiesCatalog = new NextEntitiesCatalog(dbClient);
+    const entitiesCatalog = new AuthorizedEntitiesCatalog(unauthorizedEntitiesCatalog, permissions, pluginPermissionNode.createConditionTransformer(this.permissionRules));
+    const permissionIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
+      resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+      getResources: async (resourceRefs) => {
+        const { entities } = await entitiesCatalog.entities({
+          filter: {
+            anyOf: resourceRefs.map((resourceRef) => {
+              const { kind, namespace, name } = catalogModel.parseEntityRef(resourceRef);
+              return basicEntityFilter({
+                kind,
+                "metadata.namespace": namespace,
+                "metadata.name": name
+              });
+            })
+          }
+        });
+        const entitiesByRef = lodash.keyBy(entities, catalogModel.stringifyEntityRef);
+        return resourceRefs.map((resourceRef) => entitiesByRef[catalogModel.stringifyEntityRef(catalogModel.parseEntityRef(resourceRef))]);
+      },
+      rules: this.permissionRules
+    });
     const stitcher = new Stitcher(dbClient, logger);
     const locationStore = new DefaultLocationStore(dbClient);
     const configLocationProvider = new ConfigLocationEntityProvider(config);
@@ -5024,16 +5214,15 @@ class NextCatalogBuilder {
     const locationsCatalog = new DatabaseLocationsCatalog(db);
     const locationAnalyzer = (_b = this.locationAnalyzer) != null ? _b : new RepoLocationAnalyzer(logger, integrations);
     const locationService = new DefaultLocationService(locationStore, orchestrator);
-    const refreshService = new DefaultRefreshService({
-      database: processingDatabase
-    });
+    const refreshService = new AuthorizedRefreshService(new DefaultRefreshService({ database: processingDatabase }), permissions);
     const router = await createNextRouter({
       entitiesCatalog,
       locationAnalyzer,
       locationService,
       refreshService,
       logger,
-      config
+      config,
+      permissionIntegrationRouter
     });
     await connectEntityProviders(processingDatabase, entityProviders);
     return {
@@ -5180,6 +5369,7 @@ class CatalogBuilder {
   buildProcessors() {
     const { config, logger, reader } = this.env;
     const integrations = integration.ScmIntegrations.fromConfig(config);
+    const githubCredentialsProvider = integration.DefaultGithubCredentialsProvider.fromIntegrations(integrations);
     this.checkDeprecatedReaderProcessors();
     const placeholderResolvers = {
       json: jsonPlaceholderResolver,
@@ -5197,7 +5387,13 @@ class CatalogBuilder {
       new BuiltinKindsEntityProcessor()
     ];
     if (!this.processorsReplace) {
-      processors.push(new FileReaderProcessor(), BitbucketDiscoveryProcessor.fromConfig(config, { logger }), GithubDiscoveryProcessor.fromConfig(config, { logger }), AzureDevOpsDiscoveryProcessor.fromConfig(config, { logger }), GithubOrgReaderProcessor.fromConfig(config, { logger }), GitLabDiscoveryProcessor.fromConfig(config, { logger }), new UrlReaderProcessor({ reader, logger }), CodeOwnersProcessor.fromConfig(config, { logger, reader }), new LocationEntityProcessor({ integrations }), new AnnotateLocationEntityProcessor({ integrations }));
+      processors.push(new FileReaderProcessor(), BitbucketDiscoveryProcessor.fromConfig(config, { logger }), GithubDiscoveryProcessor.fromConfig(config, {
+        logger,
+        githubCredentialsProvider
+      }), AzureDevOpsDiscoveryProcessor.fromConfig(config, { logger }), GithubOrgReaderProcessor.fromConfig(config, {
+        logger,
+        githubCredentialsProvider
+      }), GitLabDiscoveryProcessor.fromConfig(config, { logger }), new UrlReaderProcessor({ reader, logger }), CodeOwnersProcessor.fromConfig(config, { logger, reader }), new LocationEntityProcessor({ integrations }), new AnnotateLocationEntityProcessor({ integrations }));
     }
     processors.push(...this.processors);
     return processors;
@@ -5451,11 +5647,13 @@ exports.NextCatalogBuilder = NextCatalogBuilder;
 exports.PlaceholderProcessor = PlaceholderProcessor;
 exports.StaticLocationProcessor = StaticLocationProcessor;
 exports.UrlReaderProcessor = UrlReaderProcessor;
+exports.createCatalogPermissionRule = createCatalogPermissionRule;
 exports.createNextRouter = createNextRouter;
 exports.createRandomRefreshInterval = createRandomRefreshInterval;
 exports.createRouter = createRouter;
 exports.durationText = durationText;
 exports.parseEntityYaml = parseEntityYaml;
+exports.permissionRules = permissionRules;
 exports.results = results;
 exports.runPeriodically = runPeriodically;
 //# sourceMappingURL=index.cjs.js.map