@backstage/plugin-catalog-backend 0.21.0-next.0 → 0.21.2-next.1

package/CHANGELOG.md

@@ -1,5 +1,127 @@
 # @backstage/plugin-catalog-backend
 
+## 0.21.2-next.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-catalog-common@0.1.2-next.0
+  - @backstage/backend-common@0.10.6-next.0
+  - @backstage/plugin-permission-node@0.4.2-next.1
+
+## 0.21.2-next.0
+
+### Patch Changes
+
+- fac5f112b4: chore(deps): bump `prom-client` from 13.2.0 to 14.0.1
+- 5bbffa60be: Pass authorization token to location service inside location api routes
+- Updated dependencies
+  - @backstage/plugin-permission-node@0.4.2-next.0
+
+## 0.21.1
+
+### Patch Changes
+
+- 4f5bde47e9: Add support for permissions to the DefaultCatalogCollator.
+- Updated dependencies
+  - @backstage/search-common@0.2.2
+  - @backstage/backend-common@0.10.5
+  - @backstage/plugin-permission-node@0.4.1
+
+## 0.21.0
+
+### Minor Changes
+
+- 9f2a8dc423: **BREAKING**: Removed all remnants of the old catalog engine implementation.
+
+  The old implementation has been deprecated for over half a year. To ensure that
+  you are not using the old implementation, check that your
+  `packages/backend/src/plugins/catalog.ts` creates the catalog builder using
+  `CatalogBuilder.create`. If you instead call `new CatalogBuilder`, you are on
+  the old implementation and will experience breakage if you upgrade to this
+  version. If you are still on the old version, see [the relevant change log
+  entry](https://github.com/backstage/backstage/blob/master/plugins/catalog-backend/CHANGELOG.md#patch-changes-27)
+  for migration instructions.
+
+  The minimal `packages/backend/src/plugins/catalog.ts` file is now:
+
+  ```ts
+  export default async function createPlugin(
+    env: PluginEnvironment,
+  ): Promise<Router> {
+    const builder = await CatalogBuilder.create(env);
+    builder.addProcessor(new ScaffolderEntitiesProcessor());
+    const { processingEngine, router } = await builder.build();
+    await processingEngine.start();
+    return router;
+  }
+  ```
+
+  The following classes and interfaces have been removed:
+
+  - The `CatalogBuilder` constructor (see above; use `CatalogBuilder.create`
+    instead)
+  - `AddLocationResult`
+  - `CommonDatabase`
+  - `CreateDatabaseOptions`
+  - `createNextRouter` (use `createRouter` instead - or preferably, use the
+    `router` field returned for you by `catalogBuilder.build()`)
+  - `Database`
+  - `DatabaseEntitiesCatalog` (use `EntitiesCatalog` instead)
+  - `DatabaseLocationsCatalog` (use `LocationService` instead)
+  - `DatabaseLocationUpdateLogEvent`
+  - `DatabaseLocationUpdateLogStatus`
+  - `DatabaseManager`
+  - `DbEntitiesRequest`
+  - `DbEntitiesResponse`
+  - `DbEntityRequest`
+  - `DbEntityResponse`
+  - `DbLocationsRow`
+  - `DbLocationsRowWithStatus`
+  - `DbPageInfo`
+  - `EntitiesCatalog.batchAddOrUpdateEntities` (was only used by the legacy
+    engine)
+  - `EntityUpsertRequest`
+  - `EntityUpsertResponse`
+  - `HigherOrderOperation`
+  - `HigherOrderOperations`
+  - `LocationReader`
+  - `LocationReaders`
+  - `LocationResponse`
+  - `LocationsCatalog`
+  - `LocationUpdateLogEvent`
+  - `LocationUpdateStatus`
+  - `NextCatalogBuilder` (use `CatalogBuilder.create` instead)
+  - `NextRouterOptions` (use `RouterOptions` instead)
+  - `ReadLocationEntity`
+  - `ReadLocationError`
+  - `ReadLocationResult`
+  - `Transaction`
+
+  The `RouterOptions` interface has been un-deprecated, and has instead found use
+  for passing into `createRouter`. Its shape has been significantly changed to
+  accommodate the new router.
+
+### Patch Changes
+
+- e15ce5c16e: Integrate authorization into the delete entities endpoint
+- dce98a92f7: Now when entities are deleted, the parent entity state is updated such that it will "heal" accidental deletes on the next refresh round.
+- 02687954ca: Fixed a typo and made a little clarification to a warning message
+- 48248e2db5: Integrate permissions into entity ancestry endpoint in catalog-backend
+- 68edbbeafd: Fix bug with resource loading in permission integration
+- 7e38acaa9e: Integrate permissions into catalog-backend location endpoints
+- 6680853e0c: Export conditional permission policy helpers from catalog-backend
+- 2b27e49eb1: Internal update to match status field changes in `@backstage/catalog-model`.
+- Updated dependencies
+  - @backstage/integration@0.7.2
+  - @backstage/plugin-permission-common@0.4.0
+  - @backstage/backend-common@0.10.4
+  - @backstage/config@0.1.13
+  - @backstage/plugin-permission-node@0.4.0
+  - @backstage/plugin-catalog-common@0.1.1
+  - @backstage/catalog-model@0.9.10
+  - @backstage/catalog-client@0.5.5
+
 ## 0.21.0-next.0
 
 ### Minor Changes

package/dist/index.cjs.js

@@ -21,6 +21,7 @@ var graphql = require('@octokit/graphql');
 var backendCommon = require('@backstage/backend-common');
 var yaml = require('yaml');
 var catalogClient = require('@backstage/catalog-client');
+var pluginCatalogCommon = require('@backstage/plugin-catalog-common');
 var crypto = require('crypto');
 var express = require('express');
 var Router = require('express-promise-router');
@@ -29,7 +30,6 @@ var uuid = require('uuid');
 var luxon = require('luxon');
 var promClient = require('prom-client');
 var stableStringify = require('fast-json-stable-stringify');
-var pluginCatalogCommon = require('@backstage/plugin-catalog-common');
 var pluginPermissionCommon = require('@backstage/plugin-permission-common');
 var pluginPermissionNode = require('@backstage/plugin-permission-node');
 
@@ -1930,6 +1930,7 @@ function withLocations(baseUrl, org, entity) {
 class DefaultCatalogCollator {
   constructor(options) {
     this.type = "software-catalog";
+    this.visibilityPermission = pluginCatalogCommon.catalogEntityReadPermission;
     const { discovery, locationTemplate, filter, catalogClient: catalogClient$1, tokenManager } = options;
     this.discovery = discovery;
     this.locationTemplate = locationTemplate || "/catalog/:namespace/:kind/:name";
@@ -1984,7 +1985,10 @@ class DefaultCatalogCollator {
         namespace: entity.metadata.namespace || "default",
         kind: entity.kind,
         lifecycle: ((_d = entity.spec) == null ? void 0 : _d.lifecycle) || "",
-        owner: ((_e = entity.spec) == null ? void 0 : _e.owner) || ""
+        owner: ((_e = entity.spec) == null ? void 0 : _e.owner) || "",
+        authorization: {
+          resourceRef: catalogModel.stringifyEntityRef(entity)
+        }
       };
     });
   }
@@ -2662,19 +2666,27 @@ async function createRouter(options) {
       if (!dryRun) {
         disallowReadonlyMode(readonlyEnabled);
       }
-      const output = await locationService.createLocation(input, dryRun);
+      const output = await locationService.createLocation(input, dryRun, {
+        authorizationToken: getBearerToken(req.header("authorization"))
+      });
       res.status(201).json(output);
-    }).get("/locations", async (_req, res) => {
-      const locations = await locationService.listLocations();
+    }).get("/locations", async (req, res) => {
+      const locations = await locationService.listLocations({
+        authorizationToken: getBearerToken(req.header("authorization"))
+      });
       res.status(200).json(locations.map((l) => ({ data: l })));
     }).get("/locations/:id", async (req, res) => {
       const { id } = req.params;
-      const output = await locationService.getLocation(id);
+      const output = await locationService.getLocation(id, {
+        authorizationToken: getBearerToken(req.header("authorization"))
+      });
       res.status(200).json(output);
     }).delete("/locations/:id", async (req, res) => {
       disallowReadonlyMode(readonlyEnabled);
       const { id } = req.params;
-      await locationService.deleteLocation(id);
+      await locationService.deleteLocation(id, {
+        authorizationToken: getBearerToken(req.header("authorization"))
+      });
       res.status(204).end();
     });
   }
@@ -4235,6 +4247,41 @@ class AuthorizedEntitiesCatalog {
   }
 }
 
+class AuthorizedLocationService {
+  constructor(locationService, permissionApi) {
+    this.locationService = locationService;
+    this.permissionApi = permissionApi;
+  }
+  async createLocation(spec, dryRun, options) {
+    const authorizationResponse = (await this.permissionApi.authorize([{ permission: pluginCatalogCommon.catalogLocationCreatePermission }], { token: options == null ? void 0 : options.authorizationToken }))[0];
+    if (authorizationResponse.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+      throw new errors.NotAllowedError();
+    }
+    return this.locationService.createLocation(spec, dryRun);
+  }
+  async listLocations(options) {
+    const authorizationResponse = (await this.permissionApi.authorize([{ permission: pluginCatalogCommon.catalogLocationReadPermission }], { token: options == null ? void 0 : options.authorizationToken }))[0];
+    if (authorizationResponse.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+      return [];
+    }
+    return this.locationService.listLocations();
+  }
+  async getLocation(id, options) {
+    const authorizationResponse = (await this.permissionApi.authorize([{ permission: pluginCatalogCommon.catalogLocationReadPermission }], { token: options == null ? void 0 : options.authorizationToken }))[0];
+    if (authorizationResponse.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+      throw new errors.NotFoundError(`Found no location with ID ${id}`);
+    }
+    return this.locationService.getLocation(id);
+  }
+  async deleteLocation(id, options) {
+    const authorizationResponse = (await this.permissionApi.authorize([{ permission: pluginCatalogCommon.catalogLocationDeletePermission }], { token: options == null ? void 0 : options.authorizationToken }))[0];
+    if (authorizationResponse.result === pluginPermissionCommon.AuthorizeResult.DENY) {
+      throw new errors.NotAllowedError();
+    }
+    return this.locationService.deleteLocation(id);
+  }
+}
+
 class CatalogBuilder {
   constructor(env) {
     this.refreshInterval = createRandomRefreshInterval({
@@ -4384,7 +4431,7 @@ class CatalogBuilder {
     const entityProviders = lodash__default["default"].uniqBy([...this.entityProviders, locationStore, configLocationProvider], (provider) => provider.getProviderName());
     const processingEngine = new DefaultCatalogProcessingEngine(logger, processingDatabase, orchestrator, stitcher, () => crypto.createHash("sha1"));
     const locationAnalyzer = (_b = this.locationAnalyzer) != null ? _b : new RepoLocationAnalyzer(logger, integrations);
-    const locationService = new DefaultLocationService(locationStore, orchestrator);
+    const locationService = new AuthorizedLocationService(new DefaultLocationService(locationStore, orchestrator), permissions);
     const refreshService = new AuthorizedRefreshService(new DefaultRefreshService({ database: processingDatabase }), permissions);
     const router = await createRouter({
       entitiesCatalog,
@@ -4455,6 +4502,14 @@ class CatalogBuilder {
   }
 }
 
+const conditionExports = pluginPermissionNode.createConditionExports({
+  pluginId: "catalog",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  rules: permissionRules
+});
+const catalogConditions = conditionExports.conditions;
+const createCatalogPolicyDecision = conditionExports.createPolicyDecision;
+
 exports.AnnotateLocationEntityProcessor = AnnotateLocationEntityProcessor;
 exports.AnnotateScmSlugEntityProcessor = AnnotateScmSlugEntityProcessor;
 exports.AwsOrganizationCloudAccountProcessor = AwsOrganizationCloudAccountProcessor;
@@ -4477,7 +4532,9 @@ exports.LocationEntityProcessor = LocationEntityProcessor;
 exports.PlaceholderProcessor = PlaceholderProcessor;
 exports.StaticLocationProcessor = StaticLocationProcessor;
 exports.UrlReaderProcessor = UrlReaderProcessor;
+exports.catalogConditions = catalogConditions;
 exports.createCatalogPermissionRule = createCatalogPermissionRule;
+exports.createCatalogPolicyDecision = createCatalogPolicyDecision;
 exports.createRandomRefreshInterval = createRandomRefreshInterval;
 exports.createRouter = createRouter;
 exports.durationText = durationText;