@backstage/plugin-catalog-backend 1.0.1-next.0 → 1.1.0-next.1

package/CHANGELOG.md

@@ -1,5 +1,56 @@
 # @backstage/plugin-catalog-backend
 
+## 1.1.0-next.1
+
+### Minor Changes
+
+- 8012ac46a0: **BREAKING (alpha api):** Replace `createCatalogPolicyDecision` export with `createCatalogConditionalDecision`, which accepts a permission parameter of type `ResourcePermission<'catalog-entity'>` along with conditions. The permission passed is expected to be the handled permission in `PermissionPolicy#handle`, whose type must first be narrowed using methods like `isPermission` and `isResourcePermission`:
+
+  ```typescript
+  class TestPermissionPolicy implements PermissionPolicy {
+    async handle(
+      request: PolicyQuery<Permission>,
+      _user?: BackstageIdentityResponse,
+    ): Promise<PolicyDecision> {
+      if (
+        // Narrow type of `request.permission` to `ResourcePermission<'catalog-entity'>
+        isResourcePermission(request.permission, RESOURCE_TYPE_CATALOG_ENTITY)
+      ) {
+        return createCatalogConditionalDecision(
+          request.permission,
+          catalogConditions.isEntityOwner(
+            _user?.identity.ownershipEntityRefs ?? [],
+          ),
+        );
+      }
+
+      return {
+        result: AuthorizeResult.ALLOW,
+      };
+  ```
+
+- 8012ac46a0: **BREAKING:** Mark CatalogBuilder#addPermissionRules as @alpha.
+- fb02d2d94d: export `locationSpecToLocationEntity`
+
+### Patch Changes
+
+- ada4446733: Specify type of `visibilityPermission` property on collators and collator factories.
+- 1691c6c5c2: Clarify that config locations that emit User and Group kinds now need to declare so in the `catalog.locations.[].rules`
+- 8012ac46a0: Handle changes to @alpha permission-related types.
+
+  - All exported permission rules and conditions now have a `resourceType`.
+  - `createCatalogConditionalDecision` now expects supplied conditions to have the appropriate `resourceType`.
+  - `createCatalogPermissionRule` now expects `resourceType` as part of the supplied rule object.
+  - Introduce new `CatalogPermissionRule` convenience type.
+
+- Updated dependencies
+  - @backstage/integration@1.1.0-next.1
+  - @backstage/plugin-permission-common@0.6.0-next.0
+  - @backstage/plugin-permission-node@0.6.0-next.1
+  - @backstage/plugin-catalog-common@1.0.1-next.1
+  - @backstage/backend-common@0.13.2-next.1
+  - @backstage/plugin-search-common@0.3.3-next.1
+
 ## 1.0.1-next.0
 
 ### Patch Changes
@@ -1394,6 +1445,8 @@
     locations:
       - type: github-multi-org
         target: https://github.myorg.com
+        rules:
+          - allow: [User, Group]
 
     processors:
       githubMultiOrg:

package/alpha/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-catalog-backend",
-  "version": "1.0.1-next.0",
+  "version": "1.1.0-next.1",
   "main": "../dist/index.cjs.js",
   "types": "../dist/index.alpha.d.ts"
 }

package/dist/index.alpha.d.ts

@@ -9,7 +9,7 @@
 import { CatalogApi } from '@backstage/catalog-client';
 import { CatalogEntityDocument } from '@backstage/plugin-catalog-common';
 import { CompoundEntityRef } from '@backstage/catalog-model';
-import { ConditionalPolicyDecision } from '@backstage/plugin-permission-node';
+import { ConditionalPolicyDecision } from '@backstage/plugin-permission-common';
 import { Conditions } from '@backstage/plugin-permission-node';
 import { Config } from '@backstage/config';
 import { DocumentCollatorFactory } from '@backstage/plugin-search-common';
@@ -17,6 +17,7 @@ import { Entity } from '@backstage/catalog-model';
 import { EntityPolicy } from '@backstage/catalog-model';
 import { GetEntitiesRequest } from '@backstage/catalog-client';
 import { JsonValue } from '@backstage/types';
+import { LocationEntityV1alpha1 } from '@backstage/catalog-model';
 import { Logger } from 'winston';
 import { Permission } from '@backstage/plugin-permission-common';
 import { PermissionAuthorizer } from '@backstage/plugin-permission-common';
@@ -26,6 +27,7 @@ import { PermissionRule } from '@backstage/plugin-permission-node';
 import { PluginDatabaseManager } from '@backstage/backend-common';
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
 import { Readable } from 'stream';
+import { ResourcePermission } from '@backstage/plugin-permission-common';
 import { Router } from 'express';
 import { ScmIntegrationRegistry } from '@backstage/integration';
 import { TokenManager } from '@backstage/backend-common';
@@ -269,8 +271,9 @@ export declare class CatalogBuilder {
      * {@link @backstage/plugin-permission-node#PermissionRule}.
      *
      * @param permissionRules - Additional permission rules
+     * @alpha
      */
-    addPermissionRules(...permissionRules: PermissionRule<Entity, EntitiesSearchFilter, unknown[]>[]): void;
+    addPermissionRules(...permissionRules: CatalogPermissionRule[]): void;
     /**
      * Wires up and returns all of the component parts of the catalog
      */
@@ -285,18 +288,18 @@ export declare class CatalogBuilder {
 }
 
 /**
- * These conditions are used when creating conditional decisions that are returned
- * by authorization policies.
+ * These conditions are used when creating conditional decisions for catalog
+ * entities that are returned by authorization policies.
  *
  * @alpha
  */
 export declare const catalogConditions: Conditions<    {
-hasAnnotation: PermissionRule<Entity, EntitiesSearchFilter, [annotation: string]>;
-hasLabel: PermissionRule<Entity, EntitiesSearchFilter, [label: string]>;
-hasMetadata: PermissionRule<Entity, EntitiesSearchFilter, [key: string, value?: string | undefined]>;
-hasSpec: PermissionRule<Entity, EntitiesSearchFilter, [key: string, value?: string | undefined]>;
-isEntityKind: PermissionRule<Entity, EntitiesSearchFilter, [kinds: string[]]>;
-isEntityOwner: PermissionRule<Entity, EntitiesSearchFilter, [claims: string[]]>;
+hasAnnotation: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [annotation: string]>;
+hasLabel: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [label: string]>;
+hasMetadata: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [key: string, value?: string | undefined]>;
+hasSpec: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [key: string, value?: string | undefined]>;
+isEntityKind: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [kinds: string[]]>;
+isEntityOwner: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [claims: string[]]>;
 }>;
 
 /** @public */
@@ -308,6 +311,15 @@ export declare type CatalogEnvironment = {
     permissions: PermissionAuthorizer;
 };
 
+/**
+ * Convenience type for {@link @backstage/plugin-permission-node#PermissionRule}
+ * instances with the correct resource type, resource, and filter to work with
+ * the catalog.
+ *
+ * @alpha
+ */
+export declare type CatalogPermissionRule<TParams extends unknown[] = unknown[]> = PermissionRule<Entity, EntitiesSearchFilter, 'catalog-entity', TParams>;
+
 /** @public */
 export declare interface CatalogProcessingEngine {
     start(): Promise<void>;
@@ -465,37 +477,46 @@ export declare class CodeOwnersProcessor implements CatalogProcessor {
 }
 
 /**
- * Helper function for creating correctly-typed
- * {@link @backstage/plugin-permission-node#PermissionRule}s for the
- * catalog-backend.
- *
- * @alpha
- */
-export declare const createCatalogPermissionRule: <TParams extends unknown[]>(rule: PermissionRule<Entity, EntitiesSearchFilter, TParams>) => PermissionRule<Entity, EntitiesSearchFilter, TParams>;
-
-/**
- * `createCatalogPolicyDecision` can be used when authoring policies to create
- * conditional decisions.
+ * `createCatalogConditionalDecision` can be used when authoring policies to
+ * create conditional decisions. It requires a permission of type
+ * `ResourcePermission<'catalog-entity'>` to be passed as the first parameter.
+ * It's recommended that you use the provided `isResourcePermission` and
+ * `isPermission` helper methods to narrow the type of the permission passed to
+ * the handle method as shown below.
  *
  * ```
  * // MyAuthorizationPolicy.ts
  * ...
  * import { createCatalogPolicyDecision } from '@backstage/plugin-catalog-backend';
+ * import { RESOURCE_TYPE_CATALOG_ENTITY } from '@backstage/plugin-catalog-common';
  *
  * class MyAuthorizationPolicy implements PermissionPolicy {
  *   async handle(request, user) {
  *     ...
  *
- *     return createCatalogPolicyDecision({
- *       anyOf: [...insert conditions here...],
- *     });
- *   }
+ *     if (isResourcePermission(request.permission, RESOURCE_TYPE_CATALOG_ENTITY)) {
+ *       return createCatalogConditionalDecision(
+ *         request.permission,
+ *         { anyOf: [...insert conditions here...] }
+ *       );
+ *     }
+ *
+ *     ...
  * }
  * ```
  *
  * @alpha
  */
-export declare const createCatalogPolicyDecision: (conditions: PermissionCriteria<PermissionCondition<unknown[]>>) => ConditionalPolicyDecision;
+export declare const createCatalogConditionalDecision: (permission: ResourcePermission<"catalog-entity">, conditions: PermissionCriteria<PermissionCondition<"catalog-entity", unknown[]>>) => ConditionalPolicyDecision;
+
+/**
+ * Helper function for creating correctly-typed
+ * {@link @backstage/plugin-permission-node#PermissionRule}s for the
+ * catalog-backend.
+ *
+ * @alpha
+ */
+export declare const createCatalogPermissionRule: <TParams extends unknown[]>(rule: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", TParams>) => PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", TParams>;
 
 /**
  * Creates a function that returns a random processing interval between minSeconds and maxSeconds.
@@ -716,6 +737,12 @@ export declare type LocationSpec = {
     presence?: 'optional' | 'required';
 };
 
+/** @public */
+export declare function locationSpecToLocationEntity(opts: {
+    location: LocationSpec;
+    parentEntity?: Entity;
+}): LocationEntityV1alpha1;
+
 /** @public */
 export declare function parseEntityYaml(data: Buffer, location: LocationSpec): Iterable<CatalogProcessorResult>;
 
@@ -726,12 +753,12 @@ export declare function parseEntityYaml(data: Buffer, location: LocationSpec): I
  * @alpha
  */
 export declare const permissionRules: {
-    hasAnnotation: PermissionRule<Entity, EntitiesSearchFilter, [annotation: string]>;
-    hasLabel: PermissionRule<Entity, EntitiesSearchFilter, [label: string]>;
-    hasMetadata: PermissionRule<Entity, EntitiesSearchFilter, [key: string, value?: string | undefined]>;
-    hasSpec: PermissionRule<Entity, EntitiesSearchFilter, [key: string, value?: string | undefined]>;
-    isEntityKind: PermissionRule<Entity, EntitiesSearchFilter, [kinds: string[]]>;
-    isEntityOwner: PermissionRule<Entity, EntitiesSearchFilter, [claims: string[]]>;
+    hasAnnotation: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [annotation: string]>;
+    hasLabel: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [label: string]>;
+    hasMetadata: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [key: string, value?: string | undefined]>;
+    hasSpec: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [key: string, value?: string | undefined]>;
+    isEntityKind: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [kinds: string[]]>;
+    isEntityOwner: PermissionRule<Entity, EntitiesSearchFilter, "catalog-entity", [claims: string[]]>;
 };
 
 /**

package/dist/index.beta.d.ts

@@ -9,7 +9,7 @@
 import { CatalogApi } from '@backstage/catalog-client';
 import { CatalogEntityDocument } from '@backstage/plugin-catalog-common';
 import { CompoundEntityRef } from '@backstage/catalog-model';
-import { ConditionalPolicyDecision } from '@backstage/plugin-permission-node';
+import { ConditionalPolicyDecision } from '@backstage/plugin-permission-common';
 import { Conditions } from '@backstage/plugin-permission-node';
 import { Config } from '@backstage/config';
 import { DocumentCollatorFactory } from '@backstage/plugin-search-common';
@@ -17,6 +17,7 @@ import { Entity } from '@backstage/catalog-model';
 import { EntityPolicy } from '@backstage/catalog-model';
 import { GetEntitiesRequest } from '@backstage/catalog-client';
 import { JsonValue } from '@backstage/types';
+import { LocationEntityV1alpha1 } from '@backstage/catalog-model';
 import { Logger } from 'winston';
 import { Permission } from '@backstage/plugin-permission-common';
 import { PermissionAuthorizer } from '@backstage/plugin-permission-common';
@@ -26,6 +27,7 @@ import { PermissionRule } from '@backstage/plugin-permission-node';
 import { PluginDatabaseManager } from '@backstage/backend-common';
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
 import { Readable } from 'stream';
+import { ResourcePermission } from '@backstage/plugin-permission-common';
 import { Router } from 'express';
 import { ScmIntegrationRegistry } from '@backstage/integration';
 import { TokenManager } from '@backstage/backend-common';
@@ -263,14 +265,7 @@ export declare class CatalogBuilder {
      * @param parser - The custom parser
      */
     setEntityDataParser(parser: CatalogProcessorParser): CatalogBuilder;
-    /**
-     * Adds additional permission rules. Permission rules are used to evaluate
-     * catalog resources against queries. See
-     * {@link @backstage/plugin-permission-node#PermissionRule}.
-     *
-     * @param permissionRules - Additional permission rules
-     */
-    addPermissionRules(...permissionRules: PermissionRule<Entity, EntitiesSearchFilter, unknown[]>[]): void;
+    /* Excluded from this release type: addPermissionRules */
     /**
      * Wires up and returns all of the component parts of the catalog
      */
@@ -295,6 +290,8 @@ export declare type CatalogEnvironment = {
     permissions: PermissionAuthorizer;
 };
 
+/* Excluded from this release type: CatalogPermissionRule */
+
 /** @public */
 export declare interface CatalogProcessingEngine {
     start(): Promise<void>;
@@ -451,9 +448,9 @@ export declare class CodeOwnersProcessor implements CatalogProcessor {
     preProcessEntity(entity: Entity, location: LocationSpec): Promise<Entity>;
 }
 
-/* Excluded from this release type: createCatalogPermissionRule */
+/* Excluded from this release type: createCatalogConditionalDecision */
 
-/* Excluded from this release type: createCatalogPolicyDecision */
+/* Excluded from this release type: createCatalogPermissionRule */
 
 /**
  * Creates a function that returns a random processing interval between minSeconds and maxSeconds.
@@ -674,6 +671,12 @@ export declare type LocationSpec = {
     presence?: 'optional' | 'required';
 };
 
+/** @public */
+export declare function locationSpecToLocationEntity(opts: {
+    location: LocationSpec;
+    parentEntity?: Entity;
+}): LocationEntityV1alpha1;
+
 /** @public */
 export declare function parseEntityYaml(data: Buffer, location: LocationSpec): Iterable<CatalogProcessorResult>;
 

package/dist/index.cjs.js

@@ -16,8 +16,9 @@ var path = require('path');
 var util = require('util');
 var yaml = require('yaml');
 var limiterFactory = require('p-limit');
-var catalogClient = require('@backstage/catalog-client');
 var pluginCatalogCommon = require('@backstage/plugin-catalog-common');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var catalogClient = require('@backstage/catalog-client');
 var stream = require('stream');
 var crypto = require('crypto');
 var uuid = require('uuid');
@@ -30,7 +31,6 @@ var Router = require('express-promise-router');
 var yn = require('yn');
 var zod = require('zod');
 var pluginPermissionCommon = require('@backstage/plugin-permission-common');
-var pluginPermissionNode = require('@backstage/plugin-permission-node');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
@@ -676,6 +676,111 @@ const defaultEntityDataParser = async function* defaultEntityDataParser2({ data,
   }
 };
 
+const createCatalogPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
+
+const hasAnnotation = createCatalogPermissionRule({
+  name: "HAS_ANNOTATION",
+  description: "Allow entities which are annotated with the specified annotation",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  apply: (resource, annotation) => {
+    var _a;
+    return !!((_a = resource.metadata.annotations) == null ? void 0 : _a.hasOwnProperty(annotation));
+  },
+  toQuery: (annotation) => ({
+    key: `metadata.annotations.${annotation}`
+  })
+});
+
+const isEntityKind = createCatalogPermissionRule({
+  name: "IS_ENTITY_KIND",
+  description: "Allow entities with the specified kind",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  apply(resource, kinds) {
+    const resourceKind = resource.kind.toLocaleLowerCase("en-US");
+    return kinds.some((kind) => kind.toLocaleLowerCase("en-US") === resourceKind);
+  },
+  toQuery(kinds) {
+    return {
+      key: "kind",
+      values: kinds.map((kind) => kind.toLocaleLowerCase("en-US"))
+    };
+  }
+});
+
+const isEntityOwner = createCatalogPermissionRule({
+  name: "IS_ENTITY_OWNER",
+  description: "Allow entities owned by the current user",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  apply: (resource, claims) => {
+    if (!resource.relations) {
+      return false;
+    }
+    return resource.relations.filter((relation) => relation.type === catalogModel.RELATION_OWNED_BY).some((relation) => claims.includes(relation.targetRef));
+  },
+  toQuery: (claims) => ({
+    key: "relations.ownedBy",
+    values: claims
+  })
+});
+
+const hasLabel = createCatalogPermissionRule({
+  name: "HAS_LABEL",
+  description: "Allow entities which have the specified label metadata.",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  apply: (resource, label) => {
+    var _a;
+    return !!((_a = resource.metadata.labels) == null ? void 0 : _a.hasOwnProperty(label));
+  },
+  toQuery: (label) => ({
+    key: `metadata.labels.${label}`
+  })
+});
+
+const createPropertyRule = (propertyType) => createCatalogPermissionRule({
+  name: `HAS_${propertyType.toUpperCase()}`,
+  description: `Allow entities which have the specified ${propertyType} subfield.`,
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  apply: (resource, key, value) => {
+    const foundValue = lodash.get(resource[propertyType], key);
+    if (value !== void 0) {
+      return value === foundValue;
+    }
+    return !!foundValue;
+  },
+  toQuery: (key, value) => ({
+    key: `${propertyType}.${key}`,
+    ...value !== void 0 && { values: [value] }
+  })
+});
+
+const hasMetadata = createPropertyRule("metadata");
+
+const hasSpec = createPropertyRule("spec");
+
+const permissionRules = {
+  hasAnnotation,
+  hasLabel,
+  hasMetadata,
+  hasSpec,
+  isEntityKind,
+  isEntityOwner
+};
+
+const { conditions, createConditionalDecision } = pluginPermissionNode.createConditionExports({
+  pluginId: "catalog",
+  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
+  rules: permissionRules
+});
+const catalogConditions = conditions;
+const createCatalogConditionalDecision = createConditionalDecision;
+
+function createRandomProcessingInterval(options) {
+  const { minSeconds, maxSeconds } = options;
+  return () => {
+    return Math.random() * (maxSeconds - minSeconds) + minSeconds;
+  };
+}
+
 class DefaultCatalogCollatorFactory {
   constructor(options) {
     this.type = "software-catalog";
@@ -828,13 +933,6 @@ class DefaultCatalogCollator {
   }
 }
 
-function createRandomProcessingInterval(options) {
-  const { minSeconds, maxSeconds } = options;
-  return () => {
-    return Math.random() * (maxSeconds - minSeconds) + minSeconds;
-  };
-}
-
 function isLocationEntity(entity) {
   return entity.kind === "Location";
 }
@@ -884,8 +982,10 @@ function locationSpecToMetadataName(location) {
   const hash = crypto.createHash("sha1").update(`${location.type}:${location.target}`).digest("hex");
   return `generated-${hash}`;
 }
-function locationSpecToLocationEntity(location, parentEntity) {
+function locationSpecToLocationEntity(opts) {
   var _a, _b;
+  const location = opts.location;
+  const parentEntity = opts.parentEntity;
   let ownLocation;
   let originLocation;
   if (parentEntity) {
@@ -957,8 +1057,10 @@ class ConfigLocationEntityProvider {
       const type = location.getString("type");
       const target = location.getString("target");
       const entity = locationSpecToLocationEntity({
-        type,
-        target: type === "file" ? path__default["default"].resolve(target) : target
+        location: {
+          type,
+          target: type === "file" ? path__default["default"].resolve(target) : target
+        }
       });
       const locationKey = getEntityLocationRef(entity);
       return { entity, locationKey };
@@ -988,7 +1090,7 @@ class DefaultLocationStore {
       await tx("locations").insert(inner);
       return inner;
     });
-    const entity = locationSpecToLocationEntity(location);
+    const entity = locationSpecToLocationEntity({ location });
     await this.connection.applyMutation({
       type: "delta",
       added: [{ entity, locationKey: getEntityLocationRef(entity) }],
@@ -1018,7 +1120,7 @@ class DefaultLocationStore {
       await tx("locations").where({ id }).del();
       return location;
     });
-    const entity = locationSpecToLocationEntity(deleted);
+    const entity = locationSpecToLocationEntity({ location: deleted });
     await this.connection.applyMutation({
       type: "delta",
       added: [],
@@ -1035,7 +1137,7 @@ class DefaultLocationStore {
     this._connection = connection;
     const locations = await this.locations();
     const entities = locations.map((location) => {
-      const entity = locationSpecToLocationEntity(location);
+      const entity = locationSpecToLocationEntity({ location });
       return { entity, locationKey: getEntityLocationRef(entity) };
     });
     await this.connection.applyMutation({
@@ -2136,7 +2238,10 @@ class ProcessorOutputCollector {
       }
       this.deferredEntities.push({ entity, locationKey: location });
     } else if (i.type === "location") {
-      const entity = locationSpecToLocationEntity(i.location, this.parentEntity);
+      const entity = locationSpecToLocationEntity({
+        location: i.location,
+        parentEntity: this.parentEntity
+      });
       const locationKey = getEntityLocationRef(entity);
       this.deferredEntities.push({ entity, locationKey });
     } else if (i.type === "relation") {
@@ -3067,91 +3172,6 @@ async function connectEntityProviders(db, providers) {
   }));
 }
 
-const createCatalogPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
-
-const hasAnnotation = createCatalogPermissionRule({
-  name: "HAS_ANNOTATION",
-  description: "Allow entities which are annotated with the specified annotation",
-  apply: (resource, annotation) => {
-    var _a;
-    return !!((_a = resource.metadata.annotations) == null ? void 0 : _a.hasOwnProperty(annotation));
-  },
-  toQuery: (annotation) => ({
-    key: `metadata.annotations.${annotation}`
-  })
-});
-
-const isEntityKind = createCatalogPermissionRule({
-  name: "IS_ENTITY_KIND",
-  description: "Allow entities with the specified kind",
-  apply(resource, kinds) {
-    const resourceKind = resource.kind.toLocaleLowerCase("en-US");
-    return kinds.some((kind) => kind.toLocaleLowerCase("en-US") === resourceKind);
-  },
-  toQuery(kinds) {
-    return {
-      key: "kind",
-      values: kinds.map((kind) => kind.toLocaleLowerCase("en-US"))
-    };
-  }
-});
-
-const isEntityOwner = createCatalogPermissionRule({
-  name: "IS_ENTITY_OWNER",
-  description: "Allow entities owned by the current user",
-  apply: (resource, claims) => {
-    if (!resource.relations) {
-      return false;
-    }
-    return resource.relations.filter((relation) => relation.type === catalogModel.RELATION_OWNED_BY).some((relation) => claims.includes(relation.targetRef));
-  },
-  toQuery: (claims) => ({
-    key: "relations.ownedBy",
-    values: claims
-  })
-});
-
-const hasLabel = createCatalogPermissionRule({
-  name: "HAS_LABEL",
-  description: "Allow entities which have the specified label metadata.",
-  apply: (resource, label) => {
-    var _a;
-    return !!((_a = resource.metadata.labels) == null ? void 0 : _a.hasOwnProperty(label));
-  },
-  toQuery: (label) => ({
-    key: `metadata.labels.${label}`
-  })
-});
-
-const createPropertyRule = (propertyType) => createCatalogPermissionRule({
-  name: `HAS_${propertyType.toUpperCase()}`,
-  description: `Allow entities which have the specified ${propertyType} subfield.`,
-  apply: (resource, key, value) => {
-    const foundValue = lodash.get(resource[propertyType], key);
-    if (value !== void 0) {
-      return value === foundValue;
-    }
-    return !!foundValue;
-  },
-  toQuery: (key, value) => ({
-    key: `${propertyType}.${key}`,
-    ...value !== void 0 && { values: [value] }
-  })
-});
-
-const hasMetadata = createPropertyRule("metadata");
-
-const hasSpec = createPropertyRule("spec");
-
-const permissionRules = {
-  hasAnnotation,
-  hasLabel,
-  hasMetadata,
-  hasSpec,
-  isEntityKind,
-  isEntityOwner
-};
-
 class AuthorizedEntitiesCatalog {
   constructor(entitiesCatalog, permissionApi, transformConditions) {
     this.entitiesCatalog = entitiesCatalog;
@@ -3515,14 +3535,6 @@ class CatalogBuilder {
   }
 }
 
-const conditionExports = pluginPermissionNode.createConditionExports({
-  pluginId: "catalog",
-  resourceType: pluginCatalogCommon.RESOURCE_TYPE_CATALOG_ENTITY,
-  rules: permissionRules
-});
-const catalogConditions = conditionExports.conditions;
-const createCatalogPolicyDecision = conditionExports.createPolicyDecision;
-
 exports.AnnotateLocationEntityProcessor = AnnotateLocationEntityProcessor;
 exports.AnnotateScmSlugEntityProcessor = AnnotateScmSlugEntityProcessor;
 exports.BuiltinKindsEntityProcessor = BuiltinKindsEntityProcessor;
@@ -3535,9 +3547,10 @@ exports.LocationEntityProcessor = LocationEntityProcessor;
 exports.PlaceholderProcessor = PlaceholderProcessor;
 exports.UrlReaderProcessor = UrlReaderProcessor;
 exports.catalogConditions = catalogConditions;
+exports.createCatalogConditionalDecision = createCatalogConditionalDecision;
 exports.createCatalogPermissionRule = createCatalogPermissionRule;
-exports.createCatalogPolicyDecision = createCatalogPolicyDecision;
 exports.createRandomProcessingInterval = createRandomProcessingInterval;
+exports.locationSpecToLocationEntity = locationSpecToLocationEntity;
 exports.parseEntityYaml = parseEntityYaml;
 exports.permissionRules = permissionRules;
 exports.processingResult = processingResult;