@backstage/plugin-permission-backend 0.0.0-nightly-202111222339

package/CHANGELOG.md

@@ -0,0 +1,26 @@
+# @backstage/plugin-permission-backend
+
+## 0.0.0-nightly-202111222339
+
+### Patch Changes
+
+- e7851efa9e: Rename and adjust permission policy return type to reduce nesting
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.0.0-nightly-202111222339
+  - @backstage/plugin-permission-node@0.0.0-nightly-202111222339
+  - @backstage/backend-common@0.0.0-nightly-202111222339
+  - @backstage/plugin-permission-common@0.0.0-nightly-202111222339
+
+## 0.1.0
+
+### Minor Changes
+
+- 7a8312f126: New package containing the backend for authorization and permissions. For more information, see the [authorization PRFC](https://github.com/backstage/backstage/pull/7761).
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.4.9
+  - @backstage/plugin-permission-node@0.1.0
+  - @backstage/backend-common@0.9.11
+  - @backstage/plugin-permission-common@0.2.0

package/README.md

@@ -0,0 +1,6 @@
+# @backstage/plugin-permission-backend
+
+> NOTE: THIS PACKAGE IS EXPERIMENTAL, HERE BE DRAGONS
+
+Backend for Backstage authorization and permissions. For more information, see
+the [authorization PRFC](https://github.com/backstage/backstage/pull/7761).

package/dist/index.cjs.js

@@ -0,0 +1,115 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var zod = require('zod');
+var express = require('express');
+var Router = require('express-promise-router');
+var backendCommon = require('@backstage/backend-common');
+var pluginAuthBackend = require('@backstage/plugin-auth-backend');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var fetch = require('node-fetch');
+
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
+
+var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
+var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
+var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
+
+const responseSchema = zod.z.object({
+  result: zod.z.literal(pluginPermissionCommon.AuthorizeResult.ALLOW).or(zod.z.literal(pluginPermissionCommon.AuthorizeResult.DENY))
+});
+class PermissionIntegrationClient {
+  constructor(options) {
+    this.discovery = options.discovery;
+  }
+  async applyConditions({
+    pluginId,
+    resourceRef,
+    resourceType,
+    conditions
+  }, authHeader) {
+    const endpoint = `${await this.discovery.getBaseUrl(pluginId)}/permissions/apply-conditions`;
+    const request = {
+      resourceRef,
+      resourceType,
+      conditions
+    };
+    const response = await fetch__default['default'](endpoint, {
+      method: "POST",
+      body: JSON.stringify(request),
+      headers: {
+        ...authHeader ? {authorization: authHeader} : {},
+        "content-type": "application/json"
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`);
+    }
+    return responseSchema.parse(await response.json());
+  }
+}
+
+const requestSchema = zod.z.array(zod.z.object({
+  id: zod.z.string(),
+  resourceRef: zod.z.string().optional(),
+  permission: zod.z.object({
+    name: zod.z.string(),
+    resourceType: zod.z.string().optional(),
+    attributes: zod.z.object({
+      action: zod.z.union([
+        zod.z.literal("create"),
+        zod.z.literal("read"),
+        zod.z.literal("update"),
+        zod.z.literal("delete")
+      ]).optional()
+    })
+  })
+}));
+const handleRequest = async ({id, resourceRef, ...request}, user, policy, permissionIntegrationClient, authHeader) => {
+  const response = await policy.handle(request, user);
+  if (response.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+    if (request.permission.resourceType !== response.resourceType) {
+      throw new Error(`Invalid resource conditions returned from permission policy for permission ${request.permission.name}`);
+    }
+    if (resourceRef) {
+      return {
+        id,
+        ...await permissionIntegrationClient.applyConditions({
+          resourceRef,
+          pluginId: response.pluginId,
+          resourceType: response.resourceType,
+          conditions: response.conditions
+        }, authHeader)
+      };
+    }
+    return {
+      id,
+      result: pluginPermissionCommon.AuthorizeResult.CONDITIONAL,
+      conditions: response.conditions
+    };
+  }
+  return {id, ...response};
+};
+async function createRouter(options) {
+  const {policy, discovery, identity} = options;
+  const permissionIntegrationClient = new PermissionIntegrationClient({
+    discovery
+  });
+  const router = Router__default['default']();
+  router.use(express__default['default'].json());
+  router.get("/health", (_, response) => {
+    response.send({status: "ok"});
+  });
+  router.post("/authorize", async (req, res) => {
+    const token = pluginAuthBackend.IdentityClient.getBearerToken(req.header("authorization"));
+    const user = token ? await identity.authenticate(token) : void 0;
+    const body = requestSchema.parse(req.body);
+    res.json(await Promise.all(body.map((request) => handleRequest(request, user, policy, permissionIntegrationClient, req.header("authorization")))));
+  });
+  router.use(backendCommon.errorHandler());
+  return router;
+}
+
+exports.createRouter = createRouter;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequest,\n  ApplyConditionsResponse,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  result: z.literal(AuthorizeResult.ALLOW).or(z.literal(AuthorizeResult.DENY)),\n});\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    {\n      pluginId,\n      resourceRef,\n      resourceType,\n      conditions,\n    }: {\n      resourceRef: string;\n      pluginId: string;\n      resourceType: string;\n      conditions: PermissionCriteria<PermissionCondition>;\n    },\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponse> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/permissions/apply-conditions`;\n\n    const request: ApplyConditionsRequest = {\n      resourceRef,\n      resourceType,\n      conditions,\n    };\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    return responseSchema.parse(await response.json());\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport {\n  BackstageIdentity,\n  IdentityClient,\n} from '@backstage/plugin-auth-backend';\nimport {\n  AuthorizeResult,\n  AuthorizeResponse,\n  AuthorizeRequest,\n  Identified,\n} from '@backstage/plugin-permission-common';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\n\nconst requestSchema: z.ZodSchema<Identified<AuthorizeRequest>[]> = z.array(\n  z.object({\n    id: z.string(),\n    resourceRef: z.string().optional(),\n    permission: z.object({\n      name: z.string(),\n      resourceType: z.string().optional(),\n      attributes: z.object({\n        action: z\n          .union([\n            z.literal('create'),\n            z.literal('read'),\n            z.literal('update'),\n            z.literal('delete'),\n          ])\n          .optional(),\n      }),\n    }),\n  }),\n);\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityClient;\n}\n\nconst handleRequest = async (\n  { id, resourceRef, ...request }: Identified<AuthorizeRequest>,\n  user: BackstageIdentity | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<Identified<AuthorizeResponse>> => {\n  const response = await policy.handle(request, user);\n\n  if (response.result === AuthorizeResult.CONDITIONAL) {\n    // Sanity check that any resource provided matches the one expected by the permission\n    if (request.permission.resourceType !== response.resourceType) {\n      throw new Error(\n        `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n      );\n    }\n\n    if (resourceRef) {\n      return {\n        id,\n        ...(await permissionIntegrationClient.applyConditions(\n          {\n            resourceRef,\n            pluginId: response.pluginId,\n            resourceType: response.resourceType,\n            conditions: response.conditions,\n          },\n          authHeader,\n        )),\n      };\n    }\n\n    return {\n      id,\n      result: AuthorizeResult.CONDITIONAL,\n      conditions: response.conditions,\n    };\n  }\n\n  return { id, ...response };\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity } = options;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<Identified<AuthorizeRequest>[]>,\n      res: Response<Identified<AuthorizeResponse>[]>,\n    ) => {\n      const token = IdentityClient.getBearerToken(req.header('authorization'));\n      const user = token ? await identity.authenticate(token) : undefined;\n\n      const body = requestSchema.parse(req.body);\n\n      res.json(\n        await Promise.all(\n          body.map(request =>\n            handleRequest(\n              request,\n              user,\n              policy,\n              permissionIntegrationClient,\n              req.header('authorization'),\n            ),\n          ),\n        ),\n      );\n    },\n  );\n\n  router.use(errorHandler());\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","Router","express","IdentityClient","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;AA6BA,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,QAAQA,MAAE,QAAQC,uCAAgB,OAAO,GAAGD,MAAE,QAAQC,uCAAgB;AAAA;kCAG/B;AAAA,EAGvC,YAAY,SAAiD;AAC3D,SAAK,YAAY,QAAQ;AAAA;AAAA,QAGrB,gBACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,KAOF,YACkC;AAClC,UAAM,WAAW,GAAG,MAAM,KAAK,UAAU,WACvC;AAGF,UAAM,UAAkC;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA;AAGF,UAAM,WAAW,MAAMC,0BAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACH,aAAa,CAAE,eAAe,cAAe;AAAA,QACjD,gBAAgB;AAAA;AAAA;AAIpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MACR,2FAA2F,SAAS,YAAY,SAAS;AAAA;AAI7H,WAAO,eAAe,MAAM,MAAM,SAAS;AAAA;AAAA;;AC1C/C,MAAM,gBAA6DF,MAAE,MACnEA,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,aAAaA,MAAE,SAAS;AAAA,EACxB,YAAYA,MAAE,OAAO;AAAA,IACnB,MAAMA,MAAE;AAAA,IACR,cAAcA,MAAE,SAAS;AAAA,IACzB,YAAYA,MAAE,OAAO;AAAA,MACnB,QAAQA,MACL,MAAM;AAAA,QACLA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,SAEX;AAAA;AAAA;AAAA;AAmBX,MAAM,gBAAgB,OACpB,CAAE,IAAI,gBAAgB,UACtB,MACA,QACA,6BACA,eAC2C;AAC3C,QAAM,WAAW,MAAM,OAAO,OAAO,SAAS;AAE9C,MAAI,SAAS,WAAWC,uCAAgB,aAAa;AAEnD,QAAI,QAAQ,WAAW,iBAAiB,SAAS,cAAc;AAC7D,YAAM,IAAI,MACR,8EAA8E,QAAQ,WAAW;AAAA;AAIrG,QAAI,aAAa;AACf,aAAO;AAAA,QACL;AAAA,WACI,MAAM,4BAA4B,gBACpC;AAAA,UACE;AAAA,UACA,UAAU,SAAS;AAAA,UACnB,cAAc,SAAS;AAAA,UACvB,YAAY,SAAS;AAAA,WAEvB;AAAA;AAAA;AAKN,WAAO;AAAA,MACL;AAAA,MACA,QAAQA,uCAAgB;AAAA,MACxB,YAAY,SAAS;AAAA;AAAA;AAIzB,SAAO,CAAE,OAAO;AAAA;4BAUhB,SACyB;AACzB,QAAM,CAAE,QAAQ,WAAW,YAAa;AAExC,QAAM,8BAA8B,IAAI,4BAA4B;AAAA,IAClE;AAAA;AAGF,QAAM,SAASE;AACf,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,IAAI,WAAW,CAAC,GAAG,aAAa;AACrC,aAAS,KAAK,CAAE,QAAQ;AAAA;AAG1B,SAAO,KACL,cACA,OACE,KACA,QACG;AACH,UAAM,QAAQC,iCAAe,eAAe,IAAI,OAAO;AACvD,UAAM,OAAO,QAAQ,MAAM,SAAS,aAAa,SAAS;AAE1D,UAAM,OAAO,cAAc,MAAM,IAAI;AAErC,QAAI,KACF,MAAM,QAAQ,IACZ,KAAK,IAAI,aACP,cACE,SACA,MACA,QACA,6BACA,IAAI,OAAO;AAAA;AAQvB,SAAO,IAAIC;AACX,SAAO;AAAA;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+import express from 'express';
+import { Logger } from 'winston';
+import { PluginEndpointDiscovery } from '@backstage/backend-common';
+import { IdentityClient } from '@backstage/plugin-auth-backend';
+import { PermissionPolicy } from '@backstage/plugin-permission-node';
+
+/**
+ * Options required when constructing a new {@link express#Router} using
+ * {@link createRouter}.
+ *
+ * @public
+ */
+interface RouterOptions {
+    logger: Logger;
+    discovery: PluginEndpointDiscovery;
+    policy: PermissionPolicy;
+    identity: IdentityClient;
+}
+/**
+ * Creates a new {@link express#Router} which provides the backend API
+ * for the permission system.
+ *
+ * @public
+ */
+declare function createRouter(options: RouterOptions): Promise<express.Router>;
+
+export { RouterOptions, createRouter };

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@backstage/plugin-permission-backend",
+  "version": "0.0.0-nightly-202111222339",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "scripts": {
+    "start": "backstage-cli backend:dev",
+    "build": "backstage-cli backend:build",
+    "lint": "backstage-cli lint",
+    "test": "backstage-cli test",
+    "prepack": "backstage-cli prepack",
+    "postpack": "backstage-cli postpack",
+    "clean": "backstage-cli clean"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.0.0-nightly-202111222339",
+    "@backstage/config": "^0.1.11",
+    "@backstage/plugin-auth-backend": "^0.0.0-nightly-202111222339",
+    "@backstage/plugin-permission-common": "^0.0.0-nightly-202111222339",
+    "@backstage/plugin-permission-node": "^0.0.0-nightly-202111222339",
+    "@types/express": "*",
+    "express": "^4.17.1",
+    "express-promise-router": "^4.1.0",
+    "node-fetch": "^2.6.1",
+    "winston": "^3.2.1",
+    "yn": "^4.0.0",
+    "zod": "^3.11.6"
+  },
+  "devDependencies": {
+    "@backstage/cli": "^0.0.0-nightly-202111222339",
+    "@types/supertest": "^2.0.8",
+    "supertest": "^4.0.2",
+    "msw": "^0.35.0"
+  },
+  "files": [
+    "dist"
+  ]
+}