@backstage/plugin-permission-backend 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,58 @@
 # @backstage/plugin-permission-backend
 
+## 0.3.0
+
+### Minor Changes
+
+- 419ca637c0: Optimizations to the integration between the permission backend and plugin-backends using createPermissionIntegrationRouter:
+
+  - The permission backend already supported batched requests to authorize, but would make calls to plugin backend to apply conditions serially. Now, after applying the policy for each authorization request, the permission backend makes a single batched /apply-conditions request to each plugin backend referenced in policy decisions.
+  - The `getResource` method accepted by `createPermissionIntegrationRouter` has been replaced with `getResources`, to allow consumers to make batch requests to upstream data stores. When /apply-conditions is called with a batch of requests, all required resources are requested in a single invocation of `getResources`.
+
+  Plugin owners consuming `createPermissionIntegrationRouter` should replace the `getResource` method in the options with a `getResources` method, accepting an array of resourceRefs, and returning an array of the corresponding resources.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/config@0.1.12
+  - @backstage/backend-common@0.10.3
+  - @backstage/plugin-permission-node@0.3.0
+  - @backstage/plugin-auth-backend@0.6.2
+  - @backstage/errors@0.2.0
+  - @backstage/plugin-permission-common@0.3.1
+
+## 0.2.3
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.6.0
+  - @backstage/backend-common@0.10.1
+  - @backstage/plugin-permission-node@0.2.3
+
+## 0.2.2
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.10.0
+  - @backstage/plugin-auth-backend@0.5.2
+  - @backstage/plugin-permission-common@0.3.0
+  - @backstage/plugin-permission-node@0.2.2
+
+## 0.2.1
+
+### Patch Changes
+
+- a036b65c2f: Updated to use the new `BackstageIdentityResponse` type from `@backstage/plugin-auth-backend`.
+
+  The `BackstageIdentityResponse` type is backwards compatible with the `BackstageIdentity`, and provides an additional `identity` field with the claims of the user.
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.5.0
+  - @backstage/backend-common@0.9.13
+  - @backstage/plugin-permission-node@0.2.1
+
 ## 0.2.0
 
 ### Minor Changes

package/dist/index.cjs.js

@@ -6,47 +6,52 @@ var zod = require('zod');
 var express = require('express');
 var Router = require('express-promise-router');
 var backendCommon = require('@backstage/backend-common');
+var errors = require('@backstage/errors');
 var pluginAuthBackend = require('@backstage/plugin-auth-backend');
 var pluginPermissionCommon = require('@backstage/plugin-permission-common');
 var fetch = require('node-fetch');
+var lodash = require('lodash');
+var DataLoader = require('dataloader');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
+var DataLoader__default = /*#__PURE__*/_interopDefaultLegacy(DataLoader);
 
 const responseSchema = zod.z.object({
-  result: zod.z.literal(pluginPermissionCommon.AuthorizeResult.ALLOW).or(zod.z.literal(pluginPermissionCommon.AuthorizeResult.DENY))
+  items: zod.z.array(zod.z.object({
+    id: zod.z.string(),
+    result: zod.z.literal(pluginPermissionCommon.AuthorizeResult.ALLOW).or(zod.z.literal(pluginPermissionCommon.AuthorizeResult.DENY))
+  }))
 });
 class PermissionIntegrationClient {
   constructor(options) {
     this.discovery = options.discovery;
   }
-  async applyConditions({
-    pluginId,
-    resourceRef,
-    resourceType,
-    conditions
-  }, authHeader) {
+  async applyConditions(pluginId, decisions, authHeader) {
     const endpoint = `${await this.discovery.getBaseUrl(pluginId)}/.well-known/backstage/permissions/apply-conditions`;
-    const request = {
-      resourceRef,
-      resourceType,
-      conditions
-    };
-    const response = await fetch__default['default'](endpoint, {
+    const response = await fetch__default["default"](endpoint, {
       method: "POST",
-      body: JSON.stringify(request),
+      body: JSON.stringify({
+        items: decisions.map(({ id, resourceRef, resourceType, conditions }) => ({
+          id,
+          resourceRef,
+          resourceType,
+          conditions
+        }))
+      }),
       headers: {
-        ...authHeader ? {authorization: authHeader} : {},
+        ...authHeader ? { authorization: authHeader } : {},
         "content-type": "application/json"
       }
     });
     if (!response.ok) {
       throw new Error(`Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`);
     }
-    return responseSchema.parse(await response.json());
+    const result = responseSchema.parse(await response.json());
+    return result.items;
   }
 }
 
@@ -66,46 +71,52 @@ const requestSchema = zod.z.array(zod.z.object({
     })
   })
 }));
-const handleRequest = async ({id, resourceRef, ...request}, user, policy, permissionIntegrationClient, authHeader) => {
-  const response = await policy.handle(request, user);
-  if (response.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
-    if (request.permission.resourceType !== response.resourceType) {
+const handleRequest = async (requests, user, policy, permissionIntegrationClient, authHeader) => {
+  const applyConditionsLoaderFor = lodash.memoize((pluginId) => {
+    return new DataLoader__default["default"]((batch) => permissionIntegrationClient.applyConditions(pluginId, batch, authHeader));
+  });
+  return Promise.all(requests.map(({ id, resourceRef, ...request }) => policy.handle(request, user).then((decision) => {
+    if (decision.result !== pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+      return {
+        id,
+        ...decision
+      };
+    }
+    if (decision.resourceType !== request.permission.resourceType) {
       throw new Error(`Invalid resource conditions returned from permission policy for permission ${request.permission.name}`);
     }
-    if (resourceRef) {
+    if (!resourceRef) {
       return {
         id,
-        ...await permissionIntegrationClient.applyConditions({
-          resourceRef,
-          pluginId: response.pluginId,
-          resourceType: response.resourceType,
-          conditions: response.conditions
-        }, authHeader)
+        ...decision
       };
     }
-    return {
+    return applyConditionsLoaderFor(decision.pluginId).load({
       id,
-      result: pluginPermissionCommon.AuthorizeResult.CONDITIONAL,
-      conditions: response.conditions
-    };
-  }
-  return {id, ...response};
+      resourceRef,
+      ...decision
+    });
+  })));
 };
 async function createRouter(options) {
-  const {policy, discovery, identity} = options;
+  const { policy, discovery, identity } = options;
   const permissionIntegrationClient = new PermissionIntegrationClient({
     discovery
   });
-  const router = Router__default['default']();
-  router.use(express__default['default'].json());
+  const router = Router__default["default"]();
+  router.use(express__default["default"].json());
   router.get("/health", (_, response) => {
-    response.send({status: "ok"});
+    response.send({ status: "ok" });
   });
   router.post("/authorize", async (req, res) => {
     const token = pluginAuthBackend.IdentityClient.getBearerToken(req.header("authorization"));
     const user = token ? await identity.authenticate(token) : void 0;
-    const body = requestSchema.parse(req.body);
-    res.json(await Promise.all(body.map((request) => handleRequest(request, user, policy, permissionIntegrationClient, req.header("authorization")))));
+    const parseResult = requestSchema.safeParse(req.body);
+    if (!parseResult.success) {
+      throw new errors.InputError(parseResult.error.toString());
+    }
+    const body = parseResult.data;
+    res.json(await handleRequest(body, user, policy, permissionIntegrationClient, req.header("authorization")));
   });
   router.use(backendCommon.errorHandler());
   return router;

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequest,\n  ApplyConditionsResponse,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  result: z.literal(AuthorizeResult.ALLOW).or(z.literal(AuthorizeResult.DENY)),\n});\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    {\n      pluginId,\n      resourceRef,\n      resourceType,\n      conditions,\n    }: {\n      resourceRef: string;\n      pluginId: string;\n      resourceType: string;\n      conditions: PermissionCriteria<PermissionCondition>;\n    },\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponse> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const request: ApplyConditionsRequest = {\n      resourceRef,\n      resourceType,\n      conditions,\n    };\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    return responseSchema.parse(await response.json());\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport {\n  BackstageIdentity,\n  IdentityClient,\n} from '@backstage/plugin-auth-backend';\nimport {\n  AuthorizeResult,\n  AuthorizeResponse,\n  AuthorizeRequest,\n  Identified,\n} from '@backstage/plugin-permission-common';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\n\nconst requestSchema: z.ZodSchema<Identified<AuthorizeRequest>[]> = z.array(\n  z.object({\n    id: z.string(),\n    resourceRef: z.string().optional(),\n    permission: z.object({\n      name: z.string(),\n      resourceType: z.string().optional(),\n      attributes: z.object({\n        action: z\n          .union([\n            z.literal('create'),\n            z.literal('read'),\n            z.literal('update'),\n            z.literal('delete'),\n          ])\n          .optional(),\n      }),\n    }),\n  }),\n);\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityClient;\n}\n\nconst handleRequest = async (\n  { id, resourceRef, ...request }: Identified<AuthorizeRequest>,\n  user: BackstageIdentity | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<Identified<AuthorizeResponse>> => {\n  const response = await policy.handle(request, user);\n\n  if (response.result === AuthorizeResult.CONDITIONAL) {\n    // Sanity check that any resource provided matches the one expected by the permission\n    if (request.permission.resourceType !== response.resourceType) {\n      throw new Error(\n        `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n      );\n    }\n\n    if (resourceRef) {\n      return {\n        id,\n        ...(await permissionIntegrationClient.applyConditions(\n          {\n            resourceRef,\n            pluginId: response.pluginId,\n            resourceType: response.resourceType,\n            conditions: response.conditions,\n          },\n          authHeader,\n        )),\n      };\n    }\n\n    return {\n      id,\n      result: AuthorizeResult.CONDITIONAL,\n      conditions: response.conditions,\n    };\n  }\n\n  return { id, ...response };\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity } = options;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<Identified<AuthorizeRequest>[]>,\n      res: Response<Identified<AuthorizeResponse>[]>,\n    ) => {\n      const token = IdentityClient.getBearerToken(req.header('authorization'));\n      const user = token ? await identity.authenticate(token) : undefined;\n\n      const body = requestSchema.parse(req.body);\n\n      res.json(\n        await Promise.all(\n          body.map(request =>\n            handleRequest(\n              request,\n              user,\n              policy,\n              permissionIntegrationClient,\n              req.header('authorization'),\n            ),\n          ),\n        ),\n      );\n    },\n  );\n\n  router.use(errorHandler());\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","Router","express","IdentityClient","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;AA6BA,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,QAAQA,MAAE,QAAQC,uCAAgB,OAAO,GAAGD,MAAE,QAAQC,uCAAgB;AAAA;kCAG/B;AAAA,EAGvC,YAAY,SAAiD;AAC3D,SAAK,YAAY,QAAQ;AAAA;AAAA,QAGrB,gBACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,KAOF,YACkC;AAClC,UAAM,WAAW,GAAG,MAAM,KAAK,UAAU,WACvC;AAGF,UAAM,UAAkC;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA;AAGF,UAAM,WAAW,MAAMC,0BAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACH,aAAa,CAAE,eAAe,cAAe;AAAA,QACjD,gBAAgB;AAAA;AAAA;AAIpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MACR,2FAA2F,SAAS,YAAY,SAAS;AAAA;AAI7H,WAAO,eAAe,MAAM,MAAM,SAAS;AAAA;AAAA;;AC1C/C,MAAM,gBAA6DF,MAAE,MACnEA,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,aAAaA,MAAE,SAAS;AAAA,EACxB,YAAYA,MAAE,OAAO;AAAA,IACnB,MAAMA,MAAE;AAAA,IACR,cAAcA,MAAE,SAAS;AAAA,IACzB,YAAYA,MAAE,OAAO;AAAA,MACnB,QAAQA,MACL,MAAM;AAAA,QACLA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,SAEX;AAAA;AAAA;AAAA;AAmBX,MAAM,gBAAgB,OACpB,CAAE,IAAI,gBAAgB,UACtB,MACA,QACA,6BACA,eAC2C;AAC3C,QAAM,WAAW,MAAM,OAAO,OAAO,SAAS;AAE9C,MAAI,SAAS,WAAWC,uCAAgB,aAAa;AAEnD,QAAI,QAAQ,WAAW,iBAAiB,SAAS,cAAc;AAC7D,YAAM,IAAI,MACR,8EAA8E,QAAQ,WAAW;AAAA;AAIrG,QAAI,aAAa;AACf,aAAO;AAAA,QACL;AAAA,WACI,MAAM,4BAA4B,gBACpC;AAAA,UACE;AAAA,UACA,UAAU,SAAS;AAAA,UACnB,cAAc,SAAS;AAAA,UACvB,YAAY,SAAS;AAAA,WAEvB;AAAA;AAAA;AAKN,WAAO;AAAA,MACL;AAAA,MACA,QAAQA,uCAAgB;AAAA,MACxB,YAAY,SAAS;AAAA;AAAA;AAIzB,SAAO,CAAE,OAAO;AAAA;4BAUhB,SACyB;AACzB,QAAM,CAAE,QAAQ,WAAW,YAAa;AAExC,QAAM,8BAA8B,IAAI,4BAA4B;AAAA,IAClE;AAAA;AAGF,QAAM,SAASE;AACf,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,IAAI,WAAW,CAAC,GAAG,aAAa;AACrC,aAAS,KAAK,CAAE,QAAQ;AAAA;AAG1B,SAAO,KACL,cACA,OACE,KACA,QACG;AACH,UAAM,QAAQC,iCAAe,eAAe,IAAI,OAAO;AACvD,UAAM,OAAO,QAAQ,MAAM,SAAS,aAAa,SAAS;AAE1D,UAAM,OAAO,cAAc,MAAM,IAAI;AAErC,QAAI,KACF,MAAM,QAAQ,IACZ,KAAK,IAAI,aACP,cACE,SACA,MACA,QACA,6BACA,IAAI,OAAO;AAAA;AAQvB,SAAO,IAAIC;AACX,SAAO;AAAA;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    decisions: readonly ApplyConditionsRequestEntry[],\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions.map(\n          ({ id, resourceRef, resourceType, conditions }) => ({\n            id,\n            resourceRef,\n            resourceType,\n            conditions,\n          }),\n        ),\n      }),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  IdentityClient,\n} from '@backstage/plugin-auth-backend';\nimport {\n  AuthorizeResult,\n  AuthorizeResponse,\n  AuthorizeRequest,\n  Identified,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\n\nconst requestSchema: z.ZodSchema<Identified<AuthorizeRequest>[]> = z.array(\n  z.object({\n    id: z.string(),\n    resourceRef: z.string().optional(),\n    permission: z.object({\n      name: z.string(),\n      resourceType: z.string().optional(),\n      attributes: z.object({\n        action: z\n          .union([\n            z.literal('create'),\n            z.literal('read'),\n            z.literal('update'),\n            z.literal('delete'),\n          ])\n          .optional(),\n      }),\n    }),\n  }),\n);\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityClient;\n}\n\nconst handleRequest = async (\n  requests: Identified<AuthorizeRequest>[],\n  user: BackstageIdentityResponse | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<Identified<AuthorizeResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, batch, authHeader),\n    );\n  });\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity } = options;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<Identified<AuthorizeRequest>[]>,\n      res: Response<Identified<AuthorizeResponse>[]>,\n    ) => {\n      const token = IdentityClient.getBearerToken(req.header('authorization'));\n      const user = token ? await identity.authenticate(token) : undefined;\n\n      const parseResult = requestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json(\n        await handleRequest(\n          body,\n          user,\n          policy,\n          permissionIntegrationClient,\n          req.header('authorization'),\n        ),\n      );\n    },\n  );\n\n  router.use(errorHandler());\n\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","memoize","DataLoader","Router","express","IdentityClient","InputError","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA0BA,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,OAAOA,MAAE,MACPA,MAAE,OAAO;AAAA,IACP,IAAIA,MAAE;AAAA,IACN,QAAQA,MACL,QAAQC,uCAAgB,OACxB,GAAGD,MAAE,QAAQC,uCAAgB;AAAA;AAAA;kCASG;AAAA,EAGvC,YAAY,SAAiD;AAC3D,SAAK,YAAY,QAAQ;AAAA;AAAA,QAGrB,gBACJ,UACA,WACA,YACyC;AACzC,UAAM,WAAW,GAAG,MAAM,KAAK,UAAU,WACvC;AAGF,UAAM,WAAW,MAAMC,0BAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,QACnB,OAAO,UAAU,IACf,CAAC,EAAE,IAAI,aAAa,cAAc;AAAkB,UAClD;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA;AAAA;AAAA,MAIN,SAAS;AAAA,WACH,aAAa,EAAE,eAAe,eAAe;AAAA,QACjD,gBAAgB;AAAA;AAAA;AAIpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MACR,2FAA2F,SAAS,YAAY,SAAS;AAAA;AAI7H,UAAM,SAAS,eAAe,MAAM,MAAM,SAAS;AAEnD,WAAO,OAAO;AAAA;AAAA;;ACvClB,MAAM,gBAA6DF,MAAE,MACnEA,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,aAAaA,MAAE,SAAS;AAAA,EACxB,YAAYA,MAAE,OAAO;AAAA,IACnB,MAAMA,MAAE;AAAA,IACR,cAAcA,MAAE,SAAS;AAAA,IACzB,YAAYA,MAAE,OAAO;AAAA,MACnB,QAAQA,MACL,MAAM;AAAA,QACLA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,SAEX;AAAA;AAAA;AAAA;AAmBX,MAAM,gBAAgB,OACpB,UACA,MACA,QACA,6BACA,eAC6C;AAC7C,QAAM,2BAA2BG,eAAQ,CAAC,aAAqB;AAC7D,WAAO,IAAIC,+BAGT,WACA,4BAA4B,gBAAgB,UAAU,OAAO;AAAA;AAIjE,SAAO,QAAQ,IACb,SAAS,IAAI,CAAC,EAAE,IAAI,gBAAgB,cAClC,OAAO,OAAO,SAAS,MAAM,KAAK,cAAY;AAC5C,QAAI,SAAS,WAAWH,uCAAgB,aAAa;AACnD,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,QAAI,SAAS,iBAAiB,QAAQ,WAAW,cAAc;AAC7D,YAAM,IAAI,MACR,8EAA8E,QAAQ,WAAW;AAAA;AAIrG,QAAI,CAAC,aAAa;AAChB,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,WAAO,yBAAyB,SAAS,UAAU,KAAK;AAAA,MACtD;AAAA,MACA;AAAA,SACG;AAAA;AAAA;AAAA;4BAcX,SACyB;AACzB,QAAM,EAAE,QAAQ,WAAW,aAAa;AAExC,QAAM,8BAA8B,IAAI,4BAA4B;AAAA,IAClE;AAAA;AAGF,QAAM,SAASI;AACf,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,IAAI,WAAW,CAAC,GAAG,aAAa;AACrC,aAAS,KAAK,EAAE,QAAQ;AAAA;AAG1B,SAAO,KACL,cACA,OACE,KACA,QACG;AACH,UAAM,QAAQC,iCAAe,eAAe,IAAI,OAAO;AACvD,UAAM,OAAO,QAAQ,MAAM,SAAS,aAAa,SAAS;AAE1D,UAAM,cAAc,cAAc,UAAU,IAAI;AAEhD,QAAI,CAAC,YAAY,SAAS;AACxB,YAAM,IAAIC,kBAAW,YAAY,MAAM;AAAA;AAGzC,UAAM,OAAO,YAAY;AAEzB,QAAI,KACF,MAAM,cACJ,MACA,MACA,QACA,6BACA,IAAI,OAAO;AAAA;AAMnB,SAAO,IAAIC;AAEX,SAAO;AAAA;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-backend",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -19,27 +19,31 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.9.12",
-    "@backstage/config": "^0.1.11",
-    "@backstage/plugin-auth-backend": "^0.4.10",
-    "@backstage/plugin-permission-common": "^0.2.0",
-    "@backstage/plugin-permission-node": "^0.2.0",
+    "@backstage/backend-common": "^0.10.3",
+    "@backstage/config": "^0.1.12",
+    "@backstage/errors": "^0.2.0",
+    "@backstage/plugin-auth-backend": "^0.6.2",
+    "@backstage/plugin-permission-common": "^0.3.1",
+    "@backstage/plugin-permission-node": "^0.3.0",
     "@types/express": "*",
+    "dataloader": "^2.0.0",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
+    "lodash": "^4.17.21",
     "node-fetch": "^2.6.1",
     "winston": "^3.2.1",
     "yn": "^4.0.0",
     "zod": "^3.11.6"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.10.0",
+    "@backstage/cli": "^0.11.0",
+    "@types/lodash": "^4.14.151",
     "@types/supertest": "^2.0.8",
     "msw": "^0.35.0",
-    "supertest": "^4.0.2"
+    "supertest": "^6.1.6"
   },
   "files": [
     "dist"
   ],
-  "gitHead": "a05e7081b805006e3f0b2960a08a7753357f532f"
+  "gitHead": "da66c61bdd63cdb3f0f0cd2e26dc9e6454d93c7b"
 }