@backstage/plugin-permission-backend 0.3.0 → 0.4.2-next.0

package/CHANGELOG.md

@@ -1,5 +1,52 @@
 # @backstage/plugin-permission-backend
 
+## 0.4.2-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.9.0-next.0
+  - @backstage/plugin-permission-node@0.4.2-next.0
+
+## 0.4.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.8.0
+  - @backstage/backend-common@0.10.5
+  - @backstage/plugin-permission-node@0.4.1
+
+## 0.4.0
+
+### Minor Changes
+
+- b768259244: **BREAKING**: Wrap batched requests and responses to /authorize in an envelope object. The latest version of the PermissionClient in @backstage/permission-common uses the new format - as long as the permission-backend is consumed using this client, no other changes are necessary.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.7.0
+  - @backstage/plugin-permission-common@0.4.0
+  - @backstage/backend-common@0.10.4
+  - @backstage/config@0.1.13
+  - @backstage/plugin-permission-node@0.4.0
+
+## 0.4.0-next.0
+
+### Minor Changes
+
+- b768259244: **BREAKING**: Wrap batched requests and responses to /authorize in an envelope object. The latest version of the PermissionClient in @backstage/permission-common uses the new format - as long as the permission-backend is consumed using this client, no other changes are necessary.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.7.0-next.0
+  - @backstage/plugin-permission-common@0.4.0-next.0
+  - @backstage/backend-common@0.10.4-next.0
+  - @backstage/config@0.1.13-next.0
+  - @backstage/plugin-permission-node@0.4.0-next.0
+
 ## 0.3.0
 
 ### Minor Changes

package/dist/index.cjs.js

@@ -55,7 +55,7 @@ class PermissionIntegrationClient {
   }
 }
 
-const requestSchema = zod.z.array(zod.z.object({
+const querySchema = zod.z.object({
   id: zod.z.string(),
   resourceRef: zod.z.string().optional(),
   permission: zod.z.object({
@@ -70,7 +70,10 @@ const requestSchema = zod.z.array(zod.z.object({
       ]).optional()
     })
   })
-}));
+});
+const requestSchema = zod.z.object({
+  items: zod.z.array(querySchema)
+});
 const handleRequest = async (requests, user, policy, permissionIntegrationClient, authHeader) => {
   const applyConditionsLoaderFor = lodash.memoize((pluginId) => {
     return new DataLoader__default["default"]((batch) => permissionIntegrationClient.applyConditions(pluginId, batch, authHeader));
@@ -116,7 +119,9 @@ async function createRouter(options) {
       throw new errors.InputError(parseResult.error.toString());
     }
     const body = parseResult.data;
-    res.json(await handleRequest(body, user, policy, permissionIntegrationClient, req.header("authorization")));
+    res.json({
+      items: await handleRequest(body.items, user, policy, permissionIntegrationClient, req.header("authorization"))
+    });
   });
   router.use(backendCommon.errorHandler());
   return router;

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    decisions: readonly ApplyConditionsRequestEntry[],\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions.map(\n          ({ id, resourceRef, resourceType, conditions }) => ({\n            id,\n            resourceRef,\n            resourceType,\n            conditions,\n          }),\n        ),\n      }),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  IdentityClient,\n} from '@backstage/plugin-auth-backend';\nimport {\n  AuthorizeResult,\n  AuthorizeResponse,\n  AuthorizeRequest,\n  Identified,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\n\nconst requestSchema: z.ZodSchema<Identified<AuthorizeRequest>[]> = z.array(\n  z.object({\n    id: z.string(),\n    resourceRef: z.string().optional(),\n    permission: z.object({\n      name: z.string(),\n      resourceType: z.string().optional(),\n      attributes: z.object({\n        action: z\n          .union([\n            z.literal('create'),\n            z.literal('read'),\n            z.literal('update'),\n            z.literal('delete'),\n          ])\n          .optional(),\n      }),\n    }),\n  }),\n);\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityClient;\n}\n\nconst handleRequest = async (\n  requests: Identified<AuthorizeRequest>[],\n  user: BackstageIdentityResponse | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<Identified<AuthorizeResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, batch, authHeader),\n    );\n  });\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity } = options;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<Identified<AuthorizeRequest>[]>,\n      res: Response<Identified<AuthorizeResponse>[]>,\n    ) => {\n      const token = IdentityClient.getBearerToken(req.header('authorization'));\n      const user = token ? await identity.authenticate(token) : undefined;\n\n      const parseResult = requestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json(\n        await handleRequest(\n          body,\n          user,\n          policy,\n          permissionIntegrationClient,\n          req.header('authorization'),\n        ),\n      );\n    },\n  );\n\n  router.use(errorHandler());\n\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","memoize","DataLoader","Router","express","IdentityClient","InputError","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA0BA,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,OAAOA,MAAE,MACPA,MAAE,OAAO;AAAA,IACP,IAAIA,MAAE;AAAA,IACN,QAAQA,MACL,QAAQC,uCAAgB,OACxB,GAAGD,MAAE,QAAQC,uCAAgB;AAAA;AAAA;kCASG;AAAA,EAGvC,YAAY,SAAiD;AAC3D,SAAK,YAAY,QAAQ;AAAA;AAAA,QAGrB,gBACJ,UACA,WACA,YACyC;AACzC,UAAM,WAAW,GAAG,MAAM,KAAK,UAAU,WACvC;AAGF,UAAM,WAAW,MAAMC,0BAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,QACnB,OAAO,UAAU,IACf,CAAC,EAAE,IAAI,aAAa,cAAc;AAAkB,UAClD;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA;AAAA;AAAA,MAIN,SAAS;AAAA,WACH,aAAa,EAAE,eAAe,eAAe;AAAA,QACjD,gBAAgB;AAAA;AAAA;AAIpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MACR,2FAA2F,SAAS,YAAY,SAAS;AAAA;AAI7H,UAAM,SAAS,eAAe,MAAM,MAAM,SAAS;AAEnD,WAAO,OAAO;AAAA;AAAA;;ACvClB,MAAM,gBAA6DF,MAAE,MACnEA,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,aAAaA,MAAE,SAAS;AAAA,EACxB,YAAYA,MAAE,OAAO;AAAA,IACnB,MAAMA,MAAE;AAAA,IACR,cAAcA,MAAE,SAAS;AAAA,IACzB,YAAYA,MAAE,OAAO;AAAA,MACnB,QAAQA,MACL,MAAM;AAAA,QACLA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,SAEX;AAAA;AAAA;AAAA;AAmBX,MAAM,gBAAgB,OACpB,UACA,MACA,QACA,6BACA,eAC6C;AAC7C,QAAM,2BAA2BG,eAAQ,CAAC,aAAqB;AAC7D,WAAO,IAAIC,+BAGT,WACA,4BAA4B,gBAAgB,UAAU,OAAO;AAAA;AAIjE,SAAO,QAAQ,IACb,SAAS,IAAI,CAAC,EAAE,IAAI,gBAAgB,cAClC,OAAO,OAAO,SAAS,MAAM,KAAK,cAAY;AAC5C,QAAI,SAAS,WAAWH,uCAAgB,aAAa;AACnD,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,QAAI,SAAS,iBAAiB,QAAQ,WAAW,cAAc;AAC7D,YAAM,IAAI,MACR,8EAA8E,QAAQ,WAAW;AAAA;AAIrG,QAAI,CAAC,aAAa;AAChB,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,WAAO,yBAAyB,SAAS,UAAU,KAAK;AAAA,MACtD;AAAA,MACA;AAAA,SACG;AAAA;AAAA;AAAA;4BAcX,SACyB;AACzB,QAAM,EAAE,QAAQ,WAAW,aAAa;AAExC,QAAM,8BAA8B,IAAI,4BAA4B;AAAA,IAClE;AAAA;AAGF,QAAM,SAASI;AACf,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,IAAI,WAAW,CAAC,GAAG,aAAa;AACrC,aAAS,KAAK,EAAE,QAAQ;AAAA;AAG1B,SAAO,KACL,cACA,OACE,KACA,QACG;AACH,UAAM,QAAQC,iCAAe,eAAe,IAAI,OAAO;AACvD,UAAM,OAAO,QAAQ,MAAM,SAAS,aAAa,SAAS;AAE1D,UAAM,cAAc,cAAc,UAAU,IAAI;AAEhD,QAAI,CAAC,YAAY,SAAS;AACxB,YAAM,IAAIC,kBAAW,YAAY,MAAM;AAAA;AAGzC,UAAM,OAAO,YAAY;AAEzB,QAAI,KACF,MAAM,cACJ,MACA,MACA,QACA,6BACA,IAAI,OAAO;AAAA;AAMnB,SAAO,IAAIC;AAEX,SAAO;AAAA;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    decisions: readonly ApplyConditionsRequestEntry[],\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions.map(\n          ({ id, resourceRef, resourceType, conditions }) => ({\n            id,\n            resourceRef,\n            resourceType,\n            conditions,\n          }),\n        ),\n      }),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  IdentityClient,\n} from '@backstage/plugin-auth-backend';\nimport {\n  AuthorizeResult,\n  AuthorizeDecision,\n  AuthorizeQuery,\n  Identified,\n  AuthorizeRequest,\n  AuthorizeResponse,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\n\nconst querySchema: z.ZodSchema<Identified<AuthorizeQuery>> = z.object({\n  id: z.string(),\n  resourceRef: z.string().optional(),\n  permission: z.object({\n    name: z.string(),\n    resourceType: z.string().optional(),\n    attributes: z.object({\n      action: z\n        .union([\n          z.literal('create'),\n          z.literal('read'),\n          z.literal('update'),\n          z.literal('delete'),\n        ])\n        .optional(),\n    }),\n  }),\n});\n\nconst requestSchema: z.ZodSchema<AuthorizeRequest> = z.object({\n  items: z.array(querySchema),\n});\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityClient;\n}\n\nconst handleRequest = async (\n  requests: Identified<AuthorizeQuery>[],\n  user: BackstageIdentityResponse | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<Identified<AuthorizeDecision>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, batch, authHeader),\n    );\n  });\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity } = options;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<AuthorizeRequest>,\n      res: Response<AuthorizeResponse>,\n    ) => {\n      const token = IdentityClient.getBearerToken(req.header('authorization'));\n      const user = token ? await identity.authenticate(token) : undefined;\n\n      const parseResult = requestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          user,\n          policy,\n          permissionIntegrationClient,\n          req.header('authorization'),\n        ),\n      });\n    },\n  );\n\n  router.use(errorHandler());\n\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","memoize","DataLoader","Router","express","IdentityClient","InputError","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA0BA,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,OAAOA,MAAE,MACPA,MAAE,OAAO;AAAA,IACP,IAAIA,MAAE;AAAA,IACN,QAAQA,MACL,QAAQC,uCAAgB,OACxB,GAAGD,MAAE,QAAQC,uCAAgB;AAAA;AAAA;kCASG;AAAA,EAGvC,YAAY,SAAiD;AAC3D,SAAK,YAAY,QAAQ;AAAA;AAAA,QAGrB,gBACJ,UACA,WACA,YACyC;AACzC,UAAM,WAAW,GAAG,MAAM,KAAK,UAAU,WACvC;AAGF,UAAM,WAAW,MAAMC,0BAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,QACnB,OAAO,UAAU,IACf,CAAC,EAAE,IAAI,aAAa,cAAc;AAAkB,UAClD;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA;AAAA;AAAA,MAIN,SAAS;AAAA,WACH,aAAa,EAAE,eAAe,eAAe;AAAA,QACjD,gBAAgB;AAAA;AAAA;AAIpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MACR,2FAA2F,SAAS,YAAY,SAAS;AAAA;AAI7H,UAAM,SAAS,eAAe,MAAM,MAAM,SAAS;AAEnD,WAAO,OAAO;AAAA;AAAA;;ACrClB,MAAM,cAAuDF,MAAE,OAAO;AAAA,EACpE,IAAIA,MAAE;AAAA,EACN,aAAaA,MAAE,SAAS;AAAA,EACxB,YAAYA,MAAE,OAAO;AAAA,IACnB,MAAMA,MAAE;AAAA,IACR,cAAcA,MAAE,SAAS;AAAA,IACzB,YAAYA,MAAE,OAAO;AAAA,MACnB,QAAQA,MACL,MAAM;AAAA,QACLA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,QACVA,MAAE,QAAQ;AAAA,SAEX;AAAA;AAAA;AAAA;AAKT,MAAM,gBAA+CA,MAAE,OAAO;AAAA,EAC5D,OAAOA,MAAE,MAAM;AAAA;AAgBjB,MAAM,gBAAgB,OACpB,UACA,MACA,QACA,6BACA,eAC6C;AAC7C,QAAM,2BAA2BG,eAAQ,CAAC,aAAqB;AAC7D,WAAO,IAAIC,+BAGT,WACA,4BAA4B,gBAAgB,UAAU,OAAO;AAAA;AAIjE,SAAO,QAAQ,IACb,SAAS,IAAI,CAAC,EAAE,IAAI,gBAAgB,cAClC,OAAO,OAAO,SAAS,MAAM,KAAK,cAAY;AAC5C,QAAI,SAAS,WAAWH,uCAAgB,aAAa;AACnD,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,QAAI,SAAS,iBAAiB,QAAQ,WAAW,cAAc;AAC7D,YAAM,IAAI,MACR,8EAA8E,QAAQ,WAAW;AAAA;AAIrG,QAAI,CAAC,aAAa;AAChB,aAAO;AAAA,QACL;AAAA,WACG;AAAA;AAAA;AAIP,WAAO,yBAAyB,SAAS,UAAU,KAAK;AAAA,MACtD;AAAA,MACA;AAAA,SACG;AAAA;AAAA;AAAA;4BAcX,SACyB;AACzB,QAAM,EAAE,QAAQ,WAAW,aAAa;AAExC,QAAM,8BAA8B,IAAI,4BAA4B;AAAA,IAClE;AAAA;AAGF,QAAM,SAASI;AACf,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,IAAI,WAAW,CAAC,GAAG,aAAa;AACrC,aAAS,KAAK,EAAE,QAAQ;AAAA;AAG1B,SAAO,KACL,cACA,OACE,KACA,QACG;AACH,UAAM,QAAQC,iCAAe,eAAe,IAAI,OAAO;AACvD,UAAM,OAAO,QAAQ,MAAM,SAAS,aAAa,SAAS;AAE1D,UAAM,cAAc,cAAc,UAAU,IAAI;AAEhD,QAAI,CAAC,YAAY,SAAS;AACxB,YAAM,IAAIC,kBAAW,YAAY,MAAM;AAAA;AAGzC,UAAM,OAAO,YAAY;AAEzB,QAAI,KAAK;AAAA,MACP,OAAO,MAAM,cACX,KAAK,OACL,MACA,QACA,6BACA,IAAI,OAAO;AAAA;AAAA;AAMnB,SAAO,IAAIC;AAEX,SAAO;AAAA;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-backend",
-  "version": "0.3.0",
+  "version": "0.4.2-next.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -19,12 +19,12 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.10.3",
-    "@backstage/config": "^0.1.12",
+    "@backstage/backend-common": "^0.10.5",
+    "@backstage/config": "^0.1.13",
     "@backstage/errors": "^0.2.0",
-    "@backstage/plugin-auth-backend": "^0.6.2",
-    "@backstage/plugin-permission-common": "^0.3.1",
-    "@backstage/plugin-permission-node": "^0.3.0",
+    "@backstage/plugin-auth-backend": "^0.9.0-next.0",
+    "@backstage/plugin-permission-common": "^0.4.0",
+    "@backstage/plugin-permission-node": "^0.4.2-next.0",
     "@types/express": "*",
     "dataloader": "^2.0.0",
     "express": "^4.17.1",
@@ -36,7 +36,7 @@
     "zod": "^3.11.6"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.11.0",
+    "@backstage/cli": "^0.13.1-next.0",
     "@types/lodash": "^4.14.151",
     "@types/supertest": "^2.0.8",
     "msw": "^0.35.0",
@@ -45,5 +45,5 @@
   "files": [
     "dist"
   ],
-  "gitHead": "da66c61bdd63cdb3f0f0cd2e26dc9e6454d93c7b"
+  "gitHead": "a28838ac5c80c7332caa6ca0569d2ec85151784f"
 }