@backstage/plugin-permission-backend 0.5.12-next.0 → 0.5.12-next.2

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @backstage/plugin-permission-backend
 
+## 0.5.12-next.2
+
+### Patch Changes
+
+- 2d3a5f09ab: Use `response.json` rather than `response.send` where appropriate, as outlined in `SECURITY.md`
+- Updated dependencies
+  - @backstage/backend-common@0.15.2-next.2
+  - @backstage/plugin-permission-common@0.7.0-next.2
+  - @backstage/plugin-permission-node@0.7.0-next.2
+  - @backstage/plugin-auth-node@0.2.6-next.2
+  - @backstage/config@1.0.3-next.2
+  - @backstage/errors@1.1.2-next.2
+
+## 0.5.12-next.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.15.2-next.1
+  - @backstage/config@1.0.3-next.1
+  - @backstage/errors@1.1.2-next.1
+  - @backstage/plugin-auth-node@0.2.6-next.1
+  - @backstage/plugin-permission-common@0.6.5-next.1
+  - @backstage/plugin-permission-node@0.6.6-next.1
+
 ## 0.5.12-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -144,7 +144,7 @@ async function createRouter(options) {
   const router = Router__default["default"]();
   router.use(express__default["default"].json());
   router.get("/health", (_, response) => {
-    response.send({ status: "ok" });
+    response.json({ status: "ok" });
   });
   router.post(
     "/authorize",

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    decisions: readonly ApplyConditionsRequestEntry[],\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions.map(\n          ({ id, resourceRef, resourceType, conditions }) => ({\n            id,\n            resourceRef,\n            resourceType,\n            conditions,\n          }),\n        ),\n      }),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  IdentityApi,\n} from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionResponse,\n  EvaluatePermissionRequest,\n  IdentifiedPermissionMessage,\n  EvaluatePermissionRequestBatch,\n  EvaluatePermissionResponseBatch,\n  isResourcePermission,\n  PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport { Config } from '@backstage/config';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst permissionSchema = z.union([\n  z.object({\n    type: z.literal('basic'),\n    name: z.string(),\n    attributes: attributesSchema,\n  }),\n  z.object({\n    type: z.literal('resource'),\n    name: z.string(),\n    attributes: attributesSchema,\n    resourceType: z.string(),\n  }),\n]);\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n  IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.object({\n  id: z.string(),\n  resourceRef: z.string().optional(),\n  permission: permissionSchema,\n});\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n  z.object({\n    items: z.array(evaluatePermissionRequestSchema),\n  });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityApi;\n  config: Config;\n}\n\nconst handleRequest = async (\n  requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n  user: BackstageIdentityResponse | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, batch, authHeader),\n    );\n  });\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (!isResourcePermission(request.permission)) {\n          throw new Error(\n            `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n          );\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity, config, logger } = options;\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.send({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<EvaluatePermissionRequestBatch>,\n      res: Response<EvaluatePermissionResponseBatch>,\n    ) => {\n      const user = await identity.getIdentity({ request: req });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          user,\n          policy,\n          permissionIntegrationClient,\n          req.header('authorization'),\n        ),\n      });\n    },\n  );\n\n  router.use(errorHandler());\n\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","memoize","DataLoader","isResourcePermission","Router","express","InputError","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA4BA,MAAM,cAAA,GAAiBA,MAAE,MAAO,CAAA;AAAA,EAC9B,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,MAAA,EAAQA,KACL,CAAA,OAAA,CAAQC,sCAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAGD,KAAE,CAAA,OAAA,CAAQC,sCAAgB,CAAA,IAAI,CAAC,CAAA;AAAA,KACtC,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AAMM,MAAM,2BAA4B,CAAA;AAAA,EAGvC,YAAY,OAAiD,EAAA;AAC3D,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AAAA,GAC3B;AAAA,EAEA,MAAM,eAAA,CACJ,QACA,EAAA,SAAA,EACA,UACyC,EAAA;AACzC,IAAA,MAAM,QAAW,GAAA,CAAA,EAAG,MAAM,IAAA,CAAK,SAAU,CAAA,UAAA;AAAA,MACvC,QAAA;AAAA,KACF,CAAA,mDAAA,CAAA,CAAA;AAEA,IAAM,MAAA,QAAA,GAAW,MAAMC,yBAAA,CAAM,QAAU,EAAA;AAAA,MACrC,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,KAAK,SAAU,CAAA;AAAA,QACnB,OAAO,SAAU,CAAA,GAAA;AAAA,UACf,CAAC,EAAE,EAAA,EAAI,WAAa,EAAA,YAAA,EAAc,YAAkB,MAAA;AAAA,YAClD,EAAA;AAAA,YACA,WAAA;AAAA,YACA,YAAA;AAAA,YACA,UAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACD,CAAA;AAAA,MACD,OAAS,EAAA;AAAA,QACP,GAAI,UAAa,GAAA,EAAE,aAAe,EAAA,UAAA,KAAe,EAAC;AAAA,QAClD,cAAgB,EAAA,kBAAA;AAAA,OAClB;AAAA,KACD,CAAA,CAAA;AAED,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,wFAAA,EAA2F,QAAS,CAAA,MAAA,CAAA,GAAA,EAAY,QAAS,CAAA,UAAA,CAAA,CAAA;AAAA,OAC3H,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,SAAS,cAAe,CAAA,KAAA,CAAM,MAAM,QAAA,CAAS,MAAM,CAAA,CAAA;AAEzD,IAAA,OAAO,MAAO,CAAA,KAAA,CAAA;AAAA,GAChB;AACF;;ACtCA,MAAM,gBAAA,GAAsDF,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,GACnB,EACA,QAAS,EAAA;AACd,CAAC,CAAA,CAAA;AAED,MAAM,gBAAA,GAAmBA,MAAE,KAAM,CAAA;AAAA,EAC/BA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,IAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,IACZ,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,GACxB,CAAA;AACH,CAAC,CAAA,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,MAAO,CAAA;AAAA,EACX,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,EACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,EACjC,UAAY,EAAA,gBAAA;AACd,CAAC,CAAA,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B,CAAA;AAChD,CAAC,CAAA,CAAA;AAgBH,MAAM,gBAAgB,OACpB,QAAA,EACA,IACA,EAAA,MAAA,EACA,6BACA,UACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BG,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,8BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,OAAO,UAAU,CAAA;AAAA,KACzE,CAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAA,GAAgB,OAAQ,EAAA,KAC1C,MAAO,CAAA,MAAA,CAAO,OAAS,EAAA,IAAI,CAAE,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAH,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG,QAAA;AAAA,WACL,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,CAACI,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,QAAQ,UAAW,CAAA,IAAA,CAAA,CAAA;AAAA,WACzG,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,QAAQ,UAAW,CAAA,IAAA,CAAA,CAAA;AAAA,WACnG,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG,QAAA;AAAA,WACL,CAAA;AAAA,SACF;AAEA,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG,QAAA;AAAA,SACJ,CAAA,CAAA;AAAA,OACF,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AACF,CAAA,CAAA;AAQA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,MAAM,EAAE,MAAQ,EAAA,SAAA,EAAW,QAAU,EAAA,MAAA,EAAQ,QAAW,GAAA,OAAA,CAAA;AAExD,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,8GAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,2BAAA,GAA8B,IAAI,2BAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAA,MAAM,SAASC,0BAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,2BAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA,CAAA;AAAA,GAC/B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,OAAO,MAAM,QAAA,CAAS,YAAY,EAAE,OAAA,EAAS,KAAK,CAAA,CAAA;AAExD,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA,IAAA;AAAA,OACN,CAAA;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,IAAA;AAAA,UACA,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,GAAA,CAAI,OAAO,eAAe,CAAA;AAAA,SAC5B;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAEA,EAAO,MAAA,CAAA,GAAA,CAAIC,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/service/PermissionIntegrationClient.ts","../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport fetch from 'node-fetch';\nimport { z } from 'zod';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n} from '@backstage/plugin-permission-node';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\nexport class PermissionIntegrationClient {\n  private readonly discovery: PluginEndpointDiscovery;\n\n  constructor(options: { discovery: PluginEndpointDiscovery }) {\n    this.discovery = options.discovery;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    decisions: readonly ApplyConditionsRequestEntry[],\n    authHeader?: string,\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const endpoint = `${await this.discovery.getBaseUrl(\n      pluginId,\n    )}/.well-known/backstage/permissions/apply-conditions`;\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions.map(\n          ({ id, resourceRef, resourceType, conditions }) => ({\n            id,\n            resourceRef,\n            resourceType,\n            conditions,\n          }),\n        ),\n      }),\n      headers: {\n        ...(authHeader ? { authorization: authHeader } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw new Error(\n        `Unexpected response from plugin upstream when applying conditions. Expected 200 but got ${response.status} - ${response.statusText}`,\n      );\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { Logger } from 'winston';\nimport {\n  errorHandler,\n  PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  IdentityApi,\n} from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionResponse,\n  EvaluatePermissionRequest,\n  IdentifiedPermissionMessage,\n  EvaluatePermissionRequestBatch,\n  EvaluatePermissionResponseBatch,\n  isResourcePermission,\n  PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport { Config } from '@backstage/config';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst permissionSchema = z.union([\n  z.object({\n    type: z.literal('basic'),\n    name: z.string(),\n    attributes: attributesSchema,\n  }),\n  z.object({\n    type: z.literal('resource'),\n    name: z.string(),\n    attributes: attributesSchema,\n    resourceType: z.string(),\n  }),\n]);\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n  IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.object({\n  id: z.string(),\n  resourceRef: z.string().optional(),\n  permission: permissionSchema,\n});\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n  z.object({\n    items: z.array(evaluatePermissionRequestSchema),\n  });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n */\nexport interface RouterOptions {\n  logger: Logger;\n  discovery: PluginEndpointDiscovery;\n  policy: PermissionPolicy;\n  identity: IdentityApi;\n  config: Config;\n}\n\nconst handleRequest = async (\n  requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n  user: BackstageIdentityResponse | undefined,\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  authHeader?: string,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, batch, authHeader),\n    );\n  });\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (!isResourcePermission(request.permission)) {\n          throw new Error(\n            `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n          );\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, identity, config, logger } = options;\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.json({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<EvaluatePermissionRequestBatch>,\n      res: Response<EvaluatePermissionResponseBatch>,\n    ) => {\n      const user = await identity.getIdentity({ request: req });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          user,\n          policy,\n          permissionIntegrationClient,\n          req.header('authorization'),\n        ),\n      });\n    },\n  );\n\n  router.use(errorHandler());\n\n  return router;\n}\n"],"names":["z","AuthorizeResult","fetch","memoize","DataLoader","isResourcePermission","Router","express","InputError","errorHandler"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA4BA,MAAM,cAAA,GAAiBA,MAAE,MAAO,CAAA;AAAA,EAC9B,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,MAAA,EAAQA,KACL,CAAA,OAAA,CAAQC,sCAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAGD,KAAE,CAAA,OAAA,CAAQC,sCAAgB,CAAA,IAAI,CAAC,CAAA;AAAA,KACtC,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AAMM,MAAM,2BAA4B,CAAA;AAAA,EAGvC,YAAY,OAAiD,EAAA;AAC3D,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AAAA,GAC3B;AAAA,EAEA,MAAM,eAAA,CACJ,QACA,EAAA,SAAA,EACA,UACyC,EAAA;AACzC,IAAA,MAAM,QAAW,GAAA,CAAA,EAAG,MAAM,IAAA,CAAK,SAAU,CAAA,UAAA;AAAA,MACvC,QAAA;AAAA,KACF,CAAA,mDAAA,CAAA,CAAA;AAEA,IAAM,MAAA,QAAA,GAAW,MAAMC,yBAAA,CAAM,QAAU,EAAA;AAAA,MACrC,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,KAAK,SAAU,CAAA;AAAA,QACnB,OAAO,SAAU,CAAA,GAAA;AAAA,UACf,CAAC,EAAE,EAAA,EAAI,WAAa,EAAA,YAAA,EAAc,YAAkB,MAAA;AAAA,YAClD,EAAA;AAAA,YACA,WAAA;AAAA,YACA,YAAA;AAAA,YACA,UAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACD,CAAA;AAAA,MACD,OAAS,EAAA;AAAA,QACP,GAAI,UAAa,GAAA,EAAE,aAAe,EAAA,UAAA,KAAe,EAAC;AAAA,QAClD,cAAgB,EAAA,kBAAA;AAAA,OAClB;AAAA,KACD,CAAA,CAAA;AAED,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,wFAAA,EAA2F,QAAS,CAAA,MAAA,CAAA,GAAA,EAAY,QAAS,CAAA,UAAA,CAAA,CAAA;AAAA,OAC3H,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,SAAS,cAAe,CAAA,KAAA,CAAM,MAAM,QAAA,CAAS,MAAM,CAAA,CAAA;AAEzD,IAAA,OAAO,MAAO,CAAA,KAAA,CAAA;AAAA,GAChB;AACF;;ACtCA,MAAM,gBAAA,GAAsDF,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,GACnB,EACA,QAAS,EAAA;AACd,CAAC,CAAA,CAAA;AAED,MAAM,gBAAA,GAAmBA,MAAE,KAAM,CAAA;AAAA,EAC/BA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,IAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,IACZ,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,GACxB,CAAA;AACH,CAAC,CAAA,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,MAAO,CAAA;AAAA,EACX,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,EACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,EACjC,UAAY,EAAA,gBAAA;AACd,CAAC,CAAA,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B,CAAA;AAChD,CAAC,CAAA,CAAA;AAgBH,MAAM,gBAAgB,OACpB,QAAA,EACA,IACA,EAAA,MAAA,EACA,6BACA,UACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BG,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,8BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,OAAO,UAAU,CAAA;AAAA,KACzE,CAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAA,GAAgB,OAAQ,EAAA,KAC1C,MAAO,CAAA,MAAA,CAAO,OAAS,EAAA,IAAI,CAAE,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAH,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG,QAAA;AAAA,WACL,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,CAACI,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,QAAQ,UAAW,CAAA,IAAA,CAAA,CAAA;AAAA,WACzG,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,QAAQ,UAAW,CAAA,IAAA,CAAA,CAAA;AAAA,WACnG,CAAA;AAAA,SACF;AAEA,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG,QAAA;AAAA,WACL,CAAA;AAAA,SACF;AAEA,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG,QAAA;AAAA,SACJ,CAAA,CAAA;AAAA,OACF,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AACF,CAAA,CAAA;AAQA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,MAAM,EAAE,MAAQ,EAAA,SAAA,EAAW,QAAU,EAAA,MAAA,EAAQ,QAAW,GAAA,OAAA,CAAA;AAExD,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,8GAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,2BAAA,GAA8B,IAAI,2BAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAA,MAAM,SAASC,0BAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,2BAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA,CAAA;AAAA,GAC/B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,OAAO,MAAM,QAAA,CAAS,YAAY,EAAE,OAAA,EAAS,KAAK,CAAA,CAAA;AAExD,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA,IAAA;AAAA,OACN,CAAA;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,IAAA;AAAA,UACA,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,GAAA,CAAI,OAAO,eAAe,CAAA;AAAA,SAC5B;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAEA,EAAO,MAAA,CAAA,GAAA,CAAIC,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-backend",
-  "version": "0.5.12-next.0",
+  "version": "0.5.12-next.2",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -22,12 +22,12 @@
     "clean": "backstage-cli package clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.15.2-next.0",
-    "@backstage/config": "^1.0.3-next.0",
-    "@backstage/errors": "^1.1.2-next.0",
-    "@backstage/plugin-auth-node": "^0.2.6-next.0",
-    "@backstage/plugin-permission-common": "^0.6.5-next.0",
-    "@backstage/plugin-permission-node": "^0.6.6-next.0",
+    "@backstage/backend-common": "^0.15.2-next.2",
+    "@backstage/config": "^1.0.3-next.2",
+    "@backstage/errors": "^1.1.2-next.2",
+    "@backstage/plugin-auth-node": "^0.2.6-next.2",
+    "@backstage/plugin-permission-common": "^0.7.0-next.2",
+    "@backstage/plugin-permission-node": "^0.7.0-next.2",
     "@types/express": "*",
     "dataloader": "^2.0.0",
     "express": "^4.17.1",
@@ -39,7 +39,7 @@
     "zod": "^3.11.6"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.20.0-next.0",
+    "@backstage/cli": "^0.20.0-next.2",
     "@types/lodash": "^4.14.151",
     "@types/supertest": "^2.0.8",
     "msw": "^0.47.0",