@backstage/plugin-permission-backend 0.5.55-next.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/dist/service/router.cjs.js +30 -13
  3. package/dist/service/router.cjs.js.map +1 -1
  4. package/package.json +13 -13
package/CHANGELOG.md CHANGED
@@ -1,5 +1,33 @@
1
1
  # @backstage/plugin-permission-backend
2
2
 
3
+ ## 0.6.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 78eaa50: Improved validation for the `/authorize` endpoint when a `resourceRef` is provided alongside a basic permission. Additionally, introduced a clearer error message for cases where users attempt to directly evaluate conditional permissions.
8
+
9
+ ### Patch Changes
10
+
11
+ - Updated dependencies
12
+ - @backstage/backend-plugin-api@1.3.0
13
+ - @backstage/plugin-auth-node@0.6.2
14
+ - @backstage/plugin-permission-node@0.9.1
15
+ - @backstage/config@1.3.2
16
+ - @backstage/errors@1.2.7
17
+ - @backstage/plugin-permission-common@0.8.4
18
+
19
+ ## 0.5.55
20
+
21
+ ### Patch Changes
22
+
23
+ - Updated dependencies
24
+ - @backstage/plugin-permission-node@0.9.0
25
+ - @backstage/plugin-auth-node@0.6.1
26
+ - @backstage/backend-plugin-api@1.2.1
27
+ - @backstage/config@1.3.2
28
+ - @backstage/errors@1.2.7
29
+ - @backstage/plugin-permission-common@0.8.4
30
+
3
31
  ## 0.5.55-next.1
4
32
 
5
33
  ### Patch Changes
package/dist/service/router.cjs.js CHANGED
@@ -24,24 +24,29 @@ const attributesSchema = zod.z.object({
24
24
  zod.z.literal("delete")
25
25
  ]).optional()
26
26
  });
27
- const permissionSchema = zod.z.union([
27
+ const basicPermissionSchema = zod.z.object({
28
+ type: zod.z.literal("basic"),
29
+ name: zod.z.string(),
30
+ attributes: attributesSchema
31
+ });
32
+ const resourcePermissionSchema = zod.z.object({
33
+ type: zod.z.literal("resource"),
34
+ name: zod.z.string(),
35
+ attributes: attributesSchema,
36
+ resourceType: zod.z.string()
37
+ });
38
+ const evaluatePermissionRequestSchema = zod.z.union([
28
39
  zod.z.object({
29
- type: zod.z.literal("basic"),
30
- name: zod.z.string(),
31
- attributes: attributesSchema
40
+ id: zod.z.string(),
41
+ resourceRef: zod.z.undefined().optional(),
42
+ permission: basicPermissionSchema
32
43
  }),
33
44
  zod.z.object({
34
- type: zod.z.literal("resource"),
35
- name: zod.z.string(),
36
- attributes: attributesSchema,
37
- resourceType: zod.z.string()
45
+ id: zod.z.string(),
46
+ resourceRef: zod.z.string().optional(),
47
+ permission: resourcePermissionSchema
38
48
  })
39
49
  ]);
40
- const evaluatePermissionRequestSchema = zod.z.object({
41
- id: zod.z.string(),
42
- resourceRef: zod.z.string().optional(),
43
- permission: permissionSchema
44
- });
45
50
  const evaluatePermissionRequestBatchSchema = zod.z.object({
46
51
  items: zod.z.array(evaluatePermissionRequestSchema)
47
52
  });
@@ -112,6 +117,9 @@ async function createRouter(options) {
112
117
  "Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true."
113
118
  );
114
119
  }
120
+ const disabledDefaultAuthPolicy = config.getOptionalBoolean(
121
+ "backend.auth.dangerouslyDisableDefaultAuthPolicy"
122
+ ) ?? false;
115
123
  const permissionIntegrationClient = new PermissionIntegrationClient.PermissionIntegrationClient({
116
124
  discovery,
117
125
  auth
@@ -134,6 +142,15 @@ async function createRouter(options) {
134
142
  throw new errors.InputError(parseResult.error.toString());
135
143
  }
136
144
  const body = parseResult.data;
145
+ if (auth.isPrincipal(credentials, "none") && !disabledDefaultAuthPolicy || auth.isPrincipal(credentials, "user") && !credentials.principal.actor) {
146
+ if (body.items.some(
147
+ (r) => pluginPermissionCommon.isResourcePermission(r.permission) && r.resourceRef === void 0
148
+ )) {
149
+ throw new errors.InputError(
150
+ "Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed."
151
+ );
152
+ }
153
+ }
137
154
  res.json({
138
155
  items: await handleRequest(
139
156
  body.items,
package/dist/service/router.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { createLegacyAuthAdapters } from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n AuthorizeResult,\n EvaluatePermissionRequest,\n EvaluatePermissionRequestBatch,\n EvaluatePermissionResponse,\n EvaluatePermissionResponseBatch,\n IdentifiedPermissionMessage,\n isResourcePermission,\n PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n ApplyConditionsRequestEntry,\n ApplyConditionsResponseEntry,\n PermissionPolicy,\n PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n AuthService,\n BackstageCredentials,\n BackstageNonePrincipal,\n BackstageUserPrincipal,\n DiscoveryService,\n HttpAuthService,\n LoggerService,\n RootConfigService,\n UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n action: z\n .union([\n z.literal('create'),\n z.literal('read'),\n z.literal('update'),\n z.literal('delete'),\n ])\n .optional(),\n});\n\nconst permissionSchema = z.union([\n z.object({\n type: z.literal('basic'),\n name: z.string(),\n attributes: attributesSchema,\n }),\n z.object({\n type: z.literal('resource'),\n name: z.string(),\n attributes: attributesSchema,\n resourceType: z.string(),\n }),\n]);\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.object({\n id: z.string(),\n resourceRef: z.string().optional(),\n permission: permissionSchema,\n});\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n z.object({\n items: z.array(evaluatePermissionRequestSchema),\n });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n */\nexport interface RouterOptions {\n logger: LoggerService;\n discovery: DiscoveryService;\n policy: PermissionPolicy;\n identity?: IdentityApi;\n config: RootConfigService;\n auth?: AuthService;\n httpAuth?: HttpAuthService;\n userInfo?: UserInfoService;\n}\n\nconst handleRequest = async (\n requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n policy: PermissionPolicy,\n permissionIntegrationClient: PermissionIntegrationClient,\n credentials: BackstageCredentials<\n BackstageNonePrincipal | BackstageUserPrincipal\n >,\n auth: AuthService,\n userInfo: UserInfoService,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n const applyConditionsLoaderFor = memoize((pluginId: string) => {\n return new DataLoader<\n ApplyConditionsRequestEntry,\n ApplyConditionsResponseEntry\n >(batch =>\n permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n );\n });\n\n let user: PolicyQueryUser | undefined;\n if (auth.isPrincipal(credentials, 'user')) {\n const info = await userInfo.getUserInfo(credentials);\n const { token } = await auth.getPluginRequestToken({\n onBehalfOf: credentials,\n targetPluginId: 'catalog', // TODO: unknown at this point\n });\n user = {\n identity: {\n type: 'user',\n userEntityRef: credentials.principal.userEntityRef,\n ownershipEntityRefs: info.ownershipEntityRefs,\n },\n token,\n credentials,\n info,\n };\n }\n\n return Promise.all(\n requests.map(({ id, resourceRef, ...request }) =>\n policy.handle(request, user).then(decision => {\n if (decision.result !== AuthorizeResult.CONDITIONAL) {\n return {\n id,\n ...decision,\n };\n }\n\n if (!isResourcePermission(request.permission)) {\n throw new Error(\n `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n );\n }\n\n if (decision.resourceType !== request.permission.resourceType) {\n throw new Error(\n `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n );\n }\n\n if (!resourceRef) {\n return {\n id,\n ...decision,\n };\n }\n\n return applyConditionsLoaderFor(decision.pluginId).load({\n id,\n resourceRef,\n ...decision,\n });\n }),\n ),\n );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n * @public\n */\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const { policy, discovery, config, logger } = options;\n const { auth, httpAuth, userInfo } = createLegacyAuthAdapters(options);\n\n if (!config.getOptionalBoolean('permission.enabled')) {\n logger.warn(\n 'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n );\n }\n\n const permissionIntegrationClient = new PermissionIntegrationClient({\n discovery,\n auth,\n });\n\n const router = Router();\n router.use(express.json());\n\n router.get('/health', (_, response) => {\n response.json({ status: 'ok' });\n });\n\n router.post(\n '/authorize',\n async (\n req: Request<EvaluatePermissionRequestBatch>,\n res: Response<EvaluatePermissionResponseBatch>,\n ) => {\n const credentials = await httpAuth.credentials(req, {\n allow: ['user', 'none'],\n });\n\n const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n req.body,\n );\n\n if (!parseResult.success) {\n throw new InputError(parseResult.error.toString());\n }\n\n const body = parseResult.data;\n\n res.json({\n items: await handleRequest(\n body.items,\n policy,\n permissionIntegrationClient,\n credentials,\n auth,\n userInfo,\n ),\n });\n },\n );\n\n return router;\n}\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","createLegacyAuthAdapters","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;;AAqDA,MAAM,gBAAA,GAAsDA,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAS;AACd,CAAC,CAAA;AAED,MAAM,gBAAA,GAAmBA,MAAE,KAAM,CAAA;AAAA,EAC/BA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,IAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,IACZ,YAAA,EAAcA,MAAE,MAAO;AAAA,GACxB;AACH,CAAC,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,MAAO,CAAA;AAAA,EACX,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,EACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,EACjC,UAAY,EAAA;AACd,CAAC,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAoBH,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BACA,EAAA,WAAA,EAGA,MACA,QACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BC,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,GACD,CAAA;AAED,EAAI,IAAA,IAAA;AACJ,EAAA,IAAI,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,CAAG,EAAA;AACzC,IAAA,MAAM,IAAO,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,MACjD,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA;AAAA,KACjB,CAAA;AACD,IAAO,IAAA,GAAA;AAAA,MACL,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAU,CAAA,aAAA;AAAA,QACrC,qBAAqB,IAAK,CAAA;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAa,GAAG,OAAA,EAClC,KAAA,MAAA,CAAO,MAAO,CAAA,OAAA,EAAS,IAAI,CAAA,CAAE,KAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA;AAGF,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA;AAGF,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG;AAAA,SACJ,CAAA;AAAA,OACF;AAAA;AACH,GACF;AACF,CAAA;AASA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,MAAM,EAAE,MAAA,EAAQ,SAAW,EAAA,MAAA,EAAQ,QAAW,GAAA,OAAA;AAC9C,EAAA,MAAM,EAAE,IAAM,EAAA,QAAA,EAAU,QAAS,EAAA,GAAIC,uCAAyB,OAAO,CAAA;AAErE,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL;AAAA,KACF;AAAA;AAGF,EAAM,MAAA,2BAAA,GAA8B,IAAIC,uDAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAO,EAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA;AAAA,GAC/B,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,GAAK,EAAA;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA;AAAA,OACN;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA;AAAA;AAGnD,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA;AAEzB,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA;AACH,GACF;AAEA,EAAO,OAAA,MAAA;AACT;;;;"}
1
+ {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { createLegacyAuthAdapters } from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n AuthorizeResult,\n EvaluatePermissionRequest,\n EvaluatePermissionRequestBatch,\n EvaluatePermissionResponse,\n EvaluatePermissionResponseBatch,\n IdentifiedPermissionMessage,\n isResourcePermission,\n PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n ApplyConditionsRequestEntry,\n ApplyConditionsResponseEntry,\n PermissionPolicy,\n PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n AuthService,\n BackstageCredentials,\n BackstageNonePrincipal,\n BackstageUserPrincipal,\n DiscoveryService,\n HttpAuthService,\n LoggerService,\n RootConfigService,\n UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n action: z\n .union([\n z.literal('create'),\n z.literal('read'),\n z.literal('update'),\n z.literal('delete'),\n ])\n .optional(),\n});\n\nconst basicPermissionSchema = z.object({\n type: z.literal('basic'),\n name: z.string(),\n attributes: attributesSchema,\n});\n\nconst resourcePermissionSchema = z.object({\n type: z.literal('resource'),\n name: z.string(),\n attributes: attributesSchema,\n resourceType: z.string(),\n});\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.union([\n z.object({\n id: z.string(),\n resourceRef: z.undefined().optional(),\n permission: basicPermissionSchema,\n }),\n z.object({\n id: z.string(),\n resourceRef: z.string().optional(),\n permission: resourcePermissionSchema,\n }),\n]);\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n z.object({\n items: z.array(evaluatePermissionRequestSchema),\n });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n */\nexport interface RouterOptions {\n logger: LoggerService;\n discovery: DiscoveryService;\n policy: PermissionPolicy;\n identity?: IdentityApi;\n config: RootConfigService;\n auth?: AuthService;\n httpAuth?: HttpAuthService;\n userInfo?: UserInfoService;\n}\n\nconst handleRequest = async (\n requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n policy: PermissionPolicy,\n permissionIntegrationClient: PermissionIntegrationClient,\n credentials: BackstageCredentials<\n BackstageNonePrincipal | BackstageUserPrincipal\n >,\n auth: AuthService,\n userInfo: UserInfoService,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n const applyConditionsLoaderFor = memoize((pluginId: string) => {\n return new DataLoader<\n ApplyConditionsRequestEntry,\n ApplyConditionsResponseEntry\n >(batch =>\n permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n );\n });\n\n let user: PolicyQueryUser | undefined;\n if (auth.isPrincipal(credentials, 'user')) {\n const info = await userInfo.getUserInfo(credentials);\n const { token } = await auth.getPluginRequestToken({\n onBehalfOf: credentials,\n targetPluginId: 'catalog', // TODO: unknown at this point\n });\n user = {\n identity: {\n type: 'user',\n userEntityRef: credentials.principal.userEntityRef,\n ownershipEntityRefs: info.ownershipEntityRefs,\n },\n token,\n credentials,\n info,\n };\n }\n\n return Promise.all(\n requests.map(({ id, resourceRef, ...request }) =>\n policy.handle(request, user).then(decision => {\n if (decision.result !== AuthorizeResult.CONDITIONAL) {\n return {\n id,\n ...decision,\n };\n }\n\n if (!isResourcePermission(request.permission)) {\n throw new Error(\n `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n );\n }\n\n if (decision.resourceType !== request.permission.resourceType) {\n throw new Error(\n `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n );\n }\n\n if (!resourceRef) {\n return {\n id,\n ...decision,\n };\n }\n\n return applyConditionsLoaderFor(decision.pluginId).load({\n id,\n resourceRef,\n ...decision,\n });\n }),\n ),\n );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n * @public\n */\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const { policy, discovery, config, logger } = options;\n const { auth, httpAuth, userInfo } = createLegacyAuthAdapters(options);\n\n if (!config.getOptionalBoolean('permission.enabled')) {\n logger.warn(\n 'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n );\n }\n\n const disabledDefaultAuthPolicy =\n config.getOptionalBoolean(\n 'backend.auth.dangerouslyDisableDefaultAuthPolicy',\n ) ?? false;\n\n const permissionIntegrationClient = new PermissionIntegrationClient({\n discovery,\n auth,\n });\n\n const router = Router();\n router.use(express.json());\n\n router.get('/health', (_, response) => {\n response.json({ status: 'ok' });\n });\n\n router.post(\n '/authorize',\n async (\n req: Request<EvaluatePermissionRequestBatch>,\n res: Response<EvaluatePermissionResponseBatch>,\n ) => {\n const credentials = await httpAuth.credentials(req, {\n allow: ['user', 'none'],\n });\n\n const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n req.body,\n );\n\n if (!parseResult.success) {\n throw new InputError(parseResult.error.toString());\n }\n\n const body = parseResult.data;\n\n if (\n (auth.isPrincipal(credentials, 'none') && !disabledDefaultAuthPolicy) ||\n (auth.isPrincipal(credentials, 'user') && !credentials.principal.actor)\n ) {\n if (\n body.items.some(\n r =>\n isResourcePermission(r.permission) && r.resourceRef === undefined,\n )\n ) {\n throw new InputError(\n 'Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed.',\n );\n }\n }\n\n res.json({\n items: await handleRequest(\n body.items,\n policy,\n permissionIntegrationClient,\n credentials,\n auth,\n userInfo,\n ),\n });\n },\n );\n\n return router;\n}\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","createLegacyAuthAdapters","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;;AAqDA,MAAM,gBAAA,GAAsDA,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAS;AACd,CAAC,CAAA;AAED,MAAM,qBAAA,GAAwBA,MAAE,MAAO,CAAA;AAAA,EACrC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,EACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA;AACd,CAAC,CAAA;AAED,MAAM,wBAAA,GAA2BA,MAAE,MAAO,CAAA;AAAA,EACxC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA,gBAAA;AAAA,EACZ,YAAA,EAAcA,MAAE,MAAO;AACzB,CAAC,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,KAAM,CAAA;AAAA,EACVA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,WAAa,EAAAA,KAAA,CAAE,SAAU,EAAA,CAAE,QAAS,EAAA;AAAA,IACpC,UAAY,EAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,IACjC,UAAY,EAAA;AAAA,GACb;AACH,CAAC,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAoBH,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BACA,EAAA,WAAA,EAGA,MACA,QACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BC,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,GACD,CAAA;AAED,EAAI,IAAA,IAAA;AACJ,EAAA,IAAI,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,CAAG,EAAA;AACzC,IAAA,MAAM,IAAO,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,MACjD,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA;AAAA,KACjB,CAAA;AACD,IAAO,IAAA,GAAA;AAAA,MACL,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAU,CAAA,aAAA;AAAA,QACrC,qBAAqB,IAAK,CAAA;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAa,GAAG,OAAA,EAClC,KAAA,MAAA,CAAO,MAAO,CAAA,OAAA,EAAS,IAAI,CAAA,CAAE,KAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA;AAGF,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA;AAGF,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG;AAAA,SACJ,CAAA;AAAA,OACF;AAAA;AACH,GACF;AACF,CAAA;AASA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,MAAM,EAAE,MAAA,EAAQ,SAAW,EAAA,MAAA,EAAQ,QAAW,GAAA,OAAA;AAC9C,EAAA,MAAM,EAAE,IAAM,EAAA,QAAA,EAAU,QAAS,EAAA,GAAIC,uCAAyB,OAAO,CAAA;AAErE,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL;AAAA,KACF;AAAA;AAGF,EAAA,MAAM,4BACJ,MAAO,CAAA,kBAAA;AAAA,IACL;AAAA,GACG,IAAA,KAAA;AAEP,EAAM,MAAA,2BAAA,GAA8B,IAAIC,uDAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAO,EAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA;AAAA,GAC/B,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,GAAK,EAAA;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA;AAAA,OACN;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA;AAAA;AAGnD,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA;AAEzB,MAAA,IACG,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,KAAK,CAAC,yBAAA,IAC1C,IAAK,CAAA,WAAA,CAAY,aAAa,MAAM,CAAA,IAAK,CAAC,WAAA,CAAY,UAAU,KACjE,EAAA;AACA,QAAA,IACE,KAAK,KAAM,CAAA,IAAA;AAAA,UACT,OACEL,2CAAqB,CAAA,CAAA,CAAE,UAAU,CAAA,IAAK,EAAE,WAAgB,KAAA,KAAA;AAAA,SAE5D,EAAA;AACA,UAAA,MAAM,IAAIK,iBAAA;AAAA,YACR;AAAA,WACF;AAAA;AACF;AAGF,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA;AACH,GACF;AAEA,EAAO,OAAA,MAAA;AACT;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage/plugin-permission-backend",
3
- "version": "0.5.55-next.1",
3
+ "version": "0.6.0",
4
4
  "backstage": {
5
5
  "role": "backend-plugin",
6
6
  "pluginId": "permission",
@@ -44,11 +44,11 @@
44
44
  "types": "./dist/index.d.ts",
45
45
  "typesVersions": {
46
46
  "*": {
47
- "index": [
48
- "dist/index.d.ts"
49
- ],
50
47
  "alpha": [
51
48
  "dist/alpha.d.ts"
49
+ ],
50
+ "package.json": [
51
+ "package.json"
52
52
  ]
53
53
  }
54
54
  },
@@ -66,12 +66,12 @@
66
66
  },
67
67
  "dependencies": {
68
68
  "@backstage/backend-common": "^0.25.0",
69
- "@backstage/backend-plugin-api": "1.2.1-next.1",
70
- "@backstage/config": "1.3.2",
71
- "@backstage/errors": "1.2.7",
72
- "@backstage/plugin-auth-node": "0.6.1-next.1",
73
- "@backstage/plugin-permission-common": "0.8.4",
74
- "@backstage/plugin-permission-node": "0.8.9-next.1",
69
+ "@backstage/backend-plugin-api": "^1.3.0",
70
+ "@backstage/config": "^1.3.2",
71
+ "@backstage/errors": "^1.2.7",
72
+ "@backstage/plugin-auth-node": "^0.6.2",
73
+ "@backstage/plugin-permission-common": "^0.8.4",
74
+ "@backstage/plugin-permission-node": "^0.9.1",
75
75
  "@types/express": "^4.17.6",
76
76
  "dataloader": "^2.0.0",
77
77
  "express": "^4.17.1",
@@ -81,9 +81,9 @@
81
81
  "zod": "^3.22.4"
82
82
  },
83
83
  "devDependencies": {
84
- "@backstage/backend-defaults": "0.8.2-next.1",
85
- "@backstage/backend-test-utils": "1.3.1-next.1",
86
- "@backstage/cli": "0.30.1-next.0",
84
+ "@backstage/backend-defaults": "^0.9.0",
85
+ "@backstage/backend-test-utils": "^1.4.0",
86
+ "@backstage/cli": "^0.32.0",
87
87
  "@types/lodash": "^4.14.151",
88
88
  "@types/supertest": "^2.0.8",
89
89
  "msw": "^1.0.0",