@backstage/plugin-permission-backend 0.5.55 → 0.7.0-next.0

package/CHANGELOG.md

@@ -1,5 +1,37 @@
 # @backstage/plugin-permission-backend
 
+## 0.7.0-next.0
+
+### Minor Changes
+
+- cf8fd51: **BREAKING** Removed support for the legacy backend system, please [migrate to the new backend system](https://backstage.io/docs/backend-system/building-backends/migrating)
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.3.1-next.0
+  - @backstage/plugin-auth-node@0.6.3-next.0
+  - @backstage/plugin-permission-node@0.9.2-next.0
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/plugin-permission-common@0.8.4
+
+## 0.6.0
+
+### Minor Changes
+
+- 78eaa50: Improved validation for the `/authorize` endpoint when a `resourceRef` is provided alongside a basic permission. Additionally, introduced a clearer error message for cases where users attempt to directly evaluate conditional permissions.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.3.0
+  - @backstage/plugin-auth-node@0.6.2
+  - @backstage/plugin-permission-node@0.9.1
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/plugin-permission-common@0.8.4
+
 ## 0.5.55
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -3,10 +3,8 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var plugin = require('./plugin.cjs.js');
-var router = require('./service/router.cjs.js');
 
 
 
 exports.default = plugin.permissionPlugin;
-exports.createRouter = router.createRouter;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;"}

package/dist/index.d.ts

@@ -1,8 +1,4 @@
 import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
-import { LoggerService, DiscoveryService, RootConfigService, AuthService, HttpAuthService, UserInfoService } from '@backstage/backend-plugin-api';
-import express from 'express';
-import { IdentityApi } from '@backstage/plugin-auth-node';
-import { PermissionPolicy } from '@backstage/plugin-permission-node';
 
 /**
  * Permission plugin
@@ -11,30 +7,4 @@ import { PermissionPolicy } from '@backstage/plugin-permission-node';
  */
 declare const permissionPlugin: _backstage_backend_plugin_api.BackendFeature;
 
-/**
- * Options required when constructing a new {@link express#Router} using
- * {@link createRouter}.
- *
- * @public
- * @deprecated Please migrate to the new backend system as this will be removed in the future.
- */
-interface RouterOptions {
-    logger: LoggerService;
-    discovery: DiscoveryService;
-    policy: PermissionPolicy;
-    identity?: IdentityApi;
-    config: RootConfigService;
-    auth?: AuthService;
-    httpAuth?: HttpAuthService;
-    userInfo?: UserInfoService;
-}
-/**
- * Creates a new {@link express#Router} which provides the backend API
- * for the permission system.
- *
- * @deprecated Please migrate to the new backend system as this will be removed in the future.
- * @public
- */
-declare function createRouter(options: RouterOptions): Promise<express.Router>;
-
-export { type RouterOptions, createRouter, permissionPlugin as default };
+export { permissionPlugin as default };

package/dist/service/router.cjs.js

@@ -3,7 +3,6 @@
 var zod = require('zod');
 var express = require('express');
 var Router = require('express-promise-router');
-var backendCommon = require('@backstage/backend-common');
 var errors = require('@backstage/errors');
 var pluginPermissionCommon = require('@backstage/plugin-permission-common');
 var PermissionIntegrationClient = require('./PermissionIntegrationClient.cjs.js');
@@ -24,24 +23,29 @@ const attributesSchema = zod.z.object({
     zod.z.literal("delete")
   ]).optional()
 });
-const permissionSchema = zod.z.union([
+const basicPermissionSchema = zod.z.object({
+  type: zod.z.literal("basic"),
+  name: zod.z.string(),
+  attributes: attributesSchema
+});
+const resourcePermissionSchema = zod.z.object({
+  type: zod.z.literal("resource"),
+  name: zod.z.string(),
+  attributes: attributesSchema,
+  resourceType: zod.z.string()
+});
+const evaluatePermissionRequestSchema = zod.z.union([
   zod.z.object({
-    type: zod.z.literal("basic"),
-    name: zod.z.string(),
-    attributes: attributesSchema
+    id: zod.z.string(),
+    resourceRef: zod.z.undefined().optional(),
+    permission: basicPermissionSchema
   }),
   zod.z.object({
-    type: zod.z.literal("resource"),
-    name: zod.z.string(),
-    attributes: attributesSchema,
-    resourceType: zod.z.string()
+    id: zod.z.string(),
+    resourceRef: zod.z.string().optional(),
+    permission: resourcePermissionSchema
   })
 ]);
-const evaluatePermissionRequestSchema = zod.z.object({
-  id: zod.z.string(),
-  resourceRef: zod.z.string().optional(),
-  permission: permissionSchema
-});
 const evaluatePermissionRequestBatchSchema = zod.z.object({
   items: zod.z.array(evaluatePermissionRequestSchema)
 });
@@ -105,13 +109,15 @@ const handleRequest = async (requests, policy, permissionIntegrationClient, cred
   );
 };
 async function createRouter(options) {
-  const { policy, discovery, config, logger } = options;
-  const { auth, httpAuth, userInfo } = backendCommon.createLegacyAuthAdapters(options);
+  const { policy, discovery, config, logger, auth, httpAuth, userInfo } = options;
   if (!config.getOptionalBoolean("permission.enabled")) {
     logger.warn(
       "Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true."
     );
   }
+  const disabledDefaultAuthPolicy = config.getOptionalBoolean(
+    "backend.auth.dangerouslyDisableDefaultAuthPolicy"
+  ) ?? false;
   const permissionIntegrationClient = new PermissionIntegrationClient.PermissionIntegrationClient({
     discovery,
     auth
@@ -134,6 +140,15 @@ async function createRouter(options) {
         throw new errors.InputError(parseResult.error.toString());
       }
       const body = parseResult.data;
+      if (auth.isPrincipal(credentials, "none") && !disabledDefaultAuthPolicy || auth.isPrincipal(credentials, "user") && !credentials.principal.actor) {
+        if (body.items.some(
+          (r) => pluginPermissionCommon.isResourcePermission(r.permission) && r.resourceRef === void 0
+        )) {
+          throw new errors.InputError(
+            "Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed."
+          );
+        }
+      }
       res.json({
         items: await handleRequest(
           body.items,

package/dist/service/router.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { createLegacyAuthAdapters } from '@backstage/backend-common';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionRequest,\n  EvaluatePermissionRequestBatch,\n  EvaluatePermissionResponse,\n  EvaluatePermissionResponseBatch,\n  IdentifiedPermissionMessage,\n  isResourcePermission,\n  PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n  PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstageUserPrincipal,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n  UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst permissionSchema = z.union([\n  z.object({\n    type: z.literal('basic'),\n    name: z.string(),\n    attributes: attributesSchema,\n  }),\n  z.object({\n    type: z.literal('resource'),\n    name: z.string(),\n    attributes: attributesSchema,\n    resourceType: z.string(),\n  }),\n]);\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n  IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.object({\n  id: z.string(),\n  resourceRef: z.string().optional(),\n  permission: permissionSchema,\n});\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n  z.object({\n    items: z.array(evaluatePermissionRequestSchema),\n  });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @public\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n */\nexport interface RouterOptions {\n  logger: LoggerService;\n  discovery: DiscoveryService;\n  policy: PermissionPolicy;\n  identity?: IdentityApi;\n  config: RootConfigService;\n  auth?: AuthService;\n  httpAuth?: HttpAuthService;\n  userInfo?: UserInfoService;\n}\n\nconst handleRequest = async (\n  requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  credentials: BackstageCredentials<\n    BackstageNonePrincipal | BackstageUserPrincipal\n  >,\n  auth: AuthService,\n  userInfo: UserInfoService,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n    );\n  });\n\n  let user: PolicyQueryUser | undefined;\n  if (auth.isPrincipal(credentials, 'user')) {\n    const info = await userInfo.getUserInfo(credentials);\n    const { token } = await auth.getPluginRequestToken({\n      onBehalfOf: credentials,\n      targetPluginId: 'catalog', // TODO: unknown at this point\n    });\n    user = {\n      identity: {\n        type: 'user',\n        userEntityRef: credentials.principal.userEntityRef,\n        ownershipEntityRefs: info.ownershipEntityRefs,\n      },\n      token,\n      credentials,\n      info,\n    };\n  }\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (!isResourcePermission(request.permission)) {\n          throw new Error(\n            `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n          );\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @deprecated Please migrate to the new backend system as this will be removed in the future.\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, config, logger } = options;\n  const { auth, httpAuth, userInfo } = createLegacyAuthAdapters(options);\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n    auth,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.json({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<EvaluatePermissionRequestBatch>,\n      res: Response<EvaluatePermissionResponseBatch>,\n    ) => {\n      const credentials = await httpAuth.credentials(req, {\n        allow: ['user', 'none'],\n      });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          policy,\n          permissionIntegrationClient,\n          credentials,\n          auth,\n          userInfo,\n        ),\n      });\n    },\n  );\n\n  return router;\n}\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","createLegacyAuthAdapters","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;;AAqDA,MAAM,gBAAA,GAAsDA,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAS;AACd,CAAC,CAAA;AAED,MAAM,gBAAA,GAAmBA,MAAE,KAAM,CAAA;AAAA,EAC/BA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,IAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,UAAY,EAAA,gBAAA;AAAA,IACZ,YAAA,EAAcA,MAAE,MAAO;AAAA,GACxB;AACH,CAAC,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,MAAO,CAAA;AAAA,EACX,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,EACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,EACjC,UAAY,EAAA;AACd,CAAC,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAoBH,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BACA,EAAA,WAAA,EAGA,MACA,QACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BC,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,GACD,CAAA;AAED,EAAI,IAAA,IAAA;AACJ,EAAA,IAAI,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,CAAG,EAAA;AACzC,IAAA,MAAM,IAAO,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,MACjD,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA;AAAA,KACjB,CAAA;AACD,IAAO,IAAA,GAAA;AAAA,MACL,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAU,CAAA,aAAA;AAAA,QACrC,qBAAqB,IAAK,CAAA;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAa,GAAG,OAAA,EAClC,KAAA,MAAA,CAAO,MAAO,CAAA,OAAA,EAAS,IAAI,CAAA,CAAE,KAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA;AAGF,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA;AAGF,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG;AAAA,SACJ,CAAA;AAAA,OACF;AAAA;AACH,GACF;AACF,CAAA;AASA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,MAAM,EAAE,MAAA,EAAQ,SAAW,EAAA,MAAA,EAAQ,QAAW,GAAA,OAAA;AAC9C,EAAA,MAAM,EAAE,IAAM,EAAA,QAAA,EAAU,QAAS,EAAA,GAAIC,uCAAyB,OAAO,CAAA;AAErE,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL;AAAA,KACF;AAAA;AAGF,EAAM,MAAA,2BAAA,GAA8B,IAAIC,uDAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAO,EAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA;AAAA,GAC/B,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,GAAK,EAAA;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA;AAAA,OACN;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA;AAAA;AAGnD,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA;AAEzB,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA;AACH,GACF;AAEA,EAAO,OAAA,MAAA;AACT;;;;"}
+{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionRequest,\n  EvaluatePermissionRequestBatch,\n  EvaluatePermissionResponse,\n  EvaluatePermissionResponseBatch,\n  IdentifiedPermissionMessage,\n  isResourcePermission,\n  PermissionAttributes,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n  PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstageUserPrincipal,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n  UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst basicPermissionSchema = z.object({\n  type: z.literal('basic'),\n  name: z.string(),\n  attributes: attributesSchema,\n});\n\nconst resourcePermissionSchema = z.object({\n  type: z.literal('resource'),\n  name: z.string(),\n  attributes: attributesSchema,\n  resourceType: z.string(),\n});\n\nconst evaluatePermissionRequestSchema: z.ZodSchema<\n  IdentifiedPermissionMessage<EvaluatePermissionRequest>\n> = z.union([\n  z.object({\n    id: z.string(),\n    resourceRef: z.undefined().optional(),\n    permission: basicPermissionSchema,\n  }),\n  z.object({\n    id: z.string(),\n    resourceRef: z.string().optional(),\n    permission: resourcePermissionSchema,\n  }),\n]);\n\nconst evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =\n  z.object({\n    items: z.array(evaluatePermissionRequestSchema),\n  });\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @internal\n */\nexport interface RouterOptions {\n  logger: LoggerService;\n  discovery: DiscoveryService;\n  policy: PermissionPolicy;\n  identity?: IdentityApi;\n  config: RootConfigService;\n  auth: AuthService;\n  httpAuth: HttpAuthService;\n  userInfo: UserInfoService;\n}\n\nconst handleRequest = async (\n  requests: IdentifiedPermissionMessage<EvaluatePermissionRequest>[],\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  credentials: BackstageCredentials<\n    BackstageNonePrincipal | BackstageUserPrincipal\n  >,\n  auth: AuthService,\n  userInfo: UserInfoService,\n): Promise<IdentifiedPermissionMessage<EvaluatePermissionResponse>[]> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n    );\n  });\n\n  let user: PolicyQueryUser | undefined;\n  if (auth.isPrincipal(credentials, 'user')) {\n    const info = await userInfo.getUserInfo(credentials);\n    const { token } = await auth.getPluginRequestToken({\n      onBehalfOf: credentials,\n      targetPluginId: 'catalog', // TODO: unknown at this point\n    });\n    user = {\n      identity: {\n        type: 'user',\n        userEntityRef: credentials.principal.userEntityRef,\n        ownershipEntityRefs: info.ownershipEntityRefs,\n      },\n      token,\n      credentials,\n      info,\n    };\n  }\n\n  return Promise.all(\n    requests.map(({ id, resourceRef, ...request }) =>\n      policy.handle(request, user).then(decision => {\n        if (decision.result !== AuthorizeResult.CONDITIONAL) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        if (!isResourcePermission(request.permission)) {\n          throw new Error(\n            `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n          );\n        }\n\n        if (decision.resourceType !== request.permission.resourceType) {\n          throw new Error(\n            `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n          );\n        }\n\n        if (!resourceRef) {\n          return {\n            id,\n            ...decision,\n          };\n        }\n\n        return applyConditionsLoaderFor(decision.pluginId).load({\n          id,\n          resourceRef,\n          ...decision,\n        });\n      }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @internal\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, config, logger, auth, httpAuth, userInfo } =\n    options;\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const disabledDefaultAuthPolicy =\n    config.getOptionalBoolean(\n      'backend.auth.dangerouslyDisableDefaultAuthPolicy',\n    ) ?? false;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n    auth,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.json({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request<EvaluatePermissionRequestBatch>,\n      res: Response<EvaluatePermissionResponseBatch>,\n    ) => {\n      const credentials = await httpAuth.credentials(req, {\n        allow: ['user', 'none'],\n      });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      if (\n        (auth.isPrincipal(credentials, 'none') && !disabledDefaultAuthPolicy) ||\n        (auth.isPrincipal(credentials, 'user') && !credentials.principal.actor)\n      ) {\n        if (\n          body.items.some(\n            r =>\n              isResourcePermission(r.permission) && r.resourceRef === undefined,\n          )\n        ) {\n          throw new InputError(\n            'Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed.',\n          );\n        }\n      }\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          policy,\n          permissionIntegrationClient,\n          credentials,\n          auth,\n          userInfo,\n        ),\n      });\n    },\n  );\n\n  return router;\n}\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;AAoDA,MAAM,gBAAA,GAAsDA,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAS;AACd,CAAC,CAAA;AAED,MAAM,qBAAA,GAAwBA,MAAE,MAAO,CAAA;AAAA,EACrC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,EACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA;AACd,CAAC,CAAA;AAED,MAAM,wBAAA,GAA2BA,MAAE,MAAO,CAAA;AAAA,EACxC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA,gBAAA;AAAA,EACZ,YAAA,EAAcA,MAAE,MAAO;AACzB,CAAC,CAAA;AAED,MAAM,+BAAA,GAEFA,MAAE,KAAM,CAAA;AAAA,EACVA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,WAAa,EAAAA,KAAA,CAAE,SAAU,EAAA,CAAE,QAAS,EAAA;AAAA,IACpC,UAAY,EAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,WAAa,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,QAAS,EAAA;AAAA,IACjC,UAAY,EAAA;AAAA,GACb;AACH,CAAC,CAAA;AAED,MAAM,oCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAmBH,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BACA,EAAA,WAAA,EAGA,MACA,QACuE,KAAA;AACvE,EAAM,MAAA,wBAAA,GAA2BC,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,GACD,CAAA;AAED,EAAI,IAAA,IAAA;AACJ,EAAA,IAAI,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,CAAG,EAAA;AACzC,IAAA,MAAM,IAAO,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,MACjD,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA;AAAA,KACjB,CAAA;AACD,IAAO,IAAA,GAAA;AAAA,MACL,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAU,CAAA,aAAA;AAAA,QACrC,qBAAqB,IAAK,CAAA;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CAAC,EAAE,EAAI,EAAA,WAAA,EAAa,GAAG,OAAA,EAClC,KAAA,MAAA,CAAO,MAAO,CAAA,OAAA,EAAS,IAAI,CAAA,CAAE,KAAK,CAAY,QAAA,KAAA;AAC5C,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA;AAGF,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA;AAGF,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAO,OAAA;AAAA,YACL,EAAA;AAAA,YACA,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,EAAA;AAAA,UACA,WAAA;AAAA,UACA,GAAG;AAAA,SACJ,CAAA;AAAA,OACF;AAAA;AACH,GACF;AACF,CAAA;AAQA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAM,MAAA,EAAE,QAAQ,SAAW,EAAA,MAAA,EAAQ,QAAQ,IAAM,EAAA,QAAA,EAAU,UACzD,GAAA,OAAA;AAEF,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL;AAAA,KACF;AAAA;AAGF,EAAA,MAAM,4BACJ,MAAO,CAAA,kBAAA;AAAA,IACL;AAAA,GACG,IAAA,KAAA;AAEP,EAAM,MAAA,2BAAA,GAA8B,IAAIC,uDAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAO,EAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA;AAAA,GAC/B,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,GAAK,EAAA;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA;AAAA,OACN;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA;AAAA;AAGnD,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA;AAEzB,MAAA,IACG,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,KAAK,CAAC,yBAAA,IAC1C,IAAK,CAAA,WAAA,CAAY,aAAa,MAAM,CAAA,IAAK,CAAC,WAAA,CAAY,UAAU,KACjE,EAAA;AACA,QAAA,IACE,KAAK,KAAM,CAAA,IAAA;AAAA,UACT,OACEJ,2CAAqB,CAAA,CAAA,CAAE,UAAU,CAAA,IAAK,EAAE,WAAgB,KAAA,KAAA;AAAA,SAE5D,EAAA;AACA,UAAA,MAAM,IAAII,iBAAA;AAAA,YACR;AAAA,WACF;AAAA;AACF;AAGF,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA;AACH,GACF;AAEA,EAAO,OAAA,MAAA;AACT;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-backend",
-  "version": "0.5.55",
+  "version": "0.7.0-next.0",
   "backstage": {
     "role": "backend-plugin",
     "pluginId": "permission",
@@ -44,11 +44,11 @@
   "types": "./dist/index.d.ts",
   "typesVersions": {
     "*": {
-      "*": [
-        "dist/index.d.ts"
-      ],
       "alpha": [
         "dist/alpha.d.ts"
+      ],
+      "package.json": [
+        "package.json"
       ]
     }
   },
@@ -65,14 +65,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.25.0",
-    "@backstage/backend-plugin-api": "^1.2.1",
-    "@backstage/config": "^1.3.2",
-    "@backstage/errors": "^1.2.7",
-    "@backstage/plugin-auth-node": "^0.6.1",
-    "@backstage/plugin-permission-common": "^0.8.4",
-    "@backstage/plugin-permission-node": "^0.9.0",
-    "@types/express": "^4.17.6",
+    "@backstage/backend-plugin-api": "1.3.1-next.0",
+    "@backstage/config": "1.3.2",
+    "@backstage/errors": "1.2.7",
+    "@backstage/plugin-auth-node": "0.6.3-next.0",
+    "@backstage/plugin-permission-common": "0.8.4",
+    "@backstage/plugin-permission-node": "0.9.2-next.0",
     "dataloader": "^2.0.0",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
@@ -81,9 +79,10 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "^0.8.2",
-    "@backstage/backend-test-utils": "^1.3.1",
-    "@backstage/cli": "^0.31.0",
+    "@backstage/backend-defaults": "0.9.1-next.0",
+    "@backstage/backend-test-utils": "1.5.0-next.0",
+    "@backstage/cli": "0.32.1-next.0",
+    "@types/express": "^4.17.6",
     "@types/lodash": "^4.14.151",
     "@types/supertest": "^2.0.8",
     "msw": "^1.0.0",