@backstage/plugin-permission-backend 0.7.2 → 0.7.3

package/CHANGELOG.md

@@ -1,5 +1,26 @@
 # @backstage/plugin-permission-backend
 
+## 0.7.3
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.6
+  - @backstage/plugin-permission-node@0.10.3
+  - @backstage/backend-plugin-api@1.4.2
+
+## 0.7.3-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.6-next.0
+  - @backstage/plugin-permission-node@0.10.3-next.0
+  - @backstage/backend-plugin-api@1.4.2-next.0
+  - @backstage/config@1.3.3
+  - @backstage/errors@1.2.7
+  - @backstage/plugin-permission-common@0.9.1
+
 ## 0.7.2
 
 ### Patch Changes

package/dist/alpha.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"alpha.cjs.js","sources":["../src/alpha.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { permissionPlugin as feature } from './plugin';\n\n/** @alpha */\nconst _feature = feature;\nexport default _feature;\n"],"names":["feature"],"mappings":";;;;;;AAmBA,MAAM,QAAW,GAAAA;;;;"}
+{"version":3,"file":"alpha.cjs.js","sources":["../src/alpha.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { permissionPlugin as feature } from './plugin';\n\n/** @alpha */\nconst _feature = feature;\nexport default _feature;\n"],"names":["feature"],"mappings":";;;;;;AAmBA,MAAM,QAAA,GAAWA;;;;"}

package/dist/plugin.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\nimport {\n  policyExtensionPoint,\n  PolicyExtensionPoint,\n} from '@backstage/plugin-permission-node/alpha';\nimport { createRouter } from './service';\n\nclass PolicyExtensionPointImpl implements PolicyExtensionPoint {\n  public policy: PermissionPolicy | undefined;\n\n  setPolicy(policy: PermissionPolicy): void {\n    if (this.policy) {\n      throw new Error('Policy already set');\n    }\n    this.policy = policy;\n  }\n}\n\n/**\n * Permission plugin\n *\n * @public\n */\nexport const permissionPlugin = createBackendPlugin({\n  pluginId: 'permission',\n  register(env) {\n    const policies = new PolicyExtensionPointImpl();\n\n    env.registerExtensionPoint(policyExtensionPoint, policies);\n\n    env.registerInit({\n      deps: {\n        http: coreServices.httpRouter,\n        config: coreServices.rootConfig,\n        logger: coreServices.logger,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        userInfo: coreServices.userInfo,\n      },\n      async init({\n        http,\n        config,\n        logger,\n        discovery,\n        auth,\n        httpAuth,\n        userInfo,\n      }) {\n        if (!policies.policy) {\n          throw new Error(\n            'No policy module installed! Please install a policy module. If you want to allow all requests, use @backstage/plugin-permission-backend-module-allow-all-policy permissionModuleAllowAllPolicy',\n          );\n        }\n\n        http.use(\n          await createRouter({\n            config,\n            discovery,\n            logger,\n            policy: policies.policy,\n            auth,\n            httpAuth,\n            userInfo,\n          }),\n        );\n        http.addAuthPolicy({\n          path: '/health',\n          allow: 'unauthenticated',\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","policyExtensionPoint","coreServices","createRouter"],"mappings":";;;;;;AA2BA,MAAM,wBAAyD,CAAA;AAAA,EACtD,MAAA;AAAA,EAEP,UAAU,MAAgC,EAAA;AACxC,IAAA,IAAI,KAAK,MAAQ,EAAA;AACf,MAAM,MAAA,IAAI,MAAM,oBAAoB,CAAA;AAAA;AAEtC,IAAA,IAAA,CAAK,MAAS,GAAA,MAAA;AAAA;AAElB;AAOO,MAAM,mBAAmBA,oCAAoB,CAAA;AAAA,EAClD,QAAU,EAAA,YAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAM,MAAA,QAAA,GAAW,IAAI,wBAAyB,EAAA;AAE9C,IAAI,GAAA,CAAA,sBAAA,CAAuBC,4BAAsB,QAAQ,CAAA;AAEzD,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,MAAMC,6BAAa,CAAA,UAAA;AAAA,QACnB,QAAQA,6BAAa,CAAA,UAAA;AAAA,QACrB,QAAQA,6BAAa,CAAA,MAAA;AAAA,QACrB,WAAWA,6BAAa,CAAA,SAAA;AAAA,QACxB,MAAMA,6BAAa,CAAA,IAAA;AAAA,QACnB,UAAUA,6BAAa,CAAA,QAAA;AAAA,QACvB,UAAUA,6BAAa,CAAA;AAAA,OACzB;AAAA,MACA,MAAM,IAAK,CAAA;AAAA,QACT,IAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACC,EAAA;AACD,QAAI,IAAA,CAAC,SAAS,MAAQ,EAAA;AACpB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR;AAAA,WACF;AAAA;AAGF,QAAK,IAAA,CAAA,GAAA;AAAA,UACH,MAAMC,mBAAa,CAAA;AAAA,YACjB,MAAA;AAAA,YACA,SAAA;AAAA,YACA,MAAA;AAAA,YACA,QAAQ,QAAS,CAAA,MAAA;AAAA,YACjB,IAAA;AAAA,YACA,QAAA;AAAA,YACA;AAAA,WACD;AAAA,SACH;AACA,QAAA,IAAA,CAAK,aAAc,CAAA;AAAA,UACjB,IAAM,EAAA,SAAA;AAAA,UACN,KAAO,EAAA;AAAA,SACR,CAAA;AAAA;AACH,KACD,CAAA;AAAA;AAEL,CAAC;;;;"}
+{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\nimport {\n  policyExtensionPoint,\n  PolicyExtensionPoint,\n} from '@backstage/plugin-permission-node/alpha';\nimport { createRouter } from './service';\n\nclass PolicyExtensionPointImpl implements PolicyExtensionPoint {\n  public policy: PermissionPolicy | undefined;\n\n  setPolicy(policy: PermissionPolicy): void {\n    if (this.policy) {\n      throw new Error('Policy already set');\n    }\n    this.policy = policy;\n  }\n}\n\n/**\n * Permission plugin\n *\n * @public\n */\nexport const permissionPlugin = createBackendPlugin({\n  pluginId: 'permission',\n  register(env) {\n    const policies = new PolicyExtensionPointImpl();\n\n    env.registerExtensionPoint(policyExtensionPoint, policies);\n\n    env.registerInit({\n      deps: {\n        http: coreServices.httpRouter,\n        config: coreServices.rootConfig,\n        logger: coreServices.logger,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        userInfo: coreServices.userInfo,\n      },\n      async init({\n        http,\n        config,\n        logger,\n        discovery,\n        auth,\n        httpAuth,\n        userInfo,\n      }) {\n        if (!policies.policy) {\n          throw new Error(\n            'No policy module installed! Please install a policy module. If you want to allow all requests, use @backstage/plugin-permission-backend-module-allow-all-policy permissionModuleAllowAllPolicy',\n          );\n        }\n\n        http.use(\n          await createRouter({\n            config,\n            discovery,\n            logger,\n            policy: policies.policy,\n            auth,\n            httpAuth,\n            userInfo,\n          }),\n        );\n        http.addAuthPolicy({\n          path: '/health',\n          allow: 'unauthenticated',\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","policyExtensionPoint","coreServices","createRouter"],"mappings":";;;;;;AA2BA,MAAM,wBAAA,CAAyD;AAAA,EACtD,MAAA;AAAA,EAEP,UAAU,MAAA,EAAgC;AACxC,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,MAAM,IAAI,MAAM,oBAAoB,CAAA;AAAA,IACtC;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAOO,MAAM,mBAAmBA,oCAAA,CAAoB;AAAA,EAClD,QAAA,EAAU,YAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,QAAA,GAAW,IAAI,wBAAA,EAAyB;AAE9C,IAAA,GAAA,CAAI,sBAAA,CAAuBC,4BAAsB,QAAQ,CAAA;AAEzD,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,MAAMC,6BAAA,CAAa,UAAA;AAAA,QACnB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,UAAUA,6BAAA,CAAa;AAAA,OACzB;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,IAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,IAAI,CAAC,SAAS,MAAA,EAAQ;AACpB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR;AAAA,WACF;AAAA,QACF;AAEA,QAAA,IAAA,CAAK,GAAA;AAAA,UACH,MAAMC,mBAAA,CAAa;AAAA,YACjB,MAAA;AAAA,YACA,SAAA;AAAA,YACA,MAAA;AAAA,YACA,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,IAAA;AAAA,YACA,QAAA;AAAA,YACA;AAAA,WACD;AAAA,SACH;AACA,QAAA,IAAA,CAAK,aAAA,CAAc;AAAA,UACjB,IAAA,EAAM,SAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AAAA,MACH;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/dist/service/PermissionIntegrationClient.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"PermissionIntegrationClient.cjs.js","sources":["../../src/service/PermissionIntegrationClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n} from '@backstage/plugin-permission-node';\nimport {\n  AuthService,\n  BackstageCredentials,\n  DiscoveryService,\n} from '@backstage/backend-plugin-api';\nimport { ResponseError } from '@backstage/errors';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n        z.array(\n          z.union([\n            z.literal(AuthorizeResult.ALLOW),\n            z.literal(AuthorizeResult.DENY),\n          ]),\n        ),\n      ]),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\n/**\n * @internal\n */\nexport class PermissionIntegrationClient {\n  private readonly discovery: DiscoveryService;\n  private readonly auth: AuthService;\n\n  constructor(options: { discovery: DiscoveryService; auth: AuthService }) {\n    this.discovery = options.discovery;\n    this.auth = options.auth;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    credentials: BackstageCredentials,\n    decisions: readonly ApplyConditionsRequestEntry[],\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const baseUrl = await this.discovery.getBaseUrl(pluginId);\n    const endpoint = `${baseUrl}/.well-known/backstage/permissions/apply-conditions`;\n\n    const token = this.auth.isPrincipal(credentials, 'none')\n      ? undefined\n      : await this.auth\n          .getPluginRequestToken({\n            onBehalfOf: credentials,\n            targetPluginId: pluginId,\n          })\n          .then(t => t.token);\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions,\n      }),\n      headers: {\n        ...(token ? { authorization: `Bearer ${token}` } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n"],"names":["z","AuthorizeResult","ResponseError"],"mappings":";;;;;;AAgCA,MAAM,cAAA,GAAiBA,MAAE,MAAO,CAAA;AAAA,EAC9B,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,MAAA,EAAQA,MAAE,KAAM,CAAA;AAAA,QACdA,KAAA,CAAE,OAAQ,CAAAC,sCAAA,CAAgB,KAAK,CAAA;AAAA,QAC/BD,KAAA,CAAE,OAAQ,CAAAC,sCAAA,CAAgB,IAAI,CAAA;AAAA,QAC9BD,KAAE,CAAA,KAAA;AAAA,UACAA,MAAE,KAAM,CAAA;AAAA,YACNA,KAAA,CAAE,OAAQ,CAAAC,sCAAA,CAAgB,KAAK,CAAA;AAAA,YAC/BD,KAAA,CAAE,OAAQ,CAAAC,sCAAA,CAAgB,IAAI;AAAA,WAC/B;AAAA;AACH,OACD;AAAA,KACF;AAAA;AAEL,CAAC,CAAA;AASM,MAAM,2BAA4B,CAAA;AAAA,EACtB,SAAA;AAAA,EACA,IAAA;AAAA,EAEjB,YAAY,OAA6D,EAAA;AACvE,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA;AACzB,IAAA,IAAA,CAAK,OAAO,OAAQ,CAAA,IAAA;AAAA;AACtB,EAEA,MAAM,eAAA,CACJ,QACA,EAAA,WAAA,EACA,SACyC,EAAA;AACzC,IAAA,MAAM,OAAU,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,QAAQ,CAAA;AACxD,IAAM,MAAA,QAAA,GAAW,GAAG,OAAO,CAAA,mDAAA,CAAA;AAE3B,IAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,IAAA,CAAK,WAAY,CAAA,WAAA,EAAa,MAAM,CAAA,GACnD,KACA,CAAA,GAAA,MAAM,IAAK,CAAA,IAAA,CACR,qBAAsB,CAAA;AAAA,MACrB,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA,KACjB,CAAA,CACA,IAAK,CAAA,CAAA,CAAA,KAAK,EAAE,KAAK,CAAA;AAExB,IAAM,MAAA,QAAA,GAAW,MAAM,KAAA,CAAM,QAAU,EAAA;AAAA,MACrC,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,KAAK,SAAU,CAAA;AAAA,QACnB,KAAO,EAAA;AAAA,OACR,CAAA;AAAA,MACD,OAAS,EAAA;AAAA,QACP,GAAI,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA,QACpD,cAAgB,EAAA;AAAA;AAClB,KACD,CAAA;AAED,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,MAAMC,oBAAc,CAAA,YAAA,CAAa,QAAQ,CAAA;AAAA;AAGjD,IAAA,MAAM,SAAS,cAAe,CAAA,KAAA,CAAM,MAAM,QAAA,CAAS,MAAM,CAAA;AAEzD,IAAA,OAAO,MAAO,CAAA,KAAA;AAAA;AAElB;;;;"}
+{"version":3,"file":"PermissionIntegrationClient.cjs.js","sources":["../../src/service/PermissionIntegrationClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n} from '@backstage/plugin-permission-node';\nimport {\n  AuthService,\n  BackstageCredentials,\n  DiscoveryService,\n} from '@backstage/backend-plugin-api';\nimport { ResponseError } from '@backstage/errors';\n\nconst responseSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      result: z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n        z.array(\n          z.union([\n            z.literal(AuthorizeResult.ALLOW),\n            z.literal(AuthorizeResult.DENY),\n          ]),\n        ),\n      ]),\n    }),\n  ),\n});\n\nexport type ResourcePolicyDecision = ConditionalPolicyDecision & {\n  resourceRef: string;\n};\n\n/**\n * @internal\n */\nexport class PermissionIntegrationClient {\n  private readonly discovery: DiscoveryService;\n  private readonly auth: AuthService;\n\n  constructor(options: { discovery: DiscoveryService; auth: AuthService }) {\n    this.discovery = options.discovery;\n    this.auth = options.auth;\n  }\n\n  async applyConditions(\n    pluginId: string,\n    credentials: BackstageCredentials,\n    decisions: readonly ApplyConditionsRequestEntry[],\n  ): Promise<ApplyConditionsResponseEntry[]> {\n    const baseUrl = await this.discovery.getBaseUrl(pluginId);\n    const endpoint = `${baseUrl}/.well-known/backstage/permissions/apply-conditions`;\n\n    const token = this.auth.isPrincipal(credentials, 'none')\n      ? undefined\n      : await this.auth\n          .getPluginRequestToken({\n            onBehalfOf: credentials,\n            targetPluginId: pluginId,\n          })\n          .then(t => t.token);\n\n    const response = await fetch(endpoint, {\n      method: 'POST',\n      body: JSON.stringify({\n        items: decisions,\n      }),\n      headers: {\n        ...(token ? { authorization: `Bearer ${token}` } : {}),\n        'content-type': 'application/json',\n      },\n    });\n\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const result = responseSchema.parse(await response.json());\n\n    return result.items;\n  }\n}\n"],"names":["z","AuthorizeResult","ResponseError"],"mappings":";;;;;;AAgCA,MAAM,cAAA,GAAiBA,MAAE,MAAA,CAAO;AAAA,EAC9B,OAAOA,KAAA,CAAE,KAAA;AAAA,IACPA,MAAE,MAAA,CAAO;AAAA,MACP,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,MACb,MAAA,EAAQA,MAAE,KAAA,CAAM;AAAA,QACdA,KAAA,CAAE,OAAA,CAAQC,sCAAA,CAAgB,KAAK,CAAA;AAAA,QAC/BD,KAAA,CAAE,OAAA,CAAQC,sCAAA,CAAgB,IAAI,CAAA;AAAA,QAC9BD,KAAA,CAAE,KAAA;AAAA,UACAA,MAAE,KAAA,CAAM;AAAA,YACNA,KAAA,CAAE,OAAA,CAAQC,sCAAA,CAAgB,KAAK,CAAA;AAAA,YAC/BD,KAAA,CAAE,OAAA,CAAQC,sCAAA,CAAgB,IAAI;AAAA,WAC/B;AAAA;AACH,OACD;AAAA,KACF;AAAA;AAEL,CAAC,CAAA;AASM,MAAM,2BAAA,CAA4B;AAAA,EACtB,SAAA;AAAA,EACA,IAAA;AAAA,EAEjB,YAAY,OAAA,EAA6D;AACvE,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AAAA,EACtB;AAAA,EAEA,MAAM,eAAA,CACJ,QAAA,EACA,WAAA,EACA,SAAA,EACyC;AACzC,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,SAAA,CAAU,WAAW,QAAQ,CAAA;AACxD,IAAA,MAAM,QAAA,GAAW,GAAG,OAAO,CAAA,mDAAA,CAAA;AAE3B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,GACnD,MAAA,GACA,MAAM,IAAA,CAAK,IAAA,CACR,qBAAA,CAAsB;AAAA,MACrB,UAAA,EAAY,WAAA;AAAA,MACZ,cAAA,EAAgB;AAAA,KACjB,CAAA,CACA,IAAA,CAAK,CAAA,CAAA,KAAK,EAAE,KAAK,CAAA;AAExB,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,QAAA,EAAU;AAAA,MACrC,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,KAAA,EAAO;AAAA,OACR,CAAA;AAAA,MACD,OAAA,EAAS;AAAA,QACP,GAAI,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA,QACpD,cAAA,EAAgB;AAAA;AAClB,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,MAAMC,oBAAA,CAAc,YAAA,CAAa,QAAQ,CAAA;AAAA,IACjD;AAEA,IAAA,MAAM,SAAS,cAAA,CAAe,KAAA,CAAM,MAAM,QAAA,CAAS,MAAM,CAAA;AAEzD,IAAA,OAAO,MAAA,CAAO,KAAA;AAAA,EAChB;AACF;;;;"}

package/dist/service/router.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionResponse,\n  IdentifiedPermissionMessage,\n  isResourcePermission,\n  PermissionAttributes,\n  PermissionMessageBatch,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n  PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstageUserPrincipal,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n  UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst basicPermissionSchema = z.object({\n  type: z.literal('basic'),\n  name: z.string(),\n  attributes: attributesSchema,\n});\n\nconst resourcePermissionSchema = z.object({\n  type: z.literal('resource'),\n  name: z.string(),\n  attributes: attributesSchema,\n  resourceType: z.string(),\n});\n\nconst evaluatePermissionRequestSchema = z.union([\n  z.object({\n    id: z.string(),\n    resourceRef: z.undefined().optional(),\n    permission: basicPermissionSchema,\n  }),\n  z.object({\n    id: z.string(),\n    resourceRef: z\n      .union([z.string(), z.array(z.string()).nonempty()])\n      .optional(),\n    permission: resourcePermissionSchema,\n  }),\n]);\n\nconst evaluatePermissionRequestBatchSchema = z.object({\n  items: z.array(evaluatePermissionRequestSchema),\n});\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @internal\n */\nexport interface RouterOptions {\n  logger: LoggerService;\n  discovery: DiscoveryService;\n  policy: PermissionPolicy;\n  identity?: IdentityApi;\n  config: RootConfigService;\n  auth: AuthService;\n  httpAuth: HttpAuthService;\n  userInfo: UserInfoService;\n}\n\nconst handleRequest = async (\n  requests: z.infer<typeof evaluatePermissionRequestBatchSchema>['items'],\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  credentials: BackstageCredentials<\n    BackstageNonePrincipal | BackstageUserPrincipal\n  >,\n  auth: AuthService,\n  userInfo: UserInfoService,\n): Promise<\n  IdentifiedPermissionMessage<InternalEvaluatePermissionResponse>[]\n> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n    );\n  });\n\n  let user: PolicyQueryUser | undefined;\n  if (auth.isPrincipal(credentials, 'user')) {\n    const info = await userInfo.getUserInfo(credentials);\n    const { token } = await auth.getPluginRequestToken({\n      onBehalfOf: credentials,\n      targetPluginId: 'catalog', // TODO: unknown at this point\n    });\n    user = {\n      identity: {\n        type: 'user',\n        userEntityRef: credentials.principal.userEntityRef,\n        ownershipEntityRefs: info.ownershipEntityRefs,\n      },\n      token,\n      credentials,\n      info,\n    };\n  }\n\n  return Promise.all(\n    requests.map(request =>\n      policy\n        .handle({ permission: request.permission }, user)\n        .then(async decision => {\n          if (decision.result !== AuthorizeResult.CONDITIONAL) {\n            return {\n              id: request.id,\n              ...decision,\n            };\n          }\n\n          if (!isResourcePermission(request.permission)) {\n            throw new Error(\n              `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n            );\n          }\n\n          if (decision.resourceType !== request.permission.resourceType) {\n            throw new Error(\n              `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n            );\n          }\n\n          if (!request.resourceRef) {\n            return {\n              id: request.id,\n              ...decision,\n            };\n          }\n\n          return applyConditionsLoaderFor(decision.pluginId).load({\n            id: request.id,\n            resourceRef: request.resourceRef,\n            ...decision,\n          });\n        }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @internal\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, config, logger, auth, httpAuth, userInfo } =\n    options;\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const disabledDefaultAuthPolicy =\n    config.getOptionalBoolean(\n      'backend.auth.dangerouslyDisableDefaultAuthPolicy',\n    ) ?? false;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n    auth,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.json({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request,\n      res: Response<PermissionMessageBatch<InternalEvaluatePermissionResponse>>,\n    ) => {\n      const credentials = await httpAuth.credentials(req, {\n        allow: ['user', 'none'],\n      });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      if (\n        (auth.isPrincipal(credentials, 'none') && !disabledDefaultAuthPolicy) ||\n        (auth.isPrincipal(credentials, 'user') && !credentials.principal.actor)\n      ) {\n        if (\n          body.items.some(\n            r =>\n              isResourcePermission(r.permission) && r.resourceRef === undefined,\n          )\n        ) {\n          throw new InputError(\n            'Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed.',\n          );\n        }\n      }\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          policy,\n          permissionIntegrationClient,\n          credentials,\n          auth,\n          userInfo,\n        ),\n      });\n    },\n  );\n\n  return router;\n}\n\n/**\n * @internal\n */\ntype InternalEvaluatePermissionResponse =\n  | EvaluatePermissionResponse\n  | {\n      result: Array<AuthorizeResult.ALLOW | AuthorizeResult.DENY>;\n    };\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;AAkDA,MAAM,gBAAA,GAAsDA,MAAE,MAAO,CAAA;AAAA,EACnE,MAAA,EAAQA,MACL,KAAM,CAAA;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAS;AACd,CAAC,CAAA;AAED,MAAM,qBAAA,GAAwBA,MAAE,MAAO,CAAA;AAAA,EACrC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,OAAO,CAAA;AAAA,EACvB,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA;AACd,CAAC,CAAA;AAED,MAAM,wBAAA,GAA2BA,MAAE,MAAO,CAAA;AAAA,EACxC,IAAA,EAAMA,KAAE,CAAA,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,UAAY,EAAA,gBAAA;AAAA,EACZ,YAAA,EAAcA,MAAE,MAAO;AACzB,CAAC,CAAA;AAED,MAAM,+BAAA,GAAkCA,MAAE,KAAM,CAAA;AAAA,EAC9CA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,WAAa,EAAAA,KAAA,CAAE,SAAU,EAAA,CAAE,QAAS,EAAA;AAAA,IACpC,UAAY,EAAA;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,aAAaA,KACV,CAAA,KAAA,CAAM,CAACA,KAAA,CAAE,QAAU,EAAAA,KAAA,CAAE,KAAM,CAAAA,KAAA,CAAE,QAAQ,CAAA,CAAE,UAAU,CAAC,EAClD,QAAS,EAAA;AAAA,IACZ,UAAY,EAAA;AAAA,GACb;AACH,CAAC,CAAA;AAED,MAAM,oCAAA,GAAuCA,MAAE,MAAO,CAAA;AAAA,EACpD,KAAA,EAAOA,KAAE,CAAA,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAmBD,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BACA,EAAA,WAAA,EAGA,MACA,QAGG,KAAA;AACH,EAAM,MAAA,wBAAA,GAA2BC,cAAQ,CAAA,CAAC,QAAqB,KAAA;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CACA,KAAA,KAAA,2BAAA,CAA4B,eAAgB,CAAA,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,GACD,CAAA;AAED,EAAI,IAAA,IAAA;AACJ,EAAA,IAAI,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,CAAG,EAAA;AACzC,IAAA,MAAM,IAAO,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,MACjD,UAAY,EAAA,WAAA;AAAA,MACZ,cAAgB,EAAA;AAAA;AAAA,KACjB,CAAA;AACD,IAAO,IAAA,GAAA;AAAA,MACL,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAU,CAAA,aAAA;AAAA,QACrC,qBAAqB,IAAK,CAAA;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAA,OAAO,OAAQ,CAAA,GAAA;AAAA,IACb,QAAS,CAAA,GAAA;AAAA,MAAI,CACX,OAAA,KAAA,MAAA,CACG,MAAO,CAAA,EAAE,UAAY,EAAA,OAAA,CAAQ,UAAW,EAAA,EAAG,IAAI,CAAA,CAC/C,IAAK,CAAA,OAAM,QAAY,KAAA;AACtB,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAO,OAAA;AAAA,YACL,IAAI,OAAQ,CAAA,EAAA;AAAA,YACZ,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA;AAGF,QAAA,IAAI,QAAS,CAAA,YAAA,KAAiB,OAAQ,CAAA,UAAA,CAAW,YAAc,EAAA;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAQ,CAAA,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA;AAGF,QAAI,IAAA,CAAC,QAAQ,WAAa,EAAA;AACxB,UAAO,OAAA;AAAA,YACL,IAAI,OAAQ,CAAA,EAAA;AAAA,YACZ,GAAG;AAAA,WACL;AAAA;AAGF,QAAA,OAAO,wBAAyB,CAAA,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAK,CAAA;AAAA,UACtD,IAAI,OAAQ,CAAA,EAAA;AAAA,UACZ,aAAa,OAAQ,CAAA,WAAA;AAAA,UACrB,GAAG;AAAA,SACJ,CAAA;AAAA,OACF;AAAA;AACL,GACF;AACF,CAAA;AAQA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAM,MAAA,EAAE,QAAQ,SAAW,EAAA,MAAA,EAAQ,QAAQ,IAAM,EAAA,QAAA,EAAU,UACzD,GAAA,OAAA;AAEF,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAG,EAAA;AACpD,IAAO,MAAA,CAAA,IAAA;AAAA,MACL;AAAA,KACF;AAAA;AAGF,EAAA,MAAM,4BACJ,MAAO,CAAA,kBAAA;AAAA,IACL;AAAA,GACG,IAAA,KAAA;AAEP,EAAM,MAAA,2BAAA,GAA8B,IAAIC,uDAA4B,CAAA;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAO,EAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,SAAA,EAAW,CAAC,CAAA,EAAG,QAAa,KAAA;AACrC,IAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,IAAA,EAAM,CAAA;AAAA,GAC/B,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GACG,KAAA;AACH,MAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,GAAK,EAAA;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAqC,CAAA,SAAA;AAAA,QACvD,GAAI,CAAA;AAAA,OACN;AAEA,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA;AAAA;AAGnD,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA;AAEzB,MAAA,IACG,IAAK,CAAA,WAAA,CAAY,WAAa,EAAA,MAAM,KAAK,CAAC,yBAAA,IAC1C,IAAK,CAAA,WAAA,CAAY,aAAa,MAAM,CAAA,IAAK,CAAC,WAAA,CAAY,UAAU,KACjE,EAAA;AACA,QAAA,IACE,KAAK,KAAM,CAAA,IAAA;AAAA,UACT,OACEJ,2CAAqB,CAAA,CAAA,CAAE,UAAU,CAAA,IAAK,EAAE,WAAgB,KAAA,KAAA;AAAA,SAE5D,EAAA;AACA,UAAA,MAAM,IAAII,iBAAA;AAAA,YACR;AAAA,WACF;AAAA;AACF;AAGF,MAAA,GAAA,CAAI,IAAK,CAAA;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAK,CAAA,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA;AACH,GACF;AAEA,EAAO,OAAA,MAAA;AACT;;;;"}
+{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { z } from 'zod';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport { InputError } from '@backstage/errors';\nimport { IdentityApi } from '@backstage/plugin-auth-node';\nimport {\n  AuthorizeResult,\n  EvaluatePermissionResponse,\n  IdentifiedPermissionMessage,\n  isResourcePermission,\n  PermissionAttributes,\n  PermissionMessageBatch,\n} from '@backstage/plugin-permission-common';\nimport {\n  ApplyConditionsRequestEntry,\n  ApplyConditionsResponseEntry,\n  PermissionPolicy,\n  PolicyQueryUser,\n} from '@backstage/plugin-permission-node';\nimport { PermissionIntegrationClient } from './PermissionIntegrationClient';\nimport { memoize } from 'lodash';\nimport DataLoader from 'dataloader';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageNonePrincipal,\n  BackstageUserPrincipal,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n  UserInfoService,\n} from '@backstage/backend-plugin-api';\n\nconst attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({\n  action: z\n    .union([\n      z.literal('create'),\n      z.literal('read'),\n      z.literal('update'),\n      z.literal('delete'),\n    ])\n    .optional(),\n});\n\nconst basicPermissionSchema = z.object({\n  type: z.literal('basic'),\n  name: z.string(),\n  attributes: attributesSchema,\n});\n\nconst resourcePermissionSchema = z.object({\n  type: z.literal('resource'),\n  name: z.string(),\n  attributes: attributesSchema,\n  resourceType: z.string(),\n});\n\nconst evaluatePermissionRequestSchema = z.union([\n  z.object({\n    id: z.string(),\n    resourceRef: z.undefined().optional(),\n    permission: basicPermissionSchema,\n  }),\n  z.object({\n    id: z.string(),\n    resourceRef: z\n      .union([z.string(), z.array(z.string()).nonempty()])\n      .optional(),\n    permission: resourcePermissionSchema,\n  }),\n]);\n\nconst evaluatePermissionRequestBatchSchema = z.object({\n  items: z.array(evaluatePermissionRequestSchema),\n});\n\n/**\n * Options required when constructing a new {@link express#Router} using\n * {@link createRouter}.\n *\n * @internal\n */\nexport interface RouterOptions {\n  logger: LoggerService;\n  discovery: DiscoveryService;\n  policy: PermissionPolicy;\n  identity?: IdentityApi;\n  config: RootConfigService;\n  auth: AuthService;\n  httpAuth: HttpAuthService;\n  userInfo: UserInfoService;\n}\n\nconst handleRequest = async (\n  requests: z.infer<typeof evaluatePermissionRequestBatchSchema>['items'],\n  policy: PermissionPolicy,\n  permissionIntegrationClient: PermissionIntegrationClient,\n  credentials: BackstageCredentials<\n    BackstageNonePrincipal | BackstageUserPrincipal\n  >,\n  auth: AuthService,\n  userInfo: UserInfoService,\n): Promise<\n  IdentifiedPermissionMessage<InternalEvaluatePermissionResponse>[]\n> => {\n  const applyConditionsLoaderFor = memoize((pluginId: string) => {\n    return new DataLoader<\n      ApplyConditionsRequestEntry,\n      ApplyConditionsResponseEntry\n    >(batch =>\n      permissionIntegrationClient.applyConditions(pluginId, credentials, batch),\n    );\n  });\n\n  let user: PolicyQueryUser | undefined;\n  if (auth.isPrincipal(credentials, 'user')) {\n    const info = await userInfo.getUserInfo(credentials);\n    const { token } = await auth.getPluginRequestToken({\n      onBehalfOf: credentials,\n      targetPluginId: 'catalog', // TODO: unknown at this point\n    });\n    user = {\n      identity: {\n        type: 'user',\n        userEntityRef: credentials.principal.userEntityRef,\n        ownershipEntityRefs: info.ownershipEntityRefs,\n      },\n      token,\n      credentials,\n      info,\n    };\n  }\n\n  return Promise.all(\n    requests.map(request =>\n      policy\n        .handle({ permission: request.permission }, user)\n        .then(async decision => {\n          if (decision.result !== AuthorizeResult.CONDITIONAL) {\n            return {\n              id: request.id,\n              ...decision,\n            };\n          }\n\n          if (!isResourcePermission(request.permission)) {\n            throw new Error(\n              `Conditional decision returned from permission policy for non-resource permission ${request.permission.name}`,\n            );\n          }\n\n          if (decision.resourceType !== request.permission.resourceType) {\n            throw new Error(\n              `Invalid resource conditions returned from permission policy for permission ${request.permission.name}`,\n            );\n          }\n\n          if (!request.resourceRef) {\n            return {\n              id: request.id,\n              ...decision,\n            };\n          }\n\n          return applyConditionsLoaderFor(decision.pluginId).load({\n            id: request.id,\n            resourceRef: request.resourceRef,\n            ...decision,\n          });\n        }),\n    ),\n  );\n};\n\n/**\n * Creates a new {@link express#Router} which provides the backend API\n * for the permission system.\n *\n * @internal\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const { policy, discovery, config, logger, auth, httpAuth, userInfo } =\n    options;\n\n  if (!config.getOptionalBoolean('permission.enabled')) {\n    logger.warn(\n      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',\n    );\n  }\n\n  const disabledDefaultAuthPolicy =\n    config.getOptionalBoolean(\n      'backend.auth.dangerouslyDisableDefaultAuthPolicy',\n    ) ?? false;\n\n  const permissionIntegrationClient = new PermissionIntegrationClient({\n    discovery,\n    auth,\n  });\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/health', (_, response) => {\n    response.json({ status: 'ok' });\n  });\n\n  router.post(\n    '/authorize',\n    async (\n      req: Request,\n      res: Response<PermissionMessageBatch<InternalEvaluatePermissionResponse>>,\n    ) => {\n      const credentials = await httpAuth.credentials(req, {\n        allow: ['user', 'none'],\n      });\n\n      const parseResult = evaluatePermissionRequestBatchSchema.safeParse(\n        req.body,\n      );\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      if (\n        (auth.isPrincipal(credentials, 'none') && !disabledDefaultAuthPolicy) ||\n        (auth.isPrincipal(credentials, 'user') && !credentials.principal.actor)\n      ) {\n        if (\n          body.items.some(\n            r =>\n              isResourcePermission(r.permission) && r.resourceRef === undefined,\n          )\n        ) {\n          throw new InputError(\n            'Resource permissions require a resourceRef to be set. Direct user requests without a resourceRef are not allowed.',\n          );\n        }\n      }\n\n      res.json({\n        items: await handleRequest(\n          body.items,\n          policy,\n          permissionIntegrationClient,\n          credentials,\n          auth,\n          userInfo,\n        ),\n      });\n    },\n  );\n\n  return router;\n}\n\n/**\n * @internal\n */\ntype InternalEvaluatePermissionResponse =\n  | EvaluatePermissionResponse\n  | {\n      result: Array<AuthorizeResult.ALLOW | AuthorizeResult.DENY>;\n    };\n"],"names":["z","memoize","DataLoader","AuthorizeResult","isResourcePermission","PermissionIntegrationClient","Router","express","InputError"],"mappings":";;;;;;;;;;;;;;;;;AAkDA,MAAM,gBAAA,GAAsDA,MAAE,MAAA,CAAO;AAAA,EACnE,MAAA,EAAQA,MACL,KAAA,CAAM;AAAA,IACLA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,MAAM,CAAA;AAAA,IAChBA,KAAA,CAAE,QAAQ,QAAQ,CAAA;AAAA,IAClBA,KAAA,CAAE,QAAQ,QAAQ;AAAA,GACnB,EACA,QAAA;AACL,CAAC,CAAA;AAED,MAAM,qBAAA,GAAwBA,MAAE,MAAA,CAAO;AAAA,EACrC,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,EACvB,IAAA,EAAMA,MAAE,MAAA,EAAO;AAAA,EACf,UAAA,EAAY;AACd,CAAC,CAAA;AAED,MAAM,wBAAA,GAA2BA,MAAE,MAAA,CAAO;AAAA,EACxC,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,IAAA,EAAMA,MAAE,MAAA,EAAO;AAAA,EACf,UAAA,EAAY,gBAAA;AAAA,EACZ,YAAA,EAAcA,MAAE,MAAA;AAClB,CAAC,CAAA;AAED,MAAM,+BAAA,GAAkCA,MAAE,KAAA,CAAM;AAAA,EAC9CA,MAAE,MAAA,CAAO;AAAA,IACP,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,WAAA,EAAaA,KAAA,CAAE,SAAA,EAAU,CAAE,QAAA,EAAS;AAAA,IACpC,UAAA,EAAY;AAAA,GACb,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACP,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,aAAaA,KAAA,CACV,KAAA,CAAM,CAACA,KAAA,CAAE,QAAO,EAAGA,KAAA,CAAE,KAAA,CAAMA,KAAA,CAAE,QAAQ,CAAA,CAAE,UAAU,CAAC,EAClD,QAAA,EAAS;AAAA,IACZ,UAAA,EAAY;AAAA,GACb;AACH,CAAC,CAAA;AAED,MAAM,oCAAA,GAAuCA,MAAE,MAAA,CAAO;AAAA,EACpD,KAAA,EAAOA,KAAA,CAAE,KAAA,CAAM,+BAA+B;AAChD,CAAC,CAAA;AAmBD,MAAM,gBAAgB,OACpB,QAAA,EACA,QACA,2BAAA,EACA,WAAA,EAGA,MACA,QAAA,KAGG;AACH,EAAA,MAAM,wBAAA,GAA2BC,cAAA,CAAQ,CAAC,QAAA,KAAqB;AAC7D,IAAA,OAAO,IAAIC,2BAAA;AAAA,MAGT,CAAA,KAAA,KACA,2BAAA,CAA4B,eAAA,CAAgB,QAAA,EAAU,aAAa,KAAK;AAAA,KAC1E;AAAA,EACF,CAAC,CAAA;AAED,EAAA,IAAI,IAAA;AACJ,EAAA,IAAI,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,EAAG;AACzC,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,WAAA,CAAY,WAAW,CAAA;AACnD,IAAA,MAAM,EAAE,KAAA,EAAM,GAAI,MAAM,KAAK,qBAAA,CAAsB;AAAA,MACjD,UAAA,EAAY,WAAA;AAAA,MACZ,cAAA,EAAgB;AAAA;AAAA,KACjB,CAAA;AACD,IAAA,IAAA,GAAO;AAAA,MACL,QAAA,EAAU;AAAA,QACR,IAAA,EAAM,MAAA;AAAA,QACN,aAAA,EAAe,YAAY,SAAA,CAAU,aAAA;AAAA,QACrC,qBAAqB,IAAA,CAAK;AAAA,OAC5B;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA;AAAA,IACb,QAAA,CAAS,GAAA;AAAA,MAAI,CAAA,OAAA,KACX,MAAA,CACG,MAAA,CAAO,EAAE,UAAA,EAAY,OAAA,CAAQ,UAAA,EAAW,EAAG,IAAI,CAAA,CAC/C,IAAA,CAAK,OAAM,QAAA,KAAY;AACtB,QAAA,IAAI,QAAA,CAAS,MAAA,KAAWC,sCAAA,CAAgB,WAAA,EAAa;AACnD,UAAA,OAAO;AAAA,YACL,IAAI,OAAA,CAAQ,EAAA;AAAA,YACZ,GAAG;AAAA,WACL;AAAA,QACF;AAEA,QAAA,IAAI,CAACC,2CAAA,CAAqB,OAAA,CAAQ,UAAU,CAAA,EAAG;AAC7C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,iFAAA,EAAoF,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA;AAAA,WAC7G;AAAA,QACF;AAEA,QAAA,IAAI,QAAA,CAAS,YAAA,KAAiB,OAAA,CAAQ,UAAA,CAAW,YAAA,EAAc;AAC7D,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,2EAAA,EAA8E,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA;AAAA,WACvG;AAAA,QACF;AAEA,QAAA,IAAI,CAAC,QAAQ,WAAA,EAAa;AACxB,UAAA,OAAO;AAAA,YACL,IAAI,OAAA,CAAQ,EAAA;AAAA,YACZ,GAAG;AAAA,WACL;AAAA,QACF;AAEA,QAAA,OAAO,wBAAA,CAAyB,QAAA,CAAS,QAAQ,CAAA,CAAE,IAAA,CAAK;AAAA,UACtD,IAAI,OAAA,CAAQ,EAAA;AAAA,UACZ,aAAa,OAAA,CAAQ,WAAA;AAAA,UACrB,GAAG;AAAA,SACJ,CAAA;AAAA,MACH,CAAC;AAAA;AACL,GACF;AACF,CAAA;AAQA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM,EAAE,QAAQ,SAAA,EAAW,MAAA,EAAQ,QAAQ,IAAA,EAAM,QAAA,EAAU,UAAS,GAClE,OAAA;AAEF,EAAA,IAAI,CAAC,MAAA,CAAO,kBAAA,CAAmB,oBAAoB,CAAA,EAAG;AACpD,IAAA,MAAA,CAAO,IAAA;AAAA,MACL;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,4BACJ,MAAA,CAAO,kBAAA;AAAA,IACL;AAAA,GACF,IAAK,KAAA;AAEP,EAAA,MAAM,2BAAA,GAA8B,IAAIC,uDAAA,CAA4B;AAAA,IAClE,SAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,SAASC,uBAAA,EAAO;AACtB,EAAA,MAAA,CAAO,GAAA,CAAIC,wBAAA,CAAQ,IAAA,EAAM,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAA,CAAI,SAAA,EAAW,CAAC,CAAA,EAAG,QAAA,KAAa;AACrC,IAAA,QAAA,CAAS,IAAA,CAAK,EAAE,MAAA,EAAQ,IAAA,EAAM,CAAA;AAAA,EAChC,CAAC,CAAA;AAED,EAAA,MAAA,CAAO,IAAA;AAAA,IACL,YAAA;AAAA,IACA,OACE,KACA,GAAA,KACG;AACH,MAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,WAAA,CAAY,GAAA,EAAK;AAAA,QAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAM;AAAA,OACvB,CAAA;AAED,MAAA,MAAM,cAAc,oCAAA,CAAqC,SAAA;AAAA,QACvD,GAAA,CAAI;AAAA,OACN;AAEA,MAAA,IAAI,CAAC,YAAY,OAAA,EAAS;AACxB,QAAA,MAAM,IAAIC,iBAAA,CAAW,WAAA,CAAY,KAAA,CAAM,UAAU,CAAA;AAAA,MACnD;AAEA,MAAA,MAAM,OAAO,WAAA,CAAY,IAAA;AAEzB,MAAA,IACG,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,KAAK,CAAC,yBAAA,IAC1C,IAAA,CAAK,WAAA,CAAY,aAAa,MAAM,CAAA,IAAK,CAAC,WAAA,CAAY,UAAU,KAAA,EACjE;AACA,QAAA,IACE,KAAK,KAAA,CAAM,IAAA;AAAA,UACT,OACEJ,2CAAA,CAAqB,CAAA,CAAE,UAAU,CAAA,IAAK,EAAE,WAAA,KAAgB;AAAA,SAC5D,EACA;AACA,UAAA,MAAM,IAAII,iBAAA;AAAA,YACR;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAEA,MAAA,GAAA,CAAI,IAAA,CAAK;AAAA,QACP,OAAO,MAAM,aAAA;AAAA,UACX,IAAA,CAAK,KAAA;AAAA,UACL,MAAA;AAAA,UACA,2BAAA;AAAA,UACA,WAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA,IACH;AAAA,GACF;AAEA,EAAA,OAAO,MAAA;AACT;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-backend",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "backstage": {
     "role": "backend-plugin",
     "pluginId": "permission",
@@ -65,12 +65,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.4.1",
+    "@backstage/backend-plugin-api": "^1.4.2",
     "@backstage/config": "^1.3.3",
     "@backstage/errors": "^1.2.7",
-    "@backstage/plugin-auth-node": "^0.6.5",
+    "@backstage/plugin-auth-node": "^0.6.6",
     "@backstage/plugin-permission-common": "^0.9.1",
-    "@backstage/plugin-permission-node": "^0.10.2",
+    "@backstage/plugin-permission-node": "^0.10.3",
     "dataloader": "^2.0.0",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
@@ -79,9 +79,9 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "^0.11.1",
-    "@backstage/backend-test-utils": "^1.7.0",
-    "@backstage/cli": "^0.33.1",
+    "@backstage/backend-defaults": "^0.12.0",
+    "@backstage/backend-test-utils": "^1.8.0",
+    "@backstage/cli": "^0.34.0",
     "@types/express": "^4.17.6",
     "@types/lodash": "^4.14.151",
     "@types/supertest": "^2.0.8",