@backstage/plugin-permission-common 0.0.0-nightly-20220303023541 → 0.0.0-nightly-20220323023253

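--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,6 +1,23 @@
 # @backstage/plugin-permission-common
 
-## 0.0.0-nightly-20220303023541
+## 0.0.0-nightly-20220323023253
+
+### Patch Changes
+
+- 95284162d6: - Add more specific `Permission` types.
+- Add `createPermission` helper to infer the appropriate type for some permission input.
+- Add `isResourcePermission` helper to refine Permissions to ResourcePermissions.
+
+## 0.5.3
+
+### Patch Changes
+
+- f24ef7864e: Minor typo fixes
+- Updated dependencies
+- @backstage/config@1.0.0
+- @backstage/errors@1.0.0
+
+## 0.5.2
 
 ### Patch Changes
 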
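--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -37,6 +37,12 @@ var AuthorizeResult = /* @__PURE__ */ ((AuthorizeResult2) => {
 return AuthorizeResult2;
 })(AuthorizeResult || {});
 
+function isResourcePermission(permission, resourceType) {
+if (!("resourceType" in permission)) {
+return false;
+}
+return !resourceType || permission.resourceType === resourceType;
+}
 function isCreatePermission(permission) {
 return permission.attributes.action === "create";
 }
@@ -50,6 +56,26 @@ function isDeletePermission(permission) {
 return permission.attributes.action === "delete";
 }
 
+function createPermission({
+name,
+attributes,
+resourceType
+}) {
+if (resourceType) {
+return {
+type: "resource",
+name,
+attributes,
+resourceType
+};
+}
+return {
+type: "basic",
+name,
+attributes
+};
+}
+
 const permissionCriteriaSchema = zod.z.lazy(() => zod.z.object({
 rule: zod.z.string(),
 params: zod.z.array(zod.z.unknown())
@@ -115,8 +141,10 @@ class PermissionClient {
 
 exports.AuthorizeResult = AuthorizeResult;
 exports.PermissionClient = PermissionClient;
+exports.createPermission = createPermission;
 exports.isCreatePermission = isCreatePermission;
 exports.isDeletePermission = isDeletePermission;
 exports.isReadPermission = isReadPermission;
+exports.isResourcePermission = isResourcePermission;
 exports.isUpdatePermission = isUpdatePermission;
 //# sourceMappingURL=index.cjs.js.map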
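Review bot: The `"resourceType" in permission` test in isResourcePermission (first hunk) throws a TypeError when `permission` is not an object and also accepts a `resourceType` inherited through the prototype chain, while `!resourceType` on the next line turns an empty-string argument into a match-anything wildcard; since this guard decides which authorization flow a permission takes, I would tighten it to `if (typeof permission !== "object" || permission === null || !Object.hasOwn(permission, "resourceType")) {` and `return resourceType === undefined || permission.resourceType === resourceType;`. The `if (resourceType)` branch in createPermission (second hunk) has the same empty-string ambiguity and silently yields a basic permission in that case. This file is compiled output, so the fix belongs in the TypeScript sources the source map names (`../src/permissions/util.ts` and `../src/permissions/createPermission.ts`) rather than in dist.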
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An individual authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeQuery = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A batch of authorization requests from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n items: Identified<AuthorizeQuery>[];\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. 
For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represnts a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represnts a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | AllOfCriteria<TQuery>\n | AnyOfCriteria<TQuery>\n | NotCriteria<TQuery>\n | TQuery;\n\n/**\n * An individual authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeDecision =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n\n/**\n * A batch of authorization responses from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse = {\n items: Identified<AuthorizeDecision>[];\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * 
distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeQuery,\n AuthorizeDecision,\n 
Identified,\n PermissionCriteria,\n PermissionCondition,\n AuthorizeResponse,\n AuthorizeRequest,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n PermissionAuthorizer,\n AuthorizeRequestOptions,\n} from './types/permission';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .strict()\n .or(\n z\n .object({ anyOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(\n z\n .object({ allOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(z.object({ not: permissionCriteriaSchema }).strict()),\n);\n\nconst responseSchema = z.object({\n items: z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n ),\n});\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionAuthorizer {\n private readonly enabled: boolean;\n private readonly discovery: DiscoveryApi;\n\n constructor(options: { discovery: DiscoveryApi; config: Config }) {\n this.discovery = options.discovery;\n this.enabled =\n options.config.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). 
The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n queries: AuthorizeQuery[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeDecision[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const request: AuthorizeRequest = {\n items: queries.map(query => ({\n id: uuid.v4(),\n ...query,\n })),\n };\n\n const permissionApi = await this.discovery.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(request),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const responseBody = await response.json();\n this.assertValidResponse(request, responseBody);\n\n const responsesById = responseBody.items.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeDecision>>);\n\n return 
request.items.map(query => responsesById[query.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponse(\n request: AuthorizeRequest,\n json: any,\n ): asserts json is AuthorizeResponse {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.items.map(r => r.id);\n const hasAllRequestIds = request.items.every(r =>\n responseIds.includes(r.id),\n );\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":["z","uuid","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BY,oCAAA,qBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAZJ;AAAA;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;ACV1C,MAAM,2BAEFA,MAAE,KAAK,MACTA,MACG,OAAO;AAAA,EACN,MAAMA,MAAE;AAAA,EACR,QAAQA,MAAE,MAAMA,MAAE;AAAA,GAEnB,SACA,GACCA,MACG,OAAO,EAAE,OAAOA,MAAE,MAAM,0BAA0B,cAClD,UAEJ,GACCA,MACG,OAAO,EAAE,OAAOA,MAAE,MAAM,0BAA0B,cAClD,UAEJ,GAAGA,MAAE,OAAO,EAAE,KAAK,4BAA4B;AAGpD,MAAM,iBAAiBA,MAAE,OAAO;AAAA,EAC9B,OAAOA,MAAE,MACPA,MACG,OAAO;AAAA,IACN,IAAIA,MAAE;AAAA,IACN,QAAQA,MACL,QAAQ,gBAAgB,OACxB,GAAGA,MAAE,QAAQ,gBAAgB;AAAA,KAEjC,GACCA,MAAE,OAAO;AAAA,IACP,IAAIA,MAAE;AAAA,IACN,QAAQA,MAAE,QAAQ,gBAAgB;AAAA,IAClC,YAAY;AAAA;AAAA;uBAUwC;AAAA,EAI5D,YAAY,SAAsD;AAtFpE;AAuFI,SAAK,YAAY,QAAQ;AACzB,SAAK,UACH,cAAQ,OAAO,mBAAmB,0BAAlC,YAA2D;AAAA;AAAA,QAmBzD,UACJ,SACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,QAAQ,IAAI,UAAQ,QAAQ,gBAAgB;AAAA;AAGrD,UAAM,UAA4B;AAAA,MAChC,OAAO,QAAQ,IAAI;AAAU,QAC3B,IAAIC,gBAAK;AAAA,WACN;AAAA;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,UAAU,WAAW;AACtD,UAAM,WAAW,MAAMC,0BAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAC
hB,YAAM,MAAMC,qBAAc,aAAa;AAAA;AAGzC,UAAM,eAAe,MAAM,SAAS;AACpC,SAAK,oBAAoB,SAAS;AAElC,UAAM,gBAAgB,aAAa,MAAM,OAAO,CAAC,KAAK,MAAM;AAC1D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,QAAQ,MAAM,IAAI,WAAS,cAAc,MAAM;AAAA;AAAA,EAGhD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,EAAE,eAAe,UAAU,YAAY;AAAA;AAAA,EAGhD,oBACN,SACA,MACmC;AACnC,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,MAAM,IAAI,OAAK,EAAE;AACzD,UAAM,mBAAmB,QAAQ,MAAM,MAAM,OAC3C,YAAY,SAAS,EAAE;AAEzB,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;;;;;;"}
1
+ {"version":3,"file":"index.cjs.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/permissions/createPermission.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An individual authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeQuery = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A batch of authorization requests from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n items: Identified<AuthorizeQuery>[];\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. 
For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | AllOfCriteria<TQuery>\n | AnyOfCriteria<TQuery>\n | NotCriteria<TQuery>\n | TQuery;\n\n/**\n * An individual authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeDecision =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n\n/**\n * A batch of authorization responses from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse = {\n items: Identified<AuthorizeDecision>[];\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n 
* distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission, ResourcePermission } from '../types';\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n permission: Permission,\n resourceType?: T,\n): permission is ResourcePermission<T> {\n if (!('resourceType' in permission)) {\n return false;\n }\n\n return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, 
software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n BasicPermission,\n Permission,\n PermissionAttributes,\n ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n name: string;\n attributes: PermissionAttributes;\n resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n name: string;\n attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n name,\n attributes,\n resourceType,\n}: {\n name: string;\n attributes: PermissionAttributes;\n resourceType?: string;\n}): Permission {\n if (resourceType) {\n return {\n type: 'resource',\n name,\n attributes,\n resourceType,\n };\n }\n\n return {\n type: 'basic',\n name,\n attributes,\n };\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from 
'@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeQuery,\n AuthorizeDecision,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n AuthorizeResponse,\n AuthorizeRequest,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n PermissionAuthorizer,\n AuthorizeRequestOptions,\n} from './types/permission';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .strict()\n .or(\n z\n .object({ anyOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(\n z\n .object({ allOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(z.object({ not: permissionCriteriaSchema }).strict()),\n);\n\nconst responseSchema = z.object({\n items: z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n ),\n});\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionAuthorizer {\n private readonly enabled: boolean;\n private readonly discovery: DiscoveryApi;\n\n constructor(options: { discovery: DiscoveryApi; config: Config }) {\n this.discovery = options.discovery;\n this.enabled =\n options.config.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). 
The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n queries: AuthorizeQuery[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeDecision[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const request: AuthorizeRequest = {\n items: queries.map(query => ({\n id: uuid.v4(),\n ...query,\n })),\n };\n\n const permissionApi = await this.discovery.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(request),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const responseBody = await response.json();\n this.assertValidResponse(request, responseBody);\n\n const responsesById = responseBody.items.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeDecision>>);\n\n return 
request.items.map(query => responsesById[query.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponse(\n request: AuthorizeRequest,\n json: any,\n ): asserts json is AuthorizeResponse {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.items.map(r => r.id);\n const hasAllRequestIds = request.items.every(r =>\n responseIds.includes(r.id),\n );\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":["z","uuid","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BY,IAAA,eAAA,qBAAA,gBAAL,KAAA;AAIL,EAAO,gBAAA,CAAA,MAAA,CAAA,GAAA,MAAA,CAAA;AAIP,EAAQ,gBAAA,CAAA,OAAA,CAAA,GAAA,OAAA,CAAA;AAIR,EAAc,gBAAA,CAAA,aAAA,CAAA,GAAA,aAAA,CAAA;AAZJ,EAAA,OAAA,gBAAA,CAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;ACLL,SAAA,oBAAA,CACL,YACA,YACqC,EAAA;AACrC,EAAI,IAAA,oBAAoB,UAAa,CAAA,EAAA;AACnC,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAO,OAAA,CAAC,YAAgB,IAAA,UAAA,CAAW,YAAiB,KAAA,YAAA,CAAA;AACtD,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,gBAAA,CAA0B,UAAwB,EAAA;AACvD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,MAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C;;ACtBiC,SAAA,gBAAA,CAAA;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,CAKa,EAAA;AACb,EAAA,IAAI,YAAc,EAAA;AAChB,IAAO,OAAA;AAAA,MACL,IAAM,EAAA,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA,YAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,IAAM,EAAA,OAAA;AAAA,IACN,IAAA;AAAA,IACA,UAAA;AAAA,GACF,CAAA;AACF;;AC7BA,MAAM,wBAEF,GAAAA,KAAA,CAAE,IAAK,CAAA,MACTA,MACG,MAAO,CAAA;AAAA,EACN,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,EACf,MAAQ,EAAAA,KAAA,CAAE,KAAM,CAAAA,KAAA,CAAE,SAAS,CAA
A;AAC7B,CAAC,CAAA,CACA,QACA,CAAA,EAAA,CACCA,MACG,MAAO,CAAA,EAAE,OAAOA,KAAE,CAAA,KAAA,CAAM,wBAAwB,CAAE,CAAA,QAAA,IAAY,CAAA,CAC9D,QACL,CAAA,CACC,GACCA,KACG,CAAA,MAAA,CAAO,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,UAAW,EAAC,EAC9D,MAAO,EACZ,EACC,EAAG,CAAAA,KAAA,CAAE,OAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA,CAAE,MAAO,EAAC,CAC5D,CAAA,CAAA;AAEA,MAAM,cAAA,GAAiBA,MAAE,MAAO,CAAA;AAAA,EAC9B,KAAO,EAAAA,KAAA,CAAE,KACP,CAAAA,KAAA,CACG,MAAO,CAAA;AAAA,IACN,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,MAAA,EAAQA,KACL,CAAA,OAAA,CAAQ,eAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAGA,KAAE,CAAA,OAAA,CAAQ,eAAgB,CAAA,IAAI,CAAC,CAAA;AAAA,GACtC,CAAA,CACA,EACC,CAAAA,KAAA,CAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,IACb,MAAQ,EAAAA,KAAA,CAAE,OAAQ,CAAA,eAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,UAAY,EAAA,wBAAA;AAAA,GACb,CACH,CACJ,CAAA;AACF,CAAC,CAAA,CAAA;AAMM,MAAM,gBAAiD,CAAA;AAAA,EAI5D,YAAY,OAAsD,EAAA;AAtFpE,IAAA,IAAA,EAAA,CAAA;AAuFI,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,UACH,CAAQ,EAAA,GAAA,OAAA,CAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,MAAtD,IAA2D,GAAA,EAAA,GAAA,KAAA,CAAA;AAAA,GAC/D;AAAA,EAkBM,MAAA,SAAA,CACJ,SACA,OAC8B,EAAA;AAM9B,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,QAAQ,MAAQ,EAAA,eAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC7D;AAEA,IAAA,MAAM,OAA4B,GAAA;AAAA,MAChC,KAAA,EAAO,OAAQ,CAAA,GAAA,CAAI,CAAU,KAAA,MAAA;AAAA,QAC3B,EAAA,EAAIC,gBAAK,EAAG,EAAA;AAAA,QACT,GAAA,KAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACJ,CAAA;AAEA,IAAA,MAAM,aAAgB,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,YAAY,CAAA,CAAA;AAClE,IAAA,MAAM,QAAW,GAAA,MAAMC,yBAAM,CAAA,CAAA,EAAG,aAA2B,CAAA,UAAA,CAAA,EAAA;AAAA,MACzD,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,IAAK,CAAA,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAS,EAAA;AAAA,QACJ,GAAA,IAAA,CAAK,sBAAuB,CAAA,OAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAS,KAAK,CAAA;AAAA,QAC7C,cAAgB,EAAA,kBAAA;AAAA,OAClB;AAAA,KACD,CAAA,CAAA;AACD,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,MAAMC,oBAAc,CAAA,YAAA,CAAa,QAAQ,CAAA,CAAA;AAAA,KACjD;AAEA,IAAM,MAAA,YAAA,GAAe,MAAM,QAAA,CAAS,IAAK,EAAA,CAAA;AACzC,IAAK,IAAA,CAAA,mBAAA,
CAAoB,SAAS,YAAY,CAAA,CAAA;AAE9C,IAAA,MAAM,gBAAgB,YAAa,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KAAK,CAAM,KAAA;AAC1D,MAAA,GAAA,CAAI,EAAE,EAAM,CAAA,GAAA,CAAA,CAAA;AACZ,MAAO,OAAA,GAAA,CAAA;AAAA,KACT,EAAG,EAAmD,CAAA,CAAA;AAEtD,IAAA,OAAO,QAAQ,KAAM,CAAA,GAAA,CAAI,CAAS,KAAA,KAAA,aAAA,CAAc,MAAM,EAAG,CAAA,CAAA,CAAA;AAAA,GAC3D;AAAA,EAEQ,uBAAuB,KAAwC,EAAA;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,CAAU,OAAA,EAAA,KAAA,CAAA,CAAA,KAAY,EAAC,CAAA;AAAA,GACzD;AAAA,EAEQ,mBAAA,CACN,SACA,IACmC,EAAA;AACnC,IAAM,MAAA,mBAAA,GAAsB,cAAe,CAAA,KAAA,CAAM,IAAI,CAAA,CAAA;AACrD,IAAA,MAAM,cAAc,mBAAoB,CAAA,KAAA,CAAM,GAAI,CAAA,CAAA,CAAA,KAAK,EAAE,EAAE,CAAA,CAAA;AAC3D,IAAM,MAAA,gBAAA,GAAmB,QAAQ,KAAM,CAAA,KAAA,CAAM,OAC3C,WAAY,CAAA,QAAA,CAAS,CAAE,CAAA,EAAE,CAC3B,CAAA,CAAA;AACA,IAAA,IAAI,CAAC,gBAAkB,EAAA;AACrB,MAAM,MAAA,IAAI,MACR,2DACF,CAAA,CAAA;AAAA,KACF;AAAA,GACF;AACF;;;;;;;;;;;"}
@@ -0,0 +1,273 @@
1
+ import { Config } from '@backstage/config';
2
+
3
+ /**
4
+ * The attributes related to a given permission; these should be generic and widely applicable to
5
+ * all permissions in the system.
6
+ * @public
7
+ */
8
+ declare type PermissionAttributes = {
9
+ action?: 'create' | 'read' | 'update' | 'delete';
10
+ };
11
+ /**
12
+ * Generic type for building {@link Permission} types.
13
+ * @public
14
+ */
15
+ declare type PermissionBase<TType extends string, TFields extends object> = {
16
+ /**
17
+ * The name of the permission.
18
+ */
19
+ name: string;
20
+ /**
21
+ * {@link PermissionAttributes} which describe characteristics of the permission, to help
22
+ * policy authors make consistent decisions for similar permissions without referring to them
23
+ * all by name.
24
+ */
25
+ attributes: PermissionAttributes;
26
+ } & {
27
+ /**
28
+ * String value indicating the type of the permission (e.g. 'basic',
29
+ * 'resource'). The allowed authorization flows in the permission system
30
+ * depend on the type. For example, a `resourceRef` should only be provided
31
+ * when authorizing permissions of type 'resource'.
32
+ */
33
+ type: TType;
34
+ } & TFields;
35
+ /**
36
+ * A permission that can be checked through authorization.
37
+ *
38
+ * @remarks
39
+ *
40
+ * Permissions are the "what" part of authorization, the action to be performed. This may be reading
41
+ * an entity from the catalog, executing a software template, or any other action a plugin author
42
+ * may wish to protect.
43
+ *
44
+ * To evaluate authorization, a permission is paired with a Backstage identity (the "who") and
45
+ * evaluated using an authorization policy.
46
+ * @public
47
+ */
48
+ declare type Permission = BasicPermission | ResourcePermission;
49
+ /**
50
+ * A standard {@link Permission} with no additional capabilities or restrictions.
51
+ * @public
52
+ */
53
+ declare type BasicPermission = PermissionBase<'basic', {}>;
54
+ /**
55
+ * ResourcePermissions are {@link Permission}s that can be authorized based on
56
+ * characteristics of a resource such a catalog entity.
57
+ * @public
58
+ */
59
+ declare type ResourcePermission<TResourceType extends string = string> = PermissionBase<'resource', {
60
+ /**
61
+ * Denotes the type of the resource whose resourceRef should be passed when
62
+ * authorizing.
63
+ */
64
+ resourceType: TResourceType;
65
+ }>;
66
+ /**
67
+ * A client interacting with the permission backend can implement this authorizer interface.
68
+ * @public
69
+ */
70
+ interface PermissionAuthorizer {
71
+ authorize(queries: AuthorizeQuery[], options?: AuthorizeRequestOptions): Promise<AuthorizeDecision[]>;
72
+ }
73
+ /**
74
+ * Options for authorization requests.
75
+ * @public
76
+ */
77
+ declare type AuthorizeRequestOptions = {
78
+ token?: string;
79
+ };
80
+
81
+ /**
82
+ * A request with a UUID identifier, so that batched responses can be matched up with the original
83
+ * requests.
84
+ * @public
85
+ */
86
+ declare type Identified<T> = T & {
87
+ id: string;
88
+ };
89
+ /**
90
+ * The result of an authorization request.
91
+ * @public
92
+ */
93
+ declare enum AuthorizeResult {
94
+ /**
95
+ * The authorization request is denied.
96
+ */
97
+ DENY = "DENY",
98
+ /**
99
+ * The authorization request is allowed.
100
+ */
101
+ ALLOW = "ALLOW",
102
+ /**
103
+ * The authorization request is allowed if the provided conditions are met.
104
+ */
105
+ CONDITIONAL = "CONDITIONAL"
106
+ }
107
+ /**
108
+ * An individual authorization request for {@link PermissionClient#authorize}.
109
+ * @public
110
+ */
111
+ declare type AuthorizeQuery = {
112
+ permission: Permission;
113
+ resourceRef?: string;
114
+ };
115
+ /**
116
+ * A batch of authorization requests from {@link PermissionClient#authorize}.
117
+ * @public
118
+ */
119
+ declare type AuthorizeRequest = {
120
+ items: Identified<AuthorizeQuery>[];
121
+ };
122
+ /**
123
+ * A condition returned with a CONDITIONAL authorization response.
124
+ *
125
+ * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For
126
+ * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity
127
+ * claims from a identity token.
128
+ * @public
129
+ */
130
+ declare type PermissionCondition<TParams extends unknown[] = unknown[]> = {
131
+ rule: string;
132
+ params: TParams;
133
+ };
134
+ /**
135
+ * Utility type to represent an array with 1 or more elements.
136
+ * @ignore
137
+ */
138
+ declare type NonEmptyArray<T> = [T, ...T[]];
139
+ /**
140
+ * Represents a logical AND for the provided criteria.
141
+ * @public
142
+ */
143
+ declare type AllOfCriteria<TQuery> = {
144
+ allOf: NonEmptyArray<PermissionCriteria<TQuery>>;
145
+ };
146
+ /**
147
+ * Represents a logical OR for the provided criteria.
148
+ * @public
149
+ */
150
+ declare type AnyOfCriteria<TQuery> = {
151
+ anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;
152
+ };
153
+ /**
154
+ * Represents a negation of the provided criteria.
155
+ * @public
156
+ */
157
+ declare type NotCriteria<TQuery> = {
158
+ not: PermissionCriteria<TQuery>;
159
+ };
160
+ /**
161
+ * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.
162
+ * @public
163
+ */
164
+ declare type PermissionCriteria<TQuery> = AllOfCriteria<TQuery> | AnyOfCriteria<TQuery> | NotCriteria<TQuery> | TQuery;
165
+ /**
166
+ * An individual authorization response from {@link PermissionClient#authorize}.
167
+ * @public
168
+ */
169
+ declare type AuthorizeDecision = {
170
+ result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
171
+ } | {
172
+ result: AuthorizeResult.CONDITIONAL;
173
+ conditions: PermissionCriteria<PermissionCondition>;
174
+ };
175
+ /**
176
+ * A batch of authorization responses from {@link PermissionClient#authorize}.
177
+ * @public
178
+ */
179
+ declare type AuthorizeResponse = {
180
+ items: Identified<AuthorizeDecision>[];
181
+ };
182
+
183
+ /**
184
+ * This is a copy of the core DiscoveryApi, to avoid importing core.
185
+ *
186
+ * @public
187
+ */
188
+ declare type DiscoveryApi = {
189
+ getBaseUrl(pluginId: string): Promise<string>;
190
+ };
191
+
192
+ /**
193
+ * Check if a given permission is a {@link ResourcePermission}. When
194
+ * `resourceType` is supplied as the second parameter, also checks if
195
+ * the permission has the specified resource type.
196
+ * @public
197
+ */
198
+ declare function isResourcePermission<T extends string = string>(permission: Permission, resourceType?: T): permission is ResourcePermission<T>;
199
+ /**
200
+ * Check if a given permission is related to a create action.
201
+ * @public
202
+ */
203
+ declare function isCreatePermission(permission: Permission): boolean;
204
+ /**
205
+ * Check if a given permission is related to a read action.
206
+ * @public
207
+ */
208
+ declare function isReadPermission(permission: Permission): boolean;
209
+ /**
210
+ * Check if a given permission is related to an update action.
211
+ * @public
212
+ */
213
+ declare function isUpdatePermission(permission: Permission): boolean;
214
+ /**
215
+ * Check if a given permission is related to a delete action.
216
+ * @public
217
+ */
218
+ declare function isDeletePermission(permission: Permission): boolean;
219
+
220
+ /**
221
+ * Utility function for creating a valid {@link ResourcePermission}, inferring
222
+ * the appropriate type and resource type parameter.
223
+ *
224
+ * @public
225
+ */
226
+ declare function createPermission<TResourceType extends string>(input: {
227
+ name: string;
228
+ attributes: PermissionAttributes;
229
+ resourceType: TResourceType;
230
+ }): ResourcePermission<TResourceType>;
231
+ /**
232
+ * Utility function for creating a valid {@link BasicPermission}.
233
+ *
234
+ * @public
235
+ */
236
+ declare function createPermission(input: {
237
+ name: string;
238
+ attributes: PermissionAttributes;
239
+ }): BasicPermission;
240
+
241
+ /**
242
+ * An isomorphic client for requesting authorization for Backstage permissions.
243
+ * @public
244
+ */
245
+ declare class PermissionClient implements PermissionAuthorizer {
246
+ private readonly enabled;
247
+ private readonly discovery;
248
+ constructor(options: {
249
+ discovery: DiscoveryApi;
250
+ config: Config;
251
+ });
252
+ /**
253
+ * Request authorization from the permission-backend for the given set of permissions.
254
+ *
255
+ * Authorization requests check that a given Backstage user can perform a protected operation,
256
+ * potentially for a specific resource (such as a catalog entity). The Backstage identity token
257
+ * should be included in the `options` if available.
258
+ *
259
+ * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.
260
+ *
261
+ * The response will be either ALLOW or DENY when either the permission has no resourceType, or a
262
+ * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be
263
+ * returned if no resourceRef is provided in the request. Conditional responses are intended only
264
+ * for backends which have access to the data source for permissioned resources, so that filters
265
+ * can be applied when loading collections of resources.
266
+ * @public
267
+ */
268
+ authorize(queries: AuthorizeQuery[], options?: AuthorizeRequestOptions): Promise<AuthorizeDecision[]>;
269
+ private getAuthorizationHeader;
270
+ private assertValidResponse;
271
+ }
272
+
273
+ export { AllOfCriteria, AnyOfCriteria, AuthorizeDecision, AuthorizeQuery, AuthorizeRequest, AuthorizeRequestOptions, AuthorizeResponse, AuthorizeResult, BasicPermission, DiscoveryApi, Identified, NotCriteria, Permission, PermissionAttributes, PermissionAuthorizer, PermissionBase, PermissionClient, PermissionCondition, PermissionCriteria, ResourcePermission, createPermission, isCreatePermission, isDeletePermission, isReadPermission, isResourcePermission, isUpdatePermission };
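--- a/package/dist/index.esm.js
+++ b/package/dist/index.esm.js
@@ -10,6 +10,12 @@ var AuthorizeResult = /* @__PURE__ */ ((AuthorizeResult2) => {
 return AuthorizeResult2;
 })(AuthorizeResult || {});
 
+function isResourcePermission(permission, resourceType) {
+if (!("resourceType" in permission)) {
+return false;
+}
+return !resourceType || permission.resourceType === resourceType;
+}
 function isCreatePermission(permission) {
 return permission.attributes.action === "create";
 }
@@ -23,6 +29,26 @@ function isDeletePermission(permission) {
 return permission.attributes.action === "delete";
 }
 
+function createPermission({
+name,
+attributes,
+resourceType
+}) {
+if (resourceType) {
+return {
+type: "resource",
+name,
+attributes,
+resourceType
+};
+}
+return {
+type: "basic",
+name,
+attributes
+};
+}
+
 const permissionCriteriaSchema = z.lazy(() => z.object({
 rule: z.string(),
 params: z.array(z.unknown())
@@ -86,5 +112,5 @@ class PermissionClient {
 }
 }
 
-export { AuthorizeResult, PermissionClient, isCreatePermission, isDeletePermission, isReadPermission, isUpdatePermission };
+export { AuthorizeResult, PermissionClient, createPermission, isCreatePermission, isDeletePermission, isReadPermission, isResourcePermission, isUpdatePermission };
 //# sourceMappingURL=index.esm.js.map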
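Review bot: In the first hunk, `isResourcePermission` narrows to `ResourcePermission` on key presence (`"resourceType" in permission`) rather than on the `type` discriminant that every permission built by `createPermission` in the second hunk carries, so a permission whose `type` is `"basic"` but which happens to hold a `resourceType` key (for example `resourceType: undefined` left over from a spread, or an inherited property, since `in` also walks the prototype chain) is classified as a resource permission and would be treated as eligible for `resourceRef`-scoped authorization. Checking the discriminant makes the guard agree with the data model: `return permission.type === "resource" && (!resourceType || permission.resourceType === resourceType);`. Relatedly, both `!resourceType` here and `if (resourceType)` in `createPermission` treat an empty-string resource type as absent, so a caller passing `resourceType: ""` silently gets a `"basic"` permission back even though the declared overload types the result as a `ResourcePermission`; if the empty string is never a valid resource type, rejecting it explicitly (or testing `resourceType !== undefined`) would surface that instead of hiding it.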
@@ -1 +1 @@
1
- {"version":3,"file":"index.esm.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An individual authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeQuery = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A batch of authorization requests from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n items: Identified<AuthorizeQuery>[];\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. 
For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represnts a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represnts a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | AllOfCriteria<TQuery>\n | AnyOfCriteria<TQuery>\n | NotCriteria<TQuery>\n | TQuery;\n\n/**\n * An individual authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeDecision =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n\n/**\n * A batch of authorization responses from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse = {\n items: Identified<AuthorizeDecision>[];\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * 
distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeQuery,\n AuthorizeDecision,\n 
Identified,\n PermissionCriteria,\n PermissionCondition,\n AuthorizeResponse,\n AuthorizeRequest,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n PermissionAuthorizer,\n AuthorizeRequestOptions,\n} from './types/permission';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .strict()\n .or(\n z\n .object({ anyOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(\n z\n .object({ allOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(z.object({ not: permissionCriteriaSchema }).strict()),\n);\n\nconst responseSchema = z.object({\n items: z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n ),\n});\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionAuthorizer {\n private readonly enabled: boolean;\n private readonly discovery: DiscoveryApi;\n\n constructor(options: { discovery: DiscoveryApi; config: Config }) {\n this.discovery = options.discovery;\n this.enabled =\n options.config.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). 
The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n queries: AuthorizeQuery[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeDecision[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const request: AuthorizeRequest = {\n items: queries.map(query => ({\n id: uuid.v4(),\n ...query,\n })),\n };\n\n const permissionApi = await this.discovery.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(request),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const responseBody = await response.json();\n this.assertValidResponse(request, responseBody);\n\n const responsesById = responseBody.items.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeDecision>>);\n\n return 
request.items.map(query => responsesById[query.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponse(\n request: AuthorizeRequest,\n json: any,\n ): asserts json is AuthorizeResponse {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.items.map(r => r.id);\n const hasAllRequestIds = request.items.every(r =>\n responseIds.includes(r.id),\n );\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":[],"mappings":";;;;;IA6BY,oCAAA,qBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAZJ;AAAA;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;ACV1C,MAAM,2BAEF,EAAE,KAAK,MACT,EACG,OAAO;AAAA,EACN,MAAM,EAAE;AAAA,EACR,QAAQ,EAAE,MAAM,EAAE;AAAA,GAEnB,SACA,GACC,EACG,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,cAClD,UAEJ,GACC,EACG,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,cAClD,UAEJ,GAAG,EAAE,OAAO,EAAE,KAAK,4BAA4B;AAGpD,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,OAAO,EAAE,MACP,EACG,OAAO;AAAA,IACN,IAAI,EAAE;AAAA,IACN,QAAQ,EACL,QAAQ,gBAAgB,OACxB,GAAG,EAAE,QAAQ,gBAAgB;AAAA,KAEjC,GACC,EAAE,OAAO;AAAA,IACP,IAAI,EAAE;AAAA,IACN,QAAQ,EAAE,QAAQ,gBAAgB;AAAA,IAClC,YAAY;AAAA;AAAA;uBAUwC;AAAA,EAI5D,YAAY,SAAsD;AAtFpE;AAuFI,SAAK,YAAY,QAAQ;AACzB,SAAK,UACH,cAAQ,OAAO,mBAAmB,0BAAlC,YAA2D;AAAA;AAAA,QAmBzD,UACJ,SACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,QAAQ,IAAI,UAAQ,QAAQ,gBAAgB;AAAA;AAGrD,UAAM,UAA4B;AAAA,MAChC,OAAO,QAAQ,IAAI;AAAU,QAC3B,IAAI,KAAK;AAAA,WACN;AAAA;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,UAAU,WAAW;AACtD,UAAM,WAAW,MAAM,MAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAM,cAAc,aAAa;AAAA;AAGzC,UAAM,eAAe,MAAM,SAAS;AACpC,SAAK,oBAAoB,SAAS;AAElC,U
AAM,gBAAgB,aAAa,MAAM,OAAO,CAAC,KAAK,MAAM;AAC1D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,QAAQ,MAAM,IAAI,WAAS,cAAc,MAAM;AAAA;AAAA,EAGhD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,EAAE,eAAe,UAAU,YAAY;AAAA;AAAA,EAGhD,oBACN,SACA,MACmC;AACnC,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,MAAM,IAAI,OAAK,EAAE;AACzD,UAAM,mBAAmB,QAAQ,MAAM,MAAM,OAC3C,YAAY,SAAS,EAAE;AAEzB,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;"}
1
+ {"version":3,"file":"index.esm.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/permissions/createPermission.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An individual authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeQuery = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A batch of authorization requests from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n items: Identified<AuthorizeQuery>[];\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. 
For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | AllOfCriteria<TQuery>\n | AnyOfCriteria<TQuery>\n | NotCriteria<TQuery>\n | TQuery;\n\n/**\n * An individual authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeDecision =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n\n/**\n * A batch of authorization responses from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse = {\n items: Identified<AuthorizeDecision>[];\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n 
* distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission, ResourcePermission } from '../types';\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n permission: Permission,\n resourceType?: T,\n): permission is ResourcePermission<T> {\n if (!('resourceType' in permission)) {\n return false;\n }\n\n return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, 
software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n BasicPermission,\n Permission,\n PermissionAttributes,\n ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n name: string;\n attributes: PermissionAttributes;\n resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n name: string;\n attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n name,\n attributes,\n resourceType,\n}: {\n name: string;\n attributes: PermissionAttributes;\n resourceType?: string;\n}): Permission {\n if (resourceType) {\n return {\n type: 'resource',\n name,\n attributes,\n resourceType,\n };\n }\n\n return {\n type: 'basic',\n name,\n attributes,\n };\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from 
'@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeQuery,\n AuthorizeDecision,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n AuthorizeResponse,\n AuthorizeRequest,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n PermissionAuthorizer,\n AuthorizeRequestOptions,\n} from './types/permission';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .strict()\n .or(\n z\n .object({ anyOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(\n z\n .object({ allOf: z.array(permissionCriteriaSchema).nonempty() })\n .strict(),\n )\n .or(z.object({ not: permissionCriteriaSchema }).strict()),\n);\n\nconst responseSchema = z.object({\n items: z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n ),\n});\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionAuthorizer {\n private readonly enabled: boolean;\n private readonly discovery: DiscoveryApi;\n\n constructor(options: { discovery: DiscoveryApi; config: Config }) {\n this.discovery = options.discovery;\n this.enabled =\n options.config.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). 
The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n queries: AuthorizeQuery[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeDecision[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const request: AuthorizeRequest = {\n items: queries.map(query => ({\n id: uuid.v4(),\n ...query,\n })),\n };\n\n const permissionApi = await this.discovery.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(request),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const responseBody = await response.json();\n this.assertValidResponse(request, responseBody);\n\n const responsesById = responseBody.items.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeDecision>>);\n\n return 
request.items.map(query => responsesById[query.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponse(\n request: AuthorizeRequest,\n json: any,\n ): asserts json is AuthorizeResponse {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.items.map(r => r.id);\n const hasAllRequestIds = request.items.every(r =>\n responseIds.includes(r.id),\n );\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":[],"mappings":";;;;;AA6BY,IAAA,eAAA,qBAAA,gBAAL,KAAA;AAIL,EAAO,gBAAA,CAAA,MAAA,CAAA,GAAA,MAAA,CAAA;AAIP,EAAQ,gBAAA,CAAA,OAAA,CAAA,GAAA,OAAA,CAAA;AAIR,EAAc,gBAAA,CAAA,aAAA,CAAA,GAAA,aAAA,CAAA;AAZJ,EAAA,OAAA,gBAAA,CAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;ACLL,SAAA,oBAAA,CACL,YACA,YACqC,EAAA;AACrC,EAAI,IAAA,oBAAoB,UAAa,CAAA,EAAA;AACnC,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAO,OAAA,CAAC,YAAgB,IAAA,UAAA,CAAW,YAAiB,KAAA,YAAA,CAAA;AACtD,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,gBAAA,CAA0B,UAAwB,EAAA;AACvD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,MAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C,CAAA;AAMO,SAAA,kBAAA,CAA4B,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA,CAAA;AAC1C;;ACtBiC,SAAA,gBAAA,CAAA;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,CAKa,EAAA;AACb,EAAA,IAAI,YAAc,EAAA;AAChB,IAAO,OAAA;AAAA,MACL,IAAM,EAAA,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA,YAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,IAAM,EAAA,OAAA;AAAA,IACN,IAAA;AAAA,IACA,UAAA;AAAA,GACF,CAAA;AACF;;AC7BA,MAAM,wBAEF,GAAA,CAAA,CAAE,IAAK,CAAA,MACT,EACG,MAAO,CAAA;AAAA,EACN,IAAA,EAAM,EAAE,MAAO,EAAA;AAAA,EACf,MAAQ,EAAA,CAAA,CAAE,KAAM,CAAA,CAAA,CAAE,SAAS,CAAA;AAC7B,CAAC,CAAA,CACA,QACA,CAAA,EAAA,CACC,EACG,MAAO,CAAA,EAAE,OAA
O,CAAE,CAAA,KAAA,CAAM,wBAAwB,CAAE,CAAA,QAAA,IAAY,CAAA,CAC9D,QACL,CAAA,CACC,GACC,CACG,CAAA,MAAA,CAAO,EAAE,KAAO,EAAA,CAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,UAAW,EAAC,EAC9D,MAAO,EACZ,EACC,EAAG,CAAA,CAAA,CAAE,OAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA,CAAE,MAAO,EAAC,CAC5D,CAAA,CAAA;AAEA,MAAM,cAAA,GAAiB,EAAE,MAAO,CAAA;AAAA,EAC9B,KAAO,EAAA,CAAA,CAAE,KACP,CAAA,CAAA,CACG,MAAO,CAAA;AAAA,IACN,EAAA,EAAI,EAAE,MAAO,EAAA;AAAA,IACb,MAAA,EAAQ,CACL,CAAA,OAAA,CAAQ,eAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAG,CAAE,CAAA,OAAA,CAAQ,eAAgB,CAAA,IAAI,CAAC,CAAA;AAAA,GACtC,CAAA,CACA,EACC,CAAA,CAAA,CAAE,MAAO,CAAA;AAAA,IACP,EAAA,EAAI,EAAE,MAAO,EAAA;AAAA,IACb,MAAQ,EAAA,CAAA,CAAE,OAAQ,CAAA,eAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,UAAY,EAAA,wBAAA;AAAA,GACb,CACH,CACJ,CAAA;AACF,CAAC,CAAA,CAAA;AAMM,MAAM,gBAAiD,CAAA;AAAA,EAI5D,YAAY,OAAsD,EAAA;AAtFpE,IAAA,IAAA,EAAA,CAAA;AAuFI,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,UACH,CAAQ,EAAA,GAAA,OAAA,CAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,MAAtD,IAA2D,GAAA,EAAA,GAAA,KAAA,CAAA;AAAA,GAC/D;AAAA,EAkBM,MAAA,SAAA,CACJ,SACA,OAC8B,EAAA;AAM9B,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,QAAQ,MAAQ,EAAA,eAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC7D;AAEA,IAAA,MAAM,OAA4B,GAAA;AAAA,MAChC,KAAA,EAAO,OAAQ,CAAA,GAAA,CAAI,CAAU,KAAA,MAAA;AAAA,QAC3B,EAAA,EAAI,KAAK,EAAG,EAAA;AAAA,QACT,GAAA,KAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACJ,CAAA;AAEA,IAAA,MAAM,aAAgB,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,YAAY,CAAA,CAAA;AAClE,IAAA,MAAM,QAAW,GAAA,MAAM,KAAM,CAAA,CAAA,EAAG,aAA2B,CAAA,UAAA,CAAA,EAAA;AAAA,MACzD,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,IAAK,CAAA,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAS,EAAA;AAAA,QACJ,GAAA,IAAA,CAAK,sBAAuB,CAAA,OAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAS,KAAK,CAAA;AAAA,QAC7C,cAAgB,EAAA,kBAAA;AAAA,OAClB;AAAA,KACD,CAAA,CAAA;AACD,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,MAAM,aAAc,CAAA,YAAA,CAAa,QAAQ,CAAA,CAAA;AAAA,KACjD;AAEA,IAAM,MAAA,YAAA,GAAe,MAAM,QAAA,CAAS,IAAK,EAAA,CAAA;AACzC,IAAK,IAAA,CAAA,mBAAA,CAAoB,SAAS,YAAY,CAAA,CAAA;AAE9C,IAAA,MAAM,gBAAgB,YAAa,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KA
AK,CAAM,KAAA;AAC1D,MAAA,GAAA,CAAI,EAAE,EAAM,CAAA,GAAA,CAAA,CAAA;AACZ,MAAO,OAAA,GAAA,CAAA;AAAA,KACT,EAAG,EAAmD,CAAA,CAAA;AAEtD,IAAA,OAAO,QAAQ,KAAM,CAAA,GAAA,CAAI,CAAS,KAAA,KAAA,aAAA,CAAc,MAAM,EAAG,CAAA,CAAA,CAAA;AAAA,GAC3D;AAAA,EAEQ,uBAAuB,KAAwC,EAAA;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,CAAU,OAAA,EAAA,KAAA,CAAA,CAAA,KAAY,EAAC,CAAA;AAAA,GACzD;AAAA,EAEQ,mBAAA,CACN,SACA,IACmC,EAAA;AACnC,IAAM,MAAA,mBAAA,GAAsB,cAAe,CAAA,KAAA,CAAM,IAAI,CAAA,CAAA;AACrD,IAAA,MAAM,cAAc,mBAAoB,CAAA,KAAA,CAAM,GAAI,CAAA,CAAA,CAAA,KAAK,EAAE,EAAE,CAAA,CAAA;AAC3D,IAAM,MAAA,gBAAA,GAAmB,QAAQ,KAAM,CAAA,KAAA,CAAM,OAC3C,WAAY,CAAA,QAAA,CAAS,CAAE,CAAA,EAAE,CAC3B,CAAA,CAAA;AACA,IAAA,IAAI,CAAC,gBAAkB,EAAA;AACrB,MAAM,MAAA,IAAI,MACR,2DACF,CAAA,CAAA;AAAA,KACF;AAAA,GACF;AACF;;;;"}
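--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "@backstage/plugin-permission-common",
  "description": "Isomorphic types and client for Backstage permissions and authorization",
- "version": "0.0.0-nightly-20220303023541",
+ "version": "0.0.0-nightly-20220323023253",
  "main": "dist/index.cjs.js",
  "types": "dist/index.d.ts",
  "publishConfig": {
@@ -41,14 +41,14 @@
  "url": "https://github.com/backstage/backstage/issues"
  },
  "dependencies": {
- "@backstage/config": "^0.1.15",
- "@backstage/errors": "^0.2.2",
+ "@backstage/config": "^1.0.0",
+ "@backstage/errors": "^1.0.0",
  "cross-fetch": "^3.1.5",
  "uuid": "^8.0.0",
  "zod": "^3.11.6"
  },
  "devDependencies": {
- "@backstage/cli": "^0.0.0-nightly-20220303023541",
+ "@backstage/cli": "^0.0.0-nightly-20220323023253",
  "@types/jest": "^26.0.7",
  "msw": "^0.35.0"
  },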