@backstage/plugin-permission-common 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/CHANGELOG.md +12 -0
  2. package/dist/index.cjs.js +1 -1
  3. package/dist/index.cjs.js.map +1 -1
  4. package/dist/index.d.ts +3 -1
  5. package/dist/index.esm.js +1 -1
  6. package/dist/index.esm.js.map +1 -1
  7. package/package.json +5 -4
package/CHANGELOG.md ADDED
@@ -0,0 +1,12 @@
1
+ # @backstage/plugin-permission-common
2
+
3
+ ## 0.2.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 92439056fb: Accept configApi rather than enabled flag in PermissionClient constructor.
8
+
9
+ ### Patch Changes
10
+
11
+ - Updated dependencies
12
+ - @backstage/errors@0.1.5
package/dist/index.cjs.js CHANGED
@@ -68,7 +68,7 @@ class PermissionClient {
68
68
  constructor(options) {
69
69
  var _a;
70
70
  this.discoveryApi = options.discoveryApi;
71
- this.enabled = (_a = options.enabled) != null ? _a : false;
71
+ this.enabled = (_a = options.configApi.getOptionalBoolean("permission.enabled")) != null ? _a : false;
72
72
  }
73
73
  async authorize(requests, options) {
74
74
  if (!this.enabled) {
package/dist/index.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | { allOf: PermissionCriteria<TQuery>[] }\n | { anyOf: PermissionCriteria<TQuery>[] }\n | { not: PermissionCriteria<TQuery> }\n | TQuery;\n\n/**\n * An authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeRequest,\n AuthorizeResponse,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .or(z.object({ anyOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ allOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst responseSchema = z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n);\n\n/**\n * Options for authorization requests; currently only an optional auth token.\n * @public\n */\nexport type AuthorizeRequestOptions = {\n token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient {\n private readonly enabled: boolean;\n private readonly discoveryApi: DiscoveryApi;\n\n constructor(options: { discoveryApi: DiscoveryApi; enabled?: boolean }) {\n this.discoveryApi = options.discoveryApi;\n this.enabled = options.enabled ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n requests: AuthorizeRequest[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeResponse[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const identifiedRequests: Identified<AuthorizeRequest>[] = requests.map(\n request => ({\n id: uuid.v4(),\n ...request,\n }),\n );\n\n const permissionApi = await this.discoveryApi.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(identifiedRequests),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const identifiedResponses = await response.json();\n this.assertValidResponses(identifiedRequests, identifiedResponses);\n\n const responsesById = identifiedResponses.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeResponse>>);\n\n return identifiedRequests.map(request => responsesById[request.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponses(\n requests: Identified<AuthorizeRequest>[],\n json: any,\n ): asserts json is Identified<AuthorizeResponse>[] {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.map(r => r.id);\n const hasAllRequestIds = requests.every(r => responseIds.includes(r.id));\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":["AuthorizeResult","z","uuid","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BYA;AAAL,UAAK,kBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAAA,GAZJA;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;ACjB1C,MAAM,2BAEFC,MAAE,KAAK,MACTA,MACG,OAAO;AAAA,EACN,MAAMA,MAAE;AAAA,EACR,QAAQA,MAAE,MAAMA,MAAE;AAAA,GAEnB,GAAGA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM,6BAC7B,GAAGA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM,6BAC7B,GAAGA,MAAE,OAAO,CAAE,KAAK;AAGxB,MAAM,iBAAiBA,MAAE,MACvBA,MACG,OAAO;AAAA,EACN,IAAIA,MAAE;AAAA,EACN,QAAQA,MACL,QAAQD,wBAAgB,OACxB,GAAGC,MAAE,QAAQD,wBAAgB;AAAA,GAEjC,GACCC,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,QAAQA,MAAE,QAAQD,wBAAgB;AAAA,EAClC,YAAY;AAAA;uBAiBU;AAAA,EAI5B,YAAY,SAA4D;AA5E1E;AA6EI,SAAK,eAAe,QAAQ;AAC5B,SAAK,UAAU,cAAQ,YAAR,YAAmB;AAAA;AAAA,QAmB9B,UACJ,UACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,SAAS,IAAI,SAAQ,QAAQA,wBAAgB;AAAA;AAGtD,UAAM,qBAAqD,SAAS,IAClE;AAAY,MACV,IAAIE,gBAAK;AAAA,SACN;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,aAAa,WAAW;AACzD,UAAM,WAAW,MAAMC,0BAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAMC,qBAAc,aAAa;AAAA;AAGzC,UAAM,sBAAsB,MAAM,SAAS;AAC3C,SAAK,qBAAqB,oBAAoB;AAE9C,UAAM,gBAAgB,oBAAoB,OAAO,CAAC,KAAK,MAAM;AAC3D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,mBAAmB,IAAI,aAAW,cAAc,QAAQ;AAAA;AAAA,EAGzD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,CAAE,eAAe,UAAU,WAAY;AAAA;AAAA,EAGhD,qBACN,UACA,MACiD;AACjD,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,IAAI,OAAK,EAAE;AACnD,UAAM,mBAAmB,SAAS,MAAM,OAAK,YAAY,SAAS,EAAE;AACpE,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;;;;;"}
1
+ {"version":3,"file":"index.cjs.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | { allOf: PermissionCriteria<TQuery>[] }\n | { anyOf: PermissionCriteria<TQuery>[] }\n | { not: PermissionCriteria<TQuery> }\n | TQuery;\n\n/**\n * An authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeRequest,\n AuthorizeResponse,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .or(z.object({ anyOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ allOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst responseSchema = z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n);\n\n/**\n * Options for authorization requests; currently only an optional auth token.\n * @public\n */\nexport type AuthorizeRequestOptions = {\n token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient {\n private readonly enabled: boolean;\n private readonly discoveryApi: DiscoveryApi;\n\n constructor(options: { discoveryApi: DiscoveryApi; configApi: Config }) {\n this.discoveryApi = options.discoveryApi;\n this.enabled =\n options.configApi.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n requests: AuthorizeRequest[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeResponse[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const identifiedRequests: Identified<AuthorizeRequest>[] = requests.map(\n request => ({\n id: uuid.v4(),\n ...request,\n }),\n );\n\n const permissionApi = await this.discoveryApi.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(identifiedRequests),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const identifiedResponses = await response.json();\n this.assertValidResponses(identifiedRequests, identifiedResponses);\n\n const responsesById = identifiedResponses.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeResponse>>);\n\n return identifiedRequests.map(request => responsesById[request.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponses(\n requests: Identified<AuthorizeRequest>[],\n json: any,\n ): asserts json is Identified<AuthorizeResponse>[] {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.map(r => r.id);\n const hasAllRequestIds = requests.every(r => responseIds.includes(r.id));\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":["AuthorizeResult","z","uuid","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BYA;AAAL,UAAK,kBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAAA,GAZJA;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;AChB1C,MAAM,2BAEFC,MAAE,KAAK,MACTA,MACG,OAAO;AAAA,EACN,MAAMA,MAAE;AAAA,EACR,QAAQA,MAAE,MAAMA,MAAE;AAAA,GAEnB,GAAGA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM,6BAC7B,GAAGA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM,6BAC7B,GAAGA,MAAE,OAAO,CAAE,KAAK;AAGxB,MAAM,iBAAiBA,MAAE,MACvBA,MACG,OAAO;AAAA,EACN,IAAIA,MAAE;AAAA,EACN,QAAQA,MACL,QAAQD,wBAAgB,OACxB,GAAGC,MAAE,QAAQD,wBAAgB;AAAA,GAEjC,GACCC,MAAE,OAAO;AAAA,EACP,IAAIA,MAAE;AAAA,EACN,QAAQA,MAAE,QAAQD,wBAAgB;AAAA,EAClC,YAAY;AAAA;uBAiBU;AAAA,EAI5B,YAAY,SAA4D;AA7E1E;AA8EI,SAAK,eAAe,QAAQ;AAC5B,SAAK,UACH,cAAQ,UAAU,mBAAmB,0BAArC,YAA8D;AAAA;AAAA,QAmB5D,UACJ,UACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,SAAS,IAAI,SAAQ,QAAQA,wBAAgB;AAAA;AAGtD,UAAM,qBAAqD,SAAS,IAClE;AAAY,MACV,IAAIE,gBAAK;AAAA,SACN;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,aAAa,WAAW;AACzD,UAAM,WAAW,MAAMC,0BAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAMC,qBAAc,aAAa;AAAA;AAGzC,UAAM,sBAAsB,MAAM,SAAS;AAC3C,SAAK,qBAAqB,oBAAoB;AAE9C,UAAM,gBAAgB,oBAAoB,OAAO,CAAC,KAAK,MAAM;AAC3D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,mBAAmB,IAAI,aAAW,cAAc,QAAQ;AAAA;AAAA,EAGzD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,CAAE,eAAe,UAAU,WAAY;AAAA;AAAA,EAGhD,qBACN,UACA,MACiD;AACjD,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,IAAI,OAAK,EAAE;AACnD,UAAM,mBAAmB,SAAS,MAAM,OAAK,YAAY,SAAS,EAAE;AACpE,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;;;;;"}
package/dist/index.d.ts CHANGED
@@ -1,3 +1,5 @@
1
+ import { Config } from '@backstage/config';
2
+
1
3
  /**
2
4
  * The attributes related to a given permission; these should be generic and widely applicable to
3
5
  * all permissions in the system.
@@ -137,7 +139,7 @@ declare class PermissionClient {
137
139
  private readonly discoveryApi;
138
140
  constructor(options: {
139
141
  discoveryApi: DiscoveryApi;
140
- enabled?: boolean;
142
+ configApi: Config;
141
143
  });
142
144
  /**
143
145
  * Request authorization from the permission-backend for the given set of permissions.
package/dist/index.esm.js CHANGED
@@ -39,7 +39,7 @@ class PermissionClient {
39
39
  constructor(options) {
40
40
  var _a;
41
41
  this.discoveryApi = options.discoveryApi;
42
- this.enabled = (_a = options.enabled) != null ? _a : false;
42
+ this.enabled = (_a = options.configApi.getOptionalBoolean("permission.enabled")) != null ? _a : false;
43
43
  }
44
44
  async authorize(requests, options) {
45
45
  if (!this.enabled) {
package/dist/index.esm.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.esm.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | { allOf: PermissionCriteria<TQuery>[] }\n | { anyOf: PermissionCriteria<TQuery>[] }\n | { not: PermissionCriteria<TQuery> }\n | TQuery;\n\n/**\n * An authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeRequest,\n AuthorizeResponse,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .or(z.object({ anyOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ allOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst responseSchema = z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n);\n\n/**\n * Options for authorization requests; currently only an optional auth token.\n * @public\n */\nexport type AuthorizeRequestOptions = {\n token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient {\n private readonly enabled: boolean;\n private readonly discoveryApi: DiscoveryApi;\n\n constructor(options: { discoveryApi: DiscoveryApi; enabled?: boolean }) {\n this.discoveryApi = options.discoveryApi;\n this.enabled = options.enabled ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n requests: AuthorizeRequest[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeResponse[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const identifiedRequests: Identified<AuthorizeRequest>[] = requests.map(\n request => ({\n id: uuid.v4(),\n ...request,\n }),\n );\n\n const permissionApi = await this.discoveryApi.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(identifiedRequests),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const identifiedResponses = await response.json();\n this.assertValidResponses(identifiedRequests, identifiedResponses);\n\n const responsesById = identifiedResponses.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeResponse>>);\n\n return identifiedRequests.map(request => responsesById[request.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponses(\n requests: Identified<AuthorizeRequest>[],\n json: any,\n ): asserts json is Identified<AuthorizeResponse>[] {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.map(r => r.id);\n const hasAllRequestIds = requests.every(r => responseIds.includes(r.id));\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":[],"mappings":";;;;;IA6BY;AAAL,UAAK,kBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAAA,GAZJ;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;ACjB1C,MAAM,2BAEF,EAAE,KAAK,MACT,EACG,OAAO;AAAA,EACN,MAAM,EAAE;AAAA,EACR,QAAQ,EAAE,MAAM,EAAE;AAAA,GAEnB,GAAG,EAAE,OAAO,CAAE,OAAO,EAAE,MAAM,6BAC7B,GAAG,EAAE,OAAO,CAAE,OAAO,EAAE,MAAM,6BAC7B,GAAG,EAAE,OAAO,CAAE,KAAK;AAGxB,MAAM,iBAAiB,EAAE,MACvB,EACG,OAAO;AAAA,EACN,IAAI,EAAE;AAAA,EACN,QAAQ,EACL,QAAQ,gBAAgB,OACxB,GAAG,EAAE,QAAQ,gBAAgB;AAAA,GAEjC,GACC,EAAE,OAAO;AAAA,EACP,IAAI,EAAE;AAAA,EACN,QAAQ,EAAE,QAAQ,gBAAgB;AAAA,EAClC,YAAY;AAAA;uBAiBU;AAAA,EAI5B,YAAY,SAA4D;AA5E1E;AA6EI,SAAK,eAAe,QAAQ;AAC5B,SAAK,UAAU,cAAQ,YAAR,YAAmB;AAAA;AAAA,QAmB9B,UACJ,UACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,SAAS,IAAI,SAAQ,QAAQ,gBAAgB;AAAA;AAGtD,UAAM,qBAAqD,SAAS,IAClE;AAAY,MACV,IAAI,KAAK;AAAA,SACN;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,aAAa,WAAW;AACzD,UAAM,WAAW,MAAM,MAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAM,cAAc,aAAa;AAAA;AAGzC,UAAM,sBAAsB,MAAM,SAAS;AAC3C,SAAK,qBAAqB,oBAAoB;AAE9C,UAAM,gBAAgB,oBAAoB,OAAO,CAAC,KAAK,MAAM;AAC3D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,mBAAmB,IAAI,aAAW,cAAc,QAAQ;AAAA;AAAA,EAGzD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,CAAE,eAAe,UAAU,WAAY;AAAA;AAAA,EAGhD,qBACN,UACA,MACiD;AACjD,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,IAAI,OAAK,EAAE;AACnD,UAAM,mBAAmB,SAAS,MAAM,OAAK,YAAY,SAAS,EAAE;AACpE,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;"}
1
+ {"version":3,"file":"index.esm.js","sources":["../src/types/api.ts","../src/permissions/util.ts","../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type Identified<T> = T & { id: string };\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n /**\n * The authorization request is denied.\n */\n DENY = 'DENY',\n /**\n * The authorization request is allowed.\n */\n ALLOW = 'ALLOW',\n /**\n * The authorization request is allowed if the provided conditions are met.\n */\n CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * An authorization request for {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeRequest = {\n permission: Permission;\n resourceRef?: string;\n};\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<TParams extends unknown[] = unknown[]> = {\n rule: string;\n params: TParams;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n | { allOf: PermissionCriteria<TQuery>[] }\n | { anyOf: PermissionCriteria<TQuery>[] }\n | { not: PermissionCriteria<TQuery> }\n | TQuery;\n\n/**\n * An authorization response from {@link PermissionClient#authorize}.\n * @public\n */\nexport type AuthorizeResponse =\n | { result: AuthorizeResult.ALLOW | AuthorizeResult.DENY }\n | {\n result: AuthorizeResult.CONDITIONAL;\n conditions: PermissionCriteria<PermissionCondition>;\n };\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Permission } from '../types';\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n return permission.attributes.action === 'delete';\n}\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n AuthorizeRequest,\n AuthorizeResponse,\n Identified,\n PermissionCriteria,\n PermissionCondition,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z\n .object({\n rule: z.string(),\n params: z.array(z.unknown()),\n })\n .or(z.object({ anyOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ allOf: z.array(permissionCriteriaSchema) }))\n .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst responseSchema = z.array(\n z\n .object({\n id: z.string(),\n result: z\n .literal(AuthorizeResult.ALLOW)\n .or(z.literal(AuthorizeResult.DENY)),\n })\n .or(\n z.object({\n id: z.string(),\n result: z.literal(AuthorizeResult.CONDITIONAL),\n conditions: permissionCriteriaSchema,\n }),\n ),\n);\n\n/**\n * Options for authorization requests; currently only an optional auth token.\n * @public\n */\nexport type AuthorizeRequestOptions = {\n token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient {\n private readonly enabled: boolean;\n private readonly discoveryApi: DiscoveryApi;\n\n constructor(options: { discoveryApi: DiscoveryApi; configApi: Config }) {\n this.discoveryApi = options.discoveryApi;\n this.enabled =\n options.configApi.getOptionalBoolean('permission.enabled') ?? false;\n }\n\n /**\n * Request authorization from the permission-backend for the given set of permissions.\n *\n * Authorization requests check that a given Backstage user can perform a protected operation,\n * potentially for a specific resource (such as a catalog entity). The Backstage identity token\n * should be included in the `options` if available.\n *\n * Permissions can be imported from plugins exposing them, such as `catalogEntityReadPermission`.\n *\n * The response will be either ALLOW or DENY when either the permission has no resourceType, or a\n * resourceRef is provided in the request. For permissions with a resourceType, CONDITIONAL may be\n * returned if no resourceRef is provided in the request. Conditional responses are intended only\n * for backends which have access to the data source for permissioned resources, so that filters\n * can be applied when loading collections of resources.\n * @public\n */\n async authorize(\n requests: AuthorizeRequest[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeResponse[]> {\n // TODO(permissions): it would be great to provide some kind of typing guarantee that\n // conditional responses will only ever be returned for requests containing a resourceType\n // but no resourceRef. That way clients who aren't prepared to handle filtering according\n // to conditions can be guaranteed that they won't unexpectedly get a CONDITIONAL response.\n\n if (!this.enabled) {\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n const identifiedRequests: Identified<AuthorizeRequest>[] = requests.map(\n request => ({\n id: uuid.v4(),\n ...request,\n }),\n );\n\n const permissionApi = await this.discoveryApi.getBaseUrl('permission');\n const response = await fetch(`${permissionApi}/authorize`, {\n method: 'POST',\n body: JSON.stringify(identifiedRequests),\n headers: {\n ...this.getAuthorizationHeader(options?.token),\n 'content-type': 'application/json',\n },\n });\n if (!response.ok) {\n throw await ResponseError.fromResponse(response);\n }\n\n const identifiedResponses = await response.json();\n this.assertValidResponses(identifiedRequests, identifiedResponses);\n\n const responsesById = identifiedResponses.reduce((acc, r) => {\n acc[r.id] = r;\n return acc;\n }, {} as Record<string, Identified<AuthorizeResponse>>);\n\n return identifiedRequests.map(request => responsesById[request.id]);\n }\n\n private getAuthorizationHeader(token?: string): Record<string, string> {\n return token ? { Authorization: `Bearer ${token}` } : {};\n }\n\n private assertValidResponses(\n requests: Identified<AuthorizeRequest>[],\n json: any,\n ): asserts json is Identified<AuthorizeResponse>[] {\n const authorizedResponses = responseSchema.parse(json);\n const responseIds = authorizedResponses.map(r => r.id);\n const hasAllRequestIds = requests.every(r => responseIds.includes(r.id));\n if (!hasAllRequestIds) {\n throw new Error(\n 'Unexpected authorization response from permission-backend',\n );\n }\n }\n}\n"],"names":[],"mappings":";;;;;IA6BY;AAAL,UAAK,kBAAL;AAIL,6BAAO;AAIP,8BAAQ;AAIR,oCAAc;AAAA,GAZJ;;4BCPuB,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;0BAOT,YAAwB;AACvD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;4BAOP,YAAwB;AACzD,SAAO,WAAW,WAAW,WAAW;AAAA;;AChB1C,MAAM,2BAEF,EAAE,KAAK,MACT,EACG,OAAO;AAAA,EACN,MAAM,EAAE;AAAA,EACR,QAAQ,EAAE,MAAM,EAAE;AAAA,GAEnB,GAAG,EAAE,OAAO,CAAE,OAAO,EAAE,MAAM,6BAC7B,GAAG,EAAE,OAAO,CAAE,OAAO,EAAE,MAAM,6BAC7B,GAAG,EAAE,OAAO,CAAE,KAAK;AAGxB,MAAM,iBAAiB,EAAE,MACvB,EACG,OAAO;AAAA,EACN,IAAI,EAAE;AAAA,EACN,QAAQ,EACL,QAAQ,gBAAgB,OACxB,GAAG,EAAE,QAAQ,gBAAgB;AAAA,GAEjC,GACC,EAAE,OAAO;AAAA,EACP,IAAI,EAAE;AAAA,EACN,QAAQ,EAAE,QAAQ,gBAAgB;AAAA,EAClC,YAAY;AAAA;uBAiBU;AAAA,EAI5B,YAAY,SAA4D;AA7E1E;AA8EI,SAAK,eAAe,QAAQ;AAC5B,SAAK,UACH,cAAQ,UAAU,mBAAmB,0BAArC,YAA8D;AAAA;AAAA,QAmB5D,UACJ,UACA,SAC8B;AAM9B,QAAI,CAAC,KAAK,SAAS;AACjB,aAAO,SAAS,IAAI,SAAQ,QAAQ,gBAAgB;AAAA;AAGtD,UAAM,qBAAqD,SAAS,IAClE;AAAY,MACV,IAAI,KAAK;AAAA,SACN;AAAA;AAIP,UAAM,gBAAgB,MAAM,KAAK,aAAa,WAAW;AACzD,UAAM,WAAW,MAAM,MAAM,GAAG,2BAA2B;AAAA,MACzD,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU;AAAA,MACrB,SAAS;AAAA,WACJ,KAAK,uBAAuB,mCAAS;AAAA,QACxC,gBAAgB;AAAA;AAAA;AAGpB,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAM,cAAc,aAAa;AAAA;AAGzC,UAAM,sBAAsB,MAAM,SAAS;AAC3C,SAAK,qBAAqB,oBAAoB;AAE9C,UAAM,gBAAgB,oBAAoB,OAAO,CAAC,KAAK,MAAM;AAC3D,UAAI,EAAE,MAAM;AACZ,aAAO;AAAA,OACN;AAEH,WAAO,mBAAmB,IAAI,aAAW,cAAc,QAAQ;AAAA;AAAA,EAGzD,uBAAuB,OAAwC;AACrE,WAAO,QAAQ,CAAE,eAAe,UAAU,WAAY;AAAA;AAAA,EAGhD,qBACN,UACA,MACiD;AACjD,UAAM,sBAAsB,eAAe,MAAM;AACjD,UAAM,cAAc,oBAAoB,IAAI,OAAK,EAAE;AACnD,UAAM,mBAAmB,SAAS,MAAM,OAAK,YAAY,SAAS,EAAE;AACpE,QAAI,CAAC,kBAAkB;AACrB,YAAM,IAAI,MACR;AAAA;AAAA;AAAA;;;;"}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@backstage/plugin-permission-common",
3
3
  "description": "Isomorphic types and client for Backstage permissions and authorization",
4
- "version": "0.1.0",
4
+ "version": "0.2.0",
5
5
  "main": "dist/index.cjs.js",
6
6
  "types": "dist/index.d.ts",
7
7
  "publishConfig": {
@@ -38,16 +38,17 @@
38
38
  "url": "https://github.com/backstage/backstage/issues"
39
39
  },
40
40
  "dependencies": {
41
- "@backstage/errors": "^0.1.2",
41
+ "@backstage/config": "^0.1.11",
42
+ "@backstage/errors": "^0.1.5",
42
43
  "cross-fetch": "^3.0.6",
43
44
  "uuid": "^8.0.0",
44
45
  "zod": "^3.11.6"
45
46
  },
46
47
  "devDependencies": {
47
- "@backstage/cli": "^0.8.0",
48
+ "@backstage/cli": "^0.9.1",
48
49
  "@types/jest": "^26.0.7",
49
50
  "msw": "^0.35.0"
50
51
  },
51
- "gitHead": "1db337ea593cfaf5659cc44859a5a994fb1f1089",
52
+ "gitHead": "85c127e436a24140bb3606f17f034f82aa9c7c0d",
52
53
  "module": "dist/index.esm.js"
53
54
  }