@backstage/plugin-permission-common 0.9.1-next.0 → 0.9.2-next.0

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @backstage/plugin-permission-common
 
+## 0.9.2-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/config@1.3.4-next.0
+
+## 0.9.1
+
+### Patch Changes
+
+- 3507fcd: Just some more circular dep cleanup
+- Updated dependencies
+  - @backstage/config@1.3.3
+
 ## 0.9.1-next.0
 
 ### Patch Changes

package/dist/PermissionClient.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"PermissionClient.cjs.js","sources":["../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionMessageBatch,\n  PermissionCriteria,\n  PermissionCondition,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  QueryPermissionResponse,\n  IdentifiedPermissionMessage,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n  AuthorizeRequestOptions,\n  BasicPermission,\n  ResourcePermission,\n} from './types/permission';\nimport { isResourcePermission } from './permissions';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z\n    .object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    })\n    .or(z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst authorizePermissionResponseSchema: z.ZodSchema<AuthorizePermissionResponse> =\n  z.object({\n    result: z\n      .literal(AuthorizeResult.ALLOW)\n      .or(z.literal(AuthorizeResult.DENY)),\n  });\n\nconst authorizePermissionResponseBatchSchema = z\n  .object({\n    result: z.array(\n      z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n      ]),\n    ),\n  })\n  .or(authorizePermissionResponseSchema);\n\nconst queryPermissionResponseSchema: z.ZodSchema<QueryPermissionResponse> =\n  z.union([\n    z.object({\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n    z.object({\n      result: z.literal(AuthorizeResult.CONDITIONAL),\n      pluginId: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ]);\n\nconst responseSchema = <T>(\n  itemSchema: z.ZodSchema<T>,\n  ids: Set<string>,\n): z.ZodSchema<PermissionMessageBatch<T>> =>\n  z.object({\n    items: z\n      .array(\n        z.intersection(\n          z.object({\n            id: z.string(),\n          }),\n          itemSchema,\n        ),\n      )\n      .refine(\n        items =>\n          items.length === ids.size && items.every(({ id }) => ids.has(id)),\n        {\n          message: 'Items in response do not match request',\n        },\n      ),\n  });\n\n/**\n * Options for {@link PermissionClient} requests.\n *\n * @public\n */\nexport type PermissionClientRequestOptions = {\n  token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionEvaluator {\n  private readonly enabled: boolean;\n  private readonly discovery: DiscoveryApi;\n  private readonly enableBatchedRequests: boolean;\n\n  constructor(options: { discovery: DiscoveryApi; config: Config }) {\n    this.discovery = options.discovery;\n    this.enabled =\n      options.config.getOptionalBoolean('permission.enabled') ?? false;\n\n    this.enableBatchedRequests =\n      options.config.getOptionalBoolean(\n        'permission.EXPERIMENTAL_enableBatchedRequests',\n      ) ?? false;\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorize}\n   */\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    if (!this.enabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    if (this.enableBatchedRequests) {\n      return this.makeBatchedRequest(requests, options);\n    }\n\n    return this.makeRequest(\n      requests,\n      authorizePermissionResponseSchema,\n      options,\n    );\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorizeConditional}\n   */\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<QueryPermissionResponse[]> {\n    if (!this.enabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    return this.makeRequest(queries, queryPermissionResponseSchema, options);\n  }\n\n  private async makeRequest<TQuery, TResult>(\n    queries: TQuery[],\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: PermissionMessageBatch<TQuery> = {\n      items: queries.map(query => ({\n        id: uuid.v4(),\n        ...query,\n      })),\n    };\n\n    const parsedResponse = await this.makeRawRequest(\n      request,\n      itemSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, z.infer<typeof itemSchema>>);\n\n    return request.items.map(query => responsesById[query.id]);\n  }\n\n  private async makeBatchedRequest(\n    queries: AuthorizePermissionRequest[],\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: Record<string, BatchedAuthorizePermissionRequest> = {};\n\n    for (const query of queries) {\n      const { permission, resourceRef } = query;\n\n      if (isResourcePermission(permission)) {\n        request[permission.name] ||= {\n          permission,\n          resourceRef: [],\n          id: uuid.v4(),\n        };\n\n        if (resourceRef) {\n          request[permission.name].resourceRef?.push(resourceRef);\n        }\n      } else {\n        request[permission.name] ||= {\n          permission,\n          id: uuid.v4(),\n        };\n      }\n    }\n\n    const parsedResponse = await this.makeRawRequest(\n      { items: Object.values(request) },\n      authorizePermissionResponseBatchSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, (typeof parsedResponse)['items'][number]>);\n\n    return queries.map(query => {\n      const { id } = request[query.permission.name];\n\n      const item = responsesById[id];\n\n      if (Array.isArray(item.result)) {\n        return {\n          result: query.resourceRef ? item.result.shift()! : item.result[0],\n        };\n      }\n      return { result: item.result };\n    });\n  }\n\n  private async makeRawRequest<TQuery, TResult>(\n    request: PermissionMessageBatch<TQuery>,\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const permissionApi = await this.discovery.getBaseUrl('permission');\n    const response = await fetch(`${permissionApi}/authorize`, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...this.getAuthorizationHeader(options?.token),\n        'content-type': 'application/json',\n      },\n    });\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const responseBody = await response.json();\n\n    return responseSchema(\n      itemSchema,\n      new Set(request.items.map(({ id }) => id)),\n    ).parse(responseBody);\n  }\n\n  private getAuthorizationHeader(token?: string): Record<string, string> {\n    return token ? { Authorization: `Bearer ${token}` } : {};\n  }\n}\n\n/**\n * @internal\n */\nexport type BatchedAuthorizePermissionRequest = IdentifiedPermissionMessage<\n  | {\n      permission: BasicPermission;\n      resourceRef?: undefined;\n    }\n  | { permission: ResourcePermission; resourceRef: string[] }\n>;\n"],"names":["z","AuthorizeResult","uuid","isResourcePermission","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyCA,MAAM,2BAEFA,KAAE,CAAA,IAAA;AAAA,EAAK,MACTA,MACG,MAAO,CAAA;AAAA,IACN,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,IACf,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,IACvB,QAAQA,KAAE,CAAA,MAAA,CAAOA,MAAE,GAAI,EAAC,EAAE,QAAS;AAAA,GACpC,CACA,CAAA,EAAA,CAAGA,KAAE,CAAA,MAAA,CAAO,EAAE,KAAO,EAAAA,KAAA,CAAE,KAAM,CAAA,wBAAwB,EAAE,QAAS,EAAA,EAAG,CAAC,EACpE,EAAG,CAAAA,KAAA,CAAE,MAAO,CAAA,EAAE,OAAOA,KAAE,CAAA,KAAA,CAAM,wBAAwB,CAAA,CAAE,UAAW,EAAC,CAAC,CAAA,CACpE,GAAGA,KAAE,CAAA,MAAA,CAAO,EAAE,GAAK,EAAA,wBAAA,EAA0B,CAAC;AACnD,CAAA;AAEA,MAAM,iCAAA,GACJA,MAAE,MAAO,CAAA;AAAA,EACP,MAAA,EAAQA,KACL,CAAA,OAAA,CAAQC,mBAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAGD,KAAE,CAAA,OAAA,CAAQC,mBAAgB,CAAA,IAAI,CAAC;AACvC,CAAC,CAAA;AAEH,MAAM,sCAAA,GAAyCD,MAC5C,MAAO,CAAA;AAAA,EACN,QAAQA,KAAE,CAAA,KAAA;AAAA,IACRA,MAAE,KAAM,CAAA;AAAA,MACNA,KAAA,CAAE,OAAQ,CAAAC,mBAAA,CAAgB,KAAK,CAAA;AAAA,MAC/BD,KAAA,CAAE,OAAQ,CAAAC,mBAAA,CAAgB,IAAI;AAAA,KAC/B;AAAA;AAEL,CAAC,CAAA,CACA,GAAG,iCAAiC,CAAA;AAEvC,MAAM,6BAAA,GACJD,MAAE,KAAM,CAAA;AAAA,EACNA,MAAE,MAAO,CAAA;AAAA,IACP,MAAA,EAAQA,KACL,CAAA,OAAA,CAAQC,mBAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAGD,KAAE,CAAA,OAAA,CAAQC,mBAAgB,CAAA,IAAI,CAAC;AAAA,GACtC,CAAA;AAAA,EACDD,MAAE,MAAO,CAAA;AAAA,IACP,MAAQ,EAAAA,KAAA,CAAE,OAAQ,CAAAC,mBAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,QAAA,EAAUD,MAAE,MAAO,EAAA;AAAA,IACnB,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,IACvB,UAAY,EAAA;AAAA,GACb;AACH,CAAC,CAAA;AAEH,MAAM,cAAiB,GAAA,CACrB,UACA,EAAA,GAAA,KAEAA,MAAE,MAAO,CAAA;AAAA,EACP,OAAOA,KACJ,CAAA,KAAA;AAAA,IACCA,KAAE,CAAA,YAAA;AAAA,MACAA,MAAE,MAAO,CAAA;AAAA,QACP,EAAA,EAAIA,MAAE,MAAO;AAAA,OACd,CAAA;AAAA,MACD;AAAA;AACF,GAED,CAAA,MAAA;AAAA,IACC,CACE,KAAA,KAAA,KAAA,CAAM,MAAW,KAAA,GAAA,CAAI,QAAQ,KAAM,CAAA,KAAA,CAAM,CAAC,EAAE,EAAG,EAAA,KAAM,GAAI,CAAA,GAAA,CAAI,EAAE,CAAC,CAAA;AAAA,IAClE;AAAA,MACE,OAAS,EAAA;AAAA;AACX;AAEN,CAAC,CAAA;AAeI,MAAM,gBAAgD,CAAA;AAAA,EAC1C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,qBAAA;AAAA,EAEjB,YAAY,OAAsD,EAAA;AAChE,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA;AACzB,IAAA,IAAA,CAAK,OACH,GAAA,OAAA,CAAQ,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAK,IAAA,KAAA;AAE7D,IAAK,IAAA,CAAA,qBAAA,GACH,QAAQ,MAAO,CAAA,kBAAA;AAAA,MACb;AAAA,KACG,IAAA,KAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAC,mBAAA,CAAgB,OAAiB,CAAA,CAAA;AAAA;AAGvE,IAAA,IAAI,KAAK,qBAAuB,EAAA;AAC9B,MAAO,OAAA,IAAA,CAAK,kBAAmB,CAAA,QAAA,EAAU,OAAO,CAAA;AAAA;AAGlD,IAAA,OAAO,IAAK,CAAA,WAAA;AAAA,MACV,QAAA;AAAA,MACA,iCAAA;AAAA,MACA;AAAA,KACF;AAAA;AACF;AAAA;AAAA;AAAA,EAKA,MAAM,oBACJ,CAAA,OAAA,EACA,OACoC,EAAA;AACpC,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAA,mBAAA,CAAgB,OAAiB,CAAA,CAAA;AAAA;AAGtE,IAAA,OAAO,IAAK,CAAA,WAAA,CAAY,OAAS,EAAA,6BAAA,EAA+B,OAAO,CAAA;AAAA;AACzE,EAEA,MAAc,WAAA,CACZ,OACA,EAAA,UAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,OAA0C,GAAA;AAAA,MAC9C,KAAA,EAAO,OAAQ,CAAA,GAAA,CAAI,CAAU,KAAA,MAAA;AAAA,QAC3B,EAAA,EAAIC,gBAAK,EAAG,EAAA;AAAA,QACZ,GAAG;AAAA,OACH,CAAA;AAAA,KACJ;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,IAAK,CAAA,cAAA;AAAA,MAChC,OAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAe,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KAAK,CAAM,KAAA;AAC5D,MAAI,GAAA,CAAA,CAAA,CAAE,EAAE,CAAI,GAAA,CAAA;AACZ,MAAO,OAAA,GAAA;AAAA,KACT,EAAG,EAAgD,CAAA;AAEnD,IAAA,OAAO,QAAQ,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,CAAM,EAAE,CAAC,CAAA;AAAA;AAC3D,EAEA,MAAc,kBACZ,CAAA,OAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,UAA6D,EAAC;AAEpE,IAAA,KAAA,MAAW,SAAS,OAAS,EAAA;AAC3B,MAAM,MAAA,EAAE,UAAY,EAAA,WAAA,EAAgB,GAAA,KAAA;AAEpC,MAAI,IAAAC,yBAAA,CAAqB,UAAU,CAAG,EAAA;AACpC,QAAQ,OAAA,CAAA,UAAA,CAAW,IAAI,CAAM,KAAA;AAAA,UAC3B,UAAA;AAAA,UACA,aAAa,EAAC;AAAA,UACd,EAAA,EAAID,gBAAK,EAAG;AAAA,SACd;AAEA,QAAA,IAAI,WAAa,EAAA;AACf,UAAA,OAAA,CAAQ,UAAW,CAAA,IAAI,CAAE,CAAA,WAAA,EAAa,KAAK,WAAW,CAAA;AAAA;AACxD,OACK,MAAA;AACL,QAAQ,OAAA,CAAA,UAAA,CAAW,IAAI,CAAM,KAAA;AAAA,UAC3B,UAAA;AAAA,UACA,EAAA,EAAIA,gBAAK,EAAG;AAAA,SACd;AAAA;AACF;AAGF,IAAM,MAAA,cAAA,GAAiB,MAAM,IAAK,CAAA,cAAA;AAAA,MAChC,EAAE,KAAA,EAAO,MAAO,CAAA,MAAA,CAAO,OAAO,CAAE,EAAA;AAAA,MAChC,sCAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAe,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KAAK,CAAM,KAAA;AAC5D,MAAI,GAAA,CAAA,CAAA,CAAE,EAAE,CAAI,GAAA,CAAA;AACZ,MAAO,OAAA,GAAA;AAAA,KACT,EAAG,EAA8D,CAAA;AAEjE,IAAO,OAAA,OAAA,CAAQ,IAAI,CAAS,KAAA,KAAA;AAC1B,MAAA,MAAM,EAAE,EAAG,EAAA,GAAI,OAAQ,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AAE5C,MAAM,MAAA,IAAA,GAAO,cAAc,EAAE,CAAA;AAE7B,MAAA,IAAI,KAAM,CAAA,OAAA,CAAQ,IAAK,CAAA,MAAM,CAAG,EAAA;AAC9B,QAAO,OAAA;AAAA,UACL,MAAA,EAAQ,MAAM,WAAc,GAAA,IAAA,CAAK,OAAO,KAAM,EAAA,GAAK,IAAK,CAAA,MAAA,CAAO,CAAC;AAAA,SAClE;AAAA;AAEF,MAAO,OAAA,EAAE,MAAQ,EAAA,IAAA,CAAK,MAAO,EAAA;AAAA,KAC9B,CAAA;AAAA;AACH,EAEA,MAAc,cAAA,CACZ,OACA,EAAA,UAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,aAAgB,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,YAAY,CAAA;AAClE,IAAA,MAAM,QAAW,GAAA,MAAME,sBAAM,CAAA,CAAA,EAAG,aAAa,CAAc,UAAA,CAAA,EAAA;AAAA,MACzD,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,IAAK,CAAA,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAS,EAAA;AAAA,QACP,GAAG,IAAA,CAAK,sBAAuB,CAAA,OAAA,EAAS,KAAK,CAAA;AAAA,QAC7C,cAAgB,EAAA;AAAA;AAClB,KACD,CAAA;AACD,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,MAAMC,oBAAc,CAAA,YAAA,CAAa,QAAQ,CAAA;AAAA;AAGjD,IAAM,MAAA,YAAA,GAAe,MAAM,QAAA,CAAS,IAAK,EAAA;AAEzC,IAAO,OAAA,cAAA;AAAA,MACL,UAAA;AAAA,MACA,IAAI,GAAI,CAAA,OAAA,CAAQ,KAAM,CAAA,GAAA,CAAI,CAAC,EAAE,EAAA,EAAS,KAAA,EAAE,CAAC;AAAA,KAC3C,CAAE,MAAM,YAAY,CAAA;AAAA;AACtB,EAEQ,uBAAuB,KAAwC,EAAA;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA;AAE3D;;;;"}
+{"version":3,"file":"PermissionClient.cjs.js","sources":["../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionMessageBatch,\n  PermissionCriteria,\n  PermissionCondition,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  QueryPermissionResponse,\n  IdentifiedPermissionMessage,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n  AuthorizeRequestOptions,\n  BasicPermission,\n  ResourcePermission,\n} from './types/permission';\nimport { isResourcePermission } from './permissions';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z\n    .object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    })\n    .or(z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst authorizePermissionResponseSchema: z.ZodSchema<AuthorizePermissionResponse> =\n  z.object({\n    result: z\n      .literal(AuthorizeResult.ALLOW)\n      .or(z.literal(AuthorizeResult.DENY)),\n  });\n\nconst authorizePermissionResponseBatchSchema = z\n  .object({\n    result: z.array(\n      z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n      ]),\n    ),\n  })\n  .or(authorizePermissionResponseSchema);\n\nconst queryPermissionResponseSchema: z.ZodSchema<QueryPermissionResponse> =\n  z.union([\n    z.object({\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n    z.object({\n      result: z.literal(AuthorizeResult.CONDITIONAL),\n      pluginId: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ]);\n\nconst responseSchema = <T>(\n  itemSchema: z.ZodSchema<T>,\n  ids: Set<string>,\n): z.ZodSchema<PermissionMessageBatch<T>> =>\n  z.object({\n    items: z\n      .array(\n        z.intersection(\n          z.object({\n            id: z.string(),\n          }),\n          itemSchema,\n        ),\n      )\n      .refine(\n        items =>\n          items.length === ids.size && items.every(({ id }) => ids.has(id)),\n        {\n          message: 'Items in response do not match request',\n        },\n      ),\n  });\n\n/**\n * Options for {@link PermissionClient} requests.\n *\n * @public\n */\nexport type PermissionClientRequestOptions = {\n  token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionEvaluator {\n  private readonly enabled: boolean;\n  private readonly discovery: DiscoveryApi;\n  private readonly enableBatchedRequests: boolean;\n\n  constructor(options: { discovery: DiscoveryApi; config: Config }) {\n    this.discovery = options.discovery;\n    this.enabled =\n      options.config.getOptionalBoolean('permission.enabled') ?? false;\n\n    this.enableBatchedRequests =\n      options.config.getOptionalBoolean(\n        'permission.EXPERIMENTAL_enableBatchedRequests',\n      ) ?? false;\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorize}\n   */\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    if (!this.enabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    if (this.enableBatchedRequests) {\n      return this.makeBatchedRequest(requests, options);\n    }\n\n    return this.makeRequest(\n      requests,\n      authorizePermissionResponseSchema,\n      options,\n    );\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorizeConditional}\n   */\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<QueryPermissionResponse[]> {\n    if (!this.enabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    return this.makeRequest(queries, queryPermissionResponseSchema, options);\n  }\n\n  private async makeRequest<TQuery, TResult>(\n    queries: TQuery[],\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: PermissionMessageBatch<TQuery> = {\n      items: queries.map(query => ({\n        id: uuid.v4(),\n        ...query,\n      })),\n    };\n\n    const parsedResponse = await this.makeRawRequest(\n      request,\n      itemSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, z.infer<typeof itemSchema>>);\n\n    return request.items.map(query => responsesById[query.id]);\n  }\n\n  private async makeBatchedRequest(\n    queries: AuthorizePermissionRequest[],\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: Record<string, BatchedAuthorizePermissionRequest> = {};\n\n    for (const query of queries) {\n      const { permission, resourceRef } = query;\n\n      if (isResourcePermission(permission)) {\n        request[permission.name] ||= {\n          permission,\n          resourceRef: [],\n          id: uuid.v4(),\n        };\n\n        if (resourceRef) {\n          request[permission.name].resourceRef?.push(resourceRef);\n        }\n      } else {\n        request[permission.name] ||= {\n          permission,\n          id: uuid.v4(),\n        };\n      }\n    }\n\n    const parsedResponse = await this.makeRawRequest(\n      { items: Object.values(request) },\n      authorizePermissionResponseBatchSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, (typeof parsedResponse)['items'][number]>);\n\n    return queries.map(query => {\n      const { id } = request[query.permission.name];\n\n      const item = responsesById[id];\n\n      if (Array.isArray(item.result)) {\n        return {\n          result: query.resourceRef ? item.result.shift()! : item.result[0],\n        };\n      }\n      return { result: item.result };\n    });\n  }\n\n  private async makeRawRequest<TQuery, TResult>(\n    request: PermissionMessageBatch<TQuery>,\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const permissionApi = await this.discovery.getBaseUrl('permission');\n    const response = await fetch(`${permissionApi}/authorize`, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...this.getAuthorizationHeader(options?.token),\n        'content-type': 'application/json',\n      },\n    });\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const responseBody = await response.json();\n\n    return responseSchema(\n      itemSchema,\n      new Set(request.items.map(({ id }) => id)),\n    ).parse(responseBody);\n  }\n\n  private getAuthorizationHeader(token?: string): Record<string, string> {\n    return token ? { Authorization: `Bearer ${token}` } : {};\n  }\n}\n\n/**\n * @internal\n */\nexport type BatchedAuthorizePermissionRequest = IdentifiedPermissionMessage<\n  | {\n      permission: BasicPermission;\n      resourceRef?: undefined;\n    }\n  | { permission: ResourcePermission; resourceRef: string[] }\n>;\n"],"names":["z","AuthorizeResult","uuid","isResourcePermission","fetch","ResponseError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyCA,MAAM,2BAEFA,KAAA,CAAE,IAAA;AAAA,EAAK,MACTA,MACG,MAAA,CAAO;AAAA,IACN,IAAA,EAAMA,MAAE,MAAA,EAAO;AAAA,IACf,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,IACvB,QAAQA,KAAA,CAAE,MAAA,CAAOA,MAAE,GAAA,EAAK,EAAE,QAAA;AAAS,GACpC,CAAA,CACA,EAAA,CAAGA,KAAA,CAAE,MAAA,CAAO,EAAE,KAAA,EAAOA,KAAA,CAAE,KAAA,CAAM,wBAAwB,EAAE,QAAA,EAAS,EAAG,CAAC,EACpE,EAAA,CAAGA,KAAA,CAAE,MAAA,CAAO,EAAE,OAAOA,KAAA,CAAE,KAAA,CAAM,wBAAwB,CAAA,CAAE,UAAS,EAAG,CAAC,CAAA,CACpE,GAAGA,KAAA,CAAE,MAAA,CAAO,EAAE,GAAA,EAAK,wBAAA,EAA0B,CAAC;AACnD,CAAA;AAEA,MAAM,iCAAA,GACJA,MAAE,MAAA,CAAO;AAAA,EACP,MAAA,EAAQA,KAAA,CACL,OAAA,CAAQC,mBAAA,CAAgB,KAAK,CAAA,CAC7B,EAAA,CAAGD,KAAA,CAAE,OAAA,CAAQC,mBAAA,CAAgB,IAAI,CAAC;AACvC,CAAC,CAAA;AAEH,MAAM,sCAAA,GAAyCD,MAC5C,MAAA,CAAO;AAAA,EACN,QAAQA,KAAA,CAAE,KAAA;AAAA,IACRA,MAAE,KAAA,CAAM;AAAA,MACNA,KAAA,CAAE,OAAA,CAAQC,mBAAA,CAAgB,KAAK,CAAA;AAAA,MAC/BD,KAAA,CAAE,OAAA,CAAQC,mBAAA,CAAgB,IAAI;AAAA,KAC/B;AAAA;AAEL,CAAC,CAAA,CACA,GAAG,iCAAiC,CAAA;AAEvC,MAAM,6BAAA,GACJD,MAAE,KAAA,CAAM;AAAA,EACNA,MAAE,MAAA,CAAO;AAAA,IACP,MAAA,EAAQA,KAAA,CACL,OAAA,CAAQC,mBAAA,CAAgB,KAAK,CAAA,CAC7B,EAAA,CAAGD,KAAA,CAAE,OAAA,CAAQC,mBAAA,CAAgB,IAAI,CAAC;AAAA,GACtC,CAAA;AAAA,EACDD,MAAE,MAAA,CAAO;AAAA,IACP,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQC,mBAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,QAAA,EAAUD,MAAE,MAAA,EAAO;AAAA,IACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,IACvB,UAAA,EAAY;AAAA,GACb;AACH,CAAC,CAAA;AAEH,MAAM,cAAA,GAAiB,CACrB,UAAA,EACA,GAAA,KAEAA,MAAE,MAAA,CAAO;AAAA,EACP,OAAOA,KAAA,CACJ,KAAA;AAAA,IACCA,KAAA,CAAE,YAAA;AAAA,MACAA,MAAE,MAAA,CAAO;AAAA,QACP,EAAA,EAAIA,MAAE,MAAA;AAAO,OACd,CAAA;AAAA,MACD;AAAA;AACF,GACF,CACC,MAAA;AAAA,IACC,CAAA,KAAA,KACE,KAAA,CAAM,MAAA,KAAW,GAAA,CAAI,QAAQ,KAAA,CAAM,KAAA,CAAM,CAAC,EAAE,EAAA,EAAG,KAAM,GAAA,CAAI,GAAA,CAAI,EAAE,CAAC,CAAA;AAAA,IAClE;AAAA,MACE,OAAA,EAAS;AAAA;AACX;AAEN,CAAC,CAAA;AAeI,MAAM,gBAAA,CAAgD;AAAA,EAC1C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,qBAAA;AAAA,EAEjB,YAAY,OAAA,EAAsD;AAChE,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,OAAA,GACH,OAAA,CAAQ,MAAA,CAAO,kBAAA,CAAmB,oBAAoB,CAAA,IAAK,KAAA;AAE7D,IAAA,IAAA,CAAK,qBAAA,GACH,QAAQ,MAAA,CAAO,kBAAA;AAAA,MACb;AAAA,KACF,IAAK,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,SAAA,CACJ,QAAA,EACA,OAAA,EACwC;AACxC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,OAAO,SAAS,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,MAAA,EAAQC,mBAAA,CAAgB,OAAe,CAAE,CAAA;AAAA,IACvE;AAEA,IAAA,IAAI,KAAK,qBAAA,EAAuB;AAC9B,MAAA,OAAO,IAAA,CAAK,kBAAA,CAAmB,QAAA,EAAU,OAAO,CAAA;AAAA,IAClD;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,MACV,QAAA;AAAA,MACA,iCAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAA,CACJ,OAAA,EACA,OAAA,EACoC;AACpC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,OAAO,QAAQ,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,MAAA,EAAQA,mBAAA,CAAgB,OAAe,CAAE,CAAA;AAAA,IACtE;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,EAAS,6BAAA,EAA+B,OAAO,CAAA;AAAA,EACzE;AAAA,EAEA,MAAc,WAAA,CACZ,OAAA,EACA,UAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,OAAA,GAA0C;AAAA,MAC9C,KAAA,EAAO,OAAA,CAAQ,GAAA,CAAI,CAAA,KAAA,MAAU;AAAA,QAC3B,EAAA,EAAIC,gBAAK,EAAA,EAAG;AAAA,QACZ,GAAG;AAAA,OACL,CAAE;AAAA,KACJ;AAEA,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,cAAA;AAAA,MAChC,OAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAA,CAAe,KAAA,CAAM,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM;AAC5D,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA;AACZ,MAAA,OAAO,GAAA;AAAA,IACT,CAAA,EAAG,EAAgD,CAAA;AAEnD,IAAA,OAAO,QAAQ,KAAA,CAAM,GAAA,CAAI,WAAS,aAAA,CAAc,KAAA,CAAM,EAAE,CAAC,CAAA;AAAA,EAC3D;AAAA,EAEA,MAAc,kBAAA,CACZ,OAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,UAA6D,EAAC;AAEpE,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,EAAE,UAAA,EAAY,WAAA,EAAY,GAAI,KAAA;AAEpC,MAAA,IAAIC,yBAAA,CAAqB,UAAU,CAAA,EAAG;AACpC,QAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,KAAM;AAAA,UAC3B,UAAA;AAAA,UACA,aAAa,EAAC;AAAA,UACd,EAAA,EAAID,gBAAK,EAAA;AAAG,SACd;AAEA,QAAA,IAAI,WAAA,EAAa;AACf,UAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,CAAE,WAAA,EAAa,KAAK,WAAW,CAAA;AAAA,QACxD;AAAA,MACF,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,KAAM;AAAA,UAC3B,UAAA;AAAA,UACA,EAAA,EAAIA,gBAAK,EAAA;AAAG,SACd;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,cAAA;AAAA,MAChC,EAAE,KAAA,EAAO,MAAA,CAAO,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,MAChC,sCAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAA,CAAe,KAAA,CAAM,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM;AAC5D,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA;AACZ,MAAA,OAAO,GAAA;AAAA,IACT,CAAA,EAAG,EAA8D,CAAA;AAEjE,IAAA,OAAO,OAAA,CAAQ,IAAI,CAAA,KAAA,KAAS;AAC1B,MAAA,MAAM,EAAE,EAAA,EAAG,GAAI,OAAA,CAAQ,KAAA,CAAM,WAAW,IAAI,CAAA;AAE5C,MAAA,MAAM,IAAA,GAAO,cAAc,EAAE,CAAA;AAE7B,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAA,EAAG;AAC9B,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,MAAM,WAAA,GAAc,IAAA,CAAK,OAAO,KAAA,EAAM,GAAK,IAAA,CAAK,MAAA,CAAO,CAAC;AAAA,SAClE;AAAA,MACF;AACA,MAAA,OAAO,EAAE,MAAA,EAAQ,IAAA,CAAK,MAAA,EAAO;AAAA,IAC/B,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,cAAA,CACZ,OAAA,EACA,UAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,SAAA,CAAU,WAAW,YAAY,CAAA;AAClE,IAAA,MAAM,QAAA,GAAW,MAAME,sBAAA,CAAM,CAAA,EAAG,aAAa,CAAA,UAAA,CAAA,EAAc;AAAA,MACzD,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAA,EAAS;AAAA,QACP,GAAG,IAAA,CAAK,sBAAA,CAAuB,OAAA,EAAS,KAAK,CAAA;AAAA,QAC7C,cAAA,EAAgB;AAAA;AAClB,KACD,CAAA;AACD,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,MAAMC,oBAAA,CAAc,YAAA,CAAa,QAAQ,CAAA;AAAA,IACjD;AAEA,IAAA,MAAM,YAAA,GAAe,MAAM,QAAA,CAAS,IAAA,EAAK;AAEzC,IAAA,OAAO,cAAA;AAAA,MACL,UAAA;AAAA,MACA,IAAI,GAAA,CAAI,OAAA,CAAQ,KAAA,CAAM,GAAA,CAAI,CAAC,EAAE,EAAA,EAAG,KAAM,EAAE,CAAC;AAAA,KAC3C,CAAE,MAAM,YAAY,CAAA;AAAA,EACtB;AAAA,EAEQ,uBAAuB,KAAA,EAAwC;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA,EACzD;AACF;;;;"}

package/dist/PermissionClient.esm.js.map

@@ -1 +1 @@
-{"version":3,"file":"PermissionClient.esm.js","sources":["../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionMessageBatch,\n  PermissionCriteria,\n  PermissionCondition,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  QueryPermissionResponse,\n  IdentifiedPermissionMessage,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n  AuthorizeRequestOptions,\n  BasicPermission,\n  ResourcePermission,\n} from './types/permission';\nimport { isResourcePermission } from './permissions';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z\n    .object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    })\n    .or(z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst authorizePermissionResponseSchema: z.ZodSchema<AuthorizePermissionResponse> =\n  z.object({\n    result: z\n      .literal(AuthorizeResult.ALLOW)\n      .or(z.literal(AuthorizeResult.DENY)),\n  });\n\nconst authorizePermissionResponseBatchSchema = z\n  .object({\n    result: z.array(\n      z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n      ]),\n    ),\n  })\n  .or(authorizePermissionResponseSchema);\n\nconst queryPermissionResponseSchema: z.ZodSchema<QueryPermissionResponse> =\n  z.union([\n    z.object({\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n    z.object({\n      result: z.literal(AuthorizeResult.CONDITIONAL),\n      pluginId: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ]);\n\nconst responseSchema = <T>(\n  itemSchema: z.ZodSchema<T>,\n  ids: Set<string>,\n): z.ZodSchema<PermissionMessageBatch<T>> =>\n  z.object({\n    items: z\n      .array(\n        z.intersection(\n          z.object({\n            id: z.string(),\n          }),\n          itemSchema,\n        ),\n      )\n      .refine(\n        items =>\n          items.length === ids.size && items.every(({ id }) => ids.has(id)),\n        {\n          message: 'Items in response do not match request',\n        },\n      ),\n  });\n\n/**\n * Options for {@link PermissionClient} requests.\n *\n * @public\n */\nexport type PermissionClientRequestOptions = {\n  token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionEvaluator {\n  private readonly enabled: boolean;\n  private readonly discovery: DiscoveryApi;\n  private readonly enableBatchedRequests: boolean;\n\n  constructor(options: { discovery: DiscoveryApi; config: Config }) {\n    this.discovery = options.discovery;\n    this.enabled =\n      options.config.getOptionalBoolean('permission.enabled') ?? false;\n\n    this.enableBatchedRequests =\n      options.config.getOptionalBoolean(\n        'permission.EXPERIMENTAL_enableBatchedRequests',\n      ) ?? false;\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorize}\n   */\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    if (!this.enabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    if (this.enableBatchedRequests) {\n      return this.makeBatchedRequest(requests, options);\n    }\n\n    return this.makeRequest(\n      requests,\n      authorizePermissionResponseSchema,\n      options,\n    );\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorizeConditional}\n   */\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<QueryPermissionResponse[]> {\n    if (!this.enabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    return this.makeRequest(queries, queryPermissionResponseSchema, options);\n  }\n\n  private async makeRequest<TQuery, TResult>(\n    queries: TQuery[],\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: PermissionMessageBatch<TQuery> = {\n      items: queries.map(query => ({\n        id: uuid.v4(),\n        ...query,\n      })),\n    };\n\n    const parsedResponse = await this.makeRawRequest(\n      request,\n      itemSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, z.infer<typeof itemSchema>>);\n\n    return request.items.map(query => responsesById[query.id]);\n  }\n\n  private async makeBatchedRequest(\n    queries: AuthorizePermissionRequest[],\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: Record<string, BatchedAuthorizePermissionRequest> = {};\n\n    for (const query of queries) {\n      const { permission, resourceRef } = query;\n\n      if (isResourcePermission(permission)) {\n        request[permission.name] ||= {\n          permission,\n          resourceRef: [],\n          id: uuid.v4(),\n        };\n\n        if (resourceRef) {\n          request[permission.name].resourceRef?.push(resourceRef);\n        }\n      } else {\n        request[permission.name] ||= {\n          permission,\n          id: uuid.v4(),\n        };\n      }\n    }\n\n    const parsedResponse = await this.makeRawRequest(\n      { items: Object.values(request) },\n      authorizePermissionResponseBatchSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, (typeof parsedResponse)['items'][number]>);\n\n    return queries.map(query => {\n      const { id } = request[query.permission.name];\n\n      const item = responsesById[id];\n\n      if (Array.isArray(item.result)) {\n        return {\n          result: query.resourceRef ? item.result.shift()! : item.result[0],\n        };\n      }\n      return { result: item.result };\n    });\n  }\n\n  private async makeRawRequest<TQuery, TResult>(\n    request: PermissionMessageBatch<TQuery>,\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const permissionApi = await this.discovery.getBaseUrl('permission');\n    const response = await fetch(`${permissionApi}/authorize`, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...this.getAuthorizationHeader(options?.token),\n        'content-type': 'application/json',\n      },\n    });\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const responseBody = await response.json();\n\n    return responseSchema(\n      itemSchema,\n      new Set(request.items.map(({ id }) => id)),\n    ).parse(responseBody);\n  }\n\n  private getAuthorizationHeader(token?: string): Record<string, string> {\n    return token ? { Authorization: `Bearer ${token}` } : {};\n  }\n}\n\n/**\n * @internal\n */\nexport type BatchedAuthorizePermissionRequest = IdentifiedPermissionMessage<\n  | {\n      permission: BasicPermission;\n      resourceRef?: undefined;\n    }\n  | { permission: ResourcePermission; resourceRef: string[] }\n>;\n"],"names":[],"mappings":";;;;;;;AAyCA,MAAM,2BAEF,CAAE,CAAA,IAAA;AAAA,EAAK,MACT,EACG,MAAO,CAAA;AAAA,IACN,IAAA,EAAM,EAAE,MAAO,EAAA;AAAA,IACf,YAAA,EAAc,EAAE,MAAO,EAAA;AAAA,IACvB,QAAQ,CAAE,CAAA,MAAA,CAAO,EAAE,GAAI,EAAC,EAAE,QAAS;AAAA,GACpC,CACA,CAAA,EAAA,CAAG,CAAE,CAAA,MAAA,CAAO,EAAE,KAAO,EAAA,CAAA,CAAE,KAAM,CAAA,wBAAwB,EAAE,QAAS,EAAA,EAAG,CAAC,EACpE,EAAG,CAAA,CAAA,CAAE,MAAO,CAAA,EAAE,OAAO,CAAE,CAAA,KAAA,CAAM,wBAAwB,CAAA,CAAE,UAAW,EAAC,CAAC,CAAA,CACpE,GAAG,CAAE,CAAA,MAAA,CAAO,EAAE,GAAK,EAAA,wBAAA,EAA0B,CAAC;AACnD,CAAA;AAEA,MAAM,iCAAA,GACJ,EAAE,MAAO,CAAA;AAAA,EACP,MAAA,EAAQ,CACL,CAAA,OAAA,CAAQ,eAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAG,CAAE,CAAA,OAAA,CAAQ,eAAgB,CAAA,IAAI,CAAC;AACvC,CAAC,CAAA;AAEH,MAAM,sCAAA,GAAyC,EAC5C,MAAO,CAAA;AAAA,EACN,QAAQ,CAAE,CAAA,KAAA;AAAA,IACR,EAAE,KAAM,CAAA;AAAA,MACN,CAAA,CAAE,OAAQ,CAAA,eAAA,CAAgB,KAAK,CAAA;AAAA,MAC/B,CAAA,CAAE,OAAQ,CAAA,eAAA,CAAgB,IAAI;AAAA,KAC/B;AAAA;AAEL,CAAC,CAAA,CACA,GAAG,iCAAiC,CAAA;AAEvC,MAAM,6BAAA,GACJ,EAAE,KAAM,CAAA;AAAA,EACN,EAAE,MAAO,CAAA;AAAA,IACP,MAAA,EAAQ,CACL,CAAA,OAAA,CAAQ,eAAgB,CAAA,KAAK,CAC7B,CAAA,EAAA,CAAG,CAAE,CAAA,OAAA,CAAQ,eAAgB,CAAA,IAAI,CAAC;AAAA,GACtC,CAAA;AAAA,EACD,EAAE,MAAO,CAAA;AAAA,IACP,MAAQ,EAAA,CAAA,CAAE,OAAQ,CAAA,eAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,QAAA,EAAU,EAAE,MAAO,EAAA;AAAA,IACnB,YAAA,EAAc,EAAE,MAAO,EAAA;AAAA,IACvB,UAAY,EAAA;AAAA,GACb;AACH,CAAC,CAAA;AAEH,MAAM,cAAiB,GAAA,CACrB,UACA,EAAA,GAAA,KAEA,EAAE,MAAO,CAAA;AAAA,EACP,OAAO,CACJ,CAAA,KAAA;AAAA,IACC,CAAE,CAAA,YAAA;AAAA,MACA,EAAE,MAAO,CAAA;AAAA,QACP,EAAA,EAAI,EAAE,MAAO;AAAA,OACd,CAAA;AAAA,MACD;AAAA;AACF,GAED,CAAA,MAAA;AAAA,IACC,CACE,KAAA,KAAA,KAAA,CAAM,MAAW,KAAA,GAAA,CAAI,QAAQ,KAAM,CAAA,KAAA,CAAM,CAAC,EAAE,EAAG,EAAA,KAAM,GAAI,CAAA,GAAA,CAAI,EAAE,CAAC,CAAA;AAAA,IAClE;AAAA,MACE,OAAS,EAAA;AAAA;AACX;AAEN,CAAC,CAAA;AAeI,MAAM,gBAAgD,CAAA;AAAA,EAC1C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,qBAAA;AAAA,EAEjB,YAAY,OAAsD,EAAA;AAChE,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA;AACzB,IAAA,IAAA,CAAK,OACH,GAAA,OAAA,CAAQ,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAK,IAAA,KAAA;AAE7D,IAAK,IAAA,CAAA,qBAAA,GACH,QAAQ,MAAO,CAAA,kBAAA;AAAA,MACb;AAAA,KACG,IAAA,KAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAA,eAAA,CAAgB,OAAiB,CAAA,CAAA;AAAA;AAGvE,IAAA,IAAI,KAAK,qBAAuB,EAAA;AAC9B,MAAO,OAAA,IAAA,CAAK,kBAAmB,CAAA,QAAA,EAAU,OAAO,CAAA;AAAA;AAGlD,IAAA,OAAO,IAAK,CAAA,WAAA;AAAA,MACV,QAAA;AAAA,MACA,iCAAA;AAAA,MACA;AAAA,KACF;AAAA;AACF;AAAA;AAAA;AAAA,EAKA,MAAM,oBACJ,CAAA,OAAA,EACA,OACoC,EAAA;AACpC,IAAI,IAAA,CAAC,KAAK,OAAS,EAAA;AACjB,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAA,eAAA,CAAgB,OAAiB,CAAA,CAAA;AAAA;AAGtE,IAAA,OAAO,IAAK,CAAA,WAAA,CAAY,OAAS,EAAA,6BAAA,EAA+B,OAAO,CAAA;AAAA;AACzE,EAEA,MAAc,WAAA,CACZ,OACA,EAAA,UAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,OAA0C,GAAA;AAAA,MAC9C,KAAA,EAAO,OAAQ,CAAA,GAAA,CAAI,CAAU,KAAA,MAAA;AAAA,QAC3B,EAAA,EAAI,KAAK,EAAG,EAAA;AAAA,QACZ,GAAG;AAAA,OACH,CAAA;AAAA,KACJ;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,IAAK,CAAA,cAAA;AAAA,MAChC,OAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAe,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KAAK,CAAM,KAAA;AAC5D,MAAI,GAAA,CAAA,CAAA,CAAE,EAAE,CAAI,GAAA,CAAA;AACZ,MAAO,OAAA,GAAA;AAAA,KACT,EAAG,EAAgD,CAAA;AAEnD,IAAA,OAAO,QAAQ,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,CAAM,EAAE,CAAC,CAAA;AAAA;AAC3D,EAEA,MAAc,kBACZ,CAAA,OAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,UAA6D,EAAC;AAEpE,IAAA,KAAA,MAAW,SAAS,OAAS,EAAA;AAC3B,MAAM,MAAA,EAAE,UAAY,EAAA,WAAA,EAAgB,GAAA,KAAA;AAEpC,MAAI,IAAA,oBAAA,CAAqB,UAAU,CAAG,EAAA;AACpC,QAAQ,OAAA,CAAA,UAAA,CAAW,IAAI,CAAM,KAAA;AAAA,UAC3B,UAAA;AAAA,UACA,aAAa,EAAC;AAAA,UACd,EAAA,EAAI,KAAK,EAAG;AAAA,SACd;AAEA,QAAA,IAAI,WAAa,EAAA;AACf,UAAA,OAAA,CAAQ,UAAW,CAAA,IAAI,CAAE,CAAA,WAAA,EAAa,KAAK,WAAW,CAAA;AAAA;AACxD,OACK,MAAA;AACL,QAAQ,OAAA,CAAA,UAAA,CAAW,IAAI,CAAM,KAAA;AAAA,UAC3B,UAAA;AAAA,UACA,EAAA,EAAI,KAAK,EAAG;AAAA,SACd;AAAA;AACF;AAGF,IAAM,MAAA,cAAA,GAAiB,MAAM,IAAK,CAAA,cAAA;AAAA,MAChC,EAAE,KAAA,EAAO,MAAO,CAAA,MAAA,CAAO,OAAO,CAAE,EAAA;AAAA,MAChC,sCAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAe,CAAA,KAAA,CAAM,MAAO,CAAA,CAAC,KAAK,CAAM,KAAA;AAC5D,MAAI,GAAA,CAAA,CAAA,CAAE,EAAE,CAAI,GAAA,CAAA;AACZ,MAAO,OAAA,GAAA;AAAA,KACT,EAAG,EAA8D,CAAA;AAEjE,IAAO,OAAA,OAAA,CAAQ,IAAI,CAAS,KAAA,KAAA;AAC1B,MAAA,MAAM,EAAE,EAAG,EAAA,GAAI,OAAQ,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AAE5C,MAAM,MAAA,IAAA,GAAO,cAAc,EAAE,CAAA;AAE7B,MAAA,IAAI,KAAM,CAAA,OAAA,CAAQ,IAAK,CAAA,MAAM,CAAG,EAAA;AAC9B,QAAO,OAAA;AAAA,UACL,MAAA,EAAQ,MAAM,WAAc,GAAA,IAAA,CAAK,OAAO,KAAM,EAAA,GAAK,IAAK,CAAA,MAAA,CAAO,CAAC;AAAA,SAClE;AAAA;AAEF,MAAO,OAAA,EAAE,MAAQ,EAAA,IAAA,CAAK,MAAO,EAAA;AAAA,KAC9B,CAAA;AAAA;AACH,EAEA,MAAc,cAAA,CACZ,OACA,EAAA,UAAA,EACA,OACA,EAAA;AACA,IAAA,MAAM,aAAgB,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,YAAY,CAAA;AAClE,IAAA,MAAM,QAAW,GAAA,MAAM,KAAM,CAAA,CAAA,EAAG,aAAa,CAAc,UAAA,CAAA,EAAA;AAAA,MACzD,MAAQ,EAAA,MAAA;AAAA,MACR,IAAA,EAAM,IAAK,CAAA,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAS,EAAA;AAAA,QACP,GAAG,IAAA,CAAK,sBAAuB,CAAA,OAAA,EAAS,KAAK,CAAA;AAAA,QAC7C,cAAgB,EAAA;AAAA;AAClB,KACD,CAAA;AACD,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,MAAM,aAAc,CAAA,YAAA,CAAa,QAAQ,CAAA;AAAA;AAGjD,IAAM,MAAA,YAAA,GAAe,MAAM,QAAA,CAAS,IAAK,EAAA;AAEzC,IAAO,OAAA,cAAA;AAAA,MACL,UAAA;AAAA,MACA,IAAI,GAAI,CAAA,OAAA,CAAQ,KAAM,CAAA,GAAA,CAAI,CAAC,EAAE,EAAA,EAAS,KAAA,EAAE,CAAC;AAAA,KAC3C,CAAE,MAAM,YAAY,CAAA;AAAA;AACtB,EAEQ,uBAAuB,KAAwC,EAAA;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA;AAE3D;;;;"}
+{"version":3,"file":"PermissionClient.esm.js","sources":["../src/PermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ResponseError } from '@backstage/errors';\nimport fetch from 'cross-fetch';\nimport * as uuid from 'uuid';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionMessageBatch,\n  PermissionCriteria,\n  PermissionCondition,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  QueryPermissionResponse,\n  IdentifiedPermissionMessage,\n} from './types/api';\nimport { DiscoveryApi } from './types/discovery';\nimport {\n  AuthorizeRequestOptions,\n  BasicPermission,\n  ResourcePermission,\n} from './types/permission';\nimport { isResourcePermission } from './permissions';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z\n    .object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    })\n    .or(z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }))\n    .or(z.object({ not: permissionCriteriaSchema })),\n);\n\nconst authorizePermissionResponseSchema: z.ZodSchema<AuthorizePermissionResponse> =\n  z.object({\n    result: z\n      .literal(AuthorizeResult.ALLOW)\n      .or(z.literal(AuthorizeResult.DENY)),\n  });\n\nconst authorizePermissionResponseBatchSchema = z\n  .object({\n    result: z.array(\n      z.union([\n        z.literal(AuthorizeResult.ALLOW),\n        z.literal(AuthorizeResult.DENY),\n      ]),\n    ),\n  })\n  .or(authorizePermissionResponseSchema);\n\nconst queryPermissionResponseSchema: z.ZodSchema<QueryPermissionResponse> =\n  z.union([\n    z.object({\n      result: z\n        .literal(AuthorizeResult.ALLOW)\n        .or(z.literal(AuthorizeResult.DENY)),\n    }),\n    z.object({\n      result: z.literal(AuthorizeResult.CONDITIONAL),\n      pluginId: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ]);\n\nconst responseSchema = <T>(\n  itemSchema: z.ZodSchema<T>,\n  ids: Set<string>,\n): z.ZodSchema<PermissionMessageBatch<T>> =>\n  z.object({\n    items: z\n      .array(\n        z.intersection(\n          z.object({\n            id: z.string(),\n          }),\n          itemSchema,\n        ),\n      )\n      .refine(\n        items =>\n          items.length === ids.size && items.every(({ id }) => ids.has(id)),\n        {\n          message: 'Items in response do not match request',\n        },\n      ),\n  });\n\n/**\n * Options for {@link PermissionClient} requests.\n *\n * @public\n */\nexport type PermissionClientRequestOptions = {\n  token?: string;\n};\n\n/**\n * An isomorphic client for requesting authorization for Backstage permissions.\n * @public\n */\nexport class PermissionClient implements PermissionEvaluator {\n  private readonly enabled: boolean;\n  private readonly discovery: DiscoveryApi;\n  private readonly enableBatchedRequests: boolean;\n\n  constructor(options: { discovery: DiscoveryApi; config: Config }) {\n    this.discovery = options.discovery;\n    this.enabled =\n      options.config.getOptionalBoolean('permission.enabled') ?? false;\n\n    this.enableBatchedRequests =\n      options.config.getOptionalBoolean(\n        'permission.EXPERIMENTAL_enableBatchedRequests',\n      ) ?? false;\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorize}\n   */\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    if (!this.enabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    if (this.enableBatchedRequests) {\n      return this.makeBatchedRequest(requests, options);\n    }\n\n    return this.makeRequest(\n      requests,\n      authorizePermissionResponseSchema,\n      options,\n    );\n  }\n\n  /**\n   * {@inheritdoc PermissionEvaluator.authorizeConditional}\n   */\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionClientRequestOptions,\n  ): Promise<QueryPermissionResponse[]> {\n    if (!this.enabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW as const }));\n    }\n\n    return this.makeRequest(queries, queryPermissionResponseSchema, options);\n  }\n\n  private async makeRequest<TQuery, TResult>(\n    queries: TQuery[],\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: PermissionMessageBatch<TQuery> = {\n      items: queries.map(query => ({\n        id: uuid.v4(),\n        ...query,\n      })),\n    };\n\n    const parsedResponse = await this.makeRawRequest(\n      request,\n      itemSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, z.infer<typeof itemSchema>>);\n\n    return request.items.map(query => responsesById[query.id]);\n  }\n\n  private async makeBatchedRequest(\n    queries: AuthorizePermissionRequest[],\n    options?: AuthorizeRequestOptions,\n  ) {\n    const request: Record<string, BatchedAuthorizePermissionRequest> = {};\n\n    for (const query of queries) {\n      const { permission, resourceRef } = query;\n\n      if (isResourcePermission(permission)) {\n        request[permission.name] ||= {\n          permission,\n          resourceRef: [],\n          id: uuid.v4(),\n        };\n\n        if (resourceRef) {\n          request[permission.name].resourceRef?.push(resourceRef);\n        }\n      } else {\n        request[permission.name] ||= {\n          permission,\n          id: uuid.v4(),\n        };\n      }\n    }\n\n    const parsedResponse = await this.makeRawRequest(\n      { items: Object.values(request) },\n      authorizePermissionResponseBatchSchema,\n      options,\n    );\n\n    const responsesById = parsedResponse.items.reduce((acc, r) => {\n      acc[r.id] = r;\n      return acc;\n    }, {} as Record<string, (typeof parsedResponse)['items'][number]>);\n\n    return queries.map(query => {\n      const { id } = request[query.permission.name];\n\n      const item = responsesById[id];\n\n      if (Array.isArray(item.result)) {\n        return {\n          result: query.resourceRef ? item.result.shift()! : item.result[0],\n        };\n      }\n      return { result: item.result };\n    });\n  }\n\n  private async makeRawRequest<TQuery, TResult>(\n    request: PermissionMessageBatch<TQuery>,\n    itemSchema: z.ZodSchema<TResult>,\n    options?: AuthorizeRequestOptions,\n  ) {\n    const permissionApi = await this.discovery.getBaseUrl('permission');\n    const response = await fetch(`${permissionApi}/authorize`, {\n      method: 'POST',\n      body: JSON.stringify(request),\n      headers: {\n        ...this.getAuthorizationHeader(options?.token),\n        'content-type': 'application/json',\n      },\n    });\n    if (!response.ok) {\n      throw await ResponseError.fromResponse(response);\n    }\n\n    const responseBody = await response.json();\n\n    return responseSchema(\n      itemSchema,\n      new Set(request.items.map(({ id }) => id)),\n    ).parse(responseBody);\n  }\n\n  private getAuthorizationHeader(token?: string): Record<string, string> {\n    return token ? { Authorization: `Bearer ${token}` } : {};\n  }\n}\n\n/**\n * @internal\n */\nexport type BatchedAuthorizePermissionRequest = IdentifiedPermissionMessage<\n  | {\n      permission: BasicPermission;\n      resourceRef?: undefined;\n    }\n  | { permission: ResourcePermission; resourceRef: string[] }\n>;\n"],"names":[],"mappings":";;;;;;;AAyCA,MAAM,2BAEF,CAAA,CAAE,IAAA;AAAA,EAAK,MACT,EACG,MAAA,CAAO;AAAA,IACN,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,IACf,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,IACvB,QAAQ,CAAA,CAAE,MAAA,CAAO,EAAE,GAAA,EAAK,EAAE,QAAA;AAAS,GACpC,CAAA,CACA,EAAA,CAAG,CAAA,CAAE,MAAA,CAAO,EAAE,KAAA,EAAO,CAAA,CAAE,KAAA,CAAM,wBAAwB,EAAE,QAAA,EAAS,EAAG,CAAC,EACpE,EAAA,CAAG,CAAA,CAAE,MAAA,CAAO,EAAE,OAAO,CAAA,CAAE,KAAA,CAAM,wBAAwB,CAAA,CAAE,UAAS,EAAG,CAAC,CAAA,CACpE,GAAG,CAAA,CAAE,MAAA,CAAO,EAAE,GAAA,EAAK,wBAAA,EAA0B,CAAC;AACnD,CAAA;AAEA,MAAM,iCAAA,GACJ,EAAE,MAAA,CAAO;AAAA,EACP,MAAA,EAAQ,CAAA,CACL,OAAA,CAAQ,eAAA,CAAgB,KAAK,CAAA,CAC7B,EAAA,CAAG,CAAA,CAAE,OAAA,CAAQ,eAAA,CAAgB,IAAI,CAAC;AACvC,CAAC,CAAA;AAEH,MAAM,sCAAA,GAAyC,EAC5C,MAAA,CAAO;AAAA,EACN,QAAQ,CAAA,CAAE,KAAA;AAAA,IACR,EAAE,KAAA,CAAM;AAAA,MACN,CAAA,CAAE,OAAA,CAAQ,eAAA,CAAgB,KAAK,CAAA;AAAA,MAC/B,CAAA,CAAE,OAAA,CAAQ,eAAA,CAAgB,IAAI;AAAA,KAC/B;AAAA;AAEL,CAAC,CAAA,CACA,GAAG,iCAAiC,CAAA;AAEvC,MAAM,6BAAA,GACJ,EAAE,KAAA,CAAM;AAAA,EACN,EAAE,MAAA,CAAO;AAAA,IACP,MAAA,EAAQ,CAAA,CACL,OAAA,CAAQ,eAAA,CAAgB,KAAK,CAAA,CAC7B,EAAA,CAAG,CAAA,CAAE,OAAA,CAAQ,eAAA,CAAgB,IAAI,CAAC;AAAA,GACtC,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACP,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,eAAA,CAAgB,WAAW,CAAA;AAAA,IAC7C,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,IACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,IACvB,UAAA,EAAY;AAAA,GACb;AACH,CAAC,CAAA;AAEH,MAAM,cAAA,GAAiB,CACrB,UAAA,EACA,GAAA,KAEA,EAAE,MAAA,CAAO;AAAA,EACP,OAAO,CAAA,CACJ,KAAA;AAAA,IACC,CAAA,CAAE,YAAA;AAAA,MACA,EAAE,MAAA,CAAO;AAAA,QACP,EAAA,EAAI,EAAE,MAAA;AAAO,OACd,CAAA;AAAA,MACD;AAAA;AACF,GACF,CACC,MAAA;AAAA,IACC,CAAA,KAAA,KACE,KAAA,CAAM,MAAA,KAAW,GAAA,CAAI,QAAQ,KAAA,CAAM,KAAA,CAAM,CAAC,EAAE,EAAA,EAAG,KAAM,GAAA,CAAI,GAAA,CAAI,EAAE,CAAC,CAAA;AAAA,IAClE;AAAA,MACE,OAAA,EAAS;AAAA;AACX;AAEN,CAAC,CAAA;AAeI,MAAM,gBAAA,CAAgD;AAAA,EAC1C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,qBAAA;AAAA,EAEjB,YAAY,OAAA,EAAsD;AAChE,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,OAAA,GACH,OAAA,CAAQ,MAAA,CAAO,kBAAA,CAAmB,oBAAoB,CAAA,IAAK,KAAA;AAE7D,IAAA,IAAA,CAAK,qBAAA,GACH,QAAQ,MAAA,CAAO,kBAAA;AAAA,MACb;AAAA,KACF,IAAK,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,SAAA,CACJ,QAAA,EACA,OAAA,EACwC;AACxC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,OAAO,SAAS,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,MAAA,EAAQ,eAAA,CAAgB,OAAe,CAAE,CAAA;AAAA,IACvE;AAEA,IAAA,IAAI,KAAK,qBAAA,EAAuB;AAC9B,MAAA,OAAO,IAAA,CAAK,kBAAA,CAAmB,QAAA,EAAU,OAAO,CAAA;AAAA,IAClD;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,MACV,QAAA;AAAA,MACA,iCAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAA,CACJ,OAAA,EACA,OAAA,EACoC;AACpC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,OAAO,QAAQ,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,MAAA,EAAQ,eAAA,CAAgB,OAAe,CAAE,CAAA;AAAA,IACtE;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,EAAS,6BAAA,EAA+B,OAAO,CAAA;AAAA,EACzE;AAAA,EAEA,MAAc,WAAA,CACZ,OAAA,EACA,UAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,OAAA,GAA0C;AAAA,MAC9C,KAAA,EAAO,OAAA,CAAQ,GAAA,CAAI,CAAA,KAAA,MAAU;AAAA,QAC3B,EAAA,EAAI,KAAK,EAAA,EAAG;AAAA,QACZ,GAAG;AAAA,OACL,CAAE;AAAA,KACJ;AAEA,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,cAAA;AAAA,MAChC,OAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAA,CAAe,KAAA,CAAM,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM;AAC5D,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA;AACZ,MAAA,OAAO,GAAA;AAAA,IACT,CAAA,EAAG,EAAgD,CAAA;AAEnD,IAAA,OAAO,QAAQ,KAAA,CAAM,GAAA,CAAI,WAAS,aAAA,CAAc,KAAA,CAAM,EAAE,CAAC,CAAA;AAAA,EAC3D;AAAA,EAEA,MAAc,kBAAA,CACZ,OAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,UAA6D,EAAC;AAEpE,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,EAAE,UAAA,EAAY,WAAA,EAAY,GAAI,KAAA;AAEpC,MAAA,IAAI,oBAAA,CAAqB,UAAU,CAAA,EAAG;AACpC,QAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,KAAM;AAAA,UAC3B,UAAA;AAAA,UACA,aAAa,EAAC;AAAA,UACd,EAAA,EAAI,KAAK,EAAA;AAAG,SACd;AAEA,QAAA,IAAI,WAAA,EAAa;AACf,UAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,CAAE,WAAA,EAAa,KAAK,WAAW,CAAA;AAAA,QACxD;AAAA,MACF,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,KAAM;AAAA,UAC3B,UAAA;AAAA,UACA,EAAA,EAAI,KAAK,EAAA;AAAG,SACd;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,cAAA;AAAA,MAChC,EAAE,KAAA,EAAO,MAAA,CAAO,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,MAChC,sCAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,gBAAgB,cAAA,CAAe,KAAA,CAAM,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM;AAC5D,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA;AACZ,MAAA,OAAO,GAAA;AAAA,IACT,CAAA,EAAG,EAA8D,CAAA;AAEjE,IAAA,OAAO,OAAA,CAAQ,IAAI,CAAA,KAAA,KAAS;AAC1B,MAAA,MAAM,EAAE,EAAA,EAAG,GAAI,OAAA,CAAQ,KAAA,CAAM,WAAW,IAAI,CAAA;AAE5C,MAAA,MAAM,IAAA,GAAO,cAAc,EAAE,CAAA;AAE7B,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAA,EAAG;AAC9B,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,MAAM,WAAA,GAAc,IAAA,CAAK,OAAO,KAAA,EAAM,GAAK,IAAA,CAAK,MAAA,CAAO,CAAC;AAAA,SAClE;AAAA,MACF;AACA,MAAA,OAAO,EAAE,MAAA,EAAQ,IAAA,CAAK,MAAA,EAAO;AAAA,IAC/B,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,cAAA,CACZ,OAAA,EACA,UAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,SAAA,CAAU,WAAW,YAAY,CAAA;AAClE,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,aAAa,CAAA,UAAA,CAAA,EAAc;AAAA,MACzD,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,OAAA,EAAS;AAAA,QACP,GAAG,IAAA,CAAK,sBAAA,CAAuB,OAAA,EAAS,KAAK,CAAA;AAAA,QAC7C,cAAA,EAAgB;AAAA;AAClB,KACD,CAAA;AACD,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,MAAM,aAAA,CAAc,YAAA,CAAa,QAAQ,CAAA;AAAA,IACjD;AAEA,IAAA,MAAM,YAAA,GAAe,MAAM,QAAA,CAAS,IAAA,EAAK;AAEzC,IAAA,OAAO,cAAA;AAAA,MACL,UAAA;AAAA,MACA,IAAI,GAAA,CAAI,OAAA,CAAQ,KAAA,CAAM,GAAA,CAAI,CAAC,EAAE,EAAA,EAAG,KAAM,EAAE,CAAC;AAAA,KAC3C,CAAE,MAAM,YAAY,CAAA;AAAA,EACtB;AAAA,EAEQ,uBAAuB,KAAA,EAAwC;AACrE,IAAA,OAAO,QAAQ,EAAE,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA,KAAO,EAAC;AAAA,EACzD;AACF;;;;"}

package/dist/permissions/createPermission.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"createPermission.cjs.js","sources":["../../src/permissions/createPermission.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BasicPermission,\n  Permission,\n  PermissionAttributes,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n  name: string;\n  attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n  name,\n  attributes,\n  resourceType,\n}: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType?: string;\n}): Permission {\n  if (resourceType) {\n    return {\n      type: 'resource',\n      name,\n      attributes,\n      resourceType,\n    };\n  }\n\n  return {\n    type: 'basic',\n    name,\n    attributes,\n  };\n}\n"],"names":[],"mappings":";;AA2CO,SAAS,gBAAiB,CAAA;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAIe,EAAA;AACb,EAAA,IAAI,YAAc,EAAA;AAChB,IAAO,OAAA;AAAA,MACL,IAAM,EAAA,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAO,OAAA;AAAA,IACL,IAAM,EAAA,OAAA;AAAA,IACN,IAAA;AAAA,IACA;AAAA,GACF;AACF;;;;"}
+{"version":3,"file":"createPermission.cjs.js","sources":["../../src/permissions/createPermission.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BasicPermission,\n  Permission,\n  PermissionAttributes,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n  name: string;\n  attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n  name,\n  attributes,\n  resourceType,\n}: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType?: string;\n}): Permission {\n  if (resourceType) {\n    return {\n      type: 'resource',\n      name,\n      attributes,\n      resourceType,\n    };\n  }\n\n  return {\n    type: 'basic',\n    name,\n    attributes,\n  };\n}\n"],"names":[],"mappings":";;AA2CO,SAAS,gBAAA,CAAiB;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA,EAIe;AACb,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,OAAA;AAAA,IACN,IAAA;AAAA,IACA;AAAA,GACF;AACF;;;;"}

package/dist/permissions/createPermission.esm.js.map

@@ -1 +1 @@
-{"version":3,"file":"createPermission.esm.js","sources":["../../src/permissions/createPermission.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BasicPermission,\n  Permission,\n  PermissionAttributes,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n  name: string;\n  attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n  name,\n  attributes,\n  resourceType,\n}: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType?: string;\n}): Permission {\n  if (resourceType) {\n    return {\n      type: 'resource',\n      name,\n      attributes,\n      resourceType,\n    };\n  }\n\n  return {\n    type: 'basic',\n    name,\n    attributes,\n  };\n}\n"],"names":[],"mappings":"AA2CO,SAAS,gBAAiB,CAAA;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAIe,EAAA;AACb,EAAA,IAAI,YAAc,EAAA;AAChB,IAAO,OAAA;AAAA,MACL,IAAM,EAAA,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAAA;AAGF,EAAO,OAAA;AAAA,IACL,IAAM,EAAA,OAAA;AAAA,IACN,IAAA;AAAA,IACA;AAAA,GACF;AACF;;;;"}
+{"version":3,"file":"createPermission.esm.js","sources":["../../src/permissions/createPermission.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  BasicPermission,\n  Permission,\n  PermissionAttributes,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Utility function for creating a valid {@link ResourcePermission}, inferring\n * the appropriate type and resource type parameter.\n *\n * @public\n */\nexport function createPermission<TResourceType extends string>(input: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType: TResourceType;\n}): ResourcePermission<TResourceType>;\n/**\n * Utility function for creating a valid {@link BasicPermission}.\n *\n * @public\n */\nexport function createPermission(input: {\n  name: string;\n  attributes: PermissionAttributes;\n}): BasicPermission;\nexport function createPermission({\n  name,\n  attributes,\n  resourceType,\n}: {\n  name: string;\n  attributes: PermissionAttributes;\n  resourceType?: string;\n}): Permission {\n  if (resourceType) {\n    return {\n      type: 'resource',\n      name,\n      attributes,\n      resourceType,\n    };\n  }\n\n  return {\n    type: 'basic',\n    name,\n    attributes,\n  };\n}\n"],"names":[],"mappings":"AA2CO,SAAS,gBAAA,CAAiB;AAAA,EAC/B,IAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA,EAIe;AACb,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,UAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,OAAA;AAAA,IACN,IAAA;AAAA,IACA;AAAA,GACF;AACF;;;;"}

package/dist/permissions/util.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.cjs.js","sources":["../../src/permissions/util.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  DefinitivePolicyDecision,\n  EvaluatorRequestOptions,\n  Permission,\n  PermissionAuthorizer,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  QueryPermissionResponse,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Check if the two parameters are equivalent permissions.\n * @public\n */\nexport function isPermission<T extends Permission>(\n  permission: Permission,\n  comparedPermission: T,\n): permission is T {\n  return permission.name === comparedPermission.name;\n}\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n  permission: Permission,\n  resourceType?: T,\n): permission is ResourcePermission<T> {\n  if (!('resourceType' in permission)) {\n    return false;\n  }\n\n  return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n  return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n  return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n  return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n  return permission.attributes.action === 'delete';\n}\n\n/**\n * Convert {@link PermissionAuthorizer} to {@link PermissionEvaluator}.\n *\n * @public\n */\nexport function toPermissionEvaluator(\n  permissionAuthorizer: PermissionAuthorizer,\n): PermissionEvaluator {\n  return {\n    authorize: async (\n      requests: AuthorizePermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<AuthorizePermissionResponse[]> => {\n      const response = await permissionAuthorizer.authorize(requests, options);\n\n      return response as DefinitivePolicyDecision[];\n    },\n    authorizeConditional(\n      requests: QueryPermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<QueryPermissionResponse[]> {\n      const parsedRequests =\n        requests as unknown as AuthorizePermissionRequest[];\n      return permissionAuthorizer.authorize(parsedRequests, options);\n    },\n  };\n}\n"],"names":[],"mappings":";;AAiCgB,SAAA,YAAA,CACd,YACA,kBACiB,EAAA;AACjB,EAAO,OAAA,UAAA,CAAW,SAAS,kBAAmB,CAAA,IAAA;AAChD;AAQgB,SAAA,oBAAA,CACd,YACA,YACqC,EAAA;AACrC,EAAI,IAAA,EAAE,kBAAkB,UAAa,CAAA,EAAA;AACnC,IAAO,OAAA,KAAA;AAAA;AAGT,EAAO,OAAA,CAAC,YAAgB,IAAA,UAAA,CAAW,YAAiB,KAAA,YAAA;AACtD;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAMO,SAAS,iBAAiB,UAAwB,EAAA;AACvD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,MAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAOO,SAAS,sBACd,oBACqB,EAAA;AACrB,EAAO,OAAA;AAAA,IACL,SAAA,EAAW,OACT,QAAA,EACA,OAC2C,KAAA;AAC3C,MAAA,MAAM,QAAW,GAAA,MAAM,oBAAqB,CAAA,SAAA,CAAU,UAAU,OAAO,CAAA;AAEvE,MAAO,OAAA,QAAA;AAAA,KACT;AAAA,IACA,oBAAA,CACE,UACA,OACoC,EAAA;AACpC,MAAA,MAAM,cACJ,GAAA,QAAA;AACF,MAAO,OAAA,oBAAA,CAAqB,SAAU,CAAA,cAAA,EAAgB,OAAO,CAAA;AAAA;AAC/D,GACF;AACF;;;;;;;;;;"}
+{"version":3,"file":"util.cjs.js","sources":["../../src/permissions/util.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  DefinitivePolicyDecision,\n  EvaluatorRequestOptions,\n  Permission,\n  PermissionAuthorizer,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  QueryPermissionResponse,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Check if the two parameters are equivalent permissions.\n * @public\n */\nexport function isPermission<T extends Permission>(\n  permission: Permission,\n  comparedPermission: T,\n): permission is T {\n  return permission.name === comparedPermission.name;\n}\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n  permission: Permission,\n  resourceType?: T,\n): permission is ResourcePermission<T> {\n  if (!('resourceType' in permission)) {\n    return false;\n  }\n\n  return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n  return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n  return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n  return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n  return permission.attributes.action === 'delete';\n}\n\n/**\n * Convert {@link PermissionAuthorizer} to {@link PermissionEvaluator}.\n *\n * @public\n */\nexport function toPermissionEvaluator(\n  permissionAuthorizer: PermissionAuthorizer,\n): PermissionEvaluator {\n  return {\n    authorize: async (\n      requests: AuthorizePermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<AuthorizePermissionResponse[]> => {\n      const response = await permissionAuthorizer.authorize(requests, options);\n\n      return response as DefinitivePolicyDecision[];\n    },\n    authorizeConditional(\n      requests: QueryPermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<QueryPermissionResponse[]> {\n      const parsedRequests =\n        requests as unknown as AuthorizePermissionRequest[];\n      return permissionAuthorizer.authorize(parsedRequests, options);\n    },\n  };\n}\n"],"names":[],"mappings":";;AAiCO,SAAS,YAAA,CACd,YACA,kBAAA,EACiB;AACjB,EAAA,OAAO,UAAA,CAAW,SAAS,kBAAA,CAAmB,IAAA;AAChD;AAQO,SAAS,oBAAA,CACd,YACA,YAAA,EACqC;AACrC,EAAA,IAAI,EAAE,kBAAkB,UAAA,CAAA,EAAa;AACnC,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,CAAC,YAAA,IAAgB,UAAA,CAAW,YAAA,KAAiB,YAAA;AACtD;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAMO,SAAS,iBAAiB,UAAA,EAAwB;AACvD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,MAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAOO,SAAS,sBACd,oBAAA,EACqB;AACrB,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,OACT,QAAA,EACA,OAAA,KAC2C;AAC3C,MAAA,MAAM,QAAA,GAAW,MAAM,oBAAA,CAAqB,SAAA,CAAU,UAAU,OAAO,CAAA;AAEvE,MAAA,OAAO,QAAA;AAAA,IACT,CAAA;AAAA,IACA,oBAAA,CACE,UACA,OAAA,EACoC;AACpC,MAAA,MAAM,cAAA,GACJ,QAAA;AACF,MAAA,OAAO,oBAAA,CAAqB,SAAA,CAAU,cAAA,EAAgB,OAAO,CAAA;AAAA,IAC/D;AAAA,GACF;AACF;;;;;;;;;;"}

package/dist/permissions/util.esm.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.esm.js","sources":["../../src/permissions/util.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  DefinitivePolicyDecision,\n  EvaluatorRequestOptions,\n  Permission,\n  PermissionAuthorizer,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  QueryPermissionResponse,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Check if the two parameters are equivalent permissions.\n * @public\n */\nexport function isPermission<T extends Permission>(\n  permission: Permission,\n  comparedPermission: T,\n): permission is T {\n  return permission.name === comparedPermission.name;\n}\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n  permission: Permission,\n  resourceType?: T,\n): permission is ResourcePermission<T> {\n  if (!('resourceType' in permission)) {\n    return false;\n  }\n\n  return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n  return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n  return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n  return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n  return permission.attributes.action === 'delete';\n}\n\n/**\n * Convert {@link PermissionAuthorizer} to {@link PermissionEvaluator}.\n *\n * @public\n */\nexport function toPermissionEvaluator(\n  permissionAuthorizer: PermissionAuthorizer,\n): PermissionEvaluator {\n  return {\n    authorize: async (\n      requests: AuthorizePermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<AuthorizePermissionResponse[]> => {\n      const response = await permissionAuthorizer.authorize(requests, options);\n\n      return response as DefinitivePolicyDecision[];\n    },\n    authorizeConditional(\n      requests: QueryPermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<QueryPermissionResponse[]> {\n      const parsedRequests =\n        requests as unknown as AuthorizePermissionRequest[];\n      return permissionAuthorizer.authorize(parsedRequests, options);\n    },\n  };\n}\n"],"names":[],"mappings":"AAiCgB,SAAA,YAAA,CACd,YACA,kBACiB,EAAA;AACjB,EAAO,OAAA,UAAA,CAAW,SAAS,kBAAmB,CAAA,IAAA;AAChD;AAQgB,SAAA,oBAAA,CACd,YACA,YACqC,EAAA;AACrC,EAAI,IAAA,EAAE,kBAAkB,UAAa,CAAA,EAAA;AACnC,IAAO,OAAA,KAAA;AAAA;AAGT,EAAO,OAAA,CAAC,YAAgB,IAAA,UAAA,CAAW,YAAiB,KAAA,YAAA;AACtD;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAMO,SAAS,iBAAiB,UAAwB,EAAA;AACvD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,MAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAwB,EAAA;AACzD,EAAO,OAAA,UAAA,CAAW,WAAW,MAAW,KAAA,QAAA;AAC1C;AAOO,SAAS,sBACd,oBACqB,EAAA;AACrB,EAAO,OAAA;AAAA,IACL,SAAA,EAAW,OACT,QAAA,EACA,OAC2C,KAAA;AAC3C,MAAA,MAAM,QAAW,GAAA,MAAM,oBAAqB,CAAA,SAAA,CAAU,UAAU,OAAO,CAAA;AAEvE,MAAO,OAAA,QAAA;AAAA,KACT;AAAA,IACA,oBAAA,CACE,UACA,OACoC,EAAA;AACpC,MAAA,MAAM,cACJ,GAAA,QAAA;AACF,MAAO,OAAA,oBAAA,CAAqB,SAAU,CAAA,cAAA,EAAgB,OAAO,CAAA;AAAA;AAC/D,GACF;AACF;;;;"}
+{"version":3,"file":"util.esm.js","sources":["../../src/permissions/util.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  DefinitivePolicyDecision,\n  EvaluatorRequestOptions,\n  Permission,\n  PermissionAuthorizer,\n  PermissionEvaluator,\n  QueryPermissionRequest,\n  QueryPermissionResponse,\n  ResourcePermission,\n} from '../types';\n\n/**\n * Check if the two parameters are equivalent permissions.\n * @public\n */\nexport function isPermission<T extends Permission>(\n  permission: Permission,\n  comparedPermission: T,\n): permission is T {\n  return permission.name === comparedPermission.name;\n}\n\n/**\n * Check if a given permission is a {@link ResourcePermission}. When\n * `resourceType` is supplied as the second parameter, also checks if\n * the permission has the specified resource type.\n * @public\n */\nexport function isResourcePermission<T extends string = string>(\n  permission: Permission,\n  resourceType?: T,\n): permission is ResourcePermission<T> {\n  if (!('resourceType' in permission)) {\n    return false;\n  }\n\n  return !resourceType || permission.resourceType === resourceType;\n}\n\n/**\n * Check if a given permission is related to a create action.\n * @public\n */\nexport function isCreatePermission(permission: Permission) {\n  return permission.attributes.action === 'create';\n}\n\n/**\n * Check if a given permission is related to a read action.\n * @public\n */\nexport function isReadPermission(permission: Permission) {\n  return permission.attributes.action === 'read';\n}\n\n/**\n * Check if a given permission is related to an update action.\n * @public\n */\nexport function isUpdatePermission(permission: Permission) {\n  return permission.attributes.action === 'update';\n}\n\n/**\n * Check if a given permission is related to a delete action.\n * @public\n */\nexport function isDeletePermission(permission: Permission) {\n  return permission.attributes.action === 'delete';\n}\n\n/**\n * Convert {@link PermissionAuthorizer} to {@link PermissionEvaluator}.\n *\n * @public\n */\nexport function toPermissionEvaluator(\n  permissionAuthorizer: PermissionAuthorizer,\n): PermissionEvaluator {\n  return {\n    authorize: async (\n      requests: AuthorizePermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<AuthorizePermissionResponse[]> => {\n      const response = await permissionAuthorizer.authorize(requests, options);\n\n      return response as DefinitivePolicyDecision[];\n    },\n    authorizeConditional(\n      requests: QueryPermissionRequest[],\n      options?: EvaluatorRequestOptions,\n    ): Promise<QueryPermissionResponse[]> {\n      const parsedRequests =\n        requests as unknown as AuthorizePermissionRequest[];\n      return permissionAuthorizer.authorize(parsedRequests, options);\n    },\n  };\n}\n"],"names":[],"mappings":"AAiCO,SAAS,YAAA,CACd,YACA,kBAAA,EACiB;AACjB,EAAA,OAAO,UAAA,CAAW,SAAS,kBAAA,CAAmB,IAAA;AAChD;AAQO,SAAS,oBAAA,CACd,YACA,YAAA,EACqC;AACrC,EAAA,IAAI,EAAE,kBAAkB,UAAA,CAAA,EAAa;AACnC,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,CAAC,YAAA,IAAgB,UAAA,CAAW,YAAA,KAAiB,YAAA;AACtD;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAMO,SAAS,iBAAiB,UAAA,EAAwB;AACvD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,MAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAMO,SAAS,mBAAmB,UAAA,EAAwB;AACzD,EAAA,OAAO,UAAA,CAAW,WAAW,MAAA,KAAW,QAAA;AAC1C;AAOO,SAAS,sBACd,oBAAA,EACqB;AACrB,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,OACT,QAAA,EACA,OAAA,KAC2C;AAC3C,MAAA,MAAM,QAAA,GAAW,MAAM,oBAAA,CAAqB,SAAA,CAAU,UAAU,OAAO,CAAA;AAEvE,MAAA,OAAO,QAAA;AAAA,IACT,CAAA;AAAA,IACA,oBAAA,CACE,UACA,OAAA,EACoC;AACpC,MAAA,MAAM,cAAA,GACJ,QAAA;AACF,MAAA,OAAO,oBAAA,CAAqB,SAAA,CAAU,cAAA,EAAgB,OAAO,CAAA;AAAA,IAC/D;AAAA,GACF;AACF;;;;"}

package/dist/types/api.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.cjs.js","sources":["../../src/types/api.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JsonPrimitive } from '@backstage/types';\nimport { Permission, ResourcePermission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type IdentifiedPermissionMessage<T> = T & { id: string };\n\n/**\n * A batch of request or response items.\n * @public\n */\nexport type PermissionMessageBatch<T> = {\n  items: IdentifiedPermissionMessage<T>[];\n};\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n  /**\n   * The authorization request is denied.\n   */\n  DENY = 'DENY',\n  /**\n   * The authorization request is allowed.\n   */\n  ALLOW = 'ALLOW',\n  /**\n   * The authorization request is allowed if the provided conditions are met.\n   */\n  CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy unconditionally allows (or denies) the request.\n *\n * @public\n */\nexport type DefinitivePolicyDecision = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\n/**\n * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy allows authorization for the request, given that the returned\n * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin\n * which knows about the referenced permission rules.\n *\n * @public\n */\nexport type ConditionalPolicyDecision = {\n  result: AuthorizeResult.CONDITIONAL;\n  pluginId: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @public\n */\nexport type PolicyDecision =\n  | DefinitivePolicyDecision\n  | ConditionalPolicyDecision;\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<\n  TResourceType extends string = string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n> = {\n  resourceType: TResourceType;\n  rule: string;\n  params?: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n  allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n  anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n  not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n  | AllOfCriteria<TQuery>\n  | AnyOfCriteria<TQuery>\n  | NotCriteria<TQuery>\n  | TQuery;\n\n/**\n * A parameter to a permission rule.\n *\n * @public\n */\nexport type PermissionRuleParam = undefined | JsonPrimitive | JsonPrimitive[];\n\n/**\n * Types that can be used as parameters to permission rules.\n *\n * @public\n */\nexport type PermissionRuleParams =\n  | undefined\n  | Record<string, PermissionRuleParam>;\n\n/**\n * An individual request sent to the permission backend.\n * @public\n */\nexport type EvaluatePermissionRequest = {\n  permission: Permission;\n  resourceRef?: string;\n};\n\n/**\n * A batch of requests sent to the permission backend.\n * @public\n * @deprecated This type is not used and it will be removed in the future\n */\nexport type EvaluatePermissionRequestBatch =\n  PermissionMessageBatch<EvaluatePermissionRequest>;\n\n/**\n * An individual response from the permission backend.\n *\n * @remarks\n *\n * This response type is an alias of {@link PolicyDecision} to maintain separation between the\n * {@link @backstage/plugin-permission-node#PermissionPolicy} interface and the permission backend\n * api. They may diverge at some point in the future. The response\n *\n * @public\n */\nexport type EvaluatePermissionResponse = PolicyDecision;\n\n/**\n * A batch of responses from the permission backend.\n * @public\n */\nexport type EvaluatePermissionResponseBatch =\n  PermissionMessageBatch<EvaluatePermissionResponse>;\n\n/**\n * Request object for {@link PermissionEvaluator.authorize}. If a {@link ResourcePermission}\n * is provided, it must include a corresponding `resourceRef`.\n * @public\n */\nexport type AuthorizePermissionRequest =\n  | {\n      permission: Exclude<Permission, ResourcePermission>;\n      resourceRef?: never;\n    }\n  | { permission: ResourcePermission; resourceRef: string };\n\n/**\n * Response object for {@link PermissionEvaluator.authorize}.\n * @public\n */\nexport type AuthorizePermissionResponse = DefinitivePolicyDecision;\n\n/**\n * Request object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionRequest = {\n  permission: ResourcePermission;\n  resourceRef?: never;\n};\n\n/**\n * Response object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionResponse = PolicyDecision;\n\n/**\n * A client interacting with the permission backend can implement this evaluator interface.\n *\n * @public\n */\nexport interface PermissionEvaluator {\n  /**\n   * Evaluates {@link Permission | Permissions} and returns a definitive decision.\n   */\n  authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<AuthorizePermissionResponse[]>;\n\n  /**\n   * Evaluates {@link ResourcePermission | ResourcePermissions} and returns both definitive and\n   * conditional decisions, depending on the configured\n   * {@link @backstage/plugin-permission-node#PermissionPolicy}. This method is useful when the\n   * caller needs more control over the processing of conditional decisions. For example, a plugin\n   * backend may want to use {@link PermissionCriteria | conditions} in a database query instead of\n   * evaluating each resource in memory.\n   */\n  authorizeConditional(\n    requests: QueryPermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<QueryPermissionResponse[]>;\n}\n\n// Note(Rugvip): I kept the below type around in case we want to add new options\n// in the future, for example a signal. It also helps out enabling API\n// constraints, as without this we can't have the permissions service implement\n// the evaluator interface due to the mismatch in parameter count.\n\n/**\n * Options for {@link PermissionEvaluator} requests.\n *\n * This is currently empty, as there are no longer any common options for the permission evaluator.\n *\n * @public\n */\nexport interface EvaluatorRequestOptions {}\n"],"names":["AuthorizeResult"],"mappings":";;AAsCY,IAAA,eAAA,qBAAAA,gBAAL,KAAA;AAIL,EAAAA,iBAAA,MAAO,CAAA,GAAA,MAAA;AAIP,EAAAA,iBAAA,OAAQ,CAAA,GAAA,OAAA;AAIR,EAAAA,iBAAA,aAAc,CAAA,GAAA,aAAA;AAZJ,EAAAA,OAAAA,gBAAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;;;"}
+{"version":3,"file":"api.cjs.js","sources":["../../src/types/api.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JsonPrimitive } from '@backstage/types';\nimport { Permission, ResourcePermission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type IdentifiedPermissionMessage<T> = T & { id: string };\n\n/**\n * A batch of request or response items.\n * @public\n */\nexport type PermissionMessageBatch<T> = {\n  items: IdentifiedPermissionMessage<T>[];\n};\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n  /**\n   * The authorization request is denied.\n   */\n  DENY = 'DENY',\n  /**\n   * The authorization request is allowed.\n   */\n  ALLOW = 'ALLOW',\n  /**\n   * The authorization request is allowed if the provided conditions are met.\n   */\n  CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy unconditionally allows (or denies) the request.\n *\n * @public\n */\nexport type DefinitivePolicyDecision = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\n/**\n * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy allows authorization for the request, given that the returned\n * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin\n * which knows about the referenced permission rules.\n *\n * @public\n */\nexport type ConditionalPolicyDecision = {\n  result: AuthorizeResult.CONDITIONAL;\n  pluginId: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @public\n */\nexport type PolicyDecision =\n  | DefinitivePolicyDecision\n  | ConditionalPolicyDecision;\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<\n  TResourceType extends string = string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n> = {\n  resourceType: TResourceType;\n  rule: string;\n  params?: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n  allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n  anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n  not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n  | AllOfCriteria<TQuery>\n  | AnyOfCriteria<TQuery>\n  | NotCriteria<TQuery>\n  | TQuery;\n\n/**\n * A parameter to a permission rule.\n *\n * @public\n */\nexport type PermissionRuleParam = undefined | JsonPrimitive | JsonPrimitive[];\n\n/**\n * Types that can be used as parameters to permission rules.\n *\n * @public\n */\nexport type PermissionRuleParams =\n  | undefined\n  | Record<string, PermissionRuleParam>;\n\n/**\n * An individual request sent to the permission backend.\n * @public\n */\nexport type EvaluatePermissionRequest = {\n  permission: Permission;\n  resourceRef?: string;\n};\n\n/**\n * A batch of requests sent to the permission backend.\n * @public\n * @deprecated This type is not used and it will be removed in the future\n */\nexport type EvaluatePermissionRequestBatch =\n  PermissionMessageBatch<EvaluatePermissionRequest>;\n\n/**\n * An individual response from the permission backend.\n *\n * @remarks\n *\n * This response type is an alias of {@link PolicyDecision} to maintain separation between the\n * {@link @backstage/plugin-permission-node#PermissionPolicy} interface and the permission backend\n * api. They may diverge at some point in the future. The response\n *\n * @public\n */\nexport type EvaluatePermissionResponse = PolicyDecision;\n\n/**\n * A batch of responses from the permission backend.\n * @public\n */\nexport type EvaluatePermissionResponseBatch =\n  PermissionMessageBatch<EvaluatePermissionResponse>;\n\n/**\n * Request object for {@link PermissionEvaluator.authorize}. If a {@link ResourcePermission}\n * is provided, it must include a corresponding `resourceRef`.\n * @public\n */\nexport type AuthorizePermissionRequest =\n  | {\n      permission: Exclude<Permission, ResourcePermission>;\n      resourceRef?: never;\n    }\n  | { permission: ResourcePermission; resourceRef: string };\n\n/**\n * Response object for {@link PermissionEvaluator.authorize}.\n * @public\n */\nexport type AuthorizePermissionResponse = DefinitivePolicyDecision;\n\n/**\n * Request object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionRequest = {\n  permission: ResourcePermission;\n  resourceRef?: never;\n};\n\n/**\n * Response object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionResponse = PolicyDecision;\n\n/**\n * A client interacting with the permission backend can implement this evaluator interface.\n *\n * @public\n */\nexport interface PermissionEvaluator {\n  /**\n   * Evaluates {@link Permission | Permissions} and returns a definitive decision.\n   */\n  authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<AuthorizePermissionResponse[]>;\n\n  /**\n   * Evaluates {@link ResourcePermission | ResourcePermissions} and returns both definitive and\n   * conditional decisions, depending on the configured\n   * {@link @backstage/plugin-permission-node#PermissionPolicy}. This method is useful when the\n   * caller needs more control over the processing of conditional decisions. For example, a plugin\n   * backend may want to use {@link PermissionCriteria | conditions} in a database query instead of\n   * evaluating each resource in memory.\n   */\n  authorizeConditional(\n    requests: QueryPermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<QueryPermissionResponse[]>;\n}\n\n// Note(Rugvip): I kept the below type around in case we want to add new options\n// in the future, for example a signal. It also helps out enabling API\n// constraints, as without this we can't have the permissions service implement\n// the evaluator interface due to the mismatch in parameter count.\n\n/**\n * Options for {@link PermissionEvaluator} requests.\n *\n * This is currently empty, as there are no longer any common options for the permission evaluator.\n *\n * @public\n */\nexport interface EvaluatorRequestOptions {}\n"],"names":["AuthorizeResult"],"mappings":";;AAsCO,IAAK,eAAA,qBAAAA,gBAAAA,KAAL;AAIL,EAAAA,iBAAA,MAAA,CAAA,GAAO,MAAA;AAIP,EAAAA,iBAAA,OAAA,CAAA,GAAQ,OAAA;AAIR,EAAAA,iBAAA,aAAA,CAAA,GAAc,aAAA;AAZJ,EAAA,OAAAA,gBAAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;;;"}

package/dist/types/api.esm.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.esm.js","sources":["../../src/types/api.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JsonPrimitive } from '@backstage/types';\nimport { Permission, ResourcePermission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type IdentifiedPermissionMessage<T> = T & { id: string };\n\n/**\n * A batch of request or response items.\n * @public\n */\nexport type PermissionMessageBatch<T> = {\n  items: IdentifiedPermissionMessage<T>[];\n};\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n  /**\n   * The authorization request is denied.\n   */\n  DENY = 'DENY',\n  /**\n   * The authorization request is allowed.\n   */\n  ALLOW = 'ALLOW',\n  /**\n   * The authorization request is allowed if the provided conditions are met.\n   */\n  CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy unconditionally allows (or denies) the request.\n *\n * @public\n */\nexport type DefinitivePolicyDecision = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\n/**\n * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy allows authorization for the request, given that the returned\n * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin\n * which knows about the referenced permission rules.\n *\n * @public\n */\nexport type ConditionalPolicyDecision = {\n  result: AuthorizeResult.CONDITIONAL;\n  pluginId: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @public\n */\nexport type PolicyDecision =\n  | DefinitivePolicyDecision\n  | ConditionalPolicyDecision;\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<\n  TResourceType extends string = string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n> = {\n  resourceType: TResourceType;\n  rule: string;\n  params?: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n  allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n  anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n  not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n  | AllOfCriteria<TQuery>\n  | AnyOfCriteria<TQuery>\n  | NotCriteria<TQuery>\n  | TQuery;\n\n/**\n * A parameter to a permission rule.\n *\n * @public\n */\nexport type PermissionRuleParam = undefined | JsonPrimitive | JsonPrimitive[];\n\n/**\n * Types that can be used as parameters to permission rules.\n *\n * @public\n */\nexport type PermissionRuleParams =\n  | undefined\n  | Record<string, PermissionRuleParam>;\n\n/**\n * An individual request sent to the permission backend.\n * @public\n */\nexport type EvaluatePermissionRequest = {\n  permission: Permission;\n  resourceRef?: string;\n};\n\n/**\n * A batch of requests sent to the permission backend.\n * @public\n * @deprecated This type is not used and it will be removed in the future\n */\nexport type EvaluatePermissionRequestBatch =\n  PermissionMessageBatch<EvaluatePermissionRequest>;\n\n/**\n * An individual response from the permission backend.\n *\n * @remarks\n *\n * This response type is an alias of {@link PolicyDecision} to maintain separation between the\n * {@link @backstage/plugin-permission-node#PermissionPolicy} interface and the permission backend\n * api. They may diverge at some point in the future. The response\n *\n * @public\n */\nexport type EvaluatePermissionResponse = PolicyDecision;\n\n/**\n * A batch of responses from the permission backend.\n * @public\n */\nexport type EvaluatePermissionResponseBatch =\n  PermissionMessageBatch<EvaluatePermissionResponse>;\n\n/**\n * Request object for {@link PermissionEvaluator.authorize}. If a {@link ResourcePermission}\n * is provided, it must include a corresponding `resourceRef`.\n * @public\n */\nexport type AuthorizePermissionRequest =\n  | {\n      permission: Exclude<Permission, ResourcePermission>;\n      resourceRef?: never;\n    }\n  | { permission: ResourcePermission; resourceRef: string };\n\n/**\n * Response object for {@link PermissionEvaluator.authorize}.\n * @public\n */\nexport type AuthorizePermissionResponse = DefinitivePolicyDecision;\n\n/**\n * Request object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionRequest = {\n  permission: ResourcePermission;\n  resourceRef?: never;\n};\n\n/**\n * Response object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionResponse = PolicyDecision;\n\n/**\n * A client interacting with the permission backend can implement this evaluator interface.\n *\n * @public\n */\nexport interface PermissionEvaluator {\n  /**\n   * Evaluates {@link Permission | Permissions} and returns a definitive decision.\n   */\n  authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<AuthorizePermissionResponse[]>;\n\n  /**\n   * Evaluates {@link ResourcePermission | ResourcePermissions} and returns both definitive and\n   * conditional decisions, depending on the configured\n   * {@link @backstage/plugin-permission-node#PermissionPolicy}. This method is useful when the\n   * caller needs more control over the processing of conditional decisions. For example, a plugin\n   * backend may want to use {@link PermissionCriteria | conditions} in a database query instead of\n   * evaluating each resource in memory.\n   */\n  authorizeConditional(\n    requests: QueryPermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<QueryPermissionResponse[]>;\n}\n\n// Note(Rugvip): I kept the below type around in case we want to add new options\n// in the future, for example a signal. It also helps out enabling API\n// constraints, as without this we can't have the permissions service implement\n// the evaluator interface due to the mismatch in parameter count.\n\n/**\n * Options for {@link PermissionEvaluator} requests.\n *\n * This is currently empty, as there are no longer any common options for the permission evaluator.\n *\n * @public\n */\nexport interface EvaluatorRequestOptions {}\n"],"names":["AuthorizeResult"],"mappings":"AAsCY,IAAA,eAAA,qBAAAA,gBAAL,KAAA;AAIL,EAAAA,iBAAA,MAAO,CAAA,GAAA,MAAA;AAIP,EAAAA,iBAAA,OAAQ,CAAA,GAAA,OAAA;AAIR,EAAAA,iBAAA,aAAc,CAAA,GAAA,aAAA;AAZJ,EAAAA,OAAAA,gBAAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;;;"}
+{"version":3,"file":"api.esm.js","sources":["../../src/types/api.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JsonPrimitive } from '@backstage/types';\nimport { Permission, ResourcePermission } from './permission';\n\n/**\n * A request with a UUID identifier, so that batched responses can be matched up with the original\n * requests.\n * @public\n */\nexport type IdentifiedPermissionMessage<T> = T & { id: string };\n\n/**\n * A batch of request or response items.\n * @public\n */\nexport type PermissionMessageBatch<T> = {\n  items: IdentifiedPermissionMessage<T>[];\n};\n\n/**\n * The result of an authorization request.\n * @public\n */\nexport enum AuthorizeResult {\n  /**\n   * The authorization request is denied.\n   */\n  DENY = 'DENY',\n  /**\n   * The authorization request is allowed.\n   */\n  ALLOW = 'ALLOW',\n  /**\n   * The authorization request is allowed if the provided conditions are met.\n   */\n  CONDITIONAL = 'CONDITIONAL',\n}\n\n/**\n * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy unconditionally allows (or denies) the request.\n *\n * @public\n */\nexport type DefinitivePolicyDecision = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\n/**\n * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @remarks\n *\n * This indicates that the policy allows authorization for the request, given that the returned\n * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin\n * which knows about the referenced permission rules.\n *\n * @public\n */\nexport type ConditionalPolicyDecision = {\n  result: AuthorizeResult.CONDITIONAL;\n  pluginId: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.\n *\n * @public\n */\nexport type PolicyDecision =\n  | DefinitivePolicyDecision\n  | ConditionalPolicyDecision;\n\n/**\n * A condition returned with a CONDITIONAL authorization response.\n *\n * Conditions are a reference to a rule defined by a plugin, and parameters to apply the rule. For\n * example, a rule might be `isOwner` from the catalog-backend, and params may be a list of entity\n * claims from a identity token.\n * @public\n */\nexport type PermissionCondition<\n  TResourceType extends string = string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n> = {\n  resourceType: TResourceType;\n  rule: string;\n  params?: TParams;\n};\n\n/**\n * Utility type to represent an array with 1 or more elements.\n * @ignore\n */\ntype NonEmptyArray<T> = [T, ...T[]];\n\n/**\n * Represents a logical AND for the provided criteria.\n * @public\n */\nexport type AllOfCriteria<TQuery> = {\n  allOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a logical OR for the provided criteria.\n * @public\n */\nexport type AnyOfCriteria<TQuery> = {\n  anyOf: NonEmptyArray<PermissionCriteria<TQuery>>;\n};\n\n/**\n * Represents a negation of the provided criteria.\n * @public\n */\nexport type NotCriteria<TQuery> = {\n  not: PermissionCriteria<TQuery>;\n};\n\n/**\n * Composes several {@link PermissionCondition}s as criteria with a nested AND/OR structure.\n * @public\n */\nexport type PermissionCriteria<TQuery> =\n  | AllOfCriteria<TQuery>\n  | AnyOfCriteria<TQuery>\n  | NotCriteria<TQuery>\n  | TQuery;\n\n/**\n * A parameter to a permission rule.\n *\n * @public\n */\nexport type PermissionRuleParam = undefined | JsonPrimitive | JsonPrimitive[];\n\n/**\n * Types that can be used as parameters to permission rules.\n *\n * @public\n */\nexport type PermissionRuleParams =\n  | undefined\n  | Record<string, PermissionRuleParam>;\n\n/**\n * An individual request sent to the permission backend.\n * @public\n */\nexport type EvaluatePermissionRequest = {\n  permission: Permission;\n  resourceRef?: string;\n};\n\n/**\n * A batch of requests sent to the permission backend.\n * @public\n * @deprecated This type is not used and it will be removed in the future\n */\nexport type EvaluatePermissionRequestBatch =\n  PermissionMessageBatch<EvaluatePermissionRequest>;\n\n/**\n * An individual response from the permission backend.\n *\n * @remarks\n *\n * This response type is an alias of {@link PolicyDecision} to maintain separation between the\n * {@link @backstage/plugin-permission-node#PermissionPolicy} interface and the permission backend\n * api. They may diverge at some point in the future. The response\n *\n * @public\n */\nexport type EvaluatePermissionResponse = PolicyDecision;\n\n/**\n * A batch of responses from the permission backend.\n * @public\n */\nexport type EvaluatePermissionResponseBatch =\n  PermissionMessageBatch<EvaluatePermissionResponse>;\n\n/**\n * Request object for {@link PermissionEvaluator.authorize}. If a {@link ResourcePermission}\n * is provided, it must include a corresponding `resourceRef`.\n * @public\n */\nexport type AuthorizePermissionRequest =\n  | {\n      permission: Exclude<Permission, ResourcePermission>;\n      resourceRef?: never;\n    }\n  | { permission: ResourcePermission; resourceRef: string };\n\n/**\n * Response object for {@link PermissionEvaluator.authorize}.\n * @public\n */\nexport type AuthorizePermissionResponse = DefinitivePolicyDecision;\n\n/**\n * Request object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionRequest = {\n  permission: ResourcePermission;\n  resourceRef?: never;\n};\n\n/**\n * Response object for {@link PermissionEvaluator.authorizeConditional}.\n * @public\n */\nexport type QueryPermissionResponse = PolicyDecision;\n\n/**\n * A client interacting with the permission backend can implement this evaluator interface.\n *\n * @public\n */\nexport interface PermissionEvaluator {\n  /**\n   * Evaluates {@link Permission | Permissions} and returns a definitive decision.\n   */\n  authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<AuthorizePermissionResponse[]>;\n\n  /**\n   * Evaluates {@link ResourcePermission | ResourcePermissions} and returns both definitive and\n   * conditional decisions, depending on the configured\n   * {@link @backstage/plugin-permission-node#PermissionPolicy}. This method is useful when the\n   * caller needs more control over the processing of conditional decisions. For example, a plugin\n   * backend may want to use {@link PermissionCriteria | conditions} in a database query instead of\n   * evaluating each resource in memory.\n   */\n  authorizeConditional(\n    requests: QueryPermissionRequest[],\n    options?: EvaluatorRequestOptions & { _ignored?: never }, // Since the options are empty we add this placeholder to reject all options\n  ): Promise<QueryPermissionResponse[]>;\n}\n\n// Note(Rugvip): I kept the below type around in case we want to add new options\n// in the future, for example a signal. It also helps out enabling API\n// constraints, as without this we can't have the permissions service implement\n// the evaluator interface due to the mismatch in parameter count.\n\n/**\n * Options for {@link PermissionEvaluator} requests.\n *\n * This is currently empty, as there are no longer any common options for the permission evaluator.\n *\n * @public\n */\nexport interface EvaluatorRequestOptions {}\n"],"names":["AuthorizeResult"],"mappings":"AAsCO,IAAK,eAAA,qBAAAA,gBAAAA,KAAL;AAIL,EAAAA,iBAAA,MAAA,CAAA,GAAO,MAAA;AAIP,EAAAA,iBAAA,OAAA,CAAA,GAAQ,OAAA;AAIR,EAAAA,iBAAA,aAAA,CAAA,GAAc,aAAA;AAZJ,EAAA,OAAAA,gBAAAA;AAAA,CAAA,EAAA,eAAA,IAAA,EAAA;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-common",
-  "version": "0.9.1-next.0",
+  "version": "0.9.2-next.0",
   "description": "Isomorphic types and client for Backstage permissions and authorization",
   "backstage": {
     "role": "common-library",
@@ -48,16 +48,16 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/config": "1.3.3-next.0",
+    "@backstage/config": "1.3.4-next.0",
     "@backstage/errors": "1.2.7",
-    "@backstage/types": "1.2.1",
+    "@backstage/types": "1.2.2",
     "cross-fetch": "^4.0.0",
     "uuid": "^11.0.0",
     "zod": "^3.22.4",
     "zod-to-json-schema": "^3.20.4"
   },
   "devDependencies": {
-    "@backstage/cli": "0.33.1-next.1",
+    "@backstage/cli": "0.34.4-next.1",
     "msw": "^1.0.0"
   },
   "configSchema": "config.d.ts",