@backstage/plugin-permission-node 0.0.0-nightly-202111222339 → 0.2.1

package/CHANGELOG.md

@@ -1,16 +1,28 @@
 # @backstage/plugin-permission-node
 
-## 0.0.0-nightly-202111222339
+## 0.2.1
+
+### Patch Changes
+
+- dcd1a0c3f4: Minor improvement to the API reports, by not unpacking arguments directly
+- a036b65c2f: Updated to use the new `BackstageIdentityResponse` type from `@backstage/plugin-auth-backend`.
+
+  The `BackstageIdentityResponse` type is backwards compatible with the `BackstageIdentity`, and provides an additional `identity` field with the claims of the user.
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.5.0
+
+## 0.2.0
 
 ### Minor Changes
 
 - e7851efa9e: Rename and adjust permission policy return type to reduce nesting
+- 450ca92330: Change route used for integration between the authorization framework and other plugin backends to use the /.well-known prefix.
 
 ### Patch Changes
 
 - Updated dependencies
-  - @backstage/plugin-auth-backend@0.0.0-nightly-202111222339
-  - @backstage/plugin-permission-common@0.0.0-nightly-202111222339
+  - @backstage/plugin-auth-backend@0.4.10
 
 ## 0.1.0
 

package/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright 2020 The Backstage Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/dist/index.cjs.js

@@ -16,7 +16,7 @@ const createConditionFactory = (rule) => (...params) => ({
 });
 
 const createConditionExports = (options) => {
-  const {pluginId, resourceType, rules} = options;
+  const { pluginId, resourceType, rules } = options;
   return {
     conditions: Object.entries(rules).reduce((acc, [key, rule]) => ({
       ...acc,
@@ -67,9 +67,9 @@ const createConditionTransformer = (permissionRules) => {
 };
 
 const permissionCriteriaSchema = zod.z.lazy(() => zod.z.union([
-  zod.z.object({anyOf: zod.z.array(permissionCriteriaSchema)}),
-  zod.z.object({allOf: zod.z.array(permissionCriteriaSchema)}),
-  zod.z.object({not: permissionCriteriaSchema}),
+  zod.z.object({ anyOf: zod.z.array(permissionCriteriaSchema) }),
+  zod.z.object({ allOf: zod.z.array(permissionCriteriaSchema) }),
+  zod.z.object({ not: permissionCriteriaSchema }),
   zod.z.object({
     rule: zod.z.string(),
     params: zod.z.array(zod.z.unknown())
@@ -90,19 +90,16 @@ const applyConditions = (criteria, resource, getRule) => {
   }
   return getRule(criteria.rule).apply(resource, ...criteria.params);
 };
-const createPermissionIntegrationRouter = ({
-  resourceType,
-  rules,
-  getResource
-}) => {
+const createPermissionIntegrationRouter = (options) => {
+  const { resourceType, rules, getResource } = options;
   const router = express.Router();
   const getRule = createGetRule(rules);
-  router.post("/permissions/apply-conditions", express__default['default'].json(), async (req, res) => {
+  router.post("/.well-known/backstage/permissions/apply-conditions", express__default["default"].json(), async (req, res) => {
     const parseResult = applyConditionsRequestSchema.safeParse(req.body);
     if (!parseResult.success) {
       return res.status(400).send(`Invalid request body.`);
     }
-    const {data: body} = parseResult;
+    const { data: body } = parseResult;
     if (body.resourceType !== resourceType) {
       return res.status(400).send(`Unexpected resource type: ${body.resourceType}.`);
     }

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionRule } from '../types';\n\n/**\n * Creates a condition factory function for a given authorization rule and parameter types.\n *\n * @remarks\n *\n * For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n *\n * Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n *\n * @public\n */\nexport const createConditionFactory =\n  <TParams extends any[]>(rule: PermissionRule<unknown, unknown, TParams>) =>\n  (...params: TParams) => ({\n    rule: rule.name,\n    params,\n  });\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { ConditionalPolicyDecision } from '../policy';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/**\n * A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n *\n * @public\n */\nexport type Condition<TRule> = TRule extends PermissionRule<\n  any,\n  any,\n  infer TParams\n>\n  ? (...params: TParams) => PermissionCondition<TParams>\n  : never;\n\n/**\n * A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n *\n * @public\n */\nexport type Conditions<\n  TRules extends Record<string, PermissionRule<any, any>>,\n> = {\n  [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/**\n * Creates the recommended condition-related exports for a given plugin based on the built-in\n * {@link PermissionRule}s it supports.\n *\n * @remarks\n *\n * The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for each of the\n * supplied {@link PermissionRule}s, along with a `createConditions` function which builds the\n * wrapper object needed to enclose conditions when authoring {@link PermissionPolicy} implementations.\n *\n * Plugin authors should generally call this method with all the built-in {@link PermissionRule}s\n * the plugin supports, and export the resulting `conditions` object and `createConditions`\n * function so that they can be used by {@link PermissionPolicy} authors.\n *\n * @public\n */\nexport const createConditionExports = <\n  TResource,\n  TRules extends Record<string, PermissionRule<TResource, any>>,\n>(options: {\n  pluginId: string;\n  resourceType: string;\n  rules: TRules;\n}): {\n  conditions: Conditions<TRules>;\n  createPolicyDecision: (\n    conditions: PermissionCriteria<PermissionCondition>,\n  ) => ConditionalPolicyDecision;\n} => {\n  const { pluginId, resourceType, rules } = options;\n\n  return {\n    conditions: Object.entries(rules).reduce(\n      (acc, [key, rule]) => ({\n        ...acc,\n        [key]: createConditionFactory(rule),\n      }),\n      {} as Conditions<TRules>,\n    ),\n    createPolicyDecision: (\n      conditions: PermissionCriteria<PermissionCondition>,\n    ) => ({\n      result: AuthorizeResult.CONDITIONAL,\n      pluginId,\n      resourceType,\n      conditions,\n    }),\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionCriteria } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\nexport const isAndCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { allOf: PermissionCriteria<unknown>[] } =>\n  Object.prototype.hasOwnProperty.call(filter, 'allOf');\n\nexport const isOrCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { anyOf: PermissionCriteria<unknown>[] } =>\n  Object.prototype.hasOwnProperty.call(filter, 'anyOf');\n\nexport const isNotCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { not: PermissionCriteria<unknown> } =>\n  Object.prototype.hasOwnProperty.call(filter, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery>[],\n) => {\n  const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n  return (name: string): PermissionRule<TResource, TQuery> => {\n    const rule = rulesMap.get(name);\n\n    if (!rule) {\n      throw new Error(`Unexpected permission rule: ${name}`);\n    }\n\n    return rule;\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  getRule: (name: string) => PermissionRule<unknown, TQuery>,\n): PermissionCriteria<TQuery> => {\n  if (isAndCriteria(criteria)) {\n    return {\n      allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n    };\n  } else if (isOrCriteria(criteria)) {\n    return {\n      anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n    };\n  } else if (isNotCriteria(criteria)) {\n    return {\n      not: mapConditions(criteria.not, getRule),\n    };\n  }\n\n  return getRule(criteria.rule).toQuery(...criteria.params);\n};\n\n/**\n * A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n *\n * @public\n */\nexport type ConditionTransformer<TQuery> = (\n  conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/**\n * A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n *\n * @public\n */\nexport const createConditionTransformer = <\n  TQuery,\n  TRules extends PermissionRule<any, TQuery>[],\n>(\n  permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n  const getRule = createGetRule(permissionRules);\n\n  return conditions => mapConditions(conditions, getRule);\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express, { Response, Router } from 'express';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z.union([\n    z.object({ anyOf: z.array(permissionCriteriaSchema) }),\n    z.object({ allOf: z.array(permissionCriteriaSchema) }),\n    z.object({ not: permissionCriteriaSchema }),\n    z.object({\n      rule: z.string(),\n      params: z.array(z.unknown()),\n    }),\n  ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n  resourceRef: z.string(),\n  resourceType: z.string(),\n  conditions: permissionCriteriaSchema,\n});\n\n/**\n * A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n *\n * @public\n */\nexport type ApplyConditionsRequest = {\n  resourceRef: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n *\n * @public\n */\nexport type ApplyConditionsResponse = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\nconst applyConditions = <TResource>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  resource: TResource,\n  getRule: (name: string) => PermissionRule<TResource, unknown>,\n): boolean => {\n  if (isAndCriteria(criteria)) {\n    return criteria.allOf.every(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isOrCriteria(criteria)) {\n    return criteria.anyOf.some(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isNotCriteria(criteria)) {\n    return !applyConditions(criteria.not, resource, getRule);\n  }\n\n  return getRule(criteria.rule).apply(resource, ...criteria.params);\n};\n\n/**\n * Create an express Router which provides an authorization route to allow integration between the\n * permission backend and other Backstage backend plugins. Plugin owners that wish to support\n * conditional authorization for their resources should add the router created by this function\n * to their express app inside their `createRouter` implementation.\n *\n * @remarks\n *\n * To make this concrete, we can use the Backstage software catalog as an example. The catalog has\n * conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is\n * captured here as `resourceType`, a string identifier (`catalog-entity` in this example) that can\n * be provided with permission definitions. This is merely a _type_ to verify that conditions in an\n * authorization policy are constructed correctly, not a reference to a specific resource.\n *\n * The `rules` parameter is an array of {@link PermissionRule}s that introduce conditional\n * filtering logic for resources; for the catalog, these are things like `isEntityOwner` or\n * `hasAnnotation`. Rules describe how to filter a list of resources, and the `conditions` returned\n * allow these rules to be applied with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n *\n * The `getResource` argument should load a resource by reference. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be any serialized format.\n * This is used to construct the `createPermissionIntegrationRouter`, a function to add an\n * authorization route to your backend plugin. This route will be called by the `permission-backend`\n * when authorization conditions relating to this plugin need to be evaluated.\n * @public\n */\nexport const createPermissionIntegrationRouter = <TResource>({\n  resourceType,\n  rules,\n  getResource,\n}: {\n  resourceType: string;\n  rules: PermissionRule<TResource, any>[];\n  getResource: (resourceRef: string) => Promise<TResource | undefined>;\n}): Router => {\n  const router = Router();\n\n  const getRule = createGetRule(rules);\n\n  router.post(\n    '/permissions/apply-conditions',\n    express.json(),\n    async (\n      req,\n      res: Response<\n        | {\n            result: Omit<AuthorizeResult, AuthorizeResult.CONDITIONAL>;\n          }\n        | string\n      >,\n    ) => {\n      const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        return res.status(400).send(`Invalid request body.`);\n      }\n\n      const { data: body } = parseResult;\n\n      if (body.resourceType !== resourceType) {\n        return res\n          .status(400)\n          .send(`Unexpected resource type: ${body.resourceType}.`);\n      }\n\n      const resource = await getResource(body.resourceRef);\n\n      if (!resource) {\n        return res\n          .status(400)\n          .send(`Resource for ref ${body.resourceRef} not found.`);\n      }\n\n      return res.status(200).json({\n        result: applyConditions(body.conditions, resource, getRule)\n          ? AuthorizeResult.ALLOW\n          : AuthorizeResult.DENY,\n      });\n    },\n  );\n\n  return router;\n};\n"],"names":["AuthorizeResult","z","Router","express"],"mappings":";;;;;;;;;;;;MAkCa,yBACX,CAAwB,SACxB,IAAI;AAAqB,EACvB,MAAM,KAAK;AAAA,EACX;AAAA;;MC8BS,yBAAyB,CAGpC,YASG;AACH,QAAM,CAAE,UAAU,cAAc,SAAU;AAE1C,SAAO;AAAA,IACL,YAAY,OAAO,QAAQ,OAAO,OAChC,CAAC,KAAK,CAAC,KAAK;AAAW,SAClB;AAAA,OACF,MAAM,uBAAuB;AAAA,QAEhC;AAAA,IAEF,sBAAsB,CACpB;AACI,MACJ,QAAQA,uCAAgB;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA;;MC9EO,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,eAAe,CAC1B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,UACG;AACH,QAAM,WAAW,IAAI,IAAI,OAAO,OAAO,OAAO,IAAI,UAAQ,CAAC,KAAK,MAAM;AAEtE,SAAO,CAAC,SAAoD;AAC1D,UAAM,OAAO,SAAS,IAAI;AAE1B,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+BAA+B;AAAA;AAGjD,WAAO;AAAA;AAAA;;ACnBX,MAAM,gBAAgB,CACpB,UACA,YAC+B;AAC/B,MAAI,cAAc,WAAW;AAC3B,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,aAAa,WAAW;AACjC,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,cAAc,WAAW;AAClC,WAAO;AAAA,MACL,KAAK,cAAc,SAAS,KAAK;AAAA;AAAA;AAIrC,SAAO,QAAQ,SAAS,MAAM,QAAQ,GAAG,SAAS;AAAA;MAuBvC,6BAA6B,CAIxC,oBACiC;AACjC,QAAM,UAAU,cAAc;AAE9B,SAAO,gBAAc,cAAc,YAAY;AAAA;;AC7CjD,MAAM,2BAEFC,MAAE,KAAK,MACTA,MAAE,MAAM;AAAA,EACNA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,CAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,CAAE,KAAK;AAAA,EAChBA,MAAE,OAAO;AAAA,IACP,MAAMA,MAAE;AAAA,IACR,QAAQA,MAAE,MAAMA,MAAE;AAAA;AAAA;AAKxB,MAAM,+BAA+BA,MAAE,OAAO;AAAA,EAC5C,aAAaA,MAAE;AAAA,EACf,cAAcA,MAAE;AAAA,EAChB,YAAY;AAAA;AAyBd,MAAM,kBAAkB,CACtB,UACA,UACA,YACY;AACZ,MAAI,cAAc,WAAW;AAC3B,WAAO,SAAS,MAAM,MAAM,WAC1B,gBAAgB,OAAO,UAAU;AAAA,aAE1B,aAAa,WAAW;AACjC,WAAO,SAAS,MAAM,KAAK,WACzB,gBAAgB,OAAO,UAAU;AAAA,aAE1B,cAAc,WAAW;AAClC,WAAO,CAAC,gBAAgB,SAAS,KAAK,UAAU;AAAA;AAGlD,SAAO,QAAQ,SAAS,MAAM,MAAM,UAAU,GAAG,SAAS;AAAA;MA8B/C,oCAAoC,CAAY;AAAA,EAC3D;AAAA,EACA;AAAA,EACA;AAAA,MAKY;AACZ,QAAM,SAASC;AAEf,QAAM,UAAU,cAAc;AAE9B,SAAO,KACL,iCACAC,4BAAQ,QACR,OACE,KACA,QAMG;AACH,UAAM,cAAc,6BAA6B,UAAU,IAAI;AAE/D,QAAI,CAAC,YAAY,SAAS;AACxB,aAAO,IAAI,OAAO,KAAK,KAAK;AAAA;AAG9B,UAAM,CAAE,MAAM,QAAS;AAEvB,QAAI,KAAK,iBAAiB,cAAc;AACtC,aAAO,IACJ,OAAO,KACP,KAAK,6BAA6B,KAAK;AAAA;AAG5C,UAAM,WAAW,MAAM,YAAY,KAAK;AAExC,QAAI,CAAC,UAAU;AACb,aAAO,IACJ,OAAO,KACP,KAAK,oBAAoB,KAAK;AAAA;AAGnC,WAAO,IAAI,OAAO,KAAK,KAAK;AAAA,MAC1B,QAAQ,gBAAgB,KAAK,YAAY,UAAU,WAC/CH,uCAAgB,QAChBA,uCAAgB;AAAA;AAAA;AAK1B,SAAO;AAAA;;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionRule } from '../types';\n\n/**\n * Creates a condition factory function for a given authorization rule and parameter types.\n *\n * @remarks\n *\n * For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n *\n * Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n *\n * @public\n */\nexport const createConditionFactory =\n  <TParams extends any[]>(rule: PermissionRule<unknown, unknown, TParams>) =>\n  (...params: TParams) => ({\n    rule: rule.name,\n    params,\n  });\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { ConditionalPolicyDecision } from '../policy';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/**\n * A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n *\n * @public\n */\nexport type Condition<TRule> = TRule extends PermissionRule<\n  any,\n  any,\n  infer TParams\n>\n  ? (...params: TParams) => PermissionCondition<TParams>\n  : never;\n\n/**\n * A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n *\n * @public\n */\nexport type Conditions<\n  TRules extends Record<string, PermissionRule<any, any>>,\n> = {\n  [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/**\n * Creates the recommended condition-related exports for a given plugin based on the built-in\n * {@link PermissionRule}s it supports.\n *\n * @remarks\n *\n * The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for each of the\n * supplied {@link PermissionRule}s, along with a `createConditions` function which builds the\n * wrapper object needed to enclose conditions when authoring {@link PermissionPolicy} implementations.\n *\n * Plugin authors should generally call this method with all the built-in {@link PermissionRule}s\n * the plugin supports, and export the resulting `conditions` object and `createConditions`\n * function so that they can be used by {@link PermissionPolicy} authors.\n *\n * @public\n */\nexport const createConditionExports = <\n  TResource,\n  TRules extends Record<string, PermissionRule<TResource, any>>,\n>(options: {\n  pluginId: string;\n  resourceType: string;\n  rules: TRules;\n}): {\n  conditions: Conditions<TRules>;\n  createPolicyDecision: (\n    conditions: PermissionCriteria<PermissionCondition>,\n  ) => ConditionalPolicyDecision;\n} => {\n  const { pluginId, resourceType, rules } = options;\n\n  return {\n    conditions: Object.entries(rules).reduce(\n      (acc, [key, rule]) => ({\n        ...acc,\n        [key]: createConditionFactory(rule),\n      }),\n      {} as Conditions<TRules>,\n    ),\n    createPolicyDecision: (\n      conditions: PermissionCriteria<PermissionCondition>,\n    ) => ({\n      result: AuthorizeResult.CONDITIONAL,\n      pluginId,\n      resourceType,\n      conditions,\n    }),\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionCriteria } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\nexport const isAndCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { allOf: PermissionCriteria<unknown>[] } =>\n  Object.prototype.hasOwnProperty.call(filter, 'allOf');\n\nexport const isOrCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { anyOf: PermissionCriteria<unknown>[] } =>\n  Object.prototype.hasOwnProperty.call(filter, 'anyOf');\n\nexport const isNotCriteria = (\n  filter: PermissionCriteria<unknown>,\n): filter is { not: PermissionCriteria<unknown> } =>\n  Object.prototype.hasOwnProperty.call(filter, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery>[],\n) => {\n  const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n  return (name: string): PermissionRule<TResource, TQuery> => {\n    const rule = rulesMap.get(name);\n\n    if (!rule) {\n      throw new Error(`Unexpected permission rule: ${name}`);\n    }\n\n    return rule;\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  getRule: (name: string) => PermissionRule<unknown, TQuery>,\n): PermissionCriteria<TQuery> => {\n  if (isAndCriteria(criteria)) {\n    return {\n      allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n    };\n  } else if (isOrCriteria(criteria)) {\n    return {\n      anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n    };\n  } else if (isNotCriteria(criteria)) {\n    return {\n      not: mapConditions(criteria.not, getRule),\n    };\n  }\n\n  return getRule(criteria.rule).toQuery(...criteria.params);\n};\n\n/**\n * A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n *\n * @public\n */\nexport type ConditionTransformer<TQuery> = (\n  conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/**\n * A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n *\n * @public\n */\nexport const createConditionTransformer = <\n  TQuery,\n  TRules extends PermissionRule<any, TQuery>[],\n>(\n  permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n  const getRule = createGetRule(permissionRules);\n\n  return conditions => mapConditions(conditions, getRule);\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express, { Response, Router } from 'express';\nimport { z } from 'zod';\nimport {\n  AuthorizeResult,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z.union([\n    z.object({ anyOf: z.array(permissionCriteriaSchema) }),\n    z.object({ allOf: z.array(permissionCriteriaSchema) }),\n    z.object({ not: permissionCriteriaSchema }),\n    z.object({\n      rule: z.string(),\n      params: z.array(z.unknown()),\n    }),\n  ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n  resourceRef: z.string(),\n  resourceType: z.string(),\n  conditions: permissionCriteriaSchema,\n});\n\n/**\n * A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n *\n * @public\n */\nexport type ApplyConditionsRequest = {\n  resourceRef: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/**\n * The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n *\n * @public\n */\nexport type ApplyConditionsResponse = {\n  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;\n};\n\nconst applyConditions = <TResource>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  resource: TResource,\n  getRule: (name: string) => PermissionRule<TResource, unknown>,\n): boolean => {\n  if (isAndCriteria(criteria)) {\n    return criteria.allOf.every(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isOrCriteria(criteria)) {\n    return criteria.anyOf.some(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isNotCriteria(criteria)) {\n    return !applyConditions(criteria.not, resource, getRule);\n  }\n\n  return getRule(criteria.rule).apply(resource, ...criteria.params);\n};\n\n/**\n * Create an express Router which provides an authorization route to allow integration between the\n * permission backend and other Backstage backend plugins. Plugin owners that wish to support\n * conditional authorization for their resources should add the router created by this function\n * to their express app inside their `createRouter` implementation.\n *\n * @remarks\n *\n * To make this concrete, we can use the Backstage software catalog as an example. The catalog has\n * conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is\n * captured here as `resourceType`, a string identifier (`catalog-entity` in this example) that can\n * be provided with permission definitions. This is merely a _type_ to verify that conditions in an\n * authorization policy are constructed correctly, not a reference to a specific resource.\n *\n * The `rules` parameter is an array of {@link PermissionRule}s that introduce conditional\n * filtering logic for resources; for the catalog, these are things like `isEntityOwner` or\n * `hasAnnotation`. Rules describe how to filter a list of resources, and the `conditions` returned\n * allow these rules to be applied with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n *\n * The `getResource` argument should load a resource by reference. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be any serialized format.\n * This is used to construct the `createPermissionIntegrationRouter`, a function to add an\n * authorization route to your backend plugin. This route will be called by the `permission-backend`\n * when authorization conditions relating to this plugin need to be evaluated.\n *\n * @public\n */\nexport const createPermissionIntegrationRouter = <TResource>(options: {\n  resourceType: string;\n  rules: PermissionRule<TResource, any>[];\n  getResource: (resourceRef: string) => Promise<TResource | undefined>;\n}): Router => {\n  const { resourceType, rules, getResource } = options;\n  const router = Router();\n\n  const getRule = createGetRule(rules);\n\n  router.post(\n    '/.well-known/backstage/permissions/apply-conditions',\n    express.json(),\n    async (\n      req,\n      res: Response<\n        | {\n            result: Omit<AuthorizeResult, AuthorizeResult.CONDITIONAL>;\n          }\n        | string\n      >,\n    ) => {\n      const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        return res.status(400).send(`Invalid request body.`);\n      }\n\n      const { data: body } = parseResult;\n\n      if (body.resourceType !== resourceType) {\n        return res\n          .status(400)\n          .send(`Unexpected resource type: ${body.resourceType}.`);\n      }\n\n      const resource = await getResource(body.resourceRef);\n\n      if (!resource) {\n        return res\n          .status(400)\n          .send(`Resource for ref ${body.resourceRef} not found.`);\n      }\n\n      return res.status(200).json({\n        result: applyConditions(body.conditions, resource, getRule)\n          ? AuthorizeResult.ALLOW\n          : AuthorizeResult.DENY,\n      });\n    },\n  );\n\n  return router;\n};\n"],"names":["AuthorizeResult","z","Router","express"],"mappings":";;;;;;;;;;;;MAkCa,yBACX,CAAwB,SACxB,IAAI;AAAqB,EACvB,MAAM,KAAK;AAAA,EACX;AAAA;;MC8BS,yBAAyB,CAGpC,YASG;AACH,QAAM,EAAE,UAAU,cAAc,UAAU;AAE1C,SAAO;AAAA,IACL,YAAY,OAAO,QAAQ,OAAO,OAChC,CAAC,KAAK,CAAC,KAAK;AAAW,SAClB;AAAA,OACF,MAAM,uBAAuB;AAAA,QAEhC;AAAA,IAEF,sBAAsB,CACpB;AACI,MACJ,QAAQA,uCAAgB;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA;;MC9EO,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,eAAe,CAC1B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,UACG;AACH,QAAM,WAAW,IAAI,IAAI,OAAO,OAAO,OAAO,IAAI,UAAQ,CAAC,KAAK,MAAM;AAEtE,SAAO,CAAC,SAAoD;AAC1D,UAAM,OAAO,SAAS,IAAI;AAE1B,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+BAA+B;AAAA;AAGjD,WAAO;AAAA;AAAA;;ACnBX,MAAM,gBAAgB,CACpB,UACA,YAC+B;AAC/B,MAAI,cAAc,WAAW;AAC3B,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,aAAa,WAAW;AACjC,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,cAAc,WAAW;AAClC,WAAO;AAAA,MACL,KAAK,cAAc,SAAS,KAAK;AAAA;AAAA;AAIrC,SAAO,QAAQ,SAAS,MAAM,QAAQ,GAAG,SAAS;AAAA;MAuBvC,6BAA6B,CAIxC,oBACiC;AACjC,QAAM,UAAU,cAAc;AAE9B,SAAO,gBAAc,cAAc,YAAY;AAAA;;AC7CjD,MAAM,2BAEFC,MAAE,KAAK,MACTA,MAAE,MAAM;AAAA,EACNA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,KAAK;AAAA,EAChBA,MAAE,OAAO;AAAA,IACP,MAAMA,MAAE;AAAA,IACR,QAAQA,MAAE,MAAMA,MAAE;AAAA;AAAA;AAKxB,MAAM,+BAA+BA,MAAE,OAAO;AAAA,EAC5C,aAAaA,MAAE;AAAA,EACf,cAAcA,MAAE;AAAA,EAChB,YAAY;AAAA;AAyBd,MAAM,kBAAkB,CACtB,UACA,UACA,YACY;AACZ,MAAI,cAAc,WAAW;AAC3B,WAAO,SAAS,MAAM,MAAM,WAC1B,gBAAgB,OAAO,UAAU;AAAA,aAE1B,aAAa,WAAW;AACjC,WAAO,SAAS,MAAM,KAAK,WACzB,gBAAgB,OAAO,UAAU;AAAA,aAE1B,cAAc,WAAW;AAClC,WAAO,CAAC,gBAAgB,SAAS,KAAK,UAAU;AAAA;AAGlD,SAAO,QAAQ,SAAS,MAAM,MAAM,UAAU,GAAG,SAAS;AAAA;MA+B/C,oCAAoC,CAAY,YAI/C;AACZ,QAAM,EAAE,cAAc,OAAO,gBAAgB;AAC7C,QAAM,SAASC;AAEf,QAAM,UAAU,cAAc;AAE9B,SAAO,KACL,uDACAC,4BAAQ,QACR,OACE,KACA,QAMG;AACH,UAAM,cAAc,6BAA6B,UAAU,IAAI;AAE/D,QAAI,CAAC,YAAY,SAAS;AACxB,aAAO,IAAI,OAAO,KAAK,KAAK;AAAA;AAG9B,UAAM,EAAE,MAAM,SAAS;AAEvB,QAAI,KAAK,iBAAiB,cAAc;AACtC,aAAO,IACJ,OAAO,KACP,KAAK,6BAA6B,KAAK;AAAA;AAG5C,UAAM,WAAW,MAAM,YAAY,KAAK;AAExC,QAAI,CAAC,UAAU;AACb,aAAO,IACJ,OAAO,KACP,KAAK,oBAAoB,KAAK;AAAA;AAGnC,WAAO,IAAI,OAAO,KAAK,KAAK;AAAA,MAC1B,QAAQ,gBAAgB,KAAK,YAAY,UAAU,WAC/CH,uCAAgB,QAChBA,uCAAgB;AAAA;AAAA;AAK1B,SAAO;AAAA;;;;;;;"}

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import { PermissionCriteria, AuthorizeRequest, AuthorizeResult, PermissionCondition } from '@backstage/plugin-permission-common';
-import { BackstageIdentity } from '@backstage/plugin-auth-backend';
+import { BackstageIdentityResponse } from '@backstage/plugin-auth-backend';
 import { Router } from 'express';
 
 /**
@@ -112,7 +112,7 @@ declare type PolicyDecision = {
  * @public
  */
 interface PermissionPolicy {
-    handle(request: PolicyAuthorizeRequest, user?: BackstageIdentity): Promise<PolicyDecision>;
+    handle(request: PolicyAuthorizeRequest, user?: BackstageIdentityResponse): Promise<PolicyDecision>;
 }
 
 /**
@@ -221,9 +221,10 @@ declare type ApplyConditionsResponse = {
  * This is used to construct the `createPermissionIntegrationRouter`, a function to add an
  * authorization route to your backend plugin. This route will be called by the `permission-backend`
  * when authorization conditions relating to this plugin need to be evaluated.
+ *
  * @public
  */
-declare const createPermissionIntegrationRouter: <TResource>({ resourceType, rules, getResource, }: {
+declare const createPermissionIntegrationRouter: <TResource>(options: {
     resourceType: string;
     rules: PermissionRule<TResource, any, unknown[]>[];
     getResource: (resourceRef: string) => Promise<TResource | undefined>;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-permission-node",
   "description": "Common permission and authorization utilities for backend plugins",
-  "version": "0.0.0-nightly-202111222339",
+  "version": "0.2.1",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -29,18 +29,19 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/plugin-auth-backend": "^0.0.0-nightly-202111222339",
-    "@backstage/plugin-permission-common": "^0.0.0-nightly-202111222339",
+    "@backstage/plugin-auth-backend": "^0.5.0",
+    "@backstage/plugin-permission-common": "^0.2.0",
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
     "zod": "^3.11.6"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.0.0-nightly-202111222339",
+    "@backstage/cli": "^0.10.1",
     "@types/supertest": "^2.0.8",
     "supertest": "^6.1.3"
   },
   "files": [
     "dist"
-  ]
+  ],
+  "gitHead": "562be0b43016294e27af3ad024191bb86b13b1c1"
 }