npm - @backstage/plugin-permission-node - Versions diffs - 0.2.3 → 0.4.1 - Mend

@backstage/plugin-permission-node 0.2.3 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,64 @@
 # @backstage/plugin-permission-node
+## 0.4.1
+### Patch Changes
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.8.0
+  - @backstage/backend-common@0.10.5
+## 0.4.0
+### Minor Changes
+- 0ae4f4cc82: **BREAKING**: `PolicyAuthorizeRequest` type has been renamed to `PolicyAuthorizeQuery`.
+  **BREAKING**: Update to use renamed request and response types from @backstage/plugin-permission-common.
+### Patch Changes
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.7.0
+  - @backstage/plugin-permission-common@0.4.0
+  - @backstage/backend-common@0.10.4
+  - @backstage/config@0.1.13
+## 0.4.0-next.0
+### Minor Changes
+- 0ae4f4cc82: **BREAKING**: `PolicyAuthorizeRequest` type has been renamed to `PolicyAuthorizeQuery`.
+  **BREAKING**: Update to use renamed request and response types from @backstage/plugin-permission-common.
+### Patch Changes
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.7.0-next.0
+  - @backstage/plugin-permission-common@0.4.0-next.0
+  - @backstage/backend-common@0.10.4-next.0
+  - @backstage/config@0.1.13-next.0
+## 0.3.0
+### Minor Changes
+- 419ca637c0: Optimizations to the integration between the permission backend and plugin-backends using createPermissionIntegrationRouter:
+  - The permission backend already supported batched requests to authorize, but would make calls to plugin backend to apply conditions serially. Now, after applying the policy for each authorization request, the permission backend makes a single batched /apply-conditions request to each plugin backend referenced in policy decisions.
+  - The `getResource` method accepted by `createPermissionIntegrationRouter` has been replaced with `getResources`, to allow consumers to make batch requests to upstream data stores. When /apply-conditions is called with a batch of requests, all required resources are requested in a single invocation of `getResources`.
+  Plugin owners consuming `createPermissionIntegrationRouter` should replace the `getResource` method in the options with a `getResources` method, accepting an array of resourceRefs, and returning an array of the corresponding resources.
+### Patch Changes
+- 9db1b86f32: Add helpers for creating PermissionRules with inferred types
+- Updated dependencies
+  - @backstage/config@0.1.12
+  - @backstage/backend-common@0.10.3
+  - @backstage/plugin-auth-backend@0.6.2
+  - @backstage/errors@0.2.0
+  - @backstage/plugin-permission-common@0.3.1
 ## 0.2.3
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -4,11 +4,15 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var pluginPermissionCommon = require('@backstage/plugin-permission-common');
 var express = require('express');
+var Router = require('express-promise-router');
 var zod = require('zod');
+var errors = require('@backstage/errors');
+var backendCommon = require('@backstage/backend-common');
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
+var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 const createConditionFactory = (rule) => (...params) => ({
   rule: rule.name,
@@ -76,11 +80,17 @@ const permissionCriteriaSchema = zod.z.lazy(() => zod.z.union([
   })
 ]));
 const applyConditionsRequestSchema = zod.z.object({
-  resourceRef: zod.z.string(),
-  resourceType: zod.z.string(),
-  conditions: permissionCriteriaSchema
+  items: zod.z.array(zod.z.object({
+    id: zod.z.string(),
+    resourceRef: zod.z.string(),
+    resourceType: zod.z.string(),
+    conditions: permissionCriteriaSchema
+  }))
 });
 const applyConditions = (criteria, resource, getRule) => {
+  if (resource === void 0) {
+    return false;
+  }
   if (isAndCriteria(criteria)) {
     return criteria.allOf.every((child) => applyConditions(child, resource, getRule));
   } else if (isOrCriteria(criteria)) {
@@ -91,29 +101,43 @@ const applyConditions = (criteria, resource, getRule) => {
   return getRule(criteria.rule).apply(resource, ...criteria.params);
 };
 const createPermissionIntegrationRouter = (options) => {
-  const { resourceType, rules, getResource } = options;
-  const router = express.Router();
+  const { resourceType, rules, getResources } = options;
+  const router = Router__default["default"]();
   const getRule = createGetRule(rules);
-  router.post("/.well-known/backstage/permissions/apply-conditions", express__default["default"].json(), async (req, res) => {
+  const assertValidResourceTypes = (requests) => {
+    const invalidResourceTypes = requests.filter((request) => request.resourceType !== resourceType).map((request) => request.resourceType);
+    if (invalidResourceTypes.length) {
+      throw new errors.InputError(`Unexpected resource types: ${invalidResourceTypes.join(", ")}.`);
+    }
+  };
+  router.use(express__default["default"].json());
+  router.post("/.well-known/backstage/permissions/apply-conditions", async (req, res) => {
     const parseResult = applyConditionsRequestSchema.safeParse(req.body);
     if (!parseResult.success) {
-      return res.status(400).send(`Invalid request body.`);
-    }
-    const { data: body } = parseResult;
-    if (body.resourceType !== resourceType) {
-      return res.status(400).send(`Unexpected resource type: ${body.resourceType}.`);
-    }
-    const resource = await getResource(body.resourceRef);
-    if (!resource) {
-      return res.status(400).send(`Resource for ref ${body.resourceRef} not found.`);
+      throw new errors.InputError(parseResult.error.toString());
     }
+    const body = parseResult.data;
+    assertValidResourceTypes(body.items);
+    const resourceRefs = Array.from(new Set(body.items.map(({ resourceRef }) => resourceRef)));
+    const resourceArray = await getResources(resourceRefs);
+    const resources = resourceRefs.reduce((acc, resourceRef, index) => {
+      acc[resourceRef] = resourceArray[index];
+      return acc;
+    }, {});
     return res.status(200).json({
-      result: applyConditions(body.conditions, resource, getRule) ? pluginPermissionCommon.AuthorizeResult.ALLOW : pluginPermissionCommon.AuthorizeResult.DENY
+      items: body.items.map((request) => ({
+        id: request.id,
+        result: applyConditions(request.conditions, resources[request.resourceRef], getRule) ? pluginPermissionCommon.AuthorizeResult.ALLOW : pluginPermissionCommon.AuthorizeResult.DENY
+      }))
     });
   });
+  router.use(backendCommon.errorHandler());
   return router;
 };
+const createPermissionRule = (rule) => rule;
+const makeCreatePermissionRule = () => (rule) => createPermissionRule(rule);
 class ServerPermissionClient {
   static fromConfig(config, options) {
     var _a;
@@ -134,11 +158,11 @@ class ServerPermissionClient {
     this.tokenManager = options.tokenManager;
     this.permissionEnabled = options.permissionEnabled;
   }
-  async authorize(requests, options) {
+  async authorize(queries, options) {
     if (!this.permissionEnabled || await this.isValidServerToken(options == null ? void 0 : options.token)) {
-      return requests.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
+      return queries.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
     }
-    return this.permissionClient.authorize(requests, options);
+    return this.permissionClient.authorize(queries, options);
   }
   async isValidServerToken(token) {
     if (!token) {
@@ -153,4 +177,6 @@ exports.createConditionExports = createConditionExports;
 exports.createConditionFactory = createConditionFactory;
 exports.createConditionTransformer = createConditionTransformer;
 exports.createPermissionIntegrationRouter = createPermissionIntegrationRouter;
+exports.createPermissionRule = createPermissionRule;
+exports.makeCreatePermissionRule = makeCreatePermissionRule;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionRule } from '../types';\n\n/\n Creates a condition factory function for a given authorization rule and parameter types.\n \n @remarks\n \n For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n \n Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n \n @public\n /\nexport const createConditionFactory =\n <TParams extends any[]>(rule: PermissionRule<unknown, unknown, TParams>) =>\n (...params: TParams) => ({\n rule: rule.name,\n params,\n });\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AuthorizeResult,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { ConditionalPolicyDecision } from '../policy';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/\n A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n \n @public\n /\nexport type Condition<TRule> = TRule extends PermissionRule<\n any,\n any,\n infer TParams\n>\n ? (...params: TParams) => PermissionCondition<TParams>\n : never;\n\n/\n A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n \n @public\n /\nexport type Conditions<\n TRules extends Record<string, PermissionRule<any, any>>,\n> = {\n [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/\n Creates the recommended condition-related exports for a given plugin based on the built-in\n * {@link PermissionRule}s it supports.\n \n @remarks\n \n The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for each of the\n * supplied {@link PermissionRule}s, along with a `createConditions` function which builds the\n * wrapper object needed to enclose conditions when authoring {@link PermissionPolicy} implementations.\n \n Plugin authors should generally call this method with all the built-in {@link PermissionRule}s\n * the plugin supports, and export the resulting `conditions` object and `createConditions`\n * function so that they can be used by {@link PermissionPolicy} authors.\n \n @public\n /\nexport const createConditionExports = <\n TResource,\n TRules extends Record<string, PermissionRule<TResource, any>>,\n>(options: {\n pluginId: string;\n resourceType: string;\n rules: TRules;\n}): {\n conditions: Conditions<TRules>;\n createPolicyDecision: (\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ConditionalPolicyDecision;\n} => {\n const { pluginId, resourceType, rules } = options;\n\n return {\n conditions: Object.entries(rules).reduce(\n (acc, [key, rule]) => ({\n ...acc,\n [key]: createConditionFactory(rule),\n }),\n {} as Conditions<TRules>,\n ),\n createPolicyDecision: (\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ({\n result: AuthorizeResult.CONDITIONAL,\n pluginId,\n resourceType,\n conditions,\n }),\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionCriteria } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\nexport const isAndCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { allOf: PermissionCriteria<unknown>[] } =>\n Object.prototype.hasOwnProperty.call(filter, 'allOf');\n\nexport const isOrCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { anyOf: PermissionCriteria<unknown>[] } =>\n Object.prototype.hasOwnProperty.call(filter, 'anyOf');\n\nexport const isNotCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { not: PermissionCriteria<unknown> } =>\n Object.prototype.hasOwnProperty.call(filter, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery>[],\n) => {\n const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n return (name: string): PermissionRule<TResource, TQuery> => {\n const rule = rulesMap.get(name);\n\n if (!rule) {\n throw new Error(`Unexpected permission rule: ${name}`);\n }\n\n return rule;\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport {\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n criteria: PermissionCriteria<PermissionCondition>,\n getRule: (name: string) => PermissionRule<unknown, TQuery>,\n): PermissionCriteria<TQuery> => {\n if (isAndCriteria(criteria)) {\n return {\n allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n };\n } else if (isOrCriteria(criteria)) {\n return {\n anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n };\n } else if (isNotCriteria(criteria)) {\n return {\n not: mapConditions(criteria.not, getRule),\n };\n }\n\n return getRule(criteria.rule).toQuery(...criteria.params);\n};\n\n/\n A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n \n @public\n /\nexport type ConditionTransformer<TQuery> = (\n conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/\n A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n \n @public\n /\nexport const createConditionTransformer = <\n TQuery,\n TRules extends PermissionRule<any, TQuery>[],\n>(\n permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n const getRule = createGetRule(permissionRules);\n\n return conditions => mapConditions(conditions, getRule);\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express, { Response, Router } from 'express';\nimport { z } from 'zod';\nimport {\n AuthorizeResult,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z.union([\n z.object({ anyOf: z.array(permissionCriteriaSchema) }),\n z.object({ allOf: z.array(permissionCriteriaSchema) }),\n z.object({ not: permissionCriteriaSchema }),\n z.object({\n rule: z.string(),\n params: z.array(z.unknown()),\n }),\n ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n resourceRef: z.string(),\n resourceType: z.string(),\n conditions: permissionCriteriaSchema,\n});\n\n/\n A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n \n @public\n /\nexport type ApplyConditionsRequest = {\n resourceRef: string;\n resourceType: string;\n conditions: PermissionCriteria<PermissionCondition>;\n};\n\n/\n The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n \n @public\n /\nexport type ApplyConditionsResponse = {\n result: AuthorizeResult.ALLOW \| AuthorizeResult.DENY;\n};\n\nconst applyConditions = <TResource>(\n criteria: PermissionCriteria<PermissionCondition>,\n resource: TResource,\n getRule: (name: string) => PermissionRule<TResource, unknown>,\n): boolean => {\n if (isAndCriteria(criteria)) {\n return criteria.allOf.every(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isOrCriteria(criteria)) {\n return criteria.anyOf.some(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isNotCriteria(criteria)) {\n return !applyConditions(criteria.not, resource, getRule);\n }\n\n return getRule(criteria.rule).apply(resource, ...criteria.params);\n};\n\n/\n Create an express Router which provides an authorization route to allow integration between the\n * permission backend and other Backstage backend plugins. Plugin owners that wish to support\n * conditional authorization for their resources should add the router created by this function\n * to their express app inside their `createRouter` implementation.\n \n @remarks\n \n To make this concrete, we can use the Backstage software catalog as an example. The catalog has\n * conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is\n * captured here as `resourceType`, a string identifier (`catalog-entity` in this example) that can\n * be provided with permission definitions. This is merely a _type_ to verify that conditions in an\n * authorization policy are constructed correctly, not a reference to a specific resource.\n \n The `rules` parameter is an array of {@link PermissionRule}s that introduce conditional\n * filtering logic for resources; for the catalog, these are things like `isEntityOwner` or\n * `hasAnnotation`. Rules describe how to filter a list of resources, and the `conditions` returned\n * allow these rules to be applied with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n \n The `getResource` argument should load a resource by reference. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be any serialized format.\n * This is used to construct the `createPermissionIntegrationRouter`, a function to add an\n * authorization route to your backend plugin. This route will be called by the `permission-backend`\n * when authorization conditions relating to this plugin need to be evaluated.\n \n @public\n /\nexport const createPermissionIntegrationRouter = <TResource>(options: {\n resourceType: string;\n rules: PermissionRule<TResource, any>[];\n getResource: (resourceRef: string) => Promise<TResource \| undefined>;\n}): Router => {\n const { resourceType, rules, getResource } = options;\n const router = Router();\n\n const getRule = createGetRule(rules);\n\n router.post(\n '/.well-known/backstage/permissions/apply-conditions',\n express.json(),\n async (\n req,\n res: Response<\n \| {\n result: Omit<AuthorizeResult, AuthorizeResult.CONDITIONAL>;\n }\n \| string\n >,\n ) => {\n const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n if (!parseResult.success) {\n return res.status(400).send(`Invalid request body.`);\n }\n\n const { data: body } = parseResult;\n\n if (body.resourceType !== resourceType) {\n return res\n .status(400)\n .send(`Unexpected resource type: ${body.resourceType}.`);\n }\n\n const resource = await getResource(body.resourceRef);\n\n if (!resource) {\n return res\n .status(400)\n .send(`Resource for ref ${body.resourceRef} not found.`);\n }\n\n return res.status(200).json({\n result: applyConditions(body.conditions, resource, getRule)\n ? AuthorizeResult.ALLOW\n : AuthorizeResult.DENY,\n });\n },\n );\n\n return router;\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n TokenManager,\n PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { Config } from '@backstage/config';\nimport {\n AuthorizeRequest,\n AuthorizeRequestOptions,\n AuthorizeResponse,\n AuthorizeResult,\n PermissionClient,\n PermissionAuthorizer,\n} from '@backstage/plugin-permission-common';\n\n/\n A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * backend-to-backend requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionAuthorizer {\n private readonly permissionClient: PermissionClient;\n private readonly tokenManager: TokenManager;\n private readonly permissionEnabled: boolean;\n\n static fromConfig(\n config: Config,\n options: {\n discovery: PluginEndpointDiscovery;\n tokenManager: TokenManager;\n },\n ) {\n const { discovery, tokenManager } = options;\n const permissionClient = new PermissionClient({ discovery, config });\n const permissionEnabled =\n config.getOptionalBoolean('permission.enabled') ?? false;\n\n if (\n permissionEnabled &&\n (tokenManager as any).isInsecureServerTokenManager\n ) {\n throw new Error(\n 'You must configure at least one key in backend.auth.keys if permissions are enabled.',\n );\n }\n\n return new ServerPermissionClient({\n permissionClient,\n tokenManager,\n permissionEnabled,\n });\n }\n\n private constructor(options: {\n permissionClient: PermissionClient;\n tokenManager: TokenManager;\n permissionEnabled: boolean;\n }) {\n this.permissionClient = options.permissionClient;\n this.tokenManager = options.tokenManager;\n this.permissionEnabled = options.permissionEnabled;\n }\n\n async authorize(\n requests: AuthorizeRequest[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeResponse[]> {\n // Check if permissions are enabled before validating the server token. That\n // way when permissions are disabled, the noop token manager can be used\n // without fouling up the logic inside the ServerPermissionClient, because\n // the code path won't be reached.\n if (\n !this.permissionEnabled \|\|\n (await this.isValidServerToken(options?.token))\n ) {\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n return this.permissionClient.authorize(requests, options);\n }\n\n private async isValidServerToken(\n token: string \| undefined,\n ): Promise<boolean> {\n if (!token) {\n return false;\n }\n return this.tokenManager\n .authenticate(token)\n .then(() => true)\n .catch(() => false);\n }\n}\n"],"names":["AuthorizeResult","z","Router","express","PermissionClient"],"mappings":";;;;;;;;;;;;MAkCa,yBACX,CAAwB,SACxB,IAAI;AAAqB,EACvB,MAAM,KAAK;AAAA,EACX;AAAA;;MC8BS,yBAAyB,CAGpC,YASG;AACH,QAAM,EAAE,UAAU,cAAc,UAAU;AAE1C,SAAO;AAAA,IACL,YAAY,OAAO,QAAQ,OAAO,OAChC,CAAC,KAAK,CAAC,KAAK;AAAW,SAClB;AAAA,OACF,MAAM,uBAAuB;AAAA,QAEhC;AAAA,IAEF,sBAAsB,CACpB;AACI,MACJ,QAAQA,uCAAgB;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA;;MC9EO,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,eAAe,CAC1B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,UACG;AACH,QAAM,WAAW,IAAI,IAAI,OAAO,OAAO,OAAO,IAAI,UAAQ,CAAC,KAAK,MAAM;AAEtE,SAAO,CAAC,SAAoD;AAC1D,UAAM,OAAO,SAAS,IAAI;AAE1B,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+BAA+B;AAAA;AAGjD,WAAO;AAAA;AAAA;;ACnBX,MAAM,gBAAgB,CACpB,UACA,YAC+B;AAC/B,MAAI,cAAc,WAAW;AAC3B,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,aAAa,WAAW;AACjC,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,cAAc,WAAW;AAClC,WAAO;AAAA,MACL,KAAK,cAAc,SAAS,KAAK;AAAA;AAAA;AAIrC,SAAO,QAAQ,SAAS,MAAM,QAAQ,GAAG,SAAS;AAAA;MAuBvC,6BAA6B,CAIxC,oBACiC;AACjC,QAAM,UAAU,cAAc;AAE9B,SAAO,gBAAc,cAAc,YAAY;AAAA;;AC7CjD,MAAM,2BAEFC,MAAE,KAAK,MACTA,MAAE,MAAM;AAAA,EACNA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,KAAK;AAAA,EAChBA,MAAE,OAAO;AAAA,IACP,MAAMA,MAAE;AAAA,IACR,QAAQA,MAAE,MAAMA,MAAE;AAAA;AAAA;AAKxB,MAAM,+BAA+BA,MAAE,OAAO;AAAA,EAC5C,aAAaA,MAAE;AAAA,EACf,cAAcA,MAAE;AAAA,EAChB,YAAY;AAAA;AAyBd,MAAM,kBAAkB,CACtB,UACA,UACA,YACY;AACZ,MAAI,cAAc,WAAW;AAC3B,WAAO,SAAS,MAAM,MAAM,WAC1B,gBAAgB,OAAO,UAAU;AAAA,aAE1B,aAAa,WAAW;AACjC,WAAO,SAAS,MAAM,KAAK,WACzB,gBAAgB,OAAO,UAAU;AAAA,aAE1B,cAAc,WAAW;AAClC,WAAO,CAAC,gBAAgB,SAAS,KAAK,UAAU;AAAA;AAGlD,SAAO,QAAQ,SAAS,MAAM,MAAM,UAAU,GAAG,SAAS;AAAA;MA+B/C,oCAAoC,CAAY,YAI/C;AACZ,QAAM,EAAE,cAAc,OAAO,gBAAgB;AAC7C,QAAM,SAASC;AAEf,QAAM,UAAU,cAAc;AAE9B,SAAO,KACL,uDACAC,4BAAQ,QACR,OACE,KACA,QAMG;AACH,UAAM,cAAc,6BAA6B,UAAU,IAAI;AAE/D,QAAI,CAAC,YAAY,SAAS;AACxB,aAAO,IAAI,OAAO,KAAK,KAAK;AAAA;AAG9B,UAAM,EAAE,MAAM,SAAS;AAEvB,QAAI,KAAK,iBAAiB,cAAc;AACtC,aAAO,IACJ,OAAO,KACP,KAAK,6BAA6B,KAAK;AAAA;AAG5C,UAAM,WAAW,MAAM,YAAY,KAAK;AAExC,QAAI,CAAC,UAAU;AACb,aAAO,IACJ,OAAO,KACP,KAAK,oBAAoB,KAAK;AAAA;AAGnC,WAAO,IAAI,OAAO,KAAK,KAAK;AAAA,MAC1B,QAAQ,gBAAgB,KAAK,YAAY,UAAU,WAC/CH,uCAAgB,QAChBA,uCAAgB;AAAA;AAAA;AAK1B,SAAO;AAAA;;6BCzI2D;AAAA,SAK3D,WACL,QACA,SAIA;AA/CJ;AAgDI,UAAM,EAAE,WAAW,iBAAiB;AACpC,UAAM,mBAAmB,IAAII,wCAAiB,EAAE,WAAW;AAC3D,UAAM,oBACJ,aAAO,mBAAmB,0BAA1B,YAAmD;AAErD,QACE,qBACC,aAAqB,8BACtB;AACA,YAAM,IAAI,MACR;AAAA;AAIJ,WAAO,IAAI,uBAAuB;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA,EAII,YAAY,SAIjB;AACD,SAAK,mBAAmB,QAAQ;AAChC,SAAK,eAAe,QAAQ;AAC5B,SAAK,oBAAoB,QAAQ;AAAA;AAAA,QAG7B,UACJ,UACA,SAC8B;AAK9B,QACE,CAAC,KAAK,qBACL,MAAM,KAAK,mBAAmB,mCAAS,QACxC;AACA,aAAO,SAAS,IAAI,UAAQ,QAAQJ,uCAAgB;AAAA;AAEtD,WAAO,KAAK,iBAAiB,UAAU,UAAU;AAAA;AAAA,QAGrC,mBACZ,OACkB;AAClB,QAAI,CAAC,OAAO;AACV,aAAO;AAAA;AAET,WAAO,KAAK,aACT,aAAa,OACb,KAAK,MAAM,MACX,MAAM,MAAM;AAAA;AAAA;;;;;;;;"}
1	+ {"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/integration/createPermissionRule.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionRule } from '../types';\n\n/\n Creates a condition factory function for a given authorization rule and parameter types.\n \n @remarks\n \n For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n \n Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n \n @public\n /\nexport const createConditionFactory =\n <TParams extends any[]>(rule: PermissionRule<unknown, unknown, TParams>) =>\n (...params: TParams) => ({\n rule: rule.name,\n params,\n });\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AuthorizeResult,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { ConditionalPolicyDecision } from '../policy';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/\n A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n \n @public\n /\nexport type Condition<TRule> = TRule extends PermissionRule<\n any,\n any,\n infer TParams\n>\n ? (...params: TParams) => PermissionCondition<TParams>\n : never;\n\n/\n A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n \n @public\n /\nexport type Conditions<\n TRules extends Record<string, PermissionRule<any, any>>,\n> = {\n [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/\n Creates the recommended condition-related exports for a given plugin based on the built-in\n * {@link PermissionRule}s it supports.\n \n @remarks\n \n The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for each of the\n * supplied {@link PermissionRule}s, along with a `createConditions` function which builds the\n * wrapper object needed to enclose conditions when authoring {@link PermissionPolicy} implementations.\n \n Plugin authors should generally call this method with all the built-in {@link PermissionRule}s\n * the plugin supports, and export the resulting `conditions` object and `createConditions`\n * function so that they can be used by {@link PermissionPolicy} authors.\n \n @public\n /\nexport const createConditionExports = <\n TResource,\n TRules extends Record<string, PermissionRule<TResource, any>>,\n>(options: {\n pluginId: string;\n resourceType: string;\n rules: TRules;\n}): {\n conditions: Conditions<TRules>;\n createPolicyDecision: (\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ConditionalPolicyDecision;\n} => {\n const { pluginId, resourceType, rules } = options;\n\n return {\n conditions: Object.entries(rules).reduce(\n (acc, [key, rule]) => ({\n ...acc,\n [key]: createConditionFactory(rule),\n }),\n {} as Conditions<TRules>,\n ),\n createPolicyDecision: (\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ({\n result: AuthorizeResult.CONDITIONAL,\n pluginId,\n resourceType,\n conditions,\n }),\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionCriteria } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\nexport const isAndCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { allOf: PermissionCriteria<unknown>[] } =>\n Object.prototype.hasOwnProperty.call(filter, 'allOf');\n\nexport const isOrCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { anyOf: PermissionCriteria<unknown>[] } =>\n Object.prototype.hasOwnProperty.call(filter, 'anyOf');\n\nexport const isNotCriteria = (\n filter: PermissionCriteria<unknown>,\n): filter is { not: PermissionCriteria<unknown> } =>\n Object.prototype.hasOwnProperty.call(filter, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery>[],\n) => {\n const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n return (name: string): PermissionRule<TResource, TQuery> => {\n const rule = rulesMap.get(name);\n\n if (!rule) {\n throw new Error(`Unexpected permission rule: ${name}`);\n }\n\n return rule;\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport {\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n criteria: PermissionCriteria<PermissionCondition>,\n getRule: (name: string) => PermissionRule<unknown, TQuery>,\n): PermissionCriteria<TQuery> => {\n if (isAndCriteria(criteria)) {\n return {\n allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n };\n } else if (isOrCriteria(criteria)) {\n return {\n anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n };\n } else if (isNotCriteria(criteria)) {\n return {\n not: mapConditions(criteria.not, getRule),\n };\n }\n\n return getRule(criteria.rule).toQuery(...criteria.params);\n};\n\n/\n A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n \n @public\n /\nexport type ConditionTransformer<TQuery> = (\n conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/\n A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n \n @public\n /\nexport const createConditionTransformer = <\n TQuery,\n TRules extends PermissionRule<any, TQuery>[],\n>(\n permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n const getRule = createGetRule(permissionRules);\n\n return conditions => mapConditions(conditions, getRule);\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express, { Response } from 'express';\nimport Router from 'express-promise-router';\nimport { z } from 'zod';\nimport { InputError } from '@backstage/errors';\nimport { errorHandler } from '@backstage/backend-common';\nimport {\n AuthorizeResult,\n Identified,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\nimport { DefinitivePolicyDecision } from '../policy/types';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z.union([\n z.object({ anyOf: z.array(permissionCriteriaSchema) }),\n z.object({ allOf: z.array(permissionCriteriaSchema) }),\n z.object({ not: permissionCriteriaSchema }),\n z.object({\n rule: z.string(),\n params: z.array(z.unknown()),\n }),\n ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n items: z.array(\n z.object({\n id: z.string(),\n resourceRef: z.string(),\n resourceType: z.string(),\n conditions: permissionCriteriaSchema,\n }),\n ),\n});\n\n/\n A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n \n @public\n /\nexport type ApplyConditionsRequestEntry = Identified<{\n resourceRef: string;\n resourceType: string;\n conditions: PermissionCriteria<PermissionCondition>;\n}>;\n\n/\n A batch of {@link ApplyConditionsRequestEntry} objects.\n \n @public\n /\nexport type ApplyConditionsRequest = {\n items: ApplyConditionsRequestEntry[];\n};\n\n/\n The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n \n @public\n /\nexport type ApplyConditionsResponseEntry = Identified<DefinitivePolicyDecision>;\n\n/\n A batch of {@link ApplyConditionsResponseEntry} objects.\n \n @public\n /\nexport type ApplyConditionsResponse = {\n items: ApplyConditionsResponseEntry[];\n};\n\nconst applyConditions = <TResource>(\n criteria: PermissionCriteria<PermissionCondition>,\n resource: TResource \| undefined,\n getRule: (name: string) => PermissionRule<TResource, unknown>,\n): boolean => {\n // If resource was not found, deny. This avoids leaking information from the\n // apply-conditions API which would allow a user to differentiate between\n // non-existent resources and resources to which they do not have access.\n if (resource === undefined) {\n return false;\n }\n\n if (isAndCriteria(criteria)) {\n return criteria.allOf.every(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isOrCriteria(criteria)) {\n return criteria.anyOf.some(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isNotCriteria(criteria)) {\n return !applyConditions(criteria.not, resource, getRule);\n }\n\n return getRule(criteria.rule).apply(resource, ...criteria.params);\n};\n\n/\n Create an express Router which provides an authorization route to allow\n * integration between the permission backend and other Backstage backend\n * plugins. Plugin owners that wish to support conditional authorization for\n * their resources should add the router created by this function to their\n * express app inside their `createRouter` implementation.\n \n @remarks\n \n To make this concrete, we can use the Backstage software catalog as an\n * example. The catalog has conditional rules around access to specific\n * _entities_ in the catalog. The _type_ of resource is captured here as\n * `resourceType`, a string identifier (`catalog-entity` in this example) that\n * can be provided with permission definitions. This is merely a _type_ to\n * verify that conditions in an authorization policy are constructed correctly,\n * not a reference to a specific resource.\n \n The `rules` parameter is an array of {@link PermissionRule}s that introduce\n * conditional filtering logic for resources; for the catalog, these are things\n * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list\n * of resources, and the `conditions` returned allow these rules to be applied\n * with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n \n The `getResources` argument should load resources based on a reference\n * identifier. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be\n * any serialized format. This is used to construct the\n * `createPermissionIntegrationRouter`, a function to add an authorization route\n * to your backend plugin. This function will be called by the\n * `permission-backend` when authorization conditions relating to this plugin\n * need to be evaluated.\n \n @public\n /\nexport const createPermissionIntegrationRouter = <TResource>(options: {\n resourceType: string;\n rules: PermissionRule<TResource, any>[];\n getResources: (\n resourceRefs: string[],\n ) => Promise<Array<TResource \| undefined>>;\n}): express.Router => {\n const { resourceType, rules, getResources } = options;\n const router = Router();\n\n const getRule = createGetRule(rules);\n\n const assertValidResourceTypes = (\n requests: ApplyConditionsRequestEntry[],\n ) => {\n const invalidResourceTypes = requests\n .filter(request => request.resourceType !== resourceType)\n .map(request => request.resourceType);\n\n if (invalidResourceTypes.length) {\n throw new InputError(\n `Unexpected resource types: ${invalidResourceTypes.join(', ')}.`,\n );\n }\n };\n\n router.use(express.json());\n\n router.post(\n '/.well-known/backstage/permissions/apply-conditions',\n async (req, res: Response<ApplyConditionsResponse \| string>) => {\n const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n if (!parseResult.success) {\n throw new InputError(parseResult.error.toString());\n }\n\n const body = parseResult.data;\n\n assertValidResourceTypes(body.items);\n\n const resourceRefs = Array.from(\n new Set(body.items.map(({ resourceRef }) => resourceRef)),\n );\n const resourceArray = await getResources(resourceRefs);\n const resources = resourceRefs.reduce((acc, resourceRef, index) => {\n acc[resourceRef] = resourceArray[index];\n\n return acc;\n }, {} as Record<string, TResource \| undefined>);\n\n return res.status(200).json({\n items: body.items.map(request => ({\n id: request.id,\n result: applyConditions(\n request.conditions,\n resources[request.resourceRef],\n getRule,\n )\n ? AuthorizeResult.ALLOW\n : AuthorizeResult.DENY,\n })),\n });\n },\n );\n\n router.use(errorHandler());\n\n return router;\n};\n","/\n * Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionRule } from '../types';\n\n/\n Helper function to ensure that {@link PermissionRule} definitions are typed correctly.\n \n @public\n /\nexport const createPermissionRule = <\n TResource,\n TQuery,\n TParams extends unknown[],\n>(\n rule: PermissionRule<TResource, TQuery, TParams>,\n) => rule;\n\n/\n Helper for making plugin-specific createPermissionRule functions, that have\n * the TResource and TQuery type parameters populated but infer the params from\n * the supplied rule. This helps ensure that rules created for this plugin use\n * consistent types for the resource and query.\n \n @public\n /\nexport const makeCreatePermissionRule =\n <TResource, TQuery>() =>\n <TParams extends unknown[]>(\n rule: PermissionRule<TResource, TQuery, TParams>,\n ) =>\n createPermissionRule(rule);\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n TokenManager,\n PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { Config } from '@backstage/config';\nimport {\n AuthorizeQuery,\n AuthorizeRequestOptions,\n AuthorizeDecision,\n AuthorizeResult,\n PermissionClient,\n PermissionAuthorizer,\n} from '@backstage/plugin-permission-common';\n\n/\n A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * backend-to-backend requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionAuthorizer {\n private readonly permissionClient: PermissionClient;\n private readonly tokenManager: TokenManager;\n private readonly permissionEnabled: boolean;\n\n static fromConfig(\n config: Config,\n options: {\n discovery: PluginEndpointDiscovery;\n tokenManager: TokenManager;\n },\n ) {\n const { discovery, tokenManager } = options;\n const permissionClient = new PermissionClient({ discovery, config });\n const permissionEnabled =\n config.getOptionalBoolean('permission.enabled') ?? false;\n\n if (\n permissionEnabled &&\n (tokenManager as any).isInsecureServerTokenManager\n ) {\n throw new Error(\n 'You must configure at least one key in backend.auth.keys if permissions are enabled.',\n );\n }\n\n return new ServerPermissionClient({\n permissionClient,\n tokenManager,\n permissionEnabled,\n });\n }\n\n private constructor(options: {\n permissionClient: PermissionClient;\n tokenManager: TokenManager;\n permissionEnabled: boolean;\n }) {\n this.permissionClient = options.permissionClient;\n this.tokenManager = options.tokenManager;\n this.permissionEnabled = options.permissionEnabled;\n }\n\n async authorize(\n queries: AuthorizeQuery[],\n options?: AuthorizeRequestOptions,\n ): Promise<AuthorizeDecision[]> {\n // Check if permissions are enabled before validating the server token. That\n // way when permissions are disabled, the noop token manager can be used\n // without fouling up the logic inside the ServerPermissionClient, because\n // the code path won't be reached.\n if (\n !this.permissionEnabled \|\|\n (await this.isValidServerToken(options?.token))\n ) {\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n return this.permissionClient.authorize(queries, options);\n }\n\n private async isValidServerToken(\n token: string \| undefined,\n ): Promise<boolean> {\n if (!token) {\n return false;\n }\n return this.tokenManager\n .authenticate(token)\n .then(() => true)\n .catch(() => false);\n }\n}\n"],"names":["AuthorizeResult","z","Router","InputError","express","errorHandler","PermissionClient"],"mappings":";;;;;;;;;;;;;;;;MAkCa,yBACX,CAAwB,SACxB,IAAI;AAAqB,EACvB,MAAM,KAAK;AAAA,EACX;AAAA;;MC8BS,yBAAyB,CAGpC,YASG;AACH,QAAM,EAAE,UAAU,cAAc,UAAU;AAE1C,SAAO;AAAA,IACL,YAAY,OAAO,QAAQ,OAAO,OAChC,CAAC,KAAK,CAAC,KAAK;AAAW,SAClB;AAAA,OACF,MAAM,uBAAuB;AAAA,QAEhC;AAAA,IAEF,sBAAsB,CACpB;AACI,MACJ,QAAQA,uCAAgB;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA;;MC9EO,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,eAAe,CAC1B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,WAEA,OAAO,UAAU,eAAe,KAAK,QAAQ;MAElC,gBAAgB,CAC3B,UACG;AACH,QAAM,WAAW,IAAI,IAAI,OAAO,OAAO,OAAO,IAAI,UAAQ,CAAC,KAAK,MAAM;AAEtE,SAAO,CAAC,SAAoD;AAC1D,UAAM,OAAO,SAAS,IAAI;AAE1B,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+BAA+B;AAAA;AAGjD,WAAO;AAAA;AAAA;;ACnBX,MAAM,gBAAgB,CACpB,UACA,YAC+B;AAC/B,MAAI,cAAc,WAAW;AAC3B,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,aAAa,WAAW;AACjC,WAAO;AAAA,MACL,OAAO,SAAS,MAAM,IAAI,WAAS,cAAc,OAAO;AAAA;AAAA,aAEjD,cAAc,WAAW;AAClC,WAAO;AAAA,MACL,KAAK,cAAc,SAAS,KAAK;AAAA;AAAA;AAIrC,SAAO,QAAQ,SAAS,MAAM,QAAQ,GAAG,SAAS;AAAA;MAuBvC,6BAA6B,CAIxC,oBACiC;AACjC,QAAM,UAAU,cAAc;AAE9B,SAAO,gBAAc,cAAc,YAAY;AAAA;;ACxCjD,MAAM,2BAEFC,MAAE,KAAK,MACTA,MAAE,MAAM;AAAA,EACNA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,OAAOA,MAAE,MAAM;AAAA,EAC1BA,MAAE,OAAO,EAAE,KAAK;AAAA,EAChBA,MAAE,OAAO;AAAA,IACP,MAAMA,MAAE;AAAA,IACR,QAAQA,MAAE,MAAMA,MAAE;AAAA;AAAA;AAKxB,MAAM,+BAA+BA,MAAE,OAAO;AAAA,EAC5C,OAAOA,MAAE,MACPA,MAAE,OAAO;AAAA,IACP,IAAIA,MAAE;AAAA,IACN,aAAaA,MAAE;AAAA,IACf,cAAcA,MAAE;AAAA,IAChB,YAAY;AAAA;AAAA;AA2ClB,MAAM,kBAAkB,CACtB,UACA,UACA,YACY;AAIZ,MAAI,aAAa,QAAW;AAC1B,WAAO;AAAA;AAGT,MAAI,cAAc,WAAW;AAC3B,WAAO,SAAS,MAAM,MAAM,WAC1B,gBAAgB,OAAO,UAAU;AAAA,aAE1B,aAAa,WAAW;AACjC,WAAO,SAAS,MAAM,KAAK,WACzB,gBAAgB,OAAO,UAAU;AAAA,aAE1B,cAAc,WAAW;AAClC,WAAO,CAAC,gBAAgB,SAAS,KAAK,UAAU;AAAA;AAGlD,SAAO,QAAQ,SAAS,MAAM,MAAM,UAAU,GAAG,SAAS;AAAA;MAsC/C,oCAAoC,CAAY,YAMvC;AACpB,QAAM,EAAE,cAAc,OAAO,iBAAiB;AAC9C,QAAM,SAASC;AAEf,QAAM,UAAU,cAAc;AAE9B,QAAM,2BAA2B,CAC/B,aACG;AACH,UAAM,uBAAuB,SAC1B,OAAO,aAAW,QAAQ,iBAAiB,cAC3C,IAAI,aAAW,QAAQ;AAE1B,QAAI,qBAAqB,QAAQ;AAC/B,YAAM,IAAIC,kBACR,8BAA8B,qBAAqB,KAAK;AAAA;AAAA;AAK9D,SAAO,IAAIC,4BAAQ;AAEnB,SAAO,KACL,uDACA,OAAO,KAAK,QAAoD;AAC9D,UAAM,cAAc,6BAA6B,UAAU,IAAI;AAE/D,QAAI,CAAC,YAAY,SAAS;AACxB,YAAM,IAAID,kBAAW,YAAY,MAAM;AAAA;AAGzC,UAAM,OAAO,YAAY;AAEzB,6BAAyB,KAAK;AAE9B,UAAM,eAAe,MAAM,KACzB,IAAI,IAAI,KAAK,MAAM,IAAI,CAAC,EAAE,kBAAkB;AAE9C,UAAM,gBAAgB,MAAM,aAAa;AACzC,UAAM,YAAY,aAAa,OAAO,CAAC,KAAK,aAAa,UAAU;AACjE,UAAI,eAAe,cAAc;AAEjC,aAAO;AAAA,OACN;AAEH,WAAO,IAAI,OAAO,KAAK,KAAK;AAAA,MAC1B,OAAO,KAAK,MAAM,IAAI;AAAY,QAChC,IAAI,QAAQ;AAAA,QACZ,QAAQ,gBACN,QAAQ,YACR,UAAU,QAAQ,cAClB,WAEEH,uCAAgB,QAChBA,uCAAgB;AAAA;AAAA;AAAA;AAM5B,SAAO,IAAIK;AAEX,SAAO;AAAA;;MC9MI,uBAAuB,CAKlC,SACG;MAUQ,2BACX,MACA,CACE,SAEA,qBAAqB;;6BCR2C;AAAA,SAK3D,WACL,QACA,SAIA;AA/CJ;AAgDI,UAAM,EAAE,WAAW,iBAAiB;AACpC,UAAM,mBAAmB,IAAIC,wCAAiB,EAAE,WAAW;AAC3D,UAAM,oBACJ,aAAO,mBAAmB,0BAA1B,YAAmD;AAErD,QACE,qBACC,aAAqB,8BACtB;AACA,YAAM,IAAI,MACR;AAAA;AAIJ,WAAO,IAAI,uBAAuB;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA,EAII,YAAY,SAIjB;AACD,SAAK,mBAAmB,QAAQ;AAChC,SAAK,eAAe,QAAQ;AAC5B,SAAK,oBAAoB,QAAQ;AAAA;AAAA,QAG7B,UACJ,SACA,SAC8B;AAK9B,QACE,CAAC,KAAK,qBACL,MAAM,KAAK,mBAAmB,mCAAS,QACxC;AACA,aAAO,QAAQ,IAAI,UAAQ,QAAQN,uCAAgB;AAAA;AAErD,WAAO,KAAK,iBAAiB,UAAU,SAAS;AAAA;AAAA,QAGpC,mBACZ,OACkB;AAClB,QAAI,CAAC,OAAO;AACV,aAAO;AAAA;AAET,WAAO,KAAK,aACT,aAAa,OACb,KAAK,MAAM,MACX,MAAM,MAAM;AAAA;AAAA;;;;;;;;;;"}

package/dist/index.d.ts CHANGED Viewed

@@ -1,12 +1,12 @@
-import { PermissionCriteria, AuthorizeRequest, AuthorizeResult, PermissionCondition, PermissionAuthorizer, AuthorizeRequestOptions, AuthorizeResponse } from '@backstage/plugin-permission-common';
+import { PermissionCriteria, AuthorizeQuery, AuthorizeResult, PermissionCondition, Identified, PermissionAuthorizer, AuthorizeRequestOptions, AuthorizeDecision } from '@backstage/plugin-permission-common';
 import { BackstageIdentityResponse } from '@backstage/plugin-auth-backend';
-import { Router } from 'express';
+import express from 'express';
 import { PluginEndpointDiscovery, TokenManager } from '@backstage/backend-common';
 import { Config } from '@backstage/config';
 /**
  * A conditional rule that can be provided in an
- * {@link @backstage/permission-common#AuthorizeResult} response to an authorization request.
+ * {@link @backstage/permission-common#AuthorizeDecision} response to an authorization request.
  *
  * @remarks
  *
@@ -63,13 +63,25 @@ declare const createConditionFactory: <TParams extends any[]>(rule: PermissionRu
  *
  * @remarks
  *
- * This differs from {@link @backstage/permission-common#AuthorizeRequest} in that `resourceRef`
+ * This differs from {@link @backstage/permission-common#AuthorizeQuery} in that `resourceRef`
  * should never be provided. This forces policies to be written in a way that's compatible with
  * filtering collections of resources at data load time.
  *
  * @public
  */
-declare type PolicyAuthorizeRequest = Omit<AuthorizeRequest, 'resourceRef'>;
+declare type PolicyAuthorizeQuery = Omit<AuthorizeQuery, 'resourceRef'>;
+/**
+ * A definitive result to an authorization request, returned by the {@link PermissionPolicy}.
+ *
+ * @remarks
+ *
+ * This indicates that the policy unconditionally allows (or denies) the request.
+ *
+ * @public
+ */
+declare type DefinitivePolicyDecision = {
+    result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
+};
 /**
  * A conditional result to an authorization request, returned by the {@link PermissionPolicy}.
  *
@@ -79,7 +91,7 @@ declare type PolicyAuthorizeRequest = Omit<AuthorizeRequest, 'resourceRef'>;
  * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin
  * which knows about the referenced permission rules.
  *
- * Similar to {@link @backstage/permission-common#AuthorizeResult}, but with the plugin and resource
+ * Similar to {@link @backstage/permission-common#AuthorizeDecision}, but with the plugin and resource
  * identifiers needed to evaluate the returned conditions.
  * @public
  */
@@ -94,9 +106,7 @@ declare type ConditionalPolicyDecision = {
  *
  * @public
  */
-declare type PolicyDecision = {
-    result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
-} | ConditionalPolicyDecision;
+declare type PolicyDecision = DefinitivePolicyDecision | ConditionalPolicyDecision;
 /**
  * A policy to evaluate authorization requests for any permissioned action performed in Backstage.
  *
@@ -114,7 +124,7 @@ declare type PolicyDecision = {
  * @public
  */
 interface PermissionPolicy {
-    handle(request: PolicyAuthorizeRequest, user?: BackstageIdentityResponse): Promise<PolicyDecision>;
+    handle(request: PolicyAuthorizeQuery, user?: BackstageIdentityResponse): Promise<PolicyDecision>;
 }
 /**
@@ -184,10 +194,18 @@ declare const createConditionTransformer: <TQuery, TRules extends PermissionRule
  *
  * @public
  */
-declare type ApplyConditionsRequest = {
+declare type ApplyConditionsRequestEntry = Identified<{
     resourceRef: string;
     resourceType: string;
     conditions: PermissionCriteria<PermissionCondition>;
+}>;
+/**
+ * A batch of {@link ApplyConditionsRequestEntry} objects.
+ *
+ * @public
+ */
+declare type ApplyConditionsRequest = {
+    items: ApplyConditionsRequestEntry[];
 };
 /**
  * The result of applying the conditions, expressed as a definitive authorize
@@ -195,42 +213,71 @@ declare type ApplyConditionsRequest = {
  *
  * @public
  */
+declare type ApplyConditionsResponseEntry = Identified<DefinitivePolicyDecision>;
+/**
+ * A batch of {@link ApplyConditionsResponseEntry} objects.
+ *
+ * @public
+ */
 declare type ApplyConditionsResponse = {
-    result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
+    items: ApplyConditionsResponseEntry[];
 };
 /**
- * Create an express Router which provides an authorization route to allow integration between the
- * permission backend and other Backstage backend plugins. Plugin owners that wish to support
- * conditional authorization for their resources should add the router created by this function
- * to their express app inside their `createRouter` implementation.
+ * Create an express Router which provides an authorization route to allow
+ * integration between the permission backend and other Backstage backend
+ * plugins. Plugin owners that wish to support conditional authorization for
+ * their resources should add the router created by this function to their
+ * express app inside their `createRouter` implementation.
  *
  * @remarks
  *
- * To make this concrete, we can use the Backstage software catalog as an example. The catalog has
- * conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is
- * captured here as `resourceType`, a string identifier (`catalog-entity` in this example) that can
- * be provided with permission definitions. This is merely a _type_ to verify that conditions in an
- * authorization policy are constructed correctly, not a reference to a specific resource.
- *
- * The `rules` parameter is an array of {@link PermissionRule}s that introduce conditional
- * filtering logic for resources; for the catalog, these are things like `isEntityOwner` or
- * `hasAnnotation`. Rules describe how to filter a list of resources, and the `conditions` returned
- * allow these rules to be applied with specific parameters (such as 'group:default/team-a', or
+ * To make this concrete, we can use the Backstage software catalog as an
+ * example. The catalog has conditional rules around access to specific
+ * _entities_ in the catalog. The _type_ of resource is captured here as
+ * `resourceType`, a string identifier (`catalog-entity` in this example) that
+ * can be provided with permission definitions. This is merely a _type_ to
+ * verify that conditions in an authorization policy are constructed correctly,
+ * not a reference to a specific resource.
+ *
+ * The `rules` parameter is an array of {@link PermissionRule}s that introduce
+ * conditional filtering logic for resources; for the catalog, these are things
+ * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list
+ * of resources, and the `conditions` returned allow these rules to be applied
+ * with specific parameters (such as 'group:default/team-a', or
  * 'backstage.io/edit-url').
  *
- * The `getResource` argument should load a resource by reference. For the catalog, this is an
- * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be any serialized format.
- * This is used to construct the `createPermissionIntegrationRouter`, a function to add an
- * authorization route to your backend plugin. This route will be called by the `permission-backend`
- * when authorization conditions relating to this plugin need to be evaluated.
+ * The `getResources` argument should load resources based on a reference
+ * identifier. For the catalog, this is an
+ * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be
+ * any serialized format. This is used to construct the
+ * `createPermissionIntegrationRouter`, a function to add an authorization route
+ * to your backend plugin. This function will be called by the
+ * `permission-backend` when authorization conditions relating to this plugin
+ * need to be evaluated.
  *
  * @public
  */
 declare const createPermissionIntegrationRouter: <TResource>(options: {
     resourceType: string;
     rules: PermissionRule<TResource, any, unknown[]>[];
-    getResource: (resourceRef: string) => Promise<TResource | undefined>;
-}) => Router;
+    getResources: (resourceRefs: string[]) => Promise<(TResource | undefined)[]>;
+}) => express.Router;
+/**
+ * Helper function to ensure that {@link PermissionRule} definitions are typed correctly.
+ *
+ * @public
+ */
+declare const createPermissionRule: <TResource, TQuery, TParams extends unknown[]>(rule: PermissionRule<TResource, TQuery, TParams>) => PermissionRule<TResource, TQuery, TParams>;
+/**
+ * Helper for making plugin-specific createPermissionRule functions, that have
+ * the TResource and TQuery type parameters populated but infer the params from
+ * the supplied rule. This helps ensure that rules created for this plugin use
+ * consistent types for the resource and query.
+ *
+ * @public
+ */
+declare const makeCreatePermissionRule: <TResource, TQuery>() => <TParams extends unknown[]>(rule: PermissionRule<TResource, TQuery, TParams>) => PermissionRule<TResource, TQuery, TParams>;
 /**
  * A thin wrapper around
@@ -247,8 +294,8 @@ declare class ServerPermissionClient implements PermissionAuthorizer {
         tokenManager: TokenManager;
     }): ServerPermissionClient;
     private constructor();
-    authorize(requests: AuthorizeRequest[], options?: AuthorizeRequestOptions): Promise<AuthorizeResponse[]>;
+    authorize(queries: AuthorizeQuery[], options?: AuthorizeRequestOptions): Promise<AuthorizeDecision[]>;
     private isValidServerToken;
 }
-export { ApplyConditionsRequest, ApplyConditionsResponse, Condition, ConditionTransformer, ConditionalPolicyDecision, Conditions, PermissionPolicy, PermissionRule, PolicyAuthorizeRequest, PolicyDecision, ServerPermissionClient, createConditionExports, createConditionFactory, createConditionTransformer, createPermissionIntegrationRouter };
+export { ApplyConditionsRequest, ApplyConditionsRequestEntry, ApplyConditionsResponse, ApplyConditionsResponseEntry, Condition, ConditionTransformer, ConditionalPolicyDecision, Conditions, DefinitivePolicyDecision, PermissionPolicy, PermissionRule, PolicyAuthorizeQuery, PolicyDecision, ServerPermissionClient, createConditionExports, createConditionFactory, createConditionTransformer, createPermissionIntegrationRouter, createPermissionRule, makeCreatePermissionRule };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-permission-node",
   "description": "Common permission and authorization utilities for backend plugins",
-  "version": "0.2.3",
+  "version": "0.4.1",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -29,16 +29,18 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.10.1",
-    "@backstage/config": "^0.1.11",
-    "@backstage/plugin-auth-backend": "^0.6.0",
-    "@backstage/plugin-permission-common": "^0.3.0",
+    "@backstage/backend-common": "^0.10.5",
+    "@backstage/config": "^0.1.13",
+    "@backstage/errors": "^0.2.0",
+    "@backstage/plugin-auth-backend": "^0.8.0",
+    "@backstage/plugin-permission-common": "^0.4.0",
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
+    "express-promise-router": "^4.1.0",
     "zod": "^3.11.6"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.10.4",
+    "@backstage/cli": "^0.13.0",
     "@types/supertest": "^2.0.8",
     "msw": "^0.35.0",
     "supertest": "^6.1.3"
@@ -46,5 +48,5 @@
   "files": [
     "dist"
   ],
-  "gitHead": "4b2a8ed96ff427735c872a72c1864321ef698436"
+  "gitHead": "493394603a2c47ea1d141159af9bc7bb84fac9e5"
 }