npm - @backstage/plugin-permission-node - Versions diffs - 0.7.24 → 0.7.25-next.1 - Mend

@backstage/plugin-permission-node 0.7.24 → 0.7.25-next.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,31 +1,29 @@
 # @backstage/plugin-permission-node
-## 0.7.24
+## 0.7.25-next.1
 ### Patch Changes
 - Updated dependencies
-  - @backstage/backend-common@0.21.3
-  - @backstage/plugin-auth-node@0.4.8
-  - @backstage/backend-plugin-api@0.6.13
+  - @backstage/config@1.2.0-next.1
+  - @backstage/backend-common@0.21.4-next.1
+  - @backstage/backend-plugin-api@0.6.14-next.1
+  - @backstage/plugin-auth-node@0.4.9-next.1
+  - @backstage/plugin-permission-common@0.7.13-next.1
+  - @backstage/errors@1.2.4-next.0
-## 0.7.23
+## 0.7.24-next.0
 ### Patch Changes
+- 0502d82: The `ServerPermissionClient` has been migrated to implement the `PermissionsService` interface, now accepting the new `BackstageCredentials` object in addition to the `token` option, which is now deprecated. It now also optionally depends on the new `AuthService`.
 - Updated dependencies
-  - @backstage/backend-common@0.21.2
-  - @backstage/plugin-auth-node@0.4.7
-  - @backstage/backend-plugin-api@0.6.12
-## 0.7.22
-### Patch Changes
-- Updated dependencies
-  - @backstage/backend-common@0.21.1
-  - @backstage/plugin-auth-node@0.4.6
-  - @backstage/backend-plugin-api@0.6.11
+  - @backstage/backend-common@0.21.3-next.0
+  - @backstage/plugin-auth-node@0.4.8-next.0
+  - @backstage/errors@1.2.4-next.0
+  - @backstage/backend-plugin-api@0.6.13-next.0
+  - @backstage/plugin-permission-common@0.7.13-next.0
+  - @backstage/config@1.1.2-next.0
 ## 0.7.21

package/alpha/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-node",
-  "version": "0.7.24",
+  "version": "0.7.25-next.1",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/dist/index.cjs.js CHANGED Viewed

@@ -259,20 +259,39 @@ function isCreatePermissionIntegrationRouterResourceOptions(options) {
 const createPermissionRule = (rule) => rule;
 const makeCreatePermissionRule = () => (rule) => createPermissionRule(rule);
-var __defProp = Object.defineProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => {
-  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __accessCheck = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet = (obj, member, getter) => {
+  __accessCheck(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet = (obj, member, value, setter) => {
+  __accessCheck(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
-class ServerPermissionClient {
+var __privateMethod = (obj, member, method) => {
+  __accessCheck(obj, member, "access private method");
+  return method;
+};
+var _auth, _permissionClient, _permissionEnabled, _getRequestOptions, getRequestOptions_fn, _shouldPermissionsBeApplied, shouldPermissionsBeApplied_fn;
+const _ServerPermissionClient = class _ServerPermissionClient {
   constructor(options) {
-    __publicField(this, "permissionClient");
-    __publicField(this, "tokenManager");
-    __publicField(this, "permissionEnabled");
-    this.permissionClient = options.permissionClient;
-    this.tokenManager = options.tokenManager;
-    this.permissionEnabled = options.permissionEnabled;
+    __privateAdd(this, _getRequestOptions);
+    __privateAdd(this, _shouldPermissionsBeApplied);
+    __privateAdd(this, _auth, void 0);
+    __privateAdd(this, _permissionClient, void 0);
+    __privateAdd(this, _permissionEnabled, void 0);
+    __privateSet(this, _auth, options.auth);
+    __privateSet(this, _permissionClient, options.permissionClient);
+    __privateSet(this, _permissionEnabled, options.permissionEnabled);
   }
   static fromConfig(config, options) {
     var _a;
@@ -284,28 +303,72 @@ class ServerPermissionClient {
         "Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth"
       );
     }
-    return new ServerPermissionClient({
+    const { auth } = backendCommon.createLegacyAuthAdapters(options);
+    return new _ServerPermissionClient({
+      auth,
       permissionClient,
-      tokenManager,
       permissionEnabled
     });
   }
   async authorizeConditional(queries, options) {
-    return await this.isEnabled(options == null ? void 0 : options.token) ? this.permissionClient.authorizeConditional(queries, options) : queries.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
+    if (await __privateMethod(this, _shouldPermissionsBeApplied, shouldPermissionsBeApplied_fn).call(this, options)) {
+      return __privateGet(this, _permissionClient).authorizeConditional(
+        queries,
+        await __privateMethod(this, _getRequestOptions, getRequestOptions_fn).call(this, options)
+      );
+    }
+    return queries.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
   }
   async authorize(requests, options) {
-    return await this.isEnabled(options == null ? void 0 : options.token) ? this.permissionClient.authorize(requests, options) : requests.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
+    if (await __privateMethod(this, _shouldPermissionsBeApplied, shouldPermissionsBeApplied_fn).call(this, options)) {
+      return __privateGet(this, _permissionClient).authorize(
+        requests,
+        await __privateMethod(this, _getRequestOptions, getRequestOptions_fn).call(this, options)
+      );
+    }
+    return requests.map((_) => ({ result: pluginPermissionCommon.AuthorizeResult.ALLOW }));
   }
-  async isValidServerToken(token) {
-    if (!token) {
-      return false;
+};
+_auth = new WeakMap();
+_permissionClient = new WeakMap();
+_permissionEnabled = new WeakMap();
+_getRequestOptions = new WeakSet();
+getRequestOptions_fn = async function(options) {
+  if (options && "credentials" in options) {
+    if (__privateGet(this, _auth).isPrincipal(options.credentials, "none")) {
+      return {};
     }
-    return this.tokenManager.authenticate(token).then(() => true).catch(() => false);
+    return __privateGet(this, _auth).getPluginRequestToken({
+      onBehalfOf: options.credentials,
+      targetPluginId: "permissions"
+    });
   }
-  async isEnabled(token) {
-    return this.permissionEnabled && !await this.isValidServerToken(token);
+  return options;
+};
+_shouldPermissionsBeApplied = new WeakSet();
+shouldPermissionsBeApplied_fn = async function(options) {
+  if (!__privateGet(this, _permissionEnabled)) {
+    return false;
   }
-}
+  let credentials;
+  if (options && "credentials" in options) {
+    credentials = options.credentials;
+  } else {
+    if (!(options == null ? void 0 : options.token)) {
+      return true;
+    }
+    try {
+      credentials = await __privateGet(this, _auth).authenticate(options.token);
+    } catch {
+      return true;
+    }
+  }
+  if (__privateGet(this, _auth).isPrincipal(credentials, "service")) {
+    return false;
+  }
+  return true;
+};
+let ServerPermissionClient = _ServerPermissionClient;
 exports.ServerPermissionClient = ServerPermissionClient;
 exports.createConditionAuthorizer = createConditionAuthorizer;

package/dist/index.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/integration/createPermissionRule.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n PermissionCondition,\n PermissionRuleParams,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Creates a condition factory function for a given authorization rule and parameter types.\n \n @remarks\n \n For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n \n Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n \n @public\n /\nexport const createConditionFactory = <\n TResourceType extends string,\n TParams extends PermissionRuleParams = PermissionRuleParams,\n>(\n rule: PermissionRule<unknown, unknown, TResourceType, TParams>,\n) => {\n return (params: TParams): PermissionCondition<TResourceType, TParams> => {\n return {\n rule: rule.name,\n resourceType: rule.resourceType,\n params,\n };\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AuthorizeResult,\n ConditionalPolicyDecision,\n PermissionCondition,\n PermissionCriteria,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/\n A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n \n @public\n /\nexport type Condition<TRule> = TRule extends PermissionRule<\n any,\n any,\n infer TResourceType,\n infer TParams\n>\n ? undefined extends TParams\n ? () => PermissionCondition<TResourceType, TParams>\n : (params: TParams) => PermissionCondition<TResourceType, TParams>\n : never;\n\n/\n A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n \n @public\n /\nexport type Conditions<\n TRules extends Record<string, PermissionRule<any, any, any>>,\n> = {\n [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/\n Creates the recommended condition-related exports for a given plugin based on\n * the built-in {@link PermissionRule}s it supports.\n \n @remarks\n \n The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for\n * each of the supplied {@link PermissionRule}s, along with a\n * `createConditionalDecision` function which builds the wrapper object needed\n * to enclose conditions when authoring {@link PermissionPolicy}\n * implementations.\n \n Plugin authors should generally call this method with all the built-in\n * {@link PermissionRule}s the plugin supports, and export the resulting\n * `conditions` object and `createConditionalDecision` function so that they can\n * be used by {@link PermissionPolicy} authors.\n \n @public\n /\nexport const createConditionExports = <\n TResourceType extends string,\n TResource,\n TRules extends Record<string, PermissionRule<TResource, any, TResourceType>>,\n>(options: {\n pluginId: string;\n resourceType: TResourceType;\n rules: TRules;\n}): {\n conditions: Conditions<TRules>;\n createConditionalDecision: (\n permission: ResourcePermission<TResourceType>,\n conditions: PermissionCriteria<PermissionCondition<TResourceType>>,\n ) => ConditionalPolicyDecision;\n} => {\n const { pluginId, resourceType, rules } = options;\n\n return {\n conditions: Object.entries(rules).reduce(\n (acc, [key, rule]) => ({\n ...acc,\n [key]: createConditionFactory(rule),\n }),\n {} as Conditions<TRules>,\n ),\n createConditionalDecision: (\n _permission: ResourcePermission<TResourceType>,\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ({\n result: AuthorizeResult.CONDITIONAL,\n pluginId,\n resourceType,\n conditions,\n }),\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AllOfCriteria,\n AnyOfCriteria,\n NotCriteria,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Prevent use of type parameter from contributing to type inference.\n \n https://github.com/Microsoft/TypeScript/issues/14829#issuecomment-980401795\n * @ignore\n /\nexport type NoInfer<T> = T extends infer S ? S : never;\n\n/\n Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type allOf,\n * narrowing down `criteria` to the specific type.\n /\nexport const isAndCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is AllOfCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'allOf');\n\n/\n Utility function used to parse a PermissionCriteria of type\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type anyOf,\n * narrowing down `criteria` to the specific type.\n /\nexport const isOrCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is AnyOfCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'anyOf');\n\n/\n Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type not,\n * narrowing down `criteria` to the specific type.\n /\nexport const isNotCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is NotCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n return (name: string): PermissionRule<TResource, TQuery, string> => {\n const rule = rulesMap.get(name);\n\n if (!rule) {\n throw new Error(`Unexpected permission rule: ${name}`);\n }\n\n return rule;\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport { InputError } from '@backstage/errors';\nimport {\n AllOfCriteria,\n AnyOfCriteria,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n criteria: PermissionCriteria<PermissionCondition>,\n getRule: (name: string) => PermissionRule<unknown, TQuery, string>,\n): PermissionCriteria<TQuery> => {\n if (isAndCriteria(criteria)) {\n return {\n allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n } as AllOfCriteria<TQuery>;\n } else if (isOrCriteria(criteria)) {\n return {\n anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n } as AnyOfCriteria<TQuery>;\n } else if (isNotCriteria(criteria)) {\n return {\n not: mapConditions(criteria.not, getRule),\n };\n }\n\n const rule = getRule(criteria.rule);\n const result = rule.paramsSchema?.safeParse(criteria.params);\n\n if (result && !result.success) {\n throw new InputError(`Parameters to rule are invalid`, result.error);\n }\n\n return rule.toQuery(criteria.params ?? {});\n};\n\n/\n A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n \n @public\n /\nexport type ConditionTransformer<TQuery> = (\n conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/\n A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n \n @public\n /\nexport const createConditionTransformer = <\n TQuery,\n TRules extends PermissionRule<any, TQuery, string>[],\n>(\n permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n const getRule = createGetRule(permissionRules);\n\n return conditions => mapConditions(conditions, getRule);\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express, { Response } from 'express';\nimport Router from 'express-promise-router';\nimport { z } from 'zod';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { InputError } from '@backstage/errors';\nimport { errorHandler } from '@backstage/backend-common';\nimport {\n AuthorizeResult,\n DefinitivePolicyDecision,\n IdentifiedPermissionMessage,\n Permission,\n PermissionCondition,\n PermissionCriteria,\n PolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n NoInfer,\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\nimport { NotImplementedError } from '@backstage/errors';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z.union([\n z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }),\n z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }),\n z.object({ not: permissionCriteriaSchema }),\n z.object({\n rule: z.string(),\n resourceType: z.string(),\n params: z.record(z.any()).optional(),\n }),\n ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n items: z.array(\n z.object({\n id: z.string(),\n resourceRef: z.string(),\n resourceType: z.string(),\n conditions: permissionCriteriaSchema,\n }),\n ),\n});\n\n/\n A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n \n @public\n /\nexport type ApplyConditionsRequestEntry = IdentifiedPermissionMessage<{\n resourceRef: string;\n resourceType: string;\n conditions: PermissionCriteria<PermissionCondition>;\n}>;\n\n/\n A batch of {@link ApplyConditionsRequestEntry} objects.\n \n @public\n /\nexport type ApplyConditionsRequest = {\n items: ApplyConditionsRequestEntry[];\n};\n\n/\n The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n \n @public\n /\nexport type ApplyConditionsResponseEntry =\n IdentifiedPermissionMessage<DefinitivePolicyDecision>;\n\n/\n A batch of {@link ApplyConditionsResponseEntry} objects.\n \n @public\n /\nexport type ApplyConditionsResponse = {\n items: ApplyConditionsResponseEntry[];\n};\n\n/\n Serialized permission rules, with the paramsSchema\n * converted from a ZodSchema to a JsonSchema.\n \n @public\n /\nexport type MetadataResponseSerializedRule = {\n name: string;\n description: string;\n resourceType: string;\n paramsSchema?: ReturnType<typeof zodToJsonSchema>;\n};\n\n/\n Response type for the .metadata endpoint.\n \n @public\n /\nexport type MetadataResponse = {\n permissions?: Permission[];\n rules: MetadataResponseSerializedRule[];\n};\n\nconst applyConditions = <TResourceType extends string, TResource>(\n criteria: PermissionCriteria<PermissionCondition<TResourceType>>,\n resource: TResource \| undefined,\n getRule: (name: string) => PermissionRule<TResource, unknown, TResourceType>,\n): boolean => {\n // If resource was not found, deny. This avoids leaking information from the\n // apply-conditions API which would allow a user to differentiate between\n // non-existent resources and resources to which they do not have access.\n if (resource === undefined) {\n return false;\n }\n\n if (isAndCriteria(criteria)) {\n return criteria.allOf.every(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isOrCriteria(criteria)) {\n return criteria.anyOf.some(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isNotCriteria(criteria)) {\n return !applyConditions(criteria.not, resource, getRule);\n }\n\n const rule = getRule(criteria.rule);\n const result = rule.paramsSchema?.safeParse(criteria.params);\n\n if (result && !result.success) {\n throw new InputError(`Parameters to rule are invalid`, result.error);\n }\n\n return rule.apply(resource, criteria.params ?? {});\n};\n\n/\n\n Takes some permission conditions and returns a definitive authorization result\n * on the resource to which they apply.\n \n @public\n /\nexport const createConditionAuthorizer = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n const getRule = createGetRule(rules);\n\n return (\n decision: PolicyDecision,\n resource: TResource \| undefined,\n ): boolean => {\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n return applyConditions(decision.conditions, resource, getRule);\n }\n\n return decision.result === AuthorizeResult.ALLOW;\n };\n};\n\n/\n Options for creating a permission integration router specific\n * for a particular resource type.\n \n @public\n /\nexport type CreatePermissionIntegrationRouterResourceOptions<\n TResourceType extends string,\n TResource,\n> = {\n resourceType: TResourceType;\n permissions?: Array<Permission>;\n // Do not infer value of TResourceType from supplied rules.\n // instead only consider the resourceType parameter, and\n // consider any rules whose resource type does not match\n // to be an error.\n rules: PermissionRule<TResource, any, NoInfer<TResourceType>>[];\n getResources?: (\n resourceRefs: string[],\n ) => Promise<Array<TResource \| undefined>>;\n};\n\n/\n Options for creating a permission integration router exposing\n * permissions and rules from multiple resource types.\n \n @public\n /\nexport type PermissionIntegrationRouterOptions<\n TResourceType1 extends string = string,\n TResource1 = any,\n TResourceType2 extends string = string,\n TResource2 = any,\n TResourceType3 extends string = string,\n TResource3 = any,\n> = {\n resources: Readonly<\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n ]\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType2,\n TResource2\n >,\n ]\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType2,\n TResource2\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType3,\n TResource3\n >,\n ]\n >;\n};\n\n/\n Create an express Router which provides an authorization route to allow\n * integration between the permission backend and other Backstage backend\n * plugins. Plugin owners that wish to support conditional authorization for\n * their resources should add the router created by this function to their\n * express app inside their `createRouter` implementation.\n \n In case the `permissions` option is provided, the router also\n * provides a route that exposes permissions and routes of a plugin.\n \n In case resources is provided, the routes can handle permissions\n * for multiple resource types.\n \n @remarks\n \n To make this concrete, we can use the Backstage software catalog as an\n * example. The catalog has conditional rules around access to specific\n * _entities_ in the catalog. The _type_ of resource is captured here as\n * `resourceType`, a string identifier (`catalog-entity` in this example) that\n * can be provided with permission definitions. This is merely a _type_ to\n * verify that conditions in an authorization policy are constructed correctly,\n * not a reference to a specific resource.\n \n The `rules` parameter is an array of {@link PermissionRule}s that introduce\n * conditional filtering logic for resources; for the catalog, these are things\n * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list\n * of resources, and the `conditions` returned allow these rules to be applied\n * with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n \n The `getResources` argument should load resources based on a reference\n * identifier. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be\n * any serialized format. This is used to construct the\n * `createPermissionIntegrationRouter`, a function to add an authorization route\n * to your backend plugin. This function will be called by the\n * `permission-backend` when authorization conditions relating to this plugin\n * need to be evaluated.\n \n @public\n /\nexport function createPermissionIntegrationRouter<\n TResourceType1 extends string,\n TResource1,\n TResourceType2 extends string,\n TResource2,\n TResourceType3 extends string,\n TResource3,\n>(\n options:\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n \| PermissionIntegrationRouterOptions<\n TResourceType1,\n TResource1,\n TResourceType2,\n TResource2,\n TResourceType3,\n TResource3\n >,\n): express.Router {\n const optionsWithResources = options as PermissionIntegrationRouterOptions;\n const allOptions = [\n optionsWithResources.resources ? optionsWithResources.resources : options,\n ].flat();\n const allRules = allOptions.flatMap(\n option =>\n (\n option as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n ).rules \|\| [],\n );\n const allPermissions = [\n ...((options as { permissions: Permission[] }).permissions \|\| []),\n ...(optionsWithResources.resources?.flatMap(o => o.permissions \|\| []) \|\|\n []),\n ];\n\n const allResourceTypes = allOptions.reduce((acc, option) => {\n if (\n isCreatePermissionIntegrationRouterResourceOptions(\n option as\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n )\n ) {\n acc.push(\n (\n option as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n ).resourceType,\n );\n }\n return acc;\n }, [] as string[]);\n\n const router = Router();\n router.use(express.json());\n\n router.get('/.well-known/backstage/permissions/metadata', (_, res) => {\n const serializedRules: MetadataResponseSerializedRule[] = allRules.map(\n rule => ({\n name: rule.name,\n description: rule.description,\n resourceType: rule.resourceType,\n paramsSchema: zodToJsonSchema(rule.paramsSchema ?? z.object({})),\n }),\n );\n\n const responseJson: MetadataResponse = {\n permissions: allPermissions,\n rules: serializedRules,\n };\n\n return res.json(responseJson);\n });\n\n router.post(\n '/.well-known/backstage/permissions/apply-conditions',\n async (req, res: Response<ApplyConditionsResponse \| string>) => {\n const ruleMapByResourceType: Record<\n string,\n ReturnType<typeof createGetRule>\n > = {};\n const getResourcesByResourceType: Record<\n string,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >['getResources']\n > = {};\n\n for (let option of allOptions) {\n option = option as\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >;\n if (isCreatePermissionIntegrationRouterResourceOptions(option)) {\n ruleMapByResourceType[option.resourceType] = createGetRule(\n option.rules,\n );\n\n getResourcesByResourceType[option.resourceType] = option.getResources;\n }\n }\n\n const assertValidResourceTypes = (\n requests: ApplyConditionsRequestEntry[],\n ) => {\n const invalidResourceTypes = requests\n .filter(request => !allResourceTypes.includes(request.resourceType))\n .map(request => request.resourceType);\n\n if (invalidResourceTypes.length) {\n throw new InputError(\n `Unexpected resource types: ${invalidResourceTypes.join(', ')}.`,\n );\n }\n };\n\n const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n if (!parseResult.success) {\n throw new InputError(parseResult.error.toString());\n }\n\n const body = parseResult.data;\n\n assertValidResourceTypes(body.items);\n\n const resourceRefsByResourceType = body.items.reduce<\n Record<string, Set<string>>\n >((acc, item) => {\n if (!acc[item.resourceType]) {\n acc[item.resourceType] = new Set();\n }\n acc[item.resourceType].add(item.resourceRef);\n return acc;\n }, {});\n\n const resourcesByResourceType: Record<string, Record<string, any>> = {};\n for (const resourceType of Object.keys(resourceRefsByResourceType)) {\n const getResources = getResourcesByResourceType[resourceType];\n if (!getResources) {\n throw new NotImplementedError(\n `This plugin does not expose any permission rule or can't evaluate the conditions request for ${resourceType}`,\n );\n }\n const resourceRefs = Array.from(\n resourceRefsByResourceType[resourceType],\n );\n const resources = await getResources(resourceRefs);\n resourceRefs.forEach((resourceRef, index) => {\n if (!resourcesByResourceType[resourceType]) {\n resourcesByResourceType[resourceType] = {};\n }\n resourcesByResourceType[resourceType][resourceRef] = resources[index];\n });\n }\n\n return res.json({\n items: body.items.map(request => ({\n id: request.id,\n result: applyConditions(\n request.conditions,\n resourcesByResourceType[request.resourceType][request.resourceRef],\n ruleMapByResourceType[request.resourceType],\n )\n ? AuthorizeResult.ALLOW\n : AuthorizeResult.DENY,\n })),\n });\n },\n );\n\n router.use(errorHandler());\n\n return router;\n}\n\nfunction isCreatePermissionIntegrationRouterResourceOptions<\n TResourceType extends string,\n TResource,\n>(\n options:\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n >,\n): options is CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n> {\n return (\n (\n options as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n >\n ).resourceType !== undefined\n );\n}\n","/\n * Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionRuleParams } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Helper function to ensure that {@link PermissionRule} definitions are typed correctly.\n \n @public\n /\nexport const createPermissionRule = <\n TResource,\n TQuery,\n TResourceType extends string,\n TParams extends PermissionRuleParams = undefined,\n>(\n rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n) => rule;\n\n/\n Helper for making plugin-specific createPermissionRule functions, that have\n * the TResource and TQuery type parameters populated but infer the params from\n * the supplied rule. This helps ensure that rules created for this plugin use\n * consistent types for the resource and query.\n \n @public\n /\nexport const makeCreatePermissionRule =\n <TResource, TQuery, TResourceType extends string>() =>\n <TParams extends PermissionRuleParams = undefined>(\n rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n ) =>\n createPermissionRule(rule);\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n TokenManager,\n PluginEndpointDiscovery,\n} from '@backstage/backend-common';\nimport { Config } from '@backstage/config';\nimport {\n AuthorizeResult,\n PermissionClient,\n PermissionEvaluator,\n AuthorizePermissionRequest,\n EvaluatorRequestOptions,\n AuthorizePermissionResponse,\n PolicyDecision,\n QueryPermissionRequest,\n} from '@backstage/plugin-permission-common';\n\n/\n A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * service-to-service requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionEvaluator {\n private readonly permissionClient: PermissionClient;\n private readonly tokenManager: TokenManager;\n private readonly permissionEnabled: boolean;\n\n static fromConfig(\n config: Config,\n options: {\n discovery: PluginEndpointDiscovery;\n tokenManager: TokenManager;\n },\n ) {\n const { discovery, tokenManager } = options;\n const permissionClient = new PermissionClient({ discovery, config });\n const permissionEnabled =\n config.getOptionalBoolean('permission.enabled') ?? false;\n\n if (\n permissionEnabled &&\n (tokenManager as any).isInsecureServerTokenManager\n ) {\n throw new Error(\n 'Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth',\n );\n }\n\n return new ServerPermissionClient({\n permissionClient,\n tokenManager,\n permissionEnabled,\n });\n }\n\n private constructor(options: {\n permissionClient: PermissionClient;\n tokenManager: TokenManager;\n permissionEnabled: boolean;\n }) {\n this.permissionClient = options.permissionClient;\n this.tokenManager = options.tokenManager;\n this.permissionEnabled = options.permissionEnabled;\n }\n\n async authorizeConditional(\n queries: QueryPermissionRequest[],\n options?: EvaluatorRequestOptions,\n ): Promise<PolicyDecision[]> {\n return (await this.isEnabled(options?.token))\n ? this.permissionClient.authorizeConditional(queries, options)\n : queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n async authorize(\n requests: AuthorizePermissionRequest[],\n options?: EvaluatorRequestOptions,\n ): Promise<AuthorizePermissionResponse[]> {\n return (await this.isEnabled(options?.token))\n ? this.permissionClient.authorize(requests, options)\n : requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n private async isValidServerToken(\n token: string \| undefined,\n ): Promise<boolean> {\n if (!token) {\n return false;\n }\n return this.tokenManager\n .authenticate(token)\n .then(() => true)\n .catch(() => false);\n }\n\n private async isEnabled(token?: string) {\n // Check if permissions are enabled before validating the server token. That\n // way when permissions are disabled, the noop token manager can be used\n // without fouling up the logic inside the ServerPermissionClient, because\n // the code path won't be reached.\n return this.permissionEnabled && !(await this.isValidServerToken(token));\n }\n}\n"],"names":["AuthorizeResult","InputError","z","Router","express","_a","zodToJsonSchema","NotImplementedError","errorHandler","PermissionClient"],"mappings":";;;;;;;;;;;;;;;;;;AAsCa,MAAA,sBAAA,GAAyB,CAIpC,IACG,KAAA;AACH,EAAA,OAAO,CAAC,MAAiE,KAAA;AACvE,IAAO,OAAA;AAAA,MACL,MAAM,IAAK,CAAA,IAAA;AAAA,MACX,cAAc,IAAK,CAAA,YAAA;AAAA,MACnB,MAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACwBa,MAAA,sBAAA,GAAyB,CAIpC,OAUG,KAAA;AACH,EAAA,MAAM,EAAE,QAAA,EAAU,YAAc,EAAA,KAAA,EAAU,GAAA,OAAA,CAAA;AAE1C,EAAO,OAAA;AAAA,IACL,UAAY,EAAA,MAAA,CAAO,OAAQ,CAAA,KAAK,CAAE,CAAA,MAAA;AAAA,MAChC,CAAC,GAAA,EAAK,CAAC,GAAA,EAAK,IAAI,CAAO,MAAA;AAAA,QACrB,GAAG,GAAA;AAAA,QACH,CAAC,GAAG,GAAG,sBAAA,CAAuB,IAAI,CAAA;AAAA,OACpC,CAAA;AAAA,MACA,EAAC;AAAA,KACH;AAAA,IACA,yBAAA,EAA2B,CACzB,WAAA,EACA,UACI,MAAA;AAAA,MACJ,QAAQA,sCAAgB,CAAA,WAAA;AAAA,MACxB,QAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACtEa,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,YAAA,GAAe,CAC1B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,KAAK,EAAA;AAEzC,MAAA,aAAA,GAAgB,CAC3B,KACG,KAAA;AACH,EAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,MAAA,CAAO,OAAO,KAAK,CAAA,CAAE,GAAI,CAAA,CAAA,IAAA,KAAQ,CAAC,IAAA,CAAK,IAAM,EAAA,IAAI,CAAC,CAAC,CAAA,CAAA;AAE5E,EAAA,OAAO,CAAC,IAA4D,KAAA;AAClE,IAAM,MAAA,IAAA,GAAO,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAA,MAAM,IAAI,KAAA,CAAM,CAA+B,4BAAA,EAAA,IAAI,CAAE,CAAA,CAAA,CAAA;AAAA,KACvD;AAEA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;ACvDA,MAAM,aAAA,GAAgB,CACpB,QAAA,EACA,OAC+B,KAAA;AAjCjC,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAkCE,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAO,OAAA;AAAA,MACL,GAAK,EAAA,aAAA,CAAc,QAAS,CAAA,GAAA,EAAK,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAmB,UAAU,QAAS,CAAA,MAAA,CAAA,CAAA;AAErD,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAIC,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,OAAQ,CAAA,CAAA,EAAA,GAAA,QAAA,CAAS,MAAT,KAAA,IAAA,GAAA,EAAA,GAAmB,EAAE,CAAA,CAAA;AAC3C,CAAA,CAAA;AAsBa,MAAA,0BAAA,GAA6B,CAIxC,eACiC,KAAA;AACjC,EAAM,MAAA,OAAA,GAAU,cAAc,eAAe,CAAA,CAAA;AAE7C,EAAO,OAAA,CAAA,UAAA,KAAc,aAAc,CAAA,UAAA,EAAY,OAAO,CAAA,CAAA;AACxD;;AC9CA,MAAM,2BAEFC,KAAE,CAAA,IAAA;AAAA,EAAK,MACTA,MAAE,KAAM,CAAA;AAAA,IACNA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAE,CAAA,MAAA,CAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA;AAAA,IAC1CA,MAAE,MAAO,CAAA;AAAA,MACP,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,MACf,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,QAAQA,KAAE,CAAA,MAAA,CAAOA,MAAE,GAAI,EAAC,EAAE,QAAS,EAAA;AAAA,KACpC,CAAA;AAAA,GACF,CAAA;AACH,CAAA,CAAA;AAEA,MAAM,4BAAA,GAA+BA,MAAE,MAAO,CAAA;AAAA,EAC5C,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,WAAA,EAAaA,MAAE,MAAO,EAAA;AAAA,MACtB,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,UAAY,EAAA,wBAAA;AAAA,KACb,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AAgED,MAAM,eAAkB,GAAA,CACtB,QACA,EAAA,QAAA,EACA,OACY,KAAA;AArId,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAyIE,EAAA,IAAI,aAAa,KAAW,CAAA,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAA,OAAO,SAAS,KAAM,CAAA,KAAA;AAAA,MAAM,CAC1B,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAA,OAAO,SAAS,KAAM,CAAA,IAAA;AAAA,MAAK,CACzB,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAA,OAAO,CAAC,eAAA,CAAgB,QAAS,CAAA,GAAA,EAAK,UAAU,OAAO,CAAA,CAAA;AAAA,GACzD;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAmB,UAAU,QAAS,CAAA,MAAA,CAAA,CAAA;AAErD,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAID,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,KAAM,CAAA,QAAA,EAAA,CAAU,cAAS,MAAT,KAAA,IAAA,GAAA,EAAA,GAAmB,EAAE,CAAA,CAAA;AACnD,CAAA,CAAA;AASa,MAAA,yBAAA,GAA4B,CACvC,KACG,KAAA;AACH,EAAM,MAAA,OAAA,GAAU,cAAc,KAAK,CAAA,CAAA;AAEnC,EAAO,OAAA,CACL,UACA,QACY,KAAA;AACZ,IAAI,IAAA,QAAA,CAAS,MAAW,KAAAD,sCAAA,CAAgB,WAAa,EAAA;AACnD,MAAA,OAAO,eAAgB,CAAA,QAAA,CAAS,UAAY,EAAA,QAAA,EAAU,OAAO,CAAA,CAAA;AAAA,KAC/D;AAEA,IAAO,OAAA,QAAA,CAAS,WAAWA,sCAAgB,CAAA,KAAA,CAAA;AAAA,GAC7C,CAAA;AACF,EAAA;AAiHO,SAAS,kCAQd,OAcgB,EAAA;AAhUlB,EAAA,IAAA,EAAA,CAAA;AAiUE,EAAA,MAAM,oBAAuB,GAAA,OAAA,CAAA;AAC7B,EAAA,MAAM,UAAa,GAAA;AAAA,IACjB,oBAAA,CAAqB,SAAY,GAAA,oBAAA,CAAqB,SAAY,GAAA,OAAA;AAAA,IAClE,IAAK,EAAA,CAAA;AACP,EAAA,MAAM,WAAW,UAAW,CAAA,OAAA;AAAA,IAC1B,CAAA,MAAA,KAEI,MAIA,CAAA,KAAA,IAAS,EAAC;AAAA,GAChB,CAAA;AACA,EAAA,MAAM,cAAiB,GAAA;AAAA,IACrB,GAAK,OAA0C,CAAA,WAAA,IAAe,EAAC;AAAA,IAC/D,GAAA,CAAA,CAAI,EAAqB,GAAA,oBAAA,CAAA,SAAA,KAArB,IAAgC,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,OAAA,CAAQ,OAAK,CAAE,CAAA,WAAA,IAAe,EAAC,CAAA,KACjE,EAAC;AAAA,GACL,CAAA;AAEA,EAAA,MAAM,gBAAmB,GAAA,UAAA,CAAW,MAAO,CAAA,CAAC,KAAK,MAAW,KAAA;AAC1D,IACE,IAAA,kDAAA;AAAA,MACE,MAAA;AAAA,KAOF,EAAA;AACA,MAAI,GAAA,CAAA,IAAA;AAAA,QAEA,MAIA,CAAA,YAAA;AAAA,OACJ,CAAA;AAAA,KACF;AACA,IAAO,OAAA,GAAA,CAAA;AAAA,GACT,EAAG,EAAc,CAAA,CAAA;AAEjB,EAAA,MAAM,SAASG,0BAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,2BAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,6CAAA,EAA+C,CAAC,CAAA,EAAG,GAAQ,KAAA;AACpE,IAAA,MAAM,kBAAoD,QAAS,CAAA,GAAA;AAAA,MACjE,CAAK,IAAA,KAAA;AAhXX,QAAAC,IAAAA,GAAAA,CAAAA;AAgXe,QAAA,OAAA;AAAA,UACP,MAAM,IAAK,CAAA,IAAA;AAAA,UACX,aAAa,IAAK,CAAA,WAAA;AAAA,UAClB,cAAc,IAAK,CAAA,YAAA;AAAA,UACnB,YAAA,EAAcC,mCAAgBD,CAAAA,CAAAA,GAAAA,GAAA,IAAK,CAAA,YAAA,KAAL,IAAAA,GAAAA,GAAAA,GAAqBH,KAAE,CAAA,MAAA,CAAO,EAAE,CAAC,CAAA;AAAA,SACjE,CAAA;AAAA,OAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,YAAiC,GAAA;AAAA,MACrC,WAAa,EAAA,cAAA;AAAA,MACb,KAAO,EAAA,eAAA;AAAA,KACT,CAAA;AAEA,IAAO,OAAA,GAAA,CAAI,KAAK,YAAY,CAAA,CAAA;AAAA,GAC7B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,qDAAA;AAAA,IACA,OAAO,KAAK,GAAoD,KAAA;AAC9D,MAAA,MAAM,wBAGF,EAAC,CAAA;AACL,MAAA,MAAM,6BAMF,EAAC,CAAA;AAEL,MAAA,KAAA,IAAS,UAAU,UAAY,EAAA;AAC7B,QAAS,MAAA,GAAA,MAAA,CAAA;AAMT,QAAI,IAAA,kDAAA,CAAmD,MAAM,CAAG,EAAA;AAC9D,UAAsB,qBAAA,CAAA,MAAA,CAAO,YAAY,CAAI,GAAA,aAAA;AAAA,YAC3C,MAAO,CAAA,KAAA;AAAA,WACT,CAAA;AAEA,UAA2B,0BAAA,CAAA,MAAA,CAAO,YAAY,CAAA,GAAI,MAAO,CAAA,YAAA,CAAA;AAAA,SAC3D;AAAA,OACF;AAEA,MAAM,MAAA,wBAAA,GAA2B,CAC/B,QACG,KAAA;AACH,QAAA,MAAM,oBAAuB,GAAA,QAAA,CAC1B,MAAO,CAAA,CAAA,OAAA,KAAW,CAAC,gBAAiB,CAAA,QAAA,CAAS,OAAQ,CAAA,YAAY,CAAC,CAAA,CAClE,GAAI,CAAA,CAAA,OAAA,KAAW,QAAQ,YAAY,CAAA,CAAA;AAEtC,QAAA,IAAI,qBAAqB,MAAQ,EAAA;AAC/B,UAAA,MAAM,IAAID,iBAAA;AAAA,YACR,CAA8B,2BAAA,EAAA,oBAAA,CAAqB,IAAK,CAAA,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,WAC/D,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,WAAc,GAAA,4BAAA,CAA6B,SAAU,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAEnE,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIA,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,wBAAA,CAAyB,KAAK,KAAK,CAAA,CAAA;AAEnC,MAAA,MAAM,6BAA6B,IAAK,CAAA,KAAA,CAAM,MAE5C,CAAA,CAAC,KAAK,IAAS,KAAA;AACf,QAAA,IAAI,CAAC,GAAA,CAAI,IAAK,CAAA,YAAY,CAAG,EAAA;AAC3B,UAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAI,mBAAA,IAAI,GAAI,EAAA,CAAA;AAAA,SACnC;AACA,QAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAE,CAAA,GAAA,CAAI,KAAK,WAAW,CAAA,CAAA;AAC3C,QAAO,OAAA,GAAA,CAAA;AAAA,OACT,EAAG,EAAE,CAAA,CAAA;AAEL,MAAA,MAAM,0BAA+D,EAAC,CAAA;AACtE,MAAA,KAAA,MAAW,YAAgB,IAAA,MAAA,CAAO,IAAK,CAAA,0BAA0B,CAAG,EAAA;AAClE,QAAM,MAAA,YAAA,GAAe,2BAA2B,YAAY,CAAA,CAAA;AAC5D,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAA,MAAM,IAAIM,0BAAA;AAAA,YACR,gGAAgG,YAAY,CAAA,CAAA;AAAA,WAC9G,CAAA;AAAA,SACF;AACA,QAAA,MAAM,eAAe,KAAM,CAAA,IAAA;AAAA,UACzB,2BAA2B,YAAY,CAAA;AAAA,SACzC,CAAA;AACA,QAAM,MAAA,SAAA,GAAY,MAAM,YAAA,CAAa,YAAY,CAAA,CAAA;AACjD,QAAa,YAAA,CAAA,OAAA,CAAQ,CAAC,WAAA,EAAa,KAAU,KAAA;AAC3C,UAAI,IAAA,CAAC,uBAAwB,CAAA,YAAY,CAAG,EAAA;AAC1C,YAAwB,uBAAA,CAAA,YAAY,IAAI,EAAC,CAAA;AAAA,WAC3C;AACA,UAAA,uBAAA,CAAwB,YAAY,CAAA,CAAE,WAAW,CAAA,GAAI,UAAU,KAAK,CAAA,CAAA;AAAA,SACrE,CAAA,CAAA;AAAA,OACH;AAEA,MAAA,OAAO,IAAI,IAAK,CAAA;AAAA,QACd,KAAO,EAAA,IAAA,CAAK,KAAM,CAAA,GAAA,CAAI,CAAY,OAAA,MAAA;AAAA,UAChC,IAAI,OAAQ,CAAA,EAAA;AAAA,UACZ,MAAQ,EAAA,eAAA;AAAA,YACN,OAAQ,CAAA,UAAA;AAAA,YACR,uBAAwB,CAAA,OAAA,CAAQ,YAAY,CAAA,CAAE,QAAQ,WAAW,CAAA;AAAA,YACjE,qBAAA,CAAsB,QAAQ,YAAY,CAAA;AAAA,WAC5C,GACIP,sCAAgB,CAAA,KAAA,GAChBA,sCAAgB,CAAA,IAAA;AAAA,SACpB,CAAA,CAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAEA,EAAO,MAAA,CAAA,GAAA,CAAIQ,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,mDAIP,OASA,EAAA;AACA,EAAA,OAEI,QAIA,YAAiB,KAAA,KAAA,CAAA,CAAA;AAEvB;;ACvea,MAAA,oBAAA,GAAuB,CAMlC,IACG,KAAA,KAAA;AAUE,MAAM,wBACX,GAAA,MACA,CACE,IAAA,KAEA,qBAAqB,IAAI;;;;;;;;ACRtB,MAAM,sBAAsD,CAAA;AAAA,EAiCzD,YAAY,OAIjB,EAAA;AApCH,IAAiB,aAAA,CAAA,IAAA,EAAA,kBAAA,CAAA,CAAA;AACjB,IAAiB,aAAA,CAAA,IAAA,EAAA,cAAA,CAAA,CAAA;AACjB,IAAiB,aAAA,CAAA,IAAA,EAAA,mBAAA,CAAA,CAAA;AAmCf,IAAA,IAAA,CAAK,mBAAmB,OAAQ,CAAA,gBAAA,CAAA;AAChC,IAAA,IAAA,CAAK,eAAe,OAAQ,CAAA,YAAA,CAAA;AAC5B,IAAA,IAAA,CAAK,oBAAoB,OAAQ,CAAA,iBAAA,CAAA;AAAA,GACnC;AAAA,EApCA,OAAO,UACL,CAAA,MAAA,EACA,OAIA,EAAA;AAjDJ,IAAA,IAAA,EAAA,CAAA;AAkDI,IAAM,MAAA,EAAE,SAAW,EAAA,YAAA,EAAiB,GAAA,OAAA,CAAA;AACpC,IAAA,MAAM,mBAAmB,IAAIC,uCAAA,CAAiB,EAAE,SAAA,EAAW,QAAQ,CAAA,CAAA;AACnE,IAAA,MAAM,iBACJ,GAAA,CAAA,EAAA,GAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,MAA9C,IAAmD,GAAA,EAAA,GAAA,KAAA,CAAA;AAErD,IACE,IAAA,iBAAA,IACC,aAAqB,4BACtB,EAAA;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,yJAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,OAAO,IAAI,sBAAuB,CAAA;AAAA,MAChC,gBAAA;AAAA,MACA,YAAA;AAAA,MACA,iBAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAYA,MAAM,oBACJ,CAAA,OAAA,EACA,OAC2B,EAAA;AAC3B,IAAA,OAAQ,MAAM,IAAK,CAAA,SAAA,CAAU,mCAAS,KAAK,CAAA,GACvC,KAAK,gBAAiB,CAAA,oBAAA,CAAqB,SAAS,OAAO,CAAA,GAC3D,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAT,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,GAC1D;AAAA,EAEA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAA,OAAQ,MAAM,IAAK,CAAA,SAAA,CAAU,mCAAS,KAAK,CAAA,GACvC,KAAK,gBAAiB,CAAA,SAAA,CAAU,UAAU,OAAO,CAAA,GACjD,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,GAC3D;AAAA,EAEA,MAAc,mBACZ,KACkB,EAAA;AAClB,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AACA,IAAO,OAAA,IAAA,CAAK,YACT,CAAA,YAAA,CAAa,KAAK,CAAA,CAClB,IAAK,CAAA,MAAM,IAAI,CAAA,CACf,KAAM,CAAA,MAAM,KAAK,CAAA,CAAA;AAAA,GACtB;AAAA,EAEA,MAAc,UAAU,KAAgB,EAAA;AAKtC,IAAA,OAAO,KAAK,iBAAqB,IAAA,CAAE,MAAM,IAAA,CAAK,mBAAmB,KAAK,CAAA,CAAA;AAAA,GACxE;AACF;;;;;;;;;;;;;;"}
1	+ {"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/integration/createPermissionRule.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n PermissionCondition,\n PermissionRuleParams,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Creates a condition factory function for a given authorization rule and parameter types.\n \n @remarks\n \n For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n \n Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n \n @public\n /\nexport const createConditionFactory = <\n TResourceType extends string,\n TParams extends PermissionRuleParams = PermissionRuleParams,\n>(\n rule: PermissionRule<unknown, unknown, TResourceType, TParams>,\n) => {\n return (params: TParams): PermissionCondition<TResourceType, TParams> => {\n return {\n rule: rule.name,\n resourceType: rule.resourceType,\n params,\n };\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AuthorizeResult,\n ConditionalPolicyDecision,\n PermissionCondition,\n PermissionCriteria,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/\n A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n \n @public\n /\nexport type Condition<TRule> = TRule extends PermissionRule<\n any,\n any,\n infer TResourceType,\n infer TParams\n>\n ? undefined extends TParams\n ? () => PermissionCondition<TResourceType, TParams>\n : (params: TParams) => PermissionCondition<TResourceType, TParams>\n : never;\n\n/\n A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n \n @public\n /\nexport type Conditions<\n TRules extends Record<string, PermissionRule<any, any, any>>,\n> = {\n [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/\n Creates the recommended condition-related exports for a given plugin based on\n * the built-in {@link PermissionRule}s it supports.\n \n @remarks\n \n The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for\n * each of the supplied {@link PermissionRule}s, along with a\n * `createConditionalDecision` function which builds the wrapper object needed\n * to enclose conditions when authoring {@link PermissionPolicy}\n * implementations.\n \n Plugin authors should generally call this method with all the built-in\n * {@link PermissionRule}s the plugin supports, and export the resulting\n * `conditions` object and `createConditionalDecision` function so that they can\n * be used by {@link PermissionPolicy} authors.\n \n @public\n /\nexport const createConditionExports = <\n TResourceType extends string,\n TResource,\n TRules extends Record<string, PermissionRule<TResource, any, TResourceType>>,\n>(options: {\n pluginId: string;\n resourceType: TResourceType;\n rules: TRules;\n}): {\n conditions: Conditions<TRules>;\n createConditionalDecision: (\n permission: ResourcePermission<TResourceType>,\n conditions: PermissionCriteria<PermissionCondition<TResourceType>>,\n ) => ConditionalPolicyDecision;\n} => {\n const { pluginId, resourceType, rules } = options;\n\n return {\n conditions: Object.entries(rules).reduce(\n (acc, [key, rule]) => ({\n ...acc,\n [key]: createConditionFactory(rule),\n }),\n {} as Conditions<TRules>,\n ),\n createConditionalDecision: (\n _permission: ResourcePermission<TResourceType>,\n conditions: PermissionCriteria<PermissionCondition>,\n ) => ({\n result: AuthorizeResult.CONDITIONAL,\n pluginId,\n resourceType,\n conditions,\n }),\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n AllOfCriteria,\n AnyOfCriteria,\n NotCriteria,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Prevent use of type parameter from contributing to type inference.\n \n https://github.com/Microsoft/TypeScript/issues/14829#issuecomment-980401795\n * @ignore\n /\nexport type NoInfer<T> = T extends infer S ? S : never;\n\n/\n Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type allOf,\n * narrowing down `criteria` to the specific type.\n /\nexport const isAndCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is AllOfCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'allOf');\n\n/\n Utility function used to parse a PermissionCriteria of type\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type anyOf,\n * narrowing down `criteria` to the specific type.\n /\nexport const isOrCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is AnyOfCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'anyOf');\n\n/\n Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n \n @returns `true` if the permission criteria is of type not,\n * narrowing down `criteria` to the specific type.\n /\nexport const isNotCriteria = <T>(\n criteria: PermissionCriteria<T>,\n): criteria is NotCriteria<T> =>\n Object.prototype.hasOwnProperty.call(criteria, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n return (name: string): PermissionRule<TResource, TQuery, string> => {\n const rule = rulesMap.get(name);\n\n if (!rule) {\n throw new Error(`Unexpected permission rule: ${name}`);\n }\n\n return rule;\n };\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport { InputError } from '@backstage/errors';\nimport {\n AllOfCriteria,\n AnyOfCriteria,\n PermissionCondition,\n PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n criteria: PermissionCriteria<PermissionCondition>,\n getRule: (name: string) => PermissionRule<unknown, TQuery, string>,\n): PermissionCriteria<TQuery> => {\n if (isAndCriteria(criteria)) {\n return {\n allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n } as AllOfCriteria<TQuery>;\n } else if (isOrCriteria(criteria)) {\n return {\n anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n } as AnyOfCriteria<TQuery>;\n } else if (isNotCriteria(criteria)) {\n return {\n not: mapConditions(criteria.not, getRule),\n };\n }\n\n const rule = getRule(criteria.rule);\n const result = rule.paramsSchema?.safeParse(criteria.params);\n\n if (result && !result.success) {\n throw new InputError(`Parameters to rule are invalid`, result.error);\n }\n\n return rule.toQuery(criteria.params ?? {});\n};\n\n/\n A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n \n @public\n /\nexport type ConditionTransformer<TQuery> = (\n conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/\n A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n \n @public\n /\nexport const createConditionTransformer = <\n TQuery,\n TRules extends PermissionRule<any, TQuery, string>[],\n>(\n permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n const getRule = createGetRule(permissionRules);\n\n return conditions => mapConditions(conditions, getRule);\n};\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express, { Response } from 'express';\nimport Router from 'express-promise-router';\nimport { z } from 'zod';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { InputError } from '@backstage/errors';\nimport { errorHandler } from '@backstage/backend-common';\nimport {\n AuthorizeResult,\n DefinitivePolicyDecision,\n IdentifiedPermissionMessage,\n Permission,\n PermissionCondition,\n PermissionCriteria,\n PolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n NoInfer,\n createGetRule,\n isAndCriteria,\n isNotCriteria,\n isOrCriteria,\n} from './util';\nimport { NotImplementedError } from '@backstage/errors';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n z.union([\n z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }),\n z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }),\n z.object({ not: permissionCriteriaSchema }),\n z.object({\n rule: z.string(),\n resourceType: z.string(),\n params: z.record(z.any()).optional(),\n }),\n ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n items: z.array(\n z.object({\n id: z.string(),\n resourceRef: z.string(),\n resourceType: z.string(),\n conditions: permissionCriteriaSchema,\n }),\n ),\n});\n\n/\n A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n \n @public\n /\nexport type ApplyConditionsRequestEntry = IdentifiedPermissionMessage<{\n resourceRef: string;\n resourceType: string;\n conditions: PermissionCriteria<PermissionCondition>;\n}>;\n\n/\n A batch of {@link ApplyConditionsRequestEntry} objects.\n \n @public\n /\nexport type ApplyConditionsRequest = {\n items: ApplyConditionsRequestEntry[];\n};\n\n/\n The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n \n @public\n /\nexport type ApplyConditionsResponseEntry =\n IdentifiedPermissionMessage<DefinitivePolicyDecision>;\n\n/\n A batch of {@link ApplyConditionsResponseEntry} objects.\n \n @public\n /\nexport type ApplyConditionsResponse = {\n items: ApplyConditionsResponseEntry[];\n};\n\n/\n Serialized permission rules, with the paramsSchema\n * converted from a ZodSchema to a JsonSchema.\n \n @public\n /\nexport type MetadataResponseSerializedRule = {\n name: string;\n description: string;\n resourceType: string;\n paramsSchema?: ReturnType<typeof zodToJsonSchema>;\n};\n\n/\n Response type for the .metadata endpoint.\n \n @public\n /\nexport type MetadataResponse = {\n permissions?: Permission[];\n rules: MetadataResponseSerializedRule[];\n};\n\nconst applyConditions = <TResourceType extends string, TResource>(\n criteria: PermissionCriteria<PermissionCondition<TResourceType>>,\n resource: TResource \| undefined,\n getRule: (name: string) => PermissionRule<TResource, unknown, TResourceType>,\n): boolean => {\n // If resource was not found, deny. This avoids leaking information from the\n // apply-conditions API which would allow a user to differentiate between\n // non-existent resources and resources to which they do not have access.\n if (resource === undefined) {\n return false;\n }\n\n if (isAndCriteria(criteria)) {\n return criteria.allOf.every(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isOrCriteria(criteria)) {\n return criteria.anyOf.some(child =>\n applyConditions(child, resource, getRule),\n );\n } else if (isNotCriteria(criteria)) {\n return !applyConditions(criteria.not, resource, getRule);\n }\n\n const rule = getRule(criteria.rule);\n const result = rule.paramsSchema?.safeParse(criteria.params);\n\n if (result && !result.success) {\n throw new InputError(`Parameters to rule are invalid`, result.error);\n }\n\n return rule.apply(resource, criteria.params ?? {});\n};\n\n/\n\n Takes some permission conditions and returns a definitive authorization result\n * on the resource to which they apply.\n \n @public\n /\nexport const createConditionAuthorizer = <TResource, TQuery>(\n rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n const getRule = createGetRule(rules);\n\n return (\n decision: PolicyDecision,\n resource: TResource \| undefined,\n ): boolean => {\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n return applyConditions(decision.conditions, resource, getRule);\n }\n\n return decision.result === AuthorizeResult.ALLOW;\n };\n};\n\n/\n Options for creating a permission integration router specific\n * for a particular resource type.\n \n @public\n /\nexport type CreatePermissionIntegrationRouterResourceOptions<\n TResourceType extends string,\n TResource,\n> = {\n resourceType: TResourceType;\n permissions?: Array<Permission>;\n // Do not infer value of TResourceType from supplied rules.\n // instead only consider the resourceType parameter, and\n // consider any rules whose resource type does not match\n // to be an error.\n rules: PermissionRule<TResource, any, NoInfer<TResourceType>>[];\n getResources?: (\n resourceRefs: string[],\n ) => Promise<Array<TResource \| undefined>>;\n};\n\n/\n Options for creating a permission integration router exposing\n * permissions and rules from multiple resource types.\n \n @public\n /\nexport type PermissionIntegrationRouterOptions<\n TResourceType1 extends string = string,\n TResource1 = any,\n TResourceType2 extends string = string,\n TResource2 = any,\n TResourceType3 extends string = string,\n TResource3 = any,\n> = {\n resources: Readonly<\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n ]\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType2,\n TResource2\n >,\n ]\n \| [\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType2,\n TResource2\n >,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType3,\n TResource3\n >,\n ]\n >;\n};\n\n/\n Create an express Router which provides an authorization route to allow\n * integration between the permission backend and other Backstage backend\n * plugins. Plugin owners that wish to support conditional authorization for\n * their resources should add the router created by this function to their\n * express app inside their `createRouter` implementation.\n \n In case the `permissions` option is provided, the router also\n * provides a route that exposes permissions and routes of a plugin.\n \n In case resources is provided, the routes can handle permissions\n * for multiple resource types.\n \n @remarks\n \n To make this concrete, we can use the Backstage software catalog as an\n * example. The catalog has conditional rules around access to specific\n * _entities_ in the catalog. The _type_ of resource is captured here as\n * `resourceType`, a string identifier (`catalog-entity` in this example) that\n * can be provided with permission definitions. This is merely a _type_ to\n * verify that conditions in an authorization policy are constructed correctly,\n * not a reference to a specific resource.\n \n The `rules` parameter is an array of {@link PermissionRule}s that introduce\n * conditional filtering logic for resources; for the catalog, these are things\n * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list\n * of resources, and the `conditions` returned allow these rules to be applied\n * with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n \n The `getResources` argument should load resources based on a reference\n * identifier. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be\n * any serialized format. This is used to construct the\n * `createPermissionIntegrationRouter`, a function to add an authorization route\n * to your backend plugin. This function will be called by the\n * `permission-backend` when authorization conditions relating to this plugin\n * need to be evaluated.\n \n @public\n /\nexport function createPermissionIntegrationRouter<\n TResourceType1 extends string,\n TResource1,\n TResourceType2 extends string,\n TResource2,\n TResourceType3 extends string,\n TResource3,\n>(\n options:\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n \| PermissionIntegrationRouterOptions<\n TResourceType1,\n TResource1,\n TResourceType2,\n TResource2,\n TResourceType3,\n TResource3\n >,\n): express.Router {\n const optionsWithResources = options as PermissionIntegrationRouterOptions;\n const allOptions = [\n optionsWithResources.resources ? optionsWithResources.resources : options,\n ].flat();\n const allRules = allOptions.flatMap(\n option =>\n (\n option as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n ).rules \|\| [],\n );\n const allPermissions = [\n ...((options as { permissions: Permission[] }).permissions \|\| []),\n ...(optionsWithResources.resources?.flatMap(o => o.permissions \|\| []) \|\|\n []),\n ];\n\n const allResourceTypes = allOptions.reduce((acc, option) => {\n if (\n isCreatePermissionIntegrationRouterResourceOptions(\n option as\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >,\n )\n ) {\n acc.push(\n (\n option as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >\n ).resourceType,\n );\n }\n return acc;\n }, [] as string[]);\n\n const router = Router();\n router.use(express.json());\n\n router.get('/.well-known/backstage/permissions/metadata', (_, res) => {\n const serializedRules: MetadataResponseSerializedRule[] = allRules.map(\n rule => ({\n name: rule.name,\n description: rule.description,\n resourceType: rule.resourceType,\n paramsSchema: zodToJsonSchema(rule.paramsSchema ?? z.object({})),\n }),\n );\n\n const responseJson: MetadataResponse = {\n permissions: allPermissions,\n rules: serializedRules,\n };\n\n return res.json(responseJson);\n });\n\n router.post(\n '/.well-known/backstage/permissions/apply-conditions',\n async (req, res: Response<ApplyConditionsResponse \| string>) => {\n const ruleMapByResourceType: Record<\n string,\n ReturnType<typeof createGetRule>\n > = {};\n const getResourcesByResourceType: Record<\n string,\n CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >['getResources']\n > = {};\n\n for (let option of allOptions) {\n option = option as\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType1,\n TResource1\n >;\n if (isCreatePermissionIntegrationRouterResourceOptions(option)) {\n ruleMapByResourceType[option.resourceType] = createGetRule(\n option.rules,\n );\n\n getResourcesByResourceType[option.resourceType] = option.getResources;\n }\n }\n\n const assertValidResourceTypes = (\n requests: ApplyConditionsRequestEntry[],\n ) => {\n const invalidResourceTypes = requests\n .filter(request => !allResourceTypes.includes(request.resourceType))\n .map(request => request.resourceType);\n\n if (invalidResourceTypes.length) {\n throw new InputError(\n `Unexpected resource types: ${invalidResourceTypes.join(', ')}.`,\n );\n }\n };\n\n const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n if (!parseResult.success) {\n throw new InputError(parseResult.error.toString());\n }\n\n const body = parseResult.data;\n\n assertValidResourceTypes(body.items);\n\n const resourceRefsByResourceType = body.items.reduce<\n Record<string, Set<string>>\n >((acc, item) => {\n if (!acc[item.resourceType]) {\n acc[item.resourceType] = new Set();\n }\n acc[item.resourceType].add(item.resourceRef);\n return acc;\n }, {});\n\n const resourcesByResourceType: Record<string, Record<string, any>> = {};\n for (const resourceType of Object.keys(resourceRefsByResourceType)) {\n const getResources = getResourcesByResourceType[resourceType];\n if (!getResources) {\n throw new NotImplementedError(\n `This plugin does not expose any permission rule or can't evaluate the conditions request for ${resourceType}`,\n );\n }\n const resourceRefs = Array.from(\n resourceRefsByResourceType[resourceType],\n );\n const resources = await getResources(resourceRefs);\n resourceRefs.forEach((resourceRef, index) => {\n if (!resourcesByResourceType[resourceType]) {\n resourcesByResourceType[resourceType] = {};\n }\n resourcesByResourceType[resourceType][resourceRef] = resources[index];\n });\n }\n\n return res.json({\n items: body.items.map(request => ({\n id: request.id,\n result: applyConditions(\n request.conditions,\n resourcesByResourceType[request.resourceType][request.resourceRef],\n ruleMapByResourceType[request.resourceType],\n )\n ? AuthorizeResult.ALLOW\n : AuthorizeResult.DENY,\n })),\n });\n },\n );\n\n router.use(errorHandler());\n\n return router;\n}\n\nfunction isCreatePermissionIntegrationRouterResourceOptions<\n TResourceType extends string,\n TResource,\n>(\n options:\n \| { permissions: Array<Permission> }\n \| CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n >,\n): options is CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n> {\n return (\n (\n options as CreatePermissionIntegrationRouterResourceOptions<\n TResourceType,\n TResource\n >\n ).resourceType !== undefined\n );\n}\n","/\n * Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PermissionRuleParams } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/\n Helper function to ensure that {@link PermissionRule} definitions are typed correctly.\n \n @public\n /\nexport const createPermissionRule = <\n TResource,\n TQuery,\n TResourceType extends string,\n TParams extends PermissionRuleParams = undefined,\n>(\n rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n) => rule;\n\n/\n Helper for making plugin-specific createPermissionRule functions, that have\n * the TResource and TQuery type parameters populated but infer the params from\n * the supplied rule. This helps ensure that rules created for this plugin use\n * consistent types for the resource and query.\n \n @public\n /\nexport const makeCreatePermissionRule =\n <TResource, TQuery, TResourceType extends string>() =>\n <TParams extends PermissionRuleParams = undefined>(\n rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n ) =>\n createPermissionRule(rule);\n","/\n * Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n TokenManager,\n createLegacyAuthAdapters,\n} from '@backstage/backend-common';\nimport {\n AuthService,\n BackstageCredentials,\n DiscoveryService,\n PermissionsService,\n PermissionsServiceRequestOptions,\n} from '@backstage/backend-plugin-api';\nimport { Config } from '@backstage/config';\nimport {\n AuthorizeResult,\n PermissionClient,\n AuthorizePermissionRequest,\n AuthorizePermissionResponse,\n PolicyDecision,\n QueryPermissionRequest,\n} from '@backstage/plugin-permission-common';\n\n/\n A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * service-to-service requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionsService {\n readonly #auth: AuthService;\n readonly #permissionClient: PermissionClient;\n readonly #permissionEnabled: boolean;\n\n static fromConfig(\n config: Config,\n options: {\n discovery: DiscoveryService;\n tokenManager: TokenManager;\n auth?: AuthService;\n },\n ) {\n const { discovery, tokenManager } = options;\n const permissionClient = new PermissionClient({ discovery, config });\n const permissionEnabled =\n config.getOptionalBoolean('permission.enabled') ?? false;\n\n if (\n permissionEnabled &&\n (tokenManager as any).isInsecureServerTokenManager\n ) {\n throw new Error(\n 'Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth',\n );\n }\n\n const { auth } = createLegacyAuthAdapters(options);\n\n return new ServerPermissionClient({\n auth,\n permissionClient,\n permissionEnabled,\n });\n }\n\n private constructor(options: {\n auth: AuthService;\n permissionClient: PermissionClient;\n permissionEnabled: boolean;\n }) {\n this.#auth = options.auth;\n this.#permissionClient = options.permissionClient;\n this.#permissionEnabled = options.permissionEnabled;\n }\n\n async authorizeConditional(\n queries: QueryPermissionRequest[],\n options?: PermissionsServiceRequestOptions,\n ): Promise<PolicyDecision[]> {\n if (await this.#shouldPermissionsBeApplied(options)) {\n return this.#permissionClient.authorizeConditional(\n queries,\n await this.#getRequestOptions(options),\n );\n }\n\n return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n async authorize(\n requests: AuthorizePermissionRequest[],\n options?: PermissionsServiceRequestOptions,\n ): Promise<AuthorizePermissionResponse[]> {\n if (await this.#shouldPermissionsBeApplied(options)) {\n return this.#permissionClient.authorize(\n requests,\n await this.#getRequestOptions(options),\n );\n }\n\n return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n }\n\n async #getRequestOptions(options?: PermissionsServiceRequestOptions) {\n if (options && 'credentials' in options) {\n if (this.#auth.isPrincipal(options.credentials, 'none')) {\n return {};\n }\n\n return this.#auth.getPluginRequestToken({\n onBehalfOf: options.credentials,\n targetPluginId: 'permissions',\n });\n }\n\n return options;\n }\n\n async #shouldPermissionsBeApplied(\n options?: PermissionsServiceRequestOptions,\n ) {\n if (!this.#permissionEnabled) {\n return false;\n }\n\n let credentials: BackstageCredentials;\n if (options && 'credentials' in options) {\n credentials = options.credentials;\n } else {\n if (!options?.token) {\n return true;\n }\n try {\n credentials = await this.#auth.authenticate(options.token);\n } catch {\n return true;\n }\n }\n\n if (this.#auth.isPrincipal(credentials, 'service')) {\n return false;\n }\n return true;\n }\n}\n"],"names":["AuthorizeResult","InputError","z","Router","express","_a","zodToJsonSchema","NotImplementedError","errorHandler","PermissionClient","createLegacyAuthAdapters"],"mappings":";;;;;;;;;;;;;;;;;;AAsCa,MAAA,sBAAA,GAAyB,CAIpC,IACG,KAAA;AACH,EAAA,OAAO,CAAC,MAAiE,KAAA;AACvE,IAAO,OAAA;AAAA,MACL,MAAM,IAAK,CAAA,IAAA;AAAA,MACX,cAAc,IAAK,CAAA,YAAA;AAAA,MACnB,MAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACwBa,MAAA,sBAAA,GAAyB,CAIpC,OAUG,KAAA;AACH,EAAA,MAAM,EAAE,QAAA,EAAU,YAAc,EAAA,KAAA,EAAU,GAAA,OAAA,CAAA;AAE1C,EAAO,OAAA;AAAA,IACL,UAAY,EAAA,MAAA,CAAO,OAAQ,CAAA,KAAK,CAAE,CAAA,MAAA;AAAA,MAChC,CAAC,GAAA,EAAK,CAAC,GAAA,EAAK,IAAI,CAAO,MAAA;AAAA,QACrB,GAAG,GAAA;AAAA,QACH,CAAC,GAAG,GAAG,sBAAA,CAAuB,IAAI,CAAA;AAAA,OACpC,CAAA;AAAA,MACA,EAAC;AAAA,KACH;AAAA,IACA,yBAAA,EAA2B,CACzB,WAAA,EACA,UACI,MAAA;AAAA,MACJ,QAAQA,sCAAgB,CAAA,WAAA;AAAA,MACxB,QAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACtEa,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,YAAA,GAAe,CAC1B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,KAAK,EAAA;AAEzC,MAAA,aAAA,GAAgB,CAC3B,KACG,KAAA;AACH,EAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,MAAA,CAAO,OAAO,KAAK,CAAA,CAAE,GAAI,CAAA,CAAA,IAAA,KAAQ,CAAC,IAAA,CAAK,IAAM,EAAA,IAAI,CAAC,CAAC,CAAA,CAAA;AAE5E,EAAA,OAAO,CAAC,IAA4D,KAAA;AAClE,IAAM,MAAA,IAAA,GAAO,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAA,MAAM,IAAI,KAAA,CAAM,CAA+B,4BAAA,EAAA,IAAI,CAAE,CAAA,CAAA,CAAA;AAAA,KACvD;AAEA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;ACvDA,MAAM,aAAA,GAAgB,CACpB,QAAA,EACA,OAC+B,KAAA;AAjCjC,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAkCE,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAO,OAAA;AAAA,MACL,GAAK,EAAA,aAAA,CAAc,QAAS,CAAA,GAAA,EAAK,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAmB,UAAU,QAAS,CAAA,MAAA,CAAA,CAAA;AAErD,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAIC,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,OAAQ,CAAA,CAAA,EAAA,GAAA,QAAA,CAAS,MAAT,KAAA,IAAA,GAAA,EAAA,GAAmB,EAAE,CAAA,CAAA;AAC3C,CAAA,CAAA;AAsBa,MAAA,0BAAA,GAA6B,CAIxC,eACiC,KAAA;AACjC,EAAM,MAAA,OAAA,GAAU,cAAc,eAAe,CAAA,CAAA;AAE7C,EAAO,OAAA,CAAA,UAAA,KAAc,aAAc,CAAA,UAAA,EAAY,OAAO,CAAA,CAAA;AACxD;;AC9CA,MAAM,2BAEFC,KAAE,CAAA,IAAA;AAAA,EAAK,MACTA,MAAE,KAAM,CAAA;AAAA,IACNA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAE,CAAA,MAAA,CAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA;AAAA,IAC1CA,MAAE,MAAO,CAAA;AAAA,MACP,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,MACf,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,QAAQA,KAAE,CAAA,MAAA,CAAOA,MAAE,GAAI,EAAC,EAAE,QAAS,EAAA;AAAA,KACpC,CAAA;AAAA,GACF,CAAA;AACH,CAAA,CAAA;AAEA,MAAM,4BAAA,GAA+BA,MAAE,MAAO,CAAA;AAAA,EAC5C,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,WAAA,EAAaA,MAAE,MAAO,EAAA;AAAA,MACtB,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,UAAY,EAAA,wBAAA;AAAA,KACb,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AAgED,MAAM,eAAkB,GAAA,CACtB,QACA,EAAA,QAAA,EACA,OACY,KAAA;AArId,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAyIE,EAAA,IAAI,aAAa,KAAW,CAAA,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAA,OAAO,SAAS,KAAM,CAAA,KAAA;AAAA,MAAM,CAC1B,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAA,OAAO,SAAS,KAAM,CAAA,IAAA;AAAA,MAAK,CACzB,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAA,OAAO,CAAC,eAAA,CAAgB,QAAS,CAAA,GAAA,EAAK,UAAU,OAAO,CAAA,CAAA;AAAA,GACzD;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAmB,UAAU,QAAS,CAAA,MAAA,CAAA,CAAA;AAErD,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAID,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,KAAM,CAAA,QAAA,EAAA,CAAU,cAAS,MAAT,KAAA,IAAA,GAAA,EAAA,GAAmB,EAAE,CAAA,CAAA;AACnD,CAAA,CAAA;AASa,MAAA,yBAAA,GAA4B,CACvC,KACG,KAAA;AACH,EAAM,MAAA,OAAA,GAAU,cAAc,KAAK,CAAA,CAAA;AAEnC,EAAO,OAAA,CACL,UACA,QACY,KAAA;AACZ,IAAI,IAAA,QAAA,CAAS,MAAW,KAAAD,sCAAA,CAAgB,WAAa,EAAA;AACnD,MAAA,OAAO,eAAgB,CAAA,QAAA,CAAS,UAAY,EAAA,QAAA,EAAU,OAAO,CAAA,CAAA;AAAA,KAC/D;AAEA,IAAO,OAAA,QAAA,CAAS,WAAWA,sCAAgB,CAAA,KAAA,CAAA;AAAA,GAC7C,CAAA;AACF,EAAA;AAiHO,SAAS,kCAQd,OAcgB,EAAA;AAhUlB,EAAA,IAAA,EAAA,CAAA;AAiUE,EAAA,MAAM,oBAAuB,GAAA,OAAA,CAAA;AAC7B,EAAA,MAAM,UAAa,GAAA;AAAA,IACjB,oBAAA,CAAqB,SAAY,GAAA,oBAAA,CAAqB,SAAY,GAAA,OAAA;AAAA,IAClE,IAAK,EAAA,CAAA;AACP,EAAA,MAAM,WAAW,UAAW,CAAA,OAAA;AAAA,IAC1B,CAAA,MAAA,KAEI,MAIA,CAAA,KAAA,IAAS,EAAC;AAAA,GAChB,CAAA;AACA,EAAA,MAAM,cAAiB,GAAA;AAAA,IACrB,GAAK,OAA0C,CAAA,WAAA,IAAe,EAAC;AAAA,IAC/D,GAAA,CAAA,CAAI,EAAqB,GAAA,oBAAA,CAAA,SAAA,KAArB,IAAgC,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,OAAA,CAAQ,OAAK,CAAE,CAAA,WAAA,IAAe,EAAC,CAAA,KACjE,EAAC;AAAA,GACL,CAAA;AAEA,EAAA,MAAM,gBAAmB,GAAA,UAAA,CAAW,MAAO,CAAA,CAAC,KAAK,MAAW,KAAA;AAC1D,IACE,IAAA,kDAAA;AAAA,MACE,MAAA;AAAA,KAOF,EAAA;AACA,MAAI,GAAA,CAAA,IAAA;AAAA,QAEA,MAIA,CAAA,YAAA;AAAA,OACJ,CAAA;AAAA,KACF;AACA,IAAO,OAAA,GAAA,CAAA;AAAA,GACT,EAAG,EAAc,CAAA,CAAA;AAEjB,EAAA,MAAM,SAASG,0BAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,2BAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,6CAAA,EAA+C,CAAC,CAAA,EAAG,GAAQ,KAAA;AACpE,IAAA,MAAM,kBAAoD,QAAS,CAAA,GAAA;AAAA,MACjE,CAAK,IAAA,KAAA;AAhXX,QAAAC,IAAAA,GAAAA,CAAAA;AAgXe,QAAA,OAAA;AAAA,UACP,MAAM,IAAK,CAAA,IAAA;AAAA,UACX,aAAa,IAAK,CAAA,WAAA;AAAA,UAClB,cAAc,IAAK,CAAA,YAAA;AAAA,UACnB,YAAA,EAAcC,mCAAgBD,CAAAA,CAAAA,GAAAA,GAAA,IAAK,CAAA,YAAA,KAAL,IAAAA,GAAAA,GAAAA,GAAqBH,KAAE,CAAA,MAAA,CAAO,EAAE,CAAC,CAAA;AAAA,SACjE,CAAA;AAAA,OAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,YAAiC,GAAA;AAAA,MACrC,WAAa,EAAA,cAAA;AAAA,MACb,KAAO,EAAA,eAAA;AAAA,KACT,CAAA;AAEA,IAAO,OAAA,GAAA,CAAI,KAAK,YAAY,CAAA,CAAA;AAAA,GAC7B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,qDAAA;AAAA,IACA,OAAO,KAAK,GAAoD,KAAA;AAC9D,MAAA,MAAM,wBAGF,EAAC,CAAA;AACL,MAAA,MAAM,6BAMF,EAAC,CAAA;AAEL,MAAA,KAAA,IAAS,UAAU,UAAY,EAAA;AAC7B,QAAS,MAAA,GAAA,MAAA,CAAA;AAMT,QAAI,IAAA,kDAAA,CAAmD,MAAM,CAAG,EAAA;AAC9D,UAAsB,qBAAA,CAAA,MAAA,CAAO,YAAY,CAAI,GAAA,aAAA;AAAA,YAC3C,MAAO,CAAA,KAAA;AAAA,WACT,CAAA;AAEA,UAA2B,0BAAA,CAAA,MAAA,CAAO,YAAY,CAAA,GAAI,MAAO,CAAA,YAAA,CAAA;AAAA,SAC3D;AAAA,OACF;AAEA,MAAM,MAAA,wBAAA,GAA2B,CAC/B,QACG,KAAA;AACH,QAAA,MAAM,oBAAuB,GAAA,QAAA,CAC1B,MAAO,CAAA,CAAA,OAAA,KAAW,CAAC,gBAAiB,CAAA,QAAA,CAAS,OAAQ,CAAA,YAAY,CAAC,CAAA,CAClE,GAAI,CAAA,CAAA,OAAA,KAAW,QAAQ,YAAY,CAAA,CAAA;AAEtC,QAAA,IAAI,qBAAqB,MAAQ,EAAA;AAC/B,UAAA,MAAM,IAAID,iBAAA;AAAA,YACR,CAA8B,2BAAA,EAAA,oBAAA,CAAqB,IAAK,CAAA,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,WAC/D,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,WAAc,GAAA,4BAAA,CAA6B,SAAU,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAEnE,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIA,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,wBAAA,CAAyB,KAAK,KAAK,CAAA,CAAA;AAEnC,MAAA,MAAM,6BAA6B,IAAK,CAAA,KAAA,CAAM,MAE5C,CAAA,CAAC,KAAK,IAAS,KAAA;AACf,QAAA,IAAI,CAAC,GAAA,CAAI,IAAK,CAAA,YAAY,CAAG,EAAA;AAC3B,UAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAI,mBAAA,IAAI,GAAI,EAAA,CAAA;AAAA,SACnC;AACA,QAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAE,CAAA,GAAA,CAAI,KAAK,WAAW,CAAA,CAAA;AAC3C,QAAO,OAAA,GAAA,CAAA;AAAA,OACT,EAAG,EAAE,CAAA,CAAA;AAEL,MAAA,MAAM,0BAA+D,EAAC,CAAA;AACtE,MAAA,KAAA,MAAW,YAAgB,IAAA,MAAA,CAAO,IAAK,CAAA,0BAA0B,CAAG,EAAA;AAClE,QAAM,MAAA,YAAA,GAAe,2BAA2B,YAAY,CAAA,CAAA;AAC5D,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAA,MAAM,IAAIM,0BAAA;AAAA,YACR,gGAAgG,YAAY,CAAA,CAAA;AAAA,WAC9G,CAAA;AAAA,SACF;AACA,QAAA,MAAM,eAAe,KAAM,CAAA,IAAA;AAAA,UACzB,2BAA2B,YAAY,CAAA;AAAA,SACzC,CAAA;AACA,QAAM,MAAA,SAAA,GAAY,MAAM,YAAA,CAAa,YAAY,CAAA,CAAA;AACjD,QAAa,YAAA,CAAA,OAAA,CAAQ,CAAC,WAAA,EAAa,KAAU,KAAA;AAC3C,UAAI,IAAA,CAAC,uBAAwB,CAAA,YAAY,CAAG,EAAA;AAC1C,YAAwB,uBAAA,CAAA,YAAY,IAAI,EAAC,CAAA;AAAA,WAC3C;AACA,UAAA,uBAAA,CAAwB,YAAY,CAAA,CAAE,WAAW,CAAA,GAAI,UAAU,KAAK,CAAA,CAAA;AAAA,SACrE,CAAA,CAAA;AAAA,OACH;AAEA,MAAA,OAAO,IAAI,IAAK,CAAA;AAAA,QACd,KAAO,EAAA,IAAA,CAAK,KAAM,CAAA,GAAA,CAAI,CAAY,OAAA,MAAA;AAAA,UAChC,IAAI,OAAQ,CAAA,EAAA;AAAA,UACZ,MAAQ,EAAA,eAAA;AAAA,YACN,OAAQ,CAAA,UAAA;AAAA,YACR,uBAAwB,CAAA,OAAA,CAAQ,YAAY,CAAA,CAAE,QAAQ,WAAW,CAAA;AAAA,YACjE,qBAAA,CAAsB,QAAQ,YAAY,CAAA;AAAA,WAC5C,GACIP,sCAAgB,CAAA,KAAA,GAChBA,sCAAgB,CAAA,IAAA;AAAA,SACpB,CAAA,CAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAEA,EAAO,MAAA,CAAA,GAAA,CAAIQ,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,mDAIP,OASA,EAAA;AACA,EAAA,OAEI,QAIA,YAAiB,KAAA,KAAA,CAAA,CAAA;AAEvB;;ACvea,MAAA,oBAAA,GAAuB,CAMlC,IACG,KAAA,KAAA;AAUE,MAAM,wBACX,GAAA,MACA,CACE,IAAA,KAEA,qBAAqB,IAAI;;;;;;;;;;;;;;;;;;;;;;;;AC9C7B,IAAA,KAAA,EAAA,iBAAA,EAAA,kBAAA,EAAA,kBAAA,EAAA,oBAAA,EAAA,2BAAA,EAAA,6BAAA,CAAA;AA2CO,MAAM,uBAAA,GAAN,MAAM,uBAAqD,CAAA;AAAA,EAoCxD,YAAY,OAIjB,EAAA;AAkCH,IAAM,YAAA,CAAA,IAAA,EAAA,kBAAA,CAAA,CAAA;AAeN,IAAM,YAAA,CAAA,IAAA,EAAA,2BAAA,CAAA,CAAA;AAxFN,IAAA,YAAA,CAAA,IAAA,EAAS,KAAT,EAAA,KAAA,CAAA,CAAA,CAAA;AACA,IAAA,YAAA,CAAA,IAAA,EAAS,iBAAT,EAAA,KAAA,CAAA,CAAA,CAAA;AACA,IAAA,YAAA,CAAA,IAAA,EAAS,kBAAT,EAAA,KAAA,CAAA,CAAA,CAAA;AAsCE,IAAA,YAAA,CAAA,IAAA,EAAK,OAAQ,OAAQ,CAAA,IAAA,CAAA,CAAA;AACrB,IAAA,YAAA,CAAA,IAAA,EAAK,mBAAoB,OAAQ,CAAA,gBAAA,CAAA,CAAA;AACjC,IAAA,YAAA,CAAA,IAAA,EAAK,oBAAqB,OAAQ,CAAA,iBAAA,CAAA,CAAA;AAAA,GACpC;AAAA,EAvCA,OAAO,UACL,CAAA,MAAA,EACA,OAKA,EAAA;AAvDJ,IAAA,IAAA,EAAA,CAAA;AAwDI,IAAM,MAAA,EAAE,SAAW,EAAA,YAAA,EAAiB,GAAA,OAAA,CAAA;AACpC,IAAA,MAAM,mBAAmB,IAAIC,uCAAA,CAAiB,EAAE,SAAA,EAAW,QAAQ,CAAA,CAAA;AACnE,IAAA,MAAM,iBACJ,GAAA,CAAA,EAAA,GAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,MAA9C,IAAmD,GAAA,EAAA,GAAA,KAAA,CAAA;AAErD,IACE,IAAA,iBAAA,IACC,aAAqB,4BACtB,EAAA;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,yJAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,sCAAA,CAAyB,OAAO,CAAA,CAAA;AAEjD,IAAA,OAAO,IAAI,uBAAuB,CAAA;AAAA,MAChC,IAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAYA,MAAM,oBACJ,CAAA,OAAA,EACA,OAC2B,EAAA;AAC3B,IAAA,IAAI,MAAM,eAAA,CAAA,IAAA,EAAK,2BAAL,EAAA,6BAAA,CAAA,CAAA,IAAA,CAAA,IAAA,EAAiC,OAAU,CAAA,EAAA;AACnD,MAAA,OAAO,mBAAK,iBAAkB,CAAA,CAAA,oBAAA;AAAA,QAC5B,OAAA;AAAA,QACA,MAAM,eAAK,CAAA,IAAA,EAAA,kBAAA,EAAA,oBAAA,CAAA,CAAL,IAAwB,CAAA,IAAA,EAAA,OAAA,CAAA;AAAA,OAChC,CAAA;AAAA,KACF;AAEA,IAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAV,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,GAC7D;AAAA,EAEA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAA,IAAI,MAAM,eAAA,CAAA,IAAA,EAAK,2BAAL,EAAA,6BAAA,CAAA,CAAA,IAAA,CAAA,IAAA,EAAiC,OAAU,CAAA,EAAA;AACnD,MAAA,OAAO,mBAAK,iBAAkB,CAAA,CAAA,SAAA;AAAA,QAC5B,QAAA;AAAA,QACA,MAAM,eAAK,CAAA,IAAA,EAAA,kBAAA,EAAA,oBAAA,CAAA,CAAL,IAAwB,CAAA,IAAA,EAAA,OAAA,CAAA;AAAA,OAChC,CAAA;AAAA,KACF;AAEA,IAAA,OAAO,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,GAC9D;AA2CF,CAAA,CAAA;AAlHW,KAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AACA,iBAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AACA,kBAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AAuEH,kBAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AAAA,oBAAA,GAAkB,eAAC,OAA4C,EAAA;AACnE,EAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,IAAA,IAAI,mBAAK,KAAM,CAAA,CAAA,WAAA,CAAY,OAAQ,CAAA,WAAA,EAAa,MAAM,CAAG,EAAA;AACvD,MAAA,OAAO,EAAC,CAAA;AAAA,KACV;AAEA,IAAO,OAAA,YAAA,CAAA,IAAA,EAAK,OAAM,qBAAsB,CAAA;AAAA,MACtC,YAAY,OAAQ,CAAA,WAAA;AAAA,MACpB,cAAgB,EAAA,aAAA;AAAA,KACjB,CAAA,CAAA;AAAA,GACH;AAEA,EAAO,OAAA,OAAA,CAAA;AACT,CAAA,CAAA;AAEM,2BAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AAAA,6BAAA,GAA2B,eAC/B,OACA,EAAA;AACA,EAAI,IAAA,CAAC,mBAAK,kBAAoB,CAAA,EAAA;AAC5B,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,WAAA,CAAA;AACJ,EAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,IAAA,WAAA,GAAc,OAAQ,CAAA,WAAA,CAAA;AAAA,GACjB,MAAA;AACL,IAAI,IAAA,EAAC,mCAAS,KAAO,CAAA,EAAA;AACnB,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,WAAA,GAAc,MAAM,YAAA,CAAA,IAAA,EAAK,KAAM,CAAA,CAAA,YAAA,CAAa,QAAQ,KAAK,CAAA,CAAA;AAAA,KACnD,CAAA,MAAA;AACN,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAAA,GACF;AAEA,EAAA,IAAI,YAAK,CAAA,IAAA,EAAA,KAAA,CAAA,CAAM,WAAY,CAAA,WAAA,EAAa,SAAS,CAAG,EAAA;AAClD,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AACA,EAAO,OAAA,IAAA,CAAA;AACT,CAAA,CAAA;AAlHK,IAAM,sBAAN,GAAA;;;;;;;;;;;;;;"}

package/dist/index.d.ts CHANGED Viewed

@@ -1,9 +1,10 @@
-import { PermissionCriteria, AllOfCriteria, AnyOfCriteria, NotCriteria, PermissionRuleParams, PermissionCondition, ResourcePermission, ConditionalPolicyDecision, IdentifiedPermissionMessage, DefinitivePolicyDecision, Permission, PolicyDecision, PermissionEvaluator, QueryPermissionRequest, EvaluatorRequestOptions, AuthorizePermissionRequest, AuthorizePermissionResponse } from '@backstage/plugin-permission-common';
+import { PermissionCriteria, AllOfCriteria, AnyOfCriteria, NotCriteria, PermissionRuleParams, PermissionCondition, ResourcePermission, ConditionalPolicyDecision, IdentifiedPermissionMessage, DefinitivePolicyDecision, Permission, PolicyDecision, QueryPermissionRequest, AuthorizePermissionRequest, AuthorizePermissionResponse } from '@backstage/plugin-permission-common';
 import { z } from 'zod';
 import express from 'express';
 import zodToJsonSchema from 'zod-to-json-schema';
 import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
-import { PluginEndpointDiscovery, TokenManager } from '@backstage/backend-common';
+import { TokenManager } from '@backstage/backend-common';
+import { PermissionsService, DiscoveryService, AuthService, PermissionsServiceRequestOptions } from '@backstage/backend-plugin-api';
 import { Config } from '@backstage/config';
 /**
@@ -354,19 +355,16 @@ interface PermissionPolicy {
  * service-to-service requests.
  * @public
  */
-declare class ServerPermissionClient implements PermissionEvaluator {
-    private readonly permissionClient;
-    private readonly tokenManager;
-    private readonly permissionEnabled;
+declare class ServerPermissionClient implements PermissionsService {
+    #private;
     static fromConfig(config: Config, options: {
-        discovery: PluginEndpointDiscovery;
+        discovery: DiscoveryService;
         tokenManager: TokenManager;
+        auth?: AuthService;
     }): ServerPermissionClient;
     private constructor();
-    authorizeConditional(queries: QueryPermissionRequest[], options?: EvaluatorRequestOptions): Promise<PolicyDecision[]>;
-    authorize(requests: AuthorizePermissionRequest[], options?: EvaluatorRequestOptions): Promise<AuthorizePermissionResponse[]>;
-    private isValidServerToken;
-    private isEnabled;
+    authorizeConditional(queries: QueryPermissionRequest[], options?: PermissionsServiceRequestOptions): Promise<PolicyDecision[]>;
+    authorize(requests: AuthorizePermissionRequest[], options?: PermissionsServiceRequestOptions): Promise<AuthorizePermissionResponse[]>;
 }
 export { ApplyConditionsRequest, ApplyConditionsRequestEntry, ApplyConditionsResponse, ApplyConditionsResponseEntry, Condition, ConditionTransformer, Conditions, CreatePermissionIntegrationRouterResourceOptions, MetadataResponse, MetadataResponseSerializedRule, PermissionIntegrationRouterOptions, PermissionPolicy, PermissionRule, PolicyQuery, ServerPermissionClient, createConditionAuthorizer, createConditionExports, createConditionFactory, createConditionTransformer, createPermissionIntegrationRouter, createPermissionRule, isAndCriteria, isNotCriteria, isOrCriteria, makeCreatePermissionRule };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-permission-node",
   "description": "Common permission and authorization utilities for backend plugins",
-  "version": "0.7.24",
+  "version": "0.7.25-next.1",
   "main": "./dist/index.cjs.js",
   "types": "./dist/index.d.ts",
   "license": "Apache-2.0",
@@ -44,12 +44,12 @@
     "start": "backstage-cli package start"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.21.3",
-    "@backstage/backend-plugin-api": "^0.6.13",
-    "@backstage/config": "^1.1.1",
-    "@backstage/errors": "^1.2.3",
-    "@backstage/plugin-auth-node": "^0.4.8",
-    "@backstage/plugin-permission-common": "^0.7.12",
+    "@backstage/backend-common": "^0.21.4-next.1",
+    "@backstage/backend-plugin-api": "^0.6.14-next.1",
+    "@backstage/config": "^1.2.0-next.1",
+    "@backstage/errors": "^1.2.4-next.0",
+    "@backstage/plugin-auth-node": "^0.4.9-next.1",
+    "@backstage/plugin-permission-common": "^0.7.13-next.1",
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
@@ -57,8 +57,8 @@
     "zod-to-json-schema": "^3.20.4"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.3.3",
-    "@backstage/cli": "^0.25.2",
+    "@backstage/backend-test-utils": "^0.3.4-next.1",
+    "@backstage/cli": "^0.25.3-next.1",
     "@types/supertest": "^2.0.8",
     "msw": "^1.0.0",
     "supertest": "^6.1.3"