@backstage/plugin-permission-node 0.8.1 → 0.8.3-next.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @backstage/plugin-permission-node
 
+## 0.8.3-next.0
+
+### Patch Changes
+
+- 19ff127: Internal refactor to remove dependencies on the identity and token manager services, which have been removed. Public APIs no longer require the identity service or token manager to be provided.
+- Updated dependencies
+  - @backstage/backend-plugin-api@0.9.0-next.0
+  - @backstage/backend-common@0.25.0-next.0
+  - @backstage/plugin-auth-node@0.5.2-next.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/plugin-permission-common@0.8.1
+
 ## 0.8.1
 
 ### Patch Changes

package/alpha/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-node__alpha",
-  "version": "0.8.1",
+  "version": "0.8.3-next.0",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/dist/index.cjs.js

@@ -259,7 +259,7 @@ class ServerPermissionClient {
     const { discovery, tokenManager } = options;
     const permissionClient = new pluginPermissionCommon.PermissionClient({ discovery, config });
     const permissionEnabled = config.getOptionalBoolean("permission.enabled") ?? false;
-    if (permissionEnabled && tokenManager.isInsecureServerTokenManager) {
+    if (permissionEnabled && tokenManager && tokenManager.isInsecureServerTokenManager) {
       throw new Error(
         "Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth"
       );

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/integration/createPermissionRule.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  PermissionCondition,\n  PermissionRuleParams,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Creates a condition factory function for a given authorization rule and parameter types.\n *\n * @remarks\n *\n * For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n *\n * Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n *\n * @public\n */\nexport const createConditionFactory = <\n  TResourceType extends string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n>(\n  rule: PermissionRule<unknown, unknown, TResourceType, TParams>,\n) => {\n  return (params: TParams): PermissionCondition<TResourceType, TParams> => {\n    return {\n      rule: rule.name,\n      resourceType: rule.resourceType,\n      params,\n    };\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n  PermissionCondition,\n  PermissionCriteria,\n  ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/**\n * A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n *\n * @public\n */\nexport type Condition<TRule> = TRule extends PermissionRule<\n  any,\n  any,\n  infer TResourceType,\n  infer TParams\n>\n  ? undefined extends TParams\n    ? () => PermissionCondition<TResourceType, TParams>\n    : (params: TParams) => PermissionCondition<TResourceType, TParams>\n  : never;\n\n/**\n * A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n *\n * @public\n */\nexport type Conditions<\n  TRules extends Record<string, PermissionRule<any, any, any>>,\n> = {\n  [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/**\n * Creates the recommended condition-related exports for a given plugin based on\n * the built-in {@link PermissionRule}s it supports.\n *\n * @remarks\n *\n * The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for\n * each of the supplied {@link PermissionRule}s, along with a\n * `createConditionalDecision` function which builds the wrapper object needed\n * to enclose conditions when authoring {@link PermissionPolicy}\n * implementations.\n *\n * Plugin authors should generally call this method with all the built-in\n * {@link PermissionRule}s the plugin supports, and export the resulting\n * `conditions` object and `createConditionalDecision` function so that they can\n * be used by {@link PermissionPolicy} authors.\n *\n * @public\n */\nexport const createConditionExports = <\n  TResourceType extends string,\n  TResource,\n  TRules extends Record<string, PermissionRule<TResource, any, TResourceType>>,\n>(options: {\n  pluginId: string;\n  resourceType: TResourceType;\n  rules: TRules;\n}): {\n  conditions: Conditions<TRules>;\n  createConditionalDecision: (\n    permission: ResourcePermission<TResourceType>,\n    conditions: PermissionCriteria<PermissionCondition<TResourceType>>,\n  ) => ConditionalPolicyDecision;\n} => {\n  const { pluginId, resourceType, rules } = options;\n\n  return {\n    conditions: Object.entries(rules).reduce(\n      (acc, [key, rule]) => ({\n        ...acc,\n        [key]: createConditionFactory(rule),\n      }),\n      {} as Conditions<TRules>,\n    ),\n    createConditionalDecision: (\n      _permission: ResourcePermission<TResourceType>,\n      conditions: PermissionCriteria<PermissionCondition>,\n    ) => ({\n      result: AuthorizeResult.CONDITIONAL,\n      pluginId,\n      resourceType,\n      conditions,\n    }),\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AllOfCriteria,\n  AnyOfCriteria,\n  NotCriteria,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Prevent use of type parameter from contributing to type inference.\n *\n * https://github.com/Microsoft/TypeScript/issues/14829#issuecomment-980401795\n * @ignore\n */\nexport type NoInfer<T> = T extends infer S ? S : never;\n\n/**\n * Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type allOf,\n * narrowing down `criteria` to the specific type.\n */\nexport const isAndCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is AllOfCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'allOf');\n\n/**\n * Utility function used to parse a PermissionCriteria of type\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type anyOf,\n * narrowing down `criteria` to the specific type.\n */\nexport const isOrCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is AnyOfCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'anyOf');\n\n/**\n * Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type not,\n * narrowing down `criteria` to the specific type.\n */\nexport const isNotCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is NotCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n  const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n  return (name: string): PermissionRule<TResource, TQuery, string> => {\n    const rule = rulesMap.get(name);\n\n    if (!rule) {\n      throw new Error(`Unexpected permission rule: ${name}`);\n    }\n\n    return rule;\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { InputError } from '@backstage/errors';\nimport {\n  AllOfCriteria,\n  AnyOfCriteria,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  getRule: (name: string) => PermissionRule<unknown, TQuery, string>,\n): PermissionCriteria<TQuery> => {\n  if (isAndCriteria(criteria)) {\n    return {\n      allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n    } as AllOfCriteria<TQuery>;\n  } else if (isOrCriteria(criteria)) {\n    return {\n      anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n    } as AnyOfCriteria<TQuery>;\n  } else if (isNotCriteria(criteria)) {\n    return {\n      not: mapConditions(criteria.not, getRule),\n    };\n  }\n\n  const rule = getRule(criteria.rule);\n  const result = rule.paramsSchema?.safeParse(criteria.params);\n\n  if (result && !result.success) {\n    throw new InputError(`Parameters to rule are invalid`, result.error);\n  }\n\n  return rule.toQuery(criteria.params ?? {});\n};\n\n/**\n * A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n *\n * @public\n */\nexport type ConditionTransformer<TQuery> = (\n  conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/**\n * A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n *\n * @public\n */\nexport const createConditionTransformer = <\n  TQuery,\n  TRules extends PermissionRule<any, TQuery, string>[],\n>(\n  permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n  const getRule = createGetRule(permissionRules);\n\n  return conditions => mapConditions(conditions, getRule);\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express, { Response } from 'express';\nimport Router from 'express-promise-router';\nimport { z } from 'zod';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { InputError } from '@backstage/errors';\nimport { errorHandler } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  DefinitivePolicyDecision,\n  IdentifiedPermissionMessage,\n  MetadataResponse as CommonMetadataResponse,\n  MetadataResponseSerializedRule as CommonMetadataResponseSerializedRule,\n  Permission,\n  PermissionCondition,\n  PermissionCriteria,\n  PolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  NoInfer,\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\nimport { NotImplementedError } from '@backstage/errors';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z.union([\n    z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }),\n    z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }),\n    z.object({ not: permissionCriteriaSchema }),\n    z.object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    }),\n  ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      resourceRef: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ),\n});\n\n/**\n * A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n *\n * @public\n */\nexport type ApplyConditionsRequestEntry = IdentifiedPermissionMessage<{\n  resourceRef: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n}>;\n\n/**\n * A batch of {@link ApplyConditionsRequestEntry} objects.\n *\n * @public\n */\nexport type ApplyConditionsRequest = {\n  items: ApplyConditionsRequestEntry[];\n};\n\n/**\n * The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n *\n * @public\n */\nexport type ApplyConditionsResponseEntry =\n  IdentifiedPermissionMessage<DefinitivePolicyDecision>;\n\n/**\n * A batch of {@link ApplyConditionsResponseEntry} objects.\n *\n * @public\n */\nexport type ApplyConditionsResponse = {\n  items: ApplyConditionsResponseEntry[];\n};\n\n/**\n * Serialized permission rules, with the paramsSchema\n * converted from a ZodSchema to a JsonSchema.\n *\n * @public\n * @deprecated Please import from `@backstage/plugin-permission-common` instead.\n */\nexport type MetadataResponseSerializedRule =\n  CommonMetadataResponseSerializedRule;\n\n/**\n * Response type for the .metadata endpoint.\n *\n * @public\n * @deprecated Please import from `@backstage/plugin-permission-common` instead.\n */\nexport type MetadataResponse = CommonMetadataResponse;\n\nconst applyConditions = <TResourceType extends string, TResource>(\n  criteria: PermissionCriteria<PermissionCondition<TResourceType>>,\n  resource: TResource | undefined,\n  getRule: (name: string) => PermissionRule<TResource, unknown, TResourceType>,\n): boolean => {\n  // If resource was not found, deny. This avoids leaking information from the\n  // apply-conditions API which would allow a user to differentiate between\n  // non-existent resources and resources to which they do not have access.\n  if (resource === undefined) {\n    return false;\n  }\n\n  if (isAndCriteria(criteria)) {\n    return criteria.allOf.every(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isOrCriteria(criteria)) {\n    return criteria.anyOf.some(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isNotCriteria(criteria)) {\n    return !applyConditions(criteria.not, resource, getRule);\n  }\n\n  const rule = getRule(criteria.rule);\n  const result = rule.paramsSchema?.safeParse(criteria.params);\n\n  if (result && !result.success) {\n    throw new InputError(`Parameters to rule are invalid`, result.error);\n  }\n\n  return rule.apply(resource, criteria.params ?? {});\n};\n\n/**\n * Takes some permission conditions and returns a definitive authorization result\n * on the resource to which they apply.\n *\n * @public\n */\nexport const createConditionAuthorizer = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n  const getRule = createGetRule(rules);\n\n  return (\n    decision: PolicyDecision,\n    resource: TResource | undefined,\n  ): boolean => {\n    if (decision.result === AuthorizeResult.CONDITIONAL) {\n      return applyConditions(decision.conditions, resource, getRule);\n    }\n\n    return decision.result === AuthorizeResult.ALLOW;\n  };\n};\n\n/**\n * Options for creating a permission integration router specific\n * for a particular resource type.\n *\n * @public\n */\nexport type CreatePermissionIntegrationRouterResourceOptions<\n  TResourceType extends string,\n  TResource,\n> = {\n  resourceType: TResourceType;\n  permissions?: Array<Permission>;\n  // Do not infer value of TResourceType from supplied rules.\n  // instead only consider the resourceType parameter, and\n  // consider any rules whose resource type does not match\n  // to be an error.\n  rules: PermissionRule<TResource, any, NoInfer<TResourceType>>[];\n  getResources?: (\n    resourceRefs: string[],\n  ) => Promise<Array<TResource | undefined>>;\n};\n\n/**\n * Options for creating a permission integration router exposing\n * permissions and rules from multiple resource types.\n *\n * @public\n */\nexport type PermissionIntegrationRouterOptions<\n  TResourceType1 extends string = string,\n  TResource1 = any,\n  TResourceType2 extends string = string,\n  TResource2 = any,\n  TResourceType3 extends string = string,\n  TResource3 = any,\n> = {\n  resources: Readonly<\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n      ]\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType2,\n          TResource2\n        >,\n      ]\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType2,\n          TResource2\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType3,\n          TResource3\n        >,\n      ]\n  >;\n};\n\n/**\n * Create an express Router which provides an authorization route to allow\n * integration between the permission backend and other Backstage backend\n * plugins. Plugin owners that wish to support conditional authorization for\n * their resources should add the router created by this function to their\n * express app inside their `createRouter` implementation.\n *\n * In case the `permissions` option is provided, the router also\n * provides a route that exposes permissions and routes of a plugin.\n *\n * In case resources is provided, the routes can handle permissions\n * for multiple resource types.\n *\n * @remarks\n *\n * To make this concrete, we can use the Backstage software catalog as an\n * example. The catalog has conditional rules around access to specific\n * _entities_ in the catalog. The _type_ of resource is captured here as\n * `resourceType`, a string identifier (`catalog-entity` in this example) that\n * can be provided with permission definitions. This is merely a _type_ to\n * verify that conditions in an authorization policy are constructed correctly,\n * not a reference to a specific resource.\n *\n * The `rules` parameter is an array of {@link PermissionRule}s that introduce\n * conditional filtering logic for resources; for the catalog, these are things\n * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list\n * of resources, and the `conditions` returned allow these rules to be applied\n * with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n *\n * The `getResources` argument should load resources based on a reference\n * identifier. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be\n * any serialized format. This is used to construct the\n * `createPermissionIntegrationRouter`, a function to add an authorization route\n * to your backend plugin. This function will be called by the\n * `permission-backend` when authorization conditions relating to this plugin\n * need to be evaluated.\n *\n * @public\n */\nexport function createPermissionIntegrationRouter<\n  TResourceType1 extends string,\n  TResource1,\n  TResourceType2 extends string,\n  TResource2,\n  TResourceType3 extends string,\n  TResource3,\n>(\n  options:\n    | { permissions: Array<Permission> }\n    | CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType1,\n        TResource1\n      >\n    | PermissionIntegrationRouterOptions<\n        TResourceType1,\n        TResource1,\n        TResourceType2,\n        TResource2,\n        TResourceType3,\n        TResource3\n      >,\n): express.Router {\n  const optionsWithResources = options as PermissionIntegrationRouterOptions;\n  const allOptions = [\n    optionsWithResources.resources ? optionsWithResources.resources : options,\n  ].flat();\n  const allRules = allOptions.flatMap(\n    option =>\n      (\n        option as CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >\n      ).rules || [],\n  );\n  const allPermissions = [\n    ...((options as { permissions: Permission[] }).permissions || []),\n    ...(optionsWithResources.resources?.flatMap(o => o.permissions || []) ||\n      []),\n  ];\n\n  const allResourceTypes = allOptions.reduce((acc, option) => {\n    if (\n      isCreatePermissionIntegrationRouterResourceOptions(\n        option as\n          | { permissions: Array<Permission> }\n          | CreatePermissionIntegrationRouterResourceOptions<\n              TResourceType1,\n              TResource1\n            >,\n      )\n    ) {\n      acc.push(\n        (\n          option as CreatePermissionIntegrationRouterResourceOptions<\n            TResourceType1,\n            TResource1\n          >\n        ).resourceType,\n      );\n    }\n    return acc;\n  }, [] as string[]);\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/.well-known/backstage/permissions/metadata', (_, res) => {\n    const serializedRules: MetadataResponseSerializedRule[] = allRules.map(\n      rule => ({\n        name: rule.name,\n        description: rule.description,\n        resourceType: rule.resourceType,\n        paramsSchema: zodToJsonSchema(rule.paramsSchema ?? z.object({})),\n      }),\n    );\n\n    const responseJson: MetadataResponse = {\n      permissions: allPermissions,\n      rules: serializedRules,\n    };\n\n    return res.json(responseJson);\n  });\n\n  router.post(\n    '/.well-known/backstage/permissions/apply-conditions',\n    async (req, res: Response<ApplyConditionsResponse | string>) => {\n      const ruleMapByResourceType: Record<\n        string,\n        ReturnType<typeof createGetRule>\n      > = {};\n      const getResourcesByResourceType: Record<\n        string,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >['getResources']\n      > = {};\n\n      for (let option of allOptions) {\n        option = option as\n          | { permissions: Array<Permission> }\n          | CreatePermissionIntegrationRouterResourceOptions<\n              TResourceType1,\n              TResource1\n            >;\n        if (isCreatePermissionIntegrationRouterResourceOptions(option)) {\n          ruleMapByResourceType[option.resourceType] = createGetRule(\n            option.rules,\n          );\n\n          getResourcesByResourceType[option.resourceType] = option.getResources;\n        }\n      }\n\n      const assertValidResourceTypes = (\n        requests: ApplyConditionsRequestEntry[],\n      ) => {\n        const invalidResourceTypes = requests\n          .filter(request => !allResourceTypes.includes(request.resourceType))\n          .map(request => request.resourceType);\n\n        if (invalidResourceTypes.length) {\n          throw new InputError(\n            `Unexpected resource types: ${invalidResourceTypes.join(', ')}.`,\n          );\n        }\n      };\n\n      const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      assertValidResourceTypes(body.items);\n\n      const resourceRefsByResourceType = body.items.reduce<\n        Record<string, Set<string>>\n      >((acc, item) => {\n        if (!acc[item.resourceType]) {\n          acc[item.resourceType] = new Set();\n        }\n        acc[item.resourceType].add(item.resourceRef);\n        return acc;\n      }, {});\n\n      const resourcesByResourceType: Record<string, Record<string, any>> = {};\n      for (const resourceType of Object.keys(resourceRefsByResourceType)) {\n        const getResources = getResourcesByResourceType[resourceType];\n        if (!getResources) {\n          throw new NotImplementedError(\n            `This plugin does not expose any permission rule or can't evaluate the conditions request for ${resourceType}`,\n          );\n        }\n        const resourceRefs = Array.from(\n          resourceRefsByResourceType[resourceType],\n        );\n        const resources = await getResources(resourceRefs);\n        resourceRefs.forEach((resourceRef, index) => {\n          if (!resourcesByResourceType[resourceType]) {\n            resourcesByResourceType[resourceType] = {};\n          }\n          resourcesByResourceType[resourceType][resourceRef] = resources[index];\n        });\n      }\n\n      return res.json({\n        items: body.items.map(request => ({\n          id: request.id,\n          result: applyConditions(\n            request.conditions,\n            resourcesByResourceType[request.resourceType][request.resourceRef],\n            ruleMapByResourceType[request.resourceType],\n          )\n            ? AuthorizeResult.ALLOW\n            : AuthorizeResult.DENY,\n        })),\n      });\n    },\n  );\n\n  // TODO(belugas): Remove this when dropping support to the legacy backend system because setting the error handler manually is no logger required in the new system.\n  router.use(errorHandler());\n\n  return router;\n}\n\nfunction isCreatePermissionIntegrationRouterResourceOptions<\n  TResourceType extends string,\n  TResource,\n>(\n  options:\n    | { permissions: Array<Permission> }\n    | CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType,\n        TResource\n      >,\n): options is CreatePermissionIntegrationRouterResourceOptions<\n  TResourceType,\n  TResource\n> {\n  return (\n    (\n      options as CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType,\n        TResource\n      >\n    ).resourceType !== undefined\n  );\n}\n","/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionRuleParams } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Helper function to ensure that {@link PermissionRule} definitions are typed correctly.\n *\n * @public\n */\nexport const createPermissionRule = <\n  TResource,\n  TQuery,\n  TResourceType extends string,\n  TParams extends PermissionRuleParams = undefined,\n>(\n  rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n) => rule;\n\n/**\n * Helper for making plugin-specific createPermissionRule functions, that have\n * the TResource and TQuery type parameters populated but infer the params from\n * the supplied rule. This helps ensure that rules created for this plugin use\n * consistent types for the resource and query.\n *\n * @public\n */\nexport const makeCreatePermissionRule =\n  <TResource, TQuery, TResourceType extends string>() =>\n  <TParams extends PermissionRuleParams = undefined>(\n    rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n  ) =>\n    createPermissionRule(rule);\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createLegacyAuthAdapters } from '@backstage/backend-common';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageServicePrincipal,\n  DiscoveryService,\n  PermissionsService,\n  PermissionsServiceRequestOptions,\n  TokenManagerService,\n} from '@backstage/backend-plugin-api';\nimport { Config } from '@backstage/config';\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  AuthorizeResult,\n  DefinitivePolicyDecision,\n  Permission,\n  PermissionClient,\n  PolicyDecision,\n  QueryPermissionRequest,\n} from '@backstage/plugin-permission-common';\n\n/**\n * A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * service-to-service requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionsService {\n  readonly #auth: AuthService;\n  readonly #permissionClient: PermissionClient;\n  readonly #permissionEnabled: boolean;\n\n  static fromConfig(\n    config: Config,\n    options: {\n      discovery: DiscoveryService;\n      tokenManager: TokenManagerService;\n      auth?: AuthService;\n    },\n  ) {\n    const { discovery, tokenManager } = options;\n    const permissionClient = new PermissionClient({ discovery, config });\n    const permissionEnabled =\n      config.getOptionalBoolean('permission.enabled') ?? false;\n\n    if (\n      permissionEnabled &&\n      (tokenManager as any).isInsecureServerTokenManager\n    ) {\n      throw new Error(\n        'Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth',\n      );\n    }\n\n    const { auth } = createLegacyAuthAdapters(options);\n\n    return new ServerPermissionClient({\n      auth,\n      permissionClient,\n      permissionEnabled,\n    });\n  }\n\n  private constructor(options: {\n    auth: AuthService;\n    permissionClient: PermissionClient;\n    permissionEnabled: boolean;\n  }) {\n    this.#auth = options.auth;\n    this.#permissionClient = options.permissionClient;\n    this.#permissionEnabled = options.permissionEnabled;\n  }\n\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<PolicyDecision[]> {\n    const credentials = await this.#getIncomingCredentials(options);\n    if (credentials && this.#auth.isPrincipal(credentials, 'service')) {\n      return this.#servicePrincipalDecision(queries, credentials);\n    } else if (!this.#permissionEnabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n    }\n\n    return this.#permissionClient.authorizeConditional(\n      queries,\n      await this.#getRequestOptions(options),\n    );\n  }\n\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    const credentials = await this.#getIncomingCredentials(options);\n    if (credentials && this.#auth.isPrincipal(credentials, 'service')) {\n      return this.#servicePrincipalDecision(requests, credentials);\n    } else if (!this.#permissionEnabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n    }\n\n    return this.#permissionClient.authorize(\n      requests,\n      await this.#getRequestOptions(options),\n    );\n  }\n\n  async #getRequestOptions(\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<{ token?: string } | undefined> {\n    if (options && 'credentials' in options) {\n      if (this.#auth.isPrincipal(options.credentials, 'none')) {\n        return {};\n      }\n\n      return this.#auth.getPluginRequestToken({\n        onBehalfOf: options.credentials,\n        targetPluginId: 'permission',\n      });\n    }\n\n    return options;\n  }\n\n  async #getIncomingCredentials(\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<BackstageCredentials | undefined> {\n    if (options && 'credentials' in options) {\n      return options.credentials;\n    }\n\n    return undefined;\n  }\n\n  /**\n   * For service principals, we can always make an immediate definitive decision\n   * based on their associated access restrictions (if any).\n   */\n  #servicePrincipalDecision(\n    input: { permission: Permission }[],\n    credentials: BackstageCredentials<BackstageServicePrincipal>,\n  ): DefinitivePolicyDecision[] {\n    const { permissionNames, permissionAttributes } =\n      credentials.principal.accessRestrictions ?? {};\n\n    return input.map(item => {\n      if (permissionNames && !permissionNames.includes(item.permission.name)) {\n        return { result: AuthorizeResult.DENY };\n      }\n\n      if (permissionAttributes?.action) {\n        const action = item.permission.attributes?.action;\n        if (!action || !permissionAttributes.action.includes(action)) {\n          return { result: AuthorizeResult.DENY };\n        }\n      }\n\n      return { result: AuthorizeResult.ALLOW };\n    });\n  }\n}\n"],"names":["AuthorizeResult","InputError","z","Router","express","zodToJsonSchema","NotImplementedError","errorHandler","PermissionClient","createLegacyAuthAdapters"],"mappings":";;;;;;;;;;;;;;;;AAsCa,MAAA,sBAAA,GAAyB,CAIpC,IACG,KAAA;AACH,EAAA,OAAO,CAAC,MAAiE,KAAA;AACvE,IAAO,OAAA;AAAA,MACL,MAAM,IAAK,CAAA,IAAA;AAAA,MACX,cAAc,IAAK,CAAA,YAAA;AAAA,MACnB,MAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACwBa,MAAA,sBAAA,GAAyB,CAIpC,OAUG,KAAA;AACH,EAAA,MAAM,EAAE,QAAA,EAAU,YAAc,EAAA,KAAA,EAAU,GAAA,OAAA,CAAA;AAE1C,EAAO,OAAA;AAAA,IACL,UAAY,EAAA,MAAA,CAAO,OAAQ,CAAA,KAAK,CAAE,CAAA,MAAA;AAAA,MAChC,CAAC,GAAA,EAAK,CAAC,GAAA,EAAK,IAAI,CAAO,MAAA;AAAA,QACrB,GAAG,GAAA;AAAA,QACH,CAAC,GAAG,GAAG,sBAAA,CAAuB,IAAI,CAAA;AAAA,OACpC,CAAA;AAAA,MACA,EAAC;AAAA,KACH;AAAA,IACA,yBAAA,EAA2B,CACzB,WAAA,EACA,UACI,MAAA;AAAA,MACJ,QAAQA,sCAAgB,CAAA,WAAA;AAAA,MACxB,QAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACtEa,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,YAAA,GAAe,CAC1B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,KAAK,EAAA;AAEzC,MAAA,aAAA,GAAgB,CAC3B,KACG,KAAA;AACH,EAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,MAAA,CAAO,OAAO,KAAK,CAAA,CAAE,GAAI,CAAA,CAAA,IAAA,KAAQ,CAAC,IAAA,CAAK,IAAM,EAAA,IAAI,CAAC,CAAC,CAAA,CAAA;AAE5E,EAAA,OAAO,CAAC,IAA4D,KAAA;AAClE,IAAM,MAAA,IAAA,GAAO,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAA,MAAM,IAAI,KAAA,CAAM,CAA+B,4BAAA,EAAA,IAAI,CAAE,CAAA,CAAA,CAAA;AAAA,KACvD;AAEA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;ACvDA,MAAM,aAAA,GAAgB,CACpB,QAAA,EACA,OAC+B,KAAA;AAC/B,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAO,OAAA;AAAA,MACL,GAAK,EAAA,aAAA,CAAc,QAAS,CAAA,GAAA,EAAK,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAc,EAAA,SAAA,CAAU,SAAS,MAAM,CAAA,CAAA;AAE3D,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAIC,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,IAAK,CAAA,OAAA,CAAQ,QAAS,CAAA,MAAA,IAAU,EAAE,CAAA,CAAA;AAC3C,CAAA,CAAA;AAsBa,MAAA,0BAAA,GAA6B,CAIxC,eACiC,KAAA;AACjC,EAAM,MAAA,OAAA,GAAU,cAAc,eAAe,CAAA,CAAA;AAE7C,EAAO,OAAA,CAAA,UAAA,KAAc,aAAc,CAAA,UAAA,EAAY,OAAO,CAAA,CAAA;AACxD;;AC5CA,MAAM,2BAEFC,KAAE,CAAA,IAAA;AAAA,EAAK,MACTA,MAAE,KAAM,CAAA;AAAA,IACNA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAE,CAAA,MAAA,CAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA;AAAA,IAC1CA,MAAE,MAAO,CAAA;AAAA,MACP,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,MACf,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,QAAQA,KAAE,CAAA,MAAA,CAAOA,MAAE,GAAI,EAAC,EAAE,QAAS,EAAA;AAAA,KACpC,CAAA;AAAA,GACF,CAAA;AACH,CAAA,CAAA;AAEA,MAAM,4BAAA,GAA+BA,MAAE,MAAO,CAAA;AAAA,EAC5C,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,WAAA,EAAaA,MAAE,MAAO,EAAA;AAAA,MACtB,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,UAAY,EAAA,wBAAA;AAAA,KACb,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AA2DD,MAAM,eAAkB,GAAA,CACtB,QACA,EAAA,QAAA,EACA,OACY,KAAA;AAIZ,EAAA,IAAI,aAAa,KAAW,CAAA,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAA,OAAO,SAAS,KAAM,CAAA,KAAA;AAAA,MAAM,CAC1B,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAA,OAAO,SAAS,KAAM,CAAA,IAAA;AAAA,MAAK,CACzB,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAA,OAAO,CAAC,eAAA,CAAgB,QAAS,CAAA,GAAA,EAAK,UAAU,OAAO,CAAA,CAAA;AAAA,GACzD;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAc,EAAA,SAAA,CAAU,SAAS,MAAM,CAAA,CAAA;AAE3D,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAID,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,KAAM,CAAA,QAAA,EAAU,QAAS,CAAA,MAAA,IAAU,EAAE,CAAA,CAAA;AACnD,CAAA,CAAA;AAQa,MAAA,yBAAA,GAA4B,CACvC,KACG,KAAA;AACH,EAAM,MAAA,OAAA,GAAU,cAAc,KAAK,CAAA,CAAA;AAEnC,EAAO,OAAA,CACL,UACA,QACY,KAAA;AACZ,IAAI,IAAA,QAAA,CAAS,MAAW,KAAAD,sCAAA,CAAgB,WAAa,EAAA;AACnD,MAAA,OAAO,eAAgB,CAAA,QAAA,CAAS,UAAY,EAAA,QAAA,EAAU,OAAO,CAAA,CAAA;AAAA,KAC/D;AAEA,IAAO,OAAA,QAAA,CAAS,WAAWA,sCAAgB,CAAA,KAAA,CAAA;AAAA,GAC7C,CAAA;AACF,EAAA;AAiHO,SAAS,kCAQd,OAcgB,EAAA;AAChB,EAAA,MAAM,oBAAuB,GAAA,OAAA,CAAA;AAC7B,EAAA,MAAM,UAAa,GAAA;AAAA,IACjB,oBAAA,CAAqB,SAAY,GAAA,oBAAA,CAAqB,SAAY,GAAA,OAAA;AAAA,IAClE,IAAK,EAAA,CAAA;AACP,EAAA,MAAM,WAAW,UAAW,CAAA,OAAA;AAAA,IAC1B,CAAA,MAAA,KAEI,MAIA,CAAA,KAAA,IAAS,EAAC;AAAA,GAChB,CAAA;AACA,EAAA,MAAM,cAAiB,GAAA;AAAA,IACrB,GAAK,OAA0C,CAAA,WAAA,IAAe,EAAC;AAAA,IAC/D,GAAI,oBAAqB,CAAA,SAAA,EAAW,OAAQ,CAAA,CAAA,CAAA,KAAK,EAAE,WAAe,IAAA,EAAE,CAAA,IAClE,EAAC;AAAA,GACL,CAAA;AAEA,EAAA,MAAM,gBAAmB,GAAA,UAAA,CAAW,MAAO,CAAA,CAAC,KAAK,MAAW,KAAA;AAC1D,IACE,IAAA,kDAAA;AAAA,MACE,MAAA;AAAA,KAOF,EAAA;AACA,MAAI,GAAA,CAAA,IAAA;AAAA,QAEA,MAIA,CAAA,YAAA;AAAA,OACJ,CAAA;AAAA,KACF;AACA,IAAO,OAAA,GAAA,CAAA;AAAA,GACT,EAAG,EAAc,CAAA,CAAA;AAEjB,EAAA,MAAM,SAASG,uBAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,6CAAA,EAA+C,CAAC,CAAA,EAAG,GAAQ,KAAA;AACpE,IAAA,MAAM,kBAAoD,QAAS,CAAA,GAAA;AAAA,MACjE,CAAS,IAAA,MAAA;AAAA,QACP,MAAM,IAAK,CAAA,IAAA;AAAA,QACX,aAAa,IAAK,CAAA,WAAA;AAAA,QAClB,cAAc,IAAK,CAAA,YAAA;AAAA,QACnB,YAAA,EAAcC,iCAAgB,IAAK,CAAA,YAAA,IAAgBH,MAAE,MAAO,CAAA,EAAE,CAAC,CAAA;AAAA,OACjE,CAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,YAAiC,GAAA;AAAA,MACrC,WAAa,EAAA,cAAA;AAAA,MACb,KAAO,EAAA,eAAA;AAAA,KACT,CAAA;AAEA,IAAO,OAAA,GAAA,CAAI,KAAK,YAAY,CAAA,CAAA;AAAA,GAC7B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,qDAAA;AAAA,IACA,OAAO,KAAK,GAAoD,KAAA;AAC9D,MAAA,MAAM,wBAGF,EAAC,CAAA;AACL,MAAA,MAAM,6BAMF,EAAC,CAAA;AAEL,MAAA,KAAA,IAAS,UAAU,UAAY,EAAA;AAC7B,QAAS,MAAA,GAAA,MAAA,CAAA;AAMT,QAAI,IAAA,kDAAA,CAAmD,MAAM,CAAG,EAAA;AAC9D,UAAsB,qBAAA,CAAA,MAAA,CAAO,YAAY,CAAI,GAAA,aAAA;AAAA,YAC3C,MAAO,CAAA,KAAA;AAAA,WACT,CAAA;AAEA,UAA2B,0BAAA,CAAA,MAAA,CAAO,YAAY,CAAA,GAAI,MAAO,CAAA,YAAA,CAAA;AAAA,SAC3D;AAAA,OACF;AAEA,MAAM,MAAA,wBAAA,GAA2B,CAC/B,QACG,KAAA;AACH,QAAA,MAAM,oBAAuB,GAAA,QAAA,CAC1B,MAAO,CAAA,CAAA,OAAA,KAAW,CAAC,gBAAiB,CAAA,QAAA,CAAS,OAAQ,CAAA,YAAY,CAAC,CAAA,CAClE,GAAI,CAAA,CAAA,OAAA,KAAW,QAAQ,YAAY,CAAA,CAAA;AAEtC,QAAA,IAAI,qBAAqB,MAAQ,EAAA;AAC/B,UAAA,MAAM,IAAID,iBAAA;AAAA,YACR,CAA8B,2BAAA,EAAA,oBAAA,CAAqB,IAAK,CAAA,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,WAC/D,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,WAAc,GAAA,4BAAA,CAA6B,SAAU,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAEnE,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIA,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,wBAAA,CAAyB,KAAK,KAAK,CAAA,CAAA;AAEnC,MAAA,MAAM,6BAA6B,IAAK,CAAA,KAAA,CAAM,MAE5C,CAAA,CAAC,KAAK,IAAS,KAAA;AACf,QAAA,IAAI,CAAC,GAAA,CAAI,IAAK,CAAA,YAAY,CAAG,EAAA;AAC3B,UAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAI,mBAAA,IAAI,GAAI,EAAA,CAAA;AAAA,SACnC;AACA,QAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAE,CAAA,GAAA,CAAI,KAAK,WAAW,CAAA,CAAA;AAC3C,QAAO,OAAA,GAAA,CAAA;AAAA,OACT,EAAG,EAAE,CAAA,CAAA;AAEL,MAAA,MAAM,0BAA+D,EAAC,CAAA;AACtE,MAAA,KAAA,MAAW,YAAgB,IAAA,MAAA,CAAO,IAAK,CAAA,0BAA0B,CAAG,EAAA;AAClE,QAAM,MAAA,YAAA,GAAe,2BAA2B,YAAY,CAAA,CAAA;AAC5D,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAA,MAAM,IAAIK,0BAAA;AAAA,YACR,gGAAgG,YAAY,CAAA,CAAA;AAAA,WAC9G,CAAA;AAAA,SACF;AACA,QAAA,MAAM,eAAe,KAAM,CAAA,IAAA;AAAA,UACzB,2BAA2B,YAAY,CAAA;AAAA,SACzC,CAAA;AACA,QAAM,MAAA,SAAA,GAAY,MAAM,YAAA,CAAa,YAAY,CAAA,CAAA;AACjD,QAAa,YAAA,CAAA,OAAA,CAAQ,CAAC,WAAA,EAAa,KAAU,KAAA;AAC3C,UAAI,IAAA,CAAC,uBAAwB,CAAA,YAAY,CAAG,EAAA;AAC1C,YAAwB,uBAAA,CAAA,YAAY,IAAI,EAAC,CAAA;AAAA,WAC3C;AACA,UAAA,uBAAA,CAAwB,YAAY,CAAA,CAAE,WAAW,CAAA,GAAI,UAAU,KAAK,CAAA,CAAA;AAAA,SACrE,CAAA,CAAA;AAAA,OACH;AAEA,MAAA,OAAO,IAAI,IAAK,CAAA;AAAA,QACd,KAAO,EAAA,IAAA,CAAK,KAAM,CAAA,GAAA,CAAI,CAAY,OAAA,MAAA;AAAA,UAChC,IAAI,OAAQ,CAAA,EAAA;AAAA,UACZ,MAAQ,EAAA,eAAA;AAAA,YACN,OAAQ,CAAA,UAAA;AAAA,YACR,uBAAwB,CAAA,OAAA,CAAQ,YAAY,CAAA,CAAE,QAAQ,WAAW,CAAA;AAAA,YACjE,qBAAA,CAAsB,QAAQ,YAAY,CAAA;AAAA,WAC5C,GACIN,sCAAgB,CAAA,KAAA,GAChBA,sCAAgB,CAAA,IAAA;AAAA,SACpB,CAAA,CAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAGA,EAAO,MAAA,CAAA,GAAA,CAAIO,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,mDAIP,OASA,EAAA;AACA,EAAA,OAEI,QAIA,YAAiB,KAAA,KAAA,CAAA,CAAA;AAEvB;;ACpea,MAAA,oBAAA,GAAuB,CAMlC,IACG,KAAA,KAAA;AAUE,MAAM,wBACX,GAAA,MACA,CACE,IAAA,KAEA,qBAAqB,IAAI;;ACFtB,MAAM,sBAAqD,CAAA;AAAA,EACvD,KAAA,CAAA;AAAA,EACA,iBAAA,CAAA;AAAA,EACA,kBAAA,CAAA;AAAA,EAET,OAAO,UACL,CAAA,MAAA,EACA,OAKA,EAAA;AACA,IAAM,MAAA,EAAE,SAAW,EAAA,YAAA,EAAiB,GAAA,OAAA,CAAA;AACpC,IAAA,MAAM,mBAAmB,IAAIC,uCAAA,CAAiB,EAAE,SAAA,EAAW,QAAQ,CAAA,CAAA;AACnE,IAAA,MAAM,iBACJ,GAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAK,IAAA,KAAA,CAAA;AAErD,IACE,IAAA,iBAAA,IACC,aAAqB,4BACtB,EAAA;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,yJAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,sCAAA,CAAyB,OAAO,CAAA,CAAA;AAEjD,IAAA,OAAO,IAAI,sBAAuB,CAAA;AAAA,MAChC,IAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAEQ,YAAY,OAIjB,EAAA;AACD,IAAA,IAAA,CAAK,QAAQ,OAAQ,CAAA,IAAA,CAAA;AACrB,IAAA,IAAA,CAAK,oBAAoB,OAAQ,CAAA,gBAAA,CAAA;AACjC,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,iBAAA,CAAA;AAAA,GACpC;AAAA,EAEA,MAAM,oBACJ,CAAA,OAAA,EACA,OAC2B,EAAA;AAC3B,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,uBAAA,CAAwB,OAAO,CAAA,CAAA;AAC9D,IAAA,IAAI,eAAe,IAAK,CAAA,KAAA,CAAM,WAAY,CAAA,WAAA,EAAa,SAAS,CAAG,EAAA;AACjE,MAAO,OAAA,IAAA,CAAK,yBAA0B,CAAA,OAAA,EAAS,WAAW,CAAA,CAAA;AAAA,KAC5D,MAAA,IAAW,CAAC,IAAA,CAAK,kBAAoB,EAAA;AACnC,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAT,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC7D;AAEA,IAAA,OAAO,KAAK,iBAAkB,CAAA,oBAAA;AAAA,MAC5B,OAAA;AAAA,MACA,MAAM,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAAA,KACvC,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,uBAAA,CAAwB,OAAO,CAAA,CAAA;AAC9D,IAAA,IAAI,eAAe,IAAK,CAAA,KAAA,CAAM,WAAY,CAAA,WAAA,EAAa,SAAS,CAAG,EAAA;AACjE,MAAO,OAAA,IAAA,CAAK,yBAA0B,CAAA,QAAA,EAAU,WAAW,CAAA,CAAA;AAAA,KAC7D,MAAA,IAAW,CAAC,IAAA,CAAK,kBAAoB,EAAA;AACnC,MAAA,OAAO,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC9D;AAEA,IAAA,OAAO,KAAK,iBAAkB,CAAA,SAAA;AAAA,MAC5B,QAAA;AAAA,MACA,MAAM,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAAA,KACvC,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,mBACJ,OACyC,EAAA;AACzC,IAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,MAAA,IAAI,KAAK,KAAM,CAAA,WAAA,CAAY,OAAQ,CAAA,WAAA,EAAa,MAAM,CAAG,EAAA;AACvD,QAAA,OAAO,EAAC,CAAA;AAAA,OACV;AAEA,MAAO,OAAA,IAAA,CAAK,MAAM,qBAAsB,CAAA;AAAA,QACtC,YAAY,OAAQ,CAAA,WAAA;AAAA,QACpB,cAAgB,EAAA,YAAA;AAAA,OACjB,CAAA,CAAA;AAAA,KACH;AAEA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,wBACJ,OAC2C,EAAA;AAC3C,IAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,MAAA,OAAO,OAAQ,CAAA,WAAA,CAAA;AAAA,KACjB;AAEA,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,yBAAA,CACE,OACA,WAC4B,EAAA;AAC5B,IAAA,MAAM,EAAE,eAAiB,EAAA,oBAAA,KACvB,WAAY,CAAA,SAAA,CAAU,sBAAsB,EAAC,CAAA;AAE/C,IAAO,OAAA,KAAA,CAAM,IAAI,CAAQ,IAAA,KAAA;AACvB,MAAA,IAAI,mBAAmB,CAAC,eAAA,CAAgB,SAAS,IAAK,CAAA,UAAA,CAAW,IAAI,CAAG,EAAA;AACtE,QAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,OACxC;AAEA,MAAA,IAAI,sBAAsB,MAAQ,EAAA;AAChC,QAAM,MAAA,MAAA,GAAS,IAAK,CAAA,UAAA,CAAW,UAAY,EAAA,MAAA,CAAA;AAC3C,QAAA,IAAI,CAAC,MAAU,IAAA,CAAC,qBAAqB,MAAO,CAAA,QAAA,CAAS,MAAM,CAAG,EAAA;AAC5D,UAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,SACxC;AAAA,OACF;AAEA,MAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,KAAM,EAAA,CAAA;AAAA,KACxC,CAAA,CAAA;AAAA,GACH;AACF;;;;;;;;;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/integration/createConditionFactory.ts","../src/integration/createConditionExports.ts","../src/integration/util.ts","../src/integration/createConditionTransformer.ts","../src/integration/createPermissionIntegrationRouter.ts","../src/integration/createPermissionRule.ts","../src/ServerPermissionClient.ts"],"sourcesContent":["/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  PermissionCondition,\n  PermissionRuleParams,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Creates a condition factory function for a given authorization rule and parameter types.\n *\n * @remarks\n *\n * For example, an isEntityOwner rule for catalog entities might take an array of entityRef strings.\n * The rule itself defines _how_ to check a given resource, whereas a condition also includes _what_\n * to verify.\n *\n * Plugin authors should generally use the {@link createConditionExports} in order to efficiently\n * create multiple condition factories. This helper should generally only be used to construct\n * condition factories for third-party rules that aren't part of the backend plugin with which\n * they're intended to integrate.\n *\n * @public\n */\nexport const createConditionFactory = <\n  TResourceType extends string,\n  TParams extends PermissionRuleParams = PermissionRuleParams,\n>(\n  rule: PermissionRule<unknown, unknown, TResourceType, TParams>,\n) => {\n  return (params: TParams): PermissionCondition<TResourceType, TParams> => {\n    return {\n      rule: rule.name,\n      resourceType: rule.resourceType,\n      params,\n    };\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthorizeResult,\n  ConditionalPolicyDecision,\n  PermissionCondition,\n  PermissionCriteria,\n  ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport { createConditionFactory } from './createConditionFactory';\n\n/**\n * A utility type for mapping a single {@link PermissionRule} to its\n * corresponding {@link @backstage/plugin-permission-common#PermissionCondition}.\n *\n * @public\n */\nexport type Condition<TRule> = TRule extends PermissionRule<\n  any,\n  any,\n  infer TResourceType,\n  infer TParams\n>\n  ? undefined extends TParams\n    ? () => PermissionCondition<TResourceType, TParams>\n    : (params: TParams) => PermissionCondition<TResourceType, TParams>\n  : never;\n\n/**\n * A utility type for mapping {@link PermissionRule}s to their corresponding\n * {@link @backstage/plugin-permission-common#PermissionCondition}s.\n *\n * @public\n */\nexport type Conditions<\n  TRules extends Record<string, PermissionRule<any, any, any>>,\n> = {\n  [Name in keyof TRules]: Condition<TRules[Name]>;\n};\n\n/**\n * Creates the recommended condition-related exports for a given plugin based on\n * the built-in {@link PermissionRule}s it supports.\n *\n * @remarks\n *\n * The function returns a `conditions` object containing a\n * {@link @backstage/plugin-permission-common#PermissionCondition} factory for\n * each of the supplied {@link PermissionRule}s, along with a\n * `createConditionalDecision` function which builds the wrapper object needed\n * to enclose conditions when authoring {@link PermissionPolicy}\n * implementations.\n *\n * Plugin authors should generally call this method with all the built-in\n * {@link PermissionRule}s the plugin supports, and export the resulting\n * `conditions` object and `createConditionalDecision` function so that they can\n * be used by {@link PermissionPolicy} authors.\n *\n * @public\n */\nexport const createConditionExports = <\n  TResourceType extends string,\n  TResource,\n  TRules extends Record<string, PermissionRule<TResource, any, TResourceType>>,\n>(options: {\n  pluginId: string;\n  resourceType: TResourceType;\n  rules: TRules;\n}): {\n  conditions: Conditions<TRules>;\n  createConditionalDecision: (\n    permission: ResourcePermission<TResourceType>,\n    conditions: PermissionCriteria<PermissionCondition<TResourceType>>,\n  ) => ConditionalPolicyDecision;\n} => {\n  const { pluginId, resourceType, rules } = options;\n\n  return {\n    conditions: Object.entries(rules).reduce(\n      (acc, [key, rule]) => ({\n        ...acc,\n        [key]: createConditionFactory(rule),\n      }),\n      {} as Conditions<TRules>,\n    ),\n    createConditionalDecision: (\n      _permission: ResourcePermission<TResourceType>,\n      conditions: PermissionCriteria<PermissionCondition>,\n    ) => ({\n      result: AuthorizeResult.CONDITIONAL,\n      pluginId,\n      resourceType,\n      conditions,\n    }),\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AllOfCriteria,\n  AnyOfCriteria,\n  NotCriteria,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Prevent use of type parameter from contributing to type inference.\n *\n * https://github.com/Microsoft/TypeScript/issues/14829#issuecomment-980401795\n * @ignore\n */\nexport type NoInfer<T> = T extends infer S ? S : never;\n\n/**\n * Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type allOf,\n * narrowing down `criteria` to the specific type.\n */\nexport const isAndCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is AllOfCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'allOf');\n\n/**\n * Utility function used to parse a PermissionCriteria of type\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type anyOf,\n * narrowing down `criteria` to the specific type.\n */\nexport const isOrCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is AnyOfCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'anyOf');\n\n/**\n * Utility function used to parse a PermissionCriteria\n * @param criteria - a PermissionCriteria\n * @public\n *\n * @returns `true` if the permission criteria is of type not,\n * narrowing down `criteria` to the specific type.\n */\nexport const isNotCriteria = <T>(\n  criteria: PermissionCriteria<T>,\n): criteria is NotCriteria<T> =>\n  Object.prototype.hasOwnProperty.call(criteria, 'not');\n\nexport const createGetRule = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n  const rulesMap = new Map(Object.values(rules).map(rule => [rule.name, rule]));\n\n  return (name: string): PermissionRule<TResource, TQuery, string> => {\n    const rule = rulesMap.get(name);\n\n    if (!rule) {\n      throw new Error(`Unexpected permission rule: ${name}`);\n    }\n\n    return rule;\n  };\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { InputError } from '@backstage/errors';\nimport {\n  AllOfCriteria,\n  AnyOfCriteria,\n  PermissionCondition,\n  PermissionCriteria,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\n\nconst mapConditions = <TQuery>(\n  criteria: PermissionCriteria<PermissionCondition>,\n  getRule: (name: string) => PermissionRule<unknown, TQuery, string>,\n): PermissionCriteria<TQuery> => {\n  if (isAndCriteria(criteria)) {\n    return {\n      allOf: criteria.allOf.map(child => mapConditions(child, getRule)),\n    } as AllOfCriteria<TQuery>;\n  } else if (isOrCriteria(criteria)) {\n    return {\n      anyOf: criteria.anyOf.map(child => mapConditions(child, getRule)),\n    } as AnyOfCriteria<TQuery>;\n  } else if (isNotCriteria(criteria)) {\n    return {\n      not: mapConditions(criteria.not, getRule),\n    };\n  }\n\n  const rule = getRule(criteria.rule);\n  const result = rule.paramsSchema?.safeParse(criteria.params);\n\n  if (result && !result.success) {\n    throw new InputError(`Parameters to rule are invalid`, result.error);\n  }\n\n  return rule.toQuery(criteria.params ?? {});\n};\n\n/**\n * A function which accepts {@link @backstage/plugin-permission-common#PermissionCondition}s\n * logically grouped in a {@link @backstage/plugin-permission-common#PermissionCriteria}\n * object, and transforms the {@link @backstage/plugin-permission-common#PermissionCondition}s\n * into plugin specific query fragments while retaining the enclosing criteria shape.\n *\n * @public\n */\nexport type ConditionTransformer<TQuery> = (\n  conditions: PermissionCriteria<PermissionCondition>,\n) => PermissionCriteria<TQuery>;\n\n/**\n * A higher-order helper function which accepts an array of\n * {@link PermissionRule}s, and returns a {@link ConditionTransformer}\n * which transforms input conditions into equivalent plugin-specific\n * query fragments using the supplied rules.\n *\n * @public\n */\nexport const createConditionTransformer = <\n  TQuery,\n  TRules extends PermissionRule<any, TQuery, string>[],\n>(\n  permissionRules: [...TRules],\n): ConditionTransformer<TQuery> => {\n  const getRule = createGetRule(permissionRules);\n\n  return conditions => mapConditions(conditions, getRule);\n};\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express, { Response } from 'express';\nimport Router from 'express-promise-router';\nimport { z } from 'zod';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { InputError } from '@backstage/errors';\nimport { errorHandler } from '@backstage/backend-common';\nimport {\n  AuthorizeResult,\n  DefinitivePolicyDecision,\n  IdentifiedPermissionMessage,\n  MetadataResponse as CommonMetadataResponse,\n  MetadataResponseSerializedRule as CommonMetadataResponseSerializedRule,\n  Permission,\n  PermissionCondition,\n  PermissionCriteria,\n  PolicyDecision,\n} from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\nimport {\n  NoInfer,\n  createGetRule,\n  isAndCriteria,\n  isNotCriteria,\n  isOrCriteria,\n} from './util';\nimport { NotImplementedError } from '@backstage/errors';\n\nconst permissionCriteriaSchema: z.ZodSchema<\n  PermissionCriteria<PermissionCondition>\n> = z.lazy(() =>\n  z.union([\n    z.object({ anyOf: z.array(permissionCriteriaSchema).nonempty() }),\n    z.object({ allOf: z.array(permissionCriteriaSchema).nonempty() }),\n    z.object({ not: permissionCriteriaSchema }),\n    z.object({\n      rule: z.string(),\n      resourceType: z.string(),\n      params: z.record(z.any()).optional(),\n    }),\n  ]),\n);\n\nconst applyConditionsRequestSchema = z.object({\n  items: z.array(\n    z.object({\n      id: z.string(),\n      resourceRef: z.string(),\n      resourceType: z.string(),\n      conditions: permissionCriteriaSchema,\n    }),\n  ),\n});\n\n/**\n * A request to load the referenced resource and apply conditions in order to\n * finalize a conditional authorization response.\n *\n * @public\n */\nexport type ApplyConditionsRequestEntry = IdentifiedPermissionMessage<{\n  resourceRef: string;\n  resourceType: string;\n  conditions: PermissionCriteria<PermissionCondition>;\n}>;\n\n/**\n * A batch of {@link ApplyConditionsRequestEntry} objects.\n *\n * @public\n */\nexport type ApplyConditionsRequest = {\n  items: ApplyConditionsRequestEntry[];\n};\n\n/**\n * The result of applying the conditions, expressed as a definitive authorize\n * result of ALLOW or DENY.\n *\n * @public\n */\nexport type ApplyConditionsResponseEntry =\n  IdentifiedPermissionMessage<DefinitivePolicyDecision>;\n\n/**\n * A batch of {@link ApplyConditionsResponseEntry} objects.\n *\n * @public\n */\nexport type ApplyConditionsResponse = {\n  items: ApplyConditionsResponseEntry[];\n};\n\n/**\n * Serialized permission rules, with the paramsSchema\n * converted from a ZodSchema to a JsonSchema.\n *\n * @public\n * @deprecated Please import from `@backstage/plugin-permission-common` instead.\n */\nexport type MetadataResponseSerializedRule =\n  CommonMetadataResponseSerializedRule;\n\n/**\n * Response type for the .metadata endpoint.\n *\n * @public\n * @deprecated Please import from `@backstage/plugin-permission-common` instead.\n */\nexport type MetadataResponse = CommonMetadataResponse;\n\nconst applyConditions = <TResourceType extends string, TResource>(\n  criteria: PermissionCriteria<PermissionCondition<TResourceType>>,\n  resource: TResource | undefined,\n  getRule: (name: string) => PermissionRule<TResource, unknown, TResourceType>,\n): boolean => {\n  // If resource was not found, deny. This avoids leaking information from the\n  // apply-conditions API which would allow a user to differentiate between\n  // non-existent resources and resources to which they do not have access.\n  if (resource === undefined) {\n    return false;\n  }\n\n  if (isAndCriteria(criteria)) {\n    return criteria.allOf.every(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isOrCriteria(criteria)) {\n    return criteria.anyOf.some(child =>\n      applyConditions(child, resource, getRule),\n    );\n  } else if (isNotCriteria(criteria)) {\n    return !applyConditions(criteria.not, resource, getRule);\n  }\n\n  const rule = getRule(criteria.rule);\n  const result = rule.paramsSchema?.safeParse(criteria.params);\n\n  if (result && !result.success) {\n    throw new InputError(`Parameters to rule are invalid`, result.error);\n  }\n\n  return rule.apply(resource, criteria.params ?? {});\n};\n\n/**\n * Takes some permission conditions and returns a definitive authorization result\n * on the resource to which they apply.\n *\n * @public\n */\nexport const createConditionAuthorizer = <TResource, TQuery>(\n  rules: PermissionRule<TResource, TQuery, string>[],\n) => {\n  const getRule = createGetRule(rules);\n\n  return (\n    decision: PolicyDecision,\n    resource: TResource | undefined,\n  ): boolean => {\n    if (decision.result === AuthorizeResult.CONDITIONAL) {\n      return applyConditions(decision.conditions, resource, getRule);\n    }\n\n    return decision.result === AuthorizeResult.ALLOW;\n  };\n};\n\n/**\n * Options for creating a permission integration router specific\n * for a particular resource type.\n *\n * @public\n */\nexport type CreatePermissionIntegrationRouterResourceOptions<\n  TResourceType extends string,\n  TResource,\n> = {\n  resourceType: TResourceType;\n  permissions?: Array<Permission>;\n  // Do not infer value of TResourceType from supplied rules.\n  // instead only consider the resourceType parameter, and\n  // consider any rules whose resource type does not match\n  // to be an error.\n  rules: PermissionRule<TResource, any, NoInfer<TResourceType>>[];\n  getResources?: (\n    resourceRefs: string[],\n  ) => Promise<Array<TResource | undefined>>;\n};\n\n/**\n * Options for creating a permission integration router exposing\n * permissions and rules from multiple resource types.\n *\n * @public\n */\nexport type PermissionIntegrationRouterOptions<\n  TResourceType1 extends string = string,\n  TResource1 = any,\n  TResourceType2 extends string = string,\n  TResource2 = any,\n  TResourceType3 extends string = string,\n  TResource3 = any,\n> = {\n  resources: Readonly<\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n      ]\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType2,\n          TResource2\n        >,\n      ]\n    | [\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType2,\n          TResource2\n        >,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType3,\n          TResource3\n        >,\n      ]\n  >;\n};\n\n/**\n * Create an express Router which provides an authorization route to allow\n * integration between the permission backend and other Backstage backend\n * plugins. Plugin owners that wish to support conditional authorization for\n * their resources should add the router created by this function to their\n * express app inside their `createRouter` implementation.\n *\n * In case the `permissions` option is provided, the router also\n * provides a route that exposes permissions and routes of a plugin.\n *\n * In case resources is provided, the routes can handle permissions\n * for multiple resource types.\n *\n * @remarks\n *\n * To make this concrete, we can use the Backstage software catalog as an\n * example. The catalog has conditional rules around access to specific\n * _entities_ in the catalog. The _type_ of resource is captured here as\n * `resourceType`, a string identifier (`catalog-entity` in this example) that\n * can be provided with permission definitions. This is merely a _type_ to\n * verify that conditions in an authorization policy are constructed correctly,\n * not a reference to a specific resource.\n *\n * The `rules` parameter is an array of {@link PermissionRule}s that introduce\n * conditional filtering logic for resources; for the catalog, these are things\n * like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list\n * of resources, and the `conditions` returned allow these rules to be applied\n * with specific parameters (such as 'group:default/team-a', or\n * 'backstage.io/edit-url').\n *\n * The `getResources` argument should load resources based on a reference\n * identifier. For the catalog, this is an\n * {@link @backstage/catalog-model#EntityRef}. For other plugins, this can be\n * any serialized format. This is used to construct the\n * `createPermissionIntegrationRouter`, a function to add an authorization route\n * to your backend plugin. This function will be called by the\n * `permission-backend` when authorization conditions relating to this plugin\n * need to be evaluated.\n *\n * @public\n */\nexport function createPermissionIntegrationRouter<\n  TResourceType1 extends string,\n  TResource1,\n  TResourceType2 extends string,\n  TResource2,\n  TResourceType3 extends string,\n  TResource3,\n>(\n  options:\n    | { permissions: Array<Permission> }\n    | CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType1,\n        TResource1\n      >\n    | PermissionIntegrationRouterOptions<\n        TResourceType1,\n        TResource1,\n        TResourceType2,\n        TResource2,\n        TResourceType3,\n        TResource3\n      >,\n): express.Router {\n  const optionsWithResources = options as PermissionIntegrationRouterOptions;\n  const allOptions = [\n    optionsWithResources.resources ? optionsWithResources.resources : options,\n  ].flat();\n  const allRules = allOptions.flatMap(\n    option =>\n      (\n        option as CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >\n      ).rules || [],\n  );\n  const allPermissions = [\n    ...((options as { permissions: Permission[] }).permissions || []),\n    ...(optionsWithResources.resources?.flatMap(o => o.permissions || []) ||\n      []),\n  ];\n\n  const allResourceTypes = allOptions.reduce((acc, option) => {\n    if (\n      isCreatePermissionIntegrationRouterResourceOptions(\n        option as\n          | { permissions: Array<Permission> }\n          | CreatePermissionIntegrationRouterResourceOptions<\n              TResourceType1,\n              TResource1\n            >,\n      )\n    ) {\n      acc.push(\n        (\n          option as CreatePermissionIntegrationRouterResourceOptions<\n            TResourceType1,\n            TResource1\n          >\n        ).resourceType,\n      );\n    }\n    return acc;\n  }, [] as string[]);\n\n  const router = Router();\n  router.use(express.json());\n\n  router.get('/.well-known/backstage/permissions/metadata', (_, res) => {\n    const serializedRules: MetadataResponseSerializedRule[] = allRules.map(\n      rule => ({\n        name: rule.name,\n        description: rule.description,\n        resourceType: rule.resourceType,\n        paramsSchema: zodToJsonSchema(rule.paramsSchema ?? z.object({})),\n      }),\n    );\n\n    const responseJson: MetadataResponse = {\n      permissions: allPermissions,\n      rules: serializedRules,\n    };\n\n    return res.json(responseJson);\n  });\n\n  router.post(\n    '/.well-known/backstage/permissions/apply-conditions',\n    async (req, res: Response<ApplyConditionsResponse | string>) => {\n      const ruleMapByResourceType: Record<\n        string,\n        ReturnType<typeof createGetRule>\n      > = {};\n      const getResourcesByResourceType: Record<\n        string,\n        CreatePermissionIntegrationRouterResourceOptions<\n          TResourceType1,\n          TResource1\n        >['getResources']\n      > = {};\n\n      for (let option of allOptions) {\n        option = option as\n          | { permissions: Array<Permission> }\n          | CreatePermissionIntegrationRouterResourceOptions<\n              TResourceType1,\n              TResource1\n            >;\n        if (isCreatePermissionIntegrationRouterResourceOptions(option)) {\n          ruleMapByResourceType[option.resourceType] = createGetRule(\n            option.rules,\n          );\n\n          getResourcesByResourceType[option.resourceType] = option.getResources;\n        }\n      }\n\n      const assertValidResourceTypes = (\n        requests: ApplyConditionsRequestEntry[],\n      ) => {\n        const invalidResourceTypes = requests\n          .filter(request => !allResourceTypes.includes(request.resourceType))\n          .map(request => request.resourceType);\n\n        if (invalidResourceTypes.length) {\n          throw new InputError(\n            `Unexpected resource types: ${invalidResourceTypes.join(', ')}.`,\n          );\n        }\n      };\n\n      const parseResult = applyConditionsRequestSchema.safeParse(req.body);\n\n      if (!parseResult.success) {\n        throw new InputError(parseResult.error.toString());\n      }\n\n      const body = parseResult.data;\n\n      assertValidResourceTypes(body.items);\n\n      const resourceRefsByResourceType = body.items.reduce<\n        Record<string, Set<string>>\n      >((acc, item) => {\n        if (!acc[item.resourceType]) {\n          acc[item.resourceType] = new Set();\n        }\n        acc[item.resourceType].add(item.resourceRef);\n        return acc;\n      }, {});\n\n      const resourcesByResourceType: Record<string, Record<string, any>> = {};\n      for (const resourceType of Object.keys(resourceRefsByResourceType)) {\n        const getResources = getResourcesByResourceType[resourceType];\n        if (!getResources) {\n          throw new NotImplementedError(\n            `This plugin does not expose any permission rule or can't evaluate the conditions request for ${resourceType}`,\n          );\n        }\n        const resourceRefs = Array.from(\n          resourceRefsByResourceType[resourceType],\n        );\n        const resources = await getResources(resourceRefs);\n        resourceRefs.forEach((resourceRef, index) => {\n          if (!resourcesByResourceType[resourceType]) {\n            resourcesByResourceType[resourceType] = {};\n          }\n          resourcesByResourceType[resourceType][resourceRef] = resources[index];\n        });\n      }\n\n      return res.json({\n        items: body.items.map(request => ({\n          id: request.id,\n          result: applyConditions(\n            request.conditions,\n            resourcesByResourceType[request.resourceType][request.resourceRef],\n            ruleMapByResourceType[request.resourceType],\n          )\n            ? AuthorizeResult.ALLOW\n            : AuthorizeResult.DENY,\n        })),\n      });\n    },\n  );\n\n  // TODO(belugas): Remove this when dropping support to the legacy backend system because setting the error handler manually is no logger required in the new system.\n  router.use(errorHandler());\n\n  return router;\n}\n\nfunction isCreatePermissionIntegrationRouterResourceOptions<\n  TResourceType extends string,\n  TResource,\n>(\n  options:\n    | { permissions: Array<Permission> }\n    | CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType,\n        TResource\n      >,\n): options is CreatePermissionIntegrationRouterResourceOptions<\n  TResourceType,\n  TResource\n> {\n  return (\n    (\n      options as CreatePermissionIntegrationRouterResourceOptions<\n        TResourceType,\n        TResource\n      >\n    ).resourceType !== undefined\n  );\n}\n","/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PermissionRuleParams } from '@backstage/plugin-permission-common';\nimport { PermissionRule } from '../types';\n\n/**\n * Helper function to ensure that {@link PermissionRule} definitions are typed correctly.\n *\n * @public\n */\nexport const createPermissionRule = <\n  TResource,\n  TQuery,\n  TResourceType extends string,\n  TParams extends PermissionRuleParams = undefined,\n>(\n  rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n) => rule;\n\n/**\n * Helper for making plugin-specific createPermissionRule functions, that have\n * the TResource and TQuery type parameters populated but infer the params from\n * the supplied rule. This helps ensure that rules created for this plugin use\n * consistent types for the resource and query.\n *\n * @public\n */\nexport const makeCreatePermissionRule =\n  <TResource, TQuery, TResourceType extends string>() =>\n  <TParams extends PermissionRuleParams = undefined>(\n    rule: PermissionRule<TResource, TQuery, TResourceType, TParams>,\n  ) =>\n    createPermissionRule(rule);\n","/*\n * Copyright 2021 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  TokenManager,\n  createLegacyAuthAdapters,\n} from '@backstage/backend-common';\nimport {\n  AuthService,\n  BackstageCredentials,\n  BackstageServicePrincipal,\n  DiscoveryService,\n  PermissionsService,\n  PermissionsServiceRequestOptions,\n} from '@backstage/backend-plugin-api';\nimport { Config } from '@backstage/config';\nimport {\n  AuthorizePermissionRequest,\n  AuthorizePermissionResponse,\n  AuthorizeResult,\n  DefinitivePolicyDecision,\n  Permission,\n  PermissionClient,\n  PolicyDecision,\n  QueryPermissionRequest,\n} from '@backstage/plugin-permission-common';\n\n/**\n * A thin wrapper around\n * {@link @backstage/plugin-permission-common#PermissionClient} that allows all\n * service-to-service requests.\n * @public\n */\nexport class ServerPermissionClient implements PermissionsService {\n  readonly #auth: AuthService;\n  readonly #permissionClient: PermissionClient;\n  readonly #permissionEnabled: boolean;\n\n  static fromConfig(\n    config: Config,\n    options: {\n      discovery: DiscoveryService;\n      /** @deprecated This option will be removed in the future, provide a the auth option instead */\n      tokenManager?: TokenManager;\n      auth?: AuthService;\n    },\n  ) {\n    const { discovery, tokenManager } = options;\n    const permissionClient = new PermissionClient({ discovery, config });\n    const permissionEnabled =\n      config.getOptionalBoolean('permission.enabled') ?? false;\n\n    if (\n      permissionEnabled &&\n      tokenManager &&\n      (tokenManager as any).isInsecureServerTokenManager\n    ) {\n      throw new Error(\n        'Service-to-service authentication must be configured before enabling permissions. Read more here https://backstage.io/docs/auth/service-to-service-auth',\n      );\n    }\n\n    const { auth } = createLegacyAuthAdapters(options);\n\n    return new ServerPermissionClient({\n      auth,\n      permissionClient,\n      permissionEnabled,\n    });\n  }\n\n  private constructor(options: {\n    auth: AuthService;\n    permissionClient: PermissionClient;\n    permissionEnabled: boolean;\n  }) {\n    this.#auth = options.auth;\n    this.#permissionClient = options.permissionClient;\n    this.#permissionEnabled = options.permissionEnabled;\n  }\n\n  async authorizeConditional(\n    queries: QueryPermissionRequest[],\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<PolicyDecision[]> {\n    const credentials = await this.#getIncomingCredentials(options);\n    if (credentials && this.#auth.isPrincipal(credentials, 'service')) {\n      return this.#servicePrincipalDecision(queries, credentials);\n    } else if (!this.#permissionEnabled) {\n      return queries.map(_ => ({ result: AuthorizeResult.ALLOW }));\n    }\n\n    return this.#permissionClient.authorizeConditional(\n      queries,\n      await this.#getRequestOptions(options),\n    );\n  }\n\n  async authorize(\n    requests: AuthorizePermissionRequest[],\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<AuthorizePermissionResponse[]> {\n    const credentials = await this.#getIncomingCredentials(options);\n    if (credentials && this.#auth.isPrincipal(credentials, 'service')) {\n      return this.#servicePrincipalDecision(requests, credentials);\n    } else if (!this.#permissionEnabled) {\n      return requests.map(_ => ({ result: AuthorizeResult.ALLOW }));\n    }\n\n    return this.#permissionClient.authorize(\n      requests,\n      await this.#getRequestOptions(options),\n    );\n  }\n\n  async #getRequestOptions(\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<{ token?: string } | undefined> {\n    if (options && 'credentials' in options) {\n      if (this.#auth.isPrincipal(options.credentials, 'none')) {\n        return {};\n      }\n\n      return this.#auth.getPluginRequestToken({\n        onBehalfOf: options.credentials,\n        targetPluginId: 'permission',\n      });\n    }\n\n    return options;\n  }\n\n  async #getIncomingCredentials(\n    options?: PermissionsServiceRequestOptions,\n  ): Promise<BackstageCredentials | undefined> {\n    if (options && 'credentials' in options) {\n      return options.credentials;\n    }\n\n    return undefined;\n  }\n\n  /**\n   * For service principals, we can always make an immediate definitive decision\n   * based on their associated access restrictions (if any).\n   */\n  #servicePrincipalDecision(\n    input: { permission: Permission }[],\n    credentials: BackstageCredentials<BackstageServicePrincipal>,\n  ): DefinitivePolicyDecision[] {\n    const { permissionNames, permissionAttributes } =\n      credentials.principal.accessRestrictions ?? {};\n\n    return input.map(item => {\n      if (permissionNames && !permissionNames.includes(item.permission.name)) {\n        return { result: AuthorizeResult.DENY };\n      }\n\n      if (permissionAttributes?.action) {\n        const action = item.permission.attributes?.action;\n        if (!action || !permissionAttributes.action.includes(action)) {\n          return { result: AuthorizeResult.DENY };\n        }\n      }\n\n      return { result: AuthorizeResult.ALLOW };\n    });\n  }\n}\n"],"names":["AuthorizeResult","InputError","z","Router","express","zodToJsonSchema","NotImplementedError","errorHandler","PermissionClient","createLegacyAuthAdapters"],"mappings":";;;;;;;;;;;;;;;;AAsCa,MAAA,sBAAA,GAAyB,CAIpC,IACG,KAAA;AACH,EAAA,OAAO,CAAC,MAAiE,KAAA;AACvE,IAAO,OAAA;AAAA,MACL,MAAM,IAAK,CAAA,IAAA;AAAA,MACX,cAAc,IAAK,CAAA,YAAA;AAAA,MACnB,MAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACwBa,MAAA,sBAAA,GAAyB,CAIpC,OAUG,KAAA;AACH,EAAA,MAAM,EAAE,QAAA,EAAU,YAAc,EAAA,KAAA,EAAU,GAAA,OAAA,CAAA;AAE1C,EAAO,OAAA;AAAA,IACL,UAAY,EAAA,MAAA,CAAO,OAAQ,CAAA,KAAK,CAAE,CAAA,MAAA;AAAA,MAChC,CAAC,GAAA,EAAK,CAAC,GAAA,EAAK,IAAI,CAAO,MAAA;AAAA,QACrB,GAAG,GAAA;AAAA,QACH,CAAC,GAAG,GAAG,sBAAA,CAAuB,IAAI,CAAA;AAAA,OACpC,CAAA;AAAA,MACA,EAAC;AAAA,KACH;AAAA,IACA,yBAAA,EAA2B,CACzB,WAAA,EACA,UACI,MAAA;AAAA,MACJ,QAAQA,sCAAgB,CAAA,WAAA;AAAA,MACxB,QAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF,CAAA;AACF;;ACtEa,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,YAAA,GAAe,CAC1B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,OAAO,EAAA;AAU3C,MAAA,aAAA,GAAgB,CAC3B,QAEA,KAAA,MAAA,CAAO,UAAU,cAAe,CAAA,IAAA,CAAK,UAAU,KAAK,EAAA;AAEzC,MAAA,aAAA,GAAgB,CAC3B,KACG,KAAA;AACH,EAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,MAAA,CAAO,OAAO,KAAK,CAAA,CAAE,GAAI,CAAA,CAAA,IAAA,KAAQ,CAAC,IAAA,CAAK,IAAM,EAAA,IAAI,CAAC,CAAC,CAAA,CAAA;AAE5E,EAAA,OAAO,CAAC,IAA4D,KAAA;AAClE,IAAM,MAAA,IAAA,GAAO,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAA,MAAM,IAAI,KAAA,CAAM,CAA+B,4BAAA,EAAA,IAAI,CAAE,CAAA,CAAA,CAAA;AAAA,KACvD;AAEA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;ACvDA,MAAM,aAAA,GAAgB,CACpB,QAAA,EACA,OAC+B,KAAA;AAC/B,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAO,OAAA;AAAA,MACL,KAAA,EAAO,SAAS,KAAM,CAAA,GAAA,CAAI,WAAS,aAAc,CAAA,KAAA,EAAO,OAAO,CAAC,CAAA;AAAA,KAClE,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAO,OAAA;AAAA,MACL,GAAK,EAAA,aAAA,CAAc,QAAS,CAAA,GAAA,EAAK,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAc,EAAA,SAAA,CAAU,SAAS,MAAM,CAAA,CAAA;AAE3D,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAIC,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,IAAK,CAAA,OAAA,CAAQ,QAAS,CAAA,MAAA,IAAU,EAAE,CAAA,CAAA;AAC3C,CAAA,CAAA;AAsBa,MAAA,0BAAA,GAA6B,CAIxC,eACiC,KAAA;AACjC,EAAM,MAAA,OAAA,GAAU,cAAc,eAAe,CAAA,CAAA;AAE7C,EAAO,OAAA,CAAA,UAAA,KAAc,aAAc,CAAA,UAAA,EAAY,OAAO,CAAA,CAAA;AACxD;;AC5CA,MAAM,2BAEFC,KAAE,CAAA,IAAA;AAAA,EAAK,MACTA,MAAE,KAAM,CAAA;AAAA,IACNA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAA,CAAE,MAAO,CAAA,EAAE,KAAO,EAAAA,KAAA,CAAE,MAAM,wBAAwB,CAAA,CAAE,QAAS,EAAA,EAAG,CAAA;AAAA,IAChEA,KAAE,CAAA,MAAA,CAAO,EAAE,GAAA,EAAK,0BAA0B,CAAA;AAAA,IAC1CA,MAAE,MAAO,CAAA;AAAA,MACP,IAAA,EAAMA,MAAE,MAAO,EAAA;AAAA,MACf,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,QAAQA,KAAE,CAAA,MAAA,CAAOA,MAAE,GAAI,EAAC,EAAE,QAAS,EAAA;AAAA,KACpC,CAAA;AAAA,GACF,CAAA;AACH,CAAA,CAAA;AAEA,MAAM,4BAAA,GAA+BA,MAAE,MAAO,CAAA;AAAA,EAC5C,OAAOA,KAAE,CAAA,KAAA;AAAA,IACPA,MAAE,MAAO,CAAA;AAAA,MACP,EAAA,EAAIA,MAAE,MAAO,EAAA;AAAA,MACb,WAAA,EAAaA,MAAE,MAAO,EAAA;AAAA,MACtB,YAAA,EAAcA,MAAE,MAAO,EAAA;AAAA,MACvB,UAAY,EAAA,wBAAA;AAAA,KACb,CAAA;AAAA,GACH;AACF,CAAC,CAAA,CAAA;AA2DD,MAAM,eAAkB,GAAA,CACtB,QACA,EAAA,QAAA,EACA,OACY,KAAA;AAIZ,EAAA,IAAI,aAAa,KAAW,CAAA,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAEA,EAAI,IAAA,aAAA,CAAc,QAAQ,CAAG,EAAA;AAC3B,IAAA,OAAO,SAAS,KAAM,CAAA,KAAA;AAAA,MAAM,CAC1B,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,YAAa,CAAA,QAAQ,CAAG,EAAA;AACjC,IAAA,OAAO,SAAS,KAAM,CAAA,IAAA;AAAA,MAAK,CACzB,KAAA,KAAA,eAAA,CAAgB,KAAO,EAAA,QAAA,EAAU,OAAO,CAAA;AAAA,KAC1C,CAAA;AAAA,GACF,MAAA,IAAW,aAAc,CAAA,QAAQ,CAAG,EAAA;AAClC,IAAA,OAAO,CAAC,eAAA,CAAgB,QAAS,CAAA,GAAA,EAAK,UAAU,OAAO,CAAA,CAAA;AAAA,GACzD;AAEA,EAAM,MAAA,IAAA,GAAO,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAClC,EAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAc,EAAA,SAAA,CAAU,SAAS,MAAM,CAAA,CAAA;AAE3D,EAAI,IAAA,MAAA,IAAU,CAAC,MAAA,CAAO,OAAS,EAAA;AAC7B,IAAA,MAAM,IAAID,iBAAA,CAAW,CAAkC,8BAAA,CAAA,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GACrE;AAEA,EAAA,OAAO,KAAK,KAAM,CAAA,QAAA,EAAU,QAAS,CAAA,MAAA,IAAU,EAAE,CAAA,CAAA;AACnD,CAAA,CAAA;AAQa,MAAA,yBAAA,GAA4B,CACvC,KACG,KAAA;AACH,EAAM,MAAA,OAAA,GAAU,cAAc,KAAK,CAAA,CAAA;AAEnC,EAAO,OAAA,CACL,UACA,QACY,KAAA;AACZ,IAAI,IAAA,QAAA,CAAS,MAAW,KAAAD,sCAAA,CAAgB,WAAa,EAAA;AACnD,MAAA,OAAO,eAAgB,CAAA,QAAA,CAAS,UAAY,EAAA,QAAA,EAAU,OAAO,CAAA,CAAA;AAAA,KAC/D;AAEA,IAAO,OAAA,QAAA,CAAS,WAAWA,sCAAgB,CAAA,KAAA,CAAA;AAAA,GAC7C,CAAA;AACF,EAAA;AAiHO,SAAS,kCAQd,OAcgB,EAAA;AAChB,EAAA,MAAM,oBAAuB,GAAA,OAAA,CAAA;AAC7B,EAAA,MAAM,UAAa,GAAA;AAAA,IACjB,oBAAA,CAAqB,SAAY,GAAA,oBAAA,CAAqB,SAAY,GAAA,OAAA;AAAA,IAClE,IAAK,EAAA,CAAA;AACP,EAAA,MAAM,WAAW,UAAW,CAAA,OAAA;AAAA,IAC1B,CAAA,MAAA,KAEI,MAIA,CAAA,KAAA,IAAS,EAAC;AAAA,GAChB,CAAA;AACA,EAAA,MAAM,cAAiB,GAAA;AAAA,IACrB,GAAK,OAA0C,CAAA,WAAA,IAAe,EAAC;AAAA,IAC/D,GAAI,oBAAqB,CAAA,SAAA,EAAW,OAAQ,CAAA,CAAA,CAAA,KAAK,EAAE,WAAe,IAAA,EAAE,CAAA,IAClE,EAAC;AAAA,GACL,CAAA;AAEA,EAAA,MAAM,gBAAmB,GAAA,UAAA,CAAW,MAAO,CAAA,CAAC,KAAK,MAAW,KAAA;AAC1D,IACE,IAAA,kDAAA;AAAA,MACE,MAAA;AAAA,KAOF,EAAA;AACA,MAAI,GAAA,CAAA,IAAA;AAAA,QAEA,MAIA,CAAA,YAAA;AAAA,OACJ,CAAA;AAAA,KACF;AACA,IAAO,OAAA,GAAA,CAAA;AAAA,GACT,EAAG,EAAc,CAAA,CAAA;AAEjB,EAAA,MAAM,SAASG,uBAAO,EAAA,CAAA;AACtB,EAAO,MAAA,CAAA,GAAA,CAAIC,wBAAQ,CAAA,IAAA,EAAM,CAAA,CAAA;AAEzB,EAAA,MAAA,CAAO,GAAI,CAAA,6CAAA,EAA+C,CAAC,CAAA,EAAG,GAAQ,KAAA;AACpE,IAAA,MAAM,kBAAoD,QAAS,CAAA,GAAA;AAAA,MACjE,CAAS,IAAA,MAAA;AAAA,QACP,MAAM,IAAK,CAAA,IAAA;AAAA,QACX,aAAa,IAAK,CAAA,WAAA;AAAA,QAClB,cAAc,IAAK,CAAA,YAAA;AAAA,QACnB,YAAA,EAAcC,iCAAgB,IAAK,CAAA,YAAA,IAAgBH,MAAE,MAAO,CAAA,EAAE,CAAC,CAAA;AAAA,OACjE,CAAA;AAAA,KACF,CAAA;AAEA,IAAA,MAAM,YAAiC,GAAA;AAAA,MACrC,WAAa,EAAA,cAAA;AAAA,MACb,KAAO,EAAA,eAAA;AAAA,KACT,CAAA;AAEA,IAAO,OAAA,GAAA,CAAI,KAAK,YAAY,CAAA,CAAA;AAAA,GAC7B,CAAA,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,qDAAA;AAAA,IACA,OAAO,KAAK,GAAoD,KAAA;AAC9D,MAAA,MAAM,wBAGF,EAAC,CAAA;AACL,MAAA,MAAM,6BAMF,EAAC,CAAA;AAEL,MAAA,KAAA,IAAS,UAAU,UAAY,EAAA;AAC7B,QAAS,MAAA,GAAA,MAAA,CAAA;AAMT,QAAI,IAAA,kDAAA,CAAmD,MAAM,CAAG,EAAA;AAC9D,UAAsB,qBAAA,CAAA,MAAA,CAAO,YAAY,CAAI,GAAA,aAAA;AAAA,YAC3C,MAAO,CAAA,KAAA;AAAA,WACT,CAAA;AAEA,UAA2B,0BAAA,CAAA,MAAA,CAAO,YAAY,CAAA,GAAI,MAAO,CAAA,YAAA,CAAA;AAAA,SAC3D;AAAA,OACF;AAEA,MAAM,MAAA,wBAAA,GAA2B,CAC/B,QACG,KAAA;AACH,QAAA,MAAM,oBAAuB,GAAA,QAAA,CAC1B,MAAO,CAAA,CAAA,OAAA,KAAW,CAAC,gBAAiB,CAAA,QAAA,CAAS,OAAQ,CAAA,YAAY,CAAC,CAAA,CAClE,GAAI,CAAA,CAAA,OAAA,KAAW,QAAQ,YAAY,CAAA,CAAA;AAEtC,QAAA,IAAI,qBAAqB,MAAQ,EAAA;AAC/B,UAAA,MAAM,IAAID,iBAAA;AAAA,YACR,CAA8B,2BAAA,EAAA,oBAAA,CAAqB,IAAK,CAAA,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,WAC/D,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,WAAc,GAAA,4BAAA,CAA6B,SAAU,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AAEnE,MAAI,IAAA,CAAC,YAAY,OAAS,EAAA;AACxB,QAAA,MAAM,IAAIA,iBAAA,CAAW,WAAY,CAAA,KAAA,CAAM,UAAU,CAAA,CAAA;AAAA,OACnD;AAEA,MAAA,MAAM,OAAO,WAAY,CAAA,IAAA,CAAA;AAEzB,MAAA,wBAAA,CAAyB,KAAK,KAAK,CAAA,CAAA;AAEnC,MAAA,MAAM,6BAA6B,IAAK,CAAA,KAAA,CAAM,MAE5C,CAAA,CAAC,KAAK,IAAS,KAAA;AACf,QAAA,IAAI,CAAC,GAAA,CAAI,IAAK,CAAA,YAAY,CAAG,EAAA;AAC3B,UAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAI,mBAAA,IAAI,GAAI,EAAA,CAAA;AAAA,SACnC;AACA,QAAA,GAAA,CAAI,IAAK,CAAA,YAAY,CAAE,CAAA,GAAA,CAAI,KAAK,WAAW,CAAA,CAAA;AAC3C,QAAO,OAAA,GAAA,CAAA;AAAA,OACT,EAAG,EAAE,CAAA,CAAA;AAEL,MAAA,MAAM,0BAA+D,EAAC,CAAA;AACtE,MAAA,KAAA,MAAW,YAAgB,IAAA,MAAA,CAAO,IAAK,CAAA,0BAA0B,CAAG,EAAA;AAClE,QAAM,MAAA,YAAA,GAAe,2BAA2B,YAAY,CAAA,CAAA;AAC5D,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAA,MAAM,IAAIK,0BAAA;AAAA,YACR,gGAAgG,YAAY,CAAA,CAAA;AAAA,WAC9G,CAAA;AAAA,SACF;AACA,QAAA,MAAM,eAAe,KAAM,CAAA,IAAA;AAAA,UACzB,2BAA2B,YAAY,CAAA;AAAA,SACzC,CAAA;AACA,QAAM,MAAA,SAAA,GAAY,MAAM,YAAA,CAAa,YAAY,CAAA,CAAA;AACjD,QAAa,YAAA,CAAA,OAAA,CAAQ,CAAC,WAAA,EAAa,KAAU,KAAA;AAC3C,UAAI,IAAA,CAAC,uBAAwB,CAAA,YAAY,CAAG,EAAA;AAC1C,YAAwB,uBAAA,CAAA,YAAY,IAAI,EAAC,CAAA;AAAA,WAC3C;AACA,UAAA,uBAAA,CAAwB,YAAY,CAAA,CAAE,WAAW,CAAA,GAAI,UAAU,KAAK,CAAA,CAAA;AAAA,SACrE,CAAA,CAAA;AAAA,OACH;AAEA,MAAA,OAAO,IAAI,IAAK,CAAA;AAAA,QACd,KAAO,EAAA,IAAA,CAAK,KAAM,CAAA,GAAA,CAAI,CAAY,OAAA,MAAA;AAAA,UAChC,IAAI,OAAQ,CAAA,EAAA;AAAA,UACZ,MAAQ,EAAA,eAAA;AAAA,YACN,OAAQ,CAAA,UAAA;AAAA,YACR,uBAAwB,CAAA,OAAA,CAAQ,YAAY,CAAA,CAAE,QAAQ,WAAW,CAAA;AAAA,YACjE,qBAAA,CAAsB,QAAQ,YAAY,CAAA;AAAA,WAC5C,GACIN,sCAAgB,CAAA,KAAA,GAChBA,sCAAgB,CAAA,IAAA;AAAA,SACpB,CAAA,CAAA;AAAA,OACH,CAAA,CAAA;AAAA,KACH;AAAA,GACF,CAAA;AAGA,EAAO,MAAA,CAAA,GAAA,CAAIO,4BAAc,CAAA,CAAA;AAEzB,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,mDAIP,OASA,EAAA;AACA,EAAA,OAEI,QAIA,YAAiB,KAAA,KAAA,CAAA,CAAA;AAEvB;;ACpea,MAAA,oBAAA,GAAuB,CAMlC,IACG,KAAA,KAAA;AAUE,MAAM,wBACX,GAAA,MACA,CACE,IAAA,KAEA,qBAAqB,IAAI;;ACAtB,MAAM,sBAAqD,CAAA;AAAA,EACvD,KAAA,CAAA;AAAA,EACA,iBAAA,CAAA;AAAA,EACA,kBAAA,CAAA;AAAA,EAET,OAAO,UACL,CAAA,MAAA,EACA,OAMA,EAAA;AACA,IAAM,MAAA,EAAE,SAAW,EAAA,YAAA,EAAiB,GAAA,OAAA,CAAA;AACpC,IAAA,MAAM,mBAAmB,IAAIC,uCAAA,CAAiB,EAAE,SAAA,EAAW,QAAQ,CAAA,CAAA;AACnE,IAAA,MAAM,iBACJ,GAAA,MAAA,CAAO,kBAAmB,CAAA,oBAAoB,CAAK,IAAA,KAAA,CAAA;AAErD,IACE,IAAA,iBAAA,IACA,YACC,IAAA,YAAA,CAAqB,4BACtB,EAAA;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,yJAAA;AAAA,OACF,CAAA;AAAA,KACF;AAEA,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,sCAAA,CAAyB,OAAO,CAAA,CAAA;AAEjD,IAAA,OAAO,IAAI,sBAAuB,CAAA;AAAA,MAChC,IAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAEQ,YAAY,OAIjB,EAAA;AACD,IAAA,IAAA,CAAK,QAAQ,OAAQ,CAAA,IAAA,CAAA;AACrB,IAAA,IAAA,CAAK,oBAAoB,OAAQ,CAAA,gBAAA,CAAA;AACjC,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,iBAAA,CAAA;AAAA,GACpC;AAAA,EAEA,MAAM,oBACJ,CAAA,OAAA,EACA,OAC2B,EAAA;AAC3B,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,uBAAA,CAAwB,OAAO,CAAA,CAAA;AAC9D,IAAA,IAAI,eAAe,IAAK,CAAA,KAAA,CAAM,WAAY,CAAA,WAAA,EAAa,SAAS,CAAG,EAAA;AACjE,MAAO,OAAA,IAAA,CAAK,yBAA0B,CAAA,OAAA,EAAS,WAAW,CAAA,CAAA;AAAA,KAC5D,MAAA,IAAW,CAAC,IAAA,CAAK,kBAAoB,EAAA;AACnC,MAAA,OAAO,QAAQ,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAT,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC7D;AAEA,IAAA,OAAO,KAAK,iBAAkB,CAAA,oBAAA;AAAA,MAC5B,OAAA;AAAA,MACA,MAAM,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAAA,KACvC,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,SACJ,CAAA,QAAA,EACA,OACwC,EAAA;AACxC,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,uBAAA,CAAwB,OAAO,CAAA,CAAA;AAC9D,IAAA,IAAI,eAAe,IAAK,CAAA,KAAA,CAAM,WAAY,CAAA,WAAA,EAAa,SAAS,CAAG,EAAA;AACjE,MAAO,OAAA,IAAA,CAAK,yBAA0B,CAAA,QAAA,EAAU,WAAW,CAAA,CAAA;AAAA,KAC7D,MAAA,IAAW,CAAC,IAAA,CAAK,kBAAoB,EAAA;AACnC,MAAA,OAAO,SAAS,GAAI,CAAA,CAAA,CAAA,MAAM,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,OAAQ,CAAA,CAAA,CAAA;AAAA,KAC9D;AAEA,IAAA,OAAO,KAAK,iBAAkB,CAAA,SAAA;AAAA,MAC5B,QAAA;AAAA,MACA,MAAM,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAAA,KACvC,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,mBACJ,OACyC,EAAA;AACzC,IAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,MAAA,IAAI,KAAK,KAAM,CAAA,WAAA,CAAY,OAAQ,CAAA,WAAA,EAAa,MAAM,CAAG,EAAA;AACvD,QAAA,OAAO,EAAC,CAAA;AAAA,OACV;AAEA,MAAO,OAAA,IAAA,CAAK,MAAM,qBAAsB,CAAA;AAAA,QACtC,YAAY,OAAQ,CAAA,WAAA;AAAA,QACpB,cAAgB,EAAA,YAAA;AAAA,OACjB,CAAA,CAAA;AAAA,KACH;AAEA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,wBACJ,OAC2C,EAAA;AAC3C,IAAI,IAAA,OAAA,IAAW,iBAAiB,OAAS,EAAA;AACvC,MAAA,OAAO,OAAQ,CAAA,WAAA,CAAA;AAAA,KACjB;AAEA,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,yBAAA,CACE,OACA,WAC4B,EAAA;AAC5B,IAAA,MAAM,EAAE,eAAiB,EAAA,oBAAA,KACvB,WAAY,CAAA,SAAA,CAAU,sBAAsB,EAAC,CAAA;AAE/C,IAAO,OAAA,KAAA,CAAM,IAAI,CAAQ,IAAA,KAAA;AACvB,MAAA,IAAI,mBAAmB,CAAC,eAAA,CAAgB,SAAS,IAAK,CAAA,UAAA,CAAW,IAAI,CAAG,EAAA;AACtE,QAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,OACxC;AAEA,MAAA,IAAI,sBAAsB,MAAQ,EAAA;AAChC,QAAM,MAAA,MAAA,GAAS,IAAK,CAAA,UAAA,CAAW,UAAY,EAAA,MAAA,CAAA;AAC3C,QAAA,IAAI,CAAC,MAAU,IAAA,CAAC,qBAAqB,MAAO,CAAA,QAAA,CAAS,MAAM,CAAG,EAAA;AAC5D,UAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,IAAK,EAAA,CAAA;AAAA,SACxC;AAAA,OACF;AAEA,MAAO,OAAA,EAAE,MAAQ,EAAAA,sCAAA,CAAgB,KAAM,EAAA,CAAA;AAAA,KACxC,CAAA,CAAA;AAAA,GACH;AACF;;;;;;;;;;;;;;"}

package/dist/index.d.ts

@@ -2,7 +2,8 @@ import { PermissionCriteria, AllOfCriteria, AnyOfCriteria, NotCriteria, Permissi
 import { z } from 'zod';
 import express from 'express';
 import { BackstageUserIdentity } from '@backstage/plugin-auth-node';
-import { BackstageCredentials, BackstageUserInfo, PermissionsService, DiscoveryService, TokenManagerService, AuthService, PermissionsServiceRequestOptions } from '@backstage/backend-plugin-api';
+import { BackstageCredentials, BackstageUserInfo, PermissionsService, DiscoveryService, AuthService, PermissionsServiceRequestOptions } from '@backstage/backend-plugin-api';
+import { TokenManager } from '@backstage/backend-common';
 import { Config } from '@backstage/config';
 
 /**
@@ -383,7 +384,8 @@ declare class ServerPermissionClient implements PermissionsService {
     #private;
     static fromConfig(config: Config, options: {
         discovery: DiscoveryService;
-        tokenManager: TokenManagerService;
+        /** @deprecated This option will be removed in the future, provide a the auth option instead */
+        tokenManager?: TokenManager;
         auth?: AuthService;
     }): ServerPermissionClient;
     private constructor();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-permission-node",
-  "version": "0.8.1",
+  "version": "0.8.3-next.0",
   "description": "Common permission and authorization utilities for backend plugins",
   "backstage": {
     "role": "node-library",
@@ -55,11 +55,11 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.24.0",
-    "@backstage/backend-plugin-api": "^0.8.0",
+    "@backstage/backend-common": "^0.25.0-next.0",
+    "@backstage/backend-plugin-api": "^0.9.0-next.0",
     "@backstage/config": "^1.2.0",
     "@backstage/errors": "^1.2.4",
-    "@backstage/plugin-auth-node": "^0.5.0",
+    "@backstage/plugin-auth-node": "^0.5.2-next.0",
     "@backstage/plugin-permission-common": "^0.8.1",
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
@@ -68,8 +68,8 @@
     "zod-to-json-schema": "^3.20.4"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.5.0",
-    "@backstage/cli": "^0.27.0",
+    "@backstage/backend-test-utils": "^0.6.0-next.0",
+    "@backstage/cli": "^0.27.1-next.0",
     "@types/supertest": "^2.0.8",
     "msw": "^1.0.0",
     "supertest": "^6.1.3"