@backstage/plugin-scaffolder-backend 1.13.0-next.3 → 1.13.0

package/dist/cjs/{ScaffolderEntitiesProcessor-b5a2b352.cjs.js → ScaffolderEntitiesProcessor-2f24bb9e.cjs.js}

@@ -36,10 +36,11 @@ var PQueue = require('p-queue');
 var winston = require('winston');
 var nunjucks = require('nunjucks');
 var lodash = require('lodash');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var promClient = require('prom-client');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
 var url = require('url');
 var os = require('os');
-var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var pluginCatalogNode = require('@backstage/plugin-catalog-node');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
@@ -1270,7 +1271,7 @@ async function initRepoAndPush({
     name: (_a = gitAuthorInfo == null ? void 0 : gitAuthorInfo.name) != null ? _a : "Scaffolder",
     email: (_b = gitAuthorInfo == null ? void 0 : gitAuthorInfo.email) != null ? _b : "scaffolder@backstage.io"
   };
-  await git.commit({
+  const commitHash = await git.commit({
     dir,
     message: commitMessage,
     author: authorInfo,
@@ -1285,6 +1286,7 @@ async function initRepoAndPush({
     dir,
     remote: "origin"
   });
+  return { commitHash };
 }
 async function commitAndPushRepo({
   dir,
@@ -1307,7 +1309,7 @@ async function commitAndPushRepo({
     name: (_a = gitAuthorInfo == null ? void 0 : gitAuthorInfo.name) != null ? _a : "Scaffolder",
     email: (_b = gitAuthorInfo == null ? void 0 : gitAuthorInfo.email) != null ? _b : "scaffolder@backstage.io"
   };
-  await git.commit({
+  const commitHash = await git.commit({
     dir,
     message: commitMessage,
     author: authorInfo,
@@ -1318,6 +1320,7 @@ async function commitAndPushRepo({
     remote: "origin",
     remoteRef: remoteRef != null ? remoteRef : `refs/heads/${branch}`
   });
+  return { commitHash };
 }
 const enableBranchProtectionOnDefaultRepoBranch = async ({
   repoName,
@@ -1560,7 +1563,7 @@ async function initRepoPushAndProtect(remoteUrl, password, workspacePath, source
     email: gitAuthorEmail ? gitAuthorEmail : config.getOptionalString("scaffolder.defaultAuthor.email")
   };
   const commitMessage = gitCommitMessage ? gitCommitMessage : config.getOptionalString("scaffolder.defaultCommitMessage");
-  await initRepoAndPush({
+  const commitResult = await initRepoAndPush({
     dir: getRepoSourceDirectory(workspacePath, sourcePath),
     remoteUrl,
     defaultBranch,
@@ -1598,6 +1601,7 @@ async function initRepoPushAndProtect(remoteUrl, password, workspacePath, source
       );
     }
   }
+  return { commitHash: commitResult.commitHash };
 }
 function extractCollaboratorName(collaborator) {
   if ("username" in collaborator)
@@ -2007,6 +2011,10 @@ const repoContentsUrl = {
   title: "A URL to the root of the repository",
   type: "string"
 };
+const commitHash = {
+  title: "The git commit hash of the initial commit",
+  type: "string"
+};
 
 function createGithubRepoCreateAction(options) {
   const { integrations, githubCredentialsProvider } = options;
@@ -2147,7 +2155,8 @@ function createGithubRepoPushAction(options) {
         type: "object",
         properties: {
           remoteUrl: remoteUrl,
-          repoContentsUrl: repoContentsUrl
+          repoContentsUrl: repoContentsUrl,
+          commitHash: commitHash
         }
       }
     },
@@ -2185,7 +2194,7 @@ function createGithubRepoPushAction(options) {
       const targetRepo = await client.rest.repos.get({ owner, repo });
       const remoteUrl = targetRepo.data.clone_url;
       const repoContentsUrl = `${targetRepo.data.html_url}/blob/${defaultBranch}`;
-      await initRepoPushAndProtect(
+      const { commitHash } = await initRepoPushAndProtect(
         remoteUrl,
         octokitOptions.auth,
         ctx.workspacePath,
@@ -2213,6 +2222,7 @@ function createGithubRepoPushAction(options) {
       );
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
+      ctx.output("commitHash", commitHash);
     }
   });
 }
@@ -2399,6 +2409,10 @@ function createPublishAzureAction(options) {
           repositoryId: {
             title: "The Id of the created repository",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -2457,7 +2471,7 @@ function createPublishAzureAction(options) {
         name: gitAuthorName ? gitAuthorName : config.getOptionalString("scaffolder.defaultAuthor.name"),
         email: gitAuthorEmail ? gitAuthorEmail : config.getOptionalString("scaffolder.defaultAuthor.email")
       };
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
         defaultBranch,
@@ -2469,6 +2483,7 @@ function createPublishAzureAction(options) {
         commitMessage: gitCommitMessage ? gitCommitMessage : config.getOptionalString("scaffolder.defaultCommitMessage"),
         gitAuthorInfo
       });
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
       ctx.output("repositoryId", repositoryId);
@@ -2668,6 +2683,10 @@ function createPublishBitbucketAction(options) {
           repoContentsUrl: {
             title: "A URL to the root of the repository",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -2744,7 +2763,7 @@ function createPublishBitbucketAction(options) {
           password: integrationConfig.config.appPassword ? integrationConfig.config.appPassword : (_a = integrationConfig.config.token) != null ? _a : ""
         };
       }
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
         auth,
@@ -2756,6 +2775,7 @@ function createPublishBitbucketAction(options) {
       if (enableLFS && host !== "bitbucket.org") {
         await performEnableLFS$1({ authorization, host, project, repo });
       }
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
     }
@@ -2875,6 +2895,10 @@ function createPublishBitbucketCloudAction(options) {
           repoContentsUrl: {
             title: "A URL to the root of the repository",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -2941,7 +2965,7 @@ function createPublishBitbucketCloudAction(options) {
           password: integrationConfig.config.appPassword
         };
       }
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
         auth,
@@ -2952,6 +2976,7 @@ function createPublishBitbucketCloudAction(options) {
         ),
         gitAuthorInfo
       });
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
     }
@@ -3089,6 +3114,10 @@ function createPublishBitbucketServerAction(options) {
           repoContentsUrl: {
             title: "A URL to the root of the repository",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -3149,7 +3178,7 @@ function createPublishBitbucketServerAction(options) {
         username: authConfig.username,
         password: authConfig.password
       };
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl,
         auth,
@@ -3161,6 +3190,7 @@ function createPublishBitbucketServerAction(options) {
       if (enableLFS) {
         await performEnableLFS({ authorization, host, project, repo });
       }
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
     }
@@ -3254,6 +3284,10 @@ function createPublishGerritAction(options) {
           repoContentsUrl: {
             title: "A URL to the root of the repository",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -3298,7 +3332,7 @@ function createPublishGerritAction(options) {
         email: gitAuthorEmail ? gitAuthorEmail : config.getOptionalString("scaffolder.defaultAuthor.email")
       };
       const remoteUrl = `${integrationConfig.config.cloneUrl}/a/${repo}`;
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, sourcePath),
         remoteUrl,
         auth,
@@ -3309,6 +3343,7 @@ function createPublishGerritAction(options) {
       });
       const repoContentsUrl = `${integrationConfig.config.gitilesBaseUrl}/${repo}/+/refs/heads/${defaultBranch}`;
       ctx.output("remoteUrl", remoteUrl);
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("repoContentsUrl", repoContentsUrl);
     }
   });
@@ -3473,7 +3508,8 @@ function createPublishGithubAction(options) {
         type: "object",
         properties: {
           remoteUrl: remoteUrl,
-          repoContentsUrl: repoContentsUrl
+          repoContentsUrl: repoContentsUrl,
+          commitHash: commitHash
         }
       }
     },
@@ -3548,7 +3584,7 @@ function createPublishGithubAction(options) {
       );
       const remoteUrl = newRepo.clone_url;
       const repoContentsUrl = `${newRepo.html_url}/blob/${defaultBranch}`;
-      await initRepoPushAndProtect(
+      const commitResult = await initRepoPushAndProtect(
         remoteUrl,
         octokitOptions.auth,
         ctx.workspacePath,
@@ -3574,6 +3610,7 @@ function createPublishGithubAction(options) {
         dismissStaleReviews,
         requiredCommitSigning
       );
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
     }
@@ -3959,6 +3996,10 @@ function createPublishGitlabAction(options) {
           projectId: {
             title: "The ID of the project",
             type: "string"
+          },
+          commitHash: {
+            title: "The git commit hash of the initial commit",
+            type: "string"
           }
         }
       }
@@ -4019,7 +4060,7 @@ function createPublishGitlabAction(options) {
         name: gitAuthorName ? gitAuthorName : config.getOptionalString("scaffolder.defaultAuthor.name"),
         email: gitAuthorEmail ? gitAuthorEmail : config.getOptionalString("scaffolder.defaultAuthor.email")
       };
-      await initRepoAndPush({
+      const commitResult = await initRepoAndPush({
         dir: getRepoSourceDirectory(ctx.workspacePath, ctx.input.sourcePath),
         remoteUrl: http_url_to_repo,
         defaultBranch,
@@ -4031,6 +4072,7 @@ function createPublishGitlabAction(options) {
         commitMessage: gitCommitMessage ? gitCommitMessage : config.getOptionalString("scaffolder.defaultCommitMessage"),
         gitAuthorInfo
       });
+      ctx.output("commitHash", commitResult == null ? void 0 : commitResult.commitHash);
       ctx.output("remoteUrl", remoteUrl);
       ctx.output("repoContentsUrl", repoContentsUrl);
       ctx.output("projectId", projectId);
@@ -4899,6 +4941,87 @@ function createHistogramMetric(config) {
   return metric;
 }
 
+const createTemplatePermissionRule = pluginPermissionNode.makeCreatePermissionRule();
+const hasTag = createTemplatePermissionRule({
+  name: "HAS_TAG",
+  resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,
+  description: `Match parameters or steps with the given tag`,
+  paramsSchema: zod.z.object({
+    tag: zod.z.string().describe("Name of the tag to match on")
+  }),
+  apply: (resource, { tag }) => {
+    var _a, _b, _c;
+    return (_c = (_b = (_a = resource["backstage:permissions"]) == null ? void 0 : _a.tags) == null ? void 0 : _b.includes(tag)) != null ? _c : false;
+  },
+  toQuery: () => ({})
+});
+const createActionPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
+const hasActionId = createActionPermissionRule({
+  name: "HAS_ACTION_ID",
+  resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_ACTION,
+  description: `Match actions with the given actionId`,
+  paramsSchema: zod.z.object({
+    actionId: zod.z.string().describe("Name of the actionId to match on")
+  }),
+  apply: (resource, { actionId }) => {
+    return resource.action === actionId;
+  },
+  toQuery: () => ({})
+});
+buildHasProperty({
+  name: "HAS_PROPERTY",
+  valueSchema: zod.z.union([zod.z.string(), zod.z.number(), zod.z.boolean(), zod.z.null()]),
+  validateProperty: false
+});
+const hasBooleanProperty = buildHasProperty({
+  name: "HAS_BOOLEAN_PROPERTY",
+  valueSchema: zod.z.boolean()
+});
+const hasNumberProperty = buildHasProperty({
+  name: "HAS_NUMBER_PROPERTY",
+  valueSchema: zod.z.number()
+});
+const hasStringProperty = buildHasProperty({
+  name: "HAS_STRING_PROPERTY",
+  valueSchema: zod.z.string()
+});
+function buildHasProperty({
+  name,
+  valueSchema,
+  validateProperty = true
+}) {
+  return createActionPermissionRule({
+    name,
+    description: `Allow actions with the specified property`,
+    resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_ACTION,
+    paramsSchema: zod.z.object({
+      key: zod.z.string().describe(`Property within the action parameters to match on`),
+      value: valueSchema.describe(`Value of the given property to match on`)
+    }),
+    apply: (resource, { key, value }) => {
+      const foundValue = lodash.get(resource.input, key);
+      if (validateProperty && !valueSchema.safeParse(foundValue).success) {
+        return false;
+      }
+      if (value !== void 0) {
+        if (valueSchema.safeParse(value).success) {
+          return value === foundValue;
+        }
+        return false;
+      }
+      return foundValue !== void 0;
+    },
+    toQuery: () => ({})
+  });
+}
+const scaffolderTemplateRules = { hasTag };
+const scaffolderActionRules = {
+  hasActionId,
+  hasBooleanProperty,
+  hasNumberProperty,
+  hasStringProperty
+};
+
 const isValidTaskSpec = (taskSpec) => {
   return taskSpec.apiVersion === "scaffolder.backstage.io/v1beta3";
 };
@@ -4925,6 +5048,9 @@ const createStepLogger = ({
   taskLogger.add(new winston__namespace.transports.Stream({ stream: streamLogger }));
   return { taskLogger, streamLogger };
 };
+const isActionAuthorized = pluginPermissionNode.createConditionAuthorizer(
+  Object.values(scaffolderActionRules)
+);
 class NunjucksWorkflowRunner {
   constructor(options) {
     this.options = options;
@@ -4982,7 +5108,7 @@ class NunjucksWorkflowRunner {
       return value;
     });
   }
-  async executeStep(task, step, context, renderTemplate, taskTrack, workspacePath) {
+  async executeStep(task, step, context, renderTemplate, taskTrack, workspacePath, decision) {
     var _a, _b, _c, _d, _e, _f, _g;
     const stepTrack = await this.tracker.stepStart(task, step);
     if (task.cancelSignal.aborted) {
@@ -5047,6 +5173,15 @@ class NunjucksWorkflowRunner {
           );
         }
       }
+      if (!isActionAuthorized(decision, { action: action.id, input })) {
+        throw new errors.NotAllowedError(
+          `Unauthorized action: ${action.id}. The action is not allowed. Input: ${JSON.stringify(
+            input,
+            null,
+            2
+          )}`
+        );
+      }
       const tmpDirs = new Array();
       const stepOutput = {};
       await action.handler({
@@ -5083,6 +5218,7 @@ class NunjucksWorkflowRunner {
     }
   }
   async execute(task) {
+    var _a;
     if (!isValidTaskSpec(task.spec)) {
       throw new errors.InputError(
         "Wrong template version executed with the workflow engine"
@@ -5108,6 +5244,10 @@ class NunjucksWorkflowRunner {
         steps: {},
         user: task.spec.user
       };
+      const [decision] = this.options.permissions && task.spec.steps.length ? await this.options.permissions.authorizeConditional(
+        [{ permission: alpha.actionExecutePermission }],
+        { token: (_a = task.secrets) == null ? void 0 : _a.backstageToken }
+      ) : [{ result: pluginPermissionCommon.AuthorizeResult.ALLOW }];
       for (const step of task.spec.steps) {
         await this.executeStep(
           task,
@@ -5115,7 +5255,8 @@ class NunjucksWorkflowRunner {
           context,
           renderTemplate,
           taskTrack,
-          workspacePath
+          workspacePath,
+          decision
         );
       }
       const output = this.render(task.spec.output, context, renderTemplate);
@@ -5265,7 +5406,7 @@ class TaskWorker {
   constructor(options) {
     this.options = options;
     this.taskQueue = new PQueue__default["default"]({
-      concurrency: this.options.concurrentTasksLimit
+      concurrency: options.concurrentTasksLimit
     });
   }
   static async create(options) {
@@ -5278,7 +5419,8 @@ class TaskWorker {
       additionalTemplateFilters,
       concurrentTasksLimit = 10,
       // from 1 to Infinity
-      additionalTemplateGlobals
+      additionalTemplateGlobals,
+      permissions
     } = options;
     const workflowRunner = new NunjucksWorkflowRunner({
       actionRegistry,
@@ -5286,12 +5428,14 @@ class TaskWorker {
       logger,
       workingDirectory,
       additionalTemplateFilters,
-      additionalTemplateGlobals
+      additionalTemplateGlobals,
+      permissions
     });
     return new TaskWorker({
       taskBroker,
       runners: { workflowRunner },
-      concurrentTasksLimit
+      concurrentTasksLimit,
+      permissions
     });
   }
   start() {
@@ -5478,22 +5622,6 @@ async function findTemplate(options) {
   return template;
 }
 
-const createScaffolderPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
-const hasTag = createScaffolderPermissionRule({
-  name: "HAS_TAG",
-  resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,
-  description: `Match parameters or steps with the given tag`,
-  paramsSchema: zod.z.object({
-    tag: zod.z.string().describe("Name of the tag to match on")
-  }),
-  apply: (resource, { tag }) => {
-    var _a, _b, _c;
-    return (_c = (_b = (_a = resource["backstage:permissions"]) == null ? void 0 : _a.tags) == null ? void 0 : _b.includes(tag)) != null ? _c : false;
-  },
-  toQuery: () => ({})
-});
-const scaffolderTemplateRules = { hasTag };
-
 function isSupportedTemplate(entity) {
   return entity.apiVersion === "scaffolder.backstage.io/v1beta3";
 }
@@ -5556,7 +5684,7 @@ async function createRouter(options) {
     scheduler,
     additionalTemplateFilters,
     additionalTemplateGlobals,
-    permissionApi,
+    permissions,
     permissionRules
   } = options;
   const logger = parentLogger.child({ plugin: "scaffolder" });
@@ -5598,7 +5726,8 @@ async function createRouter(options) {
       workingDirectory,
       additionalTemplateFilters,
       additionalTemplateGlobals,
-      concurrentTasksLimit
+      concurrentTasksLimit,
+      permissions
     });
     workers.push(worker);
   }
@@ -5618,7 +5747,8 @@ async function createRouter(options) {
     logger,
     workingDirectory,
     additionalTemplateFilters,
-    additionalTemplateGlobals
+    additionalTemplateGlobals,
+    permissions
   });
   const templateRules = Object.values(
     scaffolderTemplateRules
@@ -5668,7 +5798,7 @@ async function createRouter(options) {
     });
     res.json(actionsList);
   }).post("/v2/tasks", async (req, res) => {
-    var _a, _b, _c;
+    var _a, _b;
     const templateRef = req.body.templateRef;
     const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
       defaultKind: "template"
@@ -5714,11 +5844,7 @@ async function createRouter(options) {
         ref: userEntityRef
       },
       templateInfo: {
-        entityRef: catalogModel.stringifyEntityRef({
-          kind,
-          namespace,
-          name: (_c = template.metadata) == null ? void 0 : _c.name
-        }),
+        entityRef: catalogModel.stringifyEntityRef({ kind, name, namespace }),
         baseUrl,
         entity: {
           metadata: template.metadata
@@ -5899,10 +6025,10 @@ data: ${JSON.stringify(event)}
         `Unsupported apiVersion field in schema entity, ${template.apiVersion}`
       );
     }
-    if (!permissionApi) {
+    if (!permissions) {
       return template;
     }
-    const [parameterDecision, stepDecision] = await permissionApi.authorizeConditional(
+    const [parameterDecision, stepDecision] = await permissions.authorizeConditional(
       [
         { permission: alpha.templateParameterReadPermission },
         { permission: alpha.templateStepReadPermission }
@@ -6011,5 +6137,6 @@ exports.createRouter = createRouter;
 exports.createWaitAction = createWaitAction;
 exports.executeShellCommand = executeShellCommand;
 exports.fetchContents = fetchContents;
+exports.scaffolderActionRules = scaffolderActionRules;
 exports.scaffolderTemplateRules = scaffolderTemplateRules;
-//# sourceMappingURL=ScaffolderEntitiesProcessor-b5a2b352.cjs.js.map
+//# sourceMappingURL=ScaffolderEntitiesProcessor-2f24bb9e.cjs.js.map