@backstage/plugin-scaffolder-backend 1.21.3 → 1.22.0-next.1

package/dist/cjs/{router-f392ade6.cjs.js → router-1665319e.cjs.js}

@@ -1,5 +1,6 @@
 'use strict';
 
+var backendCommon = require('@backstage/backend-common');
 var catalogModel = require('@backstage/catalog-model');
 var config = require('@backstage/config');
 var errors = require('@backstage/errors');
@@ -13,7 +14,6 @@ var zod = require('zod');
 var pluginScaffolderNode = require('@backstage/plugin-scaffolder-node');
 var yaml = require('yaml');
 var fs = require('fs-extra');
-var backendCommon = require('@backstage/backend-common');
 var path = require('path');
 var luxon = require('luxon');
 var globby = require('globby');
@@ -95,7 +95,7 @@ const examples$9 = [
 
 const id$4 = "catalog:register";
 function createCatalogRegisterAction(options) {
-  const { catalogClient, integrations } = options;
+  const { catalogClient, integrations, auth } = options;
   return pluginScaffolderNode.createTemplateAction({
     id: id$4,
     description: "Registers entities from a catalog descriptor file in the workspace into the software catalog.",
@@ -175,13 +175,17 @@ function createCatalogRegisterAction(options) {
         });
       }
       ctx.logger.info(`Registering ${catalogInfoUrl} in the catalog`);
+      const { token } = (_b = await (auth == null ? void 0 : auth.getPluginRequestToken({
+        onBehalfOf: await ctx.getInitiatorCredentials(),
+        targetPluginId: "catalog"
+      }))) != null ? _b : { token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken };
       try {
         await catalogClient.addLocation(
           {
             type: "url",
             target: catalogInfoUrl
           },
-          ((_a = ctx.secrets) == null ? void 0 : _a.backstageToken) ? { token: ctx.secrets.backstageToken } : {}
+          token ? { token } : {}
         );
       } catch (e) {
         if (!input.optional) {
@@ -195,7 +199,7 @@ function createCatalogRegisterAction(options) {
             type: "url",
             target: catalogInfoUrl
           },
-          ((_b = ctx.secrets) == null ? void 0 : _b.backstageToken) ? { token: ctx.secrets.backstageToken } : {}
+          token ? { token } : {}
         );
         if (result.entities.length) {
           const { entities } = result;
@@ -316,7 +320,7 @@ const examples$7 = [
 
 const id$2 = "catalog:fetch";
 function createFetchCatalogEntityAction(options) {
-  const { catalogClient } = options;
+  const { catalogClient, auth } = options;
   return pluginScaffolderNode.createTemplateAction({
     id: id$2,
     description: "Returns entity or entities from the catalog by entity reference(s)",
@@ -356,13 +360,17 @@ function createFetchCatalogEntityAction(options) {
         }
         throw new Error("Missing entity reference or references");
       }
+      const { token } = (_b = await (auth == null ? void 0 : auth.getPluginRequestToken({
+        onBehalfOf: await ctx.getInitiatorCredentials(),
+        targetPluginId: "catalog"
+      }))) != null ? _b : { token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken };
       if (entityRef) {
         const entity = await catalogClient.getEntityByRef(
           catalogModel.stringifyEntityRef(
             catalogModel.parseEntityRef(entityRef, { defaultKind, defaultNamespace })
           ),
           {
-            token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken
+            token
           }
         );
         if (!entity && !optional) {
@@ -380,7 +388,7 @@ function createFetchCatalogEntityAction(options) {
             )
           },
           {
-            token: (_b = ctx.secrets) == null ? void 0 : _b.backstageToken
+            token
           }
         );
         const finalEntities = entities.items.map((e, i) => {
@@ -1320,6 +1328,7 @@ const createBuiltinActions = (options) => {
     reader,
     integrations,
     catalogClient,
+    auth,
     config,
     additionalTemplateFilters,
     additionalTemplateGlobals
@@ -1393,8 +1402,8 @@ const createBuiltinActions = (options) => {
     }),
     createDebugLogAction(),
     createWaitAction(),
-    createCatalogRegisterAction({ catalogClient, integrations }),
-    createFetchCatalogEntityAction({ catalogClient }),
+    createCatalogRegisterAction({ catalogClient, integrations, auth }),
+    createFetchCatalogEntityAction({ catalogClient, auth }),
     createCatalogWriteAction(),
     createFilesystemDeleteAction(),
     createFilesystemRenameAction(),
@@ -1742,6 +1751,18 @@ class DatabaseTaskStore {
       body: serializedBody
     });
   }
+  async getTaskState({ taskId }) {
+    const [result] = await this.db("tasks").where({ id: taskId }).select("state");
+    return result.state ? JSON.parse(result.state) : void 0;
+  }
+  async saveTaskState(options) {
+    if (options.state) {
+      const serializedState = JSON.stringify({ state: options.state });
+      await this.db("tasks").where({ id: options.taskId }).update({
+        state: serializedState
+      });
+    }
+  }
   async listEvents(options) {
     const { taskId, after } = options;
     const rawEvents = await this.db("task_events").where({
@@ -1881,16 +1902,17 @@ var __publicField$2 = (obj, key, value) => {
 };
 class TaskManager {
   // Runs heartbeat internally
-  constructor(task, storage, signal, logger) {
+  constructor(task, storage, signal, logger, auth) {
     this.task = task;
     this.storage = storage;
     this.signal = signal;
     this.logger = logger;
+    this.auth = auth;
     __publicField$2(this, "isDone", false);
     __publicField$2(this, "heartbeatTimeoutId");
   }
-  static create(task, storage, abortSignal, logger) {
-    const agent = new TaskManager(task, storage, abortSignal, logger);
+  static create(task, storage, abortSignal, logger, auth) {
+    const agent = new TaskManager(task, storage, abortSignal, logger, auth);
     agent.startTimeout();
     return agent;
   }
@@ -1918,6 +1940,23 @@ class TaskManager {
       body: { message, ...logMetadata }
     });
   }
+  async getTaskState() {
+    var _a, _b;
+    return (_b = (_a = this.storage).getTaskState) == null ? void 0 : _b.call(_a, { taskId: this.task.taskId });
+  }
+  async updateCheckpoint(options) {
+    var _a, _b;
+    const { key, ...value } = options;
+    if (this.task.state) {
+      this.task.state.checkpoints[key] = value;
+    } else {
+      this.task.state = { checkpoints: { [key]: value } };
+    }
+    await ((_b = (_a = this.storage).saveTaskState) == null ? void 0 : _b.call(_a, {
+      taskId: this.task.taskId,
+      state: this.task.state
+    }));
+  }
   async complete(result, metadata) {
     await this.storage.completeTask({
       taskId: this.task.taskId,
@@ -1946,6 +1985,17 @@ class TaskManager {
       }
     }, 1e3);
   }
+  async getInitiatorCredentials() {
+    if (this.task.secrets && "__initiatorCredentials" in this.task.secrets) {
+      return JSON.parse(this.task.secrets.__initiatorCredentials);
+    }
+    if (!this.auth) {
+      throw new Error(
+        "Failed to create none credentials in scaffolder task. The TaskManager has not been initialized with an auth service implementation"
+      );
+    }
+    return this.auth.getNoneCredentials();
+  }
 }
 function defer() {
   let resolve = () => {
@@ -1956,10 +2006,11 @@ function defer() {
   return { promise, resolve };
 }
 class StorageTaskBroker {
-  constructor(storage, logger, config) {
+  constructor(storage, logger, config, auth) {
     this.storage = storage;
     this.logger = logger;
     this.config = config;
+    this.auth = auth;
     __publicField$2(this, "deferredDispatch", defer());
   }
   async list(options) {
@@ -2030,7 +2081,8 @@ class StorageTaskBroker {
           },
           this.storage,
           abortController.signal,
-          this.logger
+          this.logger,
+          this.auth
         );
       }
       await this.waitForDispatch();
@@ -2311,7 +2363,7 @@ class NunjucksWorkflowRunner {
     });
   }
   async executeStep(task, step, context, renderTemplate, taskTrack, workspacePath, decision) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c, _d, _e, _f;
     const stepTrack = await this.tracker.stepStart(task, step);
     if (task.cancelSignal.aborted) {
       throw new Error(`Step ${step.name} has been cancelled.`);
@@ -2406,6 +2458,7 @@ class NunjucksWorkflowRunner {
       }
       const tmpDirs = new Array();
       const stepOutput = {};
+      const prevTaskState = await ((_e = task.getTaskState) == null ? void 0 : _e.call(task));
       for (const iteration of iterations) {
         if (iteration.each) {
           taskLogger.info(
@@ -2418,10 +2471,39 @@ class NunjucksWorkflowRunner {
         }
         await action.handler({
           input: iteration.input,
-          secrets: (_e = task.secrets) != null ? _e : {},
+          secrets: (_f = task.secrets) != null ? _f : {},
           logger: taskLogger,
           logStream: streamLogger,
           workspacePath,
+          async checkpoint(keySuffix, fn) {
+            var _a2, _b2, _c2, _d2;
+            const key = `v1.task.checkpoint.${keySuffix}`;
+            try {
+              let prevValue;
+              if (prevTaskState) {
+                const prevState = (_b2 = (_a2 = prevTaskState.state) == null ? void 0 : _a2.checkpoints) == null ? void 0 : _b2[key];
+                if (prevState && prevState.status === "success") {
+                  prevValue = prevState.value;
+                }
+              }
+              const value = prevValue ? prevValue : await fn();
+              if (!prevValue) {
+                (_c2 = task.updateCheckpoint) == null ? void 0 : _c2.call(task, {
+                  key,
+                  status: "success",
+                  value
+                });
+              }
+              return value;
+            } catch (err) {
+              (_d2 = task.updateCheckpoint) == null ? void 0 : _d2.call(task, {
+                key,
+                status: "failed",
+                reason: errors.stringifyError(err)
+              });
+              throw err;
+            }
+          },
           createTemporaryDirectory: async () => {
             const tmpDir = await fs__default["default"].mkdtemp(
               `${workspacePath}_step-${step.id}-`
@@ -2440,7 +2522,8 @@ class NunjucksWorkflowRunner {
           templateInfo: task.spec.templateInfo,
           user: task.spec.user,
           isDryRun: task.isDryRun,
-          signal: task.cancelSignal
+          signal: task.cancelSignal,
+          getInitiatorCredentials: task.getInitiatorCredentials
         });
       }
       for (const tmpDir of tmpDirs) {
@@ -2458,7 +2541,6 @@ class NunjucksWorkflowRunner {
     }
   }
   async execute(task) {
-    var _a;
     if (!isValidTaskSpec(task.spec)) {
       throw new errors.InputError(
         "Wrong template version executed with the workflow engine"
@@ -2486,7 +2568,7 @@ class NunjucksWorkflowRunner {
       };
       const [decision] = this.options.permissions && task.spec.steps.length ? await this.options.permissions.authorizeConditional(
         [{ permission: alpha.actionExecutePermission }],
-        { token: (_a = task.secrets) == null ? void 0 : _a.backstageToken }
+        { credentials: await task.getInitiatorCredentials() }
       ) : [{ result: pluginPermissionCommon.AuthorizeResult.ALLOW }];
       for (const step of task.spec.steps) {
         await this.executeStep(
@@ -2809,6 +2891,7 @@ function createDryRunner(options) {
           }
         },
         secrets: input.secrets,
+        getInitiatorCredentials: () => Promise.resolve(input.credentials),
         // No need to update this at the end of the run, so just hard-code it
         done: false,
         isDryRun: true,
@@ -2967,17 +3050,23 @@ async function createRouter(options) {
     additionalTemplateFilters,
     additionalTemplateGlobals,
     permissions,
-    permissionRules
+    permissionRules,
+    discovery = backendCommon.HostDiscovery.fromConfig(config),
+    identity = buildDefaultIdentityClient(options)
   } = options;
+  const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters({
+    ...options,
+    identity,
+    discovery
+  });
   const concurrentTasksLimit = (_a = options.concurrentTasksLimit) != null ? _a : options.config.getOptionalNumber("scaffolder.concurrentTasksLimit");
   const logger = parentLogger.child({ plugin: "scaffolder" });
-  const identity = options.identity || buildDefaultIdentityClient(options);
   const workingDirectory = await getWorkingDirectory(config, logger);
   const integrations = integration.ScmIntegrations.fromConfig(config);
   let taskBroker;
   if (!options.taskBroker) {
     const databaseTaskStore = await DatabaseTaskStore.create({ database });
-    taskBroker = new StorageTaskBroker(databaseTaskStore, logger, config);
+    taskBroker = new StorageTaskBroker(databaseTaskStore, logger, config, auth);
     if (scheduler && databaseTaskStore.listStaleTasks) {
       await scheduler.scheduleTask({
         id: "close_stale_tasks",
@@ -3031,7 +3120,8 @@ async function createRouter(options) {
     reader,
     config,
     additionalTemplateFilters,
-    additionalTemplateGlobals
+    additionalTemplateGlobals,
+    auth
   });
   actionsToRegister.forEach((action) => actionRegistry.register(action));
   const launchWorkers = () => workers.forEach((worker) => worker.start());
@@ -3085,11 +3175,16 @@ async function createRouter(options) {
     "/v2/templates/:namespace/:kind/:name/parameter-schema",
     async (req, res) => {
       var _a2, _b;
-      const userIdentity = await identity.getIdentity({
-        request: req
+      const credentials = await httpAuth.credentials(req);
+      const { token } = await auth.getPluginRequestToken({
+        onBehalfOf: credentials,
+        targetPluginId: "catalog"
       });
-      const token = userIdentity == null ? void 0 : userIdentity.token;
-      const template = await authorizeTemplate(req.params, token);
+      const template = await authorizeTemplate(
+        req.params,
+        token,
+        credentials
+      );
       const parameters = [(_a2 = template.spec.parameters) != null ? _a2 : []].flat();
       const presentation = template.spec.presentation;
       res.json({
@@ -3123,11 +3218,12 @@ async function createRouter(options) {
     const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
       defaultKind: "template"
     });
-    const callerIdentity = await identity.getIdentity({
-      request: req
+    const credentials = await httpAuth.credentials(req, { allow: ["user"] });
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
     });
-    const token = callerIdentity == null ? void 0 : callerIdentity.token;
-    const userEntityRef = callerIdentity == null ? void 0 : callerIdentity.identity.userEntityRef;
+    const userEntityRef = credentials.principal.userEntityRef;
     const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
     let auditLog = `Scaffolding task for ${templateRef}`;
     if (userEntityRef) {
@@ -3137,7 +3233,8 @@ async function createRouter(options) {
     const values = req.body.values;
     const template = await authorizeTemplate(
       { kind, namespace, name },
-      token
+      token,
+      credentials
     );
     for (const parameters of [(_a2 = template.spec.parameters) != null ? _a2 : []].flat()) {
       const result2 = jsonschema.validate(values, parameters);
@@ -3177,7 +3274,8 @@ async function createRouter(options) {
       createdBy: userEntityRef,
       secrets: {
         ...req.body.secrets,
-        backstageToken: token
+        backstageToken: token,
+        initiatorCredentials: JSON.stringify(credentials)
       }
     });
     res.status(201).json({ id: result.taskId });
@@ -3272,7 +3370,7 @@ data: ${JSON.stringify(event)}
       clearTimeout(timeout);
     });
   }).post("/v2/dry-run", async (req, res) => {
-    var _a2, _b, _c, _d;
+    var _a2, _b, _c;
     const bodySchema = zod.z.object({
       template: zod.z.unknown(),
       values: zod.z.record(zod.z.unknown()),
@@ -3288,10 +3386,12 @@ data: ${JSON.stringify(event)}
     if (!await pluginScaffolderCommon.templateEntityV1beta3Validator.check(template)) {
       throw new errors.InputError("Input template is not a template");
     }
-    const token = (_a2 = await identity.getIdentity({
-      request: req
-    })) == null ? void 0 : _a2.token;
-    for (const parameters of [(_b = template.spec.parameters) != null ? _b : []].flat()) {
+    const credentials = await httpAuth.credentials(req);
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
+    });
+    for (const parameters of [(_a2 = template.spec.parameters) != null ? _a2 : []].flat()) {
       const result2 = jsonschema.validate(body.values, parameters);
       if (!result2.valid) {
         res.status(400).json({ errors: result2.errors });
@@ -3310,17 +3410,18 @@ data: ${JSON.stringify(event)}
       spec: {
         apiVersion: template.apiVersion,
         steps,
-        output: (_c = template.spec.output) != null ? _c : {},
+        output: (_b = template.spec.output) != null ? _b : {},
         parameters: body.values
       },
-      directoryContents: ((_d = body.directoryContents) != null ? _d : []).map((file) => ({
+      directoryContents: ((_c = body.directoryContents) != null ? _c : []).map((file) => ({
         path: file.path,
         content: Buffer.from(file.base64Content, "base64")
       })),
       secrets: {
         ...body.secrets,
         ...token && { backstageToken: token }
-      }
+      },
+      credentials
     });
     res.status(200).json({
       ...result,
@@ -3335,7 +3436,7 @@ data: ${JSON.stringify(event)}
   const app = express__default["default"]();
   app.set("logger", logger);
   app.use("/", router);
-  async function authorizeTemplate(entityRef, token) {
+  async function authorizeTemplate(entityRef, token, credentials) {
     const template = await findTemplate({
       catalogApi: catalogClient,
       entityRef,
@@ -3354,7 +3455,7 @@ data: ${JSON.stringify(event)}
         { permission: alpha.templateParameterReadPermission },
         { permission: alpha.templateStepReadPermission }
       ],
-      { token }
+      { credentials }
     );
     if (Array.isArray(template.spec.parameters)) {
       template.spec.parameters = template.spec.parameters.filter(
@@ -3389,4 +3490,4 @@ exports.createRouter = createRouter;
 exports.createWaitAction = createWaitAction;
 exports.scaffolderActionRules = scaffolderActionRules;
 exports.scaffolderTemplateRules = scaffolderTemplateRules;
-//# sourceMappingURL=router-f392ade6.cjs.js.map
+//# sourceMappingURL=router-1665319e.cjs.js.map