@backstage/plugin-scaffolder-backend 1.22.0-next.0 → 1.22.0-next.2

package/dist/cjs/{router-ae706822.cjs.js → router-52d79583.cjs.js}

@@ -1,5 +1,6 @@
 'use strict';
 
+var backendCommon = require('@backstage/backend-common');
 var catalogModel = require('@backstage/catalog-model');
 var config = require('@backstage/config');
 var errors = require('@backstage/errors');
@@ -13,7 +14,6 @@ var zod = require('zod');
 var pluginScaffolderNode = require('@backstage/plugin-scaffolder-node');
 var yaml = require('yaml');
 var fs = require('fs-extra');
-var backendCommon = require('@backstage/backend-common');
 var path = require('path');
 var luxon = require('luxon');
 var globby = require('globby');
@@ -95,7 +95,7 @@ const examples$9 = [
 
 const id$4 = "catalog:register";
 function createCatalogRegisterAction(options) {
-  const { catalogClient, integrations } = options;
+  const { catalogClient, integrations, auth } = options;
   return pluginScaffolderNode.createTemplateAction({
     id: id$4,
     description: "Registers entities from a catalog descriptor file in the workspace into the software catalog.",
@@ -175,13 +175,17 @@ function createCatalogRegisterAction(options) {
         });
       }
       ctx.logger.info(`Registering ${catalogInfoUrl} in the catalog`);
+      const { token } = (_b = await (auth == null ? void 0 : auth.getPluginRequestToken({
+        onBehalfOf: await ctx.getInitiatorCredentials(),
+        targetPluginId: "catalog"
+      }))) != null ? _b : { token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken };
       try {
         await catalogClient.addLocation(
           {
             type: "url",
             target: catalogInfoUrl
           },
-          ((_a = ctx.secrets) == null ? void 0 : _a.backstageToken) ? { token: ctx.secrets.backstageToken } : {}
+          token ? { token } : {}
         );
       } catch (e) {
         if (!input.optional) {
@@ -195,7 +199,7 @@ function createCatalogRegisterAction(options) {
             type: "url",
             target: catalogInfoUrl
           },
-          ((_b = ctx.secrets) == null ? void 0 : _b.backstageToken) ? { token: ctx.secrets.backstageToken } : {}
+          token ? { token } : {}
         );
         if (result.entities.length) {
           const { entities } = result;
@@ -270,7 +274,7 @@ function createCatalogWriteAction() {
     examples: examples$8,
     supportsDryRun: true,
     async handler(ctx) {
-      ctx.logStream.write(`Writing catalog-info.yaml`);
+      ctx.logger.info(`Writing catalog-info.yaml`);
       const { filePath, entity } = ctx.input;
       const path = filePath != null ? filePath : "catalog-info.yaml";
       await fs__default["default"].writeFile(
@@ -316,7 +320,7 @@ const examples$7 = [
 
 const id$2 = "catalog:fetch";
 function createFetchCatalogEntityAction(options) {
-  const { catalogClient } = options;
+  const { catalogClient, auth } = options;
   return pluginScaffolderNode.createTemplateAction({
     id: id$2,
     description: "Returns entity or entities from the catalog by entity reference(s)",
@@ -356,13 +360,17 @@ function createFetchCatalogEntityAction(options) {
         }
         throw new Error("Missing entity reference or references");
       }
+      const { token } = (_b = await (auth == null ? void 0 : auth.getPluginRequestToken({
+        onBehalfOf: await ctx.getInitiatorCredentials(),
+        targetPluginId: "catalog"
+      }))) != null ? _b : { token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken };
       if (entityRef) {
         const entity = await catalogClient.getEntityByRef(
           catalogModel.stringifyEntityRef(
             catalogModel.parseEntityRef(entityRef, { defaultKind, defaultNamespace })
           ),
           {
-            token: (_a = ctx.secrets) == null ? void 0 : _a.backstageToken
+            token
           }
         );
         if (!entity && !optional) {
@@ -380,7 +388,7 @@ function createFetchCatalogEntityAction(options) {
             )
           },
           {
-            token: (_b = ctx.secrets) == null ? void 0 : _b.backstageToken
+            token
           }
         );
         const finalEntities = entities.items.map((e, i) => {
@@ -457,11 +465,11 @@ function createDebugLogAction() {
       var _a, _b;
       ctx.logger.info(JSON.stringify(ctx.input, null, 2));
       if ((_a = ctx.input) == null ? void 0 : _a.message) {
-        ctx.logStream.write(ctx.input.message);
+        ctx.logger.info(ctx.input.message);
       }
       if ((_b = ctx.input) == null ? void 0 : _b.listWorkspace) {
         const files = await recursiveReadDir(ctx.workspacePath);
-        ctx.logStream.write(
+        ctx.logger.info(
           `Workspace:
 ${files.map((f) => `  - ${path.relative(ctx.workspacePath, f)}`).join("\n")}`
         );
@@ -1320,6 +1328,7 @@ const createBuiltinActions = (options) => {
     reader,
     integrations,
     catalogClient,
+    auth,
     config,
     additionalTemplateFilters,
     additionalTemplateGlobals
@@ -1393,8 +1402,8 @@ const createBuiltinActions = (options) => {
     }),
     createDebugLogAction(),
     createWaitAction(),
-    createCatalogRegisterAction({ catalogClient, integrations }),
-    createFetchCatalogEntityAction({ catalogClient }),
+    createCatalogRegisterAction({ catalogClient, integrations, auth }),
+    createFetchCatalogEntityAction({ catalogClient, auth }),
     createCatalogWriteAction(),
     createFilesystemDeleteAction(),
     createFilesystemRenameAction(),
@@ -1893,16 +1902,17 @@ var __publicField$2 = (obj, key, value) => {
 };
 class TaskManager {
   // Runs heartbeat internally
-  constructor(task, storage, signal, logger) {
+  constructor(task, storage, signal, logger, auth) {
     this.task = task;
     this.storage = storage;
     this.signal = signal;
     this.logger = logger;
+    this.auth = auth;
     __publicField$2(this, "isDone", false);
     __publicField$2(this, "heartbeatTimeoutId");
   }
-  static create(task, storage, abortSignal, logger) {
-    const agent = new TaskManager(task, storage, abortSignal, logger);
+  static create(task, storage, abortSignal, logger, auth) {
+    const agent = new TaskManager(task, storage, abortSignal, logger, auth);
     agent.startTimeout();
     return agent;
   }
@@ -1975,6 +1985,17 @@ class TaskManager {
       }
     }, 1e3);
   }
+  async getInitiatorCredentials() {
+    if (this.task.secrets && "__initiatorCredentials" in this.task.secrets) {
+      return JSON.parse(this.task.secrets.__initiatorCredentials);
+    }
+    if (!this.auth) {
+      throw new Error(
+        "Failed to create none credentials in scaffolder task. The TaskManager has not been initialized with an auth service implementation"
+      );
+    }
+    return this.auth.getNoneCredentials();
+  }
 }
 function defer() {
   let resolve = () => {
@@ -1985,10 +2006,11 @@ function defer() {
   return { promise, resolve };
 }
 class StorageTaskBroker {
-  constructor(storage, logger, config) {
+  constructor(storage, logger, config, auth) {
     this.storage = storage;
     this.logger = logger;
     this.config = config;
+    this.auth = auth;
     __publicField$2(this, "deferredDispatch", defer());
   }
   async list(options) {
@@ -2059,7 +2081,8 @@ class StorageTaskBroker {
           },
           this.storage,
           abortController.signal,
-          this.logger
+          this.logger,
+          this.auth
         );
       }
       await this.waitForDispatch();
@@ -2246,6 +2269,137 @@ const scaffolderActionRules = {
   hasStringProperty
 };
 
+var __accessCheck = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet = (obj, member, getter) => {
+  __accessCheck(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet = (obj, member, value, setter) => {
+  __accessCheck(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _winston, _addRedactions;
+const escapeRegExp = (text) => {
+  return text.replace(/[.*+?^${}(\)|[\]\\]/g, "\\$&");
+};
+const _WinstonLogger = class _WinstonLogger {
+  constructor(winston, addRedactions) {
+    __privateAdd(this, _winston, void 0);
+    __privateAdd(this, _addRedactions, void 0);
+    __privateSet(this, _winston, winston);
+    __privateSet(this, _addRedactions, addRedactions);
+  }
+  /**
+   * Creates a {@link WinstonLogger} instance.
+   */
+  static create(options) {
+    var _a;
+    const redacter = _WinstonLogger.redacter();
+    let logger = winston.createLogger({
+      level: options.level,
+      format: winston.format.combine(redacter.format, options.format),
+      transports: (_a = options.transports) != null ? _a : new winston.transports.Console()
+    });
+    if (options.meta) {
+      logger = logger.child(options.meta);
+    }
+    return new _WinstonLogger(logger, redacter.add);
+  }
+  /**
+   * Creates a winston log formatter for redacting secrets.
+   */
+  static redacter() {
+    const redactionSet = /* @__PURE__ */ new Set();
+    let redactionPattern = void 0;
+    return {
+      format: winston.format((info) => {
+        if (redactionPattern && typeof info.message === "string") {
+          info.message = info.message.replace(redactionPattern, "[REDACTED]");
+        }
+        if (redactionPattern && typeof info.stack === "string") {
+          info.stack = info.stack.replace(redactionPattern, "[REDACTED]");
+        }
+        return info;
+      })(),
+      add(newRedactions) {
+        let added = 0;
+        for (const redactionToTrim of newRedactions) {
+          const redaction = redactionToTrim.trim();
+          if (redaction.length <= 1) {
+            continue;
+          }
+          if (!redactionSet.has(redaction)) {
+            redactionSet.add(redaction);
+            added += 1;
+          }
+        }
+        if (added > 0) {
+          const redactions = Array.from(redactionSet).map((r) => escapeRegExp(r)).join("|");
+          redactionPattern = new RegExp(`(${redactions})`, "g");
+        }
+      }
+    };
+  }
+  /**
+   * Creates a pretty printed winston log formatter.
+   */
+  static colorFormat() {
+    const colorizer = winston.format.colorize();
+    return winston.format.combine(
+      winston.format.timestamp(),
+      winston.format.colorize({
+        colors: {
+          timestamp: "dim",
+          prefix: "blue",
+          field: "cyan",
+          debug: "grey"
+        }
+      }),
+      winston.format.printf((info) => {
+        const { timestamp, level, message, plugin, service, ...fields } = info;
+        const prefix = plugin || service;
+        const timestampColor = colorizer.colorize("timestamp", timestamp);
+        const prefixColor = colorizer.colorize("prefix", prefix);
+        const extraFields = Object.entries(fields).map(
+          ([key, value]) => `${colorizer.colorize("field", `${key}`)}=${value}`
+        ).join(" ");
+        return `${timestampColor} ${prefixColor} ${level} ${message} ${extraFields}`;
+      })
+    );
+  }
+  error(message, meta) {
+    __privateGet(this, _winston).error(message, meta);
+  }
+  warn(message, meta) {
+    __privateGet(this, _winston).warn(message, meta);
+  }
+  info(message, meta) {
+    __privateGet(this, _winston).info(message, meta);
+  }
+  debug(message, meta) {
+    __privateGet(this, _winston).debug(message, meta);
+  }
+  child(meta) {
+    return new _WinstonLogger(__privateGet(this, _winston).child(meta));
+  }
+  addRedactions(redactions) {
+    var _a;
+    (_a = __privateGet(this, _addRedactions)) == null ? void 0 : _a.call(this, redactions);
+  }
+};
+_winston = new WeakMap();
+_addRedactions = new WeakMap();
+let WinstonLogger = _WinstonLogger;
+
 var __defProp$1 = Object.defineProperty;
 var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$1 = (obj, key, value) => {
@@ -2259,23 +2413,33 @@ const createStepLogger = ({
   task,
   step
 }) => {
-  const metadata = { stepId: step.id };
-  const taskLogger = winston__namespace.createLogger({
+  var _a;
+  const stepLogStream = new stream.PassThrough();
+  stepLogStream.on("data", async (data) => {
+    const message = data.toString().trim();
+    if ((message == null ? void 0 : message.length) > 1) {
+      await task.emitLog(message, { stepId: step.id });
+    }
+  });
+  const taskLogger = WinstonLogger.create({
     level: process.env.LOG_LEVEL || "info",
     format: winston__namespace.format.combine(
       winston__namespace.format.colorize(),
       winston__namespace.format.simple()
     ),
-    defaultMeta: {}
+    transports: [
+      new winston__namespace.transports.Console(),
+      new winston__namespace.transports.Stream({ stream: stepLogStream })
+    ]
   });
+  taskLogger.addRedactions(Object.values((_a = task.secrets) != null ? _a : {}));
   const streamLogger = new stream.PassThrough();
   streamLogger.on("data", async (data) => {
     const message = data.toString().trim();
     if ((message == null ? void 0 : message.length) > 1) {
-      await task.emitLog(message, metadata);
+      taskLogger.info(message);
     }
   });
-  taskLogger.add(new winston__namespace.transports.Stream({ stream: streamLogger }));
   return { taskLogger, streamLogger };
 };
 const isActionAuthorized = pluginPermissionNode.createConditionAuthorizer(
@@ -2449,7 +2613,8 @@ class NunjucksWorkflowRunner {
         await action.handler({
           input: iteration.input,
           secrets: (_f = task.secrets) != null ? _f : {},
-          logger: taskLogger,
+          // TODO(blam): move to LoggerService and away from Winston
+          logger: backendCommon.loggerToWinstonLogger(taskLogger),
           logStream: streamLogger,
           workspacePath,
           async checkpoint(keySuffix, fn) {
@@ -2499,7 +2664,8 @@ class NunjucksWorkflowRunner {
           templateInfo: task.spec.templateInfo,
           user: task.spec.user,
           isDryRun: task.isDryRun,
-          signal: task.cancelSignal
+          signal: task.cancelSignal,
+          getInitiatorCredentials: task.getInitiatorCredentials
         });
       }
       for (const tmpDir of tmpDirs) {
@@ -2517,7 +2683,6 @@ class NunjucksWorkflowRunner {
     }
   }
   async execute(task) {
-    var _a;
     if (!isValidTaskSpec(task.spec)) {
       throw new errors.InputError(
         "Wrong template version executed with the workflow engine"
@@ -2545,7 +2710,7 @@ class NunjucksWorkflowRunner {
       };
       const [decision] = this.options.permissions && task.spec.steps.length ? await this.options.permissions.authorizeConditional(
         [{ permission: alpha.actionExecutePermission }],
-        { token: (_a = task.secrets) == null ? void 0 : _a.backstageToken }
+        { credentials: await task.getInitiatorCredentials() }
       ) : [{ result: pluginPermissionCommon.AuthorizeResult.ALLOW }];
       for (const step of task.spec.steps) {
         await this.executeStep(
@@ -2868,6 +3033,7 @@ function createDryRunner(options) {
           }
         },
         secrets: input.secrets,
+        getInitiatorCredentials: () => Promise.resolve(input.credentials),
         // No need to update this at the end of the run, so just hard-code it
         done: false,
         isDryRun: true,
@@ -3026,17 +3192,23 @@ async function createRouter(options) {
     additionalTemplateFilters,
     additionalTemplateGlobals,
     permissions,
-    permissionRules
+    permissionRules,
+    discovery = backendCommon.HostDiscovery.fromConfig(config),
+    identity = buildDefaultIdentityClient(options)
   } = options;
+  const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters({
+    ...options,
+    identity,
+    discovery
+  });
   const concurrentTasksLimit = (_a = options.concurrentTasksLimit) != null ? _a : options.config.getOptionalNumber("scaffolder.concurrentTasksLimit");
   const logger = parentLogger.child({ plugin: "scaffolder" });
-  const identity = options.identity || buildDefaultIdentityClient(options);
   const workingDirectory = await getWorkingDirectory(config, logger);
   const integrations = integration.ScmIntegrations.fromConfig(config);
   let taskBroker;
   if (!options.taskBroker) {
     const databaseTaskStore = await DatabaseTaskStore.create({ database });
-    taskBroker = new StorageTaskBroker(databaseTaskStore, logger, config);
+    taskBroker = new StorageTaskBroker(databaseTaskStore, logger, config, auth);
     if (scheduler && databaseTaskStore.listStaleTasks) {
       await scheduler.scheduleTask({
         id: "close_stale_tasks",
@@ -3090,7 +3262,8 @@ async function createRouter(options) {
     reader,
     config,
     additionalTemplateFilters,
-    additionalTemplateGlobals
+    additionalTemplateGlobals,
+    auth
   });
   actionsToRegister.forEach((action) => actionRegistry.register(action));
   const launchWorkers = () => workers.forEach((worker) => worker.start());
@@ -3144,11 +3317,16 @@ async function createRouter(options) {
     "/v2/templates/:namespace/:kind/:name/parameter-schema",
     async (req, res) => {
       var _a2, _b;
-      const userIdentity = await identity.getIdentity({
-        request: req
+      const credentials = await httpAuth.credentials(req);
+      const { token } = await auth.getPluginRequestToken({
+        onBehalfOf: credentials,
+        targetPluginId: "catalog"
       });
-      const token = userIdentity == null ? void 0 : userIdentity.token;
-      const template = await authorizeTemplate(req.params, token);
+      const template = await authorizeTemplate(
+        req.params,
+        token,
+        credentials
+      );
       const parameters = [(_a2 = template.spec.parameters) != null ? _a2 : []].flat();
       const presentation = template.spec.presentation;
       res.json({
@@ -3182,11 +3360,12 @@ async function createRouter(options) {
     const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
       defaultKind: "template"
     });
-    const callerIdentity = await identity.getIdentity({
-      request: req
+    const credentials = await httpAuth.credentials(req);
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
     });
-    const token = callerIdentity == null ? void 0 : callerIdentity.token;
-    const userEntityRef = callerIdentity == null ? void 0 : callerIdentity.identity.userEntityRef;
+    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
     const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
     let auditLog = `Scaffolding task for ${templateRef}`;
     if (userEntityRef) {
@@ -3196,7 +3375,8 @@ async function createRouter(options) {
     const values = req.body.values;
     const template = await authorizeTemplate(
       { kind, namespace, name },
-      token
+      token,
+      credentials
     );
     for (const parameters of [(_a2 = template.spec.parameters) != null ? _a2 : []].flat()) {
       const result2 = jsonschema.validate(values, parameters);
@@ -3236,7 +3416,8 @@ async function createRouter(options) {
       createdBy: userEntityRef,
       secrets: {
         ...req.body.secrets,
-        backstageToken: token
+        backstageToken: token,
+        initiatorCredentials: JSON.stringify(credentials)
       }
     });
     res.status(201).json({ id: result.taskId });
@@ -3331,7 +3512,7 @@ data: ${JSON.stringify(event)}
       clearTimeout(timeout);
     });
   }).post("/v2/dry-run", async (req, res) => {
-    var _a2, _b, _c, _d;
+    var _a2, _b, _c;
     const bodySchema = zod.z.object({
       template: zod.z.unknown(),
       values: zod.z.record(zod.z.unknown()),
@@ -3347,10 +3528,12 @@ data: ${JSON.stringify(event)}
     if (!await pluginScaffolderCommon.templateEntityV1beta3Validator.check(template)) {
       throw new errors.InputError("Input template is not a template");
     }
-    const token = (_a2 = await identity.getIdentity({
-      request: req
-    })) == null ? void 0 : _a2.token;
-    for (const parameters of [(_b = template.spec.parameters) != null ? _b : []].flat()) {
+    const credentials = await httpAuth.credentials(req);
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
+    });
+    for (const parameters of [(_a2 = template.spec.parameters) != null ? _a2 : []].flat()) {
       const result2 = jsonschema.validate(body.values, parameters);
       if (!result2.valid) {
         res.status(400).json({ errors: result2.errors });
@@ -3369,17 +3552,18 @@ data: ${JSON.stringify(event)}
       spec: {
         apiVersion: template.apiVersion,
         steps,
-        output: (_c = template.spec.output) != null ? _c : {},
+        output: (_b = template.spec.output) != null ? _b : {},
         parameters: body.values
       },
-      directoryContents: ((_d = body.directoryContents) != null ? _d : []).map((file) => ({
+      directoryContents: ((_c = body.directoryContents) != null ? _c : []).map((file) => ({
         path: file.path,
         content: Buffer.from(file.base64Content, "base64")
       })),
       secrets: {
         ...body.secrets,
         ...token && { backstageToken: token }
-      }
+      },
+      credentials
     });
     res.status(200).json({
       ...result,
@@ -3394,7 +3578,7 @@ data: ${JSON.stringify(event)}
   const app = express__default["default"]();
   app.set("logger", logger);
   app.use("/", router);
-  async function authorizeTemplate(entityRef, token) {
+  async function authorizeTemplate(entityRef, token, credentials) {
     const template = await findTemplate({
       catalogApi: catalogClient,
       entityRef,
@@ -3413,7 +3597,7 @@ data: ${JSON.stringify(event)}
         { permission: alpha.templateParameterReadPermission },
         { permission: alpha.templateStepReadPermission }
       ],
-      { token }
+      { credentials }
     );
     if (Array.isArray(template.spec.parameters)) {
       template.spec.parameters = template.spec.parameters.filter(
@@ -3448,4 +3632,4 @@ exports.createRouter = createRouter;
 exports.createWaitAction = createWaitAction;
 exports.scaffolderActionRules = scaffolderActionRules;
 exports.scaffolderTemplateRules = scaffolderTemplateRules;
-//# sourceMappingURL=router-ae706822.cjs.js.map
+//# sourceMappingURL=router-52d79583.cjs.js.map