@backstage/plugin-scaffolder-backend 1.22.0-next.1 → 1.22.0

package/CHANGELOG.md

@@ -1,5 +1,87 @@
 # @backstage/plugin-scaffolder-backend
 
+## 1.22.0
+
+### Minor Changes
+
+- e9663a9: Move away from using `ctx.logStream`
+- aa543c9: Migrate plugin to use the new auth services, add an optional service discovery to the router options and change the permissions type to be `PermissionsService`.
+- e9663a9: Enable the redaction of secrets using the redacting logger and the secrets from the `TaskSpec`
+- c6b132e: Introducing checkpoints for scaffolder task action idempotency
+
+### Patch Changes
+
+- 984abfa: Fixing the lost of the initial state after a task recovery.
+- 703ebc9: Fix support for unauthenticated requests to create scaffolder tasks
+- f44589d: Introduced `createMockActionContext` to unify the way of creating scaffolder mock context.
+
+  It will help to maintain tests in a long run during structural changes of action context.
+
+- 0fb419b: Updated dependency `uuid` to `^9.0.0`.
+  Updated dependency `@types/uuid` to `^9.0.0`.
+- bbd1fe1: Made "checkpoint" on scaffolder action context non-optional
+- Updated dependencies
+  - @backstage/plugin-scaffolder-node@0.4.0
+  - @backstage/plugin-scaffolder-backend-module-azure@0.1.6
+  - @backstage/plugin-scaffolder-backend-module-bitbucket-cloud@0.1.4
+  - @backstage/plugin-scaffolder-backend-module-bitbucket-server@0.1.4
+  - @backstage/plugin-scaffolder-backend-module-bitbucket@0.2.4
+  - @backstage/backend-common@0.21.4
+  - @backstage/integration@1.9.1
+  - @backstage/plugin-auth-node@0.4.9
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/backend-plugin-api@0.6.14
+  - @backstage/plugin-scaffolder-backend-module-gerrit@0.1.6
+  - @backstage/plugin-scaffolder-backend-module-github@0.2.4
+  - @backstage/plugin-scaffolder-backend-module-gitlab@0.3.0
+  - @backstage/plugin-scaffolder-backend-module-gitea@0.1.4
+  - @backstage/plugin-permission-common@0.7.13
+  - @backstage/plugin-catalog-node@1.8.0
+  - @backstage/catalog-client@1.6.1
+  - @backstage/backend-tasks@0.5.19
+  - @backstage/plugin-permission-node@0.7.25
+  - @backstage/plugin-catalog-backend-module-scaffolder-entity-model@0.1.11
+  - @backstage/catalog-model@1.4.5
+  - @backstage/types@1.1.1
+  - @backstage/plugin-scaffolder-common@1.5.1
+
+## 1.22.0-next.2
+
+### Minor Changes
+
+- e9663a9: Move away from using `ctx.logStream`
+- e9663a9: Enable the redaction of secrets using the redacting logger and the secrets from the `TaskSpec`
+
+### Patch Changes
+
+- 703ebc9: Fix support for unauthenticated requests to create scaffolder tasks
+- Updated dependencies
+  - @backstage/plugin-scaffolder-node@0.4.0-next.2
+  - @backstage/plugin-scaffolder-backend-module-azure@0.1.6-next.2
+  - @backstage/plugin-scaffolder-backend-module-bitbucket-cloud@0.1.4-next.2
+  - @backstage/plugin-scaffolder-backend-module-bitbucket-server@0.1.4-next.2
+  - @backstage/plugin-scaffolder-backend-module-bitbucket@0.2.4-next.2
+  - @backstage/integration@1.9.1-next.2
+  - @backstage/plugin-scaffolder-backend-module-gitlab@0.3.0-next.2
+  - @backstage/plugin-scaffolder-backend-module-gitea@0.1.4-next.2
+  - @backstage/catalog-client@1.6.1-next.1
+  - @backstage/plugin-scaffolder-backend-module-gerrit@0.1.6-next.2
+  - @backstage/plugin-scaffolder-backend-module-github@0.2.4-next.2
+  - @backstage/backend-common@0.21.4-next.2
+  - @backstage/plugin-auth-node@0.4.9-next.2
+  - @backstage/plugin-catalog-node@1.8.0-next.2
+  - @backstage/backend-plugin-api@0.6.14-next.2
+  - @backstage/backend-tasks@0.5.19-next.2
+  - @backstage/catalog-model@1.4.5-next.0
+  - @backstage/config@1.2.0-next.1
+  - @backstage/errors@1.2.4-next.0
+  - @backstage/types@1.1.1
+  - @backstage/plugin-catalog-backend-module-scaffolder-entity-model@0.1.11-next.2
+  - @backstage/plugin-permission-common@0.7.13-next.1
+  - @backstage/plugin-permission-node@0.7.25-next.2
+  - @backstage/plugin-scaffolder-common@1.5.1-next.1
+
 ## 1.22.0-next.1
 
 ### Minor Changes

package/alpha/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-scaffolder-backend",
-  "version": "1.22.0-next.1",
+  "version": "1.22.0",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/dist/alpha.cjs.js

@@ -4,7 +4,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 
 var alpha = require('@backstage/plugin-scaffolder-common/alpha');
 var pluginPermissionNode = require('@backstage/plugin-permission-node');
-var router = require('./cjs/router-1665319e.cjs.js');
+var router = require('./cjs/router-77345506.cjs.js');
 var backendPluginApi = require('@backstage/backend-plugin-api');
 var backendCommon = require('@backstage/backend-common');
 var integration = require('@backstage/integration');

package/dist/cjs/{router-1665319e.cjs.js → router-77345506.cjs.js}

@@ -274,7 +274,7 @@ function createCatalogWriteAction() {
     examples: examples$8,
     supportsDryRun: true,
     async handler(ctx) {
-      ctx.logStream.write(`Writing catalog-info.yaml`);
+      ctx.logger.info(`Writing catalog-info.yaml`);
       const { filePath, entity } = ctx.input;
       const path = filePath != null ? filePath : "catalog-info.yaml";
       await fs__default["default"].writeFile(
@@ -465,11 +465,11 @@ function createDebugLogAction() {
       var _a, _b;
       ctx.logger.info(JSON.stringify(ctx.input, null, 2));
       if ((_a = ctx.input) == null ? void 0 : _a.message) {
-        ctx.logStream.write(ctx.input.message);
+        ctx.logger.info(ctx.input.message);
       }
       if ((_b = ctx.input) == null ? void 0 : _b.listWorkspace) {
         const files = await recursiveReadDir(ctx.workspacePath);
-        ctx.logStream.write(
+        ctx.logger.info(
           `Workspace:
 ${files.map((f) => `  - ${path.relative(ctx.workspacePath, f)}`).join("\n")}`
         );
@@ -1615,6 +1615,7 @@ class DatabaseTaskStore {
     try {
       const spec = JSON.parse(result.spec);
       const secrets = result.secrets ? JSON.parse(result.secrets) : void 0;
+      const state = result.state ? JSON.parse(result.state).state : void 0;
       return {
         id: result.id,
         spec,
@@ -1622,7 +1623,8 @@ class DatabaseTaskStore {
         lastHeartbeatAt: parseSqlDateToIsoString(result.last_heartbeat_at),
         createdAt: parseSqlDateToIsoString(result.created_at),
         createdBy: (_a = result.created_by) != null ? _a : void 0,
-        secrets
+        secrets,
+        state
       };
     } catch (error) {
       throw new Error(`Failed to parse spec of task '${taskId}', ${error}`);
@@ -1659,6 +1661,15 @@ class DatabaseTaskStore {
       if (updateCount < 1) {
         return void 0;
       }
+      const getState = () => {
+        try {
+          return task.state ? JSON.parse(task.state).state : void 0;
+        } catch (error) {
+          throw new Error(
+            `Failed to parse state of the task '${task.id}', ${error}`
+          );
+        }
+      };
       const secrets = this.parseTaskSecrets(task);
       return {
         id: task.id,
@@ -1667,7 +1678,8 @@ class DatabaseTaskStore {
         lastHeartbeatAt: task.last_heartbeat_at,
         createdAt: task.created_at,
         createdBy: (_a = task.created_by) != null ? _a : void 0,
-        secrets
+        secrets,
+        state: getState()
       };
     });
   }
@@ -1843,7 +1855,7 @@ class DatabaseTaskStore {
       taskIdsToRecover.push(...result.map((i) => i.id));
       for (const { id, spec } of result) {
         const taskSpec = JSON.parse(spec);
-        await this.db("task_events").insert({
+        await tx("task_events").insert({
           task_id: id,
           event_type: "recovered",
           body: JSON.stringify({
@@ -2077,7 +2089,8 @@ class StorageTaskBroker {
             taskId: pendingTask.id,
             spec: pendingTask.spec,
             secrets: pendingTask.secrets,
-            createdBy: pendingTask.createdBy
+            createdBy: pendingTask.createdBy,
+            state: pendingTask.state
           },
           this.storage,
           abortController.signal,
@@ -2269,6 +2282,137 @@ const scaffolderActionRules = {
   hasStringProperty
 };
 
+var __accessCheck = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet = (obj, member, getter) => {
+  __accessCheck(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet = (obj, member, value, setter) => {
+  __accessCheck(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _winston, _addRedactions;
+const escapeRegExp = (text) => {
+  return text.replace(/[.*+?^${}(\)|[\]\\]/g, "\\$&");
+};
+const _WinstonLogger = class _WinstonLogger {
+  constructor(winston, addRedactions) {
+    __privateAdd(this, _winston, void 0);
+    __privateAdd(this, _addRedactions, void 0);
+    __privateSet(this, _winston, winston);
+    __privateSet(this, _addRedactions, addRedactions);
+  }
+  /**
+   * Creates a {@link WinstonLogger} instance.
+   */
+  static create(options) {
+    var _a;
+    const redacter = _WinstonLogger.redacter();
+    let logger = winston.createLogger({
+      level: options.level,
+      format: winston.format.combine(redacter.format, options.format),
+      transports: (_a = options.transports) != null ? _a : new winston.transports.Console()
+    });
+    if (options.meta) {
+      logger = logger.child(options.meta);
+    }
+    return new _WinstonLogger(logger, redacter.add);
+  }
+  /**
+   * Creates a winston log formatter for redacting secrets.
+   */
+  static redacter() {
+    const redactionSet = /* @__PURE__ */ new Set();
+    let redactionPattern = void 0;
+    return {
+      format: winston.format((info) => {
+        if (redactionPattern && typeof info.message === "string") {
+          info.message = info.message.replace(redactionPattern, "[REDACTED]");
+        }
+        if (redactionPattern && typeof info.stack === "string") {
+          info.stack = info.stack.replace(redactionPattern, "[REDACTED]");
+        }
+        return info;
+      })(),
+      add(newRedactions) {
+        let added = 0;
+        for (const redactionToTrim of newRedactions) {
+          const redaction = redactionToTrim.trim();
+          if (redaction.length <= 1) {
+            continue;
+          }
+          if (!redactionSet.has(redaction)) {
+            redactionSet.add(redaction);
+            added += 1;
+          }
+        }
+        if (added > 0) {
+          const redactions = Array.from(redactionSet).map((r) => escapeRegExp(r)).join("|");
+          redactionPattern = new RegExp(`(${redactions})`, "g");
+        }
+      }
+    };
+  }
+  /**
+   * Creates a pretty printed winston log formatter.
+   */
+  static colorFormat() {
+    const colorizer = winston.format.colorize();
+    return winston.format.combine(
+      winston.format.timestamp(),
+      winston.format.colorize({
+        colors: {
+          timestamp: "dim",
+          prefix: "blue",
+          field: "cyan",
+          debug: "grey"
+        }
+      }),
+      winston.format.printf((info) => {
+        const { timestamp, level, message, plugin, service, ...fields } = info;
+        const prefix = plugin || service;
+        const timestampColor = colorizer.colorize("timestamp", timestamp);
+        const prefixColor = colorizer.colorize("prefix", prefix);
+        const extraFields = Object.entries(fields).map(
+          ([key, value]) => `${colorizer.colorize("field", `${key}`)}=${value}`
+        ).join(" ");
+        return `${timestampColor} ${prefixColor} ${level} ${message} ${extraFields}`;
+      })
+    );
+  }
+  error(message, meta) {
+    __privateGet(this, _winston).error(message, meta);
+  }
+  warn(message, meta) {
+    __privateGet(this, _winston).warn(message, meta);
+  }
+  info(message, meta) {
+    __privateGet(this, _winston).info(message, meta);
+  }
+  debug(message, meta) {
+    __privateGet(this, _winston).debug(message, meta);
+  }
+  child(meta) {
+    return new _WinstonLogger(__privateGet(this, _winston).child(meta));
+  }
+  addRedactions(redactions) {
+    var _a;
+    (_a = __privateGet(this, _addRedactions)) == null ? void 0 : _a.call(this, redactions);
+  }
+};
+_winston = new WeakMap();
+_addRedactions = new WeakMap();
+let WinstonLogger = _WinstonLogger;
+
 var __defProp$1 = Object.defineProperty;
 var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$1 = (obj, key, value) => {
@@ -2282,23 +2426,33 @@ const createStepLogger = ({
   task,
   step
 }) => {
-  const metadata = { stepId: step.id };
-  const taskLogger = winston__namespace.createLogger({
+  var _a;
+  const stepLogStream = new stream.PassThrough();
+  stepLogStream.on("data", async (data) => {
+    const message = data.toString().trim();
+    if ((message == null ? void 0 : message.length) > 1) {
+      await task.emitLog(message, { stepId: step.id });
+    }
+  });
+  const taskLogger = WinstonLogger.create({
     level: process.env.LOG_LEVEL || "info",
     format: winston__namespace.format.combine(
       winston__namespace.format.colorize(),
       winston__namespace.format.simple()
     ),
-    defaultMeta: {}
+    transports: [
+      new winston__namespace.transports.Console(),
+      new winston__namespace.transports.Stream({ stream: stepLogStream })
+    ]
   });
+  taskLogger.addRedactions(Object.values((_a = task.secrets) != null ? _a : {}));
   const streamLogger = new stream.PassThrough();
   streamLogger.on("data", async (data) => {
     const message = data.toString().trim();
     if ((message == null ? void 0 : message.length) > 1) {
-      await task.emitLog(message, metadata);
+      taskLogger.info(message);
     }
   });
-  taskLogger.add(new winston__namespace.transports.Stream({ stream: streamLogger }));
   return { taskLogger, streamLogger };
 };
 const isActionAuthorized = pluginPermissionNode.createConditionAuthorizer(
@@ -2472,7 +2626,8 @@ class NunjucksWorkflowRunner {
         await action.handler({
           input: iteration.input,
           secrets: (_f = task.secrets) != null ? _f : {},
-          logger: taskLogger,
+          // TODO(blam): move to LoggerService and away from Winston
+          logger: backendCommon.loggerToWinstonLogger(taskLogger),
           logStream: streamLogger,
           workspacePath,
           async checkpoint(keySuffix, fn) {
@@ -3218,12 +3373,12 @@ async function createRouter(options) {
     const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
       defaultKind: "template"
     });
-    const credentials = await httpAuth.credentials(req, { allow: ["user"] });
+    const credentials = await httpAuth.credentials(req);
     const { token } = await auth.getPluginRequestToken({
       onBehalfOf: credentials,
       targetPluginId: "catalog"
     });
-    const userEntityRef = credentials.principal.userEntityRef;
+    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
     const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
     let auditLog = `Scaffolding task for ${templateRef}`;
     if (userEntityRef) {
@@ -3490,4 +3645,4 @@ exports.createRouter = createRouter;
 exports.createWaitAction = createWaitAction;
 exports.scaffolderActionRules = scaffolderActionRules;
 exports.scaffolderTemplateRules = scaffolderTemplateRules;
-//# sourceMappingURL=router-1665319e.cjs.js.map
+//# sourceMappingURL=router-77345506.cjs.js.map