npm - @backstage/plugin-scaffolder-backend - Versions diffs - 1.26.0-next.1 → 1.26.0-next.2 - Mend

@backstage/plugin-scaffolder-backend 1.26.0-next.1 → 1.26.0-next.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/dist/service/router.cjs.js ADDED Viewed

@@ -0,0 +1,640 @@
+'use strict';
+var backendCommon = require('@backstage/backend-common');
+var catalogModel = require('@backstage/catalog-model');
+var config = require('@backstage/config');
+var errors = require('@backstage/errors');
+var integration = require('@backstage/integration');
+var pluginScaffolderCommon = require('@backstage/plugin-scaffolder-common');
+var alpha = require('@backstage/plugin-scaffolder-common/alpha');
+var express = require('express');
+var Router = require('express-promise-router');
+var jsonschema = require('jsonschema');
+var zod = require('zod');
+require('@backstage/plugin-scaffolder-node');
+require('../scaffolder/actions/builtin/catalog/register.examples.cjs.js');
+require('fs-extra');
+require('yaml');
+require('@backstage/backend-plugin-api');
+require('../scaffolder/actions/builtin/catalog/write.examples.cjs.js');
+require('../scaffolder/actions/builtin/catalog/fetch.examples.cjs.js');
+var createBuiltinActions = require('../scaffolder/actions/builtin/createBuiltinActions.cjs.js');
+require('path');
+require('../scaffolder/actions/builtin/debug/log.examples.cjs.js');
+require('fs');
+var luxon = require('luxon');
+require('../scaffolder/actions/builtin/debug/wait.examples.cjs.js');
+require('../scaffolder/actions/builtin/fetch/plain.examples.cjs.js');
+require('../scaffolder/actions/builtin/fetch/plainFile.examples.cjs.js');
+require('globby');
+require('isbinaryfile');
+require('isolated-vm');
+require('lodash/get');
+require('../scaffolder/actions/builtin/fetch/template.examples.cjs.js');
+require('../scaffolder/actions/builtin/fetch/templateFile.examples.cjs.js');
+require('../scaffolder/actions/builtin/filesystem/delete.examples.cjs.js');
+require('../scaffolder/actions/builtin/filesystem/rename.examples.cjs.js');
+require('@backstage/plugin-scaffolder-backend-module-github');
+require('@backstage/plugin-scaffolder-backend-module-gitlab');
+require('@backstage/plugin-scaffolder-backend-module-azure');
+require('@backstage/plugin-scaffolder-backend-module-bitbucket');
+require('@backstage/plugin-scaffolder-backend-module-bitbucket-cloud');
+require('@backstage/plugin-scaffolder-backend-module-bitbucket-server');
+require('@backstage/plugin-scaffolder-backend-module-gerrit');
+var TemplateActionRegistry = require('../scaffolder/actions/TemplateActionRegistry.cjs.js');
+var DatabaseTaskStore = require('../scaffolder/tasks/DatabaseTaskStore.cjs.js');
+var StorageTaskBroker = require('../scaffolder/tasks/StorageTaskBroker.cjs.js');
+var TaskWorker = require('../scaffolder/tasks/TaskWorker.cjs.js');
+var createDryRunner = require('../scaffolder/dryrun/createDryRunner.cjs.js');
+var helpers = require('./helpers.cjs.js');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var rules = require('./rules.cjs.js');
+var checkPermissions = require('../util/checkPermissions.cjs.js');
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+var express__default = /*#__PURE__*/_interopDefaultCompat(express);
+var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
+function isTemplatePermissionRuleInput(permissionRule) {
+  return permissionRule.resourceType === alpha.RESOURCE_TYPE_SCAFFOLDER_TEMPLATE;
+}
+function isActionPermissionRuleInput(permissionRule) {
+  return permissionRule.resourceType === alpha.RESOURCE_TYPE_SCAFFOLDER_ACTION;
+}
+function isSupportedTemplate(entity) {
+  return entity.apiVersion === "scaffolder.backstage.io/v1beta3";
+}
+function buildDefaultIdentityClient(options) {
+  return {
+    getIdentity: async ({ request }) => {
+      const header = request.headers.authorization;
+      const { logger } = options;
+      if (!header) {
+        return void 0;
+      }
+      try {
+        const token = header.match(/^Bearer\s(\S+\.\S+\.\S+)$/i)?.[1];
+        if (!token) {
+          throw new TypeError("Expected Bearer with JWT");
+        }
+        const [_header, rawPayload, _signature] = token.split(".");
+        const payload = JSON.parse(
+          Buffer.from(rawPayload, "base64").toString()
+        );
+        if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
+          throw new TypeError("Malformed JWT payload");
+        }
+        const sub = payload.sub;
+        if (typeof sub !== "string") {
+          throw new TypeError("Expected string sub claim");
+        }
+        if (sub === "backstage-server") {
+          return void 0;
+        }
+        catalogModel.parseEntityRef(sub);
+        return {
+          identity: {
+            userEntityRef: sub,
+            ownershipEntityRefs: [],
+            type: "user"
+          },
+          token
+        };
+      } catch (e) {
+        logger.error(`Invalid authorization header: ${errors.stringifyError(e)}`);
+        return void 0;
+      }
+    }
+  };
+}
+const readDuration = (config$1, key, defaultValue) => {
+  if (config$1.has(key)) {
+    return config.readDurationFromConfig(config$1, { key });
+  }
+  return defaultValue;
+};
+async function createRouter(options) {
+  const router = Router__default.default();
+  router.use(express__default.default.json({ limit: "10MB" }));
+  const {
+    logger: parentLogger,
+    config,
+    reader,
+    database,
+    catalogClient,
+    actions,
+    taskWorkers,
+    scheduler,
+    additionalTemplateFilters,
+    additionalTemplateGlobals,
+    additionalWorkspaceProviders,
+    permissions,
+    permissionRules,
+    discovery = backendCommon.HostDiscovery.fromConfig(config),
+    identity = buildDefaultIdentityClient(options),
+    autocompleteHandlers = {}
+  } = options;
+  const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters({
+    ...options,
+    identity,
+    discovery
+  });
+  const concurrentTasksLimit = options.concurrentTasksLimit ?? options.config.getOptionalNumber("scaffolder.concurrentTasksLimit");
+  const logger = parentLogger.child({ plugin: "scaffolder" });
+  const workingDirectory = await helpers.getWorkingDirectory(config, logger);
+  const integrations = integration.ScmIntegrations.fromConfig(config);
+  let taskBroker;
+  if (!options.taskBroker) {
+    const databaseTaskStore = await DatabaseTaskStore.DatabaseTaskStore.create({ database });
+    taskBroker = new StorageTaskBroker.StorageTaskBroker(
+      databaseTaskStore,
+      logger,
+      config,
+      auth,
+      additionalWorkspaceProviders
+    );
+    if (scheduler && databaseTaskStore.listStaleTasks) {
+      await scheduler.scheduleTask({
+        id: "close_stale_tasks",
+        frequency: readDuration(
+          config,
+          "scaffolder.taskTimeoutJanitorFrequency",
+          {
+            minutes: 5
+          }
+        ),
+        timeout: { minutes: 15 },
+        fn: async () => {
+          const { tasks } = await databaseTaskStore.listStaleTasks({
+            timeoutS: luxon.Duration.fromObject(
+              readDuration(config, "scaffolder.taskTimeout", {
+                hours: 24
+              })
+            ).as("seconds")
+          });
+          for (const task of tasks) {
+            await databaseTaskStore.shutdownTask(task);
+            logger.info(`Successfully closed stale task ${task.taskId}`);
+          }
+        }
+      });
+    }
+  } else {
+    taskBroker = options.taskBroker;
+  }
+  const actionRegistry = new TemplateActionRegistry.TemplateActionRegistry();
+  const workers = [];
+  if (concurrentTasksLimit !== 0) {
+    for (let i = 0; i < (taskWorkers || 1); i++) {
+      const worker = await TaskWorker.TaskWorker.create({
+        taskBroker,
+        actionRegistry,
+        integrations,
+        logger,
+        workingDirectory,
+        additionalTemplateFilters,
+        additionalTemplateGlobals,
+        concurrentTasksLimit,
+        permissions
+      });
+      workers.push(worker);
+    }
+  }
+  const actionsToRegister = Array.isArray(actions) ? actions : createBuiltinActions.createBuiltinActions({
+    integrations,
+    catalogClient,
+    reader,
+    config,
+    additionalTemplateFilters,
+    additionalTemplateGlobals,
+    auth
+  });
+  actionsToRegister.forEach((action) => actionRegistry.register(action));
+  const launchWorkers = () => workers.forEach((worker) => worker.start());
+  const shutdownWorkers = () => {
+    workers.forEach((worker) => worker.stop());
+  };
+  if (options.lifecycle) {
+    options.lifecycle.addStartupHook(launchWorkers);
+    options.lifecycle.addShutdownHook(shutdownWorkers);
+  } else {
+    launchWorkers();
+  }
+  const dryRunner = createDryRunner.createDryRunner({
+    actionRegistry,
+    integrations,
+    logger,
+    workingDirectory,
+    additionalTemplateFilters,
+    additionalTemplateGlobals,
+    permissions
+  });
+  const templateRules = Object.values(
+    rules.scaffolderTemplateRules
+  );
+  const actionRules = Object.values(
+    rules.scaffolderActionRules
+  );
+  if (permissionRules) {
+    templateRules.push(
+      ...permissionRules.filter(isTemplatePermissionRuleInput)
+    );
+    actionRules.push(...permissionRules.filter(isActionPermissionRuleInput));
+  }
+  const isAuthorized = pluginPermissionNode.createConditionAuthorizer(Object.values(templateRules));
+  const permissionIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
+    resources: [
+      {
+        resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,
+        permissions: alpha.scaffolderTemplatePermissions,
+        rules: templateRules
+      },
+      {
+        resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_ACTION,
+        permissions: alpha.scaffolderActionPermissions,
+        rules: actionRules
+      }
+    ],
+    permissions: alpha.scaffolderTaskPermissions
+  });
+  router.use(permissionIntegrationRouter);
+  router.get(
+    "/v2/templates/:namespace/:kind/:name/parameter-schema",
+    async (req, res) => {
+      const credentials = await httpAuth.credentials(req);
+      const { token } = await auth.getPluginRequestToken({
+        onBehalfOf: credentials,
+        targetPluginId: "catalog"
+      });
+      const template = await authorizeTemplate(
+        req.params,
+        token,
+        credentials
+      );
+      const parameters = [template.spec.parameters ?? []].flat();
+      const presentation = template.spec.presentation;
+      res.json({
+        title: template.metadata.title ?? template.metadata.name,
+        ...presentation ? { presentation } : {},
+        description: template.metadata.description,
+        "ui:options": template.metadata["ui:options"],
+        steps: parameters.map((schema) => ({
+          title: schema.title ?? "Please enter the following information",
+          description: schema.description,
+          schema
+        }))
+      });
+    }
+  ).get("/v2/actions", async (_req, res) => {
+    const actionsList = actionRegistry.list().map((action) => {
+      return {
+        id: action.id,
+        description: action.description,
+        examples: action.examples,
+        schema: action.schema
+      };
+    });
+    res.json(actionsList);
+  }).post("/v2/tasks", async (req, res) => {
+    const templateRef = req.body.templateRef;
+    const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
+      defaultKind: "template"
+    });
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskCreatePermission],
+      permissionService: permissions
+    });
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
+    });
+    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
+    const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
+    let auditLog = `Scaffolding task for ${templateRef}`;
+    if (userEntityRef) {
+      auditLog += ` created by ${userEntityRef}`;
+    }
+    logger.info(auditLog);
+    const values = req.body.values;
+    const template = await authorizeTemplate(
+      { kind, namespace, name },
+      token,
+      credentials
+    );
+    for (const parameters of [template.spec.parameters ?? []].flat()) {
+      const result2 = jsonschema.validate(values, parameters);
+      if (!result2.valid) {
+        res.status(400).json({ errors: result2.errors });
+        return;
+      }
+    }
+    const baseUrl = helpers.getEntityBaseUrl(template);
+    const taskSpec = {
+      apiVersion: template.apiVersion,
+      steps: template.spec.steps.map((step, index) => ({
+        ...step,
+        id: step.id ?? `step-${index + 1}`,
+        name: step.name ?? step.action
+      })),
+      EXPERIMENTAL_recovery: template.spec.EXPERIMENTAL_recovery,
+      output: template.spec.output ?? {},
+      parameters: values,
+      user: {
+        entity: userEntity,
+        ref: userEntityRef
+      },
+      templateInfo: {
+        entityRef: catalogModel.stringifyEntityRef({ kind, name, namespace }),
+        baseUrl,
+        entity: {
+          metadata: template.metadata
+        }
+      }
+    };
+    const secrets = {
+      ...req.body.secrets,
+      backstageToken: token,
+      __initiatorCredentials: JSON.stringify(credentials)
+    };
+    const result = await taskBroker.dispatch({
+      spec: taskSpec,
+      createdBy: userEntityRef,
+      secrets
+    });
+    res.status(201).json({ id: result.taskId });
+  }).get("/v2/tasks", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    if (!taskBroker.list) {
+      throw new Error(
+        "TaskBroker does not support listing tasks, please implement the list method on the TaskBroker."
+      );
+    }
+    const createdBy = helpers.parseStringsParam(req.query.createdBy, "createdBy");
+    const status = helpers.parseStringsParam(req.query.status, "status");
+    const order = helpers.parseStringsParam(req.query.order, "order")?.map((item) => {
+      const match = item.match(/^(asc|desc):(.+)$/);
+      if (!match) {
+        throw new errors.InputError(
+          `Invalid order parameter "${item}", expected "<asc or desc>:<field name>"`
+        );
+      }
+      return {
+        order: match[1],
+        field: match[2]
+      };
+    });
+    const limit = helpers.parseNumberParam(req.query.limit, "limit");
+    const offset = helpers.parseNumberParam(req.query.offset, "offset");
+    const tasks = await taskBroker.list({
+      filters: {
+        createdBy,
+        status: status ? status : void 0
+      },
+      order,
+      pagination: {
+        limit: limit ? limit[0] : void 0,
+        offset: offset ? offset[0] : void 0
+      }
+    });
+    res.status(200).json(tasks);
+  }).get("/v2/tasks/:taskId", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    const { taskId } = req.params;
+    const task = await taskBroker.get(taskId);
+    if (!task) {
+      throw new errors.NotFoundError(`Task with id ${taskId} does not exist`);
+    }
+    delete task.secrets;
+    res.status(200).json(task);
+  }).post("/v2/tasks/:taskId/cancel", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskCancelPermission, alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    const { taskId } = req.params;
+    await taskBroker.cancel?.(taskId);
+    res.status(200).json({ status: "cancelled" });
+  }).post("/v2/tasks/:taskId/retry", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskCreatePermission, alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    const { taskId } = req.params;
+    await taskBroker.retry?.(taskId);
+    res.status(201).json({ id: taskId });
+  }).get("/v2/tasks/:taskId/eventstream", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    const { taskId } = req.params;
+    const after = req.query.after !== void 0 ? Number(req.query.after) : void 0;
+    logger.debug(`Event stream observing taskId '${taskId}' opened`);
+    res.writeHead(200, {
+      Connection: "keep-alive",
+      "Cache-Control": "no-cache",
+      "Content-Type": "text/event-stream"
+    });
+    const subscription = taskBroker.event$({ taskId, after }).subscribe({
+      error: (error) => {
+        logger.error(
+          `Received error from event stream when observing taskId '${taskId}', ${error}`
+        );
+        res.end();
+      },
+      next: ({ events }) => {
+        let shouldUnsubscribe = false;
+        for (const event of events) {
+          res.write(
+            `event: ${event.type}
+data: ${JSON.stringify(event)}
+`
+          );
+          if (event.type === "completion" && !event.isTaskRecoverable) {
+            shouldUnsubscribe = true;
+          }
+        }
+        res.flush?.();
+        if (shouldUnsubscribe) {
+          subscription.unsubscribe();
+          res.end();
+        }
+      }
+    });
+    req.on("close", () => {
+      subscription.unsubscribe();
+      logger.debug(`Event stream observing taskId '${taskId}' closed`);
+    });
+  }).get("/v2/tasks/:taskId/events", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskReadPermission],
+      permissionService: permissions
+    });
+    const { taskId } = req.params;
+    const after = Number(req.query.after) || void 0;
+    const timeout = setTimeout(() => {
+      res.json([]);
+    }, 3e4);
+    const subscription = taskBroker.event$({ taskId, after }).subscribe({
+      error: (error) => {
+        logger.error(
+          `Received error from event stream when observing taskId '${taskId}', ${error}`
+        );
+      },
+      next: ({ events }) => {
+        clearTimeout(timeout);
+        subscription.unsubscribe();
+        res.json(events);
+      }
+    });
+    req.on("close", () => {
+      subscription.unsubscribe();
+      clearTimeout(timeout);
+    });
+  }).post("/v2/dry-run", async (req, res) => {
+    const credentials = await httpAuth.credentials(req);
+    await checkPermissions.checkPermission({
+      credentials,
+      permissions: [alpha.taskCreatePermission],
+      permissionService: permissions
+    });
+    const bodySchema = zod.z.object({
+      template: zod.z.unknown(),
+      values: zod.z.record(zod.z.unknown()),
+      secrets: zod.z.record(zod.z.string()).optional(),
+      directoryContents: zod.z.array(
+        zod.z.object({ path: zod.z.string(), base64Content: zod.z.string() })
+      )
+    });
+    const body = await bodySchema.parseAsync(req.body).catch((e) => {
+      throw new errors.InputError(`Malformed request: ${e}`);
+    });
+    const template = body.template;
+    if (!await pluginScaffolderCommon.templateEntityV1beta3Validator.check(template)) {
+      throw new errors.InputError("Input template is not a template");
+    }
+    const { token } = await auth.getPluginRequestToken({
+      onBehalfOf: credentials,
+      targetPluginId: "catalog"
+    });
+    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
+    const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
+    for (const parameters of [template.spec.parameters ?? []].flat()) {
+      const result2 = jsonschema.validate(body.values, parameters);
+      if (!result2.valid) {
+        res.status(400).json({ errors: result2.errors });
+        return;
+      }
+    }
+    const steps = template.spec.steps.map((step, index) => ({
+      ...step,
+      id: step.id ?? `step-${index + 1}`,
+      name: step.name ?? step.action
+    }));
+    const result = await dryRunner({
+      spec: {
+        apiVersion: template.apiVersion,
+        steps,
+        output: template.spec.output ?? {},
+        parameters: body.values,
+        user: {
+          entity: userEntity,
+          ref: userEntityRef
+        }
+      },
+      directoryContents: (body.directoryContents ?? []).map((file) => ({
+        path: file.path,
+        content: Buffer.from(file.base64Content, "base64")
+      })),
+      secrets: {
+        ...body.secrets,
+        ...token && { backstageToken: token }
+      },
+      credentials
+    });
+    res.status(200).json({
+      ...result,
+      steps,
+      directoryContents: result.directoryContents.map((file) => ({
+        path: file.path,
+        executable: file.executable,
+        base64Content: file.content.toString("base64")
+      }))
+    });
+  }).post("/v2/autocomplete/:provider/:resource", async (req, res) => {
+    const { token, context } = req.body;
+    const { provider, resource } = req.params;
+    if (!token) throw new errors.InputError("Missing token query parameter");
+    if (!autocompleteHandlers[provider]) {
+      throw new errors.InputError(`Unsupported provider: ${provider}`);
+    }
+    const { results } = await autocompleteHandlers[provider]({
+      resource,
+      token,
+      context
+    });
+    res.status(200).json({ results });
+  });
+  const app = express__default.default();
+  app.set("logger", logger);
+  app.use("/", router);
+  async function authorizeTemplate(entityRef, token, credentials) {
+    const template = await helpers.findTemplate({
+      catalogApi: catalogClient,
+      entityRef,
+      token
+    });
+    if (!isSupportedTemplate(template)) {
+      throw new errors.InputError(
+        `Unsupported apiVersion field in schema entity, ${template.apiVersion}`
+      );
+    }
+    if (!permissions) {
+      return template;
+    }
+    const [parameterDecision, stepDecision] = await permissions.authorizeConditional(
+      [
+        { permission: alpha.templateParameterReadPermission },
+        { permission: alpha.templateStepReadPermission }
+      ],
+      { credentials }
+    );
+    if (Array.isArray(template.spec.parameters)) {
+      template.spec.parameters = template.spec.parameters.filter(
+        (step) => isAuthorized(parameterDecision, step)
+      );
+    } else if (template.spec.parameters && !isAuthorized(parameterDecision, template.spec.parameters)) {
+      template.spec.parameters = void 0;
+    }
+    template.spec.steps = template.spec.steps.filter(
+      (step) => isAuthorized(stepDecision, step)
+    );
+    return template;
+  }
+  return app;
+}
+exports.createRouter = createRouter;
+//# sourceMappingURL=router.cjs.js.map