npm - @backstage/plugin-scaffolder-backend - Versions diffs - 1.29.0 → 1.30.0-next.0 - Mend

@backstage/plugin-scaffolder-backend 1.29.0 → 1.30.0-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGELOG.md +35 -0
package/README.md +29 -0
package/dist/ScaffolderPlugin.cjs.js +8 -5
package/dist/ScaffolderPlugin.cjs.js.map +1 -1
package/dist/index.d.ts +7 -4
package/dist/scaffolder/dryrun/createDryRunner.cjs.js +5 -4
package/dist/scaffolder/dryrun/createDryRunner.cjs.js.map +1 -1
package/dist/scaffolder/tasks/NunjucksWorkflowRunner.cjs.js +18 -14
package/dist/scaffolder/tasks/NunjucksWorkflowRunner.cjs.js.map +1 -1
package/dist/scaffolder/tasks/StorageTaskBroker.cjs.js +14 -5
package/dist/scaffolder/tasks/StorageTaskBroker.cjs.js.map +1 -1
package/dist/scaffolder/tasks/TaskWorker.cjs.js +21 -2
package/dist/scaffolder/tasks/TaskWorker.cjs.js.map +1 -1
package/dist/service/router.cjs.js +475 -309
package/dist/service/router.cjs.js.map +1 -1
package/package.json +31 -31

package/dist/service/router.cjs.js CHANGED Viewed

@@ -1,28 +1,31 @@
 'use strict';
 var backendCommon = require('@backstage/backend-common');
+var backendPluginApi = require('@backstage/backend-plugin-api');
 var catalogModel = require('@backstage/catalog-model');
 var config = require('@backstage/config');
 var errors = require('@backstage/errors');
 var integration = require('@backstage/integration');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var pluginScaffolderCommon = require('@backstage/plugin-scaffolder-common');
 var alpha = require('@backstage/plugin-scaffolder-common/alpha');
 var express = require('express');
 var Router = require('express-promise-router');
 var jsonschema = require('jsonschema');
+var luxon = require('luxon');
+var url = require('url');
+var uuid = require('uuid');
 var z = require('zod');
 require('@backstage/plugin-scaffolder-node');
 require('../scaffolder/actions/builtin/catalog/register.examples.cjs.js');
 require('fs-extra');
 require('yaml');
-var backendPluginApi = require('@backstage/backend-plugin-api');
 require('../scaffolder/actions/builtin/catalog/write.examples.cjs.js');
 require('../scaffolder/actions/builtin/catalog/fetch.examples.cjs.js');
 var createBuiltinActions = require('../scaffolder/actions/builtin/createBuiltinActions.cjs.js');
 require('path');
 require('../scaffolder/actions/builtin/debug/log.examples.cjs.js');
 require('fs');
-var luxon = require('luxon');
 require('../scaffolder/actions/builtin/debug/wait.examples.cjs.js');
 require('../scaffolder/actions/builtin/fetch/plain.examples.cjs.js');
 require('../scaffolder/actions/builtin/fetch/plainFile.examples.cjs.js');
@@ -47,12 +50,9 @@ var DatabaseTaskStore = require('../scaffolder/tasks/DatabaseTaskStore.cjs.js');
 var StorageTaskBroker = require('../scaffolder/tasks/StorageTaskBroker.cjs.js');
 var TaskWorker = require('../scaffolder/tasks/TaskWorker.cjs.js');
 var createDryRunner = require('../scaffolder/dryrun/createDryRunner.cjs.js');
+var checkPermissions = require('../util/checkPermissions.cjs.js');
 var helpers = require('./helpers.cjs.js');
-var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var rules = require('./rules.cjs.js');
-var checkPermissions = require('../util/checkPermissions.cjs.js');
-var url = require('url');
-var uuid = require('uuid');
 function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
@@ -137,7 +137,8 @@ async function createRouter(options) {
     discovery = backendCommon.HostDiscovery.fromConfig(config),
     identity = buildDefaultIdentityClient(options),
     autocompleteHandlers = {},
-    events: eventsService
+    events: eventsService,
+    auditor
   } = options;
   const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters({
     ...options,
@@ -159,7 +160,8 @@ async function createRouter(options) {
       logger,
       config,
       auth,
-      additionalWorkspaceProviders
+      additionalWorkspaceProviders,
+      auditor
     );
     if (scheduler && databaseTaskStore.listStaleTasks) {
       await scheduler.scheduleTask({
@@ -199,6 +201,7 @@ async function createRouter(options) {
         actionRegistry,
         integrations,
         logger,
+        auditor,
         workingDirectory,
         additionalTemplateFilters,
         additionalTemplateGlobals,
@@ -232,6 +235,7 @@ async function createRouter(options) {
     actionRegistry,
     integrations,
     logger,
+    auditor,
     workingDirectory,
     additionalTemplateFilters,
     additionalTemplateGlobals,
@@ -269,347 +273,509 @@ async function createRouter(options) {
   router.get(
     "/v2/templates/:namespace/:kind/:name/parameter-schema",
     async (req, res) => {
+      const requestedTemplateRef = `${req.params.kind}:${req.params.namespace}/${req.params.name}`;
+      const auditorEvent = await auditor?.createEvent({
+        eventId: "template-parameter-schema",
+        request: req,
+        meta: { templateRef: requestedTemplateRef }
+      });
+      try {
+        const credentials = await httpAuth.credentials(req);
+        const { token } = await auth.getPluginRequestToken({
+          onBehalfOf: credentials,
+          targetPluginId: "catalog"
+        });
+        const template = await authorizeTemplate(
+          req.params,
+          token,
+          credentials
+        );
+        const parameters = [template.spec.parameters ?? []].flat();
+        const presentation = template.spec.presentation;
+        const templateRef = `${template.kind}:${template.metadata.namespace || "default"}/${template.metadata.name}`;
+        await auditorEvent?.success({ meta: { templateRef } });
+        res.json({
+          title: template.metadata.title ?? template.metadata.name,
+          ...presentation ? { presentation } : {},
+          description: template.metadata.description,
+          "ui:options": template.metadata["ui:options"],
+          steps: parameters.map((schema) => ({
+            title: schema.title ?? "Please enter the following information",
+            description: schema.description,
+            schema
+          })),
+          EXPERIMENTAL_formDecorators: template.spec.EXPERIMENTAL_formDecorators
+        });
+      } catch (err) {
+        await auditorEvent?.fail({ error: err });
+        throw err;
+      }
+    }
+  ).get("/v2/actions", async (req, res) => {
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "action-fetch",
+      request: req
+    });
+    try {
+      const actionsList = actionRegistry.list().map((action) => {
+        return {
+          id: action.id,
+          description: action.description,
+          examples: action.examples,
+          schema: action.schema
+        };
+      });
+      await auditorEvent?.success();
+      res.json(actionsList);
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
+    }
+  }).post("/v2/tasks", async (req, res) => {
+    const templateRef = req.body.templateRef;
+    const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
+      defaultKind: "template"
+    });
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      severityLevel: "medium",
+      request: req,
+      meta: {
+        actionType: "create",
+        templateRef
+      }
+    });
+    try {
       const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskCreatePermission],
+        permissionService: permissions
+      });
       const { token } = await auth.getPluginRequestToken({
         onBehalfOf: credentials,
         targetPluginId: "catalog"
       });
+      const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
+      const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
+      let auditLog = `Scaffolding task for ${templateRef}`;
+      if (userEntityRef) {
+        auditLog += ` created by ${userEntityRef}`;
+      }
+      logger.info(auditLog);
+      const values = req.body.values;
       const template = await authorizeTemplate(
-        req.params,
+        { kind, namespace, name },
         token,
         credentials
       );
-      const parameters = [template.spec.parameters ?? []].flat();
-      const presentation = template.spec.presentation;
-      res.json({
-        title: template.metadata.title ?? template.metadata.name,
-        ...presentation ? { presentation } : {},
-        description: template.metadata.description,
-        "ui:options": template.metadata["ui:options"],
-        steps: parameters.map((schema) => ({
-          title: schema.title ?? "Please enter the following information",
-          description: schema.description,
-          schema
+      for (const parameters of [template.spec.parameters ?? []].flat()) {
+        const result2 = jsonschema.validate(values, parameters);
+        if (!result2.valid) {
+          await auditorEvent?.fail({
+            // TODO(Rugvip): Seems like there aren't proper types for AggregateError yet
+            error: AggregateError(
+              result2.errors,
+              "Could not create entity"
+            )
+          });
+          res.status(400).json({ errors: result2.errors });
+          return;
+        }
+      }
+      const baseUrl = helpers.getEntityBaseUrl(template);
+      const taskSpec = {
+        apiVersion: template.apiVersion,
+        steps: template.spec.steps.map((step, index) => ({
+          ...step,
+          id: step.id ?? `step-${index + 1}`,
+          name: step.name ?? step.action
         })),
-        EXPERIMENTAL_formDecorators: template.spec.EXPERIMENTAL_formDecorators
+        EXPERIMENTAL_recovery: template.spec.EXPERIMENTAL_recovery,
+        output: template.spec.output ?? {},
+        parameters: values,
+        user: {
+          entity: userEntity,
+          ref: userEntityRef
+        },
+        templateInfo: {
+          entityRef: catalogModel.stringifyEntityRef({ kind, name, namespace }),
+          baseUrl,
+          entity: {
+            metadata: template.metadata
+          }
+        }
+      };
+      const secrets = {
+        ...req.body.secrets,
+        backstageToken: token,
+        __initiatorCredentials: JSON.stringify({
+          ...credentials,
+          // credentials.token is nonenumerable and will not be serialized, so we need to add it explicitly
+          token: credentials.token
+        })
+      };
+      const result = await taskBroker.dispatch({
+        spec: taskSpec,
+        createdBy: userEntityRef,
+        secrets
       });
+      await auditorEvent?.success({ meta: { taskId: result.taskId } });
+      res.status(201).json({ id: result.taskId });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
     }
-  ).get("/v2/actions", async (_req, res) => {
-    const actionsList = actionRegistry.list().map((action) => {
-      return {
-        id: action.id,
-        description: action.description,
-        examples: action.examples,
-        schema: action.schema
-      };
-    });
-    res.json(actionsList);
-  }).post("/v2/tasks", async (req, res) => {
-    const templateRef = req.body.templateRef;
-    const { kind, namespace, name } = catalogModel.parseEntityRef(templateRef, {
-      defaultKind: "template"
-    });
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskCreatePermission],
-      permissionService: permissions
-    });
-    const { token } = await auth.getPluginRequestToken({
-      onBehalfOf: credentials,
-      targetPluginId: "catalog"
+  }).get("/v2/tasks", async (req, res) => {
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      request: req,
+      meta: {
+        actionType: "list"
+      }
     });
-    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
-    const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
-    let auditLog = `Scaffolding task for ${templateRef}`;
-    if (userEntityRef) {
-      auditLog += ` created by ${userEntityRef}`;
-    }
-    logger.info(auditLog);
-    const values = req.body.values;
-    const template = await authorizeTemplate(
-      { kind, namespace, name },
-      token,
-      credentials
-    );
-    for (const parameters of [template.spec.parameters ?? []].flat()) {
-      const result2 = jsonschema.validate(values, parameters);
-      if (!result2.valid) {
-        res.status(400).json({ errors: result2.errors });
-        return;
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      if (!taskBroker.list) {
+        throw new Error(
+          "TaskBroker does not support listing tasks, please implement the list method on the TaskBroker."
+        );
       }
-    }
-    const baseUrl = helpers.getEntityBaseUrl(template);
-    const taskSpec = {
-      apiVersion: template.apiVersion,
-      steps: template.spec.steps.map((step, index) => ({
-        ...step,
-        id: step.id ?? `step-${index + 1}`,
-        name: step.name ?? step.action
-      })),
-      EXPERIMENTAL_recovery: template.spec.EXPERIMENTAL_recovery,
-      output: template.spec.output ?? {},
-      parameters: values,
-      user: {
-        entity: userEntity,
-        ref: userEntityRef
-      },
-      templateInfo: {
-        entityRef: catalogModel.stringifyEntityRef({ kind, name, namespace }),
-        baseUrl,
-        entity: {
-          metadata: template.metadata
+      const createdBy = helpers.parseStringsParam(req.query.createdBy, "createdBy");
+      const status = helpers.parseStringsParam(req.query.status, "status");
+      const order = helpers.parseStringsParam(req.query.order, "order")?.map((item) => {
+        const match = item.match(/^(asc|desc):(.+)$/);
+        if (!match) {
+          throw new errors.InputError(
+            `Invalid order parameter "${item}", expected "<asc or desc>:<field name>"`
+          );
         }
-      }
-    };
-    const secrets = {
-      ...req.body.secrets,
-      backstageToken: token,
-      __initiatorCredentials: JSON.stringify({
-        ...credentials,
-        // credentials.token is nonenumerable and will not be serialized, so we need to add it explicitly
-        token: credentials.token
-      })
-    };
-    const result = await taskBroker.dispatch({
-      spec: taskSpec,
-      createdBy: userEntityRef,
-      secrets
-    });
-    res.status(201).json({ id: result.taskId });
-  }).get("/v2/tasks", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskReadPermission],
-      permissionService: permissions
-    });
-    if (!taskBroker.list) {
-      throw new Error(
-        "TaskBroker does not support listing tasks, please implement the list method on the TaskBroker."
-      );
+        return {
+          order: match[1],
+          field: match[2]
+        };
+      });
+      const limit = helpers.parseNumberParam(req.query.limit, "limit");
+      const offset = helpers.parseNumberParam(req.query.offset, "offset");
+      const tasks = await taskBroker.list({
+        filters: {
+          createdBy,
+          status: status ? status : void 0
+        },
+        order,
+        pagination: {
+          limit: limit ? limit[0] : void 0,
+          offset: offset ? offset[0] : void 0
+        }
+      });
+      await auditorEvent?.success();
+      res.status(200).json(tasks);
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
     }
-    const createdBy = helpers.parseStringsParam(req.query.createdBy, "createdBy");
-    const status = helpers.parseStringsParam(req.query.status, "status");
-    const order = helpers.parseStringsParam(req.query.order, "order")?.map((item) => {
-      const match = item.match(/^(asc|desc):(.+)$/);
-      if (!match) {
-        throw new errors.InputError(
-          `Invalid order parameter "${item}", expected "<asc or desc>:<field name>"`
-        );
+  }).get("/v2/tasks/:taskId", async (req, res) => {
+    const { taskId } = req.params;
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      request: req,
+      meta: {
+        actionType: "get",
+        taskId
       }
-      return {
-        order: match[1],
-        field: match[2]
-      };
     });
-    const limit = helpers.parseNumberParam(req.query.limit, "limit");
-    const offset = helpers.parseNumberParam(req.query.offset, "offset");
-    const tasks = await taskBroker.list({
-      filters: {
-        createdBy,
-        status: status ? status : void 0
-      },
-      order,
-      pagination: {
-        limit: limit ? limit[0] : void 0,
-        offset: offset ? offset[0] : void 0
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      const task = await taskBroker.get(taskId);
+      if (!task) {
+        throw new errors.NotFoundError(`Task with id ${taskId} does not exist`);
       }
-    });
-    res.status(200).json(tasks);
-  }).get("/v2/tasks/:taskId", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskReadPermission],
-      permissionService: permissions
-    });
-    const { taskId } = req.params;
-    const task = await taskBroker.get(taskId);
-    if (!task) {
-      throw new errors.NotFoundError(`Task with id ${taskId} does not exist`);
+      await auditorEvent?.success();
+      delete task.secrets;
+      res.status(200).json(task);
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
     }
-    delete task.secrets;
-    res.status(200).json(task);
   }).post("/v2/tasks/:taskId/cancel", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskCancelPermission, alpha.taskReadPermission],
-      permissionService: permissions
-    });
     const { taskId } = req.params;
-    await taskBroker.cancel?.(taskId);
-    res.status(200).json({ status: "cancelled" });
-  }).post("/v2/tasks/:taskId/retry", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskCreatePermission, alpha.taskReadPermission],
-      permissionService: permissions
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      severityLevel: "medium",
+      request: req,
+      meta: {
+        actionType: "cancel",
+        taskId
+      }
     });
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskCancelPermission, alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      await taskBroker.cancel?.(taskId);
+      await auditorEvent?.success();
+      res.status(200).json({ status: "cancelled" });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
+    }
+  }).post("/v2/tasks/:taskId/retry", async (req, res) => {
     const { taskId } = req.params;
-    await taskBroker.retry?.(taskId);
-    res.status(201).json({ id: taskId });
-  }).get("/v2/tasks/:taskId/eventstream", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskReadPermission],
-      permissionService: permissions
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      severityLevel: "medium",
+      request: req,
+      meta: {
+        actionType: "retry",
+        taskId
+      }
     });
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskCreatePermission, alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      await auditorEvent?.success();
+      await taskBroker.retry?.(taskId);
+      res.status(201).json({ id: taskId });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
+    }
+  }).get("/v2/tasks/:taskId/eventstream", async (req, res) => {
     const { taskId } = req.params;
-    const after = req.query.after !== void 0 ? Number(req.query.after) : void 0;
-    logger.debug(`Event stream observing taskId '${taskId}' opened`);
-    res.writeHead(200, {
-      Connection: "keep-alive",
-      "Cache-Control": "no-cache",
-      "Content-Type": "text/event-stream"
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      request: req,
+      meta: {
+        actionType: "stream",
+        taskId
+      }
     });
-    const subscription = taskBroker.event$({ taskId, after }).subscribe({
-      error: (error) => {
-        logger.error(
-          `Received error from event stream when observing taskId '${taskId}', ${error}`
-        );
-        res.end();
-      },
-      next: ({ events }) => {
-        let shouldUnsubscribe = false;
-        for (const event of events) {
-          res.write(
-            `event: ${event.type}
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      const after = req.query.after !== void 0 ? Number(req.query.after) : void 0;
+      logger.debug(`Event stream observing taskId '${taskId}' opened`);
+      res.writeHead(200, {
+        Connection: "keep-alive",
+        "Cache-Control": "no-cache",
+        "Content-Type": "text/event-stream"
+      });
+      const subscription = taskBroker.event$({ taskId, after }).subscribe({
+        error: async (error) => {
+          logger.error(
+            `Received error from event stream when observing taskId '${taskId}', ${error}`
+          );
+          await auditorEvent?.fail({ error });
+          res.end();
+        },
+        next: ({ events }) => {
+          let shouldUnsubscribe = false;
+          for (const event of events) {
+            res.write(
+              `event: ${event.type}
 data: ${JSON.stringify(event)}
 `
-          );
-          if (event.type === "completion" && !event.isTaskRecoverable) {
-            shouldUnsubscribe = true;
+            );
+            if (event.type === "completion" && !event.isTaskRecoverable) {
+              shouldUnsubscribe = true;
+            }
+          }
+          res.flush?.();
+          if (shouldUnsubscribe) {
+            subscription.unsubscribe();
+            res.end();
           }
         }
-        res.flush?.();
-        if (shouldUnsubscribe) {
-          subscription.unsubscribe();
-          res.end();
-        }
-      }
-    });
-    req.on("close", () => {
-      subscription.unsubscribe();
-      logger.debug(`Event stream observing taskId '${taskId}' closed`);
-    });
+      });
+      req.on("close", async () => {
+        subscription.unsubscribe();
+        logger.debug(`Event stream observing taskId '${taskId}' closed`);
+        await auditorEvent?.success();
+      });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
+    }
   }).get("/v2/tasks/:taskId/events", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskReadPermission],
-      permissionService: permissions
-    });
     const { taskId } = req.params;
-    const after = Number(req.query.after) || void 0;
-    const timeout = setTimeout(() => {
-      res.json([]);
-    }, 3e4);
-    const subscription = taskBroker.event$({ taskId, after }).subscribe({
-      error: (error) => {
-        logger.error(
-          `Received error from event stream when observing taskId '${taskId}', ${error}`
-        );
-      },
-      next: ({ events }) => {
-        clearTimeout(timeout);
-        subscription.unsubscribe();
-        res.json(events);
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      request: req,
+      meta: {
+        actionType: "events",
+        taskId
       }
     });
-    req.on("close", () => {
-      subscription.unsubscribe();
-      clearTimeout(timeout);
-    });
-  }).post("/v2/dry-run", async (req, res) => {
-    const credentials = await httpAuth.credentials(req);
-    await checkPermissions.checkPermission({
-      credentials,
-      permissions: [alpha.taskCreatePermission],
-      permissionService: permissions
-    });
-    const bodySchema = z.z.object({
-      template: z.z.unknown(),
-      values: z.z.record(z.z.unknown()),
-      secrets: z.z.record(z.z.string()).optional(),
-      directoryContents: z.z.array(
-        z.z.object({ path: z.z.string(), base64Content: z.z.string() })
-      )
-    });
-    const body = await bodySchema.parseAsync(req.body).catch((e) => {
-      throw new errors.InputError(`Malformed request: ${e}`);
-    });
-    const template = body.template;
-    if (!await pluginScaffolderCommon.templateEntityV1beta3Validator.check(template)) {
-      throw new errors.InputError("Input template is not a template");
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskReadPermission],
+        permissionService: permissions
+      });
+      const after = Number(req.query.after) || void 0;
+      const timeout = setTimeout(() => {
+        res.json([]);
+      }, 3e4);
+      const subscription = taskBroker.event$({ taskId, after }).subscribe({
+        error: async (error) => {
+          logger.error(
+            `Received error from event stream when observing taskId '${taskId}', ${error}`
+          );
+          await auditorEvent?.fail({ error });
+        },
+        next: async ({ events }) => {
+          clearTimeout(timeout);
+          subscription.unsubscribe();
+          await auditorEvent?.success();
+          res.json(events);
+        }
+      });
+      req.on("close", () => {
+        subscription.unsubscribe();
+        clearTimeout(timeout);
+      });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
     }
-    const { token } = await auth.getPluginRequestToken({
-      onBehalfOf: credentials,
-      targetPluginId: "catalog"
+  }).post("/v2/dry-run", async (req, res) => {
+    const auditorEvent = await auditor?.createEvent({
+      eventId: "task",
+      request: req,
+      meta: {
+        actionType: "dry-run"
+      }
     });
-    const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
-    const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
-    for (const parameters of [template.spec.parameters ?? []].flat()) {
-      const result2 = jsonschema.validate(body.values, parameters);
-      if (!result2.valid) {
-        res.status(400).json({ errors: result2.errors });
-        return;
+    try {
+      const credentials = await httpAuth.credentials(req);
+      await checkPermissions.checkPermission({
+        credentials,
+        permissions: [alpha.taskCreatePermission],
+        permissionService: permissions
+      });
+      const bodySchema = z.z.object({
+        template: z.z.unknown(),
+        values: z.z.record(z.z.unknown()),
+        secrets: z.z.record(z.z.string()).optional(),
+        directoryContents: z.z.array(
+          z.z.object({ path: z.z.string(), base64Content: z.z.string() })
+        )
+      });
+      const body = await bodySchema.parseAsync(req.body).catch((e) => {
+        throw new errors.InputError(`Malformed request: ${e}`);
+      });
+      const template = body.template;
+      if (!await pluginScaffolderCommon.templateEntityV1beta3Validator.check(template)) {
+        throw new errors.InputError("Input template is not a template");
       }
-    }
-    const steps = template.spec.steps.map((step, index) => ({
-      ...step,
-      id: step.id ?? `step-${index + 1}`,
-      name: step.name ?? step.action
-    }));
-    const dryRunId = uuid.v4();
-    const contentsPath = backendPluginApi.resolveSafeChildPath(
-      workingDirectory,
-      `dry-run-content-${dryRunId}`
-    );
-    const templateInfo = {
-      entityRef: catalogModel.stringifyEntityRef(template),
-      entity: {
-        metadata: template.metadata
-      },
-      baseUrl: url.pathToFileURL(
-        backendPluginApi.resolveSafeChildPath(contentsPath, "template.yaml")
-      ).toString()
-    };
-    const result = await dryRunner({
-      spec: {
-        apiVersion: template.apiVersion,
-        steps,
-        output: template.spec.output ?? {},
-        parameters: body.values,
-        user: {
-          entity: userEntity,
-          ref: userEntityRef
+      const { token } = await auth.getPluginRequestToken({
+        onBehalfOf: credentials,
+        targetPluginId: "catalog"
+      });
+      const userEntityRef = auth.isPrincipal(credentials, "user") ? credentials.principal.userEntityRef : void 0;
+      const userEntity = userEntityRef ? await catalogClient.getEntityByRef(userEntityRef, { token }) : void 0;
+      const templateRef = `${template.kind}:${template.metadata.namespace || "default"}/${template.metadata.name}`;
+      for (const parameters of [template.spec.parameters ?? []].flat()) {
+        const result2 = jsonschema.validate(body.values, parameters);
+        if (!result2.valid) {
+          await auditorEvent?.fail({
+            // TODO(Rugvip): Seems like there aren't proper types for AggregateError yet
+            error: AggregateError(
+              result2.errors,
+              "Could not execute dry run"
+            ),
+            meta: {
+              templateRef,
+              parameters: template.spec.parameters
+            }
+          });
+          res.status(400).json({ errors: result2.errors });
+          return;
         }
-      },
-      templateInfo,
-      directoryContents: (body.directoryContents ?? []).map((file) => ({
-        path: file.path,
-        content: Buffer.from(file.base64Content, "base64")
-      })),
-      secrets: {
-        ...body.secrets,
-        ...token && { backstageToken: token }
-      },
-      credentials
-    });
-    res.status(200).json({
-      ...result,
-      steps,
-      directoryContents: result.directoryContents.map((file) => ({
-        path: file.path,
-        executable: file.executable,
-        base64Content: file.content.toString("base64")
-      }))
-    });
+      }
+      const steps = template.spec.steps.map((step, index) => ({
+        ...step,
+        id: step.id ?? `step-${index + 1}`,
+        name: step.name ?? step.action
+      }));
+      const dryRunId = uuid.v4();
+      const contentsPath = backendPluginApi.resolveSafeChildPath(
+        workingDirectory,
+        `dry-run-content-${dryRunId}`
+      );
+      const templateInfo = {
+        entityRef: "template:default/dry-run",
+        entity: {
+          metadata: template.metadata
+        },
+        baseUrl: url.pathToFileURL(
+          backendPluginApi.resolveSafeChildPath(contentsPath, "template.yaml")
+        ).toString()
+      };
+      const result = await dryRunner({
+        spec: {
+          apiVersion: template.apiVersion,
+          steps,
+          output: template.spec.output ?? {},
+          parameters: body.values,
+          user: {
+            entity: userEntity,
+            ref: userEntityRef
+          }
+        },
+        templateInfo,
+        directoryContents: (body.directoryContents ?? []).map((file) => ({
+          path: file.path,
+          content: Buffer.from(file.base64Content, "base64")
+        })),
+        secrets: {
+          ...body.secrets,
+          ...token && { backstageToken: token }
+        },
+        credentials
+      });
+      await auditorEvent?.success({
+        meta: {
+          templateRef,
+          parameters: template.spec.parameters
+        }
+      });
+      res.status(200).json({
+        ...result,
+        steps,
+        directoryContents: result.directoryContents.map((file) => ({
+          path: file.path,
+          executable: file.executable,
+          base64Content: file.content.toString("base64")
+        }))
+      });
+    } catch (err) {
+      await auditorEvent?.fail({ error: err });
+      throw err;
+    }
   }).post("/v2/autocomplete/:provider/:resource", async (req, res) => {
     const { token, context } = req.body;
     const { provider, resource } = req.params;