@backstage/plugin-scaffolder-backend 2.0.1-next.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (22) hide show
  1. package/CHANGELOG.md +64 -0
  2. package/dist/alpha.cjs.js +2 -0
  3. package/dist/alpha.cjs.js.map +1 -1
  4. package/dist/alpha.d.ts +17 -1
  5. package/dist/index.d.ts +8 -2
  6. package/dist/scaffolder/tasks/DatabaseTaskStore.cjs.js +63 -20
  7. package/dist/scaffolder/tasks/DatabaseTaskStore.cjs.js.map +1 -1
  8. package/dist/scaffolder/tasks/StorageTaskBroker.cjs.js +3 -0
  9. package/dist/scaffolder/tasks/StorageTaskBroker.cjs.js.map +1 -1
  10. package/dist/scaffolder/tasks/TaskWorker.cjs.js +1 -0
  11. package/dist/scaffolder/tasks/TaskWorker.cjs.js.map +1 -1
  12. package/dist/service/alpha.cjs.js +9 -0
  13. package/dist/service/alpha.cjs.js.map +1 -1
  14. package/dist/service/permissions.cjs.js +4 -0
  15. package/dist/service/permissions.cjs.js.map +1 -1
  16. package/dist/service/router.cjs.js +53 -21
  17. package/dist/service/router.cjs.js.map +1 -1
  18. package/dist/service/rules.cjs.js +27 -0
  19. package/dist/service/rules.cjs.js.map +1 -1
  20. package/dist/util/checkPermissions.cjs.js +38 -0
  21. package/dist/util/checkPermissions.cjs.js.map +1 -1
  22. package/package.json +30 -30
package/dist/service/rules.cjs.js CHANGED
@@ -77,6 +77,29 @@ function buildHasProperty({
77
77
  toQuery: () => ({})
78
78
  });
79
79
  }
80
+ const createTaskPermissionRule = pluginPermissionNode.makeCreatePermissionRule();
81
+ const isTaskOwner = createTaskPermissionRule({
82
+ name: "IS_TASK_OWNER",
83
+ description: "Allows tasks created by certain users to be accessible",
84
+ resourceType: alpha.RESOURCE_TYPE_SCAFFOLDER_TASK,
85
+ paramsSchema: zod.z.object({
86
+ createdBy: zod.z.array(zod.z.string()).describe(
87
+ "List of creater entity refs; only tasks created by these users will be viewable"
88
+ )
89
+ }),
90
+ apply: (resource, { createdBy }) => {
91
+ if (!resource.createdBy) {
92
+ return false;
93
+ }
94
+ return createdBy.includes(resource.createdBy);
95
+ },
96
+ toQuery: ({ createdBy }) => {
97
+ return {
98
+ key: "created_by",
99
+ values: createdBy
100
+ };
101
+ }
102
+ });
80
103
  const scaffolderTemplateRules = { hasTag };
81
104
  const scaffolderActionRules = {
82
105
  hasActionId,
@@ -84,14 +107,18 @@ const scaffolderActionRules = {
84
107
  hasNumberProperty,
85
108
  hasStringProperty
86
109
  };
110
+ const scaffolderTaskRules = { isTaskOwner };
87
111
 
88
112
  exports.createActionPermissionRule = createActionPermissionRule;
113
+ exports.createTaskPermissionRule = createTaskPermissionRule;
89
114
  exports.createTemplatePermissionRule = createTemplatePermissionRule;
90
115
  exports.hasActionId = hasActionId;
91
116
  exports.hasBooleanProperty = hasBooleanProperty;
92
117
  exports.hasNumberProperty = hasNumberProperty;
93
118
  exports.hasStringProperty = hasStringProperty;
94
119
  exports.hasTag = hasTag;
120
+ exports.isTaskOwner = isTaskOwner;
95
121
  exports.scaffolderActionRules = scaffolderActionRules;
122
+ exports.scaffolderTaskRules = scaffolderTaskRules;
96
123
  exports.scaffolderTemplateRules = scaffolderTemplateRules;
97
124
  //# sourceMappingURL=rules.cjs.js.map
package/dist/service/rules.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"rules.cjs.js","sources":["../../src/service/rules.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { makeCreatePermissionRule } from '@backstage/plugin-permission-node';\nimport {\n RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,\n RESOURCE_TYPE_SCAFFOLDER_ACTION,\n} from '@backstage/plugin-scaffolder-common/alpha';\n\nimport {\n TemplateEntityStepV1beta3,\n TemplateParametersV1beta3,\n} from '@backstage/plugin-scaffolder-common';\n\nimport { z } from 'zod';\nimport { JsonObject, JsonPrimitive } from '@backstage/types';\nimport { get } from 'lodash';\n\nexport const createTemplatePermissionRule = makeCreatePermissionRule<\n TemplateEntityStepV1beta3 | TemplateParametersV1beta3,\n {},\n typeof RESOURCE_TYPE_SCAFFOLDER_TEMPLATE\n>();\n\nexport const hasTag = createTemplatePermissionRule({\n name: 'HAS_TAG',\n resourceType: RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,\n description: `Match parameters or steps with the given tag`,\n paramsSchema: z.object({\n tag: z.string().describe('Name of the tag to match on'),\n }),\n apply: (resource, { tag }) => {\n return resource['backstage:permissions']?.tags?.includes(tag) ?? false;\n },\n toQuery: () => ({}),\n});\n\nexport const createActionPermissionRule = makeCreatePermissionRule<\n {\n action: string;\n input: JsonObject | undefined;\n },\n {},\n typeof RESOURCE_TYPE_SCAFFOLDER_ACTION\n>();\n\nexport const hasActionId = createActionPermissionRule({\n name: 'HAS_ACTION_ID',\n resourceType: RESOURCE_TYPE_SCAFFOLDER_ACTION,\n description: `Match actions with the given actionId`,\n paramsSchema: z.object({\n actionId: z.string().describe('Name of the actionId to match on'),\n }),\n apply: (resource, { actionId }) => {\n return resource.action === actionId;\n },\n toQuery: () => ({}),\n});\n\nexport const hasProperty = buildHasProperty({\n name: 'HAS_PROPERTY',\n valueSchema: z.union([z.string(), z.number(), z.boolean(), z.null()]),\n validateProperty: false,\n});\n\nexport const hasBooleanProperty = buildHasProperty({\n name: 'HAS_BOOLEAN_PROPERTY',\n valueSchema: z.boolean(),\n});\nexport const hasNumberProperty = buildHasProperty({\n name: 'HAS_NUMBER_PROPERTY',\n valueSchema: z.number(),\n});\nexport const hasStringProperty = buildHasProperty({\n name: 'HAS_STRING_PROPERTY',\n valueSchema: z.string(),\n});\n\nfunction buildHasProperty<Schema extends z.ZodType<JsonPrimitive>>({\n name,\n valueSchema,\n validateProperty = true,\n}: {\n name: string;\n valueSchema: Schema;\n validateProperty?: boolean;\n}) {\n return createActionPermissionRule({\n name,\n description: `Allow actions with the specified property`,\n resourceType: RESOURCE_TYPE_SCAFFOLDER_ACTION,\n paramsSchema: z.object({\n key: z\n .string()\n .describe(`Property within the action parameters to match on`),\n value: valueSchema\n .optional()\n .describe(`Value of the given property to match on`),\n }) as unknown as z.ZodType<{ key: string; value?: z.infer<Schema> }>,\n apply: (resource, { key, value }) => {\n const foundValue = get(resource.input, key);\n\n if (validateProperty && !valueSchema.safeParse(foundValue).success) {\n return false;\n }\n if (value !== undefined) {\n if (valueSchema.safeParse(value).success) {\n return value === foundValue;\n }\n return false;\n }\n\n return foundValue !== undefined;\n },\n toQuery: () => ({}),\n });\n}\n\nexport const scaffolderTemplateRules = { hasTag };\nexport const scaffolderActionRules = {\n hasActionId,\n hasBooleanProperty,\n hasNumberProperty,\n hasStringProperty,\n};\n"],"names":["makeCreatePermissionRule","RESOURCE_TYPE_SCAFFOLDER_TEMPLATE","z","RESOURCE_TYPE_SCAFFOLDER_ACTION","get"],"mappings":";;;;;;;AA+BO,MAAM,+BAA+BA,6CAI1C;AAEK,MAAM,SAAS,4BAA6B,CAAA;AAAA,EACjD,IAAM,EAAA,SAAA;AAAA,EACN,YAAc,EAAAC,uCAAA;AAAA,EACd,WAAa,EAAA,CAAA,4CAAA,CAAA;AAAA,EACb,YAAA,EAAcC,MAAE,MAAO,CAAA;AAAA,IACrB,GAAK,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,SAAS,6BAA6B;AAAA,GACvD,CAAA;AAAA,EACD,KAAO,EAAA,CAAC,QAAU,EAAA,EAAE,KAAU,KAAA;AAC5B,IAAA,OAAO,SAAS,uBAAuB,CAAA,EAAG,IAAM,EAAA,QAAA,CAAS,GAAG,CAAK,IAAA,KAAA;AAAA,GACnE;AAAA,EACA,OAAA,EAAS,OAAO,EAAC;AACnB,CAAC;AAEM,MAAM,6BAA6BF,6CAOxC;AAEK,MAAM,cAAc,0BAA2B,CAAA;AAAA,EACpD,IAAM,EAAA,eAAA;AAAA,EACN,YAAc,EAAAG,qCAAA;AAAA,EACd,WAAa,EAAA,CAAA,qCAAA,CAAA;AAAA,EACb,YAAA,EAAcD,MAAE,MAAO,CAAA;AAAA,IACrB,QAAU,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,SAAS,kCAAkC;AAAA,GACjE,CAAA;AAAA,EACD,KAAO,EAAA,CAAC,QAAU,EAAA,EAAE,UAAe,KAAA;AACjC,IAAA,OAAO,SAAS,MAAW,KAAA,QAAA;AAAA,GAC7B;AAAA,EACA,OAAA,EAAS,OAAO,EAAC;AACnB,CAAC;AAE0B,gBAAiB,CAAA;AAAA,EAC1C,IAAM,EAAA,cAAA;AAAA,EACN,aAAaA,KAAE,CAAA,KAAA,CAAM,CAACA,KAAA,CAAE,QAAU,EAAAA,KAAA,CAAE,MAAO,EAAA,EAAGA,MAAE,OAAQ,EAAA,EAAGA,KAAE,CAAA,IAAA,EAAM,CAAC,CAAA;AAAA,EACpE,gBAAkB,EAAA;AACpB,CAAC;AAEM,MAAM,qBAAqB,gBAAiB,CAAA;AAAA,EACjD,IAAM,EAAA,sBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,OAAQ;AACzB,CAAC;AACM,MAAM,oBAAoB,gBAAiB,CAAA;AAAA,EAChD,IAAM,EAAA,qBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,MAAO;AACxB,CAAC;AACM,MAAM,oBAAoB,gBAAiB,CAAA;AAAA,EAChD,IAAM,EAAA,qBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,MAAO;AACxB,CAAC;AAED,SAAS,gBAA0D,CAAA;AAAA,EACjE,IAAA;AAAA,EACA,WAAA;AAAA,EACA,gBAAmB,GAAA;AACrB,CAIG,EAAA;AACD,EAAA,OAAO,0BAA2B,CAAA;AAAA,IAChC,IAAA;AAAA,IACA,WAAa,EAAA,CAAA,yCAAA,CAAA;AAAA,IACb,YAAc,EAAAC,qCAAA;AAAA,IACd,YAAA,EAAcD,MAAE,MAAO,CAAA;AAAA,MACrB,GAAK,EAAAA,KAAA,CACF,MAAO,EAAA,CACP,SAAS,CAAmD,iDAAA,CAAA,CAAA;AAAA,MAC/D,KAAO,EAAA,WAAA,CACJ,QAAS,EAAA,CACT,SAAS,CAAyC,uCAAA,CAAA;AAAA,KACtD,CAAA;AAAA,IACD,OAAO,CAAC,QAAA,EAAU,EAAE,GAAA,EAAK,OAAY,KAAA;AACnC,MAAA,MAAM,UAAa,GAAAE,UAAA,CAAI,QAAS,CAAA,KAAA,EAAO,GAAG,CAAA;AAE1C,MAAA,IAAI,oBAAoB,CAAC,WAAA,CAAY,SAAU,CAAA,UAAU,EAAE,OAAS,EAAA;AAClE,QAAO,OAAA,KAAA;AAAA;AAET,MAAA,IAAI,UAAU,KAAW,CAAA,EAAA;AACvB,QAAA,IAAI,WAAY,CAAA,SAAA,CAAU,KAAK,CAAA,CAAE,OAAS,EAAA;AACxC,UAAA,OAAO,KAAU,KAAA,UAAA;AAAA;AAEnB,QAAO,OAAA,KAAA;AAAA;AAGT,MAAA,OAAO,UAAe,KAAA,KAAA,CAAA;AAAA,KACxB;AAAA,IACA,OAAA,EAAS,OAAO,EAAC;AAAA,GAClB,CAAA;AACH;AAEa,MAAA,uBAAA,GAA0B,EAAE,MAAO;AACzC,MAAM,qBAAwB,GAAA;AAAA,EACnC,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;;;;;;;;;;;;"}
1
+ {"version":3,"file":"rules.cjs.js","sources":["../../src/service/rules.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { makeCreatePermissionRule } from '@backstage/plugin-permission-node';\n\nimport {\n RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,\n RESOURCE_TYPE_SCAFFOLDER_ACTION,\n RESOURCE_TYPE_SCAFFOLDER_TASK,\n} from '@backstage/plugin-scaffolder-common/alpha';\n\nimport {\n TemplateEntityStepV1beta3,\n TemplateParametersV1beta3,\n} from '@backstage/plugin-scaffolder-common';\n\nimport { SerializedTask, TaskFilter } from '@backstage/plugin-scaffolder-node';\n\nimport { z } from 'zod';\nimport { JsonObject, JsonPrimitive } from '@backstage/types';\nimport { get } from 'lodash';\n\nexport const createTemplatePermissionRule = makeCreatePermissionRule<\n TemplateEntityStepV1beta3 | TemplateParametersV1beta3,\n {},\n typeof RESOURCE_TYPE_SCAFFOLDER_TEMPLATE\n>();\n\nexport const hasTag = createTemplatePermissionRule({\n name: 'HAS_TAG',\n resourceType: RESOURCE_TYPE_SCAFFOLDER_TEMPLATE,\n description: `Match parameters or steps with the given tag`,\n paramsSchema: z.object({\n tag: z.string().describe('Name of the tag to match on'),\n }),\n apply: (resource, { tag }) => {\n return resource['backstage:permissions']?.tags?.includes(tag) ?? false;\n },\n toQuery: () => ({}),\n});\n\nexport const createActionPermissionRule = makeCreatePermissionRule<\n {\n action: string;\n input: JsonObject | undefined;\n },\n {},\n typeof RESOURCE_TYPE_SCAFFOLDER_ACTION\n>();\n\nexport const hasActionId = createActionPermissionRule({\n name: 'HAS_ACTION_ID',\n resourceType: RESOURCE_TYPE_SCAFFOLDER_ACTION,\n description: `Match actions with the given actionId`,\n paramsSchema: z.object({\n actionId: z.string().describe('Name of the actionId to match on'),\n }),\n apply: (resource, { actionId }) => {\n return resource.action === actionId;\n },\n toQuery: () => ({}),\n});\n\nexport const hasProperty = buildHasProperty({\n name: 'HAS_PROPERTY',\n valueSchema: z.union([z.string(), z.number(), z.boolean(), z.null()]),\n validateProperty: false,\n});\n\nexport const hasBooleanProperty = buildHasProperty({\n name: 'HAS_BOOLEAN_PROPERTY',\n valueSchema: z.boolean(),\n});\nexport const hasNumberProperty = buildHasProperty({\n name: 'HAS_NUMBER_PROPERTY',\n valueSchema: z.number(),\n});\nexport const hasStringProperty = buildHasProperty({\n name: 'HAS_STRING_PROPERTY',\n valueSchema: z.string(),\n});\n\nfunction buildHasProperty<Schema extends z.ZodType<JsonPrimitive>>({\n name,\n valueSchema,\n validateProperty = true,\n}: {\n name: string;\n valueSchema: Schema;\n validateProperty?: boolean;\n}) {\n return createActionPermissionRule({\n name,\n description: `Allow actions with the specified property`,\n resourceType: RESOURCE_TYPE_SCAFFOLDER_ACTION,\n paramsSchema: z.object({\n key: z\n .string()\n .describe(`Property within the action parameters to match on`),\n value: valueSchema\n .optional()\n .describe(`Value of the given property to match on`),\n }) as unknown as z.ZodType<{ key: string; value?: z.infer<Schema> }>,\n apply: (resource, { key, value }) => {\n const foundValue = get(resource.input, key);\n\n if (validateProperty && !valueSchema.safeParse(foundValue).success) {\n return false;\n }\n if (value !== undefined) {\n if (valueSchema.safeParse(value).success) {\n return value === foundValue;\n }\n return false;\n }\n\n return foundValue !== undefined;\n },\n toQuery: () => ({}),\n });\n}\n\nexport const createTaskPermissionRule = makeCreatePermissionRule<\n SerializedTask,\n TaskFilter,\n typeof RESOURCE_TYPE_SCAFFOLDER_TASK\n>();\n\nexport const isTaskOwner = createTaskPermissionRule({\n name: 'IS_TASK_OWNER',\n description: 'Allows tasks created by certain users to be accessible',\n resourceType: RESOURCE_TYPE_SCAFFOLDER_TASK,\n paramsSchema: z.object({\n createdBy: z\n .array(z.string())\n .describe(\n 'List of creater entity refs; only tasks created by these users will be viewable',\n ),\n }),\n apply: (resource, { createdBy }) => {\n if (!resource.createdBy) {\n return false;\n }\n return createdBy.includes(resource.createdBy);\n },\n toQuery: ({ createdBy }) => {\n return {\n key: 'created_by',\n values: createdBy,\n };\n },\n});\n\nexport const scaffolderTemplateRules = { hasTag };\nexport const scaffolderActionRules = {\n hasActionId,\n hasBooleanProperty,\n hasNumberProperty,\n hasStringProperty,\n};\nexport const scaffolderTaskRules = { isTaskOwner };\n"],"names":["makeCreatePermissionRule","RESOURCE_TYPE_SCAFFOLDER_TEMPLATE","z","RESOURCE_TYPE_SCAFFOLDER_ACTION","get","RESOURCE_TYPE_SCAFFOLDER_TASK"],"mappings":";;;;;;;AAmCO,MAAM,+BAA+BA,6CAI1C;AAEK,MAAM,SAAS,4BAA6B,CAAA;AAAA,EACjD,IAAM,EAAA,SAAA;AAAA,EACN,YAAc,EAAAC,uCAAA;AAAA,EACd,WAAa,EAAA,CAAA,4CAAA,CAAA;AAAA,EACb,YAAA,EAAcC,MAAE,MAAO,CAAA;AAAA,IACrB,GAAK,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,SAAS,6BAA6B;AAAA,GACvD,CAAA;AAAA,EACD,KAAO,EAAA,CAAC,QAAU,EAAA,EAAE,KAAU,KAAA;AAC5B,IAAA,OAAO,SAAS,uBAAuB,CAAA,EAAG,IAAM,EAAA,QAAA,CAAS,GAAG,CAAK,IAAA,KAAA;AAAA,GACnE;AAAA,EACA,OAAA,EAAS,OAAO,EAAC;AACnB,CAAC;AAEM,MAAM,6BAA6BF,6CAOxC;AAEK,MAAM,cAAc,0BAA2B,CAAA;AAAA,EACpD,IAAM,EAAA,eAAA;AAAA,EACN,YAAc,EAAAG,qCAAA;AAAA,EACd,WAAa,EAAA,CAAA,qCAAA,CAAA;AAAA,EACb,YAAA,EAAcD,MAAE,MAAO,CAAA;AAAA,IACrB,QAAU,EAAAA,KAAA,CAAE,MAAO,EAAA,CAAE,SAAS,kCAAkC;AAAA,GACjE,CAAA;AAAA,EACD,KAAO,EAAA,CAAC,QAAU,EAAA,EAAE,UAAe,KAAA;AACjC,IAAA,OAAO,SAAS,MAAW,KAAA,QAAA;AAAA,GAC7B;AAAA,EACA,OAAA,EAAS,OAAO,EAAC;AACnB,CAAC;AAE0B,gBAAiB,CAAA;AAAA,EAC1C,IAAM,EAAA,cAAA;AAAA,EACN,aAAaA,KAAE,CAAA,KAAA,CAAM,CAACA,KAAA,CAAE,QAAU,EAAAA,KAAA,CAAE,MAAO,EAAA,EAAGA,MAAE,OAAQ,EAAA,EAAGA,KAAE,CAAA,IAAA,EAAM,CAAC,CAAA;AAAA,EACpE,gBAAkB,EAAA;AACpB,CAAC;AAEM,MAAM,qBAAqB,gBAAiB,CAAA;AAAA,EACjD,IAAM,EAAA,sBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,OAAQ;AACzB,CAAC;AACM,MAAM,oBAAoB,gBAAiB,CAAA;AAAA,EAChD,IAAM,EAAA,qBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,MAAO;AACxB,CAAC;AACM,MAAM,oBAAoB,gBAAiB,CAAA;AAAA,EAChD,IAAM,EAAA,qBAAA;AAAA,EACN,WAAA,EAAaA,MAAE,MAAO;AACxB,CAAC;AAED,SAAS,gBAA0D,CAAA;AAAA,EACjE,IAAA;AAAA,EACA,WAAA;AAAA,EACA,gBAAmB,GAAA;AACrB,CAIG,EAAA;AACD,EAAA,OAAO,0BAA2B,CAAA;AAAA,IAChC,IAAA;AAAA,IACA,WAAa,EAAA,CAAA,yCAAA,CAAA;AAAA,IACb,YAAc,EAAAC,qCAAA;AAAA,IACd,YAAA,EAAcD,MAAE,MAAO,CAAA;AAAA,MACrB,GAAK,EAAAA,KAAA,CACF,MAAO,EAAA,CACP,SAAS,CAAmD,iDAAA,CAAA,CAAA;AAAA,MAC/D,KAAO,EAAA,WAAA,CACJ,QAAS,EAAA,CACT,SAAS,CAAyC,uCAAA,CAAA;AAAA,KACtD,CAAA;AAAA,IACD,OAAO,CAAC,QAAA,EAAU,EAAE,GAAA,EAAK,OAAY,KAAA;AACnC,MAAA,MAAM,UAAa,GAAAE,UAAA,CAAI,QAAS,CAAA,KAAA,EAAO,GAAG,CAAA;AAE1C,MAAA,IAAI,oBAAoB,CAAC,WAAA,CAAY,SAAU,CAAA,UAAU,EAAE,OAAS,EAAA;AAClE,QAAO,OAAA,KAAA;AAAA;AAET,MAAA,IAAI,UAAU,KAAW,CAAA,EAAA;AACvB,QAAA,IAAI,WAAY,CAAA,SAAA,CAAU,KAAK,CAAA,CAAE,OAAS,EAAA;AACxC,UAAA,OAAO,KAAU,KAAA,UAAA;AAAA;AAEnB,QAAO,OAAA,KAAA;AAAA;AAGT,MAAA,OAAO,UAAe,KAAA,KAAA,CAAA;AAAA,KACxB;AAAA,IACA,OAAA,EAAS,OAAO,EAAC;AAAA,GAClB,CAAA;AACH;AAEO,MAAM,2BAA2BJ,6CAItC;AAEK,MAAM,cAAc,wBAAyB,CAAA;AAAA,EAClD,IAAM,EAAA,eAAA;AAAA,EACN,WAAa,EAAA,wDAAA;AAAA,EACb,YAAc,EAAAK,mCAAA;AAAA,EACd,YAAA,EAAcH,MAAE,MAAO,CAAA;AAAA,IACrB,WAAWA,KACR,CAAA,KAAA,CAAMA,KAAE,CAAA,MAAA,EAAQ,CAChB,CAAA,QAAA;AAAA,MACC;AAAA;AACF,GACH,CAAA;AAAA,EACD,KAAO,EAAA,CAAC,QAAU,EAAA,EAAE,WAAgB,KAAA;AAClC,IAAI,IAAA,CAAC,SAAS,SAAW,EAAA;AACvB,MAAO,OAAA,KAAA;AAAA;AAET,IAAO,OAAA,SAAA,CAAU,QAAS,CAAA,QAAA,CAAS,SAAS,CAAA;AAAA,GAC9C;AAAA,EACA,OAAS,EAAA,CAAC,EAAE,SAAA,EAAgB,KAAA;AAC1B,IAAO,OAAA;AAAA,MACL,GAAK,EAAA,YAAA;AAAA,MACL,MAAQ,EAAA;AAAA,KACV;AAAA;AAEJ,CAAC;AAEY,MAAA,uBAAA,GAA0B,EAAE,MAAO;AACzC,MAAM,qBAAwB,GAAA;AAAA,EACnC,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AACa,MAAA,mBAAA,GAAsB,EAAE,WAAY;;;;;;;;;;;;;;;"}
package/dist/util/checkPermissions.cjs.js CHANGED
@@ -20,6 +20,44 @@ async function checkPermission(options) {
20
20
  }
21
21
  }
22
22
  }
23
+ async function checkTaskPermission(options) {
24
+ const {
25
+ permissions,
26
+ permissionService,
27
+ credentials,
28
+ task,
29
+ isTaskAuthorized
30
+ } = options;
31
+ if (permissionService) {
32
+ const permissionRequest = permissions.map((permission) => ({
33
+ permission
34
+ }));
35
+ const authorizationResponses = await permissionService.authorizeConditional(
36
+ permissionRequest,
37
+ { credentials }
38
+ );
39
+ for (const response of authorizationResponses) {
40
+ if (response.result === pluginPermissionCommon.AuthorizeResult.DENY || !isTaskAuthorized(response, task)) {
41
+ throw new errors.NotAllowedError();
42
+ }
43
+ }
44
+ }
45
+ }
46
+ const getAuthorizeConditions = async (options) => {
47
+ const { permission, permissionService, credentials, transformConditions } = options;
48
+ if (permissionService) {
49
+ const [taskDecision] = await permissionService.authorizeConditional(
50
+ [{ permission }],
51
+ { credentials }
52
+ );
53
+ if (taskDecision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
54
+ return transformConditions(taskDecision.conditions);
55
+ }
56
+ }
57
+ return void 0;
58
+ };
23
59
 
24
60
  exports.checkPermission = checkPermission;
61
+ exports.checkTaskPermission = checkTaskPermission;
62
+ exports.getAuthorizeConditions = getAuthorizeConditions;
25
63
  //# sourceMappingURL=checkPermissions.cjs.js.map
package/dist/util/checkPermissions.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"checkPermissions.cjs.js","sources":["../../src/util/checkPermissions.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n BackstageCredentials,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport { NotAllowedError } from '@backstage/errors';\nimport {\n AuthorizeResult,\n BasicPermission,\n} from '@backstage/plugin-permission-common';\n\nexport type checkPermissionOptions = {\n credentials: BackstageCredentials;\n permissions: BasicPermission[];\n permissionService?: PermissionsService;\n};\n\n/**\n * Does a basic check on permissions. Throws 403 error if any permission responds with AuthorizeResult.DENY\n * @public\n */\nexport async function checkPermission(options: checkPermissionOptions) {\n const { permissions, permissionService, credentials } = options;\n if (permissionService) {\n const permissionRequest = permissions.map(permission => ({\n permission,\n }));\n const authorizationResponses = await permissionService.authorize(\n permissionRequest,\n { credentials: credentials },\n );\n\n for (const response of authorizationResponses) {\n if (response.result === AuthorizeResult.DENY) {\n throw new NotAllowedError();\n }\n }\n }\n}\n"],"names":["AuthorizeResult","NotAllowedError"],"mappings":";;;;;AAmCA,eAAsB,gBAAgB,OAAiC,EAAA;AACrE,EAAA,MAAM,EAAE,WAAA,EAAa,iBAAmB,EAAA,WAAA,EAAgB,GAAA,OAAA;AACxD,EAAA,IAAI,iBAAmB,EAAA;AACrB,IAAM,MAAA,iBAAA,GAAoB,WAAY,CAAA,GAAA,CAAI,CAAe,UAAA,MAAA;AAAA,MACvD;AAAA,KACA,CAAA,CAAA;AACF,IAAM,MAAA,sBAAA,GAAyB,MAAM,iBAAkB,CAAA,SAAA;AAAA,MACrD,iBAAA;AAAA,MACA,EAAE,WAAyB;AAAA,KAC7B;AAEA,IAAA,KAAA,MAAW,YAAY,sBAAwB,EAAA;AAC7C,MAAI,IAAA,QAAA,CAAS,MAAW,KAAAA,sCAAA,CAAgB,IAAM,EAAA;AAC5C,QAAA,MAAM,IAAIC,sBAAgB,EAAA;AAAA;AAC5B;AACF;AAEJ;;;;"}
1
+ {"version":3,"file":"checkPermissions.cjs.js","sources":["../../src/util/checkPermissions.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n BackstageCredentials,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport { NotAllowedError } from '@backstage/errors';\nimport {\n AuthorizeResult,\n BasicPermission,\n PermissionCriteria,\n PolicyDecision,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { ConditionTransformer } from '@backstage/plugin-permission-node';\nimport { SerializedTask } from '@backstage/plugin-scaffolder-node';\nimport { TaskFilters } from '@backstage/plugin-scaffolder-node';\n\nexport type checkPermissionOptions = {\n credentials: BackstageCredentials;\n permissions: BasicPermission[];\n permissionService?: PermissionsService;\n};\n\nexport type checkTaskPermissionOptions = {\n credentials: BackstageCredentials;\n permissions: ResourcePermission[];\n permissionService?: PermissionsService;\n task: SerializedTask;\n isTaskAuthorized: (\n decision: PolicyDecision,\n resource: SerializedTask | undefined,\n ) => boolean;\n};\n\nexport type authorizeConditionsOptions = {\n credentials: BackstageCredentials;\n permission: ResourcePermission;\n permissionService?: PermissionsService;\n transformConditions: ConditionTransformer<TaskFilters>;\n};\n\n/**\n * Does a basic check on permissions. Throws 403 error if any permission responds with AuthorizeResult.DENY\n * @public\n */\nexport async function checkPermission(options: checkPermissionOptions) {\n const { permissions, permissionService, credentials } = options;\n if (permissionService) {\n const permissionRequest = permissions.map(permission => ({\n permission,\n }));\n const authorizationResponses = await permissionService.authorize(\n permissionRequest,\n { credentials: credentials },\n );\n\n for (const response of authorizationResponses) {\n if (response.result === AuthorizeResult.DENY) {\n throw new NotAllowedError();\n }\n }\n }\n}\n\n/**\n * Does a conditional permission check for scaffolder task reading and cancellation.\n * Throws 403 error if permission responds with AuthorizeResult.DENY, or does not resolve to true during the conditional rule check\n * @public\n */\nexport async function checkTaskPermission(options: checkTaskPermissionOptions) {\n const {\n permissions,\n permissionService,\n credentials,\n task,\n isTaskAuthorized,\n } = options;\n if (permissionService) {\n const permissionRequest = permissions.map(permission => ({\n permission,\n }));\n const authorizationResponses = await permissionService.authorizeConditional(\n permissionRequest,\n { credentials },\n );\n for (const response of authorizationResponses) {\n if (\n response.result === AuthorizeResult.DENY ||\n !isTaskAuthorized(response, task)\n ) {\n throw new NotAllowedError();\n }\n }\n }\n}\n\n/** Fetches and transforms authorization conditions into filters, or returns `undefined` if the decision is not conditional.\n * @public\n */\nexport const getAuthorizeConditions = async (\n options: authorizeConditionsOptions,\n): Promise<PermissionCriteria<TaskFilters> | undefined> => {\n const { permission, permissionService, credentials, transformConditions } =\n options;\n if (permissionService) {\n const [taskDecision] = await permissionService.authorizeConditional(\n [{ permission: permission }],\n { credentials },\n );\n if (taskDecision.result === AuthorizeResult.CONDITIONAL) {\n return transformConditions(taskDecision.conditions);\n }\n }\n return undefined;\n};\n"],"names":["AuthorizeResult","NotAllowedError"],"mappings":";;;;;AA2DA,eAAsB,gBAAgB,OAAiC,EAAA;AACrE,EAAA,MAAM,EAAE,WAAA,EAAa,iBAAmB,EAAA,WAAA,EAAgB,GAAA,OAAA;AACxD,EAAA,IAAI,iBAAmB,EAAA;AACrB,IAAM,MAAA,iBAAA,GAAoB,WAAY,CAAA,GAAA,CAAI,CAAe,UAAA,MAAA;AAAA,MACvD;AAAA,KACA,CAAA,CAAA;AACF,IAAM,MAAA,sBAAA,GAAyB,MAAM,iBAAkB,CAAA,SAAA;AAAA,MACrD,iBAAA;AAAA,MACA,EAAE,WAAyB;AAAA,KAC7B;AAEA,IAAA,KAAA,MAAW,YAAY,sBAAwB,EAAA;AAC7C,MAAI,IAAA,QAAA,CAAS,MAAW,KAAAA,sCAAA,CAAgB,IAAM,EAAA;AAC5C,QAAA,MAAM,IAAIC,sBAAgB,EAAA;AAAA;AAC5B;AACF;AAEJ;AAOA,eAAsB,oBAAoB,OAAqC,EAAA;AAC7E,EAAM,MAAA;AAAA,IACJ,WAAA;AAAA,IACA,iBAAA;AAAA,IACA,WAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA,GACE,GAAA,OAAA;AACJ,EAAA,IAAI,iBAAmB,EAAA;AACrB,IAAM,MAAA,iBAAA,GAAoB,WAAY,CAAA,GAAA,CAAI,CAAe,UAAA,MAAA;AAAA,MACvD;AAAA,KACA,CAAA,CAAA;AACF,IAAM,MAAA,sBAAA,GAAyB,MAAM,iBAAkB,CAAA,oBAAA;AAAA,MACrD,iBAAA;AAAA,MACA,EAAE,WAAY;AAAA,KAChB;AACA,IAAA,KAAA,MAAW,YAAY,sBAAwB,EAAA;AAC7C,MACE,IAAA,QAAA,CAAS,WAAWD,sCAAgB,CAAA,IAAA,IACpC,CAAC,gBAAiB,CAAA,QAAA,EAAU,IAAI,CAChC,EAAA;AACA,QAAA,MAAM,IAAIC,sBAAgB,EAAA;AAAA;AAC5B;AACF;AAEJ;AAKa,MAAA,sBAAA,GAAyB,OACpC,OACyD,KAAA;AACzD,EAAA,MAAM,EAAE,UAAA,EAAY,iBAAmB,EAAA,WAAA,EAAa,qBAClD,GAAA,OAAA;AACF,EAAA,IAAI,iBAAmB,EAAA;AACrB,IAAA,MAAM,CAAC,YAAY,CAAI,GAAA,MAAM,iBAAkB,CAAA,oBAAA;AAAA,MAC7C,CAAC,EAAE,UAAA,EAAwB,CAAA;AAAA,MAC3B,EAAE,WAAY;AAAA,KAChB;AACA,IAAI,IAAA,YAAA,CAAa,MAAW,KAAAD,sCAAA,CAAgB,WAAa,EAAA;AACvD,MAAO,OAAA,mBAAA,CAAoB,aAAa,UAAU,CAAA;AAAA;AACpD;AAEF,EAAO,OAAA,KAAA,CAAA;AACT;;;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage/plugin-scaffolder-backend",
3
- "version": "2.0.1-next.1",
3
+ "version": "2.1.0",
4
4
  "description": "The Backstage backend plugin that helps you create new things",
5
5
  "backstage": {
6
6
  "role": "backend-plugin",
@@ -73,30 +73,30 @@
73
73
  "test": "backstage-cli package test"
74
74
  },
75
75
  "dependencies": {
76
- "@backstage/backend-defaults": "0.11.1-next.1",
77
- "@backstage/backend-plugin-api": "1.4.1-next.0",
78
- "@backstage/catalog-model": "1.7.5-next.0",
79
- "@backstage/config": "1.3.3-next.0",
80
- "@backstage/errors": "1.2.7",
81
- "@backstage/integration": "1.17.1-next.1",
82
- "@backstage/plugin-auth-node": "0.6.5-next.0",
83
- "@backstage/plugin-bitbucket-cloud-common": "0.3.1-next.0",
84
- "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "0.2.10-next.0",
85
- "@backstage/plugin-catalog-node": "1.17.2-next.0",
86
- "@backstage/plugin-events-node": "0.4.13-next.0",
87
- "@backstage/plugin-permission-common": "0.9.1-next.0",
88
- "@backstage/plugin-permission-node": "0.10.2-next.0",
89
- "@backstage/plugin-scaffolder-backend-module-azure": "0.2.11-next.1",
90
- "@backstage/plugin-scaffolder-backend-module-bitbucket": "0.3.12-next.1",
91
- "@backstage/plugin-scaffolder-backend-module-bitbucket-cloud": "0.2.11-next.1",
92
- "@backstage/plugin-scaffolder-backend-module-bitbucket-server": "0.2.11-next.1",
93
- "@backstage/plugin-scaffolder-backend-module-gerrit": "0.2.11-next.1",
94
- "@backstage/plugin-scaffolder-backend-module-gitea": "0.2.11-next.1",
95
- "@backstage/plugin-scaffolder-backend-module-github": "0.8.1-next.1",
96
- "@backstage/plugin-scaffolder-backend-module-gitlab": "0.9.3-next.1",
97
- "@backstage/plugin-scaffolder-common": "1.5.12-next.0",
98
- "@backstage/plugin-scaffolder-node": "0.9.1-next.1",
99
- "@backstage/types": "1.2.1",
76
+ "@backstage/backend-defaults": "^0.11.1",
77
+ "@backstage/backend-plugin-api": "^1.4.1",
78
+ "@backstage/catalog-model": "^1.7.5",
79
+ "@backstage/config": "^1.3.3",
80
+ "@backstage/errors": "^1.2.7",
81
+ "@backstage/integration": "^1.17.1",
82
+ "@backstage/plugin-auth-node": "^0.6.5",
83
+ "@backstage/plugin-bitbucket-cloud-common": "^0.3.1",
84
+ "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.2.10",
85
+ "@backstage/plugin-catalog-node": "^1.17.2",
86
+ "@backstage/plugin-events-node": "^0.4.13",
87
+ "@backstage/plugin-permission-common": "^0.9.1",
88
+ "@backstage/plugin-permission-node": "^0.10.2",
89
+ "@backstage/plugin-scaffolder-backend-module-azure": "^0.2.11",
90
+ "@backstage/plugin-scaffolder-backend-module-bitbucket": "^0.3.12",
91
+ "@backstage/plugin-scaffolder-backend-module-bitbucket-cloud": "^0.2.11",
92
+ "@backstage/plugin-scaffolder-backend-module-bitbucket-server": "^0.2.11",
93
+ "@backstage/plugin-scaffolder-backend-module-gerrit": "^0.2.11",
94
+ "@backstage/plugin-scaffolder-backend-module-gitea": "^0.2.11",
95
+ "@backstage/plugin-scaffolder-backend-module-github": "^0.8.1",
96
+ "@backstage/plugin-scaffolder-backend-module-gitlab": "^0.9.3",
97
+ "@backstage/plugin-scaffolder-common": "^1.6.0",
98
+ "@backstage/plugin-scaffolder-node": "^0.10.0",
99
+ "@backstage/types": "^1.2.1",
100
100
  "@opentelemetry/api": "^1.9.0",
101
101
  "@types/luxon": "^3.0.0",
102
102
  "concat-stream": "^2.0.0",
@@ -126,11 +126,11 @@
126
126
  "zod-to-json-schema": "^3.20.4"
127
127
  },
128
128
  "devDependencies": {
129
- "@backstage/backend-app-api": "1.2.5-next.0",
130
- "@backstage/backend-defaults": "0.11.1-next.1",
131
- "@backstage/backend-test-utils": "1.7.0-next.1",
132
- "@backstage/cli": "0.33.1-next.1",
133
- "@backstage/plugin-scaffolder-node-test-utils": "0.3.1-next.1",
129
+ "@backstage/backend-app-api": "^1.2.5",
130
+ "@backstage/backend-defaults": "^0.11.1",
131
+ "@backstage/backend-test-utils": "^1.7.0",
132
+ "@backstage/cli": "^0.33.1",
133
+ "@backstage/plugin-scaffolder-node-test-utils": "^0.3.1",
134
134
  "@types/express": "^4.17.6",
135
135
  "@types/fs-extra": "^11.0.0",
136
136
  "@types/nunjucks": "^3.1.4",