@kuadrant/kuadrant-backstage-plugin-backend 0.0.1-test.1-1593c3ec

package/dist/router.cjs.js

@@ -0,0 +1,820 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var zod = require('zod');
+var express = require('express');
+var Router = require('express-promise-router');
+var cors = require('cors');
+var crypto = require('crypto');
+var k8sClient = require('./k8s-client.cjs.js');
+var permissions = require('./permissions.cjs.js');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var express__default = /*#__PURE__*/_interopDefaultCompat(express);
+var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
+var cors__default = /*#__PURE__*/_interopDefaultCompat(cors);
+
+function generateApiKey() {
+  return crypto.randomBytes(32).toString("hex");
+}
+async function getUserIdentity(req, httpAuth, userInfo) {
+  try {
+    const credentials = await httpAuth.credentials(req, { allow: ["user", "none"] });
+    if (!credentials || !credentials.principal || credentials.principal.type === "none") {
+      console.log("no user credentials, treating as guest api owner");
+      return {
+        userId: "guest",
+        isPlatformEngineer: false,
+        isApiOwner: true,
+        // allow guest as api owner in development
+        isApiConsumer: true,
+        groups: []
+      };
+    }
+    const info = await userInfo.getUserInfo(credentials);
+    const userId = info.userEntityRef.split("/")[1] || "guest";
+    const groups = info.ownershipEntityRefs || [];
+    const isPlatformEngineer = userId === "guest" || groups.some(
+      (ref) => ref === "group:default/platform-engineers" || ref === "group:default/platform-admins"
+    );
+    const isApiOwner = userId === "guest" || groups.some(
+      (ref) => ref === "group:default/api-owners" || ref === "group:default/app-developers"
+    );
+    const isApiConsumer = groups.some(
+      (ref) => ref === "group:default/api-consumers"
+    );
+    console.log(`user identity resolved: userId=${userId}, isPlatformEngineer=${isPlatformEngineer}, isApiOwner=${isApiOwner}, isApiConsumer=${isApiConsumer}, groups=${groups.join(",")}`);
+    return { userId, isPlatformEngineer, isApiOwner, isApiConsumer, groups };
+  } catch (error) {
+    const errorMsg = error instanceof Error ? error.message : String(error);
+    console.warn(`failed to get user identity, defaulting to guest api owner: ${errorMsg}`);
+    return {
+      userId: "guest",
+      isPlatformEngineer: false,
+      isApiOwner: true,
+      // allow guest as api owner in development
+      isApiConsumer: true,
+      groups: []
+    };
+  }
+}
+async function createRouter({
+  httpAuth,
+  userInfo,
+  config,
+  permissions: permissions$1
+}) {
+  const router = Router__default.default();
+  router.use(cors__default.default({
+    origin: "http://localhost:3000",
+    credentials: true
+  }));
+  router.use(express__default.default.json());
+  const k8sClient$1 = new k8sClient.KuadrantK8sClient(config);
+  router.get("/apiproducts", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiProductListPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apiproducts");
+      res.json(data);
+    } catch (error) {
+      console.error("error fetching apiproducts:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch apiproducts" });
+      }
+    }
+  });
+  router.get("/apiproducts/:namespace/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiProductReadPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const { namespace, name } = req.params;
+      const data = await k8sClient$1.getCustomResource("extensions.kuadrant.io", "v1alpha1", namespace, "apiproducts", name);
+      res.json(data);
+    } catch (error) {
+      console.error("error fetching apiproduct:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch apiproduct" });
+      }
+    }
+  });
+  router.post("/apiproducts", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiProductCreatePermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const { userId } = await getUserIdentity(req, httpAuth, userInfo);
+      const apiProduct = req.body;
+      const namespace = apiProduct.metadata?.namespace;
+      const planPolicyRef = apiProduct.spec?.planPolicyRef;
+      if (!namespace) {
+        throw new errors.InputError("namespace is required in metadata");
+      }
+      if (!planPolicyRef?.name || !planPolicyRef?.namespace) {
+        throw new errors.InputError("planPolicyRef with name and namespace is required");
+      }
+      const planPolicy = await k8sClient$1.getCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        planPolicyRef.namespace,
+        "planpolicies",
+        planPolicyRef.name
+      );
+      const plans = planPolicy.spec?.plans || [];
+      if (plans.length === 0) {
+        throw new errors.InputError("selected planpolicy has no plans defined");
+      }
+      apiProduct.spec.plans = plans;
+      if (!apiProduct.spec.contact) {
+        apiProduct.spec.contact = {};
+      }
+      apiProduct.spec.contact.team = `user:default/${userId}`;
+      const created = await k8sClient$1.createCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apiproducts",
+        apiProduct
+      );
+      res.status(201).json(created);
+    } catch (error) {
+      console.error("error creating apiproduct:", error);
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else if (error instanceof errors.InputError) {
+        res.status(400).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: errorMessage });
+      }
+    }
+  });
+  router.delete("/apiproducts/:namespace/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiProductDeletePermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const { namespace, name } = req.params;
+      await k8sClient$1.deleteCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apiproducts",
+        name
+      );
+      res.status(204).send();
+    } catch (error) {
+      console.error("error deleting apiproduct:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to delete apiproduct" });
+      }
+    }
+  });
+  router.get("/planpolicies", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantPlanPolicyListPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "planpolicies");
+      const filtered = {
+        items: (data.items || []).map((policy) => ({
+          metadata: {
+            name: policy.metadata.name,
+            namespace: policy.metadata.namespace
+          }
+        }))
+      };
+      res.json(filtered);
+    } catch (error) {
+      console.error("error fetching planpolicies:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch planpolicies" });
+      }
+    }
+  });
+  router.get("/planpolicies/:namespace/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantPlanPolicyReadPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const { namespace, name } = req.params;
+      const data = await k8sClient$1.getCustomResource("extensions.kuadrant.io", "v1alpha1", namespace, "planpolicies", name);
+      res.json(data);
+    } catch (error) {
+      console.error("error fetching planpolicy:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch planpolicy" });
+      }
+    }
+  });
+  router.get("/apikeys", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const userId = req.query.userId;
+      const namespace = req.query.namespace;
+      if (!namespace) {
+        throw new errors.InputError("namespace query parameter is required");
+      }
+      const permission = userId ? permissions.kuadrantApiKeyReadOwnPermission : permissions.kuadrantApiKeyReadAllPermission;
+      const decision = await permissions$1.authorize(
+        [{ permission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const data = await k8sClient$1.listSecrets(namespace);
+      let filteredItems = data.items || [];
+      if (userId) {
+        filteredItems = filteredItems.filter(
+          (secret) => secret.metadata?.annotations?.["secret.kuadrant.io/user-id"] === userId
+        );
+      }
+      filteredItems = filteredItems.filter(
+        (secret) => secret.metadata?.annotations?.["secret.kuadrant.io/user-id"]
+      );
+      res.json({ items: filteredItems });
+    } catch (error) {
+      console.error("error fetching api keys:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch api keys" });
+      }
+    }
+  });
+  router.delete("/apikeys/:namespace/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const { userId } = await getUserIdentity(req, httpAuth, userInfo);
+      const { namespace, name } = req.params;
+      const secret = await k8sClient$1.getSecret(namespace, name);
+      const secretUserId = secret.metadata?.annotations?.["secret.kuadrant.io/user-id"];
+      const deleteAllDecision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyDeleteAllPermission }],
+        { credentials }
+      );
+      const canDeleteAll = deleteAllDecision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
+      if (!canDeleteAll) {
+        const deleteOwnDecision = await permissions$1.authorize(
+          [{ permission: permissions.kuadrantApiKeyDeleteOwnPermission }],
+          { credentials }
+        );
+        if (deleteOwnDecision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+          throw new errors.NotAllowedError("unauthorised");
+        }
+        if (secretUserId !== userId) {
+          throw new errors.NotAllowedError("you can only delete your own api keys");
+        }
+      }
+      await k8sClient$1.deleteSecret(namespace, name);
+      res.status(204).send();
+    } catch (error) {
+      console.error("error deleting api key:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to delete api key" });
+      }
+    }
+  });
+  const requestSchema = zod.z.object({
+    apiName: zod.z.string(),
+    apiNamespace: zod.z.string(),
+    planTier: zod.z.string(),
+    useCase: zod.z.string().optional(),
+    userId: zod.z.string(),
+    userEmail: zod.z.string().optional(),
+    namespace: zod.z.string()
+  });
+  router.post("/requests", async (req, res) => {
+    const parsed = requestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      throw new errors.InputError(parsed.error.toString());
+    }
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const { apiName, apiNamespace, planTier, useCase, userId, userEmail, namespace } = parsed.data;
+      const resourceRef = `apiproduct:${apiNamespace}/${apiName}`;
+      const decision = await permissions$1.authorize(
+        [{
+          permission: permissions.kuadrantApiKeyRequestCreatePermission,
+          resourceRef
+        }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError(`not authorised to request access to ${apiName}`);
+      }
+      const { userId: authenticatedUserId, isPlatformEngineer, isApiOwner } = await getUserIdentity(req, httpAuth, userInfo);
+      const canCreateForOthers = isPlatformEngineer || isApiOwner;
+      if (!canCreateForOthers && userId !== authenticatedUserId) {
+        throw new errors.NotAllowedError("you can only create api key requests for yourself");
+      }
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      const randomSuffix = crypto.randomBytes(4).toString("hex");
+      const requestName = `${userId}-${apiName}-${randomSuffix}`.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+      const requestedBy = { userId };
+      if (userEmail) {
+        requestedBy.email = userEmail;
+      }
+      const request = {
+        apiVersion: "extensions.kuadrant.io/v1alpha1",
+        kind: "APIKeyRequest",
+        metadata: {
+          name: requestName,
+          namespace
+        },
+        spec: {
+          apiName,
+          apiNamespace,
+          planTier,
+          useCase: useCase || "",
+          requestedBy,
+          requestedAt: timestamp
+        }
+      };
+      const created = await k8sClient$1.createCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        request
+      );
+      try {
+        const apiProduct = await k8sClient$1.getCustomResource(
+          "extensions.kuadrant.io",
+          "v1alpha1",
+          apiNamespace,
+          "apiproducts",
+          apiName
+        );
+        if (apiProduct.spec?.approvalMode === "automatic") {
+          const apiKey = generateApiKey();
+          const timestamp2 = Date.now();
+          const secretName = `${userId}-${apiName}-${timestamp2}`.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+          const secret = {
+            apiVersion: "v1",
+            kind: "Secret",
+            metadata: {
+              name: secretName,
+              namespace: apiNamespace,
+              labels: {
+                app: apiName
+              },
+              annotations: {
+                "secret.kuadrant.io/plan-id": planTier,
+                "secret.kuadrant.io/user-id": userId
+              }
+            },
+            stringData: {
+              api_key: apiKey
+            },
+            type: "Opaque"
+          };
+          await k8sClient$1.createSecret(apiNamespace, secret);
+          let planLimits = null;
+          const plan = apiProduct.spec?.plans?.find((p) => p.tier === planTier);
+          if (plan) {
+            planLimits = plan.limits;
+          }
+          let apiHostname = `${apiName}.apps.example.com`;
+          try {
+            const httproute = await k8sClient$1.getCustomResource(
+              "gateway.networking.k8s.io",
+              "v1",
+              apiNamespace,
+              "httproutes",
+              apiName
+            );
+            if (httproute.spec?.hostnames && httproute.spec.hostnames.length > 0) {
+              apiHostname = httproute.spec.hostnames[0];
+            }
+          } catch (error) {
+            console.warn("could not fetch httproute for hostname, using default:", error);
+          }
+          const status = {
+            phase: "Approved",
+            reviewedBy: "system",
+            reviewedAt: (/* @__PURE__ */ new Date()).toISOString(),
+            reason: "automatic approval",
+            apiKey,
+            apiHostname,
+            apiBasePath: "/api/v1",
+            apiDescription: `${apiName} api`,
+            planLimits
+          };
+          await k8sClient$1.patchCustomResourceStatus(
+            "extensions.kuadrant.io",
+            "v1alpha1",
+            namespace,
+            "apikeyrequests",
+            requestName,
+            status
+          );
+        }
+      } catch (error) {
+        console.warn("could not check approval mode or auto-approve:", error);
+      }
+      res.status(201).json(created);
+    } catch (error) {
+      console.error("error creating api key request:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to create api key request" });
+      }
+    }
+  });
+  router.get("/requests", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyRequestListPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const status = req.query.status;
+      const namespace = req.query.namespace;
+      let data;
+      if (namespace) {
+        data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apikeyrequests", namespace);
+      } else {
+        data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apikeyrequests");
+      }
+      let filteredItems = data.items || [];
+      if (status) {
+        filteredItems = filteredItems.filter((req2) => {
+          const phase = req2.status?.phase || "Pending";
+          return phase === status;
+        });
+      }
+      res.json({ items: filteredItems });
+    } catch (error) {
+      console.error("error fetching api key requests:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch api key requests" });
+      }
+    }
+  });
+  router.get("/requests/my", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyRequestReadOwnPermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const userId = req.query.userId;
+      const namespace = req.query.namespace;
+      if (!userId) {
+        throw new errors.InputError("userId query parameter is required");
+      }
+      let data;
+      if (namespace) {
+        data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apikeyrequests", namespace);
+      } else {
+        data = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apikeyrequests");
+      }
+      const filteredItems = (data.items || []).filter(
+        (req2) => req2.spec?.requestedBy?.userId === userId
+      );
+      res.json({ items: filteredItems });
+    } catch (error) {
+      console.error("error fetching user api key requests:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to fetch user api key requests" });
+      }
+    }
+  });
+  const approveRejectSchema = zod.z.object({
+    comment: zod.z.string().optional()
+  });
+  router.post("/requests/:namespace/:name/approve", async (req, res) => {
+    const parsed = approveRejectSchema.safeParse(req.body);
+    if (!parsed.success) {
+      throw new errors.InputError(parsed.error.toString());
+    }
+    try {
+      const { userId, isApiOwner } = await getUserIdentity(req, httpAuth, userInfo);
+      let canApprove = isApiOwner;
+      if (!canApprove) {
+        try {
+          const credentials = await httpAuth.credentials(req, { allow: ["none"] });
+          if (credentials) {
+            const decision = await permissions$1.authorize(
+              [{ permission: permissions.kuadrantApiKeyRequestUpdatePermission }],
+              { credentials }
+            );
+            canApprove = decision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
+          }
+        } catch (error) {
+          console.warn("permission check failed, using group-based authorization:", error);
+        }
+      }
+      if (!canApprove) {
+        throw new errors.NotAllowedError("you do not have permission to approve api key requests");
+      }
+      const { namespace, name } = req.params;
+      const { comment } = parsed.data;
+      const reviewedBy = `user:default/${userId}`;
+      const request = await k8sClient$1.getCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name
+      );
+      const spec = request.spec;
+      const apiKey = generateApiKey();
+      const timestamp = Date.now();
+      const secretName = `${spec.requestedBy.userId}-${spec.apiName}-${timestamp}`.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+      const secret = {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: secretName,
+          namespace: spec.apiNamespace,
+          labels: {
+            app: spec.apiName
+          },
+          annotations: {
+            "secret.kuadrant.io/plan-id": spec.planTier,
+            "secret.kuadrant.io/user-id": spec.requestedBy.userId
+          }
+        },
+        stringData: {
+          api_key: apiKey
+        },
+        type: "Opaque"
+      };
+      await k8sClient$1.createSecret(spec.apiNamespace, secret);
+      let planLimits = null;
+      try {
+        const products = await k8sClient$1.listCustomResources("extensions.kuadrant.io", "v1alpha1", "apiproducts");
+        const product = (products.items || []).find(
+          (p) => p.metadata.name.includes(spec.apiName) || p.spec?.displayName?.toLowerCase().includes(spec.apiName.toLowerCase())
+        );
+        if (product) {
+          const plan = product.spec?.plans?.find((p) => p.tier === spec.planTier);
+          if (plan) {
+            planLimits = plan.limits;
+          }
+        }
+      } catch (e) {
+        console.warn("could not fetch apiproduct for plan limits:", e);
+      }
+      if (!planLimits) {
+        try {
+          const policy = await k8sClient$1.getCustomResource(
+            "extensions.kuadrant.io",
+            "v1alpha1",
+            spec.apiNamespace,
+            "planpolicies",
+            `${spec.apiName}-plan`
+          );
+          const plan = policy.spec?.plans?.find((p) => p.tier === spec.planTier);
+          if (plan) {
+            planLimits = plan.limits;
+          }
+        } catch (e) {
+          console.warn("could not fetch planpolicy for plan limits:", e);
+        }
+      }
+      let apiHostname = `${spec.apiName}.apps.example.com`;
+      try {
+        const httproute = await k8sClient$1.getCustomResource(
+          "gateway.networking.k8s.io",
+          "v1",
+          spec.apiNamespace,
+          "httproutes",
+          spec.apiName
+        );
+        if (httproute.spec?.hostnames && httproute.spec.hostnames.length > 0) {
+          apiHostname = httproute.spec.hostnames[0];
+        }
+      } catch (error) {
+        console.warn("could not fetch httproute for hostname, using default:", error);
+      }
+      const status = {
+        phase: "Approved",
+        reviewedBy,
+        reviewedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        reason: comment || "approved",
+        apiKey,
+        apiHostname,
+        apiBasePath: "/api/v1",
+        apiDescription: `${spec.apiName} api`,
+        planLimits
+      };
+      await k8sClient$1.patchCustomResourceStatus(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name,
+        status
+      );
+      res.json({ secretName });
+    } catch (error) {
+      console.error("error approving api key request:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to approve api key request" });
+      }
+    }
+  });
+  router.post("/requests/:namespace/:name/reject", async (req, res) => {
+    const parsed = approveRejectSchema.safeParse(req.body);
+    if (!parsed.success) {
+      throw new errors.InputError(parsed.error.toString());
+    }
+    try {
+      const { userId, isApiOwner } = await getUserIdentity(req, httpAuth, userInfo);
+      let canReject = isApiOwner;
+      if (!canReject) {
+        try {
+          const credentials = await httpAuth.credentials(req, { allow: ["none"] });
+          if (credentials) {
+            const decision = await permissions$1.authorize(
+              [{ permission: permissions.kuadrantApiKeyRequestUpdatePermission }],
+              { credentials }
+            );
+            canReject = decision[0].result === pluginPermissionCommon.AuthorizeResult.ALLOW;
+          }
+        } catch (error) {
+          console.warn("permission check failed, using group-based authorization:", error);
+        }
+      }
+      if (!canReject) {
+        throw new errors.NotAllowedError("you do not have permission to reject api key requests");
+      }
+      const { namespace, name } = req.params;
+      const { comment } = parsed.data;
+      const reviewedBy = `user:default/${userId}`;
+      const status = {
+        phase: "Rejected",
+        reviewedBy,
+        reviewedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        reason: comment || "rejected"
+      };
+      await k8sClient$1.patchCustomResourceStatus(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name,
+        status
+      );
+      res.status(204).send();
+    } catch (error) {
+      console.error("error rejecting api key request:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to reject api key request" });
+      }
+    }
+  });
+  router.delete("/requests/:namespace/:name", async (req, res) => {
+    try {
+      const { userId, isPlatformEngineer, isApiOwner } = await getUserIdentity(req, httpAuth, userInfo);
+      const { namespace, name } = req.params;
+      const request = await k8sClient$1.getCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name
+      );
+      const requestUserId = request.spec?.requestedBy?.userId;
+      const canDeleteAll = isPlatformEngineer || isApiOwner;
+      if (!canDeleteAll && requestUserId !== userId) {
+        throw new errors.NotAllowedError("you can only delete your own api key requests");
+      }
+      if (request.status?.phase === "Approved") {
+        try {
+          const apiNamespace = request.spec?.apiNamespace;
+          const apiName = request.spec?.apiName;
+          const planTier = request.spec?.planTier;
+          const secrets = await k8sClient$1.listSecrets(apiNamespace);
+          const matchingSecret = secrets.items?.find((s) => {
+            const annotations = s.metadata?.annotations || {};
+            return annotations["secret.kuadrant.io/user-id"] === requestUserId && annotations["secret.kuadrant.io/plan-id"] === planTier && s.metadata?.labels?.app === apiName;
+          });
+          if (matchingSecret) {
+            await k8sClient$1.deleteSecret(apiNamespace, matchingSecret.metadata.name);
+          }
+        } catch (error) {
+          console.warn("failed to delete associated secret:", error);
+        }
+      }
+      await k8sClient$1.deleteCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name
+      );
+      res.status(204).send();
+    } catch (error) {
+      console.error("error deleting api key request:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to delete api key request" });
+      }
+    }
+  });
+  router.patch("/requests/:namespace/:name", async (req, res) => {
+    try {
+      const credentials = await httpAuth.credentials(req);
+      const decision = await permissions$1.authorize(
+        [{ permission: permissions.kuadrantApiKeyRequestUpdatePermission }],
+        { credentials }
+      );
+      if (decision[0].result !== pluginPermissionCommon.AuthorizeResult.ALLOW) {
+        throw new errors.NotAllowedError("unauthorised");
+      }
+      const { namespace, name } = req.params;
+      const patch = req.body;
+      const updated = await k8sClient$1.patchCustomResource(
+        "extensions.kuadrant.io",
+        "v1alpha1",
+        namespace,
+        "apikeyrequests",
+        name,
+        patch
+      );
+      res.json(updated);
+    } catch (error) {
+      console.error("error updating api key request:", error);
+      if (error instanceof errors.NotAllowedError) {
+        res.status(403).json({ error: error.message });
+      } else {
+        res.status(500).json({ error: "failed to update api key request" });
+      }
+    }
+  });
+  router.use(pluginPermissionNode.createPermissionIntegrationRouter({
+    permissions: permissions.kuadrantPermissions
+  }));
+  return router;
+}
+
+exports.createRouter = createRouter;
+//# sourceMappingURL=router.cjs.js.map