
@backstage/backend-defaults


Backend defaults used by Backstage backend apps

'use strict';

var backendPluginApi = require('@backstage/backend-plugin-api');
var pluginPermissionNode = require('@backstage/plugin-permission-node');
var errors = require('@backstage/errors');
var Router = require('express-promise-router');

// Bundler interop shim: hands back `e` untouched when it is an object that
// already carries a `default` key, otherwise wraps it as `{ default: e }`.
function _interopDefaultCompat (e) {
  if (e && typeof e === 'object' && 'default' in e) {
    return e;
  }
  return { default: e };
}

var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);

/**
 * Ownership check for a permission resource reference.
 *
 * Keeps one plugin from registering, or reading the ruleset of, a resource
 * type that is declared as belonging to a different plugin.
 *
 * @param {{ pluginId: string, resourceType: string }} ref - resource reference to check
 * @param {string} pluginId - id of the plugin this registry instance serves
 * @throws {Error} when `ref.pluginId` differs from `pluginId`
 */
function assertRefPluginId(ref, pluginId) {
  if (ref.pluginId === pluginId) {
    return;
  }
  throw new Error(
    `Resource type '${ref.resourceType}' belongs to plugin '${ref.pluginId}', but was used with plugin '${pluginId}'`
  );
}

/**
 * Service factory for the core `permissionsRegistry` service.
 *
 * Per plugin it mounts two things on the plugin's HTTP router, in this order:
 *   1. an auth guard scoped to the apply-conditions well-known path, and
 *   2. the permission integration router itself.
 * The guard has to be registered first so that it runs before the integration
 * router handles the request.
 *
 * The returned registry only accepts new resource types, permissions and rules
 * until the plugin's startup hook has fired; after that every mutating call
 * throws, so the permission surface cannot change while the plugin is serving.
 */
const permissionsRegistryServiceFactory = backendPluginApi.createServiceFactory({
  service: backendPluginApi.coreServices.permissionsRegistry,
  deps: {
    auth: backendPluginApi.coreServices.auth,
    httpAuth: backendPluginApi.coreServices.httpAuth,
    lifecycle: backendPluginApi.coreServices.lifecycle,
    httpRouter: backendPluginApi.coreServices.httpRouter,
    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
  },
  async factory({ auth, httpAuth, httpRouter, lifecycle, pluginMetadata }) {
    const router = pluginPermissionNode.createPermissionIntegrationRouter();
    const pluginId = pluginMetadata.getId();

    // Authorization guard for the apply-conditions endpoint.
    // Only "user" and "service" credentials are requested from httpAuth; how
    // other credential kinds are refused is decided inside httpAuth and is not
    // visible in this file.
    // A user principal WITHOUT an `actor` is rejected with NotAllowedError;
    // service principals and user principals that carry an `actor` pass.
    // NOTE(review): presumably `actor` marks a call a backend service makes on
    // a user's behalf - confirm against the auth service contract.
    // Keep the arity at three: Express treats four-argument handlers as error
    // handlers.
    const guardApplyConditions = async (req, _res, next) => {
      const credentials = await httpAuth.credentials(req, {
        allow: ["user", "service"]
      });
      const isUserWithoutActor =
        auth.isPrincipal(credentials, "user") && !credentials.principal.actor;
      if (isUserWithoutActor) {
        throw new errors.NotAllowedError();
      }
      next();
    };

    const applyConditionMiddleware = Router__default.default();
    applyConditionMiddleware.use(
      "/.well-known/backstage/permissions/apply-conditions",
      guardApplyConditions
    );

    // Order matters: guard first, integration router second.
    // NOTE(review): the guard covers the apply-conditions path only; whatever
    // else the integration router serves relies on protections not shown here.
    httpRouter.use(applyConditionMiddleware);
    httpRouter.use(router);

    // Flipped once by the startup hook; from then on the registry is frozen.
    let started = false;
    lifecycle.addStartupHook(() => {
      started = true;
    });

    // Shared "registry is frozen" check used by every mutating method.
    const assertNotStarted = (message) => {
      if (started) {
        throw new Error(message);
      }
    };

    return {
      // Registers a resource type after verifying that its ref belongs to
      // this plugin.
      addResourceType(resource) {
        assertNotStarted(
          "Cannot add permission resource types after the plugin has started"
        );
        assertRefPluginId(resource.resourceRef, pluginId);
        const resourceType = resource.resourceRef.resourceType;
        router.addResourceType({ ...resource, resourceType });
      },

      // NOTE(review): unlike addResourceType, no plugin-ownership check is
      // applied here; whether the router validates its input is not visible
      // in this file.
      addPermissions(permissions) {
        assertNotStarted("Cannot add permissions after the plugin has started");
        router.addPermissions(permissions);
      },

      // NOTE(review): same as addPermissions - only the startup freeze is
      // enforced at this layer.
      addPermissionRules(rules) {
        assertNotStarted(
          "Cannot add permission rules after the plugin has started"
        );
        router.addPermissionRules(rules);
      },

      // Read access stays available after startup, but only for resource refs
      // owned by this plugin.
      getPermissionRuleset(resourceRef) {
        assertRefPluginId(resourceRef, pluginId);
        return router.getPermissionRuleset(resourceRef);
      }
    };
  }
});

exports.permissionsRegistryServiceFactory = permissionsRegistryServiceFactory;
//# sourceMappingURL=permissionsRegistryServiceFactory.cjs.js.map