
@parsifal-m/plugin-permission-backend-module-opa-wrapper


A Backstage backend module that integrates Open Policy Agent (OPA) with the Backstage Permission Framework for policy-based authorization.

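'use strict';

const pluginPermissionCommon = require('@backstage/plugin-permission-common');

/**
 * A Backstage permission policy that delegates every authorization decision
 * to an Open Policy Agent (OPA) instance via the injected client.
 *
 * Decision mapping is fail-closed: only an OPA result of exactly "ALLOW"
 * grants access, "CONDITIONAL" is forwarded together with its conditions,
 * and any other value (including a missing or unexpected result) becomes DENY.
 * A missing response, or a CONDITIONAL decision without conditions/pluginId/
 * resourceType, is logged and rejected with an Error rather than mapped.
 */
class OpaPermissionPolicy {
  opaClient;
  logger;
  opaEntryPoint;

  /**
   * @param {object} opaClient - client exposing
   *   `evaluatePermissionsFrameworkPolicy(input, entryPoint)`.
   * @param {object} logger - logger exposing `error(message)`.
   * @param {string|undefined} opaEntryPoint - OPA entry point passed through
   *   unchanged to the client on every evaluation.
   */
  constructor(opaClient, logger, opaEntryPoint) {
    this.opaClient = opaClient;
    this.logger = logger;
    this.opaEntryPoint = opaEntryPoint;
  }

  /**
   * Permission-framework entry point; delegates to {@link evaluatePolicy}.
   *
   * @param {object} request - permission request; `request.permission.name` is read.
   * @param {object} user - authenticated caller; `user.info` is read.
   * @returns {Promise<object>} the policy decision (`{ result, ... }`).
   */
  async handle(request, user) {
    return this.evaluatePolicy(request, user);
  }

  /**
   * Builds the OPA input from the request and caller identity, queries OPA
   * and maps its result onto an AuthorizeResult decision.
   *
   * @param {object} request - permission request; only `permission.name` is sent.
   * @param {object} user - caller; `info.userEntityRef` and
   *   `info.ownershipEntityRefs` (defaulting to `[]`) are sent as identity/claims.
   * @returns {Promise<object>} ALLOW, DENY, or a CONDITIONAL decision carrying
   *   `pluginId`, `resourceType` and `conditions` from the OPA response.
   * @throws {Error} when OPA returns no response, or a CONDITIONAL decision is
   *   missing `conditions`, `pluginId` or `resourceType`.
   */
  async evaluatePolicy(request, user) {
    // NOTE(review): `user` is dereferenced without a guard, so a call with no
    // user rejects with a TypeError instead of being evaluated by OPA —
    // confirm that this fail-closed behaviour is the intended one.
    const input = {
      permission: { name: request.permission.name },
      identity: {
        user: user.info.userEntityRef,
        claims: user.info.ownershipEntityRefs ?? [],
      },
    };

    // The original wrapped this in a try/catch that only rethrew; errors from
    // the client now propagate unchanged without the redundant handler.
    const response = await this.opaClient.evaluatePermissionsFrameworkPolicy(
      input,
      this.opaEntryPoint,
    );

    if (!response) {
      this.#fail(
        'The result is missing in the response from OPA, are you sure the policy is loaded?',
      );
    }

    if (response.result === 'CONDITIONAL') {
      // A CONDITIONAL decision is only meaningful with all three fields; a
      // partial one is an error, not silently downgraded to ALLOW or DENY.
      if (!response.conditions) {
        this.#fail('Conditions are missing for CONDITIONAL decision');
      }
      if (!response.pluginId) {
        this.#fail('PluginId is missing for CONDITIONAL decision');
      }
      if (!response.resourceType) {
        this.#fail('ResourceType is missing for CONDITIONAL decision');
      }
      return {
        result: pluginPermissionCommon.AuthorizeResult.CONDITIONAL,
        pluginId: response.pluginId,
        resourceType: response.resourceType,
        conditions: response.conditions,
      };
    }

    // Fail closed: anything that is not exactly "ALLOW" (including an absent
    // or unknown result value) is a DENY.
    if (response.result !== 'ALLOW') {
      return { result: pluginPermissionCommon.AuthorizeResult.DENY };
    }
    return { result: pluginPermissionCommon.AuthorizeResult.ALLOW };
  }

  /**
   * Logs `message` through the configured logger and throws it as an Error,
   * so every malformed-response path reports and fails the same way.
   *
   * @param {string} message - the error text to log and throw.
   * @throws {Error} always.
   */
  #fail(message) {
    this.logger.error(message);
    throw new Error(message);
  }
}

exports.OpaPermissionPolicy = OpaPermissionPolicy;
//# sourceMappingURL=policy.cjs.js.map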