Merge pull request #250 from Parsifal-M/feature/use-perm-identity
Use PolicyQueryUser over BackstageIdentity
Parsifal-M authored Dec 1, 2024
2 parents 22b00b7 + 97d8c9e commit b31f837
Showing 7 changed files with 463 additions and 477 deletions.
5 changes: 5 additions & 0 deletions .changeset/lazy-rules-count.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@parsifal-m/plugin-permission-backend-module-opa-wrapper': patch
---

Change to using PolicyUser instead of BackstageIdentity when passing the user information to the OPA policy to be more inline with how it was intended to be used.
4 changes: 2 additions & 2 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,10 @@ jobs:
run: yarn tsc:full

- name: Run Tests
run: yarn test:all --coverage
run: yarn test:silent

- name: Upload results to Codecov
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: Parsifal-M/backstage-opa-plugins
slug: Parsifal-M/backstage-opa-plugins
7 changes: 3 additions & 4 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"version": "1.0.0",
"private": true,
"engines": {
"node": "16 || 18"
"node": "20 || 22"
},
"scripts": {
"dev": "concurrently \"yarn start\" \"yarn start-backend\"",
Expand All @@ -19,6 +19,7 @@
"test": "backstage-cli repo test",
"test:all": "backstage-cli repo test --coverage",
"test:changed": "backstage-cli repo test --onlyChanged --coverage",
"test:silent": "backstage-cli repo test --silent --coverage",
"lint": "backstage-cli repo lint --since origin/main",
"lint:all": "backstage-cli repo lint",
"prettier:write": "prettier --write .",
Expand Down Expand Up @@ -51,9 +52,7 @@
},
"resolutions": {
"@types/react": "^18",
"@types/react-dom": "^18",
"@yarnpkg/parsers": "3.0.0-rc.4",
"swagger-ui-react": "5.10.5"
"@types/react-dom": "^18"
},
"prettier": "@spotify/prettier-config",
"lint-staged": {
Expand Down
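Review bot: The two `resolutions` entries dropped in the last hunk (`@yarnpkg/parsers` at `3.0.0-rc.4` and `swagger-ui-react` at `5.10.5`) were explicit version pins, and neither the commit message nor the changeset explains why they are no longer needed. Pins like these are often kept to hold a transitive dependency at a known-good build, so removing them silently widens what the lockfile may resolve to on the next install. It would be worth a one-line note in the commit or changeset stating that the pins are obsolete (or that the pinned packages are no longer in the tree), so a future reader does not have to reconstruct the reason. The `engines` bump to `20 || 22` in the first hunk is presumably matched by the CI runner's Node setup, but that part of the workflow is not in this diff.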
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
import { OpaClient } from '../opa-client/opaClient';
import { LoggerService } from '@backstage/backend-plugin-api';
import { PolicyQuery } from '@backstage/plugin-permission-node';
import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
import {
PolicyQuery,
PolicyQueryUser,
} from '@backstage/plugin-permission-node';
import { AuthorizeResult } from '@backstage/plugin-permission-common';
import { Config } from '@backstage/config';
import { policyEvaluator } from './opaEvaluator';

jest.mock('../opa-client/opaClient');
jest.mock('winston');
jest.mock('@backstage/config');

describe('policyEvaluator', () => {
Expand Down Expand Up @@ -46,13 +47,21 @@ describe('policyEvaluator', () => {
resourceType: 'someResourceType',
},
};
const mockUser: BackstageIdentityResponse = {
const mockUser: PolicyQueryUser = {
identity: {
userEntityRef: 'parsifal-m',
userEntityRef: 'user:default/parsifal-m',
ownershipEntityRefs: ['user:default/parsifal-m', 'group:default/users'],
type: 'user',
},
token: 'mockToken',
credentials: {
$$type: '@backstage/BackstageCredentials',
principal: 'user:default/parsifal-m',
},
info: {
userEntityRef: 'user:default/parsifal-m',
ownershipEntityRefs: ['user:default/parsifal-m', 'group:default/users'],
},
};
const mockopaEntryPoint = 'some/package/admin';

Expand All @@ -79,13 +88,21 @@ describe('policyEvaluator', () => {
resourceType: 'someResourceType',
},
};
const mockUser: BackstageIdentityResponse = {
const mockUser: PolicyQueryUser = {
identity: {
userEntityRef: 'parsifal-m',
userEntityRef: 'user:default/parsifal-m',
ownershipEntityRefs: ['user:default/parsifal-m', 'group:default/users'],
type: 'user',
},
token: 'mockToken',
credentials: {
$$type: '@backstage/BackstageCredentials',
principal: 'user:default/parsifal-m',
},
info: {
userEntityRef: 'user:default/parsifal-m',
ownershipEntityRefs: ['user:default/parsifal-m', 'group:default/users'],
},
};
const mockopaEntryPoint = 'some/package/admin';

Expand Down
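Review bot: The `mockUser: PolicyQueryUser` literal is duplicated verbatim in both hunks (one per test case); hoisting it into a single `const mockUser: PolicyQueryUser = { … }` at `describe` scope would keep the two cases from drifting apart when the fixture changes again. Separately, `credentials.principal` is set to the bare string `'user:default/parsifal-m'`; if I recall the Backstage API correctly the user principal is an object carrying `type: 'user'` and `userEntityRef`, and the string only type-checks because `BackstageCredentials` leaves `principal` as `unknown`, so the fixture may not resemble what the permission backend actually hands to the policy — worth confirming against the framework's own test helpers. Since the evaluator now reads `user.info.*` unconditionally, the suite also no longer has a case covering a call without a user, which the `user?` signature previously implied was possible. The enclosing `describe` block starts and ends outside these hunks.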
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
import {
PolicyDecision,
AuthorizeResult,
Expand All @@ -7,7 +6,10 @@ import {
PermissionRuleParams,
} from '@backstage/plugin-permission-common';
import { OpaClient } from '../opa-client/opaClient';
import { PolicyQuery } from '@backstage/plugin-permission-node';
import {
PolicyQuery,
PolicyQueryUser,
} from '@backstage/plugin-permission-node';
import { PolicyEvaluationInput } from '../types';
import { LoggerService } from '@backstage/backend-plugin-api';

Expand All @@ -18,15 +20,15 @@ export const policyEvaluator = (
) => {
return async (
request: PolicyQuery,
user?: BackstageIdentityResponse,
user: PolicyQueryUser,
): Promise<PolicyDecision> => {
const input: PolicyEvaluationInput = {
permission: {
name: request.permission.name,
},
identity: {
user: user?.identity.userEntityRef,
claims: user?.identity.ownershipEntityRefs ?? [],
user: user.info.userEntityRef,
claims: user.info.ownershipEntityRefs ?? [],
},
};

Expand Down
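Review bot: Making `user` a required `PolicyQueryUser` and reading `user.info.userEntityRef` / `user.info.ownershipEntityRefs` without the previous `?.` guard turns an absent user into a thrown `TypeError` inside the policy rather than an evaluated decision. The `PermissionPolicy.handle` contract this is called from declares `user` as optional, and the permission backend can invoke it without a user (for example for callers that are not user principals), so unless the framework guarantees a user here — which I cannot see from this diff — the evaluator now errors on that path instead of sending `user: undefined, claims: []` to OPA and letting the policy decide. Keeping the parameter optional and the accesses guarded, `user?: PolicyQueryUser,` then `user: user?.info.userEntityRef,` and `claims: user?.info.ownershipEntityRefs ?? [],`, preserves the old fail-safe shape; the same tightening of `user` to required appears in `handle` in `plugins/permission-backend-module-opa-wrapper/src/policy.ts` and should be reverted there in step. The enclosing `policyEvaluator` function starts and ends outside this hunk.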
4 changes: 2 additions & 2 deletions plugins/permission-backend-module-opa-wrapper/src/policy.ts
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
import { PolicyDecision } from '@backstage/plugin-permission-common';
import {
PermissionPolicy,
PolicyQuery,
PolicyQueryUser,
} from '@backstage/plugin-permission-node';
import { OpaClient } from './opa-client';
import { LoggerService } from '@backstage/backend-plugin-api';
Expand All @@ -19,7 +19,7 @@ export class OpaPermissionPolicy implements PermissionPolicy {

async handle(
request: PolicyQuery,
user?: BackstageIdentityResponse,
user: PolicyQueryUser,
): Promise<PolicyDecision> {
const opaRbacPolicy = policyEvaluator(this.opaClient, this.logger);
return await opaRbacPolicy(request, user);
Expand Down