
Commit 36b7c77

fix(rbac): pass token to readUrl for well-known permission endpoint (#1342)
1 parent 1c86a96 commit 36b7c77


3 files changed

+37
-24
lines changed


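--- a/plugins/rbac-backend/src/service/plugin-endpoint.test.ts
+++ b/plugins/rbac-backend/src/service/plugin-endpoint.test.ts
@@ -34,6 +34,7 @@ jest.mock('@backstage/backend-common', () => {
 });
 
 describe('plugin-endpoint', () => {
+const fakeToken = 'fakeToken';
 const mockPluginEndpointDiscovery = {
 getBaseUrl: jest.fn().mockImplementation(async (pluginId: string) => {
 return `https://localhost:7007/api/${pluginId}`;
@@ -63,7 +64,7 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(0);
 });
@@ -82,7 +83,7 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(1);
 expect(policiesMetadata[0].pluginId).toEqual('permission');
@@ -112,7 +113,7 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(1);
 expect(policiesMetadata[0].pluginId).toEqual('permission');
@@ -151,7 +152,7 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(1);
 expect(policiesMetadata[0].pluginId).toEqual('permission');
@@ -192,7 +193,7 @@ describe('plugin-endpoint', () => {
 config,
 );
 
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(1);
 expect(policiesMetadata[0].pluginId).toEqual('permission');
@@ -233,7 +234,7 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const policiesMetadata = await collector.getPluginPolicies();
+const policiesMetadata = await collector.getPluginPolicies(fakeToken);
 
 expect(policiesMetadata.length).toEqual(1);
 expect(policiesMetadata[0].pluginId).toEqual('permission');
@@ -259,7 +260,8 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const conditionRulesMetadata = await collector.getPluginConditionRules();
+const conditionRulesMetadata =
+await collector.getPluginConditionRules(fakeToken);
 
 expect(conditionRulesMetadata.length).toEqual(0);
 });
@@ -278,7 +280,8 @@ describe('plugin-endpoint', () => {
 logger,
 config,
 );
-const conditionRulesMetadata = await collector.getPluginConditionRules();
+const conditionRulesMetadata =
+await collector.getPluginConditionRules(fakeToken);
 
 expect(conditionRulesMetadata.length).toEqual(1);
 expect(conditionRulesMetadata[0].pluginId).toEqual('catalog');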
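Review bot: Every updated call site now passes `fakeToken`, but none of the visible hunks asserts that the token is actually handed to readUrl, so a regression that drops the `{ token }` option in getPluginMetaData would still pass this suite. Add one expectation per test that exercises a successful fetch, along the lines of `expect(<url-reader mock>.readUrl).toHaveBeenCalledWith(expect.any(String), { token: fakeToken });`, substituting the name of the mocked reader the file sets up above the first hunk. The fixture that defines that mock is outside these hunks, so its exact name cannot be confirmed here.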

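--- a/plugins/rbac-backend/src/service/plugin-endpoints.ts
+++ b/plugins/rbac-backend/src/service/plugin-endpoints.ts
@@ -54,10 +54,10 @@ export class PluginPermissionMetadataCollector {
 });
 }
 
-async getPluginConditionRules(): Promise<
-PluginMetadataResponseSerializedRule[]
-> {
-const pluginMetadata = await this.getPluginMetaData();
+async getPluginConditionRules(
+token: string | undefined,
+): Promise<PluginMetadataResponseSerializedRule[]> {
+const pluginMetadata = await this.getPluginMetaData(token);
 
 return pluginMetadata
 .filter(metadata => metadata.metaDataResponse.rules.length > 0)
@@ -69,8 +69,10 @@ export class PluginPermissionMetadataCollector {
 });
 }
 
-async getPluginPolicies(): Promise<PluginPermissionMetaData[]> {
-const pluginMetadata = await this.getPluginMetaData();
+async getPluginPolicies(
+token: string | undefined,
+): Promise<PluginPermissionMetaData[]> {
+const pluginMetadata = await this.getPluginMetaData(token);
 
 return pluginMetadata
 .filter(metadata => metadata.metaDataResponse.permissions !== undefined)
@@ -88,14 +90,16 @@ export class PluginPermissionMetadataCollector {
 return [{ reader: new FetchUrlReader(), predicate: (_url: URL) => true }];
 };
 
-private async getPluginMetaData(): Promise<PluginMetadataResponse[]> {
+private async getPluginMetaData(
+token: string | undefined,
+): Promise<PluginMetadataResponse[]> {
 let pluginResponses: PluginMetadataResponse[] = [];
 
 for (const pluginId of this.pluginIds) {
 const baseEndpoint = await this.discovery.getBaseUrl(pluginId);
 const wellKnownURL = `${baseEndpoint}/.well-known/backstage/permissions/metadata`;
 try {
-const permResp = await this.urlReader.readUrl(wellKnownURL);
+const permResp = await this.urlReader.readUrl(wellKnownURL, { token });
 const permMetaDataRaw = (await permResp.buffer()).toString();
 let permMetaData;
 try {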
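Review bot: The new `token` parameter on the public methods getPluginConditionRules and getPluginPolicies is undocumented, yet it decides whether the read of each plugin's `.well-known/backstage/permissions/metadata` URL carries credentials, so callers need to know what to pass. Add a TSDoc tag to both, e.g. `@param token - Bearer token forwarded unchanged to every plugin in pluginIds when its permission metadata is read; undefined sends the request without credentials.` Because the token is sent to whatever base URL discovery returns for each entry of `this.pluginIds`, the class doc should also state that the plugin list is expected to come from trusted configuration. The `try` block in getPluginMetaData continues past the end of the hunk, so how a rejected (unauthenticated) response is handled per plugin is not visible here.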

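--- a/plugins/rbac-backend/src/service/policies-rest-api.ts
+++ b/plugins/rbac-backend/src/service/policies-rest-api.ts
@@ -551,30 +551,36 @@ export class PolicesServer {
 },
 );
 
-router.get('/plugins/policies', async (req, resp) => {
-const decision = await this.authorize(req, {
+router.get('/plugins/policies', async (request, response) => {
+const decision = await this.authorize(request, {
 permission: policyEntityReadPermission,
 });
 
 if (decision.result === AuthorizeResult.DENY) {
 throw new NotAllowedError(); // 403
 }
 
-const policies = await pluginPermMetaData.getPluginPolicies();
-resp.json(policies);
+const authHeader = request.header('authorization');
+const token = getBearerTokenFromAuthorizationHeader(authHeader);
+
+const policies = await pluginPermMetaData.getPluginPolicies(token);
+response.json(policies);
 });
 
-router.get('/plugins/condition-rules', async (req, resp) => {
-const decision = await this.authorize(req, {
+router.get('/plugins/condition-rules', async (request, response) => {
+const decision = await this.authorize(request, {
 permission: policyEntityReadPermission,
 });
 
 if (decision.result === AuthorizeResult.DENY) {
 throw new NotAllowedError(); // 403
 }
 
-const rules = await pluginPermMetaData.getPluginConditionRules();
-resp.json(rules);
+const authHeader = request.header('authorization');
+const token = getBearerTokenFromAuthorizationHeader(authHeader);
+
+const rules = await pluginPermMetaData.getPluginConditionRules(token);
+response.json(rules);
 });
 
 router.get('/conditions', async (req, resp) => {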
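Review bot: The rename of `req`/`resp` to `request`/`response` in the two rewritten handlers is unrelated to the token fix and leaves the neighbouring `/conditions` handler at the end of the hunk on the old names, so the file is now inconsistent and the diff larger than the change warrants; keeping the original parameter names would confine the hunk to the token lines. The token extraction is also duplicated verbatim in both handlers and can be a single line each, `const token = getBearerTokenFromAuthorizationHeader(request.header('authorization'));`, dropping the intermediate `authHeader`. Since the section's diffstat of 14 additions and 8 deletions is fully accounted for by this hunk, getBearerTokenFromAuthorizationHeader is presumably already imported elsewhere in the file; worth confirming rather than assuming.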
