feat(orchestrator): add permissions to orchestrator plugin (#1599)

Motivation
Workflows create assets and retrieve data from external parties.
Those created assets are non-trivial by nature, cost money and time and
the data retrieved should be kept for federated.
For this reason we are introducing permission on the  various route
entries of the orchestrator.

Modification
All the route entries of the orchestrator backend plugin will run an authorization check
All frontend calls to the backend will pass identity when its available

Result
Orchestrator interactions requires authorization to execute workflow and view their outcomes.

Signed-off-by: Roy Golan <[email protected]>

Author: rgolangh

plugins/orchestrator-backend/dev/index.ts

@@ -1,8 +1,13 @@
-import { createServiceBuilder, UrlReader } from '@backstage/backend-common';
+import {
+  createServiceBuilder,
+  ServerTokenManager,
+  UrlReader,
+} from '@backstage/backend-common';
+import { DiscoveryService } from '@backstage/backend-plugin-api';
 import { PluginTaskScheduler } from '@backstage/backend-tasks';
 import { CatalogApi } from '@backstage/catalog-client';
 import { Config } from '@backstage/config';
-import { DiscoveryApi } from '@backstage/core-plugin-api';
+import { ServerPermissionClient } from '@backstage/plugin-permission-node';
 
 import { Logger } from 'winston';
 
@@ -15,7 +20,7 @@ export interface ServerOptions {
   enableCors: boolean;
   logger: Logger;
   config: Config;
-  discovery: DiscoveryApi;
+  discovery: DiscoveryService;
   catalogApi: CatalogApi;
   urlReader: UrlReader;
   scheduler: PluginTaskScheduler;
@@ -26,13 +31,20 @@ export async function startStandaloneServer(
 ): Promise<Server> {
   const logger = options.logger.child({ service: 'orchestrator-backend' });
   logger.debug('Starting application server...');
+
+  const permissions = ServerPermissionClient.fromConfig(options.config, {
+    discovery: options.discovery,
+    tokenManager: ServerTokenManager.noop(),
+  });
+
   const router = await createRouter({
     logger: logger,
     config: options.config,
     discovery: options.discovery,
     catalogApi: options.catalogApi,
     urlReader: options.urlReader,
     scheduler: options.scheduler,
+    permissions: permissions,
   });
 
   let service = createServiceBuilder(module)

plugins/orchestrator-backend/dist-dynamic/package.json

@@ -60,6 +60,7 @@
     "@backstage/backend-app-api": "^0.7.2",
     "@backstage/backend-common": "^0.21.7",
     "@backstage/backend-dynamic-feature-service": "^0.2.9",
+    "@backstage/errors": "^1.2.4",
     "@backstage/backend-plugin-api": "^0.6.17",
     "@backstage/backend-tasks": "^0.5.22",
     "@backstage/catalog-client": "^1.6.4",
@@ -71,6 +72,9 @@
     "@backstage/plugin-events-node": "^0.3.3",
     "@backstage/plugin-scaffolder-backend": "^1.22.5",
     "@backstage/plugin-scaffolder-node": "^0.4.3",
+    "@backstage/plugin-permission-common": "^0.7.13",
+    "@backstage/plugin-permission-node": "^0.7.27",
+    "@backstage/plugin-auth-node": "^0.4.11",
     "@backstage/types": "^1.1.1"
   },
   "overrides": {

plugins/orchestrator-backend/package.json

@@ -60,6 +60,7 @@
     "@backstage/backend-app-api": "^0.7.2",
     "@backstage/backend-common": "^0.21.7",
     "@backstage/backend-dynamic-feature-service": "^0.2.9",
+    "@backstage/errors": "^1.2.4",
     "@backstage/backend-plugin-api": "^0.6.17",
     "@backstage/backend-tasks": "^0.5.22",
     "@backstage/catalog-client": "^1.6.4",
@@ -71,6 +72,9 @@
     "@backstage/plugin-events-node": "^0.3.3",
     "@backstage/plugin-scaffolder-backend": "^1.22.5",
     "@backstage/plugin-scaffolder-node": "^0.4.3",
+    "@backstage/plugin-permission-common": "^0.7.13",
+    "@backstage/plugin-permission-node": "^0.7.27",
+    "@backstage/plugin-auth-node": "^0.4.11",
     "@backstage/types": "^1.1.1",
     "@janus-idp/backstage-plugin-orchestrator-common": "1.7.2",
     "@urql/core": "^4.1.4",

plugins/orchestrator-backend/src/OrchestratorPlugin.ts

@@ -18,6 +18,8 @@ export const orchestratorPlugin = createBackendPlugin({
         httpRouter: coreServices.httpRouter,
         urlReader: coreServices.urlReader,
         scheduler: coreServices.scheduler,
+        permissions: coreServices.permissions,
+        httpAuth: coreServices.httpAuth,
         catalogApi: catalogServiceRef,
       },
       async init({
@@ -28,6 +30,8 @@ export const orchestratorPlugin = createBackendPlugin({
         catalogApi,
         urlReader,
         scheduler,
+        permissions,
+        httpAuth,
       }) {
         const log = loggerToWinstonLogger(logger);
         const router = await createRouter({
@@ -37,6 +41,8 @@ export const orchestratorPlugin = createBackendPlugin({
           catalogApi: catalogApi,
           urlReader: urlReader,
           scheduler: scheduler,
+          permissions: permissions,
+          httpAuth: httpAuth,
         });
         httpRouter.use(router);
       },

plugins/orchestrator-backend/src/routerWrapper/index.ts

@@ -1,8 +1,12 @@
-import { UrlReader } from '@backstage/backend-common';
+import { createLegacyAuthAdapters, UrlReader } from '@backstage/backend-common';
+import {
+  DiscoveryService,
+  HttpAuthService,
+  PermissionsService,
+} from '@backstage/backend-plugin-api';
 import { PluginTaskScheduler } from '@backstage/backend-tasks';
 import { CatalogApi } from '@backstage/catalog-client';
 import { Config } from '@backstage/config';
-import { DiscoveryApi } from '@backstage/core-plugin-api';
 
 import express from 'express';
 import { Logger } from 'winston';
@@ -13,10 +17,12 @@ import { createBackendRouter } from '../service/router';
 export interface RouterArgs {
   config: Config;
   logger: Logger;
-  discovery: DiscoveryApi;
+  discovery: DiscoveryService;
   catalogApi: CatalogApi;
   urlReader: UrlReader;
   scheduler: PluginTaskScheduler;
+  permissions: PermissionsService;
+  httpAuth?: HttpAuthService;
 }
 
 export async function createRouter(args: RouterArgs): Promise<express.Router> {
@@ -35,12 +41,18 @@ export async function createRouter(args: RouterArgs): Promise<express.Router> {
     }
   }
 
+  const { httpAuth } = createLegacyAuthAdapters({
+    httpAuth: args.httpAuth,
+    discovery: args.discovery,
+  });
   return await createBackendRouter({
     config: args.config,
     logger: args.logger,
     discovery: args.discovery,
     catalogApi: args.catalogApi,
     urlReader: args.urlReader,
     scheduler: args.scheduler,
+    permissions: args.permissions,
+    httpAuth: httpAuth,
   });
 }

plugins/orchestrator-backend/src/service/DevModeService.ts

@@ -136,7 +136,6 @@ export class DevModeService {
       launcherArgs.push(`--add-host`, `jira.test:${this.connection.jira.host}`);
     }
 
-    launcherArgs.push('--rm');
     launcherArgs.push('-e', `QUARKUS_HTTP_PORT=${this.connection.port}`);
 
     launcherArgs.push('-p', `${this.connection.port}:${this.connection.port}`);