feat(orchestrator): add permissions to orchestrator plugin (janus-idp…

…#1599) Motivation Workflows create assets and retrieve data from external parties. Those created assets are non-trivial by nature, cost money and time and the data retrieved should be kept for federated. For this reason we are introducing permission on the various route entries of the orchestrator. Modification All the route entries of the orchestrator backend plugin will run an authorization check All frontend calls to the backend will pass identity when its available Result Orchestrator interactions requires authorization to execute workflow and view their outcomes. Signed-off-by: Roy Golan <[email protected]>
kim-tsao · May 22, 2024 · d0a4531 · d0a4531
1 parent 0b36164
commit d0a4531
Show file tree

Hide file tree

Showing 16 changed files with 471 additions and 90 deletions.
diff --git a/plugins/orchestrator-backend/dev/index.ts b/plugins/orchestrator-backend/dev/index.ts
@@ -1,8 +1,13 @@
-import { createServiceBuilder, UrlReader } from '@backstage/backend-common';
+import {
+  createServiceBuilder,
+  ServerTokenManager,
+  UrlReader,
+} from '@backstage/backend-common';
+import { DiscoveryService } from '@backstage/backend-plugin-api';
 import { PluginTaskScheduler } from '@backstage/backend-tasks';
 import { CatalogApi } from '@backstage/catalog-client';
 import { Config } from '@backstage/config';
-import { DiscoveryApi } from '@backstage/core-plugin-api';
+import { ServerPermissionClient } from '@backstage/plugin-permission-node';
 
 import { Logger } from 'winston';
 
@@ -15,7 +20,7 @@ export interface ServerOptions {
   enableCors: boolean;
   logger: Logger;
   config: Config;
-  discovery: DiscoveryApi;
+  discovery: DiscoveryService;
   catalogApi: CatalogApi;
   urlReader: UrlReader;
   scheduler: PluginTaskScheduler;
@@ -26,13 +31,20 @@ export async function startStandaloneServer(
 ): Promise<Server> {
   const logger = options.logger.child({ service: 'orchestrator-backend' });
   logger.debug('Starting application server...');
+
+  const permissions = ServerPermissionClient.fromConfig(options.config, {
+    discovery: options.discovery,
+    tokenManager: ServerTokenManager.noop(),
+  });
+
   const router = await createRouter({
     logger: logger,
     config: options.config,
     discovery: options.discovery,
     catalogApi: options.catalogApi,
     urlReader: options.urlReader,
     scheduler: options.scheduler,
+    permissions: permissions,
   });
 
   let service = createServiceBuilder(module)

diff --git a/plugins/orchestrator-backend/dist-dynamic/package.json b/plugins/orchestrator-backend/dist-dynamic/package.json
@@ -60,6 +60,7 @@
     "@backstage/backend-app-api": "^0.7.2",
     "@backstage/backend-common": "^0.21.7",
     "@backstage/backend-dynamic-feature-service": "^0.2.9",
+    "@backstage/errors": "^1.2.4",
     "@backstage/backend-plugin-api": "^0.6.17",
     "@backstage/backend-tasks": "^0.5.22",
     "@backstage/catalog-client": "^1.6.4",
@@ -71,6 +72,9 @@
     "@backstage/plugin-events-node": "^0.3.3",
     "@backstage/plugin-scaffolder-backend": "^1.22.5",
     "@backstage/plugin-scaffolder-node": "^0.4.3",
+    "@backstage/plugin-permission-common": "^0.7.13",
+    "@backstage/plugin-permission-node": "^0.7.27",
+    "@backstage/plugin-auth-node": "^0.4.11",
     "@backstage/types": "^1.1.1"
   },
   "overrides": {

diff --git a/plugins/orchestrator-backend/package.json b/plugins/orchestrator-backend/package.json
@@ -60,6 +60,7 @@
     "@backstage/backend-app-api": "^0.7.2",
     "@backstage/backend-common": "^0.21.7",
     "@backstage/backend-dynamic-feature-service": "^0.2.9",
+    "@backstage/errors": "^1.2.4",
     "@backstage/backend-plugin-api": "^0.6.17",
     "@backstage/backend-tasks": "^0.5.22",
     "@backstage/catalog-client": "^1.6.4",
@@ -71,6 +72,9 @@
     "@backstage/plugin-events-node": "^0.3.3",
     "@backstage/plugin-scaffolder-backend": "^1.22.5",
     "@backstage/plugin-scaffolder-node": "^0.4.3",
+    "@backstage/plugin-permission-common": "^0.7.13",
+    "@backstage/plugin-permission-node": "^0.7.27",
+    "@backstage/plugin-auth-node": "^0.4.11",
     "@backstage/types": "^1.1.1",
     "@janus-idp/backstage-plugin-orchestrator-common": "1.7.2",
     "@urql/core": "^4.1.4",

diff --git a/plugins/orchestrator-backend/src/OrchestratorPlugin.ts b/plugins/orchestrator-backend/src/OrchestratorPlugin.ts
@@ -18,6 +18,8 @@ export const orchestratorPlugin = createBackendPlugin({
         httpRouter: coreServices.httpRouter,
         urlReader: coreServices.urlReader,
         scheduler: coreServices.scheduler,
+        permissions: coreServices.permissions,
+        httpAuth: coreServices.httpAuth,
         catalogApi: catalogServiceRef,
       },
       async init({
@@ -28,6 +30,8 @@ export const orchestratorPlugin = createBackendPlugin({
         catalogApi,
         urlReader,
         scheduler,
+        permissions,
+        httpAuth,
       }) {
         const log = loggerToWinstonLogger(logger);
         const router = await createRouter({
@@ -37,6 +41,8 @@ export const orchestratorPlugin = createBackendPlugin({
           catalogApi: catalogApi,
           urlReader: urlReader,
           scheduler: scheduler,
+          permissions: permissions,
+          httpAuth: httpAuth,
         });
         httpRouter.use(router);
       },

diff --git a/plugins/orchestrator-backend/src/routerWrapper/index.ts b/plugins/orchestrator-backend/src/routerWrapper/index.ts
@@ -1,8 +1,12 @@
-import { UrlReader } from '@backstage/backend-common';
+import { createLegacyAuthAdapters, UrlReader } from '@backstage/backend-common';
+import {
+  DiscoveryService,
+  HttpAuthService,
+  PermissionsService,
+} from '@backstage/backend-plugin-api';
 import { PluginTaskScheduler } from '@backstage/backend-tasks';
 import { CatalogApi } from '@backstage/catalog-client';
 import { Config } from '@backstage/config';
-import { DiscoveryApi } from '@backstage/core-plugin-api';
 
 import express from 'express';
 import { Logger } from 'winston';
@@ -13,10 +17,12 @@ import { createBackendRouter } from '../service/router';
 export interface RouterArgs {
   config: Config;
   logger: Logger;
-  discovery: DiscoveryApi;
+  discovery: DiscoveryService;
   catalogApi: CatalogApi;
   urlReader: UrlReader;
   scheduler: PluginTaskScheduler;
+  permissions: PermissionsService;
+  httpAuth?: HttpAuthService;
 }
 
 export async function createRouter(args: RouterArgs): Promise<express.Router> {
@@ -35,12 +41,18 @@ export async function createRouter(args: RouterArgs): Promise<express.Router> {
     }
   }
 
+  const { httpAuth } = createLegacyAuthAdapters({
+    httpAuth: args.httpAuth,
+    discovery: args.discovery,
+  });
   return await createBackendRouter({
     config: args.config,
     logger: args.logger,
     discovery: args.discovery,
     catalogApi: args.catalogApi,
     urlReader: args.urlReader,
     scheduler: args.scheduler,
+    permissions: args.permissions,
+    httpAuth: httpAuth,
   });
 }
diff --git a/plugins/orchestrator-backend/src/service/DevModeService.ts b/plugins/orchestrator-backend/src/service/DevModeService.ts
@@ -136,7 +136,6 @@ export class DevModeService {
       launcherArgs.push(`--add-host`, `jira.test:${this.connection.jira.host}`);
     }
 
-    launcherArgs.push('--rm');
     launcherArgs.push('-e', `QUARKUS_HTTP_PORT=${this.connection.port}`);
 
     launcherArgs.push('-p', `${this.connection.port}:${this.connection.port}`);