feat(extensions): Add extension permissions (#691)

* feat(marketplace): add permissions to extensions

* adding conditional policies

* add new service to check config authorization

Author: debsmita1

workspaces/marketplace/.changeset/short-geckos-cry.md

@@ -0,0 +1,7 @@
+---
+'@red-hat-developer-hub/backstage-plugin-marketplace-backend': minor
+'@red-hat-developer-hub/backstage-plugin-marketplace-common': minor
+'@red-hat-developer-hub/backstage-plugin-marketplace': minor
+---
+
+Added extension permissions

workspaces/marketplace/plugins/marketplace-backend/package.json

@@ -37,11 +37,13 @@
     "@backstage/backend-plugin-api": "^1.2.0",
     "@backstage/catalog-client": "^1.9.1",
     "@backstage/catalog-model": "^1.7.3",
-    "@backstage/errors": "^1.2.7",
     "@backstage/plugin-catalog-node": "^1.16.0",
+    "@backstage/plugin-permission-common": "^0.8.4",
+    "@backstage/plugin-permission-node": "^0.8.8",
     "@red-hat-developer-hub/backstage-plugin-marketplace-common": "workspace:^",
     "express": "^4.17.1",
-    "express-promise-router": "^4.1.0"
+    "express-promise-router": "^4.1.0",
+    "zod": "^3.22.4"
   },
   "devDependencies": {
     "@backstage/backend-test-utils": "^1.3.0",

workspaces/marketplace/plugins/marketplace-backend/src/permissions/rules.ts

@@ -0,0 +1,99 @@
+/*
+ * Copyright The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+  createPermissionResourceRef,
+  createPermissionRule,
+} from '@backstage/plugin-permission-node';
+import { z } from 'zod';
+import {
+  MarketplacePlugin,
+  RESOURCE_TYPE_EXTENSION_PLUGIN,
+} from '@red-hat-developer-hub/backstage-plugin-marketplace-common';
+
+export type ExtentionFilter = {
+  key: string;
+  values: Array<string> | undefined;
+};
+
+export type ExtentionFilters =
+  | { anyOf: ExtentionFilters[] }
+  | { allOf: ExtentionFilters[] }
+  | { not: ExtentionFilters }
+  | ExtentionFilter;
+
+export const extensionPermissionResourceRef = createPermissionResourceRef<
+  MarketplacePlugin,
+  ExtentionFilter
+>().with({
+  pluginId: 'marketplace',
+  resourceType: RESOURCE_TYPE_EXTENSION_PLUGIN,
+});
+
+export type ExtensionParams = {
+  annotation: string;
+  value?: string;
+  pluginNames?: string[];
+};
+
+const hasPluginName = createPermissionRule({
+  name: 'HAS_NAME',
+  description: 'Should allow users to install the plugin with specified name',
+  resourceRef: extensionPermissionResourceRef,
+
+  paramsSchema: z.object({
+    pluginNames: z
+      .string()
+      .array()
+      .optional()
+      .describe('List of plugin names to match on'),
+  }),
+  apply: (plugin: MarketplacePlugin, { pluginNames }) => {
+    return pluginNames && pluginNames.length > 0
+      ? !!pluginNames?.find(
+          name =>
+            name.toLowerCase() === plugin.metadata.title?.toLowerCase() ||
+            name.toLowerCase() === plugin.metadata.name.toLowerCase(),
+        )
+      : true;
+  },
+  toQuery: ({ pluginNames }) => ({ key: 'name', values: pluginNames }),
+});
+
+const hasAnnotation = createPermissionRule({
+  name: 'HAS_ANNOTATION',
+  description:
+    'Should allow users to install the plugin with specified annotation',
+  resourceRef: extensionPermissionResourceRef,
+  paramsSchema: z.object({
+    annotation: z.string().describe('Name of the annotation to match on'),
+    value: z
+      .string()
+      .optional()
+      .describe('Value of the annotation to match on'),
+  }),
+  apply: (plugin: MarketplacePlugin, params: ExtensionParams) =>
+    !!plugin.metadata.annotations?.hasOwnProperty(params.annotation) &&
+    (params.value === undefined
+      ? true
+      : plugin.metadata.annotations?.[params.annotation] === params.value),
+  toQuery: ({ annotation, value }) => ({
+    key: annotation,
+    values: value ? [value] : undefined,
+  }),
+});
+
+export const rules = { hasPluginName, hasAnnotation };

workspaces/marketplace/plugins/marketplace-backend/src/plugin.ts

@@ -41,8 +41,9 @@ export const marketplacePlugin = createBackendPlugin({
         httpAuth: coreServices.httpAuth,
         httpRouter: coreServices.httpRouter,
         discovery: coreServices.discovery,
+        permissions: coreServices.permissions,
       },
-      async init({ auth, httpAuth, httpRouter, discovery }) {
+      async init({ auth, httpAuth, httpRouter, discovery, permissions }) {
         const catalogApi = new CatalogClient({ discoveryApi: discovery });
 
         const marketplaceApi: MarketplaceApi = new MarketplaceCatalogClient({
@@ -54,6 +55,7 @@ export const marketplacePlugin = createBackendPlugin({
           await createRouter({
             httpAuth,
             marketplaceApi,
+            permissions,
           }),
         );
       },

workspaces/marketplace/plugins/marketplace-backend/src/router.ts

@@ -14,27 +14,78 @@
  * limitations under the License.
  */
 
-import express from 'express';
+import express, { Request } from 'express';
 import Router from 'express-promise-router';
 
-import { HttpAuthService } from '@backstage/backend-plugin-api';
+import {
+  HttpAuthService,
+  PermissionsService,
+} from '@backstage/backend-plugin-api';
+import {
+  AuthorizeResult,
+  BasicPermission,
+  PolicyDecision,
+  ResourcePermission,
+} from '@backstage/plugin-permission-common';
 
 import {
   decodeGetEntitiesRequest,
   decodeGetEntityFacetsRequest,
+  extensionPluginCreatePermission,
+  extensionPluginReadPermission,
   MarketplaceApi,
+  MarketplacePlugin,
+  RESOURCE_TYPE_EXTENSION_PLUGIN,
+  extensionPermissions,
 } from '@red-hat-developer-hub/backstage-plugin-marketplace-common';
+import { createPermissionIntegrationRouter } from '@backstage/plugin-permission-node';
 import { createSearchParams } from './utils/createSearchParams';
 import { removeVerboseSpecContent } from './utils/removeVerboseSpecContent';
+import { rules as extensionRules } from './permissions/rules';
+import { matches } from './utils/permissionUtils';
 
 export async function createRouter({
   marketplaceApi,
+  httpAuth,
+  permissions,
 }: {
   httpAuth: HttpAuthService;
   marketplaceApi: MarketplaceApi;
+  permissions: PermissionsService;
 }): Promise<express.Router> {
   const router = Router();
+  const permissionsIntegrationRouter = createPermissionIntegrationRouter({
+    resourceType: RESOURCE_TYPE_EXTENSION_PLUGIN,
+    permissions: extensionPermissions,
+    rules: Object.values(extensionRules),
+  });
   router.use(express.json());
+  router.use(permissionsIntegrationRouter);
+
+  const authorizeConditional = async (
+    request: Request,
+    permission:
+      | ResourcePermission<'extension-plugin' | 'extension-package'>
+      | BasicPermission,
+  ) => {
+    const credentials = await httpAuth.credentials(request);
+    let decision: PolicyDecision;
+    if (permission.type === 'resource') {
+      decision = (
+        await permissions.authorizeConditional([{ permission }], {
+          credentials,
+        })
+      )[0];
+    } else {
+      decision = (
+        await permissions.authorize([{ permission }], {
+          credentials,
+        })
+      )[0];
+    }
+
+    return decision;
+  };
 
   router.get('/collections', async (req, res) => {
     const request = decodeGetEntitiesRequest(createSearchParams(req));
@@ -108,6 +159,112 @@ export async function createRouter({
     res.json(plugin);
   });
 
+  router.get(
+    '/plugin/:namespace/:name/configuration/authorize',
+    async (req, res) => {
+      const [readDecision, installDecision] = await Promise.all([
+        authorizeConditional(req, extensionPluginReadPermission),
+        authorizeConditional(req, extensionPluginCreatePermission),
+      ]);
+      if (
+        readDecision.result === AuthorizeResult.DENY &&
+        installDecision.result === AuthorizeResult.DENY
+      ) {
+        res.status(403);
+        return;
+      }
+
+      const authorizedActions: string[] = [];
+      let plugin: MarketplacePlugin;
+
+      const evaluateConditional = async (
+        decision: PolicyDecision,
+        action: string,
+      ) => {
+        if (decision.result === AuthorizeResult.CONDITIONAL) {
+          if (!plugin) {
+            plugin = await marketplaceApi.getPluginByName(
+              req.params.namespace,
+              req.params.name,
+            );
+          }
+          if (matches(plugin, decision.conditions)) {
+            authorizedActions.push(action);
+          }
+        } else if (decision.result === AuthorizeResult.ALLOW) {
+          authorizedActions.push(action);
+        }
+      };
+
+      await Promise.all([
+        evaluateConditional(readDecision, 'read'),
+        evaluateConditional(installDecision, 'create'),
+      ]);
+
+      if (authorizedActions.length === 0) {
+        res.status(403);
+        return;
+      }
+      res.status(200).json({ authorizedActions });
+    },
+  );
+
+  router.get('/plugin/:namespace/:name/configuration', async (req, res) => {
+    const readDecision = await authorizeConditional(
+      req,
+      extensionPluginReadPermission,
+    );
+    if (readDecision.result === AuthorizeResult.DENY) {
+      res.status(403).json({ error: 'Forbidden' });
+      return;
+    }
+
+    const plugin = await marketplaceApi.getPluginByName(
+      req.params.namespace,
+      req.params.name,
+    );
+
+    const hasReadAccess =
+      readDecision.result === AuthorizeResult.ALLOW ||
+      (readDecision.result === AuthorizeResult.CONDITIONAL &&
+        matches(plugin, readDecision.conditions));
+    if (!hasReadAccess) {
+      res.status(403).json({ error: 'Forbidden' });
+      return;
+    }
+
+    res.status(200).json({}); // This should return the configuration in YAML string
+  });
+
+  router.post('/plugin/:namespace/:name/configuration', async (req, res) => {
+    // installs the plugin
+    const installDecision = await authorizeConditional(
+      req,
+      extensionPluginCreatePermission,
+    );
+    if (installDecision.result === AuthorizeResult.DENY) {
+      res.status(403).json({ error: 'Forbidden' });
+      return;
+    }
+
+    const plugin = await marketplaceApi.getPluginByName(
+      req.params.namespace,
+      req.params.name,
+    );
+
+    const hasInstallAccess =
+      installDecision.result === AuthorizeResult.ALLOW ||
+      (installDecision.result === AuthorizeResult.CONDITIONAL &&
+        matches(plugin, installDecision.conditions));
+
+    if (!hasInstallAccess) {
+      res.status(403).json({ error: 'Forbidden' });
+      return;
+    }
+
+    res.status(200).json({});
+  });
+
   router.get('/plugin/:namespace/:name/packages', async (req, res) => {
     const packages = await marketplaceApi.getPluginPackages(
       req.params.namespace,

workspaces/marketplace/plugins/marketplace-backend/src/utils/permissionUtils.ts

@@ -0,0 +1,57 @@
+/*
+ * Copyright The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+  PermissionCondition,
+  PermissionCriteria,
+  PermissionRuleParams,
+} from '@backstage/plugin-permission-common';
+
+import { MarketplacePlugin } from '@red-hat-developer-hub/backstage-plugin-marketplace-common';
+
+import { ExtensionParams, rules as extensionRules } from '../permissions/rules';
+
+export const matches = (
+  plugin?: MarketplacePlugin,
+  filters?: PermissionCriteria<
+    PermissionCondition<string, PermissionRuleParams>
+  >,
+): boolean => {
+  if (!filters) {
+    return true;
+  }
+
+  if (!plugin) {
+    return false;
+  }
+
+  if ('allOf' in filters) {
+    return filters.allOf.every(filter => matches(plugin, filter));
+  }
+
+  if ('anyOf' in filters) {
+    return filters.anyOf.some(filter => matches(plugin, filter));
+  }
+
+  if ('not' in filters) {
+    return !matches(plugin, filters.not);
+  }
+  return (
+    Object.values(extensionRules)
+      .find(r => r.name === filters.rule)
+      ?.apply(plugin, filters.params as ExtensionParams) ?? false
+  );
+};