feat: including authentication to server applications in scaffolder plugin

lucasdrpires · lucasdrpires · commit 860de10fa67c · 2023-02-15T15:20:04.000-03:00
Signed-off-by: Lucas Pires &lt;lucas.tulio@grupoboticario.com.br&gt;
diff --git a/.changeset/backend-token-authentication.md b/.changeset/backend-token-authentication.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-scaffolder-backend': patch
+---
+
+Make identity valid if subject of token is a github-server token
diff --git a/packages/backend/src/plugins/scaffolder.ts b/packages/backend/src/plugins/scaffolder.ts
@@ -34,5 +34,6 @@ export default async function createPlugin(
     reader: env.reader,
     identity: env.identity,
     scheduler: env.scheduler,
+    tokenManager: env.tokenManager,
   });
 }
diff --git a/plugins/scaffolder-backend/src/ScaffolderPlugin.ts b/plugins/scaffolder-backend/src/ScaffolderPlugin.ts
@@ -82,6 +82,7 @@ export const scaffolderPlugin = createBackendPlugin(
           database: coreServices.database,
           httpRouter: coreServices.httpRouter,
           catalogClient: catalogServiceRef,
+          tokenManager: coreServices.tokenManager,
         },
         async init({
           logger,
@@ -90,6 +91,7 @@ export const scaffolderPlugin = createBackendPlugin(
           database,
           httpRouter,
           catalogClient,
+          tokenManager,
         }) {
           const {
             additionalTemplateFilters,
@@ -127,6 +129,7 @@ export const scaffolderPlugin = createBackendPlugin(
             taskWorkers,
             additionalTemplateFilters,
             additionalTemplateGlobals,
+            tokenManager,
           });
           httpRouter.use(router);
         },
diff --git a/plugins/scaffolder-backend/src/service/router.ts b/plugins/scaffolder-backend/src/service/router.ts
@@ -14,7 +14,11 @@
  * limitations under the License.
  */
 
-import { PluginDatabaseManager, UrlReader } from '@backstage/backend-common';
+import {
+  PluginDatabaseManager,
+  TokenManager,
+  UrlReader,
+} from '@backstage/backend-common';
 import { PluginTaskScheduler } from '@backstage/backend-tasks';
 import { CatalogApi } from '@backstage/catalog-client';
 import {
@@ -82,6 +86,7 @@ export interface RouterOptions {
   additionalTemplateFilters?: Record<string, TemplateFilter>;
   additionalTemplateGlobals?: Record<string, TemplateGlobal>;
   identity?: IdentityApi;
+  tokenManager?: TokenManager;
 }
 
 function isSupportedTemplate(entity: TemplateEntityV1beta3) {
@@ -96,13 +101,14 @@ function isSupportedTemplate(entity: TemplateEntityV1beta3) {
  * are using the IdentityApi, we can remove this function.
  */
 function buildDefaultIdentityClient({
-  logger,
+  options,
 }: {
-  logger: Logger;
+  options: RouterOptions;
 }): IdentityApi {
   return {
     getIdentity: async ({ request }: IdentityApiGetIdentityRequest) => {
       const header = request.headers.authorization;
+      const { logger, tokenManager } = options;
 
       if (!header) {
         return undefined;
@@ -132,8 +138,15 @@ function buildDefaultIdentityClient({
           throw new TypeError('Expected string sub claim');
         }
 
-        // Check that it's a valid ref, otherwise this will throw.
-        parseEntityRef(sub);
+        try {
+          // Check that it's a valid ref, otherwise this will throw.
+          parseEntityRef(sub);
+        } catch (e) {
+          if (sub !== 'backstage-server' || !options.tokenManager) {
+            throw e;
+          }
+          await tokenManager?.authenticate(token);
+        }
 
         return {
           identity: {
@@ -179,8 +192,7 @@ export async function createRouter(
   const logger = parentLogger.child({ plugin: 'scaffolder' });
 
   const identity: IdentityApi =
-    options.identity || buildDefaultIdentityClient({ logger });
-
+    options.identity || buildDefaultIdentityClient({ options });
   const workingDirectory = await getWorkingDirectory(config, logger);
   const integrations = ScmIntegrations.fromConfig(config);
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@backstage/plugin-scaffolder-backend': patch
 +---
++
 +Make identity valid if subject of token is a github-server token
Original file line number	Diff line number	Diff line change
`@@ -34,5 +34,6 @@ export default async function createPlugin(`
`34`	`34`	`reader: env.reader,`
`35`	`35`	`identity: env.identity,`
`36`	`36`	`scheduler: env.scheduler,`
	`37`	`+ tokenManager: env.tokenManager,`
`37`	`38`	`});`
`38`	`39`	`}`