Warn if permission backend is used without permissions enabled

Signed-off-by: Joe Porpeglia <josephp@spotify.com>
backstage · Feb 14, 2022 · e2cf066 · e2cf066
1 parent a929ef2
commit e2cf066
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 2 deletions.
diff --git a/.changeset/green-bobcats-burn.md b/.changeset/green-bobcats-burn.md
@@ -0,0 +1,22 @@
+---
+'@backstage/plugin-permission-backend': minor
+---
+
+Add a warning if the permission backend is used without setting `permission.enabled=true`.
+
+**BREAKING** Permission backend's `createRouter` now requires a `config` option.
+
+```diff
+// packages/backend/src/plugins/permission.ts
+
+...
+export default async function createPlugin({
+  ...
++ config,
+}: PluginEnvironment) {
+  return createRouter({
+    ...
++   config,
+  });
+}
+```
diff --git a/packages/backend/src/plugins/permission.ts b/packages/backend/src/plugins/permission.ts
@@ -35,8 +35,9 @@ class AllowAllPermissionPolicy implements PermissionPolicy {
 export default async function createPlugin(
   env: PluginEnvironment,
 ): Promise<Router> {
-  const { logger, discovery } = env;
+  const { logger, discovery, config } = env;
   return await createRouter({
+    config,
     logger,
     discovery,
     policy: new AllowAllPermissionPolicy(),

diff --git a/plugins/permission-backend/api-report.md b/plugins/permission-backend/api-report.md
@@ -3,6 +3,7 @@
 > Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).
 
 ```ts
+import { Config } from '@backstage/config';
 import express from 'express';
 import { IdentityClient } from '@backstage/plugin-auth-node';
 import { Logger as Logger_2 } from 'winston';
@@ -14,6 +15,8 @@ export function createRouter(options: RouterOptions): Promise<express.Router>;
 
 // @public
 export interface RouterOptions {
+  // (undocumented)
+  config: Config;
   // (undocumented)
   discovery: PluginEndpointDiscovery;
   // (undocumented)

diff --git a/plugins/permission-backend/src/service/router.test.ts b/plugins/permission-backend/src/service/router.test.ts
@@ -26,6 +26,7 @@ import {
 import { PermissionIntegrationClient } from './PermissionIntegrationClient';
 
 import { createRouter } from './router';
+import { ConfigReader } from '@backstage/config';
 
 const mockApplyConditions: jest.MockedFunction<
   InstanceType<typeof PermissionIntegrationClient>['applyConditions']
@@ -63,6 +64,7 @@ describe('createRouter', () => {
 
   beforeAll(async () => {
     const router = await createRouter({
+      config: new ConfigReader({ permission: { enabled: true } }),
       logger: getVoidLogger(),
       discovery: {
         getBaseUrl: jest.fn(),

diff --git a/plugins/permission-backend/src/service/router.ts b/plugins/permission-backend/src/service/router.ts
@@ -44,6 +44,7 @@ import {
 import { PermissionIntegrationClient } from './PermissionIntegrationClient';
 import { memoize } from 'lodash';
 import DataLoader from 'dataloader';
+import { Config } from '@backstage/config';
 
 const querySchema: z.ZodSchema<Identified<AuthorizeQuery>> = z.object({
   id: z.string(),
@@ -79,6 +80,7 @@ export interface RouterOptions {
   discovery: PluginEndpointDiscovery;
   policy: PermissionPolicy;
   identity: IdentityClient;
+  config: Config;
 }
 
 const handleRequest = async (
@@ -139,7 +141,13 @@ const handleRequest = async (
 export async function createRouter(
   options: RouterOptions,
 ): Promise<express.Router> {
-  const { policy, discovery, identity } = options;
+  const { policy, discovery, identity, config, logger } = options;
+
+  if (!config.getOptionalBoolean('permission.enabled')) {
+    logger.warn(
+      'Permission backend started with permissions disabled. Enable permissions by setting permission.enabled=true.',
+    );
+  }
 
   const permissionIntegrationClient = new PermissionIntegrationClient({
     discovery,