🐛 Bug Report: Error 403 when accessing catalog using GitLab auth method #24503

javiermartingonzalez opened this issue Apr 24, 2024 · 6 comments
Labels: area:catalog (Related to the Catalog Project Area), bug (Something isn't working)

Comments

@javiermartingonzalez (Author)

📜 Description

After upgrading Backstage from 1.25.0 to 1.26.4 I'm not able to get the entities in the frontend using my GitLab account.

I'm able to access entities successfully using the Guest account, but I'm getting a 403 error when logged in with my GitLab user. I'm using the new backend system.

I only updated to the new release and also changed the imports to backstage-community. No more changes.

👍 Expected behavior

To be able to get the entities in the catalog when logged in with my GitLab account, in the same way as with Guest access.

👎 Actual Behavior with Screenshots

I'm getting an error 403 when trying to get entities from catalog.

The backend log says:

2024-04-24T16:24:47.484Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:47 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:47.493Z backstage error Request failed with status 500 There was a problem performing the search query: Request failed with 403 Forbidden type=errorHandler stack=Error: There was a problem performing the search query: Request failed with 403 Forbidden
    at <anonymous> (C:\Repositorios\idp\backstage\node_modules\@backstage\plugin-search-backend\src\service\router.ts:213:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-04-24T16:24:47.494Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:47 +0000] "GET /api/search/query?term= HTTP/1.1" 500 518 "http://localhost:3000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" type=incomingRequest        
2024-04-24T16:24:47.508Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:47 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:47.532Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:47 +0000] "GET /api/catalog/entities?fields=metadata.name,metadata.changelog,kind&filter=kind%3Dapi HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" type=incomingRequest
2024-04-24T16:24:48.223Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:48.235Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:48.249Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:48.261Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:48.274Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "POST /api/permission/authorize HTTP/1.1" 403 636 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
2024-04-24T16:24:48.431Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "GET /api/catalog/entity-facets?facet=relations.ownedBy HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" type=incomingRequest
2024-04-24T16:24:48.432Z rootHttpRouter info ::1 - - [24/Apr/2024:16:24:48 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" type=incomingRequest

I'm using the new backend system, importing the permission plugin as a legacyPlugin with an ALLOW policy:

import { Router } from 'express';
import { createRouter } from '@backstage/plugin-permission-backend';
import { AuthorizeResult, PolicyDecision } from '@backstage/plugin-permission-common';
import { PermissionPolicy } from '@backstage/plugin-permission-node';
import { PluginEnvironment } from '../types';

// Policy that allows every request, regardless of user or permission.
class ExamplePermissionPolicy implements PermissionPolicy {
  async handle(): Promise<PolicyDecision> {
    return {
      result: AuthorizeResult.ALLOW,
    };
  }
}

// Old-backend-system permission router, wired with the policy above and
// loaded into the new backend through legacyPlugin.
export default async function createPlugin(
  env: PluginEnvironment,
): Promise<Router> {
  return await createRouter({
    config: env.config,
    logger: env.logger,
    discovery: env.discovery,
    policy: new ExamplePermissionPolicy(),
    identity: env.identity,
  });
}

(screenshot: issue1)

With the guest user I'm getting a 200 code and the catalog is displayed on the screen.

The login is OK: I'm able to access my GitLab username and read info about ownership from GitLab, but nothing more, due to the permission error.

(screenshot: issue2)

👟 Reproduction steps

  1. Log in to Backstage using GitLab with the new backend system
  2. Try to access any entity

📃 Provide the context for the Bug.

I have the following key in my app-config.yaml from 1.25.0 (I need to be able to call getEntities from a quartz job in my backend):

backend:
  auth:
    dangerouslyDisableDefaultAuthPolicy: true

And my resolver for GitLab is:

    gitlab:
      development:
        clientId: ${AUTH_GITLAB_CLIENTID}
        clientSecret: ${AUTH_GITLAB_CLIENT_SECRET}
        audience: ${AUTH_GITLAB_AUDIENCE_URL}
        callbackUrl: https://${BASE_URL}/api/auth/gitlab/handler/frame/
        signIn:
          resolvers:
            - resolver: usernameMatchingUserEntityName

🖥️ Your Environment

OS:   Windows_NT 10.0.19045 - win32/x64
node: v18.12.1
yarn: 1.22.1
cli:  0.26.4 (installed)
backstage:  1.26.4

Dependencies:
  @backstage/app-defaults                                          1.5.4
  @backstage/backend-app-api                                       0.4.5, 0.5.14, 0.7.1
  @backstage/backend-common                                        0.18.5, 0.19.9, 0.21.7
  @backstage/backend-defaults                                      0.2.17
  @backstage/backend-dev-utils                                     0.1.4
  @backstage/backend-openapi-utils                                 0.1.10
  @backstage/backend-plugin-api                                    0.4.0, 0.5.4, 0.6.17
  @backstage/backend-tasks                                         0.4.3, 0.5.22
  @backstage/catalog-client                                        1.6.4
  @backstage/catalog-model                                         1.4.5
  @backstage/cli-common                                            0.1.13
  @backstage/cli-node                                              0.2.5
  @backstage/cli                                                   0.26.4
  @backstage/config-loader                                         1.8.0
  @backstage/config                                                1.2.0
  @backstage/core-app-api                                          1.12.4
  @backstage/core-compat-api                                       0.2.4
  @backstage/core-components                                       0.13.10, 0.14.5
  @backstage/core-plugin-api                                       1.9.2
  @backstage/dev-utils                                             1.0.31
  @backstage/errors                                                1.2.4
  @backstage/eslint-plugin                                         0.1.7
  @backstage/frontend-plugin-api                                   0.6.4
  @backstage/integration-aws-node                                  0.1.12
  @backstage/integration-react                                     1.1.26
  @backstage/integration                                           1.10.0
  @backstage/plugin-api-docs                                       0.11.4
  @backstage/plugin-app-backend                                    0.3.65
  @backstage/plugin-app-node                                       0.1.17
  @backstage/plugin-auth-backend-module-atlassian-provider         0.1.9
  @backstage/plugin-auth-backend-module-aws-alb-provider           0.1.9
  @backstage/plugin-auth-backend-module-azure-easyauth-provider    0.1.0
  @backstage/plugin-auth-backend-module-bitbucket-provider         0.1.0
  @backstage/plugin-auth-backend-module-cloudflare-access-provider 0.1.0
  @backstage/plugin-auth-backend-module-gcp-iap-provider           0.2.12
  @backstage/plugin-auth-backend-module-github-provider            0.1.14
  @backstage/plugin-auth-backend-module-gitlab-provider            0.1.14
  @backstage/plugin-auth-backend-module-google-provider            0.1.14
  @backstage/plugin-auth-backend-module-microsoft-provider         0.1.12
  @backstage/plugin-auth-backend-module-oauth2-provider            0.1.14
  @backstage/plugin-auth-backend-module-oauth2-proxy-provider      0.1.10
  @backstage/plugin-auth-backend-module-oidc-provider              0.1.8
  @backstage/plugin-auth-backend-module-okta-provider              0.0.10
  @backstage/plugin-auth-backend                                   0.22.4
  @backstage/plugin-auth-node                                      0.2.19, 0.4.12
  @backstage/plugin-auth-react                                     0.1.1
  @backstage/plugin-catalog-backend-module-gitlab                  0.3.15
  @backstage/plugin-catalog-backend-module-scaffolder-entity-model 0.1.15
  @backstage/plugin-catalog-backend                                1.21.1
  @backstage/plugin-catalog-common                                 1.0.22
  @backstage/plugin-catalog-graph                                  0.4.4
  @backstage/plugin-catalog-import                                 0.10.10
  @backstage/plugin-catalog-node                                   1.11.1
  @backstage/plugin-catalog-react                                  1.11.3
  @backstage/plugin-catalog                                        1.19.0
  @backstage/plugin-events-node                                    0.3.3
  @backstage/plugin-explore-common                                 0.0.3
  @backstage/plugin-home-react                                     0.1.12
  @backstage/plugin-home                                           0.7.3
  @backstage/plugin-org                                            0.6.24
  @backstage/plugin-permission-backend                             0.5.41
  @backstage/plugin-permission-common                              0.7.13
  @backstage/plugin-permission-node                                0.7.28
  @backstage/plugin-permission-react                               0.4.22
  @backstage/plugin-proxy-backend                                  0.4.15
  @backstage/plugin-scaffolder-backend-module-azure                0.1.9
  @backstage/plugin-scaffolder-backend-module-bitbucket-cloud      0.1.7
  @backstage/plugin-scaffolder-backend-module-bitbucket-server     0.1.7
  @backstage/plugin-scaffolder-backend-module-bitbucket            0.2.7
  @backstage/plugin-scaffolder-backend-module-gerrit               0.1.9
  @backstage/plugin-scaffolder-backend-module-gitea                0.1.7
  @backstage/plugin-scaffolder-backend-module-github               0.2.7
  @backstage/plugin-scaffolder-backend-module-gitlab               0.3.3
  @backstage/plugin-scaffolder-backend-module-rails                0.4.34
  @backstage/plugin-scaffolder-backend                             1.22.4
  @backstage/plugin-scaffolder-common                              1.5.1
  @backstage/plugin-scaffolder-node                                0.1.0, 0.4.3
  @backstage/plugin-scaffolder-react                               1.8.4
  @backstage/plugin-scaffolder                                     1.19.3
  @backstage/plugin-search-backend-module-catalog                  0.1.23
  @backstage/plugin-search-backend-module-explore                  0.1.23
  @backstage/plugin-search-backend-module-pg                       0.5.26
  @backstage/plugin-search-backend-module-techdocs                 0.1.22
  @backstage/plugin-search-backend-node                            1.2.21
  @backstage/plugin-search-backend                                 1.5.7
  @backstage/plugin-search-common                                  1.2.11
  @backstage/plugin-search-react                                   1.7.10
  @backstage/plugin-search                                         1.4.10
  @backstage/plugin-techdocs-backend                               1.10.4
  @backstage/plugin-techdocs-module-addons-contrib                 1.1.9
  @backstage/plugin-techdocs-node                                  1.12.3
  @backstage/plugin-techdocs-react                                 1.2.3
  @backstage/plugin-techdocs                                       1.10.4
  @backstage/plugin-user-settings                                  0.8.5
  @backstage/release-manifests                                     0.0.11
  @backstage/repo-tools                                            0.8.0
  @backstage/test-utils                                            1.5.4
  @backstage/theme                                                 0.4.4, 0.5.3
  @backstage/types                                                 1.1.1
  @backstage/version-bridge                                        1.0.8

👀 Have you spent some time to check if this bug has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

@javiermartingonzalez javiermartingonzalez added the bug Something isn't working label Apr 24, 2024
@javiermartingonzalez javiermartingonzalez changed the title 🐛 Bug Report: <title> 🐛 Bug Report: Error 403 when accessing catalog using GitLab auth method Apr 24, 2024
@github-actions github-actions bot added the area:catalog Related to the Catalog Project Area label Apr 24, 2024
@javiermartingonzalez (Author)

Updated to Backstage 1.27.1 and problem persists, any idea?

@Rugvip (Member) commented May 20, 2024

Hmm, do you have some custom auth setup or other middleware as part of your setup? For example the following request does not have any code path that returns a 403 in a standard setup afaik: POST /api/permission/authorize HTTP/1.1" 403

@javiermartingonzalez (Author)

Hello, I don't have a custom auth. I'm using the GitLab provider offered by Backstage.

I don't have a custom middleware; in permissions.ts I'm using the ExamplePermissionPolicy that comes with Backstage.

The strange thing here is that when using Guest access I don't have any problem, but with GitLab access I'm getting a 403 trying to read the catalog, without any custom middleware or anything similar.

@javiermartingonzalez (Author)

It seems to be something with the permissions framework, because after changing permissions to false in app-config.yaml it is working.

Checking again, I have the ExamplePermissionPolicy with a change: allow all if the user is logged in, and allow specific components if the user is not logged in (Guest).

Doing some tests with console.logs: if the user is not present (guests) I'm entering that policy and returning the desired components without any problem. But with the user present, it isn't entering the policy, so it is crashing at some point before checking the permission framework policy.

Everything was working before 1.26, and I have it working with 1.25 in another branch. But in the branch where I'm updating to 1.26 (and now 1.27) it seems there is an incompatibility or a breaking change between permissions and the GitLab auth resolver (or auth in general...).

The permissions plugin (https://backstage.io/docs/permissions) is still using the old backend way... probably the problem is related to that.

@javiermartingonzalez (Author)

Solved. After reading the message in #24517 (comment), I reviewed the Migrating to the new backend guide again, and a new section about migrating Permissions is available (https://backstage.io/docs/backend-system/building-backends/migrating/#the-permission-plugin).

I followed that guide some versions ago, and the Backstage changelog, the Permissions documentation and the plugin changelog file... make no mention of that new 'alpha' version that is needed to keep using the permission framework.

As advice, please note that in the documentation!
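A worked version of the guest-versus-signed-in policy described earlier in this thread, in the `handle(request, user)` shape the permission backend expects. This is an added example, not code from the issue author or from the Backstage project. To keep it runnable without the Backstage packages, the enum and interfaces at the top are local stand-ins that mirror `AuthorizeResult`, `PolicyQuery`, `BackstageIdentityResponse` and `PolicyDecision` from `@backstage/plugin-permission-common`, `@backstage/plugin-permission-node` and `@backstage/plugin-auth-node`; the guest allowlist of permission names and the `decide` helper are assumptions chosen for illustration.

```typescript
// Added example for this thread; not code from the issue author or from the
// Backstage project. The enum and interfaces below are local stand-ins that
// mirror AuthorizeResult, PolicyQuery, BackstageIdentityResponse and
// PolicyDecision so the policy runs here without the Backstage packages.
// In a real backend, import those from @backstage/plugin-permission-common,
// @backstage/plugin-permission-node and @backstage/plugin-auth-node instead.

export enum AuthorizeResult {
  DENY = 'DENY',
  ALLOW = 'ALLOW',
}

export type PermissionAction = 'create' | 'read' | 'update' | 'delete';

export interface PolicyQuery {
  permission: {
    name: string;
    attributes: { action?: PermissionAction };
  };
}

export interface BackstageIdentityResponse {
  identity: {
    userEntityRef: string;
    ownershipEntityRefs: string[];
  };
}

export interface PolicyDecision {
  result: AuthorizeResult;
}

// Assumed allowlist for guests (constructed for this example): read-only
// catalog permissions only. Anything else is denied for unauthenticated callers.
export const GUEST_ALLOWED_PERMISSIONS: ReadonlySet<string> = new Set([
  'catalog.entity.read',
  'catalog.location.read',
]);

export class GuestAwarePermissionPolicy {
  // Synchronous core so a decision can be inspected directly.
  evaluate(request: PolicyQuery, user?: BackstageIdentityResponse): PolicyDecision {
    // A resolved user entity ref means the sign-in resolver (for example
    // usernameMatchingUserEntityName for GitLab) succeeded: allow everything,
    // matching the "allow all if logged in" rule from the thread.
    if (user?.identity?.userEntityRef) {
      return { result: AuthorizeResult.ALLOW };
    }
    // Guest: allow only listed permissions, and only when the declared action
    // is a read. The action check guards against a non-read permission being
    // added to the allowlist by mistake.
    const { name, attributes } = request.permission;
    const isRead = attributes.action === undefined || attributes.action === 'read';
    if (isRead && GUEST_ALLOWED_PERMISSIONS.has(name)) {
      return { result: AuthorizeResult.ALLOW };
    }
    return { result: AuthorizeResult.DENY };
  }

  // Same signature as PermissionPolicy.handle; the permission backend awaits it.
  async handle(request: PolicyQuery, user?: BackstageIdentityResponse): Promise<PolicyDecision> {
    return this.evaluate(request, user);
  }
}

// Helper (assumed, for illustration): the decision for one permission name,
// its declared action, and an optional signed-in user.
export function decide(
  permissionName: string,
  action?: PermissionAction,
  user?: BackstageIdentityResponse,
): AuthorizeResult {
  const policy = new GuestAwarePermissionPolicy();
  const request: PolicyQuery = { permission: { name: permissionName, attributes: { action } } };
  return policy.evaluate(request, user).result;
}
```

In a real backend the stand-in types are replaced by the imports named above, the class is registered through a `createBackendModule({ pluginId: 'permission', ... })` whose init calls `policy.setPolicy(new GuestAwarePermissionPolicy())` on `policyExtensionPoint` from `@backstage/plugin-permission-node/alpha`, and the backend adds `import('@backstage/plugin-permission-backend/alpha')` instead of the legacy `createRouter` wiring shown in the issue body, as the linked migration section describes. Separately, `backend.auth.dangerouslyDisableDefaultAuthPolicy: true` lets unauthenticated requests reach every backend plugin; a backend job that needs `getEntities` can instead request a service token from the new backend's `auth` service (`auth.getPluginRequestToken` with `auth.getOwnServiceCredentials()` as `onBehalfOf` and `targetPluginId: 'catalog'`) so the flag can be removed.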

@JD-Gonz (Contributor) commented May 28, 2024

Thanks for documenting your solution @javiermartingonzalez I had the same issue and this helped!
