/
source_backstage.go
116 lines (100 loc) · 2.94 KB
/
source_backstage.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package source
import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"time"
kitlog "github.com/go-kit/kit/log"
"github.com/go-ozzo/ozzo-validation/is"
validation "github.com/go-ozzo/ozzo-validation/v4"
"github.com/golang-jwt/jwt"
"github.com/hashicorp/go-cleanhttp"
"github.com/pkg/errors"
)
type SourceBackstage struct {
Endpoint string `json:"endpoint"` // https://backstage.company.io/api/catalog/entities
Token Credential `json:"token"`
SignJWT *bool `json:"sign_jwt"`
}
func (s SourceBackstage) Validate() error {
return validation.ValidateStruct(&s,
validation.Field(&s.Endpoint,
validation.Required.Error("must provide an endpoint for fetching Backstage entries"),
is.URL,
),
)
}
func (s SourceBackstage) String() string {
return fmt.Sprintf("backstage (endpoint=%s)", s.Endpoint)
}
func (s SourceBackstage) Load(ctx context.Context, logger kitlog.Logger) ([]*SourceEntry, error) {
var token string
if s.Token != "" {
// If not provided or explicitly enabled, sign the token into a JWT and use that as
// the Authorization header.
if s.SignJWT == nil || *s.SignJWT {
var err error
token, err = s.getJWT()
if err != nil {
return nil, err
}
// Otherwise if someone has told us not to, don't sign the token and use it as-is.
} else {
token = string(s.Token)
}
}
client := cleanhttp.DefaultClient()
var (
limit = 100
offset = 0
)
entries := []*SourceEntry{}
for {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.Endpoint+fmt.Sprintf("?limit=%d&offset=%d", limit, offset), nil)
if err != nil {
return nil, errors.Wrap(err, "building Backstage URL")
}
if token != "" {
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
}
resp, err := client.Do(req)
if err == nil && resp.StatusCode != http.StatusOK {
err = fmt.Errorf("received error from Backstage: %s", resp.Status)
}
if err != nil {
return nil, errors.Wrap(err, "fetching Backstage entries")
}
page := []json.RawMessage{}
if err := json.NewDecoder(resp.Body).Decode(&page); err != nil {
return nil, errors.Wrap(err, "parsing Backstage entries")
}
if len(page) == 0 {
return entries, nil
}
for idx := range page {
entries = append(entries, &SourceEntry{
Origin: s.String(),
Content: page[idx],
})
}
offset += len(page)
}
}
// getJWT applies the rules from the Backstage docs to generate a JWT that is valid for
// external Backstage authentication.
//
// https://backstage.io/docs/auth/service-to-service-auth/#usage-in-external-callers
func (s SourceBackstage) getJWT() (string, error) {
token := jwt.New(jwt.SigningMethodHS256)
token.Claims = jwt.MapClaims{
"sub": "backstage-server",
"exp": time.Now().Add(time.Hour).Unix(),
}
secret, err := base64.StdEncoding.DecodeString(string(s.Token))
if err != nil {
return "", errors.Wrap(err, "supplied backstage token must be a base64 string")
}
return token.SignedString(secret)
}