diff --git a/packages/backend/src/plugins/permission.ts b/packages/backend/src/plugins/permission.ts index 7337687c54a19..e4c2e1d435ecc 100644 --- a/packages/backend/src/plugins/permission.ts +++ b/packages/backend/src/plugins/permission.ts @@ -16,11 +16,11 @@ import { IdentityClient } from '@backstage/plugin-auth-node'; import { createRouter } from '@backstage/plugin-permission-backend'; -import { AuthorizeResult } from '@backstage/plugin-permission-common'; import { - PermissionPolicy, + AuthorizeResult, PolicyDecision, -} from '@backstage/plugin-permission-node'; +} from '@backstage/plugin-permission-common'; +import { PermissionPolicy } from '@backstage/plugin-permission-node'; import { Router } from 'express'; import { PluginEnvironment } from '../types'; diff --git a/plugins/permission-backend/src/service/PermissionIntegrationClient.ts b/plugins/permission-backend/src/service/PermissionIntegrationClient.ts index 2b2161ee71048..2c31d371c3999 100644 --- a/plugins/permission-backend/src/service/PermissionIntegrationClient.ts +++ b/plugins/permission-backend/src/service/PermissionIntegrationClient.ts @@ -17,11 +17,13 @@ import fetch from 'node-fetch'; import { z } from 'zod'; import { PluginEndpointDiscovery } from '@backstage/backend-common'; -import { AuthorizeResult } from '@backstage/plugin-permission-common'; +import { + AuthorizeResult, + ConditionalPolicyDecision, +} from '@backstage/plugin-permission-common'; import { ApplyConditionsRequestEntry, ApplyConditionsResponseEntry, - ConditionalPolicyDecision, } from '@backstage/plugin-permission-node'; const responseSchema = z.object({ diff --git a/plugins/permission-common/src/types/api.ts b/plugins/permission-common/src/types/api.ts index c4d68ce3fa98e..97b1182805c78 100644 --- a/plugins/permission-common/src/types/api.ts +++ b/plugins/permission-common/src/types/api.ts 
@@ -50,6 +50,46 @@ export enum AuthorizeResult { CONDITIONAL = 'CONDITIONAL', } +/** + * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}. + * + * @remarks + * + * This indicates that the policy unconditionally allows (or denies) the request. + * + * @public + */ +export type DefinitivePolicyDecision = { + result: AuthorizeResult.ALLOW | AuthorizeResult.DENY; +}; + +/** + * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}. + * + * @remarks + * + * This indicates that the policy allows authorization for the request, given that the returned + * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin + * which knows about the referenced permission rules. + * + * @public + */ +export type ConditionalPolicyDecision = { + result: AuthorizeResult.CONDITIONAL; + pluginId: string; + resourceType: string; + conditions: PermissionCriteria; +}; + +/** + * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}. + * + * @public + */ +export type PolicyDecision = + | DefinitivePolicyDecision + | ConditionalPolicyDecision; + /** * An individual authorization request for {@link PermissionClient#authorize}. * @public diff --git a/plugins/permission-common/src/types/index.ts b/plugins/permission-common/src/types/index.ts index 83be62504645c..f89f0c8aecc0c 100644 --- a/plugins/permission-common/src/types/index.ts +++ b/plugins/permission-common/src/types/index.ts @@ -22,6 +22,9 @@ export type { AuthorizeResponse, IdentifiedPermissionMessage, PermissionMessageBatch, + ConditionalPolicyDecision, + DefinitivePolicyDecision, + PolicyDecision, PermissionCondition, PermissionCriteria, AllOfCriteria, diff --git a/plugins/permission-node/src/integration/createConditionExports.ts b/plugins/permission-node/src/integration/createConditionExports.ts index fd351128ed0b1..ab889873891d8 100644 
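Review bot: The doc comment added for `ConditionalPolicyDecision` in plugins/permission-common/src/types/api.ts no longer explains `pluginId` and `resourceType`. The version removed from permission-node/src/policy/types.ts said they are the plugin and resource identifiers needed to evaluate the returned conditions, and that sentence is worth restoring. Since the type is now exported from the common package, I would also add a remark that the result is not a grant on its own, for example `A CONDITIONAL result must not be treated as ALLOW; access is decided only after the plugin named by pluginId has applied the conditions to the resource.` A consumer that only tests `result !== AuthorizeResult.DENY` would otherwise pass conditional decisions through unevaluated. Whether any such consumer exists cannot be seen from this diff.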
--- a/plugins/permission-node/src/integration/createConditionExports.ts +++ b/plugins/permission-node/src/integration/createConditionExports.ts @@ -16,10 +16,10 @@ import { AuthorizeResult, + ConditionalPolicyDecision, PermissionCondition, PermissionCriteria, } from '@backstage/plugin-permission-common'; -import { ConditionalPolicyDecision } from '../policy'; import { PermissionRule } from '../types'; import { createConditionFactory } from './createConditionFactory'; diff --git a/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts b/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts index 17e514432c9aa..b598487062247 100644 --- a/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts +++ b/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts @@ -21,6 +21,7 @@ import { InputError } from '@backstage/errors'; import { errorHandler } from '@backstage/backend-common'; import { AuthorizeResult, + DefinitivePolicyDecision, IdentifiedPermissionMessage, PermissionCondition, PermissionCriteria, @@ -32,7 +33,6 @@ import { isNotCriteria, isOrCriteria, } from './util'; -import { DefinitivePolicyDecision } from '../policy/types'; const permissionCriteriaSchema: z.ZodSchema< PermissionCriteria diff --git a/plugins/permission-node/src/policy/index.ts b/plugins/permission-node/src/policy/index.ts index 1d3fc4a737e01..988ce345a4991 100644 --- a/plugins/permission-node/src/policy/index.ts +++ b/plugins/permission-node/src/policy/index.ts @@ -14,10 +14,4 @@ * limitations under the License. */ -export type { - ConditionalPolicyDecision, - DefinitivePolicyDecision, - PermissionPolicy, - PolicyAuthorizeQuery, - PolicyDecision, -} from './types'; +export type { PermissionPolicy, PolicyAuthorizeQuery } from './types'; diff --git a/plugins/permission-node/src/policy/types.ts b/plugins/permission-node/src/policy/types.ts index 19b12b8f28482..fed803a2a931b 100644 
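Review bot: The new export line in plugins/permission-node/src/policy/index.ts drops `ConditionalPolicyDecision`, `DefinitivePolicyDecision` and `PolicyDecision` from the package's public surface without a forwarding export. Any policy module that still imports them from `@backstage/plugin-permission-node` will stop compiling, which is why packages/backend/src/plugins/permission.ts had to be edited in this same commit. If a deprecation window is wanted, keep a type-only re-export marked `@deprecated`, such as `export type { ConditionalPolicyDecision, DefinitivePolicyDecision, PolicyDecision } from '@backstage/plugin-permission-common';`. No changeset or migration note is visible in this diff, so it may exist elsewhere.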
--- a/plugins/permission-node/src/policy/types.ts +++ b/plugins/permission-node/src/policy/types.ts @@ -16,9 +16,7 @@ import { AuthorizeQuery, - AuthorizeResult, - PermissionCondition, - PermissionCriteria, + PolicyDecision, } from '@backstage/plugin-permission-common'; import { BackstageIdentityResponse } from '@backstage/plugin-auth-node'; @@ -35,48 +33,6 @@ import { BackstageIdentityResponse } from '@backstage/plugin-auth-node'; */ export type PolicyAuthorizeQuery = Omit; -/** - * A definitive result to an authorization request, returned by the {@link PermissionPolicy}. - * - * @remarks - * - * This indicates that the policy unconditionally allows (or denies) the request. - * - * @public - */ -export type DefinitivePolicyDecision = { - result: AuthorizeResult.ALLOW | AuthorizeResult.DENY; -}; - -/** - * A conditional result to an authorization request, returned by the {@link PermissionPolicy}. - * - * @remarks - * - * This indicates that the policy allows authorization for the request, given that the returned - * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin - * which knows about the referenced permission rules. - * - * Similar to {@link @backstage/permission-common#AuthorizeDecision}, but with the plugin and resource - * identifiers needed to evaluate the returned conditions. - * @public - */ -export type ConditionalPolicyDecision = { - result: AuthorizeResult.CONDITIONAL; - pluginId: string; - resourceType: string; - conditions: PermissionCriteria; -}; - -/** - * The result of evaluating an authorization request with a {@link PermissionPolicy}. - * - * @public - */ -export type PolicyDecision = - | DefinitivePolicyDecision - | ConditionalPolicyDecision; - /** * A policy to evaluate authorization requests for any permissioned action performed in Backstage. *