From 970814ed38423d868a4ae463047da1922f861ec0 Mon Sep 17 00:00:00 2001
From: Joe Porpeglia <josephp@spotify.com>
Date: Mon, 21 Mar 2022 21:56:49 -0400
Subject: [PATCH] Move policy decision types to permission-common

Co-authored-by: Mike Lewis <mtlewis@users.noreply.github.com>
Signed-off-by: Joe Porpeglia <josephp@spotify.com>
---
 packages/backend/src/plugins/permission.ts    |  6 +--
 .../service/PermissionIntegrationClient.ts    |  6 ++-
 plugins/permission-common/src/types/api.ts    | 40 ++++++++++++++++
 plugins/permission-common/src/types/index.ts  |  3 ++
 .../src/integration/createConditionExports.ts |  2 +-
 .../createPermissionIntegrationRouter.ts      |  2 +-
 plugins/permission-node/src/policy/index.ts   |  8 +---
 plugins/permission-node/src/policy/types.ts   | 46 +------------------
 8 files changed, 54 insertions(+), 59 deletions(-)

diff --git a/packages/backend/src/plugins/permission.ts b/packages/backend/src/plugins/permission.ts
index 7337687c54a19..e4c2e1d435ecc 100644
--- a/packages/backend/src/plugins/permission.ts
+++ b/packages/backend/src/plugins/permission.ts
@@ -16,11 +16,11 @@
 
 import { IdentityClient } from '@backstage/plugin-auth-node';
 import { createRouter } from '@backstage/plugin-permission-backend';
-import { AuthorizeResult } from '@backstage/plugin-permission-common';
 import {
-  PermissionPolicy,
+  AuthorizeResult,
   PolicyDecision,
-} from '@backstage/plugin-permission-node';
+} from '@backstage/plugin-permission-common';
+import { PermissionPolicy } from '@backstage/plugin-permission-node';
 import { Router } from 'express';
 import { PluginEnvironment } from '../types';
 
diff --git a/plugins/permission-backend/src/service/PermissionIntegrationClient.ts b/plugins/permission-backend/src/service/PermissionIntegrationClient.ts
index 2b2161ee71048..2c31d371c3999 100644
--- a/plugins/permission-backend/src/service/PermissionIntegrationClient.ts
+++ b/plugins/permission-backend/src/service/PermissionIntegrationClient.ts
@@ -17,11 +17,13 @@
 import fetch from 'node-fetch';
 import { z } from 'zod';
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
-import { AuthorizeResult } from '@backstage/plugin-permission-common';
+import {
+  AuthorizeResult,
+  ConditionalPolicyDecision,
+} from '@backstage/plugin-permission-common';
 import {
   ApplyConditionsRequestEntry,
   ApplyConditionsResponseEntry,
-  ConditionalPolicyDecision,
 } from '@backstage/plugin-permission-node';
 
 const responseSchema = z.object({
diff --git a/plugins/permission-common/src/types/api.ts b/plugins/permission-common/src/types/api.ts
index c4d68ce3fa98e..97b1182805c78 100644
--- a/plugins/permission-common/src/types/api.ts
+++ b/plugins/permission-common/src/types/api.ts
@@ -50,6 +50,46 @@ export enum AuthorizeResult {
   CONDITIONAL = 'CONDITIONAL',
 }
 
+/**
+ * A definitive decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.
+ *
+ * @remarks
+ *
+ * This indicates that the policy unconditionally allows (or denies) the request.
+ *
+ * @public
+ */
+export type DefinitivePolicyDecision = {
+  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
+};
+
+/**
+ * A conditional decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.
+ *
+ * @remarks
+ *
+ * This indicates that the policy allows authorization for the request, given that the returned
+ * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin
+ * which knows about the referenced permission rules.
+ *
+ * @public
+ */
+export type ConditionalPolicyDecision = {
+  result: AuthorizeResult.CONDITIONAL;
+  pluginId: string;
+  resourceType: string;
+  conditions: PermissionCriteria<PermissionCondition>;
+};
+
+/**
+ * A decision returned by the {@link @backstage/plugin-permission-node#PermissionPolicy}.
+ *
+ * @public
+ */
+export type PolicyDecision =
+  | DefinitivePolicyDecision
+  | ConditionalPolicyDecision;
+
 /**
  * An individual authorization request for {@link PermissionClient#authorize}.
  * @public
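Review bot: The doc comment added for `ConditionalPolicyDecision` no longer explains `pluginId` and `resourceType`, and it never says that a `CONDITIONAL` result is not an allow on its own. The version removed from permission-node described them as the plugin and resource identifiers needed to evaluate the returned conditions, and that sentence was dropped in the move. Since the type now sits in the shared package, where presumably more callers will consume it, I would restore that sentence and add to the remarks something like `A CONDITIONAL result must not be treated as ALLOW; the request is authorized only once the conditions have been evaluated for the resource.` Short per-field comments on `pluginId` and `resourceType` would serve the same purpose. The three added types are complete within this hunk.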
diff --git a/plugins/permission-common/src/types/index.ts b/plugins/permission-common/src/types/index.ts
index 83be62504645c..f89f0c8aecc0c 100644
--- a/plugins/permission-common/src/types/index.ts
+++ b/plugins/permission-common/src/types/index.ts
@@ -22,6 +22,9 @@ export type {
   AuthorizeResponse,
   IdentifiedPermissionMessage,
   PermissionMessageBatch,
+  ConditionalPolicyDecision,
+  DefinitivePolicyDecision,
+  PolicyDecision,
   PermissionCondition,
   PermissionCriteria,
   AllOfCriteria,
diff --git a/plugins/permission-node/src/integration/createConditionExports.ts b/plugins/permission-node/src/integration/createConditionExports.ts
index fd351128ed0b1..ab889873891d8 100644
--- a/plugins/permission-node/src/integration/createConditionExports.ts
+++ b/plugins/permission-node/src/integration/createConditionExports.ts
@@ -16,10 +16,10 @@
 
 import {
   AuthorizeResult,
+  ConditionalPolicyDecision,
   PermissionCondition,
   PermissionCriteria,
 } from '@backstage/plugin-permission-common';
-import { ConditionalPolicyDecision } from '../policy';
 import { PermissionRule } from '../types';
 import { createConditionFactory } from './createConditionFactory';
 
diff --git a/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts b/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts
index 17e514432c9aa..b598487062247 100644
--- a/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts
+++ b/plugins/permission-node/src/integration/createPermissionIntegrationRouter.ts
@@ -21,6 +21,7 @@ import { InputError } from '@backstage/errors';
 import { errorHandler } from '@backstage/backend-common';
 import {
   AuthorizeResult,
+  DefinitivePolicyDecision,
   IdentifiedPermissionMessage,
   PermissionCondition,
   PermissionCriteria,
@@ -32,7 +33,6 @@ import {
   isNotCriteria,
   isOrCriteria,
 } from './util';
-import { DefinitivePolicyDecision } from '../policy/types';
 
 const permissionCriteriaSchema: z.ZodSchema<
   PermissionCriteria<PermissionCondition>
diff --git a/plugins/permission-node/src/policy/index.ts b/plugins/permission-node/src/policy/index.ts
index 1d3fc4a737e01..988ce345a4991 100644
--- a/plugins/permission-node/src/policy/index.ts
+++ b/plugins/permission-node/src/policy/index.ts
@@ -14,10 +14,4 @@
  * limitations under the License.
  */
 
-export type {
-  ConditionalPolicyDecision,
-  DefinitivePolicyDecision,
-  PermissionPolicy,
-  PolicyAuthorizeQuery,
-  PolicyDecision,
-} from './types';
+export type { PermissionPolicy, PolicyAuthorizeQuery } from './types';
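Review bot: Dropping `ConditionalPolicyDecision`, `DefinitivePolicyDecision` and `PolicyDecision` from this barrel removes three types that were tagged `@public` in permission-node, with no deprecation path. Assuming this file feeds the package entry point, any policy that imports `PolicyDecision` from `@backstage/plugin-permission-node` stops compiling on upgrade. The diffstat lists no changeset or API report update, though those may come in a separate commit. Consider keeping a deprecated re-export for one release, for example `export type { ConditionalPolicyDecision, DefinitivePolicyDecision, PolicyDecision } from '@backstage/plugin-permission-common';`, or call the break out explicitly in the release notes.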
diff --git a/plugins/permission-node/src/policy/types.ts b/plugins/permission-node/src/policy/types.ts
index 19b12b8f28482..fed803a2a931b 100644
--- a/plugins/permission-node/src/policy/types.ts
+++ b/plugins/permission-node/src/policy/types.ts
@@ -16,9 +16,7 @@
 
 import {
   AuthorizeQuery,
-  AuthorizeResult,
-  PermissionCondition,
-  PermissionCriteria,
+  PolicyDecision,
 } from '@backstage/plugin-permission-common';
 import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 
@@ -35,48 +33,6 @@ import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
  */
 export type PolicyAuthorizeQuery = Omit<AuthorizeQuery, 'resourceRef'>;
 
-/**
- * A definitive result to an authorization request, returned by the {@link PermissionPolicy}.
- *
- * @remarks
- *
- * This indicates that the policy unconditionally allows (or denies) the request.
- *
- * @public
- */
-export type DefinitivePolicyDecision = {
-  result: AuthorizeResult.ALLOW | AuthorizeResult.DENY;
-};
-
-/**
- * A conditional result to an authorization request, returned by the {@link PermissionPolicy}.
- *
- * @remarks
- *
- * This indicates that the policy allows authorization for the request, given that the returned
- * conditions hold when evaluated. The conditions will be evaluated by the corresponding plugin
- * which knows about the referenced permission rules.
- *
- * Similar to {@link @backstage/permission-common#AuthorizeDecision}, but with the plugin and resource
- * identifiers needed to evaluate the returned conditions.
- * @public
- */
-export type ConditionalPolicyDecision = {
-  result: AuthorizeResult.CONDITIONAL;
-  pluginId: string;
-  resourceType: string;
-  conditions: PermissionCriteria<PermissionCondition>;
-};
-
-/**
- * The result of evaluating an authorization request with a {@link PermissionPolicy}.
- *
- * @public
- */
-export type PolicyDecision =
-  | DefinitivePolicyDecision
-  | ConditionalPolicyDecision;
-
 /**
  * A policy to evaluate authorization requests for any permissioned action performed in Backstage.
  *