diff --git a/.changeset/tall-suits-share.md b/.changeset/tall-suits-share.md
new file mode 100644
index 0000000000..b7c5d1ccfe
--- /dev/null
+++ b/.changeset/tall-suits-share.md
@@ -0,0 +1,23 @@
+---
+'@backstage/plugin-auth-backend-module-cloudflare-access-provider': patch
+'@backstage/plugin-auth-backend-module-bitbucket-server-provider': patch
+'@backstage/plugin-auth-backend-module-azure-easyauth-provider': patch
+'@backstage/plugin-auth-backend-module-oauth2-proxy-provider': patch
+'@backstage/plugin-auth-backend-module-vmware-cloud-provider': patch
+'@backstage/plugin-auth-backend-module-atlassian-provider': patch
+'@backstage/plugin-auth-backend-module-bitbucket-provider': patch
+'@backstage/plugin-auth-backend-module-microsoft-provider': patch
+'@backstage/plugin-auth-backend-module-onelogin-provider': patch
+'@backstage/plugin-auth-backend-module-aws-alb-provider': patch
+'@backstage/plugin-auth-backend-module-gcp-iap-provider': patch
+'@backstage/plugin-auth-backend-module-github-provider': patch
+'@backstage/plugin-auth-backend-module-gitlab-provider': patch
+'@backstage/plugin-auth-backend-module-google-provider': patch
+'@backstage/plugin-auth-backend-module-oauth2-provider': patch
+'@backstage/plugin-auth-backend-module-oidc-provider': patch
+'@backstage/plugin-auth-backend-module-okta-provider': patch
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-auth-node': patch
+---
+
+introduce dangerouslyAllowSignInWithoutUserInCatalog auth resolver config
diff --git a/.changeset/twenty-olives-impress.md b/.changeset/twenty-olives-impress.md
deleted file mode 100644
index 9051cf2e67..0000000000
--- a/.changeset/twenty-olives-impress.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-'@backstage/plugin-auth-backend-module-cloudflare-access-provider': minor
-'@backstage/plugin-auth-backend-module-bitbucket-server-provider': minor
-'@backstage/plugin-auth-backend-module-azure-easyauth-provider': minor
-'@backstage/plugin-auth-backend-module-oauth2-proxy-provider': minor
-'@backstage/plugin-auth-backend-module-vmware-cloud-provider': minor
-'@backstage/plugin-auth-backend-module-atlassian-provider': minor
-'@backstage/plugin-auth-backend-module-bitbucket-provider': minor
-'@backstage/plugin-auth-backend-module-microsoft-provider': minor
-'@backstage/plugin-auth-backend-module-onelogin-provider': minor
-'@backstage/plugin-auth-backend-module-aws-alb-provider': minor
-'@backstage/plugin-auth-backend-module-gcp-iap-provider': minor
-'@backstage/plugin-auth-backend-module-github-provider': minor
-'@backstage/plugin-auth-backend-module-gitlab-provider': minor
-'@backstage/plugin-auth-backend-module-google-provider': minor
-'@backstage/plugin-auth-backend-module-oauth2-provider': minor
-'@backstage/plugin-auth-backend-module-oidc-provider': minor
-'@backstage/plugin-auth-backend-module-okta-provider': minor
-'@backstage/plugin-auth-backend': minor
-'@backstage/plugin-auth-node': minor
----
-
-introduce dangerouslyAllowSignInWithoutUserInCatalog auth resolver config
diff --git a/.github/vale/config/vocabularies/Backstage/accept.txt b/.github/vale/config/vocabularies/Backstage/accept.txt
index f5defc22f2..67ccf26c28 100644
--- a/.github/vale/config/vocabularies/Backstage/accept.txt
+++ b/.github/vale/config/vocabularies/Backstage/accept.txt
@@ -302,6 +302,7 @@ oidc
 Okta
 Olausson
 Oldsberg
+onboarded
 onboarding
 Onboarding
 onelogin
diff --git a/plugins/auth-backend-module-atlassian-provider/src/resolvers.ts b/plugins/auth-backend-module-atlassian-provider/src/resolvers.ts
index cbd93e4b4f..949f25db9c 100644
--- a/plugins/auth-backend-module-atlassian-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-atlassian-provider/src/resolvers.ts
@@ -54,7 +54,7 @@ export namespace atlassianSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-aws-alb-provider/src/resolvers.ts b/plugins/auth-backend-module-aws-alb-provider/src/resolvers.ts
index 5d04de620f..38b4b60f27 100644
--- a/plugins/auth-backend-module-aws-alb-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-aws-alb-provider/src/resolvers.ts
@@ -52,7 +52,11 @@ export namespace awsAlbSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: info.result.fullProfile.emails[0].value }
+ ? {
+ entityRef: {
+ name: info.result.fullProfile.emails[0].value,
+ },
+ }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-azure-easyauth-provider/src/resolvers.ts b/plugins/auth-backend-module-azure-easyauth-provider/src/resolvers.ts
index 17463123c4..94afa90c5f 100644
--- a/plugins/auth-backend-module-azure-easyauth-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-azure-easyauth-provider/src/resolvers.ts
@@ -47,7 +47,7 @@ export namespace azureEasyAuthSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-bitbucket-provider/src/resolvers.ts b/plugins/auth-backend-module-bitbucket-provider/src/resolvers.ts
index 1dd9783b98..6691806e63 100644
--- a/plugins/auth-backend-module-bitbucket-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-bitbucket-provider/src/resolvers.ts
@@ -59,7 +59,7 @@ export namespace bitbucketSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
@@ -101,7 +101,7 @@ export namespace bitbucketSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: username }
+ ? { entityRef: { name: username } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-bitbucket-server-provider/src/resolvers.ts b/plugins/auth-backend-module-bitbucket-server-provider/src/resolvers.ts
index cf6970a6df..2e92d8c6ad 100644
--- a/plugins/auth-backend-module-bitbucket-server-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-bitbucket-server-provider/src/resolvers.ts
@@ -59,7 +59,7 @@ export namespace bitbucketServerSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: profile.email }
+ ? { entityRef: { name: profile.email } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-cloudflare-access-provider/src/resolvers.ts b/plugins/auth-backend-module-cloudflare-access-provider/src/resolvers.ts
index 6ac9fba958..21cb124be4 100644
--- a/plugins/auth-backend-module-cloudflare-access-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-cloudflare-access-provider/src/resolvers.ts
@@ -56,7 +56,7 @@ export namespace cloudflareAccessSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: profile.email }
+ ? { entityRef: { name: profile.email } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts b/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts
index 383d32cc57..77dc7b1062 100644
--- a/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts
@@ -53,7 +53,7 @@ export namespace gcpIapSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: email }
+ ? { entityRef: { name: email } }
 : undefined,
 },
 );
@@ -83,7 +83,7 @@ export namespace gcpIapSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: userId }
+ ? { entityRef: { name: userId } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-github-provider/src/resolvers.ts b/plugins/auth-backend-module-github-provider/src/resolvers.ts
index cc1950e9dd..5a6934439f 100644
--- a/plugins/auth-backend-module-github-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-github-provider/src/resolvers.ts
@@ -56,7 +56,7 @@ export namespace githubSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: userId }
+ ? { entityRef: { name: userId } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-gitlab-provider/src/resolvers.ts b/plugins/auth-backend-module-gitlab-provider/src/resolvers.ts
index b235f7b4bb..d5715f7e91 100644
--- a/plugins/auth-backend-module-gitlab-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-gitlab-provider/src/resolvers.ts
@@ -56,7 +56,7 @@ export namespace gitlabSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-google-provider/src/resolvers.ts b/plugins/auth-backend-module-google-provider/src/resolvers.ts
index c9ba884cfb..297ac0da6e 100644
--- a/plugins/auth-backend-module-google-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-google-provider/src/resolvers.ts
@@ -57,7 +57,7 @@ export namespace googleSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: profile.email }
+ ? { entityRef: { name: profile.email } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-microsoft-provider/src/resolvers.ts b/plugins/auth-backend-module-microsoft-provider/src/resolvers.ts
index 5090e26c5a..0ce276522e 100644
--- a/plugins/auth-backend-module-microsoft-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-microsoft-provider/src/resolvers.ts
@@ -57,7 +57,7 @@ export namespace microsoftSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: profile.email }
+ ? { entityRef: { name: profile.email } }
 : undefined,
 },
 );
@@ -96,7 +96,7 @@ export namespace microsoftSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-oauth2-provider/src/resolvers.ts b/plugins/auth-backend-module-oauth2-provider/src/resolvers.ts
index 7bf098a308..bad3f015c8 100644
--- a/plugins/auth-backend-module-oauth2-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-oauth2-provider/src/resolvers.ts
@@ -56,7 +56,7 @@ export namespace oauth2SignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-oauth2-proxy-provider/src/resolvers.ts b/plugins/auth-backend-module-oauth2-proxy-provider/src/resolvers.ts
index a31e1958dc..8ac639b3c0 100644
--- a/plugins/auth-backend-module-oauth2-proxy-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-oauth2-proxy-provider/src/resolvers.ts
@@ -46,7 +46,7 @@ export namespace oauth2ProxySignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name }
+ ? { entityRef: { name } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-okta-provider/src/resolvers.ts b/plugins/auth-backend-module-okta-provider/src/resolvers.ts
index b3b2a33493..cdb37dbaae 100644
--- a/plugins/auth-backend-module-okta-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-okta-provider/src/resolvers.ts
@@ -58,7 +58,7 @@ export namespace oktaSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: profile.email }
+ ? { entityRef: { name: profile.email } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend-module-onelogin-provider/src/resolvers.ts b/plugins/auth-backend-module-onelogin-provider/src/resolvers.ts
index 4a617589da..56710472be 100644
--- a/plugins/auth-backend-module-onelogin-provider/src/resolvers.ts
+++ b/plugins/auth-backend-module-onelogin-provider/src/resolvers.ts
@@ -56,7 +56,7 @@ export namespace oneLoginSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: id }
+ ? { entityRef: { name: id } }
 : undefined,
 },
 );
diff --git a/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts b/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
index e4deaaef33..4f9b33d021 100644
--- a/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
+++ b/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
@@ -142,13 +142,15 @@ export class CatalogAuthResolverContext implements AuthResolverContext {
 async signInWithCatalogUser(
 query: AuthResolverCatalogUserQuery,
 options?: {
- dangerousEntityRefFallback?:
- | string
- | {
- kind?: string;
- namespace?: string;
- name: string;
- };
+ dangerousEntityRefFallback?: {
+ entityRef:
+ | string
+ | {
+ kind?: string;
+ namespace?: string;
+ name: string;
+ };
+ };
 },
 ) {
 try {
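Review bot: The `options` parameter of `signInWithCatalogUser` in CatalogAuthResolverContext.ts now requires `dangerousEntityRefFallback` to be wrapped as `{ entityRef: ... }`, but the hunk neither documents the new field nor guards against the previous bare string or `{ name }` shape. A resolver outside this repository that still passes the old shape and is not type-checked would reach the fallback path with `options.dangerousEntityRefFallback.entityRef` undefined; the changeset on this page records the change as `patch`, so if the earlier shape was ever published it deserves a migration note. I would add a TSDoc line above the field, for example `/** Entity ref used as the signed-in identity when no matching catalog user is found; kind defaults to User and the namespace to the default namespace. */`, and repeat it on the same type in plugins/auth-node/src/types.ts. The method body continues outside the hunk.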
@@ -165,21 +167,14 @@ export class CatalogAuthResolverContext implements AuthResolverContext {
 },
 });
 } catch (error) {
- if (error?.name !== 'NotFoundError') {
+ if (
+ error?.name !== 'NotFoundError' ||
+ !options?.dangerousEntityRefFallback
+ ) {
 throw error;
 }
- if (!options?.dangerousEntityRefFallback) {
- this.logger.error(
- 'Failed to sign-in, unable to resolve user identity. For non-production environments, manually provision the user or disable the user provisioning requirement by setting the dangerouslyAllowSignInWithoutUserInCatalog option.',
- );
-
- throw new Error(
- 'Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver.',
- );
- }
-
 const userEntityRef = stringifyEntityRef(
- parseEntityRef(options.dangerousEntityRefFallback, {
+ parseEntityRef(options.dangerousEntityRefFallback.entityRef, {
 defaultKind: 'User',
 defaultNamespace: DEFAULT_NAMESPACE,
 }),
diff --git a/plugins/auth-node/report.api.md b/plugins/auth-node/report.api.md
index 64716dfe5c..090f981636 100644
--- a/plugins/auth-node/report.api.md
+++ b/plugins/auth-node/report.api.md
@@ -111,13 +111,15 @@ export type AuthResolverContext = {
 signInWithCatalogUser(
 query: AuthResolverCatalogUserQuery,
 options?: {
- dangerousEntityRefFallback?:
- | string
- | {
- kind?: string;
- namespace?: string;
- name: string;
- };
+ dangerousEntityRefFallback?: {
+ entityRef:
+ | string
+ | {
+ kind?: string;
+ namespace?: string;
+ name: string;
+ };
+ };
 },
 ): Promise;
 resolveOwnershipEntityRefs(entity: Entity): Promise<{
diff --git a/plugins/auth-node/src/sign-in/commonSignInResolvers.ts b/plugins/auth-node/src/sign-in/commonSignInResolvers.ts
index 307ebbfef5..2b7442f746 100644
--- a/plugins/auth-node/src/sign-in/commonSignInResolvers.ts
+++ b/plugins/auth-node/src/sign-in/commonSignInResolvers.ts
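Review bot: With the two checks merged at the top of the catch block in CatalogAuthResolverContext.ts, a catalog miss without a configured fallback now rethrows the raw NotFoundError, and the `this.logger.error(...)` call and the fixed sign-in failure message are removed with nothing in this hunk replacing them. Unless that logging and wording moved to code outside the hunk, a failed sign-in for an unprovisioned user no longer leaves an auth-specific log line, and the caller receives whatever text the catalog error carries. The fallback branch shows no log either, although it appears to continue toward signing in an entity ref that is absent from the catalog; I would record it right after `userEntityRef` is built, e.g. `this.logger.warn('Sign-in without a matching catalog user, using fallback ' + userEntityRef);`. The rest of the catch block lies outside the hunk.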
@@ -74,7 +74,7 @@ export namespace commonSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: noPlusEmail }
+ ? { entityRef: { name: noPlusEmail } }
 : undefined,
 },
 );
@@ -122,7 +122,7 @@ export namespace commonSignInResolvers {
 {
 dangerousEntityRefFallback:
 options?.dangerouslyAllowSignInWithoutUserInCatalog
- ? { name: localPart }
+ ? { entityRef: { name: localPart } }
 : undefined,
 },
 );
diff --git a/plugins/auth-node/src/types.ts b/plugins/auth-node/src/types.ts
index b628313a4f..8d6b8f34fb 100644
--- a/plugins/auth-node/src/types.ts
+++ b/plugins/auth-node/src/types.ts
@@ -172,13 +172,15 @@ export type AuthResolverContext = {
 signInWithCatalogUser(
 query: AuthResolverCatalogUserQuery,
 options?: {
- dangerousEntityRefFallback?:
- | string
- | {
- kind?: string;
- namespace?: string;
- name: string;
- };
+ dangerousEntityRefFallback?: {
+ entityRef:
+ | string
+ | {
+ kind?: string;
+ namespace?: string;
+ name: string;
+ };
+ };
 },
 ): Promise;
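Review bot: In the second commonSignInResolvers.ts hunk the fallback identity is built from `localPart` alone, so with `dangerouslyAllowSignInWithoutUserInCatalog` enabled, addresses at different domains that share a local part would presumably resolve to the same User entity ref. The catalog lookup that would normally disambiguate them is exactly what the fallback skips, so unless the resolver restricts the e-mail domain above the hunk (not visible here) this should be stated next to the option, for example `// Fallback uses only the local part; restrict accepted e-mail domains before enabling`. The `noPlusEmail` fallback in the first hunk deserves the same comment, since by its name plus-addressed variants collapse to one entity name. Both resolver bodies start and end outside the hunks.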