Merge pull request #36 from mozilla-services/wstuckey/add-gcp-iap-bac…

…kend-plugin

Attempt to fix the GCP IAP auth

app-config.production.yaml

@@ -90,7 +90,7 @@ catalog:
 auth:
   environment: production
   providers:
-    gcp-iap:
+    gcpIap:
       audience: ${GCP_IAP_AUDIENCE}
     github: # GitHub auth required for workflow data for service components
       production:

packages/app/src/App.tsx

@@ -39,7 +39,6 @@ import { RequirePermission } from '@backstage/plugin-permission-react';
 import { catalogEntityCreatePermission } from '@backstage/plugin-catalog-common/alpha';
 import {
   configApiRef,
-  googleAuthApiRef,
   useApi,
 } from '@backstage/core-plugin-api';
 
@@ -70,7 +69,7 @@ const app = createApp({
       if (configApi.getOptionalString('auth.environment') === 'development') {
         return <SignInPage {...props} providers={['guest']} />;
       }
-      return <ProxiedSignInPage {...props} provider="gcp-iap" />;
+      return <ProxiedSignInPage {...props} provider="gcpIap" />;
     },
   },
 });

packages/backend/package.json

@@ -20,6 +20,7 @@
     "@backstage/config": "^1.2.0",
     "@backstage/plugin-app-backend": "^0.3.76",
     "@backstage/plugin-auth-backend": "^0.23.1",
+    "@backstage/plugin-auth-backend-module-gcp-iap-provider": "^0.3.1",
     "@backstage/plugin-auth-backend-module-github-provider": "^0.2.1",
     "@backstage/plugin-auth-backend-module-google-provider": "^0.2.1",
     "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.1",

packages/backend/src/auth.ts

@@ -0,0 +1,63 @@
+import { createBackendModule } from '@backstage/backend-plugin-api';
+import { gcpIapAuthenticator } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
+import {
+  authProvidersExtensionPoint,
+  createProxyAuthProviderFactory,
+} from '@backstage/plugin-auth-node';
+import {
+  stringifyEntityRef,
+  DEFAULT_NAMESPACE,
+} from '@backstage/catalog-model';
+
+export const gcpIapCustomAuthProvider = createBackendModule({
+  pluginId: 'auth',
+  moduleId: 'custom-gcp-iap-auth-provider',
+  register(reg) {
+    reg.registerInit({
+      deps: { providers: authProvidersExtensionPoint },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: 'gcpIap',
+          factory: createProxyAuthProviderFactory({
+            authenticator: gcpIapAuthenticator,
+            async signInResolver(info, ctx) {
+              const {
+                profile: { email },
+              } = info;
+
+              if (!email) {
+                throw new Error('User profile contained no email');
+              }
+
+              const [name, domain] = email.split('@');
+              if (domain !== 'mozilla.com') {
+                throw new Error(
+                  `Login failed, this email ${email} does not belong to the expected domain`,
+                );
+              }
+
+              // try to resolve an existing gh username to the name part of the email
+              // otherwise, issue a log in token.
+              try {
+                return await ctx.signInWithCatalogUser({ entityRef: { name } });
+              } catch (_) {
+                const userEntity = stringifyEntityRef({
+                  kind: 'User',
+                  name,
+                  namespace: DEFAULT_NAMESPACE,
+                });
+
+                return ctx.issueToken({
+                  claims: {
+                    sub: userEntity,
+                    ent: [userEntity],
+                  },
+                });
+              }
+            },
+          }),
+        });
+      },
+    });
+  },
+});

packages/backend/src/index.ts

@@ -7,6 +7,7 @@
  */
 
 import { createBackend } from '@backstage/backend-defaults';
+import { gcpIapCustomAuthProvider } from './auth';
 
 const backend = createBackend();
 
@@ -19,8 +20,7 @@ backend.add(import('@backstage/plugin-techdocs-backend/alpha'));
 backend.add(import('@backstage/plugin-auth-backend'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
-backend.add(import('@backstage/plugin-auth-backend-module-google-provider'));
-backend.add(import('@backstage/plugin-auth-backend-module-gcp-iap-provider'));
+backend.add(gcpIapCustomAuthProvider);
 // See https://backstage.io/docs/auth/guest/provider
 
 // catalog plugin

yarn.lock

@@ -14095,6 +14095,7 @@ __metadata:
     "@backstage/config": "npm:^1.2.0"
     "@backstage/plugin-app-backend": "npm:^0.3.76"
     "@backstage/plugin-auth-backend": "npm:^0.23.1"
+    "@backstage/plugin-auth-backend-module-gcp-iap-provider": "npm:^0.3.1"
     "@backstage/plugin-auth-backend-module-github-provider": "npm:^0.2.1"
     "@backstage/plugin-auth-backend-module-google-provider": "npm:^0.2.1"
     "@backstage/plugin-auth-backend-module-guest-provider": "npm:^0.2.1"