fix: Allow delete of orphans (#105)

Signed-off-by: Tomas Coufal <[email protected]>

Signed-off-by: Tomas Coufal <[email protected]>

packages/backend/package.json

@@ -25,6 +25,7 @@
     "@backstage/plugin-auth-backend": "^0.14.0",
     "@backstage/plugin-badges-backend": "^0.1.27",
     "@backstage/plugin-catalog-backend": "^1.1.2",
+    "@backstage/plugin-catalog-common": "^1.0.5",
     "@backstage/plugin-kubernetes-backend": "^0.6.0",
     "@backstage/plugin-permission-backend": "^0.5.7",
     "@backstage/plugin-permission-common": "^0.6.1",

packages/backend/src/plugins/permission.ts

@@ -3,23 +3,32 @@ import { createRouter } from '@backstage/plugin-permission-backend';
 import {
   AuthorizeResult,
   PolicyDecision,
+  isPermission,
 } from '@backstage/plugin-permission-common';
+import {
+  catalogConditions,
+  createCatalogConditionalDecision,
+} from '@backstage/plugin-catalog-backend/alpha';
 import {
   PermissionPolicy,
-  PolicyQuery
+  PolicyQuery,
 } from '@backstage/plugin-permission-node';
+import { catalogEntityDeletePermission } from '@backstage/plugin-catalog-common/alpha';
 import { Router } from 'express';
 import { PluginEnvironment } from '../types';
 
 class ReadOnlyPermissionPolicy implements PermissionPolicy {
   async handle(request: PolicyQuery): Promise<PolicyDecision> {
-    const permissions = [
-      'catalog.entity.read',
-      'catalog.entity.refresh'
-    ];
+    const permissions = ['catalog.entity.read', 'catalog.entity.refresh'];
     if (permissions.includes(request.permission.name)) {
       return { result: AuthorizeResult.ALLOW };
     }
+    if (isPermission(request.permission, catalogEntityDeletePermission)) {
+      return createCatalogConditionalDecision(
+        request.permission,
+        catalogConditions.hasAnnotation('backstage.io/orphan'),
+      );
+    }
     return { result: AuthorizeResult.DENY };
   }
 }

yarn.lock

@@ -1760,6 +1760,15 @@
     cross-fetch "^3.1.5"
     serialize-error "^8.0.1"
 
+"@backstage/errors@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@backstage/errors/-/errors-1.1.0.tgz#7e2376f8d0e5d58422b43a1551e5d980173acb7b"
+  integrity sha512-cWy7TpjrUvsMJ74et1PFvh0YYzzLDtK4qGJTwmF5AQBTZbNsi1UlNYET0sPVdlWbr6FRqa1QQNZwUkvpllB6YQ==
+  dependencies:
+    "@backstage/types" "^1.0.0"
+    cross-fetch "^3.1.5"
+    serialize-error "^8.0.1"
+
 "@backstage/integration-react@^1.0.0", "@backstage/integration-react@^1.1.1":
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/@backstage/integration-react/-/integration-react-1.1.1.tgz#936fd1441c47709fa8825360ea14ada26046b910"
@@ -2043,6 +2052,14 @@
     "@backstage/plugin-permission-common" "^0.6.2"
     "@backstage/plugin-search-common" "^0.3.5"
 
+"@backstage/plugin-catalog-common@^1.0.5":
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/@backstage/plugin-catalog-common/-/plugin-catalog-common-1.0.5.tgz#0617387e52181ea347b505d00704b791eef2dcda"
+  integrity sha512-dBKSBHPlohL3aHVGZLKGZfHtEnWzH1bwWCTJlqJLdiyfiRWjwtgRTIlcv2GSizYs4WZ1IW1LfDxkheR0pAW8vg==
+  dependencies:
+    "@backstage/plugin-permission-common" "^0.6.3"
+    "@backstage/plugin-search-common" "^1.0.0"
+
 "@backstage/plugin-catalog-graph@^0.2.17":
   version "0.2.17"
   resolved "https://registry.yarnpkg.com/@backstage/plugin-catalog-graph/-/plugin-catalog-graph-0.2.17.tgz#b45deddbfc3a359037711b76016ffb16e87eacfa"
@@ -2339,6 +2356,17 @@
     uuid "^8.0.0"
     zod "^3.11.6"
 
+"@backstage/plugin-permission-common@^0.6.3":
+  version "0.6.3"
+  resolved "https://registry.yarnpkg.com/@backstage/plugin-permission-common/-/plugin-permission-common-0.6.3.tgz#9815dd2dddf224454f55f35710b6a68644e95f00"
+  integrity sha512-7GL3+9M2wDiG406JSIzTq08KNrSZToAG5PTwKHXD6RFC1jF9X50aRYv+5jVwdmRhSk6r5JqoB4HhcgisseBzoQ==
+  dependencies:
+    "@backstage/config" "^1.0.1"
+    "@backstage/errors" "^1.1.0"
+    cross-fetch "^3.1.5"
+    uuid "^8.0.0"
+    zod "^3.11.6"
+
 "@backstage/plugin-permission-node@^0.6.1":
   version "0.6.1"
   resolved "https://registry.yarnpkg.com/@backstage/plugin-permission-node/-/plugin-permission-node-0.6.1.tgz#dbdc87eff8fd51eda0381ed5582a2caa46f4d86d"
@@ -2560,6 +2588,14 @@
     "@backstage/plugin-permission-common" "^0.6.2"
     "@backstage/types" "^1.0.0"
 
+"@backstage/plugin-search-common@^1.0.0":
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/@backstage/plugin-search-common/-/plugin-search-common-1.0.0.tgz#fa9ac1f57d79e7cd9b9ca9a929065979010a5a37"
+  integrity sha512-Jr+z/cqc60GkY7rrIXifmAIdlRbEFtWesoLx5v4rgLGG/lCgsMzAm0Vxzg1g/9r71raSnKBakPajjhpMEZ5SWA==
+  dependencies:
+    "@backstage/plugin-permission-common" "^0.6.3"
+    "@backstage/types" "^1.0.0"
+
 "@backstage/plugin-search-react@^0.2.0":
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/@backstage/plugin-search-react/-/plugin-search-react-0.2.0.tgz#dd9c13c387c666981a902154c2e13850bbbf0d40"
@@ -5749,7 +5785,7 @@
   resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.4.tgz#cd667bcfdd025213aafb7ca5915a932590acdcdc"
   integrity sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw==
 
-"@types/react-dom@*", "@types/react-dom@<18.0.0", "@types/react-dom@^17":
+"@types/react-dom@*", "@types/react-dom@<18.0.0":
   version "17.0.17"
   resolved "https://registry.yarnpkg.com/@types/react-dom/-/react-dom-17.0.17.tgz#2e3743277a793a96a99f1bf87614598289da68a1"
   integrity sha512-VjnqEmqGnasQKV0CWLevqMTXBYG9GbwuE6x3VetERLh0cq2LTptFE73MrQi2S7GkKXCf2GgwItB/melLnxfnsg==