Merge pull request #6 from Parfuemerie-Douglas/auth-token-refactor

Refactor reading of auth token and add pipeline URL as output

Author: clemensheithecker

README.md

@@ -1,14 +1,14 @@
 # scaffolder-backend-module-azure-pipelines
 
-Welcome to the Microsoft Azure pipelines actions for the `scaffolder-backend`.
+Welcome to the Microsoft Azure pipeline actions for the `scaffolder-backend`.
 
 This plugin contains a collection of actions:
 
 - `azure:pipeline:create`
 - `azure:pipeline:run`
 - `azure:pipeline:permit`
 
-It utilizes Azure DevOps REST APIs to [create](https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/pipelines/create?view=azure-devops-rest-6.1) and [run](https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/runs/run-pipeline?view=azure-devops-rest-6.1) Azure pipelines.
+It utilizes Azure DevOps REST APIs to [create](https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/pipelines/create?view=azure-devops-rest-6.1), [run](https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/runs/run-pipeline?view=azure-devops-rest-6.1), and [authorize](https://docs.microsoft.com/en-us/rest/api/azure/devops/approvalsandchecks/pipeline-permissions/update-pipeline-permisions-for-resource?view=azure-devops-rest-7.1) Azure pipelines.
 
 ## Getting started
 
@@ -33,13 +33,13 @@ Configure the actions (you can check the [docs](https://backstage.io/docs/featur
 import {
   createAzurePipelineAction,
   permitAzurePipelineAction,
-  runAzurePipelineAction
-} from '@parfuemerie-douglas/scaffolder-backend-module-azure-pipelines';
+  runAzurePipelineAction,
+} from "@parfuemerie-douglas/scaffolder-backend-module-azure-pipelines";
 
 const actions = [
-  createAzurePipelineAction(<azurePersonalAccessToken>),
-  permitAzurePipelineAction(<azurePersonalAccessToken>),
-  runAzurePipelineAction(<azurePersonalAccessToken>),
+  createAzurePipelineAction({ integrations }),
+  permitAzurePipelineAction({ integrations }),
+  runAzurePipelineAction({ integrations }),
   ...createBuiltInActions({
     containerRunner,
     catalogClient,
@@ -60,7 +60,18 @@ return await createRouter({
 });
 ```
 
-The Azure pipeline actions accepts an [Azure PAT (personal access token)](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) parameter which should be a string. The PAT requires `Read & execute` permission for `Build` for the `azure:pipeline:create` and `azure:pipeline:run` actions. For the `azure:pipeline:permit` action the PAT requires `Read, query, & manage` permission for `Service Connections`. Simply replace `<azurePersonalAccessToken>` with your Azure PAT.
+The Azure pipeline actions use an [Azure PAT (personal access token)](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) for authorization. The PAT requires `Read & execute` permission for `Build` for the `azure:pipeline:create` and `azure:pipeline:run` actions. For the `azure:pipeline:permit` action the PAT requires `Read, query, & manage` permission for `Service Connections`. Simply add the PAT to your `app-config.yaml`:
+
+```yaml
+# app-config.yaml
+
+integrations:
+  azure:
+    - host: dev.azure.com
+      token: ${AZURE_TOKEN}
+```
+
+Read more on integrations in Backstage in the [Integrations documentation](https://backstage.io/docs/integrations/).
 
 ## Using the template
 
@@ -174,11 +185,13 @@ spec:
     links:
       - title: Repository
         url: ${{ steps.publish.output.remoteUrl }}
+      - title: Pipeline
+        url: ${{ steps.createAzurePipeline.output.pipelineUrl }}
       - title: Open in catalog
         icon: catalog
         entityRef: ${{ steps.register.output.entityRef }}
 ```
 
 **_Note_**: The `azure:pipeline:permit` action authorizes/unauthorizes a pipeline for a given resource. To authorize a pipeline for a [service endpoint](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview) set `resourceType` to `endpoint`, provide `resourceId` with the service endpoint ID (replace `<serviceEndpointId>` in the example code above), and set authorized to `true`.
 
-You can also visit the `/create/actions` route in your Backstage application to find out more about the parameters these actions accepts when it's installed to configure how you like.
+You can find a list of all registred actions including their parameters at the `/create/actions` route in your Backstage application.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@parfuemerie-douglas/scaffolder-backend-module-azure-pipelines",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "A collection of Backstage scaffolder backend modules for Azure pipelines.",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",

src/actions/run/createAzurePipeline.ts

@@ -14,18 +14,25 @@
  * limitations under the License.
  */
 
+import { InputError } from "@backstage/errors";
+import { ScmIntegrationRegistry } from "@backstage/integration";
 import { createTemplateAction } from "@backstage/plugin-scaffolder-backend";
 
 import fetch from "node-fetch";
 
-export const createAzurePipelineAction = (azurePersonalAccessToken: string) => {
+export const createAzurePipelineAction = (options: {
+  integrations: ScmIntegrationRegistry;
+}) => {
+  const { integrations } = options;
+
   return createTemplateAction<{
     organization: string;
     project: string;
     folder: string;
     name: string;
     repositoryId: string;
     repositoryName: string;
+    token?: string;
   }>({
     id: "azure:pipeline:create",
     schema: {
@@ -70,37 +77,66 @@ export const createAzurePipelineAction = (azurePersonalAccessToken: string) => {
             title: "Repository Name",
             description: "The name of the repository.",
           },
+          token: {
+            title: "Authenticatino Token",
+            type: "string",
+            description: "The token to use for authorization.",
+          },
         },
       },
     },
     async handler(ctx) {
+      const {
+        organization,
+        project,
+        folder,
+        name,
+        repositoryId,
+        repositoryName,
+      } = ctx.input;
+
+      const host = "dev.azure.com";
+      const integrationConfig = integrations.azure.byHost(host);
+
+      if (!integrationConfig) {
+        throw new InputError(
+          `No matching integration configuration for host ${host}, please check your integrations config`
+        );
+      }
+
+      if (!integrationConfig.config.token && !ctx.input.token) {
+        throw new InputError(`No token provided for Azure Integration ${host}`);
+      }
+
+      const token = ctx.input.token ?? integrationConfig.config.token!;
+
       ctx.logger.info(
-        `Creating an Azure pipeline for the repository ${ctx.input.repositoryName} with the ID ${ctx.input.repositoryId}.`
+        `Creating an Azure pipeline for the repository ${repositoryName} with the ID ${repositoryId}.`
       );
 
       // See the Azure DevOps documentation for more information about the REST API:
       // https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/pipelines/create?view=azure-devops-rest-6.1
       await fetch(
-        `https://dev.azure.com/${ctx.input.organization}/${ctx.input.project}/_apis/pipelines?api-version=6.1-preview.1`,
+        `https://dev.azure.com/${organization}/${project}/_apis/pipelines?api-version=6.1-preview.1`,
         {
           method: "POST",
           headers: {
             "Content-Type": "application/json",
             Accept: "application/json",
-            Authorization: `Basic ${Buffer.from(
-              `PAT:${azurePersonalAccessToken}`
-            ).toString("base64")}`,
+            Authorization: `Basic ${Buffer.from(`PAT:${token}`).toString(
+              "base64"
+            )}`,
             "X-TFS-FedAuthRedirect": "Suppress",
           },
           body: JSON.stringify({
-            folder: ctx.input.folder,
-            name: ctx.input.name,
+            folder: folder,
+            name: name,
             configuration: {
               type: "yaml",
               path: "/azure-pipelines.yaml",
               repository: {
-                id: ctx.input.repositoryId,
-                name: ctx.input.repositoryName,
+                id: repositoryId,
+                name: repositoryName,
                 type: "azureReposGit",
               },
             },
@@ -110,7 +146,7 @@ export const createAzurePipelineAction = (azurePersonalAccessToken: string) => {
         .then((response) => {
           if (response.ok) {
             ctx.logger.info(
-              `Successfully created ${ctx.input.name} Azure pipeline in ${ctx.input.folder}.`
+              `Successfully created ${name} Azure pipeline in ${folder}.`
             );
           } else {
             ctx.logger.error(
@@ -124,6 +160,7 @@ export const createAzurePipelineAction = (azurePersonalAccessToken: string) => {
           ctx.logger.info(`The Azure pipeline ID is ${data.id}.`);
 
           ctx.output("pipelineId", data.id.toString());
+          ctx.output("pipelineUrl", data._links.web.href);
         });
     },
   });

src/actions/run/permitAzurePipeline.ts

@@ -14,18 +14,25 @@
  * limitations under the License.
  */
 
+import { InputError } from "@backstage/errors";
+import { ScmIntegrationRegistry } from "@backstage/integration";
 import { createTemplateAction } from "@backstage/plugin-scaffolder-backend";
 
 import fetch from "node-fetch";
 
-export const permitAzurePipelineAction = (azurePersonalAccessToken: string) => {
+export const permitAzurePipelineAction = (options: {
+  integrations: ScmIntegrationRegistry;
+}) => {
+  const { integrations } = options;
+
   return createTemplateAction<{
     organization: string;
     project: string;
     resourceId: string;
     resourceType: string;
     authorized: boolean;
     pipelineId: string;
+    token?: string;
   }>({
     id: "azure:pipeline:permit",
     schema: {
@@ -60,44 +67,78 @@ export const permitAzurePipelineAction = (azurePersonalAccessToken: string) => {
             title: "Resource Type",
             description: "The type of the resource (e.g. endpoint).",
           },
+          authorized: {
+            type: "boolean",
+            title: "Authorized",
+            description: "A true or false authorization indicator.",
+          },
           pipelineId: {
             type: "string",
             title: "Pipeline ID",
             description: "The pipeline ID.",
           },
+          token: {
+            title: "Authenticatino Token",
+            type: "string",
+            description: "The token to use for authorization.",
+          },
         },
       },
     },
     async handler(ctx) {
+      const {
+        organization,
+        project,
+        resourceId,
+        resourceType,
+        authorized,
+        pipelineId,
+      } = ctx.input;
+
+      const host = "dev.azure.com";
+      const integrationConfig = integrations.azure.byHost(host);
+
+      if (!integrationConfig) {
+        throw new InputError(
+          `No matching integration configuration for host ${host}, please check your integrations config`
+        );
+      }
+
+      if (!integrationConfig.config.token && !ctx.input.token) {
+        throw new InputError(`No token provided for Azure Integration ${host}`);
+      }
+
+      const token = ctx.input.token ?? integrationConfig.config.token!;
+
       if (ctx.input.authorized == true) {
         ctx.logger.info(
-          `Authorizing Azure pipeline with ID ${ctx.input.pipelineId} for ${ctx.input.resourceType} with ID ${ctx.input.resourceId}.`
+          `Authorizing Azure pipeline with ID ${pipelineId} for ${resourceType} with ID ${resourceId}.`
         );
       } else {
         ctx.logger.info(
-          `Unauthorizing Azure pipeline with ID ${ctx.input.pipelineId} for ${ctx.input.resourceType} with ID ${ctx.input.resourceId}.`
+          `Unauthorizing Azure pipeline with ID ${pipelineId} for ${resourceType} with ID ${resourceId}.`
         );
       }
 
       // See the Azure DevOps documentation for more information about the REST API:
       // https://docs.microsoft.com/en-us/rest/api/azure/devops/approvalsandchecks/pipeline-permissions/update-pipeline-permisions-for-resource?view=azure-devops-rest-7.1
       await fetch(
-        `https://dev.azure.com/${ctx.input.organization}/${ctx.input.project}/_apis/pipelines/pipelinepermissions/${ctx.input.resourceType}/${ctx.input.resourceId}?api-version=7.1-preview.1`,
+        `https://dev.azure.com/${organization}/${project}/_apis/pipelines/pipelinepermissions/${resourceType}/${resourceId}?api-version=7.1-preview.1`,
         {
           method: "PATCH",
           headers: {
             "Content-Type": "application/json",
             Accept: "application/json",
-            Authorization: `Basic ${Buffer.from(
-              `PAT:${azurePersonalAccessToken}`
-            ).toString("base64")}`,
+            Authorization: `Basic ${Buffer.from(`PAT:${token}`).toString(
+              "base64"
+            )}`,
             "X-TFS-FedAuthRedirect": "Suppress",
           },
           body: JSON.stringify({
             pipelines: [
               {
-                authorized: ctx.input.authorized,
-                id: parseInt(ctx.input.pipelineId),
+                authorized: authorized,
+                id: parseInt(pipelineId),
               },
             ],
           }),

src/actions/run/runAzurePipeline.ts

@@ -14,15 +14,22 @@
  * limitations under the License.
  */
 
+import { InputError } from "@backstage/errors";
+import { ScmIntegrationRegistry } from "@backstage/integration";
 import { createTemplateAction } from "@backstage/plugin-scaffolder-backend";
 
 import fetch from "node-fetch";
 
-export const runAzurePipelineAction = (azurePersonalAccessToken: string) => {
+export const runAzurePipelineAction = (options: {
+  integrations: ScmIntegrationRegistry;
+}) => {
+  const { integrations } = options;
+
   return createTemplateAction<{
     organization: string;
     pipelineId: string;
     project: string;
+    token?: string;
   }>({
     id: "azure:pipeline:run",
     schema: {
@@ -45,26 +52,46 @@ export const runAzurePipelineAction = (azurePersonalAccessToken: string) => {
             title: "Project",
             description: "The name of the Azure project.",
           },
+          token: {
+            title: "Authenticatino Token",
+            type: "string",
+            description: "The token to use for authorization.",
+          },
         },
       },
     },
     async handler(ctx) {
-      ctx.logger.info(
-        `Running Azure pipeline with the ID ${ctx.input.pipelineId}.`
-      );
+      const { organization, pipelineId, project } = ctx.input;
+
+      const host = "dev.azure.com";
+      const integrationConfig = integrations.azure.byHost(host);
+
+      if (!integrationConfig) {
+        throw new InputError(
+          `No matching integration configuration for host ${host}, please check your integrations config`
+        );
+      }
+
+      if (!integrationConfig.config.token && !ctx.input.token) {
+        throw new InputError(`No token provided for Azure Integration ${host}`);
+      }
+
+      const token = ctx.input.token ?? integrationConfig.config.token!;
+
+      ctx.logger.info(`Running Azure pipeline with the ID ${pipelineId}.`);
 
       // See the Azure DevOps documentation for more information about the REST API:
       // https://docs.microsoft.com/en-us/rest/api/azure/devops/pipelines/runs/run-pipeline?view=azure-devops-rest-6.1
       await fetch(
-        `https://dev.azure.com/${ctx.input.organization}/${ctx.input.project}/_apis/pipelines/${ctx.input.pipelineId}/runs?api-version=6.1-preview.1`,
+        `https://dev.azure.com/${organization}/${project}/_apis/pipelines/${pipelineId}/runs?api-version=6.1-preview.1`,
         {
           method: "POST",
           headers: {
             "Content-Type": "application/json",
             Accept: "application/json",
-            Authorization: `Basic ${Buffer.from(
-              `PAT:${azurePersonalAccessToken}`
-            ).toString("base64")}`,
+            Authorization: `Basic ${Buffer.from(`PAT:${token}`).toString(
+              "base64"
+            )}`,
             "X-TFS-FedAuthRedirect": "Suppress",
           },
           body: JSON.stringify({