search-backend-node: track document visibility permission by type in IndexBuilder

Tracking permissions by collator ensures that all the documents of a
given type are authorized using the same permission. This is not
critical for result-by-result authorization, but will likely be a
useful constraint when adding in-engine permission filtering to
specific search engines in the future.

Signed-off-by: MT Lewis <mtlewis@users.noreply.github.com>

.changeset/angry-carrots-brush.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-search-backend-node': patch
+---
+
+Track visibility permissions by document type in IndexBuilder

plugins/search-backend-node/api-report.md

@@ -8,11 +8,19 @@ import { DocumentDecorator } from '@backstage/search-common';
 import { IndexableDocument } from '@backstage/search-common';
 import { Logger as Logger_2 } from 'winston';
 import { default as lunr_2 } from 'lunr';
+import { Permission } from '@backstage/plugin-permission-common';
 import { QueryTranslator } from '@backstage/search-common';
 import { SearchEngine } from '@backstage/search-common';
 import { SearchQuery } from '@backstage/search-common';
 import { SearchResultSet } from '@backstage/search-common';
 
+// Warning: (ae-missing-release-tag) "DocumentTypeInfo" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public (undocumented)
+export type DocumentTypeInfo = {
+  visibilityPermission?: Permission;
+};
+
 // Warning: (ae-missing-release-tag) "IndexBuilder" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public (undocumented)
@@ -30,6 +38,8 @@ export class IndexBuilder {
     scheduler: Scheduler;
   }>;
   // (undocumented)
+  getDocumentTypes(): Record<string, DocumentTypeInfo>;
+  // (undocumented)
   getSearchEngine(): SearchEngine;
 }
 

plugins/search-backend-node/package.json

@@ -20,6 +20,7 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
+    "@backstage/plugin-permission-common": "^0.4.0-next.0",
     "@backstage/search-common": "^0.2.1",
     "winston": "^3.2.1",
     "lunr": "^2.3.9",

plugins/search-backend-node/src/IndexBuilder.ts

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+import { Permission } from '@backstage/plugin-permission-common';
 import {
   DocumentCollator,
   DocumentDecorator,
@@ -37,15 +38,25 @@ type IndexBuilderOptions = {
   logger: Logger;
 };
 
+export type DocumentTypeInfo = {
+  /**
+   * The {@link @backstage/plugin-permission-common#Permission} that controls
+   * visibility of resources associated with this collator's documents.
+   */
+  visibilityPermission?: Permission;
+};
+
 export class IndexBuilder {
   private collators: Record<string, CollatorEnvelope>;
   private decorators: Record<string, DocumentDecorator[]>;
+  private documentTypes: Record<string, DocumentTypeInfo>;
   private searchEngine: SearchEngine;
   private logger: Logger;
 
   constructor({ logger, searchEngine }: IndexBuilderOptions) {
     this.collators = {};
     this.decorators = {};
+    this.documentTypes = {};
     this.logger = logger;
     this.searchEngine = searchEngine;
   }
@@ -54,6 +65,10 @@ export class IndexBuilder {
     return this.searchEngine;
   }
 
+  getDocumentTypes(): Record<string, DocumentTypeInfo> {
+    return this.documentTypes;
+  }
+
   /**
    * Makes the index builder aware of a collator that should be executed at the
    * given refresh interval.
@@ -69,6 +84,9 @@ export class IndexBuilder {
       refreshInterval: defaultRefreshIntervalSeconds,
       collate: collator,
     };
+    this.documentTypes[collator.type] = {
+      visibilityPermission: collator.visibilityPermission,
+    };
   }
 
   /**

plugins/search-backend-node/src/index.ts

@@ -21,6 +21,7 @@
  */
 
 export { IndexBuilder } from './IndexBuilder';
+export type { DocumentTypeInfo } from './IndexBuilder';
 export { Scheduler } from './Scheduler';
 export { LunrSearchEngine } from './engines';