chore: add patches for scaffolder audit logging with scaffolder permissions

[Zaperex]

Description

Adding the scaffolder audit logging changes via a patch using patch-package

This will also include cherry picked changes for the scaffolder permissions since the audit logging changes are built on the v1.26.5 branch, while the scaffolder permissions are released in v1.28.0-next.1

Relates to https://github.com/janus-idp/backstage-showcase/pull/1265

Which issue(s) does this PR fix

Relates to RHIDP-2324

PR acceptance criteria

Please make sure that the following steps are complete:

• [ ] GitHub Actions are completed and successful
• [ ] Unit Tests are updated and passing
• [ ] E2E Tests are updated and passing
• [ ] Documentation is updated if necessary (requirement for new features)
• [ ] Add a screenshot if the change is UX/UI related

How to test changes / Special notes to the reviewer

If running on Node 20, start with:

NODE_OPTIONS=--no-node-snapshot

Verifying audit logging

• Use the scaffolder (frontend or backend) (make sure you are logged in with a backstage identity or else actorId will be null)
• Observe audit logs be outputted for router endpoint access, task creation, cancellation, execution, etc.

The new permissions add the following new behaviours:

• Verify that new permissions are available via <BACKEND_URL>/api/scaffolder/.well-known/backstage/permissions/metadata
• scaffolder.task.read: prevents reading of tasks, task events/eventstreams
  • Test with the GET /v2/tasks, GET /v2/tasks/:taskId, GET /v2/tasks/:taskId/events and GET /v2/tasks/:taskId/eventstream endpoints
  • Test with the UI: View log stream, list tasks
• scaffolder.task.create: prevents creation of scaffolder tasks (can't trigger a software template)
  • Test with the POST /v2/tasks endpoint and try launching a software template via the UI (catalog entity about page, and Create page should both have their buttons disabled)
• scaffolder.task.cancel: prevents cancellation of scaffolder tasks
  • Test with the POST /v2/tasks/:taskId/cancel endpoint and try cancelling a running task in the UI (cancel button should be disabled)

[openshift-ci[bot]]

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

[Zaperex]

Yet again, patch fails after doing a rm -rf node_modules. Tried debugging by running yarn postinstall --partial to get an error log: patch-package-errors.md

[Zaperex]

The process I used to apply the patches is the following:

1. Switch to the branch for https://github.com/redhat-developer/backstage/pull/1
2. Do a yarn build for the plugins/scaffolder-backend and plugins/scaffolder-node directories
3. Run npm pack .
4. Run tar -xf backstage-plugin-scaffolder-<backend or node>-<version>.tgz && mv ./package/ ./plugin-scaffolder-<backend or node>
5. Add missing CHANGELOG.md and nested node_modules from the corresponding packages in the backstage-showcase/node_modules/@backstage/plugin-scaffolder-<backend or node> directories
6. Remove the backstage-showcase/node_modules/@backstage/plugin-scaffolder-<backend or node> directories and replace them with the newly created packages.'

This method was mainly to help capture the source map changes as well.

[Zaperex]

For some reason the error log I posted above seemed to complain about the plugin-app-backend patch despite it working when I run yarn postinstall:

yarn postinstall
yarn run v1.22.19
$ patch-package
patch-package 8.0.0
Applying patches...
@backstage/plugin-app-backend@0.3.65 ✔
@backstage/plugin-scaffolder-node@0.4.3 ✔

**ERROR** Failed to apply patch for package @backstage/plugin-scaffolder-backend at path

    node_modules/@backstage/plugin-scaffolder-backend

  This error was caused because patch-package cannot apply the following patch file:

    patches/@backstage+plugin-scaffolder-backend+1.22.5.patch

  Try removing node_modules and trying again. If that doesn't work, maybe there was
  an accidental change made to the patch file? Try recreating it by manually
  editing the appropriate files and running:

    patch-package @backstage/plugin-scaffolder-backend

  If that doesn't work, then it's a bug in patch-package, so please submit a bug
  report. Thanks!

    https://github.com/ds300/patch-package/issues

---
patch-package finished with 1 error(s).

[github-actions[bot]]

The image is available at: quay.io/janus-idp/backstage-showcase:pr-1282!

[github-actions[bot]]

The image is available at: quay.io/janus-idp/backstage-showcase:pr-1282!

[Zaperex]

The patch applies properly after a rm -rf node_modules now. However, there's currently a bug in the frontend which is causing the Launch Template button of the entity About Card and Choose button of the template cards to throw a 400 error due to a InputError: Invalid kind, only 'Template' kind is supported that should not be happening.

This issue does not occur in the upstream fork https://github.com/redhat-developer/backstage/pull/1

[Zaperex]

Well then... it seems the log redactor somehow redacted the API call? For reference, I have temp as placeholder for some app-config.yaml secrets.

Need to investigate why this is happening only in the showcase when this patch is applied.

[Zaperex]

Cherry picked the scaffolder permission changes into the existing audit log changes.

Created a script to try to automate as much of the patching process as possible: https://gist.github.com/Zaperex/5cf97c464bb0459e97ad8ebe9ad397d2

Note: In this PR, I manually modified the catalog and scaffolder frontend plugin files. I found the script can also do so without any file replacements, but it leaves behind the old unpatched files (not referenced anywhere).

Currently the audit logger patch does not pull in the audit-log-node common package since it has not been published yet. It is currently added in-line and contains the changes in https://github.com/janus-idp/backstage-plugins/pull/1730.

[github-actions[bot]]

The image is available at: quay.io/janus-idp/backstage-showcase:pr-1282!

[github-actions[bot]]

The image is available at: quay.io/janus-idp/backstage-showcase:pr-1282!

[sonarcloud[bot]]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: schultzp2020

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/janus-idp/backstage-showcase/blob/main/OWNERS)~~ [schultzp2020] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[github-actions[bot]]

The image is available at: quay.io/janus-idp/backstage-showcase:pr-1282!

[nickboldt]

/cherry-pick 1.2.x

[openshift-cherrypick-robot]

@nickboldt: new pull request created: #1301

In response to [this](https://github.com/janus-idp/backstage-showcase/pull/1282#issuecomment-2148393242): >/cherry-pick 1.2.x > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.