feat(scorecard): introduce Scorecard permissions (#1398)

* Add rbac

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Introduce permissions

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Add tests

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>
Assisted-by: Cursor Desktop

* Update api

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Update docs

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>
Assisted-by: Cursor Desktop

* Deduplicate

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Add list of providers to docs

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

---------

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Author: dzemanov

workspaces/scorecard/README.md

@@ -8,3 +8,5 @@ To start the app, run:
 yarn install
 yarn start
 ```
+
+> Notice: The guest user has admin permissions in this application for quick setup. For better control, specify more users and groups in app-config.local.yaml and define a separate admin/admins permission instead of using the guest user. Using the guest user as an admin is not recommended for permission management.

workspaces/scorecard/app-config.yaml

@@ -114,3 +114,12 @@ kubernetes:
 permission:
   # setting this to `false` will disable permissions
   enabled: true
+  rbac:
+    pluginsWithPermission:
+      - catalog
+      - permission
+      - scaffolder
+      - scorecard
+    admin:
+      users:
+        - name: user:development/guest

workspaces/scorecard/examples/org.yaml

@@ -4,6 +4,7 @@ apiVersion: backstage.io/v1alpha1
 kind: User
 metadata:
   name: guest
+  namespace: development
 spec:
   memberOf: [guests]
 ---
@@ -12,6 +13,7 @@ apiVersion: backstage.io/v1alpha1
 kind: Group
 metadata:
   name: guests
+  namespace: development
 spec:
   type: team
   children: []

workspaces/scorecard/packages/app/package.json

@@ -19,6 +19,7 @@
     "lint": "backstage-cli package lint"
   },
   "dependencies": {
+    "@backstage-community/plugin-rbac": "^1.43.0",
     "@backstage/app-defaults": "^1.6.4",
     "@backstage/catalog-model": "^1.7.5",
     "@backstage/cli": "^0.33.1",

workspaces/scorecard/packages/app/src/App.tsx

@@ -24,6 +24,7 @@ import {
   CatalogImportPage,
   catalogImportPlugin,
 } from '@backstage/plugin-catalog-import';
+import { RbacPage } from '@backstage-community/plugin-rbac';
 import { ScaffolderPage, scaffolderPlugin } from '@backstage/plugin-scaffolder';
 import { orgPlugin } from '@backstage/plugin-org';
 import { SearchPage } from '@backstage/plugin-search';
@@ -110,6 +111,7 @@ const routes = (
         <ReportIssue />
       </TechDocsAddons>
     </Route>
+    <Route path="/rbac" element={<RbacPage />} />;
     <Route path="/create" element={<ScaffolderPage />} />
     <Route path="/api-docs" element={<ApiExplorerPage />} />
     <Route

workspaces/scorecard/packages/app/src/components/Root/Root.tsx

@@ -26,6 +26,7 @@ import {
   UserSettingsSignInAvatar,
 } from '@backstage/plugin-user-settings';
 import { SidebarSearchModal } from '@backstage/plugin-search';
+import { Administration } from '@backstage-community/plugin-rbac';
 import {
   Sidebar,
   sidebarConfig,
@@ -90,6 +91,7 @@ export const Root = ({ children }: PropsWithChildren<{}>) => (
         <SidebarItem icon={ExtensionIcon} to="api-docs" text="APIs" />
         <SidebarItem icon={LibraryBooks} to="docs" text="Docs" />
         <SidebarItem icon={CreateComponentIcon} to="create" text="Create..." />
+        <Administration />
         {/* End global nav */}
         <SidebarDivider />
         <SidebarScrollWrapper>

workspaces/scorecard/packages/backend/package.json

@@ -21,6 +21,7 @@
     "build-image": "docker build ../.. -f Dockerfile --tag backstage"
   },
   "dependencies": {
+    "@backstage-community/plugin-rbac-backend": "^7.2.0",
     "@backstage/backend-defaults": "^0.11.1",
     "@backstage/config": "^1.3.3",
     "@backstage/plugin-app-backend": "^0.5.4",
@@ -33,7 +34,6 @@
     "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.2.10",
     "@backstage/plugin-kubernetes-backend": "^0.19.8",
     "@backstage/plugin-permission-backend": "^0.7.2",
-    "@backstage/plugin-permission-backend-module-allow-all-policy": "^0.2.10",
     "@backstage/plugin-permission-common": "^0.9.1",
     "@backstage/plugin-permission-node": "^0.10.2",
     "@backstage/plugin-proxy-backend": "^0.6.4",

workspaces/scorecard/packages/backend/src/index.ts

@@ -28,6 +28,7 @@ backend.add(import('@backstage/plugin-techdocs-backend'));
 backend.add(import('@backstage/plugin-auth-backend'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
+backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));
 // See https://backstage.io/docs/auth/guest/provider
 
 // catalog plugin
@@ -42,9 +43,7 @@ backend.add(import('@backstage/plugin-catalog-backend-module-logs'));
 // permission plugin
 backend.add(import('@backstage/plugin-permission-backend'));
 // See https://backstage.io/docs/permissions/getting-started for how to create your own permission policy
-backend.add(
-  import('@backstage/plugin-permission-backend-module-allow-all-policy'),
-);
+backend.add(import('@backstage-community/plugin-rbac-backend'));
 
 // search plugin
 backend.add(import('@backstage/plugin-search-backend'));

workspaces/scorecard/plugins/scorecard-backend/README.md

@@ -21,10 +21,70 @@ backend.add(
 );
 ```
 
+## RBAC permissions
+
+Scorecard plugin provides the following permissions:
+
+| Name                  | Resource Type    | Policy | Description                               | Requirements        |
+| --------------------- | ---------------- | ------ | ----------------------------------------- | ------------------- |
+| scorecard.metric.read | scorecard-metric | read   | Allows the user to read scorecard metrics | catalog.entity.read |
+
+### `scorecard.metric.read`
+
+- **Description**: Allows the user to read scorecard metrics
+- **Resource Type**: `scorecard-metric`
+- **Action**: `read`
+
+This permission controls access to viewing scorecard metrics for entities.
+
+#### Condition `HAS_METRIC_ID`
+
+- Optionally allow access to only specific metrics by their identifiers.
+
+**Example RBAC policies file configuration:**
+
+```csv rbac-policy.csv
+g, user:default/<YOUR_USERNAME>, role:default/scorecard-viewer
+p, role:default/scorecard-viewer, scorecard.metric.read, read, allow
+```
+
+**Example RBAC conditional policies file configuration:**
+
+```YAML rbac-conditions.yaml
+---
+result: CONDITIONAL
+roleEntityRef: "role:default/scorecard-viewer"
+pluginId: scorecard
+resourceType: scorecard-metric
+permissionMapping:
+  - read
+conditions:
+  rule: HAS_METRIC_ID
+  resourceType: scorecard-metric
+  params:
+    metricIds: ['github.open-prs']
+```
+
+This policy would allow users to read only the GitHub Open PRs metric, while restricting access to other available metrics.
+
 ## Metric Providers
 
 The Scorecard plugin collects metrics from third-party data sources using metric providers. The Scorecard node plugin provides `scorecardMetricsExtensionPoint` extension point that is used to connect your backend plugin module that exports custom metrics via metric providers to the Scorecard backend plugin. For detailed information on creating metric providers, see [providers.md](./docs/providers.md).
 
+### Available Metric Providers
+
+The following metric providers are available:
+
+| Provider   | Metric ID          | Title            | Description                           | Type   |
+| ---------- | ------------------ | ---------------- | ------------------------------------- | ------ |
+| **GitHub** | `github.open-prs`  | GitHub open PRs  | Count of open Pull Requests in GitHub | number |
+| **Jira**   | `jira.open-issues` | Jira open issues | The number of opened issues in Jira   | number |
+
+To use these providers, install the corresponding backend modules:
+
+- GitHub: [`@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-github`](../scorecard-backend-module-github/README.md)
+- Jira: [`@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-jira`](../scorecard-backend-module-jira/README.md)
+
 ## Thresholds
 
 Thresholds define conditions that determine which category a metric value belongs to (`error`, `warning`, or `success`). The Scorecard plugin provides multiple ways to configure thresholds:

workspaces/scorecard/plugins/scorecard-backend/package.json

@@ -41,6 +41,8 @@
     "@backstage/catalog-model": "^1.7.5",
     "@backstage/errors": "^1.2.7",
     "@backstage/plugin-catalog-node": "^1.17.2",
+    "@backstage/plugin-permission-common": "^0.9.1",
+    "@backstage/plugin-permission-node": "^0.10.2",
     "@red-hat-developer-hub/backstage-plugin-scorecard-common": "workspace:^",
     "@red-hat-developer-hub/backstage-plugin-scorecard-node": "workspace:^",
     "express": "^4.17.1",