eclipse-apoapsis
diff --git a/‎components/authorization/backend/src/main/kotlin/routes/AuthorizationChecker.kt‎
Lines changed: 29 additions & 28 deletions b/‎components/authorization/backend/src/main/kotlin/routes/AuthorizationChecker.kt‎
Lines changed: 29 additions & 28 deletions
diff --git a/‎components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt‎
Lines changed: 11 additions & 8 deletions b/‎components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt‎
Lines changed: 21 additions & 4 deletions b/‎components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt‎
Lines changed: 21 additions & 4 deletions
@@ -22,7 +22,9 @@ package org.eclipse.apoapsis.ortserver.components.authorization.routes
 import io.ktor.server.application.ApplicationCall
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.HierarchyPermissions
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
@@ -51,15 +53,10 @@ interface AuthorizationChecker {
      * Use the provided [service] to load the [EffectiveRole] of the user with the given [userId] for the current
      * [call]. A typical implementation will figure out the ID of an element in the hierarchy (organization, product,
      * or repository) based on current call parameters. Then it can invoke the [service] to query the permissions on
-     * this element.
+     * this element. If the permission check is successful, return a properly initialized [EffectiveRole] instance.
+     * Otherwise, return *null*, which cause the request to fail with a 403 error.
      */
-    suspend fun loadEffectiveRole(service: AuthorizationService, userId: String, call: ApplicationCall): EffectiveRole
-
-    /**
-     * Check whether the given [effectiveRole] contains the permission(s) required by this [AuthorizationChecker].
-     * This function is called with the [EffectiveRole] that was loaded via [loadEffectiveRole].
-     */
-    fun checkAuthorization(effectiveRole: EffectiveRole): Boolean
+    suspend fun loadEffectiveRole(service: AuthorizationService, userId: String, call: ApplicationCall): EffectiveRole?
 }
 
 /** The name of the request parameter referring to the organization ID. */
@@ -80,11 +77,12 @@ fun requirePermission(permission: OrganizationPermission): AuthorizationChecker
             service: AuthorizationService,
             userId: String,
             call: ApplicationCall
-        ): EffectiveRole =
-            service.getEffectiveRole(userId, OrganizationId(call.requireIdParameter(ORGANIZATION_ID_PARAM)))
-
-        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
-            effectiveRole.hasOrganizationPermission(permission)
+        ): EffectiveRole? =
+            service.checkPermissions(
+                userId,
+                OrganizationId(call.requireIdParameter(ORGANIZATION_ID_PARAM)),
+                HierarchyPermissions.permissions(permission)
+            )
 
         override fun toString(): String = "RequireOrganizationPermission($permission)"
     }
@@ -98,11 +96,12 @@ fun requirePermission(permission: ProductPermission): AuthorizationChecker =
             service: AuthorizationService,
             userId: String,
             call: ApplicationCall
-        ): EffectiveRole =
-            service.getEffectiveRole(userId, ProductId(call.requireIdParameter(PRODUCT_ID_PARAM)))
-
-        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
-            effectiveRole.hasProductPermission(permission)
+        ): EffectiveRole? =
+            service.checkPermissions(
+                userId,
+                ProductId(call.requireIdParameter(PRODUCT_ID_PARAM)),
+                HierarchyPermissions.permissions(permission)
+            )
 
         override fun toString(): String = "RequireProductPermission($permission)"
     }
@@ -116,11 +115,12 @@ fun requirePermission(permission: RepositoryPermission): AuthorizationChecker =
             service: AuthorizationService,
             userId: String,
             call: ApplicationCall
-        ): EffectiveRole =
-            service.getEffectiveRole(userId, RepositoryId(call.requireIdParameter(REPOSITORY_ID_PARAM)))
-
-        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
-            effectiveRole.hasRepositoryPermission(permission)
+        ): EffectiveRole? =
+            service.checkPermissions(
+                userId,
+                RepositoryId(call.requireIdParameter(REPOSITORY_ID_PARAM)),
+                HierarchyPermissions.permissions(permission)
+            )
 
         override fun toString(): String = "RequireRepositoryPermission($permission)"
     }
@@ -134,11 +134,12 @@ fun requireSuperuser(): AuthorizationChecker =
             service: AuthorizationService,
             userId: String,
             call: ApplicationCall
-        ): EffectiveRole =
-            service.getEffectiveRole(userId, CompoundHierarchyId.WILDCARD)
-
-        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
-            effectiveRole.isSuperuser
+        ): EffectiveRole? =
+            service.checkPermissions(
+                userId,
+                CompoundHierarchyId.WILDCARD,
+                HierarchyPermissions.permissions(OrganizationRole.ADMIN)
+            )?.takeIf { it.isSuperuser }
 
         override fun toString(): String = "RequireSuperuser"
     }
@@ -52,11 +52,15 @@ suspend fun ApplicationCall.createAuthorizedPrincipal(
     (this as? RoutingPipelineCall)?.let { routingCall ->
         val checker = routingCall.route.findAuthorizationChecker()
 
-        val effectiveRole = checker?.loadEffectiveRole(
-            service = authorizationService,
-            userId = payload.getClaim("preferred_username").asString(),
-            call = this
-        ) ?: EffectiveRole.EMPTY
+        val effectiveRole = if (checker != null) {
+            checker.loadEffectiveRole(
+                service = authorizationService,
+                userId = payload.getClaim("preferred_username").asString(),
+                call = this
+            )
+        } else {
+            EffectiveRole.EMPTY
+        }
 
         OrtServerPrincipal.create(payload, effectiveRole)
     }
@@ -122,9 +126,8 @@ private fun Route.documentedAuthorized(
     authorizedRoute.attributes.put(AuthorizationCheckerKey, checker)
 
     val authorizedBody: suspend RoutingContext.() -> Unit = {
-        val principal = call.principal<OrtServerPrincipal>() ?: throw AuthorizationException()
-
-        if (!checker.checkAuthorization(principal.effectiveRole)) {
+        // Check whether an authorized principal is available in the call.
+        if (call.principal<OrtServerPrincipal>()?.isAuthorized != true) {
             throw AuthorizationException()
         }
 
 
@@ -36,8 +36,11 @@ class OrtServerPrincipal(
     /** The full name of the principal. */
     val fullName: String,
 
-    /** The effective role computed for the principal. */
-    val effectiveRole: EffectiveRole
+    /**
+     * The effective role computed for the principal. This can be *null* if either no authorization is required or the
+     * authorization check failed. In the latter case, an exception is thrown when the role is accessed.
+     */
+    private val role: EffectiveRole?
 ) {
     companion object {
         /** Constant for the name of the claim containing the username. */
@@ -49,12 +52,26 @@ class OrtServerPrincipal(
         /**
          * Create an [OrtServerPrincipal] from the given JWT [payload] and [effectiveRole].
          */
-        fun create(payload: Payload, effectiveRole: EffectiveRole): OrtServerPrincipal =
+        fun create(payload: Payload, effectiveRole: EffectiveRole?): OrtServerPrincipal =
             OrtServerPrincipal(
                 userId = payload.subject,
                 username = payload.getClaim(CLAIM_USERNAME).asString(),
                 fullName = payload.getClaim(CLAIM_FULL_NAME).asString(),
-                effectiveRole = effectiveRole
+                role = effectiveRole
             )
     }
+
+    /**
+     * A flag indicating whether the principal is authorized. If this is *true*, the effective role of the principal
+     * can be accessed via [effectiveRole].
+     */
+    val isAuthorized: Boolean
+        get() = role != null
+
+    /**
+     * The effective role of the principal if authorization was successful. Otherwise, accessing this property throws
+     * an [AuthorizationException].
+     */
+    val effectiveRole: EffectiveRole
+        get() = role ?: throw AuthorizationException()
 }