feat(authorization): Add more AuthorizationChecker implementations

oheger-bosch · oheger-bosch · commit 2f683e0ac3e7 · 2025-10-22T10:19:40.000+02:00
Add support for permissions on product and repository level and superuser
checks.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/components/authorization/backend/src/main/kotlin/routes/AuthorizationChecker.kt b/components/authorization/backend/src/main/kotlin/routes/AuthorizationChecker.kt
@@ -23,8 +23,13 @@ import io.ktor.server.application.ApplicationCall
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
 
 /**
@@ -57,6 +62,15 @@ interface AuthorizationChecker {
     fun checkAuthorization(effectiveRole: EffectiveRole): Boolean
 }
 
+/** The name of the request parameter referring to the organization ID. */
+private const val ORGANIZATION_ID_PARAM = "organizationId"
+
+/** The name of the request parameter referring to the product ID. */
+private const val PRODUCT_ID_PARAM = "productId"
+
+/** The name of the request parameter referring to the repository ID. */
+private const val REPOSITORY_ID_PARAM = "repositoryId"
+
 /**
  * Create an [AuthorizationChecker] that checks for the presence of the given organization-level [permission].
  */
@@ -67,10 +81,64 @@ fun requirePermission(permission: OrganizationPermission): AuthorizationChecker
             userId: String,
             call: ApplicationCall
         ): EffectiveRole =
-            service.getEffectiveRole(userId, OrganizationId(call.requireIdParameter("organizationId")))
+            service.getEffectiveRole(userId, OrganizationId(call.requireIdParameter(ORGANIZATION_ID_PARAM)))
 
         override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
             effectiveRole.hasOrganizationPermission(permission)
 
         override fun toString(): String = "RequireOrganizationPermission($permission)"
     }
+
+/**
+ * Create an [AuthorizationChecker] that checks for the presence of the given product-level [permission].
+ */
+fun requirePermission(permission: ProductPermission): AuthorizationChecker =
+    object : AuthorizationChecker {
+        override suspend fun loadEffectiveRole(
+            service: AuthorizationService,
+            userId: String,
+            call: ApplicationCall
+        ): EffectiveRole =
+            service.getEffectiveRole(userId, ProductId(call.requireIdParameter(PRODUCT_ID_PARAM)))
+
+        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
+            effectiveRole.hasProductPermission(permission)
+
+        override fun toString(): String = "RequireProductPermission($permission)"
+    }
+
+/**
+ * Create an [AuthorizationChecker] that checks for the presence of the given repository-level [permission].
+ */
+fun requirePermission(permission: RepositoryPermission): AuthorizationChecker =
+    object : AuthorizationChecker {
+        override suspend fun loadEffectiveRole(
+            service: AuthorizationService,
+            userId: String,
+            call: ApplicationCall
+        ): EffectiveRole =
+            service.getEffectiveRole(userId, RepositoryId(call.requireIdParameter(REPOSITORY_ID_PARAM)))
+
+        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
+            effectiveRole.hasRepositoryPermission(permission)
+
+        override fun toString(): String = "RequireRepositoryPermission($permission)"
+    }
+
+/**
+ * Create an [AuthorizationChecker] that checks whether the user is a superuser.
+ */
+fun requireSuperuser(): AuthorizationChecker =
+    object : AuthorizationChecker {
+        override suspend fun loadEffectiveRole(
+            service: AuthorizationService,
+            userId: String,
+            call: ApplicationCall
+        ): EffectiveRole =
+            service.getEffectiveRole(userId, CompoundHierarchyId.WILDCARD)
+
+        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
+            effectiveRole.isSuperuser
+
+        override fun toString(): String = "RequireSuperuser"
+    }
diff --git a/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt b/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt
@@ -54,6 +54,7 @@ import io.ktor.server.testing.testApplication
 import io.mockk.coEvery
 import io.mockk.every
 import io.mockk.mockk
+import io.mockk.verify
 
 import java.util.Date
 
@@ -64,6 +65,8 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.Repository
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 
 class AuthorizedRoutesTest : WordSpec() {
     /**
@@ -270,6 +273,105 @@ class AuthorizedRoutesTest : WordSpec() {
                     response.status shouldBe HttpStatusCode.OK
                 }
             }
+
+            "support requests on product level" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasProductPermission(ProductPermission.DELETE) } returns true
+                }
+                val service = mockk<AuthorizationService> {
+                    coEvery {
+                        getEffectiveRole(USERNAME, ProductId(ID_PARAMETER))
+                    } returns effectiveRole
+                }
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{productId}") {
+                            get(testDocs, requirePermission(ProductPermission.DELETE)) {
+                                call.principal<OrtServerPrincipal>().shouldNotBeNull {
+                                    username shouldBe USERNAME
+                                }
+
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.OK
+
+                    verify {
+                        effectiveRole.hasProductPermission(ProductPermission.DELETE)
+                    }
+                }
+            }
+
+            "support requests on repository level" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasRepositoryPermission(RepositoryPermission.READ) } returns true
+                }
+                val service = mockk<AuthorizationService> {
+                    coEvery {
+                        getEffectiveRole(USERNAME, RepositoryId(ID_PARAMETER))
+                    } returns effectiveRole
+                }
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{repositoryId}") {
+                            get(testDocs, requirePermission(RepositoryPermission.READ)) {
+                                call.principal<OrtServerPrincipal>().shouldNotBeNull {
+                                    username shouldBe USERNAME
+                                }
+
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.OK
+
+                    verify {
+                        effectiveRole.hasRepositoryPermission(RepositoryPermission.READ)
+                    }
+                }
+            }
+
+            "support requests that require superuser rights" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { isSuperuser } returns true
+                }
+                val service = mockk<AuthorizationService> {
+                    coEvery {
+                        getEffectiveRole(USERNAME, CompoundHierarchyId.WILDCARD)
+                    } returns effectiveRole
+                }
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            get(testDocs, requireSuperuser()) {
+                                call.principal<OrtServerPrincipal>().shouldNotBeNull {
+                                    username shouldBe USERNAME
+                                }
+
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.OK
+
+                    verify {
+                        effectiveRole.isSuperuser
+                    }
+                }
+            }
         }
 
         "failed authorization checks" should {
