feat(authorization): Fix the status code for failed authorization

oheger-bosch · oheger-bosch · commit 3db932576854 · 2025-10-22T10:19:40.000+02:00
If a request fails because of missing permissions, return the correct
status code 403. Add a new `AuthorizationException` that is thrown in
this case and can be mapped to the corresponding status code.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/components/authorization/backend/build.gradle.kts b/components/authorization/backend/build.gradle.kts
@@ -44,6 +44,7 @@ dependencies {
 
     testImplementation(ktorLibs.client.contentNegotiation)
     testImplementation(ktorLibs.client.core)
+    testImplementation(ktorLibs.server.statusPages)
     testImplementation(ktorLibs.server.testHost)
     testImplementation(ktorLibs.utils)
     testImplementation(libs.kotestAssertionsCore)
diff --git a/components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt b/components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt
@@ -29,6 +29,7 @@ import io.github.smiley4.ktoropenapi.post
 import io.github.smiley4.ktoropenapi.put
 
 import io.ktor.server.application.ApplicationCall
+import io.ktor.server.auth.principal
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.RouteSelector
 import io.ktor.server.routing.RouteSelectorEvaluation
@@ -51,17 +52,13 @@ suspend fun ApplicationCall.createAuthorizedPrincipal(
     (this as? RoutingPipelineCall)?.let { routingCall ->
         val checker = routingCall.route.findAuthorizationChecker()
 
-        val effectiveRole = if (checker != null) {
-            checker.loadEffectiveRole(
-                service = authorizationService,
-                userId = payload.getClaim("preferred_username").asString(),
-                call = this
-            ).takeIf { checker.checkAuthorization(it) }
-        } else {
-            EffectiveRole.EMPTY
-        }
+        val effectiveRole = checker?.loadEffectiveRole(
+            service = authorizationService,
+            userId = payload.getClaim("preferred_username").asString(),
+            call = this
+        ) ?: EffectiveRole.EMPTY
 
-        effectiveRole?.let { OrtServerPrincipal.create(payload, it) }
+        OrtServerPrincipal.create(payload, effectiveRole)
     }
 
 /**
@@ -71,7 +68,7 @@ fun Route.get(
     builder: RouteConfig.() -> Unit,
     checker: AuthorizationChecker,
     body: suspend RoutingContext.() -> Unit
-): Route = documentedAuthorized(checker) { get(builder, body) }
+): Route = documentedAuthorized(checker, body) { get(builder, it) }
 
 /**
  * Create a new [Route] for HTTP POST requests that performs an automatic authorization check using the given [checker].
@@ -80,7 +77,7 @@ fun Route.post(
     builder: RouteConfig.() -> Unit,
     checker: AuthorizationChecker,
     body: suspend RoutingContext.() -> Unit
-): Route = documentedAuthorized(checker) { post(builder, body) }
+): Route = documentedAuthorized(checker, body) { post(builder, it) }
 
 /**
  * Create a new [Route] for HTTP PATCH requests that performs an automatic authorization check using the given
@@ -90,7 +87,7 @@ fun Route.patch(
     builder: RouteConfig.() -> Unit,
     checker: AuthorizationChecker,
     body: suspend RoutingContext.() -> Unit
-): Route = documentedAuthorized(checker) { patch(builder, body) }
+): Route = documentedAuthorized(checker, body) { patch(builder, it) }
 
 /**
  * Create a new [Route] for HTTP PUT requests that performs an automatic authorization check using the given
@@ -100,7 +97,7 @@ fun Route.put(
     builder: RouteConfig.() -> Unit,
     checker: AuthorizationChecker,
     body: suspend RoutingContext.() -> Unit
-): Route = documentedAuthorized(checker) { put(builder, body) }
+): Route = documentedAuthorized(checker, body) { put(builder, it) }
 
 /**
  * Create a new [Route] for HTTP DELETE requests that performs an automatic authorization check using the given
@@ -110,16 +107,31 @@ fun Route.delete(
     builder: RouteConfig.() -> Unit,
     checker: AuthorizationChecker,
     body: suspend RoutingContext.() -> Unit
-): Route = documentedAuthorized(checker) { delete(builder, body) }
+): Route = documentedAuthorized(checker, body) { delete(builder, it) }
 
 /**
  * Generic function to create a new [Route] that performs an automatic authorization check using the given [checker].
- * The content of the route is defined by the given [build] function.
+ * The content of the route is defined by the given original [body] and the [build] function.
  */
-private fun Route.documentedAuthorized(checker: AuthorizationChecker, build: Route.() -> Unit): Route {
+private fun Route.documentedAuthorized(
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit,
+    build: Route.(suspend RoutingContext.() -> Unit) -> Unit
+): Route {
     val authorizedRoute = createChild(authorizedRouteSelector(checker.toString()))
     authorizedRoute.attributes.put(AuthorizationCheckerKey, checker)
-    authorizedRoute.build()
+
+    val authorizedBody: suspend RoutingContext.() -> Unit = {
+        val principal = call.principal<OrtServerPrincipal>() ?: throw AuthorizationException()
+
+        if (!checker.checkAuthorization(principal.effectiveRole)) {
+            throw AuthorizationException()
+        }
+
+        body()
+    }
+
+    authorizedRoute.build(authorizedBody)
     return authorizedRoute
 }
 
@@ -160,3 +172,9 @@ object AuthenticationProviders {
      */
     const val TOKEN_PROVIDER = "token"
 }
+
+/**
+ * An exception class to indicate a failed authorization check. Such exceptions are thrown by the route functions when
+ * the current user does not have the required permissions. They are mapped to HTTP 403 Forbidden responses.
+ */
+class AuthorizationException : RuntimeException()
diff --git a/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt b/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt
@@ -44,6 +44,7 @@ import io.ktor.server.auth.Authentication
 import io.ktor.server.auth.authenticate
 import io.ktor.server.auth.jwt.jwt
 import io.ktor.server.auth.principal
+import io.ktor.server.plugins.statuspages.StatusPages
 import io.ktor.server.response.respond
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.route
@@ -93,6 +94,12 @@ class AuthorizedRoutesTest : WordSpec() {
                     }
                 }
 
+                install(StatusPages) {
+                    exception<AuthorizationException> { call, _ ->
+                        call.respond(HttpStatusCode.Forbidden)
+                    }
+                }
+
                 routing {
                     authenticate(AuthenticationProviders.TOKEN_PROVIDER, build = routeBuilder)
                 }
@@ -264,6 +271,113 @@ class AuthorizedRoutesTest : WordSpec() {
                 }
             }
         }
+
+        "failed authorization checks" should {
+            "return a 403 response for GET with insufficient organization permission" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasOrganizationPermission(any()) } returns false
+                }
+                val service = createServiceForOrganizationRole(effectiveRole)
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            get(testDocs, requirePermission(OrganizationPermission.READ)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.Forbidden
+                }
+            }
+
+            "return a 403 response for POST with insufficient organization permission" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasOrganizationPermission(any()) } returns false
+                }
+                val service = createServiceForOrganizationRole(effectiveRole)
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            post(testDocs, requirePermission(OrganizationPermission.CREATE_PRODUCT)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.post("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.Forbidden
+                }
+            }
+
+            "return a 403 response for PATCH with insufficient organization permission" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasOrganizationPermission(any()) } returns false
+                }
+                val service = createServiceForOrganizationRole(effectiveRole)
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            patch(testDocs, requirePermission(OrganizationPermission.MANAGE_GROUPS)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.patch("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.Forbidden
+                }
+            }
+
+            "return a 403 response for PUT with insufficient organization permission" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasOrganizationPermission(any()) } returns false
+                }
+                val service = createServiceForOrganizationRole(effectiveRole)
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            put(testDocs, requirePermission(OrganizationPermission.WRITE_SECRETS)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.put("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.Forbidden
+                }
+            }
+
+            "return a 403 response for DELETE with insufficient organization permission" {
+                val effectiveRole = mockk<EffectiveRole> {
+                    every { hasOrganizationPermission(any()) } returns false
+                }
+                val service = createServiceForOrganizationRole(effectiveRole)
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            delete(testDocs, requirePermission(OrganizationPermission.DELETE)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.delete("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.Forbidden
+                }
+            }
+        }
     }
 }
 
