feat(authorization): Handle exceptions during authentication

Exceptions that occur during authentication and the creation of a
principal all caught by Ktor and mapped to responses with status code
401. To support different mappings, also based on the `StatusPages`
plugin, record such exceptions in the `OrtServerPrincipal`, so that they
can be evaluated in route handlers, where they are handled in the usual
way.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt

@@ -52,17 +52,19 @@ suspend fun ApplicationCall.createAuthorizedPrincipal(
     (this as? RoutingPipelineCall)?.let { routingCall ->
         val checker = routingCall.route.findAuthorizationChecker()
 
-        val effectiveRole = if (checker != null) {
-            checker.loadEffectiveRole(
-                service = authorizationService,
-                userId = payload.getClaim("preferred_username").asString(),
-                call = this
-            )
-        } else {
-            EffectiveRole.EMPTY
-        }
-
-        OrtServerPrincipal.create(payload, effectiveRole)
+        runCatching {
+            val effectiveRole = if (checker != null) {
+                checker.loadEffectiveRole(
+                    service = authorizationService,
+                    userId = payload.getClaim("preferred_username").asString(),
+                    call = this
+                )
+            } else {
+                EffectiveRole.EMPTY
+            }
+
+            OrtServerPrincipal.create(payload, effectiveRole)
+        }.getOrElse(OrtServerPrincipal::fromException)
     }
 
 /**

components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt

@@ -36,6 +36,15 @@ class OrtServerPrincipal(
     /** The full name of the principal. */
     val fullName: String,
 
+    /**
+     * An exception that occurred when setting up the principal. If this is not *null*, this exception is re-thrown
+     * when querying the authorization status. The background of this property is that during authentication, all
+     * exceptions are caught by Ktor and lead to HTTP 401 responses. However, for some exceptions, different status
+     * codes are more appropriate, for instance, status 404 if a non-existing hierarchy ID was requested. This can
+     * only be achieved by storing the exception first and re-throwing it later when a route handler is active.
+     */
+    val validationException: Throwable?,
+
     /**
      * The effective role computed for the principal. This can be *null* if either no authorization is required or the
      * authorization check failed. In the latter case, an exception is thrown when the role is accessed.
@@ -57,16 +66,32 @@ class OrtServerPrincipal(
                 userId = payload.subject,
                 username = payload.getClaim(CLAIM_USERNAME).asString(),
                 fullName = payload.getClaim(CLAIM_FULL_NAME).asString(),
-                role = effectiveRole
+                role = effectiveRole,
+                validationException = null
+            )
+
+        /**
+         * Create an [OrtServerPrincipal] for the case that during authentication the given [exception] occurred. This
+         * exception is recorded, so that it can be handled later.
+         */
+        fun fromException(exception: Throwable): OrtServerPrincipal =
+            OrtServerPrincipal(
+                userId = "",
+                username = "",
+                fullName = "",
+                role = null,
+                validationException = exception
             )
     }
 
     /**
      * A flag indicating whether the principal is authorized. If this is *true*, the effective role of the principal
-     * can be accessed via [effectiveRole].
+     * can be accessed via [effectiveRole]. If a [validationException] is recorded in this instance, it is thrown
+     * when accessing this property. Since this property is typically accessed in the beginning of a route handler,
+     * this leads to proper exception handling and mapping to HTTP response status codes.
      */
     val isAuthorized: Boolean
-        get() = role != null
+        get() = validationException?.let { throw it } ?: (role != null)
 
     /**
      * The effective role of the principal if authorization was successful. Otherwise, accessing this property throws

components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt

@@ -67,6 +67,7 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.Permission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+import org.eclipse.apoapsis.ortserver.components.authorization.service.InvalidHierarchyIdException
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.HierarchyId
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
@@ -106,6 +107,9 @@ class AuthorizedRoutesTest : WordSpec() {
                     exception<AuthorizationException> { call, _ ->
                         call.respond(HttpStatusCode.Forbidden)
                     }
+                    exception<InvalidHierarchyIdException> { call, _ ->
+                        call.respond(HttpStatusCode.NotFound)
+                    }
                 }
 
                 routing {
@@ -453,6 +457,29 @@ class AuthorizedRoutesTest : WordSpec() {
                 }
             }
         }
+
+        "exceptions" should {
+            "be mapped to correct status codes" {
+                val service = mockk<AuthorizationService> {
+                    coEvery { checkPermissions(any(), any<HierarchyId>(), any()) } throws
+                        InvalidHierarchyIdException(OrganizationId(42))
+                }
+
+                runAuthorizationTest(
+                    service,
+                    routeBuilder = {
+                        route("test/{organizationId}") {
+                            get(testDocs, requirePermission(OrganizationPermission.READ)) {
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test/$ID_PARAMETER")
+                    response.status shouldBe HttpStatusCode.NotFound
+                }
+            }
+        }
     }
 }
 

components/authorization/backend/src/test/kotlin/routes/OrtServerPrincipalTest.kt

@@ -58,7 +58,8 @@ class OrtServerPrincipalTest : WordSpec({
                 userId = "user-id",
                 username = "username",
                 fullName = "Full Name",
-                role = mockk()
+                role = mockk(),
+                validationException = null
             )
 
             principal.isAuthorized shouldBe true
@@ -69,11 +70,25 @@ class OrtServerPrincipalTest : WordSpec({
                 userId = "user-id",
                 username = "username",
                 fullName = "Full Name",
-                role = null
+                role = null,
+                validationException = null
             )
 
             principal.isAuthorized shouldBe false
         }
+
+        "re-throw a validation exception if present" {
+            val exception = IllegalStateException("Validation failed")
+            val principal = OrtServerPrincipal.fromException(exception)
+
+            principal.userId shouldBe ""
+            principal.username shouldBe ""
+            principal.fullName shouldBe ""
+
+            shouldThrow<IllegalStateException> {
+                principal.isAuthorized
+            } shouldBe exception
+        }
     }
 
     "effectiveRole" should {
@@ -83,7 +98,8 @@ class OrtServerPrincipalTest : WordSpec({
                 userId = "user-id",
                 username = "username",
                 fullName = "Full Name",
-                role = effectiveRole
+                role = effectiveRole,
+                validationException = null
             )
 
             principal.effectiveRole shouldBe effectiveRole
@@ -94,7 +110,8 @@ class OrtServerPrincipalTest : WordSpec({
                 userId = "user-id",
                 username = "username",
                 fullName = "Full Name",
-                role = null
+                role = null,
+                validationException = null
             )
 
             shouldThrow<AuthorizationException> {