feat(Authorization): Add an endpoint to check superuser status

oheger-bosch · oheger-bosch · commit 4215152e532d · 2025-11-07T16:30:02.000+01:00
This endpoint is going to be used by the UI to adapt itself according to
the status of the current user.

Make a function of AbstractAuthorizationTest public which can be reused
here to access the authorization infrastructure.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/components/authorization/backend/build.gradle.kts b/components/authorization/backend/build.gradle.kts
@@ -40,7 +40,10 @@ dependencies {
     implementation(libs.exposedCore)
     implementation(libs.exposedJdbc)
 
+    routesImplementation(libs.ktorOpenApi)
+
     testImplementation(testFixtures(projects.dao))
+    testImplementation(testFixtures(projects.shared.ktorUtils))
 
     testImplementation(ktorLibs.client.contentNegotiation)
     testImplementation(ktorLibs.client.core)
diff --git a/components/authorization/backend/src/routes/kotlin/routes/Routing.kt b/components/authorization/backend/src/routes/kotlin/routes/Routing.kt
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.authorization.routes
+
+import io.ktor.server.routing.Route
+
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.userinfo.getSuperuser
+
+fun Route.authorizationRoutes() {
+    getSuperuser()
+}
diff --git a/components/authorization/backend/src/routes/kotlin/routes/userinfo/GetSuperuser.kt b/components/authorization/backend/src/routes/kotlin/routes/userinfo/GetSuperuser.kt
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.authorization.routes.userinfo
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.application.ApplicationCall
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.AuthorizationChecker
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.get
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
+internal fun Route.getSuperuser() = get("/authorization/superuser", {
+    operationId = "getSuperuser"
+    summary = "Check if the current user is a superuser"
+    tags = listOf("Authorization")
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+            body<Boolean> {
+                description = "Whether the current user is a superuser."
+            }
+        }
+    }
+}, userInfoChecker()) {
+    val isSuperuser = requirePrincipal().effectiveRole.isSuperuser
+    call.respond(HttpStatusCode.OK, isSuperuser.toString())
+}
+
+private fun userInfoChecker(): AuthorizationChecker =
+    object : AuthorizationChecker {
+        override suspend fun loadEffectiveRole(
+            service: AuthorizationService,
+            userId: String,
+            call: ApplicationCall
+        ): EffectiveRole {
+            return service.getEffectiveRole(userId, CompoundHierarchyId.WILDCARD)
+        }
+    }
diff --git a/components/authorization/backend/src/test/kotlin/routes/userinfo/GetSuperuserTest.kt b/components/authorization/backend/src/test/kotlin/routes/userinfo/GetSuperuserTest.kt
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.authorization.routes.userinfo
+
+import io.kotest.assertions.ktor.client.shouldHaveStatus
+import io.kotest.matchers.shouldBe
+
+import io.ktor.client.request.get
+import io.ktor.client.statement.bodyAsText
+import io.ktor.http.HttpStatusCode
+
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.authorizationRoutes
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+import org.eclipse.apoapsis.ortserver.components.authorization.service.DbAuthorizationService
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.AbstractAuthorizationTest
+
+class GetSuperuserTest : AbstractAuthorizationTest({
+    lateinit var authorizationService: AuthorizationService
+
+    beforeEach {
+        authorizationService = DbAuthorizationService(dbExtension.db)
+    }
+
+    "GET /authorization/superuser" should {
+        "return 'true' for a superuser" {
+            authorizationTestApplication(routes = { authorizationRoutes() }) { _, client ->
+                authorizationService.assignRole(
+                    TEST_USER,
+                    OrganizationRole.ADMIN,
+                    CompoundHierarchyId.WILDCARD
+                )
+
+                val response = client.get("/authorization/superuser")
+                response shouldHaveStatus HttpStatusCode.OK
+                response.bodyAsText() shouldBe "true"
+            }
+        }
+
+        "return 'false' for a normal user" {
+            authorizationTestApplication(routes = { authorizationRoutes() }) { _, client ->
+                val orgId = CompoundHierarchyId.forOrganization(OrganizationId(dbExtension.fixtures.organization.id))
+                authorizationService.assignRole(
+                    TEST_USER,
+                    OrganizationRole.ADMIN,
+                    orgId
+                )
+
+                val response = client.get("/authorization/superuser")
+                response shouldHaveStatus HttpStatusCode.OK
+                response.bodyAsText() shouldBe "false"
+            }
+        }
+
+        "require an authenticated user" {
+            requestShouldRequireAuthentication({ authorizationRoutes() }) {
+                get("/authorization/superuser")
+            }
+        }
+    }
+})
+
+private const val TEST_USER = "test-user"
diff --git a/shared/ktor-utils/src/testFixtures/kotlin/AbstractAuthorizationTest.kt b/shared/ktor-utils/src/testFixtures/kotlin/AbstractAuthorizationTest.kt
@@ -111,7 +111,7 @@ abstract class AbstractAuthorizationTest(body: AbstractAuthorizationTest.() -> U
         authorizationService = DbAuthorizationService(dbExtension.db)
     }
 
-    private fun authorizationTestApplication(
+    fun authorizationTestApplication(
         routes: Route.() -> Unit,
         block: suspend ApplicationTestBuilder.(unauthenticatedClient: HttpClient, testUserClient: HttpClient) -> Unit
     ) {

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ abstract class AbstractAuthorizationTest(body: AbstractAuthorizationTest.() -> U`
`111`	`111`	`authorizationService = DbAuthorizationService(dbExtension.db)`
`112`	`112`	`}`
`113`	`113`
`114`		`- private fun authorizationTestApplication(`
	`114`	`+ fun authorizationTestApplication(`
`115`	`115`	`routes: Route.() -> Unit,`
`116`	`116`	`block: suspend ApplicationTestBuilder.(unauthenticatedClient: HttpClient, testUserClient: HttpClient) -> Unit`
`117`	`117`	`) {`