feat(authorization): Correctly filter products

oheger-bosch · oheger-bosch · commit 5bba125df811 · 2025-11-07T11:28:00.000+01:00
In the endpoint to fetch the products of an organization, apply a
`HierarchyFilter`. Extend `OrganizationService` accordingly. This makes
sure that only products are listed that are visible to the user. If a
user has only been granted access to specific repositories, he or she
should only see the products these repositories belong to, even if there
is an implicit READ right on the organization.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/core/src/main/kotlin/api/OrganizationsRoute.kt b/core/src/main/kotlin/api/OrganizationsRoute.kt
@@ -38,6 +38,7 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.Username
 import org.eclipse.apoapsis.ortserver.components.authorization.api.OrganizationRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.delete
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.get
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.mapToModel
@@ -167,10 +168,12 @@ fun Route.organizations() = route("organizations") {
                 val orgId = call.requireIdParameter("organizationId")
                 val pagingOptions = call.pagingOptions(SortProperty("name", SortDirection.ASCENDING))
                 val filter = call.filterParameter("filter")
+                val principal = requirePrincipal()
 
                 val productsForOrganization =
-                    organizationService.listProductsForOrganization(
+                    organizationService.listProductsForOrganizationAndUser(
                         orgId,
+                        principal.username,
                         pagingOptions.mapToModel(),
                         filter?.mapToModel()
                     )
diff --git a/core/src/test/kotlin/api/OrganizationsRouteIntegrationTest.kt b/core/src/test/kotlin/api/OrganizationsRouteIntegrationTest.kt
@@ -67,6 +67,8 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityForRunsFilters
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityRating
 import org.eclipse.apoapsis.ortserver.components.authorization.api.OrganizationRole as ApiOrganizationRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.mapToModel
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.components.authorization.service.DbAuthorizationService
@@ -75,6 +77,8 @@ import org.eclipse.apoapsis.ortserver.core.TEST_USER
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.JobStatus
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.Severity
 import org.eclipse.apoapsis.ortserver.model.runs.Identifier
@@ -605,6 +609,77 @@ class OrganizationsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "return only products for which the user has ProductPermission.READ" {
+            integrationTestApplication {
+                val createdOrganization = createOrganization()
+                val orgId = createdOrganization.id
+                val otherOrg = createOrganization("otherOrg")
+
+                val name1 = "name1"
+                val name2 = "name2"
+                val description = "description"
+
+                val createdProduct1 =
+                    organizationService.createProduct(name = name1, description = description, organizationId = orgId)
+                val createdProduct2 =
+                    organizationService.createProduct(name = name2, description = description, organizationId = orgId)
+                organizationService.createProduct(name = "name3", description = description, organizationId = orgId)
+                val createdRepo = productService.createRepository(
+                    RepositoryType.GIT,
+                    "https://example.com/repo.git",
+                    createdProduct2.id,
+                    null
+                )
+                val productInOtherOrg = organizationService.createProduct(
+                    name = "otherOrgProduct",
+                    description = description,
+                    organizationId = otherOrg.id
+                )
+
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    ProductRole.READER,
+                    CompoundHierarchyId.forProduct(
+                        OrganizationId(createdOrganization.id),
+                        ProductId(createdProduct1.id)
+                    )
+                )
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    ProductRole.READER,
+                    CompoundHierarchyId.forProduct(
+                        OrganizationId(otherOrg.id),
+                        ProductId(productInOtherOrg.id)
+                    )
+                )
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    RepositoryRole.WRITER,
+                    CompoundHierarchyId.forRepository(
+                        OrganizationId(createdOrganization.id),
+                        ProductId(createdProduct2.id),
+                        RepositoryId(createdRepo.id)
+                    )
+                )
+
+                val response = testUserClient.get("/api/v1/organizations/$orgId/products")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                response shouldHaveBody PagedResponse(
+                    listOf(
+                        Product(createdProduct1.id, orgId, name1, description),
+                        Product(createdProduct2.id, orgId, name2, description)
+                    ),
+                    PagingData(
+                        limit = DEFAULT_LIMIT,
+                        offset = 0,
+                        totalCount = 2,
+                        sortProperties = listOf(SortProperty("name", SortDirection.ASCENDING))
+                    )
+                )
+            }
+        }
+
         "support query parameters" {
             integrationTestApplication {
                 val orgId = createOrganization().id
diff --git a/services/hierarchy/src/main/kotlin/OrganizationService.kt b/services/hierarchy/src/main/kotlin/OrganizationService.kt
@@ -20,11 +20,14 @@
 package org.eclipse.apoapsis.ortserver.services
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
 import org.eclipse.apoapsis.ortserver.dao.repositories.product.ProductsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
 import org.eclipse.apoapsis.ortserver.model.Organization
+import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.Product
 import org.eclipse.apoapsis.ortserver.model.repositories.OrganizationRepository
 import org.eclipse.apoapsis.ortserver.model.repositories.ProductRepository
 import org.eclipse.apoapsis.ortserver.model.util.FilterParameter
@@ -115,6 +118,25 @@ class OrganizationService(
         productRepository.listForOrganization(organizationId, parameters, filter)
     }
 
+    /**
+     * List all products for an [organization][organizationId] that are visible to the user with the given [userId],
+     * applying the given [parameters] and optional [nameFilter].
+     */
+    suspend fun listProductsForOrganizationAndUser(
+        organizationId: Long,
+        userId: String,
+        parameters: ListQueryParameters = ListQueryParameters.DEFAULT,
+        nameFilter: FilterParameter? = null
+    ): ListQueryResult<Product> {
+        val productFilter = authorizationService.filterHierarchyIds(
+            userId,
+            ProductRole.READER,
+            OrganizationId(organizationId)
+        )
+
+        return productRepository.list(parameters, nameFilter, productFilter)
+    }
+
     /**
      * Update an organization by [organizationId] with the [present][OptionalValue.Present] values.
      */
diff --git a/services/hierarchy/src/test/kotlin/OrganizationServiceTest.kt b/services/hierarchy/src/test/kotlin/OrganizationServiceTest.kt
@@ -27,13 +27,15 @@ import io.mockk.coEvery
 import io.mockk.mockk
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.dao.repositories.organization.DaoOrganizationRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.product.DaoProductRepository
 import org.eclipse.apoapsis.ortserver.dao.test.DatabaseTestExtension
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
 import org.eclipse.apoapsis.ortserver.model.util.HierarchyFilter
 
 import org.jetbrains.exposed.sql.Database
@@ -97,4 +99,39 @@ class OrganizationServiceTest : WordSpec({
             organizations.data shouldContainExactlyInAnyOrder listOf(fixtures.organization, org2)
         }
     }
+
+    "listOrganizationsForUserAndOrganization" should {
+        "filter for products visible to a specific user in a specific organization" {
+            val userId = "test-user"
+            val org1Id = fixtures.organization.id
+            val prod1 = fixtures.createProduct("product", organizationId = org1Id)
+            val prod2 = fixtures.createProduct("product2", organizationId = org1Id)
+            fixtures.createProduct("hiddenProduct")
+            val prod1HierarchyId = CompoundHierarchyId.forProduct(
+                OrganizationId(org1Id),
+                ProductId(prod1.id)
+            )
+            val prod2HierarchyId = CompoundHierarchyId.forProduct(
+                OrganizationId(org1Id),
+                ProductId(prod2.id)
+            )
+
+            val authService = mockk<AuthorizationService> {
+                coEvery {
+                    filterHierarchyIds(userId, ProductRole.READER, OrganizationId(org1Id))
+                } returns HierarchyFilter(
+                    transitiveIncludes = mapOf(
+                        CompoundHierarchyId.PRODUCT_LEVEL to listOf(prod1HierarchyId, prod2HierarchyId)
+                    ),
+                    nonTransitiveIncludes = emptyMap()
+                )
+            }
+
+            val service = OrganizationService(db, organizationRepository, productRepository, authService)
+            val products = service.listProductsForOrganizationAndUser(org1Id, userId)
+
+            products.totalCount shouldBe 2
+            products.data shouldContainExactlyInAnyOrder listOf(prod1, prod2)
+        }
+    }
 })
