feat(authorization): Support checking for a principal

oheger-bosch · oheger-bosch · commit 61d3543b825a · 2025-11-06T11:28:56.000+01:00
Add an extension function to `OrtServerPrincipal` that allows checking
whether an authenticated principal exists in the current routing context.
This is needed for some routes that require an authenticated user, even
if no specific permissions are checked.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt b/components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt
@@ -21,6 +21,9 @@ package org.eclipse.apoapsis.ortserver.components.authorization.routes
 
 import com.auth0.jwt.interfaces.Payload
 
+import io.ktor.server.auth.principal
+import io.ktor.server.routing.RoutingContext
+
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
 
 /**
@@ -82,6 +85,13 @@ class OrtServerPrincipal(
                 role = null,
                 validationException = exception
             )
+
+        /**
+         * Make sure that the current [RoutingContext] contains an authorized [OrtServerPrincipal] and return it.
+         * Throw an [AuthorizationException] otherwise.
+         */
+        fun RoutingContext.requirePrincipal(): OrtServerPrincipal =
+            call.principal<OrtServerPrincipal>() ?: throw AuthorizationException()
     }
 
     /**
diff --git a/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt b/components/authorization/backend/src/test/kotlin/routes/AuthorizedRoutesTest.kt
@@ -66,6 +66,7 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.Organizati
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.PermissionChecker
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.components.authorization.service.InvalidHierarchyIdException
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
@@ -194,6 +195,26 @@ class AuthorizedRoutesTest : WordSpec() {
                 }
             }
 
+            "support checks for an authenticated principal" {
+                runAuthorizationTest(
+                    mockk(),
+                    routeBuilder = {
+                        route("test") {
+                            get(testDocs) {
+                                val principal = requirePrincipal()
+                                principal.username shouldBe USERNAME
+                                principal.effectiveRole.elementId shouldBe CompoundHierarchyId.WILDCARD
+
+                                call.respond(HttpStatusCode.OK)
+                            }
+                        }
+                    }
+                ) { client ->
+                    val response = client.get("test")
+                    response.status shouldBe HttpStatusCode.OK
+                }
+            }
+
             "support GET with an organization permission" {
                 runAuthorizationTest(
                     OrganizationPermission.WRITE_SECRETS,
diff --git a/components/authorization/backend/src/test/kotlin/routes/OrtServerPrincipalTest.kt b/components/authorization/backend/src/test/kotlin/routes/OrtServerPrincipalTest.kt
@@ -25,10 +25,14 @@ import io.kotest.assertions.throwables.shouldThrow
 import io.kotest.core.spec.style.WordSpec
 import io.kotest.matchers.shouldBe
 
+import io.ktor.server.auth.principal
+import io.ktor.server.routing.RoutingContext
+
 import io.mockk.every
 import io.mockk.mockk
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
 
 class OrtServerPrincipalTest : WordSpec({
     "create()" should {
@@ -119,4 +123,16 @@ class OrtServerPrincipalTest : WordSpec({
             }
         }
     }
+
+    "requirePrincipal()" should {
+        "throw an exception if no principal is present in the routing context" {
+            val context = mockk<RoutingContext> {
+                every { call.principal<OrtServerPrincipal>() } returns null
+            }
+
+            shouldThrow<AuthorizationException> {
+                context.requirePrincipal()
+            }
+        }
+    }
 })
