feat: Allow to restore vulnerability resolution definitions

lamppu · lamppu · commit 64347f68bf9e · 2025-10-30T09:36:18.000+02:00
Signed-off-by: Johanna Lamppu &lt;johanna.lamppu@doubleopen.org&gt;
diff --git a/components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt b/components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt
@@ -95,6 +95,30 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
         VulnerabilityResolutionDefinitionsTable.get(id)
     }
 
+    suspend fun restore(id: Long, userDisplayName: UserDisplayName): VulnerabilityResolutionDefinition = db.dbQuery {
+        val user =
+            UserDisplayNameDao.insertOrUpdate(userDisplayName) ?: throw NullPointerException("No user created or found")
+
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            archivedInput = false.asPresent()
+        )
+
+        ChangeLogTable.insert(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            id.toString(),
+            user.id.value,
+            ChangeEventAction.RESTORE
+        )
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id),
+            "Vulnerability resolution definition restored."
+        )
+
+        VulnerabilityResolutionDefinitionsTable.get(id)
+    }
+
     suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
         VulnerabilityResolutionDefinitionsTable
             .getOrNull(id)
diff --git a/components/resolutions/backend/src/routes/kotlin/Routing.kt b/components/resolutions/backend/src/routes/kotlin/Routing.kt
@@ -23,6 +23,7 @@ import io.ktor.server.routing.Route
 
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.restoreVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 /** Add all resolutions routes. */
@@ -32,4 +33,5 @@ fun Route.resolutionsRoutes(
 ) {
     postVulnerabilityResolutionDefinition(ortRunService, vulnerabilityResolutionDefinitionService)
     deleteVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
+    restoreVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
 }
diff --git a/components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/RestoreVulnerabilityResolutionDefinition.kt b/components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/RestoreVulnerabilityResolutionDefinition.kt
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.post
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.restoreVulnerabilityResolutionDefinition(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = post("/resolutions/vulnerabilities/{id}/restore", {
+    operationId = "RestoreVulnerabilityResolutionDefinition"
+    summary = "Restore a vulnerability resolution definition"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition."
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Restore Vulnerability Resolution Definition") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                        comment = "Comment",
+                        archived = false,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-03T00:00:00Z"),
+                                ChangeEventAction.ARCHIVE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-04T00:00:00Z"),
+                                ChangeEventAction.RESTORE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.Conflict to {
+            description = "The vulnerability resolution definition is not archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id)
+
+    if (definition == null) throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (!definition.archived) {
+        call.respond(HttpStatusCode.NoContent)
+        return@post
+    }
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@post
+    }
+
+    val vulnerabilityResolutionDefinition =
+        vulnerabilityResolutionDefinitionService.restore(id, userDisplayName).mapToApi()
+
+    call.respond(HttpStatusCode.OK, vulnerabilityResolutionDefinition)
+}
diff --git a/components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt b/components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt
@@ -169,6 +169,49 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
         }
     }
 
+    "restore" should {
+        "restore an archived vulnerability resolution definition" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            definitionService.archive(definitionId, userDisplayName)
+
+            val restoredDefinition = definitionService.restore(definitionId, userDisplayName)
+
+            with(restoredDefinition) {
+                archived shouldBe false
+                changes shouldHaveSize 3
+
+                with(changes[0]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes[1]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.ARCHIVE
+                }
+
+                with(changes[2]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.RESTORE
+                }
+            }
+        }
+    }
+
     "getById" should {
         "return the vulnerability resolution definition if it exists" {
             val userDisplayName = UserDisplayName(
diff --git a/components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt b/components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt
@@ -148,4 +148,37 @@ class ResolutionsAuthorizationTest : AbstractAuthorizationTest({
             }
         }
     }
+
+    "RestoreVulnerabilityResolutionDefinition" should {
+        "require role RepositoryPermission.WRITE.roleName(repositoryId)" {
+            val userDisplayName = UserDisplayName("abc", "Test")
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                createBody.idMatchers,
+                createBody.reason.mapToModel(),
+                createBody.comment
+            ).id
+
+            definitionService.archive(definitionId, userDisplayName)
+
+            requestShouldRequireRole(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                role = RepositoryPermission.WRITE.roleName(repositoryId)
+            ) {
+                post("/resolutions/vulnerabilities/$definitionId/restore")
+            }
+        }
+
+        "respond with 'Forbidden' when repository ID cannot be resolved" {
+            requestShouldRequireAuthentication(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                successStatus = HttpStatusCode.Forbidden
+            ) {
+                post("/resolutions/vulnerabilities/9999/restore")
+            }
+        }
+    }
 })
diff --git a/components/resolutions/backend/src/test/kotlin/routes/vulnerabilities/RestoreVulnerabilityResolutionDefinition.kt b/components/resolutions/backend/src/test/kotlin/routes/vulnerabilities/RestoreVulnerabilityResolutionDefinition.kt
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.kotest.assertions.ktor.client.shouldHaveStatus
+import io.kotest.matchers.collections.shouldHaveSize
+import io.kotest.matchers.shouldBe
+
+import io.ktor.client.call.body
+import io.ktor.client.request.delete
+import io.ktor.client.request.post
+import io.ktor.client.request.setBody
+import io.ktor.http.HttpStatusCode
+
+import org.eclipse.apoapsis.ortserver.components.resolutions.CreateVulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.components.resolutions.ResolutionsIntegrationTest
+import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+
+class RestoreVulnerabilityResolutionDefinition : ResolutionsIntegrationTest({
+    var runId = 0L
+
+    lateinit var fixtures: Fixtures
+
+    beforeEach {
+        fixtures = dbExtension.fixtures
+        runId = fixtures.ortRun.id
+    }
+
+    "RestoreVulnerabilityResolutionDefinition" should {
+        "restore the definition" {
+            resolutionsTestApplication { client ->
+                val createResponse = client.post("/resolutions/vulnerabilities") {
+                    setBody(
+                        CreateVulnerabilityResolutionDefinition(
+                            runId,
+                            listOf("CVE-2020-15250"),
+                            VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                            "Comment."
+                        )
+                    )
+                }
+
+                val definitionId = (createResponse.body<VulnerabilityResolutionDefinition>()).id
+
+                client.delete("/resolutions/vulnerabilities/$definitionId")
+
+                val restoreResponse = client.post("/resolutions/vulnerabilities/$definitionId/restore")
+
+                restoreResponse shouldHaveStatus HttpStatusCode.OK
+
+                with(restoreResponse.body<VulnerabilityResolutionDefinition>()) {
+                    idMatchers shouldBe listOf("CVE-2020-15250")
+                    reason shouldBe VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY
+                    comment shouldBe "Comment."
+                    archived shouldBe false
+                    changes shouldHaveSize 3
+                    changes[0].user shouldBe UserDisplayName("test", "Test User")
+                    changes[0].action shouldBe ChangeEventAction.CREATE
+                    changes[1].user shouldBe UserDisplayName("test", "Test User")
+                    changes[1].action shouldBe ChangeEventAction.ARCHIVE
+                    changes[2].user shouldBe UserDisplayName("test", "Test User")
+                    changes[2].action shouldBe ChangeEventAction.RESTORE
+                }
+            }
+        }
+
+        "respond with 'No content' if the definition is not archived" {
+            resolutionsTestApplication { client ->
+                val createResponse = client.post("/resolutions/vulnerabilities") {
+                    setBody(
+                        CreateVulnerabilityResolutionDefinition(
+                            runId,
+                            listOf("CVE-2020-15250"),
+                            VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                            "Comment."
+                        )
+                    )
+                }
+
+                val definitionId = (createResponse.body<VulnerabilityResolutionDefinition>()).id
+
+                val restoreResponse = client.post("/resolutions/vulnerabilities/$definitionId/restore")
+
+                restoreResponse shouldHaveStatus HttpStatusCode.NoContent
+            }
+        }
+    }
+})
