feat(authorization): Implement migration to new rights structures

Extend `KeycloakAuthorizationService` by a function that can create
structures in the database that correspond to the roles and permissions
currently kept in Keycloak. The function is going to be called on startup
of ORT Server to perform a one-time migration.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization-keycloak/backend/build.gradle.kts

@@ -26,6 +26,7 @@ group = "org.eclipse.apoapsis.ortserver.components.authorization.keycloak"
 
 dependencies {
     api(projects.clients.keycloak)
+    api(projects.components.authorization.backend)
     api(projects.components.authorizationKeycloak.apiModel)
     api(projects.model)
 

components/authorization-keycloak/backend/src/main/kotlin/service/AuthorizationService.kt

@@ -128,4 +128,11 @@ interface AuthorizationService {
      * Return a [Set] with the names of all roles assigned to the user with the given [userId].
      */
     suspend fun getUserRoleNames(userId: String): Set<String>
+
+    /**
+     * Perform a one-time migration of roles stored in Keycloak to the database. The migration happens if and only if
+     * the table with role assignments is empty. It is then populated with data corresponding to the current set of
+     * groups existing in Keycloak. The return value indicates whether a migration was performed.
+     */
+    suspend fun migrateRolesToDb(): Boolean
 }

components/authorization-keycloak/backend/src/main/kotlin/service/KeycloakAuthorizationService.kt

@@ -27,6 +27,7 @@ import org.eclipse.apoapsis.ortserver.clients.keycloak.KeycloakClient
 import org.eclipse.apoapsis.ortserver.clients.keycloak.RoleName
 import org.eclipse.apoapsis.ortserver.clients.keycloak.UserId
 import org.eclipse.apoapsis.ortserver.clients.keycloak.UserName
+import org.eclipse.apoapsis.ortserver.components.authorization.db.RoleAssignmentsTable
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
@@ -35,8 +36,20 @@ import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.roles.Pr
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.roles.RepositoryRole
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.roles.Role
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.roles.Superuser
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole as DbOrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole as DbProductRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole as DbRepositoryRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role as DbRole
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService as DbAuthorizationService
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
+import org.eclipse.apoapsis.ortserver.dao.repositories.organization.OrganizationsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.product.ProductsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.HierarchyId
+import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.repositories.OrganizationRepository
 import org.eclipse.apoapsis.ortserver.model.repositories.ProductRepository
 import org.eclipse.apoapsis.ortserver.model.repositories.RepositoryRepository
@@ -53,7 +66,7 @@ internal const val ROLE_DESCRIPTION = "This role is auto-generated, do not edit
 /**
  * An implementation of [AuthorizationService], based on [Keycloak](https://www.keycloak.org/).
  */
-@Suppress("TooManyFunctions")
+@Suppress("TooManyFunctions", "LargeClass")
 class KeycloakAuthorizationService(
     private val keycloakClient: KeycloakClient,
     private val db: Database,
@@ -65,7 +78,13 @@ class KeycloakAuthorizationService(
      * A prefix for Keycloak group names, to be used when multiple instances of ORT Server share the same Keycloak
      * realm.
      */
-    private val keycloakGroupPrefix: String
+    private val keycloakGroupPrefix: String,
+
+    /**
+     * The reworked authorization service that stores authorization data in the database. This is used for the
+     * migration functionality.
+     */
+    private val dbAuthorizationService: DbAuthorizationService
 ) : AuthorizationService {
     override suspend fun createOrganizationPermissions(organizationId: Long) {
         OrganizationPermission.getRolesForOrganization(organizationId).forEach { roleName ->
@@ -780,4 +799,165 @@ class KeycloakAuthorizationService(
         return keycloakClient.getUserClientRoles(UserId(userId))
             .mapTo(mutableSetOf()) { role -> role.name.value }
     }
+
+    override suspend fun migrateRolesToDb(): Boolean {
+        if (!canMigrate()) return false
+
+        logger.warn("Starting migration of Keycloak roles to database-based roles.")
+
+        val organizationIds = db.dbQuery {
+            OrganizationsTable.select(OrganizationsTable.id)
+                .map { it[OrganizationsTable.id].value }
+        }
+
+        logger.info("Migrating {} organizations.", organizationIds.size)
+        organizationIds.forEach { organizationId ->
+            migrateOrganizationRolesToDb(organizationId)
+        }
+
+        logger.info("Migrating superusers")
+        migrateUsersInGroupToDb(
+            GroupName(keycloakGroupPrefix + Superuser.GROUP_NAME),
+            DbOrganizationRole.ADMIN,
+            CompoundHierarchyId.WILDCARD
+        )
+
+        return true
+    }
+
+    /**
+     * Migrate the access rights for the organization with the given [organizationId] to the new database-based roles.
+     * This includes the migration of all products and repositories belonging to the organization.
+     */
+    private suspend fun migrateOrganizationRolesToDb(organizationId: Long) {
+        logger.info("Migrating roles for organization '{}'.", organizationId)
+        val organizationHierarchyId = CompoundHierarchyId.forOrganization(OrganizationId(organizationId))
+
+        migrateElementRolesToDb(
+            oldRoles = OrganizationRole.entries,
+            newRoles = DbOrganizationRole.entries,
+            id = OrganizationId(organizationId),
+            newHierarchyID = organizationHierarchyId
+        )
+
+        val productIds = db.dbQuery {
+            ProductsTable.select(ProductsTable.id)
+                .where { ProductsTable.organizationId eq organizationId }
+                .map { it[ProductsTable.id].value }
+        }
+
+        logger.info("Migrating {} products for organization '{}'.", productIds.size, organizationId)
+        productIds.forEach { productId ->
+            val productHierarchyId = CompoundHierarchyId.forProduct(
+                OrganizationId(organizationId),
+                ProductId(productId)
+            )
+            migrateProductRolesToDb(productHierarchyId)
+        }
+    }
+
+    /**
+     * Migrate the access rights for the product with the given [productHierarchyId] to the new database-based roles.
+     * This includes the migration of all repositories belonging to the product.
+     */
+    private suspend fun migrateProductRolesToDb(productHierarchyId: CompoundHierarchyId) {
+        val productId = requireNotNull(productHierarchyId.productId)
+        logger.info("Migrating roles for product '{}'.", productId)
+
+        migrateElementRolesToDb(
+            oldRoles = ProductRole.entries,
+            newRoles = DbProductRole.entries,
+            id = productId,
+            productHierarchyId
+        )
+
+        val repositoryIds = db.dbQuery {
+            RepositoriesTable.select(RepositoriesTable.id)
+                .where { RepositoriesTable.productId eq productId.value }
+                .map { it[RepositoriesTable.id].value }
+        }
+
+        logger.info("Migrating {} repositories for product '{}'.", repositoryIds.size, productId)
+        repositoryIds.forEach { repositoryId ->
+            val repositoryHierarchyId = CompoundHierarchyId.forRepository(
+                requireNotNull(productHierarchyId.organizationId),
+                productId,
+                RepositoryId(repositoryId)
+            )
+            migrateRepositoryRolesToDb(repositoryHierarchyId)
+        }
+    }
+
+    /**
+     * Migrate the access rights for the repository with the given [repositoryId] to the new database-based roles.
+     */
+    private suspend fun migrateRepositoryRolesToDb(repositoryId: CompoundHierarchyId) {
+        logger.info("Migrating roles for repository '{}'.", repositoryId.repositoryId)
+
+        migrateElementRolesToDb(
+            oldRoles = RepositoryRole.entries,
+            newRoles = DbRepositoryRole.entries,
+            id = requireNotNull(repositoryId.repositoryId),
+            repositoryId
+        )
+    }
+
+    /**
+     * Migrate all users in the given [oldRoles] to the corresponding [newRoles] for the hierarchy element with the
+     * given [id] and [newHierarchyID].
+     */
+    private suspend fun <ID : HierarchyId> migrateElementRolesToDb(
+        oldRoles: Collection<Role<*, ID>>,
+        newRoles: Collection<DbRole>,
+        id: ID,
+        newHierarchyID: CompoundHierarchyId
+    ) {
+        oldRoles.zip(newRoles).forEach { (oldRole, newRole) ->
+            migrateUsersForRoleToDb(oldRole, newRole, id, newHierarchyID)
+        }
+    }
+
+    /**
+     * Migrate all users assigned to the given [oldRole] for the hierarchy element with the given [id] to the new
+     * [newRole] in the database, using the provided [newHierarchyID].
+     */
+    private suspend fun <ID : HierarchyId> migrateUsersForRoleToDb(
+        oldRole: Role<*, ID>,
+        newRole: DbRole,
+        id: ID,
+        newHierarchyID: CompoundHierarchyId
+    ) {
+        val groupName = GroupName(keycloakGroupPrefix + oldRole.groupName(id))
+        migrateUsersInGroupToDb(groupName, newRole, newHierarchyID)
+    }
+
+    /**
+     * Migrate all users in the Keycloak group with the given [groupName] (which represents a role) to the given
+     * [newRole] for the hierarchy element with the given [newHierarchyID].
+     */
+    private suspend fun migrateUsersInGroupToDb(
+        groupName: GroupName,
+        newRole: DbRole,
+        newHierarchyID: CompoundHierarchyId
+    ) {
+        runCatching {
+            keycloakClient.getGroupMembers(groupName).forEach { user ->
+                dbAuthorizationService.assignRole(
+                    userId = user.username.value,
+                    role = newRole,
+                    compoundHierarchyId = newHierarchyID
+                )
+            }
+        }.onFailure { exception ->
+            logger.error("Failed to load users in group '${groupName.value}' during migration.", exception)
+        }
+    }
+
+    /**
+     * Return a flag whether the migration of access rights to the new database structures is possible. This is the
+     * case
+     */
+    private suspend fun canMigrate(): Boolean = db.dbQuery {
+        RoleAssignmentsTable.select(RoleAssignmentsTable.id).count() == 0L
+    }
 }

components/authorization-keycloak/backend/src/test/kotlin/service/KeycloakAuthorizationServiceTest.kt

@@ -113,7 +113,8 @@ class KeycloakAuthorizationServiceTest : WordSpec({
             organizationRepository,
             productRepository,
             repositoryRepository,
-            keycloakGroupPrefix
+            keycloakGroupPrefix,
+            mockk()
         ).apply {
             if (createRolesForHierarchy) {
                 createOrganizationPermissions(organizationId)