feat(authorization): Correctly filter repositories

In the endpoint to fetch the repositories of a product, apply a
`HierarchyFilter`. Extend `ProductService` accordingly. This makes
sure that only repositories are listed that are visible to the user. By
having access to some repositories, the user gets implicit READ
permission on the owning products. However, in these products, not
automatically all repositories are visible.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

core/src/main/kotlin/api/ProductsRoute.kt

@@ -35,6 +35,7 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.PostRepositoryRun
 import org.eclipse.apoapsis.ortserver.api.v1.model.Username
 import org.eclipse.apoapsis.ortserver.components.authorization.api.ProductRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.delete
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.get
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.mapToModel
@@ -135,9 +136,14 @@ fun Route.products() = route("products/{productId}") {
 
             val productId = call.requireIdParameter("productId")
             val pagingOptions = call.pagingOptions(SortProperty("url", SortDirection.ASCENDING))
+            val principal = requirePrincipal()
 
-            val repositoriesForProduct =
-                productService.listRepositoriesForProduct(productId, pagingOptions.mapToModel(), filter?.mapToModel())
+            val repositoriesForProduct = productService.listRepositoriesForProductAndUser(
+                productId,
+                principal.username,
+                pagingOptions.mapToModel(),
+                filter?.mapToModel()
+            )
 
             val pagedResponse = repositoriesForProduct.mapToApi(Repository::mapToApi)
 

core/src/test/kotlin/api/DownloadsRouteIntegrationTest.kt

@@ -63,7 +63,8 @@ class DownloadsRouteIntegrationTest : AbstractIntegrationTest({
             dbExtension.db,
             dbExtension.fixtures.productRepository,
             dbExtension.fixtures.repositoryRepository,
-            dbExtension.fixtures.ortRunRepository
+            dbExtension.fixtures.ortRunRepository,
+            mockk()
         )
 
         val orgId = organizationService.createOrganization(name = "name", description = "description").id

core/src/test/kotlin/api/OrganizationsRouteIntegrationTest.kt

@@ -129,7 +129,8 @@ class OrganizationsRouteIntegrationTest : AbstractIntegrationTest({
             dbExtension.db,
             dbExtension.fixtures.productRepository,
             dbExtension.fixtures.repositoryRepository,
-            dbExtension.fixtures.ortRunRepository
+            dbExtension.fixtures.ortRunRepository,
+            authorizationService
         )
     }
 

core/src/test/kotlin/api/ProductsRouteIntegrationTest.kt

@@ -81,6 +81,7 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityForRunsFilters
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityRating
 import org.eclipse.apoapsis.ortserver.components.authorization.api.ProductRole as ApiProductRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.mapToModel
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.components.authorization.service.DbAuthorizationService
@@ -94,6 +95,7 @@ import org.eclipse.apoapsis.ortserver.model.JobStatus
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
 import org.eclipse.apoapsis.ortserver.model.OrtRunStatus
 import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.Severity
 import org.eclipse.apoapsis.ortserver.model.runs.Identifier
@@ -148,7 +150,8 @@ class ProductsRouteIntegrationTest : AbstractIntegrationTest({
             dbExtension.db,
             dbExtension.fixtures.productRepository,
             dbExtension.fixtures.repositoryRepository,
-            dbExtension.fixtures.ortRunRepository
+            dbExtension.fixtures.ortRunRepository,
+            authorizationService
         )
 
         orgId = organizationService.createOrganization(name = "name", description = "description").id
@@ -299,6 +302,71 @@ class ProductsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "return the repositories a user has access to" {
+            integrationTestApplication {
+                val createdProduct = createProduct()
+
+                val type = RepositoryType.GIT
+                val url1 = "https://example.com/repo1.git"
+                val url2 = "https://example.com/repo2.git"
+                val description = "description"
+
+                val createdRepository1 = productService.createRepository(
+                    type = type,
+                    url = url1,
+                    productId = createdProduct.id,
+                    description = description
+                )
+                val createdRepository2 = productService.createRepository(
+                    type = type,
+                    url = url2,
+                    productId = createdProduct.id,
+                    description = description
+                )
+                productService.createRepository(
+                    type = type,
+                    url = "https://example.com/hidden-repo.git",
+                    productId = createdProduct.id,
+                    description = "You cannot see me"
+                )
+
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    RepositoryRole.READER,
+                    CompoundHierarchyId.forRepository(
+                        OrganizationId(createdProduct.organizationId),
+                        ProductId(createdProduct.id),
+                        RepositoryId(createdRepository1.id)
+                    )
+                )
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    RepositoryRole.READER,
+                    CompoundHierarchyId.forRepository(
+                        OrganizationId(createdProduct.organizationId),
+                        ProductId(createdProduct.id),
+                        RepositoryId(createdRepository2.id)
+                    )
+                )
+
+                val response = testUserClient.get("/api/v1/products/${createdProduct.id}/repositories")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                response shouldHaveBody PagedResponse(
+                    listOf(
+                        Repository(createdRepository1.id, orgId, createdProduct.id, type.mapToApi(), url1, description),
+                        Repository(createdRepository2.id, orgId, createdProduct.id, type.mapToApi(), url2, description)
+                    ),
+                    PagingData(
+                        limit = DEFAULT_LIMIT,
+                        offset = 0,
+                        totalCount = 2,
+                        sortProperties = listOf(SortProperty("url", SortDirection.ASCENDING))
+                    )
+                )
+            }
+        }
+
         "support query parameters" {
             integrationTestApplication {
                 val createdProduct = createProduct()

core/src/test/kotlin/api/RepositoriesRouteIntegrationTest.kt

@@ -143,7 +143,8 @@ class RepositoriesRouteIntegrationTest : AbstractIntegrationTest({
             dbExtension.db,
             dbExtension.fixtures.productRepository,
             dbExtension.fixtures.repositoryRepository,
-            dbExtension.fixtures.ortRunRepository
+            dbExtension.fixtures.ortRunRepository,
+            mockk()
         )
 
         ortRunRepository = dbExtension.fixtures.ortRunRepository

core/src/test/kotlin/api/RunsRouteIntegrationTest.kt

@@ -166,7 +166,8 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
             dbExtension.db,
             dbExtension.fixtures.productRepository,
             dbExtension.fixtures.repositoryRepository,
-            dbExtension.fixtures.ortRunRepository
+            dbExtension.fixtures.ortRunRepository,
+            mockk()
         )
 
         ortRunRepository = dbExtension.fixtures.ortRunRepository

services/hierarchy/src/main/kotlin/ProductService.kt

@@ -19,12 +19,15 @@
 
 package org.eclipse.apoapsis.ortserver.services
 
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
 import org.eclipse.apoapsis.ortserver.dao.repositories.ortrun.OrtRunsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
 import org.eclipse.apoapsis.ortserver.model.OrtRun
 import org.eclipse.apoapsis.ortserver.model.OrtRunStatus
 import org.eclipse.apoapsis.ortserver.model.Product
+import org.eclipse.apoapsis.ortserver.model.ProductId
 import org.eclipse.apoapsis.ortserver.model.Repository
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.repositories.OrtRunRepository
@@ -48,6 +51,7 @@ class ProductService(
     private val productRepository: ProductRepository,
     private val repositoryRepository: RepositoryRepository,
     private val ortRunRepository: OrtRunRepository,
+    private val authorizationService: AuthorizationService
 ) {
     /**
      * Create a repository inside a [product][productId].
@@ -89,6 +93,22 @@ class ProductService(
         repositoryRepository.listForProduct(productId, parameters, filter)
     }
 
+    /**
+     * List all repositories for a [product][productId] that are visible to a specific [user][userId] according to the
+     * given [parameters] and [urlFilter].
+     */
+    suspend fun listRepositoriesForProductAndUser(
+        productId: Long,
+        userId: String,
+        parameters: ListQueryParameters = ListQueryParameters.DEFAULT,
+        urlFilter: FilterParameter? = null
+    ): ListQueryResult<Repository> = getProduct(productId)?.let { product ->
+        val filter = authorizationService.filterHierarchyIds(userId, RepositoryRole.READER, ProductId(product.id))
+        db.dbQuery {
+            repositoryRepository.list(parameters, urlFilter, filter)
+        }
+    } ?: ListQueryResult(emptyList(), parameters, 0)
+
     /**
      * Update a product by [productId] with the [present][OptionalValue.Present] values.
      */

services/hierarchy/src/test/kotlin/ProductServiceTest.kt

@@ -20,14 +20,26 @@
 package org.eclipse.apoapsis.ortserver.services
 
 import io.kotest.core.spec.style.WordSpec
+import io.kotest.matchers.collections.beEmpty
 import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
 
+import io.mockk.coEvery
+import io.mockk.mockk
+
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.dao.repositories.ortrun.DaoOrtRunRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.product.DaoProductRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.repository.DaoRepositoryRepository
 import org.eclipse.apoapsis.ortserver.dao.test.DatabaseTestExtension
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.model.ProductId
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.util.HierarchyFilter
 
 import org.jetbrains.exposed.sql.Database
 
@@ -50,7 +62,7 @@ class ProductServiceTest : WordSpec({
 
     "deleteProduct" should {
         "delete all repositories associated to this product" {
-            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository)
+            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository, mockk())
 
             val product = fixtures.createProduct()
 
@@ -76,7 +88,7 @@ class ProductServiceTest : WordSpec({
 
     "getRepositoryIdsForProduct" should {
         "return IDs for all repositories of a product" {
-            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository)
+            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository, mockk())
 
             val prodId = fixtures.createProduct().id
 
@@ -87,4 +99,46 @@ class ProductServiceTest : WordSpec({
             service.getRepositoryIdsForProduct(prodId).shouldContainExactlyInAnyOrder(repo1Id, repo2Id, repo3Id)
         }
     }
+
+    "listRepositoriesForProductAndUser" should {
+        "apply a hierarchy filter obtained from the authorization service" {
+            val userId = "the-test-user"
+            val repo1 = fixtures.repository
+            val repo1Id = CompoundHierarchyId.forRepository(
+                OrganizationId(fixtures.organization.id),
+                ProductId(fixtures.product.id),
+                RepositoryId(repo1.id)
+            )
+            val repo2 = fixtures.createRepository(url = "https://example.com/another-repo.git")
+            val repo2Id = CompoundHierarchyId.forRepository(
+                OrganizationId(fixtures.organization.id),
+                ProductId(fixtures.product.id),
+                RepositoryId(repo2.id)
+            )
+
+            val filter = HierarchyFilter(
+                transitiveIncludes = mapOf(CompoundHierarchyId.REPOSITORY_LEVEL to listOf(repo1Id, repo2Id)),
+                nonTransitiveIncludes = emptyMap()
+            )
+            val authService = mockk<AuthorizationService> {
+                coEvery {
+                    filterHierarchyIds(userId, RepositoryRole.READER, ProductId(fixtures.product.id))
+                } returns filter
+            }
+
+            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository, authService)
+            val result = service.listRepositoriesForProductAndUser(
+                productId = fixtures.product.id,
+                userId = userId
+            )
+
+            result.data shouldContainExactlyInAnyOrder listOf(repo1, repo2)
+        }
+
+        "return an empty list for a non-existing product ID" {
+            val service = ProductService(db, productRepository, repositoryRepository, ortRunRepository, mockk())
+
+            service.listRepositoriesForProductAndUser(-1L, "some-user").data should beEmpty()
+        }
+    }
 })