feat(authorization): Rework permission checks in AuthorizationService

Introduce new `checkPermissions` functions that are based on
`HierarchyPermissions` and check whether specific permissions are
granted. These are going to be used for permission checks in the REST
API.

Rework the `getEffectiveRole` functions in `DbAuthorizationService` to
use `HierarchyPermissions` as well.

Modify the permission sets in the role classes, so that permissions
granted on higher levels of the hierarchy are inherited downwards.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/src/main/kotlin/rights/OrganizationRole.kt

@@ -22,18 +22,25 @@ package org.eclipse.apoapsis.ortserver.components.authorization.rights
 /**
  * This enum contains the available roles for [organizations][org.eclipse.apoapsis.ortserver.model.Organization]. It
  * maps the permissions available for an organization to the default roles [READER], [WRITER], and [ADMIN].
+ *
+ * Notes:
+ * - Permissions are inherited down the hierarchy. This is implemented by including the lower level permissions
+ *   of the corresponding roles in the sets of permissions managed by the single instances.
+ * - The constants are expected to be listed in increasing order of permissions.
  */
 enum class OrganizationRole(
     override val organizationPermissions: Set<OrganizationPermission>,
-    override val productPermissions: Set<ProductPermission> = emptySet(),
-    override val repositoryPermissions: Set<RepositoryPermission> = emptySet()
+    override val productPermissions: Set<ProductPermission>,
+    override val repositoryPermissions: Set<RepositoryPermission>
 ) : Role {
     /** A role that grants read permissions for an [org.eclipse.apoapsis.ortserver.model.Organization]. */
     READER(
         organizationPermissions = setOf(
             OrganizationPermission.READ,
             OrganizationPermission.READ_PRODUCTS
-        )
+        ),
+        productPermissions = ProductRole.READER.productPermissions,
+        repositoryPermissions = RepositoryRole.READER.repositoryPermissions
     ),
 
     /** A role that grants write permissions for an [org.eclipse.apoapsis.ortserver.model.Organization]. */
@@ -43,7 +50,9 @@ enum class OrganizationRole(
             OrganizationPermission.WRITE,
             OrganizationPermission.READ_PRODUCTS,
             OrganizationPermission.CREATE_PRODUCT
-        )
+        ),
+        productPermissions = ProductRole.WRITER.productPermissions,
+        repositoryPermissions = RepositoryRole.WRITER.repositoryPermissions
     ),
 
     /**

components/authorization/backend/src/main/kotlin/rights/ProductRole.kt

@@ -22,18 +22,24 @@ package org.eclipse.apoapsis.ortserver.components.authorization.rights
 /**
  * This enum contains the available roles for [products][org.eclipse.apoapsis.ortserver.model.Product]. It
  * maps the permissions available for a product to the default roles [READER], [WRITER], and [ADMIN].
+ *
+ * Notes:
+ * - Permissions are inherited down the hierarchy. This is implemented by including the lower level permissions
+ *   of the corresponding roles in the sets of permissions managed by the single instances.
+ * - The constants are expected to be listed in increasing order of permissions.
  */
 enum class ProductRole(
     override val organizationPermissions: Set<OrganizationPermission> = setOf(OrganizationPermission.READ),
     override val productPermissions: Set<ProductPermission>,
-    override val repositoryPermissions: Set<RepositoryPermission> = emptySet()
+    override val repositoryPermissions: Set<RepositoryPermission>
 ) : Role {
     /** A role that grants read permissions for a [org.eclipse.apoapsis.ortserver.model.Product]. */
     READER(
         productPermissions = setOf(
             ProductPermission.READ,
             ProductPermission.READ_REPOSITORIES
-        )
+        ),
+        repositoryPermissions = RepositoryRole.READER.repositoryPermissions
     ),
 
     /** A role that grants write permissions for a [org.eclipse.apoapsis.ortserver.model.Product]. */
@@ -44,7 +50,8 @@ enum class ProductRole(
             ProductPermission.READ_REPOSITORIES,
             ProductPermission.CREATE_REPOSITORY,
             ProductPermission.TRIGGER_ORT_RUN
-        )
+        ),
+        repositoryPermissions = RepositoryRole.WRITER.repositoryPermissions
     ),
 
     /**

components/authorization/backend/src/main/kotlin/service/AuthorizationService.kt

@@ -20,6 +20,7 @@
 package org.eclipse.apoapsis.ortserver.components.authorization.service
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.PermissionChecker
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.HierarchyId
@@ -29,6 +30,29 @@ import org.eclipse.apoapsis.ortserver.model.HierarchyId
  * hierarchy.
  */
 interface AuthorizationService {
+    /**
+     * Check whether the user identified by [userId] has the permissions defined by the given [checker] on the element
+     * identified by [compoundHierarchyId]. If the check is successful, the function returns an [EffectiveRole] object
+     * with the requested permissions and the [compoundHierarchyId]; otherwise, it returns *null*.
+     */
+    suspend fun checkPermissions(
+        userId: String,
+        compoundHierarchyId: CompoundHierarchyId,
+        checker: PermissionChecker
+    ): EffectiveRole?
+
+    /**
+     * Check whether the user identified by [userId] has the permissions defined by the given [checker] on the element
+     * identified by [hierarchyId]. This function constructs a [CompoundHierarchyId] based on the passed in
+     * [hierarchyId]. If such a [CompoundHierarchyId] is already known, using the overloaded function is more
+     * efficient.
+     */
+    suspend fun checkPermissions(
+        userId: String,
+        hierarchyId: HierarchyId,
+        checker: PermissionChecker
+    ): EffectiveRole?
+
     /**
      * Return an [EffectiveRole] object for the specified [userId] that contains all permissions for this user on the
      * element identified by [compoundHierarchyId].

components/authorization/backend/src/main/kotlin/service/DbAuthorizationService.kt

@@ -21,8 +21,10 @@ package org.eclipse.apoapsis.ortserver.components.authorization.service
 
 import org.eclipse.apoapsis.ortserver.components.authorization.db.RoleAssignmentsTable
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.HierarchyPermissions
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.PermissionChecker
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
@@ -63,24 +65,61 @@ class DbAuthorizationService(
     /** The database to use. */
     private val db: Database
 ) : AuthorizationService {
+    override suspend fun checkPermissions(
+        userId: String,
+        compoundHierarchyId: CompoundHierarchyId,
+        checker: PermissionChecker
+    ): EffectiveRole? {
+        val roleAssignments = loadAssignments(userId, compoundHierarchyId)
+
+        val permissions = HierarchyPermissions.create(roleAssignments, checker)
+        return if (permissions.hasPermission(compoundHierarchyId)) {
+            EffectiveRoleImpl(
+                elementId = compoundHierarchyId,
+                isSuperuser = permissions.isSuperuser(),
+                permissions = checker
+            )
+        } else {
+            null
+        }
+    }
+
+    override suspend fun checkPermissions(
+        userId: String,
+        hierarchyId: HierarchyId,
+        checker: PermissionChecker
+    ): EffectiveRole? {
+        val compoundHierarchyId = resolveCompoundId(hierarchyId)
+
+        return compoundHierarchyId.takeUnless { it.isInvalid() }?.let {
+            checkPermissions(userId, it, checker)
+        }
+    }
+
     override suspend fun getEffectiveRole(
         userId: String,
         compoundHierarchyId: CompoundHierarchyId
     ): EffectiveRole {
         val roleAssignments = loadAssignments(userId, compoundHierarchyId)
-        val permissions = roleAssignments.map { it.toHierarchyPermissions() }
-            .takeUnless { it.isEmpty() }?.reduce(::reducePermissions) ?: EMPTY_PERMISSIONS
-        val isSuperuser = roleAssignments.any {
-            it[RoleAssignmentsTable.organizationId] == null &&
-                    it[RoleAssignmentsTable.productId] == null &&
-                    it[RoleAssignmentsTable.repositoryId] == null &&
-                    it.extractRole() == OrganizationRole.ADMIN
-        }
-
-        return EffectiveRoleImpl(
+        val roles = rolesForLevel(compoundHierarchyId).reversed().asSequence()
+
+        // Check for all roles on the current level, starting with the ADMIN role, whether all its permissions are
+        // granted. This is then the effective role. This assumes that constants in the enums for roles are ordered
+        // by the number of permissions they grant in ascending order. If this changes, there should be failing tests.
+        return roles.mapNotNull { role ->
+            val permissionChecker = HierarchyPermissions.permissions(role)
+            HierarchyPermissions.create(roleAssignments, permissionChecker)
+                .takeIf { it.hasPermission(compoundHierarchyId) }?.let {
+                    EffectiveRoleImpl(
+                        elementId = compoundHierarchyId,
+                        isSuperuser = it.isSuperuser(),
+                        permissions = permissionChecker
+                    )
+                }
+        }.firstOrNull() ?: EffectiveRoleImpl(
             elementId = compoundHierarchyId,
-            isSuperuser = isSuperuser,
-            permissions = permissions
+            isSuperuser = false,
+            permissions = PermissionChecker()
         )
     }
 
@@ -96,7 +135,7 @@ class DbAuthorizationService(
             EffectiveRoleImpl(
                 elementId = compoundHierarchyId,
                 isSuperuser = false,
-                permissions = EMPTY_PERMISSIONS
+                permissions = PermissionChecker()
             )
         } else {
             getEffectiveRole(userId, compoundHierarchyId)
@@ -206,20 +245,25 @@ class DbAuthorizationService(
 
     /**
      * Load all role assignments for the given [userId] in the hierarchy defined by [compoundHierarchyId]. Return a
-     * list of [HierarchyPermissions] instances for the entities that were found.
+     * list with pairs of IDs and assigned roles for the entities that were found. The function selects assignments in
+     * the whole hierarchy below the organization referenced by [compoundHierarchyId]. This makes sure that all
+     * relevant assignments are found.
      */
     private suspend fun loadAssignments(
         userId: String,
         compoundHierarchyId: CompoundHierarchyId
-    ): List<ResultRow> = db.dbQuery {
+    ): List<Pair<CompoundHierarchyId, Role>> = db.dbQuery {
         RoleAssignmentsTable.selectAll()
             .where {
                 (RoleAssignmentsTable.userId eq userId) and (
-                        repositoryCondition(compoundHierarchyId) or
-                                productWildcardCondition(compoundHierarchyId) or
-                                organizationWildcardCondition()
+                        (RoleAssignmentsTable.organizationId eq compoundHierarchyId.organizationId?.value) or
+                                (RoleAssignmentsTable.organizationId eq null)
                         )
-            }.toList()
+            }.mapNotNull { row ->
+                row.extractRole()?.let { role ->
+                    row.extractHierarchyId() to role
+                }
+            }
     }
 
     /**
@@ -249,27 +293,6 @@ class DbAuthorizationService(
  */
 private const val INVALID_ID = -1L
 
-/**
- * An internally used data class to store the available permissions on all levels of the hierarchy for a user.
- */
-private data class HierarchyPermissions(
-    /** The permissions granted on organization level. */
-    val organizationPermissions: Set<OrganizationPermission>,
-
-    /** The permissions granted on product level. */
-    val productPermissions: Set<ProductPermission>,
-
-    /** The permissions granted on repository level. */
-    val repositoryPermissions: Set<RepositoryPermission>
-)
-
-/** An instance of [HierarchyPermissions] with no permissions at all. */
-private val EMPTY_PERMISSIONS = HierarchyPermissions(
-    organizationPermissions = emptySet(),
-    productPermissions = emptySet(),
-    repositoryPermissions = emptySet()
-)
-
 /**
  * An implementation of the [EffectiveRole] interface used by [DbAuthorizationService].
  */
@@ -279,7 +302,7 @@ private class EffectiveRoleImpl(
     override val isSuperuser: Boolean,
 
     /** The permissions granted on the different levels of the hierarchy. */
-    private val permissions: HierarchyPermissions
+    private val permissions: PermissionChecker
 ) : EffectiveRole {
     override fun hasOrganizationPermission(permission: OrganizationPermission): Boolean =
         permission in permissions.organizationPermissions
@@ -313,42 +336,38 @@ private fun ResultRow.extractRole(): Role? = runCatching {
 }.getOrNull()
 
 /**
- * Obtain the information about roles from this [ResultRow] and construct a [HierarchyPermissions] object from it.
+ * Extract the [CompoundHierarchyId] on the correct level from this [ResultRow].
  */
-private fun ResultRow.toHierarchyPermissions(): HierarchyPermissions =
-    extractRole()?.let { role ->
-        HierarchyPermissions(
-            organizationPermissions = role.organizationPermissions,
-            productPermissions = role.productPermissions,
-            repositoryPermissions = role.repositoryPermissions
-        )
-    } ?: EMPTY_PERMISSIONS
-
-/**
- * Combine two [HierarchyPermissions] instances [p1] and [p2] by constructing the union of their permissions on all
- * levels.
- */
-private fun reducePermissions(
-    p1: HierarchyPermissions,
-    p2: HierarchyPermissions
-): HierarchyPermissions =
-    HierarchyPermissions(
-        organizationPermissions = p1.organizationPermissions + p2.organizationPermissions,
-        productPermissions = p1.productPermissions + p2.productPermissions,
-        repositoryPermissions = p1.repositoryPermissions + p2.repositoryPermissions
-    )
+private fun ResultRow.extractHierarchyId(): CompoundHierarchyId {
+    val orgId = this[RoleAssignmentsTable.organizationId]?.let { OrganizationId(it.value) }
+    if (orgId == null) {
+        return CompoundHierarchyId.WILDCARD
+    } else {
+        val productId = this[RoleAssignmentsTable.productId]?.let { ProductId(it.value) }
+        if (productId == null) {
+            return CompoundHierarchyId.forOrganization(orgId)
+        } else {
+            val repositoryId = this[RoleAssignmentsTable.repositoryId]?.let { RepositoryId(it.value) }
+            return if (repositoryId == null) {
+                CompoundHierarchyId.forProduct(orgId, productId)
+            } else {
+                CompoundHierarchyId.forRepository(orgId, productId, repositoryId)
+            }
+        }
+    }
+}
 
 /**
  * Generate the SQL condition to match the repository part of this [hierarchyId]. The condition also has to select
  * assignments on higher levels in the same hierarchy.
  */
 private fun SqlExpressionBuilder.repositoryCondition(hierarchyId: CompoundHierarchyId): Op<Boolean> =
     (
-        (RoleAssignmentsTable.repositoryId eq hierarchyId.repositoryId?.value) or
-            (RoleAssignmentsTable.repositoryId eq null)
-    ) and
-                    (RoleAssignmentsTable.productId eq hierarchyId.productId?.value) and
-                    (RoleAssignmentsTable.organizationId eq hierarchyId.organizationId?.value)
+            (RoleAssignmentsTable.repositoryId eq hierarchyId.repositoryId?.value) or
+                    (RoleAssignmentsTable.repositoryId eq null)
+            ) and
+            (RoleAssignmentsTable.productId eq hierarchyId.productId?.value) and
+            (RoleAssignmentsTable.organizationId eq hierarchyId.organizationId?.value)
 
 /**
  * Generate the SQL condition to match role assignments for the given [hierarchyId] for which no product ID is
@@ -358,12 +377,6 @@ private fun SqlExpressionBuilder.productWildcardCondition(hierarchyId: CompoundH
     (RoleAssignmentsTable.productId eq null) and
             (RoleAssignmentsTable.organizationId eq hierarchyId.organizationId?.value)
 
-/**
- * Generate the SQL condition to match role assignments for which no organization ID is defined.
- */
-private fun SqlExpressionBuilder.organizationWildcardCondition(): Op<Boolean> =
-    RoleAssignmentsTable.organizationId eq null
-
 /**
  * Generate the SQL condition to match role assignments for the given [role].
  */
@@ -373,3 +386,13 @@ private fun SqlExpressionBuilder.roleCondition(role: Role): Op<Boolean> =
         is ProductRole -> RoleAssignmentsTable.productRole eq role.name
         is RepositoryRole -> RoleAssignmentsTable.repositoryRole eq role.name
     }
+
+/**
+ * Return a collection with the roles that are relevant on the hierarchy level defined by [hierarchyId].
+ */
+private fun rolesForLevel(hierarchyId: CompoundHierarchyId): Collection<Role> =
+    when (hierarchyId.level) {
+        CompoundHierarchyId.REPOSITORY_LEVEL -> RepositoryRole.entries
+        CompoundHierarchyId.PRODUCT_LEVEL -> ProductRole.entries
+        else -> OrganizationRole.entries
+    }