feat(authorization): Support filters on hierarchy IDs

oheger-bosch · oheger-bosch · commit 9e11ee4a0001 · 2025-10-28T12:13:14.000+01:00
Add a function to `AuthorizationService` that computes a
`HierarchyFilter` for the IDs of
elements in the hierarchy on which a user has specific access rights.
This can then be used to generate filter conditions for database queries.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/components/authorization/backend/src/main/kotlin/service/AuthorizationService.kt b/components/authorization/backend/src/main/kotlin/service/AuthorizationService.kt
@@ -20,10 +20,14 @@
 package org.eclipse.apoapsis.ortserver.components.authorization.service
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.PermissionChecker
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.HierarchyId
+import org.eclipse.apoapsis.ortserver.model.util.HierarchyFilter
 
 /**
  * A service interface providing functionality to query and manage roles and permissions for users on entities in the
@@ -94,4 +98,43 @@ interface AuthorizationService {
      * higher levels, such as organization admins.
      */
     suspend fun listUsers(compoundHierarchyId: CompoundHierarchyId): Map<String, Set<Role>>
+
+    /**
+     * Return a [HierarchyFilter] with information about all hierarchy elements for which the specified [userId] has at
+     * least all the permissions defined by [organizationPermissions], [productPermissions], and
+     * [repositoryPermissions]. With the optional [containedIn] ID, the filter can be restricted to elements that
+     * belong to this root element (directly or indirectly). This function can be used to generate filters for queries
+     * based on the access rights of a user. For the returned [CompoundHierarchyId]s not necessarily all components
+     * corresponding to the requested permissions are filled. For instance, if all repositories with READ access are
+     * requested and the user has the ADMIN role on the product, the result will contain the ID of this product. This
+     * basically means that all repositories under this product are accessible to the user.
+     */
+    suspend fun filterHierarchyIds(
+        userId: String,
+        organizationPermissions: Set<OrganizationPermission> = emptySet(),
+        productPermissions: Set<ProductPermission> = emptySet(),
+        repositoryPermissions: Set<RepositoryPermission> = emptySet(),
+        containedIn: HierarchyId? = null
+    ): HierarchyFilter
+
+    /**
+     * Return a [HierarchyFilter] with information about all hierarchy elements for which the specified [userId] has at
+     * least the permissions defined by the given [requiredRole], optionally restricted to the hierarchical structure
+     * defined by [containedIn]. This is an overload of the function with the same name that obtains the required
+     * permissions from the passed in role. Note that this does not perform an exact match of the role, but checks
+     * whether all the permissions defined by the role are granted to the user. So, for instance, when searching for a
+     * READER role, also WRITER and ADMIN roles will match.
+     */
+    suspend fun filterHierarchyIds(
+        userId: String,
+        requiredRole: Role,
+        containedIn: HierarchyId? = null
+    ): HierarchyFilter =
+        filterHierarchyIds(
+            userId = userId,
+            organizationPermissions = requiredRole.organizationPermissions,
+            productPermissions = requiredRole.productPermissions,
+            repositoryPermissions = requiredRole.repositoryPermissions,
+            containedIn = containedIn
+        )
 }
diff --git a/components/authorization/backend/src/main/kotlin/service/DbAuthorizationService.kt b/components/authorization/backend/src/main/kotlin/service/DbAuthorizationService.kt
@@ -17,11 +17,14 @@
  * License-Filename: LICENSE
  */
 
+@file:Suppress("TooManyFunctions")
+
 package org.eclipse.apoapsis.ortserver.components.authorization.service
 
 import org.eclipse.apoapsis.ortserver.components.authorization.db.RoleAssignmentsTable
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.HierarchyPermissions
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.IdsByLevel
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.PermissionChecker
@@ -38,6 +41,7 @@ import org.eclipse.apoapsis.ortserver.model.HierarchyId
 import org.eclipse.apoapsis.ortserver.model.OrganizationId
 import org.eclipse.apoapsis.ortserver.model.ProductId
 import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.util.HierarchyFilter
 
 import org.jetbrains.exposed.sql.Database
 import org.jetbrains.exposed.sql.JoinType
@@ -199,6 +203,55 @@ class DbAuthorizationService(
             .mapValues { it.value.filterNotNullTo(mutableSetOf()) }
     }
 
+    override suspend fun filterHierarchyIds(
+        userId: String,
+        organizationPermissions: Set<OrganizationPermission>,
+        productPermissions: Set<ProductPermission>,
+        repositoryPermissions: Set<RepositoryPermission>,
+        containedIn: HierarchyId?
+    ): HierarchyFilter {
+        val assignments = loadAssignments(userId, null)
+        val checker = PermissionChecker(
+            organizationPermissions,
+            productPermissions,
+            repositoryPermissions
+        )
+        val permissions = HierarchyPermissions.create(assignments, checker)
+
+        val containedInId = containedIn?.let { resolveCompoundId(it) }
+        val includes = includesDominatedByContainsFilter(permissions, containedInId)
+            ?: permissions.includes().filterContainedIn(containedInId)
+
+        return HierarchyFilter(
+            transitiveIncludes = includes,
+            nonTransitiveIncludes = permissions.implicitIncludes().filterContainedIn(containedInId),
+            excludes = permissions.excludes().filterContainedIn(containedInId),
+            isWildcard = permissions.isSuperuser()
+        )
+    }
+
+    /**
+     * Check if the given [containedInId] filter is contained in any of the includes in the given [permissions]. If so,
+     * the user can access all elements under the [containedInId] ID, so return a map of includes with just this ID.
+     * If this is not the case or [containedInId] is undefined, return *null*.
+     */
+    private fun includesDominatedByContainsFilter(
+        permissions: HierarchyPermissions,
+        containedInId: CompoundHierarchyId?
+    ): IdsByLevel? =
+        containedInId?.let {
+            val containedInLevel = it.level
+            val isFilterCovered = permissions.includes().entries.any { (level, ids) ->
+                level < containedInLevel && ids.any { id -> id.contains(containedInId) }
+            }
+
+            if (isFilterCovered) {
+                mapOf(containedInId.level to listOf(containedInId))
+            } else {
+                null
+            }
+        }
+
     /**
      * Retrieve the missing components to construct a [CompoundHierarchyId] from the given [hierarchyId]. Throw a
      * meaningful exception if this fails.
@@ -246,19 +299,20 @@ class DbAuthorizationService(
     /**
      * Load all role assignments for the given [userId] in the hierarchy defined by [compoundHierarchyId]. Return a
      * list with pairs of IDs and assigned roles for the entities that were found. The function selects assignments in
-     * the whole hierarchy below the organization referenced by [compoundHierarchyId]. This makes sure that all
-     * relevant assignments are found.
+     * the whole hierarchy below the organization referenced by [compoundHierarchyId] or all assignments of the given
+     * [userId] if no ID is specified. This makes sure that all relevant assignments are found.
      */
     private suspend fun loadAssignments(
         userId: String,
-        compoundHierarchyId: CompoundHierarchyId
+        compoundHierarchyId: CompoundHierarchyId?
     ): List<Pair<CompoundHierarchyId, Role>> = db.dbQuery {
         RoleAssignmentsTable.selectAll()
             .where {
-                (RoleAssignmentsTable.userId eq userId) and (
-                        (RoleAssignmentsTable.organizationId eq compoundHierarchyId.organizationId?.value) or
-                                (RoleAssignmentsTable.organizationId eq null)
-                        )
+                val hierarchyCondition = compoundHierarchyId?.let { id ->
+                    (RoleAssignmentsTable.organizationId eq id.organizationId?.value) or
+                            (RoleAssignmentsTable.organizationId eq null)
+} ?: Op.TRUE
+                (RoleAssignmentsTable.userId eq userId) and hierarchyCondition
             }.mapNotNull { row ->
                 row.extractRole()?.let { role ->
                     row.extractHierarchyId() to role
@@ -277,15 +331,15 @@ class DbAuthorizationService(
                         (RoleAssignmentsTable.productId eq compoundHierarchyId.productId?.value) and
                         (RoleAssignmentsTable.repositoryId eq compoundHierarchyId.repositoryId?.value)
             } == 1
-    ).also {
-        if (it) {
-            logger.info(
-                "Removed role assignment for user '{}' on hierarchy element {}.",
-                userId,
-                compoundHierarchyId
-            )
+            ).also {
+            if (it) {
+                logger.info(
+                    "Removed role assignment for user '{}' on hierarchy element {}.",
+                    userId,
+                    compoundHierarchyId
+                )
+            }
         }
-    }
 }
 
 /**
@@ -387,6 +441,21 @@ private fun SqlExpressionBuilder.roleCondition(role: Role): Op<Boolean> =
         is RepositoryRole -> RoleAssignmentsTable.repositoryRole eq role.name
     }
 
+/**
+ * Filter the IDs in this [IdsByLevel] to only include those that are contained in the given [containedInId]. If
+ * [containedInId] is *null*, return this object unmodified.
+ */
+private fun IdsByLevel.filterContainedIn(
+    containedInId: CompoundHierarchyId?
+): IdsByLevel =
+    if (containedInId == null) {
+        this
+    } else {
+        this.mapValues { (_, ids) ->
+            ids.filter { id -> id in containedInId }
+        }.filterValues { it.isNotEmpty() }
+    }
+
 /**
  * Return a collection with the roles that are relevant on the hierarchy level defined by [hierarchyId].
  */
diff --git a/components/authorization/backend/src/test/kotlin/service/DbAuthorizationServiceTest.kt b/components/authorization/backend/src/test/kotlin/service/DbAuthorizationServiceTest.kt
