feat(authorization): Integrate new authorization with routes

Rework the routes defined in the `core` module to use the new
`Authorization` component.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt

@@ -21,6 +21,7 @@
 
 package org.eclipse.apoapsis.ortserver.components.authorization.routes
 
+import com.auth0.jwk.JwkProviderBuilder
 import com.auth0.jwt.interfaces.Payload
 
 import io.github.smiley4.ktoropenapi.config.RouteConfig
@@ -30,8 +31,13 @@ import io.github.smiley4.ktoropenapi.patch
 import io.github.smiley4.ktoropenapi.post
 import io.github.smiley4.ktoropenapi.put
 
+import io.ktor.server.application.Application
 import io.ktor.server.application.ApplicationCall
+import io.ktor.server.application.install
+import io.ktor.server.auth.Authentication
+import io.ktor.server.auth.jwt.jwt
 import io.ktor.server.auth.principal
+import io.ktor.server.config.ApplicationConfig
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.RouteSelector
 import io.ktor.server.routing.RouteSelectorEvaluation
@@ -40,9 +46,44 @@ import io.ktor.server.routing.RoutingPipelineCall
 import io.ktor.server.routing.RoutingResolveContext
 import io.ktor.util.AttributeKey
 
+import java.net.URI
+import java.util.concurrent.TimeUnit
+
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 
+/**
+ * Configure the authentication for this server application.
+ *
+ * This function sets up the Ktor plugins for authentication using JWT tokens. It configures the creation of an
+ * [OrtServerPrincipal] instance for authorized requests.
+ */
+fun Application.configureAuthentication(config: ApplicationConfig, authorizationService: AuthorizationService) {
+    val issuer = config.property("jwt.issuer").getString()
+    val jwksUri = URI.create(config.property("jwt.jwksUri").getString()).toURL()
+    val configuredRealm = config.property("jwt.realm").getString()
+    val requiredAudience = config.property("jwt.audience").getString()
+    val jwkProvider = JwkProviderBuilder(jwksUri)
+        .cached(10, 24, TimeUnit.HOURS)
+        .rateLimited(10, 1, TimeUnit.MINUTES)
+        .build()
+
+    install(Authentication) {
+        jwt(AuthenticationProviders.TOKEN_PROVIDER) {
+            realm = configuredRealm
+            verifier(jwkProvider, issuer) {
+                acceptLeeway(10)
+            }
+
+            validate { credential ->
+                credential.payload.takeIf { it.audience.contains(requiredAudience) }?.let {
+                    createAuthorizedPrincipal(authorizationService, credential.payload)
+                }
+            }
+        }
+    }
+}
+
 /**
  * Create an [OrtServerPrincipal] for this [ApplicationCall]. If an [AuthorizationChecker] is present in the current
  * context, use it to an [EffectiveRole] and perform an authorization check. Result is *null* if this check fails.

components/authorization/backend/src/main/kotlin/routes/OrtServerPrincipal.kt

@@ -21,6 +21,7 @@ package org.eclipse.apoapsis.ortserver.components.authorization.routes
 
 import com.auth0.jwt.interfaces.Payload
 
+import io.ktor.server.application.ApplicationCall
 import io.ktor.server.auth.principal
 import io.ktor.server.routing.RoutingContext
 
@@ -110,3 +111,10 @@ class OrtServerPrincipal(
     val effectiveRole: EffectiveRole
         get() = role ?: throw AuthorizationException()
 }
+
+/**
+ * A convenience extension property to obtain the [OrtServerPrincipal] from an [ApplicationCall] that has already been
+ * authenticated.
+ */
+val ApplicationCall.ortServerPrincipal: OrtServerPrincipal
+    get() = requireNotNull(principal())

core/build.gradle.kts

@@ -71,6 +71,7 @@ dependencies {
             requireCapability("$group:routes:$version")
         }
     }
+    implementation(projects.components.authorization.backend)
     implementation(projects.components.authorizationKeycloak.backend)
     implementation(projects.components.infrastructureServices.backend)
     implementation(projects.components.infrastructureServices.backend) {

core/src/main/kotlin/api/AdminRoute.kt

@@ -19,71 +19,47 @@
 
 package org.eclipse.apoapsis.ortserver.core.api
 
-import io.github.smiley4.ktoropenapi.delete
 import io.github.smiley4.ktoropenapi.get
-import io.github.smiley4.ktoropenapi.patch
-import io.github.smiley4.ktoropenapi.post
 
 import io.ktor.http.HttpStatusCode
 import io.ktor.server.request.receive
 import io.ktor.server.response.respond
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.route
 
-import kotlinx.coroutines.Dispatchers
-import kotlinx.coroutines.launch
-import kotlinx.coroutines.withContext
-
 import org.eclipse.apoapsis.ortserver.api.v1.mapping.mapToApi
 import org.eclipse.apoapsis.ortserver.api.v1.model.PatchSection
 import org.eclipse.apoapsis.ortserver.api.v1.model.PostUser
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requireAuthenticated
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requireSuperuser
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.service.AuthorizationService
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.service.UserService
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.delete
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.get
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.patch
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.post
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.requireSuperuser
+import org.eclipse.apoapsis.ortserver.components.authorization.service.UserService
 import org.eclipse.apoapsis.ortserver.core.apiDocs.deleteUser
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getSection
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getUsers
 import org.eclipse.apoapsis.ortserver.core.apiDocs.patchSection
 import org.eclipse.apoapsis.ortserver.core.apiDocs.postUser
-import org.eclipse.apoapsis.ortserver.core.apiDocs.runPermissionsSync
 import org.eclipse.apoapsis.ortserver.services.ContentManagementService
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireParameter
 
 import org.koin.ktor.ext.inject
 
 fun Route.admin() = route("admin") {
-    route("sync-roles") {
-        val authorizationService by inject<AuthorizationService>()
-
-        get(runPermissionsSync) {
-            requireSuperuser()
-
-            withContext(Dispatchers.IO) {
-                launch {
-                    authorizationService.ensureSuperuserAndSynchronizeRolesAndPermissions()
-                }
-
-                call.respond(HttpStatusCode.Accepted)
-            }
-        }
-    }
     /**
      * For CRUD operations for users.
      */
     route("users") {
         val userService by inject<UserService>()
 
-        get(getUsers) {
-            requireSuperuser()
-
+        get(getUsers, requireSuperuser()) {
             val users = userService.getUsers().map { user -> user.mapToApi() }
             call.respond(users)
         }
 
-        post(postUser) {
-            requireSuperuser()
-
+        post(postUser, requireSuperuser()) {
             val createUser = call.receive<PostUser>()
             userService.createUser(
                 username = createUser.username,
@@ -97,9 +73,7 @@ fun Route.admin() = route("admin") {
             call.respond(HttpStatusCode.Created)
         }
 
-        delete(deleteUser) {
-            requireSuperuser()
-
+        delete(deleteUser, requireSuperuser()) {
             val username = call.requireParameter("username")
             userService.deleteUser(username)
 
@@ -115,7 +89,7 @@ fun Route.admin() = route("admin") {
 
         route("sections/{sectionId}") {
             get(getSection) {
-                requireAuthenticated()
+                requirePrincipal()
 
                 val id = call.requireParameter("sectionId")
 
@@ -125,9 +99,7 @@ fun Route.admin() = route("admin") {
                 call.respond(HttpStatusCode.OK, section.mapToApi())
             }
 
-            patch(patchSection) {
-                requireSuperuser()
-
+            patch(patchSection, requireSuperuser()) {
                 val id = call.requireParameter("sectionId")
                 val updateSection = call.receive<PatchSection>()