feat(authorization): Introduce functions for authorized routes

Extend the Ktor DSL for route definitions by functions that perform an
automatic check for permissions based on provided `AuthorizationChecker`
objects. This enables a declarative approach for permission checks.

Provide a concrete `AuthorizationChecker` implementation for organization
permissions. Add a test class to test this approach.

Note that currently failed permission checks yield a return status code
of 401 rather than 403. This is going to be changed in an upcoming
commit.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/build.gradle.kts

@@ -32,14 +32,20 @@ dependencies {
     api(ktorLibs.server.auth)
     api(ktorLibs.server.auth.jwt)
     api(ktorLibs.server.core)
+    api(libs.ktorOpenApi)
 
     implementation(projects.dao)
+    implementation(projects.shared.ktorUtils)
 
     implementation(libs.exposedCore)
     implementation(libs.exposedJdbc)
 
     testImplementation(testFixtures(projects.dao))
 
+    testImplementation(ktorLibs.client.contentNegotiation)
+    testImplementation(ktorLibs.client.core)
+    testImplementation(ktorLibs.server.testHost)
+    testImplementation(ktorLibs.utils)
     testImplementation(libs.kotestAssertionsCore)
     testImplementation(libs.kotestAssertionsKtor)
     testImplementation(libs.kotestRunnerJunit5)

components/authorization/backend/src/main/kotlin/rights/EffectiveRole.kt

@@ -28,6 +28,24 @@ import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
  * provided here, client code can check whether the user has the required permissions to perform the requested action.
  */
 interface EffectiveRole {
+    companion object {
+        /**
+         * A special instance of [EffectiveRole] that does not contain any permissions and is not associated with any
+         * specific hierarchy element.
+         */
+        val EMPTY: EffectiveRole = object : EffectiveRole {
+            override val elementId: CompoundHierarchyId = CompoundHierarchyId.WILDCARD
+
+            override val isSuperuser: Boolean = false
+
+            override fun hasOrganizationPermission(permission: OrganizationPermission): Boolean = false
+
+            override fun hasProductPermission(permission: ProductPermission): Boolean = false
+
+            override fun hasRepositoryPermission(permission: RepositoryPermission): Boolean = false
+        }
+    }
+
     /**
      * The compound ID of the hierarchy element this effective role applies to. This object contains the aggregated
      * permissions of the current user for this element.

components/authorization/backend/src/main/kotlin/routes/AuthorizationChecker.kt

@@ -22,7 +22,10 @@ package org.eclipse.apoapsis.ortserver.components.authorization.routes
 import io.ktor.server.application.ApplicationCall
 
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.OrganizationPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+import org.eclipse.apoapsis.ortserver.model.OrganizationId
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
 
 /**
  * An interface defining a mechanism to check for required permissions using an [AuthorizationService] instance.
@@ -53,3 +56,21 @@ interface AuthorizationChecker {
      */
     fun checkAuthorization(effectiveRole: EffectiveRole): Boolean
 }
+
+/**
+ * Create an [AuthorizationChecker] that checks for the presence of the given organization-level [permission].
+ */
+fun requirePermission(permission: OrganizationPermission): AuthorizationChecker =
+    object : AuthorizationChecker {
+        override suspend fun loadEffectiveRole(
+            service: AuthorizationService,
+            userId: String,
+            call: ApplicationCall
+        ): EffectiveRole =
+            service.getEffectiveRole(userId, OrganizationId(call.requireIdParameter("organizationId")))
+
+        override fun checkAuthorization(effectiveRole: EffectiveRole): Boolean =
+            effectiveRole.hasOrganizationPermission(permission)
+
+        override fun toString(): String = "RequireOrganizationPermission($permission)"
+    }

components/authorization/backend/src/main/kotlin/routes/AuthorizedRoutes.kt

@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.authorization.routes
+
+import com.auth0.jwt.interfaces.Payload
+
+import io.github.smiley4.ktoropenapi.config.RouteConfig
+import io.github.smiley4.ktoropenapi.delete
+import io.github.smiley4.ktoropenapi.get
+import io.github.smiley4.ktoropenapi.patch
+import io.github.smiley4.ktoropenapi.post
+import io.github.smiley4.ktoropenapi.put
+
+import io.ktor.server.application.ApplicationCall
+import io.ktor.server.routing.Route
+import io.ktor.server.routing.RouteSelector
+import io.ktor.server.routing.RouteSelectorEvaluation
+import io.ktor.server.routing.RoutingContext
+import io.ktor.server.routing.RoutingPipelineCall
+import io.ktor.server.routing.RoutingResolveContext
+import io.ktor.util.AttributeKey
+
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.EffectiveRole
+import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
+
+/**
+ * Create an [OrtServerPrincipal] for this [ApplicationCall]. If an [AuthorizationChecker] is present in the current
+ * context, use it to an [EffectiveRole] and perform an authorization check. Result is *null* if this check fails.
+ */
+suspend fun ApplicationCall.createAuthorizedPrincipal(
+    authorizationService: AuthorizationService,
+    payload: Payload
+): OrtServerPrincipal? =
+    (this as? RoutingPipelineCall)?.let { routingCall ->
+        val checker = routingCall.route.findAuthorizationChecker()
+
+        val effectiveRole = if (checker != null) {
+            checker.loadEffectiveRole(
+                service = authorizationService,
+                userId = payload.getClaim("preferred_username").asString(),
+                call = this
+            ).takeIf { checker.checkAuthorization(it) }
+        } else {
+            EffectiveRole.EMPTY
+        }
+
+        effectiveRole?.let { OrtServerPrincipal.create(payload, it) }
+    }
+
+/**
+ * Create a new [Route] for HTTP GET requests that performs an automatic authorization check using the given [checker].
+ */
+fun Route.get(
+    builder: RouteConfig.() -> Unit,
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit
+): Route = documentedAuthorized(checker) { get(builder, body) }
+
+/**
+ * Create a new [Route] for HTTP POST requests that performs an automatic authorization check using the given [checker].
+ */
+fun Route.post(
+    builder: RouteConfig.() -> Unit,
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit
+): Route = documentedAuthorized(checker) { post(builder, body) }
+
+/**
+ * Create a new [Route] for HTTP PATCH requests that performs an automatic authorization check using the given
+ * [checker].
+ */
+fun Route.patch(
+    builder: RouteConfig.() -> Unit,
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit
+): Route = documentedAuthorized(checker) { patch(builder, body) }
+
+/**
+ * Create a new [Route] for HTTP PUT requests that performs an automatic authorization check using the given
+ * [checker].
+ */
+fun Route.put(
+    builder: RouteConfig.() -> Unit,
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit
+): Route = documentedAuthorized(checker) { put(builder, body) }
+
+/**
+ * Create a new [Route] for HTTP DELETE requests that performs an automatic authorization check using the given
+ * [checker].
+ */
+fun Route.delete(
+    builder: RouteConfig.() -> Unit,
+    checker: AuthorizationChecker,
+    body: suspend RoutingContext.() -> Unit
+): Route = documentedAuthorized(checker) { delete(builder, body) }
+
+/**
+ * Generic function to create a new [Route] that performs an automatic authorization check using the given [checker].
+ * The content of the route is defined by the given [build] function.
+ */
+private fun Route.documentedAuthorized(checker: AuthorizationChecker, build: Route.() -> Unit): Route {
+    val authorizedRoute = createChild(authorizedRouteSelector(checker.toString()))
+    authorizedRoute.attributes.put(AuthorizationCheckerKey, checker)
+    authorizedRoute.build()
+    return authorizedRoute
+}
+
+/**
+ * Create a [RouteSelector] for a new authorized [Route] whose string representation is derived from the given [tag].
+ */
+private fun authorizedRouteSelector(tag: String): RouteSelector =
+    object : RouteSelector() {
+        override suspend fun evaluate(
+            context: RoutingResolveContext,
+            segmentIndex: Int
+        ): RouteSelectorEvaluation = RouteSelectorEvaluation.Transparent
+
+        override fun toString(): String {
+            return "(authorized $tag)"
+        }
+    }
+
+/**
+ * Search for an [AuthorizationChecker] object in the context of the current [Route]. The checker has been defined
+ * using the routes DSL. It may be available in this route or in any of its parent routes.
+ */
+private fun Route.findAuthorizationChecker(): AuthorizationChecker? =
+    this.attributes.getOrNull(AuthorizationCheckerKey)
+        ?: parent?.findAuthorizationChecker()
+
+/**
+ * Constant for a key in the attributes of a [Route] to store an [AuthorizationChecker].
+ */
+private val AuthorizationCheckerKey = AttributeKey<AuthorizationChecker>("AuthorizationCheckerKey")
+
+/**
+ * An object defining constants for the names of supported authentication providers.
+ */
+object AuthenticationProviders {
+    /**
+     * The name of the authentication provider for authorization based on JWT tokens.
+     */
+    const val TOKEN_PROVIDER = "token"
+}