feat(authorization): Extend EffectiveRole for superuser checks

Add a new property to `EffectiveRole` that holds the superuser status, so
that this can be checked efficiently. Extend `DbAuthorizationService` to
set this flag correctly. Add more test cases for role assignments on the
superuser level.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/src/main/kotlin/rights/EffectiveRole.kt

@@ -34,6 +34,11 @@ interface EffectiveRole {
      */
     val elementId: CompoundHierarchyId
 
+    /**
+     * A flag indicating whether the associated user has superuser rights.
+     */
+    val isSuperuser: Boolean
+
     /**
      * Check whether this effective role grants the given [permission] on the organization level.
      */

components/authorization/backend/src/main/kotlin/service/DbAuthorizationService.kt

@@ -67,10 +67,20 @@ class DbAuthorizationService(
         userId: String,
         compoundHierarchyId: CompoundHierarchyId
     ): EffectiveRole {
+        val roleAssignments = loadAssignments(userId, compoundHierarchyId)
+        val permissions = roleAssignments.map { it.toHierarchyPermissions() }
+            .takeUnless { it.isEmpty() }?.reduce(::reducePermissions) ?: EMPTY_PERMISSIONS
+        val isSuperuser = roleAssignments.any {
+            it[RoleAssignmentsTable.organizationId] == null &&
+                    it[RoleAssignmentsTable.productId] == null &&
+                    it[RoleAssignmentsTable.repositoryId] == null &&
+                    it.extractRole() == OrganizationRole.ADMIN
+        }
+
         return EffectiveRoleImpl(
             elementId = compoundHierarchyId,
-            permissions = loadAssignments(userId, compoundHierarchyId)
-                .takeUnless { it.isEmpty() }?.reduce(::reducePermissions) ?: EMPTY_PERMISSIONS
+            isSuperuser = isSuperuser,
+            permissions = permissions
         )
     }
 
@@ -85,6 +95,7 @@ class DbAuthorizationService(
 
             EffectiveRoleImpl(
                 elementId = compoundHierarchyId,
+                isSuperuser = false,
                 permissions = EMPTY_PERMISSIONS
             )
         } else {
@@ -200,15 +211,15 @@ class DbAuthorizationService(
     private suspend fun loadAssignments(
         userId: String,
         compoundHierarchyId: CompoundHierarchyId
-    ): List<HierarchyPermissions> = db.dbQuery {
+    ): List<ResultRow> = db.dbQuery {
         RoleAssignmentsTable.selectAll()
             .where {
                 (RoleAssignmentsTable.userId eq userId) and (
                         repositoryCondition(compoundHierarchyId) or
                                 productWildcardCondition(compoundHierarchyId) or
                                 organizationWildcardCondition()
                         )
-            }.map { it.toHierarchyPermissions() }
+            }.toList()
     }
 
     /**
@@ -265,6 +276,8 @@ private val EMPTY_PERMISSIONS = HierarchyPermissions(
 private class EffectiveRoleImpl(
     override val elementId: CompoundHierarchyId,
 
+    override val isSuperuser: Boolean,
+
     /** The permissions granted on the different levels of the hierarchy. */
     private val permissions: HierarchyPermissions
 ) : EffectiveRole {
@@ -330,11 +343,12 @@ private fun reducePermissions(
  * assignments on higher levels in the same hierarchy.
  */
 private fun SqlExpressionBuilder.repositoryCondition(hierarchyId: CompoundHierarchyId): Op<Boolean> =
-    (RoleAssignmentsTable.repositoryId eq hierarchyId.repositoryId?.value) or (
-            (RoleAssignmentsTable.repositoryId eq null) and
+    (
+        (RoleAssignmentsTable.repositoryId eq hierarchyId.repositoryId?.value) or
+            (RoleAssignmentsTable.repositoryId eq null)
+    ) and
                     (RoleAssignmentsTable.productId eq hierarchyId.productId?.value) and
                     (RoleAssignmentsTable.organizationId eq hierarchyId.organizationId?.value)
-            )
 
 /**
  * Generate the SQL condition to match role assignments for the given [hierarchyId] for which no product ID is

components/authorization/backend/src/test/kotlin/service/DbAuthorizationServiceTest.kt

@@ -278,7 +278,26 @@ class DbAuthorizationServiceTest : WordSpec() {
 
                 val effectiveRole = service.getEffectiveRole(USER_ID, repositoryCompoundId)
 
-                checkPermissions(effectiveRole, OrganizationRole.ADMIN)
+                checkPermissions(effectiveRole, OrganizationRole.ADMIN, expectedSuperuser = true)
+            }
+
+            "allow querying super users only" {
+                val normalUser = "normal-user"
+                createAssignment(
+                    organizationRole = OrganizationRole.ADMIN
+                )
+                createAssignment(
+                    userId = normalUser,
+                    organizationId = dbExtension.fixtures.organization.id,
+                    organizationRole = OrganizationRole.READER
+                )
+                val service = createService()
+
+                val effectiveRoleNormal = service.getEffectiveRole(normalUser, CompoundHierarchyId.WILDCARD)
+                val effectiveRoleSuper = service.getEffectiveRole(USER_ID, CompoundHierarchyId.WILDCARD)
+
+                checkPermissions(effectiveRoleNormal)
+                checkPermissions(effectiveRoleSuper, OrganizationRole.ADMIN, expectedSuperuser = true)
             }
 
             "not fail for invalid role names" {
@@ -332,7 +351,7 @@ class DbAuthorizationServiceTest : WordSpec() {
                 checkPermissions(effectiveRole, ProductRole.WRITER)
 
                 val effectiveRoleOrg = service.getEffectiveRole(USER_ID, productCompoundId.parent!!)
-                checkPermissions(effectiveRoleOrg, ProductRole.WRITER)
+                checkPermissions(effectiveRoleOrg)
             }
 
             "create a new role assignment on organization level" {
@@ -354,7 +373,7 @@ class DbAuthorizationServiceTest : WordSpec() {
                 checkPermissions(effectiveRoleRepo, OrganizationRole.WRITER)
             }
 
-            "create a new role assignment for the WILDCARD ID" {
+            "create a new superuser role assignment" {
                 val service = createService()
 
                 service.assignRole(
@@ -364,7 +383,7 @@ class DbAuthorizationServiceTest : WordSpec() {
                 )
 
                 val effectiveRole = service.getEffectiveRole(USER_ID, repositoryCompoundId())
-                checkPermissions(effectiveRole, OrganizationRole.ADMIN)
+                checkPermissions(effectiveRole, OrganizationRole.ADMIN, expectedSuperuser = true)
             }
 
             "replace an already exiting assignment" {
@@ -710,13 +729,15 @@ private const val USER_ID = "test-user"
 
 /**
  * Check that the given [effectiveRole] contains exactly the specified [expectedOrganizationPermissions],
- * [expectedProductPermissions], and [expectedRepositoryPermissions] on the different hierarchy levels.
+ * [expectedProductPermissions], and [expectedRepositoryPermissions] on the different hierarchy levels. Also check the
+ * [superuser][expectedSuperuser] flag.
  */
 private fun checkPermissions(
     effectiveRole: EffectiveRole,
     expectedOrganizationPermissions: Set<OrganizationPermission> = emptySet(),
     expectedProductPermissions: Set<ProductPermission> = emptySet(),
-    expectedRepositoryPermissions: Set<RepositoryPermission> = emptySet()
+    expectedRepositoryPermissions: Set<RepositoryPermission> = emptySet(),
+    expectedSuperuser: Boolean = false
 ) {
     OrganizationPermission.entries.forAll {
         effectiveRole.hasOrganizationPermission(it) shouldBe (it in expectedOrganizationPermissions)
@@ -727,15 +748,19 @@ private fun checkPermissions(
     RepositoryPermission.entries.forAll {
         effectiveRole.hasRepositoryPermission(it) shouldBe (it in expectedRepositoryPermissions)
     }
+
+    effectiveRole.isSuperuser shouldBe expectedSuperuser
 }
 
 /**
- * Check that the given [effectiveRole] contains exactly the permissions as defined by the given [expectedRole].
+ * Check that the given [effectiveRole] contains exactly the permissions as defined by the given [expectedRole]. Also
+ * check the [superuser][expectedSuperuser] flag.
  */
-private fun checkPermissions(effectiveRole: EffectiveRole, expectedRole: Role) =
+private fun checkPermissions(effectiveRole: EffectiveRole, expectedRole: Role, expectedSuperuser: Boolean = false) =
     checkPermissions(
         effectiveRole,
         expectedRole.organizationPermissions,
         expectedRole.productPermissions,
-        expectedRole.repositoryPermissions
+        expectedRole.repositoryPermissions,
+        expectedSuperuser
     )