eclipse-apoapsis · oheger-bosch · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 30, 2025
@@ -42,7 +42,7 @@ dependencies {
     implementation(libs.exposedCore)
     implementation(libs.exposedKotlinDatetime)
 
-    routesImplementation(projects.components.authorizationKeycloak.backend)
+    routesImplementation(projects.components.authorization.backend)
     routesImplementation(projects.shared.apiModel)
     routesImplementation(projects.shared.ktorUtils)
 

@@ -28,7 +28,7 @@ import io.ktor.server.routing.Route
 import org.eclipse.apoapsis.ortserver.components.adminconfig.Config
 import org.eclipse.apoapsis.ortserver.components.adminconfig.ConfigKey
 import org.eclipse.apoapsis.ortserver.components.adminconfig.ConfigTable
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requireAuthenticated
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.OrtServerPrincipal.Companion.requirePrincipal
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireParameter
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
@@ -68,7 +68,7 @@ internal fun Route.getConfigByKey(db: Database) = get("admin/config/{key}", {
         }
     }
 }) {
-    requireAuthenticated()
+    requirePrincipal()
 
     val keyParameter = call.requireParameter("key")
 

@@ -19,8 +19,6 @@
 
 package org.eclipse.apoapsis.ortserver.components.adminconfig.routes
 
-import io.github.smiley4.ktoropenapi.post
-
 import io.ktor.http.HttpStatusCode
 import io.ktor.server.request.receive
 import io.ktor.server.response.respond
@@ -29,7 +27,8 @@ import io.ktor.server.routing.Route
 import org.eclipse.apoapsis.ortserver.components.adminconfig.Config
 import org.eclipse.apoapsis.ortserver.components.adminconfig.ConfigKey
 import org.eclipse.apoapsis.ortserver.components.adminconfig.ConfigTable
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requireSuperuser
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.post
+import org.eclipse.apoapsis.ortserver.components.authorization.routes.requireSuperuser
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireParameter
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
@@ -69,9 +68,7 @@ internal fun Route.setConfigByKey(db: Database) = post("admin/config/{key}", {
             description = "The config key is invalid."
         }
     }
-}) {
-    requireSuperuser()
-
+}, requireSuperuser()) {
     val keyParameter = call.requireParameter("key")
 
     val key = runCatching {

@@ -49,3 +49,12 @@ enum class OrganizationPermission {
     /** Permission to delete the [Organization]. */
     DELETE
 }
+
+/**
+ * The set of permissions required by the role to read an organization. (This is defined here to avoid circular
+ * dependencies, as it is referenced by multiple role classes.)
+ */
+internal val organizationReadPermissions = setOf(
+    OrganizationPermission.READ,
+    OrganizationPermission.READ_PRODUCTS
+)
@@ -19,6 +19,8 @@
 
 package org.eclipse.apoapsis.ortserver.components.authorization.rights
 
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
 /**
  * This enum contains the available roles for [organizations][org.eclipse.apoapsis.ortserver.model.Organization]. It
  * maps the permissions available for an organization to the default roles [READER], [WRITER], and [ADMIN].
@@ -35,10 +37,7 @@ enum class OrganizationRole(
 ) : Role {
     /** A role that grants read permissions for an [org.eclipse.apoapsis.ortserver.model.Organization]. */
     READER(
-        organizationPermissions = setOf(
-            OrganizationPermission.READ,
-            OrganizationPermission.READ_PRODUCTS
-        ),
+        organizationPermissions = organizationReadPermissions,
         productPermissions = ProductRole.READER.productPermissions,
         repositoryPermissions = RepositoryRole.READER.repositoryPermissions
     ),
@@ -63,5 +62,7 @@ enum class OrganizationRole(
         organizationPermissions = OrganizationPermission.entries.toSet(),
         productPermissions = ProductPermission.entries.toSet(),
         repositoryPermissions = RepositoryPermission.entries.toSet()
-    )
+    );
+
+    override val level = CompoundHierarchyId.ORGANIZATION_LEVEL
 }
@@ -51,3 +51,12 @@ enum class ProductPermission {
     /** Permission to delete the [Product]. */
     DELETE
 }
+
+/**
+ * The set of permissions required by the role to read a product. (This is defined here to avoid circular dependencies,
+ * as it is referenced by multiple role classes.)
+ */
+internal val productReadPermissions = setOf(
+    ProductPermission.READ,
+    ProductPermission.READ_REPOSITORIES
+)
@@ -19,6 +19,8 @@
 
 package org.eclipse.apoapsis.ortserver.components.authorization.rights
 
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
 /**
  * This enum contains the available roles for [products][org.eclipse.apoapsis.ortserver.model.Product]. It
  * maps the permissions available for a product to the default roles [READER], [WRITER], and [ADMIN].
@@ -29,16 +31,13 @@ package org.eclipse.apoapsis.ortserver.components.authorization.rights
  * - The constants are expected to be listed in increasing order of permissions.
  */
 enum class ProductRole(
-    override val organizationPermissions: Set<OrganizationPermission> = setOf(OrganizationPermission.READ),
+    override val organizationPermissions: Set<OrganizationPermission> = organizationReadPermissions,
     override val productPermissions: Set<ProductPermission>,
     override val repositoryPermissions: Set<RepositoryPermission>
 ) : Role {
     /** A role that grants read permissions for a [org.eclipse.apoapsis.ortserver.model.Product]. */
     READER(
-        productPermissions = setOf(
-            ProductPermission.READ,
-            ProductPermission.READ_REPOSITORIES
-        ),
+        productPermissions = productReadPermissions,
         repositoryPermissions = RepositoryRole.READER.repositoryPermissions
     ),
 
@@ -61,5 +60,7 @@ enum class ProductRole(
     ADMIN(
         productPermissions = ProductPermission.entries.toSet(),
         repositoryPermissions = RepositoryPermission.entries.toSet()
-    )
+    );
+
+    override val level = CompoundHierarchyId.PRODUCT_LEVEL
 }
@@ -19,13 +19,15 @@
 
 package org.eclipse.apoapsis.ortserver.components.authorization.rights
 
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
 /**
  * This enum contains the available roles for [repositories][org.eclipse.apoapsis.ortserver.model.Repository]. It
  * maps the permissions available for a product to the default roles [READER], [WRITER], and [ADMIN].
  */
 enum class RepositoryRole(
-    override val organizationPermissions: Set<OrganizationPermission> = setOf(OrganizationPermission.READ),
-    override val productPermissions: Set<ProductPermission> = setOf(ProductPermission.READ),
+    override val organizationPermissions: Set<OrganizationPermission> = organizationReadPermissions,
+    override val productPermissions: Set<ProductPermission> = productReadPermissions,
     override val repositoryPermissions: Set<RepositoryPermission>
 ) : Role {
     /** A role that grants read permissions for a [org.eclipse.apoapsis.ortserver.model.Repository]. */
@@ -49,5 +51,7 @@ enum class RepositoryRole(
     /** A role that grants all permissions for a [org.eclipse.apoapsis.ortserver.model.Repository]. */
     ADMIN(
         repositoryPermissions = RepositoryPermission.entries.toSet()
-    )
+    );
+
+    override val level: Int = CompoundHierarchyId.REPOSITORY_LEVEL
 }
@@ -19,6 +19,8 @@
 
 package org.eclipse.apoapsis.ortserver.components.authorization.rights
 
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
 /**
  * An interface to define common properties of all roles in the authorization system.
  *
@@ -27,6 +29,36 @@ package org.eclipse.apoapsis.ortserver.components.authorization.rights
  * specific repository should also be entitled to view the product and the organization the repository belongs to.
  */
 sealed interface Role {
+    companion object {
+        /**
+         * Return a [List] of all roles defined for the given hierarchy [level]. For an invalid level, return an empty
+         * list.
+         */
+        fun rolesForLevel(level: Int): List<Role> =
+            when (level) {
+                CompoundHierarchyId.ORGANIZATION_LEVEL -> OrganizationRole.entries
+                CompoundHierarchyId.PRODUCT_LEVEL -> ProductRole.entries
+                CompoundHierarchyId.REPOSITORY_LEVEL -> RepositoryRole.entries
+                else -> emptyList()
+            }
+
+        /**
+         * Return the role with the given [name] defined for the given hierarchy [level], or null if no such role
+         * exists.
+         */
+        fun getRoleByNameAndLevel(level: Int, name: String): Role? =
+            rolesForLevel(level).find { it.name == name }
+    }
+
+    /** The name of this role. */
+    val name: String
+
+    /**
+     * The level in the hierarchy this role is defined for. The value corresponds to the constants defined by the
+     * [org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId] companion object.
+     */
+    val level: Int
+
     /** A set with permissions that are granted by this role on the organization level. */
     val organizationPermissions: Set<OrganizationPermission>