feat(authorization): Extend role assignment information for users

Introduce a new `RoleInfo` class that stores additional information on
which hierarchy level a role has been assigned to a user. Change
`AuthorizationService.listUsers()` to return such `RoleInfo` objects.
This additional information can be used by the UI to distinguish between
users who have been explicitly assigned to a hierarchy element and those
with roles inherited from other elements.

For now, the REST API only uses this new functionality to filter out
users with inherited roles. This can be extended later to support more
advanced views about users in the UI.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

components/authorization/backend/src/main/kotlin/rights/RoleInfo.kt

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.authorization.rights
+
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
+
+/**
+ * A data class storing information about a role assignment. An instance holds the assigned [Role] and information
+ * about where in the hierarchy the role was assigned. This makes it possible to distinguish between explicit role
+ * assignments for a specific level and inherited role assignments from other levels.
+ */
+data class RoleInfo(
+    /** The assigned [Role]. */
+    val role: Role,
+
+    /** The hierarchy ID where the role was assigned. */
+    val assignedAt: CompoundHierarchyId
+)

components/authorization/backend/src/main/kotlin/service/AuthorizationService.kt

@@ -25,6 +25,7 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.Permission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RoleInfo
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.HierarchyId
 import org.eclipse.apoapsis.ortserver.model.util.HierarchyFilter
@@ -93,11 +94,12 @@ interface AuthorizationService {
     suspend fun listUsersWithRole(role: Role, compoundHierarchyId: CompoundHierarchyId): Set<String>
 
     /**
-     * Return a [Map] with the IDs of all users and their assigned role on the hierarchy element identified by the
-     * given [compoundHierarchyId]. The result includes users who inherit access rights on this hierarchy element from
-     * higher levels, such as organization admins, but no superusers.
+     * Return a [Map] with the IDs of all users and information about their assigned role on the hierarchy element
+     * identified by the given [compoundHierarchyId]. The result includes users who inherit access rights on this
+     * hierarchy element from higher levels, such as organization admins, but no superusers. The [RoleInfo] objects
+     * can be used to find out from where users have been granted their access rights.
      */
-    suspend fun listUsers(compoundHierarchyId: CompoundHierarchyId): Map<String, Role>
+    suspend fun listUsers(compoundHierarchyId: CompoundHierarchyId): Map<String, RoleInfo>
 
     /**
      * Return a [HierarchyFilter] with information about all hierarchy elements for which the specified [userId] has at

components/authorization/backend/src/main/kotlin/service/DbAuthorizationService.kt

@@ -37,6 +37,7 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRol
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RoleInfo
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
 import org.eclipse.apoapsis.ortserver.dao.repositories.product.ProductsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
@@ -174,7 +175,7 @@ class DbAuthorizationService(
             }.mapTo(mutableSetOf()) { it[RoleAssignmentsTable.userId] }
     }
 
-    override suspend fun listUsers(compoundHierarchyId: CompoundHierarchyId): Map<String, Role> =
+    override suspend fun listUsers(compoundHierarchyId: CompoundHierarchyId): Map<String, RoleInfo> =
         withContext(Dispatchers.Default) {
             db.dbQuery {
                 logger.debug("Loading role assignments on element {}...", compoundHierarchyId)
@@ -414,7 +415,7 @@ private fun computeRoleForUser(
     user: String,
     hierarchyId: CompoundHierarchyId,
     assignments: List<Pair<CompoundHierarchyId, Role>>
-): Role? {
+): RoleInfo? {
     logger.debug("Computing effective role for user '{}' on element {}...", user, hierarchyId)
 
     return findHighestRole(assignments, hierarchyId)?.first
@@ -455,17 +456,17 @@ private fun IdsByLevel.filterContainedIn(
 private fun findHighestRole(
     roleAssignments: List<Pair<CompoundHierarchyId, Role>>,
     hierarchyId: CompoundHierarchyId
-): Triple<Role, PermissionChecker, HierarchyPermissions>? {
+): Triple<RoleInfo, PermissionChecker, HierarchyPermissions>? {
     val roles = (
             Role.rolesForLevel(hierarchyId.level)
                 .takeUnless { it.isEmpty() } ?: OrganizationRole.entries
             ).reversed().asSequence()
 
     return roles.mapNotNull { role ->
         val permissionChecker = HierarchyPermissions.permissions(role)
-        HierarchyPermissions.create(roleAssignments, permissionChecker)
-            .takeIf { it.hasPermission(hierarchyId) }?.let {
-                Triple(role, permissionChecker, it)
-            }
+        val permissions = HierarchyPermissions.create(roleAssignments, permissionChecker)
+        permissions.permissionGrantedOnLevel(hierarchyId)?.let {
+            Triple(RoleInfo(role, it), permissionChecker, permissions)
+        }
     }.firstOrNull()
 }

components/authorization/backend/src/test/kotlin/service/DbAuthorizationServiceTest.kt

@@ -42,6 +42,7 @@ import org.eclipse.apoapsis.ortserver.components.authorization.rights.ProductRol
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.RepositoryRole
 import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RoleInfo
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
 import org.eclipse.apoapsis.ortserver.dao.test.DatabaseTestExtension
 import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
@@ -626,6 +627,9 @@ class DbAuthorizationServiceTest : WordSpec() {
                 val repository2 = dbExtension.fixtures.createRepository(url = "https://example.com/other.git")
                 val product2 = dbExtension.fixtures.createProduct("otherProduct")
                 val organization2 = dbExtension.fixtures.createOrganization("otherOrg")
+                val organizationId = CompoundHierarchyId.forOrganization(
+                    OrganizationId(dbExtension.fixtures.organization.id)
+                )
                 val writerUser = "writer-user"
                 val productAdminUser = "product-admin-user"
                 val organizationAdminUser = "organization-admin-user"
@@ -663,7 +667,7 @@ class DbAuthorizationServiceTest : WordSpec() {
                 service.assignRole(
                     organizationAdminUser,
                     OrganizationRole.ADMIN,
-                    CompoundHierarchyId.forOrganization(OrganizationId(dbExtension.fixtures.organization.id))
+                    organizationId
                 )
 
                 val users = service.listUsers(repositoryCompoundId)
@@ -674,10 +678,10 @@ class DbAuthorizationServiceTest : WordSpec() {
                     organizationAdminUser
                 )
 
-                users[USER_ID] shouldBe RepositoryRole.READER
-                users[writerUser] shouldBe RepositoryRole.WRITER
-                users[productAdminUser] shouldBe RepositoryRole.ADMIN
-                users[organizationAdminUser] shouldBe RepositoryRole.ADMIN
+                users[USER_ID] shouldBe RoleInfo(RepositoryRole.READER, repositoryCompoundId)
+                users[writerUser] shouldBe RoleInfo(RepositoryRole.WRITER, repositoryCompoundId)
+                users[productAdminUser] shouldBe RoleInfo(RepositoryRole.ADMIN, repositoryCompoundId.parent!!)
+                users[organizationAdminUser] shouldBe RoleInfo(RepositoryRole.ADMIN, organizationId)
             }
 
             "list users with assignments on organization level" {
@@ -703,10 +707,10 @@ class DbAuthorizationServiceTest : WordSpec() {
                     repoReaderUser
                 )
 
-                users[USER_ID] shouldBe OrganizationRole.READER
-                users[writerUser] shouldBe OrganizationRole.WRITER
-                users[adminUser] shouldBe OrganizationRole.ADMIN
-                users[repoReaderUser] shouldBe OrganizationRole.READER
+                users[USER_ID] shouldBe RoleInfo(OrganizationRole.READER, organizationCompoundId)
+                users[writerUser] shouldBe RoleInfo(OrganizationRole.WRITER, organizationCompoundId)
+                users[adminUser] shouldBe RoleInfo(OrganizationRole.ADMIN, organizationCompoundId)
+                users[repoReaderUser] shouldBe RoleInfo(OrganizationRole.READER, repositoryCompoundId)
             }
 
             "list users with implicit rights from lower levels" {
@@ -718,24 +722,27 @@ class DbAuthorizationServiceTest : WordSpec() {
                 val users = service.listUsers(repositoryCompoundId.parent!!)
                 users shouldHaveSize 1
 
-                users[USER_ID] shouldBe ProductRole.READER
+                users[USER_ID] shouldBe RoleInfo(ProductRole.READER, repositoryCompoundId)
             }
 
             "inherit roles from higher levels" {
                 val repositoryCompoundId = repositoryCompoundId()
+                val orgCompoundId = CompoundHierarchyId.forOrganization(
+                    OrganizationId(dbExtension.fixtures.organization.id)
+                )
                 val service = createService()
 
                 service.assignRole(
                     USER_ID,
                     OrganizationRole.WRITER,
-                    CompoundHierarchyId.forOrganization(OrganizationId(dbExtension.fixtures.organization.id))
+                    orgCompoundId
                 )
                 service.assignRole(USER_ID, RepositoryRole.READER, repositoryCompoundId)
 
                 val users = service.listUsers(repositoryCompoundId)
                 users shouldHaveSize 1
 
-                users[USER_ID] shouldBe RepositoryRole.WRITER
+                users[USER_ID] shouldBe RoleInfo(RepositoryRole.WRITER, orgCompoundId)
             }
 
             "not include super users" {
@@ -770,7 +777,7 @@ class DbAuthorizationServiceTest : WordSpec() {
 
                 users.entries.shouldBeSingleton { (key, value) ->
                     key shouldBe USER_ID
-                    value shouldBe RepositoryRole.READER
+                    value shouldBe RoleInfo(RepositoryRole.READER, repositoryCompoundId)
                 }
             }
         }

core/src/main/kotlin/api/OrganizationsRoute.kt

@@ -375,7 +375,8 @@ fun Route.organizations() = route("organizations") {
                 )
                 val pagingOptions = call.pagingOptions(SortProperty("username", SortDirection.ASCENDING))
 
-                val users = authorizationService.listUsers(orgId).mapToApi(userService)
+                val users = authorizationService.listUsers(orgId)
+                    .mapToApi(userService) { it.assignedAt.level == CompoundHierarchyId.ORGANIZATION_LEVEL }
                 call.respond(
                     PagedResponse(users.sortAndPage(pagingOptions), pagingOptions.toPagingData(users.size.toLong()))
                 )

core/src/main/kotlin/api/ProductsRoute.kt

@@ -64,6 +64,7 @@ import org.eclipse.apoapsis.ortserver.core.services.OrchestratorService
 import org.eclipse.apoapsis.ortserver.core.utils.getPluginConfigs
 import org.eclipse.apoapsis.ortserver.core.utils.hasKeepAliveWorkerFlag
 import org.eclipse.apoapsis.ortserver.core.utils.vulnerabilityForRunsFilters
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.Repository
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityWithAccumulatedData
@@ -425,7 +426,7 @@ fun Route.products() = route("products/{productId}") {
             val pagingOptions = call.pagingOptions(SortProperty("username", SortDirection.ASCENDING))
 
             val users = authorizationService.listUsers(call.ortServerPrincipal.effectiveRole.elementId)
-                .mapToApi(userService)
+                .mapToApi(userService) { it.assignedAt.level == CompoundHierarchyId.PRODUCT_LEVEL }
 
             call.respond(
                 PagedResponse(users.sortAndPage(pagingOptions), pagingOptions.toPagingData(users.size.toLong()))

core/src/main/kotlin/api/RepositoriesRoute.kt

@@ -59,6 +59,7 @@ import org.eclipse.apoapsis.ortserver.core.apiDocs.putRepositoryRoleToUser
 import org.eclipse.apoapsis.ortserver.core.services.OrchestratorService
 import org.eclipse.apoapsis.ortserver.core.utils.getPluginConfigs
 import org.eclipse.apoapsis.ortserver.core.utils.hasKeepAliveWorkerFlag
+import org.eclipse.apoapsis.ortserver.model.CompoundHierarchyId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.services.RepositoryService
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
@@ -247,7 +248,7 @@ fun Route.repositories() = route("repositories/{repositoryId}") {
             val pagingOptions = call.pagingOptions(SortProperty("username", SortDirection.ASCENDING))
 
             val users = authorizationService.listUsers(call.ortServerPrincipal.effectiveRole.elementId)
-                .mapToApi(userService)
+                .mapToApi(userService) { it.assignedAt.level == CompoundHierarchyId.REPOSITORY_LEVEL }
 
             call.respond(
                 PagedResponse(users.sortAndPage(pagingOptions), pagingOptions.toPagingData(users.size.toLong()))

core/src/main/kotlin/api/UserWithGroupsHelper.kt

@@ -21,7 +21,7 @@ package org.eclipse.apoapsis.ortserver.core.api
 
 import org.eclipse.apoapsis.ortserver.api.v1.mapping.mapToApi
 import org.eclipse.apoapsis.ortserver.api.v1.model.UserWithGroups
-import org.eclipse.apoapsis.ortserver.components.authorization.rights.Role
+import org.eclipse.apoapsis.ortserver.components.authorization.rights.RoleInfo
 import org.eclipse.apoapsis.ortserver.components.authorization.routes.mapToGroup
 import org.eclipse.apoapsis.ortserver.components.authorization.service.UserService
 import org.eclipse.apoapsis.ortserver.dao.QueryParametersException
@@ -70,11 +70,20 @@ internal object UserWithGroupsHelper {
         )
     }
 
-    internal suspend fun Map<String, Role>.mapToApi(userService: UserService): List<UserWithGroups> {
+    /**
+     * Convert this [Map] with information about users and their assigned roles to a list of [UserWithGroups] objects
+     * that can be used to display user / group information for a specific hierarchy element. Apply the given
+     * [roleFilter] to select only specific items based on their role information. This can be used for instance, to
+     * distinguish between users with an explicit role assignment and users who only have inherited roles.
+     */
+    internal suspend fun Map<String, RoleInfo>.mapToApi(
+        userService: UserService,
+        roleFilter: (RoleInfo) -> Boolean = { true }
+    ): List<UserWithGroups> {
         val userMapping = userService.getUsersById(keys).associateBy(User::username)
 
-        return filter { it.key in userMapping }
+        return filter { it.key in userMapping && roleFilter(it.value) }
             .mapKeys { userMapping.getValue(it.key) }
-            .mapValues { (_, role) -> setOf(role.mapToGroup()) }.mapToApi()
+            .mapValues { (_, roleInfo) -> setOf(roleInfo.role.mapToGroup()) }.mapToApi()
     }
 }

core/src/test/kotlin/api/OrganizationsRouteIntegrationTest.kt

@@ -1833,6 +1833,48 @@ class OrganizationsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "filter out users with inherited roles" {
+            integrationTestApplication {
+                val orgId = createOrganization().id
+                val orgHierarchyId = CompoundHierarchyId.forOrganization(OrganizationId(orgId))
+                val productId = dbExtension.fixtures.createProduct(organizationId = orgId).id
+                val repositoryId = dbExtension.fixtures.createRepository(productId = productId).id
+
+                authorizationService.assignRole(
+                    SUPERUSER.username.value,
+                    OrganizationRole.WRITER,
+                    orgHierarchyId
+                )
+                authorizationService.assignRole(
+                    TEST_USER.username.value,
+                    RepositoryRole.READER,
+                    CompoundHierarchyId.forRepository(
+                        OrganizationId(orgId),
+                        ProductId(productId),
+                        RepositoryId(repositoryId)
+                    )
+                )
+
+                val response = superuserClient.get("/api/v1/organizations/$orgId/users")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                response shouldHaveBody PagedResponse(
+                    listOf(
+                        ApiUserWithGroups(
+                            ApiUser(SUPERUSER.username.value, SUPERUSER.firstName, SUPERUSER.lastName, SUPERUSER.email),
+                            listOf(ApiUserGroup.WRITERS)
+                        )
+                    ),
+                    PagingData(
+                        limit = DEFAULT_LIMIT,
+                        offset = 0,
+                        totalCount = 1,
+                        sortProperties = listOf(SortProperty("username", SortDirection.ASCENDING))
+                    )
+                )
+            }
+        }
+
         "respond with 'Bad Request' if there is more than one sort field" {
             integrationTestApplication {
                 val orgId = createOrganization().id

core/src/test/kotlin/api/ProductsRouteIntegrationTest.kt

@@ -1499,6 +1499,44 @@ class ProductsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "filter out users with inherited roles" {
+            integrationTestApplication {
+                val product = createProduct()
+                val productId = product.id
+                val productHierarchyId = CompoundHierarchyId.forProduct(
+                    OrganizationId(product.organizationId),
+                    ProductId(productId)
+                )
+
+                authorizationService.assignRole(TEST_USER.username.value, ProductRole.READER, productHierarchyId)
+                authorizationService.assignRole(
+                    SUPERUSER.username.value,
+                    ProductRole.ADMIN,
+                    CompoundHierarchyId.forOrganization(
+                        OrganizationId(product.organizationId)
+                    )
+                )
+
+                val response = superuserClient.get("/api/v1/products/$productId/users")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                response shouldHaveBody PagedResponse(
+                    listOf(
+                        ApiUserWithGroups(
+                            ApiUser(TEST_USER.username.value, TEST_USER.firstName, TEST_USER.lastName, TEST_USER.email),
+                            listOf(ApiUserGroup.READERS)
+                        )
+                    ),
+                    PagingData(
+                        limit = DEFAULT_LIMIT,
+                        offset = 0,
+                        totalCount = 1,
+                        sortProperties = listOf(SortProperty("username", SortDirection.ASCENDING))
+                    )
+                )
+            }
+        }
+
         "respond with 'Bad Request' if there is more than one sort field" {
             integrationTestApplication {
                 val productId = createProduct().id