org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity Java Examples

The following examples show how to use org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity.
Example #1
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Checks how a REVOKE-type authorization on the DEPLOYMENT resource reports its
 * permissions, and that the grant-side query is rejected for this type.
 */
public void testRevokeAuthPermissions() {
  AuthorizationEntity revokeAuth = new AuthorizationEntity(AUTH_TYPE_REVOKE);
  revokeAuth.setResource(Resources.DEPLOYMENT);

  // Freshly created: nothing is revoked and no permission is reported.
  assertFalse(revokeAuth.isPermissionRevoked(ALL));
  List<Permission> reported = Arrays.asList(revokeAuth.getPermissions(Permissions.values()));
  assertEquals(0, reported.size());

  // After removing READ, both READ and ALL show up in the reported list.
  revokeAuth.removePermission(READ);
  reported = Arrays.asList(revokeAuth.getPermissions(Permissions.values()));
  assertTrue(reported.contains(READ));
  assertTrue(reported.contains(ALL));
  assertEquals(2, reported.size());

  // Asking a REVOKE authorization whether something is granted must fail loudly
  // rather than silently return a value that could be misread as an access decision.
  try {
    revokeAuth.isPermissionGranted(READ);
    fail("Exception expected");
  } catch (IllegalStateException expected) {
    assertTextPresent("ENGINE-03026 Method 'isPermissionGranted' cannot be used for authorization with type 'REVOKE'.", expected.getMessage());
  }
}
 
Example #2
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Copies the root process instance id of the task onto the authorization and,
 * when the history removal-time strategy is "start", also sets the removal time.
 *
 * @param authorization the authorization to update in place
 * @param task          the task the root process instance id is resolved from
 */
protected void provideRemovalTime(AuthorizationEntity authorization, Task task) {
  final String rootId = getRootProcessInstanceId(task);
  if (rootId == null) {
    // No root process instance: the authorization is left untouched.
    return;
  }
  authorization.setRootProcessInstanceId(rootId);

  if (!isHistoryRemovalTimeStrategyStart()) {
    return;
  }

  // The removal time is set to null when no historic root instance is found.
  final HistoryEvent rootInstance = findHistoricProcessInstance(rootId);
  final Date removalTime = (rootInstance == null) ? null : rootInstance.getRemovalTime();
  authorization.setRemovalTime(removalTime);
}
 
Example #3
Source File: AbstractManager.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Persists the given default authorizations: entries without an id are inserted,
 * entries with an id are updated. A null or empty array is a no-op.
 *
 * @param authorizations the authorizations to persist; may be null
 */
public void saveDefaultAuthorizations(final AuthorizationEntity[] authorizations) {
  if (authorizations == null || authorizations.length == 0) {
    return;
  }

  // The writes go through runWithoutAuthorization, i.e. (as the name indicates) they
  // are not subject to the current user's authorization checks.
  // NOTE(review): callers should pass only engine-generated default authorizations,
  // never caller-supplied ones - confirm at the call sites.
  Context.getCommandContext().runWithoutAuthorization(new Callable<Void>() {
    public Void call() {
      final AuthorizationManager manager = getAuthorizationManager();
      for (AuthorizationEntity entry : authorizations) {
        final boolean isNew = entry.getId() == null;
        if (isNew) {
          manager.insert(entry);
        } else {
          manager.update(entry);
        }
      }
      return null;
    }
  });
}
 
Example #4
Source File: SaveAuthorizationCmd.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Saves the command's authorization: validates resource compatibility, provides the
 * removal time, inserts (no id yet) or updates (id present) the entity, and writes
 * a user operation log entry for the change.
 *
 * @param commandContext the context supplying the managers used here
 * @return the saved authorization
 */
public Authorization execute(CommandContext commandContext) {
  final AuthorizationManager manager = commandContext.getAuthorizationManager();

  manager.validateResourceCompatibility(authorization);
  provideRemovalTime(commandContext);

  // NOTE(review): no permission check is visible in this method; presumably
  // insert/update on the manager enforce it - confirm.
  final String operationType;
  final AuthorizationEntity previousValues;
  if (authorization.getId() != null) {
    // Load the stored state first so the operation log can record what was changed.
    previousValues = commandContext.getDbEntityManager().selectById(AuthorizationEntity.class, authorization.getId());
    manager.update(authorization);
    operationType = UserOperationLogEntry.OPERATION_TYPE_UPDATE;
  } else {
    previousValues = null;
    manager.insert(authorization);
    operationType = UserOperationLogEntry.OPERATION_TYPE_CREATE;
  }

  commandContext.getOperationLogManager().logAuthorizationOperation(operationType, authorization, previousValues);

  return authorization;
}
 
Example #5
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a new GRANT authorization for the given user and/or group on one resource.
 *
 * @param userId      user the grant applies to; validated when not null
 * @param groupId     group the grant applies to; validated when not null
 * @param resource    the resource type
 * @param resourceId  the id of the resource instance
 * @param permissions permissions to add; handed to {@code addPermissions}
 * @return the populated authorization
 */
protected AuthorizationEntity createGrantAuthorization(String userId, String groupId,
                                                       Resource resource, String resourceId,
                                                       Permission... permissions) {
  // assuming that there are no default authorizations for *
  // Both ids are validated as individual resource ids before any grant is built.
  if (userId != null) {
    ensureValidIndividualResourceId("Cannot create authorization for user " + userId, userId);
  }
  if (groupId != null) {
    ensureValidIndividualResourceId("Cannot create authorization for group " + groupId, groupId);
  }

  final AuthorizationEntity grant = new AuthorizationEntity(AUTH_TYPE_GRANT);
  grant.setUserId(userId);
  grant.setGroupId(groupId);
  grant.setResource(resource);
  grant.setResourceId(resourceId);
  addPermissions(grant, permissions);

  return grant;
}
 
Example #6
Source File: CreateAdminUserConfiguration.java    From camunda-bpm-spring-boot-starter with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the configured initial admin user after the engine is built, unless that
 * user already exists. Also creates the admin group if missing, grants that group
 * ALL permissions on every built-in resource (resource id ANY) where no such
 * authorization exists yet, and adds the user to the group.
 *
 * @param processEngine the engine whose identity and authorization services are used
 */
@Override
public void postProcessEngineBuild(final ProcessEngine processEngine) {
  requireNonNull(adminUser);

  final IdentityService identities = processEngine.getIdentityService();
  final AuthorizationService authorizations = processEngine.getAuthorizationService();

  // An existing user short-circuits everything below: neither the group nor its
  // authorizations are created or repaired in that case.
  if (userAlreadyExists(identities, adminUser)) {
    return;
  }

  createUser(identities, adminUser);

  // create group
  final boolean adminGroupMissing = identities.createGroupQuery().groupId(CAMUNDA_ADMIN).count() == 0;
  if (adminGroupMissing) {
    Group adminGroup = identities.newGroup(CAMUNDA_ADMIN);
    adminGroup.setName("camunda BPM Administrators");
    adminGroup.setType(Groups.GROUP_TYPE_SYSTEM);
    identities.saveGroup(adminGroup);
  }

  // create ADMIN authorizations on all built-in resources
  // Each grant is ALL on ANY, so membership in this group is full administrative
  // access; the admin user's credentials deserve matching care.
  for (Resource resource : Resources.values()) {
    final long existingGrants = authorizations.createAuthorizationQuery()
        .groupIdIn(CAMUNDA_ADMIN)
        .resourceType(resource)
        .resourceId(ANY)
        .count();
    if (existingGrants != 0) {
      continue;
    }
    AuthorizationEntity adminGrant = new AuthorizationEntity(AUTH_TYPE_GRANT);
    adminGrant.setGroupId(CAMUNDA_ADMIN);
    adminGrant.setResource(resource);
    adminGrant.setResourceId(ANY);
    adminGrant.addPermission(ALL);
    authorizations.saveAuthorization(adminGrant);
  }

  identities.createMembership(adminUser.getId(), CAMUNDA_ADMIN);
  LOG.creatingInitialAdminUser(adminUser);
}
 
Example #7
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Looks up the GRANT authorization for a task, by group when a group id is given
 * and by user otherwise.
 *
 * @param taskId   id of the task
 * @param userId   user id, used only when {@code groupId} is null
 * @param groupId  group id; takes precedence over {@code userId} when not null
 * @param resource the resource type
 * @return whatever the selected lookup helper returns
 */
protected AuthorizationEntity getGrantAuthorization(String taskId, String userId,
                                                    String groupId, Resource resource) {
  return (groupId != null)
      ? getGrantAuthorizationByGroupId(groupId, resource, taskId)
      : getGrantAuthorizationByUserId(userId, resource, taskId);
}
 
Example #8
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Checks permission reporting on an authorization created with AUTH_TYPE_GRANT and
 * that the revoke-side query is rejected for it.
 *
 * NOTE(review): despite the name, this constructs a GRANT authorization and its
 * body matches testGrantAuthPermissions as listed on this page - confirm whether a
 * global authorization type was meant to be covered here.
 */
public void testGlobalAuthPermissions() {
  AuthorizationEntity grantAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
  grantAuth.setResource(Resources.DEPLOYMENT);

  // Freshly created: ALL is not granted, only NONE is reported.
  assertFalse(grantAuth.isPermissionGranted(ALL));
  assertTrue(grantAuth.isPermissionGranted(NONE));
  List<Permission> granted = Arrays.asList(grantAuth.getPermissions(Permissions.values()));
  assertTrue(granted.contains(NONE));
  assertEquals(1, granted.size());

  // Adding READ extends the reported set to NONE and READ.
  grantAuth.addPermission(READ);
  granted = Arrays.asList(grantAuth.getPermissions(Permissions.values()));
  assertTrue(granted.contains(NONE));
  assertTrue(granted.contains(READ));
  assertEquals(2, granted.size());
  assertTrue(grantAuth.isPermissionGranted(READ));
  assertTrue(grantAuth.isPermissionGranted(NONE)); // (none is always granted => you are always authorized to do nothing)

  // The revoke-side query is invalid on a GRANT authorization and must throw.
  try {
    grantAuth.isPermissionRevoked(READ);
    fail("Exception expected");
  } catch (IllegalStateException expected) {
    assertTextPresent("ENGINE-03026 Method 'isPermissionRevoked' cannot be used for authorization with type 'GRANT'.", expected.getMessage());
  }
}
 
Example #9
Source File: DecisionDefinitionManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates and saves the default authorizations for a new decision definition.
 * Does nothing when authorization is not enabled.
 *
 * @param decisionDefinition the definition handed to the authorization provider
 */
protected void createDefaultAuthorizations(DecisionDefinition decisionDefinition) {
  if (!isAuthorizationEnabled()) {
    return;
  }
  final ResourceAuthorizationProvider provider = getResourceAuthorizationProvider();
  // The provider decides which authorizations a new decision definition gets.
  final AuthorizationEntity[] defaults = provider.newDecisionDefinition(decisionDefinition);
  saveDefaultAuthorizations(defaults);
}
 
Example #10
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates (or updates) the authorizations for a user whenever a new user identity
 * link is added to a task.
 *
 * @param task   the task the identity link belongs to
 * @param userId the linked user; validated as an individual resource id
 * @param type   the identity link type (not used in this method)
 * @return the result of {@code createOrUpdateAuthorizationsByUserId}
 */
public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String userId, String type) {
  // Validate the user id before any authorization is created or updated for it.
  final String failureMessage = "Cannot grant default authorization for identity link to user " + userId;
  ensureValidIndividualResourceId(failureMessage, userId);

  return createOrUpdateAuthorizationsByUserId(task, userId);
}
 
Example #11
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a GRANT authorization and then reconciles it with cached entries via
 * {@code updateAuthorizationBasedOnCacheEntries}.
 *
 * @param userId      user the grant applies to
 * @param groupId     group the grant applies to
 * @param resource    the resource type
 * @param resourceId  the id of the resource instance
 * @param permissions permissions passed on to {@code createGrantAuthorization}
 * @return the new authorization
 */
protected AuthorizationEntity createAuthorization(String userId, String groupId,
                                                  Resource resource, String resourceId,
                                                  Permission... permissions) {
  final AuthorizationEntity created = createGrantAuthorization(userId, groupId, resource, resourceId, permissions);
  // Runs after creation, so the cache reconciliation sees the populated entity.
  updateAuthorizationBasedOnCacheEntries(created, userId, groupId, resource, resourceId);
  return created;
}
 
Example #12
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Checks how a GRANT-type authorization on the DEPLOYMENT resource reports its
 * permissions, and that the revoke-side query is rejected for this type.
 */
public void testGrantAuthPermissions() {
  AuthorizationEntity grantAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
  grantAuth.setResource(Resources.DEPLOYMENT);

  // Freshly created: ALL is not granted, only NONE is reported.
  assertFalse(grantAuth.isPermissionGranted(ALL));
  assertTrue(grantAuth.isPermissionGranted(NONE));
  List<Permission> granted = Arrays.asList(grantAuth.getPermissions(Permissions.values()));
  assertTrue(granted.contains(NONE));
  assertEquals(1, granted.size());

  // Adding READ extends the reported set to NONE and READ.
  grantAuth.addPermission(READ);
  granted = Arrays.asList(grantAuth.getPermissions(Permissions.values()));
  assertTrue(granted.contains(NONE));
  assertTrue(granted.contains(READ));
  assertEquals(2, granted.size());
  assertTrue(grantAuth.isPermissionGranted(READ));
  assertTrue(grantAuth.isPermissionGranted(NONE)); // (none is always granted => you are always authorized to do nothing)

  // The revoke-side query is invalid on a GRANT authorization and must throw.
  try {
    grantAuth.isPermissionRevoked(READ);
    fail("Exception expected");
  } catch (IllegalStateException expected) {
    assertTextPresent("ENGINE-03026 Method 'isPermissionRevoked' cannot be used for authorization with type 'GRANT'.", expected.getMessage());
  }
}
 
Example #13
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Adds every non-null permission to the authorization. A null array is ignored.
 *
 * @param authorization the authorization to extend
 * @param permissions   permissions to add; null entries are skipped
 */
protected void addPermissions(AuthorizationEntity authorization, Permission... permissions) {
  if (permissions == null) {
    return;
  }
  for (Permission candidate : permissions) {
    if (candidate == null) {
      continue;
    }
    authorization.addPermission(candidate);
  }
}
 
Example #14
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Grants the currently authenticated user READ and DELETE on a new deployment.
 *
 * @param deployment the new deployment
 * @return a one-element array with the grant, or null when there is no current
 *         authentication or it carries no user id
 */
public AuthorizationEntity[] newDeployment(Deployment deployment) {
  final IdentityService identityService = Context.getProcessEngineConfiguration().getIdentityService();
  final Authentication current = identityService.getCurrentAuthentication();

  // Without an authenticated user there is nobody to receive the grant.
  if (current == null || current.getUserId() == null) {
    return null;
  }

  final String userId = current.getUserId();
  final String deploymentId = deployment.getId();
  // The grant is scoped to this deployment id only.
  final AuthorizationEntity creatorGrant =
      createGrantAuthorization(userId, null, DEPLOYMENT, deploymentId, READ, DELETE);
  return new AuthorizationEntity[]{ creatorGrant };
}
 
Example #15
Source File: DemoDataGenerator.java    From camunda-bpm-elasticsearch with Apache License 2.0 5 votes vote down vote up
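/**
 * Generates demo data: schedules instance starts and, if no user "demo" exists yet,
 * creates it, makes sure the admin group and its ALL/ANY authorizations exist, and
 * adds the user to that group.
 *
 * SECURITY: the account uses a fixed, publicly known user id and password and ends
 * up with ALL permissions on every built-in resource. This is acceptable only for
 * throw-away demo environments; do not ship this bean in a reachable deployment.
 *
 * @throws Exception declared by the method signature
 */
public void afterPropertiesSet() throws Exception {

  System.out.println("Generating demo data");

  scheduleInstanceStart();

  final String demoUserId = "demo";

  // ensure admin user exists
  IdentityService identityService = processEngine.getIdentityService();
  User user = identityService.createUserQuery().userId(demoUserId).singleResult();
  if (user != null) {
    // An existing user is left alone; group and authorizations are not re-checked.
    return;
  }

  User newUser = identityService.newUser(demoUserId);
  newUser.setPassword("demo");
  identityService.saveUser(newUser);
  // Fixed the "Created used" typo and stopped echoing the password to stdout.
  System.out.println("Created user 'demo' with the default demo password");
  AuthorizationService authorizationService = processEngine.getAuthorizationService();

  // create group
  if (identityService.createGroupQuery().groupId(Groups.CAMUNDA_ADMIN).count() == 0) {
    Group camundaAdminGroup = identityService.newGroup(Groups.CAMUNDA_ADMIN);
    camundaAdminGroup.setName("camunda BPM Administrators");
    camundaAdminGroup.setType(Groups.GROUP_TYPE_SYSTEM);
    identityService.saveGroup(camundaAdminGroup);
  }

  // create ADMIN authorizations on all built-in resources
  for (Resource resource : Resources.values()) {
    if (authorizationService.createAuthorizationQuery().groupIdIn(Groups.CAMUNDA_ADMIN).resourceType(resource).resourceId(ANY).count() == 0) {
      AuthorizationEntity userAdminAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
      userAdminAuth.setGroupId(Groups.CAMUNDA_ADMIN);
      userAdminAuth.setResource(resource);
      userAdminAuth.setResourceId(ANY);
      userAdminAuth.addPermission(ALL);
      authorizationService.saveAuthorization(userAdminAuth);
    }
  }

  // Reuse the service obtained above instead of fetching it from the engine again.
  identityService.createMembership(demoUserId, Groups.CAMUNDA_ADMIN);
}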
 
Example #16
Source File: CreateAdminUserConfiguration.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the configured initial admin user after the engine is built, unless that
 * user already exists. Also creates the admin group if missing, grants that group
 * ALL permissions on every built-in resource (resource id ANY) where no such
 * authorization exists yet, and adds the user to the group.
 *
 * @param processEngine the engine whose identity and authorization services are used
 */
@Override
public void postProcessEngineBuild(final ProcessEngine processEngine) {
  requireNonNull(adminUser);

  final IdentityService identities = processEngine.getIdentityService();
  final AuthorizationService authorizations = processEngine.getAuthorizationService();

  // An existing user short-circuits everything below: neither the group nor its
  // authorizations are created or repaired in that case.
  if (userAlreadyExists(identities, adminUser)) {
    return;
  }

  createUser(identities, adminUser);

  // create group
  final boolean adminGroupMissing = identities.createGroupQuery().groupId(CAMUNDA_ADMIN).count() == 0;
  if (adminGroupMissing) {
    Group adminGroup = identities.newGroup(CAMUNDA_ADMIN);
    adminGroup.setName("camunda BPM Administrators");
    adminGroup.setType(Groups.GROUP_TYPE_SYSTEM);
    identities.saveGroup(adminGroup);
  }

  // create ADMIN authorizations on all built-in resources
  // Each grant is ALL on ANY, so membership in this group is full administrative
  // access; the admin user's credentials deserve matching care.
  for (Resource resource : Resources.values()) {
    final long existingGrants = authorizations.createAuthorizationQuery()
        .groupIdIn(CAMUNDA_ADMIN)
        .resourceType(resource)
        .resourceId(ANY)
        .count();
    if (existingGrants != 0) {
      continue;
    }
    AuthorizationEntity adminGrant = new AuthorizationEntity(AUTH_TYPE_GRANT);
    adminGrant.setGroupId(CAMUNDA_ADMIN);
    adminGrant.setResource(resource);
    adminGrant.setResourceId(ANY);
    adminGrant.addPermission(ALL);
    authorizations.saveAuthorization(adminGrant);
  }

  identities.createMembership(adminUser.getId(), CAMUNDA_ADMIN);
  LOG.creatingInitialAdminUser(adminUser);
}
 
Example #17
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the default authorization for a new user: a grant of ALL permissions on
 * the USER resource whose id is the user's own id.
 *
 * @param user the newly created user
 * @return a one-element array holding that authorization
 */
public AuthorizationEntity[] newUser(User user) {
  final String ownId = user.getId();

  // The id is validated first, before it is used as both grantee and resource id.
  ensureValidIndividualResourceId("Cannot create default authorization for user " + ownId, ownId);

  // create an authorization which gives the user all permissions on himself:
  final AuthorizationEntity selfGrant = createGrantAuthorization(ownId, null, USER, ownId, ALL);
  return new AuthorizationEntity[]{ selfGrant };
}
 
Example #18
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the default authorization for a new group: the group is granted READ on
 * the GROUP resource whose id is the group's own id.
 *
 * @param group the newly created group
 * @return a one-element array holding that authorization
 */
public AuthorizationEntity[] newGroup(Group group) {
  final String ownId = group.getId();

  // The id is validated first, before it is used as both grantee and resource id.
  ensureValidIndividualResourceId("Cannot create default authorization for group " + ownId, ownId);

  // whenever a new group is created, all users part of the
  // group are granted READ permissions on the group
  final AuthorizationEntity memberReadGrant = createGrantAuthorization(null, ownId, GROUP, ownId, READ);

  return new AuthorizationEntity[]{ memberReadGrant };
}
 
Example #19
Source File: AbstractManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the given default authorizations. A null or empty array is a no-op.
 *
 * @param authorizations the authorizations to delete; may be null
 */
public void deleteDefaultAuthorizations(final AuthorizationEntity[] authorizations) {
  if (authorizations == null || authorizations.length == 0) {
    return;
  }

  // The deletes go through runWithoutAuthorization, i.e. (as the name indicates)
  // they are not subject to the current user's authorization checks.
  // NOTE(review): callers should pass only engine-generated default authorizations,
  // never caller-supplied ones - confirm at the call sites.
  Context.getCommandContext().runWithoutAuthorization(new Callable<Void>() {
    public Void call() {
      final AuthorizationManager manager = getAuthorizationManager();
      for (AuthorizationEntity entry : authorizations) {
        manager.delete(entry);
      }
      return null;
    }
  });
}
 
Example #20
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Tells whether an existing authorization is a GRANT for exactly the given user,
 * group, resource type and resource id.
 *
 * @param authEntity the authorization to compare
 * @param userId     expected user id
 * @param groupId    expected group id
 * @param resource   expected resource; its {@code resourceType()} is compared
 * @param resourceId expected resource id
 * @return true only when all five criteria match
 */
protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, String userId, String groupId,
                                                   Resource resource, String resourceId) {
  // All criteria are evaluated up front, in this order, before being combined.
  final boolean userMatches = areIdsEqual(authEntity.getUserId(), userId);
  final boolean groupMatches = areIdsEqual(authEntity.getGroupId(), groupId);
  final boolean resourceIdMatches = areIdsEqual(authEntity.getResourceId(), resourceId);
  final boolean resourceTypeMatches = authEntity.getResourceType() == resource.resourceType();
  // REVOKE or other non-GRANT entries never count as "same rights".
  final boolean isGrant = authEntity.getAuthorizationType() == AUTH_TYPE_GRANT;

  return userMatches && groupMatches && resourceTypeMatches && resourceIdMatches && isGrant;
}
 
Example #21
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Scans the cached authorization entities for one with the same rights (as decided
 * by {@code hasEntitySameAuthorizationRights}). On the first match, the given
 * authorization's permissions are set from the cached entity and the cached entity
 * is removed from the cache; later matches are not considered.
 *
 * @param authorization the authorization to update in place
 * @param userId        user id to match
 * @param groupId       group id to match
 * @param resource      resource to match
 * @param resourceId    resource id to match
 */
protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, String userId, String groupId,
                                                      Resource resource, String resourceId) {
  final DbEntityManager entityManager = Context.getCommandContext().getDbEntityManager();
  final List<AuthorizationEntity> cached = entityManager.getCachedEntitiesByType(AuthorizationEntity.class);

  for (AuthorizationEntity candidate : cached) {
    if (!hasEntitySameAuthorizationRights(candidate, userId, groupId, resource, resourceId)) {
      continue;
    }
    // NOTE(review): setPermissions is given the cached value as-is, so permissions
    // already present on `authorization` appear to be overwritten - confirm intent.
    authorization.setPermissions(candidate.getPermissions());
    entityManager.getDbEntityCache().remove(candidate);
    return;
  }
}
 
Example #22
Source File: SaveAuthorizationCmd.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Creates the command for the given authorization and validates it immediately.
 *
 * @param authorization the authorization to save; must be an
 *                      {@code AuthorizationEntity}, otherwise the cast below
 *                      throws {@code ClassCastException}
 */
public SaveAuthorizationCmd(Authorization authorization) {
  final AuthorizationEntity entity = (AuthorizationEntity) authorization;
  this.authorization = entity;
  // Validation runs in the constructor, before the command can be executed.
  validate();
}
 
Example #23
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: ignores both arguments and returns null.
 * NOTE(review): null presumably means "no default authorizations" - confirm
 * against the callers of this provider.
 */
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group) {
  return null;
}
 
Example #24
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: ignores the user and returns null.
 * NOTE(review): null presumably means "no default authorizations" - confirm
 * against the callers of this provider.
 */
public AuthorizationEntity[] newUser(User user) {
  return null;
}
 
Example #25
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: records the group id and link type in the ADD_GROUP_IDENTITY_LINK_* fields
 * and returns null. The task argument is not used.
 */
public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, String groupId, String type) {
  // Capture the arguments so they can be inspected after the call.
  ADD_GROUP_IDENTITY_LINK_GROUP = groupId;
  ADD_GROUP_IDENTITY_LINK_TYPE = type;
  return null;
}
 
Example #26
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: ignores the task and returns null.
 * NOTE(review): null presumably means "no default authorizations" - confirm
 * against the callers of this provider.
 */
public AuthorizationEntity[] newTask(Task task) {
  return null;
}
 
Example #27
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: records the old and new assignee in OLD_ASSIGNEE / NEW_ASSIGNEE and
 * returns null. The task argument is not used.
 */
public AuthorizationEntity[] newTaskAssignee(Task task, String oldAssignee, String newAssignee) {
  // Capture the arguments so they can be inspected after the call.
  NEW_ASSIGNEE = newAssignee;
  OLD_ASSIGNEE = oldAssignee;
  return null;
}
 
Example #28
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: records the old and new owner in OLD_OWNER / NEW_OWNER and returns null.
 * The task argument is not used.
 */
public AuthorizationEntity[] newTaskOwner(Task task, String oldOwner, String newOwner) {
  // Capture the arguments so they can be inspected after the call.
  NEW_OWNER = newOwner;
  OLD_OWNER = oldOwner;
  return null;
}
 
Example #29
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: records the user id and link type in the ADD_USER_IDENTITY_LINK_* fields
 * and returns null. The task argument is not used.
 */
public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String userId, String type) {
  // Capture the arguments so they can be inspected after the call.
  ADD_USER_IDENTITY_LINK_USER = userId;
  ADD_USER_IDENTITY_LINK_TYPE = type;
  return null;
}
 
Example #30
Source File: MyResourceAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 4 votes vote down vote up
/**
 * Stub: records the group id and link type in the DELETE_GROUP_IDENTITY_LINK_*
 * fields and returns null. The task argument is not used.
 */
public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task, String groupId, String type) {
  // Capture the arguments so they can be inspected after the call.
  DELETE_GROUP_IDENTITY_LINK_GROUP = groupId;
  DELETE_GROUP_IDENTITY_LINK_TYPE = type;
  return null;
}