org.camunda.bpm.engine.authorization.Resource Java Examples

The following examples show how to use org.camunda.bpm.engine.authorization.Resource.
Example #1
Source File: AuthorizationRestServiceInteractionTest.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * With no current authentication, the authorization-check endpoint must
 * answer 401 and must not consult the authorization service at all.
 */
@Test
@SuppressWarnings("unchecked")
public void testIsUserAuthorizedNoAuthentication() {
  // The identity service reports that nobody is logged in.
  when(identityServiceMock.getCurrentAuthentication()).thenReturn(null);

  // Stub a "not authorized" answer anyway; the verifications at the end
  // assert that the request never reaches this stub.
  List<String> noGroups = new ArrayList<String>();
  ResourceUtil checkedResource = new ResourceUtil(MockProvider.EXAMPLE_RESOURCE_TYPE_NAME, MockProvider.EXAMPLE_RESOURCE_TYPE_ID);
  Permission checkedPermission = getPermissionProvider().getPermissionForName(MockProvider.EXAMPLE_PERMISSION_NAME, MockProvider.EXAMPLE_RESOURCE_TYPE_ID);
  when(authorizationServiceMock.isUserAuthorized(MockProvider.EXAMPLE_USER_ID, noGroups, checkedPermission, checkedResource)).thenReturn(false);

  int unauthorized = Status.UNAUTHORIZED.getStatusCode();
  given()
      .queryParam("permissionName", MockProvider.EXAMPLE_PERMISSION_NAME)
      .queryParam("resourceName", MockProvider.EXAMPLE_RESOURCE_TYPE_NAME)
      .queryParam("resourceType", MockProvider.EXAMPLE_RESOURCE_TYPE_ID)
  .then().expect().statusCode(unauthorized)
  .when().get(AUTH_CHECK_PATH);

  // The authentication lookup happens exactly once ...
  verify(identityServiceMock, times(1)).getCurrentAuthentication();
  // ... and neither isUserAuthorized overload is invoked for an anonymous caller.
  verify(authorizationServiceMock, never()).isUserAuthorized(any(String.class), any(List.class), any(Permission.class), any(Resource.class));
  verify(authorizationServiceMock, never()).isUserAuthorized(any(String.class), any(List.class), any(Permission.class), any(Resource.class), any(String.class));
}
 
Example #2
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Two global authorizations for the same resource and resource id must not
 * both be persistable: the first save succeeds, the second has to throw.
 */
public void testGlobalUniqueConstraints() {
  Resource sharedResource = TestResource.RESOURCE1;

  Authorization first = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  Authorization duplicate = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);

  first.setResource(sharedResource);
  first.setResourceId("someId");

  duplicate.setResource(sharedResource);
  duplicate.setResourceId("someId");

  // Saving the first authorization is expected to succeed.
  authorizationService.saveAuthorization(first);

  // Saving the duplicate must be rejected. Any Exception counts as a
  // rejection here; the test does not pin the exception type.
  boolean rejected = false;
  try {
    authorizationService.saveAuthorization(duplicate);
  } catch (Exception expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("exception expected");
  }
}
 
Example #3
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Returns a grant authorization on {@code resource} for the given task,
 * extending an existing one with {@code permissions} or creating a new one.
 *
 * @param task        task whose id is used for the lookup and the new authorization
 * @param userId      user the authorization applies to (passed through as given)
 * @param groupId     group the authorization applies to (passed through as given)
 * @param resource    resource type the authorization refers to
 * @param isHistoric  when {@code true}, a newly created authorization is handed to
 *                    {@code provideRemovalTime}; an existing one is not touched
 * @param permissions permissions to add
 * @return the existing authorization with the permissions added, or the new one
 */
protected AuthorizationEntity createOrUpdateAuthorization(Task task, String userId,
                                                          String groupId, Resource resource,
                                                          boolean isHistoric,
                                                          Permission... permissions) {
  final String taskId = task.getId();

  AuthorizationEntity existing = getGrantAuthorization(taskId, userId, groupId, resource);
  if (existing != null) {
    // Update path: only the permission set changes.
    addPermissions(existing, permissions);
    return existing;
  }

  // Create path: removal time is provided for historic authorizations only.
  AuthorizationEntity created = createAuthorization(userId, groupId, resource, taskId, permissions);
  if (isHistoric) {
    provideRemovalTime(created, task);
  }
  return created;
}
 
Example #4
Source File: AbstractAuthorizedRestResource.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Checks whether the current authentication holds {@code permission} on the
 * given resource instance.
 *
 * <p>The check fails open in two situations, both returning {@code true}:
 * authorization is disabled in the engine configuration, or no authentication
 * is bound to the identity service. NOTE(review): an unauthenticated caller is
 * therefore treated as authorized; this method is only a meaningful gate when
 * something upstream guarantees an authentication is set - confirm for each
 * deployment.
 *
 * @param permission permission to check
 * @param resource   resource type to check against
 * @param resourceId id of the concrete resource
 * @return {@code true} if the checks are skipped or the authorization service grants access
 */
protected boolean isAuthorized(Permission permission, Resource resource, String resourceId) {
  boolean checksEnabled = processEngine.getProcessEngineConfiguration().isAuthorizationEnabled();
  if (!checksEnabled) {
    // Authorization switched off: every caller passes.
    return true;
  }

  final IdentityService identities = processEngine.getIdentityService();
  final AuthorizationService authorizations = processEngine.getAuthorizationService();

  final Authentication current = identities.getCurrentAuthentication();
  // No authentication -> true (fail-open); otherwise delegate to the service.
  return current == null
      || authorizations.isUserAuthorized(current.getUserId(), current.getGroupIds(), permission, resource, resourceId);
}
 
Example #5
Source File: MissingAuthorizationMatcher.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Converts an {@link Authorization} into the {@link MissingAuthorization}
 * a test expects to see reported.
 *
 * <p>The permission name is taken from the first permission whose value
 * differs from {@code Permissions.NONE}; it stays {@code null} if there is none.
 *
 * @param authorization authorization to describe
 * @return a MissingAuthorization with permission name, resource name and resource id
 */
protected static MissingAuthorization asMissingAuthorization(Authorization authorization) {
  String firstPermissionName = null;
  for (Permission candidate : AuthorizationTestUtil.getPermissions(authorization)) {
    if (candidate.getValue() != Permissions.NONE.getValue()) {
      firstPermissionName = candidate.getName();
      break;
    }
  }

  String id = authorization.getResourceId();

  // NOTE(review): a resource type the lookup does not know would make the
  // next dereference fail, if the helper can return null - confirm.
  Resource matched = AuthorizationTestUtil.getResourceByType(authorization.getResourceType());
  return new MissingAuthorization(firstPermissionName, matched.resourceName(), id);
}
 
Example #6
Source File: DefaultAuthorizationProvider.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Builds (but does not persist) a grant authorization for a user and/or group
 * on one resource instance.
 *
 * @param userId      user to grant to; validated only when non-null
 * @param groupId     group to grant to; validated only when non-null
 * @param resource    resource type
 * @param resourceId  id of the resource instance
 * @param permissions permissions to add to the new authorization
 * @return the populated {@code AUTH_TYPE_GRANT} authorization
 */
protected AuthorizationEntity createGrantAuthorization(String userId, String groupId,
                                                       Resource resource, String resourceId,
                                                       Permission... permissions) {
  // Default authorizations are assumed never to target "*"; each identity
  // that is present is run through ensureValidIndividualResourceId first.
  // NOTE(review): resourceId itself is not validated here.
  if (userId != null) {
    ensureValidIndividualResourceId("Cannot create authorization for user " + userId, userId);
  }
  if (groupId != null) {
    ensureValidIndividualResourceId("Cannot create authorization for group " + groupId, groupId);
  }

  AuthorizationEntity grant = new AuthorizationEntity(AUTH_TYPE_GRANT);
  grant.setResource(resource);
  grant.setResourceId(resourceId);
  grant.setUserId(userId);
  grant.setGroupId(groupId);
  addPermissions(grant, permissions);

  return grant;
}
 
Example #7
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
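/**
 * A global authorization granting ALL on resource1 for any resource id must
 * authorize every user, with or without groups, for any permission and any
 * concrete resource id.
 *
 * <p>The test switches authorization checks on for the assertions and puts the
 * previous setting back afterwards, also when an assertion fails, so the
 * enabled flag does not leak out of this test.
 */
public void testGlobalGrantAuthorizationCheck() {
  Resource resource1 = TestResource.RESOURCE1;

  // create global authorization which grants all permissions to all users (on resource1):
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(resource1);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(TestPermissions.ALL);
  authorizationService.saveAuthorization(globalAuth);

  List<String> jonnysGroups = Arrays.asList("sales", "marketing");
  List<String> someOneElsesGroups = Arrays.asList("marketing");

  // Remember the configured state; the original ended with a second
  // setAuthorizationEnabled(true), which restored nothing.
  boolean authorizationWasEnabled = processEngineConfiguration.isAuthorizationEnabled();

  // this authorizes any user to do anything in this resource:
  processEngineConfiguration.setAuthorizationEnabled(true);
  try {
    assertTrue(authorizationService.isUserAuthorized("jonny", null, TestPermissions.ALL, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, TestPermissions.ALL, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone", null, TestPermissions.ACCESS, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone", someOneElsesGroups, TestPermissions.ACCESS, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, TestPermissions.DELETE, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", null, TestPermissions.ALL, resource1, "someId"));
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, TestPermissions.ALL, resource1, "someId"));
    assertTrue(authorizationService.isUserAuthorized("someone", null, TestPermissions.ACCESS, resource1, "someId"));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, TestPermissions.DELETE, resource1, "someOtherId"));
  } finally {
    processEngineConfiguration.setAuthorizationEnabled(authorizationWasEnabled);
  }
}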
 
Example #8
Source File: PermissionsTest.java    From camunda-bpm-platform with Apache License 2.0 6 votes vote down vote up
/**
 * For every legacy {@code Permissions} constant and each resource it applies to,
 * the resource-specific permission enum (if one other than {@code Permissions}
 * is registered) must contain a constant with the same name and the same value.
 */
@Test
public void testNewPermissionsIntegrityToOld() {
  for (Permissions legacy : Permissions.values()) {
    String legacyName = legacy.getName();

    for (Resource resource : legacy.getTypes()) {
      Class<? extends Enum<?>> resourceEnum = ResourceTypeUtil.getPermissionEnums().get(resource.resourceType());

      // Nothing to compare when no dedicated enum is registered for the resource.
      if (resourceEnum == null || resourceEnum.equals(Permissions.class)) {
        continue;
      }

      // Find the constant whose toString() equals the legacy permission name.
      Permission match = null;
      for (Enum<?> constant : resourceEnum.getEnumConstants()) {
        if (constant.toString().equals(legacyName)) {
          match = (Permission) constant;
          break;
        }
      }

      assertThat(match)
        .overridingErrorMessage("Permission %s for resource %s not found in new enum %s", legacy, resource, resourceEnum.getSimpleName())
        .isNotNull();

      // Same name must also mean the same numeric value.
      assertThat(match.getValue()).isEqualTo(legacy.getValue());
    }
  }
}
 
Example #9
Source File: MigrateProcessInstanceSyncQueryTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Persists a grant authorization giving {@code userId} the single
 * {@code permission} on the given resource instance, and records it in
 * {@code authorizations}.
 */
protected void grantAuthorization(String userId, Resource resource, String resourceId, Permission permission) {
  Authorization grant = engineRule.getAuthorizationService().createNewAuthorization(Authorization.AUTH_TYPE_GRANT);

  grant.setUserId(userId);
  grant.setResource(resource);
  grant.setResourceId(resourceId);
  grant.addPermission(permission);

  engineRule.getAuthorizationService().saveAuthorization(grant);
  // Tracked in the authorizations collection; what consumes it is not shown here.
  authorizations.add(grant);
}
 
Example #10
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the authorizations of one group on one resource instance.
 *
 * <p>Nothing is deleted while authorization is disabled.
 * NOTE(review): {@code groupId} is passed on unvalidated; confirm how the
 * mapped statement treats a {@code null} group so the delete cannot end up
 * broader than intended.
 *
 * @param resource   resource type of the authorizations
 * @param resourceId resource id; must not be {@code null}
 * @param groupId    group whose authorizations are removed
 * @throws IllegalArgumentException if {@code resourceId} is {@code null}
 */
public void deleteAuthorizationsByResourceIdAndGroupId(Resource resource, String resourceId, String groupId) {
  if (resourceId == null) {
    throw new IllegalArgumentException("Resource id cannot be null");
  }
  if (!isAuthorizationEnabled()) {
    return;
  }

  Map<String, Object> filter = new HashMap<String, Object>();
  filter.put("resourceType", resource.resourceType());
  filter.put("resourceId", resourceId);
  filter.put("groupId", groupId);
  getDbEntityManager().delete(AuthorizationEntity.class, "deleteAuthorizationsForResourceId", filter);
}
 
Example #11
Source File: AuthorizationTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an unsaved authorization of the given type for {@code resource}.
 * The resource id is set only when one is supplied.
 */
protected Authorization createAuthorization(int type, Resource resource, String resourceId) {
  Authorization created = authorizationService.createNewAuthorization(type);
  created.setResource(resource);

  // A null id leaves the new authorization's resource id as the service created it.
  boolean hasResourceId = resourceId != null;
  if (hasResourceId) {
    created.setResourceId(resourceId);
  }

  return created;
}
 
Example #12
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the authorizations attached to one resource instance.
 *
 * <p>Nothing is deleted while authorization is disabled.
 *
 * @param resource   resource type of the authorizations
 * @param resourceId resource id; must not be {@code null}
 * @throws IllegalArgumentException if {@code resourceId} is {@code null}
 */
public void deleteAuthorizationsByResourceId(Resource resource, String resourceId) {
  if (resourceId == null) {
    throw new IllegalArgumentException("Resource id cannot be null");
  }
  if (!isAuthorizationEnabled()) {
    return;
  }

  Map<String, Object> filter = new HashMap<String, Object>();
  filter.put("resourceType", resource.resourceType());
  filter.put("resourceId", resourceId);
  getDbEntityManager().delete(AuthorizationEntity.class, "deleteAuthorizationsForResourceId", filter);
}
 
Example #13
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the authorizations of one user on one resource instance.
 *
 * <p>Nothing is deleted while authorization is disabled.
 * NOTE(review): {@code userId} is passed on unvalidated; confirm how the
 * mapped statement treats a {@code null} user so the delete cannot end up
 * broader than intended.
 *
 * @param resource   resource type of the authorizations
 * @param resourceId resource id; must not be {@code null}
 * @param userId     user whose authorizations are removed
 * @throws IllegalArgumentException if {@code resourceId} is {@code null}
 */
public void deleteAuthorizationsByResourceIdAndUserId(Resource resource, String resourceId, String userId) {
  if (resourceId == null) {
    throw new IllegalArgumentException("Resource id cannot be null");
  }
  if (!isAuthorizationEnabled()) {
    return;
  }

  Map<String, Object> filter = new HashMap<String, Object>();
  filter.put("resourceType", resource.resourceType());
  filter.put("resourceId", resourceId);
  filter.put("userId", userId);
  getDbEntityManager().delete(AuthorizationEntity.class, "deleteAuthorizationsForResourceId", filter);
}
 
Example #14
Source File: AuthorizationServiceTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * A user without any authorization is reported as authorized for UPDATE.
 * Going by the test name this relies on authorization being disabled in the
 * fixture; the setup is not part of this method.
 */
public void testDisabledAuthorizationCheck() {
  // No authorization has been created for "jonny" in this test.
  boolean granted = authorizationService.isUserAuthorized("jonny", null, UPDATE, TestResource.RESOURCE1);

  assertTrue(granted);
}
 
Example #15
Source File: AuthorizationUserOperationLogTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves a numeric resource type to the name of the matching
 * {@code TestResource} constant.
 *
 * @return the resource name, or {@code null} when no constant has that type
 */
@Override
public String getNameForResource(int resourceType) {
  String resolvedName = null;
  for (Resource candidate : TestResource.values()) {
    if (candidate.resourceType() == resourceType) {
      resolvedName = candidate.resourceName();
      break;
    }
  }
  return resolvedName;
}
 
Example #16
Source File: PermissionCheck.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Sets the resource of this check and, for a non-null resource, copies its
 * numeric type into {@code resourceType}.
 */
public void setResource(Resource resource) {
  this.resource = resource;

  if (resource == null) {
    // NOTE(review): resourceType keeps its previous value here, so it can
    // disagree with a resource that was just cleared - confirm that callers
    // never rely on resourceType after passing null.
    return;
  }

  resourceType = resource.resourceType();
}
 
Example #17
Source File: AuthorizationCheckCmd.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Captures the parameters of an authorization check and validates them.
 *
 * <p>{@code resourceId} is stored but is not among the arguments passed to
 * {@code validate}.
 */
public AuthorizationCheckCmd(String userId, List<String> groupIds, Permission permission, Resource resource, String resourceId) {
  // who is asking
  this.userId = userId;
  this.groupIds = groupIds;

  // what is being asked for
  this.resource = resource;
  this.resourceId = resourceId;
  this.permission = permission;

  validate(userId, groupIds, permission, resource);
}
 
Example #18
Source File: AuthorizationQueryImpl.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Adds {@code p} to the permissions this query filters by.
 *
 * <p>The permission value is OR-ed into {@code permission}, and
 * {@code resourcesIntersection} is narrowed to the resource types shared by
 * all permissions added so far.
 *
 * @param p permission to filter by
 * @return this query
 */
public AuthorizationQuery hasPermission(Permission p) {
  queryByPermission = true;

  Resource[] applicableTypes = p.getTypes();
  if (resourcesIntersection.isEmpty()) {
    // NOTE(review): "empty" is also the state after an earlier retainAll
    // removed every type, so a later permission would start a new
    // intersection instead of staying incompatible - confirm intended.
    resourcesIntersection.addAll(Arrays.asList(applicableTypes));
  } else {
    resourcesIntersection.retainAll(new HashSet<Resource>(Arrays.asList(applicableTypes)));
  }

  this.permission |= p.getValue();
  return this;
}
 
Example #19
Source File: AuthorizationQueryImpl.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Checks whether the permissions' resources
 * are compatible with the filtered resource type parameter.
 */
private boolean containsIncompatibleResourceType() {
  // Only meaningful when the query filters by both resource type and permission.
  boolean bothFiltersSet = queryByResourceType && queryByPermission;
  if (!bothFiltersSet) {
    return false;
  }

  // Incompatible when the filtered type is not among the resource types
  // collected from the permissions.
  Resource[] permissionResources = resourcesIntersection.toArray(new Resource[0]);
  boolean typeCovered = ResourceTypeUtil.resourceIsContainedInArray(resourceType, permissionResources);
  return !typeCovered;
}
 
Example #20
Source File: ResourceTypeUtil.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Iterates over the {@link Resources} and 
 * returns either the resource with specified <code>resourceType</code> or <code>null</code>.
 */
public static Resource getResourceByType(int resourceType) {
  Resource[] knownResources = Resources.values();
  for (int i = 0; i < knownResources.length; i++) {
    Resource candidate = knownResources[i];
    if (candidate.resourceType() == resourceType) {
      return candidate;
    }
  }
  // Unknown type: callers have to handle the null result.
  return null;
}
 
Example #21
Source File: ResourceTypeUtil.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * @return <code>true</code> if a resource with the provided resourceTypeId is contained in the specified array
 */
public static boolean resourceIsContainedInArray(Integer resourceTypeId, Resource[] resources) {
  boolean found = false;
  for (int i = 0; i < resources.length && !found; i++) {
    // NOTE(review): assuming resourceType() returns a primitive int, the
    // boxed resourceTypeId is unboxed for this comparison, so a null id
    // with a non-empty array would throw NullPointerException - confirm.
    found = resourceTypeId == resources[i].resourceType();
  }
  return found;
}
 
Example #22
Source File: AuthorizationSpec.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Factory for an {@code AuthorizationSpec} describing one authorization.
 *
 * @param type        authorization type
 * @param resource    resource type
 * @param resourceId  resource id
 * @param userId      user the authorization is for
 * @param permissions permissions; the varargs array is stored as passed, not copied
 * @return the populated spec
 */
public static AuthorizationSpec auth(int type, Resource resource, String resourceId, String userId, Permission... permissions) {
  AuthorizationSpec result = new AuthorizationSpec();

  result.type = type;
  result.userId = userId;
  result.resource = resource;
  result.resourceId = resourceId;
  result.permissions = permissions;

  return result;
}
 
Example #23
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Applies the base configuration to {@code query} and adds one atomic
 * permission check for {@code permission} on {@code resource}.
 *
 * <p>NOTE(review): {@code queryParam} appears to name the query column the
 * check is matched against; if it is spliced into SQL, callers must only ever
 * pass constants, never request data - confirm.
 */
public void configureQuery(AbstractQuery query, Resource resource, String queryParam, Permission permission) {
  configureQuery(query);

  PermissionCheckBuilder checkBuilder = new PermissionCheckBuilder();
  CompositePermissionCheck singleCheck = checkBuilder
      .atomicCheck(resource, queryParam, permission)
      .build();

  // Added to the query's auth check through addPermissionCheck.
  addPermissionCheck(query.getAuthCheck(), singleCheck);
}
 
Example #24
Source File: AuthorizationServiceWithEnabledAuthorizationTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * A user without any authorization is reported as not authorized for UPDATE.
 * Going by the test name this relies on authorization being enabled in the
 * fixture; the setup is not part of this method.
 */
public void testEnabledAuthorizationCheck() {
  // No authorization has been created for "jonny" in this test.
  boolean granted = authorizationService.isUserAuthorized("jonny", null, UPDATE, TestResource.RESOURCE1);

  assertFalse(granted);
}
 
Example #25
Source File: AuthorizationRestServiceInteractionTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * The authorization-check endpoint needs permissionName, resourceName and
 * resourceType together. Leaving out any one of them must yield 400, and the
 * request must be rejected before authentication or authorization is consulted.
 */
@Test
@SuppressWarnings("unchecked")
public void testIsUserAuthorizedBadRequests() {
  final int badRequest = Status.BAD_REQUEST.getStatusCode();

  // resourceType missing
  given()
      .queryParam("permissionName", MockProvider.EXAMPLE_PERMISSION_NAME)
      .queryParam("resourceName", MockProvider.EXAMPLE_RESOURCE_TYPE_NAME)
  .then().expect().statusCode(badRequest)
  .when().get(AUTH_CHECK_PATH);

  // resourceName missing
  given()
      .queryParam("permissionName", MockProvider.EXAMPLE_PERMISSION_NAME)
      .queryParam("resourceType", MockProvider.EXAMPLE_RESOURCE_TYPE_ID)
  .then().expect().statusCode(badRequest)
  .when().get(AUTH_CHECK_PATH);

  // permissionName missing
  given()
      .queryParam("resourceName", MockProvider.EXAMPLE_RESOURCE_TYPE_NAME)
      .queryParam("resourceType", MockProvider.EXAMPLE_RESOURCE_TYPE_ID)
  .then().expect().statusCode(badRequest)
  .when().get(AUTH_CHECK_PATH);

  // Parameter validation comes first: no identity lookup, no authorization call.
  verify(identityServiceMock, never()).getCurrentAuthentication();
  verify(authorizationServiceMock, never()).isUserAuthorized(any(String.class), any(List.class), any(Permission.class), any(Resource.class));
  verify(authorizationServiceMock, never()).isUserAuthorized(any(String.class), any(List.class), any(Permission.class), any(Resource.class), any(String.class));
}
 
Example #26
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Configures {@code query} with a composite check built with
 * {@code conjunctive()} from two atomic checks on {@code RES.KEY_}: READ and
 * READ_HISTORY on {@code resource}.
 *
 * <p>The composite is installed with {@code setPermissionChecks}, i.e. it
 * replaces whatever permission checks the query's auth check held before.
 */
public void configureQueryHistoricFinishedInstanceReport(ListQueryParameterObject query, Resource resource) {
  configureQuery(query);

  PermissionCheckBuilder checkBuilder = new PermissionCheckBuilder();
  CompositePermissionCheck readAndReadHistory = checkBuilder
    .conjunctive()
      .atomicCheck(resource, "RES.KEY_", READ)
      .atomicCheck(resource, "RES.KEY_", READ_HISTORY)
    .build();

  query.getAuthCheck().setPermissionChecks(readAndReadHistory);
}
 
Example #27
Source File: AuthorizationQueryTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates and saves a grant authorization for the given user/group on one
 * resource instance with all of the supplied permissions.
 */
protected void createAuthorization(String userId, String groupId, Resource resourceType, String resourceId, Permission... permissions) {
  Authorization grant = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);

  // subject
  grant.setUserId(userId);
  grant.setGroupId(groupId);

  // object
  grant.setResource(resourceType);
  grant.setResourceId(resourceId);

  // permissions are added one by one, in the order given
  for (int i = 0; i < permissions.length; i++) {
    grant.addPermission(permissions[i]);
  }

  authorizationService.saveAuthorization(grant);
}
 
Example #28
Source File: AuthorizationManager.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Checks {@code permission} on the given resource instance for the current
 * authentication.
 *
 * <p>Fails open: returns {@code true} without any check when authorization is
 * disabled, when there is no current authentication, or when the
 * authentication carries no user id. NOTE(review): callers that use this as
 * an access gate depend on an authentication being set beforehand - confirm.
 *
 * @return {@code true} if the check is skipped or the delegate grants access
 */
public boolean isAuthorized(Permission permission, Resource resource, String resourceId) {
  // Called by LdapIdentityProviderSession#isAuthorized() when executing LDAP
  // queries. For backward compatibility there is deliberately no check of
  // whether authorization is enabled inside the given command context.
  final Authentication caller = getCurrentAuthentication();

  if (!isAuthorizationEnabled() || caller == null || caller.getUserId() == null) {
    return true;
  }

  return isAuthorized(caller.getUserId(), caller.getGroupIds(), permission, resource, resourceId);
}
 
Example #29
Source File: AuthorizationServiceWithEnabledAuthorizationTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * A user-specific REVOKE of READ must override a global grant of ALL for that
 * user only: "jonny" loses READ (and so ALL) but keeps DELETE, while other
 * users keep everything.
 */
public void testUserOverrideGlobalGrantAuthorizationCheck() {
  Resource target = TestResource.RESOURCE1;

  // Global authorization: ALL permissions for every user on any id of the resource.
  Authorization grantAllToEveryone = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  grantAllToEveryone.setResource(target);
  grantAllToEveryone.setResourceId(ANY);
  grantAllToEveryone.addPermission(ALL);
  authorizationService.saveAuthorization(grantAllToEveryone);

  // User-level revoke: take READ away from jonny.
  Authorization revokeReadFromJonny = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  revokeReadFromJonny.setUserId("jonny");
  revokeReadFromJonny.setResource(target);
  revokeReadFromJonny.setResourceId(ANY);
  revokeReadFromJonny.removePermission(READ);
  authorizationService.saveAuthorization(revokeReadFromJonny);

  List<String> jonnysGroups = Arrays.asList("sales", "marketing");
  List<String> otherUsersGroups = Collections.singletonList("marketing");

  // ALL is no longer satisfied for jonny ...
  assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, target));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, target));
  // ... and READ itself is denied, with or without his groups.
  assertFalse(authorizationService.isUserAuthorized("jonny", null, READ, target));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, target));

  // Another user is unaffected by jonny's revoke.
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, target));
  assertTrue(authorizationService.isUserAuthorized("someone else", otherUsersGroups, READ, target));
  // NOTE(review): the next two assertions repeat the previous two verbatim;
  // possibly a different permission or a resource id was intended.
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, target));
  assertTrue(authorizationService.isUserAuthorized("someone else", otherUsersGroups, READ, target));

  // The revoke covers READ only: jonny keeps DELETE.
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, target));
  assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, target));
}
 
Example #30
Source File: ResourceAuthorizationProviderTest.java    From camunda-bpm-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an unsaved authorization of the given type for {@code resource}.
 * The resource id is set only when one is supplied.
 */
protected Authorization createAuthorization(int type, Resource resource, String resourceId) {
  Authorization created = authorizationService.createNewAuthorization(type);
  created.setResource(resource);

  // A null id leaves the new authorization's resource id as the service created it.
  boolean hasResourceId = resourceId != null;
  if (hasResourceId) {
    created.setResourceId(resourceId);
  }

  return created;
}