public void configureExecutionQuery(AbstractQuery query) { configureQuery(query); addPermissionCheck(query, PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ); addPermissionCheck(query, PROCESS_DEFINITION, "P.KEY_", READ_INSTANCE); }
public boolean isAuthorized(String userId, List<String> groupIds, List<PermissionCheck> permissionChecks) { if(!isAuthorizationEnabled()) { return true; } for (PermissionCheck permissionCheck : permissionChecks) { if (!isResourceValidForPermission(permissionCheck)) { throw LOG.invalidResourceForPermission(permissionCheck.getResource().resourceName(), permissionCheck.getPermission().getName()); } } List<String> filteredGroupIds = filterAuthenticatedGroupIds(groupIds); boolean isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds); AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, permissionChecks, isRevokeAuthorizationCheckEnabled); return getDbEntityManager().selectBoolean("isUserAuthorizedForResource", authCheck); }
public boolean isAuthorized(Permission permission, Resource resource, String resourceId) { // this will be called by LdapIdentityProviderSession#isAuthorized() for executing LdapQueries. // to be backward compatible a check whether authorization has been enabled inside the given // command context will not be done. final Authentication currentAuthentication = getCurrentAuthentication(); if(isAuthorizationEnabled() && currentAuthentication != null && currentAuthentication.getUserId() != null) { return isAuthorized(currentAuthentication.getUserId(), currentAuthentication.getGroupIds(), permission, resource, resourceId); } else { return true; } }
@Override public void insert(DbEntity authorization) { checkAuthorization(CREATE, AUTHORIZATION, null); getDbEntityManager().insert(authorization); }
public boolean isAuthorized(CompositePermissionCheck compositePermissionCheck) { Authentication currentAuthentication = getCurrentAuthentication(); if (currentAuthentication != null) { return isAuthorized(currentAuthentication.getUserId(), currentAuthentication.getGroupIds(), compositePermissionCheck); } else { return true; } }
@Override public void checkAuthorization(Permission permission, Resource resource, String resourceId) { if(isAuthCheckExecuted()) { Authentication currentAuthentication = getCurrentAuthentication(); boolean isAuthorized = isAuthorized(currentAuthentication.getUserId(), currentAuthentication.getGroupIds(), permission, resource, resourceId); if (!isAuthorized) { throw new AuthorizationException( currentAuthentication.getUserId(), permission.getName(), resource.resourceName(), resourceId); } } }
public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); DbEntityManager dbEntityManager = spyOnSession(commandContext, DbEntityManager.class); authorizationService.isUserAuthorized(testUserId, testGroupIds, Permissions.READ, Resources.TASK); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); ArgumentCaptor<AuthorizationCheck> authorizationCheckArgument = ArgumentCaptor.forClass(AuthorizationCheck.class); verify(dbEntityManager).selectBoolean(eq("isUserAuthorizedForResource"), authorizationCheckArgument.capture()); AuthorizationCheck authorizationCheck = authorizationCheckArgument.getValue(); assertThat(authorizationCheck.getAuthGroupIds(), containsInAnyOrder(testGroupIds.toArray())); return null; } });
public Set<String> execute(CommandContext commandContext) { commandContext.getAuthorizationManager().checkCamundaAdmin(); Set<String> registeredDeployments = Context.getProcessEngineConfiguration().getRegisteredDeployments(); return new HashSet<String>(registeredDeployments); } });
@Override public void checkCreateProcessInstance(ProcessDefinition processDefinition) { // necessary permissions: // - CREATE on PROCESS_INSTANCE // AND // - CREATE_INSTANCE on PROCESS_DEFINITION getAuthorizationManager().checkAuthorization(CREATE, PROCESS_INSTANCE); getAuthorizationManager().checkAuthorization(CREATE_INSTANCE, PROCESS_DEFINITION, processDefinition.getKey()); }
public boolean isAuthorized(String userId, List<String> groupIds, Permission permission, Resource resource, String resourceId) { PermissionCheck permCheck = newPermissionCheck(); permCheck.setPermission(permission); permCheck.setResource(resource); permCheck.setResourceId(resourceId); ArrayList<PermissionCheck> permissionChecks = new ArrayList<PermissionCheck>(); permissionChecks.add(permCheck); return isAuthorized(userId, groupIds, permissionChecks); }
public void enableQueryAuthCheck(AuthorizationCheck authCheck) { List<String> authGroupIds = authCheck.getAuthGroupIds(); String authUserId = authCheck.getAuthUserId(); authCheck.setAuthorizationCheckEnabled(true); authCheck.setAuthGroupIds(filterAuthenticatedGroupIds(authGroupIds)); authCheck.setRevokeAuthorizationCheckEnabled(isRevokeAuthCheckEnabled(authUserId, authGroupIds)); }
protected boolean isRevokeAuthCheckEnabled(String userId, List<String> groupIds) { Boolean isRevokeAuthCheckEnabled = this.isRevokeAuthCheckUsed; if(isRevokeAuthCheckEnabled == null) { String configuredMode = Context.getProcessEngineConfiguration().getAuthorizationCheckRevokes(); if(configuredMode != null) { configuredMode = configuredMode.toLowerCase(); } if(ProcessEngineConfiguration.AUTHORIZATION_CHECK_REVOKE_ALWAYS.equals(configuredMode)) { isRevokeAuthCheckEnabled = true; } else if(ProcessEngineConfiguration.AUTHORIZATION_CHECK_REVOKE_NEVER.equals(configuredMode)) { isRevokeAuthCheckEnabled = false; } else { final Map<String, Object> params = new HashMap<String, Object>(); params.put("userId", userId); params.put("authGroupIds", filterAuthenticatedGroupIds(groupIds)); isRevokeAuthCheckEnabled = getDbEntityManager().selectBoolean("selectRevokeAuthorization", params); } this.isRevokeAuthCheckUsed = isRevokeAuthCheckEnabled; } return isRevokeAuthCheckEnabled; }
@Override protected void configureQuery(@SuppressWarnings("rawtypes") AbstractQuery query, Resource resource) { Context.getCommandContext() .getAuthorizationManager() .configureQuery(query, resource); }
public Boolean execute(CommandContext commandContext) { final AuthorizationManager authorizationManager = commandContext.getAuthorizationManager(); return authorizationManager.isAuthorized(userId, groupIds, permission, resource, resourceId); }
@Override public void delete(DbEntity authorization) { checkAuthorization(DELETE, AUTHORIZATION, authorization.getId()); deleteAuthorizationsByResourceId(AUTHORIZATION, authorization.getId()); super.delete(authorization); }
@Before public void setup() { mockedCmdContext = mock(CommandContext.class); mockedConfiguration = mock(ProcessEngineConfigurationImpl.class); authorizationManager = spy(new AuthorizationManager()); mockedEntityManager = mock(DbEntityManager.class); when(mockedCmdContext.getSession(eq(DbEntityManager.class))).thenReturn(mockedEntityManager); when(authorizationManager.filterAuthenticatedGroupIds(eq(AUTHENTICATED_GROUPS))).thenReturn(AUTHENTICATED_GROUPS); when(mockedCmdContext.getAuthentication()).thenReturn(new Authentication(AUTHENTICATED_USER_ID, AUTHENTICATED_GROUPS)); when(mockedCmdContext.isAuthorizationCheckEnabled()).thenReturn(true); when(mockedConfiguration.isAuthorizationEnabled()).thenReturn(true); Context.setCommandContext(mockedCmdContext); Context.setProcessEngineConfiguration(mockedConfiguration); }
protected void configureQuery(ActivityStatisticsQueryImpl query) { checkReadProcessDefinition(query); getAuthorizationManager().configureActivityStatisticsQuery(query); getTenantManager().configureQuery(query); }
protected void configureQuery(BatchStatisticsQueryImpl batchQuery) { getAuthorizationManager().configureBatchStatisticsQuery(batchQuery); getTenantManager().configureQuery(batchQuery); }
protected void configureQuery(BatchQueryImpl batchQuery) { getAuthorizationManager().configureBatchQuery(batchQuery); getTenantManager().configureQuery(batchQuery); }
protected void configurParameterObject(ListQueryParameterObject parameter) { getAuthorizationManager().configureConditionalEventSubscriptionQuery(parameter); getTenantManager().configureQuery(parameter); }