Use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.
Class ParticipantsAccessPolicy, method whenInitiatorNotSetOrAsIdentity.
@SuppressWarnings("unchecked")
protected boolean whenInitiatorNotSetOrAsIdentity(IdentityProvider identityProvider, ProcessInstance<T> instance) {
    // Decides whether the caller may access the given process instance:
    //   1. administrators always may;
    //   2. an instance with no recorded initiator is open to any caller that reaches this policy;
    //   3. the initiator itself may;
    //   4. otherwise the caller must be assigned (as user or group) to an active human task of the
    //      instance, or pass the same check on one of its sub process instances.
    if (identityProvider.isAdmin()) {
        return true;
    }
    WorkflowProcessInstance workflowInstance = (WorkflowProcessInstance) ((AbstractProcessInstance<?>) instance).processInstance();
    String initiator = workflowInstance.getInitiator();
    // SECURITY: no initiator recorded means "not restricted" — anyone passing the outer
    // authentication can read this instance. Make sure initiators are set where that matters.
    if (initiator == null || initiator.isEmpty()) {
        return true;
    }
    if (initiator.equals(identityProvider.getName())) {
        return true;
    }
    // Active human tasks decide eligibility through the work item's own security policy
    // (user or group assignment). The `true` argument to getNodeInstances presumably asks
    // for nested node instances as well — confirm against WorkflowProcessInstanceImpl.
    boolean assignedToTask = ((WorkflowProcessInstanceImpl) workflowInstance).getNodeInstances(true).stream()
            .filter(HumanTaskNodeInstance.class::isInstance)
            .map(HumanTaskNodeInstance.class::cast)
            .anyMatch(taskNode -> {
                HumanTaskWorkItem workItem = (HumanTaskWorkItem) taskNode.getWorkItem();
                return workItem.enforce(SecurityPolicy.of(identityProvider));
            });
    if (assignedToTask) {
        return true;
    }
    // Recurse into sub process instances; being eligible for any of them grants access to the parent.
    return instance.subprocesses().stream()
            .anyMatch(subInstance -> whenInitiatorNotSetOrAsIdentity(identityProvider, (ProcessInstance<T>) subInstance));
}
Use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.
Class ProcessEventsEndpoint, method onOpen.
@OnOpen
public void onOpen(Session session) {
    // Registers a newly opened WebSocket session with the event publisher and stores the
    // caller's identity and optional event filter in the session's user properties
    // (keys "atk_identity" and "atk_filter") for later use.
    Map<String, List<String>> query = session.getRequestParameterMap();
    List<String> absent = Collections.singletonList(null);
    String user = query.getOrDefault("user", absent).get(0);
    String filter = query.getOrDefault("filter", absent).get(0);
    // SECURITY: "user" and "groups" are read straight from the connection's query string.
    // Whether buildIdentityProvider trusts them or only uses them as a fallback behind an
    // authenticated principal is not visible here — confirm they cannot be used to impersonate
    // another user and thereby receive that user's events.
    IdentityProvider identity = identitySupplier.buildIdentityProvider(user, query.get("groups"));
    Map<String, Object> sessionProps = session.getUserProperties();
    sessionProps.put("atk_identity", identity);
    sessionProps.put("atk_filter", filter);
    publisher.add(session.getId(), session);
}
Use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.
Class SecurityAwareBroadcastProcessor, method onNext.
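public void onNext(T item, Collection<String> visibleTo) {
    // Delivers item to every subscriber whose identity is in the audience.
    // visibleTo holds user names and/or role names; a subscriber is allowed when its
    // name is listed or it holds at least one of the listed roles.
    ParameterValidation.nonNullNpe(item, "item");
    // visibleTo was dereferenced unchecked; validate it the same way as item so a null
    // audience fails fast with a descriptive message instead of a bare NPE.
    ParameterValidation.nonNullNpe(visibleTo, "visibleTo");
    // SECURITY: an empty audience means "every subscriber" — this is fail-open by design.
    // Callers must pass an explicit audience for anything that should be restricted.
    boolean broadcastToAll = visibleTo.isEmpty();
    for (BroadcastSubscription<T> subscription : subscribers.get()) {
        // NOTE(review): assumes every subscription carries a non-null identity — confirm.
        IdentityProvider identity = subscription.identityProvider();
        boolean allowed = broadcastToAll
                || visibleTo.contains(identity.getName())
                || visibleTo.stream().anyMatch(identity.getRoles()::contains);
        if (allowed) {
            subscription.onNext(item);
        }
    }
}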
Use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.
Class $Type$Resource (generated), method updateModel_$name$.
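@APIResponses(value = { @APIResponse(responseCode = "500", description = "In case of processing errors", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "404", description = "In case of instance with given id was not found", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "200", description = "Successfully updated instance", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))) })
@Operation(summary = "Updates data of $name$ instance with given id")
@POST()
@Path("$prefix$/$name$/{id_$name$}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response updateModel_$name$(@Context HttpHeaders httpHeaders, @PathParam("id") String id, @PathParam("id_$name$") String id_$name$, @Parameter(description = "User identifier as alternative autroization info", required = false, hidden = true) @QueryParam("user") final String user, @Parameter(description = "Groups as alternative autroization info", required = false, hidden = true) @QueryParam("group") final List<String> groups, @Parameter(description = "Indicates if instance metadata should be included", required = false) @QueryParam("metadata") @DefaultValue("false") final boolean metadata, $Type$ resource) {
    // Code-generation template: $Type$, $name$, $prefix$ and $parentprocessid$ are expanded by the generator.
    // Replaces the variables of the $name$ sub process instance addressed by the parent id and id_$name$.
    // Returns 200 with the updated model, or 202 when the X-ATK-Mode header is "async", in which case
    // the result is delivered later by POSTing it to the caller-supplied X-ATK-Callback URL.
    String execMode = httpHeaders.getHeaderString("X-ATK-Mode");
    if ("async".equalsIgnoreCase(execMode)) {
        // SECURITY: callbackUrl is taken verbatim from a request header and the server POSTs instance
        // data to it. No allow-list, scheme or network check is visible in this method, so SSRF and
        // data exfiltration must be prevented inside HttpCallbacks/httpAuth — confirm before relying on it.
        String callbackUrl = httpHeaders.getHeaderString("X-ATK-Callback");
        // First value of every incoming header, handed to httpAuth to derive callback credentials.
        // NOTE(review): this includes any Authorization/Cookie header the caller sent; check what
        // httpAuth.produce actually forwards to the callback target.
        Map<String, String> headers = httpHeaders.getRequestHeaders().entrySet().stream().collect(Collectors.toMap(Entry::getKey, e -> e.getValue().get(0)));
        IdentityProvider identity = identitySupplier.buildIdentityProvider(user, groups);
        // buildIdentityProvider appears to install the identity for the current thread (the synchronous
        // branch relies on that side effect); detach it from the request thread and re-install it on the worker.
        IdentityProvider.set(null);
        CompletableFuture.runAsync(() -> {
            IdentityProvider.set(identity);
            try {
                io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
                    // NOTE(review): the not-found error reports the parent id, not id_$name$ — confirm intended.
                    ProcessInstance<$Type$> pi = subprocess_$name$.instances().findById($parentprocessid$ + ":" + id_$name$).orElseThrow(() -> new ProcessInstanceNotFoundException(id));
                    tracing(pi);
                    pi.updateVariables(resource);
                    $Type$Output result = mapOutput(new $Type$Output(), pi.variables(), pi.businessKey(), metadata ? pi.metadata() : null);
                    io.automatiko.engine.workflow.http.HttpCallbacks.get().post(callbackUrl, result, httpAuth.produce(headers), pi.status());
                    return null;
                });
            } finally {
                // FIX: the worker comes from a shared pool (common ForkJoinPool); clear the identity so it
                // cannot leak into the next task scheduled on this thread and run under the wrong caller.
                IdentityProvider.set(null);
            }
        });
        // NOTE(review): the future is discarded, so a failure inside the task (e.g. instance not found)
        // is silently dropped after the 202 has already been returned and no callback is ever made.
        ResponseBuilder builder = Response.accepted().entity(Collections.singletonMap("id", id));
        return builder.build();
    } else {
        // Synchronous path: called for its side effect of installing the caller's identity; the return value is not needed.
        identitySupplier.buildIdentityProvider(user, groups);
        return io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
            ProcessInstance<$Type$> pi = subprocess_$name$.instances().findById($parentprocessid$ + ":" + id_$name$).orElseThrow(() -> new ProcessInstanceNotFoundException(id));
            tracing(pi);
            pi.updateVariables(resource);
            ResponseBuilder builder = Response.ok().entity(mapOutput(new $Type$Output(), pi.variables(), pi.businessKey(), metadata ? pi.metadata() : null));
            return builder.build();
        });
    }
}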
Use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.
Class $Type$Resource (generated), method create_$name$.
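@APIResponses(value = { @APIResponse(responseCode = "400", description = "In case request given does not meet expectations", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "500", description = "In case of processing errors", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "409", description = "In case an instance already exists with given business key", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "403", description = "In case an instance cannot be created due to access policy by the caller", content = @Content(mediaType = "application/json")), @APIResponse(responseCode = "200", description = "Successfully created instance", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))), @APIResponse(responseCode = "202", description = "Successfully accepted request to create instance (applies only to async execution mode)", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))) })
@Operation(summary = "Creates new instance of $name$")
@POST()
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public Response create_$name$(@Context HttpHeaders httpHeaders, @QueryParam("businessKey") @Parameter(description = "Alternative id to be assigned to the instance", required = false) String businessKey, @Parameter(description = "User identifier as alternative autroization info", required = false, hidden = true) @QueryParam("user") final String user, @Parameter(description = "Groups as alternative autroization info", required = false, hidden = true) @QueryParam("group") final List<String> groups, @Parameter(description = "Indicates if instance metadata should be included", required = false) @QueryParam("metadata") @DefaultValue("false") final boolean metadata, @Parameter(description = "The input model for $name$ instance") $Type$Input resource) {
    // Code-generation template: $Type$ and $name$ are expanded by the generator.
    // Creates a new $name$ instance from the request body (an empty input when the body is absent)
    // and starts it. Returns 200 with the started instance's model, or — when X-ATK-Mode is "async" —
    // 202 with the not-yet-started model, the final result being POSTed later to X-ATK-Callback.
    if (resource == null) {
        resource = new $Type$Input();
    }
    final $Type$Input value = resource;
    String execMode = httpHeaders.getHeaderString("X-ATK-Mode");
    if ("async".equalsIgnoreCase(execMode)) {
        // SECURITY: callbackUrl is taken verbatim from a request header and the server POSTs instance
        // data to it. No allow-list, scheme or network check is visible in this method, so SSRF and
        // data exfiltration must be prevented inside HttpCallbacks/httpAuth — confirm before relying on it.
        String callbackUrl = httpHeaders.getHeaderString("X-ATK-Callback");
        // SECURITY: X-ATK-StartFromNode lets the caller begin execution at an arbitrary node, skipping
        // everything before it (e.g. approval steps). Nothing here restricts which nodes may be used —
        // confirm the engine or an access policy does.
        String startFromNode = httpHeaders.getHeaderString("X-ATK-StartFromNode");
        // FIX: resolve the caller's identity before creating the instance, exactly as the synchronous
        // branch does, so any access policy evaluated by createInstance (the documented 403) sees the
        // same identity in both execution modes. buildIdentityProvider appears to install the identity
        // for the current thread as a side effect.
        IdentityProvider identity = identitySupplier.buildIdentityProvider(user, groups);
        ProcessInstance<$Type$> pi = process.createInstance(businessKey, mapInput(value, new $Type$()));
        ((AbstractProcessInstance<$Type$>) pi).unlock(true);
        $Type$Output output = mapOutput(new $Type$Output(), pi.variables(), businessKey, pi.metadata());
        // First value of every incoming header, handed to httpAuth to derive callback credentials.
        // NOTE(review): this includes any Authorization/Cookie header the caller sent; check what
        // httpAuth.produce actually forwards to the callback target.
        Map<String, String> headers = httpHeaders.getRequestHeaders().entrySet().stream().collect(Collectors.toMap(Entry::getKey, e -> e.getValue().get(0)));
        // Detach the identity from the request thread; the worker re-installs it below.
        IdentityProvider.set(null);
        CompletableFuture.runAsync(() -> {
            IdentityProvider.set(identity);
            try {
                io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
                    if (startFromNode != null) {
                        pi.startFrom(startFromNode);
                    } else {
                        pi.start();
                    }
                    tracing(pi);
                    $Type$Output result = getModel(pi, metadata);
                    io.automatiko.engine.workflow.http.HttpCallbacks.get().post(callbackUrl, result, httpAuth.produce(headers), pi.status());
                    return null;
                });
            } finally {
                // FIX: the worker comes from a shared pool (common ForkJoinPool); clear the identity so it
                // cannot leak into the next task scheduled on this thread and run under the wrong caller.
                IdentityProvider.set(null);
            }
        });
        // NOTE(review): the future is discarded, so a failure inside the task is silently dropped after
        // the 202 has already been returned and no callback is ever made.
        ResponseBuilder builder = Response.accepted().entity(output);
        return builder.build();
    } else {
        // Synchronous path: called for its side effect of installing the caller's identity; the return value is not needed.
        identitySupplier.buildIdentityProvider(user, groups);
        return io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
            ProcessInstance<$Type$> pi = process.createInstance(businessKey, mapInput(value, new $Type$()));
            // SECURITY: same caveat as the async branch — the caller chooses where execution starts.
            String startFromNode = httpHeaders.getHeaderString("X-ATK-StartFromNode");
            if (startFromNode != null) {
                pi.startFrom(startFromNode);
            } else {
                pi.start();
            }
            tracing(pi);
            ResponseBuilder builder = Response.ok().entity(getModel(pi, metadata));
            return builder.build();
        });
    }
}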