Example 1 with IdentityProvider

use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.

the class ParticipantsAccessPolicy method whenInitiatorNotSetOrAsIdentity.

@SuppressWarnings("unchecked")
protected boolean whenInitiatorNotSetOrAsIdentity(IdentityProvider identityProvider, ProcessInstance<T> instance) {
    // administrators are always granted access
    if (identityProvider.isAdmin()) {
        return true;
    }
    WorkflowProcessInstance pi = (WorkflowProcessInstance) ((AbstractProcessInstance<?>) instance).processInstance();
    // access is granted when the instance has no initiator or the caller is the initiator
    if (pi.getInitiator() == null || pi.getInitiator().isEmpty() || pi.getInitiator().equals(identityProvider.getName())) {
        return true;
    }
    // next check if the user/group is assigned to any of the active user tasks that
    // can make it eligible to access the instance
    boolean result = ((WorkflowProcessInstanceImpl) pi).getNodeInstances(true).stream()
            .filter(ni -> ni instanceof HumanTaskNodeInstance)
            .anyMatch(ni -> {
                HumanTaskWorkItem workitem = (HumanTaskWorkItem) ((HumanTaskNodeInstance) ni).getWorkItem();
                return workitem.enforce(SecurityPolicy.of(identityProvider));
            });
    // otherwise apply the same checks recursively to each subprocess instance
    if (!result) {
        result = instance.subprocesses().stream()
                .anyMatch(spi -> whenInitiatorNotSetOrAsIdentity(identityProvider, (ProcessInstance<T>) spi));
    }
    return result;
}
Also used : HumanTaskWorkItem(io.automatiko.engine.api.runtime.process.HumanTaskWorkItem) AbstractProcessInstance(io.automatiko.engine.workflow.AbstractProcessInstance) SecurityPolicy(io.automatiko.engine.api.auth.SecurityPolicy) WorkflowProcessInstanceImpl(io.automatiko.engine.workflow.process.instance.impl.WorkflowProcessInstanceImpl) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) Set(java.util.Set) AccessPolicy(io.automatiko.engine.api.auth.AccessPolicy) HumanTaskNodeInstance(io.automatiko.engine.workflow.process.instance.node.HumanTaskNodeInstance) ProcessInstance(io.automatiko.engine.api.workflow.ProcessInstance) WorkflowProcessInstance(io.automatiko.engine.workflow.process.instance.WorkflowProcessInstance) HumanTaskWorkItem(io.automatiko.engine.api.runtime.process.HumanTaskWorkItem) HumanTaskNodeInstance(io.automatiko.engine.workflow.process.instance.node.HumanTaskNodeInstance) WorkflowProcessInstance(io.automatiko.engine.workflow.process.instance.WorkflowProcessInstance)

Example 2 with IdentityProvider

use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.

the class ProcessEventsEndpoint method onOpen.

@OnOpen
public void onOpen(Session session) {
    // the identity ("user", "groups") and the event filter ("filter") are read from the
    // request parameters of the WebSocket handshake
    Map<String, List<String>> params = session.getRequestParameterMap();
    IdentityProvider identityProvider = identitySupplier.buildIdentityProvider(
            params.getOrDefault("user", Collections.singletonList(null)).get(0),
            params.get("groups"));
    // both are stored as session user properties before the session is registered with the publisher
    session.getUserProperties().put("atk_identity", identityProvider);
    session.getUserProperties().put("atk_filter", params.getOrDefault("filter", Collections.singletonList(null)).get(0));
    publisher.add(session.getId(), session);
}
Also used : List(java.util.List) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) OnOpen(javax.websocket.OnOpen)

Example 3 with IdentityProvider

use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.

the class SecurityAwareBroadcastProcessor method onNext.

public void onNext(T item, Collection<String> visibleTo) {
    ParameterValidation.nonNullNpe(item, "item");
    for (BroadcastSubscription<T> s : subscribers.get()) {
        IdentityProvider identityProvider = s.identityProvider();
        // an empty visibleTo means no restriction; otherwise the subscriber's name
        // or one of its roles must be listed in visibleTo
        boolean allowed = visibleTo.isEmpty()
                || visibleTo.contains(identityProvider.getName())
                || visibleTo.stream().anyMatch(i -> identityProvider.getRoles().contains(i));
        if (allowed) {
            s.onNext(item);
        }
    }
}
Also used : HumanTaskWorkItem(io.automatiko.engine.api.runtime.process.HumanTaskWorkItem) AbstractMulti(io.smallrye.mutiny.operators.AbstractMulti) SecurityPolicy(io.automatiko.engine.api.auth.SecurityPolicy) Collection(java.util.Collection) Processor(org.reactivestreams.Processor) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) AtomicReference(java.util.concurrent.atomic.AtomicReference) ArrayList(java.util.ArrayList) Subscriptions(io.smallrye.mutiny.helpers.Subscriptions) AtomicLong(java.util.concurrent.atomic.AtomicLong) List(java.util.List) ParameterValidation(io.smallrye.mutiny.helpers.ParameterValidation) BackPressureFailure(io.smallrye.mutiny.subscription.BackPressureFailure) UnicastProcessor(io.smallrye.mutiny.operators.multi.processors.UnicastProcessor) Subscription(org.reactivestreams.Subscription) Subscriber(org.reactivestreams.Subscriber) MultiSubscriber(io.smallrye.mutiny.subscription.MultiSubscriber) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) SerializedProcessor(io.smallrye.mutiny.operators.multi.processors.SerializedProcessor) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider)

Example 4 with IdentityProvider

use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.

the class $Type$Resource method updateModel_$name$.

@APIResponses(value = {
        @APIResponse(responseCode = "500", description = "In case of processing errors", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "404", description = "In case of instance with given id was not found", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "200", description = "Successfully updated instance", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))) })
@Operation(summary = "Updates data of $name$ instance with given id")
@POST()
@Path("$prefix$/$name$/{id_$name$}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response updateModel_$name$(
        @Context HttpHeaders httpHeaders,
        @PathParam("id") String id,
        @PathParam("id_$name$") String id_$name$,
        @Parameter(description = "User identifier as alternative authorization info", required = false, hidden = true) @QueryParam("user") final String user,
        @Parameter(description = "Groups as alternative authorization info", required = false, hidden = true) @QueryParam("group") final List<String> groups,
        @Parameter(description = "Indicates if instance metadata should be included", required = false) @QueryParam("metadata") @DefaultValue("false") final boolean metadata,
        $Type$ resource) {
    String execMode = httpHeaders.getHeaderString("X-ATK-Mode");
    if ("async".equalsIgnoreCase(execMode)) {
        String callbackUrl = httpHeaders.getHeaderString("X-ATK-Callback");
        Map<String, String> headers = httpHeaders.getRequestHeaders().entrySet().stream().collect(Collectors.toMap(Entry::getKey, e -> e.getValue().get(0)));
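        // the identity is built from the "user" and "group" query parameters, then
        // set again inside the asynchronous task that performs the update
        IdentityProvider identity = identitySupplier.buildIdentityProvider(user, groups);
        IdentityProvider.set(null);
        CompletableFuture.runAsync(() -> {
            IdentityProvider.set(identity);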
            io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
                ProcessInstance<$Type$> pi = subprocess_$name$.instances().findById($parentprocessid$ + ":" + id_$name$).orElseThrow(() -> new ProcessInstanceNotFoundException(id));
                tracing(pi);
                pi.updateVariables(resource);
                $Type$Output result = mapOutput(new $Type$Output(), pi.variables(), pi.businessKey(), metadata ? pi.metadata() : null);
                io.automatiko.engine.workflow.http.HttpCallbacks.get().post(callbackUrl, result, httpAuth.produce(headers), pi.status());
                return null;
            });
        });
        ResponseBuilder builder = Response.accepted().entity(Collections.singletonMap("id", id));
        return builder.build();
    } else {
        identitySupplier.buildIdentityProvider(user, groups);
        return io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
            ProcessInstance<$Type$> pi = subprocess_$name$.instances().findById($parentprocessid$ + ":" + id_$name$).orElseThrow(() -> new ProcessInstanceNotFoundException(id));
            tracing(pi);
            pi.updateVariables(resource);
            ResponseBuilder builder = Response.ok().entity(mapOutput(new $Type$Output(), pi.variables(), pi.businessKey(), metadata ? pi.metadata() : null));
            return builder.build();
        });
    }
}
Also used : PathParam(javax.ws.rs.PathParam) Produces(javax.ws.rs.Produces) SecurityPolicy(io.automatiko.engine.api.auth.SecurityPolicy) GET(javax.ws.rs.GET) Path(javax.ws.rs.Path) LoggerFactory(org.slf4j.LoggerFactory) CompletableFuture(java.util.concurrent.CompletableFuture) WorkItemNotFoundException(io.automatiko.engine.api.runtime.process.WorkItemNotFoundException) ProcessInstanceExecutionException(io.automatiko.engine.api.workflow.ProcessInstanceExecutionException) MediaType(javax.ws.rs.core.MediaType) Application(io.automatiko.engine.api.Application) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) ProcessImageNotFoundException(io.automatiko.engine.api.workflow.ProcessImageNotFoundException) Map(java.util.Map) DefaultValue(javax.ws.rs.DefaultValue) InstanceMetadata(io.automatiko.engine.api.workflow.InstanceMetadata) Process(io.automatiko.engine.api.workflow.Process) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) DELETE(javax.ws.rs.DELETE) OutputStream(java.io.OutputStream) POST(javax.ws.rs.POST) Context(javax.ws.rs.core.Context) Logger(org.slf4j.Logger) Schema(org.eclipse.microprofile.openapi.annotations.media.Schema) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) IOException(java.io.IOException) StreamingOutput(javax.ws.rs.core.StreamingOutput) ProcessInstance(io.automatiko.engine.api.workflow.ProcessInstance) Policy(io.automatiko.engine.api.workflow.workitem.Policy) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) List(java.util.List) HttpHeaders(javax.ws.rs.core.HttpHeaders) Response(javax.ws.rs.core.Response) Sig(io.automatiko.engine.workflow.Sig) Entry(java.util.Map.Entry) WebApplicationException(javax.ws.rs.WebApplicationException) Collections(java.util.Collections) WorkItem(io.automatiko.engine.api.workflow.WorkItem) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) Path(javax.ws.rs.Path) 
POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 5 with IdentityProvider

use of io.automatiko.engine.api.auth.IdentityProvider in project automatiko-engine by automatiko-io.

the class $Type$Resource method create_$name$.

@APIResponses(value = {
        @APIResponse(responseCode = "400", description = "In case request given does not meet expectations", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "500", description = "In case of processing errors", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "409", description = "In case an instance already exists with given business key", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "403", description = "In case an instance cannot be created due to access policy by the caller", content = @Content(mediaType = "application/json")),
        @APIResponse(responseCode = "200", description = "Successfully created instance", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))),
        @APIResponse(responseCode = "202", description = "Successfully accepted request to create instance (applies only to async execution mode)", content = @Content(mediaType = "application/json", schema = @Schema(implementation = $Type$Output.class))) })
@Operation(summary = "Creates new instance of $name$")
@POST()
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public Response create_$name$(
        @Context HttpHeaders httpHeaders,
        @QueryParam("businessKey") @Parameter(description = "Alternative id to be assigned to the instance", required = false) String businessKey,
        @Parameter(description = "User identifier as alternative authorization info", required = false, hidden = true) @QueryParam("user") final String user,
        @Parameter(description = "Groups as alternative authorization info", required = false, hidden = true) @QueryParam("group") final List<String> groups,
        @Parameter(description = "Indicates if instance metadata should be included", required = false) @QueryParam("metadata") @DefaultValue("false") final boolean metadata,
        @Parameter(description = "The input model for $name$ instance") $Type$Input resource) {
    if (resource == null) {
        resource = new $Type$Input();
    }
    final $Type$Input value = resource;
    String execMode = httpHeaders.getHeaderString("X-ATK-Mode");
    if ("async".equalsIgnoreCase(execMode)) {
        String callbackUrl = httpHeaders.getHeaderString("X-ATK-Callback");
        String startFromNode = httpHeaders.getHeaderString("X-ATK-StartFromNode");
        ProcessInstance<$Type$> pi = process.createInstance(businessKey, mapInput(value, new $Type$()));
        ((AbstractProcessInstance<$Type$>) pi).unlock(true);
        $Type$Output output = mapOutput(new $Type$Output(), pi.variables(), businessKey, pi.metadata());
        Map<String, String> headers = httpHeaders.getRequestHeaders().entrySet().stream().collect(Collectors.toMap(Entry::getKey, e -> e.getValue().get(0)));
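        // the identity is built from the "user" and "group" query parameters, then
        // set again inside the asynchronous task that starts the instance
        IdentityProvider identity = identitySupplier.buildIdentityProvider(user, groups);
        IdentityProvider.set(null);
        CompletableFuture.runAsync(() -> {
            IdentityProvider.set(identity);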
            io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
                if (startFromNode != null) {
                    pi.startFrom(startFromNode);
                } else {
                    pi.start();
                }
                tracing(pi);
                $Type$Output result = getModel(pi, metadata);
                io.automatiko.engine.workflow.http.HttpCallbacks.get().post(callbackUrl, result, httpAuth.produce(headers), pi.status());
                return null;
            });
        });
        ResponseBuilder builder = Response.accepted().entity(output);
        return builder.build();
    } else {
        identitySupplier.buildIdentityProvider(user, groups);
        return io.automatiko.engine.services.uow.UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> {
            ProcessInstance<$Type$> pi = process.createInstance(businessKey, mapInput(value, new $Type$()));
            String startFromNode = httpHeaders.getHeaderString("X-ATK-StartFromNode");
            if (startFromNode != null) {
                pi.startFrom(startFromNode);
            } else {
                pi.start();
            }
            tracing(pi);
            ResponseBuilder builder = Response.ok().entity(getModel(pi, metadata));
            return builder.build();
        });
    }
}
Also used : Produces(javax.ws.rs.Produces) SecurityPolicy(io.automatiko.engine.api.auth.SecurityPolicy) Path(javax.ws.rs.Path) WorkItemNotFoundException(io.automatiko.engine.api.runtime.process.WorkItemNotFoundException) TagInstance(io.automatiko.engine.workflow.base.instance.TagInstance) ProcessInstanceExecutionException(io.automatiko.engine.api.workflow.ProcessInstanceExecutionException) MediaType(javax.ws.rs.core.MediaType) Application(io.automatiko.engine.api.Application) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) ProcessImageNotFoundException(io.automatiko.engine.api.workflow.ProcessImageNotFoundException) SchemaType(org.eclipse.microprofile.openapi.annotations.enums.SchemaType) Map(java.util.Map) DefaultValue(javax.ws.rs.DefaultValue) APIResponse(org.eclipse.microprofile.openapi.annotations.responses.APIResponse) DELETE(javax.ws.rs.DELETE) Context(javax.ws.rs.core.Context) Collection(java.util.Collection) Tag(io.automatiko.engine.api.workflow.Tag) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) StreamingOutput(javax.ws.rs.core.StreamingOutput) Operation(org.eclipse.microprofile.openapi.annotations.Operation) ProcessInstance(io.automatiko.engine.api.workflow.ProcessInstance) Policy(io.automatiko.engine.api.workflow.workitem.Policy) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) List(java.util.List) HttpHeaders(javax.ws.rs.core.HttpHeaders) Response(javax.ws.rs.core.Response) Sig(io.automatiko.engine.workflow.Sig) Parameter(org.eclipse.microprofile.openapi.annotations.parameters.Parameter) Entry(java.util.Map.Entry) WebApplicationException(javax.ws.rs.WebApplicationException) UriInfo(javax.ws.rs.core.UriInfo) ProcessInstanceNotFoundException(io.automatiko.engine.api.workflow.ProcessInstanceNotFoundException) WorkItem(io.automatiko.engine.api.workflow.WorkItem) PathParam(javax.ws.rs.PathParam) AbstractProcessInstance(io.automatiko.engine.workflow.AbstractProcessInstance) 
GET(javax.ws.rs.GET) CompletableFuture(java.util.concurrent.CompletableFuture) IdentitySupplier(io.automatiko.engine.api.auth.IdentitySupplier) InstanceMetadata(io.automatiko.engine.api.workflow.InstanceMetadata) Process(io.automatiko.engine.api.workflow.Process) Content(org.eclipse.microprofile.openapi.annotations.media.Content) Status(javax.ws.rs.core.Response.Status) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) OutputStream(java.io.OutputStream) POST(javax.ws.rs.POST) Schema(org.eclipse.microprofile.openapi.annotations.media.Schema) IOException(java.io.IOException) HttpAuthSupport(io.automatiko.engine.service.auth.HttpAuthSupport) APIResponses(org.eclipse.microprofile.openapi.annotations.responses.APIResponses) Collections(java.util.Collections) AbstractProcessInstance(io.automatiko.engine.workflow.AbstractProcessInstance) IdentityProvider(io.automatiko.engine.api.auth.IdentityProvider) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces) Consumes(javax.ws.rs.Consumes) APIResponses(org.eclipse.microprofile.openapi.annotations.responses.APIResponses) Operation(org.eclipse.microprofile.openapi.annotations.Operation)
