Example 1 with Resource
use of org.camunda.bpm.engine.authorization.Resource in project camunda-bpm-platform by camunda.
the class MissingAuthorizationMatcher method asMissingAuthorization.
protected static MissingAuthorization asMissingAuthorization(Authorization authorization) {
String permissionName = null;
String resourceId = null;
String resourceName = null;
for (Permission permission : authorization.getPermissions(Permissions.values())) {
if (permission != Permissions.NONE) {
permissionName = permission.getName();
break;
}
}
if (!Authorization.ANY.equals(authorization.getResourceId())) {
// missing ANY authorizations are not explicitly represented in the error message
resourceId = authorization.getResourceId();
}
Resource resource = AuthorizationTestUtil.getResourceByType(authorization.getResourceType());
resourceName = resource.resourceName();
return new MissingAuthorization(permissionName, resourceName, resourceId);
}
Also used :
MissingAuthorization(org.camunda.bpm.engine.authorization.MissingAuthorization)
Permission(org.camunda.bpm.engine.authorization.Permission)
Resource(org.camunda.bpm.engine.authorization.Resource)
Example 2 with Resource
use of org.camunda.bpm.engine.authorization.Resource in project camunda-bpm-platform by camunda.
the class AuthorizationQueryTest method testOrderByQueries.
public void testOrderByQueries() {
Resource resource1 = new TestResource("resource1", 100);
Resource resource2 = new TestResource("resource2", 101);
List<Authorization> list = authorizationService.createAuthorizationQuery().orderByResourceType().asc().list();
assertEquals(resource1.resourceType(), list.get(0).getResourceType());
assertEquals(resource1.resourceType(), list.get(1).getResourceType());
assertEquals(resource1.resourceType(), list.get(2).getResourceType());
assertEquals(resource1.resourceType(), list.get(3).getResourceType());
assertEquals(resource2.resourceType(), list.get(4).getResourceType());
assertEquals(resource2.resourceType(), list.get(5).getResourceType());
assertEquals(resource2.resourceType(), list.get(6).getResourceType());
assertEquals(resource2.resourceType(), list.get(7).getResourceType());
list = authorizationService.createAuthorizationQuery().orderByResourceType().desc().list();
assertEquals(resource2.resourceType(), list.get(0).getResourceType());
assertEquals(resource2.resourceType(), list.get(1).getResourceType());
assertEquals(resource2.resourceType(), list.get(2).getResourceType());
assertEquals(resource2.resourceType(), list.get(3).getResourceType());
assertEquals(resource1.resourceType(), list.get(4).getResourceType());
assertEquals(resource1.resourceType(), list.get(5).getResourceType());
assertEquals(resource1.resourceType(), list.get(6).getResourceType());
assertEquals(resource1.resourceType(), list.get(7).getResourceType());
list = authorizationService.createAuthorizationQuery().orderByResourceId().asc().list();
assertEquals("resource1-1", list.get(0).getResourceId());
assertEquals("resource1-1", list.get(1).getResourceId());
assertEquals("resource1-2", list.get(2).getResourceId());
assertEquals("resource1-2", list.get(3).getResourceId());
assertEquals("resource2-1", list.get(4).getResourceId());
assertEquals("resource2-1", list.get(5).getResourceId());
assertEquals("resource2-2", list.get(6).getResourceId());
assertEquals("resource2-3", list.get(7).getResourceId());
list = authorizationService.createAuthorizationQuery().orderByResourceId().desc().list();
assertEquals("resource2-3", list.get(0).getResourceId());
assertEquals("resource2-2", list.get(1).getResourceId());
assertEquals("resource2-1", list.get(2).getResourceId());
assertEquals("resource2-1", list.get(3).getResourceId());
assertEquals("resource1-2", list.get(4).getResourceId());
assertEquals("resource1-2", list.get(5).getResourceId());
assertEquals("resource1-1", list.get(6).getResourceId());
assertEquals("resource1-1", list.get(7).getResourceId());
}
Also used :
Authorization(org.camunda.bpm.engine.authorization.Authorization)
Resource(org.camunda.bpm.engine.authorization.Resource)
Example 3 with Resource
use of org.camunda.bpm.engine.authorization.Resource in project camunda-bpm-platform by camunda.
the class AuthorizationQueryTest method testValidQueryLists.
public void testValidQueryLists() {
Resource resource1 = new TestResource("resource1", 100);
Resource resource2 = new TestResource("resource2", 101);
Resource nonExisting = new TestResource("non-existing", 102);
// query by user id
assertEquals(2, authorizationService.createAuthorizationQuery().userIdIn("user1").list().size());
assertEquals(1, authorizationService.createAuthorizationQuery().userIdIn("user2").list().size());
assertEquals(1, authorizationService.createAuthorizationQuery().userIdIn("user3").list().size());
assertEquals(3, authorizationService.createAuthorizationQuery().userIdIn("user1", "user2").list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().userIdIn("non-existing").list().size());
// query by group id
assertEquals(2, authorizationService.createAuthorizationQuery().groupIdIn("group1").list().size());
assertEquals(1, authorizationService.createAuthorizationQuery().groupIdIn("group2").list().size());
assertEquals(1, authorizationService.createAuthorizationQuery().groupIdIn("group3").list().size());
assertEquals(3, authorizationService.createAuthorizationQuery().groupIdIn("group1", "group2").list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().groupIdIn("non-existing").list().size());
// query by resource type
assertEquals(4, authorizationService.createAuthorizationQuery().resourceType(resource1).list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().resourceType(nonExisting).list().size());
// query by resource id
assertEquals(2, authorizationService.createAuthorizationQuery().resourceId("resource1-2").list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().resourceId("non-existing").list().size());
// query by permission
assertEquals(1, authorizationService.createAuthorizationQuery().hasPermission(Permissions.ACCESS).list().size());
assertEquals(2, authorizationService.createAuthorizationQuery().hasPermission(Permissions.DELETE).list().size());
assertEquals(2, authorizationService.createAuthorizationQuery().hasPermission(Permissions.READ).list().size());
assertEquals(3, authorizationService.createAuthorizationQuery().hasPermission(Permissions.UPDATE).list().size());
// multiple permissions at the same time
assertEquals(2, authorizationService.createAuthorizationQuery().hasPermission(Permissions.READ).hasPermission(Permissions.UPDATE).list().size());
assertEquals(2, authorizationService.createAuthorizationQuery().hasPermission(Permissions.UPDATE).hasPermission(Permissions.READ).list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().hasPermission(Permissions.READ).hasPermission(Permissions.ACCESS).list().size());
// user id & resource type
assertEquals(1, authorizationService.createAuthorizationQuery().userIdIn("user1").resourceType(resource1).list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().userIdIn("user1").resourceType(nonExisting).list().size());
// group id & resource type
assertEquals(1, authorizationService.createAuthorizationQuery().groupIdIn("group2").resourceType(resource2).list().size());
assertEquals(0, authorizationService.createAuthorizationQuery().groupIdIn("group1").resourceType(nonExisting).list().size());
}
Also used :
Resource(org.camunda.bpm.engine.authorization.Resource)
Example 4 with Resource
use of org.camunda.bpm.engine.authorization.Resource in project camunda-bpm-platform by camunda.
the class DemoDataGenerator method createUsers.
public void createUsers(ProcessEngine engine) {
final IdentityService identityService = engine.getIdentityService();
if (identityService.isReadOnly()) {
LOGGER.info("Identity service provider is Read Only, not creating any demo users.");
return;
}
User singleResult = identityService.createUserQuery().userId("demo").singleResult();
if (singleResult != null) {
return;
}
LOGGER.info("Generating demo data for invoice showcase");
User user = identityService.newUser("demo");
user.setFirstName("Demo");
user.setLastName("Demo");
user.setPassword("demo");
user.setEmail("demo@camunda.org");
identityService.saveUser(user);
User user2 = identityService.newUser("john");
user2.setFirstName("John");
user2.setLastName("Doe");
user2.setPassword("john");
user2.setEmail("john@camunda.org");
identityService.saveUser(user2);
User user3 = identityService.newUser("mary");
user3.setFirstName("Mary");
user3.setLastName("Anne");
user3.setPassword("mary");
user3.setEmail("mary@camunda.org");
identityService.saveUser(user3);
User user4 = identityService.newUser("peter");
user4.setFirstName("Peter");
user4.setLastName("Meter");
user4.setPassword("peter");
user4.setEmail("peter@camunda.org");
identityService.saveUser(user4);
Group salesGroup = identityService.newGroup("sales");
salesGroup.setName("Sales");
salesGroup.setType("WORKFLOW");
identityService.saveGroup(salesGroup);
Group accountingGroup = identityService.newGroup("accounting");
accountingGroup.setName("Accounting");
accountingGroup.setType("WORKFLOW");
identityService.saveGroup(accountingGroup);
Group managementGroup = identityService.newGroup("management");
managementGroup.setName("Management");
managementGroup.setType("WORKFLOW");
identityService.saveGroup(managementGroup);
final AuthorizationService authorizationService = engine.getAuthorizationService();
// create group
if (identityService.createGroupQuery().groupId(Groups.CAMUNDA_ADMIN).count() == 0) {
Group camundaAdminGroup = identityService.newGroup(Groups.CAMUNDA_ADMIN);
camundaAdminGroup.setName("camunda BPM Administrators");
camundaAdminGroup.setType(Groups.GROUP_TYPE_SYSTEM);
identityService.saveGroup(camundaAdminGroup);
}
// create ADMIN authorizations on all built-in resources
for (Resource resource : Resources.values()) {
if (authorizationService.createAuthorizationQuery().groupIdIn(Groups.CAMUNDA_ADMIN).resourceType(resource).resourceId(ANY).count() == 0) {
AuthorizationEntity userAdminAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
userAdminAuth.setGroupId(Groups.CAMUNDA_ADMIN);
userAdminAuth.setResource(resource);
userAdminAuth.setResourceId(ANY);
userAdminAuth.addPermission(ALL);
authorizationService.saveAuthorization(userAdminAuth);
}
}
identityService.createMembership("demo", "sales");
identityService.createMembership("demo", "accounting");
identityService.createMembership("demo", "management");
identityService.createMembership("demo", "camunda-admin");
identityService.createMembership("john", "sales");
identityService.createMembership("mary", "accounting");
identityService.createMembership("peter", "management");
// authorize groups for tasklist only:
Authorization salesTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
salesTasklistAuth.setGroupId("sales");
salesTasklistAuth.addPermission(ACCESS);
salesTasklistAuth.setResourceId("tasklist");
salesTasklistAuth.setResource(APPLICATION);
authorizationService.saveAuthorization(salesTasklistAuth);
Authorization salesReadProcessDefinition = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
salesReadProcessDefinition.setGroupId("sales");
salesReadProcessDefinition.addPermission(Permissions.READ);
salesReadProcessDefinition.addPermission(Permissions.READ_HISTORY);
salesReadProcessDefinition.setResource(Resources.PROCESS_DEFINITION);
// restrict to invoice process definition only
salesReadProcessDefinition.setResourceId("invoice");
authorizationService.saveAuthorization(salesReadProcessDefinition);
Authorization accountingTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
accountingTasklistAuth.setGroupId("accounting");
accountingTasklistAuth.addPermission(ACCESS);
accountingTasklistAuth.setResourceId("tasklist");
accountingTasklistAuth.setResource(APPLICATION);
authorizationService.saveAuthorization(accountingTasklistAuth);
Authorization accountingReadProcessDefinition = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
accountingReadProcessDefinition.setGroupId("accounting");
accountingReadProcessDefinition.addPermission(Permissions.READ);
accountingReadProcessDefinition.addPermission(Permissions.READ_HISTORY);
accountingReadProcessDefinition.setResource(Resources.PROCESS_DEFINITION);
// restrict to invoice process definition only
accountingReadProcessDefinition.setResourceId("invoice");
authorizationService.saveAuthorization(accountingReadProcessDefinition);
Authorization managementTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
managementTasklistAuth.setGroupId("management");
managementTasklistAuth.addPermission(ACCESS);
managementTasklistAuth.setResourceId("tasklist");
managementTasklistAuth.setResource(APPLICATION);
authorizationService.saveAuthorization(managementTasklistAuth);
Authorization managementReadProcessDefinition = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
managementReadProcessDefinition.setGroupId("management");
managementReadProcessDefinition.addPermission(Permissions.READ);
managementReadProcessDefinition.addPermission(Permissions.READ_HISTORY);
managementReadProcessDefinition.setResource(Resources.PROCESS_DEFINITION);
// restrict to invoice process definition only
managementReadProcessDefinition.setResourceId("invoice");
authorizationService.saveAuthorization(managementReadProcessDefinition);
Authorization salesDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
salesDemoAuth.setGroupId("sales");
salesDemoAuth.setResource(USER);
salesDemoAuth.setResourceId("demo");
salesDemoAuth.addPermission(READ);
authorizationService.saveAuthorization(salesDemoAuth);
Authorization salesJohnAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
salesJohnAuth.setGroupId("sales");
salesJohnAuth.setResource(USER);
salesJohnAuth.setResourceId("john");
salesJohnAuth.addPermission(READ);
authorizationService.saveAuthorization(salesJohnAuth);
Authorization manDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
manDemoAuth.setGroupId("management");
manDemoAuth.setResource(USER);
manDemoAuth.setResourceId("demo");
manDemoAuth.addPermission(READ);
authorizationService.saveAuthorization(manDemoAuth);
Authorization manPeterAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
manPeterAuth.setGroupId("management");
manPeterAuth.setResource(USER);
manPeterAuth.setResourceId("peter");
manPeterAuth.addPermission(READ);
authorizationService.saveAuthorization(manPeterAuth);
Authorization accDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
accDemoAuth.setGroupId("accounting");
accDemoAuth.setResource(USER);
accDemoAuth.setResourceId("demo");
accDemoAuth.addPermission(READ);
authorizationService.saveAuthorization(accDemoAuth);
Authorization accMaryAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
accMaryAuth.setGroupId("accounting");
accMaryAuth.setResource(USER);
accMaryAuth.setResourceId("mary");
accMaryAuth.addPermission(READ);
authorizationService.saveAuthorization(accMaryAuth);
Authorization taskMaryAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
taskMaryAuth.setUserId("mary");
taskMaryAuth.setResource(TASK);
taskMaryAuth.setResourceId(ANY);
taskMaryAuth.addPermission(READ);
taskMaryAuth.addPermission(UPDATE);
authorizationService.saveAuthorization(taskMaryAuth);
// create default filters
FilterService filterService = engine.getFilterService();
Map<String, Object> filterProperties = new HashMap<String, Object>();
filterProperties.put("description", "Tasks assigned to me");
filterProperties.put("priority", -10);
addVariables(filterProperties);
TaskService taskService = engine.getTaskService();
TaskQuery query = taskService.createTaskQuery().taskAssigneeExpression("${currentUser()}");
Filter myTasksFilter = filterService.newTaskFilter().setName("My Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(myTasksFilter);
filterProperties.clear();
filterProperties.put("description", "Tasks assigned to my Groups");
filterProperties.put("priority", -5);
addVariables(filterProperties);
query = taskService.createTaskQuery().taskCandidateGroupInExpression("${currentUserGroups()}").taskUnassigned();
Filter groupTasksFilter = filterService.newTaskFilter().setName("My Group Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(groupTasksFilter);
// global read authorizations for these filters
Authorization globalMyTaskFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
globalMyTaskFilterRead.setResource(FILTER);
globalMyTaskFilterRead.setResourceId(myTasksFilter.getId());
globalMyTaskFilterRead.addPermission(READ);
authorizationService.saveAuthorization(globalMyTaskFilterRead);
Authorization globalGroupFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
globalGroupFilterRead.setResource(FILTER);
globalGroupFilterRead.setResourceId(groupTasksFilter.getId());
globalGroupFilterRead.addPermission(READ);
authorizationService.saveAuthorization(globalGroupFilterRead);
// management filter
filterProperties.clear();
filterProperties.put("description", "Tasks for Group Accounting");
filterProperties.put("priority", -3);
addVariables(filterProperties);
query = taskService.createTaskQuery().taskCandidateGroupIn(Arrays.asList("accounting")).taskUnassigned();
Filter candidateGroupTasksFilter = filterService.newTaskFilter().setName("Accounting").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(candidateGroupTasksFilter);
Authorization managementGroupFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
managementGroupFilterRead.setResource(FILTER);
managementGroupFilterRead.setResourceId(candidateGroupTasksFilter.getId());
managementGroupFilterRead.addPermission(READ);
managementGroupFilterRead.setGroupId("accounting");
authorizationService.saveAuthorization(managementGroupFilterRead);
// john's tasks
filterProperties.clear();
filterProperties.put("description", "Tasks assigned to John");
filterProperties.put("priority", -1);
addVariables(filterProperties);
query = taskService.createTaskQuery().taskAssignee("john");
Filter johnsTasksFilter = filterService.newTaskFilter().setName("John's Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(johnsTasksFilter);
// mary's tasks
filterProperties.clear();
filterProperties.put("description", "Tasks assigned to Mary");
filterProperties.put("priority", -1);
addVariables(filterProperties);
query = taskService.createTaskQuery().taskAssignee("mary");
Filter marysTasksFilter = filterService.newTaskFilter().setName("Mary's Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(marysTasksFilter);
// peter's tasks
filterProperties.clear();
filterProperties.put("description", "Tasks assigned to Peter");
filterProperties.put("priority", -1);
addVariables(filterProperties);
query = taskService.createTaskQuery().taskAssignee("peter");
Filter petersTasksFilter = filterService.newTaskFilter().setName("Peter's Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(petersTasksFilter);
// all tasks
filterProperties.clear();
filterProperties.put("description", "All Tasks - Not recommended to be used in production :)");
filterProperties.put("priority", 10);
addVariables(filterProperties);
query = taskService.createTaskQuery();
Filter allTasksFilter = filterService.newTaskFilter().setName("All Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
filterService.saveFilter(allTasksFilter);
}
Also used :
Group(org.camunda.bpm.engine.identity.Group)
User(org.camunda.bpm.engine.identity.User)
HashMap(java.util.HashMap)
TaskService(org.camunda.bpm.engine.TaskService)
Resource(org.camunda.bpm.engine.authorization.Resource)
FilterService(org.camunda.bpm.engine.FilterService)
IdentityService(org.camunda.bpm.engine.IdentityService)
Authorization(org.camunda.bpm.engine.authorization.Authorization)
AuthorizationService(org.camunda.bpm.engine.AuthorizationService)
Filter(org.camunda.bpm.engine.filter.Filter)
AuthorizationEntity(org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity)
TaskQuery(org.camunda.bpm.engine.task.TaskQuery)
Example 5 with Resource
use of org.camunda.bpm.engine.authorization.Resource in project camunda-bpm-platform by camunda.
the class AdministratorAuthorizationPlugin method postProcessEngineBuild.
public void postProcessEngineBuild(ProcessEngine processEngine) {
if (!authorizationEnabled) {
return;
}
final AuthorizationService authorizationService = processEngine.getAuthorizationService();
if (administratorGroupName != null && administratorGroupName.length() > 0) {
// create ADMIN authorizations on all built-in resources for configured group
for (Resource resource : Resources.values()) {
if (authorizationService.createAuthorizationQuery().groupIdIn(administratorGroupName).resourceType(resource).resourceId(ANY).count() == 0) {
AuthorizationEntity adminGroupAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
adminGroupAuth.setGroupId(administratorGroupName);
adminGroupAuth.setResource(resource);
adminGroupAuth.setResourceId(ANY);
adminGroupAuth.addPermission(ALL);
authorizationService.saveAuthorization(adminGroupAuth);
LOG.grantGroupPermissions(administratorGroupName, resource.resourceName());
}
}
}
if (administratorUserName != null && administratorUserName.length() > 0) {
// create ADMIN authorizations on all built-in resources for configured user
for (Resource resource : Resources.values()) {
if (authorizationService.createAuthorizationQuery().userIdIn(administratorUserName).resourceType(resource).resourceId(ANY).count() == 0) {
AuthorizationEntity adminUserAuth = new AuthorizationEntity(AUTH_TYPE_GRANT);
adminUserAuth.setUserId(administratorUserName);
adminUserAuth.setResource(resource);
adminUserAuth.setResourceId(ANY);
adminUserAuth.addPermission(ALL);
authorizationService.saveAuthorization(adminUserAuth);
LOG.grantUserPermissions(administratorUserName, resource.resourceName());
}
}
}
}
Also used :
AuthorizationService(org.camunda.bpm.engine.AuthorizationService)
AuthorizationEntity(org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity)
Resource(org.camunda.bpm.engine.authorization.Resource)
Aggregations
Resource (org.camunda.bpm.engine.authorization.Resource)8
Authorization (org.camunda.bpm.engine.authorization.Authorization)3
AuthorizationService (org.camunda.bpm.engine.AuthorizationService)2
MissingAuthorization (org.camunda.bpm.engine.authorization.MissingAuthorization)2
Permission (org.camunda.bpm.engine.authorization.Permission)2
AuthorizationEntity (org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity)2
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
FilterService (org.camunda.bpm.engine.FilterService)1
IdentityService (org.camunda.bpm.engine.IdentityService)1
TaskService (org.camunda.bpm.engine.TaskService)1
Filter (org.camunda.bpm.engine.filter.Filter)1
Group (org.camunda.bpm.engine.identity.Group)1
User (org.camunda.bpm.engine.identity.User)1
TaskQuery (org.camunda.bpm.engine.task.TaskQuery)1
