public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); TaskQueryImpl taskQuery = (TaskQueryImpl) spy(processEngine.getTaskService().createTaskQuery()); AuthorizationCheck authCheck = spy(new AuthorizationCheck()); when(taskQuery.getAuthCheck()).thenReturn(authCheck); taskQuery.list(); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); verify(authCheck).setAuthGroupIds(eq(Collections.<String>emptyList())); return null; } });
public void enableQueryAuthCheck(AuthorizationCheck authCheck) { List<String> authGroupIds = authCheck.getAuthGroupIds(); String authUserId = authCheck.getAuthUserId(); authCheck.setAuthorizationCheckEnabled(true); authCheck.setAuthGroupIds(filterAuthenticatedGroupIds(authGroupIds)); authCheck.setRevokeAuthorizationCheckEnabled(isRevokeAuthCheckEnabled(authUserId, authGroupIds)); }
@Test public void shouldCheckDbForCfgValueWithNoRevokes_auto() { final ListQueryParameterObject query = new ListQueryParameterObject(); final AuthorizationCheck authCheck = query.getAuthCheck(); final HashMap<String, Object> expectedQueryParams = new HashMap<String, Object>(); expectedQueryParams.put("userId", AUTHENTICATED_USER_ID); expectedQueryParams.put("authGroupIds", AUTHENTICATED_GROUPS); // given when(mockedConfiguration.getAuthorizationCheckRevokes()).thenReturn(ProcessEngineConfiguration.AUTHORIZATION_CHECK_REVOKE_AUTO); when(mockedEntityManager.selectBoolean(eq("selectRevokeAuthorization"), eq(expectedQueryParams))).thenReturn(false); // if authorizationManager.configureQuery(query); // then assertEquals(false, authCheck.isRevokeAuthorizationCheckEnabled()); verify(mockedEntityManager, times(1)).selectBoolean(eq("selectRevokeAuthorization"), eq(expectedQueryParams)); }
public void configureQuery(ListQueryParameterObject query) { AuthorizationCheck authCheck = query.getAuthCheck(); authCheck.getPermissionChecks().clear(); if(isAuthCheckExecuted()) { Authentication currentAuthentication = getCurrentAuthentication(); authCheck.setAuthUserId(currentAuthentication.getUserId()); authCheck.setAuthGroupIds(currentAuthentication.getGroupIds()); enableQueryAuthCheck(authCheck); } else { authCheck.setAuthorizationCheckEnabled(false); authCheck.setAuthUserId(null); authCheck.setAuthGroupIds(null); } }
public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); DbEntityManager dbEntityManager = spyOnSession(commandContext, DbEntityManager.class); authorizationService.isUserAuthorized(testUserId, testGroupIds, Permissions.READ, Resources.TASK); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); ArgumentCaptor<AuthorizationCheck> authorizationCheckArgument = ArgumentCaptor.forClass(AuthorizationCheck.class); verify(dbEntityManager).selectBoolean(eq("isUserAuthorizedForResource"), authorizationCheckArgument.capture()); AuthorizationCheck authorizationCheck = authorizationCheckArgument.getValue(); assertEquals(testGroupIds.subList(0, 1), authorizationCheck.getAuthGroupIds()); return null; } });
public boolean isAuthorized(String userId, List<String> groupIds, CompositePermissionCheck compositePermissionCheck) { for (PermissionCheck permissionCheck : compositePermissionCheck.getAllPermissionChecks()) { if (!isResourceValidForPermission(permissionCheck)) { throw LOG.invalidResourceForPermission(permissionCheck.getResource().resourceName(), permissionCheck.getPermission().getName()); } } List<String> filteredGroupIds = filterAuthenticatedGroupIds(groupIds); boolean isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds); AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled); return getDbEntityManager().selectBoolean("isUserAuthorizedForResource", authCheck); }
public void configureTaskQuery(TaskQueryImpl query) { configureQuery(query); if(query.getAuthCheck().isAuthorizationCheckEnabled()) { // necessary authorization check when the task is part of // a running process instance CompositePermissionCheck permissionCheck = new PermissionCheckBuilder() .disjunctive() .atomicCheck(TASK, "RES.ID_", READ) .atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_TASK) .build(); addPermissionCheck(query.getAuthCheck(), permissionCheck); } }
protected void addPermissionCheck(ListQueryParameterObject query, Resource resource, String queryParam, Permission permission) { CommandContext commandContext = getCommandContext(); if (isAuthorizationEnabled() && getCurrentAuthentication() != null && commandContext.isAuthorizationCheckEnabled()) { PermissionCheck permCheck = newPermissionCheck(); permCheck.setResource(resource); permCheck.setResourceIdQueryParam(queryParam); permCheck.setPermission(permission); query.getAuthCheck().addAtomicPermissionCheck(permCheck); } }
public void configureQuery(ListQueryParameterObject query) { AuthorizationCheck authCheck = query.getAuthCheck(); authCheck.getPermissionChecks().clear(); if(isAuthCheckExecuted()) { Authentication currentAuthentication = getCurrentAuthentication(); authCheck.setAuthUserId(currentAuthentication.getUserId()); authCheck.setAuthGroupIds(currentAuthentication.getGroupIds()); enableQueryAuthCheck(authCheck); } else { authCheck.setAuthorizationCheckEnabled(false); authCheck.setAuthUserId(null); authCheck.setAuthGroupIds(null); } }
public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); DbEntityManager dbEntityManager = spyOnSession(commandContext, DbEntityManager.class); authorizationService.isUserAuthorized(testUserId, testGroupIds, Permissions.READ, Resources.TASK); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); ArgumentCaptor<AuthorizationCheck> authorizationCheckArgument = ArgumentCaptor.forClass(AuthorizationCheck.class); verify(dbEntityManager).selectBoolean(eq("isUserAuthorizedForResource"), authorizationCheckArgument.capture()); AuthorizationCheck authorizationCheck = authorizationCheckArgument.getValue(); assertThat(authorizationCheck.getAuthGroupIds(), containsInAnyOrder(testGroupIds.toArray())); return null; } });
public boolean isAuthorized(String userId, List<String> groupIds, CompositePermissionCheck compositePermissionCheck) { for (PermissionCheck permissionCheck : compositePermissionCheck.getAllPermissionChecks()) { if (!isResourceValidForPermission(permissionCheck)) { throw LOG.invalidResourceForPermission(permissionCheck.getResource().resourceName(), permissionCheck.getPermission().getName()); } } List<String> filteredGroupIds = filterAuthenticatedGroupIds(groupIds); boolean isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds); AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled); return getDbEntityManager().selectBoolean("isUserAuthorizedForResource", authCheck); }
public void configureTaskQuery(TaskQueryImpl query) { configureQuery(query); if(query.getAuthCheck().isAuthorizationCheckEnabled()) { // necessary authorization check when the task is part of // a running process instance CompositePermissionCheck permissionCheck = new PermissionCheckBuilder() .disjunctive() .atomicCheck(TASK, "RES.ID_", READ) .atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_TASK) .build(); addPermissionCheck(query.getAuthCheck(), permissionCheck); } }
protected void addPermissionCheck(ListQueryParameterObject query, Resource resource, String queryParam, Permission permission) { CommandContext commandContext = getCommandContext(); if (isAuthorizationEnabled() && getCurrentAuthentication() != null && commandContext.isAuthorizationCheckEnabled()) { PermissionCheck permCheck = newPermissionCheck(); permCheck.setResource(resource); permCheck.setResourceIdQueryParam(queryParam); permCheck.setPermission(permission); query.getAuthCheck().addAtomicPermissionCheck(permCheck); } }
public void enableQueryAuthCheck(AuthorizationCheck authCheck) { List<String> authGroupIds = authCheck.getAuthGroupIds(); String authUserId = authCheck.getAuthUserId(); authCheck.setAuthorizationCheckEnabled(true); authCheck.setAuthGroupIds(filterAuthenticatedGroupIds(authGroupIds)); authCheck.setRevokeAuthorizationCheckEnabled(isRevokeAuthCheckEnabled(authUserId, authGroupIds)); }
public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); TaskQueryImpl taskQuery = (TaskQueryImpl) spy(processEngine.getTaskService().createTaskQuery()); AuthorizationCheck authCheck = spy(new AuthorizationCheck()); when(taskQuery.getAuthCheck()).thenReturn(authCheck); taskQuery.list(); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); verify(authCheck).setAuthGroupIds(eq(testGroupIds.subList(0, 1))); return null; } });
public void configureQuery(ListQueryParameterObject query) { AuthorizationCheck authCheck = query.getAuthCheck(); authCheck.getPermissionChecks().clear(); if(isAuthCheckExecuted()) { Authentication currentAuthentication = getCurrentAuthentication(); authCheck.setAuthUserId(currentAuthentication.getUserId()); authCheck.setAuthGroupIds(currentAuthentication.getGroupIds()); enableQueryAuthCheck(authCheck); } else { authCheck.setAuthorizationCheckEnabled(false); authCheck.setAuthUserId(null); authCheck.setAuthGroupIds(null); } }
@Test public void shouldCheckDbForCfgCaseInsensitive() { final ListQueryParameterObject query = new ListQueryParameterObject(); final AuthorizationCheck authCheck = query.getAuthCheck(); final HashMap<String, Object> expectedQueryParams = new HashMap<String, Object>(); expectedQueryParams.put("userId", AUTHENTICATED_USER_ID); expectedQueryParams.put("authGroupIds", AUTHENTICATED_GROUPS); // given when(mockedConfiguration.getAuthorizationCheckRevokes()).thenReturn("AuTo"); when(mockedEntityManager.selectBoolean(eq("selectRevokeAuthorization"), eq(expectedQueryParams))).thenReturn(true); // if authorizationManager.configureQuery(query); // then assertEquals(true, authCheck.isRevokeAuthorizationCheckEnabled()); verify(mockedEntityManager, times(1)).selectBoolean(eq("selectRevokeAuthorization"), eq(expectedQueryParams)); }
public Void execute(CommandContext commandContext) { AuthorizationManager authorizationManager = spyOnSession(commandContext, AuthorizationManager.class); DbEntityManager dbEntityManager = spyOnSession(commandContext, DbEntityManager.class); authorizationService.isUserAuthorized(testUserId, testGroupIds, Permissions.READ, Resources.TASK); verify(authorizationManager, atLeastOnce()).filterAuthenticatedGroupIds(eq(testGroupIds)); ArgumentCaptor<AuthorizationCheck> authorizationCheckArgument = ArgumentCaptor.forClass(AuthorizationCheck.class); verify(dbEntityManager).selectBoolean(eq("isUserAuthorizedForResource"), authorizationCheckArgument.capture()); AuthorizationCheck authorizationCheck = authorizationCheckArgument.getValue(); assertTrue(authorizationCheck.getAuthGroupIds().isEmpty()); return null; } });
public boolean isAuthorized(String userId, List<String> groupIds, List<PermissionCheck> permissionChecks) { if(!isAuthorizationEnabled()) { return true; } for (PermissionCheck permissionCheck : permissionChecks) { if (!isResourceValidForPermission(permissionCheck)) { throw LOG.invalidResourceForPermission(permissionCheck.getResource().resourceName(), permissionCheck.getPermission().getName()); } } List<String> filteredGroupIds = filterAuthenticatedGroupIds(groupIds); boolean isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds); AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, permissionChecks, isRevokeAuthorizationCheckEnabled); return getDbEntityManager().selectBoolean("isUserAuthorizedForResource", authCheck); }
protected void configureVariableInstanceQuery(VariableInstanceQueryImpl query) { configureQuery(query); if(query.getAuthCheck().isAuthorizationCheckEnabled()) { CompositePermissionCheck permissionCheck = new PermissionCheckBuilder() .disjunctive() .atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ) .atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE) .atomicCheck(TASK, "RES.TASK_ID_", READ) .build(); addPermissionCheck(query.getAuthCheck(), permissionCheck); } }