Examples of org.camunda.bpm.engine.authorization.Authorization

• org.camunda.bpm.engine.authorization.Authorization

  An {@link Authorization} assigns a set of {@link Permission Permissions}to an identity to interact with a given {@link Resource}.

  EXAMPLES:

  • User 'jonny' is authorized to start new instances of the 'invoice' process
  • Group 'marketing' is not authorized to cancel process instances.
  • Group 'marketing' is not allowed to use the tasklist application.
  • Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.

  Identities

  camunda BPM distinguished two types of identities: users and groups. Authorizations can either range over all users (userId = {@link #ANY}), an individual {@link User} or a {@link Group} of users.

  Permissions

  A {@link Permission} defines the way an identity is allowed to interactwith a certain resource. Examples of permissions are {@link Permissions#CREATE CREATE}, {@link Permissions#READ READ}, {@link Permissions#UPDATE UPDATE}, {@link Permissions#DELETE DELETE}, ... See {@link Permissions} for a set ofbuilt-in permissions.

  A single authorization object may assign multiple permissions to a single user and resource:

   authorization.addPermission(Permissions.READ); authorization.addPermission(Permissions.WRITE); authorization.addPermission(Permissions.DELETE); 

  On top of the built-in permissions, camunda BPM allows using custom permission types.

  Resources

  Resources are the entities the user interacts with. Examples of resources are {@link Resources#GROUP GROUPS}, {@link Resources#USER USERS}, process-definitions, process-instances, tasks ... See {@link Resources} for a setof built-in resource. The camunda BPM framework supports custom resources.

  Authorization Type

  There are three types of authorizations:

  • Global Authorizations ( {@link #AUTH_TYPE_GLOBAL}) range over all users and groups (userId = {@link #ANY}) and are usually used for fixing the "base" permission for a resource.
  • Grant Authorizations ( {@link #AUTH_TYPE_GRANT}) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
  • Revoke Authorizations ( {@link #AUTH_TYPE_REVOKE}) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.

  Authorization Precedence

  Authorizations may range over all users, an individual user or a group of users or . They may apply to an individual resource instance or all instances of the same type (resourceId = {@link #ANY}). The precedence is as follows:

  1. An authorization applying to an individual resource instance preceds over an authorization applying to all instances of the same resource type.
  2. An authorization for an individual user preceds over an authorization for a group.
  3. A Group authorization preced over a {@link #AUTH_TYPE_GLOBAL GLOBAL} authorization.
  4. A Group {@link #AUTH_TYPE_REVOKE REVOKE} authorization preced over a Group{@link #AUTH_TYPE_GRANT GRANT} authorization.

  @author Daniel Meyer @since 7.0

  protected User createTestUser(String userId) {
    User user = identityService.newUser(userId);
    identityService.saveUser(user);

    // give user all permission to manipulate authorisations
    Authorization authorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    authorization.setUserId(user.getId());
    authorization.setResource(Resources.AUTHORIZATION);
    authorization.setResourceId(Authorization.ANY);
    authorization.addPermission(Permissions.ALL);
    authorizationService.saveAuthorization(authorization);

    // give user all permission to manipulate users
    authorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    authorization.setUserId(user.getId());
    authorization.setResource(Resources.USER);
    authorization.setResourceId(Authorization.ANY);
    authorization.addPermission(Permissions.ALL);
    authorizationService.saveAuthorization(authorization);

    return user;
  }

    Filter filter = filterService.newTaskFilter("testFilter");
    return filterService.saveFilter(filter);
  }

  protected Authorization createAuthorization(Permission permission, String resourceId) {
    Authorization authorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    authorization.setUserId(testUser.getId());
    authorization.setResource(Resources.FILTER);
    authorization.addPermission(permission);
    if (resourceId != null) {
      authorization.setResourceId(resourceId);
    }
    return authorization;
  }

    authorizationService = processEngine.getAuthorizationService();
  }

  public AuthorizationDto getAuthorization(UriInfo context) {

    Authorization dbAuthorization = getDbAuthorization();

    return AuthorizationDto.fromAuthorization(dbAuthorization);

  }

    return AuthorizationDto.fromAuthorization(dbAuthorization);

  }

  public void deleteAuthorization() {
    Authorization dbAuthorization = getDbAuthorization();
    authorizationService.deleteAuthorization(dbAuthorization.getId());
  }

    authorizationService.deleteAuthorization(dbAuthorization.getId());
  }

  public void updateAuthorization(AuthorizationDto dto) {
    // get db auth
    Authorization dbAuthorization = getDbAuthorization();
    // copy values from dto
    AuthorizationDto.update(dto, dbAuthorization);
    // save
    authorizationService.saveAuthorization(dbAuthorization);
  }

  }

  // utils //////////////////////////////////////////////////

  protected Authorization getDbAuthorization() {
    Authorization dbAuthorization = authorizationService.createAuthorizationQuery()
      .authorizationId(resourceId)
      .singleResult();

    if (dbAuthorization == null) {
      throw new InvalidRequestException(Status.NOT_FOUND, "Authorization with id " + resourceId + " does not exist.");

      identityService.createMembership("peter", "management");


      // authorize groups for tasklist only:

      Authorization salesTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      salesTasklistAuth.setGroupId("sales");
      salesTasklistAuth.addPermission(ACCESS);
      salesTasklistAuth.setResourceId("tasklist");
      salesTasklistAuth.setResource(APPLICATION);
      authorizationService.saveAuthorization(salesTasklistAuth);

      Authorization accountingTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      accountingTasklistAuth.setGroupId("accounting");
      accountingTasklistAuth.addPermission(ACCESS);
      accountingTasklistAuth.setResourceId("tasklist");
      accountingTasklistAuth.setResource(APPLICATION);
      authorizationService.saveAuthorization(accountingTasklistAuth);

      Authorization managementTasklistAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      managementTasklistAuth.setGroupId("management");
      managementTasklistAuth.addPermission(ACCESS);
      managementTasklistAuth.setResourceId("tasklist");
      managementTasklistAuth.setResource(APPLICATION);
      authorizationService.saveAuthorization(managementTasklistAuth);

      Authorization salesDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      salesDemoAuth.setGroupId("sales");
      salesDemoAuth.setResource(USER);
      salesDemoAuth.setResourceId("demo");
      salesDemoAuth.addPermission(READ);
      authorizationService.saveAuthorization(salesDemoAuth);

      Authorization salesJohnAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      salesJohnAuth.setGroupId("sales");
      salesJohnAuth.setResource(USER);
      salesJohnAuth.setResourceId("john");
      salesJohnAuth.addPermission(READ);
      authorizationService.saveAuthorization(salesJohnAuth);

      Authorization manDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      manDemoAuth.setGroupId("management");
      manDemoAuth.setResource(USER);
      manDemoAuth.setResourceId("demo");
      manDemoAuth.addPermission(READ);
      authorizationService.saveAuthorization(manDemoAuth);

      Authorization manPeterAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      manPeterAuth.setGroupId("management");
      manPeterAuth.setResource(USER);
      manPeterAuth.setResourceId("peter");
      manPeterAuth.addPermission(READ);
      authorizationService.saveAuthorization(manPeterAuth);

      Authorization accDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      accDemoAuth.setGroupId("accounting");
      accDemoAuth.setResource(USER);
      accDemoAuth.setResourceId("demo");
      accDemoAuth.addPermission(READ);
      authorizationService.saveAuthorization(accDemoAuth);

      Authorization accMaryAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
      accMaryAuth.setGroupId("accounting");
      accMaryAuth.setResource(USER);
      accMaryAuth.setResourceId("mary");
      accMaryAuth.addPermission(READ);
      authorizationService.saveAuthorization(accMaryAuth);

      // create default filters

      FilterService filterService = engine.getFilterService();

      Map<String, Object> filterProperties = new HashMap<String, Object>();
      filterProperties.put("description", "Tasks assigned to me");
      filterProperties.put("priority", -10);
      addVariables(filterProperties);
      TaskService taskService = engine.getTaskService();
      TaskQuery query = taskService.createTaskQuery().taskAssigneeExpression("${currentUser()}");
      Filter myTasksFilter = filterService.newTaskFilter().setName("My Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
      filterService.saveFilter(myTasksFilter);

      filterProperties.clear();
      filterProperties.put("description", "Tasks assigned to my Groups");
      filterProperties.put("priority", -5);
      addVariables(filterProperties);
      query = taskService.createTaskQuery().taskCandidateGroupInExpression("${currentUserGroups()}").taskUnassigned();
      Filter groupTasksFilter = filterService.newTaskFilter().setName("My Group Tasks").setProperties(filterProperties).setOwner("demo").setQuery(query);
      filterService.saveFilter(groupTasksFilter);

      // global read authorizations for these filters

      Authorization globalMyTaskFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
      globalMyTaskFilterRead.setResource(FILTER);
      globalMyTaskFilterRead.setResourceId(myTasksFilter.getId());
      globalMyTaskFilterRead.addPermission(READ);
      authorizationService.saveAuthorization(globalMyTaskFilterRead);

      Authorization globalGroupFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
      globalGroupFilterRead.setResource(FILTER);
      globalGroupFilterRead.setResourceId(groupTasksFilter.getId());
      globalGroupFilterRead.addPermission(READ);
      authorizationService.saveAuthorization(globalGroupFilterRead);

      // management filter

      filterProperties.clear();
      filterProperties.put("description", "Tasks for Group Accounting");
      filterProperties.put("priority", -5);
      addVariables(filterProperties);
      query = taskService.createTaskQuery().taskCandidateGroupIn(Arrays.asList("accounting")).taskUnassigned();
      Filter candidateGroupTasksFilter = filterService.newTaskFilter().setName("Accounting").setProperties(filterProperties).setOwner("demo").setQuery(query);
      filterService.saveFilter(candidateGroupTasksFilter);

      Authorization managementGroupFilterRead = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
      managementGroupFilterRead.setResource(FILTER);
      managementGroupFilterRead.setResourceId(candidateGroupTasksFilter.getId());
      managementGroupFilterRead.addPermission(READ);
      managementGroupFilterRead.setGroupId("accounting");
      authorizationService.saveAuthorization(managementGroupFilterRead);

      // john's tasks

      filterProperties.clear();

    cleanupAfterTest();
    super.tearDown();
  }

  public void testGlobalAuthorizationType() {
    Authorization globalAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    // I can set userId = null
    globalAuthorization.setUserId(null);
    // I can set userId = ANY
    globalAuthorization.setUserId(ANY);

    try {
      // I cannot set anything else:
      globalAuthorization.setUserId("something");
      fail("exception expected");

    } catch (Exception e) {
      assertTextPresent("Illegal value something for userId for GLOBAL authorization. must be '*'", e.getMessage());

    }

    // I can set groupId = null
    globalAuthorization.setGroupId(null);

    try {
      // I cannot set anything else:
      globalAuthorization.setGroupId("something");
      fail("exception expected");

    } catch (Exception e) {
      assertTextPresent("Cannot use groupId for GLOBAL authorization", e.getMessage());
    }

      assertTextPresent("Cannot use groupId for GLOBAL authorization", e.getMessage());
    }
  }

  public void testGrantAuthorizationType() {
    Authorization grantAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    // I can set userId = null
    grantAuthorization.setUserId(null);
    // I can set userId = ANY
    grantAuthorization.setUserId(ANY);
    // I can set anything else:
    grantAuthorization.setUserId("something");
    // I can set groupId = null
    grantAuthorization.setGroupId(null);
    // I can set anything else:
    grantAuthorization.setGroupId("something");
  }

    // I can set anything else:
    grantAuthorization.setGroupId("something");
  }

  public void testRevokeAuthorizationType() {
    Authorization revokeAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    // I can set userId = null
    revokeAuthorization.setUserId(null);
    // I can set userId = ANY
    revokeAuthorization.setUserId(ANY);
    // I can set anything else:
    revokeAuthorization.setUserId("something");
    // I can set groupId = null
    revokeAuthorization.setGroupId(null);
    // I can set anything else:
    revokeAuthorization.setGroupId("something");
  }