/* STATISTICS QUERY */ public virtual void configureDeploymentStatisticsQuery(DeploymentStatisticsQueryImpl query) { configureQuery(query, DEPLOYMENT, "RES.ID_"); query.ProcessInstancePermissionChecks.Clear(); query.JobPermissionChecks.Clear(); query.IncidentPermissionChecks.Clear(); if (query.AuthCheck.AuthorizationCheckEnabled) { CompositePermissionCheck processInstancePermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "EXECUTION.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build(); query.addProcessInstancePermissionCheck(processInstancePermissionCheck.AllPermissionChecks); if (query.FailedJobsToInclude) { CompositePermissionCheck jobPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "JOB.PROCESS_INSTANCE_ID_", READ).atomicCheck(PROCESS_DEFINITION, "JOB.PROCESS_DEF_KEY_", READ_INSTANCE).build(); query.addJobPermissionCheck(jobPermissionCheck.AllPermissionChecks); } if (query.IncidentsToInclude) { CompositePermissionCheck incidentPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "INC.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build(); query.addIncidentPermissionCheck(incidentPermissionCheck.AllPermissionChecks); } } }
protected internal virtual CompositePermissionCheck createCompositePermissionCheck(PermissionCheck permissionCheck) { CompositePermissionCheck compositePermissionCheck = new CompositePermissionCheck(); compositePermissionCheck.AtomicChecks = Arrays.asList(permissionCheck); return(compositePermissionCheck); }
public virtual void configureExternalTaskQuery(ExternalTaskQueryImpl query) { configureQuery(query); CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_INSTANCE).build(); addPermissionCheck(query.AuthCheck, permissionCheck); }
public virtual void configureConditionalEventSubscriptionQuery(ListQueryParameterObject query) { configureQuery(query); CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ).build(); addPermissionCheck(query.AuthCheck, permissionCheck); }
public virtual void configureQuery(AbstractQuery query, Resource resource, string queryParam, Permission permission) { configureQuery(query); CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).atomicCheck(resource, queryParam, permission).build(); addPermissionCheck(query.AuthCheck, permissionCheck); }
// user operation log query /////////////////////////////// public virtual void configureUserOperationLogQuery(UserOperationLogQueryImpl query) { configureQuery(query); CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_HISTORY).atomicCheck(Resources.OPERATION_LOG_CATEGORY, "RES.CATEGORY_", READ).build(); addPermissionCheck(query.AuthCheck, permissionCheck); }
// execution/process instance query //////////////////////// public virtual void configureExecutionQuery(AbstractQuery query) { configureQuery(query); CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ_INSTANCE).build(); addPermissionCheck(query.AuthCheck, permissionCheck); }
public virtual void configureExternalTaskFetch(ListQueryParameterObject parameter) { configureQuery(parameter); CompositePermissionCheck permissionCheck = newPermissionCheckBuilder().conjunctive().composite().disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_INSTANCE).done().composite().disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", UPDATE).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", UPDATE_INSTANCE).done().build(); addPermissionCheck(parameter.AuthCheck, permissionCheck); }
public virtual void configureQueryHistoricFinishedInstanceReport(ListQueryParameterObject query, Resource resource) { configureQuery(query); CompositePermissionCheck compositePermissionCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheck(resource, "RES.KEY_", READ).atomicCheck(resource, "RES.KEY_", READ_HISTORY).build(); query.AuthCheck.PermissionChecks = compositePermissionCheck; }
public virtual bool IsAuthorized(string userId, IList <string> groupIds, CompositePermissionCheck compositePermissionCheck) { //IList<string> filteredGroupIds = FilterAuthenticatedGroupIds(groupIds); //bool isRevokeAuthorizationCheckEnabled = IsRevokeAuthCheckEnabled(userId, groupIds); //AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled); //return DbEntityManager.SelectBoolean("isUserAuthorizedForResource", authCheck); throw new NotImplementedException(); }
public virtual bool IsAuthorized(CompositePermissionCheck compositePermissionCheck) { Authentication currentAuthentication = CurrentAuthentication; if (currentAuthentication != null) { return(IsAuthorized(currentAuthentication.UserId, currentAuthentication.GroupIds, compositePermissionCheck)); } else { return(true); } }
// task query ////////////////////////////////////////////// public virtual void configureTaskQuery(TaskQueryImpl query) { configureQuery(query); if (query.AuthCheck.AuthorizationCheckEnabled) { // necessary authorization check when the task is part of // a running process instance CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(TASK, "RES.ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_TASK).build(); addPermissionCheck(query.AuthCheck, permissionCheck); } }
public virtual bool isAuthorized(string userId, IList <string> groupIds, CompositePermissionCheck compositePermissionCheck) { foreach (PermissionCheck permissionCheck in compositePermissionCheck.AllPermissionChecks) { if (!isResourceValidForPermission(permissionCheck)) { throw LOG.invalidResourceForPermission(permissionCheck.Resource.resourceName(), permissionCheck.Permission.Name); } } IList <string> filteredGroupIds = filterAuthenticatedGroupIds(groupIds); bool isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds); AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled); return(DbEntityManager.selectBoolean("isUserAuthorizedForResource", authCheck)); }
public virtual void CheckAuthorization(CompositePermissionCheck compositePermissionCheck) { if (AuthCheckExecuted) { Authentication currentAuthentication = CurrentAuthentication; string userId = currentAuthentication.UserId; bool isAuthorized = IsAuthorized(compositePermissionCheck); if (!isAuthorized) { IList <MissingAuthorization> missingAuthorizations = new List <MissingAuthorization>(); foreach (PermissionCheck check in compositePermissionCheck.AllPermissionChecks) { missingAuthorizations.Add(new MissingAuthorization(check.Permission.ToString(), check.Resource.ToString(), check.ResourceId)); } throw new AuthorizationException(userId, missingAuthorizations); } } }
// process definition query //////////////////////////////// public virtual void configureProcessDefinitionQuery(ProcessDefinitionQueryImpl query) { configureQuery(query, PROCESS_DEFINITION, "RES.KEY_"); if (query.StartablePermissionCheck) { AuthorizationCheck authorizationCheck = query.AuthCheck; if (!authorizationCheck.RevokeAuthorizationCheckEnabled) { CompositePermissionCheck permCheck = (new PermissionCheckBuilder()).atomicCheck(PROCESS_DEFINITION, "RES.KEY_", Permissions.CREATE_INSTANCE).build(); query.addProcessDefinitionCreatePermissionCheck(permCheck); } else { CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheck(PROCESS_DEFINITION, "RES.KEY_", READ).atomicCheck(PROCESS_DEFINITION, "RES.KEY_", Permissions.CREATE_INSTANCE).build(); addPermissionCheck(authorizationCheck, permissionCheck); } } }
public virtual void configureActivityStatisticsQuery(ActivityStatisticsQueryImpl query) { configureQuery(query); query.ProcessInstancePermissionChecks.Clear(); query.JobPermissionChecks.Clear(); query.IncidentPermissionChecks.Clear(); if (query.AuthCheck.AuthorizationCheckEnabled) { CompositePermissionCheck processInstancePermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "E.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ_INSTANCE).build(); // the following is need in order to evaluate whether to perform authCheck or not query.AuthCheck.PermissionChecks = processInstancePermissionCheck; // the actual check query.addProcessInstancePermissionCheck(processInstancePermissionCheck.AllPermissionChecks); if (query.FailedJobsToInclude) { CompositePermissionCheck jobPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "JOB.PROCESS_INSTANCE_ID_", READ).atomicCheck(PROCESS_DEFINITION, "JOB.PROCESS_DEF_KEY_", READ_INSTANCE).build(); // the following is need in order to evaluate whether to perform authCheck or not query.AuthCheck.PermissionChecks = jobPermissionCheck; // the actual check query.addJobPermissionCheck(jobPermissionCheck.AllPermissionChecks); } if (query.IncidentsToInclude) { CompositePermissionCheck incidentPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "I.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build(); // the following is need in order to evaluate whether to perform authCheck or not query.AuthCheck.PermissionChecks = incidentPermissionCheck; // the actual check query.addIncidentPermissionCheck(incidentPermissionCheck.AllPermissionChecks); } } }
//protected internal override void ConfigureQuery(ListQueryParameterObject query, Resources resource) //{ // ConfigureQuery(query, resource, "RES.ID_"); //} //public virtual void ConfigureQuery(ListQueryParameterObject query, Resources resource, string queryParam) //{ // ConfigureQuery(query, resource, queryParam, Permissions.Read); //} //public virtual void ConfigureQuery(ListQueryParameterObject query, Resources resource, string queryParam, Permissions permission) //{ // ConfigureQuery(query); // AddPermissionCheck(query, resource, queryParam, permission); //} //protected internal virtual void AddPermissionCheck(ListQueryParameterObject query,Resources resource, string queryParam, Permissions permission) //{ // CommandContext commandContext = CommandContext; // if (AuthorizationEnabled && CurrentAuthentication != null && commandContext.AuthorizationCheckEnabled) // { // PermissionCheck permCheck = NewPermissionCheck(); // permCheck.Resource = resource; // permCheck.ResourceIdQueryParam = queryParam; // permCheck.Permission = permission; // query.AuthCheck.AddAtomicPermissionCheck(permCheck); // } //} protected internal virtual void AddPermissionCheck(AuthorizationCheck authCheck, CompositePermissionCheck compositeCheck) { CommandContext commandContext = CommandContext; if (AuthorizationEnabled && CurrentAuthentication != null && commandContext.AuthorizationCheckEnabled) { authCheck.PermissionChecks = compositeCheck; } }
public virtual void addProcessDefinitionCreatePermissionCheck(CompositePermissionCheck processDefinitionCreatePermissionCheck) { ((IList <PermissionCheck>)processDefinitionCreatePermissionChecks).AddRange(processDefinitionCreatePermissionCheck.AllPermissionChecks); }
protected internal virtual void checkAuthorizations(CommandContext commandContext, ProcessDefinitionEntity sourceDefinition, ProcessDefinitionEntity targetDefinition, ICollection <string> processInstanceIds) { CompositePermissionCheck migrateInstanceCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheckForResourceId(Resources.PROCESS_DEFINITION, sourceDefinition.Key, Permissions.MIGRATE_INSTANCE).atomicCheckForResourceId(Resources.PROCESS_DEFINITION, targetDefinition.Key, Permissions.MIGRATE_INSTANCE).build(); commandContext.AuthorizationManager.checkAuthorization(migrateInstanceCheck); }