/* STATISTICS QUERY */
public virtual void configureDeploymentStatisticsQuery(DeploymentStatisticsQueryImpl query)
{
configureQuery(query, DEPLOYMENT, "RES.ID_");
query.ProcessInstancePermissionChecks.Clear();
query.JobPermissionChecks.Clear();
query.IncidentPermissionChecks.Clear();
if (query.AuthCheck.AuthorizationCheckEnabled)
{
CompositePermissionCheck processInstancePermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "EXECUTION.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build();
query.addProcessInstancePermissionCheck(processInstancePermissionCheck.AllPermissionChecks);
if (query.FailedJobsToInclude)
{
CompositePermissionCheck jobPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "JOB.PROCESS_INSTANCE_ID_", READ).atomicCheck(PROCESS_DEFINITION, "JOB.PROCESS_DEF_KEY_", READ_INSTANCE).build();
query.addJobPermissionCheck(jobPermissionCheck.AllPermissionChecks);
}
if (query.IncidentsToInclude)
{
CompositePermissionCheck incidentPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "INC.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build();
query.addIncidentPermissionCheck(incidentPermissionCheck.AllPermissionChecks);
}
}
}
protected internal virtual CompositePermissionCheck createCompositePermissionCheck(PermissionCheck permissionCheck)
{
CompositePermissionCheck compositePermissionCheck = new CompositePermissionCheck();
compositePermissionCheck.AtomicChecks = Arrays.asList(permissionCheck);
return(compositePermissionCheck);
}
public virtual void configureExternalTaskQuery(ExternalTaskQueryImpl query)
{
configureQuery(query);
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_INSTANCE).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
public virtual void configureConditionalEventSubscriptionQuery(ListQueryParameterObject query)
{
configureQuery(query);
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
public virtual void configureQuery(AbstractQuery query, Resource resource, string queryParam, Permission permission)
{
configureQuery(query);
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).atomicCheck(resource, queryParam, permission).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
// user operation log query ///////////////////////////////
public virtual void configureUserOperationLogQuery(UserOperationLogQueryImpl query)
{
configureQuery(query);
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_HISTORY).atomicCheck(Resources.OPERATION_LOG_CATEGORY, "RES.CATEGORY_", READ).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
// execution/process instance query ////////////////////////
public virtual void configureExecutionQuery(AbstractQuery query)
{
configureQuery(query);
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ_INSTANCE).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
public virtual void configureExternalTaskFetch(ListQueryParameterObject parameter)
{
configureQuery(parameter);
CompositePermissionCheck permissionCheck = newPermissionCheckBuilder().conjunctive().composite().disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", READ_INSTANCE).done().composite().disjunctive().atomicCheck(PROCESS_INSTANCE, "RES.PROC_INST_ID_", UPDATE).atomicCheck(PROCESS_DEFINITION, "RES.PROC_DEF_KEY_", UPDATE_INSTANCE).done().build();
addPermissionCheck(parameter.AuthCheck, permissionCheck);
}
public virtual void configureQueryHistoricFinishedInstanceReport(ListQueryParameterObject query, Resource resource)
{
configureQuery(query);
CompositePermissionCheck compositePermissionCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheck(resource, "RES.KEY_", READ).atomicCheck(resource, "RES.KEY_", READ_HISTORY).build();
query.AuthCheck.PermissionChecks = compositePermissionCheck;
}
public virtual bool IsAuthorized(string userId, IList <string> groupIds, CompositePermissionCheck compositePermissionCheck)
{
//IList<string> filteredGroupIds = FilterAuthenticatedGroupIds(groupIds);
//bool isRevokeAuthorizationCheckEnabled = IsRevokeAuthCheckEnabled(userId, groupIds);
//AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled);
//return DbEntityManager.SelectBoolean("isUserAuthorizedForResource", authCheck);
throw new NotImplementedException();
}
public virtual bool IsAuthorized(CompositePermissionCheck compositePermissionCheck)
{
Authentication currentAuthentication = CurrentAuthentication;
if (currentAuthentication != null)
{
return(IsAuthorized(currentAuthentication.UserId, currentAuthentication.GroupIds, compositePermissionCheck));
}
else
{
return(true);
}
}
// task query //////////////////////////////////////////////
public virtual void configureTaskQuery(TaskQueryImpl query)
{
configureQuery(query);
if (query.AuthCheck.AuthorizationCheckEnabled)
{
// necessary authorization check when the task is part of
// a running process instance
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(TASK, "RES.ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_TASK).build();
addPermissionCheck(query.AuthCheck, permissionCheck);
}
}
public virtual bool isAuthorized(string userId, IList <string> groupIds, CompositePermissionCheck compositePermissionCheck)
{
foreach (PermissionCheck permissionCheck in compositePermissionCheck.AllPermissionChecks)
{
if (!isResourceValidForPermission(permissionCheck))
{
throw LOG.invalidResourceForPermission(permissionCheck.Resource.resourceName(), permissionCheck.Permission.Name);
}
}
IList <string> filteredGroupIds = filterAuthenticatedGroupIds(groupIds);
bool isRevokeAuthorizationCheckEnabled = isRevokeAuthCheckEnabled(userId, groupIds);
AuthorizationCheck authCheck = new AuthorizationCheck(userId, filteredGroupIds, compositePermissionCheck, isRevokeAuthorizationCheckEnabled);
return(DbEntityManager.selectBoolean("isUserAuthorizedForResource", authCheck));
}
public virtual void CheckAuthorization(CompositePermissionCheck compositePermissionCheck)
{
if (AuthCheckExecuted)
{
Authentication currentAuthentication = CurrentAuthentication;
string userId = currentAuthentication.UserId;
bool isAuthorized = IsAuthorized(compositePermissionCheck);
if (!isAuthorized)
{
IList <MissingAuthorization> missingAuthorizations = new List <MissingAuthorization>();
foreach (PermissionCheck check in compositePermissionCheck.AllPermissionChecks)
{
missingAuthorizations.Add(new MissingAuthorization(check.Permission.ToString(), check.Resource.ToString(), check.ResourceId));
}
throw new AuthorizationException(userId, missingAuthorizations);
}
}
}
// process definition query ////////////////////////////////
public virtual void configureProcessDefinitionQuery(ProcessDefinitionQueryImpl query)
{
configureQuery(query, PROCESS_DEFINITION, "RES.KEY_");
if (query.StartablePermissionCheck)
{
AuthorizationCheck authorizationCheck = query.AuthCheck;
if (!authorizationCheck.RevokeAuthorizationCheckEnabled)
{
CompositePermissionCheck permCheck = (new PermissionCheckBuilder()).atomicCheck(PROCESS_DEFINITION, "RES.KEY_", Permissions.CREATE_INSTANCE).build();
query.addProcessDefinitionCreatePermissionCheck(permCheck);
}
else
{
CompositePermissionCheck permissionCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheck(PROCESS_DEFINITION, "RES.KEY_", READ).atomicCheck(PROCESS_DEFINITION, "RES.KEY_", Permissions.CREATE_INSTANCE).build();
addPermissionCheck(authorizationCheck, permissionCheck);
}
}
}
public virtual void configureActivityStatisticsQuery(ActivityStatisticsQueryImpl query)
{
configureQuery(query);
query.ProcessInstancePermissionChecks.Clear();
query.JobPermissionChecks.Clear();
query.IncidentPermissionChecks.Clear();
if (query.AuthCheck.AuthorizationCheckEnabled)
{
CompositePermissionCheck processInstancePermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "E.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "P.KEY_", READ_INSTANCE).build();
// the following is need in order to evaluate whether to perform authCheck or not
query.AuthCheck.PermissionChecks = processInstancePermissionCheck;
// the actual check
query.addProcessInstancePermissionCheck(processInstancePermissionCheck.AllPermissionChecks);
if (query.FailedJobsToInclude)
{
CompositePermissionCheck jobPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "JOB.PROCESS_INSTANCE_ID_", READ).atomicCheck(PROCESS_DEFINITION, "JOB.PROCESS_DEF_KEY_", READ_INSTANCE).build();
// the following is need in order to evaluate whether to perform authCheck or not
query.AuthCheck.PermissionChecks = jobPermissionCheck;
// the actual check
query.addJobPermissionCheck(jobPermissionCheck.AllPermissionChecks);
}
if (query.IncidentsToInclude)
{
CompositePermissionCheck incidentPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheck(PROCESS_INSTANCE, "I.PROC_INST_ID_", READ).atomicCheck(PROCESS_DEFINITION, "PROCDEF.KEY_", READ_INSTANCE).build();
// the following is need in order to evaluate whether to perform authCheck or not
query.AuthCheck.PermissionChecks = incidentPermissionCheck;
// the actual check
query.addIncidentPermissionCheck(incidentPermissionCheck.AllPermissionChecks);
}
}
}
//protected internal override void ConfigureQuery(ListQueryParameterObject query, Resources resource)
//{
// ConfigureQuery(query, resource, "RES.ID_");
//}
//public virtual void ConfigureQuery(ListQueryParameterObject query, Resources resource, string queryParam)
//{
// ConfigureQuery(query, resource, queryParam, Permissions.Read);
//}
//public virtual void ConfigureQuery(ListQueryParameterObject query, Resources resource, string queryParam, Permissions permission)
//{
// ConfigureQuery(query);
// AddPermissionCheck(query, resource, queryParam, permission);
//}
//protected internal virtual void AddPermissionCheck(ListQueryParameterObject query,Resources resource, string queryParam, Permissions permission)
//{
// CommandContext commandContext = CommandContext;
// if (AuthorizationEnabled && CurrentAuthentication != null && commandContext.AuthorizationCheckEnabled)
// {
// PermissionCheck permCheck = NewPermissionCheck();
// permCheck.Resource = resource;
// permCheck.ResourceIdQueryParam = queryParam;
// permCheck.Permission = permission;
// query.AuthCheck.AddAtomicPermissionCheck(permCheck);
// }
//}
protected internal virtual void AddPermissionCheck(AuthorizationCheck authCheck, CompositePermissionCheck compositeCheck)
{
CommandContext commandContext = CommandContext;
if (AuthorizationEnabled && CurrentAuthentication != null && commandContext.AuthorizationCheckEnabled)
{
authCheck.PermissionChecks = compositeCheck;
}
}
public virtual void addProcessDefinitionCreatePermissionCheck(CompositePermissionCheck processDefinitionCreatePermissionCheck)
{
((IList <PermissionCheck>)processDefinitionCreatePermissionChecks).AddRange(processDefinitionCreatePermissionCheck.AllPermissionChecks);
}
protected internal virtual void checkAuthorizations(CommandContext commandContext, ProcessDefinitionEntity sourceDefinition, ProcessDefinitionEntity targetDefinition, ICollection <string> processInstanceIds)
{
CompositePermissionCheck migrateInstanceCheck = (new PermissionCheckBuilder()).conjunctive().atomicCheckForResourceId(Resources.PROCESS_DEFINITION, sourceDefinition.Key, Permissions.MIGRATE_INSTANCE).atomicCheckForResourceId(Resources.PROCESS_DEFINITION, targetDefinition.Key, Permissions.MIGRATE_INSTANCE).build();
commandContext.AuthorizationManager.checkAuthorization(migrateInstanceCheck);
}
