

KOGITO-774 - Enforce user task authorisation for any task that has users/groups assigned (apache#113)
mswiderski authored Dec 16, 2019
1 parent 7eee637 commit a202344
Showing 9 changed files with 64 additions and 54 deletions.
@@ -1,2 +1,2 @@
quarkus.infinispan-client.server-list=localhost:11222
quarkus.http.cors=true
quarkus.http.cors=true
Expand Up @@ -5,6 +5,7 @@
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
Expand All @@ -16,11 +17,13 @@
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.kie.kogito.Model;
import org.kie.kogito.auth.SecurityPolicy;
import org.kie.kogito.examples.demo.Order;
import org.kie.kogito.process.Process;
import org.kie.kogito.process.ProcessInstance;
import org.kie.kogito.process.ProcessInstances;
import org.kie.kogito.process.WorkItem;
import org.kie.kogito.services.identity.StaticIdentityProvider;

import io.quarkus.test.junit.QuarkusTest;

Expand All @@ -34,6 +37,8 @@ public class OrdersProcessTest {
@Inject
@Named("demo.orderItems")
Process<? extends Model> orderItemsProcess;

private SecurityPolicy policy = SecurityPolicy.of(new StaticIdentityProvider("john", Collections.singletonList("managers")));

@BeforeEach
public void setup() {
Expand Down Expand Up @@ -68,10 +73,10 @@ public void testOrderProcess() {

ProcessInstance<?> childProcessInstance = orderItemProcesses.values().iterator().next();

List<WorkItem> workItems = childProcessInstance.workItems();
List<WorkItem> workItems = childProcessInstance.workItems(policy);
assertEquals(1, workItems.size());

childProcessInstance.completeWorkItem(workItems.get(0).getId(), null);
childProcessInstance.completeWorkItem(workItems.get(0).getId(), null, policy);

assertEquals(ProcessInstance.STATE_COMPLETED, childProcessInstance.status());
Optional<?> pi = orderProcess.instances().findById(processInstance.id());
Expand Down Expand Up @@ -115,10 +120,10 @@ public void testOrderProcessWithError() {

ProcessInstance<?> childProcessInstance = orderItemProcesses.values().iterator().next();

List<WorkItem> workItems = childProcessInstance.workItems();
List<WorkItem> workItems = childProcessInstance.workItems(policy);
assertEquals(1, workItems.size());

childProcessInstance.completeWorkItem(workItems.get(0).getId(), null);
childProcessInstance.completeWorkItem(workItems.get(0).getId(), null, policy);

assertEquals(ProcessInstance.STATE_COMPLETED, childProcessInstance.status());
assertEquals(ProcessInstance.STATE_COMPLETED, processInstance.status());
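Review bot: The new `policy` field at +40 hard-codes user `john` in group `managers` without saying what those values must agree with, and both testOrderProcess and testOrderProcessWithError only exercise the authorised path, so a regression that stopped enforcing assignments would still pass. A comment on the field such as `// identity must match the actor/group assigned to the user task in the process definition (see the Verify_order task named in the REST test) — confirm against the BPMN` would make the coupling explicit. A negative assertion next to the existing size check, `assertEquals(0, childProcessInstance.workItems(SecurityPolicy.of(new StaticIdentityProvider("someone-else"))).size());` (identity constructed for the example), would actually prove the enforcement this commit introduces. The Spring-side OrderServiceApiTest (hunks -36,6 +39,8 and -68,12 +73,13) has the same field and the same gap; the test method bodies continue outside these hunks.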
Expand Up @@ -131,15 +131,15 @@ public void testOrdersWithOrderItemsRest() {
.statusCode(200).body("id", is(orderItemsId));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks?user=john").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
taskInfo.containsValue("Verify_order");

// test completing task
String payload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(payload).when().post("/orderItems/" + orderItemsId + "/Verify_order/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(payload).when().post("/orderItems/" + orderItemsId + "/Verify_order/" + taskInfo.keySet().iterator().next() + "?user=john").then()
.statusCode(200).body("id", is(orderItemsId));

// get all orders make sure there is zero
Expand Down Expand Up @@ -177,7 +177,7 @@ public void testOrdersWithOrderItemsAbortedRest() {
.statusCode(200).body("id", is(orderItemsId));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks?user=john").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
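Review bot: The identity on the new `/tasks?user=john` and `/Verify_order/...?user=john` lines is a query parameter, i.e. a claim made by the caller rather than an authenticated principal, and the tests do not check what happens when that claim is absent or names an unassigned user. A comment at the first `?user=john` occurrence, `// demo identity mechanism: the user is taken from the query string, so these tests assert authorisation against a caller-supplied identity, not authentication`, would keep readers from reading it as a security boundary. A second request to `/orderItems/<id>/tasks` without the parameter (or with a different user) asserting whichever rejection the endpoint returns — an empty map or a 403, not visible from this page — would cover the enforcement path. The persons REST tests (hunk -65,15 +65,15 onwards) and the Spring orders REST test (hunk -170,15 +170,15) share this pattern.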
Expand Up @@ -5,6 +5,7 @@
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.assertFalse;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
Expand All @@ -30,6 +31,8 @@ public class PersonProcessTest {
@Inject
@Named("persons")
Process<? extends Model> personProcess;

private SecurityPolicy policy = SecurityPolicy.of(new StaticIdentityProvider("admin", Collections.singletonList("managers")));

@Test
public void testAdult() {
Expand Down Expand Up @@ -63,10 +66,10 @@ public void testChild() {
assertEquals(1, result.toMap().size());
assertFalse(((Person)result.toMap().get("person")).isAdult());

List<WorkItem> workItems = processInstance.workItems();
List<WorkItem> workItems = processInstance.workItems(policy);
assertEquals(1, workItems.size());

processInstance.completeWorkItem(workItems.get(0).getId(), null);
processInstance.completeWorkItem(workItems.get(0).getId(), null, policy);

assertEquals(ProcessInstance.STATE_COMPLETED, processInstance.status());
}
Expand All @@ -86,9 +89,6 @@ public void testChildWithSecurityPolicy() {
assertEquals(1, result.toMap().size());
assertFalse(((Person)result.toMap().get("person")).isAdult());

StaticIdentityProvider identity = new StaticIdentityProvider("admin");
SecurityPolicy policy = SecurityPolicy.of(identity);

List<WorkItem> workItems = processInstance.workItems(policy);
assertEquals(1, workItems.size());

Expand All @@ -112,10 +112,9 @@ public void testChildWithSecurityPolicyNotAuthorized() {
assertEquals(1, result.toMap().size());
assertFalse(((Person)result.toMap().get("person")).isAdult());

StaticIdentityProvider identity = new StaticIdentityProvider("john");
SecurityPolicy policy = SecurityPolicy.of(identity);
SecurityPolicy johnPolicy = SecurityPolicy.of(new StaticIdentityProvider("john"));

List<WorkItem> workItems = processInstance.workItems(policy);
List<WorkItem> workItems = processInstance.workItems(johnPolicy);
assertEquals(0, workItems.size());

processInstance.abort();
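Review bot: In the hunk at -86,9 +89,6, testChildWithSecurityPolicy now uses the shared `policy` that carries both user `admin` and group `managers`, whereas the removed local `new StaticIdentityProvider("admin")` was a user-only identity; if the task is assigned by group (not visible here), a broken user-based check would no longer fail this test. Keeping a user-only identity in that method, `SecurityPolicy adminOnly = SecurityPolicy.of(new StaticIdentityProvider("admin"));` and `List<WorkItem> workItems = processInstance.workItems(adminOnly);`, preserves what it verified before. The renamed `johnPolicy` in testChildWithSecurityPolicyNotAuthorized covers the no-group unauthorised case, but no test covers a user who belongs to a group that is not assigned, which is the other side of the group path. The method bodies start before these hunks.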
Expand Up @@ -65,15 +65,15 @@ public void testChildPersonsRest() {
.body("$.size()", is(1), "[0].id", is(firstCreatedId));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
taskInfo.containsValue("ChildrenHandling");

// test completing task
String fixedOrderPayload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next() + "?user=admin").then()
.statusCode(200).body("id", is(firstCreatedId));

// get all persons make sure there is zero
Expand Down Expand Up @@ -205,15 +205,15 @@ public void testPersonsRestStartFromUserTask() {
.body("$.size()", is(1), "[0].id", is(firstCreatedId), "[0].person.adult", is(false));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
taskInfo.containsValue("ChildrenHandling");

// test completing task
String fixedOrderPayload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next() + "?user=admin").then()
.statusCode(200).body("id", is(firstCreatedId));

// get all persons make sure there is zero
Expand All @@ -238,7 +238,7 @@ public void testChildPersonsRestAbortViaMgmtInterface() {
.body("$.size()", is(1), "[0].id", is(firstCreatedId), "[0].person.adult", is(false));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
Expand Down Expand Up @@ -270,7 +270,7 @@ public void testChildPersonsRestRetriggerNodeViaMgmtInterface() {
.body("$.size()", is(1), "[0].id", is(firstCreatedId), "[0].person.adult", is(false));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
Expand All @@ -283,7 +283,7 @@ public void testChildPersonsRestRetriggerNodeViaMgmtInterface() {
given().contentType(ContentType.JSON).accept(ContentType.JSON).when().post("/management/processes/persons/instances/" + firstCreatedId + "/nodeInstances/" + nodeInstanceId).then()
.statusCode(200);

taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

String retriggeredNodeInstanceId = given().contentType(ContentType.JSON).accept(ContentType.JSON).when().get("/management/processes/persons/instances/" + firstCreatedId + "/nodeInstances").then()
Expand All @@ -293,7 +293,7 @@ public void testChildPersonsRestRetriggerNodeViaMgmtInterface() {

// test completing task
String fixedOrderPayload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next() + "?user=admin").then()
.statusCode(200).body("id", is(firstCreatedId));

// get all persons make sure there is zero
Expand All @@ -318,7 +318,7 @@ public void testChildPersonsRestCancelAndTriggerNodeViaMgmtInterface() {
.body("$.size()", is(1), "[0].id", is(firstCreatedId), "[0].person.adult", is(false));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
Expand All @@ -335,7 +335,7 @@ public void testChildPersonsRestCancelAndTriggerNodeViaMgmtInterface() {
given().contentType(ContentType.JSON).accept(ContentType.JSON).when().post("/management/processes/persons/instances/" + firstCreatedId + "/nodes/UserTask_1").then()
.statusCode(200);

taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks").then()
taskInfo = given().accept(ContentType.JSON).when().get("/persons/" + firstCreatedId + "/tasks?user=admin").then()
.statusCode(200).extract().as(Map.class);

String retriggeredNodeInstanceId = given().contentType(ContentType.JSON).accept(ContentType.JSON).when().get("/management/processes/persons/instances/" + firstCreatedId + "/nodeInstances").then()
Expand All @@ -345,7 +345,7 @@ public void testChildPersonsRestCancelAndTriggerNodeViaMgmtInterface() {

// test completing task
String fixedOrderPayload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(fixedOrderPayload).when().post("/persons/" + firstCreatedId + "/ChildrenHandling/" + taskInfo.keySet().iterator().next() + "?user=admin").then()
.statusCode(200).body("id", is(firstCreatedId));

// get all persons make sure there is zero
Expand Up @@ -4,18 +4,21 @@
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.kie.kogito.Model;
import org.kie.kogito.auth.SecurityPolicy;
import org.kie.kogito.examples.DemoApplication;
import org.kie.kogito.process.Process;
import org.kie.kogito.process.ProcessInstance;
import org.kie.kogito.process.ProcessInstances;
import org.kie.kogito.process.WorkItem;
import org.kie.kogito.services.identity.StaticIdentityProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.test.context.SpringBootTest;
Expand All @@ -36,6 +39,8 @@ public class OrderServiceApiTest {
@Autowired
@Qualifier("demo.orderItems")
Process<? extends Model> orderItemsProcess;

private SecurityPolicy policy = SecurityPolicy.of(new StaticIdentityProvider("john", Collections.singletonList("managers")));


@Test
Expand Down Expand Up @@ -68,12 +73,13 @@ public void testOrderProcess() {

ProcessInstance<?> childProcessInstance = orderItemProcesses.values().iterator().next();

List<WorkItem> workItems = childProcessInstance.workItems();
List<WorkItem> workItems = childProcessInstance.workItems(policy);
assertEquals(1,
workItems.size());

childProcessInstance.completeWorkItem(workItems.get(0).getId(),
null);
null,
policy);

assertEquals(ProcessInstance.STATE_COMPLETED,
childProcessInstance.status());
Expand Down Expand Up @@ -120,10 +126,10 @@ public void testOrderProcessWithError() {

ProcessInstance<?> childProcessInstance = orderItemProcesses.values().iterator().next();

List<WorkItem> workItems = childProcessInstance.workItems();
List<WorkItem> workItems = childProcessInstance.workItems(policy);
assertEquals(1, workItems.size());

childProcessInstance.completeWorkItem(workItems.get(0).getId(), null);
childProcessInstance.completeWorkItem(workItems.get(0).getId(), null, policy);

assertEquals(ProcessInstance.STATE_COMPLETED, childProcessInstance.status());
assertEquals(ProcessInstance.STATE_COMPLETED, processInstance.status());
Expand Up @@ -170,15 +170,15 @@ public void testOrdersWithOrderItemsRest() {
.statusCode(200).body("id", is(orderItemsId));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks?user=john").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());
taskInfo.containsValue("Verify_order");

// test completing task
String payload = "{}";
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(payload).when().post("/orderItems/" + orderItemsId + "/Verify_order/" + taskInfo.keySet().iterator().next()).then()
given().contentType(ContentType.JSON).accept(ContentType.JSON).body(payload).when().post("/orderItems/" + orderItemsId + "/Verify_order/" + taskInfo.keySet().iterator().next() + "?user=john").then()
.statusCode(200).body("id", is(orderItemsId));

// get all orders make sure there is zero
Expand Down Expand Up @@ -215,7 +215,7 @@ public void testOrdersWithOrderItemsAbortedRest() {
.statusCode(200).body("id", is(orderItemsId));

// test getting task
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks").then()
Map taskInfo = given().accept(ContentType.JSON).when().get("/orderItems/" + orderItemsId + "/tasks?user=john").then()
.statusCode(200).extract().as(Map.class);

assertEquals(1, taskInfo.size());

