Class AuthorizationManager

  • All Implemented Interfaces:
    Session

    public class AuthorizationManager
    extends AbstractManager
    Author:
    Daniel Meyer
    • Field Detail

      • EMPTY_LIST

        protected static final java.util.List<java.lang.String> EMPTY_LIST
      • availableAuthorizedGroupIds

        protected java.util.Set<java.lang.String> availableAuthorizedGroupIds
        The group ids for which authorizations exist in the database. The set is initialized once per command by the filterAuthenticatedGroupIds(List) method (manager instances are command-scoped). It is used to restrict authorization checks to groups for which authorizations exist. In other words, if no authorization exists in the database for a given group, authorization checks are not performed for that group.
      • isRevokeAuthCheckUsed

        protected java.lang.Boolean isRevokeAuthCheckUsed
    • Constructor Detail

      • AuthorizationManager

        public AuthorizationManager()
    • Method Detail

      • createNewAuthorization

        public Authorization createNewAuthorization​(int type)
      • selectAuthorizationCountByQueryCriteria

        public java.lang.Long selectAuthorizationCountByQueryCriteria​(AuthorizationQueryImpl authorizationQuery)
      • findAuthorizationByUserIdAndResourceId

        public AuthorizationEntity findAuthorizationByUserIdAndResourceId​(int type,
                                                                          java.lang.String userId,
                                                                          Resource resource,
                                                                          java.lang.String resourceId)
      • findAuthorizationByGroupIdAndResourceId

        public AuthorizationEntity findAuthorizationByGroupIdAndResourceId​(int type,
                                                                           java.lang.String groupId,
                                                                           Resource resource,
                                                                           java.lang.String resourceId)
      • findAuthorization

        public AuthorizationEntity findAuthorization​(int type,
                                                     java.lang.String userId,
                                                     java.lang.String groupId,
                                                     Resource resource,
                                                     java.lang.String resourceId)
      • checkAuthorization

        public void checkAuthorization​(Permission permission,
                                       Resource resource)
      • isAuthorized

        public boolean isAuthorized​(Permission permission,
                                    Resource resource,
                                    java.lang.String resourceId)
      • isAuthorized

        public boolean isAuthorized​(java.lang.String userId,
                                    java.util.List<java.lang.String> groupIds,
                                    Permission permission,
                                    Resource resource,
                                    java.lang.String resourceId)
      • isAuthorized

        public boolean isAuthorized​(java.lang.String userId,
                                    java.util.List<java.lang.String> groupIds,
                                    PermissionCheck permissionCheck)
      • isRevokeAuthCheckEnabled

        protected boolean isRevokeAuthCheckEnabled​(java.lang.String userId,
                                                   java.util.List<java.lang.String> groupIds)
      • isAuthorized

        public boolean isAuthorized​(java.lang.String userId,
                                    java.util.List<java.lang.String> groupIds,
                                    CompositePermissionCheck compositePermissionCheck)
      • isResourceValidForPermission

        protected boolean isResourceValidForPermission​(PermissionCheck permissionCheck)
      • validateResourceCompatibility

        public void validateResourceCompatibility​(AuthorizationEntity authorization)
      • configureQueryHistoricFinishedInstanceReport

        public void configureQueryHistoricFinishedInstanceReport​(ListQueryParameterObject query,
                                                                 Resource resource)
      • enableQueryAuthCheck

        public void enableQueryAuthCheck​(AuthorizationCheck authCheck)
      • configureQuery

        public void configureQuery​(AbstractQuery query,
                                   Resource resource,
                                   java.lang.String queryParam)
      • isPermissionDisabled

        public boolean isPermissionDisabled​(Permission permission)
      • deleteAuthorizationsByResourceIds

        public void deleteAuthorizationsByResourceIds​(Resources resource,
                                                      java.util.List<java.lang.String> resourceIds)
      • deleteAuthorizationsByResourceId

        public void deleteAuthorizationsByResourceId​(Resource resource,
                                                     java.lang.String resourceId)
      • deleteAuthorizationsByResourceIdAndUserId

        public void deleteAuthorizationsByResourceIdAndUserId​(Resource resource,
                                                              java.lang.String resourceId,
                                                              java.lang.String userId)
      • deleteAuthorizationsByResourceIdAndGroupId

        public void deleteAuthorizationsByResourceIdAndGroupId​(Resource resource,
                                                               java.lang.String resourceId,
                                                               java.lang.String groupId)
      • checkCamundaAdmin

        public void checkCamundaAdmin()
        Checks whether the current authentication contains the group Groups.CAMUNDA_ADMIN. The check is skipped if authorization is disabled or if no authentication exists; in either case the method returns without throwing.
        Throws:
        AuthorizationException
      • checkCamundaAdminOrPermission

        public void checkCamundaAdminOrPermission​(java.util.function.Consumer<CommandChecker> permissionCheck)
      • isCamundaAdmin

        public boolean isCamundaAdmin​(Authentication authentication)
        Parameters:
        authentication - authentication to check, cannot be null
        Returns:
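        true if the given authentication contains the group Groups.CAMUNDA_ADMIN or the user (the sentence is cut off here in the original documentation, so the user-based condition is not stated)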
      • configureDeploymentQuery

        public void configureDeploymentQuery​(DeploymentQueryImpl query)
      • configureExecutionQuery

        public void configureExecutionQuery​(AbstractQuery query)
      • configureTaskQuery

        public void configureTaskQuery​(TaskQueryImpl query)
      • configureConditionalEventSubscriptionQuery

        public void configureConditionalEventSubscriptionQuery​(ListQueryParameterObject query)
      • configureIncidentQuery

        public void configureIncidentQuery​(IncidentQueryImpl query)
      • configureJobQuery

        public void configureJobQuery​(JobQueryImpl query)
      • configureHistoricVariableAndDetailQuery

        protected void configureHistoricVariableAndDetailQuery​(AbstractQuery query)
      • configureBatchQuery

        public void configureBatchQuery​(BatchQueryImpl query)
      • filterAuthenticatedGroupIds

        public java.util.List<java.lang.String> filterAuthenticatedGroupIds​(java.util.List<java.lang.String> authenticatedGroupIds)
      • getAllGroups

        protected java.util.Set<java.lang.String> getAllGroups()
      • isAuthCheckExecuted

        protected boolean isAuthCheckExecuted()
      • isEnsureSpecificVariablePermission

        public boolean isEnsureSpecificVariablePermission()
      • isHistoricInstancePermissionsEnabled

        protected boolean isHistoricInstancePermissionsEnabled()
      • addRemovalTimeToAuthorizationsByRootProcessInstanceId

        public void addRemovalTimeToAuthorizationsByRootProcessInstanceId​(java.lang.String rootProcessInstanceId,
                                                                          java.util.Date removalTime)
      • addRemovalTimeToAuthorizationsByProcessInstanceId

        public void addRemovalTimeToAuthorizationsByProcessInstanceId​(java.lang.String processInstanceId,
                                                                      java.util.Date removalTime)
      • deleteAuthorizationsByRemovalTime

        public DbOperation deleteAuthorizationsByRemovalTime​(java.util.Date removalTime,
                                                             int minuteFrom,
                                                             int minuteTo,
                                                             int batchSize)