[incubator-kie-issues-1597] Enforce authentication in User Tasks rest…

… endpoints (#3758) * [incubator-kie-issues-1597] Enforce authentication in User Tasks rest endpoints * Added configs * - formatting * - fix config
apache · Nov 1, 2024 · 0b99949 · 0b99949
1 parent 299764b
commit 0b99949
Show file tree

Hide file tree

Showing 15 changed files with 414 additions and 77 deletions.
diff --git a/api/kogito-api/src/main/java/org/kie/kogito/auth/IdentityProvider.java b/api/kogito-api/src/main/java/org/kie/kogito/auth/IdentityProvider.java
@@ -27,7 +27,7 @@
 public interface IdentityProvider {
 
     /**
-     * Returns name assigned to the current context, usually refers to user name
+     * Returns name assigned to the current context, usually refers to the username
      * 
      * @return assigned name taken from security context
      */

diff --git a/api/kogito-api/src/main/java/org/kie/kogito/auth/IdentityProviderFactory.java b/api/kogito-api/src/main/java/org/kie/kogito/auth/IdentityProviderFactory.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.kie.kogito.auth;
+
+import java.util.Collection;
+
+/**
+ * Factory that resolves the {@link IdentityProvider}
+ */
+public interface IdentityProviderFactory {
+
+    /**
+     * Enables (true) using the application security context when resolving current User Identity. Defaults to false.
+     */
+    String KOGITO_SECURITY_AUTH_ENABLED = "kogito.security.auth.enabled";
+
+    /**
+     * Comma-separated list of roles that allow identity impersonation when resolving the actual User Identity.
+     */
+    String KOGITO_SECURITY_AUTH_IMPERSONATION_ALLOWED_FOR_ROLES = "kogito.security.auth.impersonation.allowed-for-roles";
+
+    IdentityProvider getOrImpersonateIdentity(String user, Collection<String> roles);
+}
diff --git a/api/kogito-api/src/main/java/org/kie/kogito/auth/impl/IdentityProviderFactoryImpl.java b/api/kogito-api/src/main/java/org/kie/kogito/auth/impl/IdentityProviderFactoryImpl.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.kie.kogito.auth.impl;
+
+import java.util.Collection;
+
+import org.kie.kogito.auth.IdentityProvider;
+import org.kie.kogito.auth.IdentityProviderFactory;
+import org.kie.kogito.auth.IdentityProviders;
+
+public class IdentityProviderFactoryImpl implements IdentityProviderFactory {
+
+    private final IdentityProvider identityProvider;
+    private final KogitoAuthConfig config;
+
+    public IdentityProviderFactoryImpl(IdentityProvider identityProvider, KogitoAuthConfig config) {
+        this.identityProvider = identityProvider;
+        this.config = config;
+    }
+
+    @Override
+    public IdentityProvider getOrImpersonateIdentity(String user, Collection<String> roles) {
+
+        if (!config.isEnabled()) {
+            return IdentityProviders.of(user, roles);
+        }
+
+        Collection<String> identityRoles = identityProvider.getRoles();
+        if (config.getRolesThatAllowImpersonation().stream().anyMatch(identityRoles::contains)) {
+            return IdentityProviders.of(user, roles);
+        }
+
+        return identityProvider;
+    }
+}
diff --git a/api/kogito-api/src/main/java/org/kie/kogito/auth/impl/KogitoAuthConfig.java b/api/kogito-api/src/main/java/org/kie/kogito/auth/impl/KogitoAuthConfig.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.kie.kogito.auth.impl;
+
+import java.util.Collection;
+
+public class KogitoAuthConfig {
+
+    private final boolean enabled;
+    private final Collection<String> rolesThatAllowImpersonation;
+
+    public KogitoAuthConfig(boolean enabled, Collection<String> rolesThatAllowImpersonation) {
+        this.enabled = enabled;
+        this.rolesThatAllowImpersonation = rolesThatAllowImpersonation;
+    }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public Collection<String> getRolesThatAllowImpersonation() {
+        return rolesThatAllowImpersonation;
+    }
+}
diff --git a/api/kogito-api/src/test/java/org/kie/kogito/auth/impl/IdentityProviderFactoryImplTest.java b/api/kogito-api/src/test/java/org/kie/kogito/auth/impl/IdentityProviderFactoryImplTest.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.kie.kogito.auth.impl;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.kie.kogito.auth.IdentityProviders;
+
+public class IdentityProviderFactoryImplTest {
+
+    private static final String KOGITO_IDENTITY_USER = "john";
+    private static final Collection<String> KOGITO_IDENTITY_ROLES = List.of("IT", "task-operator");
+    private static final Collection<String> KOGITO_IDENTITY_IMPERSONATOR_ROLES = List.of("root", "task-admin");
+    private static final String TEST_USER = "katty";
+    private static final Collection<String> TEST_ROLES = List.of("HR", "task-operator");
+
+    @Test
+    public void testResolveIdentityWithAuthDisabled() {
+        KogitoAuthConfig config = new KogitoAuthConfig(false, KOGITO_IDENTITY_IMPERSONATOR_ROLES);
+        IdentityProviderFactoryImpl identityProviderFactory = new IdentityProviderFactoryImpl(IdentityProviders.of(KOGITO_IDENTITY_USER, KOGITO_IDENTITY_ROLES), config);
+
+        Assertions.assertThat(identityProviderFactory.getOrImpersonateIdentity(TEST_USER, TEST_ROLES))
+                .isNotNull()
+                .hasFieldOrPropertyWithValue("name", TEST_USER)
+                .matches(identityProvider -> identityProvider.getRoles().containsAll(TEST_ROLES));
+    }
+
+    @Test
+    public void testResolveIdentityWithAuthEnabled() {
+        KogitoAuthConfig config = new KogitoAuthConfig(true, KOGITO_IDENTITY_IMPERSONATOR_ROLES);
+        IdentityProviderFactoryImpl identityProviderFactory = new IdentityProviderFactoryImpl(IdentityProviders.of(KOGITO_IDENTITY_USER, KOGITO_IDENTITY_ROLES), config);
+
+        Assertions.assertThat(identityProviderFactory.getOrImpersonateIdentity(TEST_USER, TEST_ROLES))
+                .isNotNull()
+                .hasFieldOrPropertyWithValue("name", KOGITO_IDENTITY_USER)
+                .matches(identityProvider -> identityProvider.getRoles().containsAll(KOGITO_IDENTITY_ROLES));
+    }
+
+    @Test
+    public void testResolveImpersonatedIdentityWithAuthEnabled() {
+        KogitoAuthConfig config = new KogitoAuthConfig(true, KOGITO_IDENTITY_IMPERSONATOR_ROLES);
+        IdentityProviderFactoryImpl identityProviderFactory = new IdentityProviderFactoryImpl(IdentityProviders.of(KOGITO_IDENTITY_USER, KOGITO_IDENTITY_IMPERSONATOR_ROLES), config);
+
+        Assertions.assertThat(identityProviderFactory.getOrImpersonateIdentity(TEST_USER, TEST_ROLES))
+                .isNotNull()
+                .hasFieldOrPropertyWithValue("name", TEST_USER)
+                .matches(identityProvider -> identityProvider.getRoles().containsAll(TEST_ROLES));
+    }
+
+}
diff --git a/...ito-codegen-processes/src/main/resources/class-templates/RestResourceQuarkusTemplate.java b/...ito-codegen-processes/src/main/resources/class-templates/RestResourceQuarkusTemplate.java
@@ -18,7 +18,6 @@
  */
 package com.myspace.demo;
 
-import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -50,17 +49,11 @@
 import org.jbpm.util.JsonSchemaUtil;
 import org.kie.kogito.process.Process;
 import org.kie.kogito.process.ProcessInstance;
-import org.kie.kogito.process.WorkItem;
 import org.kie.kogito.process.ProcessService;
 import org.kie.kogito.process.workitem.TaskModel;
-import org.kie.kogito.auth.IdentityProvider;
-import org.kie.kogito.auth.IdentityProviders;
+import org.kie.kogito.auth.IdentityProviderFactory;
 import org.kie.kogito.auth.SecurityPolicy;
 
-import org.kie.kogito.usertask.model.Attachment;
-import org.kie.kogito.usertask.model.AttachmentInfo;
-import org.kie.kogito.usertask.model.Comment;
-
 @Path("/$name$")
 public class $Type$Resource {
 
@@ -69,6 +62,9 @@ public class $Type$Resource {
     @Inject
     ProcessService processService;
 
+    @Inject
+    IdentityProviderFactory identityProviderFactory;
+
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
@@ -144,7 +140,7 @@ public class $Type$Resource {
     public List<TaskModel> getTasks_$name$(@PathParam("id") String id,
                                           @QueryParam("user") final String user,
                                           @QueryParam("group") final List<String> groups) {
-        return processService.getWorkItems(process, id, SecurityPolicy.of(IdentityProviders.of(user, groups)))
+        return processService.getWorkItems(process, id, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)))
                 .orElseThrow(NotFoundException::new)
                 .stream()
                 .map($TaskModelFactory$::from)

diff --git a/...gito-codegen-processes/src/main/resources/class-templates/RestResourceSpringTemplate.java b/...gito-codegen-processes/src/main/resources/class-templates/RestResourceSpringTemplate.java
@@ -18,8 +18,6 @@
  */
 package com.myspace.demo;
 
-import java.net.URI;
-import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -28,17 +26,11 @@
 import org.jbpm.util.JsonSchemaUtil;
 import org.kie.kogito.process.Process;
 import org.kie.kogito.process.ProcessInstance;
-import org.kie.kogito.process.WorkItem;
 import org.kie.kogito.process.ProcessService;
 import org.kie.kogito.process.workitem.TaskModel;
-import org.kie.kogito.auth.IdentityProvider;
-import org.kie.kogito.auth.IdentityProviders;
+import org.kie.kogito.auth.IdentityProviderFactory;
 import org.kie.kogito.auth.SecurityPolicy;
 
-import org.kie.kogito.usertask.model.Attachment;
-import org.kie.kogito.usertask.model.AttachmentInfo;
-import org.kie.kogito.usertask.model.Comment;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
@@ -70,6 +62,9 @@ public class $Type$Resource {
     @Autowired
     ProcessService processService;
 
+    @Autowired
+    IdentityProviderFactory identityProviderFactory;
+
     @PostMapping(produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
     @Operation(summary = "$documentation$", description = "$processInstanceDescription$")
     public ResponseEntity<$Type$Output> createResource_$name$(@RequestHeader HttpHeaders httpHeaders,
@@ -128,7 +123,7 @@ public class $Type$Resource {
     public List<TaskModel> getTasks_$name$(@PathVariable("id") String id,
                                            @RequestParam(value = "user", required = false) final String user,
                                            @RequestParam(value = "group", required = false) final List<String> groups) {
-        return processService.getWorkItems(process, id, SecurityPolicy.of(IdentityProviders.of(user, groups)))
+        return processService.getWorkItems(process, id, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)))
                 .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND))
                 .stream()
                 .map($TaskModelFactory$::from)

diff --git a/...gen-processes/src/main/resources/class-templates/RestResourceWorkItemQuarkusTemplate.java b/...gen-processes/src/main/resources/class-templates/RestResourceWorkItemQuarkusTemplate.java
@@ -25,7 +25,6 @@
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
 
-import org.kie.kogito.auth.IdentityProviders;
 import org.kie.kogito.auth.SecurityPolicy;
 import org.kie.kogito.process.Process;
 import org.kie.kogito.process.ProcessInstance;
@@ -47,7 +46,7 @@ public Response signal(@PathParam("id") final String id,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups,
             @Context UriInfo uriInfo) {
-        return processService.signalWorkItem(process, id, "$taskName$", SecurityPolicy.of(user, groups))
+        return processService.signalWorkItem(process, id, "$taskName$", SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)))
                 .map(task -> Response
                         .created(uriInfo.getAbsolutePathBuilder().path(task.getId()).build())
                         .entity(task.getResults())
@@ -65,7 +64,7 @@ public Response signal(@PathParam("id") final String id,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups,
             final $TaskOutput$ model) {
-        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(user, groups), model)
+        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)), model)
                 .orElseThrow(NotFoundException::new);
     }
 
@@ -77,7 +76,7 @@ public Response signal(@PathParam("id") final String id,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups,
             final $TaskOutput$ model) {
-        return processService.setWorkItemOutput(process, id, taskId, SecurityPolicy.of(user, groups), model, $TaskOutput$::fromMap)
+        return processService.setWorkItemOutput(process, id, taskId, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)), model, $TaskOutput$::fromMap)
                 .orElseThrow(NotFoundException::new);
     }
 
@@ -92,7 +91,7 @@ public Response signal(@PathParam("id") final String id,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups,
             final $TaskOutput$ model) {
-        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(user, groups), model)
+        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)), model)
                 .orElseThrow(NotFoundException::new);
     }
 
@@ -103,7 +102,7 @@ public Response signal(@PathParam("id") final String id,
             @PathParam("taskId") String taskId,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups) {
-        return processService.getWorkItem(process, id, taskId, SecurityPolicy.of(user, groups), $TaskModel$::from)
+        return processService.getWorkItem(process, id, taskId, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)), $TaskModel$::from)
                 .orElseThrow(NotFoundException::new);
     }
 
@@ -115,7 +114,7 @@ public Response signal(@PathParam("id") final String id,
             @QueryParam("phase") @DefaultValue("abort") final String phase,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups) {
-        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(user, groups), null)
+        return processService.transitionWorkItem(process, id, taskId, phase, SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)), null)
                 .orElseThrow(NotFoundException::new);
     }
 
@@ -133,7 +132,7 @@ public Map<String, Object> getSchemaAndPhases(@PathParam("id") final String id,
             @PathParam("taskId") final String taskId,
             @QueryParam("user") final String user,
             @QueryParam("group") final List<String> groups) {
-        return processService.getWorkItemSchemaAndPhases(process, id, taskId, "$taskName$", SecurityPolicy.of(user, groups));
+        return processService.getWorkItemSchemaAndPhases(process, id, taskId, "$taskName$", SecurityPolicy.of(identityProviderFactory.getOrImpersonateIdentity(user, groups)));
     }
 
 }