Closes #2563 - add handling of permissions as access ids

Co-authored-by: SebastianRoseneck <[email protected]> Co-authored-by: ryzheboka <[email protected]>
Taskana · Jul 26, 2024 · 31100a5 · 31100a5
1 parent 683068a
commit 31100a5
Show file tree

Hide file tree

Showing 56 changed files with 1,496 additions and 215 deletions.
diff --git a/common/taskana-common-data/src/main/resources/sql/sample-data/workbasket-access-list.sql b/common/taskana-common-data/src/main/resources/sql/sample-data/workbasket-access-list.sql
@@ -1,7 +1,6 @@
 -- sample-data is used for rest tests and for the example application
 
---SERT INTO WORKBASKET_ACCESS_LIST VALUES (ID                                        , WB_ID                                     , ACCESS_ID                                                                                    , ACCESS_NAME                 , READ , OPEN , APPEND, TRANSFER, DISTRIBUTE, C1    , C2    , C3    , C4    , C5    , C6    , C7    , C8    , C9    , C10   , C11   , C12  , READTASKS, EDITTASKS)
--- KSC authorizations
+-- KSC authorizations                     (ID                                        , WB_ID                                     , ACCESS_ID                                                                                    , ACCESS_NAME                 , READ , OPEN , APPEND, TRANSFER, DISTRIBUTE, C1, .., C12)
 -- PPKs
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000001', 'WBI:100000000000000000000000000000000004', 'teamlead-1'                                                                                 , 'Titus Toll'                , true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000002', 'WBI:100000000000000000000000000000000005', 'teamlead-2'                                                                                 , 'Frauke Faul'               , true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
@@ -37,7 +36,6 @@ INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:10000000000000000000000000000000
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000017', 'WBI:100000000000000000000000000000000008', 'cn=organisationseinheit ksc 1,cn=organisationseinheit ksc,cn=organisation,ou=test,o=taskana', 'Organisationseinheit KSC 1', true , false, false , false   , false     , false , false , false , false , false , false , false , false , false , false , false , false ,true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000018', 'WBI:100000000000000000000000000000000009', 'cn=organisationseinheit ksc 1,cn=organisationseinheit ksc,cn=organisation,ou=test,o=taskana', 'Organisationseinheit KSC 1', true , false, true  , false   , false     , false , false , false , false , false , false , false , false , false , false , false , false ,true    , true);
 
---SERT INTO WORKBASKET_ACCESS_LIST VALUES (ID                                        , WB_ID                                     , ACCESS_ID                                                                                    , ACCESS_NAME                 , READ , OPEN , APPEND, TRANSFER, DISTRIBUTE, C1    , C2    , C3    , C4    , C5    , C6    , C7    , C8    , C9    , C10   , C11   , C12  ,READTASKS, EDITTASKS)
 -- Team GPK access
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000019', 'WBI:100000000000000000000000000000000002', 'cn=organisationseinheit ksc 1,cn=organisationseinheit ksc,cn=organisation,ou=test,o=taskana', 'Organisationseinheit KSC 1', true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000020', 'WBI:100000000000000000000000000000000003', 'cn=organisationseinheit ksc 2,cn=organisationseinheit ksc,cn=organisation,ou=test,o=taskana', 'Organisationseinheit KSC 2', true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
@@ -64,3 +62,8 @@ INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:00000000000000000000000000000000
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000907', 'WBI:000000000000000000000000000000000907', 'user-b-1'                                                                                   , 'Bern, Bernd'               , true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000908', 'WBI:000000000000000000000000000000000908', 'user-b-1'                                                                                   , 'Bern, Bernd'               , true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000909', 'WBI:000000000000000000000000000000000909', 'user-b-1'                                                                                   , 'Bern, Bernd'               , true , true , true  , true    , true      , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true  , true , true    , true);
+
+-- permissions
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000002', 'WBI:100000000000000000000000000000000005', 'taskana:callcenter:ab:ab/a:callcenter'                                                                             , 'PERM_1'           , true , true , true  , false   , true      , false, false, false, false, false, false, false, false, false, false, false, false, true   , false);
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000003', 'WBI:100000000000000000000000000000000006', 'taskana:callcenter:ab:AB/a:callcenter'                                                                             , 'PERM_1'           , true , false, true  , true    , false     , false, false, false, false, false, false, false, false, false, false, false, false, true   , true );
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000005', 'WBI:100000000000000000000000000000000012', 'taskana:callcenter:ab:AB/a:callcenter'                                                                             , 'PERM_1'           , true , false, true  , false   , false     , false, false, false, false, false, false, false, false, false, false, false, false, false  , false);
diff --git a/common/taskana-common-data/src/main/resources/sql/test-data/workbasket-access-list.sql b/common/taskana-common-data/src/main/resources/sql/test-data/workbasket-access-list.sql
@@ -51,3 +51,8 @@ INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:00000000000000000000000000000000
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000907', 'WBI:000000000000000000000000000000000907', 'user-b-1'                                                                                   , 'Bern, Bernd'       , true , true , true  , true    , true      , true , true , true , true , true , true , true , true , true , true , true , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000908', 'WBI:000000000000000000000000000000000908', 'user-b-1'                                                                                   , 'Bern, Bernd'       , true , true , true  , true    , true      , true , true , true , true , true , true , true , true , true , true , true , true , true    , true);
 INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WBI:000000000000000000000000000000000909', 'WBI:000000000000000000000000000000000909', 'user-b-1'                                                                                   , 'Bern, Bernd'       , true , true , true  , true    , true      , true , true , true , true , true , true , true , true , true , true , true , true , true    , true);
+
+-- permissions
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000002', 'WBI:100000000000000000000000000000000005', 'taskana:callcenter:ab:ab/a:callcenter'                                                                             , 'PERM_1'           , true , true , true  , false   , true      , false, false, false, false, false, false, false, false, false, false, false, false, true   , false);
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000003', 'WBI:100000000000000000000000000000000006', 'taskana:callcenter:ab:ab/a:callcenter'                                                                             , 'PERM_1'           , true , false, true  , true    , false     , false, false, false, false, false, false, false, false, false, false, false, false, true   , true );
+INSERT INTO WORKBASKET_ACCESS_LIST VALUES ('WAI:200000000000000000000000000000000005', 'WBI:100000000000000000000000000000000012', 'taskana:callcenter:ab:ab/a:callcenter'                                                                             , 'PERM_1'           , true , false, true  , false   , false     , false, false, false, false, false, false, false, false, false, false, false, false, false  , false);
diff --git a/common/taskana-common-test/src/main/java/pro/taskana/common/test/security/WithAccessId.java b/common/taskana-common-test/src/main/java/pro/taskana/common/test/security/WithAccessId.java
@@ -16,6 +16,8 @@
 
   String[] groups() default {};
 
+  String[] permissions() default {};
+
   @Retention(RetentionPolicy.RUNTIME)
   @Target(ElementType.METHOD)
   @interface WithAccessIds {

diff --git a/...taskana-common-test/src/test/java/pro/taskana/common/test/security/JaasExtensionTest.java b/...taskana-common-test/src/test/java/pro/taskana/common/test/security/JaasExtensionTest.java
@@ -7,7 +7,6 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.function.Supplier;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
@@ -215,11 +214,12 @@ void should_SetMultipleJaasSubjects_When_MultipleAnnotationsExist_On_TestTemplat
     assertThat(CURRENT_USER_CONTEXT.getUserid()).isEqualTo(accessId.user());
   }
 
-  @WithAccessId(user = "testtemplate1", groups = "abc")
+  @WithAccessId(user = "testtemplate1", groups = "abc", permissions = "perm")
   @TestTemplate
   void should_InjectCorrectAccessId_When_AnnotationExists_On_TestTemplate(WithAccessId accessId) {
     assertThat(accessId.user()).isEqualTo("testtemplate1");
     assertThat(accessId.groups()).containsExactly("abc");
+    assertThat(accessId.permissions()).containsExactly("perm");
   }
 
   // endregion
@@ -406,21 +406,21 @@ Stream<DynamicContainer> should_SetAccessIdForDynamicContainerInStream_When_Anno
 
   @TestFactory
   Iterable<DynamicTest> should_NotSetAccessIdForDynamicTestInIterable_When_AnnotationIsMissing() {
-    return Stream.of(NULL_DYNAMIC_TEST, NULL_DYNAMIC_TEST).collect(Collectors.toList());
+    return Stream.of(NULL_DYNAMIC_TEST, NULL_DYNAMIC_TEST).toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
   @TestFactory
   Iterable<DynamicTest> should_SetAccessIdForDynamicTestInIterable_When_AnnotationExists() {
     return Stream.of(DYNAMIC_TEST_USER_DYNAMIC_TEST, DYNAMIC_TEST_USER_DYNAMIC_TEST)
-        .collect(Collectors.toList());
+        .toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
   @TestFactory
   Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_AnnotationsExist() {
-    return Stream.of(NOT_NULL_DYNAMIC_TEST, NOT_NULL_DYNAMIC_TEST).collect(Collectors.toList());
+    return Stream.of(NOT_NULL_DYNAMIC_TEST, NOT_NULL_DYNAMIC_TEST).toList();
   }
 
   // WITH DynamicContainer
@@ -431,7 +431,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
     Supplier<DynamicContainer> supplier =
         () ->
             dynamicContainer("dynamic container", Stream.of(NULL_DYNAMIC_TEST, NULL_DYNAMIC_TEST));
-    return Stream.generate(supplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(supplier).limit(2).toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
@@ -443,7 +443,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
             dynamicContainer(
                 "dynamic container",
                 Stream.of(DYNAMIC_TEST_USER_DYNAMIC_TEST, DYNAMIC_TEST_USER_DYNAMIC_TEST));
-    return Stream.generate(supplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(supplier).limit(2).toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
@@ -455,7 +455,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
         () ->
             dynamicContainer(
                 "dynamic container", Stream.of(NOT_NULL_DYNAMIC_TEST, NOT_NULL_DYNAMIC_TEST));
-    return Stream.generate(supplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(supplier).limit(2).toList();
   }
 
   // WITH nested DynamicContainer
@@ -467,7 +467,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
         () -> dynamicContainer("inside container", Stream.of(NULL_DYNAMIC_TEST, NULL_DYNAMIC_TEST));
     Supplier<DynamicContainer> outsideSupplier =
         () -> dynamicContainer("outside container", Stream.of(supplier.get(), NULL_DYNAMIC_TEST));
-    return Stream.generate(outsideSupplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(outsideSupplier).limit(2).toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
@@ -483,7 +483,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
         () ->
             dynamicContainer(
                 "outside container", Stream.of(supplier.get(), DYNAMIC_TEST_USER_DYNAMIC_TEST));
-    return Stream.generate(outsideSupplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(outsideSupplier).limit(2).toList();
   }
 
   @WithAccessId(user = INSIDE_DYNAMIC_TEST_USER)
@@ -498,7 +498,7 @@ Iterable<DynamicTest> should_SetMultipleAccessIdForDynamicTestInIterable_When_An
     Supplier<DynamicContainer> outsideSupplier =
         () ->
             dynamicContainer("outside container", Stream.of(supplier.get(), NOT_NULL_DYNAMIC_TEST));
-    return Stream.generate(outsideSupplier).limit(2).collect(Collectors.toList());
+    return Stream.generate(outsideSupplier).limit(2).toList();
   }
 
   // endregion

diff --git a/history/taskana-simplehistory-rest-spring/src/test/resources/application.properties b/history/taskana-simplehistory-rest-spring/src/test/resources/application.properties
@@ -34,6 +34,12 @@ taskana.ldap.groupNameAttribute=cn
 taskana.ldap.minSearchForLength=3
 taskana.ldap.maxNumberOfReturnedAccessIds=50
 taskana.ldap.groupsOfUser=memberUid
+taskana.ldap.permissionSearchBase=cn=groups
+taskana.ldap.permissionSearchFilterName=objectclass
+taskana.ldap.permissionSearchFilterValue=groupofuniquenames
+taskana.ldap.permissionNameAttribute=permission
+taskana.ldap.permissionsOfUser=uniquemember
+taskana.ldap.useDnForGroups=true
 # Embedded Spring LDAP server
 spring.ldap.embedded.base-dn=OU=Test,O=TASKANA
 spring.ldap.embedded.credential.username=uid=admin

diff --git a/lib/taskana-core/src/test/java/acceptance/AbstractAccTest.java b/lib/taskana-core/src/test/java/acceptance/AbstractAccTest.java
@@ -39,6 +39,8 @@ public abstract class AbstractAccTest {
       "cn=Organisationseinheit KSC 1,cn=Organisationseinheit KSC,cn=organisation,OU=Test,O=TASKANA";
   public static final String GROUP_2_DN =
       "cn=Organisationseinheit KSC 2,cn=Organisationseinheit KSC,cn=organisation,OU=Test,O=TASKANA";
+  public static final String PERM_1 =
+      "taskana:callcenter:ab:ab/a:callcenter";
 
   protected static TaskanaConfiguration taskanaConfiguration;
   protected static TaskanaEngine taskanaEngine;

diff --git a/...ana-core/src/test/java/acceptance/workbasket/query/QueryWorkbasketAccessItemsAccTest.java b/...ana-core/src/test/java/acceptance/workbasket/query/QueryWorkbasketAccessItemsAccTest.java
@@ -34,7 +34,7 @@ void testQueryWorkbasketAccessItemValuesForColumnName() throws Exception {
 
     columnValueList =
         workbasketService.createWorkbasketAccessItemQuery().listValues(ACCESS_ID, null);
-    assertThat(columnValueList).hasSize(10);
+    assertThat(columnValueList).hasSize(11);
 
     columnValueList =
         workbasketService.createWorkbasketAccessItemQuery().listValues(WORKBASKET_KEY, null);
@@ -51,9 +51,9 @@ void testQueryAccessItemsForAccessIds() throws Exception {
     List<WorkbasketAccessItem> results =
         workbasketService
             .createWorkbasketAccessItemQuery()
-            .accessIdIn("user-1-1", GROUP_1_DN)
+            .accessIdIn("user-1-1", GROUP_1_DN, PERM_1)
             .list();
-    assertThat(results).hasSize(8);
+    assertThat(results).hasSize(11);
   }
 
   @WithAccessId(user = "unknownuser")
@@ -78,12 +78,12 @@ void testQueryAccessItemsForAccessIdsOrderedDescending() throws Exception {
     WorkbasketAccessItemQuery query =
         workbasketService
             .createWorkbasketAccessItemQuery()
-            .accessIdIn("user-1-1", GROUP_1_DN)
+            .accessIdIn("user-1-1", GROUP_1_DN, PERM_1)
             .orderByAccessId(SortDirection.DESCENDING)
             .orderByWorkbasketId(SortDirection.DESCENDING);
     List<WorkbasketAccessItem> results = query.list();
     long count = query.count();
-    assertThat(results).hasSize(8).size().isEqualTo(count);
+    assertThat(results).hasSize(11).size().isEqualTo(count);
     assertThat(results.get(0).getId()).isEqualTo("WAI:100000000000000000000000000000000003");
   }
 
@@ -94,12 +94,13 @@ void testQueryAccessItemsForAccessIdsAndWorkbasketKey() throws Exception {
     List<WorkbasketAccessItem> results =
         workbasketService
             .createWorkbasketAccessItemQuery()
-            .accessIdIn("user-1-1", GROUP_1_DN)
+            .accessIdIn("user-1-1", GROUP_1_DN, PERM_1)
             .workbasketIdIn(
                 "WBI:100000000000000000000000000000000006",
-                "WBI:100000000000000000000000000000000002")
+                "WBI:100000000000000000000000000000000002",
+                "WBI:100000000000000000000000000000000005")
             .list();
-    assertThat(results).hasSize(3);
+    assertThat(results).hasSize(5);
   }
 
   @WithAccessId(user = "businessadmin")
@@ -135,7 +136,7 @@ void testQueryAccessItemsByWorkbasketKey() throws Exception {
             .createWorkbasketAccessItemQuery()
             .workbasketIdIn("WBI:100000000000000000000000000000000006")
             .list();
-    assertThat(results).hasSize(3);
+    assertThat(results).hasSize(4);
   }
 
   @WithAccessId(user = "businessadmin")
@@ -149,7 +150,7 @@ void testQueryAccessItemsByWorkbasketKeyOrderedDescending() throws Exception {
             .orderByWorkbasketId(SortDirection.DESCENDING)
             .orderByAccessId(SortDirection.ASCENDING)
             .list();
-    assertThat(results).hasSize(3);
+    assertThat(results).hasSize(4);
     assertThat(results.get(0).getId()).isEqualTo("WAI:100000000000000000000000000000000009");
   }
 
@@ -160,7 +161,7 @@ void testQueryForIdIn() throws Exception {
     String[] expectedIds = {
       "WAI:100000000000000000000000000000000001",
       "WAI:100000000000000000000000000000000015",
-      "WAI:100000000000000000000000000000000007"
+      "WAI:100000000000000000000000000000000006"
     };
     List<WorkbasketAccessItem> results =
         workbasketService.createWorkbasketAccessItemQuery().idIn(expectedIds).list();