From 32b97f7e9161a22d7ec3e5326d6e05fbf88bd363 Mon Sep 17 00:00:00 2001
From: tasso94 <3015690+tasso94@users.noreply.github.com>
Date: Wed, 12 Jul 2023 09:57:05 +0200
Subject: [PATCH] fix(engine): respect user when deleting auth for group memberships (#3565)

related to camunda/camunda-bpm-platform#3564
---
 .../db/DbIdentityServiceProvider.java | 2 +-
 .../IdentityServiceAuthorizationsTest.java | 78 +++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java b/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java
index 401fc3cf6f2..673c618dc6a 100644
--- a/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java
+++ b/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java
@@ -299,7 +299,7 @@ public IdentityOperationResult createMembership(String userId, String groupId) {
   public IdentityOperationResult deleteMembership(String userId, String groupId) {
     checkAuthorization(Permissions.DELETE, Resources.GROUP_MEMBERSHIP, groupId);
     if (existsMembership(userId, groupId)) {
-      deleteAuthorizations(Resources.GROUP_MEMBERSHIP, groupId);
+      deleteAuthorizationsForUser(Resources.GROUP_MEMBERSHIP, groupId, userId);
 
       Map parameters = new HashMap<>();
       parameters.put("userId", userId);
diff --git a/engine/src/test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java b/engine/src/test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java
index 921eafc990a..46276dfbeea 100644
--- a/engine/src/test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java
+++ b/engine/src/test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java
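Review bot: The new `deleteAuthorizationsForUser(Resources.GROUP_MEMBERSHIP, groupId, userId)` call narrows the cleanup to the removed user's own authorizations, but nothing in the hunk says why, and the old call reads just as plausibly; a why-comment above it would stop a later reader from "simplifying" it back: `// Only drop authorizations scoped to this user; "*" and other users' grants on the membership must survive (#3564).` The body of `deleteMembership` continues past the end of the hunk. If the helper matches on userId only, an authorization on this membership resource that is scoped by groupId rather than userId is left untouched, which is presumably intended but worth confirming against the helper's query. The tenant-membership deletion paths (`deleteTenantUserMembership`/`deleteTenantGroupMembership`, outside this hunk) are worth checking for the same `deleteAuthorizations(resource, id)` shape, since that form still removes the authorizations of every user on the resource.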
@@ -51,6 +51,8 @@
 import org.camunda.bpm.engine.authorization.Authorization;
 import org.camunda.bpm.engine.authorization.Groups;
 import org.camunda.bpm.engine.authorization.MissingAuthorization;
+import org.camunda.bpm.engine.authorization.Permissions;
+import org.camunda.bpm.engine.authorization.Resources;
 import org.camunda.bpm.engine.identity.Group;
 import org.camunda.bpm.engine.identity.Tenant;
 import org.camunda.bpm.engine.identity.TenantQuery;
@@ -659,6 +661,69 @@ public void testMembershipDeleteAuthorizations() {
     }
   }
 
+  @Test
+  public void shouldKeepAuthorizationsForAnyUser() {
+    // given
+    Group myGroup = identityService.newGroup("myGroup");
+    identityService.saveGroup(myGroup);
+
+    User myUser = identityService.newUser("myUser");
+    identityService.saveUser(myUser);
+
+    identityService.createMembership(myUser.getId(), myGroup.getId());
+
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP_MEMBERSHIP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, USER, myUser.getId(), "*", ALL);
+
+    processEngineConfiguration.setAuthorizationEnabled(true);
+    identityService.setAuthenticatedUserId(myUser.getId());
+
+    // when
+    identityService.deleteMembership(myUser.getId(), myGroup.getId());
+
+    // then
+    processEngineConfiguration.setAuthorizationEnabled(false);
+    List list = authorizationService.createAuthorizationQuery().list();
+    assertThat(list).extracting("resource", "resourceId", "userId", "permissions")
+        .containsExactlyInAnyOrder(tuple(GROUP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(USER.resourceType(), myUser.getId(), "*", ALL.getValue()));
+  }
+
+  @Test
+  public void shouldRemoveAuthorizationForUserAndKeepAuthorizationsForAnyUser() {
+    // given
+    Group myGroup = identityService.newGroup("myGroup");
+    identityService.saveGroup(myGroup);
+
+    User myUser = identityService.newUser("myUser");
+    identityService.saveUser(myUser);
+
+    identityService.createMembership(myUser.getId(), myGroup.getId());
+
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP_MEMBERSHIP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GRANT, GROUP_MEMBERSHIP, myGroup.getId(), myUser.getId(), ALL);
+    createAuthorization(AUTH_TYPE_GRANT, GROUP_MEMBERSHIP, myGroup.getId(), "foo", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, USER, myUser.getId(), "*", ALL);
+
+    processEngineConfiguration.setAuthorizationEnabled(true);
+    identityService.setAuthenticatedUserId(myUser.getId());
+
+    // when
+    identityService.deleteMembership(myUser.getId(), myGroup.getId());
+
+    // then
+    processEngineConfiguration.setAuthorizationEnabled(false);
+    List list = authorizationService.createAuthorizationQuery().list();
+    assertThat(list).extracting("resource", "resourceId", "userId", "permissions")
+        .containsExactlyInAnyOrder(tuple(GROUP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "foo", ALL.getValue()),
+            tuple(USER.resourceType(), myUser.getId(), "*", ALL.getValue()));
+  }
+
   @Test
   public void testTenantUserMembershipCreateAuthorizations() {
 
@@ -1329,4 +1394,17 @@ protected void cleanupAfterTest() {
     }
   }
 
+  protected void createAuthorization(int authType,
+                                     Resources resource,
+                                     String resourceId,
+                                     String userId,
+                                     Permissions permission) {
+    Authorization authorization = authorizationService.createNewAuthorization(authType);
+    authorization.setResource(resource);
+    authorization.setResourceId(resourceId);
+    authorization.addPermission(permission);
+    authorization.setUserId(userId);
+    authorizationService.saveAuthorization(authorization);
+  }
+
 }