Package com.flowable.platform.service.permission

Class AbstractDmnBasedPermissionHelper<T>

  • Type Parameters:
    T - the type of the scoped object this permission helper is implemented for (e.g. a conversation, a user or a case, etc)
    Direct Known Subclasses:
    UserPermissionServiceImpl
    public abstract class AbstractDmnBasedPermissionHelper<T>
extends Object
    An abstract based class for DMN based permission helpers where the evaluation of permissions is based on the execution of DMN models. There are two possible ways to implement such a helper: based on a default and detailed DMN permission model or simply based on one only. If based on two models, implement getDecisionKeyDefaultPermissions() and return the DMN key of the default permission model, otherwise return null instead. The idea of the default model is around execution speed where the commonly used use cases should already be covered by executing the default model and the details should only be needed for deeper testing or not so common use cases.

    • Constructor Detail

      • AbstractDmnBasedPermissionHelper

        public AbstractDmnBasedPermissionHelper()

    • Method Detail

      • evaluatePermissionsAndProcessResult

        protected Optional<String> evaluatePermissionsAndProcessResult​(String userId,
                                                               Collection<String> userGroupKeys,
                                                               String userTenantId,
                                                               String tenantId,
                                                               AuthorizedAction action,
                                                               T scopedObject,
                                                               Map<String,​Object> ruleInput,
                                                               String decisionModelKey,
                                                               String globalErrorMessageCode,
                                                               CommandContext commandContext)
        Evaluates default permissions first using the default DMN rule model and depending on the outcome, evaluates the detail DMN rule model according the provided action and decision key and finally processes the outcome accordingly resulting in an optional error message, if permissions have been denied.
        Parameters:
        userId - the id of the user to test for permissions
        userGroupKeys - the group keys of the user to check the permissions for
        userTenantId - the tenant id of the user to check the permissions for
        tenantId - the id of the tenant that will be used for lookup of the dmn definition
        action - the action to be tested
        scopedObject - the scoped object in which context the permissions should be checked
        ruleInput - the map containing the necessary input values for executing the detailed DMN rule model
        decisionModelKey - the key of the detailed DMN decision model
        globalErrorMessageCode - the error message code to be used for error message rendering, if permissions are denied but no detailed error message was provided
        commandContext - the command context to execute commands or request additional services and information
        Returns:
        the optional error message if permissions are denied, for granted access, an Optional.empty is returned

      • processErrorMessage

        protected Optional<String> processErrorMessage​(String tenantId,
                                               PermissionEvaluationResult evaluationResult,
                                               String globalErrorMessageCode,
                                               Map<String,​Object> ruleInput)
        Processes and returns the error code according the available error message or error message code within the given evaluation result. If none is provided, the general error message will be returned instead.
        Parameters:
        evaluationResult - the result from the DMN permission model evaluation
        globalErrorMessageCode - the global error message code to be used if not a specific one is provided
        ruleInput - the map with the input values to the DMN model
        Returns:
        the error message

      • evaluateDefaultPermissionOutput

        protected PermissionEvaluationResult evaluateDefaultPermissionOutput​(String userId,
                                                                     Collection<String> userGroupKeys,
                                                                     String userTenantId,
                                                                     String tenantId,
                                                                     AuthorizedAction action,
                                                                     T scopedObject,
                                                                     Map<String,​Object> detailedRuleInput,
                                                                     CommandContext commandContext)
        Evaluates the basic permissions for a given action within the scoped object for a specific user based on the default permission DMN model. The output might directly grant or deny access to the action or there is the need to test the action with the particular detailed DMN model for that action.
        Parameters:
        userId - the id of the user to test for action permission
        userGroupKeys - the group keys of the user to check the permissions for
        userTenantId - the tenant id of the user to check the permissions for
        action - the action to test privileges
        scopedObject - the optional scoped object for which the action should be checked
        commandContext - the command context used for execution or access to further services

      • createRuleInputForDefaultModel

        protected abstract Map<String,​Object> createRuleInputForDefaultModel​(String userId,
                                                                           AuthorizedAction action,
                                                                           T scopedObject,
                                                                           Map<String,​Object> detailedRuleInput,
                                                                           CommandContext commandContext)
        If getDecisionKeyDefaultPermissions() returns a non-null value, this method must be implemented in order to create the rule input data for evaluating the default permission model. The easiest way is by just returning the same rule input as being used for the detailed rule model, but in some cases, the rule input data is different for the default DMN model.
        Parameters:
        userId - the id of the user to test for action permissions
        action - the action to test privileges
        scopedObject - the optional scoped object for which the action should be checked
        detailedRuleInput - the rule input as provided and used for the detailed rule model execution
        commandContext - the command context used for execution or access to further services
        Returns:
        the rule input data used for executing the default DMN permission model

      • getDecisionKeyDefaultPermissions

        protected abstract String getDecisionKeyDefaultPermissions()
        If the permission helper is based on a default and detail DMN permission rule mechanism, this method must return the DMN key of the default permission rule model to execute.
        Returns:
        the optional key of the default DMN permission model, null, if none needed

      • executeAndLogPermissionModel

        protected Map<String,​Object> executeAndLogPermissionModel​(CommandContext commandContext,
                                                                String decisionModelKey,
                                                                String tenantId,
                                                                Map<String,​Object> ruleInput)
        Executes a DMN model based on the given input and decision model key with optional logging and returns the output as a single result.
        Parameters:
        commandContext - the command context used to execute the DMN model
        decisionModelKey - the key of the DMN model to be executed
        tenantId - the id of the tenant used to lookup the dmn definition
        ruleInput - the input values used for executing the DMN model
        Returns:
        the single output result

      • evaluatePermissionRuleOutput

        protected PermissionEvaluationResult evaluatePermissionRuleOutput​(String userId,
                                                                  Collection<String> userGroupKeys,
                                                                  String userTenantId,
                                                                  Map<String,​Object> outputValues,
                                                                  CommandContext commandContext)
        Further evaluates the permission output as retrieved from executing the DMN model. Depending on the output permission, it further checks whether the user is a member of a certain required group and returns the evaluated permission accordingly.
        Parameters:
        userId - the id of the user to check the permissions for
        userGroupKeys - the group keys of the user to check the permissions for
        userTenantId - the tenant id of the user to check the permissions for
        outputValues - the output values as being retrieved by executing the DMN model
        commandContext - the command context for retrieving further values
        Returns:
        the final evaluated permission

      • renderErrorMessage

        protected String renderErrorMessage​(String tenantId,
                                    String errorCode,
                                    Map<String,​Object> payload)
        Creates a permission error message based on the provided error code and payload. The payload must at least contain the necessary parameters as being defined within the TemplateVariationModel. This one uses english as the default language.
        Parameters:
        tenantId - the if of the tenant that should be used when preparing the message
        errorCode - the error code to choose the template variation for
        payload - the optional payload containing the necessary parameters (if any needed by the template)
        Returns:
        the rendered permission error message

      • getTenantId

        protected abstract String getTenantId​(T scopedObject)