Package com.flowable.platform.service.permission

Class AbstractDmnBasedPermissionHelper<T>

java.lang.Object
com.flowable.platform.service.permission.AbstractDmnBasedPermissionHelper<T>
Type Parameters:
T - the type of the scoped object this permission helper is implemented for (e.g. a conversation, a user or a case, etc)
Direct Known Subclasses:
UserPermissionServiceImpl
public abstract class AbstractDmnBasedPermissionHelper<T> extends Object
An abstract based class for DMN based permission helpers where the evaluation of permissions is based on the execution of DMN models. There are two possible ways to implement such a helper: based on a default and detailed DMN permission model or simply based on one only. If based on two models, implement getDecisionKeyDefaultPermissions() and return the DMN key of the default permission model, otherwise return null instead. The idea of the default model is around execution speed where the commonly used use cases should already be covered by executing the default model and the details should only be needed for deeper testing or not so common use cases.

  • Field Details

  • Constructor Details

    • AbstractDmnBasedPermissionHelper

      public AbstractDmnBasedPermissionHelper()

  • Method Details

    • evaluatePermissionsAndProcessResult

      protected Optional<String> evaluatePermissionsAndProcessResult(String userId, Collection<String> userGroupKeys, String userTenantId, String tenantId, AuthorizedAction action, T scopedObject, Map<String,Object> ruleInput, String decisionModelKey, String globalErrorMessageCode, CommandContext commandContext)
      Evaluates default permissions first using the default DMN rule model and depending on the outcome, evaluates the detail DMN rule model according the provided action and decision key and finally processes the outcome accordingly resulting in an optional error message, if permissions have been denied.
      Parameters:
      userId - the id of the user to test for permissions
      userGroupKeys - the group keys of the user to check the permissions for
      userTenantId - the tenant id of the user to check the permissions for
      tenantId - the id of the tenant that will be used for lookup of the dmn definition
      action - the action to be tested
      scopedObject - the scoped object in which context the permissions should be checked
      ruleInput - the map containing the necessary input values for executing the detailed DMN rule model
      decisionModelKey - the key of the detailed DMN decision model
      globalErrorMessageCode - the error message code to be used for error message rendering, if permissions are denied but no detailed error message was provided
      commandContext - the command context to execute commands or request additional services and information
      Returns:
      the optional error message if permissions are denied, for granted access, an Optional.empty is returned

    • processErrorMessage

      protected Optional<String> processErrorMessage(String tenantId, PermissionEvaluationResult evaluationResult, String globalErrorMessageCode, Map<String,Object> ruleInput)
      Processes and returns the error code according the available error message or error message code within the given evaluation result. If none is provided, the general error message will be returned instead.
      Parameters:
      evaluationResult - the result from the DMN permission model evaluation
      globalErrorMessageCode - the global error message code to be used if not a specific one is provided
      ruleInput - the map with the input values to the DMN model
      Returns:
      the error message

    • evaluateDefaultPermissionOutput

      protected PermissionEvaluationResult evaluateDefaultPermissionOutput(String userId, Collection<String> userGroupKeys, String userTenantId, String tenantId, AuthorizedAction action, T scopedObject, Map<String,Object> detailedRuleInput, CommandContext commandContext)
      Evaluates the basic permissions for a given action within the scoped object for a specific user based on the default permission DMN model. The output might directly grant or deny access to the action or there is the need to test the action with the particular detailed DMN model for that action.
      Parameters:
      userId - the id of the user to test for action permission
      userGroupKeys - the group keys of the user to check the permissions for
      userTenantId - the tenant id of the user to check the permissions for
      action - the action to test privileges
      scopedObject - the optional scoped object for which the action should be checked
      commandContext - the command context used for execution or access to further services

    • createRuleInputForDefaultModel

      protected abstract Map<String,Object> createRuleInputForDefaultModel(String userId, AuthorizedAction action, T scopedObject, Map<String,Object> detailedRuleInput, CommandContext commandContext)
      If getDecisionKeyDefaultPermissions() returns a non-null value, this method must be implemented in order to create the rule input data for evaluating the default permission model. The easiest way is by just returning the same rule input as being used for the detailed rule model, but in some cases, the rule input data is different for the default DMN model.
      Parameters:
      userId - the id of the user to test for action permissions
      action - the action to test privileges
      scopedObject - the optional scoped object for which the action should be checked
      detailedRuleInput - the rule input as provided and used for the detailed rule model execution
      commandContext - the command context used for execution or access to further services
      Returns:
      the rule input data used for executing the default DMN permission model

    • getDecisionKeyDefaultPermissions

      protected abstract String getDecisionKeyDefaultPermissions()
      If the permission helper is based on a default and detail DMN permission rule mechanism, this method must return the DMN key of the default permission rule model to execute.
      Returns:
      the optional key of the default DMN permission model, null, if none needed

    • executeAndLogPermissionModel

      protected Map<String,Object> executeAndLogPermissionModel(CommandContext commandContext, String decisionModelKey, String tenantId, Map<String,Object> ruleInput)
      Executes a DMN model based on the given input and decision model key with optional logging and returns the output as a single result.
      Parameters:
      commandContext - the command context used to execute the DMN model
      decisionModelKey - the key of the DMN model to be executed
      tenantId - the id of the tenant used to lookup the dmn definition
      ruleInput - the input values used for executing the DMN model
      Returns:
      the single output result

    • evaluatePermissionRuleOutput

      protected PermissionEvaluationResult evaluatePermissionRuleOutput(String userId, Collection<String> userGroupKeys, String userTenantId, Map<String,Object> outputValues, CommandContext commandContext)
      Further evaluates the permission output as retrieved from executing the DMN model. Depending on the output permission, it further checks whether the user is a member of a certain required group and returns the evaluated permission accordingly.
      Parameters:
      userId - the id of the user to check the permissions for
      userGroupKeys - the group keys of the user to check the permissions for
      userTenantId - the tenant id of the user to check the permissions for
      outputValues - the output values as being retrieved by executing the DMN model
      commandContext - the command context for retrieving further values
      Returns:
      the final evaluated permission

    • renderErrorMessage

      protected String renderErrorMessage(String tenantId, String errorCode, Map<String,Object> payload)
      Creates a permission error message based on the provided error code and payload. The payload must at least contain the necessary parameters as being defined within the TemplateVariationModel. This one uses english as the default language.
      Parameters:
      tenantId - the if of the tenant that should be used when preparing the message
      errorCode - the error code to choose the template variation for
      payload - the optional payload containing the necessary parameters (if any needed by the template)
      Returns:
      the rendered permission error message

    • getEmptyListOnNullValue

      protected List<String> getEmptyListOnNullValue(List<String> list)

    • isUserMemberOfGroup

      protected boolean isUserMemberOfGroup(List<PlatformGroup> groups, String groupKey)

    • getGroups

      protected List<PlatformGroup> getGroups(String userId, CommandContext commandContext)

    • isUserType

      protected boolean isUserType(String userId, String identityType, List<IdentityLinkEntity> identityLinks)

    • isGroupMember

      protected boolean isGroupMember(String userId, Collection<String> memberGroups, String identityType, List<IdentityLinkEntity> identityLinks)

    • getTenantId

      protected abstract String getTenantId(T scopedObject)