[MNT-24913] Added fallback method to obtain deployment category in order to check if workflow is secure (#3236)

Tiago Salvado
2025-03-06 12:35:03 +00:00
committed by GitHub
parent 7749f7b80d
commit ec78a1486c


@@ -28,11 +28,17 @@ package org.alfresco.repo.workflow.activiti.script;
import java.util.Map; import java.util.Map;
import org.activiti.engine.RepositoryService;
import org.activiti.engine.delegate.VariableScope; import org.activiti.engine.delegate.VariableScope;
import org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl; import org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.activiti.engine.impl.context.Context; import org.activiti.engine.impl.context.Context;
import org.activiti.engine.impl.el.Expression; import org.activiti.engine.impl.el.Expression;
import org.activiti.engine.impl.persistence.entity.DeploymentEntity; import org.activiti.engine.impl.persistence.entity.DeploymentEntity;
import org.activiti.engine.impl.persistence.entity.ExecutionEntity;
import org.activiti.engine.repository.ProcessDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.workflow.WorkflowDeployer; import org.alfresco.repo.workflow.WorkflowDeployer;
@@ -45,13 +51,12 @@ import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.cmr.workflow.WorkflowException; import org.alfresco.service.cmr.workflow.WorkflowException;
/** /**
* Base class for execution scripts, using {@link ScriptService} as part of * Base class for execution scripts, using {@link ScriptService} as part of activiti workflow.
* activiti workflow.
* *
* @author Frederik Heremans * @author Frederik Heremans
* @since 3.4.e * @since 3.4.e
*/ */
public class ActivitiScriptBase public class ActivitiScriptBase
{ {
protected static final String PERSON_BINDING_NAME = "person"; protected static final String PERSON_BINDING_NAME = "person";
protected static final String USERHOME_BINDING_NAME = "userhome"; protected static final String USERHOME_BINDING_NAME = "userhome";
@@ -61,17 +66,19 @@ public class ActivitiScriptBase
protected Expression runAs; protected Expression runAs;
protected Expression scriptProcessor; protected Expression scriptProcessor;
private static final Logger LOGGER = LoggerFactory.getLogger(ActivitiScriptBase.class);
protected Object executeScript(String theScript, Map<String, Object> model, String scriptProcessorName, String runAsUser) protected Object executeScript(String theScript, Map<String, Object> model, String scriptProcessorName, String runAsUser)
{ {
String user = AuthenticationUtil.getFullyAuthenticatedUser(); String user = AuthenticationUtil.getFullyAuthenticatedUser();
Object scriptResult = null; Object scriptResult = null;
if (runAsUser == null && user != null) if (runAsUser == null && user != null)
{ {
// Just execute the script using the current user // Just execute the script using the current user
scriptResult = executeScript(theScript, model, scriptProcessorName); scriptResult = executeScript(theScript, model, scriptProcessorName);
} }
else else
{ {
if (runAsUser != null) if (runAsUser != null)
{ {
@@ -87,26 +94,25 @@ public class ActivitiScriptBase
} }
return scriptResult; return scriptResult;
} }
protected Object executeScriptAsUser(final String theScript, final Map<String, Object> model, final String scriptProcessorName, final String runAsUser) protected Object executeScriptAsUser(final String theScript, final Map<String, Object> model, final String scriptProcessorName, final String runAsUser)
{ {
// execute as specified runAsUser // execute as specified runAsUser
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<>() {
{
public Object doWork() throws Exception public Object doWork() throws Exception
{ {
return executeScript(theScript, model, scriptProcessorName); return executeScript(theScript, model, scriptProcessorName);
} }
}, runAsUser); }, runAsUser);
} }
protected Object executeScript(String theScript, Map<String, Object> model, String scriptProcessorName) protected Object executeScript(String theScript, Map<String, Object> model, String scriptProcessorName)
{ {
// Execute the script using the appropriate processor // Execute the script using the appropriate processor
Object scriptResult = null; Object scriptResult = null;
// Checks if current workflow is secure // Checks if current workflow is secure
boolean secure = isSecure(); boolean secure = isSecure(model);
if (scriptProcessorName != null) if (scriptProcessorName != null)
{ {
@@ -117,11 +123,11 @@ public class ActivitiScriptBase
// Use default script-processor // Use default script-processor
scriptResult = getServiceRegistry().getScriptService().executeScriptString(theScript, model, secure); scriptResult = getServiceRegistry().getScriptService().executeScriptString(theScript, model, secure);
} }
return scriptResult; return scriptResult;
} }
protected String getStringValue(Expression expression, VariableScope scope) protected String getStringValue(Expression expression, VariableScope scope)
{ {
if (expression != null) if (expression != null)
{ {
@@ -133,15 +139,15 @@ public class ActivitiScriptBase
protected ServiceRegistry getServiceRegistry() protected ServiceRegistry getServiceRegistry()
{ {
ProcessEngineConfigurationImpl config = Context.getProcessEngineConfiguration(); ProcessEngineConfigurationImpl config = Context.getProcessEngineConfiguration();
if (config != null) if (config != null)
{ {
// Fetch the registry that is injected in the activiti spring-configuration // Fetch the registry that is injected in the activiti spring-configuration
ServiceRegistry registry = (ServiceRegistry) config.getBeans().get(ActivitiConstants.SERVICE_REGISTRY_BEAN_KEY); ServiceRegistry registry = (ServiceRegistry) config.getBeans().get(ActivitiConstants.SERVICE_REGISTRY_BEAN_KEY);
if (registry == null) if (registry == null)
{ {
throw new RuntimeException( throw new RuntimeException(
"Service-registry not present in ProcessEngineConfiguration beans, expected ServiceRegistry with key" + "Service-registry not present in ProcessEngineConfiguration beans, expected ServiceRegistry with key" +
ActivitiConstants.SERVICE_REGISTRY_BEAN_KEY); ActivitiConstants.SERVICE_REGISTRY_BEAN_KEY);
} }
return registry; return registry;
} }
@@ -149,42 +155,136 @@ public class ActivitiScriptBase
} }
/** /**
* Checks whether the workflow must be considered secure or not - based on {@link DeploymentEntity} category. * Checks whether the workflow must be considered secure or not - based on {@link DeploymentEntity} category. If it is not considered secure, the workflow will be executed in sandbox context with more restrictions
* If it is not considered secure, the workflow will be executed in sandbox context with more restrictions
* *
* @return true if workflow is considered secure, false otherwise * @return true if workflow is considered secure, false otherwise
*/ */
private boolean isSecure() private boolean isSecure(Map<String, Object> model)
{
String category = getDeploymentCategory(model);
// iF The deployment category matches the condition (either internal or full access) the workflow is considered secure
return category != null && (WorkflowDeployer.CATEGORY_ALFRESCO_INTERNAL.equals(category) || WorkflowDeployer.CATEGORY_FULL_ACCESS.equals(category));
}
/**
* Gets the deployment category from the execution context. If no execution context is available, a query to obtain the deployment is performed so the category can be returned.
*
* @param model
* a map with workflow model
* @return the deployment category
*/
private String getDeploymentCategory(Map<String, Object> model)
{
String category = getDeploymentCategoryFromContext();
if (category == null)
{
String deploymentId = null;
String processDefinitionId = null;
if (model != null && model.containsKey(EXECUTION_BINDING_NAME) && model.get(EXECUTION_BINDING_NAME) instanceof ExecutionEntity)
{
ExecutionEntity executionEntity = (ExecutionEntity) model.get(EXECUTION_BINDING_NAME);
deploymentId = executionEntity.getDeploymentId();
processDefinitionId = executionEntity.getProcessDefinitionId();
}
category = getDeploymentCategoryFromQuery(deploymentId, processDefinitionId);
}
return category;
}
/**
* Obtains the deployment category from current execution context
*
* @return the category for current execution deployment, otherwise null
*/
private String getDeploymentCategoryFromContext()
{ {
String category = null; String category = null;
try try
{ {
if (Context.isExecutionContextActive()) if (Context.isExecutionContextActive())
{ {
category = Context.getExecutionContext().getDeployment().getCategory(); category = Context.getExecutionContext().getDeployment().getCategory();
} }
else
{
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("No execution context available");
}
}
} }
catch (Exception e) catch (Exception e)
{ {
// No action required if (LOGGER.isDebugEnabled())
{
LOGGER.debug("Could not obtain deployment category from execution context: {}", e.getMessage());
}
} }
// If the workflow is considered secure, the deployment entity category matches the condition (either internal or full access) return category;
return category != null && (WorkflowDeployer.CATEGORY_ALFRESCO_INTERNAL.equals(category) || WorkflowDeployer.CATEGORY_FULL_ACCESS.equals(category));
} }
/** /**
* Checks that the specified 'runAs' field * Obtains the deployment category through a query
* specifies a valid username. *
* @param deploymentId
* the deployment id to obtain the category from
* @param processDefinitionId
* if no deployment id is provided, the process definition id can be used to obtain the deployment
* @return the category for the obtained deployment, otherwise null
*/ */
private void validateRunAsUser(final String runAsUser) private String getDeploymentCategoryFromQuery(String deploymentId, String processDefinitionId)
{ {
Boolean runAsExists = AuthenticationUtil.runAs(new RunAsWork<Boolean>() String category = null;
try
{ {
RepositoryService repositoryService = Context.getProcessEngineConfiguration().getRepositoryService();
if (deploymentId == null && processDefinitionId != null)
{
ProcessDefinition processDefnition = repositoryService.getProcessDefinition(processDefinitionId);
if (processDefnition != null)
{
deploymentId = processDefnition.getDeploymentId();
}
}
if (deploymentId != null)
{
DeploymentEntity deployment = (DeploymentEntity) repositoryService.createDeploymentQuery().deploymentId(deploymentId).singleResult();
if (deployment != null)
{
category = deployment.getCategory();
}
}
}
catch (Exception e)
{
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("Could not obtain deployment category through a query: {}", e.getMessage());
}
}
return category;
}
/**
* Checks that the specified 'runAs' field specifies a valid username.
*/
private void validateRunAsUser(final String runAsUser)
{
Boolean runAsExists = AuthenticationUtil.runAs(new RunAsWork<>() {
// Validate using System user to ensure sufficient permissions available to access person node. // Validate using System user to ensure sufficient permissions available to access person node.
public Boolean doWork() throws Exception @Override
public Boolean doWork() throws Exception
{ {
return getServiceRegistry().getPersonService().personExists(runAsUser); return getServiceRegistry().getPersonService().personExists(runAsUser);
} }
@@ -195,21 +295,21 @@ public class ActivitiScriptBase
throw new WorkflowException("runas user '" + runAsUser + "' does not exist."); throw new WorkflowException("runas user '" + runAsUser + "' does not exist.");
} }
} }
protected ActivitiScriptNode getPersonNode(String runAsUser) protected ActivitiScriptNode getPersonNode(String runAsUser)
{ {
String userName = null; String userName = null;
if (runAsUser != null) if (runAsUser != null)
{ {
userName = runAsUser; userName = runAsUser;
} }
else else
{ {
userName = AuthenticationUtil.getFullyAuthenticatedUser(); userName = AuthenticationUtil.getFullyAuthenticatedUser();
} }
// The "System" user is a special case, which has no person object associated with it. // The "System" user is a special case, which has no person object associated with it.
if(userName != null && !AuthenticationUtil.SYSTEM_USER_NAME.equals(userName)) if (userName != null && !AuthenticationUtil.SYSTEM_USER_NAME.equals(userName))
{ {
ServiceRegistry services = getServiceRegistry(); ServiceRegistry services = getServiceRegistry();
PersonService personService = services.getPersonService(); PersonService personService = services.getPersonService();
@@ -221,18 +321,18 @@ public class ActivitiScriptBase
} }
return null; return null;
} }
public void setScript(Expression script) public void setScript(Expression script)
{ {
this.script = script; this.script = script;
} }
public void setRunAs(Expression runAs) public void setRunAs(Expression runAs)
{ {
this.runAs = runAs; this.runAs = runAs;
} }
public void setScriptProcessor(Expression scriptProcessor) public void setScriptProcessor(Expression scriptProcessor)
{ {
this.scriptProcessor = scriptProcessor; this.scriptProcessor = scriptProcessor;
} }
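Review bot: In `getDeploymentCategoryFromQuery`, `Context.getProcessEngineConfiguration().getRepositoryService()` is dereferenced without the null check that `getServiceRegistry()` applies to the same call, so when no configuration is available the fallback ends in a NullPointerException that the broad `catch (Exception e)` records only at debug level, and only as `e.getMessage()`. The outcome is still the safe one, since a null category makes `isSecure(model)` return false and the script runs sandboxed. That fail-closed default decides whether a workflow script is sandboxed, yet it is only implicit, so I would state it in the Javadoc of `isSecure`, which also lacks a `@param model` entry. I would guard the configuration explicitly and pass the exception itself to the logger, e.g. `LOGGER.debug("Could not obtain deployment category through a query", e);`, which also makes the `isDebugEnabled()` wrappers unnecessary. Separately, the fallback takes the `execution` binding from `model`, the same map that is passed on to `executeScriptString`; how `model` is populated is not visible in this diff, so it is worth confirming that only engine code can set that entry before the category is read.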