
Use custom IdM identity service in Flowable for user's groups resolution. #198

Merged
merged 6 commits into from
Sep 2, 2024

Conversation

krausvo1
Contributor

@krausvo1 krausvo1 commented Sep 2, 2024

  • The IdM identity service for Flowable (former Activiti) has existed in Wren:IDM for some time, but it was never used. This PR refactors the service and group query implementation and enables usage of a custom IdM service.
  • The IdM service refactor is based on Flowable's implementation of the LDAP IdM identity service (flowable-ldap module, flowable-ldap-configurator module).
  • The former group query implementation ignored filtering parameters. Not all parameters are supported. Only parameters that might be used by Flowable's internals or parameters used by Wren:IDM are supported.
  • The main use case for these changes is letting Flowable handle resolution of group members when deciding whether a user is a task candidate or not. We no longer need to check the user's authzRoles and compare them with the task's candidate groups manually. This is reflected by changes in router-authz.js, getavailableuserstoassign.js and gettasksview.js.

Other notable changes:

  • endpoint/getavailableuserstoassign should now be called as a query instead of an action. The only script that calls this endpoint is gettasksview.js, which incorrectly called it as a query, which I think does make sense. The format of the response also changed: { users: [<users>], assignee: <assignee> } -> [<users>]. The assignee property has not been used anywhere, so I don't think it needs to be preserved. The task's assignee is always available in the task instance object anyway.
  • endpoint/gettasksview and the custom authz functions canUpdateTask and isUserCandidateForTask no longer use the user's authorization roles from the security context to compare them with the task instance's candidate groups. Instead, the task instance resource is queried with appropriate query parameters (taskCandidateUser, taskCandidateOrAssignee) and Flowable will decide whether the user is a candidate or not based on the user's roles (reverse attribute for the managed role's members attribute).
  • The user query used by the IdM identity service has been disabled (throws an error if used) since it is used neither by Wren:IDM nor by Flowable's internals (in Wren:IDM's use cases). I have not deleted IdmUserQuery.java, but I think we should consider it.

There are also some minor fixes that might be separated to another PR if desired.
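As an added illustration (constructed here; not code from this PR, from Wren:IDM or from Flowable), the candidate check described above modelled in plain JavaScript: group membership is resolved from the managed role's members attribute by an identity-service stand-in, and the authorization helpers ask a task query with taskCandidateUser / taskCandidateOrAssignee rather than comparing security-context roles with candidate groups themselves. The sample roles and task instances, and the names groupsForMember, queryTaskInstances and tasksForUser, are assumptions; the Flowable engine's real query implementation is only modelled, not reproduced.

```javascript
// Constructed sample data: managed roles carrying a "members" attribute
// (the reverse of a user's authzRoles attribute).
const managedRoles = {
  'role/approvers': { members: ['alice', 'bob'] },
  'role/auditors': { members: ['carol'] },
};

// Constructed task instances standing in for Flowable task instance objects.
const taskInstances = [
  { id: 't1', candidateGroups: ['role/approvers'], candidateUsers: [], assignee: null },
  { id: 't2', candidateGroups: ['role/auditors'], candidateUsers: ['dave'], assignee: null },
  { id: 't3', candidateGroups: ['role/auditors'], candidateUsers: [], assignee: 'bob' },
];

// Stand-in for the identity service's group query restricted to a member:
// membership is resolved from the role side, not from the caller's context.
function groupsForMember(userId) {
  return Object.keys(managedRoles).filter(
    (roleId) => managedRoles[roleId].members.includes(userId)
  );
}

// A user is a candidate when listed directly or via a resolved group.
function isCandidate(task, userId) {
  const groups = groupsForMember(userId);
  return task.candidateUsers.includes(userId)
    || task.candidateGroups.some((group) => groups.includes(group));
}

// Models a task instance query supporting the two parameters named in the PR
// (assumed semantics: taskCandidateOrAssignee also matches the assignee).
function queryTaskInstances(params) {
  return taskInstances.filter((task) => {
    if (params.taskId !== undefined && task.id !== params.taskId) {
      return false;
    }
    if (params.taskCandidateUser !== undefined
        && !isCandidate(task, params.taskCandidateUser)) {
      return false;
    }
    if (params.taskCandidateOrAssignee !== undefined) {
      const userId = params.taskCandidateOrAssignee;
      if (task.assignee !== userId && !isCandidate(task, userId)) {
        return false;
      }
    }
    return true;
  });
}

// Authorization helpers in the spirit of isUserCandidateForTask / canUpdateTask:
// the decision is delegated to the query, so the engine owns group resolution.
function isUserCandidateForTask(userId, taskId) {
  return queryTaskInstances({ taskId, taskCandidateUser: userId }).length === 1;
}

function canUpdateTask(userId, taskId) {
  return queryTaskInstances({ taskId, taskCandidateOrAssignee: userId }).length === 1;
}

// Task ids visible to a user (the gettasksview use case): candidate or assignee.
function tasksForUser(userId) {
  return queryTaskInstances({ taskCandidateOrAssignee: userId }).map((task) => task.id);
}

console.log(JSON.stringify({
  bob: tasksForUser('bob'),       // ["t1","t3"]: candidate via role, assignee of t3
  carol: tasksForUser('carol'),   // ["t2","t3"]: candidate via role/auditors
}));
```

The point of the split between isUserCandidateForTask and canUpdateTask is that an assignee who is not a member of any candidate group still passes the update check but not the candidate check, which is why the two query parameters are kept distinct.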

@krausvo1 krausvo1 force-pushed the flowable_identity_service branch 2 times, most recently from 6afbf70 to 6242333 Compare September 2, 2024 08:16
@krausvo1
Contributor Author

krausvo1 commented Sep 2, 2024

Updated forgotten copyright headers.

@krausvo1 krausvo1 force-pushed the flowable_identity_service branch 2 times, most recently from c70d652 to 6e965dd Compare September 2, 2024 09:01
Member

@pavelhoral pavelhoral left a comment


LGTM

@pavelhoral pavelhoral merged commit 963758e into WrenSecurity:main Sep 2, 2024
2 checks passed
pavelhoral added a commit that referenced this pull request Sep 2, 2024
Use custom IdM identity service in Flowable for user's groups resolution.
@pavelhoral pavelhoral changed the title DRAFT: Use custom IdM identity service in Flowable for user's groups resolution. Use custom IdM identity service in Flowable for user's groups resolution. Sep 2, 2024