From a51112ce624db82bd128af7a5a9c71410141f184 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pere=20Fern=C3=A1ndez?= Date: Tue, 23 Jul 2024 08:38:48 +0200 Subject: [PATCH] incubator-kie-issues#1388: `UserTasks` without Actors/Groups assignments can transition to any phase without checking any security policy (#1985) --- .../src/main/resources/service-desk.bpmn | 12 +++++++- .../quarkus/ServiceDeskProcessTest.java | 26 ++++++++++++----- .../src/main/resources/service-desk.bpmn | 14 +++++++-- .../springboot/ServiceDeskProcessTest.java | 29 ++++++++++++++----- 4 files changed, 62 insertions(+), 19 deletions(-) diff --git a/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn b/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn index 7065f168ef..264cf721c3 100644 --- a/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn +++ b/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn @@ -1,4 +1,5 @@ - + + @@ -499,11 +500,13 @@ + _AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX _AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX + _AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX _AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX @@ -524,6 +527,13 @@ + + _AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX + + + + + _AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX evaluation diff --git a/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java b/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java index 768afb787c..a5f39fc5cf 100644 --- a/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java 
+++ b/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java @@ -94,6 +94,7 @@ private void addSupportComment(String id) { String location = given() .basePath(BASE_PATH) .contentType(ContentType.JSON) + .queryParam("group", "support") .when() .post("/{id}/ReceiveSupportComment", id) .then() @@ -125,9 +126,11 @@ private void addSupportComment(String id) { private void addCustomerComment(String id) { String location = given() - .basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON) + .basePath(BASE_PATH) + .contentType(ContentType.JSON) + .queryParam("group", "customer") .when() - .post("/ReceiveCustomerComment") + .post("/{id}/ReceiveCustomerComment", id) .then() .statusCode(201) .header("Location", notNullValue()) @@ -156,16 +159,23 @@ private void addCustomerComment(String id) { } private void resolveCase(String id) { - given().basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON).when().post("/Resolve_Case").then() - .statusCode(200).body("supportCase.state", is(State.RESOLVED.name())); + given() + .basePath(BASE_PATH) + .contentType(ContentType.JSON) + .when() + .post("/{id}/Resolve_Case", id) + .then() + .statusCode(200) + .body("supportCase.state", is(State.RESOLVED.name())); } private void sendQuestionnaire(String id) { String taskId = given() - .basePath(BASE_PATH + "/" + id) + .basePath(BASE_PATH) .contentType(ContentType.JSON) + .queryParam("group", "customer") .when() - .get("/tasks") + .get("/{id}/tasks", id) .then() .statusCode(200) .body("size()", is(1)) 
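Review bot: The added `.queryParam("group", "support")` in addSupportComment sends a group but no user, while the Spring Boot copy of this test sends both `user` and `group` for the same call. The same applies to addCustomerComment in the `@@ -125` hunk and to the `/{id}/tasks` lookup in the `@@ -156` hunk. If the policy is meant to be exercised by an identified caller, add `.queryParam("user", "kelly")` here and `.queryParam("user", "Paco")` on the customer calls. If group-only is intentional, a comment such as `// group membership alone is expected to satisfy the task's security policy` would make that explicit. addSupportComment's body continues outside the hunk.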
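Review bot: resolveCase still posts to `/{id}/Resolve_Case` with no `user` or `group` and expects 200, in a commit whose subject is about phase transitions happening without a security-policy check. The BPMN content is not readable in this patch, so Resolve_Case may not be a user task and may need no identity. If so, a comment above the call, e.g. `// Resolve_Case is not a user task, so no identity is sent`, would stop readers from taking it as an unchecked transition. If it is a user task, the request should carry the assigned group like the other calls. The Spring Boot test has the same call in its `@@ -171` hunk.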
@@ -177,13 +187,13 @@ private void sendQuestionnaire(String id) { params.put("evaluation", 10); given() - .basePath(BASE_PATH + "/" + id) + .basePath(BASE_PATH) .queryParam("user", "Paco") .queryParam("group", "customer") .contentType(ContentType.JSON) .when() .body(params) - .post("/Questionnaire/" + taskId) + .post("/{id}/Questionnaire/{taskId}/", id, taskId) .then() .statusCode(200) .body("supportCase.state", is(State.CLOSED.name())) diff --git a/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn b/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn index 30e28de5b9..264cf721c3 100644 --- a/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn +++ b/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn @@ -1,4 +1,5 @@ - + + @@ -499,11 +500,13 @@ + _AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX _AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX + _AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX _AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX @@ -524,6 +527,13 @@ + + _AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX + + + + + _AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX evaluation @@ -902,4 +912,4 @@ _fswpMKJxEDiZN4UVlvQdCA _fswpMKJxEDiZN4UVlvQdCA - + \ No newline at end of file diff --git a/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java b/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java index ab8be3b91e..d0f5da8495 100644 --- a/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java 
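Review bot: The new path `"/{id}/Questionnaire/{taskId}/"` ends with a slash, whereas the Spring Boot test posts to `"/{id}/Questionnaire/{taskId}"`. Whether a trailing slash matches the same resource depends on the framework's routing settings, so this test could pass or fail for reasons unrelated to the security policy. Use `.post("/{id}/Questionnaire/{taskId}", id, taskId)` so both examples hit the same route. sendQuestionnaire starts in the previous hunk.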
+++ b/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java @@ -109,6 +109,8 @@ private void addSupportComment(String id) { String location = given() .basePath(BASE_PATH) .contentType(ContentType.JSON) + .queryParam("user", "kelly") + .queryParam("group", "support") .when() .post("/{id}/ReceiveSupportComment", id) .then() @@ -140,9 +142,12 @@ private void addSupportComment(String id) { private void addCustomerComment(String id) { String location = given() - .basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON) + .basePath(BASE_PATH) + .contentType(ContentType.JSON) + .queryParam("user", "Paco") + .queryParam("group", "customer") .when() - .post("/ReceiveCustomerComment") + .post("/{id}/ReceiveCustomerComment", id) .then() .statusCode(201) .header("Location", notNullValue()) @@ -171,17 +176,25 @@ private void addCustomerComment(String id) { } private void resolveCase(String id) { - given().basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON).when().post("/Resolve_Case").then() - .statusCode(200).body("supportCase.state", is(State.RESOLVED.name())); + given() + .basePath(BASE_PATH) + .contentType(ContentType.JSON) + .when() + .post("/{id}/Resolve_Case", id) + .then() + .statusCode(200) + .body("supportCase.state", is(State.RESOLVED.name())); } @SuppressWarnings("unchecked") private void sendQuestionnaire(String id) { String taskId = given() - .basePath(BASE_PATH + "/" + id) + .basePath(BASE_PATH) .contentType(ContentType.JSON) + .queryParam("user", "Paco") + .queryParam("group", "customer") .when() - .get("/tasks") + .get("/{id}/tasks", id) .then() .statusCode(200) .body("size()", is(1)) 
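Review bot: The caller's identity in these requests is whatever the `user` and `group` query parameters say (`.queryParam("user", "kelly")`, `.queryParam("group", "support")`), and no credentials are visible on the request. That is acceptable for an example test, but it deserves a comment so the pattern is not copied as-is, e.g. `// identity is caller-asserted via query params here; a secured deployment should take it from the authenticated principal`. Presumably the example application has no authentication configured; confirm that before wording the comment. The same applies to the `@@ -140` and `@@ -171` hunks.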
@@ -195,13 +208,13 @@ private void sendQuestionnaire(String id) { params.put("evaluation", 10); given() - .basePath(BASE_PATH + "/" + id) + .basePath(BASE_PATH) .queryParam("user", "Paco") .queryParam("group", "customer") .contentType(ContentType.JSON) .when() .body(params) - .post("/Questionnaire/" + taskId) + .post("/{id}/Questionnaire/{taskId}", id, taskId) .then() .statusCode(200) .body("supportCase.state", is(State.CLOSED.name()))
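Review bot: Only the permitted path is tested here: the POST to `/{id}/Questionnaire/{taskId}` is made with `group=customer` and expects 200. Nothing asserts that a caller outside that group is refused, which is the behaviour the commit subject is about. Before this request, add one to the same path with `.queryParam("group", "support")`, and one with no `user` or `group` at all, each asserting the rejection status the runtime returns. The Quarkus test in its `@@ -177` hunk needs the same negative case. sendQuestionnaire starts in the previous hunk.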