incubator-kie-issues#1388: UserTasks without Actors/Groups assignments can transition to any phase without checking any security policy

pefernan · pefernan · commit 334b01783b04 · 2024-07-19T16:31:47.000+02:00
diff --git a/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn b/kogito-quarkus-examples/flexible-process-quarkus/src/main/resources/service-desk.bpmn
@@ -1,4 +1,5 @@
-<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:bpsim="http://www.bpsim.org/schemas/1.0" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:drools="http://www.jboss.org/drools" id="_fswpMKJxEDiZN4UVlvQdCA" exporter="jBPM Process Modeler" exporterVersion="2.0" targetNamespace="http://www.omg.org/bpmn20">
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:bpsim="http://www.bpsim.org/schemas/1.0" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:drools="http://www.jboss.org/drools" id="_pNgJkCgBED20EbaiDTNDeg" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd http://www.jboss.org/drools drools.xsd http://www.bpsim.org/schemas/1.0 bpsim.xsd http://www.omg.org/spec/DD/20100524/DC DC.xsd http://www.omg.org/spec/DD/20100524/DI DI.xsd " exporter="jBPM Process Modeler" exporterVersion="2.0" targetNamespace="http://www.omg.org/bpmn20">
   <bpmn2:itemDefinition id="_supportCaseItem" structureRef="org.kie.kogito.flexible.example.model.SupportCase"/>
   <bpmn2:itemDefinition id="_supportGroupItem" structureRef="String"/>
   <bpmn2:itemDefinition id="_commentItem" structureRef="org.kie.kogito.flexible.example.model.Comment"/>
@@ -499,11 +500,13 @@
         <bpmn2:ioSpecification>
           <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputXItem" name="TaskName"/>
           <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputXItem" name="Skippable"/>
+          <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputXItem" name="GroupId"/>
           <bpmn2:dataOutput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX" drools:dtype="Integer" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputXItem" name="evaluation"/>
           <bpmn2:dataOutput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_commentOutputX" drools:dtype="String" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_commentOutputXItem" name="comment"/>
           <bpmn2:inputSet>
             <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX</bpmn2:dataInputRefs>
             <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX</bpmn2:dataInputRefs>
+            <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX</bpmn2:dataInputRefs>
           </bpmn2:inputSet>
           <bpmn2:outputSet>
             <bpmn2:dataOutputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX</bpmn2:dataOutputRefs>
@@ -524,6 +527,13 @@
             <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX]]></bpmn2:to>
           </bpmn2:assignment>
         </bpmn2:dataInputAssociation>
+        <bpmn2:dataInputAssociation>
+          <bpmn2:targetRef>_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX</bpmn2:targetRef>
+          <bpmn2:assignment>
+            <bpmn2:from xsi:type="bpmn2:tFormalExpression"><![CDATA[customer]]></bpmn2:from>
+            <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX]]></bpmn2:to>
+          </bpmn2:assignment>
+        </bpmn2:dataInputAssociation>
         <bpmn2:dataOutputAssociation>
           <bpmn2:sourceRef>_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX</bpmn2:sourceRef>
           <bpmn2:targetRef>evaluation</bpmn2:targetRef>
diff --git a/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java b/kogito-quarkus-examples/flexible-process-quarkus/src/test/java/org/kie/kogito/flexible/example/quarkus/ServiceDeskProcessTest.java
@@ -94,6 +94,7 @@ private void addSupportComment(String id) {
         String location = given()
                 .basePath(BASE_PATH)
                 .contentType(ContentType.JSON)
+                .queryParam("group", "support")
                 .when()
                 .post("/{id}/ReceiveSupportComment", id)
                 .then()
@@ -125,9 +126,11 @@ private void addSupportComment(String id) {
 
     private void addCustomerComment(String id) {
         String location = given()
-                .basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON)
+                .basePath(BASE_PATH)
+                .contentType(ContentType.JSON)
+                .queryParam("group", "customer")
                 .when()
-                .post("/ReceiveCustomerComment")
+                .post("/{id}/ReceiveCustomerComment", id)
                 .then()
                 .statusCode(201)
                 .header("Location", notNullValue())
@@ -156,16 +159,23 @@ private void addCustomerComment(String id) {
     }
 
     private void resolveCase(String id) {
-        given().basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON).when().post("/Resolve_Case").then()
-                .statusCode(200).body("supportCase.state", is(State.RESOLVED.name()));
+        given()
+                .basePath(BASE_PATH)
+                .contentType(ContentType.JSON)
+                .when()
+                .post("/{id}/Resolve_Case", id)
+                .then()
+                .statusCode(200)
+                .body("supportCase.state", is(State.RESOLVED.name()));
     }
 
     private void sendQuestionnaire(String id) {
         String taskId = given()
-                .basePath(BASE_PATH + "/" + id)
+                .basePath(BASE_PATH)
                 .contentType(ContentType.JSON)
+                .queryParam("group", "customer")
                 .when()
-                .get("/tasks")
+                .get("/{id}/tasks", id)
                 .then()
                 .statusCode(200)
                 .body("size()", is(1))
@@ -177,13 +187,13 @@ private void sendQuestionnaire(String id) {
         params.put("evaluation", 10);
 
         given()
-                .basePath(BASE_PATH + "/" + id)
+                .basePath(BASE_PATH)
                 .queryParam("user", "Paco")
                 .queryParam("group", "customer")
                 .contentType(ContentType.JSON)
                 .when()
                 .body(params)
-                .post("/Questionnaire/" + taskId)
+                .post("/{id}/Questionnaire/{taskId}/", id, taskId)
                 .then()
                 .statusCode(200)
                 .body("supportCase.state", is(State.CLOSED.name()))
diff --git a/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn b/kogito-springboot-examples/flexible-process-springboot/src/main/resources/service-desk.bpmn
@@ -1,4 +1,5 @@
-<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:bpsim="http://www.bpsim.org/schemas/1.0" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:drools="http://www.jboss.org/drools" id="_fswpMKJxEDiZN4UVlvQdCA" exporter="jBPM Process Modeler" exporterVersion="2.0" targetNamespace="http://www.omg.org/bpmn20">
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:bpsim="http://www.bpsim.org/schemas/1.0" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:drools="http://www.jboss.org/drools" id="_pNgJkCgBED20EbaiDTNDeg" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd http://www.jboss.org/drools drools.xsd http://www.bpsim.org/schemas/1.0 bpsim.xsd http://www.omg.org/spec/DD/20100524/DC DC.xsd http://www.omg.org/spec/DD/20100524/DI DI.xsd " exporter="jBPM Process Modeler" exporterVersion="2.0" targetNamespace="http://www.omg.org/bpmn20">
   <bpmn2:itemDefinition id="_supportCaseItem" structureRef="org.kie.kogito.flexible.example.model.SupportCase"/>
   <bpmn2:itemDefinition id="_supportGroupItem" structureRef="String"/>
   <bpmn2:itemDefinition id="_commentItem" structureRef="org.kie.kogito.flexible.example.model.Comment"/>
@@ -499,11 +500,13 @@
         <bpmn2:ioSpecification>
           <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputXItem" name="TaskName"/>
           <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputXItem" name="Skippable"/>
+          <bpmn2:dataInput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX" drools:dtype="Object" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputXItem" name="GroupId"/>
           <bpmn2:dataOutput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX" drools:dtype="Integer" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputXItem" name="evaluation"/>
           <bpmn2:dataOutput id="_AD768963-CBF7-4269-9D43-51FE0D5D2556_commentOutputX" drools:dtype="String" itemSubjectRef="__AD768963-CBF7-4269-9D43-51FE0D5D2556_commentOutputXItem" name="comment"/>
           <bpmn2:inputSet>
             <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_TaskNameInputX</bpmn2:dataInputRefs>
             <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX</bpmn2:dataInputRefs>
+            <bpmn2:dataInputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX</bpmn2:dataInputRefs>
           </bpmn2:inputSet>
           <bpmn2:outputSet>
             <bpmn2:dataOutputRefs>_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX</bpmn2:dataOutputRefs>
@@ -524,6 +527,13 @@
             <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_AD768963-CBF7-4269-9D43-51FE0D5D2556_SkippableInputX]]></bpmn2:to>
           </bpmn2:assignment>
         </bpmn2:dataInputAssociation>
+        <bpmn2:dataInputAssociation>
+          <bpmn2:targetRef>_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX</bpmn2:targetRef>
+          <bpmn2:assignment>
+            <bpmn2:from xsi:type="bpmn2:tFormalExpression"><![CDATA[customer]]></bpmn2:from>
+            <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_AD768963-CBF7-4269-9D43-51FE0D5D2556_GroupIdInputX]]></bpmn2:to>
+          </bpmn2:assignment>
+        </bpmn2:dataInputAssociation>
         <bpmn2:dataOutputAssociation>
           <bpmn2:sourceRef>_AD768963-CBF7-4269-9D43-51FE0D5D2556_evaluationOutputX</bpmn2:sourceRef>
           <bpmn2:targetRef>evaluation</bpmn2:targetRef>
@@ -902,4 +912,4 @@
     <bpmn2:source>_fswpMKJxEDiZN4UVlvQdCA</bpmn2:source>
     <bpmn2:target>_fswpMKJxEDiZN4UVlvQdCA</bpmn2:target>
   </bpmn2:relationship>
-</bpmn2:definitions>
+</bpmn2:definitions>
diff --git a/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java b/kogito-springboot-examples/flexible-process-springboot/src/test/java/org/kie/kogito/flexible/example/springboot/ServiceDeskProcessTest.java
@@ -109,6 +109,8 @@ private void addSupportComment(String id) {
         String location = given()
                 .basePath(BASE_PATH)
                 .contentType(ContentType.JSON)
+                .queryParam("user", "kelly")
+                .queryParam("group", "support")
                 .when()
                 .post("/{id}/ReceiveSupportComment", id)
                 .then()
@@ -140,9 +142,12 @@ private void addSupportComment(String id) {
 
     private void addCustomerComment(String id) {
         String location = given()
-                .basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON)
+                .basePath(BASE_PATH)
+                .contentType(ContentType.JSON)
+                .queryParam("user", "Paco")
+                .queryParam("group", "customer")
                 .when()
-                .post("/ReceiveCustomerComment")
+                .post("/{id}/ReceiveCustomerComment", id)
                 .then()
                 .statusCode(201)
                 .header("Location", notNullValue())
@@ -171,17 +176,25 @@ private void addCustomerComment(String id) {
     }
 
     private void resolveCase(String id) {
-        given().basePath(BASE_PATH + "/" + id).contentType(ContentType.JSON).when().post("/Resolve_Case").then()
-                .statusCode(200).body("supportCase.state", is(State.RESOLVED.name()));
+        given()
+                .basePath(BASE_PATH)
+                .contentType(ContentType.JSON)
+                .when()
+                .post("/{id}/Resolve_Case", id)
+                .then()
+                .statusCode(200)
+                .body("supportCase.state", is(State.RESOLVED.name()));
     }
 
     @SuppressWarnings("unchecked")
     private void sendQuestionnaire(String id) {
         String taskId = given()
-                .basePath(BASE_PATH + "/" + id)
+                .basePath(BASE_PATH)
                 .contentType(ContentType.JSON)
+                .queryParam("user", "Paco")
+                .queryParam("group", "customer")
                 .when()
-                .get("/tasks")
+                .get("/{id}/tasks", id)
                 .then()
                 .statusCode(200)
                 .body("size()", is(1))
@@ -195,13 +208,13 @@ private void sendQuestionnaire(String id) {
         params.put("evaluation", 10);
 
         given()
-                .basePath(BASE_PATH + "/" + id)
+                .basePath(BASE_PATH)
                 .queryParam("user", "Paco")
                 .queryParam("group", "customer")
                 .contentType(ContentType.JSON)
                 .when()
                 .body(params)
-                .post("/Questionnaire/" + taskId)
+                .post("/{id}/Questionnaire/{taskId}", id, taskId)
                 .then()
                 .statusCode(200)
                 .body("supportCase.state", is(State.CLOSED.name()))
