Update authorization implementation for Operate V1/internal endpoints

[houssain-barouni]

Overview

Operate uses PermissionService to check permissions on process definitions and decision definitions. PermissionService uses Identity SDK for retrieving authorizations. In current implementation all authorizations are retrieved and then filtered by application logic.

From 8.7 on the Identity SDK is not available anymore. PermissionService needs to retrieve authorizations from AuthorizationService.

Retrieving a list of AuthorizationEntity can be done for example:

 final List<AuthorizationEntity> authorizationEntities =
        authorizationServices
            .search(
                AuthorizationQuery.of(
                    q ->
                        q.filter(
                            f ->
                                f.resourceKey(processDefinitionId)
                                    .resourceType(RESOURCE_TYPE_PROCESS_DEFINITION))))
            .items();

Components for permissions:

• Permission
• PermissionType
• AuthorizationEntity
• AuthorizationServices

Proposal

• PermissionService implements its methods in terms of components mentioned above
• No usage of Identity SDK (Identity object as main entry) anymore
• The permissions shouldn't be stored in session or some other cache-like objects. They need to be retrieved in every call.
• The retrieval should be specific as possible. Use the query filter.
• Replace IdentityPermission with PermissionType
• v1 API checks also permissions

Tasks

Adjust types and mapping of types:

• [ ] Adjust permission types or map them to the ones that are used in Operate
  • [ ] IdentityPermission -> PermissionType

The following queries needs to be rewritten:

• [ ] Retrieve process definition permissions by process definition id (bpmnProcessId)
• [ ] Retrieve decision definition permissions by decision id
• [ ] Retrieve process definitions keys by permission
• [ ] Retrieve decision definitions keys by permission
• [ ] Has permission for process definition id
• [ ] Has permission for decision id

Add missing checks:

• [ ] Add permissions check in v1 API

[romansmirnov]

@ralfpuchert, just a few questions/notes:

With

Add permissions check in v1 API

Do I assume correctly that the @PreAuthorize("hasPermission(...)") is meant?

The following queries needs to be rewritten:

This refers to the `PermissionService, right?

https://github.com/camunda/camunda/blob/622f2cd835abe17412b0523941b3ef11d3819c53/operate/webapp/src/main/java/io/camunda/operate/webapp/security/identity/PermissionsService.java

... and by that, the permissions won't retrieved anymore from the session/authentication?

Additionally, to make sure, what about checking access to the Operate UI? Will this be covered by the Identity stream (@Ben-Sheppard)?