Add get form-variables command security option

Author: StephenOTT

bpmn/MyUT1.json

@@ -70,7 +70,10 @@
       "tableView": true,
       "key": "comments",
       "type": "textarea",
-      "input": true
+      "input": true,
+      "properties": {
+        "camVariableName": "postProcessed_submission.data.thisIsAExpectedErrorToDemoDefaultValueErrors"
+      }
     },
     {
       "type": "button",

bpmn/SomeProcess1.bpmn

@@ -19,6 +19,9 @@
             </camunda:validation>
           </camunda:formField>
         </camunda:formData>
+        <camunda:properties>
+          <camunda:property name="restricted-variables" value="neverSeeVar" />
+        </camunda:properties>
       </bpmn:extensionElements>
       <bpmn:incoming>Flow_0069xxd</bpmn:incoming>
       <bpmn:outgoing>Flow_18xtnen</bpmn:outgoing>
@@ -37,7 +40,9 @@
       <bpmn:incoming>Flow_1ax32ut</bpmn:incoming>
       <bpmn:outgoing>Flow_0eob9zj</bpmn:outgoing>
       <bpmn:script>var hasSubmission = execution.hasVariable("submission")
-execution.setVariable('postProcessed_submission', execution.getVariable('submission'))</bpmn:script>
+execution.setVariable('postProcessed_submission', execution.getVariable('submission'))
+
+execution.setVariable('neverSeeVar', 'this variable should never be returned on the Typical Form with Service Validation task as it is restricted in the extension properties')</bpmn:script>
     </bpmn:scriptTask>
     <bpmn:sequenceFlow id="Flow_0069xxd" sourceRef="Gateway_0u22n92" targetRef="Activity_1xq7c62" />
     <bpmn:sequenceFlow id="Flow_0vjjadb" sourceRef="Gateway_0u22n92" targetRef="Activity_16j3pe3" />
@@ -156,9 +161,15 @@ execution.setVariable('postProcessed_submission', execution.getVariable('submiss
   <bpmn:escalation id="Escalation_07acmmp" name="custom-escalation" escalationCode="ce1" />
   <bpmndi:BPMNDiagram id="BPMNDiagram_1">
     <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="someProcess1">
-      <bpmndi:BPMNShape id="TextAnnotation_19wn5bt_di" bpmnElement="TextAnnotation_19wn5bt">
-        <dc:Bounds x="210" y="450" width="140" height="82" />
-      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0dsu483_di" bpmnElement="Flow_0dsu483">
+        <di:waypoint x="590" y="120" />
+        <di:waypoint x="622" y="120" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1623iq8_di" bpmnElement="Flow_1623iq8">
+        <di:waypoint x="440" y="595" />
+        <di:waypoint x="440" y="120" />
+        <di:waypoint x="490" y="120" />
+      </bpmndi:BPMNEdge>
       <bpmndi:BPMNEdge id="Flow_1ius0d1_di" bpmnElement="Flow_1ius0d1">
         <di:waypoint x="760" y="630" />
         <di:waypoint x="812" y="630" />
@@ -257,15 +268,6 @@ execution.setVariable('postProcessed_submission', execution.getVariable('submiss
         <di:waypoint x="188" y="620" />
         <di:waypoint x="240" y="620" />
       </bpmndi:BPMNEdge>
-      <bpmndi:BPMNEdge id="Flow_1623iq8_di" bpmnElement="Flow_1623iq8">
-        <di:waypoint x="440" y="595" />
-        <di:waypoint x="440" y="120" />
-        <di:waypoint x="490" y="120" />
-      </bpmndi:BPMNEdge>
-      <bpmndi:BPMNEdge id="Flow_0dsu483_di" bpmnElement="Flow_0dsu483">
-        <di:waypoint x="590" y="120" />
-        <di:waypoint x="622" y="120" />
-      </bpmndi:BPMNEdge>
       <bpmndi:BPMNShape id="Event_0emfvgy_di" bpmnElement="Event_0emfvgy">
         <dc:Bounds x="152" y="602" width="36" height="36" />
       </bpmndi:BPMNShape>
@@ -338,10 +340,9 @@ execution.setVariable('postProcessed_submission', execution.getVariable('submiss
       <bpmndi:BPMNShape id="Activity_188iga8_di" bpmnElement="Activity_0ngrvxl">
         <dc:Bounds x="490" y="80" width="100" height="80" />
       </bpmndi:BPMNShape>
-      <bpmndi:BPMNEdge id="Association_04d5fx0_di" bpmnElement="Association_04d5fx0">
-        <di:waypoint x="287" y="580" />
-        <di:waypoint x="283" y="532" />
-      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNShape id="TextAnnotation_19wn5bt_di" bpmnElement="TextAnnotation_19wn5bt">
+        <dc:Bounds x="210" y="450" width="140" height="82" />
+      </bpmndi:BPMNShape>
       <bpmndi:BPMNShape id="Event_1p2gfns_di" bpmnElement="Event_1ugcuo2">
         <dc:Bounds x="572" y="692" width="36" height="36" />
       </bpmndi:BPMNShape>
@@ -351,6 +352,10 @@ execution.setVariable('postProcessed_submission', execution.getVariable('submiss
       <bpmndi:BPMNShape id="Event_0rfidvh_di" bpmnElement="Event_19kscew">
         <dc:Bounds x="472" y="772" width="36" height="36" />
       </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Association_04d5fx0_di" bpmnElement="Association_04d5fx0">
+        <di:waypoint x="287" y="580" />
+        <di:waypoint x="283" y="532" />
+      </bpmndi:BPMNEdge>
     </bpmndi:BPMNPlane>
   </bpmndi:BPMNDiagram>
 </bpmn:definitions>

common/forms/formio.html

@@ -104,6 +104,7 @@
                         if (formLocDeployment() === false && formLocPath() === false) {
                             //@TODO bubble this to formio errors
                             console.error("No valid form json location was found for formio. (could not deployment or path params in form key)")
+                            showNotification('error', 5000, "Invalid Form JSON", "No valid form json location was found for formio. (could not deployment or path params in form key)")
                         }
 
                         let formName = formLocDeployment() === true ? formNameDeployment : formNamePath
@@ -119,6 +120,7 @@
 
                                 if (formResource === undefined) {
                                     console.error('Unable to find resource with name: ' + details.formName);
+                                    showNotification('error', 5000, "Cannot find resource", "Unable to load form: unable to find resource in deployment with name " + details.formName)
                                 }
 
                                 return {deploymentId: details.deploymentId, resourceId: formResource.id}
@@ -138,6 +140,7 @@
 
                         } else {
                             console.error("Unknown form type was provided: " + details.formType)
+                            showNotification('error', 5000, "Unknown Form Type", "Unable to load form: unknown form type was provided: " + details.formType)
                         }
                     });
                 }]);
@@ -155,20 +158,27 @@
                         let variables = {}
                         let promises = []
 
-                        _.forEach(varNames, function (varName) {
-                            if (!variables.hasOwnProperty(varName)) {
-                                let promise = $http.get(Uri.appUri('engine://engine/:engine/task/' + taskId + '/variables/' + varName), {params: {deserializeValue: false}})
+                        // _.forEach(varNames, function (varName) {
+                        //     if (!variables.hasOwnProperty(varName)) {
+                                let promise = $http.get(Uri.appUri('engine://engine/:engine/task/' + taskId + '/form-variables/'), {
+                                    params: {
+                                        deserializeValues: false,
+                                        variableNames: varNames.join(",")
+                                    }
+                                })
                                 promises.push(promise)
                                 promise.then(response => {
-
-                                    if (response.data.type === 'Json') {
-                                        response.data.value = JSON.parse(response.data.value)
-                                    }
-                                    variables[varName] = response.data.value
+                                    _.forOwn(response.data, function(value, key) {
+                                        if (value.type === 'Json') {
+                                            value.value = JSON.parse(value.value)
+                                        }
+                                        variables[key] = value.value
+                                    } );
+                                    // variables = response.data
                                 })
-                            }
+                            // }
 
-                        })
+                        // })
                         Promise.all(promises).then(function () {
                             resolve(variables)
                         })
@@ -180,6 +190,17 @@
             })
         }
 
+        function showNotification(type, duration, status, message){
+            inject(['Notifications', function(Notifications) {
+                Notifications.addMessage({
+                    type: type,
+                    duration: duration,
+                    status: status,
+                    message: message
+                });
+            }]);
+        }
+
         function getDefaultValues(variablesStore, submissionObject, schema){
             let defaultValues = {data: {}}
             FormioUtils.eachComponent(schema.components, component => {
@@ -188,6 +209,12 @@
                         let defaultValue = _.get(variablesStore, component.properties[camVariableNameKey])
                         let key = component.key
 
+                        // @TODO review how to make this appear more quickly
+                        if (defaultValue === undefined){
+                            showNotification('error', null, 'Unable to find default value in variables',
+                            'form-variables data did not return expected default value in variables in key ' + component.properties[camVariableNameKey] )
+                        }
+
                         if (component.properties[stringifyKey] === 'true'){
                             // @TODO do a check if the value is a object!
                             defaultValue = JSON.stringify(defaultValue)

docker/bpm-platform.xml

@@ -38,6 +38,10 @@
             <plugin>
                 <class>com.github.stephenott.camunda.formio.FormioFormFieldValidatorProcessEnginePlugin</class>
             </plugin>
+            <plugin>
+                <class>com.github.stephenott.camunda.tasks.forms.command.GetFormVariablesSecurityProcessEnginePlugin</class>
+            </plugin>
+
 
             <!-- LDAP CONFIGURATION -->
             <!-- Uncomment this section in order to enable LDAP support for this process engine -->

formfieldvalidator/src/main/kotlin/com/github/stephenott/camunda/tasks/forms/command/CustomGetTaskFormVariablesCmd.kt

@@ -0,0 +1,46 @@
+package com.github.stephenott.camunda.tasks.forms.command
+
+import org.camunda.bpm.engine.impl.cmd.GetTaskFormVariablesCmd
+import org.camunda.bpm.engine.impl.interceptor.CommandContext
+import org.camunda.bpm.engine.variable.VariableMap
+import org.camunda.bpm.model.bpmn.instance.camunda.CamundaProperties
+
+class CustomGetTaskFormVariablesCmd(taskId: String, variableNames: MutableCollection<String>?, deserializeObjectValues: Boolean) : GetTaskFormVariablesCmd(taskId, variableNames, deserializeObjectValues) {
+
+    companion object {
+        var allowedVariablesKey: String = "allowed-variables"
+        var restrictedVariablesKey: String = "restricted-variables"
+    }
+
+    override fun execute(commandContext: CommandContext): VariableMap {
+        val result = super.execute(commandContext)
+
+        //@TODO add debug info about variables being filtered
+
+        val utModelInstance = commandContext.taskManager.findTaskById(resourceId).bpmnModelElementInstance
+        val props = utModelInstance.extensionElements.elementsQuery.filterByType<CamundaProperties>(CamundaProperties::class.java).singleResult()
+        val allowedVars = props.camundaProperties.find {
+            it.camundaName == allowedVariablesKey
+        }
+
+        val restrictedVars = props.camundaProperties.find {
+            it.camundaName == restrictedVariablesKey
+        }
+
+        allowedVars?.let { camProp ->
+            val varNames = camProp.camundaValue.split(",").map { it.trim() }
+            result.entries.removeIf {
+                it.key !in varNames
+            }
+        }
+
+        restrictedVars?.let { camProp->
+            val varNames = camProp.camundaValue.split(",").map { it.trim() }
+            result.entries.removeIf {
+                it.key in varNames
+            }
+        }
+
+        return result
+    }
+}

formfieldvalidator/src/main/kotlin/com/github/stephenott/camunda/tasks/forms/command/GetFormVariablesSecurityProcessEnginePlugin.kt

@@ -0,0 +1,33 @@
+package com.github.stephenott.camunda.tasks.forms.command
+
+import org.camunda.bpm.engine.ProcessEngine
+import org.camunda.bpm.engine.impl.FormServiceImpl
+import org.camunda.bpm.engine.impl.ServiceImpl
+import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl
+import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin
+import org.camunda.bpm.engine.variable.VariableMap
+import kotlin.reflect.full.createInstance
+
+/**
+ * Plugin for replacing the GetTaskFormVariablesCmd with CustomGetTaskFormVariablesCmd.
+ * The replacement provides additional security filtering based on Camunda Extension Properties configurations in the bpmn
+ */
+open class GetFormVariablesSecurityProcessEnginePlugin : ProcessEnginePlugin {
+
+    override fun preInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {
+        // Setup a new instance of form service that has the cmd for security filtering of variables
+        // @TODO add startup info about form service being overriden and security added to remove variables.
+        processEngineConfiguration.formService = object: FormServiceImpl() {
+            override fun getTaskFormVariables(taskId: String, formVariables: MutableCollection<String>?, deserializeObjectValues: Boolean): VariableMap {
+                return commandExecutor.execute(CustomGetTaskFormVariablesCmd(taskId, formVariables, deserializeObjectValues))
+            }
+        }
+
+    }
+
+    override fun postInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {
+    }
+
+    override fun postProcessEngineBuild(processEngine: ProcessEngine) {
+    }
+}

springboot/src/main/kotlin/com/github/stephenott/camunda/formio/Application.kt

@@ -1,5 +1,6 @@
 package com.github.stephenott.camunda.formio
 
+import com.github.stephenott.camunda.tasks.forms.command.GetFormVariablesSecurityProcessEnginePlugin
 import org.camunda.bpm.spring.boot.starter.annotation.EnableProcessApplication
 import org.springframework.boot.autoconfigure.SpringBootApplication
 import org.springframework.boot.runApplication
@@ -12,4 +13,7 @@ class Application
 fun main(args: Array<String>) = runApplication<Application>(*args).let { Unit }
 
 @Component
-class MyPlugin: FormioFormFieldValidatorProcessEnginePlugin()
+class MyPlugin: FormioFormFieldValidatorProcessEnginePlugin()
+
+@Component
+class MyFormsSecurityPlugin: GetFormVariablesSecurityProcessEnginePlugin()