Merge pull request #199 from krausvo1/idm_service_improvements

Improve group candidates resolution by Flowable IdM identity service.
WrenSecurity · Sep 11, 2024 · c390b0e · c390b0e
2 parents 8b62158 + d82152c
commit c390b0e
Show file tree

Hide file tree

Showing 10 changed files with 326 additions and 169 deletions.
diff --git a/openidm-ui/openidm-ui-admin/src/main/js/org/forgerock/openidm/ui/admin/util/WorkflowUtils.js b/openidm-ui/openidm-ui-admin/src/main/js/org/forgerock/openidm/ui/admin/util/WorkflowUtils.js
@@ -98,8 +98,10 @@ define([
                         label: $.t("common.form.submit"),
                         cssClass: "btn-primary",
                         action: function(dialogRef) {
-                            var id = $("#candidateUsersSelect").val(),
-                                selectedUser = _.find(candidateUsers, { _id: id }),
+                            var select = $("#candidateUsersSelect"),
+                                id = select.val(),
+                                users = select[0].selectize.options,
+                                selectedUser = users[id],
                                 callback = function () {
                                     _this.render([_this.model.id], _.bind(function () {
                                         messagesManager.messages.addMessage({"message": $.t("templates.taskInstance.assignedSuccess")});

diff --git a/...idm-ui-common/src/main/js/org/forgerock/openidm/ui/common/workflow/tasks/TasksMenuView.js b/...idm-ui-common/src/main/js/org/forgerock/openidm/ui/common/workflow/tasks/TasksMenuView.js
@@ -266,7 +266,7 @@ define([
                         user = task.usersToAssign[i];
 
                         if ($(target).find("option[value='"+ user.username +"']").length === 0 && user.username !== conf.loggedUser.get("userName")) {
-                            $(target).append('<option value="'+ user.username +'">'+ user.displayableName +'</option');
+                            $(target).append('<option value="'+ user.username +'">'+ user.displayName +'</option');
                         }
                     }
                 }

diff --git a/openidm-zip/src/main/resources/bin/defaults/script/workflow/getavailableuserstoassign.js b/openidm-zip/src/main/resources/bin/defaults/script/workflow/getavailableuserstoassign.js
@@ -26,82 +26,79 @@
 
 if (request.method !== "query") {
     throw {
-        "code" : 403,
-        "message" : "Access denied"
+        "code": 403,
+        "message": "Access denied"
     };
 }
 
 if (!request.additionalParameters || !request.additionalParameters.taskId) {
-    throw "Required param: taskId";
+    throw {
+        "code": 400,
+        "message": "Required param: taskId"
+    };
 }
 
 (function () {
-    var getUserByUserName = function(userName) {
-        var params = {
-                "_queryId": "for-userName",
-                "uid": userName
-            },
-            result = openidm.query("managed/user", params),
-            user = null;
+    const getUserByUserName = userName => {
+        const params = {
+            "_queryId": "for-userName",
+            "uid": userName
+        };
+        const users = openidm.query("managed/user", params);
+        return users.result[0];
+    };
 
-        if (result.result && result.result.length === 1) {
-            user = result.result[0];
-        }
-        return user;
-    },
-    getDisplayableOf = function(user) {
+    const getDisplayName = user => {
         if (user.givenName || user.sn) {
-            return user.givenName + " " + user.sn;
-        } else {
-            return user.userName ? user.userName : user._id;
+            return [user.givenName, user.sn].join(" ");
         }
-    },
-    usersToAdd = {},
-    availableUsersToAssign,
-    candidateUsers = [],
-    candidateUser,
-    candidateGroups = [],
-    result,
-    user,
-    username,
-    task = openidm.read("workflow/taskinstance/" + request.additionalParameters.taskId);
+        return user.userName ? user.userName : user._id;
+    };
 
+    // Fetch the task
+    const task = openidm.read(
+        `workflow/taskinstance/${encodeURIComponent(request.additionalParameters.taskId)}`
+    );
     if (!task) {
-        throw "Task ID " + request.additionalParameters.taskId + " Not Found";
+        throw "Task Not Found";
     }
 
-    // Collect candidate users
-    candidateUsers = task.candidates.candidateUsers;
-    candidateUsers.forEach(user => {
-        usersToAdd[candidateUser] = user;
-    });
+    const candidateUsers = {};
 
     // Collect users from candidate groups
-    candidateGroups = task.candidates.candidateGroups;
-    candidateGroups.forEach(group => {
-        result = openidm.query("managed/role/" + group + "/members", { "_queryFilter": "true" }, ["_id", "userName", "givenName", "sn"]);
-        if (result.result) {
-            result.result.forEach(user => {
-                usersToAdd[user.userName] = user;
-            });
-        }
+    task.candidates.candidateGroups.forEach(groupName => {
+        openidm.query(
+            `managed/role/${encodeURIComponent(groupName)}/authzMembers`,
+            { "_queryFilter": "true" },
+            ["_id", "userName", "givenName", "sn"]
+        ).result.forEach(user => {
+            candidateUsers[user.userName] = user;
+        });
     });
 
-    availableUsersToAssign = [];
-    for (username in usersToAdd) {
-        user = getUserByUserName(username);
-        if (user) {
-            availableUsersToAssign.push({ _id: user._id, username: username, displayableName: getDisplayableOf(user) });
+
+    // Collect candidate users
+    task.candidates.candidateUsers.forEach(userName => {
+        if (!candidateUsers[userName]) {
+            const user = getUserByUserName(userName);
+            if (user) {
+                candidateUsers[userName] = user;
+            }
         }
-    }
+    });
 
-    // Add internal users
-    internalUsers = openidm.query("repo/internal/user", { "_queryFilter": "true" });
-    if (internalUsers.result) {
-        internalUsers.result.forEach(user => {
-            availableUsersToAssign.push({ _id: user._id, username: user.userName, displayableName: getDisplayableOf(user) });
-        });
-    }
+    // Map candidates to the expected result format
+    const result = Object.values(candidateUsers).map(user => ({
+        _id: user._id,
+        username: user.userName,
+        displayName: getDisplayName(user)
+    }));
+
+    // Add internal users to the result
+    const internalUsers = openidm.query("repo/internal/user", { "_queryFilter": "true" });
+    internalUsers.result.forEach(user => {
+        result.push({ _id: user._id, username: user.userName, displayName: getDisplayName(user) });
+    });
 
-    return availableUsersToAssign;
+    return result;
 }());
diff --git a/openidm-zip/src/main/resources/bin/defaults/script/workflow/gettasksview.js b/openidm-zip/src/main/resources/bin/defaults/script/workflow/gettasksview.js
@@ -55,7 +55,7 @@ if (request.method !== "query") {
         },
         getUsersWhoCanBeAssignedToTask = function(taskId) {
             var usersWhoCanBeAssignedToTaskQueryParams = {
-                    "_queryId": "getavailableuserstoassign",
+                    "_queryId": "query-by-task-id",
                     "taskId": taskId
                 },
                 isTaskManager = false,
@@ -72,7 +72,7 @@ if (request.method !== "query") {
                 }
 
                 if(isTaskManager) {
-                    usersWhoCanBeAssignedToTaskResult = openidm.query("endpoint/getavailableuserstoassign", usersWhoCanBeAssignedToTaskQueryParams);
+                    usersWhoCanBeAssignedToTaskResult = openidm.query("endpoint/getavailableuserstoassign", usersWhoCanBeAssignedToTaskQueryParams).result;
                 }
                 usersWhoCanBeAssignedToTask[taskId] = usersWhoCanBeAssignedToTaskResult;
             }

diff --git a/.../java/org/wrensecurity/wrenidm/workflow/flowable/impl/identity/IdmEngineConfigurator.java b/.../java/org/wrensecurity/wrenidm/workflow/flowable/impl/identity/IdmEngineConfigurator.java
@@ -44,6 +44,8 @@ public void configure(AbstractEngineConfiguration engineConfiguration) {
     }
 
     protected static IdmEngineConfiguration getIdmEngineConfiguration(AbstractEngineConfiguration engineConfiguration) {
-        return (IdmEngineConfiguration) engineConfiguration.getEngineConfigurations().get(EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG);
+        return (IdmEngineConfiguration) engineConfiguration.getEngineConfigurations()
+                .get(EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG);
     }
+
 }
diff --git a/...able/src/main/java/org/wrensecurity/wrenidm/workflow/flowable/impl/identity/IdmGroup.java b/...able/src/main/java/org/wrensecurity/wrenidm/workflow/flowable/impl/identity/IdmGroup.java
@@ -20,7 +20,7 @@
 import org.forgerock.json.JsonValue;
 
 /**
- * Component representing IdM role.
+ * IdM's <i>managed role</i> wrapper.
  */
 public class IdmGroup extends JsonValue implements Group {
 
@@ -37,6 +37,7 @@ public String getId() {
 
     @Override
     public void setId(String id) {
+        throw new UnsupportedOperationException("IdM group cannot be modified");
     }
 
     @Override
@@ -46,6 +47,7 @@ public String getName() {
 
     @Override
     public void setName(String name) {
+        throw new UnsupportedOperationException("IdM group cannot be modified");
     }
 
     @Override
@@ -55,5 +57,7 @@ public String getType() {
 
     @Override
     public void setType(String string) {
+        throw new UnsupportedOperationException("IdM group cannot be modified");
     }
+
 }