Added authorization for workflow operations

Netflix · Oct 13, 2022 · a63c37a · a63c37a
1 parent 0787f84
commit a63c37a
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/core/src/main/java/com/netflix/conductor/core/execution/WorkflowExecutor.java b/core/src/main/java/com/netflix/conductor/core/execution/WorkflowExecutor.java
@@ -22,6 +22,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.event.EventListener;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 
 import com.netflix.conductor.annotations.Trace;
@@ -153,6 +154,7 @@ public void resetCallbacksForWorkflow(String workflowId) {
                         });
     }
 
+    @PreAuthorize("hasPermission(#request, 'OPERATOR')")
     public String rerun(RerunWorkflowRequest request) {
         Utils.checkNotNull(request.getReRunFromWorkflowId(), "reRunFromWorkflowId is missing");
         if (!rerunWF(
@@ -175,6 +177,7 @@ public String rerun(RerunWorkflowRequest request) {
      * @throws NotFoundException Workflow definition is not found or Workflow is deemed
      *     non-restartable as per workflow definition.
      */
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void restart(String workflowId, boolean useLatestDefinitions) {
         final WorkflowModel workflow = executionDAOFacade.getWorkflowModel(workflowId, true);
 
@@ -260,6 +263,7 @@ public void restart(String workflowId, boolean useLatestDefinitions) {
      *
      * @param workflowId the id of the workflow to be retried
      */
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void retry(String workflowId, boolean resumeSubworkflowTasks) {
         WorkflowModel workflow = executionDAOFacade.getWorkflowModel(workflowId, true);
         if (!workflow.getStatus().isTerminal()) {
@@ -561,6 +565,7 @@ WorkflowModel completeWorkflow(WorkflowModel workflow) {
         return workflow;
     }
 
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void terminateWorkflow(String workflowId, String reason) {
         WorkflowModel workflow = executionDAOFacade.getWorkflowModel(workflowId, true);
         if (WorkflowModel.Status.COMPLETED.equals(workflow.getStatus())) {
@@ -1182,6 +1187,7 @@ List<TaskModel> dedupAndAddTasks(WorkflowModel workflow, List<TaskModel> tasks)
     /**
      * @throws ConflictException if the workflow is in terminal state.
      */
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void pauseWorkflow(String workflowId) {
         try {
             executionLockService.acquireLock(workflowId, 60000);
@@ -1217,6 +1223,7 @@ public void pauseWorkflow(String workflowId) {
      * @param workflowId the workflow to be resumed
      * @throws IllegalStateException if the workflow is not in PAUSED state
      */
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void resumeWorkflow(String workflowId) {
         WorkflowModel workflow = executionDAOFacade.getWorkflowModel(workflowId, false);
         if (!workflow.getStatus().equals(WorkflowModel.Status.PAUSED)) {
@@ -1245,6 +1252,7 @@ public void resumeWorkflow(String workflowId) {
      * @param skipTaskRequest the {@link SkipTaskRequest} object
      * @throws IllegalStateException
      */
+    @PreAuthorize("hasPermission(#workflowId, 'OPERATOR')")
     public void skipTaskFromWorkflow(
             String workflowId, String taskReferenceName, SkipTaskRequest skipTaskRequest) {