Automatiko 0.22.0 released

Secure your workflows in the way you need it

Posted by Automatiko team on February 19, 2023 · 4 mins read

We are pleased to announce a new release of Automatiko - 0.22.0

Highlights

  • Comosite access policy
  • Support for custom access policies
  • Improved instance sorting for file system persistence

Comosite access policy

Automatiko comes with AccessPolicy that allows to control access to workflow instances at runtime. Access policies control access in a fine grained way and what is the most important they are contextual. This means it can evaluate the content of the instance to grant access to it. It can take into account things like:

  • initiator of the instance
  • current identity (user and the groups)
  • data of the instance
  • and more

With this release, a new AccessPolicy was introduced, CompositeAccessPolicy. This policy allows to combine multiple access policy to be enforced at once, meaning that all defined policies must be met to gain access to given instance.

To learn more about composite access policy, read dedicated section in Automatiko documentation

Support for custom access policies

Access policies that are delivered by Automatiko out of the box:

  • Allow All - no restrictions, default access policy
  • Participants - allows to access the instance to the initiator and users that are currently assigned to active user tasks
  • Initiator - allows to access the instance only by the user who initiated the instance
might not be enough. There could be other aspects to cover with access policy such as where the request comes from, check custom group of the user who makes the request and more.

To address this, a custom access policy support was provided. Users can now develop their own custom access policy to be used at runtime. Custom access policies can take advantage of all compnents of the system becuase they are CDI beans and by that can use injection to gain additional capabilities.

Below is a simple access policy that allows to create instances from locahost only. As can be noticed, this policy gets access to request information to check which host is used. This should only be used as example what is required to build a custom access policy.

Example of custom access policy

  import javax.enterprise.context.ApplicationScoped;
  import javax.inject.Inject;

  import io.automatiko.engine.api.auth.IdentityProvider;
  import io.automatiko.engine.api.auth.NamedAccessPolicy;
  import io.automatiko.engine.api.workflow.ProcessInstance;
  import io.automatiko.engine.workflow.AbstractProcessInstance;
  import io.vertx.core.http.HttpServerRequest;

  @ApplicationScoped
  public class LocalHostOnlyAccessPolicy implements NamedAccessPolicy> {

      @Inject
      HttpServerRequest injectedHttpServletRequest;

      private boolean allowFromLocalhostOnly() {

          if (injectedHttpServletRequest != null && injectedHttpServletRequest.host() != null
                  && !injectedHttpServletRequest.host().toLowerCase().startsWith("localhost")) {
              return false;
          }
          return true;
      }

      @Override
      public boolean canCreateInstance(IdentityProvider identityProvider) {
          return allowFromLocalhostOnly();
      }

      @Override
      public boolean canReadInstance(IdentityProvider identityProvider, ProcessInstance instance) {
          return allowFromLocalhostOnly();
      }

      @Override
      public boolean canUpdateInstance(IdentityProvider identityProvider, ProcessInstance instance) {
          return allowFromLocalhostOnly();
      }

      @Override
      public boolean canDeleteInstance(IdentityProvider identityProvider, ProcessInstance instance) {
          return allowFromLocalhostOnly();
      }

      @Override
      public boolean canSignalInstance(IdentityProvider identityProvider, ProcessInstance instance) {
          return allowFromLocalhostOnly();
      }

      @Override
      public Set visibleTo(ProcessInstance instance) {

          return ((AbstractProcessInstance) instance).visibleTo();
      }

      @Override
      public String identifier() {
          return "localHostOnly";
      }
  }

To learn more about access policies, read dedicated section in Automatiko documentation

Improved instance sorting for file system persistence

Recenlty introduced sorting capabilities of the workflow instance have been improved for file system persistence. It was mainly focused on efficency of looking up instances to avoid too much file system access on each sorting request. This should significanlty improve speed of sorting for bigger volumes of data when using file system persistence addon.

Photographs by Unsplash.