Overview ¶
Package authorization provides the authentication and authorization building blocks used in front of Temporal's gRPC API: AuthInfo extraction from a JWT header and/or an mTLS client certificate (Interceptor.GetAuthInfo), ClaimMapper (AuthInfo to Claims), Authorizer (Claims plus CallTarget to a Result), key providers for JWT signature verification, and the gRPC Interceptor that wires them together. The "generated GoMock package" comment shown on the upstream page comes from the package's mock files; the Mock* types listed below are test doubles only.
Index ¶
- Constants
- Variables
- func IsHealthCheckAPI(fullApi string) bool
- func IsNoopAuthorizer(authorizer Authorizer) bool
- func IsReadOnlyGlobalAPI(workflowServiceMethod string) bool
- func IsReadOnlyNamespaceAPI(workflowServiceMethod string) bool
- func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
- func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
- func TLSInfoFromContext(ctx context.Context) *credentials.TLSInfo
- type AudienceMapper
- type AuthInfo
- type Authorizer
- type CallTarget
- type ClaimMapper
- type ClaimMapperWithAuthInfoRequired
- type Claims
- type Decision
- type Interceptor
- func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTarget) error
- func (a *Interceptor) EnhanceContext(ctx context.Context, authInfo *AuthInfo, claims *Claims) context.Context
- func (a *Interceptor) GetAuthInfo(tlsConnection *credentials.TLSInfo, header headers.HeaderGetter, ...) *AuthInfo
- func (a *Interceptor) GetClaims(authInfo *AuthInfo) (*Claims, error)
- func (a *Interceptor) Intercept(ctx context.Context, req any, info *grpc.UnaryServerInfo, ...) (any, error)
- type JWTAudienceMapper
- type MockAuthorizer
- type MockAuthorizerMockRecorder
- type MockClaimMapper
- type MockClaimMapperMockRecorder
- type MockClaimMapperWithAuthInfoRequired
- type MockClaimMapperWithAuthInfoRequiredMockRecorder
- type MockJWTAudienceMapper
- type MockJWTAudienceMapperMockRecorder
- type MockhasNamespace
- type MockhasNamespaceMockRecorder
- type NamespaceChecker
- type RawTokenKeyProvider
- type Result
- type Role
- type TokenKeyProvider
Constants ¶
// Role values form a bitmask: every role except RoleUndefined is a distinct
// power of two, so a subject may hold any combination (e.g. RoleReader|RoleWriter)
// within a given context (system-wide or per namespace, see Claims).
//
// NOTE(review): RoleAdmin (8) does not numerically include the Reader/Writer
// bits; whether admin is treated as implying the other roles is decided by the
// Authorizer implementation, not by these values.
const (
	RoleWorker    = Role(1 << iota) // 1
	RoleReader                      // 2
	RoleWriter                      // 4
	RoleAdmin                       // 8
	RoleUndefined = Role(0)         // no role granted; never combined with the others
)
Role describes a subject's authorization within one context (the whole system, a namespace, or a workflow). A subject may hold any combination of RoleWorker, RoleReader, RoleWriter and RoleAdmin within a context, combined as a bitmask; RoleUndefined (0) means no role has been granted and is not combined with the others.
const (
)
Variables ¶
// Context keys under which Interceptor.EnhanceContext stores the mapped Claims
// and the auth header value for downstream handlers. The key types are
// unexported, so the values can only be looked up through these variables and
// cannot collide with string-typed context keys set elsewhere.
//
// NOTE(review): AuthHeader presumably carries the raw credential from the
// request; handlers reading it should avoid logging or persisting it.
var (
	MappedClaims contextKeyMappedClaims
	AuthHeader   contextKeyAuthHeader
)
Functions ¶
func IsHealthCheckAPI ¶
func IsNoopAuthorizer ¶
func IsNoopAuthorizer(authorizer Authorizer) bool
func IsReadOnlyGlobalAPI ¶
func IsReadOnlyNamespaceAPI ¶
func NewDefaultTokenKeyProvider ¶
func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
func PeerCert ¶
func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
PeerCert extracts the x509 certificate presented by the peer from the given tlsInfo. Nothing in its signature implies verification: trust in the returned certificate must come from the TLS handshake's client-certificate verification (ClientAuth settings), not from this accessor — confirm against the implementation whether it reads the verified chain or the raw presented certificates.
func TLSInfoFromContext ¶
func TLSInfoFromContext(ctx context.Context) *credentials.TLSInfo
TLSInfoFromContext extracts TLS information from the context's peer value.
Types ¶
type AudienceMapper ¶
// AudienceMapper is the static JWTAudienceMapper: Audience() ignores the
// request and always returns JwtAudience. Obtain one via NewAudienceMapper or
// GetAudienceMapperFromConfig.
type AudienceMapper struct {
	// JwtAudience is the audience string returned for every request.
	JwtAudience string
}
AudienceMapper is a simple implementation of JWTAudienceMapper that returns the configured audience string.
func (*AudienceMapper) Audience ¶
func (m *AudienceMapper) Audience(ctx context.Context, req any, info *grpc.UnaryServerInfo) string
Audience returns the configured audience string.
type AuthInfo ¶
// AuthInfo is the authentication material extracted from a request before any
// claim mapping happens: a token from the configured auth header and/or the
// client certificate of the mTLS connection. It is produced by
// Interceptor.GetAuthInfo and consumed by ClaimMapper.GetClaims.
//
// Nothing in this struct has been validated or authorized yet; AuthToken in
// particular is untrusted input until a ClaimMapper verifies it.
type AuthInfo struct {
	// AuthToken is the raw token taken from the request's auth header (unverified).
	AuthToken string
	// TLSSubject is the subject name of the peer's certificate when the
	// connection used mTLS (see PeerCert).
	TLSSubject *pkix.Name
	// TLSConnection is the TLS state the subject was taken from.
	TLSConnection *credentials.TLSInfo
	// ExtraData is additional data from the request; presumably the value of
	// the extra auth header named by NewInterceptor's authExtraHeaderName —
	// confirm against GetAuthInfo.
	ExtraData string
	// Audience is the expected JWT audience for this request, as supplied by
	// the JWTAudienceMapper (GetAuthInfo's audienceGetter). A JWT ClaimMapper
	// is expected to compare it against the token's "aud" claim.
	Audience string
}
AuthInfo holds the authentication material taken from the request: the subject's JWT token and/or the mTLS client certificate, before any validation.
type Authorizer ¶
// Authorizer is the policy hook: given the caller's Claims (as produced by the
// ClaimMapper) and the CallTarget, it returns a Result carrying the Decision
// and an optional Reason, or an error. Implementations should treat an error
// as a denial and should not rely on the caller to do so.
type Authorizer interface {
	// Authorize decides whether caller may invoke target.
	Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}
Authorizer is the interface an authorization policy implements: given the caller's Claims and the CallTarget, it returns a Result (Decision plus Reason) or an error.
func GetAuthorizerFromConfig ¶
func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)
func NewDefaultAuthorizer ¶
func NewDefaultAuthorizer() Authorizer
NewDefaultAuthorizer creates a default authorizer
func NewNoopAuthorizer ¶
func NewNoopAuthorizer() Authorizer
NewNoopAuthorizer creates a no-op authorizer
type CallTarget ¶
// CallTarget carries everything an Authorizer needs to decide on one request:
// the full API name, the namespace (if any), the Nexus endpoint (if any) and
// the deserialized request. It can be extended with further resources such as
// WorkflowType and TaskQueue.
type CallTarget struct {
	// APIName must be the full API function name.
	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
	APIName string
	// Namespace is the namespace being targeted; if no namespace is targeted
	// this is set to an empty string.
	Namespace string
	// NexusEndpointName is the Nexus endpoint being targeted (if any).
	NexusEndpointName string
	// Request contains a deserialized copy of the API request object, so an
	// Authorizer can inspect request fields beyond the namespace.
	Request any
}
CallTarget contains the information an Authorizer needs to make a decision: the API name, the target namespace, the Nexus endpoint (if any) and the request itself. It can be extended to include resources like WorkflowType and TaskQueue.
type ClaimMapper ¶
@@@SNIPSTART temporal-common-authorization-claimmapper-interface ClaimMapper converts authorization info of a subject into Temporal claims (permissions) for authorization
func GetClaimMapperFromConfig ¶
func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)
func NewDefaultJWTClaimMapper ¶
func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper
func NewNoopClaimMapper ¶
func NewNoopClaimMapper() ClaimMapper
type ClaimMapperWithAuthInfoRequired ¶
// ClaimMapperWithAuthInfoRequired is an optional extension a ClaimMapper can
// implement to be invoked even when the request carries no token and no TLS
// metadata. A mapper that returns false here must cope with an AuthInfo that
// has neither credential and must hand back Claims with no roles for such
// callers; any role returned in that path is granted to unauthenticated requests.
type ClaimMapperWithAuthInfoRequired interface {
	// AuthInfoRequired reports whether GetClaims should only be called when
	// AuthInfo contains a token or TLS metadata (true, the default behaviour).
	AuthInfoRequired() bool
}
Normally, GetClaims is never called unless AuthInfo carries either an auth token or TLS metadata; requests without any credential skip claim mapping. If you want your ClaimMapper to be invoked in all cases, implement this additional interface and return false from AuthInfoRequired. A mapper that opts in must then handle an AuthInfo with no token and no TLS subject (possibly nil — confirm against Interceptor.Intercept) and must return Claims with no roles for such callers; any role returned on that path is granted to unauthenticated requests.
type Claims ¶
// Claims is the authenticated identity and permission set of a subject, as
// produced by a ClaimMapper and consumed by an Authorizer. Authorizers trust
// these values as given, so their security rests entirely on the ClaimMapper
// having validated the underlying token or certificate.
type Claims struct {
	// Subject is the identity of the subject.
	Subject string
	// System is the Role held within the context of the whole Temporal cluster
	// or a multi-cluster setup.
	System Role
	// Namespaces holds the Role granted within each specific namespace, keyed
	// by namespace name; a namespace absent from the map has no role.
	Namespaces map[string]Role
	// Extensions is a free-form bucket for extra data a ClaimMapper wants to
	// pass to the Authorizer.
	Extensions any
}
@@@SNIPSTART temporal-common-authorization-claims Claims contains the identity of the subject and subject's roles at the system level and for individual namespaces
type Interceptor ¶
// Interceptor is the gRPC unary interceptor that runs the authorization
// pipeline for each request: GetAuthInfo -> GetClaims -> Authorize, then
// EnhanceContext. Its fields are unexported; construct it with NewInterceptor,
// which takes the ClaimMapper, Authorizer, audience mapper, header names and
// dynamic-config switches it uses.
type Interceptor struct {
	// contains filtered or unexported fields
}
func NewInterceptor ¶
func NewInterceptor( claimMapper ClaimMapper, authorizer Authorizer, metricsHandler metrics.Handler, logger log.Logger, namespaceChecker NamespaceChecker, audienceGetter JWTAudienceMapper, authHeaderName string, authExtraHeaderName string, exposeAuthorizerErrors dynamicconfig.BoolPropertyFn, enableCrossNamespaceCommands dynamicconfig.BoolPropertyFn, ) *Interceptor
NewInterceptor creates an authorization interceptor.
func (*Interceptor) Authorize ¶
func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTarget) error
Authorize uses the policy's authorizer to authorize a request based on the provided claims and call target, returning a non-nil error when the call is not allowed. It logs and emits metrics when unauthorized. Judging by its name, the exposeAuthorizerErrors setting passed to NewInterceptor controls how much of the authorizer's own error text is surfaced to the client; keep it disabled outside debugging, since authorizer errors can reveal policy internals to unauthenticated callers.
func (*Interceptor) EnhanceContext ¶
func (a *Interceptor) EnhanceContext(ctx context.Context, authInfo *AuthInfo, claims *Claims) context.Context
EnhanceContext returns a new context with MappedClaims and AuthHeader values.
func (*Interceptor) GetAuthInfo ¶
func (a *Interceptor) GetAuthInfo(tlsConnection *credentials.TLSInfo, header headers.HeaderGetter, audienceGetter func() string) *AuthInfo
GetAuthInfo extracts auth info from the TLS info and headers. It returns nil if either the policy's claimMapper or authorizer is nil, or when there is no auth information in the provided TLS info or headers. A nil result only means nothing was presented; it is not an authorization decision — that is made by Authorize.
func (*Interceptor) GetClaims ¶
func (a *Interceptor) GetClaims(authInfo *AuthInfo) (*Claims, error)
GetClaims uses the policy's claimMapper to map the provided authInfo to claims.
func (*Interceptor) Intercept ¶
func (a *Interceptor) Intercept( ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, ) (any, error)
type JWTAudienceMapper ¶
// JWTAudienceMapper decides, per request, which JWT audience ("aud") a token
// must be issued for; the value ends up in AuthInfo.Audience for the
// ClaimMapper to check. The default implementation (AudienceMapper) returns a
// single configured string regardless of the request.
type JWTAudienceMapper interface {
	// Audience returns the expected audience for the given request.
	Audience(ctx context.Context, req any, info *grpc.UnaryServerInfo) string
}
JWTAudienceMapper returns JWT audience for a given request
func GetAudienceMapperFromConfig ¶
func GetAudienceMapperFromConfig(cfg *config.Authorization) (JWTAudienceMapper, error)
GetAudienceMapperFromConfig returns a JWTAudienceMapper based on the provided Authorization config. Currently it returns a static AudienceMapper that hands back the config's Audience field for every request. If that field is empty the mapper returns ""; whether the claim mapper then skips the "aud" check is decided in the claim mapper, so confirm that behaviour before relying on a blank audience — the audience check is what stops a token minted for another service from being accepted here.
func NewAudienceMapper ¶
func NewAudienceMapper(audience string) JWTAudienceMapper
NewAudienceMapper returns a JWTAudienceMapper that always returns the given audience string.
type MockAuthorizer ¶
// MockAuthorizer is a GoMock-generated test double for Authorizer. Create it
// with NewMockAuthorizer and program expectations via EXPECT(). It is for
// tests only and must never be wired into a running server as the authorizer.
type MockAuthorizer struct {
	// contains filtered or unexported fields
}
MockAuthorizer is a mock of Authorizer interface.
func NewMockAuthorizer ¶
func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer
NewMockAuthorizer creates a new mock instance.
func (*MockAuthorizer) Authorize ¶
func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
Authorize mocks base method.
func (*MockAuthorizer) EXPECT ¶
func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockAuthorizerMockRecorder ¶
// MockAuthorizerMockRecorder is the GoMock recorder returned by
// MockAuthorizer.EXPECT(); it records expected calls on the mock. Test-only.
type MockAuthorizerMockRecorder struct {
	// contains filtered or unexported fields
}
MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.
type MockClaimMapper ¶
// MockClaimMapper is a GoMock-generated test double for ClaimMapper. Create it
// with NewMockClaimMapper and program expectations via EXPECT(). Test-only;
// a mock claim mapper in a real deployment would issue whatever Claims it is
// told to, bypassing token validation.
type MockClaimMapper struct {
	// contains filtered or unexported fields
}
MockClaimMapper is a mock of ClaimMapper interface.
func NewMockClaimMapper ¶
func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper
NewMockClaimMapper creates a new mock instance.
func (*MockClaimMapper) EXPECT ¶
func (m *MockClaimMapper) EXPECT() *MockClaimMapperMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperMockRecorder ¶
// MockClaimMapperMockRecorder is the GoMock recorder returned by
// MockClaimMapper.EXPECT(); it records expected calls on the mock. Test-only.
type MockClaimMapperMockRecorder struct {
	// contains filtered or unexported fields
}
MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.
type MockClaimMapperWithAuthInfoRequired ¶
// MockClaimMapperWithAuthInfoRequired is a GoMock-generated test double for
// ClaimMapperWithAuthInfoRequired. Create it with
// NewMockClaimMapperWithAuthInfoRequired and program AuthInfoRequired()
// expectations via EXPECT(). Test-only.
type MockClaimMapperWithAuthInfoRequired struct {
	// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequired is a mock of ClaimMapperWithAuthInfoRequired interface.
func NewMockClaimMapperWithAuthInfoRequired ¶
func NewMockClaimMapperWithAuthInfoRequired(ctrl *gomock.Controller) *MockClaimMapperWithAuthInfoRequired
NewMockClaimMapperWithAuthInfoRequired creates a new mock instance.
func (*MockClaimMapperWithAuthInfoRequired) AuthInfoRequired ¶
func (m *MockClaimMapperWithAuthInfoRequired) AuthInfoRequired() bool
AuthInfoRequired mocks base method.
func (*MockClaimMapperWithAuthInfoRequired) EXPECT ¶
func (m *MockClaimMapperWithAuthInfoRequired) EXPECT() *MockClaimMapperWithAuthInfoRequiredMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperWithAuthInfoRequiredMockRecorder ¶
// MockClaimMapperWithAuthInfoRequiredMockRecorder is the GoMock recorder
// returned by MockClaimMapperWithAuthInfoRequired.EXPECT(); it records expected
// calls on the mock. Test-only.
type MockClaimMapperWithAuthInfoRequiredMockRecorder struct {
	// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequiredMockRecorder is the mock recorder for MockClaimMapperWithAuthInfoRequired.
func (*MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired ¶
func (mr *MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired() *gomock.Call
AuthInfoRequired indicates an expected call of AuthInfoRequired.
type MockJWTAudienceMapper ¶
// MockJWTAudienceMapper is a GoMock-generated test double for JWTAudienceMapper.
// Create it with NewMockJWTAudienceMapper and program Audience() expectations
// via EXPECT(). Test-only.
type MockJWTAudienceMapper struct {
	// contains filtered or unexported fields
}
MockJWTAudienceMapper is a mock of JWTAudienceMapper interface.
func NewMockJWTAudienceMapper ¶
func NewMockJWTAudienceMapper(ctrl *gomock.Controller) *MockJWTAudienceMapper
NewMockJWTAudienceMapper creates a new mock instance.
func (*MockJWTAudienceMapper) Audience ¶
func (m *MockJWTAudienceMapper) Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
Audience mocks base method.
func (*MockJWTAudienceMapper) EXPECT ¶
func (m *MockJWTAudienceMapper) EXPECT() *MockJWTAudienceMapperMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockJWTAudienceMapperMockRecorder ¶
// MockJWTAudienceMapperMockRecorder is the GoMock recorder returned by
// MockJWTAudienceMapper.EXPECT(); it records expected calls on the mock. Test-only.
type MockJWTAudienceMapperMockRecorder struct {
	// contains filtered or unexported fields
}
MockJWTAudienceMapperMockRecorder is the mock recorder for MockJWTAudienceMapper.
func (*MockJWTAudienceMapperMockRecorder) Audience ¶
func (mr *MockJWTAudienceMapperMockRecorder) Audience(ctx, req, info interface{}) *gomock.Call
Audience indicates an expected call of Audience.
type MockhasNamespace ¶
// MockhasNamespace is a GoMock-generated test double for the package's
// unexported hasNamespace interface (a request type exposing GetNamespace()).
// Create it with NewMockhasNamespace and program expectations via EXPECT().
// Test-only.
type MockhasNamespace struct {
	// contains filtered or unexported fields
}
MockhasNamespace is a mock of hasNamespace interface.
func NewMockhasNamespace ¶
func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace
NewMockhasNamespace creates a new mock instance.
func (*MockhasNamespace) EXPECT ¶
func (m *MockhasNamespace) EXPECT() *MockhasNamespaceMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockhasNamespace) GetNamespace ¶
func (m *MockhasNamespace) GetNamespace() string
GetNamespace mocks base method.
type MockhasNamespaceMockRecorder ¶
// MockhasNamespaceMockRecorder is the GoMock recorder returned by
// MockhasNamespace.EXPECT(); it records expected calls on the mock. Test-only.
type MockhasNamespaceMockRecorder struct {
	// contains filtered or unexported fields
}
MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.
func (*MockhasNamespaceMockRecorder) GetNamespace ¶
func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call
GetNamespace indicates an expected call of GetNamespace.
type NamespaceChecker ¶
type RawTokenKeyProvider ¶
// RawTokenKeyProvider is an alternative to TokenKeyProvider: instead of
// separate per-algorithm accessors it returns the verification key for an
// already parsed token in one call. Implementations should select the key from
// the token's header (alg/kid) only after confirming the algorithm is one of
// SupportedMethods, and should return an error rather than a fallback key for
// anything unrecognised — otherwise a token can steer verification to a weaker
// method or to an HMAC secret (algorithm confusion).
type RawTokenKeyProvider interface {
	// GetKey returns the key that verifies token's signature, or an error.
	GetKey(ctx context.Context, token *jwt.Token) (any, error)
	// SupportedMethods lists the signing algorithms this provider serves keys for.
	SupportedMethods() []string
	// Close releases any resources held by the provider (e.g. background key refresh).
	Close()
}
RawTokenKeyProvider is an alternative to TokenKeyProvider that returns the verification key for a parsed token in a single GetKey call. Implementations should choose the key from the token's alg/kid header only after confirming the algorithm is in SupportedMethods, and must fail rather than fall back to a default key for anything else, so that a token cannot steer verification to a weaker method or to an HMAC secret.
type Result ¶
// Result is the outcome an Authorizer returns for a call: the Decision plus an
// optional human-readable Reason. Reason may be logged or surfaced to clients
// depending on interceptor settings, so keep it free of secrets.
type Result struct {
	// Decision is the authorization outcome.
	Decision Decision
	// Reason may contain a message explaining the value of the Decision field.
	Reason string
}
Result is the outcome an Authorizer returns: the Decision, plus an optional Reason explaining it.
type TokenKeyProvider ¶
// TokenKeyProvider supplies the keys a JWT ClaimMapper uses to verify token
// signatures, looked up by the token's signing algorithm (alg) and key id
// (kid). EcdsaKey and RsaKey return public keys; HmacKey returns the shared
// secret, which both signs and verifies, so a provider serving it must protect
// it accordingly. Implementations should return an error for any (alg, kid)
// pair they do not recognise rather than a default key — together with
// SupportedMethods this is what prevents a token from being verified under an
// algorithm the deployment never intended.
type TokenKeyProvider interface {
	// EcdsaKey returns the ECDSA public key for alg/kid, or an error.
	EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error)
	// HmacKey returns the HMAC shared secret for alg/kid, or an error.
	HmacKey(alg string, kid string) ([]byte, error)
	// RsaKey returns the RSA public key for alg/kid, or an error.
	RsaKey(alg string, kid string) (*rsa.PublicKey, error)
	// SupportedMethods lists the signing algorithms this provider serves keys for.
	SupportedMethods() []string
	// Close releases any resources held by the provider (e.g. background key refresh).
	Close()
}
TokenKeyProvider supplies the keys used to verify JWT signatures, keyed by the token's signing algorithm (alg) and key id (kid). EcdsaKey and RsaKey return public keys; HmacKey returns the shared secret, which verifies and signs and so must be protected. SupportedMethods lists the algorithms the provider serves; requests for any other (alg, kid) pair should fail with an error rather than fall back to a default key.