authorization

package
v1.3.7-prerelease15

Warning: this package is not in the latest version of its module.
Published: Nov 12, 2025 License: Apache-2.0 Imports: 25 Imported by: 0

README

Cadence has two authorizer options:

  1. OAuthAuthorizer: validates JWTs issued by your Identity Provider and enforces permissions.
  2. NoopAuthorizer: turns authorization off.

To configure it, add an authorization section to the Cadence server config (examples below). These fields map 1:1 to the Go structs in common/config.

Option A for OAuth: validate tokens via JWKS

authorization:
    oauthAuthorizer:
        enable: true
        # Reject tokens with excessively long TTL (seconds). Optional but recommended.
        maxJwtTTL: 3600

        # JWT verification config (algorithm + how to fetch public keys)
        jwtCredentials:
            algorithm: RS256         # supported: RS256
            # publicKey is optional if you supply a JWKS URL (below)
            # publicKey: /etc/cadence/keys/idp-public.pem

        provider:
            jwksURL: "https://YOUR_IDP/.well-known/jwks.json"
            # Optional JSONPath-like claims locations used by Cadence:
            groupsAttributePath: "groups"
            adminAttributePath: "admin"

Option B for OAuth: validate tokens via a static public key

authorization:
    oauthAuthorizer:
        enable: true
        maxJwtTTL: 3600
        jwtCredentials:
            algorithm: RS256
            publicKey: /etc/cadence/keys/idp-public.pem

NoopAuthorizer: turning authz off

authorization:
    noopAuthorizer:
        enable: true

Background

The server constructs an authorization.Attributes object for each API call (actor, API name, domain, optional workflow/tasklist), evaluates the token, and returns an allow/deny Decision. JWTs are expected to contain Cadence-specific claims including groups and (optionally) an admin flag.

Key structs & functions:

authorization.Authorizer interface 

authorization.Attributes 
 
authorization.Decision

authorization.JWTClaims

When OAuth authZ is enabled, clients must present a valid JWT to the frontend service on every call (Cadence uses the presented token to authorize the API/domain access). The exact header/wire placement is handled by Cadence’s server middleware and the client transport; the important part is that the token must validate against your jwksURL/publicKey, include the expected claims (groups/admin), and not exceed maxJwtTTL.
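Added example (not the Cadence package's own code): a stand-alone Go sketch of the decision the Background section describes, re-creating the page's Decision, Permission and JWTClaims types and the space-separated GetGroups. The per-domain readGroups/writeGroups lists, the rule that a write group also satisfies read, and measuring the token TTL as the IssuedAt-to-ExpiresAt span are assumptions; the real authorizer resolves groups through domainCache and verifies the signature against jwksURL/publicKey first, which this sketch leaves out.

```go
package main

import (
	"strings"
	"time"
)

// Stand-alone re-creation of the page's enums (not the Cadence package itself).
type Decision int
const (
	DecisionDeny Decision = iota + 1
	DecisionAllow
)
type Permission int
const (
	PermissionRead Permission = iota + 1
	PermissionWrite // PermissionAdmin and PermissionProcess are left out of this example
)

// JWTClaims keeps only the page's fields the decision needs; Groups is space separated.
type JWTClaims struct {
	Groups              string
	Admin               bool
	IssuedAt, ExpiresAt time.Time
}
// GetGroups mirrors the page's method: split the space-separated claim.
func (j JWTClaims) GetGroups() []string { return strings.Fields(j.Groups) }

// Authorize enforces maxJwtTTL and expiry before trusting any claim, then the admin
// flag, then group membership. readGroups/writeGroups stand in for the per-domain
// lists the real authorizer gets via domainCache; write implies read (assumptions).
func Authorize(c JWTClaims, want Permission, readGroups, writeGroups []string, now time.Time, maxJwtTTL time.Duration) Decision {
	if c.ExpiresAt.Sub(c.IssuedAt) > maxJwtTTL || !now.Before(c.ExpiresAt) {
		return DecisionDeny // over-long TTL or already expired: reject before any claim is used
	}
	if c.Admin {
		return DecisionAllow
	}
	allowed := map[Permission][]string{
		PermissionRead:  append(append([]string{}, readGroups...), writeGroups...),
		PermissionWrite: writeGroups,
	}[want] // any other permission gets nil here and is denied below
	for _, g := range c.GetGroups() {
		for _, a := range allowed {
			if g == a {
				return DecisionAllow
			}
		}
	}
	return DecisionDeny
}
```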

Documentation

Overview

Package authorization is a generated GoMock package.

Index

Constants

This section is empty.

Variables

var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() }

SHA256 algorithm

var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() }

SHA512 algorithm

Functions

func GetAuthProviderClient added in v0.24.0

func GetAuthProviderClient(privateKey string) (clientworker.AuthorizationProvider, error)

Types

type Attributes

type Attributes struct {
	Actor        string
	APIName      string
	DomainName   string
	WorkflowType *types.WorkflowType
	TaskList     *types.TaskList
	Permission   Permission
	RequestBody  FilteredRequestBody // request object except for data inputs (PII)
}

Attributes is the input on which the authority makes its decision. It can be extended in future if authorization is required on resources such as WorkflowType and TaskList.

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, attributes *Attributes) (Result, error)
}

Authorizer is an interface for authorization

func NewAuthorizer added in v0.23.1

func NewAuthorizer(authorization config.Authorization, logger log.Logger, domainCache cache.DomainCache) (Authorizer, error)

func NewNopAuthorizer

func NewNopAuthorizer() (Authorizer, error)

NewNopAuthorizer creates a no-op authority

func NewOAuthAuthorizer added in v0.23.1

func NewOAuthAuthorizer(
	oauthConfig config.OAuthAuthorizer,
	log log.Logger,
	domainCache cache.DomainCache,
) (Authorizer, error)

NewOAuthAuthorizer creates an oauth Authorizer

type Decision

type Decision int

Decision is the enum type for an auth decision.

const (
	// DecisionDeny means auth decision is deny
	DecisionDeny Decision = iota + 1
	// DecisionAllow means auth decision is allow
	DecisionAllow
)

type FilteredRequestBody added in v1.2.1

type FilteredRequestBody interface {
	SerializeForLogging() (string, error)
}

FilteredRequestBody is the request object except for data inputs (PII).

func NewFilteredRequestBody added in v1.2.15

func NewFilteredRequestBody(request interface{}) FilteredRequestBody

type JWTClaims added in v0.23.1

type JWTClaims struct {
	jwt.RegisteredClaims

	Name   string
	Groups string // separated by space
	Admin  bool
	TTL    int64 // TODO should be removed. ExpiresAt should be used
}

JWTClaims is a Cadence-specific claim with the embedded registered claims defined in https://datatracker.ietf.org/doc/html/rfc7519#section-4.1

func (JWTClaims) GetGroups added in v1.2.7

func (j JWTClaims) GetGroups() []string

type MockAuthorizer added in v0.12.0

type MockAuthorizer struct {
	// contains filtered or unexported fields
}

MockAuthorizer is a mock of Authorizer interface.

func NewMockAuthorizer added in v0.12.0

func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer

NewMockAuthorizer creates a new mock instance.

func (*MockAuthorizer) Authorize added in v0.12.0

func (m *MockAuthorizer) Authorize(ctx context.Context, attributes *Attributes) (Result, error)

Authorize mocks base method.

func (*MockAuthorizer) EXPECT added in v0.12.0

EXPECT returns an object that allows the caller to indicate expected use.

type MockAuthorizerMockRecorder added in v0.12.0

type MockAuthorizerMockRecorder struct {
	// contains filtered or unexported fields
}

MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.

func (*MockAuthorizerMockRecorder) Authorize added in v0.12.0

func (mr *MockAuthorizerMockRecorder) Authorize(ctx, attributes any) *gomock.Call

Authorize indicates an expected call of Authorize.

type MockFilteredRequestBody added in v1.2.1

type MockFilteredRequestBody struct {
	// contains filtered or unexported fields
}

MockFilteredRequestBody is a mock of FilteredRequestBody interface.

func NewMockFilteredRequestBody added in v1.2.1

func NewMockFilteredRequestBody(ctrl *gomock.Controller) *MockFilteredRequestBody

NewMockFilteredRequestBody creates a new mock instance.

func (*MockFilteredRequestBody) EXPECT added in v1.2.1

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockFilteredRequestBody) SerializeForLogging added in v1.2.1

func (m *MockFilteredRequestBody) SerializeForLogging() (string, error)

SerializeForLogging mocks base method.

type MockFilteredRequestBodyMockRecorder added in v1.2.1

type MockFilteredRequestBodyMockRecorder struct {
	// contains filtered or unexported fields
}

MockFilteredRequestBodyMockRecorder is the mock recorder for MockFilteredRequestBody.

func (*MockFilteredRequestBodyMockRecorder) SerializeForLogging added in v1.2.1

func (mr *MockFilteredRequestBodyMockRecorder) SerializeForLogging() *gomock.Call

SerializeForLogging indicates an expected call of SerializeForLogging.

type Permission added in v0.23.1

type Permission int

Permission is the enum type for an auth permission.

const (
	// PermissionRead means the user can read on the domain level APIs
	PermissionRead Permission = iota + 1
	// PermissionWrite means the user can write on the domain level APIs
	PermissionWrite
	// PermissionAdmin means the user can read+write on the domain level APIs
	PermissionAdmin
	// PermissionProcess means the user can process via the task execution related APIs
	PermissionProcess
)

func NewPermission added in v0.23.1

func NewPermission(permission string) Permission

type Result

type Result struct {
	Decision Decision
}

Result is the result returned by the authority.

type XDGSCRAMClient added in v0.21.0

type XDGSCRAMClient struct {
	*scram.Client
	*scram.ClientConversation
	scram.HashGeneratorFcn
}

XDGSCRAMClient is the SCRAM client.

func (*XDGSCRAMClient) Begin added in v0.21.0

func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error)

Begin creates a new client conversation.

func (*XDGSCRAMClient) Done added in v0.21.0

func (x *XDGSCRAMClient) Done() bool

Done stops the client

func (*XDGSCRAMClient) Step added in v0.21.0

func (x *XDGSCRAMClient) Step(challenge string) (response string, err error)

Step takes a string provided from a server (or just an empty string for the very first conversation step) and attempts to move the authentication conversation forward. It returns a string to be sent to the server or an error if the server message is invalid. Calling Step after a conversation completes is also an error.
