authorization

package
v1.14.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 13, 2021 License: MIT Imports: 24 Imported by: 16

Documentation

Overview

Package authorization is a generated GoMock package.

Package authorization is a generated GoMock package.

Index

Constants

View Source
const (
	RoleWorker = Role(1 << iota)
	RoleReader
	RoleWriter
	RoleAdmin
	RoleUndefined = Role(0)
)

@@@SNIPSTART temporal-common-authorization-role-enum User authz within the context of an entity, such as system, namespace or workflow. User may have any combination of these authz within each context, except for RoleUndefined, as a bitmask.

View Source
const (
	RequestUnauthorized = "Request unauthorized."
)

Variables

View Source
var (
	MappedClaims contextKeyMappedClaims
	AuthHeader   contextKeyAuthHeader
)

Functions

func ApiName added in v1.11.0

func ApiName(api string) string

func IsReadOnlyGlobalAPI added in v1.11.0

func IsReadOnlyGlobalAPI(api string) bool

func IsReadOnlyNamespaceAPI added in v1.11.0

func IsReadOnlyNamespaceAPI(api string) bool

func NewAuthorizationInterceptor added in v1.3.0

func NewAuthorizationInterceptor(
	claimMapper ClaimMapper,
	authorizer Authorizer,
	metrics metrics.Client,
	logger log.Logger,
	audienceGetter JWTAudienceMapper,
) grpc.UnaryServerInterceptor

NewAuthorizationInterceptor creates an authorization interceptor and return a func that points to its Interceptor method

func NewDefaultTokenKeyProvider added in v1.5.0

func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider

func PeerCert added in v1.11.0

func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate

func TLSInfoFormContext added in v1.11.0

func TLSInfoFormContext(ctx context.Context) *credentials.TLSInfo

Types

type AuthInfo added in v1.4.0

type AuthInfo struct {
	AuthToken     string
	TLSSubject    *pkix.Name
	TLSConnection *credentials.TLSInfo
	ExtraData     string
	Audience      string
}

@@@SNIPSTART temporal-common-authorization-authinfo Authentication information from subject's JWT token or/and mTLS certificate

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}

@@@SNIPSTART temporal-common-authorization-authorizer-interface Authorizer is an interface for implementing authorization logic

func GetAuthorizerFromConfig added in v1.5.7

func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)

func NewDefaultAuthorizer added in v1.4.0

func NewDefaultAuthorizer() Authorizer

NewDefaultAuthorizer creates a default authorizer

func NewNoopAuthorizer added in v1.5.7

func NewNoopAuthorizer() Authorizer

NewNoopAuthorizer creates a no-op authorizer

type CallTarget added in v1.4.0

type CallTarget struct {
	// APIName must be the full API function name.
	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
	APIName string
	// If a Namespace is not being targeted this be set to an empty string.
	Namespace string
	// Request contains a deserialized copy of the API request object
	Request interface{}
}

@@@SNIPSTART temporal-common-authorization-authorizer-calltarget CallTarget is contains information for Authorizer to make a decision. It can be extended to include resources like WorkflowType and TaskQueue

type ClaimMapper added in v1.4.0

type ClaimMapper interface {
	GetClaims(authInfo *AuthInfo) (*Claims, error)
}

@@@SNIPSTART temporal-common-authorization-claimmapper-interface ClaimMapper converts authorization info of a subject into Temporal claims (permissions) for authorization

func GetClaimMapperFromConfig added in v1.5.7

func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)

func NewDefaultJWTClaimMapper added in v1.4.0

func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper

func NewNoopClaimMapper added in v1.4.0

func NewNoopClaimMapper() ClaimMapper

type Claims added in v1.4.0

type Claims struct {
	// Identity of the subject
	Subject string
	// Role within the context of the whole Temporal cluster or a multi-cluster setup
	System Role
	// Roles within specific namespaces
	Namespaces map[string]Role
	// Free form bucket for extra data
	Extensions interface{}
}

@@@SNIPSTART temporal-common-authorization-claims Claims contains the identity of the subject and subject's roles at the system level and for individual namespaces

type Decision

type Decision int

Decision is enum type for auth decision

const (
	// DecisionDeny means auth decision is deny
	DecisionDeny Decision = iota + 1
	// DecisionAllow means auth decision is allow
	DecisionAllow
)

type JWTAudienceMapper added in v1.10.3

type JWTAudienceMapper interface {
	Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
}

JWTAudienceMapper returns JWT audience for a given request

type MockAuthorizer

type MockAuthorizer struct {
	// contains filtered or unexported fields
}

MockAuthorizer is a mock of Authorizer interface.

func NewMockAuthorizer

func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer

NewMockAuthorizer creates a new mock instance.

func (*MockAuthorizer) Authorize

func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)

Authorize mocks base method.

func (*MockAuthorizer) EXPECT

EXPECT returns an object that allows the caller to indicate expected use.

type MockAuthorizerMockRecorder

type MockAuthorizerMockRecorder struct {
	// contains filtered or unexported fields
}

MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.

func (*MockAuthorizerMockRecorder) Authorize

func (mr *MockAuthorizerMockRecorder) Authorize(ctx, caller, target interface{}) *gomock.Call

Authorize indicates an expected call of Authorize.

type MockClaimMapper added in v1.4.0

type MockClaimMapper struct {
	// contains filtered or unexported fields
}

MockClaimMapper is a mock of ClaimMapper interface.

func NewMockClaimMapper added in v1.4.0

func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper

NewMockClaimMapper creates a new mock instance.

func (*MockClaimMapper) EXPECT added in v1.4.0

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockClaimMapper) GetClaims added in v1.4.0

func (m *MockClaimMapper) GetClaims(authInfo *AuthInfo) (*Claims, error)

GetClaims mocks base method.

type MockClaimMapperMockRecorder added in v1.4.0

type MockClaimMapperMockRecorder struct {
	// contains filtered or unexported fields
}

MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.

func (*MockClaimMapperMockRecorder) GetClaims added in v1.4.0

func (mr *MockClaimMapperMockRecorder) GetClaims(authInfo interface{}) *gomock.Call

GetClaims indicates an expected call of GetClaims.

type MockhasNamespace added in v1.8.2

type MockhasNamespace struct {
	// contains filtered or unexported fields
}

MockhasNamespace is a mock of hasNamespace interface.

func NewMockhasNamespace added in v1.8.2

func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace

NewMockhasNamespace creates a new mock instance.

func (*MockhasNamespace) EXPECT added in v1.8.2

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockhasNamespace) GetNamespace added in v1.8.2

func (m *MockhasNamespace) GetNamespace() string

GetNamespace mocks base method.

type MockhasNamespaceMockRecorder added in v1.8.2

type MockhasNamespaceMockRecorder struct {
	// contains filtered or unexported fields
}

MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.

func (*MockhasNamespaceMockRecorder) GetNamespace added in v1.8.2

func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call

GetNamespace indicates an expected call of GetNamespace.

type Result

type Result struct {
	Decision Decision
	// Reason may contain a message explaining the value of the Decision field.
	Reason string
}

Result is result from authority.

type Role added in v1.4.0

type Role int16

func (Role) IsValid added in v1.4.0

func (b Role) IsValid() bool

Checks if the provided role bitmask represents a valid combination of authz

type TokenKeyProvider added in v1.4.0

type TokenKeyProvider interface {
	EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error)
	HmacKey(alg string, kid string) ([]byte, error)
	RsaKey(alg string, kid string) (*rsa.PublicKey, error)
	Close()
}

@@@SNIPSTART temporal-common-authorization-tokenkeyprovider-interface Provides keys for validating JWT tokens

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL