Package authorization is a generated GoMock package.
Constants ¶
const ( RoleWorker = Role(1 << iota) RoleReader RoleWriter RoleAdmin RoleUndefined = Role(0) )
@@@SNIPSTART temporal-common-authorization-role-enum Role describes a user's authorization within the context of an entity, such as the system, a namespace, or a workflow. A user may hold any combination of these roles within each context, combined as a bitmask; RoleUndefined (zero) is the one value that cannot be combined with others.
const (
)
Variables ¶
var ( MappedClaims contextKeyMappedClaims AuthHeader contextKeyAuthHeader )
Functions ¶
func IsNoopAuthorizer ¶ added in v1.18.0
func IsNoopAuthorizer(authorizer Authorizer) bool
func IsReadOnlyGlobalAPI ¶ added in v1.11.0
func IsReadOnlyNamespaceAPI ¶ added in v1.11.0
func NewAuthorizationInterceptor ¶ added in v1.3.0
func NewAuthorizationInterceptor( claimMapper ClaimMapper, authorizer Authorizer, metricsHandler metrics.MetricsHandler, logger log.Logger, audienceGetter JWTAudienceMapper, ) grpc.UnaryServerInterceptor
NewAuthorizationInterceptor creates an authorization interceptor and returns a func that points to its Interceptor method.
func NewDefaultTokenKeyProvider ¶ added in v1.5.0
func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
func PeerCert ¶ added in v1.11.0
func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
func TLSInfoFormContext ¶ added in v1.11.0
func TLSInfoFormContext(ctx context.Context) *credentials.TLSInfo
Types ¶
type AuthInfo ¶ added in v1.4.0
type AuthInfo struct { AuthToken string TLSSubject *pkix.Name TLSConnection *credentials.TLSInfo ExtraData string Audience string }
@@@SNIPSTART temporal-common-authorization-authinfo AuthInfo carries the authentication information taken from the subject's JWT token and/or mTLS certificate.
type Authorizer ¶
type Authorizer interface {
Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}
@@@SNIPSTART temporal-common-authorization-authorizer-interface Authorizer is the interface for implementing authorization logic: given the caller's Claims and the CallTarget, it returns a Result.
func GetAuthorizerFromConfig ¶ added in v1.5.7
func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)
func NewDefaultAuthorizer ¶ added in v1.4.0
func NewDefaultAuthorizer() Authorizer
NewDefaultAuthorizer creates a default authorizer
func NewNoopAuthorizer ¶ added in v1.5.7
func NewNoopAuthorizer() Authorizer
NewNoopAuthorizer creates a no-op authorizer
type CallTarget ¶ added in v1.4.0
type CallTarget struct { // APIName must be the full API function name. // Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution". APIName string // If a Namespace is not being targeted, this is set to an empty string. Namespace string // Request contains a deserialized copy of the API request object Request interface{} }
@@@SNIPSTART temporal-common-authorization-authorizer-calltarget CallTarget contains the information an Authorizer needs to make a decision. It can be extended to include resources such as WorkflowType and TaskQueue.
type ClaimMapper ¶ added in v1.4.0
@@@SNIPSTART temporal-common-authorization-claimmapper-interface ClaimMapper converts the authentication info of a subject (AuthInfo) into Temporal Claims (permissions) used for authorization.
func GetClaimMapperFromConfig ¶ added in v1.5.7
func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)
func NewDefaultJWTClaimMapper ¶ added in v1.4.0
func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper
func NewNoopClaimMapper ¶ added in v1.4.0
func NewNoopClaimMapper() ClaimMapper
type Claims ¶ added in v1.4.0
type Claims struct { // Identity of the subject Subject string // Role within the context of the whole Temporal cluster or a multi-cluster setup System Role // Roles within specific namespaces Namespaces map[string]Role // Free form bucket for extra data Extensions interface{} }
@@@SNIPSTART temporal-common-authorization-claims Claims contains the identity of the subject and the subject's roles at the system level and within individual namespaces.
type JWTAudienceMapper ¶ added in v1.10.3
type JWTAudienceMapper interface {
Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
}
JWTAudienceMapper returns the JWT audience for a given request.
type MockAuthorizer ¶
type MockAuthorizer struct {
// contains filtered or unexported fields
}
MockAuthorizer is a mock of Authorizer interface.
func NewMockAuthorizer ¶
func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer
NewMockAuthorizer creates a new mock instance.
func (*MockAuthorizer) Authorize ¶
func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
Authorize mocks base method.
func (*MockAuthorizer) EXPECT ¶
func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockAuthorizerMockRecorder ¶
type MockAuthorizerMockRecorder struct {
// contains filtered or unexported fields
}
MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.
func (*MockAuthorizerMockRecorder) Authorize ¶
func (mr *MockAuthorizerMockRecorder) Authorize(ctx, caller, target interface{}) *gomock.Call
Authorize indicates an expected call of Authorize.
type MockClaimMapper ¶ added in v1.4.0
type MockClaimMapper struct {
// contains filtered or unexported fields
}
MockClaimMapper is a mock of ClaimMapper interface.
func NewMockClaimMapper ¶ added in v1.4.0
func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper
NewMockClaimMapper creates a new mock instance.
func (*MockClaimMapper) EXPECT ¶ added in v1.4.0
func (m *MockClaimMapper) EXPECT() *MockClaimMapperMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperMockRecorder ¶ added in v1.4.0
type MockClaimMapperMockRecorder struct {
// contains filtered or unexported fields
}
MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.
func (*MockClaimMapperMockRecorder) GetClaims ¶ added in v1.4.0
func (mr *MockClaimMapperMockRecorder) GetClaims(authInfo interface{}) *gomock.Call
GetClaims indicates an expected call of GetClaims.
type MockhasNamespace ¶ added in v1.8.2
type MockhasNamespace struct {
// contains filtered or unexported fields
}
MockhasNamespace is a mock of hasNamespace interface.
func NewMockhasNamespace ¶ added in v1.8.2
func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace
NewMockhasNamespace creates a new mock instance.
func (*MockhasNamespace) EXPECT ¶ added in v1.8.2
func (m *MockhasNamespace) EXPECT() *MockhasNamespaceMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockhasNamespace) GetNamespace ¶ added in v1.8.2
func (m *MockhasNamespace) GetNamespace() string
GetNamespace mocks base method.
type MockhasNamespaceMockRecorder ¶ added in v1.8.2
type MockhasNamespaceMockRecorder struct {
// contains filtered or unexported fields
}
MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.
func (*MockhasNamespaceMockRecorder) GetNamespace ¶ added in v1.8.2
func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call
GetNamespace indicates an expected call of GetNamespace.
type RawTokenKeyProvider ¶ added in v1.15.0
type RawTokenKeyProvider interface { GetKey(ctx context.Context, token *jwt.Token) (interface{}, error) SupportedMethods() []string Close() }
RawTokenKeyProvider provides keys for validating JWT tokens; unlike TokenKeyProvider, its GetKey method receives the parsed token rather than an algorithm and key ID.
type Result ¶
type Result struct { Decision Decision // Reason may contain a message explaining the value of the Decision field. Reason string }
Result is the outcome returned by an Authorizer: a Decision and an optional Reason explaining it.
type TokenKeyProvider ¶ added in v1.4.0
type TokenKeyProvider interface { EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error) HmacKey(alg string, kid string) ([]byte, error) RsaKey(alg string, kid string) (*rsa.PublicKey, error) SupportedMethods() []string Close() }
@@@SNIPSTART temporal-common-authorization-tokenkeyprovider-interface TokenKeyProvider provides the keys used to validate JWT tokens, looked up by signing algorithm and key ID.