Documentation ¶
Overview ¶
Package authorization is a generated GoMock package.
Index ¶
- Constants
- Variables
- func IsHealthCheckAPI(fullApi string) bool
- func IsNoopAuthorizer(authorizer Authorizer) bool
- func IsReadOnlyGlobalAPI(workflowServiceMethod string) bool
- func IsReadOnlyNamespaceAPI(workflowServiceMethod string) bool
- func NewAuthorizationInterceptor(claimMapper ClaimMapper, authorizer Authorizer, metricsHandler metrics.Handler, ...) grpc.UnaryServerInterceptor
- func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
- func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
- func TLSInfoFormContext(ctx context.Context) *credentials.TLSInfo
- type AuthInfo
- type Authorizer
- type CallTarget
- type ClaimMapper
- type ClaimMapperWithAuthInfoRequired
- type Claims
- type Decision
- type JWTAudienceMapper
- type MockAuthorizer
- type MockAuthorizerMockRecorder
- type MockClaimMapper
- type MockClaimMapperMockRecorder
- type MockClaimMapperWithAuthInfoRequired
- type MockClaimMapperWithAuthInfoRequiredMockRecorder
- type MockhasNamespace
- type MockhasNamespaceMockRecorder
- type RawTokenKeyProvider
- type Result
- type Role
- type TokenKeyProvider
Constants ¶
const (
	RoleWorker = Role(1 << iota)
	RoleReader
	RoleWriter
	RoleAdmin
	RoleUndefined = Role(0)
)
Role is the authorization a user holds within the context of an entity such as the system, a namespace or a workflow. Roles form a bitmask: within each context a user may hold any combination of them, except RoleUndefined, which is the zero value and means no role at all.
Variables ¶
var (
	MappedClaims contextKeyMappedClaims
	AuthHeader   contextKeyAuthHeader
)
Functions ¶
func IsHealthCheckAPI ¶ added in v1.20.0
func IsHealthCheckAPI(fullApi string) bool
func IsNoopAuthorizer ¶ added in v1.18.0
func IsNoopAuthorizer(authorizer Authorizer) bool
func IsReadOnlyGlobalAPI ¶ added in v1.11.0
func IsReadOnlyGlobalAPI(workflowServiceMethod string) bool
func IsReadOnlyNamespaceAPI ¶ added in v1.11.0
func IsReadOnlyNamespaceAPI(workflowServiceMethod string) bool
func NewAuthorizationInterceptor ¶ added in v1.3.0
func NewAuthorizationInterceptor(
	claimMapper ClaimMapper,
	authorizer Authorizer,
	metricsHandler metrics.Handler,
	logger log.Logger,
	audienceGetter JWTAudienceMapper,
) grpc.UnaryServerInterceptor
NewAuthorizationInterceptor creates an authorization interceptor and returns a func that points to its Interceptor method.
func NewDefaultTokenKeyProvider ¶ added in v1.5.0
func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
func PeerCert ¶ added in v1.11.0
func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
func TLSInfoFormContext ¶ added in v1.11.0
func TLSInfoFormContext(ctx context.Context) *credentials.TLSInfo
Types ¶
type AuthInfo ¶ added in v1.4.0
type AuthInfo struct {
	AuthToken     string
	TLSSubject    *pkix.Name
	TLSConnection *credentials.TLSInfo
	ExtraData     string
	Audience      string
}
AuthInfo carries the authentication information for a subject, taken from its JWT token and/or its mTLS client certificate.
type Authorizer ¶
type Authorizer interface {
Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}
Authorizer is the interface for implementing authorization logic: given the caller's Claims and the CallTarget, it returns a Result carrying the Decision.
func GetAuthorizerFromConfig ¶ added in v1.5.7
func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)
func NewDefaultAuthorizer ¶ added in v1.4.0
func NewDefaultAuthorizer() Authorizer
NewDefaultAuthorizer creates a default authorizer
func NewNoopAuthorizer ¶ added in v1.5.7
func NewNoopAuthorizer() Authorizer
NewNoopAuthorizer creates a no-op authorizer
type CallTarget ¶ added in v1.4.0
type CallTarget struct {
	// APIName must be the full API function name.
	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
	APIName string
	// If a Namespace is not being targeted this must be set to an empty string.
	Namespace string
	// Request contains a deserialized copy of the API request object
	Request interface{}
}
CallTarget contains the information an Authorizer needs to make a decision. It can be extended to include resources such as WorkflowType and TaskQueue.
type ClaimMapper ¶ added in v1.4.0
type ClaimMapper interface {
	GetClaims(authInfo *AuthInfo) (*Claims, error)
}
ClaimMapper converts the authentication info of a subject (AuthInfo) into Temporal claims (permissions) used for authorization.
func GetClaimMapperFromConfig ¶ added in v1.5.7
func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)
func NewDefaultJWTClaimMapper ¶ added in v1.4.0
func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper
func NewNoopClaimMapper ¶ added in v1.4.0
func NewNoopClaimMapper() ClaimMapper
type ClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
type ClaimMapperWithAuthInfoRequired interface {
AuthInfoRequired() bool
}
Normally, GetClaims is never called unless either an auth token or TLS metadata is set in AuthInfo; requests carrying neither are rejected before the mapper runs. If you want your ClaimMapper to be called in all cases (for example, to map unauthenticated callers to a deliberately restricted set of claims), implement this additional interface and return false.
type Claims ¶ added in v1.4.0
type Claims struct {
	// Identity of the subject
	Subject string
	// Role within the context of the whole Temporal cluster or a multi-cluster setup
	System Role
	// Roles within specific namespaces
	Namespaces map[string]Role
	// Free form bucket for extra data
	Extensions interface{}
}
Claims contains the identity of the subject and the subject's roles at the system level and for individual namespaces.
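Putting Role, Claims, CallTarget, ClaimMapper, ClaimMapperWithAuthInfoRequired and Authorizer together: the following is an added example, not code from the Temporal server. It shows a ClaimMapper that derives namespace roles from an mTLS client certificate's OU fields and an Authorizer that enforces those roles as a bitmask with deny-by-default. The Role, Claims, AuthInfo, CallTarget, Decision and Result types are mirrored locally with only the fields used so the block builds without the server module; the "ns:<namespace>:<role>" OU convention, the DecisionDeny/DecisionAllow values (not listed on this page) and the readOnlyAPIs table (standing in for IsReadOnlyNamespaceAPI) are assumptions of the example.

```go
package main

import (
	"context"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Mirrors of the package's Role, Claims, AuthInfo, CallTarget, Decision and Result
// types, cut down to the fields used here (assumed shapes; the Decision values are
// not listed on this page), so the example builds without the server module.
type (
	Role     int
	Decision int
	Claims   struct {
		Subject    string
		System     Role
		Namespaces map[string]Role
	}
	AuthInfo   struct{ TLSSubject *pkix.Name }
	CallTarget struct{ APIName, Namespace string }
	Result     struct {
		Decision Decision
		Reason   string
	}
)

const (
	RoleWorker = Role(1 << iota)
	RoleReader
	RoleWriter
	RoleAdmin
	RoleUndefined = Role(0)
)

const (
	DecisionDeny Decision = iota + 1
	DecisionAllow
)

var roleByName = map[string]Role{"worker": RoleWorker, "reader": RoleReader, "writer": RoleWriter, "admin": RoleAdmin}

// certClaimMapper reads namespace roles from the client certificate's OU entries,
// written "ns:<namespace>:<role>" (a convention assumed here). AuthInfoRequired()
// is false, so a caller with neither token nor TLS subject still reaches GetClaims
// and receives empty claims instead of being rejected before the mapper runs.
type certClaimMapper struct{}

func (certClaimMapper) AuthInfoRequired() bool { return false }

func (certClaimMapper) GetClaims(authInfo *AuthInfo) (*Claims, error) {
	claims := &Claims{Namespaces: map[string]Role{}}
	if authInfo == nil || authInfo.TLSSubject == nil {
		return claims, nil // anonymous caller: RoleUndefined everywhere
	}
	claims.Subject = authInfo.TLSSubject.CommonName
	for _, ou := range authInfo.TLSSubject.OrganizationalUnit {
		parts := strings.Split(ou, ":")
		if len(parts) != 3 || parts[0] != "ns" {
			continue // unrelated OU
		}
		role, ok := roleByName[parts[2]]
		if !ok {
			return nil, fmt.Errorf("unknown role %q in OU %q", parts[2], ou)
		}
		claims.Namespaces[parts[1]] |= role // roles accumulate as a bitmask
	}
	return claims, nil
}

// readOnlyAPIs stands in for IsReadOnlyNamespaceAPI, keyed by full method name.
var readOnlyAPIs = map[string]bool{
	"/temporal.api.workflowservice.v1.WorkflowService/DescribeWorkflowExecution": true,
}

// rbacAuthorizer denies by default: system admins may call anything, namespace
// writers and admins anything in their namespace, readers only read-only APIs.
type rbacAuthorizer struct{}

func (rbacAuthorizer) Authorize(_ context.Context, caller *Claims, target *CallTarget) (Result, error) {
	if caller == nil || target == nil {
		return Result{DecisionDeny, "missing claims or target"}, nil
	}
	if caller.System&RoleAdmin != 0 {
		return Result{DecisionAllow, "system admin"}, nil
	}
	if target.Namespace == "" {
		return Result{DecisionDeny, "non-namespace API requires system admin"}, nil
	}
	role := caller.Namespaces[target.Namespace] // RoleUndefined if the namespace is absent
	if role&(RoleAdmin|RoleWriter) != 0 {
		return Result{DecisionAllow, "namespace writer/admin"}, nil
	}
	if role&RoleReader != 0 && readOnlyAPIs[target.APIName] {
		return Result{DecisionAllow, "namespace reader on read-only API"}, nil
	}
	return Result{DecisionDeny, fmt.Sprintf("role %d insufficient for %s", role, target.APIName)}, nil
}

func main() {
	subject := &pkix.Name{CommonName: "svc-payments", OrganizationalUnit: []string{"ns:payments:reader"}}
	claims, _ := certClaimMapper{}.GetClaims(&AuthInfo{TLSSubject: subject})
	res, _ := rbacAuthorizer{}.Authorize(context.Background(), claims, &CallTarget{"/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution", "payments"})
	fmt.Println(res.Decision == DecisionAllow, res.Reason)
}
```

Returning empty claims for an anonymous caller is only safe because the authorizer denies by default: a namespace with no entry yields RoleUndefined and every bitmask test fails, and a non-namespace call needs the system-level RoleAdmin. In a real deployment replace the hand-kept readOnlyAPIs table with IsReadOnlyNamespaceAPI and IsReadOnlyGlobalAPI from this package, so new read-only methods are classified consistently.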
type JWTAudienceMapper ¶ added in v1.10.3
type JWTAudienceMapper interface {
Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
}
JWTAudienceMapper returns JWT audience for a given request
type MockAuthorizer ¶
type MockAuthorizer struct {
// contains filtered or unexported fields
}
MockAuthorizer is a mock of Authorizer interface.
func NewMockAuthorizer ¶
func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer
NewMockAuthorizer creates a new mock instance.
func (*MockAuthorizer) Authorize ¶
func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
Authorize mocks base method.
func (*MockAuthorizer) EXPECT ¶
func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockAuthorizerMockRecorder ¶
type MockAuthorizerMockRecorder struct {
// contains filtered or unexported fields
}
MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.
func (*MockAuthorizerMockRecorder) Authorize ¶
func (mr *MockAuthorizerMockRecorder) Authorize(ctx, caller, target interface{}) *gomock.Call
Authorize indicates an expected call of Authorize.
type MockClaimMapper ¶ added in v1.4.0
type MockClaimMapper struct {
// contains filtered or unexported fields
}
MockClaimMapper is a mock of ClaimMapper interface.
func NewMockClaimMapper ¶ added in v1.4.0
func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper
NewMockClaimMapper creates a new mock instance.
func (*MockClaimMapper) EXPECT ¶ added in v1.4.0
func (m *MockClaimMapper) EXPECT() *MockClaimMapperMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperMockRecorder ¶ added in v1.4.0
type MockClaimMapperMockRecorder struct {
// contains filtered or unexported fields
}
MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.
func (*MockClaimMapperMockRecorder) GetClaims ¶ added in v1.4.0
func (mr *MockClaimMapperMockRecorder) GetClaims(authInfo interface{}) *gomock.Call
GetClaims indicates an expected call of GetClaims.
type MockClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
type MockClaimMapperWithAuthInfoRequired struct {
// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequired is a mock of ClaimMapperWithAuthInfoRequired interface.
func NewMockClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
func NewMockClaimMapperWithAuthInfoRequired(ctrl *gomock.Controller) *MockClaimMapperWithAuthInfoRequired
NewMockClaimMapperWithAuthInfoRequired creates a new mock instance.
func (*MockClaimMapperWithAuthInfoRequired) AuthInfoRequired ¶ added in v1.20.3
func (m *MockClaimMapperWithAuthInfoRequired) AuthInfoRequired() bool
AuthInfoRequired mocks base method.
func (*MockClaimMapperWithAuthInfoRequired) EXPECT ¶ added in v1.20.3
func (m *MockClaimMapperWithAuthInfoRequired) EXPECT() *MockClaimMapperWithAuthInfoRequiredMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperWithAuthInfoRequiredMockRecorder ¶ added in v1.20.3
type MockClaimMapperWithAuthInfoRequiredMockRecorder struct {
// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequiredMockRecorder is the mock recorder for MockClaimMapperWithAuthInfoRequired.
func (*MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired ¶ added in v1.20.3
func (mr *MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired() *gomock.Call
AuthInfoRequired indicates an expected call of AuthInfoRequired.
type MockhasNamespace ¶ added in v1.8.2
type MockhasNamespace struct {
// contains filtered or unexported fields
}
MockhasNamespace is a mock of hasNamespace interface.
func NewMockhasNamespace ¶ added in v1.8.2
func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace
NewMockhasNamespace creates a new mock instance.
func (*MockhasNamespace) EXPECT ¶ added in v1.8.2
func (m *MockhasNamespace) EXPECT() *MockhasNamespaceMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockhasNamespace) GetNamespace ¶ added in v1.8.2
func (m *MockhasNamespace) GetNamespace() string
GetNamespace mocks base method.
type MockhasNamespaceMockRecorder ¶ added in v1.8.2
type MockhasNamespaceMockRecorder struct {
// contains filtered or unexported fields
}
MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.
func (*MockhasNamespaceMockRecorder) GetNamespace ¶ added in v1.8.2
func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call
GetNamespace indicates an expected call of GetNamespace.
type RawTokenKeyProvider ¶ added in v1.15.0
type RawTokenKeyProvider interface {
	GetKey(ctx context.Context, token *jwt.Token) (interface{}, error)
	SupportedMethods() []string
	Close()
}
RawTokenKeyProvider provides keys for validating JWT tokens. Unlike TokenKeyProvider it receives the parsed token and chooses the key itself; at that point the token's signature has not yet been verified, so use only its header fields (such as the key ID and algorithm) to select a key, never its claims.
type Result ¶
type Result struct {
	Decision Decision
	// Reason may contain a message explaining the value of the Decision field.
	Reason string
}
Result is the outcome returned by an Authorizer.
type TokenKeyProvider ¶ added in v1.4.0
type TokenKeyProvider interface {
	EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error)
	HmacKey(alg string, kid string) ([]byte, error)
	RsaKey(alg string, kid string) (*rsa.PublicKey, error)
	SupportedMethods() []string
	Close()
}
TokenKeyProvider provides keys for validating JWT tokens, looked up by signing algorithm and key ID (kid).
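An added example of a TokenKeyProvider (not the project's own code): a static set of RSA public keys looked up by kid, which pins the permitted algorithms and refuses HMAC and ECDSA requests outright. The interface is mirrored locally so the block builds without the server module; the key ID "2024-01", the RS256-only policy and the in-process key generation in demoProvider are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"sort"
)

// Local mirror of the TokenKeyProvider interface shown on this page, so the
// example builds without the Temporal server module.
type TokenKeyProvider interface {
	EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error)
	HmacKey(alg string, kid string) ([]byte, error)
	RsaKey(alg string, kid string) (*rsa.PublicKey, error)
	SupportedMethods() []string
	Close()
}

// staticRSAKeys serves a fixed set of RSA public keys by key ID and accepts only
// the algorithms it was configured with. It never returns an HMAC secret, so a
// token whose header says HS256 cannot be verified against a public key the
// attacker can also read (the RSA-to-HMAC algorithm confusion).
type staticRSAKeys struct {
	algs map[string]bool
	keys map[string]*rsa.PublicKey
}

var _ TokenKeyProvider = (*staticRSAKeys)(nil)

func newStaticRSAKeys(keys map[string]*rsa.PublicKey, algs ...string) *staticRSAKeys {
	p := &staticRSAKeys{algs: map[string]bool{}, keys: keys}
	for _, a := range algs {
		p.algs[a] = true
	}
	return p
}

// RsaKey checks the algorithm first, then the key ID; an unknown kid is an
// error, never a fallback to some default key.
func (p *staticRSAKeys) RsaKey(alg, kid string) (*rsa.PublicKey, error) {
	if !p.algs[alg] {
		return nil, fmt.Errorf("alg %q not permitted", alg)
	}
	key, ok := p.keys[kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", kid)
	}
	return key, nil
}

func (p *staticRSAKeys) EcdsaKey(alg, kid string) (*ecdsa.PublicKey, error) {
	return nil, fmt.Errorf("ECDSA alg %q not supported", alg)
}

func (p *staticRSAKeys) HmacKey(alg, kid string) ([]byte, error) {
	return nil, fmt.Errorf("HMAC alg %q not supported", alg)
}

// SupportedMethods reports exactly the algorithms RsaKey will accept.
func (p *staticRSAKeys) SupportedMethods() []string {
	out := make([]string, 0, len(p.algs))
	for a := range p.algs {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

func (p *staticRSAKeys) Close() {}

// demoProvider generates one in-process RSA key pair (assumed for the example;
// a real provider would load public keys from a JWKS endpoint or PEM files) and
// serves its public half under kid "2024-01" for RS256 only.
func demoProvider() (*staticRSAKeys, *rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return newStaticRSAKeys(map[string]*rsa.PublicKey{"2024-01": &priv.PublicKey}, "RS256"), priv
}

func main() {
	p, _ := demoProvider()
	_, err := p.HmacKey("HS256", "2024-01")
	fmt.Println(p.SupportedMethods(), err)
}
```

The two refusals are the point. A provider that would hand back the bytes of a public key it also serves over RsaKey as an HMAC secret lets a token signed with HS256 over that public key verify; a provider that falls back to a default key when the kid is unknown makes key rotation unenforceable. Keep SupportedMethods in step with what RsaKey accepts, since the JWT library uses it to reject tokens before any key lookup happens.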