Documentation ¶
Overview ¶
Package authorization is a generated GoMock package.
Package authorization is a generated GoMock package.
Index ¶
- Constants
- Variables
- func IsHealthCheckAPI(fullApi string) bool
- func IsNoopAuthorizer(authorizer Authorizer) bool
- func IsReadOnlyGlobalAPI(workflowServiceMethod string) bool
- func IsReadOnlyNamespaceAPI(workflowServiceMethod string) bool
- func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
- func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
- func TLSInfoFromContext(ctx context.Context) *credentials.TLSInfo
- type AuthInfo
- type Authorizer
- type CallTarget
- type ClaimMapper
- type ClaimMapperWithAuthInfoRequired
- type Claims
- type Decision
- type Interceptor
- func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTarget) error
- func (a *Interceptor) EnhanceContext(ctx context.Context, authInfo *AuthInfo, claims *Claims) context.Context
- func (a *Interceptor) GetAuthInfo(tlsConnection *credentials.TLSInfo, header headers.HeaderGetter, ...) *AuthInfo
- func (a *Interceptor) GetClaims(authInfo *AuthInfo) (*Claims, error)
- func (a *Interceptor) Intercept(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
- type JWTAudienceMapper
- type MockAuthorizer
- type MockAuthorizerMockRecorder
- type MockClaimMapper
- type MockClaimMapperMockRecorder
- type MockClaimMapperWithAuthInfoRequired
- type MockClaimMapperWithAuthInfoRequiredMockRecorder
- type MockhasNamespace
- type MockhasNamespaceMockRecorder
- type NamespaceChecker
- type RawTokenKeyProvider
- type Result
- type Role
- type TokenKeyProvider
Constants ¶
const ( RoleWorker = Role(1 << iota) RoleReader RoleWriter RoleAdmin RoleUndefined = Role(0) )
@@@SNIPSTART temporal-common-authorization-role-enum User authz within the context of an entity, such as system, namespace or workflow. User may have any combination of these authz within each context, except for RoleUndefined, as a bitmask.
const (
)Variables ¶
var ( MappedClaims contextKeyMappedClaims AuthHeader contextKeyAuthHeader )
Functions ¶
func IsHealthCheckAPI ¶ added in v1.20.0
func IsNoopAuthorizer ¶ added in v1.18.0
func IsNoopAuthorizer(authorizer Authorizer) bool
func IsReadOnlyGlobalAPI ¶ added in v1.11.0
func IsReadOnlyNamespaceAPI ¶ added in v1.11.0
func NewDefaultTokenKeyProvider ¶ added in v1.5.0
func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider
func PeerCert ¶ added in v1.11.0
func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate
PeerCert extracts an x509 certificate from given tlsInfo.
func TLSInfoFromContext ¶ added in v1.24.0
func TLSInfoFromContext(ctx context.Context) *credentials.TLSInfo
TLSInfoFromContext extracts TLS information from the context's peer value.
Types ¶
type AuthInfo ¶ added in v1.4.0
type AuthInfo struct { AuthToken string TLSSubject *pkix.Name TLSConnection *credentials.TLSInfo ExtraData string Audience string }
@@@SNIPSTART temporal-common-authorization-authinfo Authentication information from subject's JWT token or/and mTLS certificate
type Authorizer ¶
type Authorizer interface {
Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}
@@@SNIPSTART temporal-common-authorization-authorizer-interface Authorizer is an interface for implementing authorization logic
func GetAuthorizerFromConfig ¶ added in v1.5.7
func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)
func NewDefaultAuthorizer ¶ added in v1.4.0
func NewDefaultAuthorizer() Authorizer
NewDefaultAuthorizer creates a default authorizer
func NewNoopAuthorizer ¶ added in v1.5.7
func NewNoopAuthorizer() Authorizer
NewNoopAuthorizer creates a no-op authorizer
type CallTarget ¶ added in v1.4.0
type CallTarget struct { // APIName must be the full API function name. // Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution". APIName string // If a Namespace is not being targeted this be set to an empty string. Namespace string // The nexus endpoint name being targeted (if any). NexusEndpointName string // Request contains a deserialized copy of the API request object Request interface{} }
@@@SNIPSTART temporal-common-authorization-authorizer-calltarget CallTarget is contains information for Authorizer to make a decision. It can be extended to include resources like WorkflowType and TaskQueue
type ClaimMapper ¶ added in v1.4.0
@@@SNIPSTART temporal-common-authorization-claimmapper-interface ClaimMapper converts authorization info of a subject into Temporal claims (permissions) for authorization
func GetClaimMapperFromConfig ¶ added in v1.5.7
func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)
func NewDefaultJWTClaimMapper ¶ added in v1.4.0
func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper
func NewNoopClaimMapper ¶ added in v1.4.0
func NewNoopClaimMapper() ClaimMapper
type ClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
type ClaimMapperWithAuthInfoRequired interface {
AuthInfoRequired() bool
}
Normally, GetClaims will never be called without either an auth token or TLS metadata set in AuthInfo. However, if you want your ClaimMapper to be called in all cases, you can implement this additional interface and return false.
type Claims ¶ added in v1.4.0
type Claims struct { // Identity of the subject Subject string // Role within the context of the whole Temporal cluster or a multi-cluster setup System Role // Roles within specific namespaces Namespaces map[string]Role // Free form bucket for extra data Extensions interface{} }
@@@SNIPSTART temporal-common-authorization-claims Claims contains the identity of the subject and subject's roles at the system level and for individual namespaces
type Interceptor ¶ added in v1.24.0
type Interceptor struct {
// contains filtered or unexported fields
}
func NewInterceptor ¶ added in v1.24.0
func NewInterceptor( claimMapper ClaimMapper, authorizer Authorizer, metricsHandler metrics.Handler, logger log.Logger, namespaceChecker NamespaceChecker, audienceGetter JWTAudienceMapper, authHeaderName string, authExtraHeaderName string, ) *Interceptor
NewInterceptor creates an authorization interceptor.
func (*Interceptor) Authorize ¶ added in v1.24.0
func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTarget) error
Authorize uses the policy's authorizer to authorize a request based on provided claims and call target. Logs and emits metrics when unauthorized.
func (*Interceptor) EnhanceContext ¶ added in v1.24.0
func (a *Interceptor) EnhanceContext(ctx context.Context, authInfo *AuthInfo, claims *Claims) context.Context
EnhanceContext returns a new context with MappedClaims and AuthHeader values.
func (*Interceptor) GetAuthInfo ¶ added in v1.24.0
func (a *Interceptor) GetAuthInfo(tlsConnection *credentials.TLSInfo, header headers.HeaderGetter, audienceGetter func() string) *AuthInfo
GetAuthInfo extracts auth info from TLS info and headers. Returns nil if either the policy's claimMapper or authorizer are nil or when there is no auth information in the provided TLS info or headers.
func (*Interceptor) GetClaims ¶ added in v1.24.0
func (a *Interceptor) GetClaims(authInfo *AuthInfo) (*Claims, error)
GetClaims uses the policy's claimMapper to map the provided authInfo to claims.
func (*Interceptor) Intercept ¶ added in v1.24.0
func (a *Interceptor) Intercept( ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, ) (interface{}, error)
type JWTAudienceMapper ¶ added in v1.10.3
type JWTAudienceMapper interface {
Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
}
JWTAudienceMapper returns JWT audience for a given request
type MockAuthorizer ¶
type MockAuthorizer struct {
// contains filtered or unexported fields
}
MockAuthorizer is a mock of Authorizer interface.
func NewMockAuthorizer ¶
func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer
NewMockAuthorizer creates a new mock instance.
func (*MockAuthorizer) Authorize ¶
func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
Authorize mocks base method.
func (*MockAuthorizer) EXPECT ¶
func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockAuthorizerMockRecorder ¶
type MockAuthorizerMockRecorder struct {
// contains filtered or unexported fields
}
MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.
type MockClaimMapper ¶ added in v1.4.0
type MockClaimMapper struct {
// contains filtered or unexported fields
}
MockClaimMapper is a mock of ClaimMapper interface.
func NewMockClaimMapper ¶ added in v1.4.0
func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper
NewMockClaimMapper creates a new mock instance.
func (*MockClaimMapper) EXPECT ¶ added in v1.4.0
func (m *MockClaimMapper) EXPECT() *MockClaimMapperMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperMockRecorder ¶ added in v1.4.0
type MockClaimMapperMockRecorder struct {
// contains filtered or unexported fields
}
MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.
type MockClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
type MockClaimMapperWithAuthInfoRequired struct {
// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequired is a mock of ClaimMapperWithAuthInfoRequired interface.
func NewMockClaimMapperWithAuthInfoRequired ¶ added in v1.20.3
func NewMockClaimMapperWithAuthInfoRequired(ctrl *gomock.Controller) *MockClaimMapperWithAuthInfoRequired
NewMockClaimMapperWithAuthInfoRequired creates a new mock instance.
func (*MockClaimMapperWithAuthInfoRequired) AuthInfoRequired ¶ added in v1.20.3
func (m *MockClaimMapperWithAuthInfoRequired) AuthInfoRequired() bool
AuthInfoRequired mocks base method.
func (*MockClaimMapperWithAuthInfoRequired) EXPECT ¶ added in v1.20.3
func (m *MockClaimMapperWithAuthInfoRequired) EXPECT() *MockClaimMapperWithAuthInfoRequiredMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockClaimMapperWithAuthInfoRequiredMockRecorder ¶ added in v1.20.3
type MockClaimMapperWithAuthInfoRequiredMockRecorder struct {
// contains filtered or unexported fields
}
MockClaimMapperWithAuthInfoRequiredMockRecorder is the mock recorder for MockClaimMapperWithAuthInfoRequired.
func (*MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired ¶ added in v1.20.3
func (mr *MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired() *gomock.Call
AuthInfoRequired indicates an expected call of AuthInfoRequired.
type MockhasNamespace ¶ added in v1.8.2
type MockhasNamespace struct {
// contains filtered or unexported fields
}
MockhasNamespace is a mock of hasNamespace interface.
func NewMockhasNamespace ¶ added in v1.8.2
func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace
NewMockhasNamespace creates a new mock instance.
func (*MockhasNamespace) EXPECT ¶ added in v1.8.2
func (m *MockhasNamespace) EXPECT() *MockhasNamespaceMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockhasNamespace) GetNamespace ¶ added in v1.8.2
func (m *MockhasNamespace) GetNamespace() string
GetNamespace mocks base method.
type MockhasNamespaceMockRecorder ¶ added in v1.8.2
type MockhasNamespaceMockRecorder struct {
// contains filtered or unexported fields
}
MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.
func (*MockhasNamespaceMockRecorder) GetNamespace ¶ added in v1.8.2
func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call
GetNamespace indicates an expected call of GetNamespace.
type NamespaceChecker ¶ added in v1.24.0
type RawTokenKeyProvider ¶ added in v1.15.0
type RawTokenKeyProvider interface { GetKey(ctx context.Context, token *jwt.Token) (interface{}, error) SupportedMethods() []string Close() }
RawTokenKeyProvider is a TokenKeyProvider that provides keys for validating JWT tokens
type Result ¶
type Result struct { Decision Decision // Reason may contain a message explaining the value of the Decision field. Reason string }
Result is result from authority.
type TokenKeyProvider ¶ added in v1.4.0
type TokenKeyProvider interface { EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error) HmacKey(alg string, kid string) ([]byte, error) RsaKey(alg string, kid string) (*rsa.PublicKey, error) SupportedMethods() []string Close() }
@@@SNIPSTART temporal-common-authorization-tokenkeyprovider-interface Provides keys for validating JWT tokens