authorization

package
v1.26.2-125.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 2, 2024 License: MIT Imports: 30 Imported by: 16

Documentation

Overview

Package authorization is a generated GoMock package.

Package authorization is a generated GoMock package.

Index

Constants

View Source
const (
	RoleWorker = Role(1 << iota)
	RoleReader
	RoleWriter
	RoleAdmin
	RoleUndefined = Role(0)
)

@@@SNIPSTART temporal-common-authorization-role-enum User authz within the context of an entity, such as system, namespace or workflow. User may have any combination of these authz within each context, except for RoleUndefined, as a bitmask.

View Source
const (
	RequestUnauthorized = "Request unauthorized."
)

Variables

View Source
var (
	MappedClaims contextKeyMappedClaims
	AuthHeader   contextKeyAuthHeader
)

Functions

func IsHealthCheckAPI added in v1.20.0

func IsHealthCheckAPI(fullApi string) bool

func IsNoopAuthorizer added in v1.18.0

func IsNoopAuthorizer(authorizer Authorizer) bool

func IsReadOnlyGlobalAPI added in v1.11.0

func IsReadOnlyGlobalAPI(workflowServiceMethod string) bool

func IsReadOnlyNamespaceAPI added in v1.11.0

func IsReadOnlyNamespaceAPI(workflowServiceMethod string) bool

func NewDefaultTokenKeyProvider added in v1.5.0

func NewDefaultTokenKeyProvider(cfg *config.Authorization, logger log.Logger) *defaultTokenKeyProvider

func PeerCert added in v1.11.0

func PeerCert(tlsInfo *credentials.TLSInfo) *x509.Certificate

PeerCert extracts an x509 certificate from given tlsInfo.

func TLSInfoFromContext added in v1.24.0

func TLSInfoFromContext(ctx context.Context) *credentials.TLSInfo

TLSInfoFromContext extracts TLS information from the context's peer value.

Types

type AuthInfo added in v1.4.0

type AuthInfo struct {
	AuthToken     string
	TLSSubject    *pkix.Name
	TLSConnection *credentials.TLSInfo
	ExtraData     string
	Audience      string
}

@@@SNIPSTART temporal-common-authorization-authinfo Authentication information from subject's JWT token or/and mTLS certificate

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}

@@@SNIPSTART temporal-common-authorization-authorizer-interface Authorizer is an interface for implementing authorization logic

func GetAuthorizerFromConfig added in v1.5.7

func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error)

func NewDefaultAuthorizer added in v1.4.0

func NewDefaultAuthorizer() Authorizer

NewDefaultAuthorizer creates a default authorizer

func NewNoopAuthorizer added in v1.5.7

func NewNoopAuthorizer() Authorizer

NewNoopAuthorizer creates a no-op authorizer

type CallTarget added in v1.4.0

type CallTarget struct {
	// APIName must be the full API function name.
	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
	APIName string
	// If a Namespace is not being targeted this be set to an empty string.
	Namespace string
	// The nexus endpoint name being targeted (if any).
	NexusEndpointName string
	// Request contains a deserialized copy of the API request object
	Request interface{}
}

@@@SNIPSTART temporal-common-authorization-authorizer-calltarget CallTarget is contains information for Authorizer to make a decision. It can be extended to include resources like WorkflowType and TaskQueue

type ClaimMapper added in v1.4.0

type ClaimMapper interface {
	GetClaims(authInfo *AuthInfo) (*Claims, error)
}

@@@SNIPSTART temporal-common-authorization-claimmapper-interface ClaimMapper converts authorization info of a subject into Temporal claims (permissions) for authorization

func GetClaimMapperFromConfig added in v1.5.7

func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error)

func NewDefaultJWTClaimMapper added in v1.4.0

func NewDefaultJWTClaimMapper(provider TokenKeyProvider, cfg *config.Authorization, logger log.Logger) ClaimMapper

func NewNoopClaimMapper added in v1.4.0

func NewNoopClaimMapper() ClaimMapper

type ClaimMapperWithAuthInfoRequired added in v1.20.3

type ClaimMapperWithAuthInfoRequired interface {
	AuthInfoRequired() bool
}

Normally, GetClaims will never be called without either an auth token or TLS metadata set in AuthInfo. However, if you want your ClaimMapper to be called in all cases, you can implement this additional interface and return false.

type Claims added in v1.4.0

type Claims struct {
	// Identity of the subject
	Subject string
	// Role within the context of the whole Temporal cluster or a multi-cluster setup
	System Role
	// Roles within specific namespaces
	Namespaces map[string]Role
	// Free form bucket for extra data
	Extensions interface{}
}

@@@SNIPSTART temporal-common-authorization-claims Claims contains the identity of the subject and subject's roles at the system level and for individual namespaces

type Decision

type Decision int

Decision is enum type for auth decision

const (
	// DecisionDeny means auth decision is deny
	DecisionDeny Decision = iota + 1
	// DecisionAllow means auth decision is allow
	DecisionAllow
)

type Interceptor added in v1.24.0

type Interceptor struct {
	// contains filtered or unexported fields
}

func NewInterceptor added in v1.24.0

func NewInterceptor(
	claimMapper ClaimMapper,
	authorizer Authorizer,
	metricsHandler metrics.Handler,
	logger log.Logger,
	namespaceChecker NamespaceChecker,
	audienceGetter JWTAudienceMapper,
	authHeaderName string,
	authExtraHeaderName string,
) *Interceptor

NewInterceptor creates an authorization interceptor.

func (*Interceptor) Authorize added in v1.24.0

func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTarget) error

Authorize uses the policy's authorizer to authorize a request based on provided claims and call target. Logs and emits metrics when unauthorized.

func (*Interceptor) EnhanceContext added in v1.24.0

func (a *Interceptor) EnhanceContext(ctx context.Context, authInfo *AuthInfo, claims *Claims) context.Context

EnhanceContext returns a new context with MappedClaims and AuthHeader values.

func (*Interceptor) GetAuthInfo added in v1.24.0

func (a *Interceptor) GetAuthInfo(tlsConnection *credentials.TLSInfo, header headers.HeaderGetter, audienceGetter func() string) *AuthInfo

GetAuthInfo extracts auth info from TLS info and headers. Returns nil if either the policy's claimMapper or authorizer are nil or when there is no auth information in the provided TLS info or headers.

func (*Interceptor) GetClaims added in v1.24.0

func (a *Interceptor) GetClaims(authInfo *AuthInfo) (*Claims, error)

GetClaims uses the policy's claimMapper to map the provided authInfo to claims.

func (*Interceptor) Intercept added in v1.24.0

func (a *Interceptor) Intercept(
	ctx context.Context,
	req interface{},
	info *grpc.UnaryServerInfo,
	handler grpc.UnaryHandler,
) (interface{}, error)

type JWTAudienceMapper added in v1.10.3

type JWTAudienceMapper interface {
	Audience(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo) string
}

JWTAudienceMapper returns JWT audience for a given request

type MockAuthorizer

type MockAuthorizer struct {
	// contains filtered or unexported fields
}

MockAuthorizer is a mock of Authorizer interface.

func NewMockAuthorizer

func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer

NewMockAuthorizer creates a new mock instance.

func (*MockAuthorizer) Authorize

func (m *MockAuthorizer) Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)

Authorize mocks base method.

func (*MockAuthorizer) EXPECT

EXPECT returns an object that allows the caller to indicate expected use.

type MockAuthorizerMockRecorder

type MockAuthorizerMockRecorder struct {
	// contains filtered or unexported fields
}

MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.

func (*MockAuthorizerMockRecorder) Authorize

func (mr *MockAuthorizerMockRecorder) Authorize(ctx, caller, target any) *gomock.Call

Authorize indicates an expected call of Authorize.

type MockClaimMapper added in v1.4.0

type MockClaimMapper struct {
	// contains filtered or unexported fields
}

MockClaimMapper is a mock of ClaimMapper interface.

func NewMockClaimMapper added in v1.4.0

func NewMockClaimMapper(ctrl *gomock.Controller) *MockClaimMapper

NewMockClaimMapper creates a new mock instance.

func (*MockClaimMapper) EXPECT added in v1.4.0

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockClaimMapper) GetClaims added in v1.4.0

func (m *MockClaimMapper) GetClaims(authInfo *AuthInfo) (*Claims, error)

GetClaims mocks base method.

type MockClaimMapperMockRecorder added in v1.4.0

type MockClaimMapperMockRecorder struct {
	// contains filtered or unexported fields
}

MockClaimMapperMockRecorder is the mock recorder for MockClaimMapper.

func (*MockClaimMapperMockRecorder) GetClaims added in v1.4.0

func (mr *MockClaimMapperMockRecorder) GetClaims(authInfo any) *gomock.Call

GetClaims indicates an expected call of GetClaims.

type MockClaimMapperWithAuthInfoRequired added in v1.20.3

type MockClaimMapperWithAuthInfoRequired struct {
	// contains filtered or unexported fields
}

MockClaimMapperWithAuthInfoRequired is a mock of ClaimMapperWithAuthInfoRequired interface.

func NewMockClaimMapperWithAuthInfoRequired added in v1.20.3

func NewMockClaimMapperWithAuthInfoRequired(ctrl *gomock.Controller) *MockClaimMapperWithAuthInfoRequired

NewMockClaimMapperWithAuthInfoRequired creates a new mock instance.

func (*MockClaimMapperWithAuthInfoRequired) AuthInfoRequired added in v1.20.3

func (m *MockClaimMapperWithAuthInfoRequired) AuthInfoRequired() bool

AuthInfoRequired mocks base method.

func (*MockClaimMapperWithAuthInfoRequired) EXPECT added in v1.20.3

EXPECT returns an object that allows the caller to indicate expected use.

type MockClaimMapperWithAuthInfoRequiredMockRecorder added in v1.20.3

type MockClaimMapperWithAuthInfoRequiredMockRecorder struct {
	// contains filtered or unexported fields
}

MockClaimMapperWithAuthInfoRequiredMockRecorder is the mock recorder for MockClaimMapperWithAuthInfoRequired.

func (*MockClaimMapperWithAuthInfoRequiredMockRecorder) AuthInfoRequired added in v1.20.3

AuthInfoRequired indicates an expected call of AuthInfoRequired.

type MockhasNamespace added in v1.8.2

type MockhasNamespace struct {
	// contains filtered or unexported fields
}

MockhasNamespace is a mock of hasNamespace interface.

func NewMockhasNamespace added in v1.8.2

func NewMockhasNamespace(ctrl *gomock.Controller) *MockhasNamespace

NewMockhasNamespace creates a new mock instance.

func (*MockhasNamespace) EXPECT added in v1.8.2

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockhasNamespace) GetNamespace added in v1.8.2

func (m *MockhasNamespace) GetNamespace() string

GetNamespace mocks base method.

type MockhasNamespaceMockRecorder added in v1.8.2

type MockhasNamespaceMockRecorder struct {
	// contains filtered or unexported fields
}

MockhasNamespaceMockRecorder is the mock recorder for MockhasNamespace.

func (*MockhasNamespaceMockRecorder) GetNamespace added in v1.8.2

func (mr *MockhasNamespaceMockRecorder) GetNamespace() *gomock.Call

GetNamespace indicates an expected call of GetNamespace.

type NamespaceChecker added in v1.24.0

type NamespaceChecker interface {
	// Exists returns nil if the namespace exists, otherwise an error.
	Exists(name namespace.Name) error
}

type RawTokenKeyProvider added in v1.15.0

type RawTokenKeyProvider interface {
	GetKey(ctx context.Context, token *jwt.Token) (interface{}, error)
	SupportedMethods() []string
	Close()
}

RawTokenKeyProvider is a TokenKeyProvider that provides keys for validating JWT tokens

type Result

type Result struct {
	Decision Decision
	// Reason may contain a message explaining the value of the Decision field.
	Reason string
}

Result is result from authority.

type Role added in v1.4.0

type Role int16

func (Role) IsValid added in v1.4.0

func (b Role) IsValid() bool

Checks if the provided role bitmask represents a valid combination of authz

type TokenKeyProvider added in v1.4.0

type TokenKeyProvider interface {
	EcdsaKey(alg string, kid string) (*ecdsa.PublicKey, error)
	HmacKey(alg string, kid string) ([]byte, error)
	RsaKey(alg string, kid string) (*rsa.PublicKey, error)
	SupportedMethods() []string
	Close()
}

@@@SNIPSTART temporal-common-authorization-tokenkeyprovider-interface Provides keys for validating JWT tokens

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL