go.temporal.io/server@v1.23.0/common/authorization/authorizer.go

go.temporal.io/server@v1.23.0/common/authorization/authorizer.go (about)

     1  // The MIT License
     2  //
     3  // Copyright (c) 2020 Temporal Technologies Inc.  All rights reserved.
     4  //
     5  // Copyright (c) 2020 Uber Technologies, Inc.
     6  //
     7  // Permission is hereby granted, free of charge, to any person obtaining a copy
     8  // of this software and associated documentation files (the "Software"), to deal
     9  // in the Software without restriction, including without limitation the rights
    10  // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    11  // copies of the Software, and to permit persons to whom the Software is
    12  // furnished to do so, subject to the following conditions:
    13  //
    14  // The above copyright notice and this permission notice shall be included in
    15  // all copies or substantial portions of the Software.
    16  //
    17  // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    18  // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    19  // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    20  // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    21  // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    22  // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    23  // THE SOFTWARE.
    24  
    25  //go:generate mockgen -copyright_file ../../LICENSE -package $GOPACKAGE -source $GOFILE -destination authorizer_mock.go
    26  
    27  package authorization
    28  
    29  import (
    30  	"context"
    31  	"fmt"
    32  	"strings"
    33  
    34  	"go.temporal.io/server/common/config"
    35  )
    36  
    37  const (
    38  	// DecisionDeny means auth decision is deny
    39  	DecisionDeny Decision = iota + 1
    40  	// DecisionAllow means auth decision is allow
    41  	DecisionAllow
    42  )
    43  
    44  // @@@SNIPSTART temporal-common-authorization-authorizer-calltarget
    45  // CallTarget is contains information for Authorizer to make a decision.
    46  // It can be extended to include resources like WorkflowType and TaskQueue
    47  type CallTarget struct {
    48  	// APIName must be the full API function name.
    49  	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
    50  	APIName string
    51  	// If a Namespace is not being targeted this be set to an empty string.
    52  	Namespace string
    53  	// Request contains a deserialized copy of the API request object
    54  	Request interface{}
    55  }
    56  
    57  // @@@SNIPEND
    58  
    59  type (
    60  	// Result is result from authority.
    61  	Result struct {
    62  		Decision Decision
    63  		// Reason may contain a message explaining the value of the Decision field.
    64  		Reason string
    65  	}
    66  
    67  	// Decision is enum type for auth decision
    68  	Decision int
    69  )
    70  
    71  // @@@SNIPSTART temporal-common-authorization-authorizer-interface
    72  // Authorizer is an interface for implementing authorization logic
    73  type Authorizer interface {
    74  	Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
    75  }
    76  
    77  // @@@SNIPEND
    78  
    79  type hasNamespace interface {
    80  	GetNamespace() string
    81  }
    82  
    83  func GetAuthorizerFromConfig(config *config.Authorization) (Authorizer, error) {
    84  
    85  	switch strings.ToLower(config.Authorizer) {
    86  	case "":
    87  		return NewNoopAuthorizer(), nil
    88  	case "default":
    89  		return NewDefaultAuthorizer(), nil
    90  	}
    91  	return nil, fmt.Errorf("unknown authorizer: %s", config.Authorizer)
    92  }
    93  
    94  func IsNoopAuthorizer(authorizer Authorizer) bool {
    95  	_, ok := authorizer.(*noopAuthorizer)
    96  	return ok
    97  }