// The MIT License
//
// Copyright (c) 2020 Temporal Technologies Inc. All rights reserved.
//
// Copyright (c) 2020 Uber Technologies, Inc.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.

//go:generate mockgen -copyright_file ../../LICENSE -package $GOPACKAGE -source $GOFILE -destination authorizer_mock.go

package authorization

import (
	"context"
	"fmt"
	"strings"

	"go.temporal.io/server/common/config"
)

// Decision values deliberately start at 1 (iota + 1) so that the zero value of
// Decision is neither DecisionDeny nor DecisionAllow: an uninitialized Result
// can therefore never be mistaken for an allow. The Decision type itself is
// declared further down in this file, alongside Result.
const (
	// DecisionDeny means the authorization decision is deny.
	DecisionDeny Decision = iota + 1
	// DecisionAllow means the authorization decision is allow.
	DecisionAllow
)

// @@@SNIPSTART temporal-common-authorization-authorizer-calltarget
// CallTarget contains the information an Authorizer needs to make a decision.
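// It can be extended to include resources like WorkflowType and TaskQueue.
type CallTarget struct {
	// APIName must be the full API function name.
	// Example: "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution".
	APIName string
	// Namespace is the namespace the call targets. It must be the empty
	// string when the call does not target a namespace.
	Namespace string
	// Request contains a deserialized copy of the API request object.
	// NOTE(review): its concrete type varies with APIName and is not fixed
	// here; an Authorizer that inspects it must type-assert defensively and
	// treat an unexpected type as a reason to deny, not to allow.
	Request interface{}
}

// @@@SNIPEND

type (
	// Result is the outcome of an Authorizer.Authorize call.
	Result struct {
		// Decision is the authorization decision. The zero value of Decision
		// is neither DecisionDeny nor DecisionAllow, so an unset Result is
		// distinguishable from an explicit allow.
		Decision Decision
		// Reason may contain a message explaining the value of the Decision field.
		Reason string
	}

	// Decision is the enum type for an authorization decision; the valid
	// values are DecisionDeny and DecisionAllow.
	Decision int
)

// @@@SNIPSTART temporal-common-authorization-authorizer-interface
// Authorizer is an interface for implementing authorization logic.
//
// Authorize decides whether caller may invoke target. caller is the *Claims
// for the calling identity (Claims is declared elsewhere in this package);
// target identifies the API being called, the namespace (if any) and the
// request payload.
//
// Implementations should express "not permitted" as a Result with
// DecisionDeny and reserve a non-nil error for failures to evaluate the
// request at all. NOTE(review): how a returned error is treated is decided by
// the caller of Authorize, which is not in this file — confirm it is
// fail-closed before relying on errors to block a request.
type Authorizer interface {
	Authorize(ctx context.Context, caller *Claims, target *CallTarget) (Result, error)
}

// @@@SNIPEND

// hasNamespace is implemented by request types that expose a namespace via
// GetNamespace. Nothing in this file uses it; presumably it is used to
// populate CallTarget.Namespace from a request object — confirm at the call
// site.
type hasNamespace interface {
	GetNamespace() string
}

// GetAuthorizerFromConfig returns the Authorizer selected by cfg.Authorizer,
// compared case-insensitively:
//
//   - ""        selects NewNoopAuthorizer
//   - "default" selects NewDefaultAuthorizer
//
// Any other value is rejected with an error, so a misspelled authorizer name
// fails at configuration time instead of silently falling back to the no-op
// authorizer. A nil cfg is likewise rejected with an error rather than
// dereferenced.
//
// NOTE(review): leaving the Authorizer field empty is the permissive default —
// the no-op authorizer is chosen, and whatever it permits is defined in its
// own file, not here. Deployments that rely on authorization must set the
// value explicitly; IsNoopAuthorizer can be used to detect the permissive
// configuration at startup.
func GetAuthorizerFromConfig(cfg *config.Authorization) (Authorizer, error) {
	if cfg == nil {
		// Fail closed: no configuration means no authorizer, not the no-op one.
		return nil, fmt.Errorf("authorization config is nil")
	}
	switch strings.ToLower(cfg.Authorizer) {
	case "":
		return NewNoopAuthorizer(), nil
	case "default":
		return NewDefaultAuthorizer(), nil
	default:
		return nil, fmt.Errorf("unknown authorizer: %s", cfg.Authorizer)
	}
}

// IsNoopAuthorizer reports whether authorizer is the package's no-op
// authorizer (presumably what NewNoopAuthorizer returns — its definition is
// not in this file). It recognizes the concrete *noopAuthorizer type only: a
// nil Authorizer, any other implementation, or a wrapper around the no-op
// authorizer all yield false.
func IsNoopAuthorizer(authorizer Authorizer) bool {
	_, isNoop := authorizer.(*noopAuthorizer)
	return isNoop
}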