go.temporal.io/server@v1.23.0/common/authorization/claim_mapper.go (about) 1 // The MIT License 2 // 3 // Copyright (c) 2020 Temporal Technologies Inc. All rights reserved. 4 // 5 // Copyright (c) 2020 Uber Technologies, Inc. 6 // 7 // Permission is hereby granted, free of charge, to any person obtaining a copy 8 // of this software and associated documentation files (the "Software"), to deal 9 // in the Software without restriction, including without limitation the rights 10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 // copies of the Software, and to permit persons to whom the Software is 12 // furnished to do so, subject to the following conditions: 13 // 14 // The above copyright notice and this permission notice shall be included in 15 // all copies or substantial portions of the Software. 16 // 17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 // THE SOFTWARE. 
//go:generate mockgen -copyright_file ../../LICENSE -package $GOPACKAGE -source $GOFILE -destination claim_mapper_mock.go

package authorization

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"

	"google.golang.org/grpc/credentials"

	"go.temporal.io/server/common/config"
	"go.temporal.io/server/common/log"
)

// @@@SNIPSTART temporal-common-authorization-authinfo
// AuthInfo is the authentication material collected for a caller before
// authorization runs: a bearer token (JWT) and/or the mTLS peer identity.
// Every field is optional; it is the ClaimMapper's job to decide what, if
// anything, the supplied material proves.
type AuthInfo struct {
	// AuthToken is the raw token string presented by the caller, or "" if none.
	AuthToken string
	// TLSSubject is the subject of the client certificate when mTLS was used.
	TLSSubject *pkix.Name
	// TLSConnection is the gRPC TLS state of the peer connection, when available.
	TLSConnection *credentials.TLSInfo
	// ExtraData is opaque, deployment-specific data handed through to the mapper;
	// nothing in this file interprets it.
	ExtraData string
	// Audience is presumably the expected token audience; how (and whether) it is
	// validated is up to the concrete mapper.
	Audience string
}

// @@@SNIPEND

// @@@SNIPSTART temporal-common-authorization-claimmapper-interface
// ClaimMapper turns a caller's AuthInfo into Temporal Claims, the permission set
// the authorizer later evaluates. It is the trust boundary between "who presented
// what credential" and "what that identity is allowed to do".
type ClaimMapper interface {
	// GetClaims derives the caller's claims from authInfo. Returning an error
	// rejects the call; returning claims does not by itself grant anything —
	// the configured Authorizer still has to accept them.
	GetClaims(authInfo *AuthInfo) (*Claims, error)
}

// @@@SNIPEND

// ClaimMapperWithAuthInfoRequired is an optional extension of ClaimMapper.
// By default GetClaims is only invoked when AuthInfo carries an auth token or
// TLS metadata. A mapper that must see every request — including ones with no
// credentials at all — implements this interface and returns false.
type ClaimMapperWithAuthInfoRequired interface {
	AuthInfoRequired() bool
}

// noopClaimMapper is the permissive fallback mapper: it hands the RoleAdmin
// system role to every caller, authenticated or not, and never fails. It is
// what GetClaimMapperFromConfig selects when no claim mapper is configured.
type noopClaimMapper struct{}

var (
	_ ClaimMapper                     = (*noopClaimMapper)(nil)
	_ ClaimMapperWithAuthInfoRequired = (*noopClaimMapper)(nil)
)

// NewNoopClaimMapper returns a ClaimMapper that grants system-admin claims to
// everybody. Use it only where authorization is intentionally disabled.
func NewNoopClaimMapper() ClaimMapper {
	return new(noopClaimMapper)
}

// GetClaims ignores the supplied AuthInfo entirely and always returns claims
// carrying System: RoleAdmin with a nil error.
func (*noopClaimMapper) GetClaims(_ *AuthInfo) (*Claims, error) {
	claims := &Claims{System: RoleAdmin}
	return claims, nil
}

// AuthInfoRequired reports false so that this mapper is consulted even for
// requests that present neither a token nor TLS metadata.
func (*noopClaimMapper) AuthInfoRequired() bool {
	return false
}

// GetClaimMapperFromConfig selects the ClaimMapper named by config.ClaimMapper.
// The name is compared case-insensitively:
//
//   - ""        → the no-op mapper, which treats every caller as a system admin;
//   - "default" → the JWT claim mapper, backed by the default token key provider
//     built from the same config and logger.
//
// Any other value is an error that echoes the configured name, so a typo is
// surfaced rather than silently falling back to the permissive no-op mapper.
func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error) {
	name := strings.ToLower(config.ClaimMapper)
	switch name {
	case "":
		return NewNoopClaimMapper(), nil
	case "default":
		keyProvider := NewDefaultTokenKeyProvider(config, logger)
		return NewDefaultJWTClaimMapper(keyProvider, config, logger), nil
	default:
		return nil, fmt.Errorf("unknown claim mapper: %s", config.ClaimMapper)
	}
}