From 5e5895af649174837849c79b298ca9b13c63ef06 Mon Sep 17 00:00:00 2001 From: bowen xiao Date: Mon, 13 Mar 2023 15:27:54 -0700 Subject: [PATCH] Adding request body into Attributes for auditing purpose with PII fields are filtered (#5151) * add unit test for filter PII functions to check bugs and error when cloning * handles when pointers are nil to avoid bugs and errors * resume the changes from previous reverted branch * use json tags to filter PII instead of hard copies * Create a new struct in unit test that only contains PII. Would be much more clearer to see filtered result. * some clean up --- common/authorization/authority_mock.go | 38 +++ common/authorization/authorizer.go | 6 + common/log/tag/tags.go | 10 + common/types/admin.go | 63 ++++ common/types/replicator.go | 42 +++ common/types/shared.go | 280 +++++++++++++++++- common/types/shared_test.go | 245 +++++++++++++++ .../frontend/accessControlledAdminHandler.go | 150 ++++++---- service/frontend/accessControlledHandler.go | 218 +++++++++----- 9 files changed, 912 insertions(+), 140 deletions(-) create mode 100644 common/types/shared_test.go diff --git a/common/authorization/authority_mock.go b/common/authorization/authority_mock.go index 8418d8f338b..cf245b36792 100644 --- a/common/authorization/authority_mock.go +++ b/common/authorization/authority_mock.go @@ -70,3 +70,41 @@ func (mr *MockAuthorizerMockRecorder) Authorize(ctx, attributes interface{}) *go mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Authorize", reflect.TypeOf((*MockAuthorizer)(nil).Authorize), ctx, attributes) } + +// MockFilteredRequestBody is a mock of FilteredRequestBody interface. +type MockFilteredRequestBody struct { + ctrl *gomock.Controller + recorder *MockFilteredRequestBodyMockRecorder +} + +// MockFilteredRequestBodyMockRecorder is the mock recorder for MockFilteredRequestBody. +type MockFilteredRequestBodyMockRecorder struct { + mock *MockFilteredRequestBody +} + +// NewMockFilteredRequestBody creates a new mock instance. +func NewMockFilteredRequestBody(ctrl *gomock.Controller) *MockFilteredRequestBody { + mock := &MockFilteredRequestBody{ctrl: ctrl} + mock.recorder = &MockFilteredRequestBodyMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockFilteredRequestBody) EXPECT() *MockFilteredRequestBodyMockRecorder { + return m.recorder +} + +// SerializeForLogging mocks base method. +func (m *MockFilteredRequestBody) SerializeForLogging() (string, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SerializeForLogging") + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// SerializeForLogging indicates an expected call of SerializeForLogging. +func (mr *MockFilteredRequestBodyMockRecorder) SerializeForLogging() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SerializeForLogging", reflect.TypeOf((*MockFilteredRequestBody)(nil).SerializeForLogging)) +} diff --git a/common/authorization/authorizer.go b/common/authorization/authorizer.go index 763c80b2f0c..7ed4a7fcc87 100644 --- a/common/authorization/authorizer.go +++ b/common/authorization/authorizer.go @@ -58,6 +58,7 @@ type ( WorkflowType *types.WorkflowType TaskList *types.TaskList Permission Permission + RequestBody FilteredRequestBody // request object except for data inputs (PII) } // Result is result from authority. @@ -97,3 +98,8 @@ func GetAuthProviderClient(privateKey string) (clientworker.AuthorizationProvide } return clientworker.NewAdminJwtAuthorizationProvider(pk), nil } + +// FilteredRequestBody request object except for data inputs (PII) +type FilteredRequestBody interface { + SerializeForLogging() (string, error) +} diff --git a/common/log/tag/tags.go b/common/log/tag/tags.go index 6dd6798557f..36eec988c37 100644 --- a/common/log/tag/tags.go +++ b/common/log/tag/tags.go @@ -469,11 +469,21 @@ func ActorID(actorID string) Tag { return newStringTag("actor-id", actorID) } +// ActorEmail returns tag for the actor's email address +func ActorEmail(actorEmail string) Tag { + return newStringTag("actor-email", actorEmail) +} + // HandlerCall returns tag for the API name of a request func HandlerCall(handlerCall string) Tag { return newStringTag("handler-call", handlerCall) } +// RequestBody returns the tag for the API request body +func RequestBody(requestBody string) Tag { + return newStringTag("request-body", requestBody) +} + // history engine shard // ShardID returns tag for ShardID diff --git a/common/types/admin.go b/common/types/admin.go index 1c72e3486fa..2dc03246b1e 100644 --- a/common/types/admin.go +++ b/common/types/admin.go @@ -26,6 +26,13 @@ type AddSearchAttributeRequest struct { SecurityToken string `json:"securityToken,omitempty"` } +func (v *AddSearchAttributeRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetSearchAttribute is an internal getter (TBD...) func (v *AddSearchAttributeRequest) GetSearchAttribute() (o map[string]IndexedValueType) { if v != nil && v.SearchAttribute != nil { @@ -47,6 +54,13 @@ type AdminDescribeWorkflowExecutionRequest struct { Execution *WorkflowExecution `json:"execution,omitempty"` } +func (v *AdminDescribeWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *AdminDescribeWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -91,6 +105,13 @@ type GetWorkflowExecutionRawHistoryV2Request struct { NextPageToken []byte `json:"nextPageToken,omitempty"` } +func (v *GetWorkflowExecutionRawHistoryV2Request) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *GetWorkflowExecutionRawHistoryV2Request) GetDomain() (o string) { if v != nil { @@ -206,6 +227,13 @@ type ResendReplicationTasksRequest struct { EndVersion *int64 `json:"endVersion,omitempty"` } +func (v *ResendReplicationTasksRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetWorkflowID is an internal getter (TBD...) func (v *ResendReplicationTasksRequest) GetWorkflowID() (o string) { if v != nil { @@ -242,6 +270,13 @@ type GetDynamicConfigRequest struct { Filters []*DynamicConfigFilter `json:"filters,omitempty"` } +func (v *GetDynamicConfigRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + type GetDynamicConfigResponse struct { Value *DataBlob `json:"value,omitempty"` } @@ -251,11 +286,25 @@ type UpdateDynamicConfigRequest struct { ConfigValues []*DynamicConfigValue `json:"configValues,omitempty"` } +func (v *UpdateDynamicConfigRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + type RestoreDynamicConfigRequest struct { ConfigName string `json:"configName,omitempty"` Filters []*DynamicConfigFilter `json:"filters,omitempty"` } +func (v *RestoreDynamicConfigRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // AdminDeleteWorkflowRequest is an internal type (TBD...) type AdminDeleteWorkflowRequest struct { Domain string `json:"domain,omitempty"` @@ -263,6 +312,13 @@ type AdminDeleteWorkflowRequest struct { SkipErrors bool `json:"skipErrors,omitempty"` } +func (v *AdminDeleteWorkflowRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + func (v *AdminDeleteWorkflowRequest) GetDomain() (o string) { if v != nil { return v.Domain @@ -298,6 +354,13 @@ type ListDynamicConfigRequest struct { ConfigName string `json:"configName,omitempty"` } +func (v *ListDynamicConfigRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + type ListDynamicConfigResponse struct { Entries []*DynamicConfigEntry `json:"entries,omitempty"` } diff --git a/common/types/replicator.go b/common/types/replicator.go index ec0d1d1963c..9139cf411b8 100644 --- a/common/types/replicator.go +++ b/common/types/replicator.go @@ -229,6 +229,13 @@ type GetDLQReplicationMessagesRequest struct { TaskInfos []*ReplicationTaskInfo `json:"taskInfos,omitempty"` } +func (v *GetDLQReplicationMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetTaskInfos is an internal getter (TBD...) func (v *GetDLQReplicationMessagesRequest) GetTaskInfos() (o []*ReplicationTaskInfo) { if v != nil && v.TaskInfos != nil { @@ -249,6 +256,13 @@ type GetDomainReplicationMessagesRequest struct { ClusterName string `json:"clusterName,omitempty"` } +func (v *GetDomainReplicationMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetLastRetrievedMessageID is an internal getter (TBD...) func (v *GetDomainReplicationMessagesRequest) GetLastRetrievedMessageID() (o int64) { if v != nil && v.LastRetrievedMessageID != nil { @@ -284,6 +298,13 @@ type GetReplicationMessagesRequest struct { ClusterName string `json:"clusterName,omitempty"` } +func (v *GetReplicationMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetClusterName is an internal getter (TBD...) func (v *GetReplicationMessagesRequest) GetClusterName() (o string) { if v != nil { @@ -393,6 +414,13 @@ type MergeDLQMessagesRequest struct { NextPageToken []byte `json:"nextPageToken,omitempty"` } +func (v *MergeDLQMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetType is an internal getter (TBD...) func (v *MergeDLQMessagesRequest) GetType() (o DLQType) { if v != nil && v.Type != nil { @@ -454,6 +482,13 @@ type PurgeDLQMessagesRequest struct { InclusiveEndMessageID *int64 `json:"inclusiveEndMessageID,omitempty"` } +func (v *PurgeDLQMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetType is an internal getter (TBD...) func (v *PurgeDLQMessagesRequest) GetType() (o DLQType) { if v != nil && v.Type != nil { @@ -496,6 +531,13 @@ type ReadDLQMessagesRequest struct { NextPageToken []byte `json:"nextPageToken,omitempty"` } +func (v *ReadDLQMessagesRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetType is an internal getter (TBD...) func (v *ReadDLQMessagesRequest) GetType() (o DLQType) { if v != nil && v.Type != nil { diff --git a/common/types/shared.go b/common/types/shared.go index 76c539379c1..0e130a7b33b 100644 --- a/common/types/shared.go +++ b/common/types/shared.go @@ -21,6 +21,7 @@ package types import ( + "encoding/json" "fmt" "strconv" "strings" @@ -625,6 +626,13 @@ type CloseShardRequest struct { ShardID int32 `json:"shardID,omitempty"` } +func (v *CloseShardRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetShardID is an internal getter (TBD...) func (v *CloseShardRequest) GetShardID() (o int32) { if v != nil { @@ -788,6 +796,13 @@ type CountWorkflowExecutionsRequest struct { Query string `json:"query,omitempty"` } +func (v *CountWorkflowExecutionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *CountWorkflowExecutionsRequest) GetDomain() (o string) { if v != nil { @@ -1447,6 +1462,13 @@ type DeprecateDomainRequest struct { SecurityToken string `json:"securityToken,omitempty"` } +func (v *DeprecateDomainRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetName is an internal getter (TBD...) func (v *DeprecateDomainRequest) GetName() (o string) { if v != nil { @@ -1461,6 +1483,13 @@ type DescribeDomainRequest struct { UUID *string `json:"uuid,omitempty"` } +func (v *DescribeDomainRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetName is an internal getter (TBD...) func (v *DescribeDomainRequest) GetName() (o string) { if v != nil && v.Name != nil { @@ -1526,12 +1555,26 @@ type DescribeHistoryHostRequest struct { ExecutionForHost *WorkflowExecution `json:"executionForHost,omitempty"` } +func (v *DescribeHistoryHostRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // DescribeShardDistributionRequest is an internal type (TBD...) type DescribeShardDistributionRequest struct { PageSize int32 `json:"pageSize,omitempty"` PageID int32 `json:"pageID,omitempty"` } +func (v *DescribeShardDistributionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetHostAddress is an internal getter (TBD...) func (v *DescribeHistoryHostRequest) GetHostAddress() (o string) { if v != nil && v.HostAddress != nil { @@ -1570,6 +1613,13 @@ type DescribeQueueRequest struct { Type *int32 `json:"type,omitempty"` } +func (v *DescribeQueueRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetShardID is an internal getter (TBD...) func (v *DescribeQueueRequest) GetShardID() (o int32) { if v != nil { @@ -1607,6 +1657,13 @@ type DescribeTaskListRequest struct { IncludeTaskListStatus bool `json:"includeTaskListStatus,omitempty"` } +func (v *DescribeTaskListRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *DescribeTaskListRequest) GetDomain() (o string) { if v != nil { @@ -1667,6 +1724,13 @@ type DescribeWorkflowExecutionRequest struct { Execution *WorkflowExecution `json:"execution,omitempty"` } +func (v *DescribeWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *DescribeWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -2427,6 +2491,13 @@ type GetWorkflowExecutionHistoryRequest struct { SkipArchival bool `json:"skipArchival,omitempty"` } +func (v *GetWorkflowExecutionHistoryRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *GetWorkflowExecutionHistoryRequest) GetDomain() (o string) { if v != nil { @@ -3152,6 +3223,13 @@ type ListArchivedWorkflowExecutionsRequest struct { Query string `json:"query,omitempty"` } +func (v *ListArchivedWorkflowExecutionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ListArchivedWorkflowExecutionsRequest) GetDomain() (o string) { if v != nil { @@ -3201,6 +3279,13 @@ type ListClosedWorkflowExecutionsRequest struct { StatusFilter *WorkflowExecutionCloseStatus `json:"statusFilter,omitempty"` } +func (v *ListClosedWorkflowExecutionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ListClosedWorkflowExecutionsRequest) GetDomain() (o string) { if v != nil { @@ -3245,6 +3330,13 @@ type ListDomainsRequest struct { NextPageToken []byte `json:"nextPageToken,omitempty"` } +func (v *ListDomainsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetPageSize is an internal getter (TBD...) func (v *ListDomainsRequest) GetPageSize() (o int32) { if v != nil { @@ -3285,6 +3377,13 @@ type ListOpenWorkflowExecutionsRequest struct { TypeFilter *WorkflowTypeFilter `json:"typeFilter,omitempty"` } +func (v *ListOpenWorkflowExecutionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ListOpenWorkflowExecutionsRequest) GetDomain() (o string) { if v != nil { @@ -3321,6 +3420,13 @@ type ListTaskListPartitionsRequest struct { TaskList *TaskList `json:"taskList,omitempty"` } +func (v *ListTaskListPartitionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ListTaskListPartitionsRequest) GetDomain() (o string) { if v != nil { @@ -3340,6 +3446,13 @@ type GetTaskListsByDomainRequest struct { Domain string `json:"domain,omitempty"` } +func (v *GetTaskListsByDomainRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *GetTaskListsByDomainRequest) GetDomain() (o string) { if v != nil { @@ -3378,6 +3491,13 @@ type ListWorkflowExecutionsRequest struct { Query string `json:"query,omitempty"` } +func (v *ListWorkflowExecutionsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ListWorkflowExecutionsRequest) GetDomain() (o string) { if v != nil { @@ -3768,6 +3888,13 @@ type PollForActivityTaskRequest struct { TaskListMetadata *TaskListMetadata `json:"taskListMetadata,omitempty"` } +func (v *PollForActivityTaskRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *PollForActivityTaskRequest) GetDomain() (o string) { if v != nil { @@ -3828,6 +3955,13 @@ type PollForDecisionTaskRequest struct { BinaryChecksum string `json:"binaryChecksum,omitempty"` } +func (v *PollForDecisionTaskRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *PollForDecisionTaskRequest) GetDomain() (o string) { if v != nil { @@ -4181,6 +4315,13 @@ type QueryWorkflowRequest struct { QueryConsistencyLevel *QueryConsistencyLevel `json:"queryConsistencyLevel,omitempty"` } +func (v *QueryWorkflowRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *QueryWorkflowRequest) GetDomain() (o string) { if v != nil { @@ -4250,6 +4391,13 @@ type ReapplyEventsRequest struct { Events *DataBlob `json:"events,omitempty"` } +func (v *ReapplyEventsRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomainName is an internal getter (TBD...) func (v *ReapplyEventsRequest) GetDomainName() (o string) { if v != nil { @@ -4323,6 +4471,13 @@ type RecordActivityTaskHeartbeatRequest struct { Identity string `json:"identity,omitempty"` } +func (v *RecordActivityTaskHeartbeatRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // RecordActivityTaskHeartbeatResponse is an internal type (TBD...) type RecordActivityTaskHeartbeatResponse struct { CancelRequested bool `json:"cancelRequested,omitempty"` @@ -4349,6 +4504,13 @@ type RefreshWorkflowTasksRequest struct { Execution *WorkflowExecution `json:"execution,omitempty"` } +func (v *RefreshWorkflowTasksRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *RefreshWorkflowTasksRequest) GetDomain() (o string) { if v != nil { @@ -4383,6 +4545,13 @@ type RegisterDomainRequest struct { VisibilityArchivalURI string `json:"visibilityArchivalURI,omitempty"` } +func (v *RegisterDomainRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetName is an internal getter (TBD...) func (v *RegisterDomainRequest) GetName() (o string) { if v != nil { @@ -4478,6 +4647,13 @@ type RemoveTaskRequest struct { ClusterName string `json:"clusterName,omitempty"` } +func (v *RemoveTaskRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetShardID is an internal getter (TBD...) func (v *RemoveTaskRequest) GetShardID() (o int32) { if v != nil { @@ -4648,6 +4824,13 @@ type RequestCancelWorkflowExecutionRequest struct { FirstExecutionRunID string `json:"first_execution_run_id,omitempty"` } +func (v *RequestCancelWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *RequestCancelWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -4750,6 +4933,13 @@ type ResetQueueRequest struct { Type *int32 `json:"type,omitempty"` } +func (v *ResetQueueRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetShardID is an internal getter (TBD...) func (v *ResetQueueRequest) GetShardID() (o int32) { if v != nil { @@ -4780,6 +4970,13 @@ type ResetStickyTaskListRequest struct { Execution *WorkflowExecution `json:"execution,omitempty"` } +func (v *ResetStickyTaskListRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ResetStickyTaskListRequest) GetDomain() (o string) { if v != nil { @@ -4810,6 +5007,13 @@ type ResetWorkflowExecutionRequest struct { SkipSignalReapply bool `json:"skipSignalReapply,omitempty"` } +func (v *ResetWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *ResetWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -5554,24 +5758,31 @@ type SignalWithStartWorkflowExecutionRequest struct { WorkflowID string `json:"workflowId,omitempty"` WorkflowType *WorkflowType `json:"workflowType,omitempty"` TaskList *TaskList `json:"taskList,omitempty"` - Input []byte `json:"input,omitempty"` + Input []byte `json:"-"` // Filtering PII ExecutionStartToCloseTimeoutSeconds *int32 `json:"executionStartToCloseTimeoutSeconds,omitempty"` TaskStartToCloseTimeoutSeconds *int32 `json:"taskStartToCloseTimeoutSeconds,omitempty"` Identity string `json:"identity,omitempty"` RequestID string `json:"requestId,omitempty"` WorkflowIDReusePolicy *WorkflowIDReusePolicy `json:"workflowIdReusePolicy,omitempty"` SignalName string `json:"signalName,omitempty"` - SignalInput []byte `json:"signalInput,omitempty"` + SignalInput []byte `json:"-"` // Filtering PII Control []byte `json:"control,omitempty"` RetryPolicy *RetryPolicy `json:"retryPolicy,omitempty"` CronSchedule string `json:"cronSchedule,omitempty"` - Memo *Memo `json:"memo,omitempty"` - SearchAttributes *SearchAttributes `json:"searchAttributes,omitempty"` + Memo *Memo `json:"-"` // Filtering PII + SearchAttributes *SearchAttributes `json:"-"` // Filtering PII Header *Header `json:"header,omitempty"` DelayStartSeconds *int32 `json:"delayStartSeconds,omitempty"` JitterStartSeconds *int32 `json:"jitterStartSeconds,omitempty"` } +func (v *SignalWithStartWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *SignalWithStartWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -5673,12 +5884,19 @@ type SignalWorkflowExecutionRequest struct { Domain string `json:"domain,omitempty"` WorkflowExecution *WorkflowExecution `json:"workflowExecution,omitempty"` SignalName string `json:"signalName,omitempty"` - Input []byte `json:"input,omitempty"` + Input []byte `json:"-"` // Filtering PII Identity string `json:"identity,omitempty"` RequestID string `json:"requestId,omitempty"` Control []byte `json:"control,omitempty"` } +func (v *SignalWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *SignalWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -5925,6 +6143,13 @@ type RestartWorkflowExecutionRequest struct { Identity string `json:"identity,omitempty"` } +func (v *RestartWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *RestartWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -5947,7 +6172,7 @@ type StartWorkflowExecutionRequest struct { WorkflowID string `json:"workflowId,omitempty"` WorkflowType *WorkflowType `json:"workflowType,omitempty"` TaskList *TaskList `json:"taskList,omitempty"` - Input []byte `json:"input,omitempty"` + Input []byte `json:"-"` ExecutionStartToCloseTimeoutSeconds *int32 `json:"executionStartToCloseTimeoutSeconds,omitempty"` TaskStartToCloseTimeoutSeconds *int32 `json:"taskStartToCloseTimeoutSeconds,omitempty"` Identity string `json:"identity,omitempty"` @@ -5955,13 +6180,20 @@ type StartWorkflowExecutionRequest struct { WorkflowIDReusePolicy *WorkflowIDReusePolicy `json:"workflowIdReusePolicy,omitempty"` RetryPolicy *RetryPolicy `json:"retryPolicy,omitempty"` CronSchedule string `json:"cronSchedule,omitempty"` - Memo *Memo `json:"memo,omitempty"` - SearchAttributes *SearchAttributes `json:"searchAttributes,omitempty"` + Memo *Memo `json:"-"` + SearchAttributes *SearchAttributes `json:"-"` Header *Header `json:"header,omitempty"` DelayStartSeconds *int32 `json:"delayStartSeconds,omitempty"` JitterStartSeconds *int32 `json:"jitterStartSeconds,omitempty"` } +func (v *StartWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *StartWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -6312,6 +6544,13 @@ type TerminateWorkflowExecutionRequest struct { FirstExecutionRunID string `json:"first_execution_run_id,omitempty"` } +func (v *TerminateWorkflowExecutionRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetDomain is an internal getter (TBD...) func (v *TerminateWorkflowExecutionRequest) GetDomain() (o string) { if v != nil { @@ -6512,6 +6751,13 @@ type UpdateDomainRequest struct { FailoverTimeoutInSeconds *int32 `json:"failoverTimeoutInSeconds,omitempty"` } +func (v *UpdateDomainRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetName is an internal getter (TBD...) func (v *UpdateDomainRequest) GetName() (o string) { if v != nil { @@ -7779,6 +8025,13 @@ type GetCrossClusterTasksRequest struct { TargetCluster string `json:"targetCluster,omitempty"` } +func (v *GetCrossClusterTasksRequest) SerializeForLogging() (string, error) { + if v == nil { + return "", nil + } + return SerializeRequest(v) +} + // GetShardIDs is an internal getter (TBD...) func (v *GetCrossClusterTasksRequest) GetShardIDs() (o []int32) { if v != nil && v.ShardIDs != nil { @@ -7842,3 +8095,14 @@ type RespondCrossClusterTasksCompletedResponse struct { type StickyWorkerUnavailableError struct { Message string `json:"message,required"` } + +// SerializeRequest Serialize an arbitrary request for logging +// pass in a pointer as a parameter to save space +func SerializeRequest(request interface{}) (string, error) { + res, err := json.Marshal(request) + if err != nil { + return "", err + } + + return string(res), nil +} diff --git a/common/types/shared_test.go b/common/types/shared_test.go new file mode 100644 index 00000000000..da563ed3138 --- /dev/null +++ b/common/types/shared_test.go @@ -0,0 +1,245 @@ +// The MIT License (MIT) + +// Copyright (c) 2017-2020 Uber Technologies Inc. + +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. + +package types + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestSignalWithStartWorkflowExecutionRequestSerializeForLogging(t *testing.T) { + tests := map[string]struct { + input *SignalWithStartWorkflowExecutionRequest + expectedOutput string + expectedErrorOutput error + }{ + "complete request without error": { + input: createNewSignalWithStartWorkflowExecutionRequest(), + expectedOutput: "{\"domain\":\"testDomain\",\"workflowId\":\"testWorkflowID\",\"workflowType\":{\"name\":\"testWorkflowType\"},\"taskList\":{\"name\":\"testTaskList\",\"kind\":\"STICKY\"},\"executionStartToCloseTimeoutSeconds\":1,\"taskStartToCloseTimeoutSeconds\":1,\"identity\":\"testIdentity\",\"requestId\":\"DF66E35D-A5B0-425D-8731-6AAC4A4B6368\",\"workflowIdReusePolicy\":\"AllowDuplicate\",\"signalName\":\"testRequest\",\"control\":\"dGVzdENvbnRyb2w=\",\"retryPolicy\":{\"initialIntervalInSeconds\":1,\"backoffCoefficient\":1,\"maximumIntervalInSeconds\":1,\"maximumAttempts\":1,\"nonRetriableErrorReasons\":[\"testArray\"],\"expirationIntervalInSeconds\":1},\"cronSchedule\":\"testSchedule\",\"header\":{},\"delayStartSeconds\":1,\"jitterStartSeconds\":1}", + expectedErrorOutput: nil, + }, + + "empty request without error": { + input: &SignalWithStartWorkflowExecutionRequest{}, + expectedOutput: "{}", + expectedErrorOutput: nil, + }, + + "nil request without error": { + input: nil, + expectedOutput: "", + expectedErrorOutput: nil, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + assert.NotPanics(t, func() { + output, err := test.input.SerializeForLogging() + assert.Equal(t, test.expectedOutput, output) + assert.Equal(t, test.expectedErrorOutput, err) + assert.NotContains(t, output, "PII") + }) + }) + } +} + +func TestSignalWorkflowExecutionRequestSerializeForLogging(t *testing.T) { + tests := map[string]struct { + input *SignalWorkflowExecutionRequest + expectedOutput string + expectedErrorOutput error + }{ + "complete request without error": { + input: &SignalWorkflowExecutionRequest{ + Domain: "testDomain", + Input: []byte("testInputPII"), + Identity: "testIdentity", + RequestID: "DF66E35D-A5B0-425D-8731-6AAC4A4B6368", + SignalName: "testRequest", + Control: []byte("testControl"), + }, + expectedOutput: "{\"domain\":\"testDomain\",\"signalName\":\"testRequest\",\"identity\":\"testIdentity\",\"requestId\":\"DF66E35D-A5B0-425D-8731-6AAC4A4B6368\",\"control\":\"dGVzdENvbnRyb2w=\"}", + expectedErrorOutput: nil, + }, + + "empty request without error": { + input: &SignalWorkflowExecutionRequest{}, + expectedOutput: "{}", + expectedErrorOutput: nil, + }, + + "nil request without error": { + input: nil, + expectedOutput: "", + expectedErrorOutput: nil, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + assert.NotPanics(t, func() { + output, err := test.input.SerializeForLogging() + assert.Equal(t, test.expectedOutput, output) + assert.Equal(t, test.expectedErrorOutput, err) + assert.NotContains(t, output, "PII") + }) + }) + } +} + +func TestStartWorkflowExecutionRequestRequestSerializeForLogging(t *testing.T) { + testTasklistKind := TaskListKind(1) + testExecutionStartToCloseTimeoutSeconds := int32(1) + testTaskStartToCloseTimeoutSeconds := int32(1) + testWorkflowIDReusePolicy := WorkflowIDReusePolicy(1) + testDelayStartSeconds := int32(1) + testJitterStartSeconds := int32(1) + + tests := map[string]struct { + input *StartWorkflowExecutionRequest + expectedOutput string + expectedErrorOutput error + }{ + "complete request without error": { + input: &StartWorkflowExecutionRequest{ + Domain: "testDomain", + WorkflowID: "testWorkflowID", + WorkflowType: &WorkflowType{Name: "testWorkflowType"}, + TaskList: &TaskList{ + Name: "testTaskList", + Kind: &testTasklistKind, + }, + Input: []byte("testInputPII"), + ExecutionStartToCloseTimeoutSeconds: &testExecutionStartToCloseTimeoutSeconds, + TaskStartToCloseTimeoutSeconds: &testTaskStartToCloseTimeoutSeconds, + Identity: "testIdentity", + RequestID: "DF66E35D-A5B0-425D-8731-6AAC4A4B6368", + WorkflowIDReusePolicy: &testWorkflowIDReusePolicy, + RetryPolicy: &RetryPolicy{ + InitialIntervalInSeconds: 1, + BackoffCoefficient: 1, + MaximumIntervalInSeconds: 1, + MaximumAttempts: 1, + NonRetriableErrorReasons: []string{"testArray"}, + ExpirationIntervalInSeconds: 1, + }, + CronSchedule: "testSchedule", + Memo: &Memo{Fields: map[string][]byte{}}, + SearchAttributes: &SearchAttributes{IndexedFields: map[string][]byte{}}, + Header: &Header{Fields: map[string][]byte{}}, + DelayStartSeconds: &testDelayStartSeconds, + JitterStartSeconds: &testJitterStartSeconds, + }, + expectedOutput: "{\"domain\":\"testDomain\",\"workflowId\":\"testWorkflowID\",\"workflowType\":{\"name\":\"testWorkflowType\"},\"taskList\":{\"name\":\"testTaskList\",\"kind\":\"STICKY\"},\"executionStartToCloseTimeoutSeconds\":1,\"taskStartToCloseTimeoutSeconds\":1,\"identity\":\"testIdentity\",\"requestId\":\"DF66E35D-A5B0-425D-8731-6AAC4A4B6368\",\"workflowIdReusePolicy\":\"AllowDuplicate\",\"retryPolicy\":{\"initialIntervalInSeconds\":1,\"backoffCoefficient\":1,\"maximumIntervalInSeconds\":1,\"maximumAttempts\":1,\"nonRetriableErrorReasons\":[\"testArray\"],\"expirationIntervalInSeconds\":1},\"cronSchedule\":\"testSchedule\",\"header\":{},\"delayStartSeconds\":1,\"jitterStartSeconds\":1}", + expectedErrorOutput: nil, + }, + + "empty request without error": { + input: &StartWorkflowExecutionRequest{}, + expectedOutput: "{}", + expectedErrorOutput: nil, + }, + + "nil request without error": { + input: nil, + expectedOutput: "", + expectedErrorOutput: nil, + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + assert.NotPanics(t, func() { + output, err := test.input.SerializeForLogging() + assert.Equal(t, test.expectedOutput, output) + assert.Equal(t, test.expectedErrorOutput, err) + assert.NotContains(t, output, "PII") + }) + }) + } +} + +func TestSerializeRequest(t *testing.T) { + // test serializing a normal request + testReq := createNewSignalWithStartWorkflowExecutionRequest() + serializeRes, err := SerializeRequest(testReq) + + expectRes := "{\"domain\":\"testDomain\",\"workflowId\":\"testWorkflowID\",\"workflowType\":{\"name\":\"testWorkflowType\"},\"taskList\":{\"name\":\"testTaskList\",\"kind\":\"STICKY\"},\"executionStartToCloseTimeoutSeconds\":1,\"taskStartToCloseTimeoutSeconds\":1,\"identity\":\"testIdentity\",\"requestId\":\"DF66E35D-A5B0-425D-8731-6AAC4A4B6368\",\"workflowIdReusePolicy\":\"AllowDuplicate\",\"signalName\":\"testRequest\",\"control\":\"dGVzdENvbnRyb2w=\",\"retryPolicy\":{\"initialIntervalInSeconds\":1,\"backoffCoefficient\":1,\"maximumIntervalInSeconds\":1,\"maximumAttempts\":1,\"nonRetriableErrorReasons\":[\"testArray\"],\"expirationIntervalInSeconds\":1},\"cronSchedule\":\"testSchedule\",\"header\":{},\"delayStartSeconds\":1,\"jitterStartSeconds\":1}" + expectErr := error(nil) + + assert.Equal(t, expectRes, serializeRes) + assert.Equal(t, expectErr, err) + + assert.NotPanics(t, func() { + SerializeRequest(nil) + }) + +} + +func createNewSignalWithStartWorkflowExecutionRequest() *SignalWithStartWorkflowExecutionRequest { + testTasklistKind := TaskListKind(1) + testExecutionStartToCloseTimeoutSeconds := int32(1) + testTaskStartToCloseTimeoutSeconds := int32(1) + testWorkflowIDReusePolicy := WorkflowIDReusePolicy(1) + testDelayStartSeconds := int32(1) + testJitterStartSeconds := int32(1) + piiTestArray := []byte("testInputPII") + piiTestMap := make(map[string][]byte) + piiTestMap["PII"] = piiTestArray + + testReq := &SignalWithStartWorkflowExecutionRequest{ + Domain: "testDomain", + WorkflowID: "testWorkflowID", + WorkflowType: &WorkflowType{Name: "testWorkflowType"}, + TaskList: &TaskList{ + Name: "testTaskList", + Kind: &testTasklistKind, + }, + Input: piiTestArray, + ExecutionStartToCloseTimeoutSeconds: &testExecutionStartToCloseTimeoutSeconds, + TaskStartToCloseTimeoutSeconds: &testTaskStartToCloseTimeoutSeconds, + Identity: "testIdentity", + RequestID: "DF66E35D-A5B0-425D-8731-6AAC4A4B6368", + WorkflowIDReusePolicy: &testWorkflowIDReusePolicy, + SignalName: "testRequest", + SignalInput: piiTestArray, + Control: []byte("testControl"), + RetryPolicy: &RetryPolicy{ + InitialIntervalInSeconds: 1, + BackoffCoefficient: 1, + MaximumIntervalInSeconds: 1, + MaximumAttempts: 1, + NonRetriableErrorReasons: []string{"testArray"}, + ExpirationIntervalInSeconds: 1, + }, + CronSchedule: "testSchedule", + Memo: &Memo{Fields: piiTestMap}, + SearchAttributes: &SearchAttributes{IndexedFields: piiTestMap}, + Header: &Header{Fields: map[string][]byte{}}, + DelayStartSeconds: &testDelayStartSeconds, + JitterStartSeconds: &testJitterStartSeconds, + } + return testReq +} diff --git a/service/frontend/accessControlledAdminHandler.go b/service/frontend/accessControlledAdminHandler.go index 22cffd3760e..bbfe1ed69be 100644 --- a/service/frontend/accessControlledAdminHandler.go +++ b/service/frontend/accessControlledAdminHandler.go @@ -56,9 +56,11 @@ func NewAccessControlledAdminHandlerImpl(adminHandler AdminHandler, resource res func (a *AccessControlledWorkflowAdminHandler) AddSearchAttribute(ctx context.Context, request *types.AddSearchAttributeRequest) error { attr := &authorization.Attributes{ - APIName: "AddSearchAttribute", - Permission: authorization.PermissionAdmin, + APIName: "AddSearchAttribute", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -72,9 +74,11 @@ func (a *AccessControlledWorkflowAdminHandler) AddSearchAttribute(ctx context.Co func (a *AccessControlledWorkflowAdminHandler) CloseShard(ctx context.Context, request *types.CloseShardRequest) error { attr := &authorization.Attributes{ - APIName: "CloseShard", - Permission: authorization.PermissionAdmin, + APIName: "CloseShard", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -104,9 +108,11 @@ func (a *AccessControlledWorkflowAdminHandler) DescribeCluster(ctx context.Conte func (a *AccessControlledWorkflowAdminHandler) DescribeShardDistribution(ctx context.Context, request *types.DescribeShardDistributionRequest) (*types.DescribeShardDistributionResponse, error) { attr := &authorization.Attributes{ - APIName: "DescribeShardDistribution", - Permission: authorization.PermissionAdmin, + APIName: "DescribeShardDistribution", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -120,9 +126,11 @@ func (a *AccessControlledWorkflowAdminHandler) DescribeShardDistribution(ctx con func (a *AccessControlledWorkflowAdminHandler) DescribeHistoryHost(ctx context.Context, request *types.DescribeHistoryHostRequest) (*types.DescribeHistoryHostResponse, error) { attr := &authorization.Attributes{ - APIName: "DescribeHistoryHost", - Permission: authorization.PermissionAdmin, + APIName: "DescribeHistoryHost", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -136,9 +144,11 @@ func (a *AccessControlledWorkflowAdminHandler) DescribeHistoryHost(ctx context.C func (a *AccessControlledWorkflowAdminHandler) DescribeQueue(ctx context.Context, request *types.DescribeQueueRequest) (*types.DescribeQueueResponse, error) { attr := &authorization.Attributes{ - APIName: "DescribeQueue", - Permission: authorization.PermissionAdmin, + APIName: "DescribeQueue", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -152,9 +162,11 @@ func (a *AccessControlledWorkflowAdminHandler) DescribeQueue(ctx context.Context func (a *AccessControlledWorkflowAdminHandler) DescribeWorkflowExecution(ctx context.Context, request *types.AdminDescribeWorkflowExecutionRequest) (*types.AdminDescribeWorkflowExecutionResponse, error) { attr := &authorization.Attributes{ - APIName: "DescribeWorkflowExecution", - Permission: authorization.PermissionAdmin, + APIName: "DescribeWorkflowExecution", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -168,9 +180,11 @@ func (a *AccessControlledWorkflowAdminHandler) DescribeWorkflowExecution(ctx con func (a *AccessControlledWorkflowAdminHandler) GetDLQReplicationMessages(ctx context.Context, request *types.GetDLQReplicationMessagesRequest) (*types.GetDLQReplicationMessagesResponse, error) { attr := &authorization.Attributes{ - APIName: "GetDLQReplicationMessages", - Permission: authorization.PermissionAdmin, + APIName: "GetDLQReplicationMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -184,9 +198,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetDLQReplicationMessages(ctx con func (a *AccessControlledWorkflowAdminHandler) GetDomainReplicationMessages(ctx context.Context, request *types.GetDomainReplicationMessagesRequest) (*types.GetDomainReplicationMessagesResponse, error) { attr := &authorization.Attributes{ - APIName: "GetDomainReplicationMessages", - Permission: authorization.PermissionAdmin, + APIName: "GetDomainReplicationMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -200,9 +216,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetDomainReplicationMessages(ctx func (a *AccessControlledWorkflowAdminHandler) GetReplicationMessages(ctx context.Context, request *types.GetReplicationMessagesRequest) (*types.GetReplicationMessagesResponse, error) { attr := &authorization.Attributes{ - APIName: "GetReplicationMessages", - Permission: authorization.PermissionAdmin, + APIName: "GetReplicationMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -216,9 +234,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetReplicationMessages(ctx contex func (a *AccessControlledWorkflowAdminHandler) GetWorkflowExecutionRawHistoryV2(ctx context.Context, request *types.GetWorkflowExecutionRawHistoryV2Request) (*types.GetWorkflowExecutionRawHistoryV2Response, error) { attr := &authorization.Attributes{ - APIName: "GetWorkflowExecutionRawHistoryV2", - Permission: authorization.PermissionAdmin, + APIName: "GetWorkflowExecutionRawHistoryV2", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -232,9 +252,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetWorkflowExecutionRawHistoryV2( func (a *AccessControlledWorkflowAdminHandler) MergeDLQMessages(ctx context.Context, request *types.MergeDLQMessagesRequest) (*types.MergeDLQMessagesResponse, error) { attr := &authorization.Attributes{ - APIName: "MergeDLQMessages", - Permission: authorization.PermissionAdmin, + APIName: "MergeDLQMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -248,9 +270,11 @@ func (a *AccessControlledWorkflowAdminHandler) MergeDLQMessages(ctx context.Cont func (a *AccessControlledWorkflowAdminHandler) PurgeDLQMessages(ctx context.Context, request *types.PurgeDLQMessagesRequest) error { attr := &authorization.Attributes{ - APIName: "PurgeDLQMessages", - Permission: authorization.PermissionAdmin, + APIName: "PurgeDLQMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -264,9 +288,11 @@ func (a *AccessControlledWorkflowAdminHandler) PurgeDLQMessages(ctx context.Cont func (a *AccessControlledWorkflowAdminHandler) ReadDLQMessages(ctx context.Context, request *types.ReadDLQMessagesRequest) (*types.ReadDLQMessagesResponse, error) { attr := &authorization.Attributes{ - APIName: "ReadDLQMessages", - Permission: authorization.PermissionAdmin, + APIName: "ReadDLQMessages", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -280,9 +306,11 @@ func (a *AccessControlledWorkflowAdminHandler) ReadDLQMessages(ctx context.Conte func (a *AccessControlledWorkflowAdminHandler) ReapplyEvents(ctx context.Context, request *types.ReapplyEventsRequest) error { attr := &authorization.Attributes{ - APIName: "ReapplyEvents", - Permission: authorization.PermissionAdmin, + APIName: "ReapplyEvents", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -296,9 +324,11 @@ func (a *AccessControlledWorkflowAdminHandler) ReapplyEvents(ctx context.Context func (a *AccessControlledWorkflowAdminHandler) RefreshWorkflowTasks(ctx context.Context, request *types.RefreshWorkflowTasksRequest) error { attr := &authorization.Attributes{ - APIName: "RefreshWorkflowTasks", - Permission: authorization.PermissionAdmin, + APIName: "RefreshWorkflowTasks", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -312,9 +342,11 @@ func (a *AccessControlledWorkflowAdminHandler) RefreshWorkflowTasks(ctx context. func (a *AccessControlledWorkflowAdminHandler) RemoveTask(ctx context.Context, request *types.RemoveTaskRequest) error { attr := &authorization.Attributes{ - APIName: "RemoveTask", - Permission: authorization.PermissionAdmin, + APIName: "RemoveTask", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -328,9 +360,11 @@ func (a *AccessControlledWorkflowAdminHandler) RemoveTask(ctx context.Context, r func (a *AccessControlledWorkflowAdminHandler) ResendReplicationTasks(ctx context.Context, request *types.ResendReplicationTasksRequest) error { attr := &authorization.Attributes{ - APIName: "ResendReplicationTasks", - Permission: authorization.PermissionAdmin, + APIName: "ResendReplicationTasks", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -344,9 +378,11 @@ func (a *AccessControlledWorkflowAdminHandler) ResendReplicationTasks(ctx contex func (a *AccessControlledWorkflowAdminHandler) ResetQueue(ctx context.Context, request *types.ResetQueueRequest) error { attr := &authorization.Attributes{ - APIName: "ResetQueue", - Permission: authorization.PermissionAdmin, + APIName: "ResetQueue", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -360,9 +396,11 @@ func (a *AccessControlledWorkflowAdminHandler) ResetQueue(ctx context.Context, r func (a *AccessControlledWorkflowAdminHandler) GetCrossClusterTasks(ctx context.Context, request *types.GetCrossClusterTasksRequest) (*types.GetCrossClusterTasksResponse, error) { attr := &authorization.Attributes{ - APIName: "GetCrossClusterTasks", - Permission: authorization.PermissionAdmin, + APIName: "GetCrossClusterTasks", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -376,9 +414,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetCrossClusterTasks(ctx context. func (a *AccessControlledWorkflowAdminHandler) GetDynamicConfig(ctx context.Context, request *types.GetDynamicConfigRequest) (*types.GetDynamicConfigResponse, error) { attr := &authorization.Attributes{ - APIName: "GetDynamicConfig", - Permission: authorization.PermissionAdmin, + APIName: "GetDynamicConfig", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -392,9 +432,11 @@ func (a *AccessControlledWorkflowAdminHandler) GetDynamicConfig(ctx context.Cont func (a *AccessControlledWorkflowAdminHandler) UpdateDynamicConfig(ctx context.Context, request *types.UpdateDynamicConfigRequest) error { attr := &authorization.Attributes{ - APIName: "UpdateDynamicConfig", - Permission: authorization.PermissionAdmin, + APIName: "UpdateDynamicConfig", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -408,9 +450,11 @@ func (a *AccessControlledWorkflowAdminHandler) UpdateDynamicConfig(ctx context.C func (a *AccessControlledWorkflowAdminHandler) RestoreDynamicConfig(ctx context.Context, request *types.RestoreDynamicConfigRequest) error { attr := &authorization.Attributes{ - APIName: "RestoreDynamicConfig", - Permission: authorization.PermissionAdmin, + APIName: "RestoreDynamicConfig", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return err @@ -424,9 +468,11 @@ func (a *AccessControlledWorkflowAdminHandler) RestoreDynamicConfig(ctx context. func (a *AccessControlledWorkflowAdminHandler) DeleteWorkflow(ctx context.Context, request *types.AdminDeleteWorkflowRequest) (*types.AdminDeleteWorkflowResponse, error) { attr := &authorization.Attributes{ - APIName: "DeleteWorkflow", - Permission: authorization.PermissionAdmin, + APIName: "DeleteWorkflow", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -440,9 +486,11 @@ func (a *AccessControlledWorkflowAdminHandler) DeleteWorkflow(ctx context.Contex func (a *AccessControlledWorkflowAdminHandler) MaintainCorruptWorkflow(ctx context.Context, request *types.AdminMaintainWorkflowRequest) (*types.AdminMaintainWorkflowResponse, error) { attr := &authorization.Attributes{ - APIName: "MaintainCorruptWorkflow", - Permission: authorization.PermissionAdmin, + APIName: "MaintainCorruptWorkflow", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err @@ -456,9 +504,11 @@ func (a *AccessControlledWorkflowAdminHandler) MaintainCorruptWorkflow(ctx conte func (a *AccessControlledWorkflowAdminHandler) ListDynamicConfig(ctx context.Context, request *types.ListDynamicConfigRequest) (*types.ListDynamicConfigResponse, error) { attr := &authorization.Attributes{ - APIName: "ListDynamicConfig", - Permission: authorization.PermissionAdmin, + APIName: "ListDynamicConfig", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil { return nil, err diff --git a/service/frontend/accessControlledHandler.go b/service/frontend/accessControlledHandler.go index 8821e97b56f..9db9109a7fa 100644 --- a/service/frontend/accessControlledHandler.go +++ b/service/frontend/accessControlledHandler.go @@ -73,10 +73,12 @@ func (a *AccessControlledWorkflowHandler) CountWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendCountWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "CountWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "CountWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -97,10 +99,12 @@ func (a *AccessControlledWorkflowHandler) DeprecateDomain( scope := a.getMetricsScopeWithDomainName(metrics.FrontendDeprecateDomainScope, request.GetName()) attr := &authorization.Attributes{ - APIName: "DeprecateDomain", - DomainName: request.GetName(), - Permission: authorization.PermissionAdmin, + APIName: "DeprecateDomain", + DomainName: request.GetName(), + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -121,10 +125,12 @@ func (a *AccessControlledWorkflowHandler) DescribeDomain( scope := a.getMetricsScopeWithDomainName(metrics.FrontendDescribeDomainScope, request.GetName()) attr := &authorization.Attributes{ - APIName: "DescribeDomain", - DomainName: request.GetName(), - Permission: authorization.PermissionRead, + APIName: "DescribeDomain", + DomainName: request.GetName(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -145,10 +151,12 @@ func (a *AccessControlledWorkflowHandler) DescribeTaskList( scope := a.getMetricsScopeWithDomain(metrics.FrontendDescribeTaskListScope, request) attr := &authorization.Attributes{ - APIName: "DescribeTaskList", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "DescribeTaskList", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -168,10 +176,12 @@ func (a *AccessControlledWorkflowHandler) DescribeWorkflowExecution( scope := a.getMetricsScopeWithDomain(metrics.FrontendDescribeWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "DescribeWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "DescribeWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -199,10 +209,12 @@ func (a *AccessControlledWorkflowHandler) GetWorkflowExecutionHistory( scope := a.getMetricsScopeWithDomain(metrics.FrontendGetWorkflowExecutionHistoryScope, request) attr := &authorization.Attributes{ - APIName: "GetWorkflowExecutionHistory", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "GetWorkflowExecutionHistory", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -223,10 +235,12 @@ func (a *AccessControlledWorkflowHandler) ListArchivedWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendListArchivedWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "ListArchivedWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ListArchivedWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -247,10 +261,12 @@ func (a *AccessControlledWorkflowHandler) ListClosedWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendListClosedWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "ListClosedWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ListClosedWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -268,12 +284,14 @@ func (a *AccessControlledWorkflowHandler) ListDomains( request *types.ListDomainsRequest, ) (*types.ListDomainsResponse, error) { - scope := a.GetMetricsClient().Scope(metrics.FrontendListDomainsScope).Tagged(metrics.DomainUnknownTag()) + scope := a.GetMetricsClient().Scope(metrics.FrontendListDomainsScope) attr := &authorization.Attributes{ - APIName: "ListDomains", - Permission: authorization.PermissionAdmin, + APIName: "ListDomains", + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -294,10 +312,12 @@ func (a *AccessControlledWorkflowHandler) ListOpenWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendListOpenWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "ListOpenWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ListOpenWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -318,10 +338,12 @@ func (a *AccessControlledWorkflowHandler) ListWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendListWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "ListWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ListWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -342,11 +364,13 @@ func (a *AccessControlledWorkflowHandler) PollForActivityTask( scope := a.getMetricsScopeWithDomain(metrics.FrontendPollForActivityTaskScope, request) attr := &authorization.Attributes{ - APIName: "PollForActivityTask", - DomainName: request.GetDomain(), - TaskList: request.TaskList, - Permission: authorization.PermissionWrite, + APIName: "PollForActivityTask", + DomainName: request.GetDomain(), + TaskList: request.TaskList, + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -367,11 +391,13 @@ func (a *AccessControlledWorkflowHandler) PollForDecisionTask( scope := a.getMetricsScopeWithDomain(metrics.FrontendPollForDecisionTaskScope, request) attr := &authorization.Attributes{ - APIName: "PollForDecisionTask", - DomainName: request.GetDomain(), - TaskList: request.TaskList, - Permission: authorization.PermissionWrite, + APIName: "PollForDecisionTask", + DomainName: request.GetDomain(), + TaskList: request.TaskList, + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -392,10 +418,12 @@ func (a *AccessControlledWorkflowHandler) QueryWorkflow( scope := a.getMetricsScopeWithDomain(metrics.FrontendQueryWorkflowScope, request) attr := &authorization.Attributes{ - APIName: "QueryWorkflow", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "QueryWorkflow", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -440,10 +468,12 @@ func (a *AccessControlledWorkflowHandler) RegisterDomain( scope := a.getMetricsScopeWithDomainName(metrics.FrontendRegisterDomainScope, request.GetName()) attr := &authorization.Attributes{ - APIName: "RegisterDomain", - DomainName: request.GetName(), - Permission: authorization.PermissionAdmin, + APIName: "RegisterDomain", + DomainName: request.GetName(), + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -464,10 +494,12 @@ func (a *AccessControlledWorkflowHandler) RequestCancelWorkflowExecution( scope := a.getMetricsScopeWithDomain(metrics.FrontendRequestCancelWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "RequestCancelWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "RequestCancelWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -488,10 +520,12 @@ func (a *AccessControlledWorkflowHandler) ResetStickyTaskList( scope := a.getMetricsScopeWithDomain(metrics.FrontendResetStickyTaskListScope, request) attr := &authorization.Attributes{ - APIName: "ResetStickyTaskList", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "ResetStickyTaskList", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -512,10 +546,12 @@ func (a *AccessControlledWorkflowHandler) ResetWorkflowExecution( scope := a.getMetricsScopeWithDomain(metrics.FrontendResetWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "ResetWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "ResetWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -604,10 +640,12 @@ func (a *AccessControlledWorkflowHandler) RestartWorkflowExecution(ctx context.C scope := a.getMetricsScopeWithDomain(metrics.FrontendRestartWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "RestartWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "RestartWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -628,10 +666,12 @@ func (a *AccessControlledWorkflowHandler) ScanWorkflowExecutions( scope := a.getMetricsScopeWithDomain(metrics.FrontendScanWorkflowExecutionsScope, request) attr := &authorization.Attributes{ - APIName: "ScanWorkflowExecutions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ScanWorkflowExecutions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -656,7 +696,9 @@ func (a *AccessControlledWorkflowHandler) SignalWithStartWorkflowExecution( DomainName: request.GetDomain(), Permission: authorization.PermissionWrite, WorkflowType: request.WorkflowType, + RequestBody: request, // The Authorizer plugin should use this request body while logging requests to avoid revealing private information } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -677,10 +719,12 @@ func (a *AccessControlledWorkflowHandler) SignalWorkflowExecution( scope := a.getMetricsScopeWithDomain(metrics.FrontendSignalWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "SignalWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "SignalWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, // The Authorizer plugin should use this request body while logging requests to avoid revealing private information } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -705,7 +749,9 @@ func (a *AccessControlledWorkflowHandler) StartWorkflowExecution( DomainName: request.GetDomain(), Permission: authorization.PermissionWrite, WorkflowType: request.WorkflowType, + RequestBody: request, // The Authorizer plugin should use this request body while logging requests to avoid revealing private information } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -726,10 +772,12 @@ func (a *AccessControlledWorkflowHandler) TerminateWorkflowExecution( scope := a.getMetricsScopeWithDomain(metrics.FrontendTerminateWorkflowExecutionScope, request) attr := &authorization.Attributes{ - APIName: "TerminateWorkflowExecution", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "TerminateWorkflowExecution", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -750,10 +798,12 @@ func (a *AccessControlledWorkflowHandler) ListTaskListPartitions( scope := a.getMetricsScopeWithDomain(metrics.FrontendListTaskListPartitionsScope, request) attr := &authorization.Attributes{ - APIName: "ListTaskListPartitions", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "ListTaskListPartitions", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -774,10 +824,12 @@ func (a *AccessControlledWorkflowHandler) GetTaskListsByDomain( scope := a.getMetricsScopeWithDomain(metrics.FrontendGetTaskListsByDomainScope, request) attr := &authorization.Attributes{ - APIName: "GetTaskListsByDomain", - DomainName: request.GetDomain(), - Permission: authorization.PermissionRead, + APIName: "GetTaskListsByDomain", + DomainName: request.GetDomain(), + Permission: authorization.PermissionRead, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err @@ -794,10 +846,12 @@ func (a *AccessControlledWorkflowHandler) RefreshWorkflowTasks(ctx context.Conte scope := a.getMetricsScopeWithDomain(metrics.FrontendRefreshWorkflowTasksScope, request) attr := &authorization.Attributes{ - APIName: "RefreshWorkflowTasks", - DomainName: request.GetDomain(), - Permission: authorization.PermissionWrite, + APIName: "RefreshWorkflowTasks", + DomainName: request.GetDomain(), + Permission: authorization.PermissionWrite, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return err @@ -814,14 +868,14 @@ func (a *AccessControlledWorkflowHandler) UpdateDomain( ctx context.Context, request *types.UpdateDomainRequest, ) (*types.UpdateDomainResponse, error) { - scope := a.getMetricsScopeWithDomainName(metrics.FrontendUpdateDomainScope, request.GetName()) - attr := &authorization.Attributes{ - APIName: "UpdateDomain", - DomainName: request.GetName(), - Permission: authorization.PermissionAdmin, + APIName: "UpdateDomain", + DomainName: request.GetName(), + Permission: authorization.PermissionAdmin, + RequestBody: request, } + isAuthorized, err := a.isAuthorized(ctx, attr, scope) if err != nil { return nil, err