Skip to content

SSL/TLS Support #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shawnhathaway merged 5 commits into from
May 22, 2020
Merged

SSL/TLS Support #90

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c585409
SSL/TLS Support
shawnhathaway May 20, 2020
c17e2ac
Merge branch 'master' into tls
shawnhathaway May 20, 2020
50eb2e3
Formatting
shawnhathaway May 20, 2020
2d7048a
Missing builder assignment
shawnhathaway May 21, 2020
066c6ad
Merge branch 'master' into tls
mfateev May 22, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 14 additions & 6 deletions src/main/java/io/temporal/internal/WorkflowServiceStubsImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,11 @@
import io.grpc.ClientInterceptor;
import io.grpc.ClientInterceptors;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.Metadata;
import io.grpc.Server;
import io.grpc.inprocess.InProcessChannelBuilder;
import io.grpc.inprocess.InProcessServerBuilder;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.stub.MetadataUtils;
import io.temporal.proto.workflowservice.WorkflowServiceGrpc;
import io.temporal.serviceclient.WorkflowServiceStubs;
Expand Down Expand Up @@ -103,11 +103,19 @@ public WorkflowServiceStubsImpl(
// Do not shutdown a channel passed to the constructor from outside
channelNeedsShutdown = serviceImpl != null;
} else {
this.channel =
ManagedChannelBuilder.forTarget(options.getTarget())
.defaultLoadBalancingPolicy("round_robin")
.usePlaintext()
.build();
NettyChannelBuilder builder =
NettyChannelBuilder.forTarget(options.getTarget())
.defaultLoadBalancingPolicy("round_robin");
Copy link
Copy Markdown
Member

@mfateev mfateev May 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's add it to the options as well then.

Copy link
Copy Markdown
Contributor Author

@shawnhathaway shawnhathaway May 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a required setting on our side afaik. Mind if I tackle this in a follow up change as we'd likely want to expose this on go-ask side as well?


if (options.getSslContext() == null && !options.getEnableHttps()) {
builder.usePlaintext();
} else if (options.getSslContext() != null) {
builder.sslContext(options.getSslContext());
} else {
builder.useTransportSecurity();
}

this.channel = builder.build();
channelNeedsShutdown = true;
}
GrpcMetricsInterceptor metricsInterceptor =
Expand Down
64 changes: 59 additions & 5 deletions src/main/java/io/temporal/serviceclient/WorkflowServiceStubsOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.NameResolver;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.temporal.proto.workflowservice.WorkflowServiceGrpc;
import java.util.Map;
import java.util.Optional;
Expand Down Expand Up @@ -63,16 +64,22 @@ public static WorkflowServiceStubsOptions getDefaultInstance() {

private final String target;

/** The tChannel timeout in milliseconds */
/** The user provided context for SSL/TLS over gRPC * */
private final SslContext sslContext;

/** Indicates whether basic HTTPS/SSL/TLS should be enabled * */
private final boolean enableHttps;

/** The gRPC timeout in milliseconds */
private final long rpcTimeoutMillis;

/** The tChannel timeout for long poll calls in milliseconds */
/** The gRPC timeout for long poll calls in milliseconds */
private final long rpcLongPollTimeoutMillis;

/** The tChannel timeout for query workflow call in milliseconds */
/** The gRPC timeout for query workflow call in milliseconds */
private final long rpcQueryTimeoutMillis;

/** Optional TChannel headers */
/** Optional gRPC headers */
private final Map<String, String> headers;

private final Scope metricsScope;
Expand All @@ -89,6 +96,8 @@ public static WorkflowServiceStubsOptions getDefaultInstance() {

private WorkflowServiceStubsOptions(Builder builder) {
this.target = builder.target;
this.sslContext = builder.sslContext;
this.enableHttps = builder.enableHttps;
this.channel = builder.channel;
this.rpcLongPollTimeoutMillis = builder.rpcLongPollTimeoutMillis;
this.rpcQueryTimeoutMillis = builder.rpcQueryTimeoutMillis;
Expand All @@ -104,8 +113,21 @@ private WorkflowServiceStubsOptions(Builder builder, boolean ignore) {
throw new IllegalStateException(
"Only one of the target and channel options can be set at a time");
}

if (builder.sslContext != null && builder.channel != null) {
throw new IllegalStateException(
"Only one of the sslContext and channel options can be set at a time");
}

if (builder.enableHttps && builder.channel != null) {
throw new IllegalStateException(
"Only one of the enableHttps and channel options can be set at a time");
}

this.target =
builder.target == null && builder.channel == null ? LOCAL_DOCKER_TARGET : builder.target;
this.sslContext = builder.sslContext;
this.enableHttps = builder.enableHttps;
this.channel = builder.channel;
this.rpcLongPollTimeoutMillis = builder.rpcLongPollTimeoutMillis;
this.rpcQueryTimeoutMillis = builder.rpcQueryTimeoutMillis;
Expand All @@ -125,6 +147,16 @@ public String getTarget() {
return target;
}

/** @return Returns the gRPC SSL Context to use. * */
public SslContext getSslContext() {
return sslContext;
}

/** @return Returns a boolean indicating whether gRPC should use SSL/TLS. * */
public boolean getEnableHttps() {
return enableHttps;
}

/** @return Returns the rpc timeout value in millis. */
public long getRpcTimeoutMillis() {
return rpcTimeoutMillis;
Expand Down Expand Up @@ -171,6 +203,8 @@ public Scope getMetricsScope() {
*/
public static class Builder {
private ManagedChannel channel;
private SslContext sslContext;
private boolean enableHttps;
private String target;
private long rpcTimeoutMillis = DEFAULT_RPC_TIMEOUT_MILLIS;
private long rpcLongPollTimeoutMillis = DEFAULT_POLL_RPC_TIMEOUT_MILLIS;
Expand All @@ -191,6 +225,8 @@ private Builder() {}
private Builder(WorkflowServiceStubsOptions options) {
this.target = options.target;
this.channel = options.channel;
this.enableHttps = options.enableHttps;
this.sslContext = options.sslContext;
this.rpcLongPollTimeoutMillis = options.rpcLongPollTimeoutMillis;
this.rpcQueryTimeoutMillis = options.rpcQueryTimeoutMillis;
this.rpcTimeoutMillis = options.rpcTimeoutMillis;
Expand All @@ -200,12 +236,30 @@ private Builder(WorkflowServiceStubsOptions options) {
this.metricsScope = options.metricsScope;
}

/** Sets gRPC channel to use. Exclusive with target. */
/** Sets gRPC channel to use. Exclusive with target and sslContext. */
public Builder setChannel(ManagedChannel channel) {
this.channel = channel;
return this;
}

/**
* Sets gRPC SSL Context to use, used for more advanced scenarios such as mTLS. Supercedes
* enableHttps; Exclusive with channel.
*/
public Builder setSslContext(SslContext sslContext) {
this.sslContext = sslContext;
return this;
}

/**
* Sets option to enable SSL/TLS/HTTPS for gRPC. Exclusive with channel; Ignored if SSLContext
* is specified
*/
public Builder setEnableHttps(boolean enableHttps) {
this.enableHttps = enableHttps;
return this;
}

/**
* Sets a target string, which can be either a valid {@link NameResolver}-compliant URI, or an
* authority string. See {@link ManagedChannelBuilder#forTarget(String)} for more information
Expand Down