Separate TlsConfig

spiral · Aug 29, 2024 · d94eb74 · d94eb74
1 parent bec1ef3
commit d94eb74
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 65 deletions.
diff --git a/src/Bootloader/TemporalBridgeBootloader.php b/src/Bootloader/TemporalBridgeBootloader.php
@@ -157,7 +157,7 @@ protected function initConfig(EnvironmentInterface $env): void
             [
                 'connection' => $env->get('TEMPORAL_CONNECTION', 'default'),
                 'connections' => [
-                    'default' => ConnectionConfig::createInsecure(
+                    'default' => ConnectionConfig::create(
                         address: $env->get('TEMPORAL_ADDRESS', '127.0.0.1:7233'),
                     ),
                 ],
@@ -175,12 +175,13 @@ protected function initServiceClient(TemporalConfig $config): ServiceClientInter
     {
         $connection = $config->getConnection($config->getDefaultConnection());
 
-        return $connection->secure
+        return $connection->isSecure()
             ? ServiceClient::createSSL(
                 address: $connection->address,
-                crt: $connection->rootCerts,
-                clientKey: $connection->privateKey,
-                clientPem: $connection->certChain,
+                crt: $connection->tlsConfig->rootCerts,
+                clientKey: $connection->tlsConfig->privateKey,
+                clientPem: $connection->tlsConfig->certChain,
+                overrideServerName: $connection->tlsConfig->serverName,
             )
             : ServiceClient::create(address: $connection->address);
     }

diff --git a/src/Config/ConnectionConfig.php b/src/Config/ConnectionConfig.php
@@ -9,7 +9,7 @@
  *
  * How to connect to local Temporal server:
  *
- *     ConnectionConfig::createInsecure('localhost:7233'),
+ *     ConnectionConfig::create('localhost:7233'),
  *
  * How to connect to Temporal Cloud:
  *
@@ -23,43 +23,32 @@ final class ConnectionConfig
 {
     /**
      * @param non-empty-string $address
-     * @param non-empty-string|null $rootCerts
-     * @param non-empty-string|null $privateKey
-     * @param non-empty-string|null $certChain
      * @param non-empty-string|\Stringable|null $authToken
      */
     private function __construct(
         public readonly string $address,
-        public readonly bool $secure = false,
-        public readonly ?string $rootCerts = null,
-        public readonly ?string $privateKey = null,
-        public readonly ?string $certChain = null,
+        public readonly ?TlsConfig $tlsConfig = null,
         public readonly string|\Stringable|null $authToken = null,
     ) {}
 
     /**
-     * @param non-empty-string $address
+     * Check if the connection is secure.
+     *
+     * @psalm-assert-if-true TlsConfig $this->tlsConfig
+     * @psalm-assert-if-false null $this->tlsConfig
      */
-    public static function createInsecure(
-        string $address,
-    ): self {
-        return new self($address);
+    public function isSecure(): bool
+    {
+        return $this->tlsConfig !== null;
     }
 
     /**
      * @param non-empty-string $address
-     * @param non-empty-string|null $rootCerts Root certificates string or file in PEM format.
-     *         If null provided, default gRPC root certificates are used.
-     * @param non-empty-string|null $privateKey Client private key string or file in PEM format.
-     * @param non-empty-string|null $certChain Client certificate chain string or file in PEM format.
      */
-    public static function createSecure(
+    public static function create(
         string $address,
-        ?string $rootCerts = null,
-        ?string $privateKey = null,
-        ?string $certChain = null,
     ): self {
-        return new self($address, true, $rootCerts, $privateKey, $certChain);
+        return new self($address);
     }
 
     /**
@@ -76,7 +65,28 @@ public static function createCloud(
         string $privateKey,
         string $certChain,
     ): self {
-        return new self($address, true, null, $privateKey, $certChain);
+        return new self($address, new TlsConfig(privateKey: $privateKey, certChain: $certChain));
+    }
+
+    /**
+     * Set the TLS configuration for the connection.
+     *
+     * @param non-empty-string|null $rootCerts Root certificates string or file in PEM format.
+     *         If null provided, default gRPC root certificates are used.
+     * @param non-empty-string|null $privateKey Client private key string or file in PEM format.
+     * @param non-empty-string|null $certChain Client certificate chain string or file in PEM format.
+     * @param non-empty-string|null $serverName Server name override for TLS verification.
+     */
+    public function withTls(
+        ?string $rootCerts = null,
+        ?string $privateKey = null,
+        ?string $certChain = null,
+        ?string $serverName = null,
+    ): self {
+        return new self(
+            $this->address,
+            new TlsConfig($rootCerts, $privateKey, $certChain, $serverName),
+        );
     }
 
     /**
@@ -93,10 +103,7 @@ public function withAuthKey(string|\Stringable|null $authToken): self
     {
         return new self(
             $this->address,
-            $this->secure,
-            $this->rootCerts,
-            $this->privateKey,
-            $this->certChain,
+            $this->tlsConfig,
             $authToken,
         );
     }

diff --git a/src/Config/TemporalConfig.php b/src/Config/TemporalConfig.php
@@ -69,7 +69,7 @@ public function getConnection(string $name): ConnectionConfig
                 'Using `address` is deprecated, use `connections` instead.',
                 \E_USER_DEPRECATED,
             );
-            return ConnectionConfig::createInsecure(address: $address);
+            return ConnectionConfig::create(address: $address);
         }
 
         if (isset($this->config['connections'][$name])) {

diff --git a/src/Config/TlsConfig.php b/src/Config/TlsConfig.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Spiral\TemporalBridge\Config;
+
+/**
+ * gRPC TLS configuration.
+ */
+final class TlsConfig {
+    /**
+     * @param non-empty-string|null $rootCerts Root certificates string or file in PEM format.
+     *        If null provided, default gRPC root certificates are used.
+     * @param non-empty-string|null $privateKey Client private key string or file in PEM format.
+     * @param non-empty-string|null $certChain Client certificate chain string or file in PEM format.
+     * @param non-empty-string|null $serverName Server name override for TLS verification.
+     */
+    public function __construct(
+        public readonly ?string $rootCerts = null,
+        public readonly ?string $privateKey = null,
+        public readonly ?string $certChain = null,
+        public readonly ?string $serverName = null,
+    ) {}
+}
diff --git a/tests/app/config/temporal.php b/tests/app/config/temporal.php
@@ -7,11 +7,11 @@
 return [
     'connection' => env('TEMPORAL_CONNECTION', 'default'),
     'connections' => [
-        'default' => ConnectionConfig::createInsecure(
+        'default' => ConnectionConfig::create(
             address: 'localhost:7233',
         ),
-        'ssl' => ConnectionConfig::createSecure(
-            address: 'ssl:7233',
+        'ssl' => ConnectionConfig::create(address: 'ssl:7233')
+        ->withTls(
             rootCerts: '/path/to/crt',
             privateKey: '/path/to/clientKey',
             certChain: '/path/to/clientPem',

diff --git a/tests/src/Config/ConnectionConfigTest.php b/tests/src/Config/ConnectionConfigTest.php
@@ -11,27 +11,28 @@ final class ConnectionConfigTest extends TestCase
 {
     public function testCreateSecure(): void
     {
-        $config = ConnectionConfig::createSecure(
+        $config = ConnectionConfig::create(
             address: 'localhost:2222',
+        )->withTls(
             rootCerts: 'crt',
             privateKey: 'clientKey',
             certChain: 'clientPem',
         );
 
-        $this->assertTrue($config->secure);
+        $this->assertTrue($config->isSecure());
         $this->assertSame('localhost:2222', $config->address);
-        $this->assertSame('crt', $config->rootCerts);
-        $this->assertSame('clientKey', $config->privateKey);
-        $this->assertSame('clientPem', $config->certChain);
+        $this->assertSame('crt', $config->tlsConfig->rootCerts);
+        $this->assertSame('clientKey', $config->tlsConfig->privateKey);
+        $this->assertSame('clientPem', $config->tlsConfig->certChain);
     }
 
     public function testCreateInsecure(): void
     {
-        $config = ConnectionConfig::createInsecure(
+        $config = ConnectionConfig::create(
             address: 'localhost:1111',
         );
 
-        $this->assertFalse($config->secure);
+        $this->assertFalse($config->isSecure());
         $this->assertSame('localhost:1111', $config->address);
     }
 
@@ -43,16 +44,17 @@ public function testCreateCloud(): void
             certChain: 'clientPem',
         );
 
-        $this->assertTrue($config->secure);
+        $this->assertTrue($config->isSecure());
         $this->assertSame('localhost:1111', $config->address);
-        $this->assertSame('clientKey', $config->privateKey);
-        $this->assertSame('clientPem', $config->certChain);
+        $this->assertSame('clientKey', $config->tlsConfig->privateKey);
+        $this->assertSame('clientPem', $config->tlsConfig->certChain);
     }
 
     public function testWithAuthKey(): void
     {
-        $config = ConnectionConfig::createSecure(
+        $config = ConnectionConfig::create(
             address: 'localhost:1111',
+        )->withTls(
             certChain: 'clientPem',
         );
 
@@ -65,29 +67,31 @@ public function testWithAuthKey(): void
 
     public function testWithAuthKeyNull(): void
     {
-        $config = ConnectionConfig::createSecure(
-            address: 'localhost:1111',
-        )->withAuthKey('authKey');
+        $config = ConnectionConfig::create(address: 'localhost:1111')
+            ->withTls()
+            ->withAuthKey('authKey');
 
         $newConfig = $config->withAuthKey(null);
 
         $this->assertNotSame($config, $newConfig);
         $this->assertNotNull($config->authToken);
         $this->assertNull($newConfig->authToken);
+        $this->assertTrue($config->isSecure());
+        $this->assertTrue($newConfig->isSecure());
     }
 
     public function testWithAuthKeyStringable(): void
     {
-        $config = ConnectionConfig::createSecure(
-            address: 'localhost:1111',
-        )->withAuthKey(
-            $key = new class() implements \Stringable {
-                public function __toString(): string
-                {
-                    return 'authKey';
+        $config = ConnectionConfig::create(address: 'localhost:1111')
+            ->withTls()
+            ->withAuthKey(
+                $key = new class() implements \Stringable {
+                    public function __toString(): string
+                    {
+                        return 'authKey';
+                    }
                 }
-            }
-        );
+            );
 
         $this->assertSame($key, $config->authToken);
     }

diff --git a/tests/src/Config/TemporalConfigTest.php b/tests/src/Config/TemporalConfigTest.php
@@ -41,26 +41,29 @@ public function testGetConnectionFromAddress(): void
         $this->assertSame('localhost:1111', $connection->address);
     }
 
-    public function testGetSslConnection(): void
+    public function testGetTlsConnection(): void
     {
         $config = new TemporalConfig([
             'connections' => [
-                'default' => ConnectionConfig::createSecure(
+                'default' => ConnectionConfig::create(
                     address: 'localhost:2222',
+                )->withTls(
                     rootCerts: 'crt',
                     privateKey: 'clientKey',
                     certChain: 'clientPem',
+                    serverName: 'localhost',
                 ),
             ],
         ]);
 
         $connection = $config->getConnection('default');
 
-        $this->assertTrue($connection->secure);
+        $this->assertTrue($connection->isSecure());
         $this->assertSame('localhost:2222', $connection->address);
-        $this->assertSame('crt', $connection->rootCerts);
-        $this->assertSame('clientKey', $connection->privateKey);
-        $this->assertSame('clientPem', $connection->certChain);
+        $this->assertSame('crt', $connection->tlsConfig->rootCerts);
+        $this->assertSame('clientKey', $connection->tlsConfig->privateKey);
+        $this->assertSame('clientPem', $connection->tlsConfig->certChain);
+        $this->assertSame('localhost', $connection->tlsConfig->serverName);
     }
 
     public function testGetsDefaultWorker(): void