temporalio · jlegrone · Jun 28, 2022 · May 18, 2022 · May 18, 2022 · Jun 8, 2022
diff --git a/cmd/temporalite/main.go b/cmd/temporalite/main.go
@@ -34,16 +34,20 @@ var (
 )
 
 const (
-	ephemeralFlag = "ephemeral"
-	dbPathFlag    = "filename"
-	portFlag      = "port"
-	uiPortFlag    = "ui-port"
-	headlessFlag  = "headless"
-	ipFlag        = "ip"
-	logFormatFlag = "log-format"
-	logLevelFlag  = "log-level"
-	namespaceFlag = "namespace"
-	pragmaFlag    = "sqlite-pragma"
+	ephemeralFlag  = "ephemeral"
+	dbPathFlag     = "filename"
+	portFlag       = "port"
+	uiPortFlag     = "ui-port"
+	headlessFlag   = "headless"
+	ipFlag         = "ip"
+	logFormatFlag  = "log-format"
+	logLevelFlag   = "log-level"
+	namespaceFlag  = "namespace"
+	pragmaFlag     = "sqlite-pragma"
+	tlsCertFlag    = "tls-certificate-file"
+	tlsKeyFlag     = "tls-key-file"
+	clientAuthFlag = "require-mutual-tls"
+	clientCAFlag   = "client-certificate-authority"
 )
 
 func init() {
@@ -125,6 +129,34 @@ func buildCLI() *cli.App {
 					EnvVars: nil,
 					Value:   nil,
 				},
+				&cli.BoolFlag{
+					Name:    clientAuthFlag,
+					Aliases: []string{"mtls"},
+					Usage:   `require mutual tls`,
+					EnvVars: nil,
+					Value:   false,
+				},
+				&cli.StringFlag{
+					Name:    tlsCertFlag,
+					Aliases: []string{"cert"},
+					Usage:   `path to tls certificate`,
+					EnvVars: nil,
+					Value:   "",
+				},
+				&cli.StringFlag{
+					Name:    tlsKeyFlag,
+					Aliases: []string{"key"},
+					Usage:   `path to tls key`,
+					EnvVars: nil,
+					Value:   "",
+				},
+				&cli.StringSliceFlag{
+					Name:    clientCAFlag,
+					Aliases: []string{},
+					Usage:   `path to client certificate authority`,
+					EnvVars: nil,
+					Value:   cli.NewStringSlice(),
+				},
 			},
 			Before: func(c *cli.Context) error {
 				if c.Args().Len() > 0 {
@@ -151,6 +183,27 @@ func buildCLI() *cli.App {
 					return cli.Exit(fmt.Sprintf("bad value %q passed for flag %q", c.String(ipFlag), ipFlag), 1)
 				}
 
+				if c.IsSet(tlsCertFlag) || c.IsSet(tlsKeyFlag) {
+					if c.String(tlsCertFlag) == "" {
+						return cli.Exit("tls certificate path and key file path must both be set", 1)
+					}
+
+					if c.String(tlsKeyFlag) == "" {
+						return cli.Exit("tls certificate path and key file path must both be set", 1)
+					}
+				}
+
+				if c.IsSet(clientAuthFlag) {
+					if !(c.IsSet(tlsCertFlag) && c.IsSet(tlsKeyFlag)) {
+						return cli.Exit("tls certificate path and key file path must both be set to enable mutual tls", 1)
+					}
+
+					clientAuthorities := c.StringSlice(clientCAFlag)
+					if !c.IsSet(clientCAFlag) || clientAuthorities == nil || len(clientAuthorities) == 0 {
+						return cli.Exit("client certificate authority required for mutual tls", 1)
+					}
+				}
+
 				return nil
 			},
 			Action: func(c *cli.Context) error {
@@ -179,6 +232,8 @@ func buildCLI() *cli.App {
 					temporalite.WithUpstreamOptions(
 						temporal.InterruptOn(temporal.InterruptCh()),
 					),
+					temporalite.WithTLSOptions(c.StringSlice(clientCAFlag),
+						c.String(tlsCertFlag), c.String(tlsKeyFlag), c.Bool(clientAuthFlag)),
 				}
 				if !c.Bool(headlessFlag) {
 					opt := newUIOption(fmt.Sprintf(":%d", c.Int(portFlag)), ip, uiPort)

diff --git a/internal/liteconfig/config.go b/internal/liteconfig/config.go
@@ -56,6 +56,7 @@ type Config struct {
 	portProvider     *portProvider
 	FrontendIP       string
 	UIServer         UIServer
+	TLS              config.ServerTLS
 }
 
 var SupportedPragmas = map[string]struct{}{
@@ -93,6 +94,7 @@ func NewDefaultConfig() (*Config, error) {
 		})),
 		portProvider: &portProvider{},
 		FrontendIP:   "",
+		TLS:          config.ServerTLS{},
 	}, nil
 }
 
@@ -135,6 +137,34 @@ func Convert(cfg *Config) *config.Config {
 		pprofPort = cfg.FrontendPort + 201
 	}
 
+	tls := config.RootTLS{
+		Frontend: config.GroupTLS{
+			Server: config.ServerTLS{
+				CertFile:          cfg.TLS.CertFile,
+				KeyFile:           cfg.TLS.KeyFile,
+				RequireClientAuth: cfg.TLS.RequireClientAuth,
+				ClientCAFiles:     cfg.TLS.ClientCAFiles,
+			},
+			Client: config.ClientTLS{
+				RootCAFiles: cfg.TLS.ClientCAFiles,
+			},
+		},
+	}
+
+	if tls.Frontend.Server.RequireClientAuth {
+		tls.Internode = config.GroupTLS{
+			Server: config.ServerTLS{
+				CertFile:          cfg.TLS.CertFile,
+				KeyFile:           cfg.TLS.KeyFile,
+				RequireClientAuth: cfg.TLS.RequireClientAuth,
+				ClientCAFiles:     cfg.TLS.ClientCAFiles,
+			},
+			Client: config.ClientTLS{
+				RootCAFiles: cfg.TLS.ClientCAFiles,
+			},
+		}
+	}
+
 	return &config.Config{
 		Global: config.Global{
 			Membership: config.Membership{
@@ -148,6 +178,7 @@ func Convert(cfg *Config) *config.Config {
 				},
 			},
 			PProf: config.PProf{Port: pprofPort},
+			TLS:   tls,
 		},
 		Persistence: config.Persistence{
 			DefaultStore:     PersistenceStoreName,

diff --git a/options.go b/options.go
@@ -99,6 +99,19 @@ func WithUpstreamOptions(options ...temporal.ServerOption) ServerOption {
 	})
 }
 
+// WithTLSOptions configures tls for the Temporal server
+func WithTLSOptions(caCertificates []string, certificate, key string, clientAuth bool) ServerOption {
+	return newApplyFuncContainer(func(cfg *liteconfig.Config) {
+		for _, v := range caCertificates {
+			cfg.TLS.ClientCAFiles = append(cfg.TLS.ClientCAFiles, v)
+		}
+
+		cfg.TLS.CertFile = certificate
+		cfg.TLS.KeyFile = key
+		cfg.TLS.RequireClientAuth = clientAuth
+	})
+}
+
 type applyFuncContainer struct {
 	applyInternal func(*liteconfig.Config)
 }

diff --git a/server.go b/server.go
@@ -15,6 +15,8 @@ import (
 	"go.temporal.io/server/common/authorization"
 	"go.temporal.io/server/common/config"
 	"go.temporal.io/server/common/dynamicconfig"
+	"go.temporal.io/server/common/metrics"
+	"go.temporal.io/server/common/rpc/encryption"
 	"go.temporal.io/server/schema/sqlite"
 	"go.temporal.io/server/temporal"
 
@@ -94,6 +96,14 @@ func NewServer(opts ...ServerOption) (*Server, error) {
 		serverOpts = append(serverOpts, c.UpstreamOptions...)
 	}
 
+	if cfg.Global.TLS.Frontend.Server.CertFile != "" {
+		provider, err := encryption.NewLocalStoreTlsProvider(&cfg.Global.TLS, metrics.NoopClient.Scope(0), c.Logger, encryption.NewLocalStoreCertProvider)
+		if err != nil {
+			return nil, fmt.Errorf("unable to instiate tls provider: %w", err)
+		}
+		serverOpts = append(serverOpts, temporal.WithTLSConfigFactory(provider))
+	}
+
 	s := &Server{
 		internal:         temporal.NewServer(serverOpts...),
 		ui:               c.UIServer,

diff --git a/temporaltest/options.go b/temporaltest/options.go
@@ -4,7 +4,11 @@
 
 package temporaltest
 
-import "testing"
+import (
+	"github.com/DataDog/temporalite"
+	"go.temporal.io/sdk/client"
+	"testing"
+)
 
 type TestServerOption interface {
 	apply(*TestServer)
@@ -20,6 +24,20 @@ func WithT(t *testing.T) TestServerOption {
 	})
 }
 
+// WithClientOptions configures options for the default client of the test server
+func WithClientOptions(o client.Options) TestServerOption {
+	return newApplyFuncContainer(func(server *TestServer) {
+		server.defaultClientOptions = o
+	})
+}
+
+// WithTLS configures the tls options for the server
+func WithTLS(caCertificates []string, certificate, key string, clientAuth bool) TestServerOption {
+	return newApplyFuncContainer(func(server *TestServer) {
+		server.serverOptions = append(server.serverOptions, temporalite.WithTLSOptions(caCertificates, certificate, key, clientAuth))
+	})
+}
+
 type applyFuncContainer struct {
 	applyInternal func(*TestServer)
 }

diff --git a/temporaltest/server.go b/temporaltest/server.go
@@ -27,6 +27,8 @@ type TestServer struct {
 	clients              []client.Client
 	workers              []worker.Worker
 	t                    *testing.T
+	defaultClientOptions client.Options
+	serverOptions        []temporalite.ServerOption
 }
 
 func (ts *TestServer) fatal(err error) {
@@ -56,7 +58,7 @@ func (ts *TestServer) Worker(taskQueue string, registerFunc func(registry worker
 // be closed on TestServer.Stop.
 func (ts *TestServer) Client() client.Client {
 	if ts.defaultClient == nil {
-		ts.defaultClient = ts.NewClientWithOptions(client.Options{})
+		ts.defaultClient = ts.NewClientWithOptions(ts.defaultClientOptions)
 	}
 	return ts.defaultClient
 }
@@ -120,11 +122,12 @@ func NewServer(opts ...TestServerOption) *TestServer {
 	}
 
 	s, err := temporalite.NewServer(
-		temporalite.WithNamespaces(ts.defaultTestNamespace),
-		temporalite.WithPersistenceDisabled(),
-		temporalite.WithDynamicPorts(),
-		temporalite.WithLogger(log.NewNoopLogger()),
+		append([]temporalite.ServerOption{temporalite.WithNamespaces(ts.defaultTestNamespace),
+			temporalite.WithPersistenceDisabled(),
+			temporalite.WithDynamicPorts(),
+			temporalite.WithLogger(log.NewNoopLogger())}, ts.serverOptions...)...,
 	)
+
 	if err != nil {
 		ts.fatal(fmt.Errorf("error creating server: %w", err))
 	}
@@ -138,3 +141,8 @@ func NewServer(opts ...TestServerOption) *TestServer {
 
 	return &ts
 }
+
+// NewServerWithTls starts and returns a new TestServer.
+//
+// If not specifying the WithT option, the caller should execute Stop when finished to close
+// the server and release resources.