From ac053bc81f766b1e08517f03aca98d359426db9a Mon Sep 17 00:00:00 2001
From: Roman Molochkov
Date: Sat, 22 Apr 2023 19:56:42 +0300
Subject: [PATCH 1/3] Adding TLS flag
* refactor: add new flag --tls, to create tls connection by host from given address
* refactor: rollback spaces
* refactor: rollback spaces
* refactor: change definition of flag
* refactor: change the logic. (If we have server name, then it is not need to get tls flag)
* refactor: rename TLS flag from "FlagEnableTLS" to "FlagTLS"
* refactor: change error message
* refactor: rewrite comment
---
 client/factory.go | 16 ++++++++++++++++
 common/defs-flags.go | 4 +++-
 common/flags.go | 7 +++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/client/factory.go b/client/factory.go
index c3f077aa6..95b6f2c7d 100644
--- a/client/factory.go
+++ b/client/factory.go
@@ -216,6 +216,11 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 if err != nil {
 return nil, fmt.Errorf("unable to read TLS disable host verification flag: %w", err)
 }
+ enableTLSS := c.String(common.FlagTLS)
+ enableTLS, err := strconv.ParseBool(enableTLSS)
+ if err != nil {
+ return nil, fmt.Errorf("unable to read TLS flag: %w", err)
+ }
 serverName := c.String(common.FlagTLSServerName)
@@ -267,6 +272,17 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
 return tlsConfig, nil
 }
+ // If we are given a TLS flag, set the TLS server name from the address
+ if enableTLS {
+ hostPort := c.String(common.FlagAddress)
+ if hostPort == "" {
+ hostPort = common.LocalHostPort
+ }
+ // Ignoring error as we'll fail to dial anyway, and that will produce a meaningful error
+ host, _, _ = net.SplitHostPort(hostPort)
+ tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
+ return tlsConfig, nil
+ }
 return nil, nil
 }
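Review bot: The five added lines read the new flag through c.String and strconv.ParseBool although common/flags.go in this same patch registers it as a cli.BoolFlag, so the bool is round-tripped through its string form and the added error branch can only fire if the flag is somehow not registered on the command; `enableTLS := c.Bool(common.FlagTLS)` does the same job in one line. This does mirror the neighbouring host-verification read, so if that pattern is kept deliberately the name `enableTLSS` should at least become `enableTLSStr` so it does not read as a typo. createTLSConfig starts before this hunk.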
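Review bot: In the new `if enableTLS` branch the net.SplitHostPort error is thrown away, so an address with no port or with malformed brackets leaves host empty and auth.NewTLSConfigForServer is handed an empty server name; the comment relies on the later dial failing meaningfully, but whether it fails, and with what message, depends on that helper and the dialer, neither of which is visible here, and an empty ServerName is exactly the kind of silent input that makes hostname verification hard to reason about. Returning the parse error at the flag keeps the failure local and explicit (rewritten lines below; the LocalHostPort default and the rest of the function are unchanged). Note also that this branch is only reached when the earlier server-name path has not returned, so `--tls` appears to be a silent no-op alongside `--tls-server-name`, which is worth a sentence in the flag's usage text. createTLSConfig starts before this hunk.
```go
	if enableTLS {
		hostPort := c.String(common.FlagAddress)
		// … unchanged: fall back to common.LocalHostPort when hostPort is empty …
		host, _, err = net.SplitHostPort(hostPort)
		if err != nil {
			return nil, fmt.Errorf("unable to derive TLS server name from address %q: %w", hostPort, err)
		}
		tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
		return tlsConfig, nil
	}
```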
diff --git a/common/defs-flags.go b/common/defs-flags.go
index 679e26bcd..421d0334a 100644
--- a/common/defs-flags.go
+++ b/common/defs-flags.go
@@ -1,10 +1,12 @@
 package common
+
 const (
 // Shared flag definitions
 FlagEnvDefinition = "Environment to read environmental variables from."
 FlagAddrDefinition = "The host and port (formatted as host:port) for the Temporal Frontend Service."
 FlagNSAliasDefinition = "Identifies a Namespace in the Temporal Workflow."
 FlagMetadataDefinition = "Contains gRPC metadata to send with requests (formatted as key=value). Values must be in a valid JSON format."
+ FlagTLSDefinition = "Enable TLS"
 FlagTLSCertPathDefinition = "Path to x509 certificate."
 FlagTLSKeyPathDefinition = "Path to private certificate key."
 FlagTLSCaPathDefinition = "Path to server CA certificate."
@@ -128,4 +130,4 @@ const (
 // Task Queue flags
 FlagTaskQueueName = "Name of the Task Queue."
 FlagTaskQueueTypeDefinition = "Task Queue type [workflow|activity]"
-)
\ No newline at end of file
+)
diff --git a/common/flags.go b/common/flags.go
index ed93d8c8f..4616e2d30 100644
--- a/common/flags.go
+++ b/common/flags.go
@@ -107,6 +107,7 @@ var (
 FlagTaskQueueAlias = []string{"t"}
 FlagTaskQueueType = "task-queue-type"
 FlagTimeZone = "time-zone"
+ FlagTLS = "tls"
 FlagTLSCaPath = "tls-ca-path"
 FlagTLSCertPath = "tls-cert-path"
 FlagTLSDisableHostVerification = "tls-disable-host-verification"
@@ -158,6 +159,12 @@ var SharedFlags = []cli.Flag{
 Usage: FlagMetadataDefinition,
 Category: CategoryGlobal,
 },
+ &cli.BoolFlag{
+ Name: FlagTLS,
+ Usage: FlagTLSDefinition,
+ EnvVars: []string{"TEMPORAL_CLI_TLS"},
+ Category: CategoryGlobal,
+ },
 &cli.StringFlag{
 Name: FlagTLSCertPath,
 Value: "",
From 7c0d63093d145a276e10072145d742211f307dba Mon Sep 17 00:00:00 2001
From: Roman Molochkov
Date: Wed, 26 Apr 2023 11:52:36 +0300
Subject: [PATCH 2/3] Update common/defs-flags.go
Co-authored-by: Ruslan <11838981+feedmeapples@users.noreply.github.com>
---
 common/defs-flags.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/defs-flags.go b/common/defs-flags.go
index 421d0334a..819653023 100644
--- a/common/defs-flags.go
+++ b/common/defs-flags.go
@@ -6,7 +6,7 @@ const (
 FlagAddrDefinition = "The host and port (formatted as host:port) for the Temporal Frontend Service."
 FlagNSAliasDefinition = "Identifies a Namespace in the Temporal Workflow."
 FlagMetadataDefinition = "Contains gRPC metadata to send with requests (formatted as key=value). Values must be in a valid JSON format."
- FlagTLSDefinition = "Enable TLS"
+ FlagTLSDefinition = "Enable TLS encryption without additional options such as mTLS or client certificates"
 FlagTLSCertPathDefinition = "Path to x509 certificate."
 FlagTLSKeyPathDefinition = "Path to private certificate key."
 FlagTLSCaPathDefinition = "Path to server CA certificate."
From b755b2648d728a6ce7481237137819a42e5c1568 Mon Sep 17 00:00:00 2001
From: Ruslan <11838981+feedmeapples@users.noreply.github.com>
Date: Fri, 28 Apr 2023 16:28:43 -0400
Subject: [PATCH 3/3] Update common/defs-flags.go
---
 common/defs-flags.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/defs-flags.go b/common/defs-flags.go
index 77b33ccd9..72b765e2c 100644
--- a/common/defs-flags.go
+++ b/common/defs-flags.go
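Review bot: The new usage string still lacks the trailing period that every neighbouring definition in this hunk carries (`"Path to x509 certificate."`), so the flag will stand out in `--help` output; `FlagTLSDefinition = "Enable TLS encryption without additional options such as mTLS or client certificates."`. It would also help users to know when the switch is honoured: judging by the client/factory.go change in patch 1 of this series it appears to apply only when no TLS server name is given, and hostname verification on that path is still governed by --tls-disable-host-verification, which someone reading "enable TLS" as a single safe switch may not expect.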
@@ -6,7 +6,7 @@ const (
 FlagAddrDefinition = "The host and port (formatted as host:port) for the Temporal Frontend Service."
 FlagNSAliasDefinition = "Identifies a Namespace in the Temporal Workflow."
 FlagMetadataDefinition = "Contains gRPC metadata to send with requests (formatted as key=value)."
- FlagTLSDefinition = "Enable TLS encryption without additional options such as mTLS or client certificates"
+ FlagTLSDefinition = "Enable TLS encryption without additional options such as mTLS or client certificates"
 FlagTLSCertPathDefinition = "Path to x509 certificate."
 FlagTLSKeyPathDefinition = "Path to private certificate key."
 FlagTLSCaPathDefinition = "Path to server CA certificate."