Skip to content

Commit 9e1de6e

Browse files
Add the ability to pass the ca cert for doing mtls server verification (#690)
1 parent 60206fa commit 9e1de6e

20 files changed

Lines changed: 145 additions & 10 deletions

File tree

cmd/run.go

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ type RunConfig struct {
6262
Namespace string
6363
ClientCertPath string
6464
ClientKeyPath string
65+
CACertPath string
6566
TLSServerName string
6667
GenerateHistory bool
6768
DisableHistoryCheck bool
@@ -93,6 +94,11 @@ func (r *RunConfig) dockerRunFlags() []cli.Flag {
9394
Usage: "Path of TLS client key to use (optional)",
9495
Destination: &r.ClientKeyPath,
9596
},
97+
&cli.StringFlag{
98+
Name: "ca-cert-path",
99+
Usage: "Path of CA cert to use for server verification (optional)",
100+
Destination: &r.CACertPath,
101+
},
96102
&cli.StringFlag{
97103
Name: "tls-server-name",
98104
Usage: "TLS server name to use for verification and SNI override (optional)",
@@ -244,7 +250,7 @@ func (r *Runner) Run(ctx context.Context, patterns []string) error {
244250
} else {
245251
// Wait for namespace to become available
246252
err := harness.WaitNamespaceAvailable(ctx, r.log,
247-
r.config.Server, r.config.Namespace, r.config.ClientCertPath, r.config.ClientKeyPath, r.config.TLSServerName)
253+
r.config.Server, r.config.Namespace, r.config.ClientCertPath, r.config.ClientKeyPath, r.config.CACertPath, r.config.TLSServerName)
248254
if err != nil {
249255
return err
250256
}

cmd/run_dotnet.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,9 @@ func (r *Runner) RunDotNetExternal(ctx context.Context, run *cmd.Run) error {
4646
if r.config.ClientCertPath != "" {
4747
args = append(args, "--client-cert-path", r.config.ClientCertPath, "--client-key-path", r.config.ClientKeyPath)
4848
}
49+
if r.config.CACertPath != "" {
50+
args = append(args, "--ca-cert-path", r.config.CACertPath)
51+
}
4952
if r.config.HTTPProxyURL != "" {
5053
args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
5154
}

cmd/run_go.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,9 @@ func (r *Runner) RunGoExternal(ctx context.Context, run *cmd.Run) error {
6565
"--client-key-path", r.config.ClientKeyPath,
6666
"--summary-uri", r.config.SummaryURI,
6767
}
68+
if r.config.CACertPath != "" {
69+
args = append(args, "--ca-cert-path", r.config.CACertPath)
70+
}
6871
if r.config.HTTPProxyURL != "" {
6972
args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
7073
}

cmd/run_java.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,13 @@ func (r *Runner) RunJavaExternal(ctx context.Context, run *cmd.Run) error {
5555
}
5656
args = append(args, "--client-key-path", clientKeyPath)
5757
}
58+
if r.config.CACertPath != "" {
59+
caCertPath, err := filepath.Abs(r.config.CACertPath)
60+
if err != nil {
61+
return err
62+
}
63+
args = append(args, "--ca-cert-path", caCertPath)
64+
}
5865
if r.config.SummaryURI != "" {
5966
args = append(args, "--summary-uri", r.config.SummaryURI)
6067
}

cmd/run_php.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ import (
44
"context"
55
"fmt"
66
"path/filepath"
7+
78
"github.com/temporalio/features/harness/go/cmd"
89
"github.com/temporalio/features/sdkbuild"
910
)
@@ -63,6 +64,13 @@ func (r *Runner) RunPhpExternal(ctx context.Context, run *cmd.Run) error {
6364
}
6465
args = append(args, "tls.key="+clientKeyPath)
6566
}
67+
if r.config.CACertPath != "" {
68+
caCertPath, err := filepath.Abs(r.config.CACertPath)
69+
if err != nil {
70+
return err
71+
}
72+
args = append(args, "tls.ca-cert="+caCertPath)
73+
}
6674
if r.config.TLSServerName != "" {
6775
args = append(args, "tls.server-name="+r.config.TLSServerName)
6876
}

cmd/run_python.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -77,6 +77,13 @@ func (r *Runner) RunPythonExternal(ctx context.Context, run *cmd.Run) error {
7777
}
7878
args = append(args, "--client-key-path", clientKeyPath)
7979
}
80+
if r.config.CACertPath != "" {
81+
caCertPath, err := filepath.Abs(r.config.CACertPath)
82+
if err != nil {
83+
return err
84+
}
85+
args = append(args, "--ca-cert-path", caCertPath)
86+
}
8087
if r.config.HTTPProxyURL != "" {
8188
args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
8289
}

cmd/run_typescript.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,13 @@ func (r *Runner) RunTypeScriptExternal(ctx context.Context, run *cmd.Run) error
7979
}
8080
args = append(args, "--client-key-path", clientKeyPath)
8181
}
82+
if r.config.CACertPath != "" {
83+
caCertPath, err := filepath.Abs(r.config.CACertPath)
84+
if err != nil {
85+
return err
86+
}
87+
args = append(args, "--ca-cert-path", caCertPath)
88+
}
8289
if r.config.HTTPProxyURL != "" {
8390
args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
8491
}

features/client/http_proxy/feature.go

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,7 @@ func (h HTTPProxyTest) Execute(ctx context.Context, r *harness.Runner) (client.W
5252
namespace: r.Namespace,
5353
clientCertPath: r.ClientCertPath,
5454
clientKeyPath: r.ClientKeyPath,
55+
caCertPath: r.CACertPath,
5556
tlsServerName: r.TLSServerName,
5657
taskQueue: r.TaskQueue,
5758
workflowID: "wf-" + uuid.NewString(),
@@ -94,7 +95,7 @@ func SubprocessExecuteWorkflow(ctx context.Context, args *subprocessArgs) error
9495
clientOpts := client.Options{HostPort: fmt.Sprintf("passthrough:///%s", args.server), Namespace: args.namespace}
9596
if args.clientCertPath != "" {
9697
var err error
97-
clientOpts.ConnectionOptions.TLS, err = harness.LoadTLSConfig(args.clientCertPath, args.clientKeyPath, args.tlsServerName)
98+
clientOpts.ConnectionOptions.TLS, err = harness.LoadTLSConfig(args.clientCertPath, args.clientKeyPath, args.caCertPath, args.tlsServerName)
9899
if err != nil {
99100
return fmt.Errorf("failed loading TLS config: %w", err)
100101
}
@@ -139,6 +140,7 @@ type subprocessArgs struct {
139140
namespace string
140141
clientCertPath string
141142
clientKeyPath string
143+
caCertPath string
142144
tlsServerName string
143145
taskQueue string
144146
workflowID string
@@ -151,6 +153,7 @@ func (s *subprocessArgs) flags() []cli.Flag {
151153
&cli.StringFlag{Name: "namespace", Destination: &s.namespace, Required: true},
152154
&cli.StringFlag{Name: "client-cert-path", Destination: &s.clientCertPath},
153155
&cli.StringFlag{Name: "client-key-path", Destination: &s.clientKeyPath},
156+
&cli.StringFlag{Name: "ca-cert-path", Destination: &s.caCertPath},
154157
&cli.StringFlag{Name: "tls-server-name", Destination: &s.tlsServerName},
155158
&cli.StringFlag{Name: "task-queue", Destination: &s.taskQueue, Required: true},
156159
&cli.StringFlag{Name: "workflow-id", Destination: &s.workflowID, Required: true},
@@ -167,6 +170,9 @@ func (s *subprocessArgs) args() []string {
167170
if s.clientCertPath != "" {
168171
args = append(args, "--client-cert-path", s.clientCertPath, "--client-key-path", s.clientKeyPath)
169172
}
173+
if s.caCertPath != "" {
174+
args = append(args, "--ca-cert-path", s.caCertPath)
175+
}
170176
if s.tlsServerName != "" {
171177
args = append(args, "--tls-server-name", s.tlsServerName)
172178
}

features/update/self/feature.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ type ConnMaterial struct {
2424
Identity string
2525
ClientCertPath string
2626
ClientKeyPath string
27+
CACertPath string
2728
TLSServerName string
2829
}
2930

@@ -45,6 +46,7 @@ var Feature = harness.Feature{
4546
Identity: runner.Feature.ClientOptions.Identity,
4647
ClientCertPath: runner.ClientCertPath,
4748
ClientKeyPath: runner.ClientKeyPath,
49+
CACertPath: runner.CACertPath,
4850
TLSServerName: runner.TLSServerName,
4951
})
5052
},
@@ -77,7 +79,7 @@ func SelfUpdateWorkflow(ctx workflow.Context, cm ConnMaterial) (string, error) {
7779
}
7880

7981
func SelfUpdateActivity(ctx context.Context, cm ConnMaterial) error {
80-
tlsCfg, err := harness.LoadTLSConfig(cm.ClientCertPath, cm.ClientKeyPath, cm.TLSServerName)
82+
tlsCfg, err := harness.LoadTLSConfig(cm.ClientCertPath, cm.ClientKeyPath, cm.CACertPath, cm.TLSServerName)
8183
if err != nil {
8284
return err
8385
}

harness/dotnet/Temporalio.Features.Harness/App.cs

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,10 @@ public static class App
2727
name: "--client-key-path",
2828
description: "Path to a client key for TLS");
2929

30+
private static readonly Option<FileInfo?> caCertPathOption = new(
31+
name: "--ca-cert-path",
32+
description: "Path to a CA certificate for server verification");
33+
3034
private static readonly Option<string?> httpProxyUrlOption = new(
3135
name: "--http-proxy-url",
3236
description: "HTTP proxy URL");
@@ -64,6 +68,7 @@ private static Command CreateCommand()
6468
cmd.AddOption(namespaceOption);
6569
cmd.AddOption(clientCertPathOption);
6670
cmd.AddOption(clientKeyPathOption);
71+
cmd.AddOption(caCertPathOption);
6772
cmd.AddOption(httpProxyUrlOption);
6873
cmd.AddOption(tlsServerNameOption);
6974
cmd.AddArgument(featuresArgument);
@@ -95,6 +100,10 @@ private static async Task RunCommandAsync(InvocationContext ctx)
95100
ctx.ParseResult.GetValueForOption(clientKeyPathOption)?.FullName ??
96101
throw new ArgumentException("Missing key with cert"))
97102
};
103+
if (ctx.ParseResult.GetValueForOption(caCertPathOption) is { } caCertPath)
104+
{
105+
tlsOptions.ServerRootCACert = File.ReadAllBytes(caCertPath.FullName);
106+
}
98107
if (!string.IsNullOrEmpty(tlsServerName))
99108
{
100109
tlsOptions.Domain = tlsServerName;

0 commit comments

Comments
 (0)