diff --git a/temporalio/lib/temporalio/client.rb b/temporalio/lib/temporalio/client.rb
index b60f3c6e..54694233 100644
--- a/temporalio/lib/temporalio/client.rb
+++ b/temporalio/lib/temporalio/client.rb
@@ -99,7 +99,7 @@ def self.connect(
target_host,
namespace,
api_key: nil,
- tls: false,
+ tls: nil,
data_converter: Converters::DataConverter.default,
interceptors: [],
logger: Logger.new($stdout, level: Logger::WARN),
diff --git a/temporalio/lib/temporalio/client/connection.rb b/temporalio/lib/temporalio/client/connection.rb
index 2199e52e..21bb8e59 100644
--- a/temporalio/lib/temporalio/client/connection.rb
+++ b/temporalio/lib/temporalio/client/connection.rb
@@ -154,8 +154,9 @@ class HTTPConnectProxyOptions; end # rubocop:disable Lint/EmptyClass
# +localhost:7233+.
# @param api_key [String, nil] API key for Temporal. This becomes the +Authorization+ HTTP header with +"Bearer "+
# prepended. This is only set if RPC metadata doesn't already have an +authorization+ key.
- # @param tls [Boolean, TLSOptions] If false, do not use TLS. If true, use system default TLS options. If TLS
- # options are present, those TLS options will be used.
+ # @param tls [Boolean, TLSOptions, nil] If false, do not use TLS. If true, use system default TLS options. If TLS
+ # options are present, those TLS options will be used. If nil (the default), TLS will be auto-enabled if
+ # api_key is provided.
# @param rpc_metadata [Hash] Headers to use for all calls to the server. Keys here can be
# overriden by per-call RPC metadata keys.
# @param rpc_retry [RPCRetryOptions] Retry options for direct service calls (when opted in) or all high-level
@@ -173,7 +174,7 @@ class HTTPConnectProxyOptions; end # rubocop:disable Lint/EmptyClass
def initialize(
target_host:,
api_key: nil,
- tls: false,
+ tls: nil,
rpc_metadata: {},
rpc_retry: RPCRetryOptions.new,
identity: "#{Process.pid}@#{Socket.gethostname}",
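Review bot: The default for `tls` on `Client.connect` changes to nil here, but the YARD `@param tls` text for `connect` sits above line 99 and is outside this hunk, so I cannot confirm it was updated; if it still reads `[Boolean, TLSOptions] If false, do not use TLS...` it now contradicts the signature. It should carry the same wording the Connection docs get in this commit, e.g. `# @param tls [Boolean, TLSOptions, nil] ... If nil (the default), TLS is auto-enabled when api_key is provided.` I am assuming connect forwards `tls` to `Connection.new` unchanged, which this hunk does not show.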
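Review bot: The new `@param tls` text explains the nil default but stays silent on the combination the option still permits: an explicit `tls: false` together with `api_key` sends the bearer `Authorization` header over a plaintext connection, and nothing in this commit warns about it. Since the api_key paragraph two lines up already says how the key becomes that header, one sentence there would close the gap: `# Passing +tls: false+ together with +api_key+ sends the bearer token in cleartext; only do this against a local dev server.` The auto-enable also keys off api_key alone, so a token supplied via +rpc_metadata['authorization']+ (the case the api_key doc explicitly defers to) is not covered by the nil default, and that caveat belongs in the same paragraph. The "overriden" typo in the rpc_metadata context line is pre-existing but could be fixed while touching this block.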
@@ -285,13 +286,17 @@ def new_core_client
),
identity: @options.identity || "#{Process.pid}@#{Socket.gethostname}"
)
- if @options.tls
- options.tls = if @options.tls.is_a?(TLSOptions)
+ # Auto-enable TLS when API key is provided and tls not explicitly set
+ tls = @options.tls
+ tls = true if tls.nil? && @options.api_key
+
+ if tls
+ options.tls = if tls.is_a?(TLSOptions)
Internal::Bridge::Client::TLSOptions.new(
- client_cert: @options.tls.client_cert, # steep:ignore
- client_private_key: @options.tls.client_private_key, # steep:ignore
- server_root_ca_cert: @options.tls.server_root_ca_cert, # steep:ignore
- domain: @options.tls.domain # steep:ignore
+ client_cert: tls.client_cert, # steep:ignore
+ client_private_key: tls.client_private_key, # steep:ignore
+ server_root_ca_cert: tls.server_root_ca_cert, # steep:ignore
+ domain: tls.domain # steep:ignore
)
else
Internal::Bridge::Client::TLSOptions.new
diff --git a/temporalio/sig/temporalio/client.rbs b/temporalio/sig/temporalio/client.rbs
index 84a63d42..e40e9892 100644
--- a/temporalio/sig/temporalio/client.rbs
+++ b/temporalio/sig/temporalio/client.rbs
@@ -36,7 +36,7 @@ module Temporalio
String target_host,
String namespace,
?api_key: String?,
- ?tls: bool | Connection::TLSOptions,
+ ?tls: bool | Connection::TLSOptions | nil,
?data_converter: Converters::DataConverter,
?interceptors: Array[Interceptor],
?logger: Logger,
diff --git a/temporalio/sig/temporalio/client/connection.rbs b/temporalio/sig/temporalio/client/connection.rbs
index 0c00d06e..1c43016a 100644
--- a/temporalio/sig/temporalio/client/connection.rbs
+++ b/temporalio/sig/temporalio/client/connection.rbs
@@ -4,7 +4,7 @@ module Temporalio
class Options
attr_reader target_host: String
attr_reader api_key: String?
- attr_reader tls: bool | Connection::TLSOptions
+ attr_reader tls: bool | Connection::TLSOptions | nil
attr_reader rpc_metadata: Hash[String, String]
attr_reader rpc_retry: RPCRetryOptions
attr_reader identity: String
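Review bot: The auto-enable on the added line `tls = true if tls.nil? && @options.api_key` keys only off api_key, so a bearer token supplied through `rpc_metadata['authorization']` — the path the api_key docs explicitly defer to — still leaves on a plaintext connection when tls is nil. If the goal is "never send a credential without TLS by default", widen the condition to `tls = true if tls.nil? && (@options.api_key || @options.rpc_metadata.key?('authorization'))`; whether metadata keys are lower-cased elsewhere is not visible here, so that lookup may need to be case-insensitive. An empty-string api_key is truthy in Ruby and will also switch TLS on, which is harmless but worth stating in the comment above the check. An explicit `tls: false` alongside api_key is still accepted silently; a warning (if Connection has a logger, which this hunk does not show) or at least a doc caveat would catch the most likely credential-leak misconfiguration. new_core_client starts before this hunk and its body continues after it.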
@@ -16,7 +16,7 @@ module Temporalio
def initialize: (
target_host: String,
api_key: String?,
- tls: bool | Connection::TLSOptions,
+ tls: bool | Connection::TLSOptions | nil,
rpc_metadata: Hash[String, String],
rpc_retry: RPCRetryOptions,
identity: String,
@@ -98,7 +98,7 @@ module Temporalio
def initialize: (
target_host: String,
?api_key: String?,
- ?tls: bool | Connection::TLSOptions,
+ ?tls: bool | Connection::TLSOptions | nil,
?rpc_metadata: Hash[String, String],
?rpc_retry: RPCRetryOptions,
?identity: String,
diff --git a/temporalio/test/client_cloud_test.rb b/temporalio/test/client_cloud_test.rb
index 264661ec..067cd6f4 100644
--- a/temporalio/test/client_cloud_test.rb
+++ b/temporalio/test/client_cloud_test.rb
@@ -28,6 +28,8 @@ def test_mtls
end
def test_api_key
+ # This test validates the auto-TLS feature: TLS is auto-enabled when api_key is provided
+ # and tls is not explicitly set.
api_key = ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_API_KEY', '')
skip('No cloud API key') if api_key.empty?
@@ -35,7 +37,6 @@ def test_api_key
ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_TARGET_HOST'),
ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_NAMESPACE'),
api_key:,
- tls: true,
rpc_metadata: { 'temporal-namespace' => ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_NAMESPACE') }
)
# Run workflow
@@ -52,14 +53,14 @@ def test_api_key
end
def test_cloud_ops
+ # This test also validates auto-TLS: TLS is auto-enabled when api_key is provided.
api_key = ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_API_KEY', '')
skip('No cloud API key') if api_key.empty?
- # Create connection
+ # Create connection (tls not set, auto-enabled due to api_key)
conn = Temporalio::Client::Connection.new(
target_host: ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_TARGET_HOST'),
api_key:,
- tls: true,
rpc_metadata: { 'temporal-cloud-api-version' => ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_API_VERSION') }
)
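Review bot: Removing `tls: true` from this `connect` call means the new auto-enable path is exercised only when the TEMPORAL_CLOUD_API_KEY_TEST_* variables are set, and the `skip` a few lines up turns the test into a no-op everywhere else, so a normal CI run never checks the new logic in Connection#new_core_client. A credential-free unit test would pin it: build `Temporalio::Client::Connection.new(target_host: 'localhost:7233', api_key: 'x')` and assert TLS is resolved on, plus the negative cases (no api_key → no TLS; explicit `tls: false` with api_key → no TLS), assuming the resolved bridge options are inspectable without connecting, which this hunk does not show. The enclosing test_api_key method starts before this hunk and continues after it.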