Allow overriding origin for core connections (#528)

* Override origin and therefore host/authority header when TLS domain override is set
* Allow overriding origin specifically

Author: Sushisource

.gitignore

@@ -14,3 +14,4 @@ src/protos/*.rs
 /machine_coverage/
 /bindings/
 /core/machine_coverage/
+/.cloud_certs/

client/src/lib.rs

@@ -33,7 +33,7 @@ use crate::{
     workflow_handle::UntypedWorkflowHandle,
 };
 use backoff::{exponential, ExponentialBackoff, SystemClock};
-use http::uri::InvalidUri;
+use http::{uri::InvalidUri, Uri};
 use once_cell::sync::OnceCell;
 use parking_lot::RwLock;
 use std::{
@@ -114,6 +114,14 @@ pub struct ClientOptions {
     /// Retry configuration for the server client. Default is [RetryConfig::default]
     #[builder(default)]
     pub retry_config: RetryConfig,
+
+    /// If set, override the origin used when connecting. May be useful in rare situations where tls
+    /// verification needs to use a different name from what should be set as the `:authority`
+    /// header. If [TlsConfig::domain] is set, and this is not, this will be set to
+    /// `https://<domain>`, effectively making the `:authority` header consistent with the domain
+    /// override.
+    #[builder(default)]
+    pub override_origin: Option<Uri>,
 }
 
 /// Configuration options for TLS
@@ -310,6 +318,11 @@ impl ClientOptions {
     {
         let channel = Channel::from_shared(self.target_url.to_string())?;
         let channel = self.add_tls_to_channel(channel).await?;
+        let channel = if let Some(origin) = self.override_origin.clone() {
+            channel.origin(origin)
+        } else {
+            channel
+        };
         let channel = channel.connect().await?;
         let service = ServiceBuilder::new()
             .layer_fn(|channel| GrpcMetricSvc {
@@ -347,10 +360,7 @@ impl ClientOptions {
 
     /// If TLS is configured, set the appropriate options on the provided channel and return it.
     /// Passes it through if TLS options not set.
-    async fn add_tls_to_channel(
-        &self,
-        channel: Endpoint,
-    ) -> Result<Endpoint, tonic::transport::Error> {
+    async fn add_tls_to_channel(&self, mut channel: Endpoint) -> Result<Endpoint, ClientInitError> {
         if let Some(tls_cfg) = &self.tls_cfg {
             let mut tls = tonic::transport::ClientTlsConfig::new();
 
@@ -361,6 +371,13 @@ impl ClientOptions {
 
             if let Some(domain) = &tls_cfg.domain {
                 tls = tls.domain_name(domain);
+
+                // This song and dance ultimately is just to make sure the `:authority` header ends
+                // up correct on requests while we use TLS. Setting the header directly in our
+                // interceptor doesn't work since seemingly it is overridden at some point by
+                // something lower level.
+                let uri: Uri = format!("https://{}", domain).parse()?;
+                channel = channel.origin(uri);
             }
 
             if let Some(client_opts) = &tls_cfg.client_tls_config {
@@ -369,7 +386,7 @@ impl ClientOptions {
                 tls = tls.identity(client_identity);
             }
 
-            return channel.tls_config(tls);
+            return channel.tls_config(tls).map_err(Into::into);
         }
         Ok(channel)
     }

tests/main.rs

@@ -25,7 +25,7 @@ mod integ_tests {
     use temporal_sdk_core_api::worker::WorkerConfigBuilder;
     use temporal_sdk_core_protos::temporal::api::workflowservice::v1::ListNamespacesRequest;
     use temporal_sdk_core_test_utils::{
-        get_integ_server_options, get_integ_telem_options, NAMESPACE,
+        get_integ_server_options, get_integ_telem_options, init_integ_telem,
     };
     use url::Url;
 
@@ -58,35 +58,23 @@ mod integ_tests {
             .await;
     }
 
-    // TODO: Currently ignored because starting up the docker image with TLS requires some hoop
-    //  jumping. We should upgrade CI to be able to do that but this was manually run against
-    //  https://github.com/temporalio/customization-samples/tree/master/tls/tls-simple
+    // Manually run to verify tls works against cloud. You will need certs in place in the
+    // indicated directory.
     #[tokio::test]
     #[ignore]
     async fn tls_test() {
-        // Load certs/keys
-        let root = tokio::fs::read(
-            "/home/sushi/dev/temporal/customization-samples/tls/tls-simple/certs/ca.cert",
-        )
-        .await
-        .unwrap();
-        let client_cert = tokio::fs::read(
-            "/home/sushi/dev/temporal/customization-samples/tls/tls-simple/certs/client.pem",
-        )
-        .await
-        .unwrap();
-        let client_private_key = tokio::fs::read(
-            "/home/sushi/dev/temporal/customization-samples/tls/tls-simple/certs/client.key",
-        )
-        .await
-        .unwrap();
+        init_integ_telem();
+        let root = tokio::fs::read("../.cloud_certs/ca.pem").await.unwrap();
+        let client_cert = tokio::fs::read("../.cloud_certs/client.pem").await.unwrap();
+        let client_private_key = tokio::fs::read("../.cloud_certs/client.key").await.unwrap();
         let sgo = ClientOptionsBuilder::default()
-            .target_url(Url::from_str("https://localhost:7233").unwrap())
+            .target_url(Url::from_str("https://spencer.temporal-dev.tmprl.cloud:7233").unwrap())
             .client_name("tls_tester")
             .client_version("clientver")
             .tls_cfg(TlsConfig {
                 server_root_ca_cert: Some(root),
-                domain: Some("tls-sample".to_string()),
+                // Not necessary, but illustrates functionality for people using proxies, etc.
+                domain: Some("spencer.temporal-dev.tmprl.cloud".to_string()),
                 client_tls_config: Some(ClientTlsConfig {
                     client_cert,
                     client_private_key,
@@ -95,9 +83,12 @@ mod integ_tests {
             .build()
             .unwrap();
         let con = sgo
-            .connect(NAMESPACE.to_string(), None, None)
+            .connect("spencer.temporal-dev".to_string(), None, None)
             .await
             .unwrap();
-        con.list_namespaces().await.unwrap();
+        dbg!(con
+            .list_workflow_executions(100, vec![], "".to_string())
+            .await
+            .unwrap());
     }
 }