CLI sending authorized request (#4327)

cadence-workflow · Jul 26, 2021 · 0085b7a · 0085b7a
1 parent bec009a
commit 0085b7a
Show file tree

Hide file tree

Showing 11 changed files with 168 additions and 6 deletions.
diff --git a/common/authorization/oauthAutorizer_test.go b/common/authorization/oauthAutorizer_test.go
@@ -60,8 +60,8 @@ func (s *oauthSuite) SetupTest() {
 		Enable: true,
 		JwtCredentials: config.JwtCredentials{
 			Algorithm:  jwt.RS256.String(),
-			PublicKey:  "./keytest.pub",
-			PrivateKey: "./keytest",
+			PublicKey:  "../../config/credentials/keytest.pub",
+			PrivateKey: "../../config/credentials/keytest",
 		},
 		MaxJwtTTL: 300000001,
 	}

diff --git a/common/config/config.go b/common/config/config.go
@@ -63,7 +63,7 @@ type (
 		// Blobstore is the config for setting up blobstore
 		Blobstore Blobstore `yaml:"blobstore"`
 		// Authorization is the config for setting up authorization
-		Authorization Authorization `yaml:authorization`
+		Authorization Authorization `yaml:"authorization"`
 	}
 
 	Authorization struct {

diff --git a/common/authorization/keytest → config/credentials/keytest b/common/authorization/keytest → config/credentials/keytest
diff --git a/common/authorization/keytest.pub → config/credentials/keytest.pub b/common/authorization/keytest.pub → config/credentials/keytest.pub
diff --git a/config/development_oauth.yaml b/config/development_oauth.yaml
@@ -0,0 +1,116 @@
+persistence:
+  defaultStore: cass-default
+  visibilityStore: cass-visibility
+  numHistoryShards: 4
+  datastores:
+    cass-default:
+      nosql:
+        pluginName: "cassandra"
+        hosts: "127.0.0.1"
+        keyspace: "cadence"
+    cass-visibility:
+      nosql:
+        pluginName: "cassandra"
+        hosts: "127.0.0.1"
+        keyspace: "cadence_visibility"
+
+ringpop:
+  name: cadence
+  bootstrapMode: hosts
+  bootstrapHosts: [ "127.0.0.1:7933", "127.0.0.1:7934", "127.0.0.1:7935" ]
+  maxJoinDuration: 30s
+
+services:
+  frontend:
+    rpc:
+      port: 7933
+      grpcPort: 7833
+      bindOnLocalHost: true
+      grpcMaxMsgSize: 33554432
+    metrics:
+      statsd:
+        hostPort: "127.0.0.1:8125"
+        prefix: "cadence"
+    pprof:
+      port: 7936
+
+  matching:
+    rpc:
+      port: 7935
+      grpcPort: 7835
+      bindOnLocalHost: true
+      grpcMaxMsgSize: 33554432
+    metrics:
+      statsd:
+        hostPort: "127.0.0.1:8125"
+        prefix: "cadence"
+    pprof:
+      port: 7938
+
+  history:
+    rpc:
+      port: 7934
+      grpcPort: 7834
+      bindOnLocalHost: true
+      grpcMaxMsgSize: 33554432
+    metrics:
+      statsd:
+        hostPort: "127.0.0.1:8125"
+        prefix: "cadence"
+    pprof:
+      port: 7937
+
+  worker:
+    rpc:
+      port: 7939
+      bindOnLocalHost: true
+    metrics:
+      statsd:
+        hostPort: "127.0.0.1:8125"
+        prefix: "cadence"
+    pprof:
+      port: 7940
+
+clusterMetadata:
+  enableGlobalDomain: true
+  failoverVersionIncrement: 10
+  masterClusterName: "active"
+  currentClusterName: "active"
+  clusterInformation:
+    active:
+      enabled: true
+      initialFailoverVersion: 0
+      rpcName: "cadence-frontend"
+      rpcAddress: "localhost:7933"
+
+dcRedirectionPolicy:
+  policy: "noop"
+  toDC: ""
+
+archival:
+  history:
+    status: "disabled"
+
+  visibility:
+    status: "disabled"
+
+
+publicClient:
+  hostPort: "localhost:7933"
+
+dynamicConfigClient:
+  filepath: "config/dynamicconfig/development_oauth.yaml"
+  pollInterval: "10s"
+
+blobstore:
+  filestore:
+    outputDirectory: "/tmp/blobstore"
+
+authorization:
+  oauthAuthorizer:
+    enable: true
+    maxJwtTTL: 600000000
+    jwtCredentials:
+      algorithm: "RS256"
+      publicKey: "config/credentials/keytest.pub"
+      privateKey: "config/credentials/keytest"
diff --git a/config/dynamicconfig/development_oauth.yaml b/config/dynamicconfig/development_oauth.yaml
@@ -0,0 +1,22 @@
+frontend.enableClientVersionCheck:
+- value: true
+  constraints: {}
+system.minRetentionDays:
+- value: 0
+  constraints: {}
+history.EnableConsistentQueryByDomain:
+- value: true
+  constraints: {}
+system.enableGRPCOutbound:
+- value: true
+  constraints: {}
+system.enableParentClosePolicyWorker:
+  - value: false
+    constraints: {}
+system.enableWorkflowShadower:
+  - value: false
+    constraints: {}
+system.enableFailoverManager:
+  - value: false
+    constraints: {}
+
diff --git a/service/frontend/accessControlledHandler.go b/service/frontend/accessControlledHandler.go
@@ -156,7 +156,6 @@ func (a *AccessControlledWorkflowHandler) DescribeWorkflowExecution(
 	ctx context.Context,
 	request *types.DescribeWorkflowExecutionRequest,
 ) (*types.DescribeWorkflowExecutionResponse, error) {
-
 	scope := a.getMetricsScopeWithDomain(metrics.FrontendDescribeWorkflowExecutionScope, request)
 
 	attr := &authorization.Attributes{

diff --git a/tools/cli/app.go b/tools/cli/app.go
@@ -59,6 +59,11 @@ func NewCliApp() *cli.App {
 			Usage:  "optional timeout for context of RPC call in seconds",
 			EnvVar: "CADENCE_CONTEXT_TIMEOUT",
 		},
+		cli.StringFlag{
+			Name:   FlagJWT,
+			Usage:  "optional JWT for authorization",
+			EnvVar: "CADENCE_CLI_JWT",
+		},
 	}
 	app.Commands = []cli.Command{
 		{

diff --git a/tools/cli/factory.go b/tools/cli/factory.go
@@ -44,6 +44,14 @@ const (
 	cadenceFrontendService = "cadence-frontend"
 )
 
+// ContextKey is an alias for string, used as context key
+type ContextKey string
+
+const (
+	// CtxKeyJWT is the name of the context key for the JWT
+	CtxKeyJWT = ContextKey("ctxKeyJWT")
+)
+
 // ClientFactory is used to construct rpc clients
 type ClientFactory interface {
 	ClientFrontendClient(c *cli.Context) clientFrontend.Interface
@@ -124,6 +132,11 @@ type versionMiddleware struct {
 func (vm *versionMiddleware) Call(ctx context.Context, request *transport.Request, out transport.UnaryOutbound) (*transport.Response, error) {
 	request.Headers = request.Headers.
 		With(common.ClientImplHeaderName, cc.CLI).
-		With(common.FeatureVersionHeaderName, cc.SupportedCLIVersion)
+		With(common.FeatureVersionHeaderName, cc.SupportedCLIVersion).
+		With(common.AuthorizationTokenHeaderName, ctx.Value(CtxKeyJWT).(string))
 	return out.Call(ctx, request)
 }
+
+func getJWT(c *cli.Context) string {
+	return c.GlobalString(FlagJWT)
+}
diff --git a/tools/cli/flags.go b/tools/cli/flags.go
@@ -276,6 +276,7 @@ const (
 	FlagBucketSize                        = "bucket_size"
 	DelayStartSeconds                     = "delay_start_seconds"
 	FlagConnectionAttributes              = "conn_attrs"
+	FlagJWT                               = "jwt"
 )
 
 var flagsForExecution = []cli.Flag{

diff --git a/tools/cli/util.go b/tools/cli/util.go
@@ -763,12 +763,18 @@ func getCliIdentity() string {
 	return fmt.Sprintf("cadence-cli@%s", hostName)
 }
 
+func populateContextFromCLIContext(ctx context.Context, cliCtx *cli.Context) context.Context {
+	ctx = context.WithValue(ctx, CtxKeyJWT, getJWT(cliCtx))
+	return ctx
+}
+
 func newContext(c *cli.Context) (context.Context, context.CancelFunc) {
 	contextTimeout := defaultContextTimeout
 	if c.GlobalInt(FlagContextTimeout) > 0 {
 		contextTimeout = time.Duration(c.GlobalInt(FlagContextTimeout)) * time.Second
 	}
-	return context.WithTimeout(context.Background(), contextTimeout)
+	ctx := populateContextFromCLIContext(context.Background(), c)
+	return context.WithTimeout(ctx, contextTimeout)
 }
 
 func newContextForLongPoll(c *cli.Context) (context.Context, context.CancelFunc) {