diff --git a/common/authorization/oauthAutorizer_test.go b/common/authorization/oauthAutorizer_test.go
index b4c89ba0ff5..85561602ed5 100644
--- a/common/authorization/oauthAutorizer_test.go
+++ b/common/authorization/oauthAutorizer_test.go
@@ -60,8 +60,8 @@ func (s *oauthSuite) SetupTest() {
 Enable: true,
 JwtCredentials: config.JwtCredentials{
 Algorithm: jwt.RS256.String(),
- PublicKey: "./keytest.pub",
- PrivateKey: "./keytest",
+ PublicKey: "../../config/credentials/keytest.pub",
+ PrivateKey: "../../config/credentials/keytest",
 },
 MaxJwtTTL: 300000001,
 }
diff --git a/common/config/config.go b/common/config/config.go
index 44bd925c869..7f3aca9b54d 100644
--- a/common/config/config.go
+++ b/common/config/config.go
@@ -63,7 +63,7 @@ type (
 // Blobstore is the config for setting up blobstore
 Blobstore Blobstore `yaml:"blobstore"`
 // Authorization is the config for setting up authorization
- Authorization Authorization `yaml:authorization`
+ Authorization Authorization `yaml:"authorization"`
 }
 Authorization struct {
diff --git a/common/authorization/keytest b/config/credentials/keytest
similarity index 100%
rename from common/authorization/keytest
rename to config/credentials/keytest
diff --git a/common/authorization/keytest.pub b/config/credentials/keytest.pub
similarity index 100%
rename from common/authorization/keytest.pub
rename to config/credentials/keytest.pub
diff --git a/config/development_oauth.yaml b/config/development_oauth.yaml
new file mode 100644
index 00000000000..6c35d08d4d6
--- /dev/null
+++ b/config/development_oauth.yaml
@@ -0,0 +1,116 @@
+persistence:
+ defaultStore: cass-default
+ visibilityStore: cass-visibility
+ numHistoryShards: 4
+ datastores:
+ cass-default:
+ nosql:
+ pluginName: "cassandra"
+ hosts: "127.0.0.1"
+ keyspace: "cadence"
+ cass-visibility:
+ nosql:
+ pluginName: "cassandra"
+ hosts: "127.0.0.1"
+ keyspace: "cadence_visibility"
+
+ringpop:
+ name: cadence
+ bootstrapMode: hosts
+ bootstrapHosts: [ "127.0.0.1:7933", "127.0.0.1:7934", "127.0.0.1:7935" ]
+ maxJoinDuration: 30s
+
+services:
+ frontend:
+ rpc:
+ port: 7933
+ grpcPort: 7833
+ bindOnLocalHost: true
+ grpcMaxMsgSize: 33554432
+ metrics:
+ statsd:
+ hostPort: "127.0.0.1:8125"
+ prefix: "cadence"
+ pprof:
+ port: 7936
+
+ matching:
+ rpc:
+ port: 7935
+ grpcPort: 7835
+ bindOnLocalHost: true
+ grpcMaxMsgSize: 33554432
+ metrics:
+ statsd:
+ hostPort: "127.0.0.1:8125"
+ prefix: "cadence"
+ pprof:
+ port: 7938
+
+ history:
+ rpc:
+ port: 7934
+ grpcPort: 7834
+ bindOnLocalHost: true
+ grpcMaxMsgSize: 33554432
+ metrics:
+ statsd:
+ hostPort: "127.0.0.1:8125"
+ prefix: "cadence"
+ pprof:
+ port: 7937
+
+ worker:
+ rpc:
+ port: 7939
+ bindOnLocalHost: true
+ metrics:
+ statsd:
+ hostPort: "127.0.0.1:8125"
+ prefix: "cadence"
+ pprof:
+ port: 7940
+
+clusterMetadata:
+ enableGlobalDomain: true
+ failoverVersionIncrement: 10
+ masterClusterName: "active"
+ currentClusterName: "active"
+ clusterInformation:
+ active:
+ enabled: true
+ initialFailoverVersion: 0
+ rpcName: "cadence-frontend"
+ rpcAddress: "localhost:7933"
+
+dcRedirectionPolicy:
+ policy: "noop"
+ toDC: ""
+
+archival:
+ history:
+ status: "disabled"
+
+ visibility:
+ status: "disabled"
+
+
+publicClient:
+ hostPort: "localhost:7933"
+
+dynamicConfigClient:
+ filepath: "config/dynamicconfig/development_oauth.yaml"
+ pollInterval: "10s"
+
+blobstore:
+ filestore:
+ outputDirectory: "/tmp/blobstore"
+
+authorization:
+ oauthAuthorizer:
+ enable: true
+ maxJwtTTL: 600000000
+ jwtCredentials:
+ algorithm: "RS256"
+ publicKey: "config/credentials/keytest.pub"
+ privateKey: "config/credentials/keytest"
\ No newline at end of file
diff --git a/config/dynamicconfig/development_oauth.yaml b/config/dynamicconfig/development_oauth.yaml
new file mode 100644
index 00000000000..aa77f1fa9fb
--- /dev/null
+++ b/config/dynamicconfig/development_oauth.yaml
@@ -0,0 +1,22 @@
+frontend.enableClientVersionCheck:
+- value: true
+ constraints: {}
+system.minRetentionDays:
+- value: 0
+ constraints: {}
+history.EnableConsistentQueryByDomain:
+- value: true
+ constraints: {}
+system.enableGRPCOutbound:
+- value: true
+ constraints: {}
+system.enableParentClosePolicyWorker:
+ - value: false
+ constraints: {}
+system.enableWorkflowShadower:
+ - value: false
+ constraints: {}
+system.enableFailoverManager:
+ - value: false
+ constraints: {}
+
diff --git a/service/frontend/accessControlledHandler.go b/service/frontend/accessControlledHandler.go
index 65ff26da650..8c16f6a2016 100644
--- a/service/frontend/accessControlledHandler.go
+++ b/service/frontend/accessControlledHandler.go
@@ -156,7 +156,6 @@ func (a *AccessControlledWorkflowHandler) DescribeWorkflowExecution(
 ctx context.Context,
 request *types.DescribeWorkflowExecutionRequest,
 ) (*types.DescribeWorkflowExecutionResponse, error) {
- scope := a.getMetricsScopeWithDomain(metrics.FrontendDescribeWorkflowExecutionScope, request)
 attr := &authorization.Attributes{
diff --git a/tools/cli/app.go b/tools/cli/app.go
index c7fcab4c60c..8a551821d85 100644
--- a/tools/cli/app.go
+++ b/tools/cli/app.go
@@ -59,6 +59,11 @@ func NewCliApp() *cli.App {
 Usage: "optional timeout for context of RPC call in seconds",
 EnvVar: "CADENCE_CONTEXT_TIMEOUT",
 },
+ cli.StringFlag{
+ Name: FlagJWT,
+ Usage: "optional JWT for authorization",
+ EnvVar: "CADENCE_CLI_JWT",
+ },
 }
 app.Commands = []cli.Command{
 {
diff --git a/tools/cli/factory.go b/tools/cli/factory.go
index 69adacf2b11..b75f27d4876 100644
--- a/tools/cli/factory.go
+++ b/tools/cli/factory.go
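Review bot: The `authorization` block at the end of config/development_oauth.yaml turns the OAuth authorizer on with a signing key pair that this same commit moves into the repository at `config/credentials/keytest`, and nothing in the file says that this is a checked-in test fixture. A header comment would keep the file from being copied as a template, e.g. `# Local development only: the keytest pair under config/credentials is a checked-in test fixture, not a deployment secret.` The value `maxJwtTTL: 600000000` carries no unit, and the test in oauthAutorizer_test.go sets 300000001, so neither makes the unit obvious; a trailing comment naming the unit the authorizer expects would help. The file also ends without a trailing newline.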
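Review bot: In config/dynamicconfig/development_oauth.yaml the list items under the last three keys (`system.enableParentClosePolicyWorker`, `system.enableWorkflowShadower`, `system.enableFailoverManager`) appear to be indented differently from the first four, where `- value:` sits directly under the key; YAML accepts both forms, but one file should use one of them. The blank line that ends the file can be dropped at the same time.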
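Review bot: The new `cli.StringFlag` for FlagJWT in NewCliApp takes a bearer token on the command line, which leaves it visible in shell history and in process listings for the lifetime of the command; the `CADENCE_CLI_JWT` environment variable wired on the same flag is the safer way to supply it. The Usage text should steer users there, e.g. `Usage: "optional JWT for authorization (prefer supplying it via CADENCE_CLI_JWT)",`. NewCliApp continues outside the hunk.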
@@ -44,6 +44,14 @@ const (
 cadenceFrontendService = "cadence-frontend"
 )
+// ContextKey is an alias for string, used as context key
+type ContextKey string
+
+const (
+ // CtxKeyJWT is the name of the context key for the JWT
+ CtxKeyJWT = ContextKey("ctxKeyJWT")
+)
+
 // ClientFactory is used to construct rpc clients
 type ClientFactory interface {
 ClientFrontendClient(c *cli.Context) clientFrontend.Interface
@@ -124,6 +132,11 @@ type versionMiddleware struct {
 func (vm *versionMiddleware) Call(ctx context.Context, request *transport.Request, out transport.UnaryOutbound) (*transport.Response, error) {
 request.Headers = request.Headers.
 With(common.ClientImplHeaderName, cc.CLI).
- With(common.FeatureVersionHeaderName, cc.SupportedCLIVersion)
+ With(common.FeatureVersionHeaderName, cc.SupportedCLIVersion).
+ With(common.AuthorizationTokenHeaderName, ctx.Value(CtxKeyJWT).(string))
 return out.Call(ctx, request)
 }
+
+func getJWT(c *cli.Context) string {
+ return c.GlobalString(FlagJWT)
+}
diff --git a/tools/cli/flags.go b/tools/cli/flags.go
index 8d6d91a29d0..b431fff5203 100644
--- a/tools/cli/flags.go
+++ b/tools/cli/flags.go
@@ -276,6 +276,7 @@ const (
 FlagBucketSize = "bucket_size"
 DelayStartSeconds = "delay_start_seconds"
 FlagConnectionAttributes = "conn_attrs"
+ FlagJWT = "jwt"
 )
 var flagsForExecution = []cli.Flag{
diff --git a/tools/cli/util.go b/tools/cli/util.go
index f798a663a42..0d94f892bb3 100644
--- a/tools/cli/util.go
+++ b/tools/cli/util.go
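Review bot: The comment `// ContextKey is an alias for string, used as context key` is inaccurate: `type ContextKey string` declares a distinct named type, not an alias (an alias would be `type ContextKey = string`), and that distinctness is exactly what keeps the key from colliding with plain-string keys stored in the same context by other packages. Suggest `// ContextKey is a distinct string type for context keys set by this package, so they cannot collide with plain string keys.`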
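Review bot: `ctx.Value(CtxKeyJWT).(string)` in versionMiddleware.Call is an unchecked type assertion: any context that was not built through the new populate path returns nil from Value and the assertion panics on the first outbound call, and when the flag is unset the middleware still attaches an empty AuthorizationTokenHeaderName header to every request. Use the two-value form and only add the header when a token is present: `if jwt, ok := ctx.Value(CtxKeyJWT).(string); ok && jwt != "" { request.Headers = request.Headers.With(common.AuthorizationTokenHeaderName, jwt) }`. A one-line doc comment on getJWT, e.g. `// getJWT returns the token passed via FlagJWT, or "" when none was given.`, would also make the empty-string case explicit at its source.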
@@ -763,12 +763,18 @@ func getCliIdentity() string {
 return fmt.Sprintf("cadence-cli@%s", hostName)
 }
+func populateContextFromCLIContext(ctx context.Context, cliCtx *cli.Context) context.Context {
+ ctx = context.WithValue(ctx, CtxKeyJWT, getJWT(cliCtx))
+ return ctx
+}
+
 func newContext(c *cli.Context) (context.Context, context.CancelFunc) {
 contextTimeout := defaultContextTimeout
 if c.GlobalInt(FlagContextTimeout) > 0 {
 contextTimeout = time.Duration(c.GlobalInt(FlagContextTimeout)) * time.Second
 }
- return context.WithTimeout(context.Background(), contextTimeout)
+ ctx := populateContextFromCLIContext(context.Background(), c)
+ return context.WithTimeout(ctx, contextTimeout)
 }
 func newContextForLongPoll(c *cli.Context) (context.Context, context.CancelFunc) {
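Review bot: Only newContext is switched to populateContextFromCLIContext; newContextForLongPoll, whose signature closes the hunk, is not touched here, so the contexts it builds carry no CtxKeyJWT value and the factory.go middleware that reads that key will see nil for long-poll calls (assuming its body still mirrors the old `context.WithTimeout(context.Background(), ...)` form, which is outside the hunk). It should go through the same helper. populateContextFromCLIContext itself reduces to `return context.WithValue(ctx, CtxKeyJWT, getJWT(cliCtx))`, and a doc comment such as `// populateContextFromCLIContext copies CLI-supplied request metadata (currently the JWT from FlagJWT) into ctx for the outbound middleware.` would explain why the token travels via the context rather than as an argument.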