cadence-workflow · longquanzheng · Aug 30, 2021 · Aug 14, 2021 · Aug 14, 2021 · Aug 17, 2021
@@ -25,12 +25,14 @@ package client
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 
+	clientworker "go.uber.org/cadence/worker"
 	"go.uber.org/yarpc"
 	"go.uber.org/yarpc/api/peer"
 	"go.uber.org/yarpc/api/transport"
@@ -41,6 +43,7 @@ import (
 	"github.com/uber/cadence/client/frontend"
 	"github.com/uber/cadence/client/history"
 	"github.com/uber/cadence/client/matching"
+	"github.com/uber/cadence/common"
 	"github.com/uber/cadence/common/cluster"
 	"github.com/uber/cadence/common/log"
 	"github.com/uber/cadence/common/log/tag"
@@ -65,9 +68,13 @@ type (
 		SetRemoteFrontendClient(cluster string, client frontend.Client)
 	}
 
-	// DispatcherProvider provides a diapatcher to a given address
+	DispatcherOptions struct {
+		AuthProvider *clientworker.AuthorizationProvider
+	}
+
+	// DispatcherProvider provides a dispatcher to a given address
 	DispatcherProvider interface {
-		Get(name string, address string) (*yarpc.Dispatcher, error)
+		Get(name string, address string, options *DispatcherOptions) (*yarpc.Dispatcher, error)
 	}
 
 	clientBeanImpl struct {
@@ -116,8 +123,18 @@ func NewClientBean(factory Factory, dispatcherProvider DispatcherProvider, clust
 		if !info.Enabled {
 			continue
 		}
+		var authProvider clientworker.AuthorizationProvider
+		if info.AuthorizationProvider.Enable {
+			privateKey, err := ioutil.ReadFile(info.AuthorizationProvider.PrivateKey)
+			if err != nil {
+				return nil, fmt.Errorf("invalid private key path %s", info.AuthorizationProvider.PrivateKey)
+			}
+			authProvider = clientworker.NewJwtAuthorizationProvider(privateKey)
+		}
 
-		dispatcher, err := dispatcherProvider.Get(info.RPCName, info.RPCAddress)
+		dispatcher, err := dispatcherProvider.Get(info.RPCName, info.RPCAddress, &DispatcherOptions{
+			AuthProvider: &authProvider,
+		})
 		if err != nil {
 			return nil, err
 		}
@@ -256,7 +273,7 @@ func NewDNSYarpcDispatcherProvider(logger log.Logger, interval time.Duration) Di
 	}
 }
 
-func (p *dnsDispatcherProvider) Get(serviceName string, address string) (*yarpc.Dispatcher, error) {
+func (p *dnsDispatcherProvider) Get(serviceName string, address string, options *DispatcherOptions) (*yarpc.Dispatcher, error) {
 	tchanTransport, err := tchannel.NewTransport(
 		tchannel.ServiceName(serviceName),
 		// this aim to get rid of the annoying popup about accepting incoming network connections
@@ -285,6 +302,9 @@ func (p *dnsDispatcherProvider) Get(serviceName string, address string) (*yarpc.
 				ServiceName: serviceName,
 			},
 		},
+		OutboundMiddleware: yarpc.OutboundMiddleware{
+			Unary: &outboundMiddleware{authProvider: options.AuthProvider},
+		},
 	})
 
 	if err := dispatcher.Start(); err != nil {
@@ -293,6 +313,22 @@ func (p *dnsDispatcherProvider) Get(serviceName string, address string) (*yarpc.
 	return dispatcher, nil
 }
 
+type outboundMiddleware struct {
+	authProvider *clientworker.AuthorizationProvider
+}
+
+func (om *outboundMiddleware) Call(ctx context.Context, request *transport.Request, out transport.UnaryOutbound) (*transport.Response, error) {
+	if om.authProvider != nil {
+		token, err := (*om.authProvider).GetAuthToken()
+		if err != nil {
+			return nil, err
+		}
+		request.Headers = request.Headers.
+			With(common.AuthorizationTokenHeaderName, string(token))
+	}
+	return out.Call(ctx, request)
+}
+
 func newDNSUpdater(list peer.List, dnsPort string, interval time.Duration, logger log.Logger) (*dnsUpdater, error) {
 	ss := strings.Split(dnsPort, ":")
 	if len(ss) != 2 {

@@ -21,10 +21,12 @@
 package cadence
 
 import (
+	"io/ioutil"
 	"log"
 	"time"
 
 	"go.uber.org/cadence/.gen/go/cadence/workflowserviceclient"
+	clientworker "go.uber.org/cadence/worker"
 
 	"github.com/uber/cadence/client"
 	"github.com/uber/cadence/common"
@@ -220,7 +222,16 @@ func (s *server) startService() common.Daemon {
 		}
 	}
 
-	dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, s.cfg.PublicClient.HostPort)
+	// will return empty array if not enabled
+	var authProvider clientworker.AuthorizationProvider
+	if s.cfg.Authorization.OAuthAuthorizer.Enable {
+		privateKey, err := ioutil.ReadFile(s.cfg.Authorization.OAuthAuthorizer.JwtCredentials.PrivateKey)
+		if err != nil {
+			log.Fatalf("invalid private key path %s", s.cfg.Authorization.OAuthAuthorizer.JwtCredentials.PrivateKey)
+		}
+		authProvider = clientworker.NewJwtAuthorizationProvider(privateKey)
+	}
+	dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, s.cfg.PublicClient.HostPort, &client.DispatcherOptions{AuthProvider: &authProvider})
 	if err != nil {
 		log.Fatalf("failed to construct dispatcher: %v", err)
 	}

@@ -78,6 +78,10 @@ func (a *oauthAuthority) Authorize(
 		return Result{Decision: DecisionDeny}, err
 	}
 	token := call.Header(common.AuthorizationTokenHeaderName)
+	if token == "" {
+		a.log.Debug("request is not authorized", tag.Error(fmt.Errorf("token is not set in header")))
+		return Result{Decision: DecisionDeny}, nil
+	}
 	claims, err := a.parseToken(token, verifier)
 	if err != nil {
 		a.log.Debug("request is not authorized", tag.Error(err))

@@ -139,6 +139,21 @@ func (s *oauthSuite) TestItIsAdmin() {
 	s.Equal(result.Decision, DecisionAllow)
 }
 
+func (s *oauthSuite) TestEmptyToken() {
+	ctx := context.Background()
+	ctx, call := encoding.NewInboundCall(ctx)
+	err := call.ReadFromRequest(&transport.Request{
+		Headers: transport.NewHeaders().With(common.AuthorizationTokenHeaderName, ""),
+	})
+	s.NoError(err)
+	authorizer := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
+	s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool {
+		return fmt.Sprintf("%v", t[0].Field().Interface) == "token is not set in header"
+	}))
+	result, _ := authorizer.Authorize(ctx, &s.att)
+	s.Equal(result.Decision, DecisionDeny)
+}
+
 func (s *oauthSuite) TestGetDomainError() {
 	s.domainCache.EXPECT().GetDomain(s.att.DomainName).Return(nil, fmt.Errorf("error")).Times(1)
 	authorizer := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)

@@ -321,6 +321,15 @@ type (
 		RPCName string `yaml:"rpcName"`
 		// Address indicate the remote service address(Host:Port). Host can be DNS name.
 		RPCAddress string `yaml:"rpcAddress"`
+		// AuthorizationProvider contains the information to authorize the cluster
+		AuthorizationProvider struct {
+			// Enable indicates if the auth provider is enabled
+			Enable bool `yaml:"enable"`
+			// Type auth provider type
+			Type string `yaml:"type"` // only supports OAuthAuthorization
+			// PrivateKey is the private key path
+			PrivateKey string `yaml:"privateKey"`
+		}
 	}
 
 	// DCRedirectionPolicy contains the frontend datacenter redirection policy

@@ -110,7 +110,7 @@ publicClient:
 dynamicconfig:
   client: filebased
   filebased:
-    filepath: "config/dynamicconfig/development_oauth.yaml"
+    filepath: "config/dynamicconfig/development.yaml"
 
 blobstore:
   filestore:

@@ -13,7 +13,7 @@ require (
 	github.com/benbjohnson/clock v0.0.0-20161215174838-7dc76406b6d3 // indirect
 	github.com/cactus/go-statsd-client/statsd v0.0.0-20191106001114-12b4e2b38748
 	github.com/cch123/elasticsql v0.0.0-20190321073543-a1a440758eb9
-	github.com/cristalhq/jwt/v3 v3.0.14
+	github.com/cristalhq/jwt/v3 v3.1.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13
 	github.com/dmarkham/enumer v1.5.1
@@ -22,7 +22,7 @@ require (
 	github.com/fatih/color v1.10.0
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/gocql/gocql v0.0.0-20191126110522-1982a06ad6b9
-	github.com/gogo/protobuf v1.3.1
+	github.com/gogo/protobuf v1.3.2
 	github.com/golang/mock v1.4.4
 	github.com/golang/protobuf v1.4.3 // indirect
 	github.com/google/go-cmp v0.5.4 // indirect
@@ -60,12 +60,12 @@ require (
 	github.com/xwb1989/sqlparser v0.0.0-20180606152119-120387863bf2
 	go.opencensus.io v0.22.5 // indirect
 	go.uber.org/atomic v1.7.0
-	go.uber.org/cadence v0.17.1-0.20210609205819-61495d91ff9d
+	go.uber.org/cadence v0.17.1-0.20210806184645-7c70757e7c7f
 	go.uber.org/config v1.4.0
-	go.uber.org/fx v1.10.0
+	go.uber.org/fx v1.13.1
 	go.uber.org/multierr v1.6.0
 	go.uber.org/thriftrw v1.25.0
-	go.uber.org/yarpc v1.53.2
+	go.uber.org/yarpc v1.55.0
 	go.uber.org/zap v1.13.0
 	golang.org/x/net v0.0.0-20201031054903-ff519b6c9102
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
@@ -91,3 +91,5 @@ replace github.com/apache/thrift => github.com/apache/thrift v0.0.0-201612212036
 
 // until new version is released we need to pick up https://github.com/yarpc/yarpc-go/pull/2047
 replace go.uber.org/yarpc => go.uber.org/yarpc v1.52.1-0.20210303193224-b2caa40d56b6
+
+replace go.uber.org/cadence v0.17.1-0.20210806184645-7c70757e7c7f => /home/rv/go/src/go.uber.org/cadence
@@ -83,8 +83,8 @@ github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cristalhq/jwt/v3 v3.0.14 h1:u/QujUAmvKZbvSKEgHc5vQznGIJ/sUYW0cWQYuxNcVs=
-github.com/cristalhq/jwt/v3 v3.0.14/go.mod h1:XOnIXst8ozq/esy5N1XOlSyQqBd+84fxJ99FK+1jgL8=
+github.com/cristalhq/jwt/v3 v3.1.0 h1:iLeL9VzB0SCtjCy9Kg53rMwTcrNm+GHyVcz2eUujz6s=
+github.com/cristalhq/jwt/v3 v3.1.0/go.mod h1:XOnIXst8ozq/esy5N1XOlSyQqBd+84fxJ99FK+1jgL8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -137,8 +137,9 @@ github.com/gogo/googleapis v1.3.2 h1:kX1es4djPJrsDhY7aZKJy7aZasdcB5oSOEphMjSB53c
 github.com/gogo/googleapis v1.3.2/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA=
 github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
@@ -230,8 +231,9 @@ github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfE
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/kisielk/errcheck v1.2.0 h1:reN85Pxc5larApoH1keMBiu2GWtPqXQ1nc9gx+jOU+E=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
@@ -413,14 +415,16 @@ go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/cadence v0.17.1-0.20210609205819-61495d91ff9d h1:y7vc87iC3d+1hLUAe5LhmW5nsOe9CyW/WqsQ5volgo0=
-go.uber.org/cadence v0.17.1-0.20210609205819-61495d91ff9d/go.mod h1:WNw63zcxMVCzEUU6cFOFuMh9s//jbc57kr2IfH1cyfs=
+go.uber.org/cadence v0.17.1-0.20210806184645-7c70757e7c7f h1:A8R/NsyX9nHkvFB62MXQsGY6k+ClQpwWvpcUKwpdtpQ=
+go.uber.org/cadence v0.17.1-0.20210806184645-7c70757e7c7f/go.mod h1:sGTCtpVbS/CSJtiEwi/a2dhhUvJ7hCloBUyVA7LzkZg=
 go.uber.org/config v1.4.0 h1:upnMPpMm6WlbZtXoasNkK4f0FhxwS+W4Iqz5oNznehQ=
 go.uber.org/config v1.4.0/go.mod h1:aCyrMHmUAc/s2h9sv1koP84M9ZF/4K+g2oleyESO/Ig=
-go.uber.org/dig v1.8.0 h1:1rR6hnL/bu1EVcjnRDN5kx1vbIjEJDTGhSQ2B3ddpcI=
 go.uber.org/dig v1.8.0/go.mod h1:X34SnWGr8Fyla9zQNO2GSO2D+TIuqB14OS8JhYocIyw=
-go.uber.org/fx v1.10.0 h1:S2K/H8oNied0Je/mLKdWzEWKZfv9jtxSDm8CnwK+5Fg=
+go.uber.org/dig v1.10.0 h1:yLmDDj9/zuDjv3gz8GQGviXMs9TfysIUMUilCpgzUJY=
+go.uber.org/dig v1.10.0/go.mod h1:X34SnWGr8Fyla9zQNO2GSO2D+TIuqB14OS8JhYocIyw=
 go.uber.org/fx v1.10.0/go.mod h1:vLRicqpG/qQEzno4SYU86iCwfT95EZza+Eba0ItuxqY=
+go.uber.org/fx v1.13.1 h1:CFNTr1oin5OJ0VCZ8EycL3wzF29Jz2g0xe55RFsf2a4=
+go.uber.org/fx v1.13.1/go.mod h1:bREWhavnedxpJeTq9pQT53BbvwhUv7TcpsOqcH4a+3w=
 go.uber.org/goleak v0.10.0/go.mod h1:VCZuO8V8mFPlL0F5J5GK1rtHV3DrFcQ1R8ryq7FK0aI=
 go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo=
 go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
@@ -616,6 +620,8 @@ golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjs
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200409170454-77362c5149f0/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

@@ -471,7 +471,7 @@ func (c *cadenceImpl) startHistory(
 		integrationClient := newIntegrationConfigClient(dynamicconfig.NewNopClient())
 		c.overrideHistoryDynamicConfig(integrationClient)
 		params.DynamicConfig = integrationClient
-		dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, c.FrontendAddress())
+		dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, c.FrontendAddress(), nil)
 		if err != nil {
 			c.logger.Fatal("Failed to get dispatcher for history", tag.Error(err))
 		}
@@ -590,7 +590,7 @@ func (c *cadenceImpl) startWorker(hosts map[string][]string, startWG *sync.WaitG
 		c.logger.Fatal("Failed to copy persistence config for worker", tag.Error(err))
 	}
 
-	dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, c.FrontendAddress())
+	dispatcher, err := params.DispatcherProvider.Get(common.FrontendServiceName, c.FrontendAddress(), nil)
 	if err != nil {
 		c.logger.Fatal("Failed to get dispatcher for worker", tag.Error(err))
 	}