💥 enable TLS if api key provided (#366)

* enable TLS if api key provided

* fix

* update sig files, push tls/api key check to bridge options construction

* change cloud tests to use api key to enable TLS

Author: THardy98

temporalio/lib/temporalio/client.rb

@@ -99,7 +99,7 @@ def self.connect(
       target_host,
       namespace,
       api_key: nil,
-      tls: false,
+      tls: nil,
       data_converter: Converters::DataConverter.default,
       interceptors: [],
       logger: Logger.new($stdout, level: Logger::WARN),

temporalio/lib/temporalio/client/connection.rb

@@ -154,8 +154,9 @@ class HTTPConnectProxyOptions; end # rubocop:disable Lint/EmptyClass
       #   +localhost:7233+.
       # @param api_key [String, nil] API key for Temporal. This becomes the +Authorization+ HTTP header with +"Bearer "+
       #   prepended. This is only set if RPC metadata doesn't already have an +authorization+ key.
-      # @param tls [Boolean, TLSOptions] If false, do not use TLS. If true, use system default TLS options. If TLS
-      #   options are present, those TLS options will be used.
+      # @param tls [Boolean, TLSOptions, nil] If false, do not use TLS. If true, use system default TLS options. If TLS
+      #   options are present, those TLS options will be used. If nil (the default), TLS will be auto-enabled if
+      #   api_key is provided.
       # @param rpc_metadata [Hash<String, String>] Headers to use for all calls to the server. Keys here can be
       #   overriden by per-call RPC metadata keys.
       # @param rpc_retry [RPCRetryOptions] Retry options for direct service calls (when opted in) or all high-level
@@ -173,7 +174,7 @@ class HTTPConnectProxyOptions; end # rubocop:disable Lint/EmptyClass
       def initialize(
         target_host:,
         api_key: nil,
-        tls: false,
+        tls: nil,
         rpc_metadata: {},
         rpc_retry: RPCRetryOptions.new,
         identity: "#{Process.pid}@#{Socket.gethostname}",
@@ -285,13 +286,17 @@ def new_core_client
           ),
           identity: @options.identity || "#{Process.pid}@#{Socket.gethostname}"
         )
-        if @options.tls
-          options.tls = if @options.tls.is_a?(TLSOptions)
+        # Auto-enable TLS when API key is provided and tls not explicitly set
+        tls = @options.tls
+        tls = true if tls.nil? && @options.api_key
+
+        if tls
+          options.tls = if tls.is_a?(TLSOptions)
                           Internal::Bridge::Client::TLSOptions.new(
-                            client_cert: @options.tls.client_cert, # steep:ignore
-                            client_private_key: @options.tls.client_private_key, # steep:ignore
-                            server_root_ca_cert: @options.tls.server_root_ca_cert, # steep:ignore
-                            domain: @options.tls.domain # steep:ignore
+                            client_cert: tls.client_cert, # steep:ignore
+                            client_private_key: tls.client_private_key, # steep:ignore
+                            server_root_ca_cert: tls.server_root_ca_cert, # steep:ignore
+                            domain: tls.domain # steep:ignore
                           )
                         else
                           Internal::Bridge::Client::TLSOptions.new

temporalio/sig/temporalio/client.rbs

@@ -36,7 +36,7 @@ module Temporalio
       String target_host,
       String namespace,
       ?api_key: String?,
-      ?tls: bool | Connection::TLSOptions,
+      ?tls: bool | Connection::TLSOptions | nil,
       ?data_converter: Converters::DataConverter,
       ?interceptors: Array[Interceptor],
       ?logger: Logger,

temporalio/sig/temporalio/client/connection.rbs

@@ -4,7 +4,7 @@ module Temporalio
       class Options
         attr_reader target_host: String
         attr_reader api_key: String?
-        attr_reader tls: bool | Connection::TLSOptions
+        attr_reader tls: bool | Connection::TLSOptions | nil
         attr_reader rpc_metadata: Hash[String, String]
         attr_reader rpc_retry: RPCRetryOptions
         attr_reader identity: String
@@ -16,7 +16,7 @@ module Temporalio
         def initialize: (
           target_host: String,
           api_key: String?,
-          tls: bool | Connection::TLSOptions,
+          tls: bool | Connection::TLSOptions | nil,
           rpc_metadata: Hash[String, String],
           rpc_retry: RPCRetryOptions,
           identity: String,
@@ -98,7 +98,7 @@ module Temporalio
       def initialize: (
         target_host: String,
         ?api_key: String?,
-        ?tls: bool | Connection::TLSOptions,
+        ?tls: bool | Connection::TLSOptions | nil,
         ?rpc_metadata: Hash[String, String],
         ?rpc_retry: RPCRetryOptions,
         ?identity: String,

temporalio/test/client_cloud_test.rb

@@ -28,14 +28,15 @@ def test_mtls
   end
 
   def test_api_key
+    # This test validates the auto-TLS feature: TLS is auto-enabled when api_key is provided
+    # and tls is not explicitly set.
     api_key = ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_API_KEY', '')
     skip('No cloud API key') if api_key.empty?
 
     client = Temporalio::Client.connect(
       ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_TARGET_HOST'),
       ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_NAMESPACE'),
       api_key:,
-      tls: true,
       rpc_metadata: { 'temporal-namespace' => ENV.fetch('TEMPORAL_CLOUD_API_KEY_TEST_NAMESPACE') }
     )
     # Run workflow
@@ -52,14 +53,14 @@ def test_api_key
   end
 
   def test_cloud_ops
+    # This test also validates auto-TLS: TLS is auto-enabled when api_key is provided.
     api_key = ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_API_KEY', '')
     skip('No cloud API key') if api_key.empty?
 
-    # Create connection
+    # Create connection (tls not set, auto-enabled due to api_key)
     conn = Temporalio::Client::Connection.new(
       target_host: ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_TARGET_HOST'),
       api_key:,
-      tls: true,
       rpc_metadata: { 'temporal-cloud-api-version' => ENV.fetch('TEMPORAL_CLOUD_OPS_TEST_API_VERSION') }
     )