Documentation
Overview
Package stdtemporalcodecfx wires the Tink-backed Temporal payload codec into an fx application.
Two composable fx.Options are exposed:
Provide() wires the client/worker side. It produces a converter.DataConverter that stdtemporalfx (or any Temporal client) installs on its connection. When Config.Enabled is false a no-op DataConverter is provided so local development works without a keyset; when true, payloads are encrypted via Tink (AES-256-GCM in the typical configuration) using the configured keyset.
ProvideServer() wires the codec HTTP server. It produces an http.Handler under the fx name tag "codec" implementing Temporal's remote codec contract (POST /encode and POST /decode). The handler enforces an allowlist on the X-Namespace request header. Callers are expected to mount the handler on their own HTTP server.
The Tink keyset is read from the environment and MUST be the same value across every worker, client and codec-server process for a given namespace set. It is provided as a base64-encoded Tink cleartext keyset in JSON form. To generate one, run:
go run github.com/advdv/stdgo/fx/stdtemporalcodecfx/cmd/stdtemporalcodec-genkeyset
and paste the output into STDTEMPORALCODEC_KEYSET (and/or STDTEMPORALCODECSERVER_KEYSET).
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func Provide
Provide returns an fx.Option providing the client/worker side data converter. See package documentation for details.
func ProvideServer
ProvideServer returns an fx.Option providing the codec server http.Handler under the fx name tag "codec". See package documentation for details.
Types
type Config
type Config struct {
	// Enabled toggles encryption of Temporal payloads. When false a
	// pass-through DataConverter is provided so local development works
	// without a configured keyset. Default false.
	Enabled bool `env:"ENABLED"`
	// Keyset is the base64-encoded Tink cleartext keyset (JSON form).
	// Required when Enabled is true. It MUST be the same value as the
	// one configured on the codec server and on every other
	// worker/client in the same namespace.
	Keyset string `env:"KEYSET"`
	// Namespace is the Temporal namespace this client/worker operates in.
	// It is bound into the AEAD additionalData to enforce cryptographic
	// tenant isolation. Required when Enabled is true.
	Namespace string `env:"NAMESPACE"`
}
Config configures the client/worker side of the codec module (Provide). Environment variables are prefixed with STDTEMPORALCODEC_.
type Result
type Result struct {
	fx.Out
	// DataConverter is suitable for installing on a Temporal client.
	// stdtemporalfx already consumes it as an optional dependency.
	DataConverter converter.DataConverter
}
Result holds the values provided by Provide.
type ServerConfig
type ServerConfig struct {
	// Enabled toggles the codec server. When false a stub handler that
	// responds 404 to every request is produced under the "codec" name
	// tag, so consumers can mount it unconditionally. Default false.
	Enabled bool `env:"ENABLED"`
	// Keyset is the base64-encoded Tink cleartext keyset (JSON form).
	// Required when Enabled is true. Must match the value used by every
	// worker/client whose payloads this server is expected to decode.
	Keyset string `env:"KEYSET"`
	// AllowedNamespaces lists the Temporal namespaces this server will
	// service. Requests bearing any other (normalized) namespace are
	// rejected with 403 Forbidden. If empty, all requests are rejected.
	AllowedNamespaces []string `env:"ALLOWED_NAMESPACES" envSeparator:","`
	// StripCloudSuffix toggles the StripCloudAccountSuffix normalizer
	// (which trims everything after the last dot in X-Namespace). Defaults
	// to true so the handler works out of the box with the Temporal Cloud
	// Web UI.
	StripCloudSuffix bool `env:"STRIP_CLOUD_SUFFIX" envDefault:"true"`
}
ServerConfig configures the codec server (ProvideServer). Environment variables are prefixed with STDTEMPORALCODECSERVER_.
type ServerParams
type ServerParams struct {
	fx.In
	Config ServerConfig
	Logger *zap.Logger
}
ServerParams holds the dependencies for ProvideServer.
type ServerResult
type ServerResult struct {
	fx.Out
	// Handler is the codec server handler, exposing POST /encode and
	// POST /decode (suffix-matched so it can be mounted anywhere).
	Handler http.Handler `name:"codec"`
}
ServerResult holds the values provided by ProvideServer.
func NewServer
func NewServer(par ServerParams) (ServerResult, error)
NewServer constructs the codec server handler. When Config.Enabled is false the resulting handler responds 404 to every request so consumers can mount it unconditionally; they should still gate any CORS or route registration on Enabled if they want to avoid the stub being reachable at all.
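The overview and the ServerConfig/NewServer descriptions above spell out three security-relevant behaviours of the codec server: the namespace is bound into the AEAD additional data so one tenant's codec cannot decrypt another tenant's payloads, the X-Namespace header is normalized (last-dot suffix stripped) and checked against an allowlist that rejects everything when empty, and a disabled server is a 404 stub. The following is an added example, not the package's own code, that reproduces those behaviours with only the Go standard library: crypto/aes and crypto/cipher GCM stand in for the Tink AEAD primitive, a raw 32-byte key stands in for the base64 Tink keyset, and the request/response body shape (a "payloads" array of metadata/data objects) and the "binary/encrypted" encoding tag are assumptions about Temporal's remote codec contract rather than values taken from this page. The names NewCodec, NewHandler, Payload and Payloads are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"net/http"
	"path"
	"strings"
)

// Payload mirrors a Temporal payload in the codec server's JSON body (assumed
// shape); encoding/json base64-encodes the []byte fields, as protojson does.
type Payload struct {
	Metadata map[string][]byte `json:"metadata"`
	Data     []byte            `json:"data"`
}

// Payloads is the request and response body of POST /encode and POST /decode.
type Payloads struct {
	Payloads []Payload `json:"payloads"`
}

// Codec stands in for the Tink-backed codec: one AES-256-GCM key, with the
// Temporal namespace bound in as AEAD additional data for tenant isolation.
type Codec struct{ aead cipher.AEAD }

// NewCodec takes a raw 32-byte key (assumption: raw bytes instead of a Tink
// keyset, so the example needs only the standard library).
func NewCodec(key []byte) (*Codec, error) {
	block, err := aes.NewCipher(key) // 32 bytes selects AES-256
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Codec{aead: aead}, nil
}

// Encode seals each payload (metadata and data) with the namespace as AAD and
// emits a "binary/encrypted" payload whose data is nonce||ciphertext.
func (c *Codec) Encode(namespace string, in []Payload) ([]Payload, error) {
	out := make([]Payload, 0, len(in))
	for _, p := range in {
		plain, err := json.Marshal(p)
		if err != nil { return nil, err }
		nonce := make([]byte, c.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return nil, err }
		ct := c.aead.Seal(nonce, nonce, plain, []byte(namespace))
		out = append(out, Payload{Metadata: map[string][]byte{"encoding": []byte("binary/encrypted")}, Data: ct})
	}
	return out, nil
}

// Decode opens encrypted payloads; a different key or namespace fails the GCM
// tag check, so a codec for tenant A cannot read payloads sealed for tenant B.
func (c *Codec) Decode(namespace string, in []Payload) ([]Payload, error) {
	out := make([]Payload, 0, len(in))
	for _, p := range in {
		if string(p.Metadata["encoding"]) != "binary/encrypted" {
			out = append(out, p) // not sealed by this codec: pass through unchanged
			continue
		}
		ns := c.aead.NonceSize()
		if len(p.Data) < ns { return nil, errors.New("ciphertext too short") }
		plain, err := c.aead.Open(nil, p.Data[:ns], p.Data[ns:], []byte(namespace))
		if err != nil { return nil, errors.New("decrypt failed: wrong key or namespace") }
		var orig Payload
		if err := json.Unmarshal(plain, &orig); err != nil { return nil, err }
		out = append(out, orig)
	}
	return out, nil
}

// StripCloudAccountSuffix trims everything after the last dot, so the
// "<namespace>.<account>" value sent by Temporal Cloud matches the allowlist.
func StripCloudAccountSuffix(ns string) string {
	if i := strings.LastIndex(ns, "."); i >= 0 { return ns[:i] }
	return ns
}

// NewHandler serves the remote codec contract behind an X-Namespace allowlist;
// with enabled=false it is the 404-everything stub described for NewServer.
func NewHandler(enabled bool, c *Codec, allowed []string, stripSuffix bool) http.Handler {
	if !enabled { return http.NotFoundHandler() }
	allow := make(map[string]bool, len(allowed))
	for _, a := range allowed { allow[a] = true }
	ops := map[string]func(string, []Payload) ([]Payload, error){"encode": c.Encode, "decode": c.Decode}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		op := ops[path.Base(r.URL.Path)] // suffix-matched: mountable under any prefix
		if r.Method != http.MethodPost || op == nil { http.NotFound(w, r); return }
		ns := r.Header.Get("X-Namespace")
		if stripSuffix { ns = StripCloudAccountSuffix(ns) }
		if !allow[ns] { http.Error(w, "namespace not allowed", http.StatusForbidden); return } // empty allowlist rejects all
		var body Payloads
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil { http.Error(w, "bad request body", http.StatusBadRequest); return }
		res, err := op(ns, body.Payloads)
		if err != nil { http.Error(w, err.Error(), http.StatusBadRequest); return }
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Payloads{Payloads: res})
	})
}
```

Mount the handler under any prefix (for example /codec) and point the Temporal Web UI or CLI at it; the namespace used as AAD is the normalized header value that passed the allowlist, so a request for namespace "billing" can never decrypt a payload sealed for "orders" even when both namespaces are allowed and share the key.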
Directories

| Path | Synopsis |
|---|---|
| cmd | |
| cmd/stdtemporalcodec-genkeyset (command) | Command stdtemporalcodec-genkeyset generates a fresh AES-256-GCM Tink keyset and prints it to stdout as a base64-encoded JSON cleartext keyset, suitable for use as the value of the STDTEMPORALCODEC_KEYSET and STDTEMPORALCODECSERVER_KEYSET environment variables consumed by stdtemporalcodecfx. |
| stdtemporalcodec | Package stdtemporalcodec implements a Temporal converter.PayloadCodec that encrypts payloads using a Google Tink AEAD primitive backed by an AES-256-GCM keyset, together with an HTTP handler that exposes the codec over Temporal's remote codec contract. |