stdtemporalcodecfx

package
v0.0.234 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 18, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Overview

Package stdtemporalcodecfx wires the Tink-backed Temporal payload codec into an fx application.

Two composable fx.Options are exposed:

  • Provide() wires the client/worker side. It produces a converter.DataConverter that stdtemporalfx (or any Temporal client) installs on its connection. When Config.Enabled is false a no-op DataConverter is provided so local development works without a keyset; when true, payloads are encrypted via Tink (AES-256-GCM in the typical configuration) using the configured keyset.

  • ProvideServer() wires the codec HTTP server. It produces an http.Handler under the fx name tag "codec" implementing Temporal's remote codec contract (POST /encode and POST /decode). The handler enforces an allowlist on the X-Namespace request header. Callers are expected to mount the handler on their own HTTP server.

Keyset backends

The base64-encoded Tink keyset configured via the *_KEYSET environment variable may be either:

  • A cleartext JSON keyset (the default; suitable for local dev). Set *_KEYSET and leave *_KEYSET_KEK_URI empty.

  • A KMS-wrapped JSON keyset, sealed by a KEK living in a remote KMS. Set *_KEYSET to the wrapped blob and *_KEYSET_KEK_URI to the KEK URI. URIs prefixed with "aws-kms://" select the AWS KMS backend; the KEK is dereferenced via the standard aws-sdk-go-v2 chain (or via a custom KMS client injected through fx as an optional dependency).

In both cases the keyset is shipped as a single base64 blob via env or secrets manager; only the KEK URI env var differentiates the two modes. The CLI in cmd/stdtemporalcodec-genkeyset grows a --kek-uri flag to emit a KMS-wrapped keyset.

Index

Constants

View Source 
const AWSKMSURIPrefix = "aws-kms://"

AWSKMSURIPrefix is the URI scheme prefix that selects the AWS KMS backend for wrapping/unwrapping the Tink DEK keyset.

Variables

This section is empty.

Functions

func Provide 

func Provide() fx.Option

Provide returns an fx.Option providing the client/worker side data converter. See package documentation for details.

func ProvideServer 

func ProvideServer() fx.Option

ProvideServer returns an fx.Option providing the codec server http.Handler under the fx name tag "codec". See package documentation for details.

Types

type Config 

type Config struct {
	// Enabled toggles encryption of Temporal payloads. When false a
	// pass-through DataConverter is provided so local development works
	// without a configured keyset. Default false.
	Enabled bool `env:"ENABLED"`

	// Keyset is the base64-encoded Tink keyset (JSON form). When
	// KeysetKEKURI is empty it must be a cleartext keyset; otherwise it
	// must be a keyset wrapped by the KEK at KeysetKEKURI. Required when
	// Enabled is true. It MUST match the value configured on the codec
	// server and on every other worker/client in the same namespace.
	Keyset string `env:"KEYSET"`

	// KeysetKEKURI optionally selects the keyset backend. Leave empty for
	// a cleartext keyset (local dev); set to e.g.
	// "aws-kms://arn:aws:kms:<region>:<acct>:key/<id>" to unwrap Keyset
	// via AWS KMS.
	KeysetKEKURI string `env:"KEYSET_KEK_URI"`

	// Namespace is the Temporal namespace this client/worker operates in.
	// It is bound into the AEAD additionalData to enforce cryptographic
	// tenant isolation. Required when Enabled is true.
	Namespace string `env:"NAMESPACE"`
}

Config configures the client/worker side of the codec module (Provide). Environment variables are prefixed with STDTEMPORALCODEC_.

type KMS added in v0.0.234 

type KMS interface {
	Encrypt(ctx context.Context, params *kms.EncryptInput, optFns ...func(*kms.Options)) (*kms.EncryptOutput, error)
	Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)
}

KMS is the subset of the aws-sdk-go-v2 KMS client methods used by this package when unwrapping a Tink keyset that was sealed by an AWS KMS KEK. It matches awskms.KMSAPI in tink-go-awskms/v3 so any value implementing this interface (e.g. *kms.Client or a generated mock) can be plugged in via fx as an optional dependency. When no implementation is provided and a wrapping KEK URI requires one, a default *kms.Client constructed from the ambient AWS SDK configuration is used.

type Params 

type Params struct {
	fx.In

	Config Config

	// KMS is optional. When the configured keyset backend is AWS KMS and
	// no KMS is provided, a default *kms.Client constructed from the
	// ambient AWS SDK configuration is used. Tests inject a mock here.
	KMS KMS `optional:"true"`
}

Params holds the dependencies for Provide.

type Result 

type Result struct {
	fx.Out

	// DataConverter is suitable for installing on a Temporal client.
	// stdtemporalfx already consumes it as an optional dependency.
	DataConverter converter.DataConverter
}

Result holds the values provided by Provide.

func New 

func New(par Params) (Result, error)

New constructs the data converter.

type ServerConfig 

type ServerConfig struct {
	// Enabled toggles the codec server. When false a stub handler that
	// responds 404 to every request is produced under the "codec" name
	// tag, so consumers can mount it unconditionally. Default false.
	Enabled bool `env:"ENABLED"`

	// Keyset is the base64-encoded Tink keyset (JSON form). When
	// KeysetKEKURI is empty it must be a cleartext keyset; otherwise it
	// must be a keyset wrapped by the KEK at KeysetKEKURI. Required when
	// Enabled is true. Must match the value used by every worker/client
	// whose payloads this server is expected to decode.
	Keyset string `env:"KEYSET"`

	// KeysetKEKURI mirrors Config.KeysetKEKURI for the server side.
	KeysetKEKURI string `env:"KEYSET_KEK_URI"`

	// AllowedNamespaces lists the Temporal namespaces this server will
	// service. Requests bearing any other (normalized) namespace are
	// rejected with 403 Forbidden. If empty, all requests are rejected.
	AllowedNamespaces []string `env:"ALLOWED_NAMESPACES" envSeparator:","`

	// StripCloudSuffix toggles the StripCloudAccountSuffix normalizer
	// (which trims everything after the last dot in X-Namespace). Defaults
	// to true so the handler works out of the box with the Temporal Cloud
	// Web UI.
	StripCloudSuffix bool `env:"STRIP_CLOUD_SUFFIX" envDefault:"true"`
}

ServerConfig configures the codec server (ProvideServer). Environment variables are prefixed with STDTEMPORALCODECSERVER_.

type ServerParams 

type ServerParams struct {
	fx.In

	Config ServerConfig
	Logger *zap.Logger

	// KMS is optional. When the configured keyset backend is AWS KMS and
	// no KMS is provided, a default *kms.Client constructed from the
	// ambient AWS SDK configuration is used. Tests inject a mock here.
	KMS KMS `optional:"true"`
}

ServerParams holds the dependencies for ProvideServer.

type ServerResult 

type ServerResult struct {
	fx.Out

	// Handler is the codec server handler, exposing POST /encode and
	// POST /decode (suffix-matched so it can be mounted anywhere).
	Handler http.Handler `name:"codec"`
}

ServerResult holds the values provided by ProvideServer.

func NewServer 

func NewServer(par ServerParams) (ServerResult, error)

NewServer constructs the codec server handler. When Config.Enabled is false the result handler responds 404 to every request so consumers can mount it unconditionally; they should still gate any CORS / route registration on Enabled if they want to avoid the stub being reachable at all.

Source Files

View all Source files

Directories

Path Synopsis
cmd
stdtemporalcodec-genkeyset command
Command stdtemporalcodec-genkeyset generates a fresh AES-256-GCM Tink keyset and prints it to stdout as a base64-encoded JSON keyset, suitable for use as the value of the STDTEMPORALCODEC_KEYSET and STDTEMPORALCODECSERVER_KEYSET environment variables consumed by stdtemporalcodecfx.
 Command stdtemporalcodec-genkeyset generates a fresh AES-256-GCM Tink keyset and prints it to stdout as a base64-encoded JSON keyset, suitable for use as the value of the STDTEMPORALCODEC_KEYSET and STDTEMPORALCODECSERVER_KEYSET environment variables consumed by stdtemporalcodecfx.
Package stdtemporalcodec implements a Temporal converter.PayloadCodec that encrypts payloads using a Google Tink AEAD primitive backed by an AES-256-GCM keyset, together with an HTTP handler that exposes the codec over Temporal's remote codec contract.
 Package stdtemporalcodec implements a Temporal converter.PayloadCodec that encrypts payloads using a Google Tink AEAD primitive backed by an AES-256-GCM keyset, together with an HTTP handler that exposes the codec over Temporal's remote codec contract.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.