@temporalio/core-bridge 1.12.2 → 1.12.3

package/sdk-core/core-c-bridge/src/tests/mod.rs

@@ -1,12 +1,22 @@
-use crate::client::RpcService;
+use crate::ByteArrayRef;
+use crate::client::{
+    ClientGrpcOverrideRequest, ClientGrpcOverrideResponse, RpcService,
+    temporal_core_client_grpc_override_request_headers,
+    temporal_core_client_grpc_override_request_proto,
+    temporal_core_client_grpc_override_request_respond,
+    temporal_core_client_grpc_override_request_rpc,
+    temporal_core_client_grpc_override_request_service,
+};
 use crate::tests::utils::{
     OwnedRpcCallOptions, RpcCallError, default_client_options, default_server_config,
 };
 use context::Context;
 use prost::Message;
-use std::sync::Arc;
+use std::sync::{Arc, LazyLock, Mutex};
+use temporal_sdk_core_protos::temporal::api::failure::v1::Failure;
 use temporal_sdk_core_protos::temporal::api::workflowservice::v1::{
-    GetSystemInfoRequest, GetSystemInfoResponse,
+    GetSystemInfoRequest, GetSystemInfoResponse, QueryWorkflowRequest,
+    StartWorkflowExecutionRequest, StartWorkflowExecutionResponse,
 };
 
 mod context;
@@ -176,3 +186,169 @@ fn test_all_rpc_calls_exist() {
         ));
     });
 }
+
+static CALLBACK_OVERRIDE_CALLS: LazyLock<Mutex<Vec<String>>> =
+    LazyLock::new(|| Mutex::new(Vec::new()));
+
+struct ClientOverrideError {
+    message: String,
+    details: Option<Vec<u8>>,
+}
+
+impl ClientOverrideError {
+    pub fn new(message: String) -> Self {
+        Self {
+            message,
+            details: None,
+        }
+    }
+}
+
+unsafe extern "C" fn callback_override(
+    req: *mut ClientGrpcOverrideRequest,
+    user_data: *mut libc::c_void,
+) {
+    let mut calls = CALLBACK_OVERRIDE_CALLS.lock().unwrap();
+
+    // Simple header check to confirm headers are working
+    let headers =
+        temporal_core_client_grpc_override_request_headers(req).to_string_map_on_newlines();
+    assert!(headers.get("content-type").unwrap().as_str() == "application/grpc");
+
+    // Confirm user data is as we expect
+    let user_data: &String = unsafe { &*(user_data as *const String) };
+    assert!(user_data.as_str() == "some-user-data");
+
+    calls.push(format!(
+        "service: {}, rpc: {}",
+        temporal_core_client_grpc_override_request_service(req).to_string(),
+        temporal_core_client_grpc_override_request_rpc(req).to_string()
+    ));
+    let resp_raw = match temporal_core_client_grpc_override_request_rpc(req).to_str() {
+        "GetSystemInfo" => Ok(GetSystemInfoResponse::default().encode_to_vec()),
+        "StartWorkflowExecution" => match StartWorkflowExecutionRequest::decode(
+            temporal_core_client_grpc_override_request_proto(req).to_slice(),
+        ) {
+            Ok(req) => Ok(StartWorkflowExecutionResponse {
+                run_id: format!("run-id for {}", req.workflow_id),
+                ..Default::default()
+            }
+            .encode_to_vec()),
+            Err(err) => Err(ClientOverrideError::new(format!("Bad bytes: {err}"))),
+        },
+        "QueryWorkflow" => match QueryWorkflowRequest::decode(
+            temporal_core_client_grpc_override_request_proto(req).to_slice(),
+        ) {
+            // Demonstrate fail details
+            Ok(_) => Err(ClientOverrideError {
+                message: "query-fail".to_string(),
+                details: Some(
+                    Failure {
+                        message: "intentional failure".to_string(),
+                        ..Default::default()
+                    }
+                    .encode_to_vec(),
+                ),
+            }),
+            Err(err) => Err(ClientOverrideError::new(format!("Bad bytes: {err}"))),
+        },
+        v => Err(ClientOverrideError::new(format!("Unknown RPC: {v}"))),
+    };
+    // It is very important that we borrow not move resp_raw here. If this were a "match resp_raw"
+    // without the &, ownership of bytes moves into the match arm and can drop bytes after the
+    // match arm. This is why we have a "let _" below for resp_raw to ensure a developed doesn't
+    // accidentally move it.
+    let resp = match &resp_raw {
+        Ok(bytes) => ClientGrpcOverrideResponse {
+            status_code: 0,
+            headers: ByteArrayRef::empty(),
+            success_proto: bytes.as_slice().into(),
+            fail_message: ByteArrayRef::empty(),
+            fail_details: ByteArrayRef::empty(),
+        },
+        Err(err) => ClientGrpcOverrideResponse {
+            status_code: tonic::Code::Internal.into(),
+            headers: ByteArrayRef::empty(),
+            success_proto: ByteArrayRef::empty(),
+            fail_message: err.message.as_str().into(),
+            fail_details: if let Some(details) = &err.details {
+                details.as_slice().into()
+            } else {
+                ByteArrayRef::empty()
+            },
+        },
+    };
+    temporal_core_client_grpc_override_request_respond(req, resp);
+    let _ = resp_raw;
+}
+
+#[test]
+fn test_simple_callback_override() {
+    Context::with(|context| {
+        let mut user_data = "some-user-data".to_owned();
+        context.runtime_new().unwrap();
+        // Create client which will invoke GetSystemInfo
+        context
+            .client_connect_with_override(
+                Box::new(default_client_options("127.0.0.1:4567")),
+                Some(callback_override),
+                &mut user_data as *mut String as *mut libc::c_void,
+            )
+            .unwrap();
+
+        // Invoke start workflow so we can confirm complex proto in/out
+        let start_resp_raw = context
+            .rpc_call(Box::new(OwnedRpcCallOptions {
+                service: RpcService::Workflow,
+                rpc: "StartWorkflowExecution".into(),
+                req: StartWorkflowExecutionRequest {
+                    workflow_id: "my-workflow-id".into(),
+                    ..Default::default()
+                }
+                .encode_to_vec(),
+                retry: false,
+                metadata: None,
+                timeout_millis: 0,
+                cancellation_token: None,
+            }))
+            .unwrap();
+        let start_resp = StartWorkflowExecutionResponse::decode(&*start_resp_raw).unwrap();
+        assert!(start_resp.run_id == "run-id for my-workflow-id");
+
+        // Try a query where a query failure will actually be delivered as failure details.
+        // However, we don't currently have temporal_sdk_core_protos::google::rpc::Status in
+        // the crate, so we'll just use the details directly even though a proper gRPC
+        // implementation will only provide a google.rpc.Status proto.
+        let query_err = context
+            .rpc_call(Box::new(OwnedRpcCallOptions {
+                service: RpcService::Workflow,
+                rpc: "QueryWorkflow".into(),
+                req: QueryWorkflowRequest::default().encode_to_vec(),
+                retry: false,
+                metadata: None,
+                timeout_millis: 0,
+                cancellation_token: None,
+            }))
+            .unwrap_err()
+            .downcast::<RpcCallError>()
+            .unwrap();
+        assert!(query_err.status_code == tonic::Code::Internal as u32);
+        assert!(query_err.message == "query-fail");
+        assert!(
+            Failure::decode(query_err.details.as_ref().unwrap().as_slice())
+                .unwrap()
+                .message
+                == "intentional failure"
+        );
+
+        // Confirm we got the expected calls
+        assert!(
+            *CALLBACK_OVERRIDE_CALLS.lock().unwrap()
+                == vec![
+                    "service: temporal.api.workflowservice.v1.WorkflowService, rpc: GetSystemInfo",
+                    "service: temporal.api.workflowservice.v1.WorkflowService, rpc: StartWorkflowExecution",
+                    "service: temporal.api.workflowservice.v1.WorkflowService, rpc: QueryWorkflow"
+                ]
+        );
+    });
+}

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/CODEOWNERS

@@ -3,4 +3,4 @@
 # @temporalio/saas will be requested for review when
 # someone opens a pull request.
 
-*       @temporalio/saas
+*       @temporalio/crew-iam-plus

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/README.md

@@ -15,7 +15,7 @@ To use the Cloud Ops API in your project, preform the following 4 steps:
 
 The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources. The `temporal:versioning:min_version` label specifies the minimum version of the API that supports the field.
 
-Current Version `v0.4.0`
+Current Version `v0.7.1`
 
 ### URL
 

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/VERSION

@@ -1 +1 @@
-v0.5.1
+v0.7.1

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/buf.yaml

@@ -3,6 +3,7 @@ name: buf.build/temporalio/cloud-api
 deps:
   - buf.build/googleapis/googleapis
   - buf.build/temporalio/api:v1.43.0
+
 breaking:
   use:
     - FILE

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/cloudservice/v1/request_response.proto

@@ -18,6 +18,7 @@ import "temporal/api/cloud/nexus/v1/message.proto";
 import "temporal/api/cloud/region/v1/message.proto";
 import "temporal/api/cloud/account/v1/message.proto";
 import "temporal/api/cloud/usage/v1/message.proto";
+import "temporal/api/cloud/connectivityrule/v1/message.proto";
 
 message GetUsersRequest {
     // The requested size of the page to retrieve - optional.
@@ -129,6 +130,9 @@ message CreateNamespaceRequest {
     // The id to use for this async operation.
     // Optional, if not provided a random id will be generated.
     string async_operation_id = 3;
+    // The tags to add to the namespace.
+    // Note: This field can be set by global admins or account owners only.
+    map<string, string> tags = 4;
 }
 
 message CreateNamespaceResponse {
@@ -845,3 +849,82 @@ message ValidateNamespaceExportSinkRequest {
 
 message ValidateNamespaceExportSinkResponse {
 }
+
+message UpdateNamespaceTagsRequest {
+    // The namespace to set tags for.
+    string namespace = 1;
+    // A list of tags to add or update. 
+    // If a key of an existing tag is added, the tag's value is updated. 
+    // At least one of tags_to_upsert or tags_to_remove must be specified.
+    map<string, string> tags_to_upsert = 2;
+    // A list of tag keys to remove. 
+    // If a tag key doesn't exist, it is silently ignored.
+    // At least one of tags_to_upsert or tags_to_remove must be specified.
+    repeated string tags_to_remove = 3;
+    // The id to use for this async operation - optional.
+    string async_operation_id = 4;
+}
+
+message UpdateNamespaceTagsResponse {
+    // The async operation.
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+} 
+
+message CreateConnectivityRuleRequest {
+    // The connectivity rule specification.
+    temporal.api.cloud.connectivityrule.v1.ConnectivityRuleSpec spec = 1;
+    // The id to use for this async operation.
+    // Optional, if not provided a random id will be generated.
+    string async_operation_id = 2;
+}
+
+message CreateConnectivityRuleResponse {
+    // The id of the connectivity rule that was created.
+    string connectivity_rule_id = 1;
+    // The async operation
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 2;
+}
+
+message GetConnectivityRuleRequest {
+    // The id of the connectivity rule to get.
+    string connectivity_rule_id = 1;
+}
+
+message GetConnectivityRuleResponse {
+    temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rule = 1;
+}
+
+message GetConnectivityRulesRequest {
+    // The requested size of the page to retrieve.
+    // Optional, defaults to 100.
+    int32 page_size = 1;
+    // The page token if this is continuing from another response.
+    // Optional, defaults to empty.
+    string page_token = 2;
+    // Filter connectivity rule by the namespace id.
+    string namespace = 3;
+}
+
+message GetConnectivityRulesResponse {
+    // connectivity_rules returned
+    repeated temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rules = 1;
+    // The next page token
+    string next_page_token = 2;
+}
+
+message DeleteConnectivityRuleRequest {
+    // The ID of the connectivity rule that need be deleted, required.
+    string connectivity_rule_id = 1;
+
+    // The resource version which should be the same from the the db, required
+    // The latest version can be found in the GetConnectivityRule operation response
+    string resource_version = 2;
+    // The id to use for this async operation.
+    // Optional, if not provided a random id will be generated.
+    string async_operation_id = 3;
+}
+
+message DeleteConnectivityRuleResponse {
+    // The async operation
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+}

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/cloudservice/v1/service.proto

@@ -395,4 +395,41 @@ service CloudService {
             body: "*"
         };
     }
+
+    // Update the tags for a namespace
+     rpc UpdateNamespaceTags(UpdateNamespaceTagsRequest) returns (UpdateNamespaceTagsResponse) {
+        option (google.api.http) = {
+            post: "/cloud/namespaces/{namespace}/update-tags"
+            body: "*"
+        };
+    }
+
+    // Creates a connectivity rule
+    rpc CreateConnectivityRule(CreateConnectivityRuleRequest) returns (CreateConnectivityRuleResponse) {
+        option (google.api.http) = {
+            post: "/cloud/connectivity-rules"
+            body: "*"
+        };
+    }
+
+    // Gets a connectivity rule by id
+    rpc GetConnectivityRule(GetConnectivityRuleRequest) returns (GetConnectivityRuleResponse) {
+        option (google.api.http) = {
+            get: "/cloud/connectivity-rules/{connectivity_rule_id}"
+        };
+    }
+
+    // Lists connectivity rules by account
+    rpc GetConnectivityRules(GetConnectivityRulesRequest) returns (GetConnectivityRulesResponse) {
+        option (google.api.http) = {
+            get: "/cloud/connectivity-rules"
+        };
+    }
+
+    // Deletes a connectivity rule by id
+    rpc DeleteConnectivityRule(DeleteConnectivityRuleRequest) returns (DeleteConnectivityRuleResponse) {
+        option (google.api.http) = {
+            delete: "/cloud/connectivity-rules/{connectivity_rule_id}"
+        };
+    }
 }

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/connectivityrule/v1/message.proto

@@ -0,0 +1,64 @@
+syntax = "proto3";
+
+package temporal.api.cloud.connectivityrule.v1;
+
+option go_package = "go.temporal.io/api/cloud/connectivityrule/v1;connectivityrule";
+option java_package = "io.temporal.api.cloud.connectivityrule.v1";
+option java_multiple_files = true;
+option java_outer_classname = "MessageProto";
+option ruby_package = "Temporalio::Api::Cloud::ConnectivityRule::V1";
+option csharp_namespace = "Temporalio.Api.Cloud.ConnectivityRule.V1";
+
+import "temporal/api/cloud/resource/v1/message.proto";
+import "google/protobuf/timestamp.proto";
+
+message ConnectivityRule {
+  reserved 3; // Removed endpoint field
+
+  // The id of the private connectivity rule.
+  string id = 1;
+
+  // The connectivity rule specification.
+  ConnectivityRuleSpec spec = 2;
+
+  // The current version of the connectivity rule specification.
+  // The next update operation will have to include this version.
+  string resource_version = 4;
+
+  temporal.api.cloud.resource.v1.ResourceState state = 5;
+
+  // The id of the async operation that is creating/updating/deleting the connectivity rule, if any.
+  string async_operation_id = 6;
+
+  // The date and time when the connectivity rule was created.
+  google.protobuf.Timestamp created_time = 7;
+}
+
+// The connectivity rule specification passed in on create/update operations.
+message ConnectivityRuleSpec {
+  oneof connection_type {
+    // This allows access via public internet.
+    PublicConnectivityRule public_rule = 1;
+    // This allows access via specific private vpc.
+    PrivateConnectivityRule private_rule = 2;
+  }
+}
+
+// A public connectivity rule allows access to the namespace via the public internet.
+message PublicConnectivityRule {}
+
+// A private connectivity rule allows connections from a specific private vpc only.
+message PrivateConnectivityRule {
+  // Connection id provided to enforce the private connectivity. This is required both by AWS and GCP.
+  string connection_id = 1;
+
+  // For GCP private connectivity service, GCP needs both GCP project id and the Private Service Connect Connection IDs
+  // AWS only needs the connection_id
+  string gcp_project_id = 2;
+
+  // The region of the connectivity rule. This should align with the namespace.
+  // Example: "aws-us-west-2"
+  string region = 3;
+
+  reserved 4;
+}

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/identity/v1/message.proto

@@ -13,12 +13,13 @@ import "temporal/api/cloud/resource/v1/message.proto";
 import "google/protobuf/timestamp.proto";
 
 message AccountAccess {
-    // The role on the account, should be one of [owner, admin, developer, financeadmin, read]
+    // The role on the account, should be one of [owner, admin, developer, financeadmin, read, metricsread]
     // owner - gives full access to the account, including users, namespaces, and billing
     // admin - gives full access the account, including users and namespaces
     // developer - gives access to create namespaces on the account
     // financeadmin - gives read only access and write access for billing
     // read - gives read only access to the account
+    // metricsread - gives read only access to all namespace metrics
     // Deprecated: Not supported after v0.3.0 api version. Use role instead.
     // temporal:versioning:max_version=v0.3.0
     string role_deprecated = 1 [deprecated = true];
@@ -34,6 +35,7 @@ message AccountAccess {
         ROLE_DEVELOPER = 3; // Gives access to create namespaces on the account.
         ROLE_FINANCE_ADMIN = 4; // Gives read only access and write access for billing.
         ROLE_READ = 5; // Gives read only access to the account.
+        ROLE_METRICS_READ = 6; // Gives read only access to the account metrics.
     }
 }
 

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/namespace/v1/message.proto

@@ -12,6 +12,7 @@ option csharp_namespace = "Temporalio.Api.Cloud.Namespace.V1";
 import "temporal/api/cloud/resource/v1/message.proto";
 import "google/protobuf/timestamp.proto";
 import "temporal/api/cloud/sink/v1/message.proto";
+import "temporal/api/cloud/connectivityrule/v1/message.proto";
 
 message CertificateFilterSpec {
     // The common_name in the certificate.
@@ -139,6 +140,11 @@ message NamespaceSpec {
     // The high availability configuration for the namespace.
     // temporal:versioning:min_version=v0.4.0
     HighAvailabilitySpec high_availability = 10;
+    // The private connectivity configuration for the namespace.
+    // This will apply the connectivity rules specified to the namespace.
+    // temporal:versioning:min_version=v0.6.0
+    repeated string connectivity_rule_ids = 11;
+
 
     enum SearchAttributeType {
         SEARCH_ATTRIBUTE_TYPE_UNSPECIFIED = 0;
@@ -218,6 +224,10 @@ message Namespace {
     // The status of each region where the namespace is available.
     // The id of the region is the key and the status is the value of the map.
     map<string, NamespaceRegionStatus> region_status = 12;
+    // The connectivity rules that are set on this namespace.
+    repeated temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rules = 14;
+    // The tags for the namespace.
+    map<string, string> tags = 15;
 }
 
 message NamespaceRegionStatus {

package/sdk-core/sdk-core-protos/protos/api_cloud_upstream/temporal/api/cloud/operation/v1/message.proto

@@ -47,5 +47,6 @@ message AsyncOperation {
 	STATE_FAILED = 3;      // The operation failed, check failure_reason for more details.
 	STATE_CANCELLED = 4;   // The operation was cancelled.
 	STATE_FULFILLED = 5;   // The operation was fulfilled.
+        STATE_REJECTED = 6;    // The operation was rejected.
     }
 }