Allow authority override with different mTLS domain (#38)

README.md

@@ -57,26 +57,28 @@ You can configure the listener using one of the following methods:
 
 Use the following command-line parameters:
 
-| Parameter                                                           |
-| ------------------------------------------------------------------- |
-| --spi-events-listener-temporal-server=temporal:7233                 |
-| --spi-events-listener-temporal-namespace=default                    |
-| --spi-events-listener-temporal-task-queue=keycloak                  |
-| --spi-events-listener-temporal-mtls-cert-file=/etc/client-cert.crt  |
-| --spi-events-listener-temporal-mtls-key-file=/etc/client-cert.key   |
+| Parameter                                                                |
+|--------------------------------------------------------------------------|
+| --spi-events-listener-temporal-server=temporal:7233                      |
+| --spi-events-listener-temporal-namespace=default                         |
+| --spi-events-listener-temporal-task-queue=keycloak                       |
+| --spi-events-listener-temporal-mtls-cert-file=/etc/client-cert.crt       |
+| --spi-events-listener-temporal-mtls-key-file=/etc/client-cert.key        |
+| --spi-events-listener-temporal-mtls-override-authority=frontend.temporal |
 
 
 ### Option 2: Environment Variables
 
 Alternatively, you can set these environmental variables:
 
-| Variable                                        | Value                |
-| ----------------------------------------------- | -------------------- |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_SERVER          | temporal:7233        |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_NAMESPACE       | default              |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_TASK_QUEUE      | keycloak             |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_MTLS_CERT_FILE  | /etc/client-cert.crt |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_MTLS_KEY_FILE   | /etc/client-cert.key |
+| Variable                                                | Value                |
+|---------------------------------------------------------|----------------------|
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_SERVER                  | temporal:7233        |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_NAMESPACE               | default              |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_TASK_QUEUE              | keycloak             |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_MTLS_CERT_FILE          | /etc/client-cert.crt |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_MTLS_KEY_FILE           | /etc/client-cert.key |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_MTLS_OVERRIDE_AUTHORITY | frontend.temporal    |
 
 # License
 This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.

src/main/kotlin/app/infinityflow/keycloak/events/TemporalEventListenerProviderFactory.kt

@@ -21,10 +21,11 @@ class TemporalEventListenerProviderFactory : EventListenerProviderFactory {
     private var _taskQueue = "keycloak"
     private var _clientCert = ""
     private var _clientCertKey = ""
+    private var _channelOverrideAuthority = ""
 
     override fun create(session: KeycloakSession?): EventListenerProvider {
         if (_logger.isDebugEnabled) {
-        _logger.debugf("Creating %s", TemporalEventListenerProvider::class)
+            _logger.debugf("Creating %s", TemporalEventListenerProvider::class)
         }
         return TemporalEventListenerProvider(_workflowClient!!, _taskQueue)
     }
@@ -39,24 +40,36 @@ class TemporalEventListenerProviderFactory : EventListenerProviderFactory {
         _taskQueue = config?.get("task-queue") ?: _taskQueue
         _clientCert = config?.get("mtls-cert-file") ?: _clientCert
         _clientCertKey = config?.get("mtls-key-file") ?: _clientCertKey
+        _channelOverrideAuthority = config?.get("mtls-override-authority") ?: _channelOverrideAuthority
 
-        val workflowServiceStubsOptionsBuilder = WorkflowServiceStubsOptions.newBuilder()
+        val workflowServiceStubsOptionsBuilder = WorkflowServiceStubsOptions
+            .newBuilder()
             .setTarget(_server)
 
         if (_clientCert.isNotEmpty() && _clientCertKey.isNotEmpty()) {
             FileInputStream(_clientCert).use { certInputStream ->
                 FileInputStream(_clientCertKey).use { keyInputStream ->
-                    val sslContext = SimpleSslContextBuilder.forPKCS8(certInputStream, keyInputStream).build()
+                    val sslContext = SimpleSslContextBuilder
+                        .forPKCS8(certInputStream, keyInputStream)
+                        .build()
+
                     workflowServiceStubsOptionsBuilder.setSslContext(sslContext)
+
+                    if (_channelOverrideAuthority.isNotEmpty()) {
+                        workflowServiceStubsOptionsBuilder
+                            .setChannelInitializer { channel -> channel.overrideAuthority(_channelOverrideAuthority) }
+                    }
                 }
             }
         }
 
         val workflowServiceStubs = WorkflowServiceStubs.newServiceStubs(workflowServiceStubsOptionsBuilder.build())
-
-        _workflowClient = WorkflowClient.newInstance(workflowServiceStubs, WorkflowClientOptions.newBuilder()
-            .setNamespace(_namespace)
-            .build())
+
+        _workflowClient = WorkflowClient
+            .newInstance(workflowServiceStubs, WorkflowClientOptions
+                .newBuilder()
+                .setNamespace(_namespace)
+                .build())
     }
 
     override fun postInit(factory: KeycloakSessionFactory?) {

src/test/kotlin/app/infinityflow/keycloak/events/tests/TestScope.kt

@@ -9,7 +9,8 @@ class TestScope : Scope {
         "task-queue" to "default",
         "namespace" to "default",
         "mtls-cert-file" to "",
-        "mtls-key-file" to ""
+        "mtls-key-file" to "",
+        "mtls-override-authority" to "",
     )
 
     override fun get(p0: String?): String {