using CloudOperationsClient API

temporalio · Oct 1, 2024 · 524e430 · 524e430
1 parent d38c972
commit 524e430
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 44 deletions.
diff --git a/encryption_jwt/codec_server.py b/encryption_jwt/codec_server.py
@@ -2,20 +2,22 @@
 import os
 import ssl
 
-import grpc
 import jwt
 import requests
 from aiohttp import hdrs, web
 from google.protobuf import json_format
 from jwt.algorithms import RSAAlgorithm
-from temporalio.api.cloud.cloudservice.v1 import request_response_pb2, service_pb2_grpc
-from temporalio.api.common.v1 import Payload, Payloads
+from temporalio.api.cloud.cloudservice.v1 import GetUsersRequest
+from temporalio.api.common.v1 import Payloads
+from temporalio.client import CloudOperationsClient
 
 from encryption_jwt.codec import EncryptionCodec
 
 AUTHORIZED_ACCOUNT_ACCESS_ROLES = ["owner", "admin"]
 AUTHORIZED_NAMESPACE_ACCESS_ROLES = ["read", "write", "admin"]
 
+TEMPORAL_CLIENT_CLOUD_API_VERSION = "2024-05-13-00"
+
 temporal_ops_address = "saas-api.tmprl.cloud:443"
 if os.environ.get("TEMPORAL_OPS_ADDRESS"):
     temporal_ops_address = os.environ.get("TEMPORAL_OPS_ADDRESS")
@@ -45,44 +47,32 @@ async def cors_options(req: web.Request) -> web.Response:
 
         return resp
 
-    def decryption_authorized(email: str, namespace: str) -> bool:
-        credentials = grpc.composite_channel_credentials(
-            grpc.ssl_channel_credentials(),
-            grpc.access_token_call_credentials(os.environ.get("TEMPORAL_API_KEY")),
+    async def decryption_authorized(email: str, namespace: str) -> bool:
+        client = await CloudOperationsClient.connect(
+            api_key=os.environ.get("TEMPORAL_API_KEY"),
+            version=TEMPORAL_CLIENT_CLOUD_API_VERSION,
         )
 
-        with grpc.secure_channel(temporal_ops_address, credentials) as channel:
-            client = service_pb2_grpc.CloudServiceStub(channel)
-            request = request_response_pb2.GetUsersRequest()
-
-            response = client.GetUsers(
-                request,
-                metadata=(
-                    (
-                        "temporal-cloud-api-version",
-                        os.environ.get("TEMPORAL_OPS_API_VERSION"),
-                    ),
-                ),
-            )
+        response = await client.cloud_service.get_users(
+            GetUsersRequest(namespace=namespace)
+        )
 
-            for user in response.users:
-                if user.spec.email.lower() == email.lower():
-                    if (
-                        user.spec.access.account_access.role
-                        in AUTHORIZED_ACCOUNT_ACCESS_ROLES
-                    ):
-                        return True
-                    else:
-                        if namespace in user.spec.access.namespace_accesses:
-                            if (
-                                user.spec.access.namespace_accesses[
-                                    namespace
-                                ].permission
-                                in AUTHORIZED_NAMESPACE_ACCESS_ROLES
-                            ):
-                                return True
-
-            return False
+        for user in response.users:
+            if user.spec.email.lower() == email.lower():
+                if (
+                    user.spec.access.account_access.role
+                    in AUTHORIZED_ACCOUNT_ACCESS_ROLES
+                ):
+                    return True
+                else:
+                    if namespace in user.spec.access.namespace_accesses:
+                        if (
+                            user.spec.access.namespace_accesses[namespace].permission
+                            in AUTHORIZED_NAMESPACE_ACCESS_ROLES
+                        ):
+                            return True
+
+        return False
 
     def make_handler(fn: str):
         async def handler(req: web.Request):
@@ -122,7 +112,7 @@ async def handler(req: web.Request):
             )
 
             # Use the email to determine if the user is authorized to decrypt the payload
-            authorized = decryption_authorized(
+            authorized = await decryption_authorized(
                 decoded["https://saas-api.tmprl.cloud/user/email"], namespace
             )
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -45,7 +45,7 @@ dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1" }
 
 [tool.poetry.group.encryption_jwt]
 optional = true
-dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1", pyjwt = "^2.9.0", grpcio = "^1.66.1", aioboto3 = "^13.1.1", "requests" = "^2.32.3" }
+dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1", pyjwt = "^2.9.0", aioboto3 = "^13.1.1", "requests" = "^2.32.3" }
 
 [tool.poetry.group.gevent]
 optional = true