tctl's Introduction

The public preview of Temporal CLI is now available. We encourage you to begin using it and to provide feedback.

⚠️ After the release of Temporal CLI v1.0, tctl will be deprecated. ⚠️

tctl

tctl is a command-line tool that you can use to interact with a Temporal Cluster. It can perform Namespace operations (such as register, update, and describe) and Workflow operations (such as start Workflow, show Workflow History, and Signal Workflow).

Documentation for tctl is located at the Temporal main site.

Quick Start

Run make from the project root. You should see an executable file called tctl. Try a few example commands to get started:
./tctl for help on top level commands and global options
./tctl namespace for help on namespace operations
./tctl workflow for help on workflow operations
./tctl task-queue for help on task queue operations
(./tctl help, ./tctl help [namespace|workflow] will also print help messages)

Note: Make sure you have a Temporal server running before using the CLI.

Trying out the new tctl next with updated UX

Note: Switching to tctl next is not recommended in production environments.

The package contains both tctl v1 and the updated tctl next. tctl next brings an updated UX, new command and flag semantics, and new features (see details). Expect more changes in tctl next.

By default, tctl commands run from tctl v1. To switch to the experimental tctl next, run:

tctl config set version next

This will create a configuration file (~/.config/temporalio/tctl.yaml) and set tctl to next.

To switch back to the stable v1, run

tctl config set version current

Auto-completion

Running tctl completion SHELL outputs the completion code for that shell. See the following sections for how to enable it for each shell and OS.

zsh auto-completion

Add the following to your ~/.zshrc file:

source <(tctl completion zsh)

or from your terminal run:

echo 'source <(tctl completion zsh)' >> ~/.zshrc

Then run source ~/.zshrc.

Bash auto-completion (Linux)

Bash auto-completion relies on bash-completion. Install it by following the instructions here, or use a package manager, for example apt-get install bash-completion or yum install bash-completion. For example, on Alpine Linux:

  • apk update
  • apk add bash-completion
  • source /etc/profile.d/bash_completion.sh

Verify that bash-completion is installed by running type _init_completion and add the following to your .bashrc file to enable completion for tctl

echo 'source <(tctl completion bash)' >>~/.bashrc
source ~/.bashrc

Bash auto-completion (macOS)

On macOS, install bash-completion with brew (brew install bash-completion@2) and add the following line to your ~/.bashrc:

[[ -r "/usr/local/etc/profile.d/bash_completion.sh" ]] && . "/usr/local/etc/profile.d/bash_completion.sh"

Verify that bash-completion is installed by running type _init_completion and add the following to your .bashrc file to enable completion for tctl

echo 'source <(tctl completion bash)' >> ~/.bashrc
source ~/.bashrc

License

MIT License, please see LICENSE for details.


tctl's Issues

[Bug] v1.17.0-beta isn't `next`

What are you really trying to do?

Use experimental

Describe the bug

Following instructions for trying experimental v1.17.0-beta I did the following but ended up getting v1.14.0-alpha.2. I made sure my brew was up to date (I think) and still could not switch. See my commands.

Minimal Reproduction

dev  % brew info tctl
tctl: stable 1.16.0 (bottled)
Temporal CLI (tctl)
https://temporal.io/
/opt/homebrew/Cellar/tctl/1.16.0 (6 files, 66.3MB) *
  Poured from bottle on 2022-04-11 at 23:08:48
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/tctl.rb
License: MIT
==> Dependencies
Build: go ✘
==> Analytics
install: 481 (30 days), 1,539 (90 days), 3,750 (365 days)
install-on-request: 479 (30 days), 1,535 (90 days), 3,745 (365 days)
build-error: 0 (30 days)
dev  % tctl config set --version next
Incorrect Usage: flag provided but not defined: -version

NAME:
   tctl config set - set property

USAGE:
   tctl config set [arguments...]
dev  % tctl config set version next
version: next
dev  % tctl --version
tctl version 1.14.0-alpha.2

Environment/Versions

  • OS and processor: M1 Mac
  • Golang Version: (I'm using go version go1.18 darwin/arm64).

--pjson when listing Workflows outputs invalid JSON document

Expected Behavior

--pjson should output well formatted JSON that can be parsed by standard parsers like jq.

Actual Behavior

--pjson includes an extra comma at the end of the list that is out of spec and causes parser failures.

Steps to Reproduce the Problem

  1. Execute listall for workflows.
    tctl --namespace Money workflow listall --op --wt recurringVaultTransfer --pjson
  2. Review output.
    [
    {"execution":{"workflowId":"2001-1000000011391-1","runId":"23c49786-0051-48cd-8268-2b3cdc19188a"},"type":{"name":"recurringVaultTransfer"},"startTime":"2021-12-14T18:49:32.074090Z","status":"Running","executionTime":"2021-12-14T18:49:32.074090Z","memo":{}},
    ]
  3. Attempt to parse with jq and receive error "parse error: Expected another array element at line 1, column 261"

Specifications

  • Version: 1.10.5
  • Platform: Linux
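The trailing-comma shape reported above next to a separator-first writer, as an added example (not tctl's code). The execution struct and the sample rows are constructed; only the workflow type name comes from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// execution is a constructed, trimmed-down row; real listall rows carry more fields.
type execution struct {
	WorkflowID string `json:"workflowId"`
	Type       string `json:"type"`
	Status     string `json:"status"`
}

// writeTrailingComma reproduces the reported shape: every row is followed by
// a comma, including the last one, so the closing bracket follows a comma.
func writeTrailingComma(w io.Writer, pages [][]execution) error {
	fmt.Fprintln(w, "[")
	for _, page := range pages {
		for _, e := range page {
			b, err := json.Marshal(e)
			if err != nil {
				return err
			}
			fmt.Fprintf(w, "%s,\n", b)
		}
	}
	fmt.Fprintln(w, "]")
	return nil
}

// writeSeparated emits the separator before every row except the first. The
// writer never needs to know which row is last, so the output stays valid for
// any number of pages and rows, including none.
func writeSeparated(w io.Writer, pages [][]execution) error {
	if _, err := io.WriteString(w, "["); err != nil {
		return err
	}
	first := true
	for _, page := range pages {
		for _, e := range page {
			b, err := json.Marshal(e)
			if err != nil {
				return err
			}
			sep := ",\n"
			if first {
				sep, first = "\n", false
			}
			if _, err := fmt.Fprintf(w, "%s%s", sep, b); err != nil {
				return err
			}
		}
	}
	_, err := io.WriteString(w, "\n]\n")
	return err
}

// render runs one of the writers into a string.
func render(fn func(io.Writer, [][]execution) error, pages [][]execution) string {
	var sb strings.Builder
	if err := fn(&sb, pages); err != nil {
		return ""
	}
	return sb.String()
}

// rowCount parses doc with a strict JSON parser and returns the number of
// rows, or -1 when the document is rejected (what jq reports as a parse error).
func rowCount(doc string) int {
	var rows []execution
	if err := json.Unmarshal([]byte(doc), &rows); err != nil {
		return -1
	}
	return len(rows)
}

// samplePages is constructed data standing in for two pages of results.
var samplePages = [][]execution{
	{{"wf-0001", "recurringVaultTransfer", "Running"}, {"wf-0002", "recurringVaultTransfer", "Running"}},
	{{"wf-0003", "recurringVaultTransfer", "Completed"}},
}

func main() {
	fmt.Println("trailing comma rows:", rowCount(render(writeTrailingComma, samplePages)))
	fmt.Println("separator-first rows:", rowCount(render(writeSeparated, samplePages)))
}
```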

Open editor with command tctl config edit

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Add command tctl config edit to open tctl.yml config file in an editor

Additional context

More operations on workflows in TaskQueue

Is your feature request related to a problem? Please describe.

A couple of scenarios have come up where being able to view or manipulate a task queue would be very handy:

  1. When "renaming" a task queue, we can safely migrate from the old to the new if we can list the queued up workflows in a taskQueue, and verify that the queue is empty.
  2. When running tests, we have to completely shut down Temporal to clear bad state from a previous run.

Describe the solution you'd like

I would like the tctl taskqueue commands to support:

  1. list - gives all of the workflows queued up in a given taskqueue that have not yet been picked up by workers
  2. deleteAll - allows manual removal of all jobs queued up in the task queue (this would be a GREAT test env helper function).
  3. delete - allows manual removal of a specified job in the taskQueue (lower pri ask)

wish tctl show workflow information --pdt show datetime with local timezone

Is your feature request related to a problem? Please describe.
The tctl wf l command lists workflows, but only displays with UTC timezone

Describe the solution you'd like
Local timezone will be great

Describe alternatives you've considered
How about using ENV to control whether to use local timezone display, such as TEMPORAL_CLI_DISPLAY_TIMEZONE

Additional context
n/a

[Feature Request] Attach timestamps to the `show`

At this time, I'm not seeing the timestamps from the results from show for a workflow. It would be nice to have consistency with the UI where it shows the timestamps for the workflow execution history states.

TaskID range can't be specified in admin list shard tasks command

Admin list tasks command only takes in min/max task visibility timestamp and passes them to server for listing timer tasks.

For transfer/replication/visibility tasks, there's no flag for specifying the taskID range and min/max taskID field is also not specified when calling admin list transfer/replication/visibility tasks API. This, I believe, means no task will be returned for those three task types.

Creating config dir fails when ReadOnlyRootFileSystem is true

What are you really trying to do?

executing tctl from a kubernetes deployment where the temporal-admin-tools container has readOnlyRootFileSystem set to true.

Describe the bug

tctl starting 1.16 keeps trying to create config directory and throws a bunch of duplicate messages on console with each command execution.

Minimal Reproduction

[temporal@temporalfrontend-59b6f6584d-f7cb9 bin]$ tctl --ns scratchpad wf start --tq parallel --wt ParallelWorkflow
creating config dir: /home/temporal/.config/temporalio
creating config dir: /home/temporal/.config/temporalio

Environment/Versions

  • OS and processor: Linux
  • Temporal Version: 1.16
  • Are you using Docker or Kubernetes or building Temporal from source? Copying the tctl binary from the public docker image.

Additional context

Slack Thread https://temporalio.slack.com/archives/CTRCR8RBP/p1650401597307829

Toggle the TLS configuration based on the Frontend URL format

Is your feature request related to a problem? Please describe.

Currently if TLS is enabled OR Nginx is used for the TLS termination towards the Frontend tctl does not know if it should activate the TLS unless one of the relevant flags is toggled - https://github.com/temporalio/temporal/blob/bdeff26cfe99248bd66bd1302abdf636f1fcc373/tools/cli/factory.go#L182

This requires specifying unnecessary flags in the case authorization is not mTLS but rather another method just to activate the TLS.

Describe the solution you'd like

Instead of activating TLS via flags, format of the temporal address can be like this grpc://<IP or DNS>:<port> for plain connection and grpcs://<IP or DNS>:<port> for the TLS. If prefix is not specified then connection can still revert to the non-TLS OR TLS based on one of the flags added. Adding this feature would help with making the Temporal protocol communication intent between the client and the frontend clean.

Describe alternatives you've considered

Adding flags we don't need to force tctl use TLS

e.g. for the valid public certificate we can activate the TLS by using the tls_server_name which is not really needed cause the cert is valid for the server name.

tctl --ad 'public-frontend.superhost.com:443' --tls_server_name 'public-frontend.superhost.com' namespace list
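One way the proposed grpc:// and grpcs:// address handling could be resolved, as an added example (not tctl's code and not an existing tctl feature). resolveEndpoint and the endpoint type are hypothetical, and rejecting grpc:// when TLS flags are also set is an assumption of this example, chosen so that a scheme can never silently downgrade a connection the flags asked to protect.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// endpoint is the dial target plus the transport decision.
type endpoint struct {
	HostPort string
	UseTLS   bool
}

// resolveEndpoint maps an address to a dial target:
//
//	grpcs://host:port  TLS on
//	grpc://host:port   TLS off (rejected if TLS flags are also set)
//	host:port          falls back to the existing flag-based behaviour
//
// tlsFlagsSet stands for "at least one TLS-related flag was provided".
func resolveEndpoint(addr string, tlsFlagsSet bool) (endpoint, error) {
	scheme, rest, found := strings.Cut(addr, "://")
	if !found {
		rest = addr
	}

	var useTLS bool
	switch s := strings.ToLower(scheme); {
	case !found:
		useTLS = tlsFlagsSet
	case s == "grpcs":
		useTLS = true
	case s == "grpc":
		if tlsFlagsSet {
			// Assumption of this example: refuse the conflict instead of
			// picking one side and possibly sending credentials in clear.
			return endpoint{}, fmt.Errorf("grpc:// requests plaintext but TLS flags are set")
		}
	default:
		return endpoint{}, fmt.Errorf("unsupported scheme %q (want grpc or grpcs)", scheme)
	}

	// SplitHostPort handles bracketed IPv6 literals and rejects a missing port.
	host, port, err := net.SplitHostPort(rest)
	if err != nil {
		return endpoint{}, fmt.Errorf("address %q: %w", rest, err)
	}
	// SplitHostPort does not validate the port, so "443/path" would pass.
	n, err := strconv.Atoi(port)
	if host == "" || err != nil || n < 1 || n > 65535 {
		return endpoint{}, fmt.Errorf("address %q: need a host and a numeric port", rest)
	}
	return endpoint{HostPort: net.JoinHostPort(host, port), UseTLS: useTLS}, nil
}

func main() {
	// Constructed inputs; the public-frontend host name is the one from the request.
	for _, addr := range []string{
		"grpcs://public-frontend.superhost.com:443",
		"grpc://127.0.0.1:7233",
		"public-frontend.superhost.com:443",
		"https://public-frontend.superhost.com:443",
	} {
		ep, err := resolveEndpoint(addr, false)
		fmt.Printf("%-45s -> %+v err=%v\n", addr, ep, err)
	}
}
```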

[Bug] Workflow describe does not work with archival

"tctl wf desc" does not work with archived executions:

tctl wf desc -w MyArchivedWorkflow -r myarchivedworkflowrunid
Error: Describe workflow execution failed
Error Details: rpc error: code = NotFound desc = Workflow executionsRow not found.  WorkflowId: HelloSignalWorkflow, RunId: f2a6c0f7-9551-4257-98c2-198d7213b8ed
Stack trace:
goroutine 1 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:24 +0x65
runtime/debug.PrintStack()
	runtime/debug/stack.go:16 +0x19
github.com/temporalio/tctl/cli_curr.printError({0x2b841eb, 0x22}, {0x2fac840, 0xc00019a0e8})
	github.com/temporalio/tctl/cli_curr/util.go:392 +0x21e
github.com/temporalio/tctl/cli_curr.ErrorAndExit({0x2b841eb?, 0x2fbcb40?}, {0x2fac840?, 0xc00019a0e8?})
	github.com/temporalio/tctl/cli_curr/util.go:403 +0x28
github.com/temporalio/tctl/cli_curr.describeWorkflowHelper(0xc00032e580, {0x7ffeefbffa40, 0x13}, {0x7ffeefbffa57, 0x24})
	github.com/temporalio/tctl/cli_curr/workflowCommands.go:880 +0x239
github.com/temporalio/tctl/cli_curr.DescribeWorkflow(0xc00032e580)
	github.com/temporalio/tctl/cli_curr/workflowCommands.go:845 +0x6c
github.com/temporalio/tctl/cli_curr.newWorkflowCommands.func15(0xc00032e580?)
	github.com/temporalio/tctl/cli_curr/workflow.go:196 +0x19
github.com/urfave/cli.HandleAction({0x273c0a0?, 0x2c17df0?}, 0x8?)
	github.com/urfave/[email protected]/app.go:526 +0x50
github.com/urfave/cli.Command.Run({{0x2b448a3, 0x8}, {0x0, 0x0}, {0xc000190310, 0x1, 0x1}, {0x2b91ead, 0x26}, {0x0, ...}, ...}, ...)
	github.com/urfave/[email protected]/command.go:173 +0x652
github.com/urfave/cli.(*App).RunAsSubcommand(0xc0003316c0, 0xc000235ce0)
	github.com/urfave/[email protected]/app.go:405 +0x91b
github.com/urfave/cli.Command.startApp({{0x2b45303, 0x8}, {0x0, 0x0}, {0xc000190650, 0x1, 0x1}, {0x2b6abf9, 0x19}, {0x0, ...}, ...}, ...)
	github.com/urfave/[email protected]/command.go:372 +0x6e7
github.com/urfave/cli.Command.Run({{0x2b45303, 0x8}, {0x0, 0x0}, {0xc000190650, 0x1, 0x1}, {0x2b6abf9, 0x19}, {0x0, ...}, ...}, ...)
	github.com/urfave/[email protected]/command.go:102 +0x808
github.com/urfave/cli.(*App).Run(0xc000331340, {0xc0001a6000, 0x7, 0x7})
	github.com/urfave/[email protected]/app.go:277 +0x8a7
main.main()
	./main.go:45 +0xa6

Support pretty printing histories from files

Is your feature request related to a problem? Please describe.

tctl and UI support saving workflow histories to files for replay testing. It would be nice to support pretty printing histories which are stored in a file. It is especially useful to show payloads that use non standard data converters.

Describe the solution you'd like

Add tctl command to pretty print history from file. Add UI "upload history" feature.

Additional context

Requested by user:

Hello. Is there a good method for us to deserialize history payloads? We have some old histories stored with encoded payloads for replay testing. It would be helpful to view these files with decoded payloads using less. Is there a quick way to do this?

Support passing headers in "tctl workflow run"

Is your feature request related to a problem? Please describe.

In order to propagate information into workflow context we can use Context propagation in temporal.
The propagation uses headers to pass the information between the caller of workflow and the workflow (https://docs.temporal.io/docs/go/tracing/#server-side-headers)
Currently there is no way to pass headers when running "tctl workflow run" which forces us to run our own tctl-like tool

Describe the solution you'd like

Add --header flag.
Example:

tctl workflow run --wt MyWorkflow --wid MyWorkflow-0 --header=key=value

In context propagation we get header name name with value value
It would also be nice to have that you can pass multiple headers in a single command

[Bug] tctl "leaking" plugin server processes when exiting with an error

What are you really trying to do?

We use a tctl-authorization-plugin with the tctl CLI for our Temporal clusters. We had reports from our users that many instances of our plugin were left running in the background after they had completed running their commands.

After some investigation I realized that the plugin server and client were handled correctly when CLI commands were completing successfully. However whenever the CLI commands were returning an error (specifically exiting with non-zero) the plugin server was left running in the background (aka "leaking").

I am very familiar with Hashicorp's go-plugin framework.

Describe the bug

When tctl exits with an error it calls os.Exit(1). This results in the process being immediately terminated without calling any of the deferred functions. This means that the stopPlugins function is not called, leaving the plugin server running.

Example command:

$ tctl wf show
Error: Option workflow_id is required
exit status 1

More in depth description

Stepping through the CLI application we can see that:

  1. The application calls ShowHistory(c)
  2. Which calls getRequiredOption(c, FlagWorkflowID)
  3. Which in turn validates the workflow ID and calls ErrorAndExit(...) since the value hasn't been set
  4. This then calls osExit(1)
  5. This is a variable which is set to os.Exit

Quoting the Go documentation:

Exit causes the current program to exit with the given status code. Conventionally, code zero indicates success, non-zero an error. The program terminates immediately; deferred functions are not run.

For portability, the status code should be in the range [0, 125].

This means that the deferred stopPlugins function is never called and the plugin server is left running.

Note: I'm intentionally eliding the plugin setup, GRPC interceptor, etc. since it works as expected on the happy path.

Minimal Reproduction

I don't know of a minimal authorization plugin that I can run so this is a little more vague than I would like. Apologies in advance.

The Temporal environment variables (somewhat redacted):

$ env | grep '^TEMPORAL_CLI'
TEMPORAL_CLI_PLUGIN_HEADERS_PROVIDER=tctl-auth
TEMPORAL_CLI_NAMESPACE=default
TEMPORAL_CLI_TLS_KEY=
TEMPORAL_CLI_TLS_DISABLE_HOST_VERIFICATION=false
TEMPORAL_CLI_TLS_SERVER_NAME=
TEMPORAL_CLI_PLUGIN_DATA_CONVERTER=tctl-data-converter
TEMPORAL_CLI_ADDRESS=temporal.server.host.name:port
TEMPORAL_CLI_TLS_CERT=
TEMPORAL_CLI_TLS_CA=https://ca.server.host.name/path/to/ca/chain

The unhappy path:

  1. Ensure that the authorization plugin is installed and in your path (tctl-auth in our case)
  2. Run tctl wf show
  3. See that the command exits with a non-zero exit code and a useful error message
  4. See that the tctl-auth process is left running in the background

Example:

$ which tctl-auth
/usr/local/bin/tctl-auth

$ ps aux | grep '[t]ctl-auth' ; echo $?
1

$ tctl wf show
Error: Option workflow_id is required
exit status 1

$ ps aux | grep '[t]ctl-auth' ; echo $?
<username> 50280   0.0  0.1 34882124  20196 s000  S     7:29PM   0:00.03 tctl-auth
0

The happy path:

  1. Ensure that the authorization plugin is installed and in your path (tctl-auth in our case)
  2. Run tctl wf show -w <valid-workflow-id>
  3. See that the command exits with a zero exit code
  4. See that no tctl-auth processes are left running in the background

Example:

$ which tctl-auth
/usr/local/bin/tctl-auth

$ ps aux | grep '[t]ctl-auth' ; echo $?
1

$ tctl wf show -w <valid-workflow-id>
[... workflow output elided ...]

$ ps aux | grep '[t]ctl-auth' ; echo $?
1

Environment/Versions

  • OS and processor: Mac AMD64
  • tctl Version: 1.16.2
  • Temporal Version: n/a
  • Are you using Docker or Kubernetes or building Temporal from source? n/a

Additional context

Our authentication plugin is a Go application using cobra for CLI command parsing and boils down to:

func TctlAuthCommand() *cobra.Command {
	return &cobra.Command{
		Use:   "tctl-auth",
		Short: "[...]",
		RunE: func(_ *cobra.Command, _ []string) error {
			pluginMap := map[string]plugin.Plugin{
				cliPlugin.HeadersProviderPluginType: &cliPlugin.HeadersProviderPlugin{
					Impl: &provider{},
				},
			}
			plugin.Serve(&plugin.ServeConfig{
				HandshakeConfig: cliPlugin.PluginHandshakeConfig,
				Plugins:         pluginMap,
			})
			return nil
		},
	}
}

var _ cliPlugin.HeadersProvider = &provider{}

type provider struct {}

func (p provider) GetHeaders(_ context.Context) (map[string]string, error) {
	jwtToken, err := GetJWT()
	return map[string]string{"Authorization": jwtToken}, err
}
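The exit path described in this report, reduced to a self-contained model, as an added example (not tctl's code and not the reporter's plugin). pluginHost, runLeaky, runFixed and pluginAliveAtExit are hypothetical names; osExit is replaced by a recorder so the state at the moment of exit can be observed without terminating the process.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// osExit mirrors the indirection the issue describes: a package variable
// that normally points at os.Exit and can be replaced for observation.
var osExit = os.Exit

// pluginHost is a hypothetical stand-in for the client that owns the child
// plugin process (tctl-auth in the report).
type pluginHost struct{ running bool }

func startPlugins() *pluginHost { return &pluginHost{running: true} }
func (p *pluginHost) stop()     { p.running = false }

var errMissingWorkflowID = errors.New("option workflow_id is required")

// Leaky shape: a validation helper deep in the call stack exits the process.
func errorAndExit(err error) {
	fmt.Fprintln(os.Stderr, "Error:", err)
	osExit(1) // with the real os.Exit nothing after this runs, defers included
}

func showHistoryLeaky(workflowID string) {
	if workflowID == "" {
		errorAndExit(errMissingWorkflowID)
		return // reachable only while osExit is replaced by the recorder
	}
}

func runLeaky(p *pluginHost, workflowID string) {
	defer p.stop() // never reached on the error path in a real process
	showHistoryLeaky(workflowID)
}

// Fixed shape: helpers return errors, cleanup is deferred in one place, and
// the exit code is handed back so the caller exits after the defers have run.
func showHistory(workflowID string) error {
	if workflowID == "" {
		return errMissingWorkflowID
	}
	return nil
}

func runFixed(p *pluginHost, workflowID string) int {
	defer p.stop()
	if err := showHistory(workflowID); err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		return 1
	}
	return 0
}

// pluginAliveAtExit runs one shape with osExit swapped for a recorder and
// reports the exit code plus whether the plugin was still running at the
// instant exit was requested, which is the leak condition.
func pluginAliveAtExit(fixed bool, workflowID string) (code int, alive bool) {
	p := startPlugins()
	saved := osExit
	defer func() { osExit = saved }()
	code = -1
	osExit = func(c int) { code, alive = c, p.running }

	if fixed {
		osExit(runFixed(p, workflowID))
		return code, alive
	}
	runLeaky(p, workflowID)
	if code == -1 { // no error path taken: the program ends normally after defers
		osExit(0)
	}
	return code, alive
}

func main() {
	for _, fixed := range []bool{false, true} {
		code, alive := pluginAliveAtExit(fixed, "")
		fmt.Printf("fixed=%v exit=%d plugin running at exit=%v\n", fixed, code, alive)
	}
}
```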

tctl workflow start and workflow signal commands do not encrypt input parameters using data converter

What are you really trying to do?

I'm attempting to encrypt data sent to Temporal via the CLI.

Describe the bug

When running workflow start and workflow signal commands in tctl, the input parameters are not encoded via the configured plugin data converter.

Minimal Reproduction

This is reproducible using the samples-go/encryption plugin:

  1. Build the encryption plugin and start the worker as described in the samples-go/encryption readme
  2. Run the following command:
export PATH="../bin:$PATH" TEMPORAL_CLI_PLUGIN_DATA_CONVERTER=encryption-plugin
tctl workflow start --tq encryption --wt Workflow -i '"My Secret Friend"'
  3. Open the Temporal WebUI, and navigate to the new workflow
  4. Note that the input is not encrypted

Environment/Versions

  • OS and processor: macOS Big Sur 11.6, i9
  • Temporal Version: 1.14.1
  • Tested locally using the docker-compose files

tctl: Add flag to ignore idempotent failures like already exists

Shell scripts don't want to parse errors on duplicated domain registration.

$ tctl -ns UnitTest namespace re
Error: Namespace UnitTest already registered.
Error Details: Namespace already exists.
('export TEMPORAL_CLI_SHOW_STACKS=1' to see stack traces)

The proposal would be:

$ tctl -ns UnitTest namespace re --overwrite

This would mean that any parameters (like retention period) passed in the registration are going to replace previous ones.

[Feature Request] Note which options are required

Is your feature request related to a problem? Please describe.

When I run this, I'd like to know

  • whether the batch job started (it didn't)
  • if not, how to get it to start (add rest of required options)
$ tctl batch start --query "ExecutionStatus != 'foo'" --batch-type terminate --yes

NAME:
   tctl batch start - Start a batch operation job

USAGE:
   tctl batch start [command options] [arguments...]

OPTIONS:
   --query value, -q value          Query to get workflows for being executed this batch operation
   --reason value, -r value         Reason to run this batch job
   --batch-type value, --bt value   Types supported: terminate,cancel,signal
   --signal-name value, --sn value  Required for batch signal
   --input value, -i value          Optional input of signal
   --rps value                      RPS of processing (default: 50)
   --yes                            Optional flag to disable confirmation prompt (default: false)
   --help, -h                       show help (default: false)

Describe the solution you'd like

  • whether the batch job started (it didn't)

perhaps it is universally enough understood that printing usage means the command didn't work?

if not, how to get it to start (add rest of required options)

  • under USAGE and/or OPTIONS, denote which are required or which are optional. here is one convention: https://stackoverflow.com/a/21503966/627729
  • when entering a command without sufficient options, print the missing ones:
$ tctl batch start --query "ExecutionStatus != 'foo'" --batch-type terminate --yes

Missing required options:

   --reason value, -r value         Reason to run this batch job

github.com/temporalio/temporal-v1.16.1: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/temporalio/temporal-v1.16.1

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2019-0205 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |
CVE-2019-0210 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |
CVE-2018-11798 | Medium | 6.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |

Details

CVE-2019-0205

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.1 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Found in base branch: main

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-29

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-29

Fix Resolution: org.apache.thrift:libthrift:0.13.0

CVE-2019-0210

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.1 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

Publish Date: 2019-10-29

URL: CVE-2019-0210

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E

Release Date: 2019-10-29

Fix Resolution: 0.13.0

CVE-2018-11798

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.1 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Found in base branch: main

Vulnerability Details

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

Publish Date: 2019-01-07

URL: CVE-2018-11798

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798

Release Date: 2019-01-07

Fix Resolution: v0.12.0

github.com/temporalio/temporal-v1.16.0: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/temporalio/temporal-v1.16.0

Found in HEAD commit: 24cd6e57ac3042118ce62b973d381218de202bbf

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available
CVE-2019-0205 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |
CVE-2019-0210 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |
CVE-2018-11798 | Medium | 6.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A |

Details

CVE-2019-0205

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.0 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 24cd6e57ac3042118ce62b973d381218de202bbf

Found in base branch: main

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-29

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-29

Fix Resolution: org.apache.thrift:libthrift:0.13.0

CVE-2019-0210

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.0 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 24cd6e57ac3042118ce62b973d381218de202bbf

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

Publish Date: 2019-10-29

URL: CVE-2019-0210

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E

Release Date: 2019-10-29

Fix Resolution: 0.13.0

CVE-2018-11798

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.0 (Root Library)
    • github.com/temporalio/ringpop-go-6f91b5915e95e7b08817aae78fea3a38ea1b5bd2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 24cd6e57ac3042118ce62b973d381218de202bbf

Found in base branch: main

Vulnerability Details

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

Publish Date: 2019-01-07

URL: CVE-2018-11798

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798

Release Date: 2019-01-07

Fix Resolution: v0.12.0

Entering clusters when registering a namespace is not intuitive

What are you really trying to do?

Help output and potentially UX of tctl namespace register --clusters needs to be improved

Describe the bug

tctl namespace register --clusters help output is super not helpful and just says "Clusters"

This creates confusion for users

Minimal Reproduction

Run
tctl namespace register -h and look for --clusters help message

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

Support more package managers

Is your feature request related to a problem? Please describe.

Currently only homebrew users can easily install tctl

Describe the solution you'd like

In addition to homebrew, publish and support tctl in:

  • apt
  • winget
  • chocolatey
  • ... ?

Additional context

Expose control over gRPC recv message size limit / page size

Is your feature request related to a problem? Please describe.

Users may run into an error gRPC message exceeds maximum size 25000000: 43086401 when server responds with messages larger than 4mb

Describe the solution you'd like

Expose control over message size limit
Expose control over page size (or make it small by default unless there is an issue with perf)

Additional context

Add "reason" option to "tctl wf cancel"

Currently "tctl wf cancel" does not have a reason option, please add it.
Should be similar to "tctl wf terminate" which has it

tctl wf terminate -h
NAME:
tctl workflow terminate - terminate a new workflow execution

USAGE:
tctl workflow terminate [command options] [arguments...]

OPTIONS:
--workflow_id value, --wid value, -w value WorkflowId
--run_id value, --rid value, -r value RunId
--reason value, --re value The reason you want to terminate the workflow

Thanks!

[Bug] Retention period message and output mismatch

Describe the bug

To Reproduce

tctl namespace desc

Name: default
...
RetentionInDays: 72h0m0s

The message RetentionInDays doesn't align with the output format

Expected behavior

Fix the message, possibly make format more readable

Screenshots/Terminal output

Versions

  • OS: [e.g. Mac, Windows, Linux]
  • Temporal Version [e.g. 1.7.0?]
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

[Bug] workflow list time filter error message

Describe the bug

Using TCTL workflow list command with --et and --lt with time like '2021-09-08T10:30:00' does not work.

To Reproduce

Run command like:
$ tctl wf list --et '2021-09-08T10:30:00'
Error: Cannot parse time '2021-09-08T10:30:00', use UTC format '2006-01-02T15:04:05', time range or raw UnixNano directly. See help for more details.
Error Details: cannot parse timeRange 2021-09-08T10:30:00

Notice the error message suggests using the same format as what was used.

However, if I use '2021-09-08T10:30:00Z' (notice the Z at the end), then it works.

Provide a simple way to run common batch jobs on workflows

Is your feature request related to a problem? Please describe.

A common ask from developers is to be able to terminate all running workflows using tctl.

What most devs end up doing is running something like the following (with current gen tctl):

tctl workflow list --open --more | awk '{ print $3 }' | tail -n +2 | grep -v to | xargs -n 1 tctl workflow terminate --workflow_id

There's also a less known option if enhanced visibility is enabled documented here: https://docs.temporal.io/docs/system-tools/tctl/#signal-cancel-terminate-workflows-as-a-batch-job.
This option doesn't provide a great DX when you just want to nuke everything for local development.

Describe the solution you'd like

@mfateev suggested an alternative where tctl commands would accept a --query flag to start and await batch completion.

tctl wf terminate --workflow-id ...
tctl wf terminate --query "ExecutionStatus='Running'"

No way to supply workflow run timeout from workflow start command

You could supply workflow execution timeout, but not workflow run timeout. For cron workflows, we would want the ability to specify a meaningful workflow run timeout while letting the workflow execution timeout be infinite. The command only takes 2 timeouts:
--execution_timeout value, --et value Execution start to close timeout in seconds (default: 0)
--workflow_task_timeout value, --wtt value Workflow task start to close timeout in seconds (default: 10)
Need --workflow_run_timeout as well.

tctl admin cluster describe supported clients shows U+003C instead of '<'

Expected Behavior

bash-5.0$ tctl admin cluster d
{
  "supportedClients": {
    "temporal-cli": "2.0.0",
    "temporal-go": "2.0.0",
    "temporal-java": "2.0.0",
    "temporal-server": "2.0.0"
  },

Actual Behavior

bash-5.0$ tctl admin cluster d
{
  "supportedClients": {
    "temporal-cli": "\u003c2.0.0",
    "temporal-go": "\u003c2.0.0",
    "temporal-java": "\u003c2.0.0",
    "temporal-server": "\u003c2.0.0"
  },


Steps to Reproduce the Problem

  1. spawn temporal 1.11.1 cluster
  2. run tctl admin cluster d
  3. see output

Specifications

  • Version: 1.11.1
  • Platform: kubernetes
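The `\u003c` form in the report above is what Go's `encoding/json` emits by default, because it HTML-escapes `<`, `>` and `&`; both spellings decode to the same string. The following is an added example, not tctl's own code: it assumes the CLI serializes with `encoding/json`, the type and function names are hypothetical, and the data is constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// clusterInfo mirrors only the fragment of output quoted in the report.
// Hypothetical type, not taken from the tctl code base.
type clusterInfo struct {
	SupportedClients map[string]string `json:"supportedClients"`
}

// sampleInfo returns constructed data with the version constraint "<2.0.0".
func sampleInfo() clusterInfo {
	return clusterInfo{SupportedClients: map[string]string{
		"temporal-cli":    "<2.0.0",
		"temporal-go":     "<2.0.0",
		"temporal-java":   "<2.0.0",
		"temporal-server": "<2.0.0",
	}}
}

// marshalDefault uses json.MarshalIndent, which always HTML-escapes
// '<', '>' and '&' so that the result is safe to embed in an HTML page.
func marshalDefault(v interface{}) (string, error) {
	b, err := json.MarshalIndent(v, "", "  ")
	return string(b), err
}

// marshalForTerminal writes through a json.Encoder with HTML escaping
// switched off. That is appropriate when the consumer is a terminal or
// another JSON parser, not when the output is embedded in a web page.
func marshalForTerminal(v interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	enc.SetIndent("", "  ")
	if err := enc.Encode(v); err != nil {
		return "", err
	}
	// Encode appends a trailing newline; drop it to match MarshalIndent.
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

func main() {
	escaped, _ := marshalDefault(sampleInfo())
	plain, _ := marshalForTerminal(sampleInfo())
	fmt.Println("default encoder:")
	fmt.Println(escaped)
	fmt.Println("escaping disabled:")
	fmt.Println(plain)
}
```

Anything that parses the escaped output as JSON already sees `<2.0.0`; only a human reading the raw text is affected.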

--reset-points-only is ignored in workflow show

What are you really trying to do?

Describe the bug

workflow show command ignores the --reset-points-only flag

Minimal Reproduction

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

tctl v1.16 has this implemented

[Bug] Determining whether the last task failed with non-determinism is unstable

What are you really trying to do?

Describe the bug

Some SDKs may return an arbitrary string as the cause for a non-deterministic failure. Currently the code depends on this cause to determine whether the last task failed with Non Determinism:

strings.Contains(attr.GetFailure().GetMessage(), "nondeterministic") {

Minimal Reproduction

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

[Bug] `tctl w show -o json` is hard to read

What are you really trying to do?

Read the output

Describe the bug

$ tctl w show -wid workflow-yd9Py1AphAbuAFUIKEdzb -o json
...
  {
    ESC[34;1m"Details"ESC[0m: ESC[32;1m"{ScheduledEventId:8, StartedEventId:9, Identity:[email protected], BinaryChecksum:@temporalio/[email protected]}"ESC[0m,
    ESC[34;1m"ID"ESC[0m: ESC[32;1m"10"ESC[0m,
    ESC[34;1m"Time"ESC[0m: ESC[32;1m"2022-07-06T17:57:07Z"ESC[0m,
    ESC[34;1m"Type"ESC[0m: ESC[32;1m"WorkflowTaskCompleted"ESC[0m
  },
  {
    ESC[34;1m"Details"ESC[0m: ESC[32;1m"{\u001b[36mResult\u001b[0m:[\"Hello, Temporal!\"], WorkflowTaskCompletedEventId:10}"ESC[0m,
    ESC[34;1m"ID"ESC[0m: ESC[32;1m"11"ESC[0m,
    ESC[34;1m"Time"ESC[0m: ESC[32;1m"2022-07-06T17:57:07Z"ESC[0m,
    ESC[34;1m"Type"ESC[0m: ESC[32;1m"\u001b[32mWorkflowExecutionCompleted\u001b[0m"ESC[0m
  }
]

Minimal Reproduction

Environment/Versions

M1 macOS Terminal

Additional context

Current workaround is to pipe to jq:

$ tctl w show -wid workflow-yd9Py1AphAbuAFUIKEdzb -o json | jq
...
  {
    "Details": "{ScheduledEventId:8, StartedEventId:9, Identity:[email protected], BinaryChecksum:@temporalio/[email protected]}",
    "ID": "10",
    "Time": "2022-07-06T17:57:07Z",
    "Type": "WorkflowTaskCompleted"
  },
  {
    "Details": "{Result:[\"Hello, Temporal!\"], WorkflowTaskCompletedEventId:10}",
    "ID": "11",
    "Time": "2022-07-06T17:57:07Z",
    "Type": "WorkflowExecutionCompleted"
  }
]
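The output in the report above carries colour escape sequences both around the JSON tokens and inside the string values, so any consumer other than a colour terminal receives control bytes as data. The following is an added example, not tctl's own code: it strips CSI sequences at the serialization boundary and enables colour only for human-readable output on a character device. The `event` type, function names and sample events are hypothetical and constructed from the fields shown in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)

// ansiCSI matches ANSI CSI sequences (ESC '[' parameters, intermediates,
// final byte), which covers colour codes such as ESC[32;1m and ESC[0m.
var ansiCSI = regexp.MustCompile(`\x1b\[[0-?]*[ -/]*[@-~]`)

// stripANSI removes every CSI sequence from s.
func stripANSI(s string) string { return ansiCSI.ReplaceAllString(s, "") }

// useColor reports whether colour codes may be written to out. Machine
// formats never get colour; otherwise out must be a character device
// (not a pipe or regular file) and NO_COLOR must be unset.
func useColor(out *os.File, format string) bool {
	if format == "json" || os.Getenv("NO_COLOR") != "" {
		return false
	}
	info, err := out.Stat()
	return err == nil && info.Mode()&os.ModeCharDevice != 0
}

// event holds the four fields visible in the report's output.
type event struct {
	Details string `json:"Details"`
	ID      string `json:"ID"`
	Time    string `json:"Time"`
	Type    string `json:"Type"`
}

// renderJSON sanitizes every field before encoding, so a value that was
// colourized earlier in the pipeline cannot leak escapes into the JSON.
func renderJSON(events []event) (string, error) {
	clean := make([]event, len(events))
	for i, e := range events {
		clean[i] = event{
			Details: stripANSI(e.Details),
			ID:      stripANSI(e.ID),
			Time:    stripANSI(e.Time),
			Type:    stripANSI(e.Type),
		}
	}
	b, err := json.MarshalIndent(clean, "", "  ")
	return string(b), err
}

// sampleEvents returns constructed input with colour codes embedded in
// the values, as in the second event of the report.
func sampleEvents() []event {
	return []event{{
		Details: "{\x1b[36mResult\x1b[0m:[\"Hello, Temporal!\"], WorkflowTaskCompletedEventId:10}",
		ID:      "11",
		Time:    "2022-07-06T17:57:07Z",
		Type:    "\x1b[32mWorkflowExecutionCompleted\x1b[0m",
	}}
}

func main() {
	out, err := renderJSON(sampleEvents())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(out)
	fmt.Println("colour for table output on stdout:", useColor(os.Stdout, "table"))
}
```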

github.com/temporalio/temporal-v1.16.2: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/temporalio/temporal-v1.16.2

Found in HEAD commit: c3e45ba3f51f23542cf6971615ce4b1e9f888e1d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-0205 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |
| CVE-2019-0210 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |
| CVE-2018-11798 | Medium | 6.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |

Details

CVE-2019-0205

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.2 (Root Library)
    • github.com/uber/tchannel-go-v1.22.3
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: c3e45ba3f51f23542cf6971615ce4b1e9f888e1d

Found in base branch: main

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-29

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-29

Fix Resolution: org.apache.thrift:libthrift:0.13.0

CVE-2019-0210

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.2 (Root Library)
    • github.com/uber/tchannel-go-v1.22.3
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: c3e45ba3f51f23542cf6971615ce4b1e9f888e1d

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.

Publish Date: 2019-10-29

URL: CVE-2019-0210

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E

Release Date: 2019-10-29

Fix Resolution: 0.13.0

CVE-2018-11798

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-v1.16.2 (Root Library)
    • github.com/uber/tchannel-go-v1.22.3
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: c3e45ba3f51f23542cf6971615ce4b1e9f888e1d

Found in base branch: main

Vulnerability Details

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.

Publish Date: 2019-01-07

URL: CVE-2018-11798

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798

Release Date: 2019-01-07

Fix Resolution: v0.12.0

tctl - add a way to pass a context propagated value

Problem
I'm trying to run my workflow via tctl wf run but the workflow assumes certain values are in the context via context propagation.

Suggested solutions
A way to supply values into the context as if they were supplied via context propagation, for example (I don't mind the flag naming/exact input format):
tctl run wf ... --context-propagation '{"user-id"=1}'

Alternatives considered
Running the workflow via the client sdk, I think it might solve the problem though it takes a lot more work.

Add CLI integration tests

Not all CLI commands are covered with unit tests and some sort of integration tests need to be added.

[Bug] Missing go-releaser artifacts in releases/tags.

What are you really trying to do?

Download artifacts built for releases from release tag

Describe the bug

Release tags should contain the output artifacts from go-releaser
Temporal server does this, as this will allow tags to be the source of truth for built binaries for docker images and users to install w/o having to build from source.

Minimal Reproduction

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

Example given:
https://github.com/temporalio/temporal/releases/tag/v1.16.0

github.com/temporalio/temporal-3b8f6932d9fcb12c58cba0d461ac72a30fc9bb86: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/temporalio/temporal-3b8f6932d9fcb12c58cba0d461ac72a30fc9bb86

Found in HEAD commit: 740d063d2b31fb28b59301c4cd3b5432f9779094

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-0205 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |
| CVE-2019-0210 | High | 7.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |
| CVE-2018-11798 | Medium | 6.5 | github.com/apache/thrift-0.10.0 | Transitive | N/A | |

Details

CVE-2019-0205

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-3b8f6932d9fcb12c58cba0d461ac72a30fc9bb86 (Root Library)
    • github.com/uber/tchannel-go-v1.22.2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 740d063d2b31fb28b59301c4cd3b5432f9779094

Found in base branch: main

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-29

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-29

Fix Resolution: org.apache.thrift:libthrift:0.13.0

CVE-2019-0210

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-3b8f6932d9fcb12c58cba0d461ac72a30fc9bb86 (Root Library)
    • github.com/uber/tchannel-go-v1.22.2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 740d063d2b31fb28b59301c4cd3b5432f9779094

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.

Publish Date: 2019-10-29

URL: CVE-2019-0210

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E

Release Date: 2019-10-29

Fix Resolution: 0.13.0

CVE-2018-11798

Vulnerable Library - github.com/apache/thrift-0.10.0

Apache Thrift

Dependency Hierarchy:

  • github.com/temporalio/temporal-3b8f6932d9fcb12c58cba0d461ac72a30fc9bb86 (Root Library)
    • github.com/uber/tchannel-go-v1.22.2
      • github.com/apache/thrift-0.10.0 (Vulnerable Library)

Found in HEAD commit: 740d063d2b31fb28b59301c4cd3b5432f9779094

Found in base branch: main

Vulnerability Details

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.

Publish Date: 2019-01-07

URL: CVE-2018-11798

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798

Release Date: 2019-01-07

Fix Resolution: v0.12.0

github.com/stretchr/testify-v1.7.1: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/stretchr/testify-v1.7.1

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-28948 | High | 7.5 | github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc | Transitive | N/A | |

Details

CVE-2022-28948

Vulnerable Library - github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/stretchr/testify-v1.7.1 (Root Library)
    • github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0

[Bug] --fields freezes terminal if passed value not in the list of accepted fields

What are you really trying to do?

Describe the bug

tctl -n canary w l --output table --fields l
Error: unable to print table
Error Details: unknown field l.
Available fields: "Execution","Execution.WorkflowId","Execution.RunId","Type","Type.Name","StartTime","CloseTime","Status","HistoryLength","ParentNamespaceId","ParentExecution","ExecutionTime","Memo","Memo.Fields","SearchAttributes","AutoResetPoints","TaskQueue","StateTransitionCount"
('export TEMPORAL_CLI_SHOW_STACKS=1' to see stack traces)

After that, the terminal input is going to be somewhat broken and will not respond to the majority of actions

Minimal Reproduction

  • tctl config set version next
  • tctl w l --output table --fields notafield

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version
  • Are you using Docker or Kubernetes or building Temporal from source?

Additional context

github.com/temporalio/tctl-kit-9c751176dd14802de54640c41001cdbbfe96d238: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/temporalio/tctl-kit-9c751176dd14802de54640c41001cdbbfe96d238

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-28948 | High | 7.5 | github.com/go-yaml/yaml-v2.4.0 | Transitive | N/A | |

Details

CVE-2022-28948

Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/temporalio/tctl-kit-9c751176dd14802de54640c41001cdbbfe96d238 (Root Library)
    • github.com/spf13/viper-v1.11.0
      • github.com/go-yaml/yaml-v2.4.0 (Vulnerable Library)

Found in HEAD commit: 6f6ebad8660634107adc1c457106cbb8c09792b6

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm53-mpmp-7qw2

Release Date: 2022-05-19

Fix Resolution: v3.0.0

Add support for protobuf inputs

Is your feature request related to a problem? Please describe.

tctl only supports JSON encoding for arguments. Workflows/signals that have inputs of protobuf type cannot be started/sent through it.

Describe the solution you'd like

Support protobuf arguments. This might require passing protobuf file as an additional parameter.

Additional context

User request (from Slack):

I have a workflow that uses protobuf-generated objects for its arguments. I can start workflows fine using the Java client directly. However, when I attempt to start with tctl, I get an error that indicates it is using the Jackson data converter instead of the proto json data converter. It looks like the payloads get routed to data serializers based on json/plain or json/protobuf encoding. Is there a way to set the different JSON encoding via tctl? Are there other possible options here?
Caused By: io.temporal.common.converter.DataConverterException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Cannot find a (Map) Key deserializer for type [simple type, class com.google.protobuf.Descriptors$FieldDescriptor]

[Bug] Better error message when cert not provided

What are you really trying to do?

Request a better error message when a cert isn't provided when describing a namespace.

Describe the bug

The following command was run:

tctl --ns <namespace> -address <address> --tls_ca_path <ca_path> -tls_key_path <key_path> n desc

and I received the following error message:

Error: Operation DescribeNamespace failed.
Error Details: rpc error: code = Unavailable desc = connection closed before server preface received

When I provided the needed --tls_cert_path, this worked, but this was non-obvious based on the error message provided.

Minimal Reproduction

See above.

Environment/Versions

tctl version 1.16.1

Additional context

Please slack me with further questions
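One way to turn the opaque transport error in the report above into an actionable message is to validate the TLS flag combination before dialing. The following is an added example, not tctl's own code: the flag names come from the report, while `tlsFlags` and `buildTLSConfig` are hypothetical and the file paths in `main` are constructed placeholders.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// tlsFlags holds the values of --tls_ca_path, --tls_cert_path and
// --tls_key_path. Hypothetical type used for illustration.
type tlsFlags struct {
	CAPath   string
	CertPath string
	KeyPath  string
}

// buildTLSConfig checks that the client certificate and key are supplied
// together before any file is read or any connection is attempted, then
// builds the client configuration. It returns (nil, nil) when no TLS flag
// was given at all.
func buildTLSConfig(f tlsFlags) (*tls.Config, error) {
	switch {
	case f.KeyPath != "" && f.CertPath == "":
		return nil, errors.New("--tls_key_path was given without --tls_cert_path: " +
			"a client key is only usable together with its certificate")
	case f.CertPath != "" && f.KeyPath == "":
		return nil, errors.New("--tls_cert_path was given without --tls_key_path: " +
			"a client certificate is only usable together with its key")
	}
	if f.CAPath == "" && f.CertPath == "" {
		return nil, nil
	}

	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if f.CAPath != "" {
		pem, err := os.ReadFile(f.CAPath)
		if err != nil {
			return nil, fmt.Errorf("reading --tls_ca_path: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pem) {
			return nil, fmt.Errorf("--tls_ca_path %q contains no PEM certificates", f.CAPath)
		}
		cfg.RootCAs = pool
	}
	if f.CertPath != "" {
		pair, err := tls.LoadX509KeyPair(f.CertPath, f.KeyPath)
		if err != nil {
			return nil, fmt.Errorf("loading client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

func main() {
	// Same combination as in the report: CA and key, but no certificate.
	_, err := buildTLSConfig(tlsFlags{CAPath: "ca.pem", KeyPath: "client.key"})
	fmt.Println("Error:", err)
}
```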

tctl workflow reset --only_non_deterministic flag doesn't detect NonDeterministic workflows with Java SDK.

I tried passing the flag --only_non_deterministic to the tctl reset command, but a workflow failing due to NonDeterministicException got skipped.

I think the issue is this line:
https://github.com/temporalio/temporal/blob/cbd1b5e2dde161328ce0b662a7fd94a27f9a97c2/tools/cli/workflowCommands.go#L1764

If my understanding is correct, it's checking whether the failure message contains the string "nondeterministic". In Java SDK, the capitalization will be "NonDeterministic" so the string match fails.

Add tctl-authorization-plugin to docker-images

Is your feature request related to a problem? Please describe.
We want to use the authorization plugin, to be able to authenticate cli requests to a locked down server.

Describe the solution you'd like
It would be nice if the tctl-authorization-plugin were added to the images that contain the tctl binary, so it could be easily enabled using the environment variables.

Describe alternatives you've considered
Our current solution is to rebuild the Docker image, adding the authorization plugin. Another solution we have considered is to build the plugin binary and mount it when running the image; however, that's a bit cumbersome.
