Resolve merge conflicts

Signed-off-by: Gaziza Yestemirova <[email protected]>

Author: gazi-yestemirova

.gen/proto/sharddistributor/v1/executor.pb.go

@@ -58,10 +58,14 @@ func TestGetActiveClusterInfoByClusterAttribute(t *testing.T) {
 			name:             "nil cluster attribute - returns domain-level active cluster info",
 			clusterAttribute: nil,
 			activeClusterCfg: &types.ActiveClusters{
-				ActiveClustersByRegion: map[string]types.ActiveClusterInfo{
-					"us-west": {
-						ActiveClusterName: "cluster0",
-						FailoverVersion:   20,
+				AttributeScopes: map[string]types.ClusterAttributeScope{
+					"region": {
+						ClusterAttributes: map[string]types.ActiveClusterInfo{
+							"us-west": {
+								ActiveClusterName: "cluster0",
+								FailoverVersion:   20,
+							},
+						},
 					},
 				},
 			},

.gen/proto/sharddistributor/v1/executor.pb.yarpc.go

@@ -0,0 +1,63 @@
+## Cadence has two authorizer options:
+
+1. OAuthAuthorizer: validates JWTs issued by your Identity Provider and enforces permissions.
+2. NoopAuthorizer: turns authorization off.
+
+In order to configure, add an authorization section to Cadence server config [example](https://github.com/cadence-workflow/cadence/blob/master/config/development_oauth.yaml). These fields map 1:1 to the Go structs in [common/config](https://github.com/cadence-workflow/cadence/blob/master/common/config/authorization.go).
+
+### Option A for OAuth : Validate tokens via JWKS
+
+
+    authorization:
+        oauthAuthorizer:
+            enable: true 
+            # Reject tokens with excessively long TTL (seconds). Optional but recommended.
+            maxJwtTTL: 3600 
+    
+            # JWT verification config (algorithm + how to fetch public keys)
+            jwtCredentials:
+                algorithm: RS256         # supported: RS256
+            # publicKey is optional if you supply a JWKS URL (below)
+            # publicKey: /etc/cadence/keys/idp-public.pem
+
+            provider:
+                jwksURL: "https://YOUR_IDP/.well-known/jwks.json"
+                # Optional JSONPath-like claims locations used by Cadence:
+                groupsAttributePath: "groups"      
+                adminAttributePath: "admin"
+
+### Option B for OAuth : Validate tokens via a static public key
+
+
+    authorization:
+        oauthAuthorizer:
+            enable: true
+            maxJwtTTL: 3600
+            jwtCredentials:
+                algorithm: RS256
+                publicKey: /etc/cadence/keys/idp-public.pem
+
+### NoopAuthorizer: Turning authz off
+
+
+    authorization:
+        noopAuthorizer:
+            enable: true
+
+## Background
+
+The server constructs an authorization.Attributes object for each API call (actor, API name, domain, optional workflow/tasklist), evaluates the token, and returns an allow/deny Decision. JWTs are expected to contain Cadence-specific claims including groups and (optionally) an admin flag.
+
+### Key structs & functions:
+
+```
+authorization.Authorizer interface 
+
+authorization.Attributes 
+ 
+authorization.Decision
+
+authorization.JWTClaims
+```
+
+When OAuth authZ is enabled, clients must present a valid JWT to the frontend service on every call (Cadence uses the provided token to authorize the API/Domain access). The exact header/wire placement is handled by Cadence’s server middleware and the client transport; the important bit is that the token must validate against your jwksURL/publicKey, include expected claims (groups/admin), and not exceed maxJwtTTL. 

common/activecluster/manager_test.go

@@ -890,8 +890,9 @@ func (entry *DomainCacheEntry) NewDomainNotActiveError(currentCluster, activeClu
 
 // IsActive return whether the domain is active in the current cluster,
 // - for local domain, it is always active
-// - for active-passive domain, it is active if it is not pending active and active cluster is the current cluster
-// - for active-active domain, it is active if the current cluster is in the active clusters list
+// - for global domain, it is active if it is not pending active and the domain's active cluster is the current cluster or if the domain is active-active and the active cluster of one of the cluster attributes is the current cluster
+// TODO(active-active): for active-active domains, we should review this logic because now workflows can be active in different clusters based on the cluster attribute.
+// We should also revisit its usage in history service.
 func (entry *DomainCacheEntry) IsActiveIn(currentCluster string) bool {
 	if !entry.IsGlobalDomain() {
 		// domain is not a global domain, meaning domain is always "active" within each cluster
@@ -902,25 +903,22 @@ func (entry *DomainCacheEntry) IsActiveIn(currentCluster string) bool {
 		return false
 	}
 
-	// TODO(active-active): review this logic because cluster attribute might be an input
-	if entry.GetReplicationConfig().IsActiveActive() {
-		for _, scope := range entry.GetReplicationConfig().ActiveClusters.AttributeScopes {
+	activeCluster := entry.GetReplicationConfig().ActiveClusterName
+	if currentCluster == activeCluster {
+		return true
+	}
+
+	if activeClusters := entry.GetReplicationConfig().ActiveClusters; activeClusters != nil {
+		for _, scope := range activeClusters.AttributeScopes {
 			for _, cl := range scope.ClusterAttributes {
 				if cl.ActiveClusterName == currentCluster {
 					return true
 				}
 			}
 		}
-
-		return false
-	}
-
-	activeCluster := entry.GetReplicationConfig().ActiveClusterName
-	if currentCluster != activeCluster {
-		return false
 	}
 
-	return true
+	return false
 }
 
 // IsDomainPendingActive returns whether the domain is in pending active state

common/authorization/README.md

@@ -341,6 +341,23 @@ func Test_IsActiveIn(t *testing.T) {
 			},
 			expectIsActive: true,
 		},
+		{
+			msg:            "active-active domain on domain level active cluster",
+			isGlobalDomain: true,
+			currentCluster: "A",
+			activeCluster:  "A",
+			activeClusters: &types.ActiveClusters{
+				AttributeScopes: map[string]types.ClusterAttributeScope{
+					"region": {
+						ClusterAttributes: map[string]types.ActiveClusterInfo{
+							"region0": {ActiveClusterName: "B"},
+							"region1": {ActiveClusterName: "B"},
+						},
+					},
+				},
+			},
+			expectIsActive: true,
+		},
 		{
 			msg:            "active-active domain on passive cluster",
 			isGlobalDomain: true,

common/cache/domainCache.go

@@ -127,16 +127,17 @@ func (d *AttrValidatorImpl) validateDomainReplicationConfigForGlobalDomain(
 	if !isInClusters(activeCluster) {
 		return errActiveClusterNotInClusters
 	}
-
-	if replicationConfig.IsActiveActive() {
-		// For active-active domains, also validate that all clusters in ActiveClustersByRegion are valid
-		for _, cluster := range activeClusters.ActiveClustersByRegion {
-			if err := d.validateClusterName(cluster.ActiveClusterName); err != nil {
-				return err
-			}
-
-			if !isInClusters(cluster.ActiveClusterName) {
-				return errActiveClusterNotInClusters
+	// For active-active domains, also validate that all clusters in AttributeScopes are valid
+	if activeClusters != nil && activeClusters.AttributeScopes != nil {
+		for _, scope := range activeClusters.AttributeScopes {
+			for _, cluster := range scope.ClusterAttributes {
+				if err := d.validateClusterName(cluster.ActiveClusterName); err != nil {
+					return err
+				}
+
+				if !isInClusters(cluster.ActiveClusterName) {
+					return errActiveClusterNotInClusters
+				}
 			}
 		}
 	}
@@ -182,3 +183,33 @@ func (d *AttrValidatorImpl) validateClusterName(
 	}
 	return nil
 }
+
+func (d *AttrValidatorImpl) validateActiveActiveDomainReplicationConfig(
+	activeClusters *types.ActiveClusters,
+) error {
+
+	if activeClusters == nil || activeClusters.AttributeScopes == nil {
+		return nil
+	}
+
+	clusters := d.clusterMetadata.GetEnabledClusterInfo()
+
+	for _, scopeData := range activeClusters.AttributeScopes {
+		for _, activeCluster := range scopeData.ClusterAttributes {
+			_, ok := clusters[activeCluster.ActiveClusterName]
+			if !ok {
+				return &types.BadRequestError{Message: fmt.Sprintf(
+					"Invalid active cluster name: %v",
+					activeCluster.ActiveClusterName,
+				)}
+			}
+			if activeCluster.FailoverVersion < 0 {
+				return &types.BadRequestError{Message: fmt.Sprintf(
+					"invalid failover version: %d",
+					activeCluster.FailoverVersion,
+				)}
+			}
+		}
+	}
+	return nil
+}