Fix Java Proxy Feature Tests with tlsServerName set (#717)

* fix proxy not using tlsServerName to verify

* fixes for go features tests when overriding tls server name and ca cert

Author: kepe-temporal

cmd/run.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"bufio"
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -301,15 +300,16 @@ func (r *Runner) Run(ctx context.Context, patterns []string) error {
 				err = r.RunGoExternal(ctx, run)
 			}
 		} else {
-			err = cmd.NewRunner(cmd.RunConfig{
-				Server:         r.config.Server,
-				Namespace:      r.config.Namespace,
-				ClientCertPath: r.config.ClientCertPath,
-				ClientKeyPath:  r.config.ClientKeyPath,
-				TLSServerName:  r.config.TLSServerName,
-				SummaryURI:     r.config.SummaryURI,
-				HTTPProxyURL:   r.config.HTTPProxyURL,
-			}).Run(ctx, run)
+		err = cmd.NewRunner(cmd.RunConfig{
+			Server:         r.config.Server,
+			Namespace:      r.config.Namespace,
+			ClientCertPath: r.config.ClientCertPath,
+			ClientKeyPath:  r.config.ClientKeyPath,
+			CACertPath:     r.config.CACertPath,
+			TLSServerName:  r.config.TLSServerName,
+			SummaryURI:     r.config.SummaryURI,
+			HTTPProxyURL:   r.config.HTTPProxyURL,
+		}).Run(ctx, run)
 		}
 	case "java":
 		if r.config.DirName != "" {
@@ -428,14 +428,16 @@ func (r *Runner) handleHistory(ctx context.Context, run *cmd.Run, summary Summar
 				Namespace: r.config.Namespace,
 				Logger:    r.log,
 			}
-			if r.config.ClientCertPath != "" {
-				cert, err := tls.LoadX509KeyPair(r.config.ClientCertPath, r.config.ClientKeyPath)
-				if err != nil {
-					return fmt.Errorf("failed to load certs: %s", err)
-				}
-				opts.ConnectionOptions.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
+			tlsCfg, err := harness.LoadTLSConfig(
+				r.config.ClientCertPath,
+				r.config.ClientKeyPath,
+				r.config.CACertPath,
+				r.config.TLSServerName,
+			)
+			if err != nil {
+				return fmt.Errorf("failed to load TLS config: %w", err)
 			}
-			var err error
+			opts.ConnectionOptions.TLS = tlsCfg
 			if cl, err = client.Dial(opts); err != nil {
 				return fmt.Errorf("failed creating client: %w", err)
 			}

features/client/http_proxy/feature.java

@@ -40,14 +40,25 @@ public static Run execute(Runner runner, boolean useAuth) throws Exception {
       var proxyAddr = proxyAddrBuilder.build();
 
       // Build a client that uses the HTTP proxy
-      var service =
-          WorkflowServiceStubs.newServiceStubs(
-              WorkflowServiceStubsOptions.newBuilder()
-                  .setTarget(runner.config.serverHostPort)
-                  .setSslContext(runner.config.sslContext)
-                  .setMetricsScope(runner.config.metricsScope)
-                  .setChannelInitializer(builder -> builder.proxyDetector(addr -> proxyAddr))
-                  .build());
+      var serviceBuilder =
+          WorkflowServiceStubsOptions.newBuilder()
+              .setTarget(runner.config.serverHostPort)
+              .setSslContext(runner.config.sslContext)
+              .setMetricsScope(runner.config.metricsScope);
+
+      var tlsServerName = runner.config.tlsServerName;
+      serviceBuilder.setChannelInitializer(
+          builder -> {
+            builder.proxyDetector(addr -> proxyAddr);
+            // Override authority for TLS verification if server name is specified
+            if (runner.config.sslContext != null
+                && tlsServerName != null
+                && !tlsServerName.isEmpty()) {
+              builder.overrideAuthority(tlsServerName);
+            }
+          });
+
+      var service = WorkflowServiceStubs.newServiceStubs(serviceBuilder.build());
       var client =
           WorkflowClient.newInstance(
               service,

harness/go/cmd/run.go

@@ -235,6 +235,7 @@ func (r *Runner) Run(ctx context.Context, run *Run) error {
 				Namespace:      r.config.Namespace,
 				ClientCertPath: r.config.ClientCertPath,
 				ClientKeyPath:  r.config.ClientKeyPath,
+				CACertPath:     r.config.CACertPath,
 				TaskQueue:      runFeature.TaskQueue,
 				Log:            r.log,
 				HTTPProxyURL:   r.config.HTTPProxyURL,