enable TLS if api key provided

Author: THardy98

temporal-serviceclient/src/main/java/io/temporal/serviceclient/ServiceStubsOptions.java

@@ -419,6 +419,7 @@ public static class Builder<T extends Builder<T>> {
     private ManagedChannel channel;
     private SslContext sslContext;
     private boolean enableHttps;
+    private boolean enableHttpsExplicitlySet;
     private String target;
     private Consumer<ManagedChannelBuilder<?>> channelInitializer;
     private Duration healthCheckAttemptTimeout;
@@ -435,6 +436,7 @@ public static class Builder<T extends Builder<T>> {
     private Collection<GrpcMetadataProvider> grpcMetadataProviders;
     private Collection<ClientInterceptor> grpcClientInterceptors;
     private Scope metricsScope;
+    private boolean apiKeyProvided;
 
     protected Builder() {}
 
@@ -443,6 +445,7 @@ protected Builder(ServiceStubsOptions options) {
       this.target = options.target;
       this.channelInitializer = options.channelInitializer;
       this.enableHttps = options.enableHttps;
+      this.enableHttpsExplicitlySet = true;
       this.sslContext = options.sslContext;
       this.healthCheckAttemptTimeout = options.healthCheckAttemptTimeout;
       this.healthCheckTimeout = options.healthCheckTimeout;
@@ -542,6 +545,7 @@ public T setSslContext(SslContext sslContext) {
      */
     public T setEnableHttps(boolean enableHttps) {
       this.enableHttps = enableHttps;
+      this.enableHttpsExplicitlySet = true;
       return self();
     }
 
@@ -613,6 +617,7 @@ public T addGrpcMetadataProvider(GrpcMetadataProvider grpcMetadataProvider) {
      * @return {@code this}
      */
     public T addApiKey(AuthorizationTokenSupplier apiKey) {
+      this.apiKeyProvided = true;
       addGrpcMetadataProvider(
           new AuthorizationGrpcMetadataProvider(() -> "Bearer " + apiKey.supply()));
       return self();
@@ -851,6 +856,14 @@ public ServiceStubsOptions validateAndBuildWithDefaults() {
       Collection<ClientInterceptor> grpcClientInterceptors =
           MoreObjects.firstNonNull(this.grpcClientInterceptors, Collections.emptyList());
 
+      // Auto-enable TLS when API key is provided and TLS is not explicitly set
+      boolean enableHttps;
+      if (this.enableHttpsExplicitlySet) {
+        enableHttps = this.enableHttps;
+      } else {
+        enableHttps = this.apiKeyProvided;
+      }
+
       Scope metricsScope = this.metricsScope != null ? this.metricsScope : new NoopScope();
       Duration healthCheckAttemptTimeout =
           this.healthCheckAttemptTimeout != null
@@ -865,7 +878,7 @@ public ServiceStubsOptions validateAndBuildWithDefaults() {
           this.channel,
           target,
           this.channelInitializer,
-          this.enableHttps,
+          enableHttps,
           this.sslContext,
           healthCheckAttemptTimeout,
           healthCheckTimeout,

temporal-serviceclient/src/test/java/io/temporal/serviceclient/ServiceStubsOptionsTest.java

@@ -0,0 +1,57 @@
+package io.temporal.serviceclient;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+public class ServiceStubsOptionsTest {
+
+  @Test
+  public void testTLSEnabledByDefaultWhenAPIKeyProvided() {
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .validateAndBuildWithDefaults();
+
+    assertTrue(options.getEnableHttps());
+  }
+
+  @Test
+  public void testTLSCanBeExplicitlyDisabledWithAPIKey() {
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .setEnableHttps(false)
+            .validateAndBuildWithDefaults();
+
+    assertFalse(options.getEnableHttps());
+  }
+
+  @Test
+  public void testExplicitTLSDisableBeforeAPIKeyStillDisables() {
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .setEnableHttps(false)
+            .addApiKey(() -> "test-api-key")
+            .validateAndBuildWithDefaults();
+
+    // Explicit TLS=false should take precedence regardless of order
+    assertFalse(options.getEnableHttps());
+  }
+
+  @Test
+  public void testExplicitTLSDisableAfterAPIKeyStillDisables() {
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .setEnableHttps(false)
+            .validateAndBuildWithDefaults();
+
+    // Explicit TLS=false should take precedence regardless of order
+    assertFalse(options.getEnableHttps());
+  }
+}