enable TLS if api key provided

Author: THardy98

temporal-serviceclient/src/main/java/io/temporal/serviceclient/ServiceStubsOptions.java

@@ -418,7 +418,7 @@ public String toString() {
   public static class Builder<T extends Builder<T>> {
     private ManagedChannel channel;
     private SslContext sslContext;
-    private boolean enableHttps;
+    private Boolean enableHttps;
     private String target;
     private Consumer<ManagedChannelBuilder<?>> channelInitializer;
     private Duration healthCheckAttemptTimeout;
@@ -851,6 +851,18 @@ public ServiceStubsOptions validateAndBuildWithDefaults() {
       Collection<ClientInterceptor> grpcClientInterceptors =
           MoreObjects.firstNonNull(this.grpcClientInterceptors, Collections.emptyList());
 
+      // Auto-enable TLS when API key is provided and TLS is not explicitly set
+      boolean enableHttps = this.enableHttps != null ? this.enableHttps : false;
+      if (this.enableHttps == null && this.sslContext == null) {
+        // Check if an API key provider was added
+        boolean hasApiKey =
+            grpcMetadataProviders.stream()
+                .anyMatch(provider -> provider instanceof AuthorizationGrpcMetadataProvider);
+        if (hasApiKey) {
+          enableHttps = true;
+        }
+      }
+
       Scope metricsScope = this.metricsScope != null ? this.metricsScope : new NoopScope();
       Duration healthCheckAttemptTimeout =
           this.healthCheckAttemptTimeout != null
@@ -865,7 +877,7 @@ public ServiceStubsOptions validateAndBuildWithDefaults() {
           this.channel,
           target,
           this.channelInitializer,
-          this.enableHttps,
+          enableHttps,
           this.sslContext,
           healthCheckAttemptTimeout,
           healthCheckTimeout,

temporal-serviceclient/src/test/java/io/temporal/serviceclient/ServiceStubsOptionsTest.java

@@ -0,0 +1,61 @@
+package io.temporal.serviceclient;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+public class ServiceStubsOptionsTest {
+
+  @Test
+  public void testTLSEnabledByDefaultWhenAPIKeyProvided() {
+    // Test that TLS is enabled by default when API key is provided and TLS is not configured
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .validateAndBuildWithDefaults();
+
+    // TLS should be auto-enabled when api_key is provided and tls not explicitly set
+    assertTrue(options.getEnableHttps());
+  }
+
+  @Test
+  public void testTLSCanBeExplicitlyDisabledWithAPIKey() {
+    // Test that TLS can be explicitly disabled even when API key is provided
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .setEnableHttps(false)
+            .validateAndBuildWithDefaults();
+
+    // TLS should remain disabled when explicitly set to false
+    assertFalse(options.getEnableHttps());
+  }
+
+  @Test
+  public void testTLSDisabledByDefaultWithoutAPIKey() {
+    // Test that TLS is disabled by default when no API key is provided
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .validateAndBuildWithDefaults();
+
+    // TLS should remain disabled when no api_key is provided
+    assertFalse(options.getEnableHttps());
+  }
+
+  @Test
+  public void testExplicitTLSConfigPreservedWithAPIKey() {
+    // Test that explicit TLS configuration is preserved when API key is provided
+    ServiceStubsOptions options =
+        WorkflowServiceStubsOptions.newBuilder()
+            .setTarget("localhost:7233")
+            .addApiKey(() -> "test-api-key")
+            .setEnableHttps(true)
+            .validateAndBuildWithDefaults();
+
+    // Explicit TLS config should be preserved
+    assertTrue(options.getEnableHttps());
+  }
+}