Expand Up @@ -19,17 +19,17 @@ jobs:
- name: Cache Rust Build
uses: Swatinem/rust-cache@v2.9.1
with:
shared-key: backend/oidc-bff
shared-key: backend/auth-gateway
workspaces: backend

- name: Check Formatting
working-directory: backend/oidc-bff
working-directory: backend/auth-gateway
run: >
cargo fmt
--check

- name: Lint with Clippy
working-directory: backend/oidc-bff
working-directory: backend/auth-gateway
run: >
cargo clippy
--all-targets
Expand Down Expand Up @@ -59,11 +59,11 @@ jobs:
- name: Cache Rust Build
uses: Swatinem/rust-cache@v2.9.1
with:
shared-key: backend/oidc-bff
shared-key: backend/auth-gateway
workspaces: backend

- name: Run Tests
working-directory: backend/oidc-bff
working-directory: backend/auth-gateway
run: >
cargo test
--all-targets
Expand Up @@ -13,7 +13,7 @@ jobs:
uses: actions/checkout@v5

- name: Generate Image Name
run: echo IMAGE_REPOSITORY=ghcr.io/$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]' | tr '[_]' '[\-]')-oidc-bff >> $GITHUB_ENV
run: echo IMAGE_REPOSITORY=ghcr.io/$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]' | tr '[_]' '[\-]')-auth-gateway >> $GITHUB_ENV

- name: Log in to GitHub Docker Registry
if: github.event_name != 'pull_request'
Expand All @@ -25,7 +25,7 @@ jobs:

- name: Extract Version from Tag
id: tags
run: echo version=$(echo "${{ github.ref }}" | awk -F '[@v]' '{print $3}') >> $GITHUB_OUTPUT
run: echo version=$(echo "${{ github.ref }}" | awk -F '[@v]' '{print $3}') >> $GITHUB_OUTPUT

- name: Docker Metadata
id: meta
Expand All @@ -43,10 +43,10 @@ jobs:
uses: docker/build-push-action@v6.18.0
with:
context: backend
file: backend/Dockerfile.oidc-bff
file: backend/Dockerfile.auth-gateway
target: deploy
push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/oidc-bff@') }}
load: ${{ !(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/oidc-bff@')) }}
push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/auth-gateway@') }}
load: ${{ !(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/auth-gateway@')) }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
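Review bot: The Generate Image Name step still expands `${{ github.repository }}` directly into the shell text, and the Extract Version step does the same with `${{ github.ref }}`; GitHub's workflow-hardening guidance is to read such contexts from the default environment variables so the value never becomes part of the script itself. Both contexts are low-risk here, since only branch and tag pushes by repository writers produce them, but the rewrite costs nothing: `run: echo IMAGE_REPOSITORY=ghcr.io/$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]' | tr '[_]' '[\-]')-auth-gateway >> $GITHUB_ENV` and `run: echo version=$(echo "$GITHUB_REF" | awk -F '[@v]' '{print $3}') >> $GITHUB_OUTPUT`. The awk split on `[@v]` also silently depends on the tag prefix containing no `v`, which holds for `auth-gateway` as it did for `oidc-bff`; a comment such as `# tag prefix must not contain 'v' or the field split breaks` would protect the next rename.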
10 changes: 5 additions & 5 deletions .github/workflows/ci.yaml
Expand Up @@ -79,16 +79,16 @@ jobs:
contents: read
packages: write

oidc_bff_code:
auth_gateway_code:
# Deduplicate jobs from pull requests and branch pushes within the same repo.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
uses: ./.github/workflows/_oidc_bff_code.yaml
uses: ./.github/workflows/_auth_gateway_code.yaml

oidc_bff_container:
auth_gateway_container:
# Deduplicate jobs from pull requests and branch pushes within the same repo.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
needs: oidc_bff_code
uses: ./.github/workflows/_oidc_bff_container.yaml
needs: auth_gateway_code
uses: ./.github/workflows/_auth_gateway_container.yaml
permissions:
contents: read
packages: write
2 changes: 1 addition & 1 deletion backend/Cargo.lock


4 changes: 2 additions & 2 deletions backend/Cargo.toml
Expand Up @@ -4,8 +4,8 @@ members = [
"auth-core",
"auth-core/migration",
"auth-daemon",
"graph-proxy",
"oidc-bff",
"graph-proxy",
"auth-gateway",
"sessionspaces",
"telemetry",
]
6 changes: 3 additions & 3 deletions backend/Dockerfile.auth-daemon
Expand Up @@ -7,7 +7,7 @@ RUN cargo install cargo-auditable
COPY argo-workflows-openapi/Cargo.toml argo-workflows-openapi/Cargo.toml
COPY graph-proxy/Cargo.toml graph-proxy/
COPY sessionspaces/Cargo.toml sessionspaces/
COPY oidc-bff/Cargo.toml oidc-bff/
COPY auth-gateway/Cargo.toml auth-gateway/
COPY auth-core/Cargo.toml auth-core/
COPY auth-core/migration/Cargo.toml auth-core/migration/
COPY auth-daemon/Cargo.toml auth-daemon/
Expand All @@ -21,8 +21,8 @@ RUN mkdir -p argo-workflows-openapi/src \
&& echo "fn main() {}" > graph-proxy/src/main.rs \
&& mkdir -p sessionspaces/src \
&& echo "fn main() {}" > sessionspaces/src/main.rs \
&& mkdir -p oidc-bff/src \
&& echo "fn main() {}" > oidc-bff/src/main.rs \
&& mkdir -p auth-gateway/src \
&& echo "fn main() {}" > auth-gateway/src/main.rs \
&& mkdir -p auth-daemon/src \
&& echo "fn main() {}" > auth-daemon/src/main.rs \
&& mkdir -p auth-core/src \
12 changes: 6 additions & 6 deletions backend/Dockerfile.oidc-bff → backend/Dockerfile.auth-gateway
Expand Up @@ -9,14 +9,14 @@ COPY Cargo.toml Cargo.lock ./

COPY . .

RUN touch --date @0 oidc-bff/src/main.rs \
&& cargo build --release --package oidc-bff
RUN touch --date @0 auth-gateway/src/main.rs \
&& cargo build --release --package auth-gateway

RUN touch oidc-bff/src/main.rs \
&& cargo auditable build --release --package oidc-bff
RUN touch auth-gateway/src/main.rs \
&& cargo auditable build --release --package auth-gateway

FROM gcr.io/distroless/cc-debian12@sha256:d703b626ba455c4e6c6fbe5f36e6f427c85d51445598d564652a2f334179f96e AS deploy

COPY --from=build /app/target/release/oidc-bff /oidc-bff
COPY --from=build /app/target/release/auth-gateway /auth-gateway

ENTRYPOINT ["/oidc-bff"]
ENTRYPOINT ["/auth-gateway"]
6 changes: 3 additions & 3 deletions backend/Dockerfile.graph-proxy
Expand Up @@ -15,7 +15,7 @@ COPY auth-core/Cargo.toml auth-core/
COPY auth-core/src/lib.rs auth-core/src/lib.rs
COPY auth-core/migration/Cargo.toml auth-core/migration/
COPY auth-daemon/Cargo.toml auth-daemon/
COPY oidc-bff/Cargo.toml oidc-bff/
COPY auth-gateway/Cargo.toml auth-gateway/
COPY graph-proxy/Cargo.toml graph-proxy/
COPY telemetry/build.rs telemetry/Cargo.toml telemetry/
COPY Cargo.toml Cargo.lock ./
Expand All @@ -24,8 +24,8 @@ RUN mkdir -p graph-proxy/src \
&& echo "fn main() {}" > graph-proxy/src/main.rs \
&& mkdir -p sessionspaces/src \
&& echo "fn main() {}" > sessionspaces/src/main.rs \
&& mkdir -p oidc-bff/src \
&& echo "fn main() {}" > oidc-bff/src/main.rs \
&& mkdir -p auth-gateway/src \
&& echo "fn main() {}" > auth-gateway/src/main.rs \
&& mkdir -p auth-core/src \
&& touch auth-core/src/lib.rs \
&& echo "fn main() {}" > auth-core/src/main.rs \
6 changes: 3 additions & 3 deletions backend/Dockerfile.sessionspaces
Expand Up @@ -10,7 +10,7 @@ COPY argo-workflows-openapi/Cargo.toml argo-workflows-openapi/Cargo.toml
COPY graph-proxy/Cargo.toml graph-proxy/
COPY sessionspaces/Cargo.toml sessionspaces/
COPY auth-daemon/Cargo.toml auth-daemon/
COPY oidc-bff/Cargo.toml oidc-bff/
COPY auth-gateway/Cargo.toml auth-gateway/
COPY auth-core/Cargo.toml auth-core/
COPY auth-core/src/lib.rs auth-core/src/lib.rs
COPY auth-core/migration/Cargo.toml auth-core/migration/
Expand All @@ -26,8 +26,8 @@ RUN mkdir -p argo-workflows-openapi/src \
&& echo "fn main() {}" > sessionspaces/src/main.rs \
&& mkdir -p auth-daemon/src \
&& echo "fn prebuild() {}" > auth-daemon/src/main.rs \
&& mkdir -p oidc-bff/src \
&& echo "fn main() {}" > oidc-bff/src/main.rs \
&& mkdir -p auth-gateway/src \
&& echo "fn main() {}" > auth-gateway/src/main.rs \
&& mkdir -p telemetry/src \
&& echo "fn prebuild() {}" > telemetry/src/lib.rs

2 changes: 1 addition & 1 deletion backend/auth-core/README.md
@@ -1,6 +1,6 @@
# auth-core

Shared Rust library providing OIDC authentication primitives for the Workflows auth services. Not deployed independently — consumed by `auth-daemon` and `oidc-bff` as a Cargo dependency.
Shared Rust library providing OIDC authentication primitives for the Workflows auth services. Not deployed independently — consumed by `auth-daemon` and `auth-gateway` as a Cargo dependency.

## What it provides

2 changes: 1 addition & 1 deletion backend/auth-core/src/middleware/inject_token.rs
Expand Up @@ -13,7 +13,7 @@ use crate::request::{clone_request, prepare_headers};
/// Injects a token into the request, refreshing it if expired, and retries on auth failure.
/// Use this when the store cannot be expressed as a single `Arc<S>` in axum `State` — for
/// example, when it must be assembled per-request from multiple sources such as shared app
/// state and a per-request session (as in oidc-bff's `GatewayTokenContext`).
/// state and a per-request session (as in auth-gateway's `GatewayTokenContext`).
pub async fn inject_token_with<S>(
store: &S,
req: Request,
2 changes: 1 addition & 1 deletion backend/auth-core/src/oidc.rs
Expand Up @@ -9,7 +9,7 @@ use sodiumoxide::crypto::box_::{PublicKey, SecretKey};

use crate::Result;

// Re-export types needed by downstream crates (oidc-bff, auth-daemon)
// Re-export types needed by downstream crates (auth-gateway, auth-daemon)
pub use reqwest::Client as HttpClient;
pub use sea_orm::DatabaseConnection as DbConnection;
pub use sodiumoxide::crypto::box_::PublicKey as SodiumPublicKey;
Expand Up @@ -21,7 +21,7 @@ services:
# Runs app on the same network as the database container, allows "forwardPorts" in devcontainer.json function.
network_mode: service:db

# Use "forwardPorts" in **devcontainer.json** to forward an app port locally.
# Use "forwardPorts" in **devcontainer.json** to forward an app port locally.
# (Adding the "ports" property to this file will not forward from a Codespace.)

db:
Expand All @@ -34,4 +34,4 @@ services:
- .env

# Add "forwardPorts": ["5432"] to **devcontainer.json** to forward PostgreSQL locally.
# (Adding the "ports" property to this file will not forward from a Codespace.)
# (Adding the "ports" property to this file will not forward from a Codespace.)
@@ -1,8 +1,8 @@
[package]
name = "oidc-bff"
name = "auth-gateway"
version = "0.1.0"
edition = "2024"
default-run = "oidc-bff"
default-run = "auth-gateway"
license-file = "../../LICENSE"

[[bin]]
Expand All @@ -11,7 +11,7 @@ path = "src/bin/keygen.rs"
publish = false

[dependencies]
async-trait = {workspace = true }
async-trait = {workspace = true }
auth-core = { path = "../auth-core" }
anyhow = { workspace = true, features = ["backtrace"] }
axum = { workspace = true, features = ["macros"] }
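Review bot: The `async-trait` entry keeps the `{workspace = true }` spacing while every neighbouring dependency table is written `{ workspace = true, ... }`; since the line is already in the hunk, normalising it to `async-trait = { workspace = true }` would make the `[dependencies]` block uniform. The old and new lines render identically here, so the change may be whitespace-only; either way the spacing is worth fixing while the line is being touched.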
6 changes: 3 additions & 3 deletions backend/oidc-bff/README.md → backend/auth-gateway/README.md
@@ -1,11 +1,11 @@
# oidc-bff
# Auth-Gateway

Backend-For-Frontend (BFF) authentication gateway for the Workflows UI. Handles OIDC login via Diamond Keycloak, manages browser session cookies, stores encrypted tokens, and proxies authenticated requests to the GraphQL backend.
Authentication gateway for the Workflows UI. Handles OIDC login via Diamond Keycloak, manages browser session cookies, stores encrypted tokens, and proxies authenticated requests to the GraphQL backend.

## Usage

```sh
WORKFLOWS_OIDC_BFF_CONFIG=config.yaml cargo run
WORKFLOWS_AUTH_GATEWAY_CONFIG=config.yaml cargo run
```

Serves on port `5173` by default (configurable in `config.yaml`).
File renamed without changes.
File renamed without changes.
File renamed without changes.
Expand Up @@ -15,7 +15,6 @@ pub async fn login(State(state): State<Arc<AppState>>, session: Session) -> Resu
// Set the URL the user will be redirected to after the authorization process.
// .set_redirect_uri(RedirectUrl::new("https://localhost/callback".to_string())?);
let oidc_client = state.oidc_client.clone().set_redirect_uri(RedirectUrl::new(
// "http://localhost:5173/auth/callback".to_string(),
"https://staging.workflows.diamond.ac.uk/auth/callback".to_string(),
)?);
// .set_redirect_uri(RedirectUrl::new("https://workflows.diamond.ac.uk".to_string())?)
Expand Up @@ -37,14 +37,11 @@ struct Args {
#[arg(
short,
long,
env = "WORKFLOWS_OIDC_BFF_CONFIG",
env = "WORKFLOWS_AUTH_GATEWAY_CONFIG",
default_value = "config.yaml"
)]
config: String,
#[arg(
env = "GRAPH_URL",
default_value = "https://staging.workflows.diamond.ac.uk/graphql"
)]
#[arg(env = "GRAPH_URL")]
graph_url: String,
}

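Review bot: Dropping the default for `graph_url` turns `GRAPH_URL` into a hard startup requirement — as a non-`Option` `String` with no default, clap treats the argument as required — but nothing on the page documents that, and the README in this PR still shows only `WORKFLOWS_AUTH_GATEWAY_CONFIG` in its Usage block. A doc comment on the field would carry the contract: `/// Base URL of the GraphQL backend that authenticated requests are proxied to. Required; read from GRAPH_URL.`, and the README's Usage example should set the variable alongside the config path. The `Args` struct begins above the hunk. Making the backend URL deployment-specific is the right direction; the OIDC redirect URI in `login.rs` on this page appears to remain hard-coded to the staging host, so it presumably needs the same treatment before a non-staging deployment.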
File renamed without changes.
2 changes: 1 addition & 1 deletion charts/dashboard/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: dashboard
description: A dashboard for Diamond workflows
type: application
version: 0.2.19
version: 0.2.20
appVersion: 0.1.13
dependencies:
- name: common
15 changes: 8 additions & 7 deletions charts/dashboard/staging-values.yaml
Expand Up @@ -19,26 +19,27 @@ ingress:
- path: /api
pathType: Prefix
service:
name: oidc-bff
name: auth-gateway
port: 80
- path: /auth
pathType: Prefix
service:
name: oidc-bff
name: auth-gateway
port: 80

tls: true
secretName: dashboard-tls-cert
host: staging.workflows.diamond.ac.uk

oidcBff:
authGateway:
enabled: true
image:
registry: ghcr.io
repository: diamondlightsource/workflows-oidc-bff
tag: "tbt"
digest: "sha256:568b03a69ed9dda9df5bd96470ebba46d0460b7703c71b8ae3333c723a615d89"
repository: diamondlightsource/workflows-auth-gateway
tag: "latest"
digest: "sha256:b4dd2991fc67bb13b432e48821351aefa6487c4f3417c74f2d86cb19634b7760"
pullPolicy: IfNotPresent
pullSecrets: []
graphUrl: https://staging.workflows.diamond.ac.uk/graphql
configuration:
secretName: oidc-bff-config
secretName: auth-gateway-config
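Review bot: `tag: "latest"` beside a digest pin is ambiguous in the `authGateway.image` block: if the chart's image helper appends the digest, the tag is only a label and `latest` misleads readers about which build is running; if the helper prefers the tag when one is set, the staging deploy silently floats. The template is not on this page, so whichever it does, an immutable tag that corresponds to the digest — e.g. `tag: "<release-version>"  # must match the digest below` — lets the two be checked against each other. The previous value `"tbt"` had the same weakness, so this is a pre-existing issue the rename touched rather than a regression.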