feat(wfe-server): headless workflow server with gRPC, webhooks, and OIDC auth
Single-binary server exposing the WFE engine over gRPC (13 RPCs) with
HTTP webhook support (GitHub, Gitea, generic events).
Features:
- gRPC API: workflow CRUD, lifecycle event streaming, log streaming,
log search via OpenSearch
- HTTP webhooks: HMAC-SHA256 verified GitHub/Gitea webhooks with
configurable triggers that auto-start workflows
- OIDC/JWT auth: discovers JWKS from issuer, validates with asymmetric
algorithm allowlist to prevent algorithm confusion attacks
- Static bearer token auth with constant-time comparison
- Lifecycle event broadcasting via tokio::broadcast
- Log streaming: real-time stdout/stderr via LogSink trait, history
replay, follow mode
- Log search: full-text search via OpenSearch with workflow/step/stream
filters
- Layered config: CLI flags > env vars > TOML file
- Fail-closed on OIDC discovery failure, fail-loud on config parse errors
- 2MB webhook payload size limit
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)
2026-04-01 14:37:25 +01:00
|
|
|
use async_trait::async_trait;
|
|
|
|
|
use tokio::sync::broadcast;
|
|
|
|
|
use wfe_core::models::LifecycleEvent;
|
|
|
|
|
use wfe_core::traits::LifecyclePublisher;
|
|
|
|
|
|
|
|
|
|
/// Broadcasts lifecycle events to multiple subscribers via tokio broadcast channels.
|
|
|
|
|
pub struct BroadcastLifecyclePublisher {
|
|
|
|
|
sender: broadcast::Sender<LifecycleEvent>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl BroadcastLifecyclePublisher {
|
|
|
|
|
pub fn new(capacity: usize) -> Self {
|
|
|
|
|
let (sender, _) = broadcast::channel(capacity);
|
|
|
|
|
Self { sender }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn subscribe(&self) -> broadcast::Receiver<LifecycleEvent> {
|
|
|
|
|
self.sender.subscribe()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[async_trait]
|
|
|
|
|
impl LifecyclePublisher for BroadcastLifecyclePublisher {
|
|
|
|
|
async fn publish(&self, event: LifecycleEvent) -> wfe_core::Result<()> {
|
|
|
|
|
// Ignore send errors (no active subscribers).
|
|
|
|
|
let _ = self.sender.send(event);
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod tests {
|
|
|
|
|
use super::*;
|
|
|
|
|
use wfe_core::models::LifecycleEventType;
|
|
|
|
|
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn publish_and_receive() {
|
|
|
|
|
let bus = BroadcastLifecyclePublisher::new(16);
|
|
|
|
|
let mut rx = bus.subscribe();
|
|
|
|
|
|
|
|
|
|
let event = LifecycleEvent::new("wf-1", "def-1", 1, LifecycleEventType::Started);
|
|
|
|
|
bus.publish(event.clone()).await.unwrap();
|
|
|
|
|
|
|
|
|
|
let received = rx.recv().await.unwrap();
|
|
|
|
|
assert_eq!(received.workflow_instance_id, "wf-1");
|
|
|
|
|
assert_eq!(received.event_type, LifecycleEventType::Started);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn multiple_subscribers() {
|
|
|
|
|
let bus = BroadcastLifecyclePublisher::new(16);
|
|
|
|
|
let mut rx1 = bus.subscribe();
|
|
|
|
|
let mut rx2 = bus.subscribe();
|
|
|
|
|
|
2026-04-07 18:44:21 +01:00
|
|
|
bus.publish(LifecycleEvent::new(
|
|
|
|
|
"wf-1",
|
|
|
|
|
"def-1",
|
|
|
|
|
1,
|
|
|
|
|
LifecycleEventType::Completed,
|
|
|
|
|
))
|
|
|
|
|
.await
|
|
|
|
|
.unwrap();
|
feat(wfe-server): headless workflow server with gRPC, webhooks, and OIDC auth
Single-binary server exposing the WFE engine over gRPC (13 RPCs) with
HTTP webhook support (GitHub, Gitea, generic events).
Features:
- gRPC API: workflow CRUD, lifecycle event streaming, log streaming,
log search via OpenSearch
- HTTP webhooks: HMAC-SHA256 verified GitHub/Gitea webhooks with
configurable triggers that auto-start workflows
- OIDC/JWT auth: discovers JWKS from issuer, validates with asymmetric
algorithm allowlist to prevent algorithm confusion attacks
- Static bearer token auth with constant-time comparison
- Lifecycle event broadcasting via tokio::broadcast
- Log streaming: real-time stdout/stderr via LogSink trait, history
replay, follow mode
- Log search: full-text search via OpenSearch with workflow/step/stream
filters
- Layered config: CLI flags > env vars > TOML file
- Fail-closed on OIDC discovery failure, fail-loud on config parse errors
- 2MB webhook payload size limit
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)
2026-04-01 14:37:25 +01:00
|
|
|
|
|
|
|
|
let e1 = rx1.recv().await.unwrap();
|
|
|
|
|
let e2 = rx2.recv().await.unwrap();
|
|
|
|
|
assert_eq!(e1.event_type, LifecycleEventType::Completed);
|
|
|
|
|
assert_eq!(e2.event_type, LifecycleEventType::Completed);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn no_subscribers_does_not_error() {
|
|
|
|
|
let bus = BroadcastLifecyclePublisher::new(16);
|
|
|
|
|
// No subscribers — should not panic.
|
2026-04-07 18:44:21 +01:00
|
|
|
bus.publish(LifecycleEvent::new(
|
|
|
|
|
"wf-1",
|
|
|
|
|
"def-1",
|
|
|
|
|
1,
|
|
|
|
|
LifecycleEventType::Started,
|
|
|
|
|
))
|
|
|
|
|
.await
|
|
|
|
|
.unwrap();
|
feat(wfe-server): headless workflow server with gRPC, webhooks, and OIDC auth
Single-binary server exposing the WFE engine over gRPC (13 RPCs) with
HTTP webhook support (GitHub, Gitea, generic events).
Features:
- gRPC API: workflow CRUD, lifecycle event streaming, log streaming,
log search via OpenSearch
- HTTP webhooks: HMAC-SHA256 verified GitHub/Gitea webhooks with
configurable triggers that auto-start workflows
- OIDC/JWT auth: discovers JWKS from issuer, validates with asymmetric
algorithm allowlist to prevent algorithm confusion attacks
- Static bearer token auth with constant-time comparison
- Lifecycle event broadcasting via tokio::broadcast
- Log streaming: real-time stdout/stderr via LogSink trait, history
replay, follow mode
- Log search: full-text search via OpenSearch with workflow/step/stream
filters
- Layered config: CLI flags > env vars > TOML file
- Fail-closed on OIDC discovery failure, fail-loud on config parse errors
- 2MB webhook payload size limit
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)
2026-04-01 14:37:25 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn step_events_propagate() {
|
|
|
|
|
let bus = BroadcastLifecyclePublisher::new(16);
|
|
|
|
|
let mut rx = bus.subscribe();
|
|
|
|
|
|
|
|
|
|
bus.publish(LifecycleEvent::new(
|
|
|
|
|
"wf-1",
|
|
|
|
|
"def-1",
|
|
|
|
|
1,
|
|
|
|
|
LifecycleEventType::StepStarted {
|
|
|
|
|
step_id: 3,
|
|
|
|
|
step_name: Some("build".to_string()),
|
|
|
|
|
},
|
|
|
|
|
))
|
|
|
|
|
.await
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
let received = rx.recv().await.unwrap();
|
|
|
|
|
assert_eq!(
|
|
|
|
|
received.event_type,
|
|
|
|
|
LifecycleEventType::StepStarted {
|
|
|
|
|
step_id: 3,
|
|
|
|
|
step_name: Some("build".to_string()),
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn error_events_include_message() {
|
|
|
|
|
let bus = BroadcastLifecyclePublisher::new(16);
|
|
|
|
|
let mut rx = bus.subscribe();
|
|
|
|
|
|
|
|
|
|
bus.publish(LifecycleEvent::new(
|
|
|
|
|
"wf-1",
|
|
|
|
|
"def-1",
|
|
|
|
|
1,
|
|
|
|
|
LifecycleEventType::Error {
|
|
|
|
|
message: "step failed".to_string(),
|
|
|
|
|
},
|
|
|
|
|
))
|
|
|
|
|
.await
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
let received = rx.recv().await.unwrap();
|
|
|
|
|
assert_eq!(
|
|
|
|
|
received.event_type,
|
|
|
|
|
LifecycleEventType::Error {
|
|
|
|
|
message: "step failed".to_string(),
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|