Add workflow matrix

Author: yacchin1205

.github/scripts/generate_ci_config.sh

@@ -3,7 +3,7 @@ set -xeuo pipefail
 
 if [[ $# -lt 2 ]]; then
   cat >&2 <<'USAGE'
-Usage: generate_ci_config.sh <output_path> <base_config_yaml> [--minio] [--jupyterhub]
+Usage: generate_ci_config.sh <output_path> <base_config_yaml> [--minio] [--jupyterhub] [--weko] [--flowable]
 USAGE
   exit 1
 fi
@@ -14,6 +14,7 @@ shift 2
 MINIO=false
 JUPYTERHUB=false
 WEKO=false
+FLOWABLE=false
 
 for arg in "$@"; do
   case "$arg" in
@@ -26,6 +27,9 @@ for arg in "$@"; do
     --weko)
       WEKO=true
       ;;
+    --flowable)
+      FLOWABLE=true
+      ;;
     *)
       echo "Unknown argument: ${arg}" >&2
       exit 1
@@ -117,4 +121,22 @@ ignore_https_errors: ${IGNORE_HTTPS_ERRORS_VALUE}
 EOF
 fi
 
+if [[ "${FLOWABLE}" == "true" ]]; then
+  GATEWAY_BASE_URL_VALUE=${GATEWAY_BASE_URL:-http://192.168.168.167:8088/}
+  WORKFLOW_BATCH_PROJECT_COUNT_VALUE=${WORKFLOW_BATCH_PROJECT_COUNT:-50}
+
+  cat >> "${OUTPUT}" <<EOF
+
+# Flowable Workflow settings
+workflow_enabled: true
+gateway_base_url: '${GATEWAY_BASE_URL_VALUE}'
+workflow_batch_project_count: ${WORKFLOW_BATCH_PROJECT_COUNT_VALUE}
+EOF
+else
+  cat >> "${OUTPUT}" <<'EOF'
+
+workflow_enabled: false
+EOF
+fi
+
 cat "${OUTPUT}"

.github/scripts/setup_flowable.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+set -xeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+COMMAND=${1:-}
+FLOWABLE_ROOT=${2:-}
+RDM_ROOT=${3:-}
+
+if [[ -z "${COMMAND}" ]]; then
+  echo "Usage: $0 <prepare|install|down> <flowable_root_dir> [rdm_root_dir]" >&2
+  exit 1
+fi
+
+wait_for_url() {
+  local url="$1"
+  local attempts=30
+  local delay=10
+  for ((i=1; i<=attempts; i++)); do
+    if curl -f "$url" >/dev/null 2>&1; then
+      echo "${url} is reachable"
+      return 0
+    fi
+    echo "Attempt ${i}/${attempts} failed for ${url}" >&2
+    sleep "$delay"
+  done
+  echo "Timed out waiting for ${url}" >&2
+  return 1
+}
+
+case "$COMMAND" in
+  prepare)
+    if [[ -z "${FLOWABLE_ROOT}" || -z "${RDM_ROOT}" ]]; then
+      echo "Usage: $0 prepare <flowable_root_dir> <rdm_root_dir>" >&2
+      exit 1
+    fi
+
+    # Ensure RDM workflow keys directory exists
+    mkdir -p "${RDM_ROOT}/addons/workflow/tests/keys"
+
+    # Generate RSA key pair for RDM service (used by RDM to sign tokens to gateway)
+    openssl genrsa -out "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" 2048
+    openssl rsa -in "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" -pubout \
+      -out "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.pub"
+
+    # Generate RSA key pair for gateway (used by gateway to sign tokens back to RDM)
+    openssl genrsa -out "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" 2048
+    openssl rsa -in "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" -pubout \
+      -out "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.pub"
+
+    # Create workflow addon local.py for RDM
+    mkdir -p "${RDM_ROOT}/addons/workflow/settings"
+    cat > "${RDM_ROOT}/addons/workflow/settings/local.py" << 'EOF'
+RDM_TO_WORKFLOW_GATEWAY_KEYS = [
+    {
+        'kid': 'rdm-service-v1',
+        'alg': 'RS256',
+        'public_key_path': '/code/addons/workflow/tests/keys/rdm-service-v1.pub',
+        'private_key_path': '/code/addons/workflow/tests/keys/rdm-service-v1.key',
+    },
+]
+EOF
+
+    # Copy keys to gateway config
+    cp "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" "${FLOWABLE_ROOT}/config/rdm-service.key"
+    cp "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" "${FLOWABLE_ROOT}/config/gateway-dev-v1.key"
+
+    # Create keyset.json with the RDM public key for gateway
+    RDM_PUBLIC_KEY=$(cat "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.pub" | python3 -c "import sys, json; print(json.dumps(sys.stdin.read()))")
+    cat > "${FLOWABLE_ROOT}/config/keyset.json" << EOF
+{
+  "keys": [
+    {
+      "kid": "rdm-service-v1",
+      "alg": "RS256",
+      "public_key": ${RDM_PUBLIC_KEY}
+    }
+  ]
+}
+EOF
+
+    # Generate Fernet encryption key
+    ENCRYPTION_KEY=$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
+
+    # Create .env file for gateway CI environment
+    cat > "${FLOWABLE_ROOT}/.env" << EOF
+# Flowable REST admin credentials
+FLOWABLE_REST_APP_ADMIN_USER_ID=rest-admin
+FLOWABLE_REST_APP_ADMIN_PASSWORD=rest-admin
+
+# Gateway -> Flowable wiring
+FLOWABLE_REST_BASE_URL=http://flowable:8080/flowable-rest
+
+# RDM keyset configuration
+RDM_KEYSET_PATH=/app/config/keyset.json
+
+# Gateway internal wiring
+GATEWAY_INTERNAL_URL=http://gateway:8088
+RDM_ALLOWED_DOMAINS=http://192.168.168.167:5000
+RDM_ALLOWED_API_DOMAINS=http://192.168.168.167:8000
+RDM_ALLOWED_WATERBUTLER_URLS=http://192.168.168.167:7777
+
+# Database connection
+DATABASE_URL=postgresql://gateway:gateway@postgres:5432/gateway
+
+# Gateway signing key
+GATEWAY_SIGNING_KEY_ID=gateway-dev-v1
+GATEWAY_SIGNING_PRIVATE_KEY_PATH=/app/config/gateway-dev-v1.key
+
+# Encryption key for stored delegation tokens
+ENCRYPTION_KEY=${ENCRYPTION_KEY}
+EOF
+    echo "Flowable gateway configuration prepared"
+    ;;
+  install)
+    if [[ -z "${FLOWABLE_ROOT}" || ! -d "${FLOWABLE_ROOT}" ]]; then
+      echo "Flowable root directory not found: ${FLOWABLE_ROOT}" >&2
+      exit 1
+    fi
+
+    pushd "${FLOWABLE_ROOT}"
+
+    # Build and start the stack
+    docker compose up -d --build
+
+    popd
+
+    # Wait for gateway to be ready
+    wait_for_url "http://192.168.168.167:8088/healthz"
+
+    # Initialize database
+    pushd "${FLOWABLE_ROOT}"
+    docker compose run --rm gateway python -m gateway.init_db
+    popd
+
+    echo "Flowable gateway installed"
+    ;;
+  down)
+    if [[ -z "${FLOWABLE_ROOT}" || ! -d "${FLOWABLE_ROOT}" ]]; then
+      echo "Flowable root directory not found, skipping cleanup"
+      exit 0
+    fi
+
+    pushd "${FLOWABLE_ROOT}"
+    docker compose down -v || true
+    popd
+    ;;
+  *)
+    echo "Unknown command: ${COMMAND}" >&2
+    exit 1
+    ;;
+esac

.github/scripts/setup_test_data.py

@@ -23,6 +23,26 @@
         'family_name_ja': 'ユーザー2',
         'password': 'testpass456',
     },
+    {
+        'username': 'teststaff@example.com',
+        'fullname': 'Test Staff',
+        'given_name': 'Test',
+        'family_name': 'Staff',
+        'given_name_ja': 'テスト',
+        'family_name_ja': 'スタッフ',
+        'password': 'testpass789',
+        'is_staff': True,
+    },
+    {
+        'username': 'testuser3@example.com',
+        'fullname': 'Test User 3',
+        'given_name': 'Test',
+        'family_name': 'User 3',
+        'given_name_ja': 'テスト',
+        'family_name_ja': 'ユーザー3',
+        'password': 'testpass321',
+        'institution': 'Massachusetts Institute of Technology [Test]',
+    },
 ]
 
 for user_data in test_users:
@@ -47,10 +67,11 @@
         user.have_email = True
         # Set jobs for profile completion (required for is_full_account_required_info)
         # Structure must match unserialize_job in website/profile/views.py
+        user_institution = user_data.get('institution', INSTITUTION_NAME)
         user.jobs = [{
-            'institution': INSTITUTION_NAME,
+            'institution': user_institution,
             'department': None,
-            'institution_ja': INSTITUTION_NAME,
+            'institution_ja': user_institution,
             'department_ja': None,
             'title': None,
             'startMonth': None,
@@ -63,6 +84,9 @@
         if user_data.get('is_superuser', False):
             user.is_superuser = True
             user.is_staff = True
+        # Set staff if specified (without superuser)
+        elif user_data.get('is_staff', False):
+            user.is_staff = True
         user.save()
 
         # Create email for the user
@@ -101,9 +125,10 @@
         print(f"PROJECT_NAME_{username}: {project.title}")
 
 # Affiliate users with institution
-inst = Institution.objects.get(name=INSTITUTION_NAME)
 for user_data in test_users:
     user = OSFUser.objects.get(username=user_data['username'])
+    user_institution = user_data.get('institution', INSTITUTION_NAME)
+    inst = Institution.objects.get(name=user_institution)
     if inst not in user.affiliated_institutions.all():
         user.affiliated_institutions.add(inst)
         user.save()