[GRDM-57041] Workflow Matrixの追加

.github/patches/weko-oauth2-insecure-transport.patch

@@ -0,0 +1,19 @@
+--- a/modules/invenio-oauth2server/invenio_oauth2server/validators.py
++++ b/modules/invenio-oauth2server/invenio_oauth2server/validators.py
+@@ -10,6 +10,7 @@
+
+ from __future__ import absolute_import, print_function
+
++import os
+ from flask import current_app
+ from oauthlib.oauth2.rfc6749.errors import InsecureTransportError, \
+     InvalidRedirectURIError
+@@ -32,6 +33,8 @@ def validate_redirect_uri(value):
+     if sch != 'https':
+         if ':' in netloc:
+             netloc, port = netloc.split(':', 1)
++        if os.environ.get('OAUTHLIB_INSECURE_TRANSPORT'):
++            return
+         if not (netloc in ('localhost', '127.0.0.1') and sch == 'http'):
+             raise InsecureTransportError()
+

.github/scripts/generate_ci_config.sh

@@ -3,7 +3,7 @@ set -xeuo pipefail
 
 if [[ $# -lt 2 ]]; then
   cat >&2 <<'USAGE'
-Usage: generate_ci_config.sh <output_path> <base_config_yaml> [--minio]
+Usage: generate_ci_config.sh <output_path> <base_config_yaml> [--minio] [--jupyterhub] [--weko] [--flowable]
 USAGE
   exit 1
 fi
@@ -12,12 +12,24 @@ OUTPUT=$1
 BASE_CONFIG=$2
 shift 2
 MINIO=false
+JUPYTERHUB=false
+WEKO=false
+FLOWABLE=false
 
 for arg in "$@"; do
   case "$arg" in
     --minio)
       MINIO=true
       ;;
+    --jupyterhub)
+      JUPYTERHUB=true
+      ;;
+    --weko)
+      WEKO=true
+      ;;
+    --flowable)
+      FLOWABLE=true
+      ;;
     *)
       echo "Unknown argument: ${arg}" >&2
       exit 1
@@ -61,4 +73,70 @@ storages_s3: []
 EOF
 fi
 
+if [[ "${JUPYTERHUB}" == "true" ]]; then
+  if [[ -z "${TLJH_URL:-}" || -z "${TLJH_USERNAME:-}" || -z "${TLJH_PASSWORD:-}" ]]; then
+    echo "TLJH connection information is not set" >&2
+    exit 1
+  fi
+
+  cat >> "${OUTPUT}" <<EOF
+
+jupyterhub_enabled: true
+tljh_url: '${TLJH_URL}'
+tljh_username: '${TLJH_USERNAME}'
+tljh_password: '${TLJH_PASSWORD}'
+EOF
+else
+  cat >> "${OUTPUT}" <<'EOF'
+
+jupyterhub_enabled: false
+EOF
+fi
+
+if [[ "${WEKO}" == "true" ]]; then
+  WEKO_URL_VALUE=${WEKO_URL:-http://localhost}
+  WEKO_ADMIN_EMAIL_VALUE=${WEKO_ADMIN_EMAIL:-}
+  WEKO_ADMIN_PASSWORD_VALUE=${WEKO_ADMIN_PASSWORD:-}
+  WEKO_USER_EMAIL_VALUE=${WEKO_USER_EMAIL:-}
+  WEKO_USER_PASSWORD_VALUE=${WEKO_USER_PASSWORD:-}
+  WEKO_INSTITUTION_NAME_VALUE=${WEKO_INSTITUTION_NAME:-}
+  WEKO_INDEX_NAME_VALUE=${WEKO_INDEX_NAME:-'Sample Index'}
+  WEKO_DOCKER_COMPOSE_PATH_VALUE=${WEKO_DOCKER_COMPOSE_PATH:-}
+  SWORD_MAPPING_ID_VALUE=${SWORD_MAPPING_ID:-30002}
+  IGNORE_HTTPS_ERRORS_VALUE=${IGNORE_HTTPS_ERRORS:-false}
+
+  cat >> "${OUTPUT}" <<EOF
+
+# WEKO / JAIRO Cloud settings
+weko_url: '${WEKO_URL_VALUE}'
+weko_admin_email: '${WEKO_ADMIN_EMAIL_VALUE}'
+weko_admin_password: '${WEKO_ADMIN_PASSWORD_VALUE}'
+weko_user_email: '${WEKO_USER_EMAIL_VALUE}'
+weko_user_password: '${WEKO_USER_PASSWORD_VALUE}'
+weko_institution_name: '${WEKO_INSTITUTION_NAME_VALUE}'
+weko_index_name: '${WEKO_INDEX_NAME_VALUE}'
+weko_docker_compose_path: '${WEKO_DOCKER_COMPOSE_PATH_VALUE}'
+sword_mapping_id: ${SWORD_MAPPING_ID_VALUE}
+ignore_https_errors: ${IGNORE_HTTPS_ERRORS_VALUE}
+EOF
+fi
+
+if [[ "${FLOWABLE}" == "true" ]]; then
+  GATEWAY_BASE_URL_VALUE=${GATEWAY_BASE_URL:-http://192.168.168.167:8088/}
+  WORKFLOW_BATCH_PROJECT_COUNT_VALUE=${WORKFLOW_BATCH_PROJECT_COUNT:-50}
+
+  cat >> "${OUTPUT}" <<EOF
+
+# Flowable Workflow settings
+workflow_enabled: true
+gateway_base_url: '${GATEWAY_BASE_URL_VALUE}'
+workflow_batch_project_count: ${WORKFLOW_BATCH_PROJECT_COUNT_VALUE}
+EOF
+else
+  cat >> "${OUTPUT}" <<'EOF'
+
+workflow_enabled: false
+EOF
+fi
+
 cat "${OUTPUT}"

.github/scripts/setup_flowable.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+set -xeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+COMMAND=${1:-}
+FLOWABLE_ROOT=${2:-}
+RDM_ROOT=${3:-}
+
+if [[ -z "${COMMAND}" ]]; then
+  echo "Usage: $0 <prepare|install|down> <flowable_root_dir> [rdm_root_dir]" >&2
+  exit 1
+fi
+
+wait_for_url() {
+  local url="$1"
+  local attempts=30
+  local delay=10
+  for ((i=1; i<=attempts; i++)); do
+    if curl -f "$url" >/dev/null 2>&1; then
+      echo "${url} is reachable"
+      return 0
+    fi
+    echo "Attempt ${i}/${attempts} failed for ${url}" >&2
+    sleep "$delay"
+  done
+  echo "Timed out waiting for ${url}" >&2
+  return 1
+}
+
+case "$COMMAND" in
+  prepare)
+    if [[ -z "${FLOWABLE_ROOT}" || -z "${RDM_ROOT}" ]]; then
+      echo "Usage: $0 prepare <flowable_root_dir> <rdm_root_dir>" >&2
+      exit 1
+    fi
+
+    # Ensure RDM workflow keys directory exists
+    mkdir -p "${RDM_ROOT}/addons/workflow/tests/keys"
+
+    # Generate RSA key pair for RDM service (used by RDM to sign tokens to gateway)
+    openssl genrsa -out "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" 2048
+    openssl rsa -in "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" -pubout \
+      -out "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.pub"
+
+    # Generate RSA key pair for gateway (used by gateway to sign tokens back to RDM)
+    openssl genrsa -out "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" 2048
+    openssl rsa -in "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" -pubout \
+      -out "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.pub"
+
+    # Create workflow addon local.py for RDM
+    mkdir -p "${RDM_ROOT}/addons/workflow/settings"
+    cat > "${RDM_ROOT}/addons/workflow/settings/local.py" << 'EOF'
+RDM_TO_WORKFLOW_GATEWAY_KEYS = [
+    {
+        'kid': 'rdm-service-v1',
+        'alg': 'RS256',
+        'public_key_path': '/code/addons/workflow/tests/keys/rdm-service-v1.pub',
+        'private_key_path': '/code/addons/workflow/tests/keys/rdm-service-v1.key',
+    },
+]
+EOF
+
+    # Copy keys to gateway config
+    cp "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.key" "${FLOWABLE_ROOT}/config/rdm-service.key"
+    cp "${RDM_ROOT}/addons/workflow/tests/keys/gateway-dev-v1.key" "${FLOWABLE_ROOT}/config/gateway-dev-v1.key"
+
+    # Create keyset.json with the RDM public key for gateway
+    RDM_PUBLIC_KEY=$(cat "${RDM_ROOT}/addons/workflow/tests/keys/rdm-service-v1.pub" | python3 -c "import sys, json; print(json.dumps(sys.stdin.read()))")
+    cat > "${FLOWABLE_ROOT}/config/keyset.json" << EOF
+{
+  "keys": [
+    {
+      "kid": "rdm-service-v1",
+      "alg": "RS256",
+      "public_key": ${RDM_PUBLIC_KEY}
+    }
+  ]
+}
+EOF
+
+    # Generate Fernet encryption key
+    ENCRYPTION_KEY=$(python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
+
+    # Create .env file for gateway CI environment
+    cat > "${FLOWABLE_ROOT}/.env" << EOF
+# Flowable REST admin credentials
+FLOWABLE_REST_APP_ADMIN_USER_ID=rest-admin
+FLOWABLE_REST_APP_ADMIN_PASSWORD=rest-admin
+
+# Gateway -> Flowable wiring
+FLOWABLE_REST_BASE_URL=http://flowable:8080/flowable-rest
+
+# RDM keyset configuration
+RDM_KEYSET_PATH=/app/config/keyset.json
+
+# Gateway internal wiring
+GATEWAY_INTERNAL_URL=http://gateway:8088
+RDM_ALLOWED_DOMAINS=http://192.168.168.167:5000
+RDM_ALLOWED_API_DOMAINS=http://192.168.168.167:8000
+RDM_ALLOWED_WATERBUTLER_URLS=http://192.168.168.167:7777
+
+# Database connection
+DATABASE_URL=postgresql://gateway:gateway@postgres:5432/gateway
+
+# Gateway signing key
+GATEWAY_SIGNING_KEY_ID=gateway-dev-v1
+GATEWAY_SIGNING_PRIVATE_KEY_PATH=/app/config/gateway-dev-v1.key
+
+# Encryption key for stored delegation tokens
+ENCRYPTION_KEY=${ENCRYPTION_KEY}
+EOF
+    echo "Flowable gateway configuration prepared"
+    ;;
+  install)
+    if [[ -z "${FLOWABLE_ROOT}" || ! -d "${FLOWABLE_ROOT}" ]]; then
+      echo "Flowable root directory not found: ${FLOWABLE_ROOT}" >&2
+      exit 1
+    fi
+
+    pushd "${FLOWABLE_ROOT}"
+
+    # Build and start the stack
+    docker compose up -d --build
+
+    popd
+
+    # Wait for gateway to be ready
+    wait_for_url "http://192.168.168.167:8088/healthz"
+
+    # Initialize database
+    pushd "${FLOWABLE_ROOT}"
+    docker compose run --rm gateway python -m gateway.init_db
+    popd
+
+    echo "Flowable gateway installed"
+    ;;
+  down)
+    if [[ -z "${FLOWABLE_ROOT}" || ! -d "${FLOWABLE_ROOT}" ]]; then
+      echo "Flowable root directory not found, skipping cleanup"
+      exit 0
+    fi
+
+    pushd "${FLOWABLE_ROOT}"
+    docker compose down -v || true
+    popd
+    ;;
+  *)
+    echo "Unknown command: ${COMMAND}" >&2
+    exit 1
+    ;;
+esac