Integrates invenio-cern-sync and jobs

Pipfile

@@ -18,6 +18,7 @@ uwsgitop = ">=0.11"
 uwsgi-tools = ">=1.1.1"
 flask-mail = ">=0.9.0,<0.10.0"
 invenio-preservation-sync = "==0.1.0"
+invenio-cern-sync = {git = "https://github.com/cerndocumentserver/invenio-cern-sync.git", ref = "v0.1.0"}
 
 [requires]
 python_version = "3.9"

invenio.cfg

@@ -26,6 +26,9 @@ from invenio_records_resources.services.custom_fields import KeywordCF
 from invenio_rdm_records.config import RDM_RECORDS_IDENTIFIERS_SCHEMES, always_valid, RDM_RECORDS_PERSONORG_SCHEMES
 from invenio_rdm_records.proxies import current_rdm_records_service as record_service
 from invenio_preservation_sync.utils import preservation_info_render
+from invenio_cern_sync.users.profile import CERNUserProfileSchema
+from invenio_oauthclient.views.client import auto_redirect_login
+from invenio_cern_sync.sso import cern_remote_app_name, cern_keycloak
 
 
 def _(x):  # needed to avoid start time failure with lazy strings
@@ -125,9 +128,6 @@ THEME_SITENAME = 'CDS'
 # THEME_FOOTER_TEMPLATE = 'cds_rdm/footer.html'
 # THEME_HEADER_TEMPLATE = 'cds_rdm/header.html'
 
-# TEMPORAL FIX - to be removed once the js bundle loading issue on the macros
-# is fixed.
-BASE_TEMPLATE = "cds_rdm/page.html"
 
 # Invenio-App-RDM
 # ===============
@@ -167,7 +167,6 @@ APP_RDM_DEPOSIT_FORM_DEFAULTS = {
     ],
     "publisher": "CERN",
 }
-APP_RDM_RECORD_LANDING_PAGE_TEMPLATE = "cds_rdm/records/detail.html"
 
 # See https://github.com/inveniosoftware/invenio-app-rdm/blob/master/invenio_app_rdm/config.py
 APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = 'search'  # "search_only" or "off"
@@ -191,6 +190,7 @@ DATACITE_DATACENTER_SYMBOL = ""
 # See https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/config.py
 ACCOUNTS_DEFAULT_USERS_VERIFIED = True  # ensure that users are verified by default
 ACCOUNTS_DEFAULT_USER_VISIBILITY = "public"  # enables users to be searchable for invites
+ACCOUNTS_DEFAULT_EMAIL_VISIBILITY = "public"
 ACCOUNTS_LOCAL_LOGIN_ENABLED = True  # enable local login
 PERMANENT_SESSION_LIFETIME = timedelta(days=10)
 SECURITY_REGISTERABLE = True  # local login: allow users to register
@@ -206,116 +206,51 @@ SECURITY_SEND_PASSWORD_RESET_EMAIL = False
 SECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL = False
 SECURITY_SEND_REGISTER_EMAIL = False
 
-# Invenio-OAuthclient
-# ===================
-# See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py
-from invenio_oauthclient.contrib.keycloak import KeycloakSettingsHelper
-from cds_rdm.oidc import (
-    cern_info_handler,
-    cern_info_serializer,
-    confirm_registration_form,
-    cern_groups_serializer,
-    cern_groups_handler,
-    cern_setup_handler,
-)
-from urllib.parse import quote
-
-CERN_KEYCLOAK_BASE_URL = os.environ.get("INVENIO_CERN_KEYCLOAK_BASE_URL",
-                                        "https://keycloak-qa.cern.ch/")
-
-_keycloak_helper = KeycloakSettingsHelper(
-    title="CERN",
-    description="CERN SSO authentication",
-    base_url=CERN_KEYCLOAK_BASE_URL,
-    realm="cern",
-    app_key="CERN_APP_CREDENTIALS",
-    logout_url="{}auth/realms/cern/protocol/openid-connect/logout?redirect_uri={}".format(
-        CERN_KEYCLOAK_BASE_URL,
-        quote(os.environ.get("INVENIO_SITE_UI_URL", SITE_UI_URL))
-    ),
-)
-OAUTHCLIENT_CERN_REALM_URL = _keycloak_helper.realm_url
-OAUTHCLIENT_CERN_USER_INFO_URL = _keycloak_helper.user_info_url
-OAUTHCLIENT_CERN_VERIFY_EXP = True
-OAUTHCLIENT_CERN_VERIFY_AUD = False
-OAUTHCLIENT_CERN_USER_INFO_FROM_ENDPOINT = True
-
-handlers = _keycloak_helper.get_handlers()
-handlers["signup_handler"] = {
-    **handlers["signup_handler"],
-    "info": cern_info_handler,
-    "info_serializer": cern_info_serializer,
-    "groups_serializer": cern_groups_serializer,
-    "groups": cern_groups_handler,
-    "setup": cern_setup_handler,
-}
-rest_handlers = _keycloak_helper.get_rest_handlers()
-rest_handlers["signup_handler"] = {
-    **rest_handlers["signup_handler"],
-    "info": cern_info_handler,
-    "info_serializer": cern_info_serializer,
-    "groups_serializer": cern_groups_serializer,
-    "groups": cern_groups_handler,
-    "setup": cern_setup_handler,
-}
-
-OAUTHCLIENT_SIGNUP_FORM = confirm_registration_form
-
-OAUTH_REMOTE_APP_NAME = "cern"
-
+# Invenio-CERN-Sync/CERN SSO
+# ==========================
 OAUTHCLIENT_REMOTE_APPS = {
-    OAUTH_REMOTE_APP_NAME: _keycloak_helper.remote_app,
+    cern_remote_app_name: cern_keycloak.remote_app,
 }
 
 CERN_APP_CREDENTIALS = {
     "consumer_key": "CHANGE ME",
     "consumer_secret": "CHANGE ME",
 }
+CERN_SYNC_KEYCLOAK_BASE_URL = "https://auth.cern.ch/"
+CERN_SYNC_AUTHZ_BASE_URL = "https://authorization-service-api.web.cern.ch/"
+INVENIO_CERN_SYNC_KEYCLOAK_BASE_URL = "https://auth.cern.ch/"  # set env var when testing
 
-from invenio_oauthclient.views.client import auto_redirect_login
+
+OAUTHCLIENT_CERN_REALM_URL = cern_keycloak.realm_url
+OAUTHCLIENT_CERN_USER_INFO_URL = cern_keycloak.user_info_url
+OAUTHCLIENT_CERN_VERIFY_EXP = True
+OAUTHCLIENT_CERN_VERIFY_AUD = False
+OAUTHCLIENT_CERN_USER_INFO_FROM_ENDPOINT = True
 
 ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login  # autoredirect to external login if enabled
 OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = True  # autoredirect to external login
 
+ACCOUNTS_USER_PROFILE_SCHEMA = CERNUserProfileSchema()
+
 # Invenio-UserProfiles
 # ====================
-USERPROFILES_READ_ONLY = False  # allow users to change profile info (name, email, etc...)
-USERPROFILES_EXTEND_SECURITY_FORMS = True
+USERPROFILES_READ_ONLY = True  # disable change of user profile
+USERPROFILES_EXTEND_SECURITY_FORMS = True  # automatically use user's email address as account email
 
 # OAI-PMH
 # =======
-# See https://github.com/inveniosoftware/invenio-oaiserver/blob/master/invenio_oaiserver/config.py
 OAISERVER_ID_PREFIX = "cds-rdm.com"
 """The prefix that will be applied to the generated OAI-PMH ids."""
 
 # Invenio-Search
 # ==============
 SEARCH_INDEX_PREFIX = "cds-rdm-"
 
-# Celery
-# ======
-CELERY_BEAT_SCHEDULE = {
-    **APP_RDM_CELERY_BEAT_SCHEDULE,
-    "user-sync": {
-        "task": "cds_rdm.tasks.sync_users",
-        "schedule": crontab(minute=0, hour=3),  # Every day at 03:00 UTC
-    },
-    "groups-sync": {
-        "task": "cds_rdm.tasks.sync_groups",
-        "schedule": crontab(minute=0, hour=2),  # Every day at 02:00 UTC
-    },
-}
-
 ###############################################################################
 # CDS-RDM configuration
 ###############################################################################
 CDS_SERVICE_ELEMENT_URL = "https://cern.service-now.com/service-portal?id=service_element&name=CDS-Service"
 
-# AUTH/LDAP
-CERN_LDAP_URL = "ldap://xldap.cern.ch"
-CERN_AUTHORIZATION_SERVICE_API = "https://authorization-service-api-qa.web.cern.ch/api/v1.0/"
-CERN_AUTHORIZATION_SERVICE_API_GROUP = "Group"
-
 # Permissions: define who can create new communities
 CDS_EMAILS_ALLOW_CREATE_COMMUNITIES = []
 CDS_GROUPS_ALLOW_CREATE_COMMUNITIES = []
@@ -513,6 +448,8 @@ RDM_CUSTOM_FIELDS_UI = [
         ]
     }
 ]
+RDM_FILES_DEFAULT_QUOTA_SIZE = 50 * 10**9     # 50GB
+RDM_FILES_DEFAULT_MAX_FILE_SIZE = 50 * 10**9  # 50GB
 
 JOBS_ADMINISTRATION_ENABLED = True