feat(vcs): support for new VCS integration

invenio.cfg

@@ -7,12 +7,13 @@ For the full list of settings and their values, see
 https://inveniordm.docs.cern.ch/reference/configuration/.
 """
 
-import os
-
 from copy import deepcopy
 from datetime import datetime, timedelta
 
 from cds_rdm import schemes
+from cds_rdm.clc_sync.services.components import ClcSyncComponent
+from cds_rdm.components import (CDSResourcePublication,
+                                SubjectsValidationComponent)
 from cds_rdm.custom_fields import CUSTOM_FIELDS, CUSTOM_FIELDS_UI, NAMESPACES
 from cds_rdm.permissions import (
     CDSCommunitiesPermissionPolicy,
@@ -60,14 +61,58 @@ from cds_rdm.components import SubjectsValidationComponent
 from cds_rdm.components import MintAlternateIdentifierComponent
 from cds_rdm.pids import validate_optional_doi_transitions
 from cds_rdm.views import frontpage_view_function, inspire_link_render
-
+from cds_rdm.vcs.handlers import gitlab_account_info_serializer
 from invenio_app_rdm.config import APP_RDM_RECORD_EXPORTERS as RECORD_EXPORTERS
+from invenio_vcs.contrib.gitlab import GitLabProviderFactory
 
 
 def _(x):  # needed to avoid start time failure with lazy strings
     return x
 
 
+CERN_APP_CREDENTIALS = {
+    "consumer_key": "CHANGEME",
+    "consumer_secret": "CHANGEME",
+}
+
+GITLAB_APP_CREDENTIALS = {
+    "consumer_key": "CHANGEME",
+    "consumer_secret": "CHANGEME",
+}
+
+_vcs_gitlab = GitLabProviderFactory(
+    id="gitlab",
+    name="GitLab",
+    base_url="https://gitlab-dev.cern.ch",
+    webhook_receiver_url="https://CHANGEME.cern.ch/api/hooks/receivers/gitlab/events/?access_token={token}",
+    config={"shared_validation_token": "CHANGEME"},
+)
+
+gitlab_remote_config = _vcs_gitlab.remote_config
+gitlab_remote_config["signup_handler"]["info_serializer"] = (
+    gitlab_account_info_serializer(
+        gitlab_remote_config["signup_handler"]["info_serializer"]
+    )
+)
+gitlab_remote_config["link_only"] = True
+
+OAUTHCLIENT_REMOTE_APPS = {
+    cern_remote_app_name: cern_keycloak.remote_app,
+    "gitlab": gitlab_remote_config,
+}
+
+OAUTHCLIENT_REST_REMOTE_APPS = {
+    "gitlab": gitlab_remote_config,
+}
+
+VCS_INTEGRATION_ENABLED = True
+VCS_PROVIDERS = [_vcs_gitlab]
+VCS_PROVIDER_CONFIG_DICT = {
+    "gitlab": {}
+}
+VCS_TEMPLATE_INDEX = "cds_rdm/vcs/index.html"
+
+
 # Flask
 # =====
 # See https://flask.palletsprojects.com/en/1.1.x/config/
@@ -87,7 +132,7 @@ SECRET_KEY = "CHANGE_ME"
 # provided, the allowed hosts variable is set to localhost. In production it
 # should be set to the correct host and it is strongly recommended to only
 # route correct hosts to the application.
-TRUSTED_HOSTS = ['0.0.0.0', 'localhost', '127.0.0.1', 'localhost.cern.ch']
+TRUSTED_HOSTS = ["0.0.0.0", "localhost", "127.0.0.1", "localhost.cern.ch"]
 
 # Flask-SQLAlchemy
 # ================
@@ -101,10 +146,10 @@ SQLALCHEMY_DATABASE_URI = "postgresql+psycopg2://cds-rdm:cds-rdm@localhost/cds-r
 # See https://invenio-app.readthedocs.io/en/latest/configuration.html
 
 APP_DEFAULT_SECURE_HEADERS = {
-    'content_security_policy': {
-        'default-src': [
+    "content_security_policy": {
+        "default-src": [
             "'self'",
-            'data:',  # for fonts
+            "data:",  # for fonts
             "'unsafe-inline'",  # for inline scripts and styles
             "blob:",  # for pdf preview
             "cdnjs.cloudflare.com",
@@ -113,29 +158,29 @@ APP_DEFAULT_SECURE_HEADERS = {
             "test-matomo-wf.web.cern.ch",
         ],
     },
-    'content_security_policy_report_only': False,
-    'content_security_policy_report_uri': None,
-    'force_file_save': False,
-    'force_https': True,
-    'force_https_permanent': False,
-    'frame_options': 'sameorigin',
-    'frame_options_allow_from': None,
-    'session_cookie_http_only': True,
-    'session_cookie_secure': True,
-    'strict_transport_security': True,
-    'strict_transport_security_include_subdomains': True,
-    'strict_transport_security_max_age': 31556926,  # One year in seconds
-    'strict_transport_security_preload': False,
+    "content_security_policy_report_only": False,
+    "content_security_policy_report_uri": None,
+    "force_file_save": False,
+    "force_https": True,
+    "force_https_permanent": False,
+    "frame_options": "sameorigin",
+    "frame_options_allow_from": None,
+    "session_cookie_http_only": True,
+    "session_cookie_secure": True,
+    "strict_transport_security": True,
+    "strict_transport_security_include_subdomains": True,
+    "strict_transport_security_max_age": 31556926,  # One year in seconds
+    "strict_transport_security_preload": False,
 }
 
 # Flask-Babel
 # ===========
 # See https://python-babel.github.io/flask-babel/#configuration
 
 # Default locale (language)
-BABEL_DEFAULT_LOCALE = 'en'
+BABEL_DEFAULT_LOCALE = "en"
 # Default time zone
-BABEL_DEFAULT_TIMEZONE = 'Europe/Zurich'
+BABEL_DEFAULT_TIMEZONE = "Europe/Zurich"
 
 # Invenio-I18N
 # ============
@@ -154,10 +199,10 @@ I18N_LANGUAGES = [
 # Frontpage title
 THEME_FRONTPAGE_TITLE = "CERN Document Server"
 # Header logo
-THEME_LOGO = 'images/invenio-rdm.svg'
+THEME_LOGO = "images/invenio-rdm.svg"
 THEME_SHOW_FRONTPAGE_INTRO_SECTION = False
 
-THEME_SITENAME = 'CDS'
+THEME_SITENAME = "CDS"
 # Templates
 # THEME_FRONTPAGE_TEMPLATE = 'cds_rdm/frontpage.html'
 # THEME_FOOTER_TEMPLATE = 'cds_rdm/footer.html'
@@ -172,7 +217,7 @@ THEME_TRACKINGCODE_TEMPLATE = "cds_rdm/matomo-test.html"
 # See https://invenio-app-rdm.readthedocs.io/en/latest/configuration.html
 
 # Instance's theme entrypoint file. Path relative to the ``assets/`` folder.
-INSTANCE_THEME_FILE = './less/theme.less'
+INSTANCE_THEME_FILE = "./less/theme.less"
 
 APP_RDM_ROUTES["index"] = ("/", frontpage_view_function)
 
@@ -199,18 +244,20 @@ APP_RDM_DEPOSIT_FORM_DEFAULTS = {
         {
             "id": "cc-by-4.0",
             "title": "Creative Commons Attribution 4.0 International",
-            "description": ("The Creative Commons Attribution license allows "
-                            "re-distribution and re-use of a licensed work "
-                            "on the condition that the creator is "
-                            "appropriately credited."),
+            "description": (
+                "The Creative Commons Attribution license allows "
+                "re-distribution and re-use of a licensed work "
+                "on the condition that the creator is "
+                "appropriately credited."
+            ),
             "link": "https://creativecommons.org/licenses/by/4.0/legalcode",
         }
     ],
     "publisher": "CERN",
 }
 
 # See https://github.com/inveniosoftware/invenio-app-rdm/blob/master/invenio_app_rdm/config.py
-APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = 'search'  # "search_only" or "off"
+APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = "search"  # "search_only" or "off"
 
 # Invenio-RDM-Records
 # ===================
@@ -230,15 +277,19 @@ DATACITE_DATACENTER_SYMBOL = ""
 # ================
 # See https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/config.py
 ACCOUNTS_DEFAULT_USERS_VERIFIED = True  # ensure that users are verified by default
-ACCOUNTS_DEFAULT_USER_VISIBILITY = "public"  # enables users to be searchable for invites
+ACCOUNTS_DEFAULT_USER_VISIBILITY = (
+    "public"  # enables users to be searchable for invites
+)
 ACCOUNTS_DEFAULT_EMAIL_VISIBILITY = "public"
 ACCOUNTS_LOCAL_LOGIN_ENABLED = True  # enable local login
 PERMANENT_SESSION_LIFETIME = timedelta(days=10)
 SECURITY_REGISTERABLE = True  # local login: allow users to register
 SECURITY_RECOVERABLE = False  # local login: allow users to reset the password
 SECURITY_CHANGEABLE = False  # local login: allow users to change psw
 SECURITY_CONFIRMABLE = False  # local login: users can confirm e-mail address
-SECURITY_LOGIN_WITHOUT_CONFIRMATION = True  # require users to confirm email before being able to login
+SECURITY_LOGIN_WITHOUT_CONFIRMATION = (
+    True  # require users to confirm email before being able to login
+)
 
 # Emails sending
 # Disable sending all account-related emails because of CERN SSO usage
@@ -249,33 +300,32 @@ SECURITY_SEND_REGISTER_EMAIL = False
 
 # Invenio-CERN-Sync/CERN SSO
 # ==========================
-OAUTHCLIENT_REMOTE_APPS = {
-    cern_remote_app_name: cern_keycloak.remote_app,
-}
 
-CERN_APP_CREDENTIALS = {
-    "consumer_key": "CHANGE ME",
-    "consumer_secret": "CHANGE ME",
-}
 CERN_SYNC_KEYCLOAK_BASE_URL = "https://auth.cern.ch/"
 CERN_SYNC_AUTHZ_BASE_URL = "https://authorization-service-api.web.cern.ch/"
-INVENIO_CERN_SYNC_KEYCLOAK_BASE_URL = "https://auth.cern.ch/"  # set env var when testing
+INVENIO_CERN_SYNC_KEYCLOAK_BASE_URL = (
+    "https://auth.cern.ch/"  # set env var when testing
+)
 
 OAUTHCLIENT_CERN_REALM_URL = cern_keycloak.realm_url
 OAUTHCLIENT_CERN_USER_INFO_URL = cern_keycloak.user_info_url
 OAUTHCLIENT_CERN_VERIFY_EXP = True
 OAUTHCLIENT_CERN_VERIFY_AUD = False
 OAUTHCLIENT_CERN_USER_INFO_FROM_ENDPOINT = True
 
-ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login  # autoredirect to external login if enabled
+ACCOUNTS_LOGIN_VIEW_FUNCTION = (
+    auto_redirect_login  # autoredirect to external login if enabled
+)
 OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = True  # autoredirect to external login
 
 ACCOUNTS_USER_PROFILE_SCHEMA = CERNUserProfileSchema()
 
 # Invenio-UserProfiles
 # ====================
 USERPROFILES_READ_ONLY = True  # disable change of user profile
-USERPROFILES_EXTEND_SECURITY_FORMS = True  # automatically use user's email address as account email
+USERPROFILES_EXTEND_SECURITY_FORMS = (
+    True  # automatically use user's email address as account email
+)
 
 # OAI-PMH
 # =======
@@ -295,7 +345,9 @@ SEARCH_INDEX_PREFIX = "cds-rdm-"
 ###############################################################################
 # CDS-RDM configuration
 ###############################################################################
-CDS_SERVICE_ELEMENT_URL = "https://cern.service-now.com/service-portal?id=service_element&name=CDS-Service"
+CDS_SERVICE_ELEMENT_URL = (
+    "https://cern.service-now.com/service-portal?id=service_element&name=CDS-Service"
+)
 
 # Permissions: define who can create new communities
 CDS_EMAILS_ALLOW_CREATE_COMMUNITIES = []
@@ -391,9 +443,7 @@ APP_RDM_PAGES = {
 }
 
 # Custom fields
-RDM_NAMESPACES = {
-    **NAMESPACES
-}
+RDM_NAMESPACES = {**NAMESPACES}
 RDM_CUSTOM_FIELDS = CUSTOM_FIELDS
 RDM_CUSTOM_FIELDS_UI = CUSTOM_FIELDS_UI
 
@@ -405,8 +455,8 @@ THEME_MATHJAX_CDN = (
     "?config=TeX-AMS-MML_HTMLorMML"
 )
 
-RDM_FILES_DEFAULT_QUOTA_SIZE = 50 * 10 ** 9  # 50GB
-RDM_FILES_DEFAULT_MAX_FILE_SIZE = 50 * 10 ** 9  # 50GB
+RDM_FILES_DEFAULT_QUOTA_SIZE = 50 * 10**9  # 50GB
+RDM_FILES_DEFAULT_MAX_FILE_SIZE = 50 * 10**9  # 50GB
 
 JOBS_ADMINISTRATION_ENABLED = True
 
@@ -472,7 +522,8 @@ RDM_RECORDS_SERVICE_COMPONENTS = [
 RDM_PERSISTENT_IDENTIFIERS["doi"]["required"] = False
 RDM_PARENT_PERSISTENT_IDENTIFIERS["doi"]["required"] = False
 RDM_PERSISTENT_IDENTIFIERS["doi"]["ui"][
-    "default_selected"] = "not_needed"  # "yes", "no" or "not_needed"
+    "default_selected"
+] = "not_needed"  # "yes", "no" or "not_needed"
 
 RDM_OPTIONAL_DOI_VALIDATOR = validate_optional_doi_transitions
 
@@ -559,9 +610,11 @@ VOCABULARIES_DATASTREAM_WRITERS = {
 
 # We override the templates to add new fields needed for the migrated statistic events
 _APP_RDM_STATS_EVENTS["file-download"][
-    "templates"] = "cds_rdm.stats.templates.events.file_download"
+    "templates"
+] = "cds_rdm.stats.templates.events.file_download"
 _APP_RDM_STATS_EVENTS["record-view"][
-    "templates"] = "cds_rdm.stats.templates.events.record_view"
+    "templates"
+] = "cds_rdm.stats.templates.events.record_view"
 
 # Add the yearly suffix
 _APP_RDM_STATS_EVENTS["file-download"]["params"]["suffix"] = "%Y"
@@ -573,7 +626,9 @@ _APP_RDM_STATS_AGGREGATIONS["record-view-agg"]["params"]["index_interval"] = "ye
 
 APP_RDM_RECORD_LANDING_PAGE_TEMPLATE = "cds_rdm/records/detail.html"
 
-RDM_DETAIL_SIDE_BAR_MANAGE_ATTRIBUTES_EXTENSION_TEMPLATE = "cds_rdm/records/manage_menu.html"
+RDM_DETAIL_SIDE_BAR_MANAGE_ATTRIBUTES_EXTENSION_TEMPLATE = (
+    "cds_rdm/records/manage_menu.html"
+)
 
 APP_RDM_RECORD_EXPORTERS = {
     **RECORD_EXPORTERS,

pyproject.toml

@@ -9,6 +9,7 @@ requires-python = ">=3.9"
 dependencies = [
     "invenio-app-rdm[opensearch2]~=14.0.0b3.dev0",
     "invenio-cern-sync",
+    "invenio-app-rdm[opensearch2]",
     "invenio-checks>=2.0.0,<3.0.0",
     "invenio-preservation-sync==0.2.0",
     "cds-rdm",

site/cds_rdm/errors.py

@@ -20,3 +20,41 @@ class RequestError(GroupSyncingError):
     def __init__(self, url, error_details):
         """Initialise error."""
         super().__init__(_(f"Request error on {url}.\n Error details: {error_details}"))
+
+
+class KeycloakIdentityNotFoundError(Exception):
+    """The user is missing the Keycloak OAuth identity."""
+
+    def __init__(self, user_id: str) -> None:
+        """Constructor."""
+        super().__init__(_(f"Could not find CERN SSO identity for user {user_id}"))
+
+
+class GitLabIdentityNotFoundError(Exception):
+    """The GitLab user did not have an OpenID or Kerberos identity so we cannot match it to the signed-in CDS user."""
+
+    def __init__(self, user_id: str) -> None:
+        """Constructor."""
+        super().__init__(
+            _(
+                f"GitLab user {user_id} did not have CERN OpenID or Kerberos identity (LDAP-only accounts are not supported)"
+            )
+        )
+
+
+class KeycloakGitLabMismatchError(Exception):
+    """The GitLab user has a different Keycloak ID to the signed in CDS user."""
+
+    def __init__(
+        self,
+        gitlab_user_id: str,
+        gl_cern_sso_id: str,
+        cds_user_id: str,
+        cds_cern_sso_id: str,
+    ) -> None:
+        """Constructor."""
+        super().__init__(
+            _(
+                f"GitLab user {gitlab_user_id} has a different CERN SSO identity ({gl_cern_sso_id}) to currently signed-in CDS user {cds_user_id} ({cds_cern_sso_id})"
+            )
+        )