fix(IDMS, user-data): Profiles API response handling and broker user-data fixes

- Correct Profiles API response handling
- Refactor user-data API parsing for safer debugging
- Align Profile pydantic model with API responses
- Syntax fix in user-data code

Also removes pre-broker merge artifacts erroneously reintroduced on main
(SAML account module, legacy SAML tests, obsolete fixture-stall doc).

Submodule: invenio-remote-user-data-kcworks updated to match staging.

Author: monotasker

.dockerignore

@@ -45,6 +45,12 @@ build/
 site/build
 site/kcworks.egg-info
 
+# Node modules (test-only installs in submodule translations folders that
+# would otherwise get copied into var/instance/assets/ and shadow the
+# hoisted i18next install)
+node_modules/
+**/node_modules/
+
 # Static files
 static/admin
 static/dist

.github/workflows/build.yml

@@ -19,10 +19,14 @@ on:
       - staging
 env:
   DOCKER_BUILDKIT: 1
+  TARGET_PLATFORMS: linux/amd64,linux/arm64
   DOCKERHUB_REGISTRY: docker.io
   GITHUB_REGISTRY: ghcr.io
   IMAGE_NAME: kcworks
   RELEASE_VERSION: unset
+  CILOGON_CLIENT_ID: ${{secrets.CILOGON_CLIENT_ID}}
+  CILOGON_CLIENT_SECRET: ${{secrets.CILOGON_CLIENT_SECRET}}
+  INVENIO_RECORD_IMPORTER_LOCAL_DATA_DSECRET: ${{vars.CILOGON_CLIENT_SECRET}}
   INVENIO_RECORD_IMPORTER_DATA_DIR: ${{vars.INVENIO_RECORD_IMPORTER_DATA_DIR}}
   INVENIO_SEARCH_DOMAIN: ${{vars.INVENIO_SEARCH_DOMAIN}}
   INVENIO_INSTANCE_PATH: ${{vars.INVENIO_INSTANCE_PATH}}
@@ -34,6 +38,8 @@ env:
   PGADMIN_DEFAULT_EMAIL: ${{secrets.PGADMIN_DEFAULT_EMAIL}}
   PGADMIN_DEFAULT_PASSWORD: ${{secrets.PGADMIN_DEFAULT_PASSWORD}}
   REDIS_DOMAIN: ${{vars.REDIS_DOMAIN}}
+  STATIC_API_BEARER: ${{secrets.STATIC_API_BEARER}}
+  WEBHOOK_TOKEN: ${{secrets.WEBHOOK_TOKEN}}
 jobs:
   build_and_release:
     runs-on: ubuntu-latest

.github/workflows/tests.yml

@@ -55,11 +55,22 @@ jobs:
           touch tests/.env
       - name: Run tests
         env:
+          CILOGON_CLIENT_ID: ${{ secrets.CILOGON_CLIENT_ID }}
+          CILOGON_CLIENT_SECRET: ${{ secrets.CILOGON_CLIENT_SECRET }}
           COMMONS_API_TOKEN: ${{ secrets.TEST_COMMONS_API_TOKEN }}
+          COMMONS_API_TOKEN_PROD: ${{ secrets.TEST_COMMONS_API_TOKEN_PROD }}
           COMMONS_PROFILES_API_TOKEN: ${{ secrets.TEST_COMMONS_PROFILES_API_TOKEN }}
+          COMMONS_SEARCH_API_TOKEN: ${{ secrets.TEST_COMMONS_SEARCH_API_TOKEN }}
+          INVENIO_SEARCH_DOMAIN: ${{ vars.INVENIO_SEARCH_DOMAIN }}
           INVENIO_ADMIN_EMAIL: ${{ secrets.TEST_INVENIO_ADMIN_EMAIL }}
           INVENIO_SITE_UI_URL: ${{ vars.INVENIO_SITE_UI_URL }}
           INVENIO_SITE_API_URL: ${{ vars.INVENIO_SITE_API_URL }}
+          INVENIO_STATIC_BEARER_TOKEN: ${{ secrets.INVENIO_STATIC_BEARER_TOKEN }}
+          SQLALCHEMY_DATABASE_URI: ${{ vars.TEST_SQLALCHEMY_DATABASE_URI }}
+          INVENIO_SQLALCHEMY_DATABASE_URI: ${{ vars.TEST_SQLALCHEMY_DATABASE_URI }}
+          POSTGRESQL_USER: ${{ vars.POSTGRES_USER }}
+          POSTGRESQL_PASSWORD: ${{ vars.POSTGRES_DB }}
+          POSTGRESQL_DB: ${{ vars.POSTGRES_DB }}
           INVENIO_COMMONS_API_REQUEST_PROTOCOL: https
           INVENIO_MAIL_SUPPRESS_SEND: False
           SPARKPOST_API_KEY: ${{ secrets.TEST_SPARKPOST_API_KEY }}

docs/fixture-install-stall-workaround.md

@@ -168,6 +168,8 @@ from invenio_stats_dashboard.records.communities.custom_fields.custom_fields imp
     COMMUNITIES_NAMESPACES as STATS_COMMUNITIES_NAMESPACES,
 )
 
+CELERY_WORKER_POOL_RESTARTS = True
+
 SITE_UI_URL = os.getenv("INVENIO_SITE_UI_URL", "https://localhost:5000")
 SITE_API_URL = os.getenv("INVENIO_SITE_API_URL", "https://localhost:5000/api")
 
@@ -1388,20 +1390,15 @@ STATIC_API_TOKEN_USER_ID = int(os.getenv("STATIC_API_TOKEN_USER_ID", 1))
 # See https://github.com/inveniosoftware/invenio-oauthclient/blob/
 # master/invenio_oauthclient/config.py
 
-# CILogon OAuth is no longer used directly. Authentication is delegated
-# to the KC Profiles microservice via the SSO broker.
-OAUTHCLIENT_REMOTE_APPS = {}
-
-# SSO Broker Authentication
-# -------------------------
-
 IDMS_TOKEN_UPDATE_TIMEOUT = 5
 
 IDMS_BASE_ASSOCIATION_URL = (
     f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_PROFILES_DOMAIN}/associate/"
 )
 IDMS_BASE_API_URL = f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_PROFILES_DOMAIN}/api/v1/"
 
+# SSO Broker Authentication
+# -------------------------
 SSO_BROKER_LOGIN_URL = f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_PROFILES_DOMAIN}/login/"
 SSO_BROKER_SILENT_LOGIN_URL = (
     f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_PROFILES_DOMAIN}/broker/silent-login/"
@@ -1413,8 +1410,13 @@ SSO_BROKER_VERIFY_NONCE_URL = (
 SSO_BROKER_RETRY_COOKIE_NAME = "_sso_checked"
 SSO_BROKER_COOKIE_TTL = 20
 
+# CILogon OAuth is no longer used directly. Authentication is delegated
+# to the KC Profiles microservice via the SSO broker.
+OAUTHCLIENT_REMOTE_APPS = {}
+
 KC_REMOTE_IDPS = ["cilogon"]
 
+
 ACCOUNTS_LOGIN_VIEW_FUNCTION = sso_broker_login  # broker-based SSO redirect
 
 # Invenio-UserProfiles
@@ -5475,35 +5477,6 @@ STATS_PERMISSION_FACTORY = permissions_policy_lookup_factory
 REMOTE_USER_DATA_API_TIMEOUT = 5
 
 REMOTE_USER_DATA_API_ENDPOINTS = {
-    # "knowledgeCommons": {
-    #     "users": {
-    #         "remote_endpoint": (
-    #             f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_WORDPRESS_DOMAIN}/"
-    #             "wp-json/commons/v1/users/"
-    #         ),
-    #         "remote_identifier": "id",
-    #         "remote_method": "GET",
-    #         "token_env_variable_label": "COMMONS_API_TOKEN",
-    #     },
-    #     "groups": {
-    #         "remote_endpoint": (
-    #             f"{COMMONS_API_REQUEST_PROTOCOL}://{KC_WORDPRESS_DOMAIN}/"
-    #             "wp-json/commons/v1/groups/"
-    #         ),
-    #         "remote_identifier": "id",
-    #         "remote_method": "GET",
-    #         "token_env_variable_label": "COMMONS_API_TOKEN",
-    #         "group_roles": {
-    #             "owner": ["administrator", "admin"],
-    #             "curator": ["editor", "moderator"],
-    #             "reader": ["member"],
-    #         },
-    #     },
-    #     "entity_types": {
-    #         "users": {"events": ["created", "updated", "deleted"]},
-    #         "groups": {"events": ["created", "updated", "deleted"]},
-    #     },
-    # },
     "knowledgeCommons": {
         "title": "Knowledge Commons",
         "users": {