chore(master): merge maint-0.9 (reanahub#715)

chore(maint-0.9): release 0.9.4 (reanahub#666)
build(python): bump shared REANA packages as of 2024-11-28 (reanahub#714)
feat(ext): improve error message for db decryption error (reanahub#713)
feat(config): make ACCOUNTS_USERINFO_HEADERS customisable (reanahub#713)
feat(config): make APP_DEFAULT_SECURE_HEADERS customisable (reanahub#713)
feat(config): make PROXYFIX_CONFIG customisable (reanahub#713)
fix(config): do not set DEBUG programmatically (reanahub#713)
feat(config): support password-protected redis (reanahub#713)
fix(config): read secret key from env (reanahub#713)
chore(docker): pin setuptools 70 (reanahub#700)
fix(set_workflow_status): publish workflows to submission queue (reanahub#691)
ci(commitlint): improve checking of merge commits (reanahub#689)
fix(get_workflow_specification): avoid returning null parameters (reanahub#689)
fix(start): validate endpoint parameters (reanahub#689)
fix(reana-admin): respect service domain when cleaning sessions (reanahub#687)

Note: The merge commit removes the changes related to pinning
`setuptools` to version 70, because this was only necessary for the
`maint-0.9` branches, as well as other 0.9.4 release-related changes.

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.9.3"
+  ".": "0.9.4"
 }

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## [0.9.4](https://github.com/reanahub/reana-server/compare/0.9.3...0.9.4) (2024-11-29)
+
+
+### Build
+
+* **python:** bump shared REANA packages as of 2024-11-28 ([#714](https://github.com/reanahub/reana-server/issues/714)) ([94fbf77](https://github.com/reanahub/reana-server/commit/94fbf7766218f4ffaf3f23be64ec6d46be1acb00))
+
+
+### Features
+
+* **config:** make ACCOUNTS_USERINFO_HEADERS customisable ([#713](https://github.com/reanahub/reana-server/issues/713)) ([8c01d51](https://github.com/reanahub/reana-server/commit/8c01d513c2365f337c26a2211c2ddb82df4186d4))
+* **config:** make APP_DEFAULT_SECURE_HEADERS customisable ([#713](https://github.com/reanahub/reana-server/issues/713)) ([1919358](https://github.com/reanahub/reana-server/commit/1919358cb3b05f09bceff9a904e9607760bc3fb1))
+* **config:** make PROXYFIX_CONFIG customisable ([#713](https://github.com/reanahub/reana-server/issues/713)) ([5b6c276](https://github.com/reanahub/reana-server/commit/5b6c276f57f642cc0965f096fa59875b9599df08))
+* **config:** support password-protected redis ([#713](https://github.com/reanahub/reana-server/issues/713)) ([a2aad8a](https://github.com/reanahub/reana-server/commit/a2aad8ac506b98e5c29d357cec65172b6437cc8f))
+* **ext:** improve error message for db decryption error ([#713](https://github.com/reanahub/reana-server/issues/713)) ([bbab1bf](https://github.com/reanahub/reana-server/commit/bbab1bf7338e9790e2195a02e320df16db1826f6))
+
+
+### Bug fixes
+
+* **config:** do not set DEBUG programmatically ([#713](https://github.com/reanahub/reana-server/issues/713)) ([c98cbc1](https://github.com/reanahub/reana-server/commit/c98cbc1d15afca9309e4839db543ac19cd2036ce))
+* **config:** read secret key from env ([#713](https://github.com/reanahub/reana-server/issues/713)) ([6ee6422](https://github.com/reanahub/reana-server/commit/6ee6422d87d38339b359ad7a306575b97f210440))
+* **get_workflow_specification:** avoid returning null parameters ([#689](https://github.com/reanahub/reana-server/issues/689)) ([46633d6](https://github.com/reanahub/reana-server/commit/46633d6bcc151c73880f9ecbd2c02d2246492794))
+* **reana-admin:** respect service domain when cleaning sessions ([#687](https://github.com/reanahub/reana-server/issues/687)) ([ede882d](https://github.com/reanahub/reana-server/commit/ede882d384ae0959eb8a9484b7d491baa628a1ee))
+* **set_workflow_status:** publish workflows to submission queue ([#691](https://github.com/reanahub/reana-server/issues/691)) ([6e35bd7](https://github.com/reanahub/reana-server/commit/6e35bd776e17c1bc04145c68c1f5ea3ce5143b7e)), closes [#690](https://github.com/reanahub/reana-server/issues/690)
+* **start:** validate endpoint parameters ([#689](https://github.com/reanahub/reana-server/issues/689)) ([d2d3673](https://github.com/reanahub/reana-server/commit/d2d3673dac8917d746ddafd84bb3660e7f83c9b6))
+
+
+### Continuous integration
+
+* **commitlint:** improve checking of merge commits ([#689](https://github.com/reanahub/reana-server/issues/689)) ([69f45fc](https://github.com/reanahub/reana-server/commit/69f45fc3aae9bc625ed733de9af13eb7c0111048))
+
 ## [0.9.3](https://github.com/reanahub/reana-server/compare/0.9.2...0.9.3) (2024-03-04)
 
 

Dockerfile

@@ -84,7 +84,7 @@ CMD ["uwsgi --ini uwsgi.ini"]
 
 # Set image labels
 LABEL org.opencontainers.image.authors="team@reanahub.io"
-LABEL org.opencontainers.image.created="2024-03-04"
+LABEL org.opencontainers.image.created="2024-11-29"
 LABEL org.opencontainers.image.description="REANA reproducible analysis platform - server component"
 LABEL org.opencontainers.image.documentation="https://reana-server.readthedocs.io/"
 LABEL org.opencontainers.image.licenses="MIT"

docs/openapi.json

@@ -4049,15 +4049,19 @@
             "schema": {
               "properties": {
                 "input_parameters": {
+                  "description": "Optional. Additional input parameters that override the ones from the workflow specification.",
                   "type": "object"
                 },
                 "operational_options": {
+                  "description": "Optional. Additional operational options for workflow execution.",
                   "type": "object"
                 },
                 "reana_specification": {
+                  "description": "Optional. Replace the original workflow specification with the given one. Only considered when restarting a workflow.",
                   "type": "object"
                 },
                 "restart": {
+                  "description": "Optional. If true, restart the given workflow.",
                   "type": "boolean"
                 }
               },
@@ -4446,6 +4450,11 @@
           },
           {
             "description": "Required. New workflow status.",
+            "enum": [
+              "start",
+              "stop",
+              "deleted"
+            ],
             "in": "query",
             "name": "status",
             "required": true,
@@ -4459,19 +4468,30 @@
             "type": "string"
           },
           {
-            "description": "Optional. Additional input parameters and operational options.",
+            "description": "Optional. Additional parameters to customise the workflow status change.",
             "in": "body",
             "name": "parameters",
             "required": false,
             "schema": {
               "properties": {
-                "CACHE": {
-                  "type": "string"
-                },
                 "all_runs": {
+                  "description": "Optional. If true, delete all runs of the workflow. Only allowed when status is `deleted`.",
+                  "type": "boolean"
+                },
+                "input_parameters": {
+                  "description": "Optional. Additional input parameters that override the ones from the workflow specification. Only allowed when status is `start`.",
+                  "type": "object"
+                },
+                "operational_options": {
+                  "description": "Optional. Additional operational options for workflow execution. Only allowed when status is `start`.",
+                  "type": "object"
+                },
+                "restart": {
+                  "description": "Optional. If true, the workflow is a restart of an earlier workflow execution. Only allowed when status is `start`.",
                   "type": "boolean"
                 },
                 "workspace": {
+                  "description": "Optional, but must be set to true if provided. If true, delete also the workspace of the workflow. Only allowed when status is `deleted`.",
                   "type": "boolean"
                 }
               },

reana_server/config.py

@@ -167,8 +167,10 @@ def _(x):
 # Accounts
 # ========
 #: Redis URL
-ACCOUNTS_SESSION_REDIS_URL = "redis://{host}:6379/1".format(
-    host=REANA_INFRASTRUCTURE_COMPONENTS_HOSTNAMES["cache"]
+REANA_CACHE_PASSWORD = os.getenv("REANA_CACHE_PASSWORD", "")
+ACCOUNTS_SESSION_REDIS_URL = "redis://:{password}@{host}:6379/1".format(
+    password=REANA_CACHE_PASSWORD,
+    host=REANA_INFRASTRUCTURE_COMPONENTS_HOSTNAMES["cache"],
 )
 #: Email address used as sender of account registration emails.
 SECURITY_EMAIL_SENDER = SUPPORT_EMAIL
@@ -179,7 +181,9 @@ def _(x):
 #: and X-User-ID headers to HTTP response. You MUST ensure that NGINX (or other
 #: proxies) removes these headers again before sending the response to the
 #: client. Set to False, in case of doubt.
-ACCOUNTS_USERINFO_HEADERS = True
+ACCOUNTS_USERINFO_HEADERS = bool(
+    strtobool(os.getenv("ACCOUNTS_USERINFO_HEADERS", "False"))
+)
 #: Disable password recovery by users.
 SECURITY_RECOVERABLE = False
 REANA_USER_EMAIL_CONFIRMATION = strtobool(
@@ -217,7 +221,9 @@ def _(x):
 
 #: Secret key - each installation (dev, production, ...) needs a separate key.
 #: It should be changed before deploying.
-SECRET_KEY = "CHANGE_ME"
+SECRET_KEY = os.getenv("REANA_SECRET_KEY", "CHANGE_ME")
+"""Secret key used for the application user sessions."""
+
 #: Sets cookie with the secure flag by default
 SESSION_COOKIE_SECURE = True
 #: Sets session to be samesite to avoid CSRF attacks
@@ -234,8 +240,17 @@ def _(x):
 
 # Security configuration
 # ======================
-PROXYFIX_CONFIG = {"x_proto": 1}
+PROXYFIX_CONFIG = json.loads(os.getenv("PROXYFIX_CONFIG", '{"x_proto": 1}'))
+
 APP_DEFAULT_SECURE_HEADERS["content_security_policy"] = {}
+APP_DEFAULT_SECURE_HEADERS.update(
+    json.loads(os.getenv("APP_DEFAULT_SECURE_HEADERS", "{}"))
+)
+if "REANA_FORCE_HTTPS" in os.environ:
+    APP_DEFAULT_SECURE_HEADERS["force_https"] = bool(
+        strtobool(os.getenv("REANA_FORCE_HTTPS"))
+    )
+
 APP_HEALTH_BLUEPRINT_ENABLED = False
 
 
@@ -347,8 +362,6 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
 OAUTHCLIENT_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
 OAUTHCLIENT_REST_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
 
-DEBUG = True
-
 SECURITY_PASSWORD_SALT = "security-password-salt"
 
 SECURITY_SEND_REGISTER_EMAIL = False

reana_server/ext.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # This file is part of REANA.
-# Copyright (C) 2019, 2020, 2021, 2022 CERN.
+# Copyright (C) 2019, 2020, 2021, 2022, 2024 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -14,6 +14,7 @@
 from flask_limiter.errors import RateLimitExceeded
 from marshmallow.exceptions import ValidationError
 from reana_commons.config import REANA_LOG_FORMAT, REANA_LOG_LEVEL
+from sqlalchemy_utils.types.encrypted.padding import InvalidPaddingError
 from werkzeug.exceptions import UnprocessableEntity
 
 from invenio_oauthclient.signals import account_info_received
@@ -60,6 +61,17 @@ def handle_args_validation_error(error: UnprocessableEntity):
     return jsonify({"message": error_message}), 400
 
 
+def handle_invalid_padding_error(error: InvalidPaddingError):
+    """Error handler for sqlalchemy_utils exception ``InvalidPaddingError``.
+
+    This error handler raises an exception with a more understandable message.
+    """
+    raise InvalidPaddingError(
+        "Error decrypting the database. Did you set the correct secret key? "
+        "If you changed the secret key, did you run the migration command?"
+    ) from error
+
+
 class REANA(object):
     """REANA Invenio app.
 
@@ -106,3 +118,4 @@ def init_error_handlers(self, app):
         """Initialize custom error handlers."""
         app.register_error_handler(RateLimitExceeded, handle_rate_limit_error)
         app.register_error_handler(UnprocessableEntity, handle_args_validation_error)
+        app.register_error_handler(InvalidPaddingError, handle_invalid_padding_error)

reana_server/factory.py

@@ -45,7 +45,6 @@ def create_minimal_app(config_mapping=None):
     app.config.from_object("reana_server.config")
     if config_mapping:
         app.config.from_mapping(config_mapping)
-    app.secret_key = "hyper secret key"
 
     app.session = Session
 

reana_server/reana_admin/cli.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # This file is part of REANA.
-# Copyright (C) 2020, 2021, 2022 CERN.
+# Copyright (C) 2020, 2021, 2022, 2024 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -1089,7 +1089,7 @@ def interactive_session_cleanup(
 
         try:
             session_status = requests.get(
-                f"http://reana-run-session-{workflow_id}.{REANA_RUNTIME_KUBERNETES_NAMESPACE}.svc.cluster.local:8081/{workflow_id}/api/status",
+                f"http://reana-run-session-{workflow_id}.{REANA_RUNTIME_KUBERNETES_NAMESPACE}:8081/{workflow_id}/api/status",
                 headers={"Authorization": f"token {token}"},
             ).json()
         except Exception as e: