bstein-dev-home/backend/atlas_portal/provisioning.py

from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import time

import httpx

from . import settings
from .db import connect
from .keycloak import admin_client
from .utils import random_password
from .vaultwarden import invite_user


MAILU_EMAIL_ATTR = "mailu_email"
MAILU_APP_PASSWORD_ATTR = "mailu_app_password"
REQUIRED_PROVISION_TASKS: tuple[str, ...] = (
    "keycloak_user",
    "keycloak_password",
    "keycloak_groups",
    "mailu_app_password",
    "mailu_sync",
    "vaultwarden_invite",
)


@dataclass(frozen=True)
class ProvisionResult:
    ok: bool
    status: str


def _advisory_lock_id(request_code: str) -> int:
    digest = hashlib.sha256(request_code.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big", signed=True)


def _upsert_task(conn, request_code: str, task: str, status: str, detail: str | None = None) -> None:
    conn.execute(
        """
        INSERT INTO access_request_tasks (request_code, task, status, detail, updated_at)
        VALUES (%s, %s, %s, %s, NOW())
        ON CONFLICT (request_code, task)
        DO UPDATE SET status = EXCLUDED.status, detail = EXCLUDED.detail, updated_at = NOW()
        """,
        (request_code, task, status, detail),
    )


def _ensure_task_rows(conn, request_code: str, tasks: list[str]) -> None:
    if not tasks:
        return
    conn.execute(
        """
        INSERT INTO access_request_tasks (request_code, task, status, detail, updated_at)
        SELECT %s, task, 'pending', NULL, NOW()
        FROM UNNEST(%s::text[]) AS task
        ON CONFLICT (request_code, task) DO NOTHING
        """,
        (request_code, tasks),
    )


def _safe_error_detail(exc: Exception, fallback: str) -> str:
    if isinstance(exc, RuntimeError):
        msg = str(exc).strip()
        if msg:
            return msg
    if isinstance(exc, httpx.HTTPStatusError):
        return f"http {exc.response.status_code}"
    if isinstance(exc, httpx.TimeoutException):
        return "timeout"
    return fallback


def _task_statuses(conn, request_code: str) -> dict[str, str]:
    rows = conn.execute(
        "SELECT task, status FROM access_request_tasks WHERE request_code = %s",
        (request_code,),
    ).fetchall()
    output: dict[str, str] = {}
    for row in rows:
        task = row.get("task") if isinstance(row, dict) else None
        status = row.get("status") if isinstance(row, dict) else None
        if isinstance(task, str) and isinstance(status, str):
            output[task] = status
    return output


def _all_tasks_ok(conn, request_code: str, tasks: list[str]) -> bool:
    statuses = _task_statuses(conn, request_code)
    for task in tasks:
        if statuses.get(task) != "ok":
            return False
    return True


def provision_tasks_complete(conn, request_code: str) -> bool:
    return _all_tasks_ok(conn, request_code, list(REQUIRED_PROVISION_TASKS))


def provision_access_request(request_code: str) -> ProvisionResult:
    if not request_code:
        return ProvisionResult(ok=False, status="unknown")
    if not admin_client().ready():
        return ProvisionResult(ok=False, status="accounts_building")

    required_tasks = list(REQUIRED_PROVISION_TASKS)

    with connect() as conn:
        lock_id = _advisory_lock_id(request_code)
        lock_row = conn.execute(
            "SELECT pg_try_advisory_lock(%s) AS locked",
            (lock_id,),
        ).fetchone()
        if not lock_row or not lock_row.get("locked"):
            return ProvisionResult(ok=False, status="accounts_building")

        try:
            row = conn.execute(
                """
                SELECT username,
                       contact_email,
                       email_verified_at,
                       status,
                       initial_password,
                       initial_password_revealed_at,
                       provision_attempted_at
                FROM access_requests
                WHERE request_code = %s
                """,
                (request_code,),
            ).fetchone()
            if not row:
                return ProvisionResult(ok=False, status="unknown")

            username = str(row.get("username") or "")
            contact_email = str(row.get("contact_email") or "")
            email_verified_at = row.get("email_verified_at")
            status = str(row.get("status") or "")
            initial_password = row.get("initial_password")
            revealed_at = row.get("initial_password_revealed_at")
            attempted_at = row.get("provision_attempted_at")

            if status == "approved":
                conn.execute(
                    "UPDATE access_requests SET status = 'accounts_building' WHERE request_code = %s AND status = 'approved'",
                    (request_code,),
                )
                status = "accounts_building"

            if status not in {"accounts_building", "awaiting_onboarding", "ready"}:
                return ProvisionResult(ok=False, status=status or "unknown")

            _ensure_task_rows(conn, request_code, required_tasks)

            if status == "accounts_building":
                now = datetime.now(timezone.utc)
                if isinstance(attempted_at, datetime):
                    if attempted_at.tzinfo is None:
                        attempted_at = attempted_at.replace(tzinfo=timezone.utc)
                    age_sec = (now - attempted_at).total_seconds()
                    if age_sec < settings.ACCESS_REQUEST_PROVISION_RETRY_COOLDOWN_SEC:
                        return ProvisionResult(ok=False, status="accounts_building")
                conn.execute(
                    "UPDATE access_requests SET provision_attempted_at = NOW() WHERE request_code = %s",
                    (request_code,),
                )

            user_id = ""
            mailu_email = f"{username}@{settings.MAILU_DOMAIN}"

            # Task: ensure Keycloak user exists
            try:
                user = admin_client().find_user(username)
                if not user:
                    email = contact_email.strip()
                    if not email:
                        raise RuntimeError("missing verified email address")
                    payload = {
                        "username": username,
                        "enabled": True,
                        "email": email,
                        "emailVerified": bool(email_verified_at),
                        "requiredActions": ["CONFIGURE_TOTP"],
                        "attributes": {MAILU_EMAIL_ATTR: [mailu_email]},
                    }
                    created_id = admin_client().create_user(payload)
                    user = admin_client().get_user(created_id)
                user_id = str((user or {}).get("id") or "")
                if not user_id:
                    raise RuntimeError("user id missing")

                try:
                    full = admin_client().get_user(user_id)
                    attrs = full.get("attributes") or {}
                    mailu_from_attr: str | None = None
                    if isinstance(attrs, dict):
                        raw_mailu = attrs.get(MAILU_EMAIL_ATTR)
                        if isinstance(raw_mailu, list):
                            for item in raw_mailu:
                                if isinstance(item, str) and item.strip():
                                    mailu_from_attr = item.strip()
                                    break
                        elif isinstance(raw_mailu, str) and raw_mailu.strip():
                            mailu_from_attr = raw_mailu.strip()

                    if mailu_from_attr:
                        mailu_email = mailu_from_attr
                    else:
                        mailu_email = f"{username}@{settings.MAILU_DOMAIN}"
                        admin_client().set_user_attribute(username, MAILU_EMAIL_ATTR, mailu_email)
                except Exception:
                    mailu_email = f"{username}@{settings.MAILU_DOMAIN}"

                _upsert_task(conn, request_code, "keycloak_user", "ok", None)
            except Exception as exc:
                _upsert_task(conn, request_code, "keycloak_user", "error", _safe_error_detail(exc, "failed to ensure user"))

            if not user_id:
                return ProvisionResult(ok=False, status="accounts_building")

            # Task: set initial temporary password and store it for "show once" onboarding.
            try:
                if not user_id:
                    raise RuntimeError("missing user id")

                should_reset = status == "accounts_building" and revealed_at is None
                password_value: str | None = None

                if should_reset:
                    if isinstance(initial_password, str) and initial_password:
                        password_value = initial_password
                    elif initial_password is None:
                        password_value = random_password(20)
                        conn.execute(
                            """
                            UPDATE access_requests
                            SET initial_password = %s
                            WHERE request_code = %s AND initial_password IS NULL
                            """,
                            (password_value, request_code),
                        )
                        initial_password = password_value

                if password_value:
                    admin_client().reset_password(user_id, password_value, temporary=True)

                if isinstance(initial_password, str) and initial_password:
                    _upsert_task(conn, request_code, "keycloak_password", "ok", None)
                elif revealed_at is not None:
                    _upsert_task(conn, request_code, "keycloak_password", "ok", "initial password already revealed")
                else:
                    raise RuntimeError("initial password missing")
            except Exception as exc:
                _upsert_task(conn, request_code, "keycloak_password", "error", _safe_error_detail(exc, "failed to set password"))

            # Task: group membership (default dev)
            try:
                if not user_id:
                    raise RuntimeError("missing user id")
                groups = settings.DEFAULT_USER_GROUPS or ["dev"]
                for group_name in groups:
                    gid = admin_client().get_group_id(group_name)
                    if not gid:
                        raise RuntimeError("group missing")
                    admin_client().add_user_to_group(user_id, gid)
                _upsert_task(conn, request_code, "keycloak_groups", "ok", None)
            except Exception as exc:
                _upsert_task(conn, request_code, "keycloak_groups", "error", _safe_error_detail(exc, "failed to add groups"))

            # Task: ensure mailu_app_password attribute exists
            try:
                if not user_id:
                    raise RuntimeError("missing user id")
                full = admin_client().get_user(user_id)
                attrs = full.get("attributes") or {}
                existing = None
                if isinstance(attrs, dict):
                    raw = attrs.get(MAILU_APP_PASSWORD_ATTR)
                    if isinstance(raw, list) and raw and isinstance(raw[0], str):
                        existing = raw[0]
                    elif isinstance(raw, str) and raw:
                        existing = raw
                if not existing:
                    admin_client().set_user_attribute(username, MAILU_APP_PASSWORD_ATTR, random_password())
                _upsert_task(conn, request_code, "mailu_app_password", "ok", None)
            except Exception as exc:
                _upsert_task(conn, request_code, "mailu_app_password", "error", _safe_error_detail(exc, "failed to set mail password"))

            # Task: trigger Mailu sync if configured
            try:
                if not settings.MAILU_SYNC_URL:
                    _upsert_task(conn, request_code, "mailu_sync", "ok", "sync disabled")
                else:
                    with httpx.Client(timeout=30) as client:
                        resp = client.post(
                            settings.MAILU_SYNC_URL,
                            json={"ts": int(time.time()), "wait": True, "reason": "portal_access_approve"},
                        )
                        if resp.status_code != 200:
                            raise RuntimeError("mailu sync failed")
                    _upsert_task(conn, request_code, "mailu_sync", "ok", None)
            except Exception as exc:
                _upsert_task(conn, request_code, "mailu_sync", "error", _safe_error_detail(exc, "failed to sync mailu"))

            # Task: ensure Vaultwarden account exists (invite flow)
            try:
                if not user_id:
                    raise RuntimeError("missing user id")
                result = invite_user(mailu_email or f"{username}@{settings.MAILU_DOMAIN}")
                if result.ok:
                    _upsert_task(conn, request_code, "vaultwarden_invite", "ok", result.status)
                else:
                    _upsert_task(conn, request_code, "vaultwarden_invite", "error", result.detail or result.status)
            except Exception as exc:
                _upsert_task(
                    conn,
                    request_code,
                    "vaultwarden_invite",
                    "error",
                    _safe_error_detail(exc, "failed to provision vaultwarden"),
                )

            if _all_tasks_ok(conn, request_code, required_tasks):
                conn.execute(
                    """
                    UPDATE access_requests
                    SET status = 'awaiting_onboarding'
                    WHERE request_code = %s AND status = 'accounts_building'
                    """,
                    (request_code,),
                )
                return ProvisionResult(ok=True, status="awaiting_onboarding")

            return ProvisionResult(ok=False, status="accounts_building")
        finally:
            conn.execute("SELECT pg_advisory_unlock(%s)", (lock_id,))
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`from __future__ import annotations`

			`from dataclasses import dataclass`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`from datetime import datetime, timezone`
			`import hashlib`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`import time`

			`import httpx`

			`from . import settings`
			`from .db import connect`
			`from .keycloak import admin_client`
			`from .utils import random_password`
portal: provision vaultwarden accounts 2026-01-02 19:16:54 -03:00			`from .vaultwarden import invite_user`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00

portal: gate requests on verified email 2026-01-03 02:36:29 -03:00			`MAILU_EMAIL_ATTR = "mailu_email"`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`MAILU_APP_PASSWORD_ATTR = "mailu_app_password"`
			`REQUIRED_PROVISION_TASKS: tuple[str, ...] = (`
			`"keycloak_user",`
			`"keycloak_password",`
			`"keycloak_groups",`
			`"mailu_app_password",`
			`"mailu_sync",`
portal: provision vaultwarden accounts 2026-01-02 19:16:54 -03:00			`"vaultwarden_invite",`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`)`


			`@dataclass(frozen=True)`
			`class ProvisionResult:`
			`ok: bool`
			`status: str`


portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`def _advisory_lock_id(request_code: str) -> int:`
			`digest = hashlib.sha256(request_code.encode("utf-8")).digest()`
			`return int.from_bytes(digest[:8], "big", signed=True)`


portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`def _upsert_task(conn, request_code: str, task: str, status: str, detail: str \| None = None) -> None:`
			`conn.execute(`
			`"""`
			`INSERT INTO access_request_tasks (request_code, task, status, detail, updated_at)`
			`VALUES (%s, %s, %s, %s, NOW())`
			`ON CONFLICT (request_code, task)`
			`DO UPDATE SET status = EXCLUDED.status, detail = EXCLUDED.detail, updated_at = NOW()`
			`""",`
			`(request_code, task, status, detail),`
			`)`


portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`def _ensure_task_rows(conn, request_code: str, tasks: list[str]) -> None:`
			`if not tasks:`
			`return`
			`conn.execute(`
			`"""`
			`INSERT INTO access_request_tasks (request_code, task, status, detail, updated_at)`
			`SELECT %s, task, 'pending', NULL, NOW()`
			`FROM UNNEST(%s::text[]) AS task`
			`ON CONFLICT (request_code, task) DO NOTHING`
			`""",`
			`(request_code, tasks),`
			`)`


			`def _safe_error_detail(exc: Exception, fallback: str) -> str:`
			`if isinstance(exc, RuntimeError):`
			`msg = str(exc).strip()`
			`if msg:`
			`return msg`
			`if isinstance(exc, httpx.HTTPStatusError):`
			`return f"http {exc.response.status_code}"`
			`if isinstance(exc, httpx.TimeoutException):`
			`return "timeout"`
			`return fallback`


portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`def _task_statuses(conn, request_code: str) -> dict[str, str]:`
			`rows = conn.execute(`
			`"SELECT task, status FROM access_request_tasks WHERE request_code = %s",`
			`(request_code,),`
			`).fetchall()`
			`output: dict[str, str] = {}`
			`for row in rows:`
			`task = row.get("task") if isinstance(row, dict) else None`
			`status = row.get("status") if isinstance(row, dict) else None`
			`if isinstance(task, str) and isinstance(status, str):`
			`output[task] = status`
			`return output`


			`def _all_tasks_ok(conn, request_code: str, tasks: list[str]) -> bool:`
			`statuses = _task_statuses(conn, request_code)`
			`for task in tasks:`
			`if statuses.get(task) != "ok":`
			`return False`
			`return True`


			`def provision_tasks_complete(conn, request_code: str) -> bool:`
			`return _all_tasks_ok(conn, request_code, list(REQUIRED_PROVISION_TASKS))`


			`def provision_access_request(request_code: str) -> ProvisionResult:`
			`if not request_code:`
			`return ProvisionResult(ok=False, status="unknown")`
			`if not admin_client().ready():`
			`return ProvisionResult(ok=False, status="accounts_building")`

			`required_tasks = list(REQUIRED_PROVISION_TASKS)`

			`with connect() as conn:`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`lock_id = _advisory_lock_id(request_code)`
			`lock_row = conn.execute(`
			`"SELECT pg_try_advisory_lock(%s) AS locked",`
			`(lock_id,),`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`).fetchone()`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`if not lock_row or not lock_row.get("locked"):`
			`return ProvisionResult(ok=False, status="accounts_building")`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00
			`try:`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`row = conn.execute(`
			`"""`
			`SELECT username,`
			`contact_email,`
			`email_verified_at,`
			`status,`
			`initial_password,`
			`initial_password_revealed_at,`
			`provision_attempted_at`
			`FROM access_requests`
			`WHERE request_code = %s`
			`""",`
			`(request_code,),`
			`).fetchone()`
			`if not row:`
			`return ProvisionResult(ok=False, status="unknown")`

			`username = str(row.get("username") or "")`
			`contact_email = str(row.get("contact_email") or "")`
			`email_verified_at = row.get("email_verified_at")`
			`status = str(row.get("status") or "")`
			`initial_password = row.get("initial_password")`
			`revealed_at = row.get("initial_password_revealed_at")`
			`attempted_at = row.get("provision_attempted_at")`

portal: handle legacy approved requests 2026-01-03 04:27:26 -03:00			`if status == "approved":`
			`conn.execute(`
			`"UPDATE access_requests SET status = 'accounts_building' WHERE request_code = %s AND status = 'approved'",`
			`(request_code,),`
			`)`
			`status = "accounts_building"`

portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`if status not in {"accounts_building", "awaiting_onboarding", "ready"}:`
			`return ProvisionResult(ok=False, status=status or "unknown")`

portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`_ensure_task_rows(conn, request_code, required_tasks)`

portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`if status == "accounts_building":`
			`now = datetime.now(timezone.utc)`
			`if isinstance(attempted_at, datetime):`
			`if attempted_at.tzinfo is None:`
			`attempted_at = attempted_at.replace(tzinfo=timezone.utc)`
			`age_sec = (now - attempted_at).total_seconds()`
			`if age_sec < settings.ACCESS_REQUEST_PROVISION_RETRY_COOLDOWN_SEC:`
			`return ProvisionResult(ok=False, status="accounts_building")`
			`conn.execute(`
			`"UPDATE access_requests SET provision_attempted_at = NOW() WHERE request_code = %s",`
			`(request_code,),`
			`)`

			`user_id = ""`
			`mailu_email = f"{username}@{settings.MAILU_DOMAIN}"`

			`# Task: ensure Keycloak user exists`
portal: gate requests on verified email 2026-01-03 02:36:29 -03:00			`try:`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`user = admin_client().find_user(username)`
			`if not user:`
			`email = contact_email.strip()`
			`if not email:`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`raise RuntimeError("missing verified email address")`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`payload = {`
			`"username": username,`
			`"enabled": True,`
			`"email": email,`
			`"emailVerified": bool(email_verified_at),`
			`"requiredActions": ["CONFIGURE_TOTP"],`
			`"attributes": {MAILU_EMAIL_ATTR: [mailu_email]},`
			`}`
			`created_id = admin_client().create_user(payload)`
			`user = admin_client().get_user(created_id)`
			`user_id = str((user or {}).get("id") or "")`
			`if not user_id:`
			`raise RuntimeError("user id missing")`

			`try:`
			`full = admin_client().get_user(user_id)`
			`attrs = full.get("attributes") or {}`
			`mailu_from_attr: str \| None = None`
			`if isinstance(attrs, dict):`
			`raw_mailu = attrs.get(MAILU_EMAIL_ATTR)`
			`if isinstance(raw_mailu, list):`
			`for item in raw_mailu:`
			`if isinstance(item, str) and item.strip():`
			`mailu_from_attr = item.strip()`
			`break`
			`elif isinstance(raw_mailu, str) and raw_mailu.strip():`
			`mailu_from_attr = raw_mailu.strip()`

			`if mailu_from_attr:`
			`mailu_email = mailu_from_attr`
			`else:`
			`mailu_email = f"{username}@{settings.MAILU_DOMAIN}"`
			`admin_client().set_user_attribute(username, MAILU_EMAIL_ATTR, mailu_email)`
			`except Exception:`
portal: gate requests on verified email 2026-01-03 02:36:29 -03:00			`mailu_email = f"{username}@{settings.MAILU_DOMAIN}"`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00
			`_upsert_task(conn, request_code, "keycloak_user", "ok", None)`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(conn, request_code, "keycloak_user", "error", _safe_error_detail(exc, "failed to ensure user"))`

			`if not user_id:`
			`return ProvisionResult(ok=False, status="accounts_building")`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`# Task: set initial temporary password and store it for "show once" onboarding.`
			`try:`
			`if not user_id:`
			`raise RuntimeError("missing user id")`

			`should_reset = status == "accounts_building" and revealed_at is None`
			`password_value: str \| None = None`

			`if should_reset:`
			`if isinstance(initial_password, str) and initial_password:`
			`password_value = initial_password`
			`elif initial_password is None:`
			`password_value = random_password(20)`
			`conn.execute(`
			`"""`
			`UPDATE access_requests`
			`SET initial_password = %s`
			`WHERE request_code = %s AND initial_password IS NULL`
			`""",`
			`(password_value, request_code),`
			`)`
			`initial_password = password_value`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00
			`if password_value:`
			`admin_client().reset_password(user_id, password_value, temporary=True)`

portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`if isinstance(initial_password, str) and initial_password:`
			`_upsert_task(conn, request_code, "keycloak_password", "ok", None)`
			`elif revealed_at is not None:`
			`_upsert_task(conn, request_code, "keycloak_password", "ok", "initial password already revealed")`
			`else:`
			`raise RuntimeError("initial password missing")`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(conn, request_code, "keycloak_password", "error", _safe_error_detail(exc, "failed to set password"))`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00
			`# Task: group membership (default dev)`
			`try:`
			`if not user_id:`
			`raise RuntimeError("missing user id")`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`groups = settings.DEFAULT_USER_GROUPS or ["dev"]`
			`for group_name in groups:`
			`gid = admin_client().get_group_id(group_name)`
			`if not gid:`
			`raise RuntimeError("group missing")`
			`admin_client().add_user_to_group(user_id, gid)`
			`_upsert_task(conn, request_code, "keycloak_groups", "ok", None)`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(conn, request_code, "keycloak_groups", "error", _safe_error_detail(exc, "failed to add groups"))`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`# Task: ensure mailu_app_password attribute exists`
			`try:`
			`if not user_id:`
			`raise RuntimeError("missing user id")`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00			`full = admin_client().get_user(user_id)`
			`attrs = full.get("attributes") or {}`
			`existing = None`
			`if isinstance(attrs, dict):`
			`raw = attrs.get(MAILU_APP_PASSWORD_ATTR)`
			`if isinstance(raw, list) and raw and isinstance(raw[0], str):`
			`existing = raw[0]`
			`elif isinstance(raw, str) and raw:`
			`existing = raw`
			`if not existing:`
			`admin_client().set_user_attribute(username, MAILU_APP_PASSWORD_ATTR, random_password())`
			`_upsert_task(conn, request_code, "mailu_app_password", "ok", None)`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(conn, request_code, "mailu_app_password", "error", _safe_error_detail(exc, "failed to set mail password"))`
portal: provision Keycloak + Mailu on approve 2026-01-02 11:12:43 -03:00
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00			`# Task: trigger Mailu sync if configured`
			`try:`
			`if not settings.MAILU_SYNC_URL:`
			`_upsert_task(conn, request_code, "mailu_sync", "ok", "sync disabled")`
			`else:`
			`with httpx.Client(timeout=30) as client:`
			`resp = client.post(`
			`settings.MAILU_SYNC_URL,`
			`json={"ts": int(time.time()), "wait": True, "reason": "portal_access_approve"},`
			`)`
			`if resp.status_code != 200:`
			`raise RuntimeError("mailu sync failed")`
			`_upsert_task(conn, request_code, "mailu_sync", "ok", None)`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(conn, request_code, "mailu_sync", "error", _safe_error_detail(exc, "failed to sync mailu"))`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00
			`# Task: ensure Vaultwarden account exists (invite flow)`
			`try:`
			`if not user_id:`
			`raise RuntimeError("missing user id")`
portal: gate requests on verified email 2026-01-03 02:36:29 -03:00			`result = invite_user(mailu_email or f"{username}@{settings.MAILU_DOMAIN}")`
portal: provision vaultwarden accounts 2026-01-02 19:16:54 -03:00			`if result.ok:`
			`_upsert_task(conn, request_code, "vaultwarden_invite", "ok", result.status)`
			`else:`
			`_upsert_task(conn, request_code, "vaultwarden_invite", "error", result.detail or result.status)`
portal: surface provisioning task status 2026-01-03 04:55:03 -03:00			`except Exception as exc:`
			`_upsert_task(`
			`conn,`
			`request_code,`
			`"vaultwarden_invite",`
			`"error",`
			`_safe_error_detail(exc, "failed to provision vaultwarden"),`
			`)`
portal: make provisioning retries safe 2026-01-03 04:08:13 -03:00
			`if _all_tasks_ok(conn, request_code, required_tasks):`
			`conn.execute(`
			`"""`
			`UPDATE access_requests`
			`SET status = 'awaiting_onboarding'`
			`WHERE request_code = %s AND status = 'accounts_building'`
			`""",`
			`(request_code,),`
			`)`
			`return ProvisionResult(ok=True, status="awaiting_onboarding")`

			`return ProvisionResult(ok=False, status="accounts_building")`
			`finally:`
			`conn.execute("SELECT pg_advisory_unlock(%s)", (lock_id,))`