portal: honor keycloak rotation completion

backend/atlas_portal/routes/access_requests.py

@@ -1056,18 +1056,23 @@ def register(app) -> None:
                 actions_list: list[str] = []
                 if isinstance(actions, list):
                     actions_list = [a for a in actions if isinstance(a, str)]
-                if "UPDATE_PASSWORD" not in actions_list:
-                    actions_list.append("UPDATE_PASSWORD")
-                    admin_client().update_user_safe(user_id, {"requiredActions": actions_list})
 
-                conn.execute(
-                    """
-                    INSERT INTO access_request_onboarding_artifacts (request_code, artifact, value_hash)
-                    VALUES (%s, %s, NOW()::text)
-                    ON CONFLICT (request_code, artifact) DO NOTHING
-                    """,
-                    (code, _KEYCLOAK_PASSWORD_ROTATION_REQUESTED_ARTIFACT),
-                )
+                rotation_requested = _password_rotation_requested(conn, code)
+                already_rotated = rotation_requested and "UPDATE_PASSWORD" not in actions_list
+
+                if not already_rotated:
+                    if "UPDATE_PASSWORD" not in actions_list:
+                        actions_list.append("UPDATE_PASSWORD")
+                        admin_client().update_user_safe(user_id, {"requiredActions": actions_list})
+                    if not rotation_requested:
+                        conn.execute(
+                            """
+                            INSERT INTO access_request_onboarding_artifacts (request_code, artifact, value_hash)
+                            VALUES (%s, %s, NOW()::text)
+                            ON CONFLICT (request_code, artifact) DO NOTHING
+                            """,
+                            (code, _KEYCLOAK_PASSWORD_ROTATION_REQUESTED_ARTIFACT),
+                        )
 
                 onboarding_payload = _onboarding_payload(conn, code, request_username)
         except Exception: