portal: provision vaultwarden accounts

2026-01-02 19:16:54 -03:00 · 2026-01-02 19:16:54 -03:00 · cd39e77d0c
commit cd39e77d0c
parent 4dd991bc30
5 changed files with 236 additions and 3 deletions
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@ -9,6 +9,7 @@ from . import settings
 from .db import connect
 from .keycloak import admin_client
 from .utils import random_password
 from .vaultwarden import invite_user
 MAILU_APP_PASSWORD_ATTR = "mailu_app_password"
@ -18,6 +19,7 @@ REQUIRED_PROVISION_TASKS: tuple[str, ...] = (
    "keycloak_groups",
    "mailu_app_password",
    "mailu_sync",
    "vaultwarden_invite",
 )
@ -195,6 +197,27 @@ def provision_access_request(request_code: str) -> ProvisionResult:
        except Exception:
            _upsert_task(conn, request_code, "mailu_sync", "error", "failed to sync mailu")
        # Task: ensure Vaultwarden account exists (invite flow)
        try:
            if user_id:
                full = admin_client().get_user(user_id)
                keycloak_email = str(full.get("email") or "")
                email = ""
                if keycloak_email.lower().endswith(f"@{settings.MAILU_DOMAIN.lower()}"):
                    email = keycloak_email
                else:
                    email = f"{username}@{settings.MAILU_DOMAIN}"
                result = invite_user(email)
                if result.ok:
                    _upsert_task(conn, request_code, "vaultwarden_invite", "ok", result.status)
                else:
                    _upsert_task(conn, request_code, "vaultwarden_invite", "error", result.detail or result.status)
            else:
                raise RuntimeError("missing user id")
        except Exception:
            _upsert_task(conn, request_code, "vaultwarden_invite", "error", "failed to provision vaultwarden")
        # If everything is OK, advance to awaiting_onboarding.
        if _all_tasks_ok(conn, request_code, required_tasks):
            conn.execute(
--- a/backend/atlas_portal/routes/account.py
+++ b/backend/atlas_portal/routes/account.py
@ -74,10 +74,10 @@ def register(app) -> None:
                            elif isinstance(raw_pw, str) and raw_pw:
                                mailu_app_password = raw_pw
            except Exception:
-                mailu_status = "keycloak admin error"
+                mailu_status = "unavailable"
-                jellyfin_status = "keycloak admin error"
+                jellyfin_status = "unavailable"
                jellyfin_sync_status = "unknown"
-                jellyfin_sync_detail = "keycloak admin error"
+                jellyfin_sync_detail = "unavailable"
        mailu_username = ""
        if keycloak_email and keycloak_email.lower().endswith(f"@{settings.MAILU_DOMAIN.lower()}"):
--- a/backend/atlas_portal/settings.py
+++ b/backend/atlas_portal/settings.py
@ -82,3 +82,11 @@ JELLYFIN_SYNC_URL = os.getenv("JELLYFIN_SYNC_URL", "").rstrip("/")
 JELLYFIN_LDAP_HOST = os.getenv("JELLYFIN_LDAP_HOST", "openldap.sso.svc.cluster.local").strip()
 JELLYFIN_LDAP_PORT = int(os.getenv("JELLYFIN_LDAP_PORT", "389"))
 JELLYFIN_LDAP_CHECK_TIMEOUT_SEC = float(os.getenv("JELLYFIN_LDAP_CHECK_TIMEOUT_SEC", "1"))
 VAULTWARDEN_NAMESPACE = os.getenv("VAULTWARDEN_NAMESPACE", "vaultwarden").strip()
 VAULTWARDEN_POD_LABEL = os.getenv("VAULTWARDEN_POD_LABEL", "app=vaultwarden").strip()
 VAULTWARDEN_POD_PORT = int(os.getenv("VAULTWARDEN_POD_PORT", "80"))
 VAULTWARDEN_SERVICE_HOST = os.getenv("VAULTWARDEN_SERVICE_HOST", "vaultwarden-service.vaultwarden.svc.cluster.local").strip()
 VAULTWARDEN_ADMIN_SECRET_NAME = os.getenv("VAULTWARDEN_ADMIN_SECRET_NAME", "vaultwarden-admin").strip()
 VAULTWARDEN_ADMIN_SECRET_KEY = os.getenv("VAULTWARDEN_ADMIN_SECRET_KEY", "ADMIN_TOKEN").strip()
 VAULTWARDEN_ADMIN_SESSION_TTL_SEC = float(os.getenv("VAULTWARDEN_ADMIN_SESSION_TTL_SEC", "300"))
--- a/backend/atlas_portal/vaultwarden.py
+++ b/backend/atlas_portal/vaultwarden.py
@ -0,0 +1,194 @@
 from __future__ import annotations
 import base64
 import threading
 import time
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 import httpx
 from . import settings
 _K8S_BASE_URL = "https://kubernetes.default.svc"
 _SA_PATH = Path("/var/run/secrets/kubernetes.io/serviceaccount")
 def _read_service_account() -> tuple[str, str]:
    token_path = _SA_PATH / "token"
    ca_path = _SA_PATH / "ca.crt"
    if not token_path.exists() or not ca_path.exists():
        raise RuntimeError("kubernetes service account token missing")
    token = token_path.read_text().strip()
    if not token:
        raise RuntimeError("kubernetes service account token empty")
    return token, str(ca_path)
 def _k8s_get_json(path: str) -> dict[str, Any]:
    token, ca_path = _read_service_account()
    url = f"{_K8S_BASE_URL}{path}"
    with httpx.Client(
        verify=ca_path,
        timeout=settings.HTTP_CHECK_TIMEOUT_SEC,
        headers={"Authorization": f"Bearer {token}"},
    ) as client:
        resp = client.get(url)
        resp.raise_for_status()
        data = resp.json()
        if not isinstance(data, dict):
            raise RuntimeError("unexpected kubernetes response")
        return data
 def _k8s_find_pod_ip(namespace: str, label_selector: str) -> str:
    data = _k8s_get_json(f"/api/v1/namespaces/{namespace}/pods?labelSelector={label_selector}")
    items = data.get("items") or []
    if not isinstance(items, list) or not items:
        raise RuntimeError("no vaultwarden pods found")
    def _pod_ready(pod: dict[str, Any]) -> bool:
        status = pod.get("status") if isinstance(pod.get("status"), dict) else {}
        if status.get("phase") != "Running":
            return False
        ip = status.get("podIP")
        if not isinstance(ip, str) or not ip:
            return False
        conditions = status.get("conditions") if isinstance(status.get("conditions"), list) else []
        for cond in conditions:
            if not isinstance(cond, dict):
                continue
            if cond.get("type") == "Ready":
                return cond.get("status") == "True"
        return True
    ready = [p for p in items if isinstance(p, dict) and _pod_ready(p)]
    candidates = ready or [p for p in items if isinstance(p, dict)]
    status = candidates[0].get("status") or {}
    ip = status.get("podIP") if isinstance(status, dict) else None
    if not isinstance(ip, str) or not ip:
        raise RuntimeError("vaultwarden pod has no IP")
    return ip
 def _k8s_get_secret_value(namespace: str, name: str, key: str) -> str:
    data = _k8s_get_json(f"/api/v1/namespaces/{namespace}/secrets/{name}")
    blob = data.get("data") if isinstance(data.get("data"), dict) else {}
    raw = blob.get(key)
    if not isinstance(raw, str) or not raw:
        raise RuntimeError("secret key missing")
    try:
        decoded = base64.b64decode(raw).decode("utf-8").strip()
    except Exception as exc:
        raise RuntimeError("failed to decode secret") from exc
    if not decoded:
        raise RuntimeError("secret value empty")
    return decoded
@dataclass(frozen=True)
 class VaultwardenInvite:
    ok: bool
    status: str
    detail: str = ""
 _ADMIN_LOCK = threading.Lock()
 _ADMIN_SESSION: httpx.Client | None = None
 _ADMIN_SESSION_EXPIRES_AT: float = 0.0
 _ADMIN_SESSION_BASE_URL: str = ""
 def _admin_session(base_url: str) -> httpx.Client:
    global _ADMIN_SESSION, _ADMIN_SESSION_EXPIRES_AT, _ADMIN_SESSION_BASE_URL
    now = time.time()
    with _ADMIN_LOCK:
        if _ADMIN_SESSION and now < _ADMIN_SESSION_EXPIRES_AT and _ADMIN_SESSION_BASE_URL == base_url:
            return _ADMIN_SESSION
        if _ADMIN_SESSION:
            try:
                _ADMIN_SESSION.close()
            except Exception:
                pass
            _ADMIN_SESSION = None
        token = _k8s_get_secret_value(
            settings.VAULTWARDEN_NAMESPACE,
            settings.VAULTWARDEN_ADMIN_SECRET_NAME,
            settings.VAULTWARDEN_ADMIN_SECRET_KEY,
        )
        client = httpx.Client(
            base_url=base_url,
            timeout=settings.HTTP_CHECK_TIMEOUT_SEC,
            follow_redirects=True,
            headers={"User-Agent": "atlas-portal/1"},
        )
        # Authenticate to the admin UI to establish a session cookie.
        # Vaultwarden can rate-limit admin login attempts, so keep this session cached briefly.
        resp = client.post("/admin", data={"token": token})
        if resp.status_code == 429:
            raise RuntimeError("vaultwarden rate limited")
        resp.raise_for_status()
        _ADMIN_SESSION = client
        _ADMIN_SESSION_BASE_URL = base_url
        _ADMIN_SESSION_EXPIRES_AT = now + float(settings.VAULTWARDEN_ADMIN_SESSION_TTL_SEC)
        return client
 def invite_user(email: str) -> VaultwardenInvite:
    email = (email or "").strip()
    if not email or "@" not in email:
        return VaultwardenInvite(ok=False, status="invalid_email", detail="email invalid")
    # Prefer the service name when it works; fall back to pod IP because the Service can be misconfigured.
    base_url = f"http://{settings.VAULTWARDEN_SERVICE_HOST}"
    fallback_url = ""
    try:
        pod_ip = _k8s_find_pod_ip(settings.VAULTWARDEN_NAMESPACE, settings.VAULTWARDEN_POD_LABEL)
        fallback_url = f"http://{pod_ip}:{settings.VAULTWARDEN_POD_PORT}"
    except Exception:
        fallback_url = ""
    last_error = ""
    for candidate in [base_url, fallback_url]:
        if not candidate:
            continue
        try:
            session = _admin_session(candidate)
            resp = session.post("/admin/invite", json={"email": email})
            if resp.status_code == 429:
                return VaultwardenInvite(ok=False, status="rate_limited", detail="vaultwarden rate limited")
            if resp.status_code in {200, 201, 204}:
                return VaultwardenInvite(ok=True, status="invited", detail="invite created")
            # Treat "already exists/invited" as success for idempotency.
            body = ""
            try:
                body = resp.text or ""
            except Exception:
                body = ""
            if resp.status_code in {400, 409} and any(
                marker in body.lower()
                for marker in (
                    "already invited",
                    "already exists",
                    "already registered",
                    "user already exists",
                )
            ):
                return VaultwardenInvite(ok=True, status="already_present", detail="user already present")
            last_error = f"status {resp.status_code}"
        except Exception as exc:
            last_error = str(exc)
            continue
    return VaultwardenInvite(ok=False, status="error", detail=last_error or "failed to invite")
--- a/frontend/src/views/AccountView.vue
+++ b/frontend/src/views/AccountView.vue
@ -412,6 +412,14 @@ async function copy(key, text) {
  margin-bottom: 12px;
 }
 .hero-actions {
  display: flex;
  flex-wrap: wrap;
  align-items: center;
  justify-content: flex-end;
  gap: 10px;
 }
 .eyebrow {
  text-transform: uppercase;
  letter-spacing: 0.08em;