titan-iac/services/comms/bstein-force-leave-job.yaml

# services/comms/bstein-force-leave-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: bstein-leave-rooms-6
  namespace: comms
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      volumes:
        - name: mas-admin-client
          secret:
            secretName: mas-admin-client-runtime
            items:
              - key: client_secret
                path: client_secret
      containers:
        - name: leave
          image: python:3.11-slim
          volumeMounts:
            - name: mas-admin-client
              mountPath: /etc/mas-admin-client
              readOnly: true
          env:
            - name: MAS_ADMIN_CLIENT_ID
              value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
            - name: MAS_ADMIN_CLIENT_SECRET_FILE
              value: /etc/mas-admin-client/client_secret
            - name: MAS_TOKEN_URL
              value: http://matrix-authentication-service:8080/oauth2/token
            - name: MAS_ADMIN_API_BASE
              value: http://matrix-authentication-service:8081/api/admin/v1
            - name: SYNAPSE_BASE
              value: http://matrix-authentication-service:8080
            - name: TARGET_USERNAME
              value: bstein
            - name: TARGET_ROOMS
              value: "!OkltaJguODUnZrbcUp:live.bstein.dev,!pMKAVvSRheIOCPIjDM:live.bstein.dev"
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              python - <<'PY'
              import base64
              import json
              import os
              import urllib.error
              import urllib.parse
              import urllib.request
              import time

              MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]
              MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
              MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
              MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
              SYNAPSE_BASE = os.environ["SYNAPSE_BASE"].rstrip("/")
              TARGET_USERNAME = os.environ["TARGET_USERNAME"]
              TARGET_ROOMS = [r.strip() for r in os.environ["TARGET_ROOMS"].split(",") if r.strip()]

              def http_json(method, url, *, headers=None, json_body=None, form=None, timeout=30):
                  req_headers = dict(headers or {})
                  data = None

                  if json_body is not None and form is not None:
                      raise ValueError("choose json_body or form, not both")

                  if json_body is not None:
                      data = json.dumps(json_body).encode()
                      req_headers.setdefault("Content-Type", "application/json")

                  if form is not None:
                      data = urllib.parse.urlencode(form).encode()
                      req_headers.setdefault("Content-Type", "application/x-www-form-urlencoded")

                  req = urllib.request.Request(url, data=data, method=method, headers=req_headers)
                  try:
                      with urllib.request.urlopen(req, timeout=timeout) as resp:
                          raw = resp.read()
                          payload = json.loads(raw.decode("utf-8")) if raw else None
                          return resp.status, payload
                  except urllib.error.HTTPError as e:
                      raw = e.read()
                      try:
                          payload = json.loads(raw.decode("utf-8")) if raw else None
                      except Exception:
                          payload = None
                      return e.code, payload
                  except urllib.error.URLError:
                      return 0, None

              with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
                  mas_admin_client_secret = f.read().strip()
              if not mas_admin_client_secret:
                  raise RuntimeError("MAS admin client secret file is empty")

              basic = base64.b64encode(f"{MAS_ADMIN_CLIENT_ID}:{mas_admin_client_secret}".encode()).decode()
              token_status = 0
              token_payload = None
              for attempt in range(1, 6):
                  token_status, token_payload = http_json(
                      "POST",
                      MAS_TOKEN_URL,
                      headers={"Authorization": f"Basic {basic}"},
                      form={"grant_type": "client_credentials", "scope": "urn:mas:admin"},
                      timeout=30,
                  )
                  if token_status == 200 and token_payload and "access_token" in token_payload:
                      break
                  time.sleep(attempt * 2)
              if token_status != 200 or not token_payload or "access_token" not in token_payload:
                  raise RuntimeError(f"MAS admin token request failed (HTTP {token_status})")
              mas_admin_token = token_payload["access_token"]

              user_status, user_payload = http_json(
                  "GET",
                  f"{MAS_ADMIN_API_BASE}/users/by-username/{urllib.parse.quote(TARGET_USERNAME)}",
                  headers={"Authorization": f"Bearer {mas_admin_token}"},
                  timeout=30,
              )
              if user_status != 200 or not user_payload or "data" not in user_payload or "id" not in user_payload["data"]:
                  raise RuntimeError(f"MAS user lookup failed (HTTP {user_status})")
              actor_user_id = user_payload["data"]["id"]

              sess_status, sess_payload = http_json(
                  "POST",
                  f"{MAS_ADMIN_API_BASE}/personal-sessions",
                  headers={"Authorization": f"Bearer {mas_admin_token}"},
                  json_body={
                      "actor_user_id": actor_user_id,
                      "human_name": "bstein room cleanup",
                      "scope": "urn:matrix:client:api:*",
                      "expires_in": 300,
                  },
                  timeout=30,
              )
              if sess_status != 201 or not sess_payload or "data" not in sess_payload:
                  raise RuntimeError(f"MAS personal session create failed (HTTP {sess_status})")

              personal_session_id = sess_payload["data"]["id"]
              personal_token = (sess_payload.get("data", {}).get("attributes", {}) or {}).get("access_token")
              if not personal_token:
                  raise RuntimeError("MAS personal session did not return an access token")

              results = {"rooms": {}, "revoke": None}
              failures = []

              try:
                  for room_id in TARGET_ROOMS:
                      room_q = urllib.parse.quote(room_id, safe="")
                      leave_status = 0
                      forget_status = 0
                      for attempt in range(1, 6):
                          leave_status, _ = http_json(
                              "POST",
                              f"{SYNAPSE_BASE}/_matrix/client/v3/rooms/{room_q}/leave",
                              headers={"Authorization": f"Bearer {personal_token}"},
                              json_body={},
                              timeout=30,
                          )
                          forget_status, _ = http_json(
                              "POST",
                              f"{SYNAPSE_BASE}/_matrix/client/v3/rooms/{room_q}/forget",
                              headers={"Authorization": f"Bearer {personal_token}"},
                              json_body={},
                              timeout=30,
                          )
                          if leave_status in (200, 404) and forget_status in (200, 404):
                              break
                          time.sleep(attempt * 2)
                      results["rooms"][room_id] = {"leave": leave_status, "forget": forget_status}
                      if leave_status not in (200, 404) or forget_status not in (200, 404):
                          failures.append(room_id)
              finally:
                  revoke_status, _ = http_json(
                      "POST",
                      f"{MAS_ADMIN_API_BASE}/personal-sessions/{urllib.parse.quote(personal_session_id)}/revoke",
                      headers={"Authorization": f"Bearer {mas_admin_token}"},
                      json_body={},
                      timeout=30,
                  )
                  results["revoke"] = revoke_status

              print(json.dumps(results, indent=2, sort_keys=True))
              if failures:
                  raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}")
              PY
comms: consolidate stack manifests 2026-01-08 01:55:58 -03:00			`# services/comms/bstein-force-leave-job.yaml`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
comms: accept missing rooms in cleanup 2026-01-08 04:42:19 -03:00			`name: bstein-leave-rooms-6`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`namespace: comms`
			`spec:`
			`backoffLimit: 0`
			`template:`
			`spec:`
			`restartPolicy: Never`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`volumes:`
			`- name: mas-admin-client`
			`secret:`
			`secretName: mas-admin-client-runtime`
			`items:`
			`- key: client_secret`
			`path: client_secret`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`containers:`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`- name: leave`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`image: python:3.11-slim`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`volumeMounts:`
			`- name: mas-admin-client`
			`mountPath: /etc/mas-admin-client`
			`readOnly: true`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`env:`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`- name: MAS_ADMIN_CLIENT_ID`
			`value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM`
			`- name: MAS_ADMIN_CLIENT_SECRET_FILE`
			`value: /etc/mas-admin-client/client_secret`
			`- name: MAS_TOKEN_URL`
			`value: http://matrix-authentication-service:8080/oauth2/token`
			`- name: MAS_ADMIN_API_BASE`
			`value: http://matrix-authentication-service:8081/api/admin/v1`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`- name: SYNAPSE_BASE`
comms: use mas proxy for leave job 2026-01-08 04:37:33 -03:00			`value: http://matrix-authentication-service:8080`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`- name: TARGET_USERNAME`
			`value: bstein`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`- name: TARGET_ROOMS`
			`value: "!OkltaJguODUnZrbcUp:live.bstein.dev,!pMKAVvSRheIOCPIjDM:live.bstein.dev"`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`set -euo pipefail`
			`python - <<'PY'`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`import base64`
			`import json`
			`import os`
			`import urllib.error`
			`import urllib.parse`
			`import urllib.request`
comms: retry mas token for room cleanup 2026-01-08 04:29:29 -03:00			`import time`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00
			`MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]`
			`MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]`
			`MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]`
			`MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")`
			`SYNAPSE_BASE = os.environ["SYNAPSE_BASE"].rstrip("/")`
			`TARGET_USERNAME = os.environ["TARGET_USERNAME"]`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`TARGET_ROOMS = [r.strip() for r in os.environ["TARGET_ROOMS"].split(",") if r.strip()]`

comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`def http_json(method, url, *, headers=None, json_body=None, form=None, timeout=30):`
			`req_headers = dict(headers or {})`
			`data = None`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`if json_body is not None and form is not None:`
			`raise ValueError("choose json_body or form, not both")`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`if json_body is not None:`
			`data = json.dumps(json_body).encode()`
			`req_headers.setdefault("Content-Type", "application/json")`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`if form is not None:`
			`data = urllib.parse.urlencode(form).encode()`
			`req_headers.setdefault("Content-Type", "application/x-www-form-urlencoded")`
comms: force leave old rooms (v2) 2026-01-01 17:14:27 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`req = urllib.request.Request(url, data=data, method=method, headers=req_headers)`
comms: force leave old rooms (v2) 2026-01-01 17:14:27 -03:00			`try:`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`with urllib.request.urlopen(req, timeout=timeout) as resp:`
			`raw = resp.read()`
			`payload = json.loads(raw.decode("utf-8")) if raw else None`
			`return resp.status, payload`
			`except urllib.error.HTTPError as e:`
			`raw = e.read()`
comms: debug bstein room cleanup 2026-01-01 17:22:55 -03:00			`try:`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`payload = json.loads(raw.decode("utf-8")) if raw else None`
			`except Exception:`
			`payload = None`
			`return e.code, payload`
comms: retry mas token for room cleanup 2026-01-08 04:29:29 -03:00			`except urllib.error.URLError:`
			`return 0, None`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00
			`with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:`
			`mas_admin_client_secret = f.read().strip()`
			`if not mas_admin_client_secret:`
			`raise RuntimeError("MAS admin client secret file is empty")`

			`basic = base64.b64encode(f"{MAS_ADMIN_CLIENT_ID}:{mas_admin_client_secret}".encode()).decode()`
comms: retry mas token for room cleanup 2026-01-08 04:29:29 -03:00			`token_status = 0`
			`token_payload = None`
			`for attempt in range(1, 6):`
			`token_status, token_payload = http_json(`
			`"POST",`
			`MAS_TOKEN_URL,`
			`headers={"Authorization": f"Basic {basic}"},`
			`form={"grant_type": "client_credentials", "scope": "urn:mas:admin"},`
			`timeout=30,`
			`)`
			`if token_status == 200 and token_payload and "access_token" in token_payload:`
			`break`
			`time.sleep(attempt * 2)`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`if token_status != 200 or not token_payload or "access_token" not in token_payload:`
			`raise RuntimeError(f"MAS admin token request failed (HTTP {token_status})")`
			`mas_admin_token = token_payload["access_token"]`

			`user_status, user_payload = http_json(`
			`"GET",`
			`f"{MAS_ADMIN_API_BASE}/users/by-username/{urllib.parse.quote(TARGET_USERNAME)}",`
			`headers={"Authorization": f"Bearer {mas_admin_token}"},`
			`timeout=30,`
			`)`
			`if user_status != 200 or not user_payload or "data" not in user_payload or "id" not in user_payload["data"]:`
			`raise RuntimeError(f"MAS user lookup failed (HTTP {user_status})")`
			`actor_user_id = user_payload["data"]["id"]`

			`sess_status, sess_payload = http_json(`
			`"POST",`
			`f"{MAS_ADMIN_API_BASE}/personal-sessions",`
			`headers={"Authorization": f"Bearer {mas_admin_token}"},`
			`json_body={`
			`"actor_user_id": actor_user_id,`
			`"human_name": "bstein room cleanup",`
			`"scope": "urn:matrix:client:api:*",`
			`"expires_in": 300,`
			`},`
			`timeout=30,`
			`)`
			`if sess_status != 201 or not sess_payload or "data" not in sess_payload:`
			`raise RuntimeError(f"MAS personal session create failed (HTTP {sess_status})")`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`personal_session_id = sess_payload["data"]["id"]`
			`personal_token = (sess_payload.get("data", {}).get("attributes", {}) or {}).get("access_token")`
			`if not personal_token:`
			`raise RuntimeError("MAS personal session did not return an access token")`
comms: force leave old rooms (v2) 2026-01-01 17:14:27 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`results = {"rooms": {}, "revoke": None}`
			`failures = []`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`try:`
			`for room_id in TARGET_ROOMS:`
			`room_q = urllib.parse.quote(room_id, safe="")`
comms: retry room leave actions 2026-01-08 04:32:05 -03:00			`leave_status = 0`
			`forget_status = 0`
			`for attempt in range(1, 6):`
			`leave_status, _ = http_json(`
			`"POST",`
			`f"{SYNAPSE_BASE}/_matrix/client/v3/rooms/{room_q}/leave",`
			`headers={"Authorization": f"Bearer {personal_token}"},`
			`json_body={},`
			`timeout=30,`
			`)`
			`forget_status, _ = http_json(`
			`"POST",`
			`f"{SYNAPSE_BASE}/_matrix/client/v3/rooms/{room_q}/forget",`
			`headers={"Authorization": f"Bearer {personal_token}"},`
			`json_body={},`
			`timeout=30,`
			`)`
comms: accept missing rooms in cleanup 2026-01-08 04:42:19 -03:00			`if leave_status in (200, 404) and forget_status in (200, 404):`
comms: retry room leave actions 2026-01-08 04:32:05 -03:00			`break`
			`time.sleep(attempt * 2)`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`results["rooms"][room_id] = {"leave": leave_status, "forget": forget_status}`
comms: accept missing rooms in cleanup 2026-01-08 04:42:19 -03:00			`if leave_status not in (200, 404) or forget_status not in (200, 404):`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`failures.append(room_id)`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`finally:`
comms: leave stuck rooms via MAS admin 2026-01-01 18:26:50 -03:00			`revoke_status, _ = http_json(`
			`"POST",`
			`f"{MAS_ADMIN_API_BASE}/personal-sessions/{urllib.parse.quote(personal_session_id)}/revoke",`
			`headers={"Authorization": f"Bearer {mas_admin_token}"},`
			`json_body={},`
			`timeout=30,`
			`)`
			`results["revoke"] = revoke_status`

			`print(json.dumps(results, indent=2, sort_keys=True))`
			`if failures:`
			`raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}")`
comms: force leave old rooms 2026-01-01 17:01:55 -03:00			`PY`