keycloak: allow mailu_email + groups
This commit is contained in:
parent
5c618c6560
commit
0b211520cb
@ -2,7 +2,7 @@
|
|||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
name: keycloak-realm-settings-11
|
name: keycloak-realm-settings-12
|
||||||
namespace: sso
|
namespace: sso
|
||||||
spec:
|
spec:
|
||||||
backoffLimit: 0
|
backoffLimit: 0
|
||||||
@ -137,6 +137,56 @@ spec:
|
|||||||
if status not in (200, 204):
|
if status not in (200, 204):
|
||||||
raise SystemExit(f"Unexpected realm update response: {status}")
|
raise SystemExit(f"Unexpected realm update response: {status}")
|
||||||
|
|
||||||
|
# Ensure required custom user-profile attributes exist.
|
||||||
|
profile_url = f"{base_url}/admin/realms/{realm}/users/profile"
|
||||||
|
status, profile = http_json("GET", profile_url, access_token)
|
||||||
|
if status == 200 and isinstance(profile, dict):
|
||||||
|
attrs = profile.get("attributes")
|
||||||
|
if not isinstance(attrs, list):
|
||||||
|
attrs = []
|
||||||
|
has_mailu_email = any(
|
||||||
|
isinstance(item, dict) and item.get("name") == "mailu_email" for item in attrs
|
||||||
|
)
|
||||||
|
if not has_mailu_email:
|
||||||
|
attrs.append(
|
||||||
|
{
|
||||||
|
"name": "mailu_email",
|
||||||
|
"displayName": "Atlas Mailbox",
|
||||||
|
"multivalued": False,
|
||||||
|
"annotations": {"group": "user-metadata"},
|
||||||
|
"permissions": {"view": ["admin"], "edit": ["admin"]},
|
||||||
|
"validations": {"email": {}, "length": {"max": 255}},
|
||||||
|
}
|
||||||
|
)
|
||||||
|
profile["attributes"] = attrs
|
||||||
|
status, _ = http_json("PUT", profile_url, access_token, profile)
|
||||||
|
if status not in (200, 204):
|
||||||
|
raise SystemExit(f"Unexpected user-profile update response: {status}")
|
||||||
|
|
||||||
|
# Ensure basic realm groups exist for provisioning.
|
||||||
|
for group_name in ("dev", "admin"):
|
||||||
|
status, groups = http_json(
|
||||||
|
"GET",
|
||||||
|
f"{base_url}/admin/realms/{realm}/groups?search={urllib.parse.quote(group_name)}",
|
||||||
|
access_token,
|
||||||
|
)
|
||||||
|
exists = False
|
||||||
|
if status == 200 and isinstance(groups, list):
|
||||||
|
for item in groups:
|
||||||
|
if isinstance(item, dict) and item.get("name") == group_name:
|
||||||
|
exists = True
|
||||||
|
break
|
||||||
|
if exists:
|
||||||
|
continue
|
||||||
|
status, _ = http_json(
|
||||||
|
"POST",
|
||||||
|
f"{base_url}/admin/realms/{realm}/groups",
|
||||||
|
access_token,
|
||||||
|
{"name": group_name},
|
||||||
|
)
|
||||||
|
if status not in (201, 204):
|
||||||
|
raise SystemExit(f"Unexpected group create response for {group_name}: {status}")
|
||||||
|
|
||||||
# Ensure MFA is on by default for newly-created users.
|
# Ensure MFA is on by default for newly-created users.
|
||||||
status, required_actions = http_json(
|
status, required_actions = http_json(
|
||||||
"GET",
|
"GET",
|
||||||
|
|||||||
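Review bot: The user-profile step in the second hunk silently skips its work when `GET .../users/profile` does not return 200 with a dict body — the `if status == 200 and isinstance(profile, dict):` guard has no else branch — whereas the realm update and the group create both `raise SystemExit` on an unexpected status, so an expired admin token or a Keycloak build without the declarative user-profile endpoint leaves the realm without the admin-only `mailu_email` attribute while the Job still reports success. Add `else: raise SystemExit(f"Unexpected user-profile fetch response: {status}")` so the failure is visible instead of swallowed. The group loop has the same gap in the other direction: any non-200 on the groups GET leaves `exists = False` and falls through to the POST, turning a transient or auth error into a create attempt that will most likely be rejected as a duplicate and abort the job with a misleading "group create" message; check `if status != 200: raise SystemExit(f"Unexpected group lookup response for {group_name}: {status}")` before scanning the result. Restricting `edit` to `["admin"]` on the new attribute is the right choice, since users must not be able to remap their own mailbox; a one-line comment stating that intent, e.g. `# admin-only: users must not edit their own mailbox mapping`, would keep a later maintainer from loosening it.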