keycloak: enforce bstein group membership

2026-01-16 17:36:07 -03:00 · 2026-01-16 17:36:07 -03:00 · 1eb7d58259
commit 1eb7d58259
parent 401df4d68c
1 changed files with 48 additions and 39 deletions
--- a/services/keycloak/user-overrides-job.yaml
+++ b/services/keycloak/user-overrides-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-user-overrides-6
+  name: keycloak-user-overrides-7
  namespace: sso
 spec:
  backoffLimit: 0
@ -150,53 +150,62 @@ spec:
              if not isinstance(attrs, dict):
                  attrs = {}
              existing = attrs.get("mailu_email")
              needs_update = True
              if isinstance(existing, list) and existing and existing[0] == override_mailu_email:
-                  raise SystemExit(0)
+                  needs_update = False
              if isinstance(existing, str) and existing == override_mailu_email:
-                  raise SystemExit(0)
+                  needs_update = False
-              attrs["mailu_email"] = [override_mailu_email]
+              if needs_update:
-              status, _ = http_json(
+                  attrs["mailu_email"] = [override_mailu_email]
-                  "PUT",
+                  status, _ = http_json(
-                  f"{base_url}/admin/realms/{realm}/users/{user_id}",
+                      "PUT",
-                  access_token,
+                      f"{base_url}/admin/realms/{realm}/users/{user_id}",
-                  {"attributes": attrs},
+                      access_token,
-              )
+                      {"attributes": attrs},
-              if status not in (200, 204):
+                  )
-                  raise SystemExit(f"Unexpected user update response: {status}")
+                  if status not in (200, 204):
                      raise SystemExit(f"Unexpected user update response: {status}")
-              # Ensure the user is in the admin group for Vault access.
+              # Ensure the user is in the admin and planka-users groups.
-              status, groups = http_json(
+              def ensure_group(group_name: str) -> None:
-                  "GET",
+                  status, groups = http_json(
-                  f"{base_url}/admin/realms/{realm}/groups?search=admin",
+                      "GET",
-                  access_token,
+                      f"{base_url}/admin/realms/{realm}/groups?search={urllib.parse.quote(group_name)}",
-              )
+                      access_token,
-              if status != 200 or not isinstance(groups, list):
+                  )
-                  raise SystemExit("Unable to fetch groups")
+                  if status != 200 or not isinstance(groups, list):
-              group_id = ""
+                      raise SystemExit("Unable to fetch groups")
-              for item in groups:
+                  group_id = ""
-                  if isinstance(item, dict) and item.get("name") == "admin":
+                  for item in groups:
-                      group_id = item.get("id") or ""
+                      if isinstance(item, dict) and item.get("name") == group_name:
-                      break
+                          group_id = item.get("id") or ""
-              if not group_id:
+                          break
-                  raise SystemExit("admin group not found")
+                  if not group_id:
-              status, memberships = http_json(
+                      raise SystemExit(f"{group_name} group not found")
-                  "GET",
+                  status, memberships = http_json(
-                  f"{base_url}/admin/realms/{realm}/users/{user_id}/groups",
+                      "GET",
-                  access_token,
+                      f"{base_url}/admin/realms/{realm}/users/{user_id}/groups",
-              )
+                      access_token,
-              if status != 200 or not isinstance(memberships, list):
+                  )
-                  raise SystemExit("Unable to read user groups")
+                  if status != 200 or not isinstance(memberships, list):
-              already = any(
+                      raise SystemExit("Unable to read user groups")
-                  isinstance(item, dict) and item.get("id") == group_id for item in memberships
+                  already = any(
-              )
+                      isinstance(item, dict) and item.get("id") == group_id for item in memberships
-              if not already:
+                  )
                  if already:
                      return
                  status, _ = http_json(
                      "PUT",
                      f"{base_url}/admin/realms/{realm}/users/{user_id}/groups/{group_id}",
                      access_token,
                  )
                  if status not in (200, 204):
-                      raise SystemExit(f"Unexpected group update response: {status}")
+                      raise SystemExit(
                          f"Unexpected group update response for {group_name}: {status}"
                      )
              for group in ("admin", "planka-users"):
                  ensure_group(group)
              PY
          volumeMounts: