comms/keycloak: add mailu email claim

2026-01-23 02:04:51 -03:00 · 2026-01-23 02:04:51 -03:00 · 3cacbad4c0
commit 3cacbad4c0
parent 3d633a5627
2 changed files with 48 additions and 1 deletions
--- a/services/comms/mas-configmap.yaml
+++ b/services/comms/mas-configmap.yaml
@ -72,7 +72,7 @@ data:
              template: "{{ user.name }}"
            email:
              action: force
-              template: "{{ user.email }}"
+              template: "{{ user.mailu_email }}"

    policy:
      data:
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@ -542,6 +542,53 @@ spec:
                          if status not in (201, 204):
                              raise SystemExit(f"Unexpected mailu email mapper create response: {status}")

+                      mailu_claim_mapper = {
+                          "name": "mailu-email-claim",
+                          "protocol": "openid-connect",
+                          "protocolMapper": "oidc-usermodel-attribute-mapper",
+                          "consentRequired": False,
+                          "config": {
+                              "user.attribute": "mailu_email",
+                              "claim.name": "mailu_email",
+                              "jsonType.label": "String",
+                              "id.token.claim": "true",
+                              "access.token.claim": "true",
+                              "userinfo.token.claim": "true",
+                              "multivalued": "false",
+                              "aggregate.attrs": "false",
+                          },
+                      }
+                      status, mappers = http_json(
+                          "GET",
+                          f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
+                          access_token,
+                      )
+                      existing_claim = None
+                      if status == 200 and isinstance(mappers, list):
+                          for item in mappers:
+                              if isinstance(item, dict) and item.get("name") == mailu_claim_mapper["name"]:
+                                  existing_claim = item
+                                  break
+                      if existing_claim and existing_claim.get("id"):
+                          mailu_claim_mapper["id"] = existing_claim["id"]
+                          status, _ = http_json(
+                              "PUT",
+                              f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models/{existing_claim['id']}",
+                              access_token,
+                              mailu_claim_mapper,
+                          )
+                          if status not in (200, 204):
+                              raise SystemExit(f"Unexpected mailu email claim mapper update response: {status}")
+                      else:
+                          status, _ = http_json(
+                              "POST",
+                              f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
+                              access_token,
+                              mailu_claim_mapper,
+                          )
+                          if status not in (201, 204):
+                              raise SystemExit(f"Unexpected mailu email claim mapper create response: {status}")
+
              # Ensure MFA is on by default for newly-created users.
              status, required_actions = http_json(
                  "GET",