comms: ensure synapse device for admin token

services/comms/oneoffs/synapse-admin-ensure-job.yaml

@@ -1,12 +1,12 @@
 # services/comms/oneoffs/synapse-admin-ensure-job.yaml
-# One-off job for comms/synapse-admin-ensure-8.
-# Purpose: synapse admin ensure 8 (see container args/env in this file).
+# One-off job for comms/synapse-admin-ensure-9.
+# Purpose: synapse admin ensure 9 (see container args/env in this file).
 # Run by setting spec.suspend to false, reconcile, then set it back to true.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: synapse-admin-ensure-8
+  name: synapse-admin-ensure-9
   namespace: comms
 spec:
   suspend: false
@@ -186,6 +186,21 @@ spec:
                       (token_id, user_id, token_value, "ariadne-admin"),
                   )
 
+              def ensure_device(cur, user_id, device_id):
+                  cur.execute(
+                      "SELECT 1 FROM devices WHERE user_id = %s AND device_id = %s",
+                      (user_id, device_id),
+                  )
+                  if cur.fetchone():
+                      return
+                  cur.execute(
+                      """
+                      INSERT INTO devices (user_id, device_id, display_name, last_seen, ip, user_agent, hidden)
+                      VALUES (%s, %s, %s, %s, NULL, NULL, FALSE)
+                      """,
+                      (user_id, device_id, "ariadne-admin", int(time.time() * 1000)),
+                  )
+
               def admin_token_valid(token: str, user_id: str) -> bool:
                   if not token or not SYNAPSE_ADMIN_URL:
                       return False
@@ -228,16 +243,20 @@ spec:
                   password=pg_password,
               )
               token_value = secrets.token_urlsafe(32)
+              device_id = "ariadne-admin"
               try:
                   with conn:
                       with conn.cursor() as cur:
                           cols = get_cols(cur)
                           ensure_user(cur, cols, user_id, admin_data["password"], True)
+                          ensure_device(cur, user_id, device_id)
                           ensure_access_token(cur, user_id, token_value)
               finally:
                   conn.close()
 
               admin_data["access_token"] = token_value
               vault_put(vault_token, "comms/synapse-admin", admin_data)
+              if not admin_token_valid(token_value, user_id):
+                  raise RuntimeError("synapse admin token validation failed")
               log("synapse admin token stored")
               PY