bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

comms: ensure synapse device for admin token

Browse Source
This commit is contained in:
Brad Stein 2026-01-28 18:10:55 -03:00
parent bb0acd4f60
commit 87c6e085a4
1 changed files with 22 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
services/comms/oneoffs/synapse-admin-ensure-job.yaml
View File

@ -1,12 +1,12 @@
# services/comms/oneoffs/synapse-admin-ensure-job.yaml # services/comms/oneoffs/synapse-admin-ensure-job.yaml
# One-off job for comms/synapse-admin-ensure-8. # One-off job for comms/synapse-admin-ensure-9.
# Purpose: synapse admin ensure 8 (see container args/env in this file). # Purpose: synapse admin ensure 9 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true. # Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously. # Safe to delete the finished Job/pod; it should not run continuously.
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: synapse-admin-ensure-8 name: synapse-admin-ensure-9
namespace: comms namespace: comms
spec: spec:
suspend: false suspend: false
@ -186,6 +186,21 @@ spec:
(token_id, user_id, token_value, "ariadne-admin"), (token_id, user_id, token_value, "ariadne-admin"),
) )
def ensure_device(cur, user_id, device_id):
cur.execute(
"SELECT 1 FROM devices WHERE user_id = %s AND device_id = %s",
(user_id, device_id),
)
if cur.fetchone():
return
cur.execute(
"""
INSERT INTO devices (user_id, device_id, display_name, last_seen, ip, user_agent, hidden)
VALUES (%s, %s, %s, %s, NULL, NULL, FALSE)
""",
(user_id, device_id, "ariadne-admin", int(time.time() * 1000)),
)
def admin_token_valid(token: str, user_id: str) -> bool: def admin_token_valid(token: str, user_id: str) -> bool:
if not token or not SYNAPSE_ADMIN_URL: if not token or not SYNAPSE_ADMIN_URL:
return False return False
@ -228,16 +243,20 @@ spec:
password=pg_password, password=pg_password,
) )
token_value = secrets.token_urlsafe(32) token_value = secrets.token_urlsafe(32)
device_id = "ariadne-admin"
try: try:
with conn: with conn:
with conn.cursor() as cur: with conn.cursor() as cur:
cols = get_cols(cur) cols = get_cols(cur)
ensure_user(cur, cols, user_id, admin_data["password"], True) ensure_user(cur, cols, user_id, admin_data["password"], True)
ensure_device(cur, user_id, device_id)
ensure_access_token(cur, user_id, token_value) ensure_access_token(cur, user_id, token_value)
finally: finally:
conn.close() conn.close()
admin_data["access_token"] = token_value admin_data["access_token"] = token_value
vault_put(vault_token, "comms/synapse-admin", admin_data) vault_put(vault_token, "comms/synapse-admin", admin_data)
if not admin_token_valid(token_value, user_id):
raise RuntimeError("synapse admin token validation failed")
log("synapse admin token stored") log("synapse admin token stored")
PY PY