comms: verify mas bot logins

Brad Stein 2026-01-08 05:21:30 -03:00
parent fa6566ffc8
commit 94c1395c8c


@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: mas-local-users-ensure-1 name: mas-local-users-ensure-2
namespace: comms namespace: comms
spec: spec:
backoffLimit: 1 backoffLimit: 1
@ -64,6 +64,7 @@ spec:
MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"] MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"] MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/") MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
AUTH_BASE = "http://matrix-authentication-service:8080"
def admin_token(): def admin_token():
with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f: with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
@ -97,7 +98,8 @@ spec:
return r.json()["data"] return r.json()["data"]
def create_user(token, username, password): def create_user(token, username, password):
payload = { payloads = [
{
"data": { "data": {
"type": "user", "type": "user",
"attributes": { "attributes": {
@ -105,7 +107,10 @@ spec:
"password": password, "password": password,
}, },
} }
} },
{"username": username, "password": password},
]
for payload in payloads:
r = requests.post( r = requests.post(
f"{MAS_ADMIN_API_BASE}/users", f"{MAS_ADMIN_API_BASE}/users",
headers={"Authorization": f"Bearer {token}"}, headers={"Authorization": f"Bearer {token}"},
@ -113,14 +118,14 @@ spec:
timeout=30, timeout=30,
) )
if r.status_code in (200, 201): if r.status_code in (200, 201):
return r.json()["data"] return r.json().get("data") or {}
if r.status_code == 409: if r.status_code == 409:
return None return None
r.raise_for_status()
return None return None
def update_password(token, user_id, password): def update_password(token, user_id, password):
payload = { payloads = [
{
"data": { "data": {
"type": "user", "type": "user",
"id": user_id, "id": user_id,
@ -128,7 +133,10 @@ spec:
"password": password, "password": password,
}, },
} }
} },
{"password": password},
]
for payload in payloads:
r = requests.patch( r = requests.patch(
f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}", f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}",
headers={"Authorization": f"Bearer {token}"}, headers={"Authorization": f"Bearer {token}"},
@ -137,17 +145,33 @@ spec:
) )
if r.status_code in (200, 204): if r.status_code in (200, 204):
return True return True
return False r = requests.post(
f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}/password",
headers={"Authorization": f"Bearer {token}"},
json={"password": password},
timeout=30,
)
return r.status_code in (200, 204)
def ensure_user(token, username, password): def ensure_user(token, username, password):
user = get_user(token, username) user = get_user(token, username)
if user is None: if user is None:
user = create_user(token, username, password) user = create_user(token, username, password)
if user is None:
user = get_user(token, username) user = get_user(token, username)
if user is None: if user is None:
raise RuntimeError(f"failed to ensure user {username}") raise RuntimeError(f"failed to ensure user {username}")
update_password(token, user["id"], password) update_password(token, user["id"], password)
r = requests.post(
f"{AUTH_BASE}/_matrix/client/v3/login",
json={
"type": "m.login.password",
"identifier": {"type": "m.id.user", "user": username},
"password": password,
},
timeout=30,
)
if r.status_code != 200:
raise RuntimeError(f"login failed for {username}: {r.status_code} {r.text}")
token = admin_token() token = admin_token()
ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"]) ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
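Review bot: The login check added at the end of ensure_user opens a new session on every run and never closes it. Per the Matrix client-server spec, a successful `m.login.password` request returns an access token and a device id, and the code only inspects the status code. Each Job run therefore leaves one more live token per account behind, which widens what a later token or database leak exposes; logging out with the returned token right after the check keeps the verification without the residue. Separately, `AUTH_BASE` is the only endpoint here that is hard-coded rather than read from the environment, and it is plain `http://`, so the password crosses the cluster network unencrypted unless a mesh or network policy covers that path (not visible in this diff).

```python
    # … unchanged: user lookup/creation, password update and the login request …
    if r.status_code != 200:
        raise RuntimeError(f"login failed for {username}: {r.status_code} {r.text}")
    # Close the session the check just opened so no token outlives the Job.
    access_token = r.json().get("access_token")
    if access_token:
        requests.post(
            f"{AUTH_BASE}/_matrix/client/v3/logout",
            headers={"Authorization": f"Bearer {access_token}"},
            timeout=30,
        )
```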