From a6ac0c363ef736fc60ec83e7e84c064d7906f358 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 18 Jan 2026 02:37:26 -0300
Subject: [PATCH] nextcloud-mail-sync: harden keycloak fetch

---
 services/nextcloud-mail-sync/cronjob.yaml | 2 +-
 .../scripts/nextcloud-mail-sync.sh | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/services/nextcloud-mail-sync/cronjob.yaml b/services/nextcloud-mail-sync/cronjob.yaml
index 71aaef4..728bf98 100644
--- a/services/nextcloud-mail-sync/cronjob.yaml
+++ b/services/nextcloud-mail-sync/cronjob.yaml
@@ -57,7 +57,7 @@ spec:
             - -c
           env:
             - name: KC_BASE
-              value: https://sso.bstein.dev
+              value: http://keycloak.sso.svc.cluster.local
             - name: KC_REALM
               value: atlas
             - name: MAILU_DOMAIN
diff --git a/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh b/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
index 6c883fc..681308e 100755
--- a/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
+++ b/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
@@ -81,7 +81,7 @@ list_mail_accounts() {
 }
 
 token=$(
-  curl -s -d "grant_type=password" \
+  curl -fsS -d "grant_type=password" \
     -d "client_id=admin-cli" \
     -d "username=${KC_ADMIN_USER}" \
     -d "password=${KC_ADMIN_PASS}" \
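Review bot: The new `KC_BASE` value moves the admin-cli password grant and every bearer-token request that follows onto plain `http://`, so `KC_ADMIN_PASS` and the admin token now cross the pod network in cleartext unless the cluster encrypts east-west traffic (no mesh or mTLS sidecar is visible in this diff). Pointing at the in-cluster Service is fine for skipping the ingress round trip, but the scheme should stay TLS: `value: https://keycloak.sso.svc.cluster.local`, with the script pinning the internal issuer via `curl --cacert /path/to/keycloak-ca.crt` mounted from the issuing Secret. If the Keycloak Service genuinely exposes only its HTTP port, this line deserves a comment recording that transport protection is delegated to the mesh or NetworkPolicy, so the downgrade reads as deliberate rather than as a regression under a commit titled "harden".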
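Review bot: `-f` stops an HTML error page from being captured as the token, but the admin password is still handed to curl on argv (`-d "password=${KC_ADMIN_PASS}"`), so it is readable from `/proc/<pid>/cmdline` by any other process in the container while the request is in flight and lands verbatim in any `set -x` trace; it is also not URL-encoded, so a password containing `&`, `+` or `%` silently corrupts the form body. Both problems disappear if the form is built off argv with `jq @uri` (the idiom the script already uses for `ONLY_USERNAME`) and fed to curl on stdin with `--data-binary @-`. The `token=$(` assignment continues past the hunk; whatever consumes curl's output there (a `jq` pipe would mask curl's exit status unless `set -o pipefail` is in effect, which is not visible here) should be checked as well.
```shell
token=$(
  # Keep the admin credential out of argv/ps and URL-encode both fields;
  # curl reads the form body from stdin instead of -d arguments.
  printf 'grant_type=password&client_id=admin-cli&username=%s&password=%s' \
    "$(jq -nr --arg v "${KC_ADMIN_USER}" '$v|@uri')" \
    "$(jq -nr --arg v "${KC_ADMIN_PASS}" '$v|@uri')" \
  | curl -fsS --data-binary @-
  # … unchanged: token endpoint URL and the rest of the pipeline …
```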
@@ -95,13 +95,17 @@ fi
 
 cd /var/www/html
 
-kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000"
+kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000&briefRepresentation=false"
 if [[ -n "${ONLY_USERNAME}" ]]; then
   username_q=$(jq -nr --arg v "${ONLY_USERNAME}" '$v|@uri')
-  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1"
+  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1&briefRepresentation=false"
 fi
 
-users=$(curl -s -H "Authorization: Bearer ${token}" "${kc_users_url}")
+users=$(curl -fsS -H "Authorization: Bearer ${token}" "${kc_users_url}")
+if ! jq -e 'type == "array"' >/dev/null 2>&1 <<<"${users}"; then
+  echo "ERROR: Keycloak user list is not an array; aborting sync" >&2
+  exit 1
+fi
 
 kc_set_user_mail_meta() {
   local user_id="${1}"
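Review bot: The array check catches a non-JSON or error-object response, but `max=2000` on the unfiltered URL still truncates silently: once the realm passes 2000 users Keycloak returns the first page with no indication, and everyone beyond the cap is simply absent from this run (whether that also strips their mail account depends on code outside this hunk). The cheapest guard is to treat a full page as an error right after the array check: `if [[ -z "${ONLY_USERNAME}" ]] && (( $(jq 'length' <<<"${users}") >= 2000 )); then echo "ERROR: Keycloak user list hit the max=2000 page cap; paginate with first=/max= before syncing" >&2; exit 1; fi`, or loop over `first=` offsets until a short page comes back. With `briefRepresentation=false` every user's full representation including attributes arrives in one response, so keeping the page bounded matters either way. `kc_set_user_mail_meta` opens on the last lines of the hunk and its body continues outside it.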