nextcloud-mail-sync: harden keycloak fetch

2026-01-18 02:37:26 -03:00 · 2026-01-18 02:37:26 -03:00 · a6ac0c363e
commit a6ac0c363e
parent 0d27107411
2 changed files with 9 additions and 5 deletions
--- a/services/nextcloud-mail-sync/cronjob.yaml
+++ b/services/nextcloud-mail-sync/cronjob.yaml
@ -57,7 +57,7 @@ spec:
                - -c
              env:
                - name: KC_BASE
-                  value: https://sso.bstein.dev
+                  value: http://keycloak.sso.svc.cluster.local
                - name: KC_REALM
                  value: atlas
                - name: MAILU_DOMAIN
--- a/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
+++ b/services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
@ -81,7 +81,7 @@ list_mail_accounts() {
 }

 token=$(
-  curl -s -d "grant_type=password" \
+  curl -fsS -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KC_ADMIN_USER}" \
    -d "password=${KC_ADMIN_PASS}" \
@ -95,13 +95,17 @@ fi

 cd /var/www/html

-kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000"
+kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000&briefRepresentation=false"
 if [[ -n "${ONLY_USERNAME}" ]]; then
  username_q=$(jq -nr --arg v "${ONLY_USERNAME}" '$v|@uri')
-  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1"
+  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1&briefRepresentation=false"
 fi

-users=$(curl -s -H "Authorization: Bearer ${token}" "${kc_users_url}")
+users=$(curl -fsS -H "Authorization: Bearer ${token}" "${kc_users_url}")
+if ! jq -e 'type == "array"' >/dev/null 2>&1 <<<"${users}"; then
+  echo "ERROR: Keycloak user list is not an array; aborting sync" >&2
+  exit 1
+fi

 kc_set_user_mail_meta() {
  local user_id="${1}"