From a7f68ddddb3fda52e5ab609c06f9460bdc77edc5 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sun, 4 Jan 2026 01:08:17 -0300
Subject: [PATCH] test: ensure smtp probe user has email

---
 .../test_keycloak_execute_actions_email.py    | 45 ++++++++++++++++---
 ...al-e2e-execute-actions-email-test-job.yaml |  2 +-
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/scripts/tests/test_keycloak_execute_actions_email.py b/scripts/tests/test_keycloak_execute_actions_email.py
index 2828f85..7d89a2e 100644
--- a/scripts/tests/test_keycloak_execute_actions_email.py
+++ b/scripts/tests/test_keycloak_execute_actions_email.py
@@ -130,13 +130,46 @@ def main() -> int:
     if not isinstance(user_id, str) or not user_id:
         raise SystemExit("probe user missing id")
 
-    # execute-actions-email requires the user to be enabled.
-    status, user = _request_json("GET", f"{admin_users_url}/{urllib.parse.quote(user_id)}", access_token, timeout_s=30)
-    if status == 200 and isinstance(user, dict) and user.get("enabled") is False:
+    # execute-actions-email requires the user to be enabled and have an email configured.
+    user_url = f"{admin_users_url}/{urllib.parse.quote(user_id)}"
+    user: dict | None = None
+    for attempt in range(1, 6):
+        status, body = _request_json("GET", user_url, access_token, timeout_s=30)
+        if status == 200 and isinstance(body, dict):
+            user = body
+            break
+        if status == 403 and attempt < 5:
+            time.sleep(3)
+            access_token = get_access_token()
+            continue
+        raise SystemExit(f"unexpected status fetching probe user: {status} body={body}")
+
+    if user is None:
+        raise SystemExit("probe user fetch did not return a user object")
+
+    needs_update = False
+    if user.get("enabled") is False:
         user["enabled"] = True
-        status, body = _request_json("PUT", f"{admin_users_url}/{urllib.parse.quote(user_id)}", access_token, user, timeout_s=30)
-        if status not in (200, 204):
-            raise SystemExit(f"unexpected status enabling probe user: {status} body={body}")
+        needs_update = True
+
+    if user.get("email") != probe_email:
+        user["email"] = probe_email
+        needs_update = True
+
+    if user.get("emailVerified") is not True:
+        user["emailVerified"] = True
+        needs_update = True
+
+    if needs_update:
+        for attempt in range(1, 6):
+            status, body = _request_json("PUT", user_url, access_token, user, timeout_s=30)
+            if status in (200, 204):
+                break
+            if status == 403 and attempt < 5:
+                time.sleep(3)
+                access_token = get_access_token()
+                continue
+            raise SystemExit(f"unexpected status updating probe user: {status} body={body}")
 
     # Trigger an email to validate Keycloak SMTP integration.
     query = urllib.parse.urlencode(
diff --git a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml
index 565aac8..877dd55 100644
--- a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml
+++ b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-portal-e2e-execute-actions-email-4
+  name: keycloak-portal-e2e-execute-actions-email-5
   namespace: sso
 spec:
   backoffLimit: 3