comms: make guest renamer MAS-only

2026-01-08 05:47:21 -03:00 · 2026-01-08 05:47:21 -03:00 · c909d45fda
commit c909d45fda
parent 0fc4b299da
1 changed files with 45 additions and 69 deletions
--- a/services/comms/guest-name-job.yaml
+++ b/services/comms/guest-name-job.yaml
@ -32,8 +32,6 @@ spec:
              env:
                - name: SYNAPSE_BASE
                  value: http://othrys-synapse-matrix-synapse:8008
                - name: AUTH_BASE
                  value: http://matrix-authentication-service:8080
                - name: MAS_ADMIN_CLIENT_ID
                  value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
                - name: MAS_ADMIN_CLIENT_SECRET_FILE
@ -44,11 +42,6 @@ spec:
                  value: http://matrix-authentication-service:8080/oauth2/token
                - name: SEEDER_USER
                  value: othrys-seeder
                - name: SEEDER_PASS
                  valueFrom:
                    secretKeyRef:
                      name: atlasbot-credentials-runtime
                      key: seeder-password
              command:
                - /bin/sh
                - -c
@ -75,13 +68,11 @@ spec:
                  ]
                  BASE = os.environ["SYNAPSE_BASE"]
                  AUTH_BASE = os.environ.get("AUTH_BASE", BASE)
                  MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]
                  MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
                  MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
                  MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
                  SEEDER_USER = os.environ["SEEDER_USER"]
                  SEEDER_PASS = os.environ["SEEDER_PASS"]
                  ROOM_ALIAS = "#othrys:live.bstein.dev"
                  def mas_admin_token():
@ -137,19 +128,6 @@ spec:
                          timeout=30,
                      )
                  def login(user, password):
                      r = requests.post(
                          f"{AUTH_BASE}/_matrix/client/v3/login",
                          json={
                              "type": "m.login.password",
                              "identifier": {"type": "m.id.user", "user": user},
                              "password": password,
                          },
                          timeout=30,
                      )
                      r.raise_for_status()
                      return r.json()["access_token"]
                  def resolve_alias(token, alias):
                      headers = {"Authorization": f"Bearer {token}"}
                      enc = urllib.parse.quote(alias)
@ -269,25 +247,48 @@ spec:
                  try:
                      room_id = resolve_alias(seeder_token, ROOM_ALIAS)
                      members, existing = room_members(seeder_token, room_id)
-                  finally:
+                      users = mas_list_users(admin_token)
-                      mas_revoke_session(admin_token, seeder_session)
+                      mas_usernames = set()
                      for user in users:
                          attrs = user.get("attributes") or {}
                          username = attrs.get("username") or ""
                          if username:
                              mas_usernames.add(username)
                          legacy_guest = attrs.get("legacy_guest")
                          if not username:
                              continue
                          if not (legacy_guest or needs_rename_username(username)):
                              continue
                          user_id = user_id_for_username(username)
                          access_token, session_id = mas_personal_session(admin_token, user["id"])
                          try:
                              display = get_displayname(access_token, user_id)
                              if display and not needs_rename_display(display):
                                  continue
                              new = None
                              for _ in range(30):
                                  candidate = f"{random.choice(ADJ)}-{random.choice(NOUN)}"
                                  if candidate not in existing:
                                      new = candidate
                                      existing.add(candidate)
                                      break
                              if not new:
                                  continue
                              set_displayname(access_token, room_id, user_id, new, user_id in members)
                          finally:
                              mas_revoke_session(admin_token, session_id)
-                  users = mas_list_users(admin_token)
+                      for entry in synapse_list_users(seeder_token):
-                  mas_usernames = set()
+                          user_id = entry.get("name") or ""
-                  for user in users:
+                          if not user_id.startswith("@"):
-                      attrs = user.get("attributes") or {}
+                              continue
-                      username = attrs.get("username") or ""
+                          localpart = user_id.split(":", 1)[0].lstrip("@")
-                      if username:
+                          if localpart in mas_usernames:
-                          mas_usernames.add(username)
+                              continue
-                      legacy_guest = attrs.get("legacy_guest")
+                          is_guest = entry.get("is_guest")
-                      if not username:
+                          if not (is_guest or needs_rename_username(localpart)):
-                          continue
+                              continue
-                      if not (legacy_guest or needs_rename_username(username)):
+                          display = get_displayname_admin(seeder_token, user_id)
                          continue
                      user_id = user_id_for_username(username)
                      access_token, session_id = mas_personal_session(admin_token, user["id"])
                      try:
                          display = get_displayname(access_token, user_id)
                          if display and not needs_rename_display(display):
                              continue
                          new = None
@ -299,33 +300,8 @@ spec:
                                  break
                          if not new:
                              continue
-                          set_displayname(access_token, room_id, user_id, new, user_id in members)
+                          if not set_displayname_admin(seeder_token, user_id, new):
-                      finally:
+                              continue
-                          mas_revoke_session(admin_token, session_id)
+                  finally:
-
+                      mas_revoke_session(admin_token, seeder_session)
                  seeder_token = login(SEEDER_USER, SEEDER_PASS)
                  for entry in synapse_list_users(seeder_token):
                      user_id = entry.get("name") or ""
                      if not user_id.startswith("@"):
                          continue
                      localpart = user_id.split(":", 1)[0].lstrip("@")
                      if localpart in mas_usernames:
                          continue
                      is_guest = entry.get("is_guest")
                      if not (is_guest or needs_rename_username(localpart)):
                          continue
                      display = get_displayname_admin(seeder_token, user_id)
                      if display and not needs_rename_display(display):
                          continue
                      new = None
                      for _ in range(30):
                          candidate = f"{random.choice(ADJ)}-{random.choice(NOUN)}"
                          if candidate not in existing:
                              new = candidate
                              existing.add(candidate)
                              break
                      if not new:
                          continue
                      if not set_displayname_admin(seeder_token, user_id, new):
                          continue
                  PY