Skip to content

Key 77 runscripts set permissions#29

Merged
bsuttor merged 5 commits into
mainfrom
KEY-77_runscripts-set-permissions
Jun 17, 2026
Merged

Key 77 runscripts set permissions#29
bsuttor merged 5 commits into
mainfrom
KEY-77_runscripts-set-permissions

Conversation

@remdub

@remdub remdub commented Jun 16, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • New Features
    • Added control panel actions to set SSO-app users’ local roles on municipality folders, including a dry-run preview/report.
    • Introduced municipality-group based syncing and role assignment, with configurable Keycloak realm for SSO-apps.
    • Added an executable run tool to apply (or report-only) SSO-app permissions from the command line.
  • Tests
    • Added coverage for municipality parsing, user import enrichment, and local-role assignment behaviors (including dry-run and conflict handling).
  • Chores
    • Updated the changelog for the upcoming release.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 90c48fac-ce36-426d-bbf3-935680d1b02d

📥 Commits

Reviewing files that changed from the base of the PR and between 4e5866e and 0aa3e70.

📒 Files selected for processing (1)
  • src/pas/plugins/kimug/utils.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/pas/plugins/kimug/utils.py

📝 Walkthrough

Walkthrough

Adds SSO-apps municipality folder role assignment: utility functions parse Keycloak group names to municipality slugs, fetch enriched user data, and bulk-grant Contributor/Editor/Reader local roles on matching Plone root folders with dry-run support. A new browser view, control panel buttons, and a CLI runscript expose this operation.

Changes

SSO-apps local role assignment for municipality folders

Layer / File(s) Summary
Municipality slug parsing and user enrichment
src/pas/plugins/kimug/utils.py, tests/utils/test_utils.py
Updates get_keycloak_users_from_oidc_sso_apps() to use SSO_APPS_REALM env var. Adds _municipality_from_group_name to extract slugs from pl_-prefixed Keycloak group names; get_sso_apps_users_with_municipalities fetches per-user group memberships from Keycloak and attaches a deduplicated municipalities list to each user dict. Tests cover pl_ format variants, CPAS handling, path normalization, deduplication, empty results, and RequestException fallback.
Bulk local-role assignment and portal bootstrap
src/pas/plugins/kimug/utils.py, tests/utils/test_utils.py
SSO_APPS_LOCAL_ROLES constant defines Contributor, Editor, Reader roles; resolve_sso_apps_userid resolves Plone userid by username then keycloak_id; set_sso_apps_local_roles merges roles onto municipality root folders with dry_run and ConflictError handling, returning a summary dict; get_portal_from_zope_app bootstraps a Plone site context for CLI use. Tests cover role granting, dry_run, missing users/folders, role merging idempotency, and ConflictError abort.
Browser view, ZCML, control panel UI, CLI script, and changelog
src/pas/plugins/kimug/browser/configure.zcml, src/pas/plugins/kimug/browser/view.py, src/pas/plugins/kimug/controlpanel/controlpanel.pt, scripts/set_sso_apps_permissions.py, CHANGES.md
Registers SetSSOAppsPermissionsView via ZCML with cmf.ManagePortal permission; view reads dry-run request param, calls set_sso_apps_local_roles, and redirects with a status message. Two buttons (run and dry-run) added to the control panel template. CLI script bootstraps the portal and delegates to set_sso_apps_local_roles with --dry-run flag. Changelog entry added for 1.7.0.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • IMIO/pas.plugins.kimug#27: Adds oidc_sso_apps.municipality_groups property and updates get_keycloak_users_from_oidc_sso_apps, which this PR's role-assignment flow builds upon.
  • IMIO/pas.plugins.kimug#22: Modifies controlpanel.pt with _authenticator-tokenized action links, the same pattern extended here for the new @@set_sso_apps_permissions run/dry-run buttons.
  • IMIO/pas.plugins.kimug#18: Introduced the SSO-apps user import plumbing (utils/view/ZCML) that this PR extends with municipality-based role assignment.

Suggested reviewers

  • bsuttor

Poem

🐇 Hop, hop through the Keycloak groups I go,
Parsing pl_ slugs in a single row,
Contributor, Editor, Reader — roles I grant,
On each municipality folder, no rant!
Dry-run first, then commit with flair,
A bunny's work is beyond compare! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 57.58% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding runscripts to set SSO apps user permissions, which aligns with the new script file, browser view, and utility functions introduced.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch KEY-77_runscripts-set-permissions

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/pas/plugins/kimug/utils.py (1)

1197-1205: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make env-list parsing accept comma-separated values without spaces.

_parse_bracketed_env_list() currently splits on ", " only, so [group1,group2] is parsed as a single entry. That breaks municipality filtering for valid comma-separated env values.

💡 Proposed fix
-    return [v for v in value.split(", ") if v]
+    return [v.strip() for v in value.split(",") if v.strip()]

As per coding guidelines, environment list values use bracket format and comma-separated values must work.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pas/plugins/kimug/utils.py` around lines 1197 - 1205, The
_parse_bracketed_env_list() function currently splits on the literal string ", "
(comma followed by space), which fails to parse values like [group1,group2]
without spaces. Change the split operation to split on just "," (comma only) and
then strip whitespace from each resulting value. This approach will handle both
comma-space-separated values like [a, b] and comma-only-separated values like
[a,b] uniformly, ensuring the list comprehension correctly filters out empty
strings after splitting and stripping.

Source: Coding guidelines

🧹 Nitpick comments (1)
tests/utils/test_utils.py (1)

495-514: ⚡ Quick win

Add an underscore-format regression case for municipality parsing.

Please add a case like pl_belleville_ac -> belleville here. It will guard the format currently used in SSO-apps municipality group names and prevent parser regressions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/utils/test_utils.py` around lines 495 - 514, The
TestMunicipalityFromGroupName class lacks a regression test for the
underscore-formatted group names used in SSO-apps (such as pl_belleville_ac).
Add a new test method to the TestMunicipalityFromGroupName class that verifies
utils._municipality_from_group_name("pl_belleville_ac") correctly returns
"belleville". This test will guard against future parser regressions for this
specific format that is currently used in production.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pas/plugins/kimug/utils.py`:
- Around line 953-957: The realm is hardcoded to "sso-apps" which breaks when
the issuer points to a different realm or when SSO_APPS_REALM is set
differently. Replace the hardcoded realm assignment with one that reads from the
SSO_APPS_REALM environment variable (which defaults to "sso-apps"), then pass
this derived realm value to the get_client_access_token function call instead of
the hardcoded string literal. This ensures the realm derivation honors both the
SSO_APPS_REALM environment variable and the actual issuer configuration.
- Around line 920-923: The _municipality_from_group_name() function currently
only splits on hyphens when extracting the municipality name, but group names
like pl_belleville_ac contain underscores that should also be treated as
delimiters. Modify the split logic that processes name[3:] to split on both
hyphens and underscores (or replace underscores with hyphens before splitting),
ensuring that only the first segment before either character is returned as the
municipality name.

---

Outside diff comments:
In `@src/pas/plugins/kimug/utils.py`:
- Around line 1197-1205: The _parse_bracketed_env_list() function currently
splits on the literal string ", " (comma followed by space), which fails to
parse values like [group1,group2] without spaces. Change the split operation to
split on just "," (comma only) and then strip whitespace from each resulting
value. This approach will handle both comma-space-separated values like [a, b]
and comma-only-separated values like [a,b] uniformly, ensuring the list
comprehension correctly filters out empty strings after splitting and stripping.

---

Nitpick comments:
In `@tests/utils/test_utils.py`:
- Around line 495-514: The TestMunicipalityFromGroupName class lacks a
regression test for the underscore-formatted group names used in SSO-apps (such
as pl_belleville_ac). Add a new test method to the TestMunicipalityFromGroupName
class that verifies utils._municipality_from_group_name("pl_belleville_ac")
correctly returns "belleville". This test will guard against future parser
regressions for this specific format that is currently used in production.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c4664d9-1b30-473b-bcf4-3f4c346f0fd3

📥 Commits

Reviewing files that changed from the base of the PR and between c0c334d and 4e5866e.

📒 Files selected for processing (7)
  • CHANGES.md
  • scripts/set_sso_apps_permissions.py
  • src/pas/plugins/kimug/browser/configure.zcml
  • src/pas/plugins/kimug/browser/view.py
  • src/pas/plugins/kimug/controlpanel/controlpanel.pt
  • src/pas/plugins/kimug/utils.py
  • tests/utils/test_utils.py

Comment thread src/pas/plugins/kimug/utils.py
Comment thread src/pas/plugins/kimug/utils.py Outdated
@remdub remdub requested a review from bsuttor June 16, 2026 14:25

@bsuttor bsuttor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, to be tested in staging :-)

@bsuttor bsuttor merged commit 66be4cf into main Jun 17, 2026
8 checks passed
@bsuttor bsuttor deleted the KEY-77_runscripts-set-permissions branch June 17, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants