From b2c2680392c7e32b37e6e1eb5ee56aceb7eb93f0 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 23 Aug 2024 21:36:40 +0800
Subject: [PATCH] fix: add view-users role to the service-api client

Later versions of Keycloak require view-users as well as query-groups role permissions in order to query the groups in a realm. This seems to be basically undocumented. :'(
---
 services/keycloak/lagoon-realm-base-import.json | 3 ++-
 .../keycloak/startup-scripts/00-configure-lagoon.sh | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json
index 5f588340d8..5d4f334682 100644
--- a/services/keycloak/lagoon-realm-base-import.json
+++ b/services/keycloak/lagoon-realm-base-import.json
@@ -536,7 +536,8 @@
 ],
 "clientRoles": {
 "realm-management": [
- "query-groups"
+ "query-groups",
+ "view-users"
 ]
 },
 "notBefore": 0,
diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh
index 0ccc69817a..0453677151 100755
--- a/services/keycloak/startup-scripts/00-configure-lagoon.sh
+++ b/services/keycloak/startup-scripts/00-configure-lagoon.sh
@@ -634,6 +634,15 @@ EOF
 EOF
 }
 
+function service-api_add_view-users_permission {
+ if /opt/keycloak/bin/kcadm.sh get-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --config /tmp/kcadm.config | jq -e '.[].name|contains("view-users")' >/dev/null; then
+ echo "service-api already has view-users realm-management role"
+ else
+ echo "adding service-api view-users realm-management role"
+ /opt/keycloak/bin/kcadm.sh add-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --rolename view-users --config $CONFIG_PATH
+ fi
+}
+
 ##################
 # Initialization #
 ##################
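Review bot: The check and the grant in service-api_add_view-users_permission appear to use different kcadm session files — `get-roles` passes the hard-coded `--config /tmp/kcadm.config` while `add-roles` passes `--config $CONFIG_PATH`; if CONFIG_PATH resolves elsewhere (its value is outside this hunk) the membership test runs against a stale or missing session and the grant is re-attempted on every boot. Both calls should use the same `--config "$CONFIG_PATH"`, quoted. The `jq -e '.[].name|contains("view-users")'` test is also order-dependent, since `-e` keys off the last value emitted, so a role list where view-users is not the final entry reports false, and `contains` is a substring match rather than equality; `jq -e 'any(.[]; .name == "view-users")'` tests exact membership independent of order. The hyphenated function name is accepted by bash's `function` form but is not POSIX and ShellCheck will flag it, so `service_api_add_view_users_permission` (and the matching call in configure_keycloak) would be the conventional spelling. Because view-users lets this service account read every user in the realm, a one-line comment above the function stating why the wider grant is required (the Keycloak group-query behaviour from the commit message) would help later least-privilege reviews.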
@@ -667,6 +676,7 @@ function configure_keycloak {
 migrate_remove_harbor_scan_permissions
 remove_deleteall_permissions_scopes
 add_update_platform_viewer_permissions
+ service-api_add_view-users_permission
 
 # always run last
 sync_client_secrets