From d1bd77afed4ccbd8086b7dd85910128c7bfc1e2a Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 10 May 2024 11:26:50 +0800 Subject: [PATCH 1/2] feat: add query-group permission to the service-api client With the recent change in Lagoon to move project membership of groups from Keycloak group annotations into the Lagoon API DB, the ssh-portal-api can no longer rely on group annotations embedded in user tokens to extract project-group membership. Since v0.35.0, ssh-portal-api gets the project membership information from the Lagoon API DB. But that is stored as group IDs, not group names. So to map group IDs back to group names the ssh-portal-api now queries Keycloak for a list of groups (IDs and names). This new permission allows the service-api client used by ssh-portal-api to query the Keycloak groups API. --- services/keycloak/lagoon-realm-2.16.0.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/keycloak/lagoon-realm-2.16.0.json b/services/keycloak/lagoon-realm-2.16.0.json index 02fc0556a3..d63e818a60 100644 --- a/services/keycloak/lagoon-realm-2.16.0.json +++ b/services/keycloak/lagoon-realm-2.16.0.json @@ -528,6 +528,11 @@ "realmRoles": [ "default-roles-lagoon" ], + "clientRoles": { + "realm-management": [ + "query-groups" + ] + }, "notBefore": 0, "groups": [] } From 082ecc39a643cddc4258797615cde4ef23e43de5 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 10 May 2024 12:14:24 +0800 Subject: [PATCH 2/2] feat: ensure service-api has query-groups permissions --- .../keycloak/startup-scripts/00-configure-lagoon.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh index 65feb34349..08825dd19f 100755 --- a/services/keycloak/startup-scripts/00-configure-lagoon.sh +++ b/services/keycloak/startup-scripts/00-configure-lagoon.sh 
@@ -204,6 +204,15 @@ function migrate_to_custom_group_mapper { } +function service-api_add_query-groups_permission { + if /opt/keycloak/bin/kcadm.sh get-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --config /tmp/kcadm.config | jq -e '.[].name|contains("query-groups")' >/dev/null; then + echo "service-api already has query-groups realm-management role" + else + echo "adding service-api query-groups realm-management role" + /opt/keycloak/bin/kcadm.sh add-roles -r lagoon --uusername service-account-service-api --cclientid realm-management --rolename query-groups --config $CONFIG_PATH + fi +} + ################## # Initialization # ################## @@ -231,6 +240,7 @@ function configure_keycloak { check_migrations_version migrate_to_custom_group_mapper #post 2.18.0+ migrations after this point + service-api_add_query-groups_permission # always run last sync_client_secrets
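Review bot: The idempotency check in `service-api_add_query-groups_permission` drives `jq -e` with `.[].name|contains("query-groups")`, which emits one boolean per assigned role while `-e` reports only the last output value, and `contains` is a substring match rather than equality; use `jq -e 'any(.[]; .name == "query-groups")' >/dev/null` so the check is true whenever the role is present regardless of its position in the list. The `get-roles` call also reads `--config /tmp/kcadm.config` while the `add-roles` call in the same function uses `--config $CONFIG_PATH` (set outside this hunk); unless those resolve to the same file the check and the grant operate on different kcadm sessions, so use `--config "$CONFIG_PATH"` on both lines, quoted. A failed kcadm call leaves jq with no input and falls through to the else branch, which then attempts the grant; that is tolerable but deserves a comment such as `# kcadm failure here falls through to add-roles; that call's exit status is the one that matters`. The second hunk's call site sits inside `configure_keycloak`, whose body starts and ends outside the hunk.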