Init an admin user in prod closes #381 #409

Merged

moritz merged 14 commits from feature/381_init_admin into main

2026-02-04 20:53:02 +01:00

Author	SHA1	Message	Date
Moritz	ad42a53919	OIDC sign-in: robust after_action for get? result, non-bang role sync All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/promote/production Build is passing Details - sign_in_with_rauthy after_action normalizes result (nil/struct/list) to list before Enum.each. - OidcRoleSync.do_set_role uses Ash.update and swallows errors so auth is not blocked; skip update if role already correct.	2026-02-04 20:25:54 +01:00
Moritz	c5f1fdce0a	Code-review follow-ups: policy, docs, seed_admin behaviour All checks were successful continuous-integration/drone/push Build is passing Details - Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk. - seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test. - Fix DE translation for 'access this page'; add get? true comment in User.	2026-02-04 19:44:43 +01:00
Moritz	d573a22769	Tests: accept single user or list from read_sign_in_with_rauthy (get? true) All checks were successful continuous-integration/drone/push Build is passing Details Handle {:ok, user}, {:ok, nil} in addition to {:ok, [user]}, {:ok, []}.	2026-02-04 18:13:30 +01:00
Moritz	58a5b086ad	OIDC: pass oauth_tokens to role sync; get? true for sign_in; return record in register - sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync. - register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.	2026-02-04 18:13:30 +01:00
Moritz	d441009c8a	Refactor: remove debug instrumentation from OidcRoleSync Drop temporary logging used to diagnose OIDC groups sync in dev.	2026-02-04 18:13:30 +01:00
Moritz	d37fc03a37	Fix: load OIDC role sync config from ENV in all environments OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM were only set in prod block; in dev admin_group was nil so role sync never ran. Move config outside prod block so dev/test get ENV values.	2026-02-04 18:13:30 +01:00
Moritz	55fef5a993	Docs and .env.example for admin bootstrap and OIDC role sync Documents ADMIN_EMAIL/PASSWORD, seed_admin, entrypoint; OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM and role sync on register/sign-in.	2026-02-04 18:13:30 +01:00
Moritz	99722dee26	Add OidcRoleSync: apply Admin/Mitglied from OIDC groups Register and sign-in call apply_admin_role_from_user_info; users in configured admin group get Admin role, others get Mitglied. Internal User action + bypass policy.	2026-02-04 18:13:30 +01:00
Moritz	a6e35da0f7	Add OIDC role sync config (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM) Mv.OidcRoleSyncConfig reads from config; runtime.exs overrides from ENV in prod.	2026-02-04 18:13:30 +01:00
Moritz	50c8a0dc9a	Seeds: call Mv.Release.seed_admin to avoid duplication Replaces inline admin creation with seed_admin(); exercises same path as entrypoint. Dev/test: set ADMIN_EMAIL default and ADMIN_PASSWORD fallback before calling.	2026-02-04 18:13:30 +01:00
Moritz	e065b39ed4	Add Mv.Release.seed_admin for admin bootstrap from ENV Creates/updates admin user from ADMIN_EMAIL and ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. Idempotent; no fallback password in production. Called from docker entrypoint and seeds.	2026-02-04 18:13:30 +01:00
Moritz	b177e41882	Add Role.get_admin_role for Release.seed_admin Used by Mv.Release to resolve Admin role when creating/updating admin user from ENV.	2026-02-04 18:13:30 +01:00
Moritz	09a4b7c937	Seeds: use ADMIN_PASSWORD/ADMIN_PASSWORD_FILE; fallback only in dev/test No fallback in production; prod uses Release.seed_admin in entrypoint.	2026-02-04 18:13:30 +01:00
Moritz	7a56a0920b	Call seed_admin in docker entrypoint after migrate Ensures admin user is created/updated from ENV on every container start.	2026-02-04 18:13:30 +01:00