feat(keycloack): add configurable purge at upsert

shikanime · shikanime · commit f8fb77dd7175 · 2026-02-10T14:55:11.000+01:00
Signed-off-by: William Phetsinorath &lt;william.phetsinorath-open@interieur.gouv.fr&gt;
diff --git a/plugins/keycloak/src/functions.ts b/plugins/keycloak/src/functions.ts
@@ -1,5 +1,5 @@
 import type { AdminRole, Project, StepCall, UserEmail, ZoneObject, ProjectMemberPayload } from '@cpn-console/hooks'
-import type { ProjectRole } from '@cpn-console/shared'
+import { ENABLED, type ProjectRole } from '@cpn-console/shared'
 import { generateRandomPassword, parseError, PluginResultBuilder } from '@cpn-console/hooks'
 import type GroupRepresentation from '@keycloak/keycloak-admin-client/lib/defs/groupRepresentation.js'
 import type ClientRepresentation from '@keycloak/keycloak-admin-client/lib/defs/clientRepresentation.js'
@@ -60,27 +60,32 @@ export const deleteProject: StepCall<Project> = async ({ args: project }) => {
   }
 }
 
-export const upsertProject: StepCall<Project> = async ({ args: project }) => {
+export const upsertProject: StepCall<Project> = async ({ args: project, config }) => {
   const pluginResult = new PluginResultBuilder('Up-to-date')
   try {
     const kcClient = await getkcClient()
     const projectName = project.slug
+    const purgeEnabled = config.keycloak?.purge === ENABLED
     const projectGroup = await getOrCreateProjectGroup(kcClient, projectName)
 
     const groupMembers = await kcClient.groups.listMembers({ id: projectGroup.id })
 
     await Promise.all([
       ...groupMembers.map((member) => {
         if (!project.users.some(({ id }) => id === member.id)) {
-          return kcClient.users.delFromGroup({
-          // @ts-ignore id is present on user, bad typing in lib
-            id: member.id,
-            groupId: projectGroup.id,
-          })
-            .catch((err) => {
-              pluginResult.addKoMessage(`Can't remove ${member.email} from keycloak project group`)
-              pluginResult.addExtra(`remove-${member.id}`, err)
+          if (purgeEnabled) {
+            return kcClient.users.delFromGroup({
+            // @ts-ignore id is present on user, bad typing in lib
+              id: member.id,
+              groupId: projectGroup.id,
             })
+              .catch((err) => {
+                pluginResult.addKoMessage(`Can't remove ${member.email} from keycloak project group`)
+                pluginResult.addExtra(`remove-${member.id}`, err)
+              })
+          } else {
+            console.warn(`User ${member.email} is not in project ${projectName} anymore, but purge is disabled`)
+          }
         }
         return undefined
       }),
@@ -223,9 +228,10 @@ export const deleteZone: StepCall<ZoneObject> = async ({ args: zone }) => {
   }
 }
 
-export const upsertAdminRole: StepCall<AdminRole> = async ({ args: role }) => {
+export const upsertAdminRole: StepCall<AdminRole> = async ({ args: role, config }) => {
   if (!role.oidcGroup) return { status: { result: 'OK', message: 'No OIDC Group defined' } }
   const pluginResult = new PluginResultBuilder('Up-to-date')
+  const purgeEnabled = config.keycloak?.purge === ENABLED
   try {
     const kcClient = await getkcClient()
     const group = await getOrCreateGroupByPath(kcClient, role.oidcGroup)
@@ -234,14 +240,18 @@ export const upsertAdminRole: StepCall<AdminRole> = async ({ args: role }) => {
     await Promise.all([
       ...groupMembers.map((member) => {
         if (member.id && !role.members.some(({ id }) => id === member.id)) {
-          return kcClient.users.delFromGroup({
-            id: member.id,
-            groupId: group!.id!,
-          })
-            .catch((err) => {
-              pluginResult.addKoMessage(`Can't remove ${member.email} from keycloak admin group`)
-              pluginResult.addExtra(`remove-${member.id}`, err)
+          if (purgeEnabled) {
+            return kcClient.users.delFromGroup({
+              id: member.id,
+              groupId: group!.id!,
             })
+              .catch((err) => {
+                pluginResult.addKoMessage(`Can't remove ${member.email} from keycloak admin group`)
+                pluginResult.addExtra(`remove-${member.id}`, err)
+              })
+          } else {
+            console.warn(`User ${member.email} is not in admin role ${role.oidcGroup} anymore, but purge is disabled`)
+          }
         }
         return undefined
       }),
@@ -376,8 +386,9 @@ export const deleteProjectRole: StepCall<ProjectRole> = async ({ args: role }) =
   }
 }
 
-export const upsertProjectMember: StepCall<ProjectMemberPayload> = async ({ args: member }) => {
+export const upsertProjectMember: StepCall<ProjectMemberPayload> = async ({ args: member, config }) => {
   const pluginResult = new PluginResultBuilder('Synced')
+  const purgeEnabled = config.keycloak?.purge === ENABLED
   try {
     const kcClient = await getkcClient()
 
@@ -399,7 +410,11 @@ export const upsertProjectMember: StepCall<ProjectMemberPayload> = async ({ args
       if (shouldBeMember && !isMember) {
         await kcClient.users.addToGroup({ id: member.userId, groupId: roleGroup.id })
       } else if (!shouldBeMember && isMember) {
-        await kcClient.users.delFromGroup({ id: member.userId, groupId: roleGroup.id })
+        if (purgeEnabled) {
+          await kcClient.users.delFromGroup({ id: member.userId, groupId: roleGroup.id })
+        } else {
+          console.warn(`User ${member.email} is not in project ${member.project.slug} anymore, but purge is disabled`)
+        }
       }
     }
 
diff --git a/plugins/keycloak/src/infos.ts b/plugins/keycloak/src/infos.ts
@@ -1,8 +1,39 @@
 import type { ServiceInfos } from '@cpn-console/hooks'
+import { DISABLED } from '@cpn-console/shared'
 
 const infos: ServiceInfos = {
   name: 'keycloak',
   title: 'Keycloak',
+  config: {
+    global: [
+      {
+        kind: 'switch',
+        key: 'purge',
+        initialValue: DISABLED,
+        permissions: {
+          admin: { read: true, write: true },
+          user: { read: false, write: false },
+        },
+        title: 'Purger les utilisateurs non synchronisés',
+        value: DISABLED,
+        description: 'Purger les utilisateurs non synchronisés de Keycloak lors de la synchronisation',
+      },
+    ],
+    project: [
+      {
+        kind: 'switch',
+        key: 'purge',
+        initialValue: DISABLED,
+        permissions: {
+          admin: { read: true, write: true },
+          user: { read: false, write: false },
+        },
+        title: 'Purger les utilisateurs non synchronisés',
+        value: DISABLED,
+        description: 'Purger les utilisateurs non synchronisés de Keycloak lors de la synchronisation',
+      },
+    ],
+  },
 }
 
 export default infos
