From 3fe405896187eb48dd283690751295e4552e6822 Mon Sep 17 00:00:00 2001 From: Eduard Nitu Date: Mon, 12 Jan 2026 16:03:02 +0100 Subject: [PATCH] feat: add Keycloak details in CI run --- .github/workflows/docker.yml | 10 ++++++++++ auth/kc-settings-pool.yaml | 15 +++++++++++++++ auth/yaml2py.py | 34 ++++++++++++++++++++++++++++++++++ themes/MUG/invenio.cfg | 34 +++++----------------------------- 4 files changed, 64 insertions(+), 29 deletions(-) create mode 100644 auth/kc-settings-pool.yaml create mode 100644 auth/yaml2py.py diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0996666..28baee1 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -79,6 +79,16 @@ jobs: - name: Change pyproject.toml override MUG run: sed -i 's/-override ~/-override[marc21] ~/g' pyproject.toml + - name: Set keycloak in invenio.cfg via script + run: | + source .venv/bin/activate + if [[ ${{ !startsWith( github.ref, 'refs/tags') }}]]; then + KEYCLOAK_NODE="cyverse" + else + KEYCLOAK_NODE="meduni" + python auth/yaml2py.py --source-filename auth/kc-settings-pool.yaml --dest-filename themes/MUG/invenio.cfg --node $KEYCLOAK_NODE --placeholder "" + deactivate + - name: Relock uv run: | source .venv/bin/activate diff --git a/auth/kc-settings-pool.yaml b/auth/kc-settings-pool.yaml new file mode 100644 index 0000000..8d3460d --- /dev/null +++ b/auth/kc-settings-pool.yaml @@ -0,0 +1,15 @@ +cyverse: + title: "Cyverse SSO" + description: Cyverse SSO + base_url: https://keycloak.cyverse.at + realm: CyVerse + app_key: CYVERSE_KEYCLOAK_APP_CREDENTIALS + legacy_url_path: False + +meduni: + title: Meduni SSO + description: Meduni SSO + base_url: https://openid.medunigraz.at/ + realm: invenioRDM + app_key: KEYCLOAK_APP_CREDENTIALS + legacy_url_path: False diff --git a/auth/yaml2py.py b/auth/yaml2py.py new file mode 100644 index 0000000..95c0b8c --- /dev/null +++ b/auth/yaml2py.py 
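Review bot: The branch selection in the new `Set keycloak in invenio.cfg via script` step cannot work as written: `}}]]` has no space before `]]`, and the `if` is never closed with `fi` before the `python auth/yaml2py.py` call. Even with the syntax repaired, `[[ true ]]` and `[[ false ]]` are both non-empty-string tests that succeed, so every ref would select `cyverse`. Because this decides which identity provider a release image trusts, compare the expression explicitly and close the block: `if [[ "${{ startsWith(github.ref, 'refs/tags') }}" == "true" ]]; then KEYCLOAK_NODE="meduni"; else KEYCLOAK_NODE="cyverse"; fi`. The step also passes `--placeholder ""` as shown; if that is really an empty string rather than a token lost in rendering, `str.replace` in `yaml2py.py` would insert the generated text between every character of `invenio.cfg`.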
@@ -0,0 +1,34 @@
+"""
+Script that injects a given yaml config into arguments of an invenio.cfg class.
+"""
+
+import yaml
+import sys
+import argparse
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument('--source-filename', type=str, required=True)
+parser.add_argument('--dest-filename', type=str, required=True)
+parser.add_argument('--node', type=str, required=True)
+parser.add_argument('--placeholder', type=str, required=True)
+
+args = parser.parse_args()
+
+auth_config = ""
+with open(args.source_filename) as f:
+ data = yaml.safe_load(f)
+ for key, _ in data.items():
+ if key == args.node:
+ for node_key, val in data[key].items():
+ if isinstance(val, str):
+ auth_config += f'{node_key}="{val}",\n'
+ else:
+ auth_config += f'{node_key}={val},\n'
+
+with open(args.dest_filename, "r") as f:
+ config = f.read()
+ config = config.replace(args.placeholder, auth_config)
+
+with open(args.dest_filename, "w") as f:
+ f.write(config)
diff --git a/themes/MUG/invenio.cfg b/themes/MUG/invenio.cfg
index e751342..fec6afe 100644
--- a/themes/MUG/invenio.cfg
+++ b/themes/MUG/invenio.cfg
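Review bot: Values from the YAML pool are pasted into `invenio.cfg` as Python source with hand-written quoting (`f'{node_key}="{val}",\n'`), so a value containing a double quote, backslash or newline ends the literal early and the remainder is evaluated when the config is loaded; keys are not checked to be identifiers either. Emitting `{val!r}` for every value and rejecting non-identifier keys closes that gap. The script also exits successfully when `--node` is missing from the source file or the placeholder is absent from the destination, which would leave the helper call without settings in the built image, and an empty `--placeholder` makes `str.replace` insert the text between every character. The sketch below rewrites the middle section with those checks and replaces the `for key, _ in data.items()` scan with a direct lookup; `sys` is already imported by the hunk.

```python
# … unchanged: argparse setup and args = parser.parse_args() …

with open(args.source_filename) as f:
    data = yaml.safe_load(f)

node = data.get(args.node) if isinstance(data, dict) else None
if not isinstance(node, dict):
    sys.exit(f"node {args.node!r} not found in {args.source_filename}")
if not args.placeholder:
    sys.exit("--placeholder must not be empty")

lines = []
for node_key, val in node.items():
    # Keys become keyword-argument names in generated Python source.
    if not (isinstance(node_key, str) and node_key.isidentifier()):
        sys.exit(f"invalid setting name {node_key!r}")
    # repr() yields a correctly escaped literal for str, bool, int and None.
    lines.append(f"{node_key}={val!r},\n")
auth_config = "".join(lines)

with open(args.dest_filename, "r") as f:
    config = f.read()
if args.placeholder not in config:
    sys.exit(f"placeholder not found in {args.dest_filename}")
config = config.replace(args.placeholder, auth_config)

# … unchanged: write config back to args.dest_filename …
```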
@@ -392,39 +392,15 @@ GLOBAL_SEARCH_SCHEMAS = { # Keycloak configurations # ============================================================================ _keycloak_helper = KeycloakSettingsHelper( - title="Meduni SSO", - description="Meduni SSO", - base_url="https://openid.medunigraz.at/", - realm="invenioRDM", - app_key="KEYCLOAK_APP_CREDENTIALS", - legacy_url_path=False + ) - -OAUTHCLIENT_KEYCLOAK_REALM_URL = _keycloak_helper.realm_url -OAUTHCLIENT_KEYCLOAK_USER_INFO_URL = _keycloak_helper.user_info_url -OAUTHCLIENT_KEYCLOAK_VERIFY_EXP = True # whether to verify the expiration date of tokens -OAUTHCLIENT_KEYCLOAK_VERIFY_AUD = True # whether to verify the audience tag for tokens -OAUTHCLIENT_KEYCLOAK_AUD = "inveniordm" # probably the same as the client ID -OAUTHCLIENT_KEYCLOAK_USER_INFO_FROM_ENDPOINT = True - -_cyverse_keycloak_helper = KeycloakSettingsHelper( - title="Cyverse SSO", - description="Cyverse SSO", - base_url="https://keycloak.cyverse.at", - realm="CyVerse", - app_key="CYVERSE_KEYCLOAK_APP_CREDENTIALS", -) -OAUTHCLIENT_CYVERSE_REALM_URL = _cyverse_keycloak_helper.realm_url -OAUTHCLIENT_CYVERSE_USER_INFO_URL = _cyverse_keycloak_helper.user_info_url -OAUTHCLIENT_CYVERSE_VERIFY_EXP = True -OAUTHCLIENT_CYVERSE_VERIFY_AUD = True -OAUTHCLIENT_CYVERSE_AUD = "inveniordm" -OAUTHCLIENT_CYVERSE_USER_INFO_FROM_ENDPOINT = True - +""" +Keycloak settings like base_url and realm should be set by CI by replacing for +the placeholder this instance. +""" OAUTHCLIENT_REMOTE_APPS = { "keycloak": _keycloak_helper.remote_app, - "cyverse": _cyverse_keycloak_helper.remote_app, } ## SET THE CREDENTIALS via .env
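Review bot: The removed `OAUTHCLIENT_KEYCLOAK_*` assignments (`REALM_URL`, `USER_INFO_URL`, `VERIFY_EXP`, `VERIFY_AUD`, `AUD`, `USER_INFO_FROM_ENDPOINT`) have no replacement on the new side of this hunk, and `yaml2py.py` only fills the helper's constructor arguments. Token expiry and audience verification would therefore fall back to whatever the OAuth client library does by default, which should be confirmed before relying on it. Unless they are set elsewhere in the file, keep them after the helper, e.g. `OAUTHCLIENT_KEYCLOAK_REALM_URL = _keycloak_helper.realm_url`, `OAUTHCLIENT_KEYCLOAK_VERIFY_EXP = True`, `OAUTHCLIENT_KEYCLOAK_VERIFY_AUD = True`, together with the other three. The committed file also now holds `KeycloakSettingsHelper(` with only the placeholder line before `)`, so any environment that loads `invenio.cfg` without the CI substitution presumably gets a helper with no base URL or realm. A `#` comment at that call stating that the file is a template rendered by `auth/yaml2py.py` would be clearer than the bare triple-quoted string.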