set different manage security groups based on user type

tomklapiscak · tomklapiscak · commit 141a8071112e · 2025-03-26T12:35:34.000Z
diff --git a/src/mas/devops/users.py b/src/mas/devops/users.py
@@ -326,6 +326,8 @@ def link_user_to_local_idp(self, user_id, email_password=False):
         if response.status_code != 200:
             raise Exception(response.text)
 
+        # Important: HTTP 200 output will contain generated user token; DO NOT LOG
+
         return None
 
     def get_user(self, user_id):
@@ -645,15 +647,12 @@ def get_manage_group_id(self, group_name):
             "Accept": "application/json",
             "apikey": self.manage_maxadmin_api_key["apikey"],  # <--- careful, don't log headers as-is (apikey is sensitive)
         }
-        self.logger.debug(f"  > {url} {querystring}")
-
         response = requests.get(
             url,
             headers=headers,
             params=querystring,
             verify=self.manage_internal_ca_pem_file_path,
         )
-        self.logger.debug(f"  < {response.status_code}")
         if response.status_code != 200:
             raise Exception(response.text)
 
@@ -885,6 +884,8 @@ def create_initial_user_for_saas(self, user, user_type):
             }
             is_workspace_admin = True
             application_role = "ADMINISTRATOR"
+            # TODO: check which security groups primary users should be members of
+            manage_security_groups = ["MAXADMIN"]
         elif user_type == "SECONDARY":
             permissions = {
                 "systemAdmin": False,
@@ -898,6 +899,8 @@ def create_initial_user_for_saas(self, user, user_type):
             }
             is_workspace_admin = False
             application_role = "USER"
+            # TODO: check which security groups secondary users should be members of
+            manage_security_groups = []
         else:
             raise Exception(f"Unsupported user_type: {user_type}")
 
@@ -930,13 +933,16 @@ def create_initial_user_for_saas(self, user, user_type):
         for mas_application_id in mas_application_ids:
             self.await_mas_application_availability(mas_application_id)
             if mas_application_id == "manage":
+                # special case for manage; role is always "MANAGEUSER"
                 role = "MANAGEUSER"
             else:
+                # otherwise grant the user the appropriate role for their user_type
                 role = application_role
             self.set_user_application_permission(user_id, mas_application_id, role)
 
         for mas_application_id in mas_application_ids:
             self.check_user_sync(user_id, mas_application_id)
 
         if "manage" in mas_application_ids:
-            self.add_user_to_manage_group(user_id, "MAXADMIN")
+            for manage_security_group in manage_security_groups:
+                self.add_user_to_manage_group(user_id, manage_security_group)
