From 9bfdbc71c2f8c02fb028b392960c6465e77d6c0f Mon Sep 17 00:00:00 2001
From: Helmut Merz
Date: Sat, 9 Aug 2025 15:24:31 +0200
Subject: [PATCH] Person: createExtUser (with zitadel) basically working

---
 config.py | 19 -------------------
 inst/loops/config.py | 5 ++++-
 loops/organize/party.py | 19 +++++++++++++++++--
 loops/tests/config.py | 6 +++++-
 loops/tests/test-private-key.json | 1 +
 5 files changed, 27 insertions(+), 23 deletions(-)
 delete mode 100644 config.py
 create mode 100644 loops/tests/test-private-key.json

diff --git a/config.py b/config.py
deleted file mode 100644
index f48c302..0000000
--- a/config.py
+++ /dev/null
@@ -1,19 +0,0 @@
-# loops/config.py
-# (used for testing only)
-
-from dotenv import load_dotenv
-from os import getenv
-
-load_dotenv()
-
-server_port = getenv('SERVER_PORT', '8099')
-
-app_factory = zope_app_factory
-
-# storage settings
-dbengine = 'postgresql+psycopg'
-dbname = getenv('DBNAME', 'demo')
-dbuser = getenv('DBUSER', 'demo')
-dbpassword = getenv('DBPASSWORD', 'secret')
-dbschema = getenv('DBSCHEMA', 'demo')
-
diff --git a/inst/loops/config.py b/inst/loops/config.py
index 2d78ba9..d46425c 100644
--- a/inst/loops/config.py
+++ b/inst/loops/config.py
@@ -36,6 +36,9 @@ oidc_params = dict(
     cookie_name=getenv('OIDC_COOKIE_NAME', 'oidc_' + oidc_client_id),
     cookie_domain=getenv('OIDC_COOKIE_DOMAIN', None),
     cookie_lifetime=getenv('OIDC_COOKIE_LIFETIME', '86400'),
-    cookie_crypt=getenv('OIDC_COOKIE_CRYPT', None)
+    cookie_crypt=getenv('OIDC_COOKIE_CRYPT', None),
+    private_key_file=getenv('OIDC_SERVICE_USER_PRIVATE_KEY_FILE', '.private-key.json'),
+    organization_id=getenv('OIDC_ORGANIZATION_ID', '12346'),
+    project_id=getenv('OIDC_PROJECT_ID', '12347'),
 )
 
diff --git a/loops/organize/party.py b/loops/organize/party.py
index 8d3822f..e9e72a0 100644
--- a/loops/organize/party.py
+++ b/loops/organize/party.py
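Review bot: The new `organization_id` and `project_id` entries in inst/loops/config.py fall back to the literal strings `'12346'` and `'12347'` when the environment variables are unset, so a deployment that forgets `OIDC_ORGANIZATION_ID` or `OIDC_PROJECT_ID` proceeds against whatever those numbers name instead of failing fast. Consider `organization_id=getenv('OIDC_ORGANIZATION_ID', None)` and `project_id=getenv('OIDC_PROJECT_ID', None)` and letting the consumer reject a missing value. The `private_key_file` default `'.private-key.json'` is a path relative to the process's working directory, which a comment on that line should state, since this key is what authorizes the service user to create accounts. The `oidc_params = dict(` call these keywords belong to starts outside the hunk.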
@@ -24,7 +24,7 @@ from loops.concept import Concept
 from loops.interfaces import IConcept
 from loops.organize.interfaces import IAddress, IPerson, IHasRole
 from loops.organize.interfaces import ANNOTATION_KEY
-from loops.organize.util import getPrincipalForUserId
+from loops.organize.util import getInternalPrincipal, getPrincipalForUserId
 from loops.predicate import RelationAdapter
 from loops.predicate import PredicateInterfaceSourceList
 from loops.security.common import assignOwner, removeOwner, allowEditingForOwner
@@ -81,8 +81,22 @@ class Person(AdapterBase, BasePerson):
     _contextAttributes = list(IPerson) + list(IConcept)
 
     def createExtUser(self, userId):
-        from scopes.org import user
+        import config
+        params = getattr(config, 'oidc_params', None)
+        if params is None:
+            return
         #print('*** Person.createExtUser', userId)
+        from scopes.org import user
+        try:
+            prc = getInternalPrincipal(userId, self.context)
+        except ValueError: # may happen during testing
+            #print('*** PAU not available, userId:', userId)
+            return
+        u = user.User(prc.login, self.email, #prc.password,
+                      firstName=self.firstName or '',
+                      lastName=self.lastName or '')
+        xu = user.ExtUser(u, prc.__parent__.prefix)
+        xu.create(True)
 
     def getUserId(self):
         return getattr(self.context, '_userId', None)
@@ -116,6 +130,7 @@ class Person(AdapterBase, BasePerson):
         setter.propagateSecurity()
         allowEditingForOwner(self.context, revert=not userId) # why this?
         if not oldUserId:
+            pass
             self.createExtUser(userId)
 
     userId = property(getUserId, setUserId)
diff --git a/loops/tests/config.py b/loops/tests/config.py
index 2698ba1..f4db938 100644
--- a/loops/tests/config.py
+++ b/loops/tests/config.py
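Review bot: In `createExtUser` the `except ValueError` branch returns silently, so when `getInternalPrincipal` fails outside of tests the external user is never created and nothing records why; the commented-out print is the only trace. A warning-level log line carrying `userId` in that handler would make a skipped provisioning visible without changing control flow. `params` is read from `config.oidc_params` but not used after the `None` check, and the `private_key_file`, `organization_id` and `project_id` entries this commit adds to the config are not passed to `user.ExtUser(...)`; if `scopes.org.user` reads them itself, a comment saying so would help, otherwise they are not wired up yet. The positional `True` in `xu.create(True)` is opaque at the call site; passing it by keyword would document what it selects.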
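Review bot: The added `pass` in `setUserId` sits directly before `self.createExtUser(userId)`, and since that call is an unchanged context line its indentation did not move; if it is still the body of `if not oldUserId:` the `pass` is dead code, and if the intent was to provision the external user on every change the call would need to be dedented, which would appear as a changed line the hunk does not contain. Either drop the `pass` or make the intended condition explicit, e.g. `if not oldUserId:` followed by the call alone. The enclosing `setUserId` starts outside the hunk.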
@@ -33,12 +33,16 @@ oidc_params = dict(
     op_config_url=oidc_provider + '/.well-known/openid-configuration',
     op_uris=None,
     op_keys=None,
+    op_project_scope='urn:zitadel:iam:org:project:id:zitadel:aud',
     callback_url=getenv('OIDC_CALLBACK_URL', base_url + '/auth/callback'),
     client_id=oidc_client_id,
     principal_prefix=getenv('OIDC_PRINCIPAL_PREFIX', 'loops.'),
     cookie_name=getenv('OIDC_COOKIE_NAME', 'oidc_' + oidc_client_id),
     cookie_domain=getenv('OIDC_COOKIE_DOMAIN', None),
     cookie_lifetime=getenv('OIDC_COOKIE_LIFETIME', '86400'),
-    cookie_crypt=getenv('OIDC_COOKIE_CRYPT', None)
+    cookie_crypt=getenv('OIDC_COOKIE_CRYPT', None),
+    private_key_file=getenv('OIDC_SERVICE_USER_PRIVATE_KEY_FILE',
+                            'loops/tests/test-private-key.json'),
+    organization_id=getenv('OIDC_ORGANIZATION_ID', '12346'),
 )
 
diff --git a/loops/tests/test-private-key.json b/loops/tests/test-private-key.json
new file mode 100644
index 0000000..40472b0
--- /dev/null
+++ b/loops/tests/test-private-key.json
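Review bot: The test config gains `private_key_file` and `organization_id` but not the `project_id` entry that `inst/loops/config.py` adds in the same commit, so the two `oidc_params` dicts no longer carry the same keys; if the consumer looks up `params['project_id']`, the test configuration raises `KeyError` where the installed one does not. Either add `project_id=getenv('OIDC_PROJECT_ID', None)` here as well or note in a comment why tests do not need it. The `op_project_scope` value is a hard-coded Zitadel URN while every neighbouring setting is read from the environment, which is fine for a test fixture but deserves a one-line comment saying it is provider-specific. `oidc_params = dict(` starts outside the hunk.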
@@ -0,0 +1 @@
+{"type":"serviceaccount","keyId":"314794985486606157","key":"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0dC8wcwu6Uefxx/shqsSTk//ATseeCy28RMAEa4NFGj/y8Ju\nOfVUj7pB5+6onjmsBAHXhCJ+fEWWAJdHnbvywrBNNhVx38f8v+90zUP2IzlT1UDp\ncTIYaehnf3+uqwgMcijnYJ6UgaHFMSecxnYD4adnw8J/FEMDgy2N+v5krp989VQ5\nT2kgrkb/l5z8dgLhmmcLKm7YCG1uXXP+g+qzEZ9Uhur5b+czjIalzC/tq2V2JoJB\nooH9w1iaRXRKel7FZPo0YGyQh/0a9Zn5JsXVc3YTHTKh9madr/yQqmk+6siTl/Ou\ntz9mvpY+AfFRaIWikoyB3W9rHd0b6WtQPflEPwIDAQABAoIBAAN64daZC2IlJPpJ\nhkPJjJkt7H3ZvCykGTiwZvzkFSV0hGGdzPQ7JHbp0PQG2lcdf8PlP+zaIZzwDofd\n+nscRe+CuxUdj/D1QTTxxM8uxGNbLQ/JbtXIzezbxPOxa3U8wfAWy5enqbDovPuO\nu6PzCydv/mGZ1T/ByMohNEyocYUP6mupHWwf2hN/lnrL264w8uvNjAw0xDtbtBJN\nX61u6vi/fiY37qKblN3irAePwK4LIhHZZoyJ1HrFYIkFf0Bviuzpw/ASVqbjizPV\nmTxGxghiQacAMvSSe+pcfJ7ip74rCFv7+6pzL+yW8df1lbSM9vS+86SDgY9RCc2E\n3h1/hUECgYEA/WqiWNXey25qCNB6WHo3SU5cZIZVNWzsT1zkwkXOUtEyU0/zEfT+\nEjW/vbxIBgZNV1tX2aXd7Ke5OCoQ1dqLnmDoO5d13xTeaWN3FR8ibTwbaDCwyg5d\njyIXK2k7IwtcpJFgJFGM/6udAdO/bPm1IPEslJXHBqZoGrKb+bTw6N8CgYEA0/RQ\nHtQluQYBtXNzEql0MaxBUxfHkwjL6Yo6dM+EJAomI+cccVy22s+z2aQX5GVQnbzs\nm9BGkJzzn7eGPy3i2LgStqUZ2W7VqfIJNCIDbC7OxBAaszh5/LEgv5pfp1Yr/HIf\nwHZz53rdV8H+oUfMJdlyrRyGOeGIDZCd94nTMKECgYAQOpT9BW1IL+EAgYFkSydh\nPXBzS5sHWdtkVbmcq2XELfuAFF2np73hoqmN2BHwuNSZJJNir9mffzpAW4lKeL16\nPhCBSHjW+Xoo26LTqnPE9RV4Pa4EspjRQsijEhEkdGTRcTHsAYD7Gp1qcYoPy4oK\n+wb02Qau6Vc/ZnLQsgK/lwKBgQDMLSGxUPQ11E95GAnWBF7mKuWSwemC/opQItRF\nClJk1VIAa/W+Tm3nQwYhti0920tZaFEVmAEh9c/KH+S2n+FSm5+LSmgoSNiSqZGs\nIsfhQwXzYQAXfWQlxAukB3X1oNEmkll78Z+dcYIfs8UyYBOMsngBwuSahWOmjZVe\ni+phgQKBgC0ozpbIcNg48M4/Rrev3qJB7XlU74MySsFJdBhlrzmK3+z02bXWbyaJ\nzQLwC6Dorw0PcWAKtcJcbBn6ZAoptcmG6wdQrYk1IC+82TDcNvAFL06y8OXHYLtu\ni5AiE4nK1waoDF/1I66VACyKI6hhISRW3bKaxHhrx5OsGKVurF4R\n-----END RSA PRIVATE KEY-----\n","expirationDate":"9999-12-31T23:59:59Z","userId":"311889729668833101"}
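Review bot: This file commits a plaintext RSA private key for a Zitadel service account (`"type":"serviceaccount"` with a `keyId`, a `userId` and an `expirationDate` of `9999-12-31`), so anyone with read access to the repository or its history holds a credential that never expires on its own. If this key was ever issued by a real Zitadel instance it should be revoked there now, because deleting the file in a later commit does not remove it from git history. For tests, generate a throwaway key pair during test setup and write it to a path listed in `.gitignore`, or load it from a CI secret, and have `loops/tests/config.py` point at that location. If a checked-in fixture is unavoidable it must be a key that was never registered with any identity provider, and the `private_key_file` entry in the test config should carry a comment saying so, since JSON itself has no room for one.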