From 43cf4b44fdd8f9867184a78ffe22396b056a3fe2 Mon Sep 17 00:00:00 2001
From: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>
Date: Wed, 11 Feb 2026 11:09:41 +0100
Subject: [PATCH 1/2] fix: hooks config is always undefined

For some reasons, the config is never passed down to the plugins hooks. Apparently the config is provided via the adminPlugin table of the database but is empty most of the time so for the moment let's just add default and fix the problem properly later.

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>
---
 plugins/keycloak/src/functions.ts | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/plugins/keycloak/src/functions.ts b/plugins/keycloak/src/functions.ts
index c828ed679..f5940d00b 100644
--- a/plugins/keycloak/src/functions.ts
+++ b/plugins/keycloak/src/functions.ts
@@ -1,6 +1,6 @@
 import type { AdminRole, Project, StepCall, UserEmail, ZoneObject, ProjectMemberPayload } from '@cpn-console/hooks'
-import { ENABLED, type ProjectRole } from '@cpn-console/shared'
-import { generateRandomPassword, parseError, PluginResultBuilder } from '@cpn-console/hooks'
+import type { ProjectRole } from '@cpn-console/shared'
+import { generateRandomPassword, parseError, PluginResultBuilder, specificallyEnabled } from '@cpn-console/hooks'
 import type GroupRepresentation from '@keycloak/keycloak-admin-client/lib/defs/groupRepresentation.js'
 import type ClientRepresentation from '@keycloak/keycloak-admin-client/lib/defs/clientRepresentation.js'
 import type { CustomGroup } from './group.js'
@@ -65,7 +65,7 @@ export const upsertProject: StepCall<Project> = async ({ args: project, config }
   try {
     const kcClient = await getkcClient()
     const projectName = project.slug
-    const purgeEnabled = config.keycloak?.purge === ENABLED
+    const purge = config.keycloak?.purge
     const projectGroup = await getOrCreateProjectGroup(kcClient, projectName)
 
     const groupMembers = await kcClient.groups.listMembers({ id: projectGroup.id })
@@ -73,7 +73,7 @@ export const upsertProject: StepCall<Project> = async ({ args: project, config }
     await Promise.all([
       ...groupMembers.map((member) => {
         if (!project.users.some(({ id }) => id === member.id)) {
-          if (purgeEnabled) {
+          if (specificallyEnabled(purge)) {
             return kcClient.users.delFromGroup({
             // @ts-ignore id is present on user, bad typing in lib
               id: member.id,
@@ -231,7 +231,7 @@ export const deleteZone: StepCall<ZoneObject> = async ({ args: zone }) => {
 export const upsertAdminRole: StepCall<AdminRole> = async ({ args: role, config }) => {
   if (!role.oidcGroup) return { status: { result: 'OK', message: 'No OIDC Group defined' } }
   const pluginResult = new PluginResultBuilder('Up-to-date')
-  const purgeEnabled = config.keycloak?.purge === ENABLED
+  const purge = config.keycloak?.purge
   try {
     const kcClient = await getkcClient()
     const group = await getOrCreateGroupByPath(kcClient, role.oidcGroup)
@@ -240,7 +240,7 @@ export const upsertAdminRole: StepCall<AdminRole> = async ({ args: role, config
     await Promise.all([
       ...groupMembers.map((member) => {
         if (member.id && !role.members.some(({ id }) => id === member.id)) {
-          if (purgeEnabled) {
+          if (specificallyEnabled(purge)) {
             return kcClient.users.delFromGroup({
               id: member.id,
               groupId: group!.id!,
@@ -388,7 +388,7 @@ export const deleteProjectRole: StepCall<ProjectRole> = async ({ args: role }) =
 
 export const upsertProjectMember: StepCall<ProjectMemberPayload> = async ({ args: member, config }) => {
   const pluginResult = new PluginResultBuilder('Synced')
-  const purgeEnabled = config.keycloak?.purge === ENABLED
+  const purge = config.keycloak?.purge
   try {
     const kcClient = await getkcClient()
 
@@ -410,7 +410,7 @@ export const upsertProjectMember: StepCall<ProjectMemberPayload> = async ({ args
       if (shouldBeMember && !isMember) {
         await kcClient.users.addToGroup({ id: member.userId, groupId: roleGroup.id })
       } else if (!shouldBeMember && isMember) {
-        if (purgeEnabled) {
+        if (specificallyEnabled(purge)) {
           await kcClient.users.delFromGroup({ id: member.userId, groupId: roleGroup.id })
         } else {
           console.warn(`User ${member.email} is not in project ${member.project.slug} anymore, but purge is disabled`)

From b43be2d3cd97535ab07acd9764d36bb07069e26d Mon Sep 17 00:00:00 2001
From: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>
Date: Wed, 11 Feb 2026 11:28:51 +0100
Subject: [PATCH 2/2] chore(keycloak): remove per project config

We don't want drift to be an option in the future, so we'll keep the purge option as an admin only.

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>
---
 plugins/keycloak/src/infos.ts | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/plugins/keycloak/src/infos.ts b/plugins/keycloak/src/infos.ts
index f6fa873fa..6162c251d 100644
--- a/plugins/keycloak/src/infos.ts
+++ b/plugins/keycloak/src/infos.ts
@@ -19,20 +19,7 @@ const infos: ServiceInfos = {
         description: 'Purger les utilisateurs non synchronisés de Keycloak lors de la synchronisation',
       },
     ],
-    project: [
-      {
-        kind: 'switch',
-        key: 'purge',
-        initialValue: DISABLED,
-        permissions: {
-          admin: { read: true, write: true },
-          user: { read: false, write: false },
-        },
-        title: 'Purger les utilisateurs non synchronisés',
-        value: DISABLED,
-        description: 'Purger les utilisateurs non synchronisés de Keycloak lors de la synchronisation',
-      },
-    ],
+    project: [],
   },
 }