fix(admin-roles): admin conflicting with existing admin group in Keycloack

The new AdminRole implementation introduced by #1893 changed the source of truth from Keycloak to Console, which overrides all existing data based on the state of Console.

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server/src/prisma/migrations/20260204150335_add_system_roles/migration.sql

@@ -1,6 +1,6 @@
 -- Update existing Admin role to be system role 'Administrateur Plateforme'
 UPDATE "AdminRole"
-SET 
+SET
   "name" = 'Administrateur Plateforme',
   "type" = 'system',
   "permissions" = 3, -- Assuming 3n means bit 0 and 1 (1 | 2 = 3)

apps/server/src/prisma/migrations/20260206105522_dso/migration.sql

@@ -0,0 +1,29 @@
+-- Update existing Admin role to be system role 'Root Administrateur Plateforme'
+UPDATE "AdminRole"
+SET
+  "name" = 'Root Administrateur Plateforme',
+  "oidcGroup" = '/admin',
+WHERE "id" = '76229c96-4716-45bc-99da-00498ec9018c'::uuid;
+
+-- Insert 'Administrateur Plateforme' system role if it doesn't exist
+INSERT INTO "AdminRole" ("id", "name", "permissions", "position", "oidcGroup", "type")
+VALUES (
+  '6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf'::uuid,
+  'Administrateur Plateforme',
+  3, -- Assuming 3n means bit 0 and 1 (1 | 2 = 3)
+  0,
+  '/console/admin',
+  'system'
+)
+ON CONFLICT ("id") DO UPDATE
+SET
+  "name" = 'Administrateur Plateforme',
+  "type" = 'system',
+  "permissions" = 3,
+  "oidcGroup" = '/console/admin';
+
+-- Update 'Lecture Seule Plateforme' system role
+UPDATE "AdminRole"
+SET
+  "oidcGroup" = '/console/readonly'
+WHERE "id" = '35848aa2-e881-4770-9844-0c5c3693e506'::uuid;

apps/server/src/resources/user/business.spec.ts

@@ -135,7 +135,7 @@ describe('test users business', () => {
     }, {
       id: faker.string.uuid(),
       name: faker.string.alphanumeric(),
-      oidcGroup: '/admin',
+      oidcGroup: '/console/admin',
       permissions: 0n,
       position: 0,
     }]

packages/shared/src/utils/const.ts

@@ -1,4 +1,4 @@
-export const adminGroupPath = '/admin'
+export const adminGroupPath = '/console/admin'
 export const deleteValidationInput = 'DELETE'
 export const forbiddenRepoNames = ['mirror', 'infra-apps', 'infra-observability']
 

packages/test-utils/src/imports/data.ts

@@ -24,6 +24,14 @@ export const data = {
       permissions: '3n',
       position: 0,
       oidcGroup: '/admin',
+      name: 'Root Administrateur Plateforme',
+      type: 'system',
+    },
+    {
+      id: '6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf',
+      permissions: '3n',
+      position: 0,
+      oidcGroup: '/console/admin',
       name: 'Administrateur Plateforme',
       type: 'system',
     },
@@ -39,7 +47,7 @@ export const data = {
       id: '35848aa2-e881-4770-9844-0c5c3693e506',
       permissions: '1n',
       position: 2,
-      oidcGroup: '/readonly',
+      oidcGroup: '/console/readonly',
       name: 'Lecture Seule Plateforme',
       type: 'system',
     },

playwright/e2e-tests/system-roles.spec.ts

@@ -20,10 +20,10 @@ test.describe('System Roles at Project Creation', () => {
 
     // Assert
     const systemRoles = [
-      { name: 'Administrateur', oidcGroup: '/admin' },
-      { name: 'DevOps', oidcGroup: '/devops' },
-      { name: 'Développeur', oidcGroup: '/developer' },
-      { name: 'Lecture seule', oidcGroup: '/readonly' },
+      { name: 'Administrateur', oidcGroup: '/console/admin' },
+      { name: 'DevOps', oidcGroup: '/console/devops' },
+      { name: 'Développeur', oidcGroup: '/console/developer' },
+      { name: 'Lecture seule', oidcGroup: '/console/readonly' },
     ]
 
     for (const role of systemRoles) {