From 4e493069ab212a215f24be0086dcd755ba0ced88 Mon Sep 17 00:00:00 2001
From: rasmus
Date: Fri, 8 Aug 2025 05:40:45 +0300
Subject: [PATCH] groups doc
---
 README.md | 6 +++++-
 app/doorboy-proxy.py | 6 ++----
 app/kube.py | 2 +-
 docker-compose.yml | 4 ++--
 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 487033f..286e46d 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,8 @@ docker-compose -f docker-compose.yml up --build
 On kdoorpi override `KDOORPI_API_ALLOWED`, `KDOORPI_API_LONGPOLL` environment variables
 to redirect requests to your dev instance.
-# Slack bot
+# Deployment
+## Slack credentials
 1. https://api.slack.com/apps → Create new app → From scratch
 1. Verification Token as `SLACK_VERIFICATION_TOKEN`
 1. App home → Bot user
@@ -47,3 +48,6 @@ to redirect requests to your dev instance.
 1. Add commands. Request URL `https://doorboy-proxy.k-space.ee/slack-open`
 1. Incoming Webhooks → assign to channel -> Webhook URL as `SLACK_DOORLOG_CALLBACK`
+
+## OIDC groups
+Assumes `k-space:floor` and `k-space:workshop`, same in inventory-app.
diff --git a/app/doorboy-proxy.py b/app/doorboy-proxy.py
index efbe163..8ebf515 100755
--- a/app/doorboy-proxy.py
+++ b/app/doorboy-proxy.py
@@ -21,8 +21,6 @@ monitor(app).expose_endpoint()
 DOORBOY_SECRET_FLOOR = os.environ["DOORBOY_SECRET_FLOOR"]
 # API key for godoor controllers authenticating to k-space:workshop
 DOORBOY_SECRET_WORKSHOP = os.environ["DOORBOY_SECRET_WORKSHOP"]
-FLOOR_ACCESS_GROUP = os.getenv("FLOOR_ACCESS_GROUP", "k-space:floor")
-WORKSHOP_ACCESS_GROUP = os.getenv("WORKSHOP_ACCESS_GROUP", "k-space:workshop")
 MONGO_URI = os.environ["MONGO_URI"]
@@ -61,9 +59,9 @@ async def view_doorboy_uids(request):
 # authorize
 key = request.headers.get("KEY")
 if key == DOORBOY_SECRET_FLOOR:
- users = kube.users_with_group(FLOOR_ACCESS_GROUP)
+ users = kube.users_with_group("k-space:floor")
 elif key == DOORBOY_SECRET_WORKSHOP:
- users = kube.users_with_group(WORKSHOP_ACCESS_GROUP)
+ users = kube.users_with_group("k-space:workshop")
 else:
 print("WARN: unknown door token in /allowed")
 return "unknown doorboy secret token", 403
diff --git a/app/kube.py b/app/kube.py
index fde7b76..5ad9290 100644
--- a/app/kube.py
+++ b/app/kube.py
@@ -3,7 +3,7 @@ from typing import List, Tuple
 from kubernetes import client, config
-OIDC_USERS_NAMESPACE = os.getenv("OIDC_USERS_NAMESPACE")
+OIDC_USERS_NAMESPACE = os.environ["OIDC_USERS_NAMESPACE"]
 def users_with_group(group: str) -> List[str]:
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f76146..3ad4e70 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,10 +21,10 @@ services:
 doorboy_proxy:
 environment:
+ OIDC_USERS_NAMESPACE: passmower
 DOORBOY_SECRET_FLOOR: "0123456789"
 DOORBOY_SECRET_WORKSHOP: "9999999999"
- FLOOR_ACCESS_GROUP: "k-space:floor"
- WORKSHOP_ACCESS_GROUP: "k-space:workshop"
+ SLACK_VERIFICATION_TOKEN: DEV
 SLACK_DOORLOG_CALLBACK: DEV
 SLACK_CHANNEL_ID: CDL9H8Q9W
 env_file: .env
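Review bot: In the second hunk of app/doorboy-proxy.py the `KEY` header is still matched with `==` against `DOORBOY_SECRET_FLOOR` and `DOORBOY_SECRET_WORKSHOP`, and that comparison alone decides which hard-coded group's users are returned. String `==` is not constant-time, so I would compare with `hmac.compare_digest(key.encode(), DOORBOY_SECRET_FLOOR.encode())` (and likewise for the workshop secret). Read the header as `key = request.headers.get("KEY") or ""` first, so a missing header cannot reach `.encode()` as `None`. `hmac` is standard library, but whether the file already imports it is not visible here, and `view_doorboy_uids` continues outside the hunk.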
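Review bot: In app/kube.py, `os.environ["OIDC_USERS_NAMESPACE"]` now fails at import when the variable is unset, but an empty value (for example `OIDC_USERS_NAMESPACE=` in an env file) still passes. The name suggests this namespace scopes the lookup in `users_with_group`, which feeds the door authorization, so I would reject the empty case as well with `if not OIDC_USERS_NAMESPACE: raise RuntimeError("OIDC_USERS_NAMESPACE must not be empty")` right after the assignment. How the value is used lies outside the hunk, so the effect of an empty namespace is an assumption to confirm.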
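Review bot: In docker-compose.yml the added `SLACK_VERIFICATION_TOKEN: DEV` sits under `environment:`, and Compose gives `environment` precedence over `env_file`, so a real token placed in `.env` would be silently replaced by the literal `DEV`. The same applies to the two `DOORBOY_SECRET_*` placeholders in the context lines above it. If this file is meant only for local development, a comment such as `# dev-only placeholders; values here override .env` above the block would make that explicit. Otherwise the secret-bearing keys should move out of `environment:` so that `.env` supplies them.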