member-console/test/seed/fedwiki/render.sh

#!/usr/bin/env sh
# Renders FedWiki identity fixtures into /data using real Keycloak UUIDs.
#
# Designed to run inside the `fedwiki-render` compose service (alpine/curl
# with jq + gettext installed at entrypoint). Reads templates from /seed,
# resolves UUIDs from the Keycloak admin API, writes rendered files to
# /data. Runs as root in-container, so no host file-ownership workaround.
#
# Required env: KC_URL, KC_REALM, KC_ADMIN_USER, KC_ADMIN_PASSWORD.
# Required mounts: /seed (test/seed/fedwiki, ro), /data (test/testdata/fedwiki).

set -eu

: "${KC_URL:?KC_URL must be set}"
: "${KC_REALM:=master}"
: "${KC_ADMIN_USER:?KC_ADMIN_USER must be set}"
: "${KC_ADMIN_PASSWORD:?KC_ADMIN_PASSWORD must be set}"

echo "Fetching admin token from ${KC_URL}..."
TOKEN=$(curl -sf "${KC_URL}/realms/${KC_REALM}/protocol/openid-connect/token" \
  -d "grant_type=password" \
  -d "client_id=admin-cli" \
  -d "username=${KC_ADMIN_USER}" \
  -d "password=${KC_ADMIN_PASSWORD}" | jq -r '.access_token')

if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
  echo "ERROR: failed to obtain Keycloak admin token" >&2
  exit 1
fi

resolve_user_id() {
  username="$1"
  id=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
    "${KC_URL}/admin/realms/${KC_REALM}/users?username=${username}&exact=true" \
    | jq -r '.[0].id // empty')
  if [ -z "$id" ]; then
    echo "ERROR: user '${username}' not found in realm '${KC_REALM}' — keycloak-seed must run first" >&2
    exit 1
  fi
  echo "$id"
}

ALICE_ID="$(resolve_user_id alice)"
export ALICE_ID
echo "Resolved alice -> ${ALICE_ID}"

echo "Rendering templates into /data/"
find /seed -type f -name '*.tpl' | while read -r tpl; do
  rel="${tpl#/seed/}"
  out="/data/${rel%.tpl}"
  mkdir -p "$(dirname "$out")"
  envsubst '${ALICE_ID}' < "$tpl" > "$out"
  echo "  rendered ${rel%.tpl}"
done

# Hand /data back to uid 1000 so the fedwiki container's `node` user
# can mkdir runtime subdirs (pages/, recycle/, ...).
chown -R 1000:1000 /data

echo "Done."