From b714dfe239633dea0b8c02b023935e59ec61a257 Mon Sep 17 00:00:00 2001 From: waruneeauy Date: Fri, 27 Feb 2026 10:05:13 +0700 Subject: [PATCH] add script update org and sync keycloak, setup time run cronjob --- src/app.ts | 44 +- src/controllers/KeycloakSyncController.ts | 254 +++++ src/controllers/ScriptProfileOrgController.ts | 326 ++++++ src/keycloak/index.ts | 139 +++ src/middlewares/auth.ts | 10 + src/middlewares/user.ts | 8 + src/services/KeycloakAttributeService.ts | 928 ++++++++++++++++++ 7 files changed, 1694 insertions(+), 15 deletions(-) create mode 100644 src/controllers/KeycloakSyncController.ts create mode 100644 src/controllers/ScriptProfileOrgController.ts create mode 100644 src/services/KeycloakAttributeService.ts diff --git a/src/app.ts b/src/app.ts index 75d0bfea..06f76548 100644 --- a/src/app.ts +++ b/src/app.ts @@ -15,6 +15,7 @@ import { logMemoryStore } from "./utils/LogMemoryStore"; import { orgStructureCache } from "./utils/OrgStructureCache"; import { CommandController } from "./controllers/CommandController"; import { ProfileSalaryController } from "./controllers/ProfileSalaryController"; +import { ScriptProfileOrgController } from "./controllers/ScriptProfileOrgController"; import { DateSerializer } from "./interfaces/date-serializer"; import { initWebSocket } from "./services/webSocket"; @@ -52,19 +53,8 @@ async function main() { const APP_HOST = process.env.APP_HOST || "0.0.0.0"; const APP_PORT = +(process.env.APP_PORT || 3000); - const cronTime = "0 0 3 * * *"; // ตั้งเวลาทุกวันเวลา 03:00:00 - // const cronTime = "*/10 * * * * *"; - cron.schedule(cronTime, async () => { - try { - const orgController = new OrganizationController(); - await orgController.cronjobRevision(); - } catch (error) { - console.error("Error executing function from controller:", error); - } - }); - - const cronTime_command = "0 0 2 * * *"; - // const cronTime_command = "*/10 * * * * *"; + // Cron job for executing command - every day at 00:30:00 + const cronTime_command = "0 30 0 * * *"; cron.schedule(cronTime_command, async () => { try { const commandController = new CommandController(); @@ -74,7 +64,19 @@ async function main() { } }); - const cronTime_Oct = "0 0 1 10 *"; + // Cron job for updating org revision - every day at 01:00:00 + const cronTime = "0 0 1 * * *"; + cron.schedule(cronTime, async () => { + try { + const orgController = new OrganizationController(); + await orgController.cronjobRevision(); + } catch (error) { + console.error("Error executing function from controller:", error); + } + }); + + // Cron job for updating retirement status - every day at 02:00:00 on the 1st of October + const cronTime_Oct = "0 0 2 10 *"; cron.schedule(cronTime_Oct, async () => { try { const commandController = new CommandController(); @@ -84,7 +86,19 @@ async function main() { } }); - const cronTime_Tenure = "0 0 0 * * *"; + // Cron job for updating org DNA - every day at 03:00:00 + const cronTime_UpdateOrg = "0 0 3 * * *"; + cron.schedule(cronTime_UpdateOrg, async () => { + try { + const scriptProfileOrgController = new ScriptProfileOrgController(); + await scriptProfileOrgController.cronjobUpdateOrg({} as any); + } catch (error) { + console.error("Error executing cronjobUpdateOrg:", error); + } + }); + + // Cron job for updating tenure - every day at 04:00:00 + const cronTime_Tenure = "0 0 4 * * *"; cron.schedule(cronTime_Tenure, async () => { try { const profileSalaryController = new ProfileSalaryController(); diff --git a/src/controllers/KeycloakSyncController.ts b/src/controllers/KeycloakSyncController.ts new file mode 100644 index 00000000..81dbbf66 --- /dev/null +++ b/src/controllers/KeycloakSyncController.ts @@ -0,0 +1,254 @@ +import { + Controller, + Post, + Get, + Route, + Security, + Tags, + Path, + Request, + Response, + Query, + Body, +} from "tsoa"; +import { KeycloakAttributeService } from "../services/KeycloakAttributeService"; +import HttpSuccess from "../interfaces/http-success"; +import HttpStatus from "../interfaces/http-status"; +import HttpError from "../interfaces/http-error"; +import { RequestWithUser } from "../middlewares/user"; + +@Route("api/v1/org/keycloak-sync") +@Tags("Keycloak Sync") +@Security("bearerAuth") +@Response( + HttpStatus.INTERNAL_SERVER_ERROR, + "เกิดข้อผิดพลาด ไม่สามารถดำเนินการได้ กรุณาลองใหม่ในภายหลัง", +) +export class KeycloakSyncController extends Controller { + private keycloakAttributeService = new KeycloakAttributeService(); + + /** + * Sync attributes for the current logged-in user + * + * @summary Sync profileId and rootDnaId to Keycloak for current user + */ + @Post("sync-me") + async syncCurrentUser(@Request() request: RequestWithUser) { + const keycloakUserId = request.user.sub; + + if (!keycloakUserId) { + throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบ Keycloak user ID"); + } + + // Get attributes from database before sync + const dbAttrs = await this.keycloakAttributeService.getUserProfileAttributes(keycloakUserId); + + const success = await this.keycloakAttributeService.syncUserAttributes(keycloakUserId); + + if (!success) { + throw new HttpError( + HttpStatus.INTERNAL_SERVER_ERROR, + "ไม่สามารถ sync ข้อมูลไปยัง Keycloak ได้ กรุณาติดต่อผู้ดูแลระบบ", + ); + } + + // Verify sync by fetching attributes from Keycloak after update + const kcAttrsAfter = + await this.keycloakAttributeService.getCurrentKeycloakAttributes(keycloakUserId); + + return new HttpSuccess({ + message: "Sync ข้อมูลสำเร็จ", + syncedToKeycloak: !!kcAttrsAfter?.profileId, + databaseAttributes: dbAttrs, + keycloakAttributesAfter: kcAttrsAfter, + }); + } + + /** + * Get current attributes of the logged-in user + * + * @summary Get current profileId and rootDnaId from Keycloak + */ + @Get("my-attributes") + async getMyAttributes(@Request() request: RequestWithUser) { + const keycloakUserId = request.user.sub; + + if (!keycloakUserId) { + throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบ Keycloak user ID"); + } + + const keycloakAttributes = + await this.keycloakAttributeService.getCurrentKeycloakAttributes(keycloakUserId); + const dbAttributes = + await this.keycloakAttributeService.getUserProfileAttributes(keycloakUserId); + + return new HttpSuccess({ + keycloakAttributes, + databaseAttributes: dbAttributes, + }); + } + + /** + * Sync attributes for a specific profile (Admin only) + * + * @summary Sync profileId and rootDnaId to Keycloak by profile ID (ADMIN) + * + * @param {string} profileId Profile ID + * @param {string} profileType Profile type (PROFILE or PROFILE_EMPLOYEE) + */ + @Post("sync-profile/:profileId") + async syncByProfileId( + @Path() profileId: string, + @Query() profileType: "PROFILE" | "PROFILE_EMPLOYEE" = "PROFILE", + ) { + if (!["PROFILE", "PROFILE_EMPLOYEE"].includes(profileType)) { + throw new HttpError( + HttpStatus.BAD_REQUEST, + "profileType ต้องเป็น PROFILE หรือ PROFILE_EMPLOYEE เท่านั้น", + ); + } + + const success = await this.keycloakAttributeService.syncOnOrganizationChange( + profileId, + profileType, + ); + + if (!success) { + throw new HttpError( + HttpStatus.INTERNAL_SERVER_ERROR, + "ไม่สามารถ sync ข้อมูลไปยัง Keycloak ได้ หรือไม่พบข้อมูล profile", + ); + } + + return new HttpSuccess({ message: "Sync ข้อมูลสำเร็จ" }); + } + + /** + * Batch sync attributes for multiple profiles (Admin only) + * + * @summary Batch sync profileId and rootDnaId to Keycloak for multiple profiles (ADMIN) + * + * @param {request} request Request body containing profileIds array and profileType + */ + @Post("sync-profiles-batch") + async syncByProfileIds( + @Body() request: { profileIds: string[]; profileType: "PROFILE" | "PROFILE_EMPLOYEE" }, + ) { + const { profileIds, profileType } = request; + + // Validate profileIds + if (!profileIds || profileIds.length === 0) { + throw new HttpError(HttpStatus.BAD_REQUEST, "profileIds ต้องไม่ว่างเปล่า"); + } + + // Validate profileType + if (!["PROFILE", "PROFILE_EMPLOYEE"].includes(profileType)) { + throw new HttpError( + HttpStatus.BAD_REQUEST, + "profileType ต้องเป็น PROFILE หรือ PROFILE_EMPLOYEE เท่านั้น", + ); + } + + const result = { + total: profileIds.length, + success: 0, + failed: 0, + details: [] as Array<{ profileId: string; status: "success" | "failed"; error?: string }>, + }; + + // Process each profileId + for (const profileId of profileIds) { + try { + const success = await this.keycloakAttributeService.syncOnOrganizationChange( + profileId, + profileType, + ); + + if (success) { + result.success++; + result.details.push({ profileId, status: "success" }); + } else { + result.failed++; + result.details.push({ + profileId, + status: "failed", + error: "Sync returned false - ไม่พบข้อมูล profile หรือ Keycloak user ID", + }); + } + } catch (error: any) { + result.failed++; + result.details.push({ profileId, status: "failed", error: error.message }); + } + } + + return new HttpSuccess({ + message: "Batch sync เสร็จสิ้น", + ...result, + }); + } + + /** + * Batch sync all users (Admin only) + * + * @summary Batch sync all users to Keycloak without limit (ADMIN) + * + * @description Syncs profileId and orgRootDnaId to Keycloak for all users + * that have a keycloak ID. Uses parallel processing for better performance. + */ + @Post("sync-all") + async syncAll() { + const result = await this.keycloakAttributeService.batchSyncUsers(); + + return new HttpSuccess({ + message: "Batch sync เสร็จสิ้น", + total: result.total, + success: result.success, + failed: result.failed, + details: result.details, + }); + } + + /** + * Ensure Keycloak users exist for all profiles (Admin only) + * + * @summary Create or verify Keycloak users for all profiles in Profile and ProfileEmployee tables (ADMIN) + * + * @description + * This endpoint will: + * - Create new Keycloak users for profiles without a keycloak ID + * - Create new Keycloak users for profiles where the stored keycloak ID doesn't exist in Keycloak + * - Verify existing Keycloak users + * - Skip profiles without a citizenId + */ + @Post("ensure-users") + async ensureAllUsers() { + const result = await this.keycloakAttributeService.batchEnsureKeycloakUsers(); + return new HttpSuccess({ + message: "Batch ensure Keycloak users เสร็จสิ้น", + ...result, + }); + } + + /** + * Clear orphaned Keycloak users (Admin only) + * + * @summary Delete Keycloak users that are not in the database (ADMIN) + * + * @description + * This endpoint will: + * - Find users in Keycloak that are not referenced in Profile or ProfileEmployee tables + * - Delete those orphaned users from Keycloak + * - Skip protected users (super_admin, admin_issue) + * + * @param {request} request Request body containing skipUsernames array + */ + @Post("clear-orphaned-users") + async clearOrphanedUsers(@Body() request?: { skipUsernames?: string[] }) { + const skipUsernames = request?.skipUsernames || ["super_admin", "admin_issue"]; + const result = await this.keycloakAttributeService.clearOrphanedKeycloakUsers(skipUsernames); + return new HttpSuccess({ + message: "Clear orphaned Keycloak users เสร็จสิ้น", + ...result, + }); + } +} diff --git a/src/controllers/ScriptProfileOrgController.ts b/src/controllers/ScriptProfileOrgController.ts new file mode 100644 index 00000000..c8975e43 --- /dev/null +++ b/src/controllers/ScriptProfileOrgController.ts @@ -0,0 +1,326 @@ +import { Controller, Post, Route, Security, Tags, Request } from "tsoa"; +import { AppDataSource } from "../database/data-source"; +import HttpSuccess from "../interfaces/http-success"; +import HttpStatus from "../interfaces/http-status"; +import HttpError from "../interfaces/http-error"; +import { RequestWithUser } from "../middlewares/user"; +import { MoreThanOrEqual } from "typeorm"; +import { PosMaster } from "./../entities/PosMaster"; +import axios from "axios"; +import { KeycloakSyncController } from "./KeycloakSyncController"; +import { EmployeePosMaster } from "./../entities/EmployeePosMaster"; + +interface OrgUpdatePayload { + profileId: string; + rootDnaId: string | null; + child1DnaId: string | null; + child2DnaId: string | null; + child3DnaId: string | null; + child4DnaId: string | null; + profileType: "PROFILE" | "PROFILE_EMPLOYEE"; +} + +@Route("api/v1/org/script-profile-org") +@Tags("Keycloak Sync") +@Security("bearerAuth") +export class ScriptProfileOrgController extends Controller { + private posMasterRepo = AppDataSource.getRepository(PosMaster); + private employeePosMasterRepo = AppDataSource.getRepository(EmployeePosMaster); + + // Idempotency flag to prevent concurrent runs + private isRunning = false; + + // Configurable values + private readonly BATCH_SIZE = parseInt(process.env.CRONJOB_BATCH_SIZE || "100", 10); + private readonly UPDATE_WINDOW_HOURS = parseInt( + process.env.CRONJOB_UPDATE_WINDOW_HOURS || "24", + 10, + ); + + @Post("update-org") + public async cronjobUpdateOrg(@Request() request: RequestWithUser) { + // Idempotency check - prevent concurrent runs + if (this.isRunning) { + console.log("cronjobUpdateOrg: Job already running, skipping this execution"); + return new HttpSuccess({ + message: "Job already running", + skipped: true, + }); + } + + this.isRunning = true; + const startTime = Date.now(); + + try { + const windowStart = new Date(Date.now() - this.UPDATE_WINDOW_HOURS * 60 * 60 * 1000); + + console.log("cronjobUpdateOrg: Starting job", { + windowHours: this.UPDATE_WINDOW_HOURS, + windowStart: windowStart.toISOString(), + batchSize: this.BATCH_SIZE, + }); + + // Query with optimized select - only fetch required fields + const [posMasters, posMasterEmployee] = await Promise.all([ + this.posMasterRepo.find({ + where: { + lastUpdatedAt: MoreThanOrEqual(windowStart), + orgRevision: { + orgRevisionIsCurrent: true, + }, + }, + relations: [ + "orgRevision", + "orgRoot", + "orgChild1", + "orgChild2", + "orgChild3", + "orgChild4", + "current_holder", + ], + select: { + id: true, + current_holderId: true, + lastUpdatedAt: true, + orgRevision: { id: true }, + orgRoot: { ancestorDNA: true }, + orgChild1: { ancestorDNA: true }, + orgChild2: { ancestorDNA: true }, + orgChild3: { ancestorDNA: true }, + orgChild4: { ancestorDNA: true }, + current_holder: { id: true }, + }, + }), + this.employeePosMasterRepo.find({ + where: { + lastUpdatedAt: MoreThanOrEqual(windowStart), + orgRevision: { + orgRevisionIsCurrent: true, + }, + }, + relations: [ + "orgRevision", + "orgRoot", + "orgChild1", + "orgChild2", + "orgChild3", + "orgChild4", + "current_holder", + ], + select: { + id: true, + current_holderId: true, + lastUpdatedAt: true, + orgRevision: { id: true }, + orgRoot: { ancestorDNA: true }, + orgChild1: { ancestorDNA: true }, + orgChild2: { ancestorDNA: true }, + orgChild3: { ancestorDNA: true }, + orgChild4: { ancestorDNA: true }, + current_holder: { id: true }, + }, + }), + ]); + + console.log("cronjobUpdateOrg: Database query completed", { + posMastersCount: posMasters.length, + employeePosCount: posMasterEmployee.length, + totalRecords: posMasters.length + posMasterEmployee.length, + }); + + // Build payloads with proper profile type tracking + const payloads = this.buildPayloads(posMasters, posMasterEmployee); + + if (payloads.length === 0) { + console.log("cronjobUpdateOrg: No records to process"); + return new HttpSuccess({ + message: "No records to process", + processed: 0, + }); + } + + // Update profile's org structure in leave service by calling API + console.log("cronjobUpdateOrg: Calling leave service API", { + payloadCount: payloads.length, + }); + + await axios.put(`${process.env.API_URL}/leave-beginning/schedule/update-dna`, payloads, { + headers: { + "Content-Type": "application/json", + api_key: process.env.API_KEY, + }, + timeout: 30000, // 30 second timeout + }); + + console.log("cronjobUpdateOrg: Leave service API call successful"); + + // Group profile IDs by type for proper syncing + const profileIdsByType = this.groupProfileIdsByType(payloads); + + // Sync to Keycloak with batching + const keycloakSyncController = new KeycloakSyncController(); + const syncResults = { + total: 0, + success: 0, + failed: 0, + byType: {} as Record, + }; + + // Process each profile type separately + for (const [profileType, profileIds] of Object.entries(profileIdsByType)) { + console.log(`cronjobUpdateOrg: Syncing ${profileType} profiles`, { + count: profileIds.length, + }); + + const batches = this.chunkArray(profileIds, this.BATCH_SIZE); + const typeResult = { total: profileIds.length, success: 0, failed: 0 }; + + for (let i = 0; i < batches.length; i++) { + const batch = batches[i]; + console.log( + `cronjobUpdateOrg: Processing batch ${i + 1}/${batches.length} for ${profileType}`, + { + batchSize: batch.length, + batchRange: `${i * this.BATCH_SIZE + 1}-${Math.min( + (i + 1) * this.BATCH_SIZE, + profileIds.length, + )}`, + }, + ); + + try { + const batchResult: any = await keycloakSyncController.syncByProfileIds({ + profileIds: batch, + profileType: profileType as "PROFILE" | "PROFILE_EMPLOYEE", + }); + + // Extract result data if available + const resultData = (batchResult as any)?.data || batchResult; + typeResult.success += resultData.success || 0; + typeResult.failed += resultData.failed || 0; + + console.log(`cronjobUpdateOrg: Batch ${i + 1}/${batches.length} completed`, { + success: resultData.success || 0, + failed: resultData.failed || 0, + }); + } catch (error: any) { + console.error(`cronjobUpdateOrg: Batch ${i + 1}/${batches.length} failed`, { + error: error.message, + batchSize: batch.length, + }); + // Count all profiles in failed batch as failed + typeResult.failed += batch.length; + } + } + + syncResults.byType[profileType] = typeResult; + syncResults.total += typeResult.total; + syncResults.success += typeResult.success; + syncResults.failed += typeResult.failed; + } + + const duration = Date.now() - startTime; + console.log("cronjobUpdateOrg: Job completed", { + duration: `${duration}ms`, + processed: payloads.length, + syncResults, + }); + + return new HttpSuccess({ + message: "Update org completed", + processed: payloads.length, + syncResults, + duration: `${duration}ms`, + }); + } catch (error: any) { + const duration = Date.now() - startTime; + console.error("cronjobUpdateOrg: Job failed", { + duration: `${duration}ms`, + error: error.message, + stack: error.stack, + }); + throw new HttpError(HttpStatus.INTERNAL_SERVER_ERROR, "Internal server error"); + } finally { + this.isRunning = false; + } + } + + /** + * Build payloads from PosMaster and EmployeePosMaster records + * Includes proper profile type tracking for accurate Keycloak sync + */ + private buildPayloads( + posMasters: PosMaster[], + posMasterEmployee: EmployeePosMaster[], + ): OrgUpdatePayload[] { + const payloads: OrgUpdatePayload[] = []; + + // Process PosMaster records (PROFILE type) + for (const posMaster of posMasters) { + if (posMaster.current_holder && posMaster.current_holderId) { + payloads.push({ + profileId: posMaster.current_holderId, + rootDnaId: posMaster.orgRoot?.ancestorDNA || null, + child1DnaId: posMaster.orgChild1?.ancestorDNA || null, + child2DnaId: posMaster.orgChild2?.ancestorDNA || null, + child3DnaId: posMaster.orgChild3?.ancestorDNA || null, + child4DnaId: posMaster.orgChild4?.ancestorDNA || null, + profileType: "PROFILE", + }); + } + } + + // Process EmployeePosMaster records (PROFILE_EMPLOYEE type) + for (const employeePos of posMasterEmployee) { + if (employeePos.current_holder && employeePos.current_holderId) { + payloads.push({ + profileId: employeePos.current_holderId, + rootDnaId: employeePos.orgRoot?.ancestorDNA || null, + child1DnaId: employeePos.orgChild1?.ancestorDNA || null, + child2DnaId: employeePos.orgChild2?.ancestorDNA || null, + child3DnaId: employeePos.orgChild3?.ancestorDNA || null, + child4DnaId: employeePos.orgChild4?.ancestorDNA || null, + profileType: "PROFILE_EMPLOYEE", + }); + } + } + + return payloads; + } + + /** + * Group profile IDs by their type for separate Keycloak sync calls + */ + private groupProfileIdsByType(payloads: OrgUpdatePayload[]): Record { + const grouped: Record = { + PROFILE: [], + PROFILE_EMPLOYEE: [], + }; + + for (const payload of payloads) { + grouped[payload.profileType].push(payload.profileId); + } + + // Remove empty groups and deduplicate IDs within each group + const result: Record = {}; + for (const [type, ids] of Object.entries(grouped)) { + if (ids.length > 0) { + // Deduplicate while preserving order + result[type] = Array.from(new Set(ids)); + } + } + + return result; + } + + /** + * Split array into chunks of specified size + */ + private chunkArray(array: T[], chunkSize: number): T[][] { + const chunks: T[][] = []; + for (let i = 0; i < array.length; i += chunkSize) { + chunks.push(array.slice(i, i + chunkSize)); + } + return chunks; + } +} diff --git a/src/keycloak/index.ts b/src/keycloak/index.ts index a81e2af9..85724eec 100644 --- a/src/keycloak/index.ts +++ b/src/keycloak/index.ts @@ -832,3 +832,142 @@ export async function resetPassword(username: string) { return false; } } + +export async function updateUserAttributes( + userId: string, + attributes: Record, +): Promise { + try { + // Get existing user data to preserve other attributes + const existingUser = await getUser(userId); + + if (!existingUser) { + console.error(`User ${userId} not found in Keycloak`); + return false; + } + + // Merge existing attributes with new attributes + // IMPORTANT: Spread all existing user fields to preserve firstName, lastName, email, etc. + // The Keycloak PUT endpoint performs a full update, so we must include all fields + const updatedAttributes = { + ...existingUser, + attributes: { + ...(existingUser.attributes || {}), + ...attributes, + }, + }; + + console.log( + `[updateUserAttributes] Sending to Keycloak:`, + JSON.stringify(updatedAttributes, null, 2), + ); + + const res = await fetch(`${KC_URL}/admin/realms/${KC_REALMS}/users/${userId}`, { + headers: { + authorization: `Bearer ${await getToken()}`, + "content-type": "application/json", + }, + method: "PUT", + body: JSON.stringify(updatedAttributes), + }).catch((e) => { + console.error(`[updateUserAttributes] Network error:`, e); + return null; + }); + + if (!res) { + console.error(`[updateUserAttributes] No response from Keycloak`); + return false; + } + + if (!res.ok) { + const errorText = await res.text(); + console.error(`[updateUserAttributes] Keycloak Error (${res.status}):`, errorText); + return false; + } + + console.log(`[updateUserAttributes] Successfully updated attributes for user ${userId}`); + return true; + } catch (error) { + console.error(`[updateUserAttributes] Error updating attributes for user ${userId}:`, error); + return false; + } +} + +export async function getAllUsersPaginated( + search: string = "", + batchSize: number = 100, +): Promise< + | Array<{ + id: string; + username: string; + firstName?: string; + lastName?: string; + email?: string; + enabled: boolean; + }> + | false +> { + const allUsers: any[] = []; + let first = 0; + let hasMore = true; + + while (hasMore) { + const res = await fetch( + `${KC_URL}/admin/realms/${KC_REALMS}/users?first=${first}&max=${batchSize}${search ? `&search=${search}` : ""}`, + { + headers: { + authorization: `Bearer ${await getToken()}`, + "content-type": `application/json`, + }, + }, + ).catch((e) => console.log("Keycloak Error: ", e)); + + if (!res) return false; + if (!res.ok) { + const errorText = await res.text(); + console.error("Keycloak Error Response: ", errorText); + return false; + } + + const rawText = await res.text(); + + try { + const batch = JSON.parse(rawText) as any[]; + + if (batch.length === 0) { + hasMore = false; + } else { + allUsers.push(...batch); + first += batch.length; + hasMore = batch.length === batchSize; + + // Log progress for large datasets + if (allUsers.length % 500 === 0) { + console.log(`[getAllUsersPaginated] Fetched ${allUsers.length} users so far...`); + } + } + } catch (error) { + console.error(`[getAllUsersPaginated] Failed to parse JSON response at offset ${first}:`); + console.error( + `[getAllUsersPaginated] Response preview (first 500 chars):`, + rawText.substring(0, 500), + ); + console.error( + `[getAllUsersPaginated] Response preview (last 200 chars):`, + rawText.slice(-200), + ); + throw new Error(`Failed to parse Keycloak response as JSON at batch starting at ${first}.`); + } + } + + console.log(`[getAllUsersPaginated] Total users fetched: ${allUsers.length}`); + + return allUsers.map((v: any) => ({ + id: v.id, + username: v.username, + firstName: v.firstName, + lastName: v.lastName, + email: v.email, + enabled: v.enabled === true || v.enabled === "true", + })); +} diff --git a/src/middlewares/auth.ts b/src/middlewares/auth.ts index c27e6188..9a571572 100644 --- a/src/middlewares/auth.ts +++ b/src/middlewares/auth.ts @@ -75,6 +75,16 @@ export async function expressAuthentication( request.app.locals.logData.userName = payload.name; request.app.locals.logData.user = payload.preferred_username; + // เก็บค่า profileId และ orgRootDnaId จาก token (ใช้ค่าว่างถ้าไม่มี) + request.app.locals.logData.profileId = payload.profileId ?? ""; + request.app.locals.logData.orgRootDnaId = payload.orgRootDnaId ?? ""; + request.app.locals.logData.orgChild1DnaId = payload.orgChild1DnaId ?? ""; + request.app.locals.logData.orgChild2DnaId = payload.orgChild2DnaId ?? ""; + request.app.locals.logData.orgChild3DnaId = payload.orgChild3DnaId ?? ""; + request.app.locals.logData.orgChild4DnaId = payload.orgChild4DnaId ?? ""; + request.app.locals.logData.empType = payload.empType ?? ""; + request.app.locals.logData.prefix = payload.prefix ?? ""; + return payload; } diff --git a/src/middlewares/user.ts b/src/middlewares/user.ts index e5c48d9a..75c84d01 100644 --- a/src/middlewares/user.ts +++ b/src/middlewares/user.ts @@ -9,6 +9,14 @@ export type RequestWithUser = Request & { preferred_username: string; email: string; role: string[]; + profileId?: string; + prefix?: string; + orgRootDnaId?: string; + orgChild1DnaId?: string; + orgChild2DnaId?: string; + orgChild3DnaId?: string; + orgChild4DnaId?: string; + empType?: string; }; }; diff --git a/src/services/KeycloakAttributeService.ts b/src/services/KeycloakAttributeService.ts new file mode 100644 index 00000000..5b61e286 --- /dev/null +++ b/src/services/KeycloakAttributeService.ts @@ -0,0 +1,928 @@ +import { AppDataSource } from "../database/data-source"; +import { Profile } from "../entities/Profile"; +import { ProfileEmployee } from "../entities/ProfileEmployee"; +// import { PosMaster } from "../entities/PosMaster"; +// import { EmployeePosMaster } from "../entities/EmployeePosMaster"; +// import { OrgRoot } from "../entities/OrgRoot"; +import { + createUser, + getUser, + getUserByUsername, + updateUserAttributes, + deleteUser, + getRoles, + addUserRoles, + getAllUsersPaginated, +} from "../keycloak"; +import { OrgRevision } from "../entities/OrgRevision"; + +export interface UserProfileAttributes { + profileId: string | null; + orgRootDnaId: string | null; + orgChild1DnaId: string | null; + orgChild2DnaId: string | null; + orgChild3DnaId: string | null; + orgChild4DnaId: string | null; + empType: string | null; + prefix?: string | null; +} + +/** + * Keycloak Attribute Service + * Service for syncing profileId and orgRootDnaId to Keycloak user attributes + */ +export class KeycloakAttributeService { + private profileRepo = AppDataSource.getRepository(Profile); + private profileEmployeeRepo = AppDataSource.getRepository(ProfileEmployee); + // private posMasterRepo = AppDataSource.getRepository(PosMaster); + // private employeePosMasterRepo = AppDataSource.getRepository(EmployeePosMaster); + // private orgRootRepo = AppDataSource.getRepository(OrgRoot); + private orgRevisionRepo = AppDataSource.getRepository(OrgRevision); + + /** + * Get profile attributes (profileId and orgRootDnaId) from database + * Searches in Profile table first (ข้าราชการ), then ProfileEmployee (ลูกจ้าง) + * + * @param keycloakUserId - Keycloak user ID + * @returns UserProfileAttributes with profileId and orgRootDnaId + */ + async getUserProfileAttributes(keycloakUserId: string): Promise { + // First, try to find in Profile (ข้าราชการ) + const revisionCurrent = await this.orgRevisionRepo.findOne({ + where: { orgRevisionIsCurrent: true }, + }); + const revisionId = revisionCurrent ? revisionCurrent.id : null; + const profileResult = await this.profileRepo + .createQueryBuilder("p") + .leftJoinAndSelect("p.current_holders", "pm") + .leftJoinAndSelect("pm.orgRoot", "orgRoot") + .leftJoinAndSelect("pm.orgChild1", "orgChild1") + .leftJoinAndSelect("pm.orgChild2", "orgChild2") + .leftJoinAndSelect("pm.orgChild3", "orgChild3") + .leftJoinAndSelect("pm.orgChild4", "orgChild4") + .where("p.keycloak = :keycloakUserId", { keycloakUserId }) + .andWhere("orgRoot.orgRevisionId = :revisionId", { revisionId }) + .getOne(); + + if ( + profileResult && + profileResult.current_holders && + profileResult.current_holders.length > 0 + ) { + const currentPos = profileResult.current_holders[0]; + const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || ""; + const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || ""; + const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || ""; + const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || ""; + const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || ""; + return { + profileId: profileResult.id, + orgRootDnaId, + orgChild1DnaId, + orgChild2DnaId, + orgChild3DnaId, + orgChild4DnaId, + empType: "OFFICER", + prefix: profileResult.prefix, + }; + } + + // If not found in Profile, try ProfileEmployee (ลูกจ้าง) + const profileEmployeeResult = await this.profileEmployeeRepo + .createQueryBuilder("pe") + .leftJoinAndSelect("pe.current_holders", "epm") + .leftJoinAndSelect("epm.orgRoot", "org") + .leftJoinAndSelect("epm.orgChild1", "orgChild1") + .leftJoinAndSelect("epm.orgChild2", "orgChild2") + .leftJoinAndSelect("epm.orgChild3", "orgChild3") + .leftJoinAndSelect("epm.orgChild4", "orgChild4") + .where("pe.keycloak = :keycloakUserId", { keycloakUserId }) + .getOne(); + + if ( + profileEmployeeResult && + profileEmployeeResult.current_holders && + profileEmployeeResult.current_holders.length > 0 + ) { + const currentPos = profileEmployeeResult.current_holders[0]; + const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || ""; + const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || ""; + const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || ""; + const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || ""; + const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || ""; + return { + profileId: profileEmployeeResult.id, + orgRootDnaId, + orgChild1DnaId, + orgChild2DnaId, + orgChild3DnaId, + orgChild4DnaId, + empType: profileEmployeeResult.employeeClass, + prefix: profileEmployeeResult.prefix, + }; + } + + // Return null values if no profile found + return { + profileId: null, + orgRootDnaId: null, + orgChild1DnaId: null, + orgChild2DnaId: null, + orgChild3DnaId: null, + orgChild4DnaId: null, + empType: null, + prefix: null, + }; + } + + /** + * Get profile attributes by profile ID directly + * Used for syncing specific profiles + * + * @param profileId - Profile ID + * @param profileType - 'PROFILE' for ข้าราชการ or 'PROFILE_EMPLOYEE' for ลูกจ้าง + * @returns UserProfileAttributes with profileId and orgRootDnaId + */ + async getAttributesByProfileId( + profileId: string, + profileType: "PROFILE" | "PROFILE_EMPLOYEE", + ): Promise { + const revisionCurrent = await this.orgRevisionRepo.findOne({ + where: { orgRevisionIsCurrent: true }, + }); + const revisionId = revisionCurrent ? revisionCurrent.id : null; + if (profileType === "PROFILE") { + const profileResult = await this.profileRepo + .createQueryBuilder("p") + .leftJoinAndSelect("p.current_holders", "pm") + .leftJoinAndSelect("pm.orgRoot", "orgRoot") + .leftJoinAndSelect("pm.orgChild1", "orgChild1") + .leftJoinAndSelect("pm.orgChild2", "orgChild2") + .leftJoinAndSelect("pm.orgChild3", "orgChild3") + .leftJoinAndSelect("pm.orgChild4", "orgChild4") + .where("p.id = :profileId", { profileId }) + .andWhere("orgRoot.orgRevisionId = :revisionId", { revisionId }) + .getOne(); + + if ( + profileResult && + profileResult.current_holders && + profileResult.current_holders.length > 0 + ) { + const currentPos = profileResult.current_holders[0]; + const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || ""; + const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || ""; + const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || ""; + const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || ""; + const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || ""; + return { + profileId: profileResult.id, + orgRootDnaId, + orgChild1DnaId, + orgChild2DnaId, + orgChild3DnaId, + orgChild4DnaId, + empType: "OFFICER", + prefix: profileResult.prefix, + }; + } + } else { + const profileEmployeeResult = await this.profileEmployeeRepo + .createQueryBuilder("pe") + .leftJoinAndSelect("pe.current_holders", "epm") + .leftJoinAndSelect("epm.orgRoot", "org") + .leftJoinAndSelect("pm.orgChild1", "orgChild1") + .leftJoinAndSelect("pm.orgChild2", "orgChild2") + .leftJoinAndSelect("pm.orgChild3", "orgChild3") + .leftJoinAndSelect("pm.orgChild4", "orgChild4") + .where("pe.id = :profileId", { profileId }) + .getOne(); + + if ( + profileEmployeeResult && + profileEmployeeResult.current_holders && + profileEmployeeResult.current_holders.length > 0 + ) { + const currentPos = profileEmployeeResult.current_holders[0]; + const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || ""; + const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || ""; + const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || ""; + const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || ""; + const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || ""; + + return { + profileId: profileEmployeeResult.id, + orgRootDnaId, + orgChild1DnaId, + orgChild2DnaId, + orgChild3DnaId, + orgChild4DnaId, + empType: profileEmployeeResult.employeeClass, + prefix: profileEmployeeResult.prefix, + }; + } + } + + return { + profileId: null, + orgRootDnaId: null, + orgChild1DnaId: null, + orgChild2DnaId: null, + orgChild3DnaId: null, + orgChild4DnaId: null, + empType: null, + prefix: null, + }; + } + + /** + * Sync user attributes to Keycloak + * + * @param keycloakUserId - Keycloak user ID + * @returns true if sync successful, false otherwise + */ + async syncUserAttributes(keycloakUserId: string): Promise { + try { + const attributes = await this.getUserProfileAttributes(keycloakUserId); + + if (!attributes.profileId) { + console.log(`No profile found for Keycloak user ${keycloakUserId}`); + return false; + } + + // Prepare attributes for Keycloak (must be arrays) + const keycloakAttributes: Record = { + profileId: [attributes.profileId], + orgRootDnaId: [attributes.orgRootDnaId || ""], + orgChild1DnaId: [attributes.orgChild1DnaId || ""], + orgChild2DnaId: [attributes.orgChild2DnaId || ""], + orgChild3DnaId: [attributes.orgChild3DnaId || ""], + orgChild4DnaId: [attributes.orgChild4DnaId || ""], + empType: [attributes.empType || ""], + prefix: [attributes.prefix || ""], + }; + + const success = await updateUserAttributes(keycloakUserId, keycloakAttributes); + + if (success) { + console.log(`Synced attributes for Keycloak user ${keycloakUserId}:`, attributes); + } + + return success; + } catch (error) { + console.error(`Error syncing attributes for Keycloak user ${keycloakUserId}:`, error); + return false; + } + } + + /** + * Sync attributes when organization changes + * This is called when a user moves to a different organization + * + * @param profileId - Profile ID + * @param profileType - 'PROFILE' for ข้าราชการ or 'PROFILE_EMPLOYEE' for ลูกจ้าง + * @returns true if sync successful, false otherwise + */ + async syncOnOrganizationChange( + profileId: string, + profileType: "PROFILE" | "PROFILE_EMPLOYEE", + ): Promise { + try { + // Get the keycloak userId from the profile + let keycloakUserId: string | null = null; + + if (profileType === "PROFILE") { + const profile = await this.profileRepo.findOne({ where: { id: profileId } }); + keycloakUserId = profile?.keycloak || ""; + } else { + const profileEmployee = await this.profileEmployeeRepo.findOne({ + where: { id: profileId }, + }); + keycloakUserId = profileEmployee?.keycloak || ""; + } + + if (!keycloakUserId) { + console.log(`No Keycloak user ID found for profile ${profileId}`); + return false; + } + + return await this.syncUserAttributes(keycloakUserId); + } catch (error) { + console.error(`Error syncing organization change for profile ${profileId}:`, error); + return false; + } + } + + /** + * Batch sync multiple users with unlimited count and parallel processing + * Useful for initial sync or periodic updates + * + * @param options - Optional configuration (limit for testing, concurrency for parallel processing) + * @returns Object with success count and details + */ + async batchSyncUsers(options?: { + limit?: number; + concurrency?: number; + }): Promise<{ total: number; success: number; failed: number; details: any[] }> { + const limit = options?.limit; + const concurrency = options?.concurrency ?? 5; + + const result = { + total: 0, + success: 0, + failed: 0, + details: [] as any[], + }; + + try { + // Build query for profiles with keycloak IDs (ข้าราชการ) + const profileQuery = this.profileRepo + .createQueryBuilder("p") + .where("p.keycloak IS NOT NULL") + .andWhere("p.keycloak != :empty", { empty: "" }); + + // Build query for profileEmployees with keycloak IDs (ลูกจ้าง) + const profileEmployeeQuery = this.profileEmployeeRepo + .createQueryBuilder("pe") + .where("pe.keycloak IS NOT NULL") + .andWhere("pe.keycloak != :empty", { empty: "" }); + + // Apply limit if specified (for testing purposes) + if (limit !== undefined) { + profileQuery.take(limit); + profileEmployeeQuery.take(limit); + } + + // Get profiles from both tables + const [profiles, profileEmployees] = await Promise.all([ + profileQuery.getMany(), + profileEmployeeQuery.getMany(), + ]); + + const allProfiles = [ + ...profiles.map((p) => ({ profile: p, type: "PROFILE" as const })), + ...profileEmployees.map((p) => ({ profile: p, type: "PROFILE_EMPLOYEE" as const })), + ]; + + result.total = allProfiles.length; + + // Process in parallel with concurrency limit + const processedResults = await this.processInParallel( + allProfiles, + concurrency, + async ({ profile, type }, _index) => { + const keycloakUserId = profile.keycloak; + + try { + const success = await this.syncOnOrganizationChange(profile.id, type); + if (success) { + result.success++; + return { + profileId: profile.id, + keycloakUserId, + status: "success", + }; + } else { + result.failed++; + return { + profileId: profile.id, + keycloakUserId, + status: "failed", + error: "Sync returned false", + }; + } + } catch (error: any) { + result.failed++; + return { + profileId: profile.id, + keycloakUserId, + status: "error", + error: error.message, + }; + } + }, + ); + + // Separate results from errors + for (const resultItem of processedResults) { + if ("error" in resultItem) { + result.failed++; + result.details.push({ + profileId: "unknown", + keycloakUserId: "unknown", + status: "error", + error: JSON.stringify(resultItem.error), + }); + } else { + result.details.push(resultItem); + } + } + + console.log( + `Batch sync completed: total=${result.total}, success=${result.success}, failed=${result.failed}`, + ); + } catch (error) { + console.error("Error in batch sync:", error); + } + + return result; + } + + /** + * Get current Keycloak attributes for a user + * + * @param keycloakUserId - Keycloak user ID + * @returns Current attributes from Keycloak + */ + async getCurrentKeycloakAttributes( + keycloakUserId: string, + ): Promise { + try { + const user = await getUser(keycloakUserId); + + if (!user || !user.attributes) { + return null; + } + + return { + profileId: user.attributes.profileId?.[0] || "", + orgRootDnaId: user.attributes.orgRootDnaId?.[0] || "", + orgChild1DnaId: user.attributes.orgChild1DnaId?.[0] || "", + orgChild2DnaId: user.attributes.orgChild2DnaId?.[0] || "", + orgChild3DnaId: user.attributes.orgChild3DnaId?.[0] || "", + orgChild4DnaId: user.attributes.orgChild4DnaId?.[0] || "", + empType: user.attributes.empType?.[0] || "", + prefix: user.attributes.prefix?.[0] || "", + }; + } catch (error) { + console.error(`Error getting Keycloak attributes for user ${keycloakUserId}:`, error); + return null; + } + } + + /** + * Ensure Keycloak user exists for a profile + * Creates user if keycloak field is empty OR if stored keycloak ID doesn't exist in Keycloak + * + * @param profileId - Profile ID + * @param profileType - 'PROFILE' or 'PROFILE_EMPLOYEE' + * @returns Object with status and details + */ + async ensureKeycloakUser( + profileId: string, + profileType: "PROFILE" | "PROFILE_EMPLOYEE", + ): Promise<{ + success: boolean; + action: "created" | "verified" | "skipped" | "error"; + keycloakUserId?: string; + error?: string; + }> { + try { + // Get profile from database + let profile: Profile | ProfileEmployee | null = null; + + if (profileType === "PROFILE") { + profile = await this.profileRepo.findOne({ where: { id: profileId } }); + } else { + profile = await this.profileEmployeeRepo.findOne({ where: { id: profileId } }); + } + + if (!profile) { + return { + success: false, + action: "error", + error: `Profile ${profileId} not found in database`, + }; + } + + // Check if citizenId exists + if (!profile.citizenId) { + return { + success: false, + action: "skipped", + error: "No citizenId found", + }; + } + + // Case 1: keycloak field is empty -> create new user + if (!profile.keycloak || profile.keycloak.trim() === "") { + const result = await this.createKeycloakUserFromProfile(profile, profileType); + return result; + } + + // Case 2: keycloak field is not empty -> verify user exists in Keycloak + const existingUser = await getUser(profile.keycloak); + + if (!existingUser) { + // User doesn't exist in Keycloak, create new one + console.log( + `Keycloak user ${profile.keycloak} not found in Keycloak, creating new user for profile ${profileId}`, + ); + const result = await this.createKeycloakUserFromProfile(profile, profileType); + return result; + } + + // User exists in Keycloak, verified + return { + success: true, + action: "verified", + keycloakUserId: profile.keycloak, + }; + } catch (error: any) { + console.error(`Error ensuring Keycloak user for profile ${profileId}:`, error); + return { + success: false, + action: "error", + error: error.message || "Unknown error", + }; + } + } + + /** + * Create Keycloak user from profile data + * + * @param profile - Profile or ProfileEmployee entity + * @param profileType - 'PROFILE' or 'PROFILE_EMPLOYEE' + * @returns Object with status and details + */ + private async createKeycloakUserFromProfile( + profile: Profile | ProfileEmployee, + profileType: "PROFILE" | "PROFILE_EMPLOYEE", + ): Promise<{ + success: boolean; + action: "created" | "verified" | "skipped" | "error"; + keycloakUserId?: string; + error?: string; + }> { + try { + // Check if user already exists by username (citizenId) + const existingUserByUsername = await getUserByUsername(profile.citizenId); + if (Array.isArray(existingUserByUsername) && existingUserByUsername.length > 0) { + // User already exists with this username, update the keycloak field + const existingUserId = existingUserByUsername[0].id; + console.log( + `User with citizenId ${profile.citizenId} already exists in Keycloak with ID ${existingUserId}`, + ); + + // Update the keycloak field in database + if (profileType === "PROFILE") { + await this.profileRepo.update(profile.id, { keycloak: existingUserId }); + } else { + await this.profileEmployeeRepo.update(profile.id, { keycloak: existingUserId }); + } + + // Assign default USER role to existing user + const userRole = await getRoles("USER"); + if (userRole && typeof userRole === "object" && "id" in userRole && "name" in userRole) { + const roleAssigned = await addUserRoles(existingUserId, [ + { id: String(userRole.id), name: String(userRole.name) }, + ]); + if (roleAssigned) { + console.log(`Assigned USER role to existing user ${existingUserId}`); + } else { + console.warn(`Failed to assign USER role to existing user ${existingUserId}`); + } + } else { + console.warn(`USER role not found in Keycloak`); + } + + return { + success: true, + action: "verified", + keycloakUserId: existingUserId, + }; + } + + // Create new user in Keycloak + const createResult = await createUser(profile.citizenId, "P@ssw0rd", { + firstName: profile.firstName || "", + lastName: profile.lastName || "", + email: profile.email || undefined, + enabled: true, + }); + + if (!createResult || typeof createResult !== "string") { + return { + success: false, + action: "error", + error: "Failed to create user in Keycloak", + }; + } + + const keycloakUserId = createResult; + + // Update the keycloak field in database + if (profileType === "PROFILE") { + await this.profileRepo.update(profile.id, { keycloak: keycloakUserId }); + } else { + await this.profileEmployeeRepo.update(profile.id, { keycloak: keycloakUserId }); + } + + // Assign default USER role + const userRole = await getRoles("USER"); + if (userRole && typeof userRole === "object" && "id" in userRole && "name" in userRole) { + const roleAssigned = await addUserRoles(keycloakUserId, [ + { id: String(userRole.id), name: String(userRole.name) }, + ]); + if (roleAssigned) { + console.log(`Assigned USER role to user ${keycloakUserId}`); + } else { + console.warn(`Failed to assign USER role to user ${keycloakUserId}`); + } + } else { + console.warn(`USER role not found in Keycloak`); + } + + console.log( + `Created Keycloak user for profile ${profile.id} (citizenId: ${profile.citizenId}) with ID ${keycloakUserId}`, + ); + + return { + success: true, + action: "created", + keycloakUserId, + }; + } catch (error: any) { + console.error(`Error creating Keycloak user for profile ${profile.id}:`, error); + return { + success: false, + action: "error", + error: error.message || "Unknown error", + }; + } + } + + /** + * Process items in parallel with concurrency limit + */ + private async processInParallel( + items: T[], + concurrencyLimit: number, + processor: (item: T, index: number) => Promise, + ): Promise> { + const results: Array = []; + + // Process items in batches + for (let i = 0; i < items.length; i += concurrencyLimit) { + const batch = items.slice(i, i + concurrencyLimit); + + // Process batch in parallel with error handling + const batchResults = await Promise.all( + batch.map(async (item, batchIndex) => { + try { + return await processor(item, i + batchIndex); + } catch (error) { + return { error }; + } + }), + ); + + results.push(...batchResults); + + // Log progress after each batch + const completed = Math.min(i + concurrencyLimit, items.length); + console.log(`Progress: ${completed}/${items.length}`); + } + + return results; + } + + /** + * Batch ensure Keycloak users for all profiles + * Processes all rows in Profile and ProfileEmployee tables + * + * @returns Object with total, success, failed counts and details + */ + async batchEnsureKeycloakUsers(): Promise<{ + total: number; + created: number; + verified: number; + skipped: number; + failed: number; + details: Array<{ + profileId: string; + profileType: string; + action: string; + keycloakUserId?: string; + error?: string; + }>; + }> { + const result = { + total: 0, + created: 0, + verified: 0, + skipped: 0, + failed: 0, + details: [] as Array<{ + profileId: string; + profileType: string; + action: string; + keycloakUserId?: string; + error?: string; + }>, + }; + + try { + // Get all profiles from Profile table (ข้าราชการ) + const profiles = await this.profileRepo.find({ where: { isLeave: false } }); // Only active profiles + + // Get all profiles from ProfileEmployee table (ลูกจ้าง) + const profileEmployees = await this.profileEmployeeRepo.find({ where: { isLeave: false } }); // Only active profiles + + const allProfiles = [ + ...profiles.map((p) => ({ profile: p, type: "PROFILE" as const })), + ...profileEmployees.map((p) => ({ profile: p, type: "PROFILE_EMPLOYEE" as const })), + ]; + + result.total = allProfiles.length; + + // Process in parallel with concurrency limit + const CONCURRENCY_LIMIT = 5; // Adjust based on environment + + const processedResults = await this.processInParallel( + allProfiles, + CONCURRENCY_LIMIT, + async ({ profile, type }) => { + const ensureResult = await this.ensureKeycloakUser(profile.id, type); + + // Update counters + switch (ensureResult.action) { + case "created": + result.created++; + break; + case "verified": + result.verified++; + break; + case "skipped": + result.skipped++; + break; + case "error": + result.failed++; + break; + } + + return { + profileId: profile.id, + profileType: type, + action: ensureResult.action, + keycloakUserId: ensureResult.keycloakUserId, + error: ensureResult.error, + }; + }, + ); + + // Separate results from errors + for (const resultItem of processedResults) { + if ("error" in resultItem) { + result.failed++; + result.details.push({ + profileId: "unknown", + profileType: "unknown", + action: "error", + error: JSON.stringify(resultItem.error), + }); + } else { + result.details.push(resultItem); + } + } + + console.log( + `Batch ensure Keycloak users completed: total=${result.total}, created=${result.created}, verified=${result.verified}, skipped=${result.skipped}, failed=${result.failed}`, + ); + } catch (error) { + console.error("Error in batch ensure Keycloak users:", error); + } + + return result; + } + + /** + * Clear orphaned Keycloak users + * Deletes users in Keycloak that are not referenced in Profile or ProfileEmployee tables + * + * @param skipUsernames - Array of usernames to skip (e.g., ['super_admin']) + * @returns Object with counts and details + */ + async clearOrphanedKeycloakUsers(skipUsernames: string[] = []): Promise<{ + totalInKeycloak: number; + totalInDatabase: number; + orphanedCount: number; + deleted: number; + skipped: number; + failed: number; + details: Array<{ + keycloakUserId: string; + username: string; + action: "deleted" | "skipped" | "error"; + error?: string; + }>; + }> { + const result = { + totalInKeycloak: 0, + totalInDatabase: 0, + orphanedCount: 0, + deleted: 0, + skipped: 0, + failed: 0, + details: [] as Array<{ + keycloakUserId: string; + username: string; + action: "deleted" | "skipped" | "error"; + error?: string; + }>, + }; + + try { + // Get all keycloak IDs from database (Profile + ProfileEmployee) + const profiles = await this.profileRepo + .createQueryBuilder("p") + .where("p.keycloak IS NOT NULL") + .andWhere("p.keycloak != :empty", { empty: "" }) + .getMany(); + + const profileEmployees = await this.profileEmployeeRepo + .createQueryBuilder("pe") + .where("pe.keycloak IS NOT NULL") + .andWhere("pe.keycloak != :empty", { empty: "" }) + .getMany(); + + // Create a Set of all keycloak IDs in database for O(1) lookup + const databaseKeycloakIds = new Set(); + for (const p of profiles) { + if (p.keycloak) databaseKeycloakIds.add(p.keycloak); + } + for (const pe of profileEmployees) { + if (pe.keycloak) databaseKeycloakIds.add(pe.keycloak); + } + + result.totalInDatabase = databaseKeycloakIds.size; + + // Get all users from Keycloak with pagination to avoid response size limits + const keycloakUsers = await getAllUsersPaginated(); + if (!keycloakUsers || typeof keycloakUsers !== "object") { + throw new Error("Failed to get users from Keycloak"); + } + + result.totalInKeycloak = keycloakUsers.length; + + // Find orphaned users (in Keycloak but not in database) + const orphanedUsers = keycloakUsers.filter((user: any) => !databaseKeycloakIds.has(user.id)); + result.orphanedCount = orphanedUsers.length; + + // Delete orphaned users (skip protected ones) + for (const user of orphanedUsers) { + const username = user.username; + const userId = user.id; + + // Check if user should be skipped + if (skipUsernames.includes(username)) { + result.skipped++; + result.details.push({ + keycloakUserId: userId, + username, + action: "skipped", + }); + continue; + } + + // Delete user from Keycloak + try { + const deleteSuccess = await deleteUser(userId); + if (deleteSuccess) { + result.deleted++; + result.details.push({ + keycloakUserId: userId, + username, + action: "deleted", + }); + } else { + result.failed++; + result.details.push({ + keycloakUserId: userId, + username, + action: "error", + error: "Failed to delete user from Keycloak", + }); + } + } catch (error: any) { + result.failed++; + result.details.push({ + keycloakUserId: userId, + username, + action: "error", + error: error.message || "Unknown error", + }); + } + } + + console.log( + `Clear orphaned Keycloak users completed: totalInKeycloak=${result.totalInKeycloak}, totalInDatabase=${result.totalInDatabase}, orphaned=${result.orphanedCount}, deleted=${result.deleted}, skipped=${result.skipped}, failed=${result.failed}`, + ); + } catch (error) { + console.error("Error in clear orphaned Keycloak users:", error); + throw error; + } + + return result; + } +}