feat: Add anonymization option for user migration script

Contributes to openfoodfacts/openfoodfacts-auth#35
openfoodfacts · Sep 15, 2024 · 389d8a8 · 389d8a8
1 parent 54ff395
commit 389d8a8
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/scripts/migrate_users_to_keycloak.pl b/scripts/migrate_users_to_keycloak.pl
@@ -101,8 +101,8 @@ ($users_ref)
 	return;
 }
 
-sub migrate_user ($user_file) {
-	my $keycloak_user_ref = convert_to_keycloak_user($user_file);
+sub migrate_user ($user_file, $anonymize) {
+	my $keycloak_user_ref = convert_to_keycloak_user($user_file, $anonymize);
 	if (not(defined $keycloak_user_ref)) {
 		$log->warn('unable to convert user_ref');
 		return;
@@ -113,23 +113,24 @@ ($user_file)
 	return;
 }
 
-sub convert_to_keycloak_user ($user_file) {
+sub convert_to_keycloak_user ($user_file, $anonymize) {
 	my $user_ref = retrieve($user_file);
 	if (not(defined $user_ref)) {
 		$log->warn('undefined $user_ref');
 		return;
 	}
 
-	my $credential = convert_scrypt_password_to_keycloak_credentials($user_ref->{'encrypted_password'}) // {};
+	my $credential
+		= $anonymize ? {} : convert_scrypt_password_to_keycloak_credentials($user_ref->{'encrypted_password'}) // {};
 	my $keycloak_user_ref = {
-		email => $user_ref->{email},
+		email => ($anonymize ? 'off.' . $user_ref->{userid} . '@example.org' : $user_ref->{email}),
 		# Currently, the assumption is that all users have verified their email address. This is not true, but it's better than forcing all existing users to verify their email address.
 		emailVerified => $JSON::PP::true,
 		enabled => $JSON::PP::true,
 		username => $user_ref->{userid},
 		credentials => [$credential],
 		attributes => [
-			name => [$user_ref->{name}],
+			name => [($anonymize ? $user_ref->{userid} : $user_ref->{name})],
 			locale => [$user_ref->{initial_lc}],
 			country => [$user_ref->{initial_cc}],
 			importTimestamp => time(),
@@ -183,14 +184,21 @@ ($hashed_password)
 	$importtype = $ARGV[0];
 }
 
+my $anonymize = 0;
+if ((scalar @ARGV) > 0 and ('anonymize' eq $ARGV[-1])) {
+	# Anonymize the user data by removing the email address, name, and password.
+	# This is useful for testing the migration script and for adding production data to the test server.
+	$anonymize = 1;
+}
+
 if ($importtype eq 'realm-batch') {
 	my @users = ();
 
 	if (opendir(my $dh, "$BASE_DIRS{USERS}/")) {
 
 		foreach my $file (readdir($dh)) {
 			if (($file =~ /.+\.sto$/) and ($file ne 'users_emails.sto')) {
-				my $keycloak_user = convert_to_keycloak_user("$BASE_DIRS{USERS}/$file");
+				my $keycloak_user = convert_to_keycloak_user("$BASE_DIRS{USERS}/$file", $anonymize);
 				push(@users, $keycloak_user) if defined $keycloak_user;
 			}
 
@@ -211,7 +219,7 @@ ($hashed_password)
 	if (opendir(my $dh, "$BASE_DIRS{USERS}/")) {
 		foreach my $file (readdir($dh)) {
 			if (($file =~ /.+\.sto$/) and ($file ne 'users_emails.sto')) {
-				migrate_user("$BASE_DIRS{USERS}/$file");
+				migrate_user("$BASE_DIRS{USERS}/$file", $anonymize);
 			}
 		}
 
@@ -220,7 +228,7 @@ ($hashed_password)
 }
 elsif ($importtype eq 'api-single') {
 	if ((scalar @ARGV) == 2 and (length($ARGV[1]) > 0)) {
-		migrate_user($ARGV[1]);
+		migrate_user($ARGV[1], $anonymize);
 	}
 }
 else {