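# Ultimail — OIDC `groups` claim for backend RBAC (contacts, calendar, drive, photos)
#
# This blueprint does three things:
#   1. creates the `ulti-admins` group (not an authentik superuser group),
#   2. creates a scope mapping that emits the `groups` claim consumed by the
#      Ultimail API for authorization,
#   3. attaches that mapping, plus the stock OIDC scope mappings, to the
#      `ulti-backend-provider` OAuth2 provider.
version: 1
metadata:
  name: Ultimail suite groups
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # Membership of this group is the only thing that grants the `admin` and
  # `admin:write` entries below, so who may edit the group is part of the
  # backend's trust boundary.
  - model: authentik_core.group
    id: ulti-admins-group
    identifiers:
      name: ulti-admins
    attrs:
      name: ulti-admins
      is_superuser: false

  # Custom mapping published under the standard `profile` scope: every client
  # of the provider that requests `profile` receives the claim.
  #
  # Every user gets `role:user` and the four `*:write` entries unconditionally;
  # only `admin` / `admin:write` depend on group membership.
  #
  # NOTE(review): the check iterates `user.ak_groups.all()`. Confirm whether
  # membership inherited through parent groups is meant to count as well.
  #
  # NOTE(review): the stock `profile` mapping is attached to the same provider
  # and may emit its own `groups` claim built from raw group names. Verify on
  # the deployed version how the two values are combined, and that a group
  # named like one of the role strings here cannot end up in the claim the
  # backend trusts.
  - model: authentik_providers_oauth2.scopemapping
    id: ulti-suite-groups-mapping
    identifiers:
      name: ulti-suite-groups
    attrs:
      name: ulti-suite-groups
      scope_name: profile
      description: Suite RBAC groups for Ultimail API
      expression: |
        groups = [
            "role:user",
            "contacts:write",
            "calendar:write",
            "drive:write",
            "photos:write",
        ]
        for group in user.ak_groups.all():
            if group.name == "ulti-admins":
                groups.extend(["admin", "admin:write"])
                break
        return {"groups": groups}

  # Only `property_mappings` is set here.
  # NOTE(review): this presumably relies on `ulti-backend-provider` already
  # existing, since no other provider attributes are supplied — confirm.
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: ulti-backend-provider
    attrs:
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        # Looked up by managed identifier rather than by scope name: once the
        # mapping above exists, two scope mappings carry `scope_name: profile`,
        # so a scope-name lookup is ambiguous and could resolve to the custom
        # mapping instead of the stock one.
        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
        - !KeyOf ulti-suite-groups-mapping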