granny-devops 0.9.0__tar.gz → 0.9.1__tar.gz

{granny_devops-0.9.0 → granny_devops-0.9.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.9.0
+Version: 0.9.1
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -288,10 +288,9 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
-granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
 granny authentik list providers
-granny authentik rotate-secret stoz3n-dash-staging
-granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
@@ -309,7 +308,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
-| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.9.0 → granny_devops-0.9.1}/README.md

@@ -156,10 +156,9 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
-granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
 granny authentik list providers
-granny authentik rotate-secret stoz3n-dash-staging
-granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
@@ -177,7 +176,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
-| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.9.0 → granny_devops-0.9.1}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.8.0"
+__version__ = "0.9.1"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

granny_devops-0.9.1/granny/authentik/__init__.py

@@ -0,0 +1,8 @@
+"""Authentik management — REST API wrapper."""
+
+from granny.authentik.client import AuthentikClient, AuthentikError
+
+__all__ = [
+    "AuthentikClient",
+    "AuthentikError",
+]

{granny_devops-0.9.0 → granny_devops-0.9.1}/granny/authentik/client.py

@@ -256,3 +256,82 @@ class AuthentikClient:
             f"/api/v3/providers/oauth2/{provider['pk']}/",
             body={"client_secret": ""},
         )
+
+    def create_user(
+        self,
+        username: str,
+        *,
+        name: str | None = None,
+        email: str | None = None,
+        path: str = "users",
+        user_type: str = "internal",
+        is_active: bool = True,
+        attributes: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Create an internal Authentik user (idempotent on ``username``).
+
+        If a user with the same ``username`` already exists it is returned
+        unmodified — call ``request("PATCH", …)`` separately if you need to
+        update fields. The default ``path="users"`` puts the user in the
+        regular Authentik directory (not under any LDAP source path), so
+        the user can authenticate against an internal password rather than
+        being bound to Kanidm.
+        """
+        existing = self.find_user_by_username(username)
+        if existing:
+            return existing
+        body: dict[str, Any] = {
+            "username": username,
+            "name": name or username,
+            "is_active": is_active,
+            "type": user_type,
+            "path": path,
+            "groups": [],
+        }
+        if email is not None:
+            body["email"] = email
+        if attributes:
+            body["attributes"] = attributes
+        return self.request("POST", "/api/v3/core/users/", body=body)
+
+    def set_user_password(self, username: str, password: str) -> None:
+        """Set a user's password directly (admin reset, no email)."""
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/set_password/",
+            body={"password": password},
+        )
+
+    def delete_user(self, username: str) -> None:
+        """Delete a user by username. No-op if absent."""
+        user = self.find_user_by_username(username)
+        if not user:
+            return
+        self.request("DELETE", f"/api/v3/core/users/{user['pk']}/")
+
+    def generate_recovery_link(self, username: str) -> str:
+        """Mint a one-shot recovery URL for the given user.
+
+        Returns the absolute URL the user opens to set their own password
+        (and enroll MFA if the recovery flow is configured to require it).
+        Authentik invalidates the token after a single use; default TTL is
+        short, set in the recovery flow's stage configuration.
+        """
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        result = self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/recovery/",
+        )
+        # Authentik returns {"link": "https://..."} on this endpoint.
+        if isinstance(result, dict) and "link" in result:
+            return result["link"]
+        raise AuthentikError(
+            500,
+            f"Unexpected recovery payload for {username!r}: {result!r}. "
+            "Make sure a recovery flow is configured on the tenant.",
+        )

{granny_devops-0.9.0 → granny_devops-0.9.1}/granny/cli/authentik.py

@@ -1,8 +1,4 @@
-"""``granny authentik`` — manage the pseekoo Authentik instance via API.
-
-Wraps :mod:`granny.authentik` so the common Authentik ops (per-stage
-stoz3n-dash provisioning, group plumbing, secret rotation) work from the
-command line without dropping to the admin UI.
+"""``granny authentik`` — manage an Authentik instance via API.
 
 Auth resolution: ``AUTHENTIK_API_TOKEN`` (env / .env / vault) or
 ``AK_TOKEN`` (env / .env). See :meth:`AuthentikClient.from_environment`.
@@ -16,18 +12,14 @@ from typing import Any
 
 import click
 
-from granny.authentik import (
-    ADMIN_GROUP_NAME,
-    STOZ3N_DASH_STAGES,
-    AuthentikClient,
-    AuthentikError,
-    provision_stoz3n_dash,
-)
+from granny.authentik import AuthentikClient, AuthentikError
+
+ADMIN_GROUP_NAME = "dash_admins"
 
 
 @click.group()
 def authentik() -> None:
-    """Manage Authentik (auth.pseekoo.io) via its REST API."""
+    """Manage Authentik via its REST API."""
 
 
 def _client() -> AuthentikClient:
@@ -38,62 +30,6 @@ def _client() -> AuthentikClient:
         sys.exit(1)
 
 
-def _print_provision_report(result: Any) -> None:
-    """Pretty-print a ProvisionResult and the paste-ready JSON snippets."""
-    click.echo("", err=True)
-    click.echo("─" * 72)
-    click.echo(f"Stage              : {result.stage}")
-    click.echo(f"Authentik URL      : {result.base_url}")
-    click.echo(f"Issuer             : {result.issuer}")
-    click.echo(f"client_id          : {result.client_id}")
-    click.echo(
-        f"client_secret      : {result.client_secret or '(not echoed — rotate-secret to see)'}"
-    )
-    click.echo(f"redirect_uri       : {result.redirect_uri}")
-    click.echo(f"admin_group        : {result.admin_group}")
-    click.echo(f"scopes             : {result.scopes}")
-    flags = [
-        f"provider={'NEW' if result.created_provider else 'EXISTS'}",
-        f"application={'NEW' if result.created_application else 'EXISTS'}",
-        f"binding={'NEW' if result.created_binding else 'EXISTS'}",
-        f"group={'NEW' if result.created_group else 'EXISTS'}",
-    ]
-    click.echo(f"state              : {', '.join(flags)}")
-    click.echo("─" * 72)
-    click.echo("")
-    click.echo(f"# Paste into dotfiles/stoz3n-chat-agent/config.{result.stage}.json")
-    click.echo(json.dumps(result.chat_agent_oidc_block(), indent=2))
-    click.echo("")
-    click.echo(f"# Paste into dotfiles/stoz3n-agent-dash/config.{result.stage}.json")
-    click.echo(json.dumps(result.dashboard_oidc_block(), indent=2))
-    if not result.client_secret:
-        click.echo("", err=True)
-        click.echo(
-            "WARN: Authentik did not echo client_secret in the response. "
-            "Run `granny authentik rotate-secret " + result.application_slug
-            + "` to mint a fresh secret you can copy.",
-            err=True,
-        )
-
-
-@authentik.command("provision-stoz3n-dash")
-@click.argument("stage", type=click.Choice(sorted(STOZ3N_DASH_STAGES.keys())))
-@click.option(
-    "--rotate",
-    is_flag=True,
-    help="Force a fresh client_secret if the provider already exists.",
-)
-def provision_stoz3n_dash_cmd(stage: str, rotate: bool) -> None:
-    """End-to-end per-stage stoz3n-dashboard provisioning (idempotent)."""
-    client = _client()
-    try:
-        result = provision_stoz3n_dash(client, stage=stage, rotate_secret=rotate)
-    except AuthentikError as exc:
-        click.echo(f"Authentik error: {exc}", err=True)
-        sys.exit(1)
-    _print_provision_report(result)
-
-
 _LIST_ENDPOINTS = {
     "providers": "/api/v3/providers/oauth2/",
     "applications": "/api/v3/core/applications/",
@@ -203,6 +139,104 @@ def remove_user_from_group_cmd(user: str, group: str) -> None:
     click.echo(f"Removed {user} from {group}")
 
 
+@authentik.command("create-user")
+@click.argument("username")
+@click.option("--name", default=None, help="Display name (defaults to username).")
+@click.option("--email", default=None, help="Email address.")
+@click.option(
+    "--group",
+    default=None,
+    help="Group to add the new user to after creation (e.g. dash_admins).",
+)
+@click.option(
+    "--password",
+    default=None,
+    help="Set this password directly. Suppresses --recovery-link.",
+)
+@click.option(
+    "--recovery-link/--no-recovery-link",
+    default=True,
+    help="Print a one-shot recovery URL the user opens to set their own password (default: yes).",
+)
+def create_user_cmd(
+    username: str,
+    name: str | None,
+    email: str | None,
+    group: str | None,
+    password: str | None,
+    recovery_link: bool,
+) -> None:
+    """Create an internal Authentik user (idempotent on username).
+
+    Defaults to printing a one-shot recovery URL so the user sets their
+    own password — pass ``--password`` to skip that and set one inline.
+    """
+    if password is not None:
+        recovery_link = False
+    client = _client()
+    try:
+        existed_before = client.find_user_by_username(username) is not None
+        user = client.create_user(username, name=name, email=email)
+        click.echo(
+            f"User {username} {'already exists' if existed_before else 'created'} (pk={user['pk']})"
+        )
+        if group:
+            client.add_user_to_group(username, group)
+            click.echo(f"Added {username} to {group}")
+        if password is not None:
+            client.set_user_password(username, password)
+            click.echo(f"Password set for {username}")
+        if recovery_link:
+            link = client.generate_recovery_link(username)
+            click.echo("")
+            click.echo("Recovery link (single-use, share over a secure channel):")
+            click.echo(f"  {link}")
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+
+
+@authentik.command("recovery-link")
+@click.argument("username")
+def recovery_link_cmd(username: str) -> None:
+    """Mint a one-shot recovery URL the user opens to set a password."""
+    client = _client()
+    try:
+        link = client.generate_recovery_link(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(link)
+
+
+@authentik.command("set-password")
+@click.argument("username")
+@click.option("--password", required=True, help="New password to set.")
+def set_password_cmd(username: str, password: str) -> None:
+    """Set a user's password directly (admin reset)."""
+    client = _client()
+    try:
+        client.set_user_password(username, password)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"Password updated for {username}")
+
+
+@authentik.command("delete-user")
+@click.argument("username")
+@click.confirmation_option(prompt="Really delete this Authentik user?")
+def delete_user_cmd(username: str) -> None:
+    """Delete an Authentik user. No-op if the user doesn't exist."""
+    client = _client()
+    try:
+        client.delete_user(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"User {username} deleted (or already absent)")
+
+
 @authentik.command("api")
 @click.argument("method")
 @click.argument("path")

{granny_devops-0.9.0 → granny_devops-0.9.1}/granny/cli/serverless.py

@@ -213,11 +213,11 @@ def deploy(
     """Zip ``--source-dir``, upload, sync env vars, and deploy.
 
     Example:
-        granny serverless deploy bessa-wissa-api \\
+        granny serverless deploy my-api \\
             --source-dir backend/dist-bundle \\
-            --namespace bessa-wissa \\
+            --namespace my-app \\
             --env NODE_ENV=production \\
-            --secret STOZ3N_API_TOKEN=$STOZ3N_API_TOKEN
+            --secret API_TOKEN=$API_TOKEN
     """
     c = _client(region)
 

{granny_devops-0.9.0 → granny_devops-0.9.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "granny-devops"
-version = "0.9.0"
+version = "0.9.1"
 description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
 readme = "README.md"
 license = { file = "LICENSE" }

granny_devops-0.9.0/granny/authentik/__init__.py

@@ -1,33 +0,0 @@
-"""Authentik management — REST API wrapper + per-stage stoz3n-dash provisioning.
-
-Powered by the ``AUTHENTIK_API_TOKEN`` secret (resolves via env var or
-Vaultwarden under ``granny/infra/authentik-api-token``) and the
-non-secret ``AUTHENTIK_URL`` (default ``https://auth.pseekoo.io``).
-
-Public API::
-
-    from granny.authentik import AuthentikClient, STOZ3N_DASH_STAGES, provision_stoz3n_dash
-
-    client = AuthentikClient.from_environment()
-    result = provision_stoz3n_dash(client, stage="development")
-    print(result.client_id, result.client_secret)
-"""
-
-from granny.authentik.client import AuthentikClient, AuthentikError
-from granny.authentik.provision import (
-    ADMIN_GROUP_NAME,
-    OIDC_SCOPES,
-    STOZ3N_DASH_STAGES,
-    ProvisionResult,
-    provision_stoz3n_dash,
-)
-
-__all__ = [
-    "ADMIN_GROUP_NAME",
-    "AuthentikClient",
-    "AuthentikError",
-    "OIDC_SCOPES",
-    "ProvisionResult",
-    "STOZ3N_DASH_STAGES",
-    "provision_stoz3n_dash",
-]

granny_devops-0.9.0/granny/authentik/provision.py

@@ -1,235 +0,0 @@
-"""Per-stage stoz3n-dash app provisioning in Authentik.
-
-The :data:`STOZ3N_DASH_STAGES` map defines the slug + redirect_uri + launch
-URL for each environment. Keep this synchronised with the canonical doc at
-``stoz3n-agent-dash/docs/authentik-sso.md``.
-"""
-
-from __future__ import annotations
-
-from dataclasses import dataclass
-
-from granny.authentik.client import AuthentikClient
-
-STOZ3N_DASH_STAGES: dict[str, dict[str, str]] = {
-    "development": {
-        "slug": "stoz3n-dash-dev",
-        "name": "Stoz3n Dashboard (dev)",
-        "redirect_uri": "http://localhost:8000/api/auth/oidc/callback",
-        "launch_url": "http://localhost:5173",
-    },
-    "staging": {
-        "slug": "stoz3n-dash-staging",
-        "name": "Stoz3n Dashboard (staging)",
-        "redirect_uri": "https://facts-dev.stozn.ai/api/auth/oidc/callback",
-        "launch_url": "https://dash-dev.stozn.ai",
-    },
-    "production": {
-        "slug": "stoz3n-dash",
-        "name": "Stoz3n Dashboard",
-        "redirect_uri": "https://facts.stozn.ai/api/auth/oidc/callback",
-        "launch_url": "https://dash.stozn.ai",
-    },
-}
-
-ADMIN_GROUP_NAME = "dash_admins"
-AUTHORIZATION_FLOW_SLUG = "default-provider-authorization-explicit-consent"
-INVALIDATION_FLOW_SLUG = "default-provider-invalidation-flow"
-OIDC_SCOPES: tuple[str, ...] = ("openid", "profile", "email")
-
-
-@dataclass
-class ProvisionResult:
-    """Outcome of :func:`provision_stoz3n_dash`."""
-
-    stage: str
-    base_url: str
-    issuer: str
-    client_id: str
-    client_secret: str  # empty string if Authentik didn't echo it back
-    redirect_uri: str
-    admin_group: str
-    scopes: str
-    provider_pk: str
-    application_slug: str
-    group_pk: str
-    created_provider: bool
-    created_application: bool
-    created_binding: bool
-    created_group: bool
-
-    @property
-    def authorization_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/authorize/"
-
-    @property
-    def token_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/token/"
-
-    @property
-    def userinfo_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/userinfo/"
-
-    def chat_agent_oidc_block(self) -> dict[str, dict[str, str]]:
-        """JSON snippet to paste into the chat-agent's encrypted config."""
-        return {
-            "oidc": {
-                "issuer": self.issuer,
-                "authorization_endpoint": self.authorization_endpoint,
-                "token_endpoint": self.token_endpoint,
-                "userinfo_endpoint": self.userinfo_endpoint,
-                "client_id": self.client_id,
-                "client_secret": self.client_secret
-                or "<rerun with --rotate or run granny authentik rotate-secret>",
-                "redirect_uri": self.redirect_uri,
-                "admin_group": self.admin_group,
-                "scopes": self.scopes,
-            }
-        }
-
-    def dashboard_oidc_block(self) -> dict[str, dict[str, str]]:
-        """JSON snippet to paste into the dashboard repo's encrypted config."""
-        return {
-            "oidc": {
-                "client_secret": self.client_secret
-                or "<rerun with --rotate or run granny authentik rotate-secret>"
-            }
-        }
-
-
-def provision_stoz3n_dash(
-    client: AuthentikClient,
-    *,
-    stage: str,
-    rotate_secret: bool = False,
-) -> ProvisionResult:
-    """End-to-end idempotent provisioning of one stoz3n-dashboard stage.
-
-    Steps:
-
-    1. Resolve authorization flow + signing key + OIDC scope mappings.
-    2. Ensure the ``dash_admins`` group exists.
-    3. Create or PATCH the OAuth2 provider.
-    4. Create or PATCH the application.
-    5. Create the application→group policy binding if absent.
-
-    Re-running is safe; nothing is destroyed. ``rotate_secret=True`` forces
-    a new ``client_secret`` to be minted on an existing provider.
-    """
-    if stage not in STOZ3N_DASH_STAGES:
-        raise ValueError(
-            f"Unknown stage {stage!r}; choose one of {sorted(STOZ3N_DASH_STAGES)}"
-        )
-    cfg = STOZ3N_DASH_STAGES[stage]
-    provider_name = cfg["slug"]
-    app_slug = cfg["slug"]
-
-    # 1. Foreign keys
-    authorization_flow = client.find_flow_pk(AUTHORIZATION_FLOW_SLUG)
-    invalidation_flow = client.find_flow_pk(INVALIDATION_FLOW_SLUG)
-    signing_key = client.find_signing_key_pk()
-    scope_mappings = client.find_scope_mappings(OIDC_SCOPES)
-
-    # 2. Admin group
-    existing_group = client.find_group_by_name(ADMIN_GROUP_NAME)
-    created_group = existing_group is None
-    group = existing_group or client.ensure_group(ADMIN_GROUP_NAME)
-
-    # 3. Provider — three reconciliation paths:
-    #   a. App+provider already exist under our slug → adopt them. We honor
-    #      the existing provider's pk so its client_id stays stable; only
-    #      rename + reconfigure fields. This is the production path where
-    #      a pre-existing app may already be live with consumers.
-    #   b. Provider exists by name (our convention) but no app → PATCH it
-    #      in place.
-    #   c. Nothing exists → POST a fresh provider.
-    existing_app_for_adoption = client.find_application_by_slug(app_slug)
-    adopt_pk: int | str | None = None
-    if existing_app_for_adoption is not None:
-        adopt_pk = existing_app_for_adoption.get("provider")
-    existing_provider = (
-        client.find_provider_by_pk(adopt_pk) if adopt_pk is not None else None
-    ) or client.find_provider_by_name(provider_name)
-
-    provider_body: dict[str, object] = {
-        "name": provider_name,
-        "authorization_flow": authorization_flow,
-        "invalidation_flow": invalidation_flow,
-        "client_type": "confidential",
-        "redirect_uris": [{"matching_mode": "strict", "url": cfg["redirect_uri"]}],
-        "signing_key": signing_key,
-        "property_mappings": scope_mappings,
-        "sub_mode": "user_username",
-        "include_claims_in_id_token": True,
-        "access_token_validity": "minutes=10",
-        "refresh_token_validity": "days=30",
-    }
-    if existing_provider:
-        if rotate_secret:
-            provider_body["client_secret"] = ""  # empty → Authentik regenerates
-        provider = client.request(
-            "PATCH",
-            f"/api/v3/providers/oauth2/{existing_provider['pk']}/",
-            body=provider_body,
-        )
-        created_provider = False
-    else:
-        provider = client.request("POST", "/api/v3/providers/oauth2/", body=provider_body)
-        created_provider = True
-
-    # 4. Application
-    app_body = {
-        "name": cfg["name"],
-        "slug": app_slug,
-        "provider": provider["pk"],
-        "meta_launch_url": cfg["launch_url"],
-        "policy_engine_mode": "any",
-    }
-    if existing_app_for_adoption:
-        client.request("PATCH", f"/api/v3/core/applications/{app_slug}/", body=app_body)
-        created_application = False
-        target_pk = existing_app_for_adoption["pk"]
-    else:
-        new_app = client.request("POST", "/api/v3/core/applications/", body=app_body)
-        created_application = True
-        target_pk = new_app["pk"]
-
-    # 5. Group → application policy binding
-    bindings = client.request(
-        "GET", "/api/v3/policies/bindings/", params={"target": target_pk}
-    ).get("results", [])
-    has_binding = any(b.get("group") == group["pk"] for b in bindings)
-    if has_binding:
-        created_binding = False
-    else:
-        client.request(
-            "POST",
-            "/api/v3/policies/bindings/",
-            body={
-                "target": target_pk,
-                "group": group["pk"],
-                "enabled": True,
-                "order": 0,
-                "negate": False,
-                "timeout": 30,
-            },
-        )
-        created_binding = True
-
-    return ProvisionResult(
-        stage=stage,
-        base_url=client.base_url,
-        issuer=f"{client.base_url}/application/o/{app_slug}",
-        client_id=provider["client_id"],
-        client_secret=provider.get("client_secret") or "",
-        redirect_uri=cfg["redirect_uri"],
-        admin_group=ADMIN_GROUP_NAME,
-        scopes=" ".join(OIDC_SCOPES),
-        provider_pk=str(provider["pk"]),
-        application_slug=app_slug,
-        group_pk=str(group["pk"]),
-        created_provider=created_provider,
-        created_application=created_application,
-        created_binding=created_binding,
-        created_group=created_group,
-    )