From c1a2646c2ee7ef1ee28651da67e2a4ec39a037b9 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 28 Nov 2024 16:27:33 +0100
Subject: [PATCH] nixos/kanidm: rename options to match upstream nomenclature

---
 .../manual/release-notes/rl-2505.section.md | 2 +
 nixos/modules/services/security/kanidm.nix | 41 ++++++++++++++++---
 nixos/tests/kanidm-provisioning.nix | 24 +++++------
 3 files changed, 49 insertions(+), 18 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 5ce521657c936..f9ddb69340634 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -90,6 +90,8 @@
 After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
 PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
 
+- Some `kanidm` provisioning options were renamed to match upstream nomenclature. In particular, this affects the two oauth2 options `originUrl` and `originLanding` which are now called `redirectUri` and `landingUrl` respectively.
+
 - Support for CUDA 10 has been dropped, as announced in the 24.11 release notes.
 
 - `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index a54471c0b9568..3d489ad3f400b 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -23,6 +23,7 @@ let
 hasPrefix
 isStorePath
 last
+ mapAttrs
 mapAttrsToList
 mkEnableOption
 mkForce
@@ -30,9 +31,10 @@ let
 mkMerge
 mkOption
 mkPackageOption
+ mkRenamedOptionModule
 optional
- optionals
 optionalString
+ optionals
 splitString
 subtractLists
 types
@@ -139,9 +141,31 @@ let
 
 filterPresent = filterAttrs (_: v: v.present);
 
- provisionStateJson = pkgs.writeText "provision-state.json" (
- builtins.toJSON { inherit (cfg.provision) groups persons systems; }
- );
+ provisionStateJson =
+ let
+ # Make sure the resulting state json does not contain any of our renamed options.
+ applyRenames =
+ state:
+ state
+ // {
+ systems.oauth2 = mapAttrs (
+ _: x:
+ removeAttrs x [
+ "redirectUri"
+ "landingUrl"
+ ]
+ // {
+ originUrl = x.redirectUri;
+ originLanding = x.landingUrl;
+ }
+ ) state.systems.oauth2;
+ };
+ in
+ pkgs.writeText "provision-state.json" (
+ builtins.toJSON {
+ inherit (applyRenames cfg.provision) groups persons systems;
+ }
+ );
 
 # Only recover the admin account if a password should explicitly be provisioned
 # for the account. Otherwise it is not needed for provisioning.
@@ -502,6 +526,11 @@ in
 default = { };
 type = types.attrsOf (
 types.submodule {
+ imports = [
+ (mkRenamedOptionModule [ "originUrl" ] [ "redirectUri" ])
+ (mkRenamedOptionModule [ "originLanding" ] [ "landingUrl" ])
+ ];
+
 options = {
 
 present = mkPresentOption "oauth2 resource server";
@@ -517,7 +546,7 @@ in
 example = "Some Service";
 };
 
- originUrl = mkOption {
+ redirectUri = mkOption {
 description = "The redirect URL of the service. These need to exactly match the OAuth2 redirect target";
 type =
 let
@@ -527,7 +556,7 @@ in
 example = "https://someservice.example.com/auth/login";
 };
 
- originLanding = mkOption {
+ landingUrl = mkOption {
 description = "When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.";
 type = types.str;
 example = "https://someservice.example.com/home";
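Review bot: In `applyRenames`, `state // { systems.oauth2 = … }` is a shallow update that replaces the whole `state.systems` attribute set with one containing only `oauth2`, so any other attribute that `systems` has or later gains would silently vanish from the state JSON; today `oauth2` looks like the only member, but the code reads as if the update were deep. A nested update keeps the intent explicit, e.g. `systems = state.systems // { oauth2 = mapAttrs (…) state.systems.oauth2; };`. The comment above `applyRenames` would also help more if it stated the direction of the mapping, e.g. `# The state JSON still uses the upstream keys originUrl/originLanding; map the renamed NixOS options back, overriding the alias attributes without reading them.`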
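Review bot: As far as I can tell this rename is silent for users: `mkRenamedOptionModule` only records a deprecation message when the enclosing module set declares a `warnings` option, which a `types.submodule` does not, so a configuration still setting `originUrl` keeps evaluating with no notice beyond the release-note entry. Its `builtins.trace` fallback fires only when the old alias value is read, and the state-JSON hunk above overrides `originUrl`/`originLanding` rather than reading them. If that is acceptable, a comment above `imports` would spare the next maintainer the investigation, e.g. `# Note: submodules have no warnings option, so these renames do not warn; the change is documented in the 25.05 release notes.` The enclosing oauth2 `mkOption` starts before this hunk.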
diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
index b45b972fe4498..c4252e7ade3e4 100644
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@@ -95,8 +95,8 @@ import ./make-test-python.nix (
 groups.service1-admin = { };
 systems.oauth2.service1 = {
 displayName = "Service One";
- originUrl = "https://one.example.com/";
- originLanding = "https://one.example.com/landing";
+ redirectUri = "https://one.example.com/";
+ landingUrl = "https://one.example.com/landing";
 basicSecretFile = pkgs.writeText "bs-service1" "very-strong-secret-for-service1";
 scopeMaps.service1-access = [
 "openid"
@@ -111,8 +111,8 @@ import ./make-test-python.nix (
 
 systems.oauth2.service2 = {
 displayName = "Service Two";
- originUrl = "https://two.example.com/";
- originLanding = "https://landing2.example.com/";
+ redirectUri = "https://two.example.com/";
+ landingUrl = "https://landing2.example.com/";
 # Test not setting secret
 # basicSecretFile =
 allowInsecureClientDisablePkce = true;
@@ -159,11 +159,11 @@ import ./make-test-python.nix (
 systems.oauth2.service1 = {
 displayName = "Service One (changed)";
 # multiple origin urls
- originUrl = [
+ redirectUri = [
 "https://changed-one.example.com/"
 "https://changed-one.example.org/"
 ];
- originLanding = "https://changed-one.example.com/landing-changed";
+ landingUrl = "https://changed-one.example.com/landing-changed";
 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
 scopeMaps.service1-access = [
 "openid"
@@ -178,8 +178,8 @@ import ./make-test-python.nix (
 
 systems.oauth2.service2 = {
 displayName = "Service Two (changed)";
- originUrl = "https://changed-two.example.com/";
- originLanding = "https://changed-landing2.example.com/";
+ redirectUri = "https://changed-two.example.com/";
+ landingUrl = "https://changed-landing2.example.com/";
 # Test not setting secret
 # basicSecretFile =
 allowInsecureClientDisablePkce = false;
@@ -210,8 +210,8 @@ import ./make-test-python.nix (
 groups.service1-admin = { };
 systems.oauth2.service1 = {
 displayName = "Service One (changed)";
- originUrl = "https://changed-one.example.com/";
- originLanding = "https://changed-one.example.com/landing-changed";
+ redirectUri = "https://changed-one.example.com/";
+ landingUrl = "https://changed-one.example.com/landing-changed";
 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
 # Removing maps requires setting them to the empty list
 scopeMaps.service1-access = [ ];
@@ -220,8 +220,8 @@ import ./make-test-python.nix (
 
 systems.oauth2.service2 = {
 displayName = "Service Two (changed)";
- originUrl = "https://changed-two.example.com/";
- originLanding = "https://changed-landing2.example.com/";
+ redirectUri = "https://changed-two.example.com/";
+ landingUrl = "https://changed-landing2.example.com/";
 };
 };
 };