NixOS · oddlama · Nov 28, 2024
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -90,6 +90,8 @@
     After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
     PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
 
+- Some `kanidm` provisioning options were renamed to match upstream nomenclature. In particular, this affects the two oauth2 options `originUrl` and `originLanding` which are now called `redirectUri` and `landingUrl` respectively.
+
 - Support for CUDA 10 has been dropped, as announced in the 24.11 release notes.
 
 - `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.

diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
@@ -23,16 +23,18 @@ let
     hasPrefix
     isStorePath
     last
+    mapAttrs
     mapAttrsToList
     mkEnableOption
     mkForce
     mkIf
     mkMerge
     mkOption
     mkPackageOption
+    mkRenamedOptionModule
     optional
-    optionals
     optionalString
+    optionals
     splitString
     subtractLists
     types
@@ -139,9 +141,31 @@ let
 
   filterPresent = filterAttrs (_: v: v.present);
 
-  provisionStateJson = pkgs.writeText "provision-state.json" (
-    builtins.toJSON { inherit (cfg.provision) groups persons systems; }
-  );
+  provisionStateJson =
+    let
+      # Make sure the resulting state json does not contain any of our renamed options.
+      applyRenames =
+        state:
+        state
+        // {
+          systems.oauth2 = mapAttrs (
+            _: x:
+            removeAttrs x [
+              "redirectUri"
+              "landingUrl"
+            ]
+            // {
+              originUrl = x.redirectUri;
+              originLanding = x.landingUrl;
+            }
+          ) state.systems.oauth2;
+        };
+    in
+    pkgs.writeText "provision-state.json" (
+      builtins.toJSON {
+        inherit (applyRenames cfg.provision) groups persons systems;
+      }
+    );
 
   # Only recover the admin account if a password should explicitly be provisioned
   # for the account. Otherwise it is not needed for provisioning.
@@ -502,6 +526,11 @@ in
         default = { };
         type = types.attrsOf (
           types.submodule {
+            imports = [
+              (mkRenamedOptionModule [ "originUrl" ] [ "redirectUri" ])
+              (mkRenamedOptionModule [ "originLanding" ] [ "landingUrl" ])
+            ];
+
             options = {
               present = mkPresentOption "oauth2 resource server";
 
@@ -517,7 +546,7 @@ in
                 example = "Some Service";
               };
 
-              originUrl = mkOption {
+              redirectUri = mkOption {
                 description = "The redirect URL of the service. These need to exactly match the OAuth2 redirect target";
                 type =
                   let
@@ -527,7 +556,7 @@ in
                 example = "https://someservice.example.com/auth/login";
               };
 
-              originLanding = mkOption {
+              landingUrl = mkOption {
                 description = "When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.";
                 type = types.str;
                 example = "https://someservice.example.com/home";

diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
@@ -95,8 +95,8 @@ import ./make-test-python.nix (
               groups.service1-admin = { };
               systems.oauth2.service1 = {
                 displayName = "Service One";
-                originUrl = "https://one.example.com/";
-                originLanding = "https://one.example.com/landing";
+                redirectUri = "https://one.example.com/";
+                landingUrl = "https://one.example.com/landing";
                 basicSecretFile = pkgs.writeText "bs-service1" "very-strong-secret-for-service1";
                 scopeMaps.service1-access = [
                   "openid"
@@ -111,8 +111,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two";
-                originUrl = "https://two.example.com/";
-                originLanding = "https://landing2.example.com/";
+                redirectUri = "https://two.example.com/";
+                landingUrl = "https://landing2.example.com/";
                 # Test not setting secret
                 # basicSecretFile =
                 allowInsecureClientDisablePkce = true;
@@ -159,11 +159,11 @@ import ./make-test-python.nix (
               systems.oauth2.service1 = {
                 displayName = "Service One (changed)";
                 # multiple origin urls
-                originUrl = [
+                redirectUri = [
                   "https://changed-one.example.com/"
                   "https://changed-one.example.org/"
                 ];
-                originLanding = "https://changed-one.example.com/landing-changed";
+                landingUrl = "https://changed-one.example.com/landing-changed";
                 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
                 scopeMaps.service1-access = [
                   "openid"
@@ -178,8 +178,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two (changed)";
-                originUrl = "https://changed-two.example.com/";
-                originLanding = "https://changed-landing2.example.com/";
+                redirectUri = "https://changed-two.example.com/";
+                landingUrl = "https://changed-landing2.example.com/";
                 # Test not setting secret
                 # basicSecretFile =
                 allowInsecureClientDisablePkce = false;
@@ -210,8 +210,8 @@ import ./make-test-python.nix (
               groups.service1-admin = { };
               systems.oauth2.service1 = {
                 displayName = "Service One (changed)";
-                originUrl = "https://changed-one.example.com/";
-                originLanding = "https://changed-one.example.com/landing-changed";
+                redirectUri = "https://changed-one.example.com/";
+                landingUrl = "https://changed-one.example.com/landing-changed";
                 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
                 # Removing maps requires setting them to the empty list
                 scopeMaps.service1-access = [ ];
@@ -220,8 +220,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two (changed)";
-                originUrl = "https://changed-two.example.com/";
-                originLanding = "https://changed-landing2.example.com/";
+                redirectUri = "https://changed-two.example.com/";
+                landingUrl = "https://changed-landing2.example.com/";
               };
             };
           };