nixos/kanidm: rename options to match upstream nomenclature

NixOS · Dec 22, 2024 · bed941a · bed941a
1 parent cee3b71
commit bed941a
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 18 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -25,6 +25,8 @@
 - `binwalk` was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available.
   See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information.
 
+- Some `kanidm` provisioning options were renamed to match upstream nomenclature. In particular, this affects the two oauth2 options `originUrl` and `originLanding` which are now called `redirectUri` and `landingUrl` respectively.
+
 - `buildGoPackage` has been removed. Use `buildGoModule` instead. See the [Go section in the nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#sec-language-go) for details.
 
 - `timescaledb` requires manual upgrade steps.

diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
@@ -23,16 +23,18 @@ let
     hasPrefix
     isStorePath
     last
+    mapAttrs
     mapAttrsToList
     mkEnableOption
     mkForce
     mkIf
     mkMerge
     mkOption
     mkPackageOption
+    mkRenamedOptionModule
     optional
-    optionals
     optionalString
+    optionals
     splitString
     subtractLists
     types
@@ -139,9 +141,31 @@ let
 
   filterPresent = filterAttrs (_: v: v.present);
 
-  provisionStateJson = pkgs.writeText "provision-state.json" (
-    builtins.toJSON { inherit (cfg.provision) groups persons systems; }
-  );
+  provisionStateJson =
+    let
+      # Make sure the resulting state json does not contain any of our renamed options.
+      applyRenames =
+        state:
+        state
+        // {
+          systems.oauth2 = mapAttrs (
+            _: x:
+            removeAttrs x [
+              "redirectUri"
+              "landingUrl"
+            ]
+            // {
+              originUrl = x.redirectUri;
+              originLanding = x.landingUrl;
+            }
+          ) state.systems.oauth2;
+        };
+    in
+    pkgs.writeText "provision-state.json" (
+      builtins.toJSON {
+        inherit (applyRenames cfg.provision) groups persons systems;
+      }
+    );
 
   # Only recover the admin account if a password should explicitly be provisioned
   # for the account. Otherwise it is not needed for provisioning.
@@ -499,6 +523,11 @@ in
         default = { };
         type = types.attrsOf (
           types.submodule {
+            imports = [
+              (mkRenamedOptionModule [ "originUrl" ] [ "redirectUri" ])
+              (mkRenamedOptionModule [ "originLanding" ] [ "landingUrl" ])
+            ];
+
             options = {
               present = mkPresentOption "oauth2 resource server";
 
@@ -514,7 +543,7 @@ in
                 example = "Some Service";
               };
 
-              originUrl = mkOption {
+              redirectUri = mkOption {
                 description = "The redirect URL of the service. These need to exactly match the OAuth2 redirect target";
                 type =
                   let
@@ -524,7 +553,7 @@ in
                 example = "https://someservice.example.com/auth/login";
               };
 
-              originLanding = mkOption {
+              landingUrl = mkOption {
                 description = "When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.";
                 type = types.str;
                 example = "https://someservice.example.com/home";

diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
@@ -95,8 +95,8 @@ import ./make-test-python.nix (
               groups.service1-admin = { };
               systems.oauth2.service1 = {
                 displayName = "Service One";
-                originUrl = "https://one.example.com/";
-                originLanding = "https://one.example.com/landing";
+                redirectUri = "https://one.example.com/";
+                landingUrl = "https://one.example.com/landing";
                 basicSecretFile = pkgs.writeText "bs-service1" "very-strong-secret-for-service1";
                 scopeMaps.service1-access = [
                   "openid"
@@ -111,8 +111,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two";
-                originUrl = "https://two.example.com/";
-                originLanding = "https://landing2.example.com/";
+                redirectUri = "https://two.example.com/";
+                landingUrl = "https://landing2.example.com/";
                 # Test not setting secret
                 # basicSecretFile =
                 allowInsecureClientDisablePkce = true;
@@ -159,11 +159,11 @@ import ./make-test-python.nix (
               systems.oauth2.service1 = {
                 displayName = "Service One (changed)";
                 # multiple origin urls
-                originUrl = [
+                redirectUri = [
                   "https://changed-one.example.com/"
                   "https://changed-one.example.org/"
                 ];
-                originLanding = "https://changed-one.example.com/landing-changed";
+                landingUrl = "https://changed-one.example.com/landing-changed";
                 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
                 scopeMaps.service1-access = [
                   "openid"
@@ -178,8 +178,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two (changed)";
-                originUrl = "https://changed-two.example.com/";
-                originLanding = "https://changed-landing2.example.com/";
+                redirectUri = "https://changed-two.example.com/";
+                landingUrl = "https://changed-landing2.example.com/";
                 # Test not setting secret
                 # basicSecretFile =
                 allowInsecureClientDisablePkce = false;
@@ -210,8 +210,8 @@ import ./make-test-python.nix (
               groups.service1-admin = { };
               systems.oauth2.service1 = {
                 displayName = "Service One (changed)";
-                originUrl = "https://changed-one.example.com/";
-                originLanding = "https://changed-one.example.com/landing-changed";
+                redirectUri = "https://changed-one.example.com/";
+                landingUrl = "https://changed-one.example.com/landing-changed";
                 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
                 # Removing maps requires setting them to the empty list
                 scopeMaps.service1-access = [ ];
@@ -220,8 +220,8 @@ import ./make-test-python.nix (
 
               systems.oauth2.service2 = {
                 displayName = "Service Two (changed)";
-                originUrl = "https://changed-two.example.com/";
-                originLanding = "https://changed-landing2.example.com/";
+                redirectUri = "https://changed-two.example.com/";
+                landingUrl = "https://changed-landing2.example.com/";
               };
             };
           };