diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index be4351684fdbd4..532467fc09e995 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -25,6 +25,8 @@ - `binwalk` was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available. See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information. +- Some `kanidm` provisioning options were renamed to match upstream nomenclature. In particular, this affects the two oauth2 options `originUrl` and `originLanding` which are now called `redirectUri` and `landingUrl` respectively. + - `buildGoPackage` has been removed. Use `buildGoModule` instead. See the [Go section in the nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#sec-language-go) for details. - `timescaledb` requires manual upgrade steps. diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix index 67218eb29880b5..fa7eaeb2c25eef 100644 --- a/nixos/modules/services/security/kanidm.nix +++ b/nixos/modules/services/security/kanidm.nix @@ -23,6 +23,7 @@ let hasPrefix isStorePath last + mapAttrs mapAttrsToList mkEnableOption mkForce @@ -30,9 +31,10 @@ let mkMerge mkOption mkPackageOption + mkRenamedOptionModule optional - optionals optionalString + optionals splitString subtractLists types 
@@ -139,9 +141,31 @@ let filterPresent = filterAttrs (_: v: v.present); - provisionStateJson = pkgs.writeText "provision-state.json" ( - builtins.toJSON { inherit (cfg.provision) groups persons systems; } - ); + provisionStateJson = + let + # Make sure the resulting state json does not contain any of our renamed options. + applyRenames = + state: + state + // { + systems.oauth2 = mapAttrs ( + _: x: + removeAttrs x [ + "redirectUri" + "landingUrl" + ] + // { + originUrl = x.redirectUri; + originLanding = x.landingUrl; + } + ) state.systems.oauth2; + }; + in + pkgs.writeText "provision-state.json" ( + builtins.toJSON { + inherit (applyRenames cfg.provision) groups persons systems; + } + ); # Only recover the admin account if a password should explicitly be provisioned # for the account. Otherwise it is not needed for provisioning. @@ -499,6 +523,11 @@ in default = { }; type = types.attrsOf ( types.submodule { + imports = [ + (mkRenamedOptionModule [ "originUrl" ] [ "redirectUri" ]) + (mkRenamedOptionModule [ "originLanding" ] [ "landingUrl" ]) + ]; + options = { present = mkPresentOption "oauth2 resource server"; @@ -514,7 +543,7 @@ in example = "Some Service"; }; - originUrl = mkOption { + redirectUri = mkOption { description = "The redirect URL of the service. These need to exactly match the OAuth2 redirect target"; type = let @@ -524,7 +553,7 @@ in example = "https://someservice.example.com/auth/login"; }; - originLanding = mkOption { + landingUrl = mkOption { description = "When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions."; type = types.str; example = "https://someservice.example.com/home"; diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix index 27176c2086fec0..f66afd6974245b 100644 --- a/nixos/tests/kanidm-provisioning.nix +++ b/nixos/tests/kanidm-provisioning.nix 
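Review bot: In applyRenames, `state // { systems.oauth2 = … }` is a shallow update, so `state.systems` is replaced by an attrset containing only `oauth2`, and any sibling attribute under `cfg.provision.systems` would silently disappear from the generated state JSON. Nothing else under `systems` is visible in this diff, so this is latent today, but `systems = state.systems // { oauth2 = mapAttrs (…) state.systems.oauth2; };` avoids it at no cost. The comment above applyRenames states the goal backwards: the JSON is rewritten to the old names, presumably because the provisioning tool still consumes `originUrl`/`originLanding`; something like `# The state JSON keeps the old field names (originUrl/originLanding); translate the renamed NixOS options back before serialising.` would say why. The two names also appear both in the removeAttrs list and in the replacement set, so a future rename has to be edited in two places.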
@@ -95,8 +95,8 @@ import ./make-test-python.nix ( groups.service1-admin = { }; systems.oauth2.service1 = { displayName = "Service One"; - originUrl = "https://one.example.com/"; - originLanding = "https://one.example.com/landing"; + redirectUri = "https://one.example.com/"; + landingUrl = "https://one.example.com/landing"; basicSecretFile = pkgs.writeText "bs-service1" "very-strong-secret-for-service1"; scopeMaps.service1-access = [ "openid" @@ -111,8 +111,8 @@ import ./make-test-python.nix ( systems.oauth2.service2 = { displayName = "Service Two"; - originUrl = "https://two.example.com/"; - originLanding = "https://landing2.example.com/"; + redirectUri = "https://two.example.com/"; + landingUrl = "https://landing2.example.com/"; # Test not setting secret # basicSecretFile = allowInsecureClientDisablePkce = true; @@ -159,11 +159,11 @@ import ./make-test-python.nix ( systems.oauth2.service1 = { displayName = "Service One (changed)"; # multiple origin urls - originUrl = [ + redirectUri = [ "https://changed-one.example.com/" "https://changed-one.example.org/" ]; - originLanding = "https://changed-one.example.com/landing-changed"; + landingUrl = "https://changed-one.example.com/landing-changed"; basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1"; scopeMaps.service1-access = [ "openid" @@ -178,8 +178,8 @@ import ./make-test-python.nix ( systems.oauth2.service2 = { displayName = "Service Two (changed)"; - originUrl = "https://changed-two.example.com/"; - originLanding = "https://changed-landing2.example.com/"; + redirectUri = "https://changed-two.example.com/"; + landingUrl = "https://changed-landing2.example.com/"; # Test not setting secret # basicSecretFile = allowInsecureClientDisablePkce = false; 
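Review bot: The comment `# multiple origin urls` in the @@ -159 hunk still uses the old option name although the line beneath it was renamed to `redirectUri`; `# multiple redirect uris` keeps the test readable for anyone searching for the new name. That hunk also shows `redirectUri` accepting a list as well as a single string, which the option's description in kanidm.nix ("The redirect URL of the service") only hints at; stating that a list of URLs is accepted there would spare readers a trip to the tests.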
@@ -210,8 +210,8 @@ import ./make-test-python.nix ( groups.service1-admin = { }; systems.oauth2.service1 = { displayName = "Service One (changed)"; - originUrl = "https://changed-one.example.com/"; - originLanding = "https://changed-one.example.com/landing-changed"; + redirectUri = "https://changed-one.example.com/"; + landingUrl = "https://changed-one.example.com/landing-changed"; basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1"; # Removing maps requires setting them to the empty list scopeMaps.service1-access = [ ]; @@ -220,8 +220,8 @@ import ./make-test-python.nix ( systems.oauth2.service2 = { displayName = "Service Two (changed)"; - originUrl = "https://changed-two.example.com/"; - originLanding = "https://changed-landing2.example.com/"; + redirectUri = "https://changed-two.example.com/"; + landingUrl = "https://changed-landing2.example.com/"; }; }; };