nixos/kanidm: update provisioning to allow multiple origin urls

2024-11-18 11:40:45 +00:00 · 2024-08-23 20:46:53 +02:00 · 2024-08-23 20:46:53 +02:00 · 391d05ce95
parent a9d176d029
commit 391d05ce95
2 changed files with 11 additions and 2 deletions
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@ -423,7 +423,10 @@ in

            originUrl = lib.mkOption {
              description = "The origin URL of the service. OAuth2 redirects will only be allowed to sites under this origin. Must end with a slash.";
-              type = lib.types.strMatching ".*://.*/$";
+              type = let
+                originStrType = lib.types.strMatching ".*://.*/$";
+              in
+                lib.types.either originStrType (lib.types.nonEmptyListOf originStrType);
              example = "https://someservice.example.com/";
            };

--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@ -158,7 +158,11 @@ import ./make-test-python.nix (
              groups.service1-admin = { };
              systems.oauth2.service1 = {
                displayName = "Service One (changed)";
-                originUrl = "https://changed-one.example.com/";
+                  # multiple origin urls
+                originUrl = [
+                  "https://changed-one.example.com/"
+                  "https://changed-one.example.org/"
+                ];
                originLanding = "https://changed-one.example.com/landing-changed";
                basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
                scopeMaps.service1-access = [
@ -405,6 +409,7 @@ import ./make-test-python.nix (
            assert_contains(out, "name: service1")
            assert_contains(out, "displayname: Service One (changed)")
            assert_contains(out, "oauth2_rs_origin: https://changed-one.example.com/")
+            assert_contains(out, "oauth2_rs_origin: https://changed-one.example.org/")
            assert_contains(out, "oauth2_rs_origin_landing: https://changed-one.example.com/landing")
            assert_matches(out, 'oauth2_rs_scope_map: service1-access.*{"email", "openid"}')
            assert_matches(out, 'oauth2_rs_sup_scope_map: service1-admin.*{"adminchanged"}')
@ -460,6 +465,7 @@ import ./make-test-python.nix (
            assert_contains(out, "name: service1")
            assert_contains(out, "displayname: Service One (changed)")
            assert_contains(out, "oauth2_rs_origin: https://changed-one.example.com/")
+            assert_lacks(out, "oauth2_rs_origin: https://changed-one.example.org/")
            assert_contains(out, "oauth2_rs_origin_landing: https://changed-one.example.com/landing")
            assert_lacks(out, "oauth2_rs_scope_map")
            assert_lacks(out, "oauth2_rs_sup_scope_map")