From eb9327a99fcb18ecc763644a0ce2b0068a7b0dd9 Mon Sep 17 00:00:00 2001
From: Conrad Kramer
Date: Sun, 19 Apr 2026 03:43:57 -0700
Subject: [PATCH] Map Burrow admins to Zulip owners

---
 Scripts/authentik-sync-zulip-saml.sh | 16 +++++++++++++++-
 nixos/modules/burrow-authentik.nix | 1 +
 nixos/modules/burrow-zulip.nix | 8 ++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/Scripts/authentik-sync-zulip-saml.sh b/Scripts/authentik-sync-zulip-saml.sh
index 6767991..cd18752 100644
--- a/Scripts/authentik-sync-zulip-saml.sh
+++ b/Scripts/authentik-sync-zulip-saml.sh
@@ -10,6 +10,7 @@ acs_url="${AUTHENTIK_ZULIP_ACS_URL:-https://chat.burrow.net/complete/saml/}"
 audience="${AUTHENTIK_ZULIP_AUDIENCE:-https://chat.burrow.net}"
 launch_url="${AUTHENTIK_ZULIP_LAUNCH_URL:-https://chat.burrow.net/}"
 access_group="${AUTHENTIK_ZULIP_ACCESS_GROUP:-}"
+admin_group="${AUTHENTIK_ZULIP_ADMIN_GROUP:-}"
 issuer="${AUTHENTIK_ZULIP_ISSUER:-$authentik_url}"
 
 usage() {
@@ -28,6 +29,7 @@ Optional environment:
 AUTHENTIK_ZULIP_AUDIENCE
 AUTHENTIK_ZULIP_LAUNCH_URL
 AUTHENTIK_ZULIP_ACCESS_GROUP
+ AUTHENTIK_ZULIP_ADMIN_GROUP
 AUTHENTIK_ZULIP_ISSUER
 EOF
 }
@@ -257,6 +259,17 @@ last_name_mapping_pk="$(
 $'parts = (request.user.name or "").rsplit(" ", 1)\nif len(parts) == 2 and parts[1]:\n return parts[1]\nreturn request.user.username'
 )"
 
+role_mapping_pk=""
+if [[ -n "$admin_group" ]]; then
+ role_mapping_pk="$(
+ reconcile_property_mapping \
+ "Burrow Zulip SAML Role" \
+ "zulip_role" \
+ "zulip_role" \
+ $'admin_group = "'$admin_group$'"\nif any(group.name == admin_group for group in request.user.ak_groups.all()):\n return "owner"\nreturn None'
+ )"
+fi
+
 if [[ -z "$email_mapping_pk" || -z "$name_mapping_pk" || -z "$first_name_mapping_pk" || -z "$last_name_mapping_pk" ]]; then
 echo "error: failed to reconcile Zulip SAML property mappings" >&2
 exit 1
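Review bot: The new role mapping splices `$admin_group` into Python source by string concatenation, and the expansion sits between the two `$'...'` segments unquoted, so it is subject to word splitting and globbing and a group name containing a double quote, backslash or newline alters the expression authentik evaluates on every SAML login. Quote it as `"$admin_group"` and reject names that cannot be embedded, e.g. `case "$admin_group" in *[\"\\$'\n']*) echo "error: AUTHENTIK_ZULIP_ADMIN_GROUP contains characters that cannot be embedded in the mapping expression" >&2; exit 1 ;; esac` placed before the `if`. The value appears to arrive through `lib.escapeShellArg` from the Nix module, so this is hardening of an operator-controlled input rather than an exposed hole, but the expression is privileged (it grants the owner role) and deserves the guard. The reconcile check on the following `if` line also ignores `role_mapping_pk`: when `$admin_group` is set but `reconcile_property_mapping` fails, the script continues and publishes the provider without the role mapping, so admins silently stay non-owners. Extend the condition with `|| ( -n "$admin_group" && -z "$role_mapping_pk" )` inside the same `[[ ]]` so the failure is reported like the others.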
@@ -276,6 +289,7 @@ provider_payload="$(
 --arg name_mapping "$name_mapping_pk" \
 --arg first_name_mapping "$first_name_mapping_pk" \
 --arg last_name_mapping "$last_name_mapping_pk" \
+ --arg role_mapping "$role_mapping_pk" \
 '{
 name: $name,
 authorization_flow: $authorization_flow,
@@ -293,7 +307,7 @@ provider_payload="$(
 $name_mapping,
 $first_name_mapping,
 $last_name_mapping
- ]
+ ] + (if $role_mapping != "" then [$role_mapping] else [] end)
 }'
 )"
 
diff --git a/nixos/modules/burrow-authentik.nix b/nixos/modules/burrow-authentik.nix
index acf76ce..977b641 100644
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@@ -956,6 +956,7 @@ EOF
 ${lib.optionalString (cfg.zulipAccessGroupName != null) ''
 export AUTHENTIK_ZULIP_ACCESS_GROUP=${lib.escapeShellArg cfg.zulipAccessGroupName}
 ''}
+ export AUTHENTIK_ZULIP_ADMIN_GROUP=${lib.escapeShellArg cfg.adminGroupName}
 ${pkgs.bash}/bin/bash ${zulipSamlSyncScript}
 '';
 
diff --git a/nixos/modules/burrow-zulip.nix b/nixos/modules/burrow-zulip.nix
index ef1f190..a7adb48 100644
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@@ -374,6 +374,7 @@ services:
 "url": "https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/sso/binding/redirect/",
 "display_name": "burrow.net",
 "auto_signup": True,
+ "extra_attrs": ["zulip_role"],
 "x509cert": """$saml_cert""",
 "attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
 "attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
@@ -382,6 +383,13 @@ services:
 "attr_last_name": "lastName",
 },
 }
+ SOCIAL_AUTH_SYNC_ATTRS_DICT = {
+ "authentik": {
+ "saml": {
+ "role": "zulip_role",
+ },
+ },
+ }
 EOF
 '';
 };
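Review bot: The new `export AUTHENTIK_ZULIP_ADMIN_GROUP=...` line is unconditional while the access-group export two lines above it is wrapped in `lib.optionalString (cfg.zulipAccessGroupName != null)`; the declaration of `adminGroupName` is outside this hunk, so I cannot tell whether it is nullable, but if it is, `lib.escapeShellArg null` fails at evaluation time, and if it can be an empty string the sync script quietly skips the role mapping and no admin becomes an owner. Either guard it the same way, `${lib.optionalString (cfg.adminGroupName != null) '' export AUTHENTIK_ZULIP_ADMIN_GROUP=${lib.escapeShellArg cfg.adminGroupName} ''}`, or add a module assertion that the option is set so a misconfiguration fails loudly instead of silently producing a realm with no mapped owners.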
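Review bot: `SOCIAL_AUTH_SYNC_ATTRS_DICT` makes Zulip apply a role from the `zulip_role` SAML attribute at login, but the authentik expression added in this patch emits `"owner"` for admin-group members and `None` for everyone else; if Zulip leaves the role untouched when the attribute is absent (I believe this is the behaviour, but it should be verified against the deployed Zulip version), a user removed from the admin group keeps realm-owner privileges until someone demotes them by hand. Consider having the mapping return an explicit non-owner role such as `"member"` for users outside the group so authentik is the single source of truth for the role, bearing in mind that this also overrides roles granted manually in Zulip. The `"extra_attrs": ["zulip_role"]` entry in the preceding hunk and this sync dict are unconditional while the authentik side only attaches the mapping when `AUTHENTIK_ZULIP_ADMIN_GROUP` is non-empty, so a comment such as `# role sync is a no-op unless the authentik provider actually sends zulip_role` above the dict would save the next reader a trip through the other module.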