hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Map Burrow admins to Zulip owners
Some checks failed
Build Site / Next.js Build (push) Failing after 2s
Details
Lint Governance / BEP Metadata (push) Successful in 0s
Details
Build Rust / Cargo Test (push) Successful in 4m2s
Details

Browse source
This commit is contained in:
Conrad Kramer 2026-04-19 03:43:57 -07:00
parent 5598fc18fc
commit eb9327a99f
3 changed files with 24 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

16
Scripts/authentik-sync-zulip-saml.sh
View file

@ -10,6 +10,7 @@ acs_url="${AUTHENTIK_ZULIP_ACS_URL:-https://chat.burrow.net/complete/saml/}"
audience="${AUTHENTIK_ZULIP_AUDIENCE:-https://chat.burrow.net}" audience="${AUTHENTIK_ZULIP_AUDIENCE:-https://chat.burrow.net}"
launch_url="${AUTHENTIK_ZULIP_LAUNCH_URL:-https://chat.burrow.net/}" launch_url="${AUTHENTIK_ZULIP_LAUNCH_URL:-https://chat.burrow.net/}"
access_group="${AUTHENTIK_ZULIP_ACCESS_GROUP:-}" access_group="${AUTHENTIK_ZULIP_ACCESS_GROUP:-}"
admin_group="${AUTHENTIK_ZULIP_ADMIN_GROUP:-}"
issuer="${AUTHENTIK_ZULIP_ISSUER:-$authentik_url}" issuer="${AUTHENTIK_ZULIP_ISSUER:-$authentik_url}"
usage() { usage() {
@ -28,6 +29,7 @@ Optional environment:
AUTHENTIK_ZULIP_AUDIENCE AUTHENTIK_ZULIP_AUDIENCE
AUTHENTIK_ZULIP_LAUNCH_URL AUTHENTIK_ZULIP_LAUNCH_URL
AUTHENTIK_ZULIP_ACCESS_GROUP AUTHENTIK_ZULIP_ACCESS_GROUP
AUTHENTIK_ZULIP_ADMIN_GROUP
AUTHENTIK_ZULIP_ISSUER AUTHENTIK_ZULIP_ISSUER
EOF EOF
} }
@ -257,6 +259,17 @@ last_name_mapping_pk="$(
$'parts = (request.user.name or "").rsplit(" ", 1)\nif len(parts) == 2 and parts[1]:\n return parts[1]\nreturn request.user.username' $'parts = (request.user.name or "").rsplit(" ", 1)\nif len(parts) == 2 and parts[1]:\n return parts[1]\nreturn request.user.username'
)" )"
role_mapping_pk=""
if [[ -n "$admin_group" ]]; then
role_mapping_pk="$(
reconcile_property_mapping \
"Burrow Zulip SAML Role" \
"zulip_role" \
"zulip_role" \
$'admin_group = "'$admin_group$'"\nif any(group.name == admin_group for group in request.user.ak_groups.all()):\n return "owner"\nreturn None'
)"
fi
if [[ -z "$email_mapping_pk" || -z "$name_mapping_pk" || -z "$first_name_mapping_pk" || -z "$last_name_mapping_pk" ]]; then if [[ -z "$email_mapping_pk" || -z "$name_mapping_pk" || -z "$first_name_mapping_pk" || -z "$last_name_mapping_pk" ]]; then
echo "error: failed to reconcile Zulip SAML property mappings" >&2 echo "error: failed to reconcile Zulip SAML property mappings" >&2
exit 1 exit 1
@ -276,6 +289,7 @@ provider_payload="$(
--arg name_mapping "$name_mapping_pk" \ --arg name_mapping "$name_mapping_pk" \
--arg first_name_mapping "$first_name_mapping_pk" \ --arg first_name_mapping "$first_name_mapping_pk" \
--arg last_name_mapping "$last_name_mapping_pk" \ --arg last_name_mapping "$last_name_mapping_pk" \
--arg role_mapping "$role_mapping_pk" \
'{ '{
name: $name, name: $name,
authorization_flow: $authorization_flow, authorization_flow: $authorization_flow,
@ -293,7 +307,7 @@ provider_payload="$(
$name_mapping, $name_mapping,
$first_name_mapping, $first_name_mapping,
$last_name_mapping $last_name_mapping
] ] + (if $role_mapping != "" then [$role_mapping] else [] end)
}' }'
)" )"

1
nixos/modules/burrow-authentik.nix
View file

@ -956,6 +956,7 @@ EOF
${lib.optionalString (cfg.zulipAccessGroupName != null) '' ${lib.optionalString (cfg.zulipAccessGroupName != null) ''
export AUTHENTIK_ZULIP_ACCESS_GROUP=${lib.escapeShellArg cfg.zulipAccessGroupName} export AUTHENTIK_ZULIP_ACCESS_GROUP=${lib.escapeShellArg cfg.zulipAccessGroupName}
''} ''}
export AUTHENTIK_ZULIP_ADMIN_GROUP=${lib.escapeShellArg cfg.adminGroupName}
${pkgs.bash}/bin/bash ${zulipSamlSyncScript} ${pkgs.bash}/bin/bash ${zulipSamlSyncScript}
''; '';

8
nixos/modules/burrow-zulip.nix
View file

@ -374,6 +374,7 @@ services:
"url": "https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/sso/binding/redirect/", "url": "https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/sso/binding/redirect/",
"display_name": "burrow.net", "display_name": "burrow.net",
"auto_signup": True, "auto_signup": True,
"extra_attrs": ["zulip_role"],
"x509cert": """$saml_cert""", "x509cert": """$saml_cert""",
"attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
@ -382,6 +383,13 @@ services:
"attr_last_name": "lastName", "attr_last_name": "lastName",
}, },
} }
SOCIAL_AUTH_SYNC_ATTRS_DICT = {
"authentik": {
"saml": {
"role": "zulip_role",
},
},
}
EOF EOF
''; '';
}; };