3 changed files with 1 additions and 25 deletions
--- a/Scripts/authentik-sync-zulip-saml.sh
+++ b/Scripts/authentik-sync-zulip-saml.sh
@ -10,7 +10,6 @@ acs_url="${AUTHENTIK_ZULIP_ACS_URL:-https://chat.burrow.net/complete/saml/}"
 audience="${AUTHENTIK_ZULIP_AUDIENCE:-https://chat.burrow.net}"
 launch_url="${AUTHENTIK_ZULIP_LAUNCH_URL:-https://chat.burrow.net/}"
 access_group="${AUTHENTIK_ZULIP_ACCESS_GROUP:-}"
 admin_group="${AUTHENTIK_ZULIP_ADMIN_GROUP:-}"
 issuer="${AUTHENTIK_ZULIP_ISSUER:-$authentik_url}"
 usage() {
@ -29,7 +28,6 @@ Optional environment:
  AUTHENTIK_ZULIP_AUDIENCE
  AUTHENTIK_ZULIP_LAUNCH_URL
  AUTHENTIK_ZULIP_ACCESS_GROUP
  AUTHENTIK_ZULIP_ADMIN_GROUP
  AUTHENTIK_ZULIP_ISSUER
 EOF
 }
@ -259,17 +257,6 @@ last_name_mapping_pk="$(
    $'parts = (request.user.name or "").rsplit(" ", 1)\nif len(parts) == 2 and parts[1]:\n    return parts[1]\nreturn request.user.username'
 )"
 role_mapping_pk=""
 if [[ -n "$admin_group" ]]; then
  role_mapping_pk="$(
    reconcile_property_mapping \
      "Burrow Zulip SAML Role" \
      "zulip_role" \
      "zulip_role" \
      $'admin_group = "'$admin_group$'"\nif any(group.name == admin_group for group in request.user.ak_groups.all()):\n    return "owner"\nreturn None'
  )"
 fi
 if [[ -z "$email_mapping_pk" || -z "$name_mapping_pk" || -z "$first_name_mapping_pk" || -z "$last_name_mapping_pk" ]]; then
  echo "error: failed to reconcile Zulip SAML property mappings" >&2
  exit 1
@ -289,7 +276,6 @@ provider_payload="$(
    --arg name_mapping "$name_mapping_pk" \
    --arg first_name_mapping "$first_name_mapping_pk" \
    --arg last_name_mapping "$last_name_mapping_pk" \
    --arg role_mapping "$role_mapping_pk" \
    '{
      name: $name,
      authorization_flow: $authorization_flow,
@ -307,7 +293,7 @@ provider_payload="$(
        $name_mapping,
        $first_name_mapping,
        $last_name_mapping
-      ] + (if $role_mapping != "" then [$role_mapping] else [] end)
+      ]
    }'
 )"
--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@ -956,7 +956,6 @@ EOF
        ${lib.optionalString (cfg.zulipAccessGroupName != null) ''
          export AUTHENTIK_ZULIP_ACCESS_GROUP=${lib.escapeShellArg cfg.zulipAccessGroupName}
        ''}
        export AUTHENTIK_ZULIP_ADMIN_GROUP=${lib.escapeShellArg cfg.adminGroupName}
        ${pkgs.bash}/bin/bash ${zulipSamlSyncScript}
      '';
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@ -373,8 +373,6 @@ services:
                "entity_id": "https://${cfg.authentikDomain}",
                "url": "https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/sso/binding/redirect/",
                "display_name": "burrow.net",
                "auto_signup": True,
                "extra_attrs": ["zulip_role"],
                "x509cert": """$saml_cert""",
                "attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                "attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
@ -383,13 +381,6 @@ services:
                "attr_last_name": "lastName",
            },
        }
        SOCIAL_AUTH_SYNC_ATTRS_DICT = {
            "authentik": {
                "saml": {
                    "role": "zulip_role",
                },
            },
        }
 EOF
      '';
    };