fix(Zitadel): filter out empty roles

Chris Kruining 2025-11-04 15:08:54 +01:00
parent fab1df76c7
commit e7cedfb639
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2


@ -1,6 +1,6 @@
{ config, lib, pkgs, namespace, system, inputs, ... }: { config, lib, pkgs, namespace, system, inputs, ... }:
let let
inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
inherit (lib.${namespace}.strings) toSnakeCase; inherit (lib.${namespace}.strings) toSnakeCase;
cfg = config.${namespace}.services.authentication.zitadel; cfg = config.${namespace}.services.authentication.zitadel;
@ -340,7 +340,7 @@ in
# Organizations # Organizations
zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
{ inherit name isDefault; } { inherit name isDefault; }
|> toResource name |> toResource name
); );
# Projects per organization # Projects per organization
@ -348,8 +348,8 @@ in
{ {
inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck;
} }
|> withRef "org" org |> withRef "org" org
|> toResource "${org}_${name}" |> toResource "${org}_${name}"
); );
# Each OIDC app per project # Each OIDC app per project
@ -361,26 +361,26 @@ in
idTokenRoleAssertion = true; idTokenRoleAssertion = true;
accessTokenType = "JWT"; accessTokenType = "JWT";
} }
|> withRef "org" org |> withRef "org" org
|> withRef "project" "${org}_${project}" |> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}" |> toResource "${org}_${project}_${name}"
); );
# Each project role # Each project role
zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value:
{ inherit (value) displayName group; roleKey = name; } { inherit (value) displayName group; roleKey = name; }
|> withRef "org" org |> withRef "org" org
|> withRef "project" "${org}_${project}" |> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}" |> toResource "${org}_${project}_${name}"
); );
# Each project role assignment # Each project role assignment
zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles:
{ roleKeys = roles; } { roleKeys = roles; }
|> withRef "org" org |> withRef "org" org
|> withRef "project" "${org}_${project}" |> withRef "project" "${org}_${project}"
|> withRef "user" "${org}_${user}" |> withRef "user" "${org}_${user}"
|> toResource "${org}_${project}_${user}" |> toResource "${org}_${project}_${user}"
); );
# Users # Users
@ -390,24 +390,30 @@ in
isEmailVerified = true; isEmailVerified = true;
} }
|> withRef "org" org |> withRef "org" org
|> toResource "${org}_${name}" |> toResource "${org}_${name}"
); );
# Global user roles # Global user roles
zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: zitadel_instance_member =
{ roles = value.instanceRoles; } cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0))
|> select [ "user" ] (org: name: { instanceRoles, ... }:
{ roles = instanceRoles; }
|> withRef "user" "${org}_${name}" |> withRef "user" "${org}_${name}"
|> toResource "${org}_${name}" |> toResource "${org}_${name}"
); );
# Organazation specific roles # Organazation specific roles
zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: zitadel_org_member =
{ inherit roles; } cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0))
|> select [ "user" ] (org: name: { roles, ... }:
{ inherit roles; }
|> withRef "org" org |> withRef "org" org
|> withRef "user" "${org}_${name}" |> withRef "user" "${org}_${name}"
|> toResource "${org}_${name}" |> toResource "${org}_${name}"
); );
# Organazation's actions # Organazation's actions
zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}:
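Review bot: The predicate passed to `filterAttrsRecursive` in `zitadel_instance_member` (and its twin in `zitadel_org_member`) is evaluated against every attribute at every depth of `cfg.organization`, not only against user entries, so any attribute set anywhere in the tree that happens to carry an empty `instanceRoles`/`roles` list is silently pruned, and the fact that `?` on a non-attrset simply yields `false` hides how broad that reach is. The narrower and more self-describing form is to filter the per-org `user` set before `select` rather than the whole tree, and since both resources repeat the same shape, a single helper taking the attribute name — `withoutEmpty = attr: filterAttrsRecursive (_: v: !(lib.hasAttr attr v && v.${attr} == []))` — would keep the two in step (and drops the unused `n` parameter). In the generated Terraform, a user whose role list becomes empty now loses its member resource altogether, which presumably destroys the membership on the next apply; that revocation is the right outcome, but a comment such as `# users with no roles get no member resource: membership is revoked, not kept with an empty role set` would make it explicit that the disappearance is intended. If either option can default to `null` rather than `[]`, `length` will throw inside the predicate; worth confirming against the option definitions, which are outside this hunk.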
@ -416,25 +422,27 @@ in
timeout = "${toString timeout}s"; timeout = "${toString timeout}s";
script = "const ${name} = ${script}"; script = "const ${name} = ${script}";
} }
|> withRef "org" org |> withRef "org" org
|> toResource "${org}_${name}" |> toResource "${org}_${name}"
); );
# Organazation's action assignments # Organazation's action assignments
zitadel_trigger_actions = cfg.organization zitadel_trigger_actions =
cfg.organization
|> concatMapAttrs (org: { triggers, ... }: |> concatMapAttrs (org: { triggers, ... }:
triggers triggers
|> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
{ {
inherit flowType triggerType; inherit flowType triggerType;
actionIds = actions actionIds =
|> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); actions
} |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
|> withRef "org" org }
|> toResource "${org}_${name}" |> withRef "org" org
)) |> toResource "${org}_${name}"
|> listToAttrs ))
|> listToAttrs
); );
# SMTP config # SMTP config