fix(build): update nix flake to work with current NixOS unstable

[ThinkChaos]

Niv appears to work too, but I haven't tested that as much.

Changes (sorry single big commit, but this was hard enough as is):

• don't use the overlay for nixpkgs since it's not used ATM
• when using a flake, respect the given inputs instead of using Niv ones
• update dependencies to Qt6 to match pyproject.toml
• fix coredump on Wayland because of missing runtime dependency
• fix build-system to use the newer poetry-core
• update poetry.lock
• make flake inputs and Niv sources poetry2nix versions match

Fixes #144 #156 Might fix #112 #109

[unode]

A big thank you for all this effort! As AnyConnect is far from usable on NixOS, this contribution is precious.

With this and given my first try resulted in an error, how are you using this recipe?

On NixOS-23.11 I'm seeing:

error:
       … while calling the 'head' builtin

         at /var/nixpkgs-channels/nixos-23.11/lib/attrsets.nix:850:11:

          849|         || pred here (elemAt values 1) (head values) then
          850|           head values
             |           ^
          851|         else

       … while evaluating the attribute 'value'

         at /var/nixpkgs-channels/nixos-23.11/lib/modules.nix:807:9:

          806|     in warnDeprecation opt //
          807|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          808|         inherit (res.defsFinal') highestPrio;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: poetry2nix is now maintained out-of-tree. Please use https://github.com/nix-community/poetry2nix/

when I enable the code in this PR via:

  nixpkgs.overlays = [
    (import "${builtins.fetchTarball https://github.com/ThinkChaos/openconnect-sso/archive/refs/heads/fix/nix-flake.tar.gz}/overlay.nix")
  ];

[ThinkChaos]

I pushed a fix for the overlay! Let me know if that works for you.

fix(build): don't override poetry2nix in overlay

prev.callPackage auto-detects the given closure's args and sets them to prev.${arg}. So poetry2nix was getting overriden with prev.poetry2nix giving us the "poetry2nix is now maintained out-of-tree" error.

Not sure why that was using callPackage in the first place, seems like an oversight.

Just for reference, I'm using it via the flake so that all inputs are pinned. And if needed I can change openconnect-sso.inputs.nixpkgs.follows to point to an older nixpkgs than my system if it becomes incompatible again in the future.
I had that setup for a while but since the package used to depend on the wrong Qt libs, and not use propagatedBuildInputs it stopped working after a while. Hopefully with this PR it's truly self contained.

flake.nix:

inputs = {
    openconnect-sso = {
      url = github:ThinkChaos/openconnect-sso/fix/nix-flake;
      inputs.flake-utils.follows = "utils";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.systems.follows = "systems";
    };
}

configuration.nix:

environment.systemPackages = [
  inputs.openconnect-sso.packages.${config.nixpkgs.localSystem.system}.default
];

[PhDyellow]

I can confirm that this PR works when I use the flake. I tested it by accessing PDFs from major publishers that I can only access when I am inside my institution's VPN.

[bast]

Confirming that this works. It seems to be a good workaround/solution for my troubles in #156. Thank you!

[XenGi]

This needs an addition to configuration.nix:

nixpkgs.config.permittedInsecurePackages = [
  "electron-25.9.0"
];

But even then, this seems to not work anymore. I'm getting this when starting openconnect-sso:

$ env OPENSSL_CONF=$HOME/.openconnect-sso-openssl.cnf openconnect-sso --server "myvpn.com/my-vpn"
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=myvpn.com/my-vpn name=
Traceback (most recent call last):
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/bin/.openconnect-sso-wrapped", line 9, in <module>
    sys.exit(main())
             ^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/cli.py", line 175, in main
    return app.run(args)
           ^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/app.py", line 35, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/qp5zys77biz7imbk6yy85q5pdv7qk84j-python3-3.11.6/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/app.py", line 152, in _run
    auth_response = await authenticate_to(
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/authenticator.py", line 23, in authenticate
    response = self._start_authentication()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/authenticator.py", line 68, in _start_authentication
    return parse_response(response)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/authenticator.py", line 141, in parse_response
    return parse_auth_request_response(xml)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/9pv6l1ilz5fxmiixk4qy2b6h2b2c9sq9-python3.11-openconnect-sso-0.8.1/lib/python3.11/site-packages/openconnect_sso/authenticator.py", line 147, in parse_auth_request_response
    assert xml.auth.get("id") == "main"
           ^^^^^^^^
  File "src/lxml/objectify.pyx", line 234, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 453, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: auth

The custom ssl config fixes the UNSAFE_LEGACY_RENEGOTIATION_DISABLED issue.

[unode]

Also confirming that the latest changes now solve the installation issue I mentioned above.

[ThinkChaos]

@XenGi to the best of my knowledge both your issues are unrelated to this PR:

• openconnect-sso doesn't depend on electron (the web view is Qt based). You can confirm that with nix derivation show -r github:ThinkChaos/openconnect-sso/20c0015c4264c72cc19ac272de0dc534309bd21b#openconnect-sso. I'm guessing another package you have installed is triggering this since you're updating your config's nixpkgs.
• AttributeError: no such child: auth is openconnect-sso not getting the XML it expects. Simply searching for the error brings up a couple issues that seem related, please contribute there instead:
  https://github.com/vlaci/openconnect-sso/issues/17 https://github.com/vlaci/openconnect-sso/issues/35 https://github.com/vlaci/openconnect-sso/issues/47 https://github.com/vlaci/openconnect-sso/issues/56 https://github.com/vlaci/openconnect-sso/issues/57

[XenGi]

ah ok. Thx for checking. I wasn't sure about that. Then I'll check for some other explanation.

[adminy]

building '/nix/store/dxlmqg8p8m7gz3wmqmclp8gkwb4incra-python3.11-trio-0.25.0.drv'...
error: builder for '/nix/store/dxlmqg8p8m7gz3wmqmclp8gkwb4incra-python3.11-trio-0.25.0.drv' failed with exit code 1;
       last 10 log lines:
       > adding 'trio-0.25.0.dist-info/top_level.txt'
       > adding 'trio-0.25.0.dist-info/RECORD'
       > removing build/bdist.linux-x86_64/wheel
       > Successfully built trio-0.25.0-py3-none-any.whl
       > Finished creating a wheel...
       > Finished executing pypaBuildPhase
       > Running phase: pythonRuntimeDepsCheckHook
       > Executing pythonRuntimeDepsCheck
       > Checking runtime dependencies for trio-0.25.0-py3-none-any.whl
       >   - attrs>=23.2.0 not satisfied by version 23.1.0
       For full logs, run 'nix log /nix/store/dxlmqg8p8m7gz3wmqmclp8gkwb4incra-python3.11-trio-0.25.0.drv'.
error: 1 dependencies of derivation '/nix/store/c0c9af576nf8xqpfrnbxzn3nv2h9k3dw-python3.11-jeepney-0.8.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/az8p80zvg3dl16hx8x3wmyw3j4x8w25p-python3.11-keyring-23.13.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/gwapvssizki5b7zp4hm8m6c1j5nqwy61-python3.11-openconnect-sso-0.8.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/2f1y8gixqjag5fwsjii6ia2bm1fwy1aj-system-path.drv' failed to build
error: 1 dependencies of derivation '/nix/store/152lzb82a0z6hp7bnjii0hc31g14isla-nixos-system-box-24.11.20240605.437e3a2.drv' failed to build

In case anyone wants a working version, you can find it here also created a PR to address all these issues: https://github.com/vlaci/openconnect-sso/pull/181

[ThinkChaos]

Thanks, I'll give it a shot! I haven't bothered trying to update the derivation and am just using an old nixpkgs just for this flake.

[ThinkChaos]

I updated the PR to use latest nixpkgs as now (2893f56de08021cffd9b6b6dfc70fd9ccd51eb60). Everything builds and works fine for me.

I didn't use all your changes @adminy since a lot of it seemed like separate concerns and not just fixing the build. I did add you as co-author though because I cherry-picked one hunk in nix/default.nix. Also, please rebase your PR on mine, because using my work without attribution is not cool!

[ThinkChaos]

Pushed a commit to fix building with more recent nixpkgs that updated lxml to 5.x.
Also just uses nixpkgs' version instead of rebuilding it.

[adminy]

So sorry, not sure what happened.

PR is rebased.

I'm no longer using the vpn client. So any further changes I won't be able to test. Its all up to you now :)

[benys]

It works for me. Maybe you should consider merging it?

[adminy]

I'm afraid its not up to us @benys

[turbotimon]

I can also confirm this fix work on nixos. A huge thank you to @ThinkChaos !!!

@vlaci any change this gets merged soon?

[thunze]

Not using this anymore since network manager also seems to support this type of auth now. But thanks for the hard work, it really helped a lot throughout the past years!

[ThinkChaos]

Thanks for the kind words @thunze!

Can you link what you use with network manager?
I found https://github.com/grahamwhiteuk/Networkmanager-anyconnect but it doesn't do SSO from a quick look.

I also know about https://github.com/yuezk/GlobalProtect-openconnect but it doesn't just work out of the box for me and I haven't put work into getting it functional cause openconnect-sso is still good enough.
(Plus globalprotect's nixpkgs build is broken ATM since it depends on an outdated & insecure qtwebengine version).

[thunze]

@ThinkChaos Sure!

networkmanager-openconnect works perfectly fine for me, under the condition that I explicitly set the user agent to some string starting with AnyConnect (just AnyConnect does the trick as well). Trying to connect to the VPN will then prompt me to complete the authentication process in a browser window. Not sure if whether this works varies from VPN host to VPN host or if this is missing some features openconnect-sso provides, but my use case is covered.

I found out that this works through an AUR comment. Here are some more related links:

• https://gitlab.com/openconnect/openconnect/-/issues/665
• https://gitlab.com/openconnect/openconnect/-/merge_requests/497
• https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/119

[ThinkChaos]

Thanks for the reply and the tips!
It seems the external auth flow is not working for me right now. I did some static debugging by reading code on GitLab but will need more time and an actual debugger to figure it out, but I'm hopeful I can switch at some point :)

[thunze]

Of course, hope you'll get it sorted out! Plain openconnect might work, too.