Implement reserved username handling for users, LDAP and Keycloak

Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic. Changes: - Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator. - cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved. - Add reserved_users filter plugin with and helpers for Ansible templates and tasks. - Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator. - group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks. - svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning. - svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict. - networks: assign dedicated subnet for web-app-roulette-wheel. - web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames. - web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field. - web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging. - web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED. - user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names. - svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter. - sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper. - sys-daemon handlers: quote handler name for consistency. Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
2025-12-02 15:39:57 +00:00 · 2025-11-29 17:40:45 +01:00
parent 3b3725cbd1
commit 26dfab147d
20 changed files with 400 additions and 36 deletions
--- a/filter_plugins/reserved_users.py
+++ b/filter_plugins/reserved_users.py
@@ -0,0 +1,53 @@
+from ansible.errors import AnsibleFilterError
+import re
+
+
+def reserved_usernames(users_dict):
+    """
+    Return a list of usernames where reserved: true.
+    Usernames are regex-escaped to be safely embeddable.
+    """
+    if not isinstance(users_dict, dict):
+        raise AnsibleFilterError("reserved_usernames expects a dictionary.")
+
+    results = []
+
+    for _key, user in users_dict.items():
+        if not isinstance(user, dict):
+            continue
+        if not user.get("reserved", False):
+            continue
+        username = user.get("username")
+        if username:
+            results.append(re.escape(str(username)))
+
+    return results
+
+
+def non_reserved_users(users_dict):
+    """
+    Return a dict of users where reserved != true.
+    """
+    if not isinstance(users_dict, dict):
+        raise AnsibleFilterError("non_reserved_users expects a dictionary.")
+
+    results = {}
+
+    for key, user in users_dict.items():
+        if not isinstance(user, dict):
+            continue
+        if user.get("reserved", False):
+            continue
+        results[key] = user
+
+    return results
+
+
+class FilterModule(object):
+    """User filters for extracting reserved and non-reserved subsets."""
+
+    def filters(self):
+        return {
+            "reserved_usernames": reserved_usernames,
+            "non_reserved_users": non_reserved_users,
+        }