Implement reserved username handling for users, LDAP and Keycloak

Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic. Changes: - Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator. - cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved. - Add reserved_users filter plugin with and helpers for Ansible templates and tasks. - Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator. - group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks. - svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning. - svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict. - networks: assign dedicated subnet for web-app-roulette-wheel. - web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames. - web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field. - web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging. - web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED. - user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names. - svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter. - sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper. - sys-daemon handlers: quote handler name for consistency. Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
2025-12-03 07:59:42 +00:00 · 2025-11-29 17:40:45 +01:00
parent 3b3725cbd1
commit 26dfab147d
20 changed files with 400 additions and 36 deletions
--- a/roles/svc-db-openldap/config/main.yml
+++ b/roles/svc-db-openldap/config/main.yml
@@ -18,12 +18,13 @@ docker:
    data:         "openldap_data"
 features:
  ldap:           true
-provisioning:           
+provision:           
 # Here it's possible to define what should be imported and updated.
 # It doesn't make sense to let  the import run everytime because its very time consuming
-  configuration:  true # E.g. MemberOf and Hashed Password Configuration
-  credentials:    true # Administrator Password
-  schemas:        true # E.g. Nextcloud, Openssl
-  users:          true # E.g. User, group and role entries
-  groups:         true # Roles and Groups import
-  update:         true # User Class updates
+  configuration:  true    # E.g. MemberOf and Hashed Password Configuration
+  credentials:    true    # Administrator Password
+  schemas:        true    # E.g. Nextcloud, Openssl
+  users:          true    # E.g. User, group and role entries
+  groups:         true    # Roles and Groups import
+  update:         true    # User Class updates
+  reserved:       false   # Reserved Users aren't provisioned
--- a/roles/svc-db-openldap/tasks/03_users.yml
+++ b/roles/svc-db-openldap/tasks/03_users.yml
@@ -20,7 +20,7 @@
    state: present            # ↳ creates but never updates
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  loop: "{{ users | dict2items }}"
+  loop: "{{ OPERNLDAP_USERS | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

@@ -39,7 +39,7 @@
    state: exact
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  loop: "{{ users | dict2items }}"
+  loop: "{{ OPERNLDAP_USERS | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -38,7 +38,7 @@
  include_tasks: 01_credentials.yml
  when:
    - OPENLDAP_NETWORK_SWITCH_LOCAL | bool
-    - applications | get_app_conf(application_id, 'provisioning.credentials')
+    - OPENLDAP_PROVISION_CREDENTIALS | bool

 - name: "create directory {{ OPENLDAP_LDIF_PATH_HOST }}{{ item }}"
  file:
@@ -53,7 +53,7 @@
    - configuration
  loop_control:
    loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.configuration')
+  when: OPENLDAP_PROVISION_CONFIGURATION | bool

 - name: flush LDIF handlers
  meta: flush_handlers
@@ -66,11 +66,11 @@

 - name: "Include Schemas (if enabled)"
  include_tasks: 02_schemas.yml
-  when: applications | get_app_conf(application_id, 'provisioning.schemas')
+  when: OPENLDAP_PROVISION_SCHEMAS | bool

 - name: "Import LDAP Entries (if enabled)"
  include_tasks: 03_users.yml
-  when: applications | get_app_conf(application_id, 'provisioning.users')
+  when: OPENLDAP_PROVISION_USERS | bool

 - name: "Import LDIF Data (if enabled)"
  include_tasks: _ldifs_creation.yml
@@ -78,10 +78,10 @@
    - groups
  loop_control:
    loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.groups')
+  when: OPENLDAP_PROVISION_GROUPS | bool

 - meta: flush_handlers

 - name: "Add Objects to all users"
  include_tasks: 04_update.yml
-  when: applications | get_app_conf(application_id, 'provisioning.update')
+  when: OPENLDAP_PROVISION_UPDATE | bool
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(users, LDAP)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(OPERNLDAP_USERS, LDAP)).items() %}

 dn: {{ dn }}
 {% for oc in entry.objectClass %}
--- a/roles/svc-db-openldap/vars/main.yml
+++ b/roles/svc-db-openldap/vars/main.yml
@@ -24,4 +24,16 @@ OPENLDAP_NETWORK:               "{{ applications | get_app_conf(application_id,
 # Network
 OPENLDAP_NETWORK_SWITCH_PUBLIC: "{{ applications | get_app_conf(application_id, 'network.public') }}"
 OPENLDAP_NETWORK_SWITCH_LOCAL:  "{{ applications | get_app_conf(application_id, 'network.local') }}"
-OPENLDAP_NETWORK_EXPOSE_LOCAL:  "{{ OPENLDAP_NETWORK_SWITCH_PUBLIC | bool or OPENLDAP_NETWORK_SWITCH_LOCAL | bool }}"
+OPENLDAP_NETWORK_EXPOSE_LOCAL:  "{{ OPENLDAP_NETWORK_SWITCH_PUBLIC | bool or OPENLDAP_NETWORK_SWITCH_LOCAL | bool }}"
+
+# Provision
+OPENLDAP_PROVISION_CONFIGURATION: "{{ applications | get_app_conf(application_id, 'provision.configuration') }}"
+OPENLDAP_PROVISION_CREDENTIALS:   "{{ applications | get_app_conf(application_id, 'provision.credentials') }}"
+OPENLDAP_PROVISION_SCHEMAS:       "{{ applications | get_app_conf(application_id, 'provision.schemas') }}"
+OPENLDAP_PROVISION_USERS:         "{{ applications | get_app_conf(application_id, 'provision.users') }}"
+OPENLDAP_PROVISION_GROUPS:        "{{ applications | get_app_conf(application_id, 'provision.groups') }}"
+OPENLDAP_PROVISION_UPDATE:        "{{ applications | get_app_conf(application_id, 'provision.update') }}"
+OPENLDAP_PROVISION_RESERVED:      "{{ applications | get_app_conf(application_id, 'provision.reserved') }}"
+
+# Users to be processed by LDAP
+OPERNLDAP_USERS:                  "{{ users if OPENLDAP_PROVISION_RESERVED else users | non_reserved_users }}"