Implement reserved username handling for users, LDAP and Keycloak

Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic. Changes: - Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator. - cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved. - Add reserved_users filter plugin with and helpers for Ansible templates and tasks. - Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator. - group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks. - svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning. - svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict. - networks: assign dedicated subnet for web-app-roulette-wheel. - web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames. - web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field. - web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging. - web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED. - user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names. - svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter. - sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper. - sys-daemon handlers: quote handler name for consistency. Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
2025-12-02 15:39:57 +00:00 · 2025-11-29 17:40:45 +01:00
parent 3b3725cbd1
commit 26dfab147d
20 changed files with 400 additions and 36 deletions
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
@@ -5,6 +5,7 @@

 - name: "Load cleanup routine for '{{ application_id }}'"
  include_tasks: 02_cleanup.yml
+  when: MODE_CLEANUP | bool

 - name: "Load init routine for '{{ application_id }}'"
  include_tasks: 03_init.yml
@@ -35,3 +36,4 @@
 - name: "Load reCAPTCHA Update routines for '{{ application_id }}'"
  include_tasks: update/06_recaptcha.yml
  when: KEYCLOAK_RECAPTCHA_ENABLED | bool
+
--- a/roles/web-app-keycloak/tasks/update/_update.yml
+++ b/roles/web-app-keycloak/tasks/update/_update.yml
@@ -146,6 +146,19 @@
      }}
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

+- name: Drop unsupported fields for components (e.g. subComponents)
+  when: kc_object_kind == 'component'
+  set_fact:
+    desired_obj: >-
+      {{
+        desired_obj
+        | dict2items
+        | rejectattr('key', 'equalto', 'subComponents')
+        | list
+        | items2dict
+      }}
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
 - name: Preserve immutable fields for client-scope
  when: kc_object_kind == 'client-scope'
  set_fact:
@@ -181,5 +194,5 @@
    {{ desired_obj | to_json }}
    JSON
    {%- endif %}
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  #async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  #poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
--- a/roles/web-app-keycloak/templates/import/components/org.keycloak.userprofile.UserProfileProvider.json.j2
+++ b/roles/web-app-keycloak/templates/import/components/org.keycloak.userprofile.UserProfileProvider.json.j2
@@ -3,7 +3,13 @@
    {
      "name": "username",
      "displayName": "${username}",
-      "validations": {"length": {"min": 3, "max": 255}, "pattern": {"pattern": "^[a-z0-9]+$", "error-message": ""}},
+      "validations": {
+        "length": { "min": 3, "max": 255 },
+        "pattern": {
+          "pattern": "^(?!(?:" ~ KEYCLOAK_RESERVED_USERNAMES_REGEX | replace('\\', '\\\\') ~ ")$)[a-z0-9]+$",
+          "error-message": "Username is reserved or contains invalid characters. Only lowercase letters (a–z) and digits (0–9) are allowed."
+        }
+      },
      "annotations": {},
      "permissions": {"view": ["admin","user"], "edit": ["admin","user"]},
      "multivalued": false
@@ -33,7 +39,7 @@
      "multivalued": false
    },
    {
-      "name": "{{ LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY }}",
+      "name": LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY,
      "displayName": "SSH Public Key",
      "validations": {},
      "annotations": {},
@@ -53,6 +59,7 @@
 "org.keycloak.userprofile.UserProfileProvider": [
  {
    "providerId": "declarative-user-profile",
+    "name": "declarative-user-profile",
    "subComponents": {},
    "config": {
      "kc.user.profile.config": [{{ (user_profile | to_json) | to_json }}]
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -18,6 +18,10 @@ KEYCLOAK_DOMAIN:                    "{{ domains | get_domain('web-app-keycloak')
 KEYCLOAK_RBAC_GROUP_CLAIM:          "{{ RBAC.GROUP.CLAIM }}"
 KEYCLOAK_RBAC_GROUP_NAME:           "{{ RBAC.GROUP.NAME }}"

+# Users
+KEYCLOAK_RESERVED_USERNAMES_LIST:   "{{ users | reserved_usernames }}"
+KEYCLOAK_RESERVED_USERNAMES_REGEX:  "{{ KEYCLOAK_RESERVED_USERNAMES_LIST | join('|') }}"
+
 ## Health
 KEYCLOAK_HEALTH_ENABLED:            true