feat: added machanism for not allowing users to sign up with forbidden/restricted usernames.

Names will be added to the nixos config. Closes #23
2023-09-16 14:56:16 +01:00 · 2023-09-16 14:56:16 +01:00 · dadaf73c78
commit dadaf73c78
parent 35952a2030
3 changed files with 26 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -55,10 +55,11 @@
          SSH_ROOT        = "skynet_old";
          
          # special categories of users
-          USERS_ADMIN     = lib.strings.concatStringsSep "," cfg.users.admin;
-          USERS_COMMITTEE = lib.strings.concatStringsSep "," cfg.users.committee;
-          USERS_LIFETIME  = lib.strings.concatStringsSep "," cfg.users.lifetime;
-          USERS_BANNED    = lib.strings.concatStringsSep "," cfg.users.banned;
+          USERS_ADMIN       = lib.strings.concatStringsSep "," cfg.users.admin;
+          USERS_COMMITTEE   = lib.strings.concatStringsSep "," cfg.users.committee;
+          USERS_LIFETIME    = lib.strings.concatStringsSep "," cfg.users.lifetime;
+          USERS_BANNED      = lib.strings.concatStringsSep "," cfg.users.banned;
+          USERS_RESTRICTED  = lib.strings.concatStringsSep "," cfg.users.restricted;
        };
        
        service_name = script: lib.strings.sanitizeDerivationName("${cfg.user}@${script}");
@ -146,6 +147,11 @@
              default     = [];
              description = "array of banned users";
            };
+            restricted = mkOption rec {
+              type        = types.listOf types.str;
+              default     = [];
+              description = "array of restricted user accounts";
+            };
          };
          
          host_port = mkOption rec {
--- a/src/lib.rs
+++ b/src/lib.rs
@ -190,6 +190,7 @@ pub struct Config {
  pub mail_pass: String,
  pub ssh_root: String,
  pub auth_discord: String,
+  pub users_restricted: Vec<String>,
 }

 pub fn get_config() -> Config {
@ -209,6 +210,7 @@ pub fn get_config() -> Config {
    mail_pass: "".to_string(),
    ssh_root: "skynet_old".to_string(),
    auth_discord: "".to_string(),
+    users_restricted: vec![],
  };

  if let Ok(x) = env::var("LDAP_HOST") {
@ -248,6 +250,13 @@ pub fn get_config() -> Config {
    config.auth_discord = x.trim().to_string();
  }

+  if let Ok(x) = env::var("USERS_RESTRICTED") {
+    // usernames that are restricted
+    for user in x.split(',').collect::<Vec<&str>>() {
+      config.users_restricted.push(user.to_string());
+    }
+  }
+
  config
 }

--- a/src/methods/account_new.rs
+++ b/src/methods/account_new.rs
@ -269,6 +269,13 @@ pub mod account {
      return Ok(json!({"result": "error", "error": error}).into());
    }

+    // check against forbidden names first
+    for name in &config.users_restricted {
+      if user.contains(name) {
+        return Ok(json!({"result": "error", "error": "username not available"}).into());
+      }
+    }
+
    // easier to give each request its own connection
    let mut ldap = LdapConn::new(&config.ldap_host)?;