diff --git a/flake.nix b/flake.nix index 102f3ed..4d913f4 100644 --- a/flake.nix +++ b/flake.nix @@ -55,10 +55,11 @@ SSH_ROOT = "skynet_old"; # special categories of users - USERS_ADMIN = lib.strings.concatStringsSep "," cfg.users.admin; - USERS_COMMITTEE = lib.strings.concatStringsSep "," cfg.users.committee; - USERS_LIFETIME = lib.strings.concatStringsSep "," cfg.users.lifetime; - USERS_BANNED = lib.strings.concatStringsSep "," cfg.users.banned; + USERS_ADMIN = lib.strings.concatStringsSep "," cfg.users.admin; + USERS_COMMITTEE = lib.strings.concatStringsSep "," cfg.users.committee; + USERS_LIFETIME = lib.strings.concatStringsSep "," cfg.users.lifetime; + USERS_BANNED = lib.strings.concatStringsSep "," cfg.users.banned; + USERS_RESTRICTED = lib.strings.concatStringsSep "," cfg.users.restricted; }; service_name = script: lib.strings.sanitizeDerivationName("${cfg.user}@${script}"); @@ -146,6 +147,11 @@ default = []; description = "array of banned users"; }; + restricted = mkOption rec { + type = types.listOf types.str; + default = []; + description = "array of restricted user accounts"; + }; }; host_port = mkOption rec { diff --git a/src/lib.rs b/src/lib.rs index 3647826..f649a20 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -190,6 +190,7 @@ pub struct Config { pub mail_pass: String, pub ssh_root: String, pub auth_discord: String, + pub users_restricted: Vec, } pub fn get_config() -> Config { @@ -209,6 +210,7 @@ pub fn get_config() -> Config { mail_pass: "".to_string(), ssh_root: "skynet_old".to_string(), auth_discord: "".to_string(), + users_restricted: vec![], }; if let Ok(x) = env::var("LDAP_HOST") { @@ -248,6 +250,13 @@ pub fn get_config() -> Config { config.auth_discord = x.trim().to_string(); } + if let Ok(x) = env::var("USERS_RESTRICTED") { + // usernames that are restricted + for user in x.split(',').collect::>() { + config.users_restricted.push(user.to_string()); + } + } + config } 
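Review bot: The description on the new `restricted` option does not say how the list is applied, so a maintainer reading the module cannot tell it apart from the `banned` option directly above it. From the consumer in account_new.rs in this same commit, each entry is compared against a requested username with `contains`, i.e. a case-sensitive substring test at account-creation time, and that is what the option text should say. Suggest `description = "usernames that may not be chosen for new accounts (each entry is matched as a case-sensitive substring of the requested name)";` so that operators know `root` in this list also blocks `groot`.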
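Review bot: The new `USERS_RESTRICTED` loop pushes every comma-separated field unchanged, so an empty variable produces one empty-string entry, and a trailing comma or blank field does the same; with the option's `[]` default, `concatStringsSep "," []` in flake.nix sets exactly that empty variable, and in account_new.rs an empty entry makes `user.contains(name)` true for every username, rejecting all new accounts. The other fields parsed in this function are `.trim()`-ed while these are not, so a value like ` root` would never match. Suggest replacing the loop with `config.users_restricted.extend(x.split(',').map(str::trim).filter(|s| !s.is_empty()).map(String::from));`, which also drops the intermediate `collect` into a `Vec` since the split iterator can be consumed directly. `get_config` begins before this hunk.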
diff --git a/src/methods/account_new.rs b/src/methods/account_new.rs index e98ce6f..94aaddd 100644 --- a/src/methods/account_new.rs +++ b/src/methods/account_new.rs @@ -269,6 +269,13 @@ pub mod account { return Ok(json!({"result": "error", "error": error}).into()); } + // check against forbidden names first + for name in &config.users_restricted { + if user.contains(name) { + return Ok(json!({"result": "error", "error": "username not available"}).into()); + } + } + // easier to give each request its own connection let mut ldap = LdapConn::new(&config.ldap_host)?;
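Review bot: The new check `if user.contains(name)` is a substring test, so a restricted entry such as `root` also rejects `groot`, an empty entry (which the parser in lib.rs produces for an unset or empty list) rejects every username, and the comparison is case-sensitive, so `Root` or `ROOT` passes a restriction on `root` unless `user` has already been lower-cased somewhere before this point, which is not visible in the hunk. If substring matching is intended, at least skip empty entries and normalise case: `if !name.is_empty() && user.to_lowercase().contains(&name.to_lowercase()) {`; if exact names are intended, compare with `==` instead. The generic "username not available" response is a good choice here since it does not reveal the restricted list. The enclosing function starts before and continues after this hunk, and where `user` is validated beforehand cannot be seen from here.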