chore(passport): add username validators

Author: duanhongyi

charts/passport/templates/_helpers.tpl

@@ -90,7 +90,6 @@ volumeMounts:
     readOnly: true
 {{- end }}
 
-
 {{/* Generate passport deployment volumes */}}
 {{- define "passport.volumes" }}
 volumes:
@@ -101,3 +100,77 @@ volumes:
     configMap:
       name: passport-config
 {{- end }}
+
+{{/* Generate passport default reserved usernames */}}
+{{- define "passport.defaultReservedUsernames" }}
+admin
+administrator
+anonymous
+asshole
+bastard
+billing
+callback
+cancer
+cocaine
+contact
+coronavirus
+cracker
+database
+developer
+doopai
+drycc
+email
+explore
+faggot
+feedback
+hacker
+helpdesk
+hentai
+heroin
+hitler
+homophobic
+horny
+idiot
+killer
+login
+logout
+moderator
+murder
+nigger
+nigga
+official
+payment
+pedophile
+pornhub
+profile
+racist
+rapist
+recovery
+register
+retard
+scammer
+security
+service
+settings
+sexist
+signup
+signin
+slave
+spammer
+staff
+suicide
+support
+system
+terrorism
+trending
+undefined
+update
+username
+verification
+verify
+webmaster
+webhook
+wetback
+whore
+xvideos
+{{- end }}

charts/passport/templates/passport-configmap.yaml

@@ -5,6 +5,11 @@ metadata:
   labels:
     heritage: drycc
 data:
-data:
+  reserved-usernames.txt: |-
+{{- if .Values.reservedUsernames }}
+{{- (tpl .Values.reservedUsernames $) | nindent 4 }}
+{{- else}}
+{{- include "passport.defaultReservedUsernames" . | nindent 4 }}
+{{- end }}
   init-applications.json: |-
 {{ toPrettyJson .Values.initApplications | indent 4 }}

charts/passport/values.yaml

@@ -86,7 +86,8 @@ environment:
 adminUsername: "admin"
 adminPassword: "admin"
 adminEmail: "admin@email.com"
-
+# Reserved usernames
+reservedUsernames: ""
 # The following configurations to initialize oauth2 application
 # Names are all lowercase letters
 # The key and secret are generated automatically if they are empty

rootfs/api/models.py

@@ -1,32 +1,14 @@
 from django.db import models
-from django.conf import settings
-from django.contrib.auth import validators
 from django.contrib.auth.models import AbstractUser
 from django.utils.translation import gettext_lazy as _
-
 from oauth2_provider.models import AbstractApplication
+from .validators import UsernameValidator
 
 
 class User(AbstractUser):
-    username_validator = validators.UnicodeUsernameValidator(
-        regex=settings.USERNAME_REGEX,
-        message=_("Enter a valid username. This value may match the regex {}.".format(
-            settings.USERNAME_REGEX
-        ))
-    )
+    username_validator = UsernameValidator()
     email = models.EmailField(_('email address'), unique=True)
 
-    @property
-    def roles(self) -> list[str]:
-        results = []
-        if self.is_superuser:
-            results.append("admin")
-        if self.is_staff:
-            results.append("staff")
-        if self.is_active:
-            results.append("users")
-        return results
-
 
 class Application(AbstractApplication):
 

rootfs/api/oauth2_validators.py

@@ -9,7 +9,6 @@ class CustomOAuth2Validator(OAuth2Validator):
         "name": "profile",
         "username": "profile",
         "email": "email",
-        "roles": "profile",
         "first_name": "profile",
         "last_name": "profile",
         "is_staff": "profile",
@@ -24,7 +23,6 @@ def get_additional_claims(self, request):
         claims["name"] = request.user.username
         claims["username"] = request.user.username
         claims["email"] = request.user.email
-        claims["roles"] = request.user.roles
         claims["first_name"] = request.user.first_name
         claims["last_name"] = request.user.last_name
         claims["is_staff"] = request.user.is_staff

rootfs/api/serializers.py

@@ -17,9 +17,9 @@
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
-        fields = ('id', 'username', 'email', 'roles', 'first_name', 'last_name',
+        fields = ('id', 'username', 'email', 'first_name', 'last_name',
                   'is_staff', 'is_active', 'is_superuser')
-        read_only_fields = ('id', 'username', 'roles', 'is_staff', 'is_active',
+        read_only_fields = ('id', 'username', 'is_staff', 'is_active',
                             'is_superuser')
 
 

rootfs/api/settings/production.py

@@ -401,6 +401,16 @@
 
 # username regex
 USERNAME_REGEX = os.environ.get('USERNAME_REGEX', '^[a-z][a-z0-9]{4,}$')
+
+# reserved username
+RESERVED_USERNAMES_PATH = os.environ.get(
+    'RESERVED_USERNAMES_PATH', '/etc/drycc/passport/reserved-usernames.txt')
+if os.path.exists(RESERVED_USERNAMES_PATH):
+    with open(RESERVED_USERNAMES_PATH) as f:
+        RESERVED_USERNAMES = [line.strip() for line in f if line]
+else:
+    RESERVED_USERNAMES = ["drycc", "admin", "doopai"]
+
 # hcaptcha config
 H_CAPTCHA_KEY = os.environ.get("H_CAPTCHA_KEY")
 H_CAPTCHA_SECRET = os.environ.get("H_CAPTCHA_SECRET")

rootfs/api/validators.py

@@ -0,0 +1,20 @@
+from django.contrib.auth import validators
+from django.utils.translation import gettext_lazy as _
+from django.conf import settings
+from django.core.exceptions import ValidationError
+
+
+class UsernameValidator(validators.UnicodeUsernameValidator):
+    regex = settings.USERNAME_REGEX
+    message = _(
+        f"Enter a valid username. This value may match the regex {regex}."
+    )
+
+    def __call__(self, value):
+        if value in settings.RESERVED_USERNAMES:
+            raise ValidationError(
+                _("The current username is on the blocklist."),
+                code=self.code,
+                params={"value": value}
+            )
+        super().__call__(value)