Merge branch 'main' into quenting/dynamic-policy-data

Author: sandhose

.github/workflows/build.yaml

@@ -222,7 +222,7 @@ jobs:
     steps:
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5.6.1
+        uses: docker/metadata-action@v5.7.0
         with:
           images: "${{ env.IMAGE }}"
           bake-target: docker-metadata-action
@@ -238,7 +238,7 @@ jobs:
 
       - name: Docker meta (debug variant)
         id: meta-debug
-        uses: docker/metadata-action@v5.6.1
+        uses: docker/metadata-action@v5.7.0
         with:
           images: "${{ env.IMAGE }}"
           bake-target: docker-metadata-action-debug
@@ -255,7 +255,7 @@ jobs:
 
       - name: Docker meta (syn2mas)
         id: meta-syn2mas
-        uses: docker/metadata-action@v5.6.1
+        uses: docker/metadata-action@v5.7.0
         with:
           images: "${{ env.IMAGE_SYN2MAS }}"
           bake-target: docker-metadata-action-syn2mas
@@ -273,7 +273,7 @@ jobs:
         uses: sigstore/[email protected]
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
@@ -288,7 +288,7 @@ jobs:
 
       - name: Build and push
         id: bake
-        uses: docker/bake-action@v6.4.0
+        uses: docker/bake-action@v6.5.0
         with:
           files: |
             ./docker-bake.hcl

.github/workflows/coverage.yaml

@@ -33,7 +33,7 @@ jobs:
         run: make coverage
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@v5.3.1
+        uses: codecov/codecov-action@v5.4.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: policies/coverage.json
@@ -60,7 +60,7 @@ jobs:
         run: npm run coverage
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@v5.3.1
+        uses: codecov/codecov-action@v5.4.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: frontend/coverage/
@@ -127,7 +127,7 @@ jobs:
           grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@v5.3.1
+        uses: codecov/codecov-action@v5.4.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: target/coverage/*.lcov

crates/policy/src/model.rs

@@ -32,6 +32,12 @@ pub enum Code {
     /// The username contains only numeric characters.
     UsernameAllNumeric,
 
+    /// The username is banned.
+    UsernameBanned,
+
+    /// The username is not allowed.
+    UsernameNotAllowed,
+
     /// The email domain is not allowed.
     EmailDomainNotAllowed,
 
@@ -54,6 +60,8 @@ impl Code {
             Self::UsernameTooLong => "username-too-long",
             Self::UsernameInvalidChars => "username-invalid-chars",
             Self::UsernameAllNumeric => "username-all-numeric",
+            Self::UsernameBanned => "username-banned",
+            Self::UsernameNotAllowed => "username-not-allowed",
             Self::EmailDomainNotAllowed => "email-domain-not-allowed",
             Self::EmailDomainBanned => "email-domain-banned",
             Self::EmailNotAllowed => "email-not-allowed",

docs/reference/configuration.md

@@ -382,6 +382,35 @@ policy:
       # don't require clients to provide a client_uri. default: false
       allow_missing_client_uri: false
 
+    # Restrictions on user registration
+    registration:
+      # If specified, the username (localpart) *must* match one of the allowed
+      # usernames. If unspecified, all usernames are allowed.
+      allowed_usernames:
+        # Exact usernames that are allowed
+        literals: ["alice", "bob"]
+        # Substrings that match allowed usernames
+        substrings: ["user"]
+        # Regular expressions that match allowed usernames
+        regexes: ["^[a-z]+$"]
+        # Prefixes that match allowed usernames
+        prefixes: ["user-"]
+        # Suffixes that match allowed usernames
+        suffixes: ["-corp"]
+      # If specified, the username (localpart) *must not* match one of the
+      # banned usernames. If unspecified, all usernames are allowed.
+      banned_usernames:
+        # Exact usernames that are banned
+        literals: ["admin", "root"]
+        # Substrings that match banned usernames
+        substrings: ["admin", "root"]
+        # Regular expressions that match banned usernames
+        regexes: ["^admin$", "^root$"]
+        # Prefixes that match banned usernames
+        prefixes: ["admin-", "root-"]
+        # Suffixes that match banned usernames
+        suffixes: ["-admin", "-root"]
+
     # Restrict what email addresses can be added to a user
     emails:
       # If specified, the email address *must* match one of the allowed addresses.