From 449b5988d0269d788210839968d0867f8b9eac96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 27 Sep 2019 18:21:04 +0200 Subject: [PATCH] Take some precautions against misuse of the rabbit roles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- roles/rabbit/queue/tasks/main.yml | 9 +++++++++ roles/rabbit/user/tasks/main.yml | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/roles/rabbit/queue/tasks/main.yml b/roles/rabbit/queue/tasks/main.yml index f616dd049c..7259984f6e 100644 --- a/roles/rabbit/queue/tasks/main.yml +++ b/roles/rabbit/queue/tasks/main.yml @@ -28,6 +28,15 @@ fail_msg: "Your queue name must be prefixed with your username" tags: fedora-messaging +- name: Validate the user parameter + assert: + that: + - username != "admin" + - username != "guest" + - username != "nagios-monitoring" + fail_msg: "This user name is reserved" + tags: fedora-messaging + # See https://www.rabbitmq.com/access-control.html#permissions for details on # the RabbitMQ permissions configuration. - name: Create the {{ username }} user in RabbitMQ diff --git a/roles/rabbit/user/tasks/main.yml b/roles/rabbit/user/tasks/main.yml index 9333fb70bf..6d0b67a91c 100644 --- a/roles/rabbit/user/tasks/main.yml +++ b/roles/rabbit/user/tasks/main.yml @@ -11,6 +11,16 @@ # See https://www.rabbitmq.com/access-control.html#permissions for details on # the RabbitMQ permissions configuration. + +- name: Validate parameters + assert: + that: + - username != "admin" + - username != "guest" + - username != "nagios-monitoring" + fail_msg: "This user name is reserved" + tags: fedora-messaging + - name: Create the user in RabbitMQ delegate_to: "{{ rabbitmq_server }}" rabbitmq_user:
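Review bot: The reserved-name check added in roles/rabbit/queue/tasks/main.yml is an exact-match denylist that is repeated verbatim in the roles/rabbit/user/tasks/main.yml hunk, so a privileged broker account introduced later has to be added in both places or one role will still accept it. Keeping the names in one shared list variable and asserting `- username not in rabbitmq_reserved_usernames` (the variable name is a suggestion, not something this patch defines) would keep the two roles in step. Whether the three listed names cover every administrative or monitoring account on the broker cannot be seen from this patch, so the list is worth checking against the actual user set. Both asserts carry `tags: fedora-messaging`, and the creation tasks they guard continue outside the hunks; if those tasks can also be selected by a different tag, the check would be skipped on such runs, which should be confirmed.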