Allow banning/alllowing usernames patterns during registration

policies/register/register.rego

@@ -14,6 +14,14 @@ allow if {
 	count(violation) == 0
 }
 
+username_allowed if {
+	not data.registration.allowed_usernames
+}
+
+username_allowed if {
+	common.matches_string_constraints(input.username, data.registration.allowed_usernames)
+}
+
 # METADATA
 # entrypoint: true
 violation contains {"field": "username", "code": "username-too-short", "msg": "username too short"} if {
@@ -39,6 +47,20 @@ violation contains {
 	not regex.match(`^[a-z0-9.=_/-]+$`, input.username)
 }
 
+violation contains {
+	"field": "username", "code": "username-banned",
+	"msg": "username is banned",
+} if {
+	common.matches_string_constraints(input.username, data.registration.banned_usernames)
+}
+
+violation contains {
+	"field": "username", "code": "username-not-allowed",
+	"msg": "username is not allowed",
+} if {
+	not username_allowed
+}
+
 violation contains {"msg": "unspecified registration method"} if {
 	not input.registration_method
 }

policies/register/register_test.rego

@@ -75,6 +75,20 @@ test_numeric_username if {
 	not register.allow with input as {"username": "1234", "registration_method": "upstream-oauth2"}
 }
 
+test_allowed_username if {
+	register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+		with data.registration.allowed_usernames.literals as ["hello"]
+	not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+		with data.registration.allowed_usernames.literals as ["world"]
+}
+
+test_banned_username if {
+	not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+		with data.registration.banned_usernames.literals as ["hello"]
+	register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+		with data.registration.banned_usernames.literals as ["world"]
+}
+
 test_ip_ban if {
 	not register.allow with input as {
 		"username": "hello",