YDA-6198: add all users internal option

Add a way to make the ruleset consider all users to be internal,
by setting the external domain filter to "*". This is useful
in situations where all users are to be authenticated using OIDC.

Also make the PAM stack use the ruleset script for determining
whether a user is external, so that the PAM stack and ruleset
use the same logic.

docker/images/yoda_irods_icat/Dockerfile

@@ -99,10 +99,8 @@ RUN install -m 0644 -o root -g root /tmp/irods_completion.sh /etc/profile.d/irod
 # Set up PAM authentication
 # hadolint ignore=DL3033
 COPY external-auth.py /tmp/external-auth.py
-COPY is-user-external.sh /tmp/is-user-external.sh
 COPY token-auth.py /tmp/token-auth.py
 RUN install -m 0750 -o root -g irods /tmp/external-auth.py /usr/local/bin/external-auth.py && \
-    install -m 0750 -o root -g irods /tmp/is-user-external.sh /usr/local/bin/is-user-external.sh && \
     install -m 0750 -o root -g irods /tmp/token-auth.py /usr/local/bin/token-auth.py && \
     chmod 04755 /usr/sbin/irodsPamAuthCheck
 COPY irods.pam /tmp/irods.pam

docker/images/yoda_irods_icat/irods.pam

@@ -9,7 +9,7 @@ auth        sufficient      pam_python3.so /usr/local/bin/token-auth.py
 
 auth        sufficient      pam_python3.so /var/lib/irods/msiExecCmd_bin/oidc.py
 
-auth [success=ignore default=1] pam_exec.so /usr/local/bin/is-user-external.sh
+auth [success=ignore default=1] pam_exec.so /etc/irods/yoda-ruleset/tools/is-user-external.py
 auth [success=done default=die] pam_exec.so expose_authtok /usr/local/bin/external-auth.py
 
 auth        required    pam_unix.so

docs/administration/configuring-yoda.md

@@ -464,7 +464,7 @@ eus_smtp_replyto_name        | External User Service email reply-to name
 eus_smtp_replyto_address     | External User Service email reply-to address
 eus_mail_template            | External User Service mail template
 eus_mail_validate_address    | External User Service: validate email address before sending email. If this option is enabled, EUS will only send emails to users if their username is a valid email address. It is intended to be used on environments where admins want to use an iRODS user with a non-email username to invite external users. This parameter is not meant to be enabled if the test data set installed by the test playbook has been loaded. Default value: false.
-external_users_domain_filter | Domains to filter, separated by | and wildcard character *
+external_users_domain_filter | This parameter takes a list of domains that are considered to be internal (not managed by EUS). Entries need to be separated by '|'. Entries can be literal domains (e.g. 'uu.nl'), wildcard subdomains (e.g. '\*.uu.nl'), or '\*' to set all domains to be internal.
 
 ### OpenID Connect (OIDC) configuration
 

roles/irods_icat/tasks/setup_pam.yml

@@ -17,14 +17,11 @@
     state: absent
 
 
-- name: Ensure external user check is present
-  ansible.builtin.template:
-    src: is-user-external.sh.j2
-    dest: /usr/local/bin/is-user-external.sh
-    owner: root
-    group: "{{ irods_service_account }}"
-    mode: '0750'
-  when: external_users
+# The new version of this script is part of the ruleset
+- name: Ensure old user type check script is absent
+  ansible.builtin.file:
+    path: /usr/local/bin/is-user-external.sh
+    state: absent
 
 
 - name: Ensure external user authentication is present

roles/irods_icat/templates/irods_pam.j2

@@ -17,7 +17,7 @@ auth        sufficient      pam_python3.so /var/lib/irods/msiExecCmd_bin/oidc.py
 {% endif %}
 
 {% if external_users %}
-auth [success=ignore default=1] pam_exec.so /usr/local/bin/is-user-external.sh
+auth [success=ignore default=1] pam_exec.so /etc/irods/yoda-ruleset/tools/is-user-external.py
 auth [success=done default=die] pam_exec.so expose_authtok /usr/local/bin/external-auth.py
 {% endif %}