Add option to control the case sensitivity of user restriction check

microsoft · Nov 12, 2020 · 1b71763 · 1b71763
1 parent 9642b80
commit 1b71763
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/classes/loginflow/base.php b/classes/loginflow/base.php
@@ -393,14 +393,17 @@ protected function checkrestrictions(\auth_oidc\jwt $idtoken) {
             if (empty($tomatch)) {
                 $tomatch = $idtoken->claim('sub');
             }
-            $tomatch= strtolower($tomatch);
             foreach ($restrictions as $restriction) {
                 $restriction = trim($restriction);
                 if ($restriction !== '') {
                     $hasrestrictions = true;
                     ob_start();
                     try {
-                        $count = @preg_match('/'.$restriction.'/', $tomatch, $matches);
+                        $pattern = '/'.$restriction.'/';
+                        if (isset($this->config->userrestrictionscasesensitive) && $this->config->userrestrictionscasesensitive) {
+                            $pattern .= 'i';
+                        }
+                        $count = @preg_match($pattern, $tomatch, $matches);
                         if (!empty($count)) {
                             $userpassed = true;
                             break;

diff --git a/lang/en/auth_oidc.php b/lang/en/auth_oidc.php
@@ -78,6 +78,8 @@
 $string['cfg_tokenendpoint_desc'] = 'The URI of the token endpoint from your identity provider to use.';
 $string['cfg_userrestrictions_key'] = 'User Restrictions';
 $string['cfg_userrestrictions_desc'] = 'Only allow users to log in that meet certain restrictions. <br /><b>How to use user restrictions: </b> <ul><li>Enter a <a href="https://en.wikipedia.org/wiki/Regular_expression">regular expression</a> pattern that matches the usernames of users you want to allow.</li><li>Enter one pattern per line</li><li>If you enter multiple patterns a user will be allowed if they match ANY of the patterns.</li><li>The character "/" should be escaped with "\".</li><li>If you don\'t enter any restrictions above, all users that can log in to the OpenID Connect provider will be accepted by Moodle.</li><li>Any user that does not match any entered pattern(s) will be prevented from logging in using OpenID Connect.</li></ul>';
+$string['cfg_userrestrictionscasesensitive_key'] = 'User Restrictions Case Sensitive';
+$string['cfg_userrestrictioncasesensitive_desc'] = 'This controls if the "/i" option in regular expression is used in the user restriction match.<br/>If enabled, all user restriction checks will be performed as with case sensitive. Note if this is disabled, any patterns on letter cases will be ignored.';
 $string['event_debug'] = 'Debug message';
 
 $string['errorauthdisconnectemptypassword'] = 'Password cannot be empty';

diff --git a/settings.php b/settings.php
@@ -85,6 +85,10 @@
 $configdefault = '';
 $settings->add(new admin_setting_configtextarea('auth_oidc/userrestrictions', $configkey, $configdesc, $configdefault, PARAM_TEXT));
 
+$configkey = new lang_string('cfg_userrestrictionscasesensitive_key', 'auth_oidc');
+$configdesc = new lang_string('cfg_userrestrictioncasesensitive_desc', 'auth_oidc');
+$settings->add(new admin_setting_configcheckbox('auth_oidc/userrestrictionscasesensitive', $configkey, $configdesc, '1'));
+
 $label = new lang_string('cfg_debugmode_key', 'auth_oidc');
 $desc = new lang_string('cfg_debugmode_desc', 'auth_oidc');
 $settings->add(new \admin_setting_configcheckbox('auth_oidc/debugmode', $label, $desc, '0'));

diff --git a/version.php b/version.php
@@ -23,7 +23,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2020071500;
+$plugin->version = 2020071501;
 $plugin->requires = 2020061500;
 $plugin->release = '3.9.0';
 $plugin->component = 'auth_oidc';