option to enforce oauth for some users

Author: splitbrain

OAuthManager.php

@@ -195,7 +195,7 @@ protected function validateUserData($userdata, $servicename)
         /** @var \helper_plugin_oauth $hlp */
         $hlp = plugin_load('helper', 'oauth');
 
-        if (!$hlp->checkMail($userdata['mail'])) {
+        if (!$hlp->checkMail($userdata['mail'], $hlp->getValidDomains())) {
             throw new Exception('rejectedEMail', [implode(', ', $hlp->getValidDomains())]);
         }
 

_test/CheckMailTest.php

@@ -46,6 +46,6 @@ public function testCheckMail($restriction, $input, $expected)
 
         /** @var \helper_plugin_oauth $hlp */
         $hlp = plugin_load('helper', 'oauth');
-        $this->assertSame($expected, $hlp->checkMail($input));
+        $this->assertSame($expected, $hlp->checkMail($input, $hlp->getValidDomains()));
     }
 }

auth.php

@@ -54,6 +54,28 @@ public function trustExternal($user, $pass, $sticky = false)
         }
     }
 
+    /**
+     * Enforce oauth login for certain email domains
+     *
+     * @inheritdoc
+     */
+    public function checkPass($user, $pass)
+    {
+        $ok = parent::checkPass($user, $pass);
+        if(!$ok) return $ok;
+        $domains = $this->hlp->getEnforcedDomains();
+        if($domains === []) return $ok;
+
+        if($this->hlp->checkMail($this->getUserData($user)['mail'], $domains)) {
+            global $lang;
+            // we overwrite the standard bad password message with our own
+            $lang['badlogin'] = $this->getLang('eMailEnforced');
+            return false;
+        }
+        return $ok;
+    }
+
+
     /**
      * Enhance function to check against duplicate emails
      *

conf/default.php

@@ -9,6 +9,7 @@
 $conf['info'] = '';
 $conf['custom-redirectURI']  = '';
 $conf['mailRestriction']     = '';
+$conf['mailEnforcement']     = '';
 $conf['singleService']       = '';
 $conf['register-on-auth']    = 0;
 $conf['overwrite-groups']    = 0;

conf/metadata.php

@@ -10,6 +10,7 @@
 $meta['custom-redirectURI']  = array('string','_caution' => 'warning');
 // https://regex101.com/r/mG4aL5/3
 $meta['mailRestriction']     = array('string','_pattern' => '!^(@[^,@]+(\.[^,@]+)+(,|$))*$!');
+$meta['mailEnforcement']     = array('string','_pattern' => '!^(@[^,@]+(\.[^,@]+)+(,|$))*$!');
 $meta['singleService']       = array('onoff');
 $meta['register-on-auth']    = array('onoff','_caution' => 'security');
 $meta['overwrite-groups']    = array('onoff','_caution' => 'danger');

helper.php

@@ -81,21 +81,33 @@ public function getValidDomains()
         if ($this->getConf('mailRestriction') === '') {
             return [];
         }
-        $validDomains = explode(',', trim($this->getConf('mailRestriction'), ','));
-        return array_map('trim', $validDomains);
+        $domains = explode(',', trim($this->getConf('mailRestriction'), ','));
+        return array_map('trim', $domains);
+    }
+
+    /**
+     * @return array
+     */
+    public function getEnforcedDomains()
+    {
+        if ($this->getConf('mailEnforcement') === '') {
+            return [];
+        }
+        $domains = explode(',', trim($this->getConf('mailEnforcement'), ','));
+        return array_map('trim', $domains);
     }
 
     /**
      * @param string $mail
+     * @param array $domains List of domains to check against (from getValidDomains or getEnforcedDomains)
      *
      * @return bool
      */
-    public function checkMail($mail)
+    public function checkMail($mail, array $domains)
     {
-        $validDomains = $this->getValidDomains();
-        if (empty($validDomains)) return true;
+        if (empty($domains)) return true;
 
-        foreach ($validDomains as $validDomain) {
+        foreach ($domains as $validDomain) {
             if (str_ends_with($mail, $validDomain)) {
                 return true;
             }

lang/en/lang.php

@@ -12,6 +12,7 @@
 $lang['loginButton'] = 'Log in with ';//... i.e. Google (on SingleAuth)
 $lang['rejectedEMail'] = 'Invalid eMail-Account used. Only email accounts from the following domain(s) are allowed: %s!';
 $lang['eMailRestricted'] = 'Only email accounts from the following domain(s) are allowed: %s';
+$lang['eMailEnforced'] = 'Sorry, accounts from your domain have to login via oAuth.';
 $lang['noEmail'] = '%s service did not provide the an email address. Can\'t log you in.';
 $lang['addUser not possible'] = 'Self-Registration is currently disabled or conf/users.auth.php is not writable. Please ask your DokuWiki administrator to create your account manually.';
 $lang['oauth login failed'] = 'Your (re)login has failed.';

lang/en/settings.php

@@ -6,10 +6,11 @@
  */
 
 
-$lang['info']            = 'Redirect URI to use when configuring the applications';
+$lang['info'] = 'Redirect URI to use when configuring the applications';
 $lang['custom-redirectURI'] = 'Use the following custom redirect URI';
-$lang['mailRestriction']   = "Limit authentification to users from this domain (optional, must start with an <code>@</code>)";
-$lang['singleService']            = 'Login with single oAuth service only (disables local logins!)';
+$lang['mailRestriction'] = "Limit oAuth authentification to users from this domain (optional, must start with an <code>@</code>). Multiple domains can be separated by commas.";
+$lang['mailEnforcement'] = "Enforce oAuth authentification for users from this domain (optional, must start with an <code>@</code>). Multiple domains can be separated by commas.";
+$lang['singleService'] = 'Login with single oAuth service only (disables local logins!)';
 $lang['singleService_o_'] = 'Allow all services';
 $lang['register-on-auth'] = 'Register authenticated users even if self-registration is disabled in main configuration';
 $lang['overwrite-groups'] = 'Overwrite all DokuWiki user groups by those supplied by provider';