From 6e46f7cca83063c307c84fcb54cad81cf1da37c8 Mon Sep 17 00:00:00 2001
From: Vincent Rioux <vrioux@ctech.ca>
Date: Thu, 18 Aug 2016 09:01:54 -0400
Subject: [PATCH] Add support for regex in consent.disable Add support for regular expressions in consent.disable to make it easy to disable consent requirement for an entire domain or for trusted domains. We have over 100 SP defines internally and would like to have consent disabled for all of them easily and without having to update the IDP metadata each time we add a new SP. Example consent.disable in IDP metadata : // Disable consent for our SPs 'consent.disable' => array( 'https://mysp.mypartner.com', array('type'=>'regex', 'pattern'=>'/.*\.mycompany\.com.*/i'), ),
---
 modules/consent/lib/Auth/Process/Consent.php | 25 ++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index 572bb3550..33cc0e9fd 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -144,13 +144,34 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
 /**
 * Helper function to check whether consent is disabled.
 *
- * @param mixed $option The consent.disable option. Either an array or a boolean.
+ * @param mixed $option The consent.disable option. Either an array of array, an array or a boolean.
 * @param string $entityIdD The entityID of the SP/IdP.
 * @return boolean TRUE if disabled, FALSE if not.
 */
 private static function checkDisable($option, $entityId) {
 if (is_array($option)) {
- return in_array($entityId, $option, TRUE);
+ // Check if consent.disable array has one element that is an array
+ if (count($option) == count($option, COUNT_RECURSIVE)) {
+ // Array is not multidimensional. Simple in_array search suffices
+ return in_array($entityId, $option, TRUE);
+ } else {
+ // Array contains at least one element that is an array, verify both possibilities
+ if (in_array($entityId, $option, TRUE)) {
+ return true;
+ } else {
+ // Search in multidimensional arrays
+ foreach($optionToTest in $option) {
+ if (is_array($optionToTest)) {
+ if ($optionToTest['type'] == 'regex') {
+ // Evaluate regular expression and return true if entityId matches
+ if (preg_match($optionToTest['pattern'], $entityId) === 1) return true;
+ }
+ }
+ }
+ // Base case : no match
+ return false;
+ }
+ }
 } else {
 return (boolean)$option;
 }
-- GitLab
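Review bot: `foreach($optionToTest in $option)` is not valid PHP, so Consent.php will not parse and the consent filter cannot load at all; the loop has to be written `foreach ($option as $optionToTest)`. Inside the loop, `$optionToTest['type']` and `$optionToTest['pattern']` are read without checking that the keys exist, and the `count()` / `COUNT_RECURSIVE` pre-check adds nothing that a single pass over the entries does not already cover. Because a match removes the consent prompt, the documentation for this option should tell operators to anchor patterns to scheme and host: the commit message's example `/.*\.mycompany\.com.*/i` is unanchored and also matches an entityID that merely contains `.mycompany.com` in its path or as part of a longer hostname. A `preg_match()` failure on a malformed pattern falls through as a non-match, which is fail-safe (consent is still requested) but would be worth a log line. The body of checkDisable continues past the end of the hunk.

```php
    private static function checkDisable($option, $entityId) {
        if (is_array($option)) {
            // Plain string entries are matched exactly against the entityID.
            if (in_array($entityId, $option, TRUE)) {
                return true;
            }
            // Array entries describe a matcher; only type 'regex' is handled.
            foreach ($option as $optionToTest) {
                if (!is_array($optionToTest) || !isset($optionToTest['type'], $optionToTest['pattern'])) {
                    continue;
                }
                if ($optionToTest['type'] === 'regex' && preg_match($optionToTest['pattern'], $entityId) === 1) {
                    return true;
                }
            }
            // No exact entry and no pattern matched: consent stays enabled.
            return false;
        // … unchanged: else branch returning (boolean)$option …
```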