enh: regex pattern support for groups

2025-12-12 04:15:25 +00:00 · 2025-09-03 18:50:02 +04:00 · 2025-09-03 18:50:02 +04:00 · df66e21472
commit df66e21472
parent 51fc792501
1 changed files with 49 additions and 2 deletions
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -5,6 +5,9 @@ import sys
 import uuid
 import json

+import re
+import fnmatch
+
 import aiohttp
 from authlib.integrations.starlette_client import OAuth
 from authlib.oidc.core import UserInfo
@ -79,6 +82,50 @@ auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
 auth_manager_config.OAUTH_UPDATE_PICTURE_ON_LOGIN = OAUTH_UPDATE_PICTURE_ON_LOGIN


+def is_in_blocked_groups(group_name: str, groups: list) -> bool:
+    """
+    Check if a group name matches any blocked pattern.
+    Supports exact matches, shell-style wildcards (*, ?), and regex patterns.
+
+    Args:
+        group_name: The group name to check
+        groups: List of patterns to match against
+
+    Returns:
+        True if the group is blocked, False otherwise
+    """
+    if not groups:
+        return False
+
+    for group_pattern in groups:
+        if not group_pattern:  # Skip empty patterns
+            continue
+
+        # Exact match
+        if group_name == group_pattern:
+            return True
+
+        # Try as regex pattern first if it contains regex-specific characters
+        if any(
+            char in group_pattern
+            for char in ["^", "$", "[", "]", "(", ")", "{", "}", "+", "\\", "|"]
+        ):
+            try:
+                # Use the original pattern as-is for regex matching
+                if re.search(group_pattern, group_name):
+                    return True
+            except re.error:
+                # If regex is invalid, fall through to wildcard check
+                pass
+
+        # Shell-style wildcard match (supports * and ?)
+        if "*" in group_pattern or "?" in group_pattern:
+            if fnmatch.fnmatch(group_name, group_pattern):
+                return True
+
+    return False
+
+
 class OAuthManager:
    def __init__(self, app):
        self.oauth = OAuth()
@ -238,7 +285,7 @@ class OAuthManager:
            if (
                user_oauth_groups
                and group_model.name not in user_oauth_groups
-                and group_model.name not in blocked_groups
+                and not is_in_blocked_groups(group_model.name, blocked_groups)
            ):
                # Remove group from user
                log.debug(
@ -269,7 +316,7 @@ class OAuthManager:
                user_oauth_groups
                and group_model.name in user_oauth_groups
                and not any(gm.name == group_model.name for gm in user_current_groups)
-                and group_model.name not in blocked_groups
+                and not is_in_blocked_groups(group_model.name, blocked_groups)
            ):
                # Add user to group
                log.debug(