From ee25f5a93748b650105c6cea45f251bc4477a332 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Mon, 3 Mar 2025 10:31:14 +0100
Subject: [PATCH] Allow banning/alllowing usernames patterns during registration

---
 policies/register/register.rego | 22 ++++++++++++++++++++++
 policies/register/register_test.rego | 14 ++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/policies/register/register.rego b/policies/register/register.rego
index 6189c3926..6a36f9611 100644
--- a/policies/register/register.rego
+++ b/policies/register/register.rego
@@ -14,6 +14,14 @@ allow if {
 count(violation) == 0
 }
 
+username_allowed if {
+ not data.registration.allowed_usernames
+}
+
+username_allowed if {
+ common.matches_string_constraints(input.username, data.registration.allowed_usernames)
+}
+
 # METADATA
 # entrypoint: true
 violation contains {"field": "username", "code": "username-too-short", "msg": "username too short"} if {
@@ -39,6 +47,20 @@ violation contains {
 not regex.match(`^[a-z0-9.=_/-]+$`, input.username)
 }
 
+violation contains {
+ "field": "username", "code": "username-banned",
+ "msg": "username is banned",
+} if {
+ common.matches_string_constraints(input.username, data.registration.banned_usernames)
+}
+
+violation contains {
+ "field": "username", "code": "username-not-allowed",
+ "msg": "username is not allowed",
+} if {
+ not username_allowed
+}
+
 violation contains {"msg": "unspecified registration method"} if {
 not input.registration_method
 }
diff --git a/policies/register/register_test.rego b/policies/register/register_test.rego
index 51105ea39..040cdcc5d 100644
--- a/policies/register/register_test.rego
+++ b/policies/register/register_test.rego
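Review bot: The first `username_allowed` rule makes the allowlist fail-open: when `data.registration.allowed_usernames` is absent every username passes, so a missing or mistyped data key silently disables an allowlist the operator believes is enforced, and the rule does not say so. A comment above the two rules would make the contract explicit: `# Allowlist is opt-in: with no allowed_usernames in data every username passes; once it is configured, only usernames matching its constraints are accepted.` The second rule hands `input.username` straight to `common.matches_string_constraints`, which is not in this diff, so whether an allowlist that is present but empty (`{}` or `literals: []`) rejects everyone or admits everyone depends entirely on that helper; that edge is worth deciding deliberately and documenting next to the rule, since it is the difference between a fail-closed and a fail-open policy.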
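Review bot: Both new violations match on the raw `input.username`, and the character-set rule at the top of the same hunk (`^[a-z0-9.=_/-]+$`) only lets lowercase names through, so a `banned_usernames` literal containing uppercase letters (say `Admin`) can never match an otherwise-accepted username unless `common.matches_string_constraints` normalises case, which this diff does not show. I would add a comment on the banned rule, `# Entries must use the same lowercase alphabet as the username regex above; matching is on the raw input.username.`, or have the helper fold case on both sides if case-insensitive bans are intended. The two rules are also evaluated independently, so a name present on both lists still produces `username-banned` and registration is refused; that precedence is the right one but is undocumented, and a one-line `# A ban always wins over the allowlist.` would make it explicit.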
@@ -75,6 +75,20 @@ test_numeric_username if {
 not register.allow with input as {"username": "1234", "registration_method": "upstream-oauth2"}
 }
 
+test_allowed_username if {
+ register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+ with data.registration.allowed_usernames.literals as ["hello"]
+ not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+ with data.registration.allowed_usernames.literals as ["world"]
+}
+
+test_banned_username if {
+ not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+ with data.registration.banned_usernames.literals as ["hello"]
+ register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
+ with data.registration.banned_usernames.literals as ["world"]
+}
+
 test_ip_ban if {
 not register.allow with input as {
 "username": "hello",
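Review bot: The two new tests exercise each list in isolation, so the two cases where the policy's safety actually matters are untested: a username that is both allowed and banned (the ban must win), and an allowlist that is configured but empty, which is where fail-closed versus fail-open is decided by `common.matches_string_constraints` rather than by anything visible in this patch. The expected outcome of the second test below is my reading of what an allowlist should do (reject everyone); if the helper admits everyone instead, flip the assertion, but pin it either way so a later change to the helper cannot silently widen registration. Both tests use only the `literals` key the existing tests already rely on.

```rego
# … unchanged: test_allowed_username, test_banned_username …

test_banned_username_overrides_allowlist if {
    not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
        with data.registration.allowed_usernames.literals as ["hello"]
        with data.registration.banned_usernames.literals as ["hello"]
}

test_empty_allowlist_rejects_everyone if {
    not register.allow with input as {"username": "hello", "registration_method": "upstream-oauth2"}
        with data.registration.allowed_usernames.literals as []
}
```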