You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

247 lines
7.4 KiB

  1. // File contains DN parsing functionality
  2. //
  3. // https://tools.ietf.org/html/rfc4514
  4. //
  5. // distinguishedName = [ relativeDistinguishedName
  6. // *( COMMA relativeDistinguishedName ) ]
  7. // relativeDistinguishedName = attributeTypeAndValue
  8. // *( PLUS attributeTypeAndValue )
  9. // attributeTypeAndValue = attributeType EQUALS attributeValue
  10. // attributeType = descr / numericoid
  11. // attributeValue = string / hexstring
  12. //
  13. // ; The following characters are to be escaped when they appear
  14. // ; in the value to be encoded: ESC, one of <escaped>, leading
  15. // ; SHARP or SPACE, trailing SPACE, and NULL.
  16. // string = [ ( leadchar / pair ) [ *( stringchar / pair )
  17. // ( trailchar / pair ) ] ]
  18. //
  19. // leadchar = LUTF1 / UTFMB
  20. // LUTF1 = %x01-1F / %x21 / %x24-2A / %x2D-3A /
  21. // %x3D / %x3F-5B / %x5D-7F
  22. //
  23. // trailchar = TUTF1 / UTFMB
  24. // TUTF1 = %x01-1F / %x21 / %x23-2A / %x2D-3A /
  25. // %x3D / %x3F-5B / %x5D-7F
  26. //
  27. // stringchar = SUTF1 / UTFMB
  28. // SUTF1 = %x01-21 / %x23-2A / %x2D-3A /
  29. // %x3D / %x3F-5B / %x5D-7F
  30. //
  31. // pair = ESC ( ESC / special / hexpair )
  32. // special = escaped / SPACE / SHARP / EQUALS
  33. // escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
  34. // hexstring = SHARP 1*hexpair
  35. // hexpair = HEX HEX
  36. //
  37. // where the productions <descr>, <numericoid>, <COMMA>, <DQUOTE>,
  38. // <EQUALS>, <ESC>, <HEX>, <LANGLE>, <NULL>, <PLUS>, <RANGLE>, <SEMI>,
  39. // <SPACE>, <SHARP>, and <UTFMB> are defined in [RFC4512].
  40. //
  41. package ldap
  42. import (
  43. "bytes"
  44. enchex "encoding/hex"
  45. "errors"
  46. "fmt"
  47. "strings"
  48. "gopkg.in/asn1-ber.v1"
  49. )
  50. // AttributeTypeAndValue represents an attributeTypeAndValue from https://tools.ietf.org/html/rfc4514
  51. type AttributeTypeAndValue struct {
  52. // Type is the attribute type
  53. Type string
  54. // Value is the attribute value
  55. Value string
  56. }
  57. // RelativeDN represents a relativeDistinguishedName from https://tools.ietf.org/html/rfc4514
  58. type RelativeDN struct {
  59. Attributes []*AttributeTypeAndValue
  60. }
  61. // DN represents a distinguishedName from https://tools.ietf.org/html/rfc4514
  62. type DN struct {
  63. RDNs []*RelativeDN
  64. }
  65. // ParseDN returns a distinguishedName or an error
  66. func ParseDN(str string) (*DN, error) {
  67. dn := new(DN)
  68. dn.RDNs = make([]*RelativeDN, 0)
  69. rdn := new(RelativeDN)
  70. rdn.Attributes = make([]*AttributeTypeAndValue, 0)
  71. buffer := bytes.Buffer{}
  72. attribute := new(AttributeTypeAndValue)
  73. escaping := false
  74. unescapedTrailingSpaces := 0
  75. stringFromBuffer := func() string {
  76. s := buffer.String()
  77. s = s[0 : len(s)-unescapedTrailingSpaces]
  78. buffer.Reset()
  79. unescapedTrailingSpaces = 0
  80. return s
  81. }
  82. for i := 0; i < len(str); i++ {
  83. char := str[i]
  84. switch {
  85. case escaping:
  86. unescapedTrailingSpaces = 0
  87. escaping = false
  88. switch char {
  89. case ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\\':
  90. buffer.WriteByte(char)
  91. continue
  92. }
  93. // Not a special character, assume hex encoded octet
  94. if len(str) == i+1 {
  95. return nil, errors.New("got corrupted escaped character")
  96. }
  97. dst := []byte{0}
  98. n, err := enchex.Decode([]byte(dst), []byte(str[i:i+2]))
  99. if err != nil {
  100. return nil, fmt.Errorf("failed to decode escaped character: %s", err)
  101. } else if n != 1 {
  102. return nil, fmt.Errorf("expected 1 byte when un-escaping, got %d", n)
  103. }
  104. buffer.WriteByte(dst[0])
  105. i++
  106. case char == '\\':
  107. unescapedTrailingSpaces = 0
  108. escaping = true
  109. case char == '=':
  110. attribute.Type = stringFromBuffer()
  111. // Special case: If the first character in the value is # the
  112. // following data is BER encoded so we can just fast forward
  113. // and decode.
  114. if len(str) > i+1 && str[i+1] == '#' {
  115. i += 2
  116. index := strings.IndexAny(str[i:], ",+")
  117. data := str
  118. if index > 0 {
  119. data = str[i : i+index]
  120. } else {
  121. data = str[i:]
  122. }
  123. rawBER, err := enchex.DecodeString(data)
  124. if err != nil {
  125. return nil, fmt.Errorf("failed to decode BER encoding: %s", err)
  126. }
  127. packet, err := ber.DecodePacketErr(rawBER)
  128. if err != nil {
  129. return nil, fmt.Errorf("failed to decode BER packet: %s", err)
  130. }
  131. buffer.WriteString(packet.Data.String())
  132. i += len(data) - 1
  133. }
  134. case char == ',' || char == '+':
  135. // We're done with this RDN or value, push it
  136. if len(attribute.Type) == 0 {
  137. return nil, errors.New("incomplete type, value pair")
  138. }
  139. attribute.Value = stringFromBuffer()
  140. rdn.Attributes = append(rdn.Attributes, attribute)
  141. attribute = new(AttributeTypeAndValue)
  142. if char == ',' {
  143. dn.RDNs = append(dn.RDNs, rdn)
  144. rdn = new(RelativeDN)
  145. rdn.Attributes = make([]*AttributeTypeAndValue, 0)
  146. }
  147. case char == ' ' && buffer.Len() == 0:
  148. // ignore unescaped leading spaces
  149. continue
  150. default:
  151. if char == ' ' {
  152. // Track unescaped spaces in case they are trailing and we need to remove them
  153. unescapedTrailingSpaces++
  154. } else {
  155. // Reset if we see a non-space char
  156. unescapedTrailingSpaces = 0
  157. }
  158. buffer.WriteByte(char)
  159. }
  160. }
  161. if buffer.Len() > 0 {
  162. if len(attribute.Type) == 0 {
  163. return nil, errors.New("DN ended with incomplete type, value pair")
  164. }
  165. attribute.Value = stringFromBuffer()
  166. rdn.Attributes = append(rdn.Attributes, attribute)
  167. dn.RDNs = append(dn.RDNs, rdn)
  168. }
  169. return dn, nil
  170. }
  171. // Equal returns true if the DNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
  172. // Returns true if they have the same number of relative distinguished names
  173. // and corresponding relative distinguished names (by position) are the same.
  174. func (d *DN) Equal(other *DN) bool {
  175. if len(d.RDNs) != len(other.RDNs) {
  176. return false
  177. }
  178. for i := range d.RDNs {
  179. if !d.RDNs[i].Equal(other.RDNs[i]) {
  180. return false
  181. }
  182. }
  183. return true
  184. }
  185. // AncestorOf returns true if the other DN consists of at least one RDN followed by all the RDNs of the current DN.
  186. // "ou=widgets,o=acme.com" is an ancestor of "ou=sprockets,ou=widgets,o=acme.com"
  187. // "ou=widgets,o=acme.com" is not an ancestor of "ou=sprockets,ou=widgets,o=foo.com"
  188. // "ou=widgets,o=acme.com" is not an ancestor of "ou=widgets,o=acme.com"
  189. func (d *DN) AncestorOf(other *DN) bool {
  190. if len(d.RDNs) >= len(other.RDNs) {
  191. return false
  192. }
  193. // Take the last `len(d.RDNs)` RDNs from the other DN to compare against
  194. otherRDNs := other.RDNs[len(other.RDNs)-len(d.RDNs):]
  195. for i := range d.RDNs {
  196. if !d.RDNs[i].Equal(otherRDNs[i]) {
  197. return false
  198. }
  199. }
  200. return true
  201. }
  202. // Equal returns true if the RelativeDNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
  203. // Relative distinguished names are the same if and only if they have the same number of AttributeTypeAndValues
  204. // and each attribute of the first RDN is the same as the attribute of the second RDN with the same attribute type.
  205. // The order of attributes is not significant.
  206. // Case of attribute types is not significant.
  207. func (r *RelativeDN) Equal(other *RelativeDN) bool {
  208. if len(r.Attributes) != len(other.Attributes) {
  209. return false
  210. }
  211. return r.hasAllAttributes(other.Attributes) && other.hasAllAttributes(r.Attributes)
  212. }
  213. func (r *RelativeDN) hasAllAttributes(attrs []*AttributeTypeAndValue) bool {
  214. for _, attr := range attrs {
  215. found := false
  216. for _, myattr := range r.Attributes {
  217. if myattr.Equal(attr) {
  218. found = true
  219. break
  220. }
  221. }
  222. if !found {
  223. return false
  224. }
  225. }
  226. return true
  227. }
  228. // Equal returns true if the AttributeTypeAndValue is equivalent to the specified AttributeTypeAndValue
  229. // Case of the attribute type is not significant
  230. func (a *AttributeTypeAndValue) Equal(other *AttributeTypeAndValue) bool {
  231. return strings.EqualFold(a.Type, other.Type) && a.Value == other.Value
  232. }