<?php /* vim: set expandtab tabstop=4 shiftwidth=4: */ /** * File containing the Net_LDAP2_Util interface class. * * PHP version 5 * * @category Net * @package Net_LDAP2 * @author Benedikt Hallinger <beni@php.net> * @copyright 2009 Benedikt Hallinger * @license http://www.gnu.org/licenses/lgpl-3.0.txt LGPLv3 * @version SVN: $Id: Util.php 286718 2009-08-03 07:30:49Z beni $ * @link http://pear.php.net/package/Net_LDAP2/ */ /** * Includes */ require_once 'PEAR.php'; /** * Utility Class for Net_LDAP2 * * This class servers some functionality to the other classes of Net_LDAP2 but most of * the methods can be used separately as well. * * @category Net * @package Net_LDAP2 * @author Benedikt Hallinger <beni@php.net> * @license http://www.gnu.org/copyleft/lesser.html LGPL * @link http://pear.php.net/package/Net_LDAP22/ */ class Net_LDAP2_Util extends PEAR { /** * Constructor * * @access public */ public function __construct() { // We do nothing here, since all methods can be called statically. // In Net_LDAP <= 0.7, we needed a instance of Util, because // it was possible to do utf8 encoding and decoding, but this // has been moved to the LDAP class. The constructor remains only // here to document the downward compatibility of creating an instance. } /** * Explodes the given DN into its elements * * {@link http://www.ietf.org/rfc/rfc2253.txt RFC 2253} says, a Distinguished Name is a sequence * of Relative Distinguished Names (RDNs), which themselves * are sets of Attributes. For each RDN a array is constructed where the RDN part is stored. * * For example, the DN 'OU=Sales+CN=J. Smith,DC=example,DC=net' is exploded to: * <kbd>array( [0] => array([0] => 'OU=Sales', [1] => 'CN=J. Smith'), [2] => 'DC=example', [3] => 'DC=net' )</kbd> * * [NOT IMPLEMENTED] DNs might also contain values, which are the bytes of the BER encoding of * the X.500 AttributeValue rather than some LDAP string syntax. These values are hex-encoded * and prefixed with a #. To distinguish such BER values, ldap_explode_dn uses references to * the actual values, e.g. '1.3.6.1.4.1.1466.0=#04024869,DC=example,DC=com' is exploded to: * [ { '1.3.6.1.4.1.1466.0' => "\004\002Hi" }, { 'DC' => 'example' }, { 'DC' => 'com' } ]; * See {@link http://www.vijaymukhi.com/vmis/berldap.htm} for more information on BER. * * It also performs the following operations on the given DN: * - Unescape "\" followed by ",", "+", """, "\", "<", ">", ";", "#", "=", " ", or a hexpair * and strings beginning with "#". * - Removes the leading 'OID.' characters if the type is an OID instead of a name. * - If an RDN contains multiple parts, the parts are re-ordered so that the attribute type names are in alphabetical order. * * OPTIONS is a list of name/value pairs, valid options are: * casefold Controls case folding of attribute types names. * Attribute values are not affected by this option. * The default is to uppercase. Valid values are: * lower Lowercase attribute types names. * upper Uppercase attribute type names. This is the default. * none Do not change attribute type names. * reverse If TRUE, the RDN sequence is reversed. * onlyvalues If TRUE, then only attributes values are returned ('foo' instead of 'cn=foo') * * @param string $dn The DN that should be exploded * @param array $options Options to use * * @static * @return array Parts of the exploded DN * @todo implement BER */ public static function ldap_explode_dn($dn, $options = array('casefold' => 'upper')) { if (!isset($options['onlyvalues'])) $options['onlyvalues'] = false; if (!isset($options['reverse'])) $options['reverse'] = false; if (!isset($options['casefold'])) $options['casefold'] = 'upper'; // Escaping of DN and stripping of "OID." $dn = self::canonical_dn($dn, array('casefold' => $options['casefold'])); // splitting the DN $dn_array = preg_split('/(?<=[^\\\\]),/', $dn); // clear wrong splitting (possibly we have split too much) // /!\ Not clear, if this is neccessary here //$dn_array = self::correct_dn_splitting($dn_array, ','); // construct subarrays for multivalued RDNs and unescape DN value // also convert to output format and apply casefolding foreach ($dn_array as $key => $value) { $value_u = self::unescape_dn_value($value); $rdns = self::split_rdn_multival($value_u[0]); if (count($rdns) > 1) { // MV RDN! foreach ($rdns as $subrdn_k => $subrdn_v) { // Casefolding if ($options['casefold'] == 'upper') $subrdn_v = preg_replace("/^(\w+=)/e", "''.strtoupper('\\1').''", $subrdn_v); if ($options['casefold'] == 'lower') $subrdn_v = preg_replace("/^(\w+=)/e", "''.strtolower('\\1').''", $subrdn_v); if ($options['onlyvalues']) { preg_match('/(.+?)(?<!\\\\)=(.+)/', $subrdn_v, $matches); $rdn_ocl = $matches[1]; $rdn_val = $matches[2]; $unescaped = self::unescape_dn_value($rdn_val); $rdns[$subrdn_k] = $unescaped[0]; } else { $unescaped = self::unescape_dn_value($subrdn_v); $rdns[$subrdn_k] = $unescaped[0]; } } $dn_array[$key] = $rdns; } else { // normal RDN // Casefolding if ($options['casefold'] == 'upper') $value = preg_replace("/^(\w+=)/e", "''.strtoupper('\\1').''", $value); if ($options['casefold'] == 'lower') $value = preg_replace("/^(\w+=)/e", "''.strtolower('\\1').''", $value); if ($options['onlyvalues']) { preg_match('/(.+?)(?<!\\\\)=(.+)/', $value, $matches); $dn_ocl = $matches[1]; $dn_val = $matches[2]; $unescaped = self::unescape_dn_value($dn_val); $dn_array[$key] = $unescaped[0]; } else { $unescaped = self::unescape_dn_value($value); $dn_array[$key] = $unescaped[0]; } } } if ($options['reverse']) { return array_reverse($dn_array); } else { return $dn_array; } } /** * Escapes a DN value according to RFC 2253 * * Escapes the given VALUES according to RFC 2253 so that they can be safely used in LDAP DNs. * The characters ",", "+", """, "\", "<", ">", ";", "#", "=" with a special meaning in RFC 2252 * are preceeded by ba backslash. Control characters with an ASCII code < 32 are represented as \hexpair. * Finally all leading and trailing spaces are converted to sequences of \20. * * @param array $values An array containing the DN values that should be escaped * * @static * @return array The array $values, but escaped */ public static function escape_dn_value($values = array()) { // Parameter validation if (!is_array($values)) { $values = array($values); } foreach ($values as $key => $val) { // Escaping of filter meta characters $val = str_replace('\\', '\\\\', $val); $val = str_replace(',', '\,', $val); $val = str_replace('+', '\+', $val); $val = str_replace('"', '\"', $val); $val = str_replace('<', '\<', $val); $val = str_replace('>', '\>', $val); $val = str_replace(';', '\;', $val); $val = str_replace('#', '\#', $val); $val = str_replace('=', '\=', $val); // ASCII < 32 escaping $val = self::asc2hex32($val); // Convert all leading and trailing spaces to sequences of \20. if (preg_match('/^(\s*)(.+?)(\s*)$/', $val, $matches)) { $val = $matches[2]; for ($i = 0; $i < strlen($matches[1]); $i++) { $val = '\20'.$val; } for ($i = 0; $i < strlen($matches[3]); $i++) { $val = $val.'\20'; } } if (null === $val) $val = '\0'; // apply escaped "null" if string is empty $values[$key] = $val; } return $values; } /** * Undoes the conversion done by escape_dn_value(). * * Any escape sequence starting with a baskslash - hexpair or special character - * will be transformed back to the corresponding character. * * @param array $values Array of DN Values * * @return array Same as $values, but unescaped * @static */ public static function unescape_dn_value($values = array()) { // Parameter validation if (!is_array($values)) { $values = array($values); } foreach ($values as $key => $val) { // strip slashes from special chars $val = str_replace('\\\\', '\\', $val); $val = str_replace('\,', ',', $val); $val = str_replace('\+', '+', $val); $val = str_replace('\"', '"', $val); $val = str_replace('\<', '<', $val); $val = str_replace('\>', '>', $val); $val = str_replace('\;', ';', $val); $val = str_replace('\#', '#', $val); $val = str_replace('\=', '=', $val); // Translate hex code into ascii $values[$key] = self::hex2asc($val); } return $values; } /** * Returns the given DN in a canonical form * * Returns false if DN is not a valid Distinguished Name. * DN can either be a string or an array * as returned by ldap_explode_dn, which is useful when constructing a DN. * The DN array may have be indexed (each array value is a OCL=VALUE pair) * or associative (array key is OCL and value is VALUE). * * It performs the following operations on the given DN: * - Removes the leading 'OID.' characters if the type is an OID instead of a name. * - Escapes all RFC 2253 special characters (",", "+", """, "\", "<", ">", ";", "#", "="), slashes ("/"), and any other character where the ASCII code is < 32 as \hexpair. * - Converts all leading and trailing spaces in values to be \20. * - If an RDN contains multiple parts, the parts are re-ordered so that the attribute type names are in alphabetical order. * * OPTIONS is a list of name/value pairs, valid options are: * casefold Controls case folding of attribute type names. * Attribute values are not affected by this option. The default is to uppercase. * Valid values are: * lower Lowercase attribute type names. * upper Uppercase attribute type names. This is the default. * none Do not change attribute type names. * [NOT IMPLEMENTED] mbcescape If TRUE, characters that are encoded as a multi-octet UTF-8 sequence will be escaped as \(hexpair){2,*}. * reverse If TRUE, the RDN sequence is reversed. * separator Separator to use between RDNs. Defaults to comma (','). * * Note: The empty string "" is a valid DN, so be sure not to do a "$can_dn == false" test, * because an empty string evaluates to false. Use the "===" operator instead. * * @param array|string $dn The DN * @param array $options Options to use * * @static * @return false|string The canonical DN or FALSE * @todo implement option mbcescape */ public static function canonical_dn($dn, $options = array('casefold' => 'upper', 'separator' => ',')) { if ($dn === '') return $dn; // empty DN is valid! // options check if (!isset($options['reverse'])) { $options['reverse'] = false; } else { $options['reverse'] = true; } if (!isset($options['casefold'])) $options['casefold'] = 'upper'; if (!isset($options['separator'])) $options['separator'] = ','; if (!is_array($dn)) { // It is not clear to me if the perl implementation splits by the user defined // separator or if it just uses this separator to construct the new DN $dn = preg_split('/(?<=[^\\\\])'.$options['separator'].'/', $dn); // clear wrong splitting (possibly we have split too much) $dn = self::correct_dn_splitting($dn, $options['separator']); } else { // Is array, check, if the array is indexed or associative $assoc = false; foreach ($dn as $dn_key => $dn_part) { if (!is_int($dn_key)) { $assoc = true; } } // convert to indexed, if associative array detected if ($assoc) { $newdn = array(); foreach ($dn as $dn_key => $dn_part) { if (is_array($dn_part)) { ksort($dn_part, SORT_STRING); // we assume here, that the rdn parts are also associative $newdn[] = $dn_part; // copy array as-is, so we can resolve it later } else { $newdn[] = $dn_key.'='.$dn_part; } } $dn =& $newdn; } } // Escaping and casefolding foreach ($dn as $pos => $dnval) { if (is_array($dnval)) { // subarray detected, this means very surely, that we had // a multivalued dn part, which must be resolved $dnval_new = ''; foreach ($dnval as $subkey => $subval) { // build RDN part if (!is_int($subkey)) { $subval = $subkey.'='.$subval; } $subval_processed = self::canonical_dn($subval); if (false === $subval_processed) return false; $dnval_new .= $subval_processed.'+'; } $dn[$pos] = substr($dnval_new, 0, -1); // store RDN part, strip last plus } else { // try to split multivalued RDNS into array $rdns = self::split_rdn_multival($dnval); if (count($rdns) > 1) { // Multivalued RDN was detected! // The RDN value is expected to be correctly split by split_rdn_multival(). // It's time to sort the RDN and build the DN! $rdn_string = ''; sort($rdns, SORT_STRING); // Sort RDN keys alphabetically foreach ($rdns as $rdn) { $subval_processed = self::canonical_dn($rdn); if (false === $subval_processed) return false; $rdn_string .= $subval_processed.'+'; } $dn[$pos] = substr($rdn_string, 0, -1); // store RDN part, strip last plus } else { // no multivalued RDN! // split at first unescaped "=" $dn_comp = preg_split('/(?<=[^\\\\])=/', $rdns[0], 2); $ocl = ltrim($dn_comp[0]); // trim left whitespaces 'cause of "cn=foo, l=bar" syntax (whitespace after comma) $val = $dn_comp[1]; // strip 'OID.', otherwise apply casefolding and escaping if (substr(strtolower($ocl), 0, 4) == 'oid.') { $ocl = substr($ocl, 4); } else { if ($options['casefold'] == 'upper') $ocl = strtoupper($ocl); if ($options['casefold'] == 'lower') $ocl = strtolower($ocl); $ocl = self::escape_dn_value(array($ocl)); $ocl = $ocl[0]; } // escaping of dn-value $val = self::escape_dn_value(array($val)); $val = str_replace('/', '\/', $val[0]); $dn[$pos] = $ocl.'='.$val; } } } if ($options['reverse']) $dn = array_reverse($dn); return implode($options['separator'], $dn); } /** * Escapes the given VALUES according to RFC 2254 so that they can be safely used in LDAP filters. * * Any control characters with an ACII code < 32 as well as the characters with special meaning in * LDAP filters "*", "(", ")", and "\" (the backslash) are converted into the representation of a * backslash followed by two hex digits representing the hexadecimal value of the character. * * @param array $values Array of values to escape * * @static * @return array Array $values, but escaped */ public static function escape_filter_value($values = array()) { // Parameter validation if (!is_array($values)) { $values = array($values); } foreach ($values as $key => $val) { // Escaping of filter meta characters $val = str_replace('\\', '\5c', $val); $val = str_replace('*', '\2a', $val); $val = str_replace('(', '\28', $val); $val = str_replace(')', '\29', $val); // ASCII < 32 escaping $val = self::asc2hex32($val); if (null === $val) $val = '\0'; // apply escaped "null" if string is empty $values[$key] = $val; } return $values; } /** * Undoes the conversion done by {@link escape_filter_value()}. * * Converts any sequences of a backslash followed by two hex digits into the corresponding character. * * @param array $values Array of values to escape * * @static * @return array Array $values, but unescaped */ public static function unescape_filter_value($values = array()) { // Parameter validation if (!is_array($values)) { $values = array($values); } foreach ($values as $key => $value) { // Translate hex code into ascii $values[$key] = self::hex2asc($value); } return $values; } /** * Converts all ASCII chars < 32 to "\HEX" * * @param string $string String to convert * * @static * @return string */ public static function asc2hex32($string) { for ($i = 0; $i < strlen($string); $i++) { $char = substr($string, $i, 1); if (ord($char) < 32) { $hex = dechex(ord($char)); if (strlen($hex) == 1) $hex = '0'.$hex; $string = str_replace($char, '\\'.$hex, $string); } } return $string; } /** * Converts all Hex expressions ("\HEX") to their original ASCII characters * * @param string $string String to convert * * @static * @author beni@php.net, heavily based on work from DavidSmith@byu.net * @return string */ public static function hex2asc($string) { $string = preg_replace("/\\\([0-9A-Fa-f]{2})/e", "''.chr(hexdec('\\1')).''", $string); return $string; } /** * Split an multivalued RDN value into an Array * * A RDN can contain multiple values, spearated by a plus sign. * This function returns each separate ocl=value pair of the RDN part. * * If no multivalued RDN is detected, an array containing only * the original rdn part is returned. * * For example, the multivalued RDN 'OU=Sales+CN=J. Smith' is exploded to: * <kbd>array([0] => 'OU=Sales', [1] => 'CN=J. Smith')</kbd> * * The method trys to be smart if it encounters unescaped "+" characters, but may fail, * so ensure escaped "+"es in attr names and attr values. * * [BUG] If you have a multivalued RDN with unescaped plus characters * and there is a unescaped plus sign at the end of an value followed by an * attribute name containing an unescaped plus, then you will get wrong splitting: * $rdn = 'OU=Sales+C+N=J. Smith'; * returns: * array('OU=Sales+C', 'N=J. Smith'); * The "C+" is treaten as value of the first pair instead as attr name of the second pair. * To prevent this, escape correctly. * * @param string $rdn Part of an (multivalued) escaped RDN (eg. ou=foo OR ou=foo+cn=bar) * * @static * @return array Array with the components of the multivalued RDN or Error */ public static function split_rdn_multival($rdn) { $rdns = preg_split('/(?<!\\\\)\+/', $rdn); $rdns = self::correct_dn_splitting($rdns, '+'); return array_values($rdns); } /** * Splits a attribute=value syntax into an array * * The split will occur at the first unescaped '=' character. * * @param string $attr Attribute and Value Syntax * * @return array Indexed array: 0=attribute name, 1=attribute value */ public static function split_attribute_string($attr) { return preg_split('/(?<!\\\\)=/', $attr, 2); } /** * Corrects splitting of dn parts * * @param array $dn Raw DN array * @param array $separator Separator that was used when splitting * * @return array Corrected array * @access protected */ protected static function correct_dn_splitting($dn = array(), $separator = ',') { foreach ($dn as $key => $dn_value) { $dn_value = $dn[$key]; // refresh value (foreach caches!) // if the dn_value is not in attr=value format, then we had an // unescaped separator character inside the attr name or the value. // We assume, that it was the attribute value. // [TODO] To solve this, we might ask the schema. Keep in mind, that UTIL class // must remain independent from the other classes or connections. if (!preg_match('/.+(?<!\\\\)=.+/', $dn_value)) { unset($dn[$key]); if (array_key_exists($key-1, $dn)) { $dn[$key-1] = $dn[$key-1].$separator.$dn_value; // append to previous attr value } else { $dn[$key+1] = $dn_value.$separator.$dn[$key+1]; // first element: prepend to next attr name } } } return array_values($dn); } } ?>