Add function to escape distinguished names (#393)

* Add function to escape distinguished names
* Test if escaping of trailing space works with multi-byte characters

Author: tsschaffert

ldap.go

@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
+	"strings"
 
 	ber "github.com/go-asn1-ber/asn1-ber"
 )
@@ -345,3 +346,43 @@ func EscapeFilter(filter string) string {
 	}
 	return string(buf)
 }
+
+// EscapeDN escapes distinguished names as described in RFC4514. Characters in the
+// set `"+,;<>\` are escaped by prepending a backslash, which is also done for trailing
+// spaces or a leading `#`. Null bytes are replaced with `\00`.
+func EscapeDN(dn string) string {
+	if dn == "" {
+		return ""
+	}
+
+	builder := strings.Builder{}
+
+	for i, r := range dn {
+		// Escape leading and trailing spaces
+		if (i == 0 || i == len(dn)-1) && r == ' ' {
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+			continue
+		}
+
+		// Escape leading '#'
+		if i == 0 && r == '#' {
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+			continue
+		}
+
+		// Escape characters as defined in RFC4514
+		switch r {
+		case '"', '+', ',', ';', '<', '>', '\\':
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+		case '\x00': // Null byte may not be escaped by a leading backslash
+			builder.WriteString("\\00")
+		default:
+			builder.WriteRune(r)
+		}
+	}
+
+	return builder.String()
+}

ldap_test.go

@@ -320,3 +320,27 @@ func Test_addControlDescriptions(t *testing.T) {
 		})
 	}
 }
+
+func TestEscapeDN(t *testing.T) {
+	tests := []struct {
+		name string
+		dn   string
+		want string
+	}{
+		{name: "emptyString", dn: "", want: ""},
+		{name: "comma", dn: "test,user", want: "test\\,user"},
+		{name: "numberSign", dn: "#test#user#", want: "\\#test#user#"},
+		{name: "backslash", dn: "\\test\\user\\", want: "\\\\test\\\\user\\\\"},
+		{name: "whitespaces", dn: "  test user  ", want: "\\  test user \\ "},
+		{name: "nullByte", dn: "\u0000te\x00st\x00user" + string(rune(0)), want: "\\00te\\00st\\00user\\00"},
+		{name: "variousCharacters", dn: "test\"+,;<>\\-_user", want: "test\\\"\\+\\,\\;\\<\\>\\\\-_user"},
+		{name: "multiByteRunes", dn: "test\u0391user ", want: "test\u0391user\\ "},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := EscapeDN(tt.dn); got != tt.want {
+				t.Errorf("EscapeDN(%s) = %s, expected %s", tt.dn, got, tt.want)
+			}
+		})
+	}
+}

v3/ldap.go

@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
+	"strings"
 
 	ber "github.com/go-asn1-ber/asn1-ber"
 )
@@ -345,3 +346,43 @@ func EscapeFilter(filter string) string {
 	}
 	return string(buf)
 }
+
+// EscapeDN escapes distinguished names as described in RFC4514. Characters in the
+// set `"+,;<>\` are escaped by prepending a backslash, which is also done for trailing
+// spaces or a leading `#`. Null bytes are replaced with `\00`.
+func EscapeDN(dn string) string {
+	if dn == "" {
+		return ""
+	}
+
+	builder := strings.Builder{}
+
+	for i, r := range dn {
+		// Escape leading and trailing spaces
+		if (i == 0 || i == len(dn)-1) && r == ' ' {
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+			continue
+		}
+
+		// Escape leading '#'
+		if i == 0 && r == '#' {
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+			continue
+		}
+
+		// Escape characters as defined in RFC4514
+		switch r {
+		case '"', '+', ',', ';', '<', '>', '\\':
+			builder.WriteRune('\\')
+			builder.WriteRune(r)
+		case '\x00': // Null byte may not be escaped by a leading backslash
+			builder.WriteString("\\00")
+		default:
+			builder.WriteRune(r)
+		}
+	}
+
+	return builder.String()
+}

v3/ldap_test.go

@@ -320,3 +320,27 @@ func Test_addControlDescriptions(t *testing.T) {
 		})
 	}
 }
+
+func TestEscapeDN(t *testing.T) {
+	tests := []struct {
+		name string
+		dn   string
+		want string
+	}{
+		{name: "emptyString", dn: "", want: ""},
+		{name: "comma", dn: "test,user", want: "test\\,user"},
+		{name: "numberSign", dn: "#test#user#", want: "\\#test#user#"},
+		{name: "backslash", dn: "\\test\\user\\", want: "\\\\test\\\\user\\\\"},
+		{name: "whitespaces", dn: "  test user  ", want: "\\  test user \\ "},
+		{name: "nullByte", dn: "\u0000te\x00st\x00user" + string(rune(0)), want: "\\00te\\00st\\00user\\00"},
+		{name: "variousCharacters", dn: "test\"+,;<>\\-_user", want: "test\\\"\\+\\,\\;\\<\\>\\\\-_user"},
+		{name: "multiByteRunes", dn: "test\u0391user ", want: "test\u0391user\\ "},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := EscapeDN(tt.dn); got != tt.want {
+				t.Errorf("EscapeDN(%s) = %s, expected %s", tt.dn, got, tt.want)
+			}
+		})
+	}
+}