vendor/adldap2/adldap2/src/Objects/AccountControl.php

   1 <?php
   2
   3 namespace Adldap\Objects;
   4
   5 /**
   6  * The Account Control class.
   7  *
   8  * This class is for easily building a user account control value.
   9  *
  10  * https://support.microsoft.com/en-us/kb/305144
  11  */
  12 class AccountControl
  13 {
  14     const SCRIPT = 1;
  15
  16     const ACCOUNTDISABLE = 2;
  17
  18     const HOMEDIR_REQUIRED = 8;
  19
  20     const LOCKOUT = 16;
  21
  22     const PASSWD_NOTREQD = 32;
  23
  24     const ENCRYPTED_TEXT_PWD_ALLOWED = 128;
  25
  26     const TEMP_DUPLICATE_ACCOUNT = 256;
  27
  28     const NORMAL_ACCOUNT = 512;
  29
  30     const INTERDOMAIN_TRUST_ACCOUNT = 2048;
  31
  32     const WORKSTATION_TRUST_ACCOUNT = 4096;
  33
  34     const SERVER_TRUST_ACCOUNT = 8192;
  35
  36     const DONT_EXPIRE_PASSWORD = 65536;
  37
  38     const MNS_LOGON_ACCOUNT = 131072;
  39
  40     const SMARTCARD_REQUIRED = 262144;
  41
  42     const TRUSTED_FOR_DELEGATION = 524288;
  43
  44     const NOT_DELEGATED = 1048576;
  45
  46     const USE_DES_KEY_ONLY = 2097152;
  47
  48     const DONT_REQ_PREAUTH = 4194304;
  49
  50     const PASSWORD_EXPIRED = 8388608;
  51
  52     const TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216;
  53
  54     const PARTIAL_SECRETS_ACCOUNT = 67108864;
  55
  56     /**
  57      * Stores the values to be added together to
  58      * build the user account control integer.
  59      *
  60      * @var array
  61      */
  62     protected $values = [];
  63
  64     /**
  65      * Constructor.
  66      *
  67      * @param int $flag
  68      */
  69     public function __construct($flag = null)
  70     {
  71         if (!is_null($flag)) {
  72             $this->apply($flag);
  73         }
  74     }
  75
  76     /**
  77      * Returns the account control integer as a string
  78      * when the object is casted as a string.
  79      *
  80      * @return string
  81      */
  82     public function __toString()
  83     {
  84         return (string) $this->getValue();
  85     }
  86
  87     /**
  88      * Returns the account control integer when
  89      * the object is casted as an integer.
  90      *
  91      * @return int
  92      */
  93     public function __toInt()
  94     {
  95         return $this->getValue();
  96     }
  97
  98     /**
  99      * Applies the specified flag.
 100      *
 101      * @param int $flag
 102      */
 103     public function apply($flag)
 104     {
 105         $flags = [];
 106
 107         for ($i = 0; $i <= 26; $i++) {
 108             if ((int) $flag & (1 << $i)) {
 109                 array_push($flags, 1 << $i);
 110             }
 111         }
 112
 113         $this->setValues($flags);
 114     }
 115
 116     /**
 117      * The logon script will be run.
 118      *
 119      * @return AccountControl
 120      */
 121     public function runLoginScript()
 122     {
 123         return $this->add(static::SCRIPT);
 124     }
 125
 126     /**
 127      * The user account is locked.
 128      *
 129      * @return AccountControl
 130      */
 131     public function accountIsLocked()
 132     {
 133         return $this->add(static::LOCKOUT);
 134     }
 135
 136     /**
 137      * The user account is disabled.
 138      *
 139      * @return AccountControl
 140      */
 141     public function accountIsDisabled()
 142     {
 143         return $this->add(static::ACCOUNTDISABLE);
 144     }
 145
 146     /**
 147      * This is an account for users whose primary account is in another domain.
 148      *
 149      * This account provides user access to this domain, but not to any domain that
 150      * trusts this domain. This is sometimes referred to as a local user account.
 151      *
 152      * @return AccountControl
 153      */
 154     public function accountIsTemporary()
 155     {
 156         return $this->add(static::TEMP_DUPLICATE_ACCOUNT);
 157     }
 158
 159     /**
 160      * This is a default account type that represents a typical user.
 161      *
 162      * @return AccountControl
 163      */
 164     public function accountIsNormal()
 165     {
 166         return $this->add(static::NORMAL_ACCOUNT);
 167     }
 168
 169     /**
 170      * This is a permit to trust an account for a system domain that trusts other domains.
 171      *
 172      * @return AccountControl
 173      */
 174     public function accountIsForInterdomain()
 175     {
 176         return $this->add(static::INTERDOMAIN_TRUST_ACCOUNT);
 177     }
 178
 179     /**
 180      * This is a computer account for a computer that is running Microsoft
 181      * Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft
 182      * Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
 183      *
 184      * @return AccountControl
 185      */
 186     public function accountIsForWorkstation()
 187     {
 188         return $this->add(static::WORKSTATION_TRUST_ACCOUNT);
 189     }
 190
 191     /**
 192      * This is a computer account for a domain controller that is a member of this domain.
 193      *
 194      * @return AccountControl
 195      */
 196     public function accountIsForServer()
 197     {
 198         return $this->add(static::SERVER_TRUST_ACCOUNT);
 199     }
 200
 201     /**
 202      * This is an MNS logon account.
 203      *
 204      * @return AccountControl
 205      */
 206     public function accountIsMnsLogon()
 207     {
 208         return $this->add(static::MNS_LOGON_ACCOUNT);
 209     }
 210
 211     /**
 212      * (Windows 2000/Windows Server 2003) This account does
 213      * not require Kerberos pre-authentication for logging on.
 214      *
 215      * @return AccountControl
 216      */
 217     public function accountDoesNotRequirePreAuth()
 218     {
 219         return $this->add(static::DONT_REQ_PREAUTH);
 220     }
 221
 222     /**
 223      * When this flag is set, it forces the user to log on by using a smart card.
 224      *
 225      * @return AccountControl
 226      */
 227     public function accountRequiresSmartCard()
 228     {
 229         return $this->add(static::SMARTCARD_REQUIRED);
 230     }
 231
 232     /**
 233      * (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC).
 234      *
 235      * This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
 236      *
 237      * @return AccountControl
 238      */
 239     public function accountIsReadOnly()
 240     {
 241         return $this->add(static::PARTIAL_SECRETS_ACCOUNT);
 242     }
 243
 244     /**
 245      * The home folder is required.
 246      *
 247      * @return AccountControl
 248      */
 249     public function homeFolderIsRequired()
 250     {
 251         return $this->add(static::HOMEDIR_REQUIRED);
 252     }
 253
 254     /**
 255      * No password is required.
 256      *
 257      * @return AccountControl
 258      */
 259     public function passwordIsNotRequired()
 260     {
 261         return $this->add(static::PASSWD_NOTREQD);
 262     }
 263
 264     /**
 265      * The user cannot change the password. This is a permission on the user's object.
 266      *
 267      * For information about how to programmatically set this permission, visit the following Web site:
 268      * http://msdn2.microsoft.com/en-us/library/aa746398.aspx
 269      *
 270      * @return AccountControl
 271      */
 272     public function passwordCannotBeChanged()
 273     {
 274         return $this->add(static::PASSWD_NOTREQD);
 275     }
 276
 277     /**
 278      * Represents the password, which should never expire on the account.
 279      *
 280      * @return AccountControl
 281      */
 282     public function passwordDoesNotExpire()
 283     {
 284         return $this->add(static::DONT_EXPIRE_PASSWORD);
 285     }
 286
 287     /**
 288      * (Windows 2000/Windows Server 2003) The user's password has expired.
 289      *
 290      * @return AccountControl
 291      */
 292     public function passwordIsExpired()
 293     {
 294         return $this->add(static::PASSWORD_EXPIRED);
 295     }
 296
 297     /**
 298      * The user can send an encrypted password.
 299      *
 300      * @return AccountControl
 301      */
 302     public function allowEncryptedTextPassword()
 303     {
 304         return $this->add(static::ENCRYPTED_TEXT_PWD_ALLOWED);
 305     }
 306
 307     /**
 308      * When this flag is set, the service account (the user or computer account)
 309      * under which a service runs is trusted for Kerberos delegation.
 310      *
 311      * Any such service can impersonate a client requesting the service.
 312      *
 313      * To enable a service for Kerberos delegation, you must set this
 314      * flag on the userAccountControl property of the service account.
 315      *
 316      * @return AccountControl
 317      */
 318     public function trustForDelegation()
 319     {
 320         return $this->add(static::TRUSTED_FOR_DELEGATION);
 321     }
 322
 323     /**
 324      * (Windows 2000/Windows Server 2003) The account is enabled for delegation.
 325      *
 326      * This is a security-sensitive setting. Accounts that have this option enabled
 327      * should be tightly controlled. This setting lets a service that runs under the
 328      * account assume a client's identity and authenticate as that user to other remote
 329      * servers on the network.
 330      *
 331      * @return AccountControl
 332      */
 333     public function trustToAuthForDelegation()
 334     {
 335         return $this->add(static::TRUSTED_TO_AUTH_FOR_DELEGATION);
 336     }
 337
 338     /**
 339      * When this flag is set, the security context of the user is not delegated to a
 340      * service even if the service account is set as trusted for Kerberos delegation.
 341      *
 342      * @return AccountControl
 343      */
 344     public function doNotTrustForDelegation()
 345     {
 346         return $this->add(static::NOT_DELEGATED);
 347     }
 348
 349     /**
 350      * (Windows 2000/Windows Server 2003) Restrict this principal to
 351      * use only Data Encryption Standard (DES) encryption types for keys.
 352      *
 353      * @return AccountControl
 354      */
 355     public function useDesKeyOnly()
 356     {
 357         return $this->add(static::USE_DES_KEY_ONLY);
 358     }
 359
 360     /**
 361      * Returns the complete account control value.
 362      *
 363      * @return int
 364      */
 365     public function getValue()
 366     {
 367         $total = 0;
 368
 369         foreach ($this->values as $value) {
 370             $total = $total + $value;
 371         }
 372
 373         return $total;
 374     }
 375
 376     /**
 377      * Returns the account control's values.
 378      *
 379      * @return array
 380      */
 381     public function getValues()
 382     {
 383         return $this->values;
 384     }
 385
 386     /**
 387      * Sets the account control values.
 388      *
 389      * @param array $flags
 390      */
 391     public function setValues(array $flags)
 392     {
 393         $this->values = $flags;
 394     }
 395
 396     /**
 397      * Applies the inserted value to the values property array.
 398      *
 399      * @param int $value
 400      *
 401      * @return AccountControl
 402      */
 403     protected function add($value)
 404     {
 405         // Use the value as a key so if the same value
 406         // is used, it will always be overwritten
 407         $this->values[$value] = $value;
 408
 409         return $this;
 410     }
 411 }