authorRuss Allbery <rra@stanford.edu>2008-02-06 21:29:51 +0000
committerRuss Allbery <rra@stanford.edu>2008-02-06 21:29:51 +0000
commit5cd3a6fe3988677d865d666aeefd3ed2f2e549c5 (patch)
treebf905e412ecefecf09d36ffc3b4633260f584d46
parent431ece2b824bd4c77703a2b8ecbc3e8eca184ecb (diff)
Check naming policy on wallet object creation before checking the
default ACLs to avoid creating and stranding an ACL when the naming policy check fails.
-rw-r--r--NEWS4
-rw-r--r--perl/Wallet/Server.pm8
-rwxr-xr-xperl/t/server.t6
3 files changed, 13 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index a0bcb0c..f485858 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ wallet 0.7 (unreleased)
keytab-backend now passes kadmin.local ktadd its options in a specific
order to satisfy the picky option parser.
+ Check naming policy on wallet object creation before checking the
+ default ACLs to avoid creating and stranding an ACL when the naming
+ policy check fails.
+
Fix the example remctl configuration for keytab-backend to use the
correct script name.
diff --git a/perl/Wallet/Server.pm b/perl/Wallet/Server.pm
index e0c0f29..b5b76fe 100644
--- a/perl/Wallet/Server.pm
+++ b/perl/Wallet/Server.pm
@@ -186,10 +186,6 @@ sub create {
my $dbh = $self->{dbh};
my $user = $self->{user};
my $host = $self->{host};
- my $acl = $self->create_check ($type, $name);
- unless ($acl) {
- return unless $self->{admin}->check ($user);
- }
if (defined (&Wallet::Config::verify_name)) {
my $error = Wallet::Config::verify_name ($type, $name, $user);
if ($error) {
@@ -197,6 +193,10 @@ sub create {
return;
}
}
+ my $acl = $self->create_check ($type, $name);
+ unless ($acl) {
+ return unless $self->{admin}->check ($user);
+ }
my $object = eval { $class->create ($type, $name, $dbh, $user, $host) };
if ($@) {
$self->error ($@);
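Review bot: The reordering closes the stranded-ACL case only for naming-policy failures: if `$class->create` dies inside the `eval` that follows the moved block, any default ACL that `create_check` set up (its body is not visible here, but the commit message implies it creates one) is still left behind. The `if ($@)` branch would be the place to remove an ACL that this call created, or the ACL creation and the object creation could share one database transaction. `verify_name` also now runs before the `$self->{admin}->check ($user)` gate, so its rejection text reaches callers who would previously have received only a permission failure; a comment above the moved block such as `# Naming policy is checked first so a rejected name never creates a default ACL; its error is visible to unauthorized callers.` would record that trade-off. `sub create` begins and ends outside this hunk.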
diff --git a/perl/t/server.t b/perl/t/server.t
index a7b3cc5..39e1090 100755
--- a/perl/t/server.t
+++ b/perl/t/server.t
@@ -8,7 +8,7 @@
#
# See LICENSE for licensing terms.
-use Test::More tests => 332;
+use Test::More tests => 334;
use POSIX qw(strftime);
use Wallet::Admin;
@@ -771,6 +771,8 @@ sub default_owner {
return ('user2', [ 'krb5', $user2 ]);
} elsif ($type eq 'base' and $name eq 'service/default-admin') {
return ('auto-admin', [ 'krb5', $admin ]);
+ } elsif ($type eq 'base' and $name eq 'host/default') {
+ return ('auto-host', [ 'krb5', $admin ]);
} else {
return;
}
@@ -928,6 +930,8 @@ is ($server->create ('base', 'host/default'), undef,
' but an unqualified host fails');
is ($server->error, 'base:host/default rejected: host default must be fully'
. ' qualified (add .example.edu)', ' with the right error');
+is ($server->acl_show ('auto-host'), undef, ' and the ACL is not present');
+is ($server->error, 'ACL auto-host not found', ' with the right error');
is ($server->create ('base', 'host/default.stanford.edu'), undef,
' and a host in the wrong domain fails');
is ($server->error, 'base:host/default.stanford.edu rejected: host'