author | Russ Allbery <rra@stanford.edu> | 2008-02-07 22:44:21 +0000 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2008-02-07 22:44:21 +0000 |
commit | 4271fb73203556213af37d004fd8bc0206a6ab0e (patch) | |
tree | 58242e4d64adb29f642456c7e6dcb1165655fc23 | |
parent | f5cb855d5a7190cded71bbc8343aebfa92337fea (diff) |
The current version of Net::Remctl can't handle explicit undef or the
empty string as a principal argument. Be careful not to provide a
principal argument if no principal was set. This workaround can be
removed once we depend on a later version of Net::Remctl.
-rw-r--r-- | Makefile.am | 12 | ||||
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | perl/Wallet/ACL/NetDB.pm | 18 | ||||
-rw-r--r-- | perl/Wallet/Object/Keytab.pm | 4 | ||||
-rwxr-xr-x | perl/t/verifier-netdb.t | 44 |
5 files changed, 71 insertions, 12 deletions
diff --git a/Makefile.am b/Makefile.am index 7e5a5ba..389c1b7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -22,12 +22,12 @@ EXTRA_DIST = LICENSE autogen client/wallet.pod config/allow-extract \ perl/t/data/keytab.conf perl/t/data/netdb.conf \ perl/t/data/netdb-fake perl/t/init.t perl/t/keytab.t \ perl/t/lib/Util.pm perl/t/object.t perl/t/pod.t perl/t/schema.t \ - perl/t/server.t perl/t/verifier.t tests/TESTS tests/data/README \ - tests/data/allow-extract tests/data/cmd-fake tests/data/fake-data \ - tests/data/fake-kadmin tests/data/fake-keytab \ - tests/data/fake-keytab-2 tests/data/fake-keytab-merge \ - tests/data/fake-keytab-old tests/data/fake-srvtab \ - tests/data/wallet.conf tests/libtest.sh + perl/t/server.t perl/t/verifier-netdb.t perl/t/verifier.t \ + tests/TESTS tests/data/README tests/data/allow-extract \ + tests/data/cmd-fake tests/data/fake-data tests/data/fake-kadmin \ + tests/data/fake-keytab tests/data/fake-keytab-2 \ + tests/data/fake-keytab-merge tests/data/fake-keytab-old \ + tests/data/fake-srvtab tests/data/wallet.conf tests/libtest.sh noinst_LIBRARIES = portable/libportable.a util/libutil.a portable_libportable_a_SOURCES = portable/dummy.c @@ -15,6 +15,11 @@ wallet 0.7 (unreleased) default ACLs to avoid creating and stranding an ACL when the naming policy check fails. + The current version of Net::Remctl can't handle explicit undef or the + empty string as a principal argument. Be careful not to provide a + principal argument if no principal was set. This workaround can be + removed once we depend on a later version of Net::Remctl. + Fix the example remctl configuration for keytab-backend to use the correct script name. diff --git a/perl/Wallet/ACL/NetDB.pm b/perl/Wallet/ACL/NetDB.pm index ad706b3..cc7121b 100644 --- a/perl/Wallet/ACL/NetDB.pm +++ b/perl/Wallet/ACL/NetDB.pm 
@@ -24,7 +24,7 @@ use Wallet::Config; # This version should be increased on any code change to this module. Always # use two digits for the minor version with a leading zero if necessary so # that it will sort properly. -$VERSION = '0.02'; +$VERSION = '0.03'; ############################################################################## # Interface @@ -46,10 +46,20 @@ sub new { die "NetDB ACL support not available: $error\n"; } local $ENV{KRB5CCNAME} = $Wallet::Config::NETDB_REMCTL_CACHE; - my $port = $Wallet::Config::NETDB_REMCTL_PORT; - my $principal = $Wallet::Config::NETDB_REMCTL_PRINCIPAL; my $remctl = Net::Remctl->new; - unless ($remctl->open ($host, $port, $principal)) { + + # Net::Remctl 2.12 and later will support passing in an empty string for + # the principal. Until then, be careful not to pass principal unless it + # was specified. + my $port = $Wallet::Config::NETDB_REMCTL_PORT || 0; + my $principal = $Wallet::Config::NETDB_REMCTL_PRINCIPAL; + my $status; + if (defined $principal) { + $status = $remctl->open ($host, $port, $principal); + } else { + $status = $remctl->open ($host, $port); + } + unless ($status) { die "cannot connect to NetDB remctl interface: ", $remctl->error, "\n"; } my $self = { remctl => $remctl }; diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm index e2c21a4..34fa12d 100644 --- a/perl/Wallet/Object/Keytab.pm +++ b/perl/Wallet/Object/Keytab.pm @@ -511,8 +511,8 @@ sub keytab_retrieve { $keytab .= '@' . $Wallet::Config::KEYTAB_REALM; } local $ENV{KRB5CCNAME} = $Wallet::Config::KEYTAB_REMCTL_CACHE; - my $port = $Wallet::Config::KEYTAB_REMCTL_PORT; - my $principal = $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL; + my $port = $Wallet::Config::KEYTAB_REMCTL_PORT || 0; + my $principal = $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL || ''; my @command = ('keytab', 'retrieve', $keytab); my $result = Net::Remctl::remctl ($host, $port, $principal, @command); if ($result->error) { 
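Review bot: The `defined $principal` test in the new `sub new` hunk of perl/Wallet/ACL/NetDB.pm still passes an empty string through to `$remctl->open`, which the commit message says the current Net::Remctl cannot handle, so a configuration that sets `$Wallet::Config::NETDB_REMCTL_PRINCIPAL` to `''` hits the same failure this change works around; the guard should be `if (defined $principal && length $principal) {`. The perl/Wallet/Object/Keytab.pm hunk in the same commit goes the other way and passes `$Wallet::Config::KEYTAB_REMCTL_PRINCIPAL || ''` to `Net::Remctl::remctl` unconditionally, which reads as if the functional interface already accepts an empty string where the object interface does not; if that is the case, a one-line comment saying so next to that call would stop a later reader from "fixing" one site to match the other. The body of `new` continues outside the hunk.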
diff --git a/perl/t/verifier-netdb.t b/perl/t/verifier-netdb.t
new file mode 100755
index 0000000..12d018f
--- /dev/null
+++ b/perl/t/verifier-netdb.t
@@ -0,0 +1,44 @@
+#!/usr/bin/perl -w
+# $Id$
+#
+# t/verifier-netdb.t -- Tests for the NetDB wallet ACL verifiers.
+#
+# Written by Russ Allbery <rra@stanford.edu>
+# Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+#
+# See LICENSE for licensing terms.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the NetDB role server and will be skipped in all other
+# environments.
+
+use Test::More tests => 4;
+
+use Wallet::ACL::NetDB;
+
+use lib 't/lib';
+use Util;
+
+my $netdb = 'netdb-node-roles-rc.stanford.edu';
+my $host = 'windlord.stanford.edu';
+my $user = 'rra@stanford.edu';
+
+# Determine the local principal.
+my $klist = `klist 2>&1`;
+SKIP: {
+ skip "tests useful only with Stanford Kerberos tickets", 4
+ unless $klist =~ /^Default principal: \S+\@stanford\.edu$/m;
+
+ # Set up our configuration.
+ $Wallet::Config::NETDB_REALM = 'stanford.edu';
+ $Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+ $Wallet::Config::NETDB_REMCTL_HOST = $netdb;
+
+ # Finally, we can test.
+ $verifier = eval { Wallet::ACL::NetDB->new };
+ ok (defined $verifier, ' and now creation succeeds');
+ ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+ is ($verifier->check ($user, $host), 1, "Checking $host succeeds");
+ is ($verifier->check ('test-user@stanford.edu', $host), 0,
+ ' but fails with another user');
+} |
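Review bot: `$verifier` on the `eval { Wallet::ACL::NetDB->new }` line is never declared and the new file has no `use strict`, so the `-w` shebang is the only check on it; the line should read `my $verifier = eval { Wallet::ACL::NetDB->new };`. When construction fails the error left in `$@` is discarded and the three assertions that follow call methods on undef, which aborts the script instead of reporting the cause, so `diag ($@) unless defined $verifier;` after the first `ok` would keep the failure diagnosable. The description `' and now creation succeeds'` reads as the continuation of a preceding test that does not exist in this file. If `KRB5CCNAME` is unset (the default-cache case `klist` also reports), `NETDB_REMCTL_CACHE` becomes undef here; presumably `new` tolerates that, but a comment stating the expectation would help.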