authorRuss Allbery <rra@stanford.edu>2013-04-08 12:56:04 -0700
committerRuss Allbery <rra@stanford.edu>2013-04-08 15:29:30 -0700
commitaf82c5fa7f8defe809305bf18fbe75bb2cd83811 (patch)
treef90582a1f78008a5211879c546114faa29cfb594 /examples
parent8c8830789ec30601f995ba7d958499092d73a736 (diff)
Update stanford.conf to latest production version
Update the example wallet.conf from Stanford's configuration to our latest production version. Change-Id: Ic652b7a2fadb53a688a0c0c16b5ea7e429cff79e Reviewed-on: https://gerrit.stanford.edu/1024 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'examples')
-rw-r--r--examples/stanford.conf119
1 files changed, 87 insertions, 32 deletions
diff --git a/examples/stanford.conf b/examples/stanford.conf
index 1d14796..b0533bd 100644
--- a/examples/stanford.conf
+++ b/examples/stanford.conf
@@ -1,12 +1,12 @@
# /etc/wallet/wallet.conf -- Wallet system configuration. -*- perl -*-
#
-# Configuration for the wallet system as used at Stanford University.
-# Interesting features to note are loading the database password from an
-# external file and full implementations of a naming policy check and default
-# ACL rules.
+# Configuration for the wallet system as used at Stanford University. See
+# Wallet::Config(3) for complete details. Interesting features to note are
+# loading the database password from an external file and full implementations
+# of a naming policy check and default ACL rules.
#
# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2007, 2008
+# Copyright 2007, 2008, 2009, 2010, 2012, 2013
# The Board of Trustees of the Leland Stanford Junior University
#
# See LICENSE for licensing terms.
@@ -27,7 +27,12 @@ $DB_PASSWORD = <PASS>;
close PASS;
chomp $DB_PASSWORD;
-$KEYTAB_KRBTYPE = 'MIT';
+# The maximum file object size is arbitrary, just something to keep anyone
+# from filling the disk.
+$FILE_BUCKET = '/srv/wallet/files';
+$FILE_MAX_SIZE = 512 * 1024;
+
+$KEYTAB_KRBTYPE = 'Heimdal';
$KEYTAB_FILE = '/etc/wallet/keytab';
$KEYTAB_FLAGS = '-clearpolicy';
$KEYTAB_HOST = 'krb5-admin.stanford.edu';
@@ -42,9 +47,6 @@ $NETDB_REALM = 'stanford.edu';
$NETDB_REMCTL_CACHE = '/var/lib/wallet/krb5cc_wallet';
$NETDB_REMCTL_HOST = 'netdb-node-roles-rc.stanford.edu';
-# Work around a bug in Net::Remctl.
-$NETDB_REMCTL_PRINCIPAL = 'host/netdb-node-roles-rc.stanford.edu';
-
# Retrieve an existing ACL and check whether it contains a netdb-root member.
# This is used to check if a default ACL is already present with a netdb-root
# member so that we can return a default owner that matches. We only ever
@@ -64,28 +66,62 @@ sub acl_has_netdb_root {
return;
}
-# The default owner of a host should be the host keytab and the NetDB ACL for
-# that host, with one twist. If the creator of a new node is using a root
-# instance, we want to require everyone managing that node be using root
-# instances by default (this will do the right thing for Unix Systems hosts).
-sub default_owner {
- my ($type, $name) = @_;
+# Map a file object name to a hostname and return it. Returns undef if this
+# file object name doesn't map to a hostname.
+sub _host_for_file {
+ my ($name) = @_;
my %allowed = map { $_ => 1 }
- qw(HTTP afpserver cifs ftp host ident imap ldap lpr nfs pop sieve smtp
- uniengd webauth xmpp);
- my $realm = 'stanford.edu';
- return unless $type eq 'keytab';
+ qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key);
+ my $allowed_regex = '(?:' . join ('|', sort keys %allowed) . ')';
+ if ($name !~ /^[^-]+-(.*)-$allowed_regex(?:-.*)?$/) {
+ return;
+ }
+ my $host = $1;
+ if ($host !~ /\./) {
+ $host .= '.stanford.edu';
+ }
+ return $host;
+}
+
+# Map a keytab object name to a hostname and return it. Returns undef if this
+# keytab principal name doesn't map to a hostname.
+sub _host_for_keytab {
+ my ($name) = @_;
+ my %allowed = map { $_ => 1 }
+ qw(HTTP afpserver cifs ftp host imap ipp ldap lpr nfs pop postgres
+ sieve smtp webauth xmpp);
return unless $name =~ m,/,;
- my ($service, $instance) = split ('/', $name, 2);
+ my ($service, $host) = split ('/', $name, 2);
return unless $allowed{$service};
- my $acl_name = "host/$instance";
+ if ($host !~ /\./) {
+ $host .= '.stanford.edu';
+ }
+ return $host;
+}
+
+# The default owner of host-based objects should be the host keytab and the
+# NetDB ACL for that host, with one twist. If the creator of a new node is
+# using a root instance, we want to require everyone managing that node be
+# using root instances by default (this will do the right thing for Unix
+# Systems hosts).
+sub default_owner {
+ my ($type, $name) = @_;
+ my $realm = 'stanford.edu';
+ my %host_for = (
+ keytab => \&_host_for_keytab,
+ file => \&_host_for_file,
+ );
+ return unless defined $host_for{$type};
+ my $host = $host_for{$type}->($name);
+ return unless $host;
+ my $acl_name = "host/$host";
my @acl;
if ($ENV{REMOTE_USER} =~ m,/root, or acl_has_netdb_root ($acl_name)) {
- @acl = ([ 'netdb-root', $instance ],
- [ 'krb5', "host/$instance\@$realm" ]);
+ @acl = ([ 'netdb-root', $host ],
+ [ 'krb5', "host/$host\@$realm" ]);
} else {
- @acl = ([ 'netdb', $instance ],
- [ 'krb5', "host/$instance\@$realm" ]);
+ @acl = ([ 'netdb', $host ],
+ [ 'krb5', "host/$host\@$realm" ]);
}
return ($acl_name, @acl);
}
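Review bot: `_host_for_file` captures the hostname with an unconstrained `(.*)`, so anything sitting between the group prefix and the type token becomes `$host` and is then interpolated by `default_owner` into the `"host/$host\@$realm"` krb5 ACL entry and the netdb ACL; verify_name limits file object names to `[a-zA-Z0-9_.-]`, but nothing visible here shows that it has run before this, and `_` is not a hostname character in any case. Narrowing the capture to a hostname alphabet, e.g. `if ($name !~ /^[^-]+-([a-z0-9.-]+)-$allowed_regex(?:-.*)?$/)` (add `i` if mixed-case hosts are expected), keeps it in step with the fully-qualified check verify_name applies to keytab instances, and a named capture would avoid reading `$1` on the line after a negated match. `%allowed` in `_host_for_file` is only ever used for its keys, so a plain list would do; `_host_for_keytab` genuinely needs the hash for its lookup. The hunk opens in the tail of `acl_has_netdb_root`, whose body starts outside it.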
@@ -94,15 +130,15 @@ sub default_owner {
# hostnames, limit the acceptable characters for service/* keytabs, and
# enforce our naming constraints on */cgi principals.
#
-# Also use this function to require that Unix systems staff always do implicit
-# object creation using a */root instance.
+# Also use this function to require that IDG staff always do implicit object
+# creation using a */root instance.
sub verify_name {
my ($type, $name, $user) = @_;
my %host = map { $_ => 1 }
- qw(HTTP afpserver cifs ftp host ident imap ldap lpr nfs pop sieve smtp
- uniengd webauth xmpp);
+ qw(HTTP afpserver cifs ftp http host ident imap ipp ldap lpr nfs pop
+ postgres sieve smtp uniengd webauth xmpp);
my %staff;
- if (open (STAFF, '<', '/etc/remctl/acl/systems')) {
+ if (open (STAFF, '<', '/etc/remctl/acl/its-idg')) {
local $_;
while (<STAFF>) {
s/^\s+//;
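Review bot: The rewritten `open` keeps the bareword global filehandle `STAFF`; since the line is changing anyway, a lexical handle `if (open (my $staff_fh, '<', '/etc/remctl/acl/its-idg')) {` with `while (<$staff_fh>)` scopes the handle to verify_name and cannot collide with any other use of `STAFF` in the package. The `while` loop, the `close`, and the rest of verify_name continue past the end of this hunk, so the matching `close STAFF` would need the same rename there.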
@@ -114,7 +150,7 @@ sub verify_name {
}
# Check for a staff member not using their root instance.
- if ($staff{$user}) {
+ if (defined ($user) && $staff{$user}) {
return 'use a */root instance for wallet object creation';
}
@@ -128,7 +164,7 @@ sub verify_name {
unless (defined ($principal) && defined ($instance)) {
return "invalid principal name $name";
}
- if ($host{$principal}) {
+ if ($host{$principal} and $principal ne 'http') {
if ($instance !~ /^[a-z0-9-]+\.[a-z0-9.-]+$/) {
return "host name $instance is not fully qualified";
}
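Review bot: The new condition drops `http` out of the fully-qualified-hostname check without saying why, and `http` was only added to `%host` earlier in this same change, so as far as these lines show its sole effect is this exclusion. A one-line comment above the `if`, along the lines of `# http/* instances are not hostnames, so skip the FQDN check (see %host)` — adjusted to whatever the real reason is — would save the next reader the cross-reference to the `qw` list. The branch taken for non-host principals is outside this hunk.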
@@ -144,6 +180,25 @@ sub verify_name {
}
}
+ # Check file object naming conventions.
+ if ($type eq 'file') {
+ my %groups = map { $_ => 1 }
+ qw(apps crcsg gsb idg sysadmin sulair unix vast);
+ my %types = map { $_ => 1 }
+ qw(config db gpg-key htpasswd password properties ssh-rsa ssh-dsa
+ ssl-key ssl-keystore ssl-pkcs12 tivoli-key);
+ if ($name !~ m,^[a-zA-Z0-9_.-]+$,) {
+ return "invalid file object $name";
+ }
+ my $group_regex = '(?:' . join ('|', sort keys %groups) . ')';
+ my $type_regex = '(?:' . join ('|', sort keys %types) . ')';
+ if ($name !~ /^$group_regex-/) {
+ return "no recognized owning group in $name";
+ } elsif ($name !~ /^$group_regex-.*-$type_regex(-.*)?$/) {
+ return "invalid file object name $name";
+ }
+ }
+
# Success.
return;
}
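Review bot: Both anchors in the new file-name checks use `$`, which also matches before a trailing newline, so a name ending in `\n` passes `m,^[a-zA-Z0-9_.-]+$,` even though newline is not in the class; `m,^[a-zA-Z0-9_.-]+\z,` rejects it, and the same change applies to the `$type_regex` pattern. The trailing `(-.*)?` in that pattern captures into `$1` but the capture is never read, so `(?:-.*)?` states the intent and matches the form `_host_for_file` already uses for the same suffix. `%groups` and `%types` are only used for their keys, and the `'(?:' . join ('|', sort keys %...) . ')'` construction now appears three times in this file and could be one small helper. The type list here is a superset of the one in `_host_for_file`; if only some types are meant to map to a host, a comment in one of the two places would keep them from drifting apart. verify_name's earlier branches are outside this hunk.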