authorRuss Allbery <rra@stanford.edu>2013-04-08 13:02:04 -0700
committerRuss Allbery <rra@stanford.edu>2013-04-08 15:29:37 -0700
commitd30091cd5148cd79f584d4448914da70b1b8592d (patch)
tree04cff792c655f57dbb3548b59d1b2be134c595d5 /examples
parentaf82c5fa7f8defe809305bf18fbe75bb2cd83811 (diff)
Update stanford.conf example to use Wallet::Policy::Stanford
Eliminate all the verification code that moved into the policy object. Update coding style and remove some settings that were no longer used at Stanford. Change-Id: I3a098bc318abe4bc9dd82e86186da012e5c2cd27 Reviewed-on: https://gerrit.stanford.edu/1025 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'examples')
-rw-r--r--examples/stanford.conf212
1 files changed, 28 insertions, 184 deletions
diff --git a/examples/stanford.conf b/examples/stanford.conf
index b0533bd..cc550a3 100644
--- a/examples/stanford.conf
+++ b/examples/stanford.conf
@@ -11,196 +11,40 @@
#
# See LICENSE for licensing terms.
-use Wallet::ACL;
-use Wallet::Database;
+# default_owner and verify_name come from our policy module.
+use Wallet::Policy::Stanford qw(default_owner verify_name);
-$DB_DRIVER = 'mysql';
-$DB_NAME = 'wallet';
-$DB_HOST = 'localhost';
-$DB_USER = 'wallet';
+$DB_DDL_DIRECTORY = '/usr/share/wallet';
+$DB_DRIVER = 'mysql';
+$DB_NAME = 'wallet';
+$DB_HOST = 'localhost';
+$DB_USER = 'wallet';
# Read the MySQL password from a separate file so that we don't have to commit
# it to the Puppet repository.
-open (PASS, '<', '/etc/wallet/mysql-password')
- or die "cannot open /etc/wallet/mysql-password: $!\n";
-$DB_PASSWORD = <PASS>;
-close PASS;
-chomp $DB_PASSWORD;
+open(my $password_file, '<', '/etc/wallet/mysql-password')
+ or die "cannot open /etc/wallet/mysql-password: $!\n";
+$DB_PASSWORD = <$password_file>;
+close($password_file);
+chomp($DB_PASSWORD);
# The maximum file object size is arbitrary, just something to keep anyone
# from filling the disk.
-$FILE_BUCKET = '/srv/wallet/files';
-$FILE_MAX_SIZE = 512 * 1024;
-
-$KEYTAB_KRBTYPE = 'Heimdal';
-$KEYTAB_FILE = '/etc/wallet/keytab';
-$KEYTAB_FLAGS = '-clearpolicy';
-$KEYTAB_HOST = 'krb5-admin.stanford.edu';
-$KEYTAB_PRINCIPAL = 'service/wallet@stanford.edu';
-$KEYTAB_REALM = 'stanford.edu';
-$KEYTAB_TMP = '/var/lib/wallet';
-
-$KEYTAB_REMCTL_CACHE = '/var/lib/wallet/krb5cc_wallet';
-$KEYTAB_REMCTL_HOST = 'kerberos1.stanford.edu';
-
-$NETDB_REALM = 'stanford.edu';
-$NETDB_REMCTL_CACHE = '/var/lib/wallet/krb5cc_wallet';
-$NETDB_REMCTL_HOST = 'netdb-node-roles-rc.stanford.edu';
-
-# Retrieve an existing ACL and check whether it contains a netdb-root member.
-# This is used to check if a default ACL is already present with a netdb-root
-# member so that we can return a default owner that matches. We only ever
-# increase the ACL from netdb to netdb-root, never degrade it, so this doesn't
-# pose a security problem.
-#
-# On any failure, just return an empty ACL to use the default.
-sub acl_has_netdb_root {
- my ($name) = @_;
- my $dbh = eval { Wallet::Database->connect };
- return unless ($dbh and not $@);
- my $acl = eval { Wallet::ACL->new ($name, $dbh) };
- return unless ($acl and not $@);
- for my $line ($acl->list) {
- return 1 if $line->[0] eq 'netdb-root';
- }
- return;
-}
-
-# Map a file object name to a hostname and return it. Returns undef if this
-# file object name doesn't map to a hostname.
-sub _host_for_file {
- my ($name) = @_;
- my %allowed = map { $_ => 1 }
- qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key);
- my $allowed_regex = '(?:' . join ('|', sort keys %allowed) . ')';
- if ($name !~ /^[^-]+-(.*)-$allowed_regex(?:-.*)?$/) {
- return;
- }
- my $host = $1;
- if ($host !~ /\./) {
- $host .= '.stanford.edu';
- }
- return $host;
-}
-
-# Map a keytab object name to a hostname and return it. Returns undef if this
-# keytab principal name doesn't map to a hostname.
-sub _host_for_keytab {
- my ($name) = @_;
- my %allowed = map { $_ => 1 }
- qw(HTTP afpserver cifs ftp host imap ipp ldap lpr nfs pop postgres
- sieve smtp webauth xmpp);
- return unless $name =~ m,/,;
- my ($service, $host) = split ('/', $name, 2);
- return unless $allowed{$service};
- if ($host !~ /\./) {
- $host .= '.stanford.edu';
- }
- return $host;
-}
-
-# The default owner of host-based objects should be the host keytab and the
-# NetDB ACL for that host, with one twist. If the creator of a new node is
-# using a root instance, we want to require everyone managing that node be
-# using root instances by default (this will do the right thing for Unix
-# Systems hosts).
-sub default_owner {
- my ($type, $name) = @_;
- my $realm = 'stanford.edu';
- my %host_for = (
- keytab => \&_host_for_keytab,
- file => \&_host_for_file,
- );
- return unless defined $host_for{$type};
- my $host = $host_for{$type}->($name);
- return unless $host;
- my $acl_name = "host/$host";
- my @acl;
- if ($ENV{REMOTE_USER} =~ m,/root, or acl_has_netdb_root ($acl_name)) {
- @acl = ([ 'netdb-root', $host ],
- [ 'krb5', "host/$host\@$realm" ]);
- } else {
- @acl = ([ 'netdb', $host ],
- [ 'krb5', "host/$host\@$realm" ]);
- }
- return ($acl_name, @acl);
-}
-
-# Enforce a naming policy. Host-based keytabs must have fully-qualified
-# hostnames, limit the acceptable characters for service/* keytabs, and
-# enforce our naming constraints on */cgi principals.
-#
-# Also use this function to require that IDG staff always do implicit object
-# creation using a */root instance.
-sub verify_name {
- my ($type, $name, $user) = @_;
- my %host = map { $_ => 1 }
- qw(HTTP afpserver cifs ftp http host ident imap ipp ldap lpr nfs pop
- postgres sieve smtp uniengd webauth xmpp);
- my %staff;
- if (open (STAFF, '<', '/etc/remctl/acl/its-idg')) {
- local $_;
- while (<STAFF>) {
- s/^\s+//;
- s/\s+$//;
- next if m,/root\@,;
- $staff{$_} = 1;
- }
- close STAFF;
- }
-
- # Check for a staff member not using their root instance.
- if (defined ($user) && $staff{$user}) {
- return 'use a */root instance for wallet object creation';
- }
-
- # Check keytab naming conventions.
- if ($type eq 'keytab') {
- if ($name !~ m,^[a-zA-Z0-9_-]+/[a-z0-9.-]+$,) {
- return "invalid principal name $name";
- }
- my ($principal, $instance)
- = ($name =~ m,^([a-zA-Z0-9_-]+)/([a-z0-9.-]+)$,);
- unless (defined ($principal) && defined ($instance)) {
- return "invalid principal name $name";
- }
- if ($host{$principal} and $principal ne 'http') {
- if ($instance !~ /^[a-z0-9-]+\.[a-z0-9.-]+$/) {
- return "host name $instance is not fully qualified";
- }
- } elsif ($principal eq 'service') {
- if ($instance !~ /^[a-z0-9-]+$/) {
- return "invalid service principal name $name";
- }
- } elsif ($instance eq 'cgi') {
- if ($principal !~ /^[a-z][a-z0-9]{1,7}$/
- and $principal !~ /^(class|dept|group)-[a-z0-9_-]+$/) {
- return "invalid CGI principal name $name";
- }
- }
- }
-
- # Check file object naming conventions.
- if ($type eq 'file') {
- my %groups = map { $_ => 1 }
- qw(apps crcsg gsb idg sysadmin sulair unix vast);
- my %types = map { $_ => 1 }
- qw(config db gpg-key htpasswd password properties ssh-rsa ssh-dsa
- ssl-key ssl-keystore ssl-pkcs12 tivoli-key);
- if ($name !~ m,^[a-zA-Z0-9_.-]+$,) {
- return "invalid file object $name";
- }
- my $group_regex = '(?:' . join ('|', sort keys %groups) . ')';
- my $type_regex = '(?:' . join ('|', sort keys %types) . ')';
- if ($name !~ /^$group_regex-/) {
- return "no recognized owning group in $name";
- } elsif ($name !~ /^$group_regex-.*-$type_regex(-.*)?$/) {
- return "invalid file object name $name";
- }
- }
-
- # Success.
- return;
-}
+$FILE_BUCKET = '/srv/wallet/files';
+$FILE_MAX_SIZE = 512 * 1024;
+
+# Kerberos keytab backend confguration.
+$KEYTAB_KRBTYPE = 'Heimdal';
+$KEYTAB_FILE = '/etc/wallet/keytab';
+$KEYTAB_FLAGS = '-clearpolicy';
+$KEYTAB_HOST = 'krb5-admin.stanford.edu';
+$KEYTAB_PRINCIPAL = 'service/wallet@stanford.edu';
+$KEYTAB_REALM = 'stanford.edu';
+$KEYTAB_TMP = '/var/lib/wallet';
+
+# NetDB ACL type configuration.
+$NETDB_REALM = 'stanford.edu';
+$NETDB_REMCTL_CACHE = '/var/lib/wallet/krb5cc_wallet';
+$NETDB_REMCTL_HOST = 'netdb-node-roles-rc.stanford.edu';
1;
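Review bot: The password read at `$DB_PASSWORD = <$password_file>;` never checks that a value was actually read, so an empty file (or one whose first line is blank) leaves `$DB_PASSWORD` undef or empty, `chomp` emits a warning, and the server presumably goes on to attempt the MySQL connection with no password instead of failing at configuration load the way the existing `or die` on the open already does. I would guard it right after the `close($password_file);` line: `die "/etc/wallet/mysql-password is empty\n" unless defined($DB_PASSWORD) && $DB_PASSWORD =~ /\S/;` (with `chomp($DB_PASSWORD)` kept after it). Since the whole point of the separate file is to keep the secret out of the Puppet repository, the comment above the open should also state the expectation on the file itself, e.g. `# This file must be owned by the wallet user and not readable by anyone else (mode 0600).` — the config does not enforce that, so the comment is the only place a deployer learns it. Minor: the comment `# Kerberos keytab backend confguration.` is missing an "i".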