Refactor Wallet::Kadmin keytab_rekey to return keytab

Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file.  This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes.  (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)

Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.

2 files changed, 40 insertions, 40 deletions

diff --git a/perl/Wallet/Kadmin/Heimdal.pm b/perl/Wallet/Kadmin/Heimdal.pm
index e066006..d1eecda 100644
--- a/perl/Wallet/Kadmin/Heimdal.pm
+++ b/perl/Wallet/Kadmin/Heimdal.pm
@@ -39,23 +39,6 @@ sub canonicalize_principal {
     return $principal;
 }
 
-# Read the entirety of a possibly binary file and return the contents.  If
-# reading the file fails, set the error message and return undef.
-sub slurp_file {
-    my ($self, $file) = @_;
-    unless (open (TMPFILE, '<', $file)) {
-        $self->error ("cannot open temporary file $file: $!");
-        return;
-    }
-    local $/;
-    my $data = <TMPFILE>;
-    unless (close TMPFILE) {
-        $self->error ("cannot read temporary file $file: $!");
-        return;
-    }
-    return $data;
-}
-
 ##############################################################################
 # Public interfaces
 ##############################################################################
@@ -132,17 +115,15 @@ sub keytab {
         $self->error ("error creating keytab for principal: $@");
         return;
     }
-    my $data = $self->slurp_file ($file);
-    unlink $file;
-    return $data;
+    return $self->read_keytab ($file);
 }
 
 # Create a keytab for a principal, randomizing the keys for that principal at
-# the same time.  Takes the principal, the file, and optionally a list of
-# encryption types to which to limit the keytab.  Return true if successful,
-# false otherwise.  If the keytab creation fails, sets the error.
+# the same time.  Takes the principal and an optional list of encryption types
+# to which to limit the keytab.  Return the keytab data on success and undef
+# on failure.  If the keytab creation fails, sets the error.
 sub keytab_rekey {
-    my ($self, $principal, $file, @enctypes) = @_;
+    my ($self, $principal, @enctypes) = @_;
     $principal = $self->canonicalize_principal ($principal);
 
     # The way Heimdal works, you can only remove enctypes from a principal,
@@ -188,12 +169,14 @@ sub keytab_rekey {
     }
 
     # Create the keytab.
+    my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";
+    unlink $file;
     eval { $kadmin->extractKeytab ($princdata, $file) };
     if ($@) {
         $self->error ("error creating keytab for principal: $@");
         return;
     }
-    return 1;
+    return $self->read_keytab ($file);
 }
 
 # Delete a principal from Kerberos.  Return true if successful, false
@@ -227,6 +210,9 @@ sub new {
             and defined ($Wallet::Config::KEYTAB_REALM)) {
         die "keytab object implementation not configured\n";
     }
+    unless (defined ($Wallet::Config::KEYTAB_TMP)) {
+        die "KEYTAB_TMP configuration variable not set\n";
+    }
     my @options = (RaiseError => 1,
                    Principal  => $Wallet::Config::KEYTAB_PRINCIPAL,
                    Realm      => $Wallet::Config::KEYTAB_REALM,
@@ -270,9 +256,8 @@ Wallet::Kadmin::Heimdal implements the Wallet::Kadmin API for Heimdal,
 providing an interface to create and delete principals and create keytabs.
 It provides the API documented in Wallet::Kadmin(3) for a Heimdal KDC.
 
-To use this object, several configuration parameters must be set.  See
-Wallet::Config(3) for details on those configuration parameters and
-information about how to set wallet configuration.
+To use this class, several configuration parameters must be set.  See
+L<Wallet::Config/"KEYTAB OBJECT CONFIGURATION"> for details.
 
 =head1 FILES
 
diff --git a/perl/Wallet/Kadmin/MIT.pm b/perl/Wallet/Kadmin/MIT.pm
index 1c6d2c1..434e93d 100644
--- a/perl/Wallet/Kadmin/MIT.pm
+++ b/perl/Wallet/Kadmin/MIT.pm
@@ -178,12 +178,11 @@ sub keytab {
 }
 
 # Create a keytab for a principal, randomizing the keys for that principal
-# in the process.  Takes the principal, the file, and optionally a list of
-# encryption types to which to limit the keytab.  Return true if
-# successful, false otherwise.  If the keytab creation fails, sets the
-# error.
+# in the process.  Takes the principal and an optional list of encryption
+# types to which to limit the keytab.  Return the keytab data on success
+# and undef otherwise.  If the keytab creation fails, sets the error.
 sub keytab_rekey {
-    my ($self, $principal, $file, @enctypes) = @_;
+    my ($self, $principal, @enctypes) = @_;
     unless ($self->valid_principal ($principal)) {
         $self->error ("invalid principal name: $principal");
         return;
@@ -191,6 +190,8 @@ sub keytab_rekey {
     if ($Wallet::Config::KEYTAB_REALM) {
         $principal .= '@' . $Wallet::Config::KEYTAB_REALM;
     }
+    my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";
+    unlink $file;
     my $command = "ktadd -q -k $file";
     if (@enctypes) {
         @enctypes = map { /:/ ? $_ : "$_:normal" } @enctypes;
@@ -203,7 +204,7 @@ sub keytab_rekey {
         $self->error ("error creating keytab for $principal: $1");
         return;
     }
-    return 1;
+    return $self->read_keytab ($file);
 }
 
 # Delete a principal from Kerberos.  Return true if successful, false
@@ -238,6 +239,9 @@ sub destroy {
 # kadmin directly.
 sub new {
     my ($class) = @_;
+    unless (defined ($Wallet::Config::KEYTAB_TMP)) {
+        die "KEYTAB_TMP configuration variable not set\n";
+    }
     my $self = {};
     bless ($self, $class);
     return $self;
@@ -261,9 +265,9 @@ Wallet::Kadmin::MIT - Wallet Kerberos administration API for MIT
 
     my $kadmin = Wallet::Kadmin::MIT->new;
     $kadmin->create ('host/foo.example.com');
-    $kadmin->keytab_rekey ('host/foo.example.com', 'keytab',
-                           'aes256-cts-hmac-sha1-96');
-    my $data = $kadmin->keytab ('host/foo.example.com');
+    my $data = $kadmin->keytab_rekey ('host/foo.example.com',
+                                      'aes256-cts-hmac-sha1-96');
+    $data = $kadmin->keytab ('host/foo.example.com');
     my $exists = $kadmin->exists ('host/oldshell.example.com');
     $kadmin->destroy ('host/oldshell.example.com') if $exists;
 
@@ -281,9 +285,20 @@ implemented using a remctl backend.  For that method (used for unchanging
 keytab objects) to work, the necessary wallet configuration and remctl
 interface on the KDC must be set up.
 
-To use this object, several configuration parameters must be set.  See
-Wallet::Config(3) for details on those configuration parameters and
-information about how to set wallet configuration.
+To use this class, several configuration parameters must be set.  See
+L<Wallet::Config/"KEYTAB OBJECT CONFIGURATION"> for details.
+
+=head1 FILES
+
+=over 4
+
+=item KEYTAB_TMP/keytab.<pid>
+
+The keytab is created in this file and then read into memory.  KEYTAB_TMP
+is set in the wallet configuration, and <pid> is the process ID of the
+current process.  The file is unlinked after being read.
+
+=back
 
 =head1 LIMITATIONS