authorRuss Allbery <rra@stanford.edu>2008-02-07 22:44:21 +0000
committerRuss Allbery <rra@stanford.edu>2008-02-07 22:44:21 +0000
commit4271fb73203556213af37d004fd8bc0206a6ab0e (patch)
tree58242e4d64adb29f642456c7e6dcb1165655fc23 /perl
parentf5cb855d5a7190cded71bbc8343aebfa92337fea (diff)
The current version of Net::Remctl can't handle explicit undef or the
empty string as a principal argument. Be careful not to provide a principal argument if no principal was set. This workaround can be removed once we depend on a later version of Net::Remctl.
Diffstat (limited to 'perl')
-rw-r--r--perl/Wallet/ACL/NetDB.pm18
-rw-r--r--perl/Wallet/Object/Keytab.pm4
-rwxr-xr-xperl/t/verifier-netdb.t44
3 files changed, 60 insertions, 6 deletions
diff --git a/perl/Wallet/ACL/NetDB.pm b/perl/Wallet/ACL/NetDB.pm
index ad706b3..cc7121b 100644
--- a/perl/Wallet/ACL/NetDB.pm
+++ b/perl/Wallet/ACL/NetDB.pm
@@ -24,7 +24,7 @@ use Wallet::Config;
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
-$VERSION = '0.02';
+$VERSION = '0.03';
##############################################################################
# Interface
@@ -46,10 +46,20 @@ sub new {
die "NetDB ACL support not available: $error\n";
}
local $ENV{KRB5CCNAME} = $Wallet::Config::NETDB_REMCTL_CACHE;
- my $port = $Wallet::Config::NETDB_REMCTL_PORT;
- my $principal = $Wallet::Config::NETDB_REMCTL_PRINCIPAL;
my $remctl = Net::Remctl->new;
- unless ($remctl->open ($host, $port, $principal)) {
+
+ # Net::Remctl 2.12 and later will support passing in an empty string for
+ # the principal. Until then, be careful not to pass principal unless it
+ # was specified.
+ my $port = $Wallet::Config::NETDB_REMCTL_PORT || 0;
+ my $principal = $Wallet::Config::NETDB_REMCTL_PRINCIPAL;
+ my $status;
+ if (defined $principal) {
+ $status = $remctl->open ($host, $port, $principal);
+ } else {
+ $status = $remctl->open ($host, $port);
+ }
+ unless ($status) {
die "cannot connect to NetDB remctl interface: ", $remctl->error, "\n";
}
my $self = { remctl => $remctl };
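Review bot: The new `if (defined $principal)` test in `new` only covers the undef half of the problem named in the commit description. A `NETDB_REMCTL_PRINCIPAL` configured as the empty string still takes the three-argument `open` branch, which the description says the current Net::Remctl cannot handle. Checking for a non-empty value covers both cases: `if (defined $principal and length $principal) {`. It would also help to extend the comment above the branch to say that omitting the argument leaves the choice of server principal to the library default, so a reader knows which identity is being authenticated when the setting is absent. `new` starts before and continues past this hunk, so how `$host` is validated is not visible here.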
diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm
index e2c21a4..34fa12d 100644
--- a/perl/Wallet/Object/Keytab.pm
+++ b/perl/Wallet/Object/Keytab.pm
@@ -511,8 +511,8 @@ sub keytab_retrieve {
$keytab .= '@' . $Wallet::Config::KEYTAB_REALM;
}
local $ENV{KRB5CCNAME} = $Wallet::Config::KEYTAB_REMCTL_CACHE;
- my $port = $Wallet::Config::KEYTAB_REMCTL_PORT;
- my $principal = $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL;
+ my $port = $Wallet::Config::KEYTAB_REMCTL_PORT || 0;
+ my $principal = $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL || '';
my @command = ('keytab', 'retrieve', $keytab);
my $result = Net::Remctl::remctl ($host, $port, $principal, @command);
if ($result->error) {
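Review bot: The `|| ''` on the `$principal` line hands an empty string to `Net::Remctl::remctl`, yet the commit description lists the empty string as a value the current Net::Remctl cannot take as a principal, and nothing in the hunk explains why this call differs from the one in NetDB.pm. If the simple interface does treat '' as "use the default principal" (not visible on this page), a comment should record that, for example `# remctl() takes the principal positionally, so it cannot be omitted; '' asks for the default principal.` The same comment should note that the workaround can be dropped once the later Net::Remctl is required, matching the comment added in NetDB.pm. `keytab_retrieve` begins and ends outside the hunk.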
diff --git a/perl/t/verifier-netdb.t b/perl/t/verifier-netdb.t
new file mode 100755
index 0000000..12d018f
--- /dev/null
+++ b/perl/t/verifier-netdb.t
@@ -0,0 +1,44 @@
+#!/usr/bin/perl -w
+# $Id$
+#
+# t/verifier-netdb.t -- Tests for the NetDB wallet ACL verifiers.
+#
+# Written by Russ Allbery <rra@stanford.edu>
+# Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+#
+# See LICENSE for licensing terms.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the NetDB role server and will be skipped in all other
+# environments.
+
+use Test::More tests => 4;
+
+use Wallet::ACL::NetDB;
+
+use lib 't/lib';
+use Util;
+
+my $netdb = 'netdb-node-roles-rc.stanford.edu';
+my $host = 'windlord.stanford.edu';
+my $user = 'rra@stanford.edu';
+
+# Determine the local principal.
+my $klist = `klist 2>&1`;
+SKIP: {
+ skip "tests useful only with Stanford Kerberos tickets", 4
+ unless $klist =~ /^Default principal: \S+\@stanford\.edu$/m;
+
+ # Set up our configuration.
+ $Wallet::Config::NETDB_REALM = 'stanford.edu';
+ $Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+ $Wallet::Config::NETDB_REMCTL_HOST = $netdb;
+
+ # Finally, we can test.
+ $verifier = eval { Wallet::ACL::NetDB->new };
+ ok (defined $verifier, ' and now creation succeeds');
+ ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+ is ($verifier->check ($user, $host), 1, "Checking $host succeeds");
+ is ($verifier->check ('test-user@stanford.edu', $host), 0,
+ ' but fails with another user');
+}
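Review bot: `$verifier` on the `eval` line is never declared and the new file has no `use strict;`, so a typo in the variable name would go unnoticed under `-w` alone. I would add `use strict;` before `use Test::More` and write `my $verifier = eval { Wallet::ACL::NetDB->new };`. If construction fails, the message in `$@` is thrown away and the following `$verifier->isa` call dies on undef, aborting the script instead of reporting failures. `ok (defined $verifier, ' and now creation succeeds') or diag ($@);` together with `isa_ok ($verifier, 'Wallet::ACL::NetDB');` would keep the connection error visible. The skip guard also accepts any `stanford.edu` principal, while the `check` assertions depend on the hard-coded `$user` and `$host`; a comment saying whose tickets are needed would save a confusing failure.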