Diffstat (limited to 'perl/Wallet')
| -rw-r--r-- | perl/Wallet/Admin.pm | 28 | ||||
| -rw-r--r-- | perl/Wallet/Kadmin.pm | 7 | ||||
| -rw-r--r-- | perl/Wallet/Kadmin/Heimdal.pm | 68 | ||||
| -rw-r--r-- | perl/Wallet/Object/Keytab.pm | 2 | 
4 files changed, 42 insertions, 63 deletions
| diff --git a/perl/Wallet/Admin.pm b/perl/Wallet/Admin.pm
index c86cbba..ff87b94 100644
--- a/perl/Wallet/Admin.pm
+++ b/perl/Wallet/Admin.pm
@@ -477,11 +477,11 @@ actions on the object it returns.
 =item list_acls(TYPE, SEARCH)
-Returns a list of all ACLs matching a search type and string in the 
-database, or all ACLs if no search information is given.  The return value 
-is a list of references to pairs of ACL ID and name.  For example, if 
-there are two ACLs in the database, one with name "ADMIN" and ID 1 and one 
-with name "group/admins" and ID 3, list_acls() with no arguments would 
+Returns a list of all ACLs matching a search type and string in the
+database, or all ACLs if no search information is given.  The return value
+is a list of references to pairs of ACL ID and name.  For example, if
+there are two ACLs in the database, one with name "ADMIN" and ID 1 and one
+with name "group/admins" and ID 3, list_acls() with no arguments would
 return:
     ([ 1, 'ADMIN' ], [ 3, 'group/admins' ]) 
@@ -492,18 +492,18 @@ database with no ACLs by calling error().  error() is guaranteed to return
 the error message if there was an error and undef if there was no error.
 There are currently two search types.  'empty' takes no arguments, and will
-return only those acls that have no entries within them.  'entry' takes two 
-arguments -- an entry scheme and an entry identifier -- and will return 
+return only those acls that have no entries within them.  'entry' takes two
+arguments -- an entry scheme and an entry identifier -- and will return
 any ACLs with an entry that matches the given scheme and contains the
 given identifier.
 =item list_objects(TYPE, SEARCH)
-Returns a list of all objects matching a search type and string in the 
-database, or all objects in the database if no search information is 
-given.  The return value is a list of references to pairs of type and 
-name.  For example, if two objects existed in the database, both of type 
-"keytab" and with values "host/example.com" and "foo", list_objects() 
+Returns a list of all objects matching a search type and string in the
+database, or all objects in the database if no search information is
+given.  The return value is a list of references to pairs of type and
+name.  For example, if two objects existed in the database, both of type
+"keytab" and with values "host/example.com" and "foo", list_objects()
 with no arguments would return:
     ([ 'keytab', 'host/example.com' ], [ 'keytab', 'foo' ]) 
@@ -516,8 +516,8 @@ if there was no error.
 There are four types of searches currently.  'type' (with a given type)
 will return only those entries where the type matches the given type.
 'owner', with a given owner, will only return those objects owned by the
-given acl name.  'flag', with a given flag name, will only return those 
-items with a flag set to the given value.  'acl' operates like 'owner', 
+given acl name.  'flag', with a given flag name, will only return those
+items with a flag set to the given value.  'acl' operates like 'owner',
 but will return only those objects that have the given acl name on any
 of the possible acl settings, not just owner.
diff --git a/perl/Wallet/Kadmin.pm b/perl/Wallet/Kadmin.pm
index 501bc37..b3a630e 100644
--- a/perl/Wallet/Kadmin.pm
+++ b/perl/Wallet/Kadmin.pm
@@ -32,15 +32,14 @@ $VERSION = '0.03';
 sub new {
     my ($class) = @_;
     my ($kadmin);
-    if (!defined $Wallet::Config::KEYTAB_KRBTYPE 
-        || !$Wallet::Config::KEYTAB_KRBTYPE) {
+    if (not $Wallet::Config::KEYTAB_KRBTYPE) {
         die "keytab object implementation not configured\n";
     } elsif ($Wallet::Config::KEYTAB_KRBTYPE eq 'MIT') {
         require Wallet::Kadmin::MIT;
-        $kadmin = Wallet::Kadmin::MIT->new ();
+        $kadmin = Wallet::Kadmin::MIT->new;
     } elsif ($Wallet::Config::KEYTAB_KRBTYPE eq 'Heimdal') {
         require Wallet::Kadmin::Heimdal;
-        $kadmin = Wallet::Kadmin::Heimdal->new ();
+        $kadmin = Wallet::Kadmin::Heimdal->new;
     } else {
         die "keytab krb server type not set to a valid value\n";
     }
diff --git a/perl/Wallet/Kadmin/Heimdal.pm b/perl/Wallet/Kadmin/Heimdal.pm
index b0010a5..d046162 100644
--- a/perl/Wallet/Kadmin/Heimdal.pm
+++ b/perl/Wallet/Kadmin/Heimdal.pm 
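Review bot: In the Kadmin.pm hunk, the rewritten guard `if (not $Wallet::Config::KEYTAB_KRBTYPE)` and the two `elsif` comparisons still dispatch on an exact, case-sensitive string, and the fall-through `die` on the `else` branch does not echo the value it rejected, so a configuration such as `heimdal` or a trailing-space value surfaces only as "keytab krb server type not set to a valid value". Since the constructor is being touched anyway, the diagnostic would be far more useful as `die "keytab krb server type '$Wallet::Config::KEYTAB_KRBTYPE' is not a valid value\n";`. The body of `new` continues past the end of the hunk, and the hunk does not show whether `new` carries a header comment describing that it dies on a missing or unknown type.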
@@ -98,40 +98,27 @@ sub addprinc {
     my $exists = eval { $self->exists ($principal) };
     if ($@) {
         $self->error ("error adding principal $principal: $@");
-        return undef;
+        return;
     }
     return 1 if $exists;
     # The way Heimdal::Kadm5 works, we create a principal object, create the
     # actual principal set inactive, then randomize it and activate it.
+    #
     # TODO - Paranoia makes me want to set the password to something random
     #        on creation even if it is inactive until after randomized by
     #        module.
     my $kadmin = $self->{client};
-    my $princdata = eval { $kadmin->makePrincipal ($principal) };
-    if ($@) {
-        $self->error ("error adding principal $principal: $@");
-        return;
-    }
-
-    # Disable the principal before creating, until we've randomized the
-    # password.
-    my $attrs = eval { $princdata->getAttributes };
-    if ($@) {
-        $self->error ("error adding principal $principal: $@");
-        return;
+    eval {
+        my $princdata = $kadmin->makePrincipal ($principal);
+        my $attrs = $princdata->getAttributes;
+        $attrs |= KRB5_KDB_DISALLOW_ALL_TIX;
+        $princdata->setAttributes ($attrs);
+        my $password = 'inactive';
+        $kadmin->createPrincipal ($princdata, $password, 0);
+        $kadmin->randKeyPrincipal ($principal);
+        $kadmin->enablePrincipal ($principal);
     }
-    $attrs |= KRB5_KDB_DISALLOW_ALL_TIX;
-    eval { $princdata->setAttributes ($attrs) };
-    if ($@) {
-        $self->error ("error adding principal $principal: $@");
-        return;
-    }
-
-    my $password = 'inactive';
-    my $test = eval { $kadmin->createPrincipal ($princdata, $password, 0) };
-    eval { $kadmin->randKeyPrincipal ($principal) } unless $@;
-    eval { $kadmin->enablePrincipal ($principal) } unless $@;
     if ($@) {
         $self->error ("error adding principal $principal: $@");
         return; 
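Review bot: The new `eval {` block is closed by the unchanged context line `    }` with no semicolon, and `eval BLOCK` is an expression rather than a compound statement, so `}` directly followed by `if ($@) {` on the next line is a syntax error; that closing line must become `    };`, and it has to be a changed line, since on the old side the same `}` closed an `if`. Unless the page rendering dropped the semicolon, Heimdal.pm will not compile after this commit. A second point on the same block: when `createPrincipal` has succeeded but `randKeyPrincipal` or `enablePrincipal` throws, the principal is left created with `KRB5_KDB_DISALLOW_ALL_TIX` set and the fixed password `inactive`, and a retry of `addprinc` then returns 1 through `return 1 if $exists` without ever randomizing or enabling it; the error path should at least carry a comment such as `# If we fail after createPrincipal the disabled principal remains and a retry will treat it as already existing.` `addprinc` continues past the end of the hunk.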
@@ -156,8 +143,8 @@ sub ktadd {
     my $kadmin = $self->{client};
     eval { $kadmin->randKeyPrincipal ($principal) };
     if ($@) {
-        $self->error ("error creating keytab for $principal: could not "
-                      ."reinit enctypes: $@");
+        $self->error ("error creating keytab for $principal: could not"
+                      . " reinit enctypes: $@");
         return;
     }
     my $princdata = eval { $kadmin->getPrincipal ($principal) };
@@ -165,23 +152,22 @@ sub ktadd {
         $self->error ("error creating keytab for $principal: $@");
         return;
     } elsif (!$princdata) {
-        $self->error ("error creating keytab for $principal: principal does "
-                      ."not exist");
+        $self->error ("error creating keytab for $principal: principal does"
+                      . " not exist");
         return;
     }
     # Now actually remove any non-requested enctypes, if we requested any.
     if (@enctypes) {
-        my (%wanted);
-        my $alltypes = $princdata->getKeytypes ();
-        foreach (@enctypes) { $wanted{$_} = 1 }
-        foreach my $key (@{$alltypes}) {
-            my $keytype = ${$key}[0];
+        my $alltypes = $princdata->getKeytypes;
+        my %wanted = map { $_ => 1 } @enctypes;
+        for my $key (@{ $alltypes }) {
+            my $keytype = $key->[0];
             next if exists $wanted{$keytype};
             eval { $princdata->delKeytypes ($keytype) };
             if ($@) {
-                $self->error ("error removing keytype $keytype from the ".
-                              "keytab: $@");
+                $self->error ("error removing keytype $keytype from the"
+                              . " keytab: $@");
                 return;
             }
         } 
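Review bot: In the second hunk (`@@ -165,23 +152,22 @@`), the rewritten line `my $alltypes = $princdata->getKeytypes;` is the one Heimdal::Kadm5 call in the enctype block that is not wrapped in `eval`, while `randKeyPrincipal`, `getPrincipal` and `delKeytypes` a few lines away all are; if the binding can throw there, the exception escapes `ktadd` instead of being reported through `$self->error` like every other failure in this function. The old code had the same gap, but since these lines were rewritten it would be consistent to write `my $alltypes = eval { $princdata->getKeytypes };` and report through `$self->error` and `return` when `$@` is set, and to guard `@{ $alltypes }` against a non-array result. `ktadd` begins and ends outside the hunk.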
@@ -192,12 +178,12 @@ sub ktadd {
         }
     }
+    # Create the keytab.
     eval { $kadmin->extractKeytab ($princdata, $file) };
     if ($@) {
         $self->error ("error creating keytab for principal: $@");
         return;
     }
-
     return 1;
 }
@@ -226,20 +212,14 @@ sub delprinc {
     return 1;
 }
-##############################################################################
-# Documentation
-##############################################################################
-
-# Create a new MIT kadmin object.  Very empty for the moment, but later it
-# will probably fill out if we go to using a module rather than calling
-# kadmin directly.
+# Create a new Heimdal kadmin object.
 sub new {
     my ($class) = @_;
     my $self = {
         client => undef,
     };
     bless ($self, $class);
-    $self->{client} = kadmin_client ();
+    $self->{client} = $self->kadmin_client;
     return $self;
 }
diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm
index 22598f1..9fece80 100644
--- a/perl/Wallet/Object/Keytab.pm
+++ b/perl/Wallet/Object/Keytab.pm
@@ -497,7 +497,7 @@ sub create {
     if (not $kadmin->addprinc ($name)) {
         die $kadmin->error, "\n";
-    }    
+    }
     $self = $class->SUPER::create ($type, $name, $dbh, $creator, $host, $time);
     $self->{kadmin} = $kadmin;
     return $self; | 
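Review bot: In the `@@ -226,20 +212,14 @@` hunk, the new header comment `# Create a new Heimdal kadmin object.` says nothing about failure, yet the rewritten line `$self->{client} = $self->kadmin_client;` is the only place `new` can go wrong, and the two callers visible in this commit (`Wallet::Kadmin->new` in Kadmin.pm and `create` in Keytab.pm) invoke the constructor outside any `eval`, so whatever `kadmin_client` does when the kadmin connection cannot be set up (presumably a `die`) propagates straight to the caller. The comment should state the contract, e.g. `# Create a new Heimdal kadmin object.  Propagates any exception raised while creating the Heimdal::Kadm5 client, so callers must catch it.`, with the wording confirmed against `kadmin_client`, which is defined outside the hunk. The `@@ -192,12 +178,12 @@` hunk is comment-only and needs no change.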
