From b63cd1c55861194c84e8efd8fa713d96c651b43a Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sat, 4 Sep 2021 13:03:36 -0700
Subject: Fix Stanford policy for password default owner
In Wallet::Policy::Stanford, fix the default_owner logic for password objects that are group-based rather than host-based. Thanks, macrotex. Fixes #82
---
 NEWS | 4 ++++
 perl/lib/Wallet/Policy/Stanford.pm | 14 +++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 1a21c1a..cb78486 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ wallet 1.5 (unreleased)
 Fix the table drop order for wallet-admin destroy to avoid violating foreign key constraints. Patch from macrotex.
+ In Wallet::Policy::Stanford, fix the default_owner logic for password
+ objects that are group-based rather than host-based. Thanks,
+ macrotex. (#82)
+
 Update to rra-c-util 8.2: * Implement explicit_bzero with memset if it is not available.
diff --git a/perl/lib/Wallet/Policy/Stanford.pm b/perl/lib/Wallet/Policy/Stanford.pm
index 3aeea1c..3094294 100644
--- a/perl/lib/Wallet/Policy/Stanford.pm
+++ b/perl/lib/Wallet/Policy/Stanford.pm
@@ -1,7 +1,7 @@
 # Wallet::Policy::Stanford -- Stanford's wallet naming and ownership policy
 #
 # Written by Russ Allbery
-# Copyright 2016 Russ Allbery
+# Copyright 2016, 2021 Russ Allbery
 # Copyright 2013-2015
 # The Board of Trustees of the Leland Stanford Junior University
 #
@@ -260,15 +260,19 @@ sub default_owner {
 }
 # We have no open if this is not a file object.
- return if $type ne 'file';
+ return if ($type ne 'file' && $type ne 'password');
 # Parse the name of the file object only far enough to get type and group
 # (if there is a group).
 my ($file_type, $group) = split('/', $name);
- # Host-based file objects should be caught by the above. We certainly
- # can't do anything about them here.
- return if $FILE_TYPE{$file_type}{host};
+ # Host-based file and password objects should be caught by the above. We
+ # certainly can't do anything about them here.
+ if ($type eq 'file') {
+ return if $FILE_TYPE{$file_type}{host};
+ } elsif ($type eq 'password') {
+ return if $PASSWORD_TYPE{$file_type}{host};
+ }
 # If we have a mapping for this group, retrieve the ACL contents. We
 # would like to just return the ACL name, but wallet currently requires we
-- 
cgit v1.2.3
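Review bot: The two lookups `$FILE_TYPE{$file_type}{host}` and `$PASSWORD_TYPE{$file_type}{host}` in the new if/elsif autovivify an empty entry in the package-level table whenever `$file_type` is a prefix the table does not contain, and `$file_type` is undef when `$name` is empty. If name validation elsewhere in this module tests those tables for truth or definedness rather than with `exists` (not visible in this hunk), an unrecognised type could pass that check after default_owner has run once in the same process. A guard that does not write to the table and fails closed would be `my $types = $type eq 'file' ? \%FILE_TYPE : \%PASSWORD_TYPE;` followed by `return if !defined($file_type) || !exists $types->{$file_type} || $types->{$file_type}{host};`. The comment `# We have no open if this is not a file object.` is now stale and could read `# We have no opinion unless this is a file or password object.`; default_owner starts and ends outside the hunk.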