From b658b799cb10b48d1a5aca19a7e63fe91d2af77a Mon Sep 17 00:00:00 2001
From: Jon Robertson
Date: Tue, 14 Oct 2014 13:23:40 -0700
Subject: Added Duo to the Stanford policy module Duo object types currently all assume that the name of the object is the hostname of the server it's for.
Change-Id: Ieb5ba144cd39d6aeb3a20466c75a2836a170744f
---
 perl/lib/Wallet/Policy/Stanford.pm | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
(limited to 'perl/lib/Wallet/Policy/Stanford.pm')
diff --git a/perl/lib/Wallet/Policy/Stanford.pm b/perl/lib/Wallet/Policy/Stanford.pm
index 5ac29e0..07d32a4 100644
--- a/perl/lib/Wallet/Policy/Stanford.pm
+++ b/perl/lib/Wallet/Policy/Stanford.pm
@@ -174,6 +174,13 @@ sub _host_for_keytab {
 return $host;
 }
+# Map a duo-type object name to a hostname. Currently all Duo objects are
+# named just for the hostname, so this is easy.
+sub _host_for_file {
+ my ($name) = @_;
+ return $name;
+}
+
 # The default owner of host-based objects should be the host keytab and the
 # NetDB ACL for that host, with one twist. If the creator of a new node is
 # using a root instance, we want to require everyone managing that node be
@@ -183,8 +190,13 @@ sub default_owner {
 # How to determine the host for host-based objects.
 my %host_for = (
- keytab => \&_host_for_keytab,
- file => \&_host_for_file,
+ 'keytab' => \&_host_for_keytab,
+ 'file' => \&_host_for_file,
+ 'duo' => \&_host_for_duo,
+ 'duo-pam' => \&_host_for_duo,
+ 'duo-radius' => \&_host_for_duo,
+ 'duo-ldap' => \&_host_for_duo,
+ 'duo-rdp' => \&_host_for_duo,
 );
 # If we have a possible host mapping, see if we can use that.
@@ -368,6 +380,14 @@ sub verify_name {
 }
 }
+ # Check the naming conventions for all Duo object types. The object
+ # should simply be the host name for now.
+ if ($type =~ m{^duo(-\w+)?$}) {
+ if ($name !~ m{ [.] }xms) {
+ return "host name $name is not fully qualified";
+ }
+ }
+
 # Success.
 return;
 }
-- cgit v1.2.3
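Review bot: The Duo branch added to verify_name accepts any name that contains a dot, because `m{ [.] }xms` is unanchored and places no limit on the other characters, so names containing `/`, `@` or whitespace pass as "fully qualified". The host-mapping helper added in the first hunk returns the name unchanged, and the comment above default_owner says the host keytab and NetDB ACL are derived from that host, so the raw name presumably flows into the default ACL entries unless it is validated here. An anchored hostname check such as `if ($name !~ m{ \A [a-z\d-]+ (?: [.] [a-z\d-]+ )+ \z }xmsi) {` would close that gap. The type test `m{^duo(-\w+)?$}` also matches Duo subtypes that have no entry in `%host_for` and tolerates a trailing newline; `m{ \A duo (?: - (?: pam | radius | ldap | rdp ) )? \z }xms` would keep the two lists in step. verify_name starts and ends outside the hunk.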
From 49f5b0d38e96d13b6cfb329b21599f9d6ff853d6 Mon Sep 17 00:00:00 2001
From: Jon Robertson
Date: Thu, 6 Nov 2014 15:37:23 -0800
Subject: Stanford.pm: Fixed incorrect name for new duo host parsing function
Change-Id: Ica75f6614476088a9952cd7d97749d27811aed7e
---
 perl/lib/Wallet/Policy/Stanford.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'perl/lib/Wallet/Policy/Stanford.pm')
diff --git a/perl/lib/Wallet/Policy/Stanford.pm b/perl/lib/Wallet/Policy/Stanford.pm
index 07d32a4..a392476 100644
--- a/perl/lib/Wallet/Policy/Stanford.pm
+++ b/perl/lib/Wallet/Policy/Stanford.pm
@@ -176,7 +176,7 @@ sub _host_for_keytab {
 # Map a duo-type object name to a hostname. Currently all Duo objects are
 # named just for the hostname, so this is easy.
-sub _host_for_file {
+sub _host_for_duo {
 my ($name) = @_;
 return $name;
 }
-- cgit v1.2.3