From 23a6b180f975c24c8ee4190467c74b78fde0d084 Mon Sep 17 00:00:00 2001
From: Russ Allbery <eagle@eyrie.org>
Date: Sun, 3 Jan 2016 19:29:20 -0800
Subject: Add Wallet::ACL::External ACL type

A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command.  To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.

Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
---
 perl/t/data/acl-command    | 43 +++++++++++++++++++++++++++++++++++++++++++
 perl/t/verifier/external.t | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100755 perl/t/data/acl-command
 create mode 100755 perl/t/verifier/external.t

(limited to 'perl/t')

diff --git a/perl/t/data/acl-command b/perl/t/data/acl-command
new file mode 100755
index 0000000..e368118
--- /dev/null
+++ b/perl/t/data/acl-command
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# An external ACL implementation.  Checks that the first argument is
+# eagle@eyrie.org, the second argument is "test", and then returns success,
+# failure, or reports an error based on whether the second argument is
+# success, failure, or error.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+#
+# See LICENSE for licensing terms.
+
+set -e
+
+# Check the initial principal argument.
+if [ "$1" != 'eagle@eyrie.org' ]; then
+    echo 'incorrect principal' >&2
+    exit 1
+fi
+
+# Check that the second argument is test.
+if [ "$2" != 'test' ]; then
+    echo 'incorrect second argument' >&2
+    exit 1
+fi
+
+# Process the third argument.
+case $3 in
+    success)
+        exit 0
+        ;;
+    failure)
+        exit 1
+        ;;
+    error)
+        echo 'some error' >&2
+        exit 1
+        ;;
+    *)
+        echo 'unknown third argument' >&2
+        exit 1
+        ;;
+esac
diff --git a/perl/t/verifier/external.t b/perl/t/verifier/external.t
new file mode 100755
index 0000000..3e7e776
--- /dev/null
+++ b/perl/t/verifier/external.t
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+#
+# Tests for the external wallet ACL verifier.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 9;
+
+use Wallet::ACL::External;
+use Wallet::Config;
+
+# Configure the external ACL verifier.
+$Wallet::Config::EXTERNAL_COMMAND = 't/data/acl-command';
+
+# Check a few verifications.
+my $verifier = Wallet::ACL::External->new;
+ok (defined $verifier, 'Wallet::ACL::External creation');
+ok ($verifier->isa ('Wallet::ACL::External'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'test success'), 1, 'Success');
+is ($verifier->check ('eagle@eyrie.org', 'test failure'), 0, 'Failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check ('eagle@eyrie.org', 'test error'), undef, 'Error');
+is ($verifier->error, 'some error', ' and right error');
+is ($verifier->check (undef, 'eagle@eyrie.org'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
-- 
cgit v1.2.3


From 423792510f017d36580eb6d96342f6d09433a078 Mon Sep 17 00:00:00 2001
From: Russ Allbery <eagle@eyrie.org>
Date: Sun, 3 Jan 2016 21:25:40 -0800
Subject: Fix t/object/keytab.t MIT enctype recognition

New versions of MIT now use the actual enctype in klist -ke output.
Also add 128-bit AES.

Also add some additional debugging that was useful when chasing
another problem.
---
 perl/t/object/keytab.t | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

(limited to 'perl/t')

diff --git a/perl/t/object/keytab.t b/perl/t/object/keytab.t
index 69db438..111b7d0 100755
--- a/perl/t/object/keytab.t
+++ b/perl/t/object/keytab.t
@@ -12,7 +12,7 @@ use strict;
 use warnings;
 
 use POSIX qw(strftime);
-use Test::More tests => 141;
+use Test::More tests => 142;
 
 BEGIN { $Wallet::Config::KEYTAB_TMP = '.' }
 
@@ -25,15 +25,28 @@ use Wallet::Object::Keytab;
 use lib 't/lib';
 use Util;
 
-# Mapping of klist -ke encryption type names to the strings that Kerberos uses
-# internally.  It's very annoying to have to maintain this, and it probably
-# breaks with Heimdal.
+# Mapping of klist -ke output from old MIT Kerberos implementations to to the
+# strings that Kerberos uses internally.  It's very annoying to have to
+# maintain this, and it probably breaks with Heimdal.
+#
+# Newer versions of MIT Kerberos just print out the canonical enctype names
+# and don't need this logic, but the current test requires that they still
+# have entries.  That's why the second set where the key and value are the
+# same.
 my %enctype =
     ('triple des cbc mode with hmac/sha1'      => 'des3-cbc-sha1',
      'des cbc mode with crc-32'                => 'des-cbc-crc',
      'des cbc mode with rsa-md5'               => 'des-cbc-md5',
+     'aes-128 cts mode with 96-bit sha-1 hmac' => 'aes128-cts-hmac-sha1-96',
      'aes-256 cts mode with 96-bit sha-1 hmac' => 'aes256-cts-hmac-sha1-96',
-     'arcfour with hmac/md5'                   => 'rc4-hmac');
+     'arcfour with hmac/md5'                   => 'rc4-hmac',
+
+     'des3-cbc-sha1'                           => 'des3-cbc-sha1',
+     'des-cbc-crc'                             => 'des-cbc-crc',
+     'des-cbc-md5'                             => 'des-cbc-md5',
+     'aes128-cts-hmac-sha1-96'                 => 'aes128-cts-hmac-sha1-96',
+     'aes256-cts-hmac-sha1-96'                 => 'aes256-cts-hmac-sha1-96',
+     'rc4-hmac'                                => 'rc4-hmac');
 
 # Some global defaults to use.
 my $user = 'admin@EXAMPLE.COM';
@@ -159,7 +172,7 @@ my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]);
 
 # Basic keytab creation and manipulation tests.
 SKIP: {
-    skip 'no keytab configuration', 52 unless -f 't/data/test.keytab';
+    skip 'no keytab configuration', 53 unless -f 't/data/test.keytab';
 
     # Set up our configuration.
     $Wallet::Config::KEYTAB_FILE      = 't/data/test.keytab';
@@ -296,6 +309,7 @@ EOO
                                         @trace)
       };
     ok (defined ($object), 'Creating good principal succeeds');
+    is ($@, '', ' with no error');
     ok (created ('wallet/one'), ' and the principal was created');
   SKIP: {
         skip 'no kadmin program test for Heimdal', 2
-- 
cgit v1.2.3


From 802e47e8d84530d191817b2d86978a0b09803186 Mon Sep 17 00:00:00 2001
From: Russ Allbery <eagle@eyrie.org>
Date: Sun, 3 Jan 2016 21:32:55 -0800
Subject: Clean up test-files directory after object/password test

---
 perl/t/object/password.t | 1 +
 1 file changed, 1 insertion(+)

(limited to 'perl/t')

diff --git a/perl/t/object/password.t b/perl/t/object/password.t
index 4fe6b50..306d82b 100644
--- a/perl/t/object/password.t
+++ b/perl/t/object/password.t
@@ -120,5 +120,6 @@ like ($pwd, qr{^.{$Wallet::Config::PWD_LENGTH_MIN}$},
 # Clean up.
 $admin->destroy;
 END {
+    system ('rm -r test-files') == 0 or die "cannot remove test-files\n";
     unlink ('wallet-db');
 }
-- 
cgit v1.2.3