New port for wallet @1.3
wallet is a Kerberos-authenticated file storage & retrieval engine, which has
support for automatically generating things like Kerberos keytabs and random
passwords. Authentication is via Kerberos, and client-server communication is
via remctl. The client is written in C, the server is Perl, and there is also
a Perl script that can be placed on Kerberos 5 KDCs to aid in keytab
retrieval.

I am attaching the proposed Portfile and twelve patch files. The patches are
needed because wallet's build & install process does not allow setting custom
Perl paths. All of the patches have been submitted upstream.

Closes: https://trac.macports.org/ticket/50421
akkornel authored and neverpanic committed Nov 3, 2016
1 parent 1b27bb4 commit a2792f4
Showing 13 changed files with 3,458 additions and 0 deletions.
245 changes: 245 additions & 0 deletions net/wallet/Portfile
@@ -0,0 +1,245 @@
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem 1.0
PortGroup perl5 1.0
perl5.branches 5.24

name wallet
version 1.3
revision 0
categories net security
license MIT
maintainers kornel.us:karl openmaintainer
description Kerberos-authenticated secure data management
long_description The wallet is a system for managing secure data, \
authorization rules to retrieve or change that data, \
and audit rules for documenting actions taken on that \
data. Objects of various types may be stored in the \
wallet or generated on request and retrieved by \
authorized users. The wallet tracks ACLs, metadata, \
and trace information. It uses Kerberos \
authentication. One of the object types it supports \
is Kerberos keytabs, making it suitable as a \
user-accessible front-end to Kerberos kadmind with \
richer ACL and metadata operations.
homepage http://eyrie.org/~eagle/software/wallet/

platforms darwin
master_sites http://archives.eyrie.org/software/kerberos/ \
http://archives.eyrie.org/software/ARCHIVE/wallet/
checksums rmd160 188b3561fcffe99342fcfb1312b58df3f3d919b5 \
sha256 676d3d6e407509fc9da1dd87d98fadc71920dabfbc4bdeb8cde5e2bc937268b8

# Start with the dependencies we know we need
depends_lib-append port:kerberos5 \
port:remctl

# Add a dependency on Module::Build
if {${perl5.major} != ""} {
depends_lib-append port:p${perl5.major}-module-build
}

# wallet 1.3 does not support Perl paths other than /usr/bin/perl, nor does it
# support perl binaries not named "perl". The perl/Build.PL script is also
# missing some testing prerequisites.
# Since we are patching autoconf and automake files, we need autoreconf.
patchfiles patch-autogen.diff \
patch-configure.ac.diff \
patch-Makefile.am.diff \
patch-README.diff \
patch-perl-Build.PL.diff \
patch-portable-system.h.diff \
patch-rename-server-keytab-backend.diff \
patch-rename-server-wallet-admin.diff \
patch-rename-server-wallet-backend.diff \
patch-rename-server-wallet-report.diff \
patch-tests-client-full-t.in.diff \
patch-tests-client-prompt-t.in.diff
use_autoreconf yes

# Use configure, and pass in the paths to MacPorts kerberos5, remctl, and perl.
configure.args --enable-reduced-depends \
--with-remctl=${prefix} \
PATH_KRB5_CONFIG=${prefix}/bin/krb5-config \
PERL=${prefix}/bin/perl${perl5.major}

# Our top-level port installs the Wallet client.
# The Wallet client is just a couple of binaries, plus man pages and docs.
# We override the destroot to just install client stuff.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/wallet
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/wallet

# Install the wallet client executables
# ${destroot}${prefix}/bin already exists
xinstall -m 755 ${worksrcpath}/client/wallet \
${worksrcpath}/client/wallet-rekey \
${destroot}${prefix}/bin

# Install the wallet client man pages
xinstall -d ${destroot}${prefix}/share/man/man1
xinstall -m 644 ${worksrcpath}/client/wallet.1 \
${worksrcpath}/client/wallet-rekey.1 \
${destroot}${prefix}/share/man/man1
}

# The Wallet server is entirely Perl, spawned by the remctl daemon.
# TODO: Patch wallet remctl config files to use ${destroot}${prefix}
subport wallet-server {
# We can't use perl5.setup because it overrides alot of settings that
# we need.
#perl5.setup Wallet 1.003

long_description-append The wallet server, run by remctld, maintains \
the database of object metadata and secure \
objects, and responds to requests from the \
wallet client.

if {${perl5.major} != ""} {
depends_lib-append port:p${perl5.major}-datetime \
port:p${perl5.major}-dbi \
port:p${perl5.major}-dbix-class \
port:p${perl5.major}-digest-md5 \
port:p${perl5.major}-sql-translator \
port:p${perl5.major}-timedate
depends_build-append port:p${perl5.major}-crypt-generatepassword \
port:p${perl5.major}-datetime-format-sqlite
}

# TODO: Tests have a Stanford-specific part, and a NetDB-verifier part,
# which need to be disabled.
# test.run yes
# test.target check

# We have our own destroot process, to install just server bits.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/${subport}
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/${subport}

# If installing the server or kdc variants, make common directories
# These are also created by wallet-kdc
xinstall -d ${destroot}${prefix}/etc/remctl/acl
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d

# Install a set of starter remctl ACLs and configurations
# ${destroot}${prefix}/etc/remctl/acl is created above
xinstall -m 644 ${worksrcpath}/config/wallet-report.acl \
${destroot}${prefix}/etc/remctl/acl/wallet-report

# ${destroot}${prefix}/etc/remctl/conf.d is created above
xinstall -m 644 ${worksrcpath}/config/wallet \
${destroot}${prefix}/etc/remctl/conf.d/wallet

# Install the wallet server executables
# ${destroot}${prefix}/sbin already exists
xinstall -m 755 ${worksrcpath}/server/wallet-admin \
${worksrcpath}/server/wallet-backend \
${worksrcpath}/server/wallet-report \
${destroot}${prefix}/sbin

# Install the wallet server man pages
# ${destroot}${prefix}/share/man/man8 already exists
xinstall -m 644 ${worksrcpath}/server/wallet-admin.8 \
${worksrcpath}/server/wallet-backend.8 \
${worksrcpath}/server/wallet-report.8 \
${destroot}${prefix}/share/man/man8

# Install protocol documentataion
xinstall -m 644 {*}[glob ${worksrcpath}/docs/*] \
${destroot}${prefix}/share/doc/${subport}

# The Perl components of Wallet server are installed by a
# Module::Build installer that is normally run by the Makefile.
# PERL_INSTALL_ROOT is used to set the destroot path; we don't
# set a prefix because that is already configured into MacPorts
# Perl, and so Module::Build uses it automatically.
system "env 'PERL_INSTALL_ROOT=${destroot}' '${prefix}/bin/perl${perl5.major}' '${worksrcpath}/perl/Build' 'install'"
}

# We have some post-activation setup that the user needs to do.
notes-append "
Before using the Wallet server, you will need to choose a database
backend to use. MySQL, Postgres, and SQLite are known to work.
Then you will need to install the p5-datetime-format-* and p5-dbd-*
ports that match the database backend you chose.
If you want to support getting keytabs through Wallet, then your KDC
will need to have the wallet port installed with the +kdc variant.
Other Perl modules may be required, depending on what you want to
support. Read ${prefix}/share/doc/wallet/setup
for additional server configuration instructions.
Wallet server runs via remctl, so be sure that remctld is running,
and is configured correctly!
"
}

# wallet-kdc just installs a couple of helper files that a Kerberos 5 KDC
# can use to generate unchanging keytabs for a Wallet server.
# TODO: Patch keytab and wallet remctl config files to use ${destroot}${prefix}
subport wallet-kdc {
long_description-append This port contains a remctl script, to be \
run on the Kerberos 5 KDC, that will generate \
keytabs at the request of a Wallet server. This \
variant is only meant to be installed on a KDC, \
and does not include Wallet server or client.

# We have our own destroot process, to install just KDC bits.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/${subport}
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/${subport}

# Create some common directories.
# (These are also created by wallet-server)
xinstall -d ${destroot}${prefix}/etc/remctl/acl
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d

# Install a stub KDC ACL that keytab-backend will use
xinstall -d ${destroot}${prefix}/etc/krb5kdc
xinstall -m 640 ${worksrcpath}/config/allow-extract \
${destroot}${prefix}/etc/krb5kdc/allow-extract

# Install example remctl ACLs and configurations
# ${destroot}${prefix}/etc/remctl/acl is created above
xinstall -m 644 ${worksrcpath}/config/keytab.acl \
${destroot}${prefix}/etc/remctl/acl/keytab

# ${destroot}${prefix}/etc/remctl/conf.d is created above
xinstall -m 644 ${worksrcpath}/config/keytab \
${destroot}${prefix}/etc/remctl/conf.d/keytab

# Install the keytab-backend executable
# ${destroot}${prefix}/sbin already exists
xinstall -m 755 ${worksrcpath}/server/keytab-backend \
${destroot}${prefix}/sbin

# Install the keytab-backend man page
# ${destroot}${prefix}/share/man/man8 already exists
xinstall -m 644 ${worksrcpath}/server/keytab-backend.8 \
${destroot}${prefix}/share/man/man8/keytab-backend.8
}

# We have soe post-activation setup that the user needs to do.
notes-append "
To configure your KDC to generate keytabs for the Wallet server,
you will need to configure etc/krb5kdc/allow-extract, as well as
/etc/remctl/acl/keytab. This uses remctl, so remctld must also
be running and configured properly.
"
}
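Review bot: the post-activation notes in both subports point users at paths this destroot does not create. The wallet-server notes say `Read ${prefix}/share/doc/wallet/setup`, but the server destroot installs `docs/*` into `${destroot}${prefix}/share/doc/${subport}`, i.e. share/doc/wallet-server, so the file will be at `${prefix}/share/doc/wallet-server/setup`; the wallet-kdc notes name `etc/krb5kdc/allow-extract` (no `${prefix}`) and `/etc/remctl/acl/keytab` (absolute), while the xinstall lines put them at `${prefix}/etc/krb5kdc/allow-extract` and `${prefix}/etc/remctl/acl/keytab`. Related wording: the server notes and the kdc long_description call the KDC piece a "+kdc variant", but it is the `wallet-kdc` subport. The two TODOs about patching the remctl config files for `${prefix}` deserve resolving before this lands, because remctld will run whatever command paths the installed `conf.d/wallet` and `conf.d/keytab` name; a `reinplace` on those two files inside destroot would close that gap. Installing `allow-extract` with mode 640 rather than 644 is the right call for a KDC ACL. Minor: "alot", "documentataion" and "soe" in the comments.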
118 changes: 118 additions & 0 deletions net/wallet/files/patch-Makefile.am.diff
@@ -0,0 +1,118 @@
--- Makefile.am.orig
+++ Makefile.am
@@ -100,34 +100,36 @@ PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \
perl/t/policy perl/t/style perl/t/util perl/t/verifier

ACLOCAL_AMFLAGS = -I m4
-EXTRA_DIST = .gitignore .travis.yml LICENSE autogen client/wallet.pod \
- client/wallet-rekey.pod config/allow-extract config/keytab \
- config/keytab.acl config/wallet config/wallet-report.acl \
- docs/design contrib/README contrib/commerzbank/wallet-history \
- contrib/convert-srvtab-db contrib/used-principals \
- contrib/wallet-contacts contrib/wallet-rekey-periodic \
- contrib/wallet-rekey-periodic.8 contrib/wallet-summary \
- contrib/wallet-summary.8 contrib/wallet-unknown-hosts \
- contrib/wallet-unknown-hosts.8 docs/design-acl docs/design-api \
- docs/netdb-role-api docs/notes docs/objects-and-schemes docs/setup \
- docs/stanford-naming examples/stanford.conf tests/HOWTO tests/TESTS \
- tests/config/README tests/data/allow-extract tests/data/basic.conf \
- tests/data/cmd-fake tests/data/cmd-wrapper tests/data/fake-data \
- tests/data/fake-kadmin tests/data/fake-keytab \
- tests/data/fake-keytab-2 tests/data/fake-keytab-foreign \
- tests/data/fake-keytab-merge tests/data/fake-keytab-old \
- tests/data/fake-keytab-partial \
- tests/data/fake-keytab-partial-result tests/data/fake-keytab-rekey \
- tests/data/fake-keytab-unknown tests/data/fake-srvtab \
- tests/data/full.conf tests/data/perl.conf tests/data/wallet.conf \
- tests/docs/pod-spelling-t tests/docs/pod-t \
- tests/perl/minimum-version-t tests/perl/module-version-t \
- tests/perl/strict-t tests/server/admin-t tests/server/backend-t \
- tests/server/keytab-t tests/server/report-t tests/tap/kerberos.sh \
- tests/tap/libtap.sh tests/tap/perl/Test/RRA.pm \
- tests/tap/perl/Test/RRA/Automake.pm \
- tests/tap/perl/Test/RRA/Config.pm \
- tests/tap/perl/Test/RRA/ModuleVersion.pm tests/tap/remctl.sh \
+EXTRA_DIST = .gitignore .travis.yml LICENSE autogen client/wallet.pod \
+ client/wallet-rekey.pod config/allow-extract config/keytab \
+ config/keytab.acl config/wallet config/wallet-report.acl \
+ docs/design contrib/README contrib/commerzbank/wallet-history \
+ contrib/convert-srvtab-db contrib/used-principals \
+ contrib/wallet-contacts contrib/wallet-rekey-periodic \
+ contrib/wallet-rekey-periodic.8 contrib/wallet-summary \
+ contrib/wallet-summary.8 contrib/wallet-unknown-hosts \
+ contrib/wallet-unknown-hosts.8 docs/design-acl docs/design-api \
+ docs/netdb-role-api docs/notes docs/objects-and-schemes docs/setup \
+ docs/stanford-naming examples/stanford.conf \
+ server/keytab-backend.in server/wallet-admin.in \
+ server/wallet-backend.in server/wallet-report.in tests/HOWTO \
+ tests/TESTS tests/config/README tests/data/allow-extract \
+ tests/data/basic.conf tests/data/cmd-fake tests/data/cmd-wrapper \
+ tests/data/fake-data tests/data/fake-kadmin tests/data/fake-keytab \
+ tests/data/fake-keytab-2 tests/data/fake-keytab-foreign \
+ tests/data/fake-keytab-merge tests/data/fake-keytab-old \
+ tests/data/fake-keytab-partial \
+ tests/data/fake-keytab-partial-result tests/data/fake-keytab-rekey \
+ tests/data/fake-keytab-unknown tests/data/fake-srvtab \
+ tests/data/full.conf tests/data/perl.conf tests/data/wallet.conf \
+ tests/docs/pod-spelling-t tests/docs/pod-t \
+ tests/perl/minimum-version-t tests/perl/module-version-t \
+ tests/perl/strict-t tests/server/admin-t tests/server/backend-t \
+ tests/server/keytab-t tests/server/report-t tests/tap/kerberos.sh \
+ tests/tap/libtap.sh tests/tap/perl/Test/RRA.pm \
+ tests/tap/perl/Test/RRA/Automake.pm \
+ tests/tap/perl/Test/RRA/Config.pm \
+ tests/tap/perl/Test/RRA/ModuleVersion.pm tests/tap/remctl.sh \
tests/util/xmalloc-t $(PERL_FILES)

# Supporting convenience libraries used by other targets.
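Review bot: the only functional change in this hunk is adding `server/keytab-backend.in server/wallet-admin.in server/wallet-backend.in server/wallet-report.in` to EXTRA_DIST, but the entire list is removed and re-added, so the substantive lines are buried among reflowed ones. A minimal hunk that inserts the new entries and reflows only the lines from `tests/HOWTO tests/TESTS` onward would be easier to review and far less likely to stop applying when upstream touches EXTRA_DIST, which matters for a patch carried in a port's files directory. The addition itself is correct: once the scripts are generated at build time (later hunk), the `.in` templates must be distributed or the tarball cannot produce them.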
@@ -150,7 +152,7 @@ client_libwallet_a_CPPFLAGS = $(REMCTL_CPPFLAGS) $(KRB5_CPPFLAGS)

# The client and server programs.
bin_PROGRAMS = client/wallet client/wallet-rekey
-dist_sbin_SCRIPTS = server/keytab-backend server/wallet-admin \
+sbin_SCRIPTS = server/keytab-backend server/wallet-admin \
server/wallet-backend server/wallet-report
client_wallet_CPPFLAGS = $(REMCTL_CPPFLAGS) $(KRB5_CPPFLAGS)
client_wallet_LDFLAGS = $(REMCTL_LDFLAGS) $(KRB5_LDFLAGS)
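Review bot: dropping the `dist_` prefix from `sbin_SCRIPTS` is the right companion to generating the scripts, but a reader of Makefile.am alone cannot tell that `server/keytab-backend` and friends are now build products rather than checked-in files. A one-line comment above `sbin_SCRIPTS = server/keytab-backend server/wallet-admin \` saying they are generated from the `.in` templates by the rules further down would keep this from looking like an accidental edit. Automake adds `$(SCRIPTS)` to `all`, so `make install` from a clean build still produces them before installing.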
@@ -209,14 +211,30 @@ warnings:
KRB5_CPPFLAGS='$(KRB5_CPPFLAGS_GCC)' $(check_PROGRAMS)

# Remove some additional files.
-CLEANFILES = perl/t/lib/Test/RRA.pm perl/t/lib/Test/RRA/Automake.pm \
- perl/t/lib/Test/RRA/Config.pm
+CLEANFILES = perl/t/lib/Test/RRA.pm perl/t/lib/Test/RRA/Automake.pm \
+ perl/t/lib/Test/RRA/Config.pm server/keytab-backend \
+ server/wallet-admin server/wallet-backend server/wallet-report
MAINTAINERCLEANFILES = Makefile.in aclocal.m4 build-aux/compile \
build-aux/depcomp build-aux/install-sh build-aux/missing \
client/wallet.1 config.h.in config.h.in~ configure \
contrib/wallet-report.8 server/keytab-backend.8 \
server/wallet-admin.8 server/wallet-backend.8 server/wallet-report.8

+# For each of the Perl scripts, we need to fill in the path to the Perl
+# binary that was located during configuration.
+server/keytab-backend: $(srcdir)/server/keytab-backend.in Makefile
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/keytab-backend.in >$@
+ chmod a+x $@
+server/wallet-admin: $(srcdir)/server/wallet-admin.in Makefile
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-admin.in >$@
+ chmod a+x $@
+server/wallet-backend: $(srcdir)/server/wallet-backend.in Makefile
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-backend.in >$@
+ chmod a+x $@
+server/wallet-report: $(srcdir)/server/wallet-report.in Makefile
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-report.in >$@
+ chmod a+x $@
+
# Take appropriate actions in the Perl directory as well. We don't want to
# always build the Perl directory in all-local, since otherwise Automake does
# this for every target, which overrides some hacks we have to do for Debian
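Review bot: the four generation rules redirect straight into `$@` and only then `chmod a+x $@`; if `sed` fails or the build is interrupted between the two commands, a truncated or non-executable `server/wallet-admin` is left behind and the next `make` treats it as up to date. Write to a temporary and rename, e.g. `sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-admin.in >$@.tmp && chmod a+x $@.tmp && mv $@.tmp $@`. The four rules differ only in the name, so a single shared variable or suffix rule would avoid the copy-paste. If out-of-tree builds are supported, `server/` may not yet exist in the build tree, so an `$(MKDIR_P) server` before the redirect is advisable. Finally, `$(PERL)` is spliced into the sed replacement text, so a Perl path containing `|`, `&` or `\` would corrupt the generated shebang; acceptable for a configure-supplied path, but worth a comment.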
@@ -236,7 +254,7 @@ perl/blib/lib/Wallet/Config.pm: $(srcdir)/perl/lib/Wallet/Config.pm
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA.pm perl/t/lib/Test/
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA/Config.pm \
perl/t/lib/Test/RRA/
- cd perl && perl Build.PL $(WALLET_PERL_FLAGS)
+ cd perl && $(PERL) Build.PL $(WALLET_PERL_FLAGS)
cd perl && ./Build

# This is a really ugly hack to only honor prefix when running make install
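Review bot: `cd perl && $(PERL) Build.PL $(WALLET_PERL_FLAGS)` only works if configure substitutes `PERL` into the generated Makefile (an `AC_SUBST` or `AC_PATH_PROG` for it in configure.ac); that presumably lives in `patch-configure.ac.diff`, which the Portfile lists among its patchfiles but which is not shown in this excerpt, so please confirm it is there. The unchanged `cd perl && ./Build` on the next line is fine: Module::Build writes the `Build` script with the interpreter that ran Build.PL, so both steps end up using the same Perl.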
28 changes: 28 additions & 0 deletions net/wallet/files/patch-README.diff
@@ -0,0 +1,28 @@
--- README.orig
+++ README
@@ -183,14 +183,21 @@ BUILD AND INSTALLATION
must be specified either in krb5.conf configuration or on the wallet
command line or the client will exit with an error.

+ By default, wallet uses whatever perl executable exists in the current $PATH.
+ That Perl's path is what the server scripts will use, and that Perl's
+ configuration will be used to determine where the server Perl modules will be
+ installed.
+
+ To specify a particular Perl executable to use, either set the PERL
+ environment variable or pass it to configure like:
+
+ ./configure PERL=/path/to/my/perl
+
By default, wallet installs itself under /usr/local except for the
server Perl modules, which are installed into whatever default site
module path is used by your Perl installation. To change the
installation location of the files other than the Perl modules, pass the
- --prefix=DIR argument to configure. To change the Perl module
- installation location, you will need to run perl on Makefile.PL in the
- perl subdirectory of the build tree with appropriate options and rebuild
- the module after running make and before running make install.
+ --prefix=DIR argument to configure.

If remctl was installed in a path not normally searched by your
compiler, you must specify its installation prefix to configure with the
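Review bot: the new line `By default, wallet uses whatever perl executable exists in the current $PATH.` runs past the wrap width used by the surrounding README text; re-wrap it to match. The removed sentences told readers how to change the Perl module installation location (running Makefile.PL by hand in the perl subdirectory); the replacement drops that without offering an alternative, so a reader who wants the modules somewhere other than the chosen Perl's default site path now has no guidance. A sentence stating that the module location follows the Perl selected with `PERL=` would cover the common case, and if `PERL_INSTALL_ROOT`, which the Portfile's server destroot uses to stage the Module::Build install, is meant to be a supported interface, it belongs here too.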
