Commit
wallet is a Kerberos-authenticated file storage & retrieval engine, which has support for automatically generating things like Kerberos keytabs and random passwords. Authentication is via Kerberos, and client-server communication is via remctl. The client is written in C, the server is Perl, and there is also a Perl script that can be placed on Kerberos 5 KDCs to aid in keytab retrieval. I am attaching the proposed Portfile and twelve patch files. The patches are needed because wallet's build & install process does not allow setting custom Perl paths. All of the patches have been submitted upstream. Closes: https://trac.macports.org/ticket/50421
commit a2792f4, 1 parent 1b27bb4. Showing 13 changed files with 3,458 additions and 0 deletions.
@@ -0,0 +1,245 @@ | ||
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4 | ||
|
||
PortSystem 1.0 | ||
PortGroup perl5 1.0 | ||
perl5.branches 5.24 | ||
|
||
name wallet | ||
version 1.3 | ||
revision 0 | ||
categories net security | ||
license MIT | ||
maintainers kornel.us:karl openmaintainer | ||
description Kerberos-authenticated secure data management | ||
long_description The wallet is a system for managing secure data, \ | ||
authorization rules to retrieve or change that data, \ | ||
and audit rules for documenting actions taken on that \ | ||
data. Objects of various types may be stored in the \ | ||
wallet or generated on request and retrieved by \ | ||
authorized users. The wallet tracks ACLs, metadata, \ | ||
and trace information. It uses Kerberos \ | ||
authentication. One of the object types it supports \ | ||
is Kerberos keytabs, making it suitable as a \ | ||
user-accessible front-end to Kerberos kadmind with \ | ||
richer ACL and metadata operations. | ||
homepage http://eyrie.org/~eagle/software/wallet/ | ||
|
||
platforms darwin | ||
master_sites http://archives.eyrie.org/software/kerberos/ \ | ||
http://archives.eyrie.org/software/ARCHIVE/wallet/ | ||
checksums rmd160 188b3561fcffe99342fcfb1312b58df3f3d919b5 \ | ||
sha256 676d3d6e407509fc9da1dd87d98fadc71920dabfbc4bdeb8cde5e2bc937268b8 | ||
|
||
# Start with the dependencies we know we need | ||
depends_lib-append port:kerberos5 \ | ||
port:remctl | ||
|
||
# Add a dependency on Module::Build | ||
if {${perl5.major} != ""} { | ||
depends_lib-append port:p${perl5.major}-module-build | ||
} | ||
|
||
# wallet 1.3 does not support Perl paths other than /usr/bin/perl, nor does it | ||
# support perl binaries not named "perl". The perl/Build.PL script is also | ||
# missing some testing prerequisites. | ||
# Since we are patching autoconf and automake files, we need autoreconf. | ||
patchfiles patch-autogen.diff \ | ||
patch-configure.ac.diff \ | ||
patch-Makefile.am.diff \ | ||
patch-README.diff \ | ||
patch-perl-Build.PL.diff \ | ||
patch-portable-system.h.diff \ | ||
patch-rename-server-keytab-backend.diff \ | ||
patch-rename-server-wallet-admin.diff \ | ||
patch-rename-server-wallet-backend.diff \ | ||
patch-rename-server-wallet-report.diff \ | ||
patch-tests-client-full-t.in.diff \ | ||
patch-tests-client-prompt-t.in.diff | ||
use_autoreconf yes | ||
|
||
# Use configure, and pass in the paths to MacPorts kerberos5, remctl, and perl. | ||
configure.args --enable-reduced-depends \ | ||
--with-remctl=${prefix} \ | ||
PATH_KRB5_CONFIG=${prefix}/bin/krb5-config \ | ||
PERL=${prefix}/bin/perl${perl5.major} | ||
|
||
# Our top-level port installs the Wallet client. | ||
# The Wallet client is just a couple of binaries, plus man pages and docs. | ||
# We override the destroot to just install client stuff. | ||
destroot { | ||
# First, install common files from the distribution | ||
xinstall -d ${destroot}${prefix}/share/doc/wallet | ||
xinstall -m 644 ${worksrcpath}/LICENSE \ | ||
${worksrcpath}/NEWS \ | ||
${worksrcpath}/README \ | ||
${worksrcpath}/TODO \ | ||
${destroot}${prefix}/share/doc/wallet | ||
|
||
# Install the wallet client executables | ||
# ${destroot}${prefix}/bin already exists | ||
xinstall -m 755 ${worksrcpath}/client/wallet \ | ||
${worksrcpath}/client/wallet-rekey \ | ||
${destroot}${prefix}/bin | ||
|
||
# Install the wallet client man pages | ||
xinstall -d ${destroot}${prefix}/share/man/man1 | ||
xinstall -m 644 ${worksrcpath}/client/wallet.1 \ | ||
${worksrcpath}/client/wallet-rekey.1 \ | ||
${destroot}${prefix}/share/man/man1 | ||
} | ||
|
||
# The Wallet server is entirely Perl, spawned by the remctl daemon. | ||
# TODO: Patch wallet remctl config files to use ${destroot}${prefix} | ||
subport wallet-server { | ||
# We can't use perl5.setup because it overrides alot of settings that | ||
# we need. | ||
#perl5.setup Wallet 1.003 | ||
|
||
long_description-append The wallet server, run by remctld, maintains \ | ||
the database of object metadata and secure \ | ||
objects, and responds to requests from the \ | ||
wallet client. | ||
|
||
if {${perl5.major} != ""} { | ||
depends_lib-append port:p${perl5.major}-datetime \ | ||
port:p${perl5.major}-dbi \ | ||
port:p${perl5.major}-dbix-class \ | ||
port:p${perl5.major}-digest-md5 \ | ||
port:p${perl5.major}-sql-translator \ | ||
port:p${perl5.major}-timedate | ||
depends_build-append port:p${perl5.major}-crypt-generatepassword \ | ||
port:p${perl5.major}-datetime-format-sqlite | ||
} | ||
|
||
# TODO: Tests have a Stanford-specific part, and a NetDB-verifier part, | ||
# which need to be disabled. | ||
# test.run yes | ||
# test.target check | ||
|
||
# We have our own destroot process, to install just server bits. | ||
destroot { | ||
# First, install common files from the distribution | ||
xinstall -d ${destroot}${prefix}/share/doc/${subport} | ||
xinstall -m 644 ${worksrcpath}/LICENSE \ | ||
${worksrcpath}/NEWS \ | ||
${worksrcpath}/README \ | ||
${worksrcpath}/TODO \ | ||
${destroot}${prefix}/share/doc/${subport} | ||
|
||
# If installing the server or kdc variants, make common directories | ||
# These are also created by wallet-kdc | ||
xinstall -d ${destroot}${prefix}/etc/remctl/acl | ||
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d | ||
|
||
# Install a set of starter remctl ACLs and configurations | ||
# ${destroot}${prefix}/etc/remctl/acl is created above | ||
xinstall -m 644 ${worksrcpath}/config/wallet-report.acl \ | ||
${destroot}${prefix}/etc/remctl/acl/wallet-report | ||
|
||
# ${destroot}${prefix}/etc/remctl/conf.d is created above | ||
xinstall -m 644 ${worksrcpath}/config/wallet \ | ||
${destroot}${prefix}/etc/remctl/conf.d/wallet | ||
|
||
# Install the wallet server executables | ||
# ${destroot}${prefix}/sbin already exists | ||
xinstall -m 755 ${worksrcpath}/server/wallet-admin \ | ||
${worksrcpath}/server/wallet-backend \ | ||
${worksrcpath}/server/wallet-report \ | ||
${destroot}${prefix}/sbin | ||
|
||
# Install the wallet server man pages | ||
# ${destroot}${prefix}/share/man/man8 already exists | ||
xinstall -m 644 ${worksrcpath}/server/wallet-admin.8 \ | ||
${worksrcpath}/server/wallet-backend.8 \ | ||
${worksrcpath}/server/wallet-report.8 \ | ||
${destroot}${prefix}/share/man/man8 | ||
|
||
# Install protocol documentataion | ||
xinstall -m 644 {*}[glob ${worksrcpath}/docs/*] \ | ||
${destroot}${prefix}/share/doc/${subport} | ||
|
||
# The Perl components of Wallet server are installed by a | ||
# Module::Build installer that is normally run by the Makefile. | ||
# PERL_INSTALL_ROOT is used to set the destroot path; we don't | ||
# set a prefix because that is already configured into MacPorts | ||
# Perl, and so Module::Build uses it automatically. | ||
system "env 'PERL_INSTALL_ROOT=${destroot}' '${prefix}/bin/perl${perl5.major}' '${worksrcpath}/perl/Build' 'install'" | ||
} | ||
|
||
# We have some post-activation setup that the user needs to do. | ||
notes-append " | ||
Before using the Wallet server, you will need to choose a database | ||
backend to use. MySQL, Postgres, and SQLite are known to work. | ||
Then you will need to install the p5-datetime-format-* and p5-dbd-* | ||
ports that match the database backend you chose. | ||
If you want to support getting keytabs through Wallet, then your KDC | ||
will need to have the wallet port installed with the +kdc variant. | ||
Other Perl modules may be required, depending on what you want to | ||
support. Read ${prefix}/share/doc/wallet/setup | ||
for additional server configuration instructions. | ||
Wallet server runs via remctl, so be sure that remctld is running, | ||
and is configured correctly! | ||
" | ||
} | ||
|
||
# wallet-kdc just installs a couple of helper files that a Kerberos 5 KDC | ||
# can use to generate unchanging keytabs for a Wallet server. | ||
# TODO: Patch keytab and wallet remctl config files to use ${destroot}${prefix} | ||
subport wallet-kdc { | ||
long_description-append This port contains a remctl script, to be \ | ||
run on the Kerberos 5 KDC, that will generate \ | ||
keytabs at the request of a Wallet server. This \ | ||
variant is only meant to be installed on a KDC, \ | ||
and does not include Wallet server or client. | ||
|
||
# We have our own destroot process, to install just KDC bits. | ||
destroot { | ||
# First, install common files from the distribution | ||
xinstall -d ${destroot}${prefix}/share/doc/${subport} | ||
xinstall -m 644 ${worksrcpath}/LICENSE \ | ||
${worksrcpath}/NEWS \ | ||
${worksrcpath}/README \ | ||
${worksrcpath}/TODO \ | ||
${destroot}${prefix}/share/doc/${subport} | ||
|
||
# Create some common directories. | ||
# (These are also created by wallet-server) | ||
xinstall -d ${destroot}${prefix}/etc/remctl/acl | ||
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d | ||
|
||
# Install a stub KDC ACL that keytab-backend will use | ||
xinstall -d ${destroot}${prefix}/etc/krb5kdc | ||
xinstall -m 640 ${worksrcpath}/config/allow-extract \ | ||
${destroot}${prefix}/etc/krb5kdc/allow-extract | ||
|
||
# Install example remctl ACLs and configurations | ||
# ${destroot}${prefix}/etc/remctl/acl is created above | ||
xinstall -m 644 ${worksrcpath}/config/keytab.acl \ | ||
${destroot}${prefix}/etc/remctl/acl/keytab | ||
|
||
# ${destroot}${prefix}/etc/remctl/conf.d is created above | ||
xinstall -m 644 ${worksrcpath}/config/keytab \ | ||
${destroot}${prefix}/etc/remctl/conf.d/keytab | ||
|
||
# Install the keytab-backend executable | ||
# ${destroot}${prefix}/sbin already exists | ||
xinstall -m 755 ${worksrcpath}/server/keytab-backend \ | ||
${destroot}${prefix}/sbin | ||
|
||
# Install the keytab-backend man page | ||
# ${destroot}${prefix}/share/man/man8 already exists | ||
xinstall -m 644 ${worksrcpath}/server/keytab-backend.8 \ | ||
${destroot}${prefix}/share/man/man8/keytab-backend.8 | ||
} | ||
|
||
# We have soe post-activation setup that the user needs to do. | ||
notes-append " | ||
To configure your KDC to generate keytabs for the Wallet server, | ||
you will need to configure etc/krb5kdc/allow-extract, as well as | ||
/etc/remctl/acl/keytab. This uses remctl, so remctld must also | ||
be running and configured properly. | ||
" | ||
} |
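Review bot: the post-activation notes in this Portfile point users at paths that do not match where the destroot blocks actually install the files. The wallet-server note says to read ${prefix}/share/doc/wallet/setup, but the server destroot copies docs/* into ${destroot}${prefix}/share/doc/${subport}, i.e. share/doc/wallet-server, so the file is not where the note says; use `Read ${prefix}/share/doc/${subport}/setup`. The wallet-kdc note names `etc/krb5kdc/allow-extract` (no prefix) and `/etc/remctl/acl/keytab` (absolute), while the files are installed under ${prefix}/etc/krb5kdc/ and ${prefix}/etc/remctl/acl/; both should read ${prefix}/etc/.... The two TODO comments also mean the installed conf.d/wallet and conf.d/keytab still carry upstream's command paths rather than ${prefix}/sbin, so remctld will not find the backends until the admin edits those files; until the TODO is done that belongs in the notes as well. Minor spelling in comments: "alot", "soe", "documentataion".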
@@ -0,0 +1,118 @@ | ||
--- Makefile.am.orig | ||
+++ Makefile.am | ||
@@ -100,34 +100,36 @@ PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \ | ||
perl/t/policy perl/t/style perl/t/util perl/t/verifier | ||
|
||
ACLOCAL_AMFLAGS = -I m4 | ||
-EXTRA_DIST = .gitignore .travis.yml LICENSE autogen client/wallet.pod \ | ||
- client/wallet-rekey.pod config/allow-extract config/keytab \ | ||
- config/keytab.acl config/wallet config/wallet-report.acl \ | ||
- docs/design contrib/README contrib/commerzbank/wallet-history \ | ||
- contrib/convert-srvtab-db contrib/used-principals \ | ||
- contrib/wallet-contacts contrib/wallet-rekey-periodic \ | ||
- contrib/wallet-rekey-periodic.8 contrib/wallet-summary \ | ||
- contrib/wallet-summary.8 contrib/wallet-unknown-hosts \ | ||
- contrib/wallet-unknown-hosts.8 docs/design-acl docs/design-api \ | ||
- docs/netdb-role-api docs/notes docs/objects-and-schemes docs/setup \ | ||
- docs/stanford-naming examples/stanford.conf tests/HOWTO tests/TESTS \ | ||
- tests/config/README tests/data/allow-extract tests/data/basic.conf \ | ||
- tests/data/cmd-fake tests/data/cmd-wrapper tests/data/fake-data \ | ||
- tests/data/fake-kadmin tests/data/fake-keytab \ | ||
- tests/data/fake-keytab-2 tests/data/fake-keytab-foreign \ | ||
- tests/data/fake-keytab-merge tests/data/fake-keytab-old \ | ||
- tests/data/fake-keytab-partial \ | ||
- tests/data/fake-keytab-partial-result tests/data/fake-keytab-rekey \ | ||
- tests/data/fake-keytab-unknown tests/data/fake-srvtab \ | ||
- tests/data/full.conf tests/data/perl.conf tests/data/wallet.conf \ | ||
- tests/docs/pod-spelling-t tests/docs/pod-t \ | ||
- tests/perl/minimum-version-t tests/perl/module-version-t \ | ||
- tests/perl/strict-t tests/server/admin-t tests/server/backend-t \ | ||
- tests/server/keytab-t tests/server/report-t tests/tap/kerberos.sh \ | ||
- tests/tap/libtap.sh tests/tap/perl/Test/RRA.pm \ | ||
- tests/tap/perl/Test/RRA/Automake.pm \ | ||
- tests/tap/perl/Test/RRA/Config.pm \ | ||
- tests/tap/perl/Test/RRA/ModuleVersion.pm tests/tap/remctl.sh \ | ||
+EXTRA_DIST = .gitignore .travis.yml LICENSE autogen client/wallet.pod \ | ||
+ client/wallet-rekey.pod config/allow-extract config/keytab \ | ||
+ config/keytab.acl config/wallet config/wallet-report.acl \ | ||
+ docs/design contrib/README contrib/commerzbank/wallet-history \ | ||
+ contrib/convert-srvtab-db contrib/used-principals \ | ||
+ contrib/wallet-contacts contrib/wallet-rekey-periodic \ | ||
+ contrib/wallet-rekey-periodic.8 contrib/wallet-summary \ | ||
+ contrib/wallet-summary.8 contrib/wallet-unknown-hosts \ | ||
+ contrib/wallet-unknown-hosts.8 docs/design-acl docs/design-api \ | ||
+ docs/netdb-role-api docs/notes docs/objects-and-schemes docs/setup \ | ||
+ docs/stanford-naming examples/stanford.conf \ | ||
+ server/keytab-backend.in server/wallet-admin.in \ | ||
+ server/wallet-backend.in server/wallet-report.in tests/HOWTO \ | ||
+ tests/TESTS tests/config/README tests/data/allow-extract \ | ||
+ tests/data/basic.conf tests/data/cmd-fake tests/data/cmd-wrapper \ | ||
+ tests/data/fake-data tests/data/fake-kadmin tests/data/fake-keytab \ | ||
+ tests/data/fake-keytab-2 tests/data/fake-keytab-foreign \ | ||
+ tests/data/fake-keytab-merge tests/data/fake-keytab-old \ | ||
+ tests/data/fake-keytab-partial \ | ||
+ tests/data/fake-keytab-partial-result tests/data/fake-keytab-rekey \ | ||
+ tests/data/fake-keytab-unknown tests/data/fake-srvtab \ | ||
+ tests/data/full.conf tests/data/perl.conf tests/data/wallet.conf \ | ||
+ tests/docs/pod-spelling-t tests/docs/pod-t \ | ||
+ tests/perl/minimum-version-t tests/perl/module-version-t \ | ||
+ tests/perl/strict-t tests/server/admin-t tests/server/backend-t \ | ||
+ tests/server/keytab-t tests/server/report-t tests/tap/kerberos.sh \ | ||
+ tests/tap/libtap.sh tests/tap/perl/Test/RRA.pm \ | ||
+ tests/tap/perl/Test/RRA/Automake.pm \ | ||
+ tests/tap/perl/Test/RRA/Config.pm \ | ||
+ tests/tap/perl/Test/RRA/ModuleVersion.pm tests/tap/remctl.sh \ | ||
tests/util/xmalloc-t $(PERL_FILES) | ||
|
||
# Supporting convenience libraries used by other targets. | ||
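Review bot: this hunk rewrites the entire EXTRA_DIST list when the only change is adding the four server/*.in templates; inserting `server/keytab-backend.in server/wallet-admin.in \` and `server/wallet-backend.in server/wallet-report.in \` between the examples/stanford.conf and tests/HOWTO lines is the same change with a much smaller diff and a far easier upstream merge. A short comment that the .in files must be distributed because the generated server/* scripts are no longer in dist_sbin_SCRIPTS (next hunk) would also help the next maintainer.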
@@ -150,7 +152,7 @@ client_libwallet_a_CPPFLAGS = $(REMCTL_CPPFLAGS) $(KRB5_CPPFLAGS) | ||
|
||
# The client and server programs. | ||
bin_PROGRAMS = client/wallet client/wallet-rekey | ||
-dist_sbin_SCRIPTS = server/keytab-backend server/wallet-admin \ | ||
+sbin_SCRIPTS = server/keytab-backend server/wallet-admin \ | ||
server/wallet-backend server/wallet-report | ||
client_wallet_CPPFLAGS = $(REMCTL_CPPFLAGS) $(KRB5_CPPFLAGS) | ||
client_wallet_LDFLAGS = $(REMCTL_LDFLAGS) $(KRB5_LDFLAGS) | ||
@@ -209,14 +211,30 @@ warnings: | ||
KRB5_CPPFLAGS='$(KRB5_CPPFLAGS_GCC)' $(check_PROGRAMS) | ||
|
||
# Remove some additional files. | ||
-CLEANFILES = perl/t/lib/Test/RRA.pm perl/t/lib/Test/RRA/Automake.pm \ | ||
- perl/t/lib/Test/RRA/Config.pm | ||
+CLEANFILES = perl/t/lib/Test/RRA.pm perl/t/lib/Test/RRA/Automake.pm \ | ||
+ perl/t/lib/Test/RRA/Config.pm server/keytab-backend \ | ||
+ server/wallet-admin server/wallet-backend server/wallet-report | ||
MAINTAINERCLEANFILES = Makefile.in aclocal.m4 build-aux/compile \ | ||
build-aux/depcomp build-aux/install-sh build-aux/missing \ | ||
client/wallet.1 config.h.in config.h.in~ configure \ | ||
contrib/wallet-report.8 server/keytab-backend.8 \ | ||
server/wallet-admin.8 server/wallet-backend.8 server/wallet-report.8 | ||
|
||
+# For each of the Perl scripts, we need to fill in the path to the Perl | ||
+# binary that was located during configuration. | ||
+server/keytab-backend: $(srcdir)/server/keytab-backend.in Makefile | ||
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/keytab-backend.in >$@ | ||
+ chmod a+x $@ | ||
+server/wallet-admin: $(srcdir)/server/wallet-admin.in Makefile | ||
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-admin.in >$@ | ||
+ chmod a+x $@ | ||
+server/wallet-backend: $(srcdir)/server/wallet-backend.in Makefile | ||
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-backend.in >$@ | ||
+ chmod a+x $@ | ||
+server/wallet-report: $(srcdir)/server/wallet-report.in Makefile | ||
+ sed 's|\@PERL\@|$(PERL)|' <$(srcdir)/server/wallet-report.in >$@ | ||
+ chmod a+x $@ | ||
+ | ||
# Take appropriate actions in the Perl directory as well. We don't want to | ||
# always build the Perl directory in all-local, since otherwise Automake does | ||
# this for every target, which overrides some hacks we have to do for Debian | ||
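Review bot: each of the four sed rules leaves a truncated but still present `$@` behind if sed fails, because the shell opens `>$@` before sed runs and make does not remove the target on error by default; on the next run the half-written script is newer than its .in and is treated as up to date. Write to a temporary and rename, e.g. `sed 's|@PERL@|$(PERL)|' <$(srcdir)/server/wallet-admin.in >$@.tmp && chmod a+x $@.tmp && mv $@.tmp $@`. Also, `$(PERL)` goes into the sed replacement unescaped, so a Perl path containing `|` or `&` (`&` stands for the matched text in sed) yields a wrong shebang; and `\@` is an undefined escape in a POSIX basic regex, plain `@` works everywhere. The four identical recipes could be a single `.in:` suffix rule with `SUFFIXES = .in` instead of being copied per script.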
@@ -236,7 +254,7 @@ perl/blib/lib/Wallet/Config.pm: $(srcdir)/perl/lib/Wallet/Config.pm | ||
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA.pm perl/t/lib/Test/ | ||
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA/Config.pm \ | ||
perl/t/lib/Test/RRA/ | ||
- cd perl && perl Build.PL $(WALLET_PERL_FLAGS) | ||
+ cd perl && $(PERL) Build.PL $(WALLET_PERL_FLAGS) | ||
cd perl && ./Build | ||
|
||
# This is a really ugly hack to only honor prefix when running make install |
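Review bot: the `cd perl && ./Build` context line right after the changed line still depends on the shebang Module::Build wrote into `Build`; that is the interpreter which ran Build.PL, so it is consistent with `$(PERL)`, but `cd perl && $(PERL) Build` would make the choice explicit and keep the build working when the build tree is on a noexec mount. Worth changing in the same hunk, or a one-line comment explaining why it is safe as is.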
@@ -0,0 +1,28 @@ | ||
--- README.orig | ||
+++ README | ||
@@ -183,14 +183,21 @@ BUILD AND INSTALLATION | ||
must be specified either in krb5.conf configuration or on the wallet | ||
command line or the client will exit with an error. | ||
|
||
+ By default, wallet uses whatever perl executable exists in the current $PATH. | ||
+ That Perl's path is what the server scripts will use, and that Perl's | ||
+ configuration will be used to determine where the server Perl modules will be | ||
+ installed. | ||
+ | ||
+ To specify a particular Perl executable to use, either set the PERL | ||
+ environment variable or pass it to configure like: | ||
+ | ||
+ ./configure PERL=/path/to/my/perl | ||
+ | ||
By default, wallet installs itself under /usr/local except for the | ||
server Perl modules, which are installed into whatever default site | ||
module path is used by your Perl installation. To change the | ||
installation location of the files other than the Perl modules, pass the | ||
- --prefix=DIR argument to configure. To change the Perl module | ||
- installation location, you will need to run perl on Makefile.PL in the | ||
- perl subdirectory of the build tree with appropriate options and rebuild | ||
- the module after running make and before running make install. | ||
+ --prefix=DIR argument to configure. | ||
|
||
If remctl was installed in a path not normally searched by your | ||
compiler, you must specify its installation prefix to configure with the |
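Review bot: the deleted paragraph told users how to relocate the server Perl modules (rerun Build.PL with options), and the new text only says that the selected Perl's configuration decides the location, so that ability is now undocumented. Since the Makefile.am change in this commit runs `$(PERL) Build.PL $(WALLET_PERL_FLAGS)`, document that make variable here, e.g. `make WALLET_PERL_FLAGS='--install_base /opt/wallet'` (--install_base being Module::Build's own option). Wording: "That Perl's path is what the server scripts will use" is awkward; "The #! line of the server scripts will point at that Perl" says what is meant. The added blank lines carry a trailing space after the `+`, which tools that reject trailing whitespace will flag.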