Commit 51f5d9fb authored by Alex Tayts's avatar Alex Tayts

add a check for corrupted keytab

parent bcc73fad
......@@ -20,13 +20,38 @@ Puppet::Type.type(:wallet).provide(:wallet) do
# is destined to deletion
return true if @resource[:ensure] == :absent
if @resource[:verify]
# if file is a keytab, read what's in it
begin
if File.file?("/usr/bin/heimtools")
# Heimdal Kerberos is installed
princs = ktutil("-k", @resource[:path], "list").split("/n")
else
# MIT Kerberos is installed
princs = klist("-k", @resource[:path]).split("/n")
end
# Check if a principal we need is present. If absent,
# we do not need further verification
return (princs.any? { |s| s.include?(@resource[:name])})
rescue
# Keytab is damaged, get it out of the way
# and require a refresh from wallet.
Puppet.notice("#{@resource.instance_variable_get(:@path)}: keytab '#{@resource[:path]}' is damaged. Renaming to '#{@resource[:path]}.bad'")
File.rename(@resource[:path], "#{@resource[:path]}.bad")
return false
end
if (@resource[:verify] == :true)
if @resource[:type].to_s == "keytab"
# try to get TGT with the keytab
kstart("-Uqf", @resource[:path])
exists = ($?.exitstatus == 0)
# cleanup the ticket after we got it
kdestroy() if exists
begin
# try to get a ticket with the keytab
kstart("-q", "-f", @resource[:path], @resource[:name])
# cleanup the keytab
kdestroy()
exists = true
rescue
exists = false
end
else
# checksum the wallet object and compare to a
# local file
......@@ -45,24 +70,8 @@ Puppet::Type.type(:wallet).provide(:wallet) do
exists = (object_md5.to_s == local_md5.to_s)
end
else
# if a file is a keytab, make sure it has a key for
# the principal we need. For other types of objects existence
# of a file is enough.
if @resource[:type].to_s == "keytab"
# Determine whether MIT Kerberos is intalled or Heimdal
# Check for one of the files which comes with heimdal-clients package
if File.file?("/usr/bin/heimtools")
# heimdal Kerberos is installed
princs = ktutil("-k", @resource[:path], "list").split("/n")
exists = (princs.any? { |s| s.include?(@resource[:name])})
else
# MIT Kerberos is installed
princs = klist("-k", @resource[:path]).split("/n")
exists = (princs.any? { |s| s.include?(@resource[:name])})
end
else
exists = true
end
# Verification not requested. Existence of a file is enough.
exists = true
end
else
# file doesn't exist
......@@ -73,6 +82,7 @@ Puppet::Type.type(:wallet).provide(:wallet) do
end
#### create resource
##############################
......@@ -87,11 +97,11 @@ Puppet::Type.type(:wallet).provide(:wallet) do
raise Puppet::Error, "Failed to acquire wallet object. #{@resource.class.name} #{@resource.name}: #{detail}", detail.backtrace
end
# set initial permissions and ownership as requested
File.chmod(Integer("0" + @resource[:mode].to_s), @resource[:path]) unless @resource[:mode].nil?
File.chown(arg_to_uid(@resource[:owner]), arg_to_gid(@resource[:group]), @resource[:path]) unless (@resource[:owner].nil? or @resource[:group].nil?)
File.chown(arg_to_uid(@resource[:owner]), arg_to_gid(@resource[:group]), @resource[:path]) unless (@resource[:owner].nil? and @resource[:group].nil?)
end
#### destroy resource
##############################
......@@ -101,6 +111,7 @@ Puppet::Type.type(:wallet).provide(:wallet) do
end
#### manage properties
##############################
......@@ -129,6 +140,7 @@ Puppet::Type.type(:wallet).provide(:wallet) do
end
#### helper functions
##############################
......@@ -158,4 +170,5 @@ Puppet::Type.type(:wallet).provide(:wallet) do
end
end
end
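Review bot: The `return (princs.any? { |s| s.include?(@resource[:name])})` at the end of the new `begin` block exits the method on both outcomes, so once `@resource[:verify]` is set the `if (@resource[:verify] == :true)` branch beneath it — including the newly added `kstart`/`kdestroy` ticket check — and the trailing `else` are unreachable; the comment above it says the intent is to stop only when the principal is absent, i.e. `return false unless princs.any? { |s| s.include?(@resource[:name]) }`. The bare `rescue` then renames the managed file to `.bad` on any error at all, not only a corrupt keytab — a failing or missing `klist`/`ktutil`, an unreadable file, or a non-keytab object (no `@resource[:type]` guard is visible in the hunk, though one may sit outside it) would each lose the file, so the block should be entered only for keytabs and rescue `Puppet::ExecutionFailure` rather than everything. `split("/n")` on the `ktutil`/`klist` output splits on a literal slash-n rather than a newline (`"\n"`), so `princs` is a single string and the per-principal check only works by accident through substring matching. The enclosing method starts before the hunk.
```ruby
if @resource[:verify] && @resource[:type].to_s == "keytab"
  begin
    princs = if File.file?("/usr/bin/heimtools")
               ktutil("-k", @resource[:path], "list").split("\n")
             else
               klist("-k", @resource[:path]).split("\n")
             end
    # Absent principal: no further verification is needed.
    return false unless princs.any? { |s| s.include?(@resource[:name]) }
  rescue Puppet::ExecutionFailure
    # … unchanged: notice, rename to .bad, return false …
  end
end
if (@resource[:verify] == :true)
```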