Add password charset, add checksum, allow quilt

debian/changelog

@@ -1,3 +1,114 @@
+wallet (1.4-14) unstable; urgency=medium
+
+  * Disable depreciation warning for opensslv1. This is an emergency
+    patch to support the opensslv1 warning for the default encryption
+    message.  This warning is affecting production systems negatively.
+    To resolve this problem a method will be implemented that allows
+    the transition to any encryption method supported by Crypt::CBC.
+
+ -- Bill MacAllister <whm@dropbox.com>  Mon, 28 Aug 2023 23:35:39 -0700
+
+wallet (1.4-13) unstable; urgency=medium
+
+  * Expand the allow ldap-attr ACL specification to include a full
+    ldap filter.  At the same time remove the compare search and
+    perform the access test in a single LDAP search.
+
+ -- Bill MacAllister <bill@ca-zephyr.org>  Fri, 18 Nov 2022 08:05:41 +0000
+
+wallet (1.4-12) unstable; urgency=medium
+
+  * Correct double encryption problem when transitioning to encrypted
+    password storage.
+
+ -- Bill MacAllister <whm@dropbox.com>  Thu, 23 Jun 2022 06:33:15 +0000
+
+wallet (1.4-11) unstable; urgency=medium
+
+  * Remove support for WebAuth keyrings.
+
+ -- Bill MacAllister <bill@ca-zephyr.org>  Sat, 18 Jun 2022 02:42:15 +0000
+
+wallet (1.4-10) unstable; urgency=medium
+
+  * Correct problem with transition of unencrypted file and password
+    objects to encrypted objected.
+
+ -- Bill MacAllister <whm@dropbox.com>  Sun, 12 Jun 2022 18:28:16 +0000
+
+wallet (1.4-9) unstable; urgency=medium
+
+  * Correct the default value used for the maximum of a "computer
+    name" used when creating AD keytabs.
+
+ -- Bill MacAllister <whm@dropbox.com>  Mon, 16 Aug 2021 18:17:30 +0000
+
+wallet (1.4-8) unstable; urgency=medium
+
+  * Updates to checkfile support.
+    - The POD was updated with the original checkfile changes, but a
+      new man page was not generated.  This change updates the man page
+      for the client.
+    - When issuing a checkfile command against an password object that
+      exists but has not been stored yet a warning message was being
+      generated.  This warning is confusing since the command succeeds
+      since the password is generated and downloaded.
+
+ -- Bill MacAllister <whm@dropbox.com>  Mon, 14 Dec 2020 19:39:40 +0000
+
+wallet (1.4-7) unstable; urgency=medium
+
+  * Add the checkfile command to the wallet client.  checkfile uses
+    md5 checksums to determine if a file/password object has changed
+    and performs a get only if the object has changed.
+
+ -- Bill MacAllister <whm@dropbox.com>  Thu, 16 Jul 2020 16:55:34 +0000
+
+wallet (1.4-6) unstable; urgency=medium
+
+  * Rename the configuratiion variable LDAP_SECRET_PREFIX to
+    ENCRYPTION_PREFIX.
+  * Improve error messaging when attempting to retrieve the encryption
+    secret from LDAP.
+  * Trap the case when ENCRYPTION_PREFIX is specified and the required
+    LDAP variables are not.
+
+ -- Bill MacAllister <whm@dropbox.com>  Wed, 10 Jun 2020 23:16:34 +0000
+
+wallet (1.4-5) unstable; urgency=medium
+
+  * Add password generation options supporting generation of password
+    using selected Crypt::HSXKPasswd presets or a custom routine.
+  * Add encryption of password objects.
+  * Add support for custom encryption methods.
+
+ -- Bill MacAllister <whm@dropbox.com>  Sat, 23 May 2020 01:15:25 +0000
+
+wallet (1.4-4) unstable; urgency=medium
+
+  * Add support for encrypting file objects.
+  * Update object class error reporting to make it more obvious when
+    an object is not defined correctly in the wallet database.
+  * Request the presence of the GSSAPI module is either LDAP ACL
+    support or encrypted object support is enabled.
+
+ -- Bill MacAllister <whm@dropbox.com>  Thu, 23 Apr 2020 22:25:13 +0000
+
+wallet (1.4-3) unstable; urgency=medium
+
+  * Allow the specification of valid characters to be used when
+    generating passwords.
+  * Add the command checksum to return the checksum of file objects.
+  * Patches to allow the use of quilt.
+
+ -- Bill MacAllister <whm@dropbox.com>  Mon, 30 Sep 2019 18:39:21 +0000
+
+wallet (1.4-2) unstable; urgency=medium
+
+  * Dropbox only release
+
+ -- Bill MacAllister <whm@dropbox.com>  Sun, 06 Jan 2019 19:49:07 +0000
+
 wallet (1.4-1) unstable; urgency=medium
 
   * New upstream release.

debian/control

@@ -6,12 +6,16 @@ Bugs: mailto:rra@debian.org
 Build-Depends:
  debhelper (>= 11),
  libauthen-sasl-perl,
+ libcrypt-blowfish-perl,
+ libcrypt-cbc-perl,
  libcrypt-generatepassword-perl,
  libdatetime-format-sqlite-perl,
  libdatetime-perl,
  libdbd-sqlite3-perl,
  libdbi-perl,
  libdbix-class-perl,
+ libfile-slurp-perl,
+ libgssapi-perl,
  libheimdal-kadm5-perl,
  libipc-run-perl,
  libjson-perl,
@@ -23,12 +27,12 @@ Build-Depends:
  libnet-remctl-perl,
  libperl6-slurp-perl,
  libremctl-dev,
+ libssl-dev,
  libsql-translator-perl,
  libtest-minimumversion-perl,
  libtest-pod-perl,
  libtest-strict-perl,
  libtimedate-perl,
- libwebauth-perl,
  perl,
  sqlite3,
 Rules-Requires-Root: no
@@ -82,6 +86,7 @@ Depends:
  libdbd-sqlite3-perl | libdbd-mysql-perl | libdbd-pg-perl,
  libdbi-perl,
  libdbix-class-perl,
+ libfile-slurp-perl,
  libsql-translator-perl,
  libtimedate-perl,
  remctl-server,
@@ -92,14 +97,16 @@ Recommends:
  remctl-server (>= 2.14),
 Suggests:
  libauthen-sasl-perl,
+ libcrypt-blowfish-perl,
+ libcrypt-cbc-perl,
  libcrypt-generatepassword-perl,
+ libgssapi-perl,
  libipc-run-perl,
  libjson-perl,
  libnet-duo-perl,
  libnet-ldap-perl,
  libnet-remctl-perl,
  libperl6-slurp-perl,
- libwebauth-perl (>= 4.4.0),
 Description: Kerberos-authenticated secure data management server
  The wallet is a system for managing secure data, authorization rules to
  retrieve or change that data, and audit rules for documenting actions

debian/patches/0001-allow-quilt.patch

@@ -0,0 +1,25 @@
+diff --git a/tests/docs/spdx-license-t b/tests/docs/spdx-license-t
+index 91072bf..a55b054 100755
+--- a/tests/docs/spdx-license-t
++++ b/tests/docs/spdx-license-t
+@@ -72,6 +72,7 @@ my @IGNORE_PATHS = (
+     qr{ \A php/ltmain [.] sh \z }xms,          # Created by phpize
+     qr{ \A php/run-tests [.] php \z }xms,      # Created by phpize
+     qr{ [.] l?a \z }xms,                       # Created by libtool
++    qr{ [.] pc/ }xms,                          # Created by quilt
+ );
+ ## use critic
+
+diff --git a/tests/tap/perl/Test/RRA/Automake.pm b/tests/tap/perl/Test/RRA/Automake.pm
+index 69fff6a..1a785ff 100644
+--- a/tests/tap/perl/Test/RRA/Automake.pm
++++ b/tests/tap/perl/Test/RRA/Automake.pm
+@@ -74,7 +74,7 @@ BEGIN {
+ # Directories to skip globally when looking for all files, or for directories
+ # that could contain Perl files.
+ my @GLOBAL_SKIP = qw(
+-  .git _build autom4te.cache build-aux perl/_build perl/blib
++  .git _build autom4te.cache build-aux perl/_build perl/blib debian .pc
+ );
+
+ # Additional paths to skip when building a list of all files in the

debian/patches/0002-password-charset.patch

@@ -0,0 +1,40 @@
+diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm
+index 60f0e10..66d433f 100644
+--- a/perl/lib/Wallet/Config.pm
++++ b/perl/lib/Wallet/Config.pm
+@@ -298,6 +298,15 @@ is run before data is stored.
+
+ our $PWD_LENGTH_MAX = 21;
+
++=item PWD_CHARACTERS
++
++A string that contains valid characters to be used in generating
++passwords.  The default is to allow any printable character.
++
++=cut
++
++our $PWD_CHARACTERS = '';
++
+ =back
+
+ =head1 KEYTAB OBJECT CONFIGURATION
+diff --git a/perl/lib/Wallet/Object/Password.pm b/perl/lib/Wallet/Object/Password.pm
+index 336aa9d..f581c18 100644
+--- a/perl/lib/Wallet/Object/Password.pm
++++ b/perl/lib/Wallet/Object/Password.pm
+@@ -81,6 +81,15 @@ sub retrieve {
+         }
+         my $pass = chars ($Wallet::Config::PWD_LENGTH_MIN,
+                           $Wallet::Config::PWD_LENGTH_MAX);
++        if ($Wallet::Config::PWD_CHARACTERS) {
++            my @pw_chars = ();
++            for (my $i=0; $i<length($Wallet::Config::PWD_CHARACTERS); $i++) {
++                push @pw_chars, substr($Wallet::Config::PWD_CHARACTERS, $i, 1);
++            }
++            $pass = chars ($Wallet::Config::PWD_LENGTH_MIN,
++                           $Wallet::Config::PWD_LENGTH_MAX,
++                           \@pw_chars);
++        }
+         print FILE $pass;
+         $self->log_action ('store', $user, $host, $time);
+         unless (close FILE) {

debian/patches/0003-checksum.patch

@@ -0,0 +1,124 @@
+--- a/perl/lib/Wallet/Config.pm
++++ b/perl/lib/Wallet/Config.pm
+@@ -1038,6 +1038,25 @@ Obvious improvements could be made, such
+ the slash for a C<host/> ACL looked like a host name and the part after a
+ slash for a C<user/> ACL look like a user name.
+
++=head1 FILE CHECKSUMS
++
++By default a file objects checksum some will be calculated using the
++perl function md5_hex of the Digest::MD5 module.  This behavior can be
++overriden by defining a perl function in the configuration file named
++file_checksum that returns a checksum for the file.
++
++For example, the following file_checksub function returns the MD5 hash
++as a base64 string.
++
++    sub file_checksum {
++        my ($path) = @_;
++        open(my $fh, '<', $path) or die "ERROR: reading $filename";
++        binmode($fh);
++        my $cs = Digest::MD5->new->addfile($fh)->b64digest, "\n";
++        close $fh;
++        return $cs;
++    }
++
+ =head1 ENVIRONMENT
+
+ =over 4
+--- a/perl/lib/Wallet/Object/File.pm
++++ b/perl/lib/Wallet/Object/File.pm
+@@ -19,6 +19,7 @@ use warnings;
+
+ use Digest::MD5 qw(md5_hex);
+ use File::Copy qw(move);
++use File::Slurp;
+ use Wallet::Config;
+ use Wallet::Object::Base;
+
+@@ -146,6 +147,26 @@ sub get {
+     return $data;
+ }
+
++# Return an check sum of a file
++sub checksum {
++    my ($self, $user, $host, $time) = @_;
++    $time ||= time;
++    my $id = $self->{type} . ':' . $self->{name};
++    if ($self->flag_check ('locked')) {
++        $self->error ("cannot get $id: object is locked");
++        return;
++    }
++    my $path = $self->file_path;
++    my $this_checksum;
++    if (defined (&Wallet::Config::file_checksum)) {
++        $this_checksum = Wallet::Config::file_checksum($path);
++    } else {
++        $this_checksum = md5_hex(read_file($path));
++    }
++    $self->log_action ('checksum', $user, $host, $time);
++    return $this_checksum;
++}
++
+ # Store the file on the wallet server.
+ sub store {
+     my ($self, $data, $user, $host, $time) = @_;
+@@ -242,6 +263,13 @@ HOSTNAME, and DATETIME are stored as his
+ should be the user who is downloading the keytab.  If DATETIME isn't
+ given, the current time is used.
+
++=item checksum(PRINCIPAL, HOSTNAME [, DATETIME])
++
++Retrieves the checksum for contents of the file object or undef on
++error.  PRINCIPAL, HOSTNAME, and DATETIME are stored as history
++information.  PRINCIPAL should be the user who is downloading the
++keytab.  If DATETIME isn't given, the current time is used.
++
+ =item store(DATA, PRINCIPAL, HOSTNAME [, DATETIME])
+
+ Store DATA as the current contents of the file object.  Any existing data
+--- a/server/wallet-backend.in
++++ b/server/wallet-backend.in
+@@ -196,6 +196,14 @@ sub command {
+         } else {
+             print $status ? "yes\n" : "no\n";
+         }
++    } elsif ($command eq 'checksum') {
++        check_args (2, 2, [], @args);
++        my $output = $server->checksum (@args);
++        if (defined $output) {
++            print $output;
++        } else {
++            failure ($server->error, @_);
++        }
+     } elsif ($command eq 'comment') {
+         check_args (2, 3, [3], @args);
+         if (@args > 2) {
+--- a/perl/lib/Wallet/Server.pm
++++ b/perl/lib/Wallet/Server.pm
+@@ -499,6 +499,25 @@ sub check {
+     return 1;
+ }
+
++# Returns the checksum for a file or password object.
++sub checksum {
++    my ($self, $type, $name) = @_;
++    if ($type ne 'file' && $type ne 'password') {
++        $self->error ("Invalid type ${type}");
++        return;
++    }
++    my $object = $self->retrieve ($type, $name);
++    if (!defined $object) {
++	return;
++    }
++    if (!$self->acl_verify ($object, 'get')) {
++	return;
++    }
++    my $result = $object->checksum($self->{user}, $self->{host});
++    $self->error ($object->error) unless defined $result;
++    return $result;
++}
++
+ # Retrieve the information associated with an object, or returns undef and
+ # sets the internal error if the retrieval fails or if the user isn't
+ # authorized.  If the object doesn't exist, attempts dynamic creation of the

debian/patches/0004-news.patch

@@ -0,0 +1,24 @@
+diff --git a/NEWS b/NEWS
+index be636b4..a5f310b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,19 @@
+                        User-Visible wallet Changes
+
++wallet 1.4-3 (2019-09-30)
++
++    Two new features have been added to wallet with this release.
++
++    A valid set of characters to be used when generating a password
++    can be specified.  This allows for a variety of password policies
++    include use of only lower case characters, excluding the use of
++    upper case O, etc.
++
++    The checksum command had been added that returns the checksum of
++    a file object.  This makes it simpler to integrate the use of
++    wallet with configuration management systems such as puppet and
++    chef.
++
+ wallet 1.4 (2018-06-03)
+
+     Substantial improvements to Active Directory support: Add a