# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
PortSystem 1.0
PortGroup perl5 1.0
perl5.branches 5.26
name wallet
version 1.3
revision 1
categories net security
license MIT
maintainers kornel.us:karl openmaintainer
description Kerberos-authenticated secure data management
long_description The wallet is a system for managing secure data, \
authorization rules to retrieve or change that data, \
and audit rules for documenting actions taken on that \
data. Objects of various types may be stored in the \
wallet or generated on request and retrieved by \
authorized users. The wallet tracks ACLs, metadata, \
and trace information. It uses Kerberos \
authentication. One of the object types it supports \
is Kerberos keytabs, making it suitable as a \
user-accessible front-end to Kerberos kadmind with \
richer ACL and metadata operations.
homepage http://eyrie.org/~eagle/software/wallet/
platforms darwin
master_sites http://archives.eyrie.org/software/kerberos/ \
http://archives.eyrie.org/software/ARCHIVE/wallet/
checksums rmd160 188b3561fcffe99342fcfb1312b58df3f3d919b5 \
sha256 676d3d6e407509fc9da1dd87d98fadc71920dabfbc4bdeb8cde5e2bc937268b8
# Start with the dependencies we know we need
depends_lib-append port:kerberos5 \
port:remctl
# Add a dependency on Module::Build
if {${perl5.major} != ""} {
depends_lib-append port:p${perl5.major}-module-build
}
# wallet 1.3 does not support Perl paths other than /usr/bin/perl, nor does it
# support perl binaries not named "perl". The perl/Build.PL script is also
# missing some testing prerequisites.
# Since we are patching autoconf and automake files, we need autoreconf.
patchfiles patch-autogen.diff \
patch-configure.ac.diff \
patch-Makefile.am.diff \
patch-README.diff \
patch-perl-Build.PL.diff \
patch-portable-system.h.diff \
patch-rename-server-keytab-backend.diff \
patch-rename-server-wallet-admin.diff \
patch-rename-server-wallet-backend.diff \
patch-rename-server-wallet-report.diff \
patch-tests-client-full-t.in.diff \
patch-tests-client-prompt-t.in.diff
use_autoreconf yes
# Use configure, and pass in the paths to MacPorts kerberos5, remctl, and perl.
configure.args --enable-reduced-depends \
--with-remctl=${prefix} \
PATH_KRB5_CONFIG=${prefix}/bin/krb5-config \
PERL=${prefix}/bin/perl${perl5.major}
# Our top-level port installs the Wallet client.
# The Wallet client is just a couple of binaries, plus man pages and docs.
# We override the destroot to just install client stuff.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/wallet
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/wallet
# Install the wallet client executables
# ${destroot}${prefix}/bin already exists
xinstall -m 755 ${worksrcpath}/client/wallet \
${worksrcpath}/client/wallet-rekey \
${destroot}${prefix}/bin
# Install the wallet client man pages
xinstall -d ${destroot}${prefix}/share/man/man1
xinstall -m 644 ${worksrcpath}/client/wallet.1 \
${worksrcpath}/client/wallet-rekey.1 \
${destroot}${prefix}/share/man/man1
}
# The Wallet server is entirely Perl, spawned by the remctl daemon.
# TODO: Patch wallet remctl config files to use ${destroot}${prefix}
subport wallet-server {
# We can't use perl5.setup because it overrides alot of settings that
# we need.
#perl5.setup Wallet 1.003
long_description-append The wallet server, run by remctld, maintains \
the database of object metadata and secure \
objects, and responds to requests from the \
wallet client.
if {${perl5.major} != ""} {
depends_lib-append port:p${perl5.major}-datetime \
port:p${perl5.major}-dbi \
port:p${perl5.major}-dbix-class \
port:p${perl5.major}-digest-md5 \
port:p${perl5.major}-sql-translator \
port:p${perl5.major}-timedate
depends_build-append port:p${perl5.major}-crypt-generatepassword \
port:p${perl5.major}-datetime-format-sqlite
}
# TODO: Tests have a Stanford-specific part, and a NetDB-verifier part,
# which need to be disabled.
# test.run yes
# test.target check
# We have our own destroot process, to install just server bits.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/${subport}
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/${subport}
# If installing the server or kdc variants, make common directories
# These are also created by wallet-kdc
xinstall -d ${destroot}${prefix}/etc/remctl/acl
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d
# Install a set of starter remctl ACLs and configurations
# ${destroot}${prefix}/etc/remctl/acl is created above
xinstall -m 644 ${worksrcpath}/config/wallet-report.acl \
${destroot}${prefix}/etc/remctl/acl/wallet-report
# ${destroot}${prefix}/etc/remctl/conf.d is created above
xinstall -m 644 ${worksrcpath}/config/wallet \
${destroot}${prefix}/etc/remctl/conf.d/wallet
# Install the wallet server executables
# ${destroot}${prefix}/sbin already exists
xinstall -m 755 ${worksrcpath}/server/wallet-admin \
${worksrcpath}/server/wallet-backend \
${worksrcpath}/server/wallet-report \
${destroot}${prefix}/sbin
# Install the wallet server man pages
# ${destroot}${prefix}/share/man/man8 already exists
xinstall -m 644 ${worksrcpath}/server/wallet-admin.8 \
${worksrcpath}/server/wallet-backend.8 \
${worksrcpath}/server/wallet-report.8 \
${destroot}${prefix}/share/man/man8
# Install protocol documentataion
xinstall -m 644 {*}[glob ${worksrcpath}/docs/*] \
${destroot}${prefix}/share/doc/${subport}
# The Perl components of Wallet server are installed by a
# Module::Build installer that is normally run by the Makefile.
# PERL_INSTALL_ROOT is used to set the destroot path; we don't
# set a prefix because that is already configured into MacPorts
# Perl, and so Module::Build uses it automatically.
system "env 'PERL_INSTALL_ROOT=${destroot}' '${prefix}/bin/perl${perl5.major}' '${worksrcpath}/perl/Build' 'install'"
}
# We have some post-activation setup that the user needs to do.
notes-append "
Before using the Wallet server, you will need to choose a database\
backend to use. MySQL, Postgres, and SQLite are known to work.\
Then you will need to install the p5-datetime-format-* and p5-dbd-*\
ports that match the database backend you chose.
If you want to support getting keytabs through Wallet, then your KDC\
will need to have the wallet-kdc port installed.
Other Perl modules may be required, depending on what you want to\
support. Read ${prefix}/share/doc/wallet/setup\
for additional server configuration instructions.
Wallet server runs via remctl, so be sure that remctld is running,\
and is configured correctly!
"
}
# wallet-kdc just installs a couple of helper files that a Kerberos 5 KDC
# can use to generate unchanging keytabs for a Wallet server.
# TODO: Patch keytab and wallet remctl config files to use ${destroot}${prefix}
subport wallet-kdc {
long_description-append This port contains a remctl script, to be \
run on the Kerberos 5 KDC, that will generate \
keytabs at the request of a Wallet server. This \
variant is only meant to be installed on a KDC, \
and does not include Wallet server or client.
# We have our own destroot process, to install just KDC bits.
destroot {
# First, install common files from the distribution
xinstall -d ${destroot}${prefix}/share/doc/${subport}
xinstall -m 644 ${worksrcpath}/LICENSE \
${worksrcpath}/NEWS \
${worksrcpath}/README \
${worksrcpath}/TODO \
${destroot}${prefix}/share/doc/${subport}
# Create some common directories.
# (These are also created by wallet-server)
xinstall -d ${destroot}${prefix}/etc/remctl/acl
xinstall -d ${destroot}${prefix}/etc/remctl/conf.d
# Install a stub KDC ACL that keytab-backend will use
xinstall -d ${destroot}${prefix}/etc/krb5kdc
xinstall -m 640 ${worksrcpath}/config/allow-extract \
${destroot}${prefix}/etc/krb5kdc/allow-extract
# Install example remctl ACLs and configurations
# ${destroot}${prefix}/etc/remctl/acl is created above
xinstall -m 644 ${worksrcpath}/config/keytab.acl \
${destroot}${prefix}/etc/remctl/acl/keytab
# ${destroot}${prefix}/etc/remctl/conf.d is created above
xinstall -m 644 ${worksrcpath}/config/keytab \
${destroot}${prefix}/etc/remctl/conf.d/keytab
# Install the keytab-backend executable
# ${destroot}${prefix}/sbin already exists
xinstall -m 755 ${worksrcpath}/server/keytab-backend \
${destroot}${prefix}/sbin
# Install the keytab-backend man page
# ${destroot}${prefix}/share/man/man8 already exists
xinstall -m 644 ${worksrcpath}/server/keytab-backend.8 \
${destroot}${prefix}/share/man/man8/keytab-backend.8
}
# We have some post-activation setup that the user needs to do.
notes-append "
To configure your KDC to generate keytabs for the Wallet server,\
you will need to configure etc/krb5kdc/allow-extract, as well as\
/etc/remctl/acl/keytab. This uses remctl, so remctld must also\
be running and configured properly.
"
}