Fix POD stopwords for heimdal-history

[kerberos/krb5-strength.git] / tools / heimdal-history

diff --git a/tools/heimdal-history b/tools/heimdal-history
index 9eb7ba7f272019007591c4e83061d370683d6958..e0d3ec93d2f87f5b7edff26dbf3fccd47e65dae4 100755 (executable)
--- a/tools/heimdal-history
+++ b/tools/heimdal-history
@@ -72,6 +72,10 @@ Readonly my $STRENGTH_PROGRAM => '/usr/bin/heimdal-strength';
 Readonly my $STRENGTH_USER  => 'nobody';
 Readonly my $STRENGTH_GROUP => 'nogroup';
 
+# Global boolean variable saying whether to log with syslog.  This is set
+# based on the presence of the -q (--quiet) command-line option.
+my $SYSLOG = 1;
+
 ##############################################################################
 # Utility functions
 ##############################################################################
@@ -152,7 +156,8 @@ sub encode_log_message {
 # - error:     an error message explaining the anomalous situation
 #
 # Values containing whitespace are quoted with double quotes, with any
-# internal double quotes doubled.
+# internal double quotes doubled.  No logging will be done if $SYSLOG is
+# false.
 #
 # $principal - Principal for which we checked a password
 # $error     - The error message
@@ -160,6 +165,9 @@ sub encode_log_message {
 # Returns: undef
 sub log_error {
     my ($principal, $error) = @_;
+    if (!$SYSLOG) {
+        return;
+    }
     my $message = encode_log_message(
         action    => 'check',
         principal => $principal,
@@ -179,7 +187,8 @@ sub log_error {
 # - reason:    the reason for a rejection
 #
 # Values containing whitespace are quoted with double quotes, with any
-# internal double quotes doubled.
+# internal double quotes doubled.  No logging will be done if $SYSLOG is
+# false.
 #
 # $principal - Principal for which we checked a password
 # $result    - "accepted" or "rejected" per above
@@ -188,6 +197,9 @@ sub log_error {
 # Returns: undef
 sub log_result {
     my ($principal, $result, $reason) = @_;
+    if (!$SYSLOG) {
+        return;
+    }
 
     # Create the message.
     my %message = (
@@ -474,6 +486,7 @@ sub update_length_counts {
 # allows us to chain to another program that handles the actual strength
 # checking prior to handling history.
 #
+# $path      - Password quality check program to run
 # $principal - Principal attempting to change their password
 # $password  - The new password
 #
@@ -484,14 +497,14 @@ sub update_length_counts {
 #  Throws: Text exception on failure to execute the program, or read or write
 #          from it or to it, or if it fails without an error
 sub strength_check {
-    my ($principal, $password) = @_;
+    my ($path, $principal, $password) = @_;
 
     # Run the external quality checking program.  If we're root, we'll run it
     # as the strength checking user and group.
     my $in = "principal: $principal\nnew-password: $password\nend\n";
     my $init = sub { drop_privileges($STRENGTH_USER, $STRENGTH_GROUP) };
     my ($out, $err);
-    run([$STRENGTH_PROGRAM, $principal], \$in, \$out, \$err, init => $init);
+    run([$path, $principal], \$in, \$out, \$err, init => $init);
     my $status = ($? >> 8);
 
     # Check the results.
@@ -582,6 +595,7 @@ my ($opt, $usage) = describe_options(
     ['database|d=s',  'Path to the history database, overriding the default'],
     ['help|h',        'Print usage message and exit'],
     ['manual|man|m',  'Print full manual and exit'],
+    ['quiet|q',       'Suppress logging to syslog'],
     ['stats|S=s',     'Path to hash of length statistics'],
     ['strength|s=s',  'Path to strength checking program to run'],
 );
@@ -596,6 +610,7 @@ if ($opt->help) {
 }
 my $database = $opt->database || $HISTORY_PATH;
 my $stats_db = $opt->stats    || $LENGTH_STATS_PATH;
+my $strength = $opt->strength || $STRENGTH_PROGRAM;
 
 # If asked to do benchmarking, ignore other arguments and just do that.
 # Currently, we hard-code a 0.005-second granularity on our binary search.
@@ -605,13 +620,17 @@ if ($opt->benchmark) {
 }
 
 # Open syslog for result reporting.
-openlog($0, 'pid', LOG_AUTH);
+if ($opt->quiet) {
+    $SYSLOG = 0;
+} else {
+    openlog($0, 'pid', LOG_AUTH);
+}
 
 # Read the principal and password that we're supposed to check.
 my ($password, $principal) = read_change_data(\*STDIN);
 
 # Delegate to the external strength checking program.
-my ($okay, $error, $status) = strength_check($principal, $password);
+my ($okay, $error, $status) = strength_check($strength, $principal, $password);
 if (!$okay) {
     log_result($principal, 'rejected', $error);
     warn "$error\n";
@@ -644,7 +663,7 @@ __END__
 ##############################################################################
 
 =for stopwords
-heimdal-history heimdal-strength Heimdal -hm BerkeleyDB timestamps POSIX
+heimdal-history heimdal-strength Heimdal -hmq BerkeleyDB timestamps POSIX
 whitespace API Allbery sublicense MERCHANTABILITY NONINFRINGEMENT syslog
 pseudorandom JSON LDAP-compatible PBKDF2 SHA-256
 
@@ -654,7 +673,7 @@ heimdal-history - Password history via Heimdal external strength checking
 
 =head1 SYNOPSIS
 
-B<heimdal-history> [B<-hm>] [B<-b> I<target-time>] [B<-d> I<database>]
+B<heimdal-history> [B<-hmq>] [B<-b> I<target-time>] [B<-d> I<database>]
     [B<-S> I<length-stats-db>] [B<-s> I<strength-program>] [B<principal>]
 
 =head1 DESCRIPTION
@@ -763,6 +782,12 @@ Print a short usage message and exit.
 
 Display this manual and exit.
 
+=item B<-q>, B<--quiet>
+
+Suppress logging to syslog and only return the results on standard output
+and standard error.  Primarily used for testing, since Heimdal won't pass
+this argument.
+
 =item B<-S> I<length-stats-db>, B<--stats>=I<length-stats-db>
 
 Use I<length-stats-db> as the database file for password length statistics