diff options
| author | Russ Allbery <rra@stanford.edu> | 2010-08-18 23:28:29 -0700 |
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-08-18 23:28:29 -0700 |
| commit | 107448a9c7eb1e1fbe93e58221f67ae047baed56 (patch) | |
| tree | 5f8728856d4f9666040c22529589e1c1fc0baa96 /contrib/wallet-unknown-hosts | |
| parent | 3799716680711302580b698f6d7c5796df8444b2 (diff) | |
Add reporting and purge functions to wallet-unknown-hosts
Add the report of purge-eligible keytabs and the command to do the
purge. The command-line parsing still needs work.
Diffstat (limited to 'contrib/wallet-unknown-hosts')
| -rwxr-xr-x | contrib/wallet-unknown-hosts | 107 |
1 files changed, 87 insertions, 20 deletions
diff --git a/contrib/wallet-unknown-hosts b/contrib/wallet-unknown-hosts index 3f94cbe..5655aed 100755 --- a/contrib/wallet-unknown-hosts +++ b/contrib/wallet-unknown-hosts @@ -20,6 +20,12 @@ # and hammer out the data and then add it there later. our $HISTORY = '/var/lib/wallet/hosts.db'; +# Default thresholds for reporting or purging. $MIN is the number of times we +# see the keytab in a row eligible for purge, and $THRESHOLD is the newest +# that the first time can be and still be eligible. +our $MIN = 3; +our $THRESHOLD = time - 30 * 24 * 60 * 60; + # Set up a Net::DNS resolver that will be used by local_check_keytab. BEGIN { use Net::DNS; @@ -65,7 +71,7 @@ use DB_File (); use Wallet::Report (); ############################################################################## -# Database queries +# Utility functions ############################################################################## # Return a list of host-based keytab objects in the wallet database. The @@ -80,10 +86,6 @@ sub list_keytabs { return grep { m%/.+\..+% } map { $$_[1] } @objects; } -############################################################################## -# DNS queries -############################################################################## - # Given a host, look it up in DNS and see if it exists. Returns true if the # host exists and false otherwise. sub check_host { @@ -93,24 +95,89 @@ sub check_host { } ############################################################################## -# Main routine +# Main functions ############################################################################## -tie %history, 'DB_File', $HISTORY; -my @keytabs = list_keytabs; -for my $keytab (@keytabs) { - my ($host) = (split '/', $keytab)[1]; - my $result = local_check_keytab ($keytab, $host); - unless (defined $result) { - $result = check_host ($host); +# Do a scan of all host-based keytabs in wallet and record those that are not +# found in DNS or which should not be used according to site configuration. +sub check { + tie %history, 'DB_File', $HISTORY; + my @keytabs = list_keytabs; + for my $keytab (@keytabs) { + my ($host) = (split '/', $keytab)[1]; + my $result = local_check_keytab ($keytab, $host); + unless (defined $result) { + $result = check_host ($host); + } + if ($result) { + delete $history{$keytab}; + } elsif ($history{$keytab}) { + my ($count, $time) = split (',', $history{$keytab}); + $count++; + $history{$keytab} = "$count,$time"; + } else { + $history{$keytab} = '1,' . time; + } } - if ($result) { - delete $history{$keytab}; - } elsif ($history{$keytab}) { + untie %history; +} + +# Report on all keytabs that are eligible to be deleted. Takes two values: +# the threshold for the number of times the keytab had to show up as eligible +# for purge, and the threshold for how long the keytab must have been on that +# list (given as a threshold time in seconds since epoch). +sub report { + my ($min, $threshold) = @_; + tie %history, 'DB_File', $HISTORY; + for my $keytab (sort keys %history) { my ($count, $time) = split (',', $history{$keytab}); - $count++; - $history{$keytab} = "$count,$time"; - } else { - $history{$keytab} = '1,' . time; + if ($count > $min && $time < $threshold) { + print $keytab, "\n"; + } } + untie %history; +} + +# Purge eligible keytabs. Takes three values: the user to authenticate as, +# the threshold for the number of times the keytab had to show up as eligible +# for purge, and the threshold for the first date when the keytab was seen +# eligible for purge. Rather than listing the keytabs, this deletes them +# immediately. +sub purge { + my ($user, $min, $threshold) = @_; + my $wallet = Wallet::Server->new ($user, 'localhost'); + tie %history, 'DB_File', $HISTORY; + for my $keytab (sort keys %history) { + my ($count, $time) = split (',', $history{$keytab}); + if ($count > $min && $time < $threshold) { + unless ($wallet->destroy ('keytab', $keytab)) { + warn "$0: cannot destroy keytab $keytab: ", + $wallet->error, "\n"; + } + } + } + untie %history; +} + +############################################################################## +# Main routine +############################################################################## + +my $command = shift or die "Usage: $0 (check | report | purge)\n"; +if ($command eq 'check') { + check; +} elsif ($command eq 'report') { + my ($min, $threshold) = @_; + $min = $MIN unless defined ($min); + die "$0: minimum count must be at least 1\n" if $min < 1; + $threshold = $THRESHOLD unless defined ($threshold); + report ($min, $threshold); +} elsif ($command eq 'purge') { + my $user = $ENV{REMOTE_USER} or die "$0: REMOTE_USER must be set\n"; + $min = $MIN unless defined ($min); + die "$0: minimum count must be at least 1\n" if $min < 1; + $threshold = $THRESHOLD unless defined ($threshold); + purge ($min, $threshold); +} else { + die "$0: unknown command $command\n"; } |