| author | Russ Allbery <rra@stanford.edu> | 2010-03-03 22:37:18 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-03-03 22:37:18 -0800 | 
| commit | a131c767d1eee7b98170962f7f9d4063be69e576 (patch) | |
| tree | a1c5a182764adc50faca2f804387c081ef22ee27 /perl/Wallet | |
| parent | 6c1f7d325239f305b9bf6a4503165cefae1ee3d8 (diff) | |
Add auditing for names that violate the naming policy
Add an audit command to wallet-report and one audit: objects name,
which returns all objects that do not pass the local naming policy.
The corresponding Wallet::Report method is audit().
Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object).  This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.
Diffstat (limited to 'perl/Wallet')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | perl/Wallet/Config.pm | 11 |
| -rw-r--r-- | perl/Wallet/Report.pm | 54 |
2 files changed, 63 insertions, 2 deletions
| diff --git a/perl/Wallet/Config.pm b/perl/Wallet/Config.pm index 396bf7d..2991361 100644 --- a/perl/Wallet/Config.pm +++ b/perl/Wallet/Config.pm @@ -14,7 +14,7 @@ use vars qw($PATH $VERSION);  # This version should be increased on any code change to this module.  Always  # use two digits for the minor version with a leading zero if necessary so  # that it will sort properly. -$VERSION = '0.04'; +$VERSION = '0.05';  # Path to the config file to load.  $PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf'; @@ -519,6 +519,15 @@ creation.  If it returns undef or the empty string, object creation will  be allowed.  If it returns anything else, object creation is rejected and  the return value is used as the error message. +This function is also called for naming audits done via Wallet::Report +to find any existing objects that violate a (possibly updated) naming +policy.  In this case, the third argument (the identity of the person +creating the object) will be undef.  As a general rule, if the third +argument is undef, the function should apply the most liberal accepted +naming policy so that the audit returns only objects that violate all +naming policies, but some sites may wish different results for their audit +reports. +  Please note that this return status is backwards from what one would  normally expect.  A false value is success; a true value is failure with  an error message. diff --git a/perl/Wallet/Report.pm b/perl/Wallet/Report.pm index 7cd8653..ff4fa8b 100644 --- a/perl/Wallet/Report.pm +++ b/perl/Wallet/Report.pm @@ -20,7 +20,7 @@ use Wallet::Database;  # This version should be increased on any code change to this module.  Always  # use two digits for the minor version with a leading zero if necessary so  # that it will sort properly. -$VERSION = '0.01'; +$VERSION = '0.02';  ##############################################################################  # Constructor, destructor, and accessors 
@@ -290,6 +290,43 @@ sub owners {      return @lines;  } +############################################################################## +# Auditing +############################################################################## + +# Audit the database for violations of local policy.  Returns a list of +# objects (as type and name pairs) or a list of ACLs.  On error and for no +# matching entries, the empty list will be returned.  To distinguish between +# an empty return and an error, call error(), which will return undef if there +# was no error. +sub audit { +    my ($self, $type, $audit) = @_; +    undef $self->{error}; +    unless (defined ($type) and defined ($audit)) { +        $self->error ("type and audit not specified"); +        return; +    } +    if ($type eq 'objects') { +        if ($audit eq 'name') { +            return unless defined &Wallet::Config::verify_name; +            my @objects = $self->objects; +            my @results; +            for my $object (@objects) { +                my ($type, $name) = @$object; +                my $error = Wallet::Config::verify_name ($type, $name); +                push (@results, $object) if $error; +            } +            return @results; +        } else { +            $self->error ("unknown object audit: $audit"); +            return; +        } +    } else { +        $self->error ("unknown audit type: $type"); +        return; +    } +} +  1;  __DATA__ @@ -312,6 +349,7 @@ ACL ACLs wildcard Allbery SQL tuples      for my $object (@objects) {          print "@$object\n";      } +    @objects = $report->audit ('objects', 'name');  =head1 DESCRIPTION 
@@ -366,6 +404,20 @@ Returns the empty list on failure.  An error can be distinguished from  empty search results by calling error().  error() is guaranteed to return  the error message if there was an error and undef if there was no error. +=item audit(TYPE, AUDIT) + +Audits the wallet database for violations of local policy.  TYPE is the +general class of thing to audit, and AUDIT is the specific audit to +perform.  Currently, the only implemented type is C<objects> and the only +audit is C<name>.  This returns a list of all objects, as references to +pairs of type and name, that are not accepted by the verify_name() +function defined in the wallet configuration.  See L<Wallet::Config> for +more information. + +Returns the empty list on failure.  An error can be distinguished from +empty search results by calling error().  error() is guaranteed to return +the error message if there was an error and undef if there was no error. +  =item error()  Returns the error of the last failing operation or undef if no operations | 
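Review bot: the new paragraph added to the verify_name documentation in Config.pm (the `+This function is also called for naming audits done via Wallet::Report` lines) introduces a compatibility hazard it does not spell out: any existing site verify_name implementation that uses the third argument without a definedness check (string comparison, regex match, group lookup) will now warn or die when Wallet::Report calls it with undef, and because audit() calls verify_name without an eval, a die inside the policy function aborts the whole audit. Suggest adding a sentence stating that existing verify_name functions must be updated to handle an undef third argument before the audit is run, and that a policy function which dies will terminate the audit rather than be reported through error().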
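Review bot: in the audit hunk of Report.pm, `return unless defined &Wallet::Config::verify_name;` returns the empty list without setting $self->{error}, so a site with no naming policy configured gets a result indistinguishable from "every object passes the policy"; that contradicts the contract in the comment above the sub, which says an empty return with error() undef means no error. Either set an error there (for example `$self->error ("verify_name not defined in wallet configuration")` before the return) or document that a missing policy function yields an empty, successful audit. Two smaller points in the same hunk: `my ($type, $name) = @$object;` inside the loop shadows the `$type` parameter declared at the top of the sub, which is harmless only because the outer $type is not used after the loop, so renaming the loop variable (e.g. `$otype`) would avoid a future bug; and the call `Wallet::Config::verify_name ($type, $name)` deliberately omits the third argument, which is what the Config.pm documentation in this commit describes, but a comment on that line saying so would save the next reader a trip to the other file.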
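Review bot: the `=item audit(TYPE, AUDIT)` POD does not say what happens when no verify_name() is defined in the wallet configuration, and it does not mention that verify_name() is invoked with an undef third argument during the audit, so a reader has to consult the code to learn either. Suggest one sentence for each: state the behaviour for a missing policy function (whatever the code is settled on), and cross-reference the "naming audits" paragraph added to L<Wallet::Config> in this same commit for the undef-argument convention.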
