authorRuss Allbery <eagle@eyrie.org>2016-01-17 19:43:10 -0800
committerRuss Allbery <eagle@eyrie.org>2016-01-17 19:43:10 -0800
commit4b3f858ef567c0d12511e7fea2a56f08f2729635 (patch)
treee1cad1c445669045b47264c8957878352c7adc03 /server
parent7856dc7cc5e16140c0084474fe54338f293bf77e (diff)
parent76f93739a8a933d98b87db9496861dae7de0ae1a (diff)
Imported Upstream version 1.3upstream/1.3
Diffstat (limited to 'server')
-rwxr-xr-xserver/keytab-backend5
-rw-r--r--server/keytab-backend.84
-rwxr-xr-xserver/wallet-admin9
-rw-r--r--server/wallet-admin.84
-rwxr-xr-xserver/wallet-backend43
-rw-r--r--server/wallet-backend.828
-rwxr-xr-xserver/wallet-report66
-rw-r--r--server/wallet-report.824
8 files changed, 152 insertions, 31 deletions
diff --git a/server/keytab-backend b/server/keytab-backend
index bd5a3f9..6e47331 100755
--- a/server/keytab-backend
+++ b/server/keytab-backend
@@ -16,10 +16,7 @@
#
# The keytab for the extracted principal will be printed to standard output.
-##############################################################################
-# Declarations and site configuration
-##############################################################################
-
+use 5.008;
use strict;
use warnings;
diff --git a/server/keytab-backend.8 b/server/keytab-backend.8
index b143e46..aaeabab 100644
--- a/server/keytab-backend.8
+++ b/server/keytab-backend.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "KEYTAB-BACKEND 8"
-.TH KEYTAB-BACKEND 8 "2014-12-08" "1.2" "wallet"
+.TH KEYTAB-BACKEND 8 "2016-01-18" "1.3" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/server/wallet-admin b/server/wallet-admin
index 7ba1021..e74b2f1 100755
--- a/server/wallet-admin
+++ b/server/wallet-admin
@@ -1,12 +1,11 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
#
# Wallet server administrative commands.
-##############################################################################
-# Declarations and site configuration
-##############################################################################
-
+use 5.008;
use strict;
+use warnings;
+
use Wallet::Admin;
##############################################################################
diff --git a/server/wallet-admin.8 b/server/wallet-admin.8
index cc35d0e..1b0b3bc 100644
--- a/server/wallet-admin.8
+++ b/server/wallet-admin.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-ADMIN 8"
-.TH WALLET-ADMIN 8 "2014-12-08" "1.2" "wallet"
+.TH WALLET-ADMIN 8 "2016-01-18" "1.3" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/server/wallet-backend b/server/wallet-backend
index 8dfc952..aa83a96 100755
--- a/server/wallet-backend
+++ b/server/wallet-backend
@@ -2,10 +2,7 @@
#
# Wallet server for storing and retrieving secure data.
-##############################################################################
-# Declarations and site configuration
-##############################################################################
-
+use 5.008;
use strict;
use warnings;
@@ -173,6 +170,9 @@ sub command {
} elsif ($action eq 'rename') {
check_args (2, 2, [], @args);
$server->acl_rename (@args) or failure ($server->error, @_);
+ } elsif ($action eq 'replace') {
+ check_args (2, 2, [], @args);
+ $server->acl_replace (@args) or failure ($server->error, @_);
} elsif ($action eq 'show') {
check_args (1, 1, [], @args);
my $output = $server->acl_show (@args);
@@ -312,6 +312,14 @@ sub command {
}
splice (@_, 3);
$server->store (@args) or failure ($server->error, @_);
+ } elsif ($command eq 'update') {
+ check_args (2, 2, [], @args);
+ my $output = $server->update (@args);
+ if (defined $output) {
+ print $output;
+ } else {
+ failure ($server->error, @_);
+ }
} else {
error "unknown command $command";
}
@@ -449,6 +457,25 @@ accidental lockout, but administrators can remove themselves from the
C<ADMIN> ACL and can leave only a non-functioning entry on the ACL. Use
caution when removing entries from the C<ADMIN> ACL.
+=item acl rename <id> <name>
+
+Renames the ACL identified by <id> to <name>. This changes the
+human-readable name, not the underlying numeric ID, so the ACL's
+associations with objects will be unchanged. The C<ADMIN> ACL may not be
+renamed. <id> may be either the current name or the numeric ID. <name>
+must not be all-numeric. To rename an ACL, the current user must be
+authorized by the C<ADMIN> ACL.
+
+=item acl replace <id> <new-id>
+
+Find any objects owned by <id>, and then change their ownership to
+<new_id> instead. <new-id> should already exist, and may already have
+some objects owned by it. <id> is not deleted afterwards, though in
+most cases that is probably your next step. The C<ADMIN> ACL may not be
+replaced from. <id> and <new-id> may be either the current name or the
+numeric ID. To replace an ACL, the current user must be authorized by
+the C<ADMIN> ACL.
+
=item acl show <id>
Display the name, numeric ID, and entries of the ACL <id>.
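Review bot: The `acl replace` entry names its second argument `<new-id>` in the heading and on most lines but `<new_id>` on the line `<new_id> instead. <new-id> should already exist, and may already have`; change it to `<new-id> instead.` so readers do not take it for a different parameter. The regenerated man page in this same commit (the `.IP "acl replace <id> <new\-id>"` block of wallet-backend.8) carries the same typo and should be regenerated after the POD fix.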
@@ -589,6 +616,14 @@ Stores <data> for the object identified by <type> and <name> for later
retrieval with C<get>. Not all object types support this. If <data> is
not given as an argument, it will be read from standard input.
+=item update <type> <name>
+
+Prints to standard output the data associated with the object identified
+by <type> and <name>. If the object is one that can have changing
+information, such as a keytab or password, then we generate new data for
+that object regardless of whether there is current data or the unchanging
+flag is set.
+
=back
=head1 ATTRIBUTES
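Review bot: The `update` entry does not say who may run it, while the neighbouring `acl rename` and `acl replace` entries each close with the required authorization; since `update` regenerates secret material even when the `unchanging` flag is set, the authorization requirement is the first thing an operator will look for. Suggest a closing sentence along the lines of `To update an object, the current user must be authorized by the object's ACL for this operation.`, adjusted to whatever `$server->update` actually checks, which is not visible in this diff. It would also help to state plainly that regenerating the data supersedes any previously retrieved copy, if that is the intended reading of "generate new data for that object".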
diff --git a/server/wallet-backend.8 b/server/wallet-backend.8
index f1544ac..96b5b29 100644
--- a/server/wallet-backend.8
+++ b/server/wallet-backend.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-BACKEND 8"
-.TH WALLET-BACKEND 8 "2014-12-08" "1.2" "wallet"
+.TH WALLET-BACKEND 8 "2016-01-18" "1.3" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -228,6 +228,23 @@ entry in the special \s-1ACL \s0\f(CW\*(C`ADMIN\*(C'\fR cannot be removed to pro
accidental lockout, but administrators can remove themselves from the
\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0 and can leave only a non-functioning entry on the \s-1ACL. \s0 Use
caution when removing entries from the \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL.\s0
+.IP "acl rename <id> <name>" 4
+.IX Item "acl rename <id> <name>"
+Renames the \s-1ACL\s0 identified by <id> to <name>. This changes the
+human-readable name, not the underlying numeric \s-1ID,\s0 so the \s-1ACL\s0's
+associations with objects will be unchanged. The \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0 may not be
+renamed. <id> may be either the current name or the numeric \s-1ID. \s0 <name>
+must not be all-numeric. To rename an \s-1ACL,\s0 the current user must be
+authorized by the \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL.\s0
+.IP "acl replace <id> <new\-id>" 4
+.IX Item "acl replace <id> <new-id>"
+Find any objects owned by <id>, and then change their ownership to
+<new_id> instead. <new\-id> should already exist, and may already have
+some objects owned by it. <id> is not deleted afterwards, though in
+most cases that is probably your next step. The \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0 may not be
+replaced from. <id> and <new\-id> may be either the current name or the
+numeric \s-1ID. \s0 To replace an \s-1ACL,\s0 the current user must be authorized by
+the \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL.\s0
.IP "acl show <id>" 4
.IX Item "acl show <id>"
Display the name, numeric \s-1ID,\s0 and entries of the \s-1ACL\s0 <id>.
@@ -349,6 +366,13 @@ stored, and last downloaded.
Stores <data> for the object identified by <type> and <name> for later
retrieval with \f(CW\*(C`get\*(C'\fR. Not all object types support this. If <data> is
not given as an argument, it will be read from standard input.
+.IP "update <type> <name>" 4
+.IX Item "update <type> <name>"
+Prints to standard output the data associated with the object identified
+by <type> and <name>. If the object is one that can have changing
+information, such as a keytab or password, then we generate new data for
+that object regardless of whether there is current data or the unchanging
+flag is set.
.SH "ATTRIBUTES"
.IX Header "ATTRIBUTES"
Object attributes store additional properties and configuration
diff --git a/server/wallet-report b/server/wallet-report
index b5a2247..6508227 100755
--- a/server/wallet-report
+++ b/server/wallet-report
@@ -1,12 +1,11 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
#
# Wallet server reporting interface.
-##############################################################################
-# Declarations and globals
-##############################################################################
-
+use 5.008;
use strict;
+use warnings;
+
use Wallet::Report;
# The help output, sent in reply to the help command. Lists each supported
@@ -17,16 +16,22 @@ Wallet reporting help:
acls duplicate ACLs that duplicate another
acls empty All empty ACLs
acls entry <scheme> <id> ACLs containing this entry (wildcarded)
+ acls nesting <acl> ACLs containing this ACL as a nested entry
acls unused ACLs that are not referenced by any object
audit acls name ACLs failing the naming policy
audit objects name Objects failing the naming policy
objects All objects
objects acl <acl> Objects granting permissions to that ACL
objects flag <flag> Objects with that flag set
+ objects history History of all objects
+ objects host <hostname> All host-based objects for a specific host
objects owner <owner> Objects owned by that owner
objects type <type> Objects of that type
- objects unused Objects that have never been stored/gotten
+ objects unused Objects that have never been gotten
+ objects unstored Objects that have never been stored
owners <type> <name> All ACL entries owning matching objects
+ schemes All configured ACL schemes
+ types All configured wallet types
EOH
##############################################################################
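Review bot: The help text lists the nesting report as `acls nesting <acl>`, but the POD added later in this same file documents it as `=item acls nested <acl>` and the regenerated wallet-report.8 uses `acls nested`; the `acls` dispatch code is not in this diff, so I cannot tell which spelling the command accepts, but only one can be right and the other will be rejected as an unknown subcommand. Pick one and use it in all three places; if the code accepts `nested`, the help line becomes `  acls nested <acl>              ACLs containing this ACL as a nested entry`. The `objects unused` help was reworded to "never been gotten" and `objects unstored` added, while as far as this diff shows the POD still lists `objects unused` and `objects unstored` under one shared paragraph, so the POD should spell out the same distinction.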
@@ -74,7 +79,14 @@ sub command {
print $HELP;
} elsif ($command eq 'objects') {
die "too many arguments to objects\n" if @args > 2;
- my @objects = $report->objects (@args);
+ my @objects;
+ if (@args && $args[0] eq 'history') {
+ @objects = $report->objects_history (@args);
+ } elsif (@args && $args[0] eq 'host') {
+ @objects = $report->objects_hostname (@args);
+ } else {
+ @objects = $report->objects (@args);
+ }
if (!@objects and $report->error) {
die $report->error, "\n";
}
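Review bot: The new routing passes the full `@args`, including the literal selector `history` or `host`, to `objects_history` and `objects_hostname`, and the `die "too many arguments to objects\n" if @args > 2;` check above still applies to both; presumably the report methods strip the selector themselves, but a reader of this dispatch cannot tell, so a short comment such as `# The report methods receive the selector as their first argument.` would help. An explicit argument check for `host`, `die "objects host requires a hostname\n" if $args[0] eq 'host' && @args != 2;`, would give a clearer error than whatever the report method reports for a missing hostname. The `command` sub begins before this hunk.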
@@ -91,6 +103,20 @@ sub command {
for my $entry (@entries) {
print join (' ', @$entry), "\n";
}
+ } elsif ($command eq 'schemes') {
+ die "too many arguments to schemes\n" if @args > 0;
+ my @schemes = $report->acl_schemes;
+ for my $entry (@schemes) {
+ print join (' ', @$entry), "\n";
+ }
+
+ } elsif ($command eq 'types') {
+ die "too many arguments to types\n" if @args > 0;
+ my @types = $report->types;
+ for my $entry (@types) {
+ print join (' ', @$entry), "\n";
+ }
+
} else {
die "unknown command $command\n";
}
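Review bot: The new `schemes` and `types` branches do not check `$report->error` after an empty result, unlike the `objects` branch in the previous hunk, which does `if (!@objects and $report->error) { die $report->error, "\n"; }`; if `acl_schemes` or `types` can fail (not visible here), a failure is reported as an empty list. Add the same guard after each call, e.g. `die $report->error, "\n" if !@schemes and $report->error;` and the equivalent for `@types`. The two loops are identical apart from the variable name, and each branch ends with a stray blank line before the closing `} elsif`/`} else` that the other branches of this function do not have; the `command` sub starts and ends outside this hunk.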
@@ -108,7 +134,7 @@ wallet-report - Wallet server reporting interface
=for stopwords
metadata ACL hostname backend acl acls wildcard SQL Allbery remctl
-MERCHANTABILITY NONINFRINGEMENT sublicense
+MERCHANTABILITY NONINFRINGEMENT sublicense unstored
=head1 SYNOPSIS
@@ -180,6 +206,10 @@ Returns all ACLs containing an entry with given scheme and identifier.
The scheme must be an exact match, but the <identifier> string will match
any identifier containing that string.
+=item acls nested <acl>
+
+Returns all ACLs that contain this ACL as a nested entry.
+
=item acls unused
Returns all ACLs that are not referenced by any of the objects in the
@@ -220,6 +250,8 @@ Displays a summary of all available commands.
=item objects unused
+=item objects unstored
+
Returns a list of objects in the database. Objects will be listed in the
form:
@@ -245,6 +277,12 @@ those where that ACL has any other, more limited permissions.
Returns all objects which have the given flag set.
+=item objects host <hostname>
+
+Returns all objects that belong to the given host. This requires adding
+local configuration to identify objects that belong to a given host. See
+L<Wallet::Config/"OBJECT HOST-BASED NAMES"> for more information.
+
=item objects owner <acl>
Returns all objects owned by the given ACL name or ID.
@@ -273,6 +311,14 @@ The output will be one line per ACL line in the form:
with duplicates suppressed.
+=item schemes
+
+Returns a list of all registered ACL schemes.
+
+=item types
+
+Returns a list of all registered object types.
+
=back
=head1 AUTHOR
@@ -281,7 +327,9 @@ Russ Allbery <eagle@eyrie.org>
=head1 COPYRIGHT AND LICENSE
-Copyright 2008, 2009, 2010, 2013 The Board of Trustees of the Leland
+Copyright 2016 Russ Allbery <eagle@eyrie.org>
+
+Copyright 2008, 2009, 2010, 2013, 2015 The Board of Trustees of the Leland
Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a
diff --git a/server/wallet-report.8 b/server/wallet-report.8
index ac3714f..4cb759d 100644
--- a/server/wallet-report.8
+++ b/server/wallet-report.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-REPORT 8"
-.TH WALLET-REPORT 8 "2014-12-08" "1.2" "wallet"
+.TH WALLET-REPORT 8 "2016-01-18" "1.3" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -204,6 +204,9 @@ can be destroyed.
Returns all ACLs containing an entry with given scheme and identifier.
The scheme must be an exact match, but the <identifier> string will match
any identifier containing that string.
+.IP "acls nested <acl>" 4
+.IX Item "acls nested <acl>"
+Returns all ACLs that contain this \s-1ACL\s0 as a nested entry.
.IP "acls unused" 4
.IX Item "acls unused"
Returns all ACLs that are not referenced by any of the objects in the
@@ -249,6 +252,8 @@ Displays a summary of all available commands.
.IX Item "objects type <type>"
.IP "objects unused" 4
.IX Item "objects unused"
+.IP "objects unstored" 4
+.IX Item "objects unstored"
.PD
Returns a list of objects in the database. Objects will be listed in the
form:
@@ -273,6 +278,11 @@ those where that \s-1ACL\s0 has any other, more limited permissions.
.IP "objects flag <flag>" 4
.IX Item "objects flag <flag>"
Returns all objects which have the given flag set.
+.IP "objects host <hostname>" 4
+.IX Item "objects host <hostname>"
+Returns all objects that belong to the given host. This requires adding
+local configuration to identify objects that belong to a given host. See
+\&\*(L"\s-1OBJECT\s0 HOST-BASED \s-1NAMES\*(R"\s0 in Wallet::Config for more information.
.IP "objects owner <acl>" 4
.IX Item "objects owner <acl>"
Returns all objects owned by the given \s-1ACL\s0 name or \s-1ID.\s0
@@ -300,12 +310,20 @@ The output will be one line per \s-1ACL\s0 line in the form:
.Ve
.Sp
with duplicates suppressed.
+.IP "schemes" 4
+.IX Item "schemes"
+Returns a list of all registered \s-1ACL\s0 schemes.
+.IP "types" 4
+.IX Item "types"
+Returns a list of all registered object types.
.SH "AUTHOR"
.IX Header "AUTHOR"
Russ Allbery <eagle@eyrie.org>
.SH "COPYRIGHT AND LICENSE"
.IX Header "COPYRIGHT AND LICENSE"
-Copyright 2008, 2009, 2010, 2013 The Board of Trustees of the Leland
+Copyright 2016 Russ Allbery <eagle@eyrie.org>
+.PP
+Copyright 2008, 2009, 2010, 2013, 2015 The Board of Trustees of the Leland
Stanford Junior University
.PP
Permission is hereby granted, free of charge, to any person obtaining a