author | Russ Allbery <rra@stanford.edu> | 2010-03-08 10:57:42 -0800 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2010-03-08 10:57:42 -0800 |
commit | 602ff7584d3668c36b1bf5fd43988e6f45eceb48 (patch) | |
tree | f4870e09c76de744c44e230b1b60b21c89acae3b /server | |
parent | bf51d2dc4857551aadac4304c111c3ccd063604f (diff) |
Imported Upstream version 0.11 (upstream/0.11)
Diffstat (limited to 'server')
-rw-r--r-- | server/keytab-backend.8 | 2 |
-rwxr-xr-x | server/wallet-admin | 122 |
-rw-r--r-- | server/wallet-admin.8 | 78 |
-rw-r--r-- | server/wallet-backend.8 | 2 |
-rwxr-xr-x | server/wallet-report | 46 |
-rw-r--r-- | server/wallet-report.8 | 46 |
6 files changed, 83 insertions, 213 deletions
diff --git a/server/keytab-backend.8 b/server/keytab-backend.8 index 41f9a89..7a08ede 100644 --- a/server/keytab-backend.8 +++ b/server/keytab-backend.8 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "KEYTAB-BACKEND 8" -.TH KEYTAB-BACKEND 8 "2010-02-21" "0.10" "wallet" +.TH KEYTAB-BACKEND 8 "2010-03-08" "0.11" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/server/wallet-admin b/server/wallet-admin index 828cfc5..f81c195 100755 --- a/server/wallet-admin +++ b/server/wallet-admin @@ -1,6 +1,6 @@ #!/usr/bin/perl -w # -# wallet-backend -- Wallet server administrative commands. +# wallet-admin -- Wallet server administrative commands. # # Written by Russ Allbery <rra@stanford.edu> # Copyright 2008, 2009, 2010 Board of Trustees, Leland Stanford Jr. University 
@@ -41,45 +41,6 @@ sub command { die "invalid admin principal $args[0]\n" unless $args[0] =~ /^[^\@\s]+\@\S+$/; $admin->initialize (@args) or die $admin->error, "\n"; - } elsif ($command eq 'list') { - die "too many arguments to list\n" if @args > 4; - die "too few arguments to list\n" if @args < 1; - my ($type, $subtype, @search) = @args; - if ($type eq 'objects') { - my @objects = $admin->list_objects ($subtype, @search); - if (!@objects and $admin->error) { - die $admin->error, "\n"; - } - for my $object (@objects) { - print join (' ', @$object), "\n"; - } - } elsif ($type eq 'acls') { - my @acls = $admin->list_acls ($subtype, @search); - if (!@acls and $admin->error) { - die $admin->error, "\n"; - } - for my $acl (sort { $$a[1] cmp $$b[1] } @acls) { - print "$$acl[1] (ACL ID: $$acl[0])\n"; - } - } else { - die "only objects or acls are supported for list\n"; - } - } elsif ($command eq 'report') { - die "too few arguments to report\n" if @args < 1; - my $report = shift @args; - if ($report eq 'owners') { - die "too many arguments to report owners\n" if @args > 2; - die "too few arguments to report owners\n" if @args < 2; - my @lines = $admin->report_owners (@args); - if (!@lines and $admin->error) { - die $admin->error, "\n"; - } - for my $line (@lines) { - print join (' ', @$line), "\n"; - } - } else { - die "unknown report type $report\n"; - } } elsif ($command eq 'register') { die "too many arguments to register\n" if @args > 3; die "too few arguments to register\n" if @args < 3; 
@@ -159,66 +120,6 @@ Before running C<initialize>, the wallet system has to be configured. See Wallet::Config(3) for more details. Depending on the database backend used, the database may also have to be created in advance. -=item list (acls | objects) [ <searchtype> [ <arg> ... ] ] - -Returns a list of ACLs or objects in the database. ACLs will be listed -in the form: - - <name> (ACL ID: <id>) - -where <name> is the human-readable name and <id> is the numeric ID. The -numeric ID is what's used internally by the wallet system. Objects will -be listed in the form: - - <type> <name> - -In both cases, there will be one line per ACL or object. - -If no search type is given, all the ACLs or objects in the database will -be returned. If a search type (and possible search arguments) are given, -then the ACLs or objects will be limited to those that match the search. - -The currently supported object search types are: - -=over 4 - -=item list objects type <type> - -Returns all objects of the given type. - -=item list objects flag <flag> - -Returns all objects which have the given flag set. - -=item list objects owner <acl name> - -Returns all objects owned by the given ACL name. - -=item list objects acl <acl name> - -Returns all objects for which the given ACL name has any permissions. -This includes those objects owned by the ACL, but also those for which the -ACL has get permissions, for example. - -=back - -The currently supported ACL search types are: - -=over 4 - -=item list acls empty - -Returns all ACLs which have no entries, generally so that abandoned ACLs -can be destroyed. - -=item list acls entry <schema> <identifier> - -Returns all ACLs containing an entry with given schema and identifier. -The schema is used for an exact search, while the identifier given will -match any identifier containing that text, for flexibility. - -=back - =item register (object | verifier) <type> <class> Registers an implementation of a wallet object or ACL verifier in the 
@@ -232,27 +133,6 @@ default as part of database initialization, so this command is used primarily to register local implementations of additional object types or ACL schemes. -=item report <type> [ <arg> ... ] - -Runs a wallet report. The currently supported report types are: - -=over 4 - -=item report owners <type-pattern> <name-pattern> - -Returns a list of all ACL lines in owner ACLs for all objects matching -both <type-pattern> and <name-pattern>. These can be the type or name of -objects or they can be patterns using C<%> as the wildcard character -following the normal rules of SQL patterns. - -The output will be one line per ACL line in the form: - - <scheme> <identifier> - -with duplicates suppressed. - -=back - =back =head1 SEE ALSO diff --git a/server/wallet-admin.8 b/server/wallet-admin.8 index 8e1ad12..bc5c7ea 100644 --- a/server/wallet-admin.8 +++ b/server/wallet-admin.8 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-ADMIN 8" -.TH WALLET-ADMIN 8 "2010-02-21" "0.10" "wallet" +.TH WALLET-ADMIN 8 "2010-03-08" "0.11" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -170,61 +170,6 @@ and for any subsequent actions required to initialize the database. Before running \f(CW\*(C`initialize\*(C'\fR, the wallet system has to be configured. See \&\fIWallet::Config\fR\|(3) for more details. Depending on the database backend used, the database may also have to be created in advance. -.IP "list (acls | objects) [ <searchtype> [ <arg> ... ] ]" 4 -.IX Item "list (acls | objects) [ <searchtype> [ <arg> ... ] ]" -Returns a list of ACLs or objects in the database. ACLs will be listed -in the form: -.Sp -.Vb 1 -\& <name> (ACL ID: <id>) -.Ve -.Sp -where <name> is the human-readable name and <id> is the numeric \s-1ID\s0. The -numeric \s-1ID\s0 is what's used internally by the wallet system. Objects will -be listed in the form: -.Sp -.Vb 1 -\& <type> <name> -.Ve -.Sp -In both cases, there will be one line per \s-1ACL\s0 or object. -.Sp -If no search type is given, all the ACLs or objects in the database will -be returned. If a search type (and possible search arguments) are given, -then the ACLs or objects will be limited to those that match the search. -.Sp -The currently supported object search types are: -.RS 4 -.IP "list objects type <type>" 4 -.IX Item "list objects type <type>" -Returns all objects of the given type. -.IP "list objects flag <flag>" 4 -.IX Item "list objects flag <flag>" -Returns all objects which have the given flag set. -.IP "list objects owner <acl name>" 4 -.IX Item "list objects owner <acl name>" -Returns all objects owned by the given \s-1ACL\s0 name. -.IP "list objects acl <acl name>" 4 -.IX Item "list objects acl <acl name>" -Returns all objects for which the given \s-1ACL\s0 name has any permissions. -This includes those objects owned by the \s-1ACL\s0, but also those for which the -\&\s-1ACL\s0 has get permissions, for example. 
-.RE -.RS 4 -.Sp -The currently supported \s-1ACL\s0 search types are: -.IP "list acls empty" 4 -.IX Item "list acls empty" -Returns all ACLs which have no entries, generally so that abandoned ACLs -can be destroyed. -.IP "list acls entry <schema> <identifier>" 4 -.IX Item "list acls entry <schema> <identifier>" -Returns all ACLs containing an entry with given schema and identifier. -The schema is used for an exact search, while the identifier given will -match any identifier containing that text, for flexibility. -.RE -.RS 4 -.RE .IP "register (object | verifier) <type> <class>" 4 .IX Item "register (object | verifier) <type> <class>" Registers an implementation of a wallet object or \s-1ACL\s0 verifier in the @@ -237,27 +182,6 @@ All object and \s-1ACL\s0 implementations that come with wallet are registered b default as part of database initialization, so this command is used primarily to register local implementations of additional object types or \&\s-1ACL\s0 schemes. -.IP "report <type> [ <arg> ... ]" 4 -.IX Item "report <type> [ <arg> ... ]" -Runs a wallet report. The currently supported report types are: -.RS 4 -.IP "report owners <type\-pattern> <name\-pattern>" 4 -.IX Item "report owners <type-pattern> <name-pattern>" -Returns a list of all \s-1ACL\s0 lines in owner ACLs for all objects matching -both <type\-pattern> and <name\-pattern>. These can be the type or name of -objects or they can be patterns using \f(CW\*(C`%\*(C'\fR as the wildcard character -following the normal rules of \s-1SQL\s0 patterns. -.Sp -The output will be one line per \s-1ACL\s0 line in the form: -.Sp -.Vb 1 -\& <scheme> <identifier> -.Ve -.Sp -with duplicates suppressed. -.RE -.RS 4 -.RE .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIWallet::Admin\fR\|(3), \fIWallet::Config\fR\|(3), \fIwallet\-backend\fR\|(8) diff --git a/server/wallet-backend.8 b/server/wallet-backend.8 index 2283da0..47b3e3b 100644 --- a/server/wallet-backend.8 +++ b/server/wallet-backend.8 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-BACKEND 8" -.TH WALLET-BACKEND 8 "2010-02-21" "0.10" "wallet" +.TH WALLET-BACKEND 8 "2010-03-08" "0.11" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/server/wallet-report b/server/wallet-report index a6b3b8d..435fb73 100755 --- a/server/wallet-report +++ b/server/wallet-report @@ -35,6 +35,20 @@ sub command { for my $acl (sort { $$a[1] cmp $$b[1] } @acls) { print "$$acl[1] (ACL ID: $$acl[0])\n"; } + } elsif ($command eq 'audit') { + die "too many arguments to audit\n" if @args > 2; + die "too few arguments to audit\n" if @args < 2; + my @result = $report->audit (@args); + if (!@result and $report->error) { + die $report->error, "\n"; + } + for my $item (@result) { + if ($args[0] eq 'acls') { + print "$$item[1] (ACL ID: $$item[0])\n"; + } else { + print join (' ', @$item), "\n"; + } + } } elsif ($command eq 'objects') { die "too many arguments to objects\n" if @args > 2; my @objects = $report->objects (@args); @@ -100,6 +114,8 @@ B<wallet-report> takes no traditional options. =item acls entry <scheme> <identifier> +=item acls unused + Returns a list of ACLs in the database. ACLs will be listed in the form: <name> (ACL ID: <id>) 
@@ -127,8 +143,30 @@ Returns all ACLs containing an entry with given scheme and identifier. The scheme must be an exact match, but the <identifier> string will match any identifier containing that string. +=item acls unused + +Returns all ACLs that are not referenced by any of the objects in the +wallet database, either as an owner or on one of the more specific ACLs. + =back +=item audit acls name + +=item audit objects name + +Returns all ACLs or objects that violate the current site naming policy. +Objects will be listed in the form: + + <type> <name> + +and ACLs in the form: + + <name> (ACL ID: <id>) + +where <name> is the human-readable name and <id> is the numeric ID. The +numeric ID is what's used internally by the wallet system. There will be +one line per object or ACL. + =item objects =item objects acl <acl> @@ -154,21 +192,21 @@ The currently supported object search types are: =over 4 -=item list objects acl <acl> +=item objects acl <acl> Returns all objects for which the given ACL name or ID has any permissions. This includes those objects owned by the ACL as well as those where that ACL has any other, more limited permissions. -=item list objects flag <flag> +=item objects flag <flag> Returns all objects which have the given flag set. -=item list objects owner <acl> +=item objects owner <acl> Returns all objects owned by the given ACL name or ID. -=item list objects type <type> +=item objects type <type> Returns all objects of the given type. diff --git a/server/wallet-report.8 b/server/wallet-report.8 index 106f47d..cd56501 100644 --- a/server/wallet-report.8 +++ b/server/wallet-report.8 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-REPORT 8" -.TH WALLET-REPORT 8 "2010-02-21" "0.10" "wallet" +.TH WALLET-REPORT 8 "2010-03-08" "0.11" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -155,6 +155,8 @@ translates command strings into method calls and returns the results. .IX Item "acls empty" .IP "acls entry <scheme> <identifier>" 4 .IX Item "acls entry <scheme> <identifier>" +.IP "acls unused" 4 +.IX Item "acls unused" .PD Returns a list of ACLs in the database. ACLs will be listed in the form: .Sp @@ -181,9 +183,35 @@ can be destroyed. Returns all ACLs containing an entry with given scheme and identifier. The scheme must be an exact match, but the <identifier> string will match any identifier containing that string. +.IP "acls unused" 4 +.IX Item "acls unused" +Returns all ACLs that are not referenced by any of the objects in the +wallet database, either as an owner or on one of the more specific ACLs. .RE .RS 4 .RE +.IP "audit acls name" 4 +.IX Item "audit acls name" +.PD 0 +.IP "audit objects name" 4 +.IX Item "audit objects name" +.PD +Returns all ACLs or objects that violate the current site naming policy. +Objects will be listed in the form: +.Sp +.Vb 1 +\& <type> <name> +.Ve +.Sp +and ACLs in the form: +.Sp +.Vb 1 +\& <name> (ACL ID: <id>) +.Ve +.Sp +where <name> is the human-readable name and <id> is the numeric \s-1ID\s0. The +numeric \s-1ID\s0 is what's used internally by the wallet system. There will be +one line per object or \s-1ACL\s0. .IP "objects" 4 .IX Item "objects" .PD 0 
@@ -211,19 +239,19 @@ will be limited to those that match the search. .Sp The currently supported object search types are: .RS 4 -.IP "list objects acl <acl>" 4 -.IX Item "list objects acl <acl>" +.IP "objects acl <acl>" 4 +.IX Item "objects acl <acl>" Returns all objects for which the given \s-1ACL\s0 name or \s-1ID\s0 has any permissions. This includes those objects owned by the \s-1ACL\s0 as well as those where that \s-1ACL\s0 has any other, more limited permissions. -.IP "list objects flag <flag>" 4 -.IX Item "list objects flag <flag>" +.IP "objects flag <flag>" 4 +.IX Item "objects flag <flag>" Returns all objects which have the given flag set. -.IP "list objects owner <acl>" 4 -.IX Item "list objects owner <acl>" +.IP "objects owner <acl>" 4 +.IX Item "objects owner <acl>" Returns all objects owned by the given \s-1ACL\s0 name or \s-1ID\s0. -.IP "list objects type <type>" 4 -.IX Item "list objects type <type>" +.IP "objects type <type>" 4 +.IX Item "objects type <type>" Returns all objects of the given type. .RE .RS 4 |
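
Review bot: in the server/wallet-report hunk at @@ -35,6 +35,20 @@, the new audit branch checks only the argument count and then picks the output format with `if ($args[0] eq 'acls')`, so any other first argument falls into the object format, and the second argument is never compared here against the single documented value, name. Suggest validating both in the script (die unless the first argument is acls or objects and the second is name) so a typo produces a clear usage error instead of depending on what $report->audit does with it. The `if (!@result and $report->error)` test also relies on the error state being empty after a successful audit that finds no violations, which is the expected clean result; that code is outside this diff (limited to 'server'), so it is worth confirming.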
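
Review bot: the server/wallet-admin hunk at @@ -41,45 +41,6 @@ deletes the list and report branches outright, so existing cron jobs or scripts that call wallet-admin list or wallet-admin report owners now fall through to whatever the final branch of command() does, which is not visible here. Suggest keeping short stubs for one release that die with a pointer to wallet-report. The visible wallet-report hunks add audit and acls unused but show no owners command, so please confirm that report owners has an equivalent there before its documentation is dropped from wallet-admin.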
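
Review bot: in the server/wallet-report POD hunk at @@ -127,8 +143,30 @@, the audit entry says results "violate the current site naming policy" but does not say where that policy is defined or what audit returns when a site has none configured. Suggest a cross-reference to the documentation that defines the policy and a sentence on the no-policy case, since an empty result will otherwise be read as a clean audit. The same text is regenerated into server/wallet-report.8 at @@ -181,9 +183,35 @@, so fixing the POD covers both.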