diff options
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | client/wallet.pod | 6 | ||||
| -rw-r--r-- | docs/design | 6 | ||||
| -rw-r--r-- | docs/notes | 12 | ||||
| -rw-r--r-- | perl/Wallet/Server.pm | 19 | ||||
| -rwxr-xr-x | perl/t/server.t | 20 | ||||
| -rwxr-xr-x | server/keytab-backend | 2 | ||||
| -rwxr-xr-x | server/wallet-backend | 8 | 
8 files changed, 44 insertions, 34 deletions
| @@ -2,6 +2,11 @@  wallet 1.0 (unreleased) +    Owners of wallet objects are now allowed to destroy them.  In previous +    versions, a special destroy ACL had to be set and the owner ACL wasn't +    used for destroy actions, but operational experience at Stanford has +    shown that letting owners destroy their own objects is a better model. +      wallet-admin has a new sub-command, upgrade, which upgrades the wallet      database to the latest schema version.  This command should be run      when deploying any new version of the wallet server. diff --git a/client/wallet.pod b/client/wallet.pod index 32d81ad..214a157 100644 --- a/client/wallet.pod +++ b/client/wallet.pod @@ -159,9 +159,9 @@ C<getattr> and C<history>, which use the C<show> ACL, C<setattr>, which  uses the C<store> ACL, and C<comment>, which uses the owner or C<show> ACL  depending on whether one is setting or retrieving the comment.  If the  appropriate ACL is set, it alone is checked to see if the user has access. -Otherwise, C<get>, C<store>, C<show>, C<getattr>, C<setattr>, C<history>, -and C<comment> access is permitted if the user is authorized by the owner -ACL of the object. +Otherwise, C<destroy>, C<get>, C<store>, C<show>, C<getattr>, C<setattr>, +C<history>, and C<comment> access is permitted if the user is authorized +by the owner ACL of the object.  Administrators can run any command on any object or ACL except for C<get>  and C<store>.  For C<get> and C<store>, they must still be authorized by diff --git a/docs/design b/docs/design index 4bb5587..8f4b20d 100644 --- a/docs/design +++ b/docs/design @@ -148,9 +148,9 @@ Server Design      * Optional ACLs for get, store, show, destroy, and flag operations.        If there is an ACL for get, store, or show, that overrides the -      normal permissions of the owner.  In the absence of an ACL for -      destroy or flag, only wallet administrators can destroy an object or -      set flags on that object.  This entry would need no special ACLs. +      normal permissions of the owner.  In the absence of an ACL for flag, +      only wallet administrators can set flags on that object.  This entry +      would need no special ACLs.      * Trace fields storing the user, remote host, and timestamp for when        this object was last created, stored, and downloaded. @@ -46,7 +46,7 @@ Server Issues    ACL Management -    Supported operations are:  get, store, create (possibly triggered by a +    Supported operations are: get, store, create (possibly triggered by a      get or store of something that didn't already exist), destroy, show,      and setting or clearing flags.  Each of these need a separate ACL      potentially.  Not sure if we're going to need separate ACLs for each @@ -62,10 +62,9 @@ Server Issues      that returns a default ACL given the object type and name if the      object doesn't already exist. -    Owner rights provides get, store, and show, but not destroy or setting -    or clearing flags (not destroy because it's too destructive and we -    don't want it done accidentally).  This can be overridden by more -    precise ACL settings.  So the ACL logic would go like this: +    Owner rights provides get, store, show, and destroy, but not setting +    or clearing flags.  This can be overridden by more precise ACL +    settings.  So the ACL logic would go like this:       * If the user is an administrator and the operation isn't get or         store, operation is permitted. @@ -74,7 +73,8 @@ Server Issues         that specific ACL, apply that ACL.       * If the object exists but with no specific ACL setting and the -       operation is one of get, store, or show, apply the owner ACL. +       operation is one of get, store, show, or destroy, apply the owner +       ACL.       * If the object doesn't exist and the action is get, store, or         create, punt to a local policy if it exists and see if it returns a diff --git a/perl/Wallet/Server.pm b/perl/Wallet/Server.pm index db53f6c..6d67e17 100644 --- a/perl/Wallet/Server.pm +++ b/perl/Wallet/Server.pm @@ -1,7 +1,7 @@  # Wallet::Server -- Wallet system server implementation.  #  # Written by Russ Allbery <rra@stanford.edu> -# Copyright 2007, 2008, 2010, 2011 +# Copyright 2007, 2008, 2010, 2011, 2013  #     The Board of Trustees of the Leland Stanford Junior University  #  # See LICENSE for licensing terms. @@ -301,7 +301,7 @@ sub acl_verify {      } elsif ($action ne 'comment') {          $id = $object->acl ($action);      } -    if (! defined ($id) and $action ne 'flags' and $action ne 'destroy') { +    if (! defined ($id) and $action ne 'flags') {          $id = $object->owner;      }      unless (defined $id) { @@ -970,9 +970,10 @@ owner as determined by the wallet configuration.  Destroys the object identified by TYPE and NAME.  This destroys any data  that the wallet had saved about the object, may remove the underlying  object from other external systems, and destroys the wallet database entry -for the object.  To destroy an object, the current user must be authorized -by the ADMIN ACL or the destroy ACL on the object; the owner ACL is not -sufficient.  Returns true on success and false on failure. +for the object.  To destroy an object, the current user must be a member +of the ADMIN ACL, authorized by the destroy ACL, or authorized by the +owner ACL; however, if the destroy ACL is set, the owner ACL will not be +checked.  Returns true on success and false on failure.  =item dbh() @@ -981,10 +982,6 @@ mostly for testing; normally, clients should perform all actions through  the Wallet::Server object to ensure that authorization and history logging  is done properly. -=item schema() - -Returns the DBIx::Class schema object. -  =item error()  Returns the error of the last failing operation or undef if no operations @@ -1058,6 +1055,10 @@ The owner of an object is permitted to get, store, and show that object,  but cannot destroy or set flags on that object without being listed on  those ACLs as well. +=item schema() + +Returns the DBIx::Class schema object. +  =item show(TYPE, NAME)  Returns (as a string) a human-readable representation of the metadata diff --git a/perl/t/server.t b/perl/t/server.t index 8474989..4afda51 100755 --- a/perl/t/server.t +++ b/perl/t/server.t @@ -3,12 +3,12 @@  # Tests for the wallet server API.  #  # Written by Russ Allbery <rra@stanford.edu> -# Copyright 2007, 2008, 2010, 2011, 2012 +# Copyright 2007, 2008, 2010, 2011, 2012, 2013  #     The Board of Trustees of the Leland Stanford Junior University  #  # See LICENSE for licensing terms. -use Test::More tests => 381; +use Test::More tests => 382;  use POSIX qw(strftime);  use Wallet::Admin; @@ -497,10 +497,6 @@ is ($server->create ('base', 'service/test'), undef,      ' nor can we create objects');  is ($server->error, "$user1 not authorized to create base:service/test",      ' with error'); -is ($server->destroy ('base', 'service/user1'), undef, -    ' or destroy objects'); -is ($server->error, "$user1 not authorized to destroy base:service/user1", -    ' with error');  is ($server->owner ('base', 'service/user1', 'user2'), undef,      ' or set the owner');  is ($server->error, @@ -801,6 +797,12 @@ is ($server->store ('base', 'service/both', 'stuff'), undef,      ' or store it');  is ($server->error, 'cannot find base:service/both', ' because it is gone'); +# Switch back to user1 and test destroy. +$server = eval { Wallet::Server->new ($user1, $host) }; +is ($@, '', 'Switching users works'); +is ($server->destroy ('base', 'service/user1'), 1, +    'Destroy of an object we own with no destroy ACLs works'); +  # Test default ACLs on object creation.  #  # Create a default_acl sub that permits $user2 to create service/default with @@ -836,8 +838,10 @@ sub default_owner {  }  package main; -# We're still user2, so we should now be able to create service/default.  Make -# sure we can and that the ACLs all look good. +# Switch back to user2, so we should now be able to create service/default. +# Make sure we can and that the ACLs all look good. +$server = eval { Wallet::Server->new ($user2, $host) }; +is ($@, '', 'Switching users works');  is ($server->create ('base', 'service/default'), undef,      'Creating an object with the default ACL fails');  is ($server->error, "$user2 not authorized to create base:service/default", diff --git a/server/keytab-backend b/server/keytab-backend index e45aba2..b0116c7 100755 --- a/server/keytab-backend +++ b/server/keytab-backend @@ -152,7 +152,7 @@ __END__  =for stopwords  keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld -auth Allbery rekeying +auth Allbery rekeying MERCHANTABILITY NONINFRINGEMENT sublicense  =head1 NAME diff --git a/server/wallet-backend b/server/wallet-backend index 9d45982..fc3434e 100755 --- a/server/wallet-backend +++ b/server/wallet-backend @@ -335,7 +335,7 @@ __END__  =for stopwords  wallet-backend backend backend-specific remctld ACL acl timestamp getacl  setacl metadata keytab keytabs enctypes enctype ktadd KDC Allbery -autocreate +autocreate MERCHANTABILITY NONINFRINGEMENT sublicense  =head1 NAME @@ -386,9 +386,9 @@ C<getattr> and C<history>, which use the C<show> ACL, C<setattr>, which  uses the C<store> ACL, and C<comment>, which uses the owner or C<show> ACL  depending on whether one is setting or retrieving the comment.  If the  appropriate ACL is set, it alone is checked to see if the user has access. -Otherwise, C<get>, C<store>, C<show>, C<getattr>, C<setattr>, C<history>, -and C<comment> access is permitted if the user is authorized by the owner -ACL of the object. +Otherwise, C<destroy>, C<get>, C<store>, C<show>, C<getattr>, C<setattr>, +C<history>, and C<comment> access is permitted if the user is authorized +by the owner ACL of the object.  Administrators can run any command on any object or ACL except for C<get>  and C<store>.  For C<get> and C<store>, they must still be authorized by | 
