Diffstat (limited to 'perl/lib/Wallet')
40 files changed, 447 insertions, 295 deletions
diff --git a/perl/lib/Wallet/ACL.pm b/perl/lib/Wallet/ACL.pm index ad0eb2c..948b71c 100644 --- a/perl/lib/Wallet/ACL.pm +++ b/perl/lib/Wallet/ACL.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2010, 2013, 2014, 2015 +# Copyright 2007-2008, 2010, 2013-2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use DateTime;  use Wallet::Object::Base; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Constructors @@ -732,7 +732,7 @@ caller should call error() to get the error message.  Wallet::ACL::Base(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/Base.pm b/perl/lib/Wallet/ACL/Base.pm index 235a9cb..320a731 100644 --- a/perl/lib/Wallet/ACL/Base.pm +++ b/perl/lib/Wallet/ACL/Base.pm @@ -5,7 +5,7 @@  # Copyright 2007, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -17,7 +17,7 @@ use 5.008;  use strict;  use warnings; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface 
@@ -127,7 +127,7 @@ error string.  Wallet::ACL(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/External.pm b/perl/lib/Wallet/ACL/External.pm index caed80e..2285469 100644 --- a/perl/lib/Wallet/ACL/External.pm +++ b/perl/lib/Wallet/ACL/External.pm @@ -2,7 +2,7 @@  #  # Copyright 2016 Russ Allbery <eagle@eyrie.org>  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -19,7 +19,7 @@ use Wallet::ACL::Base;  use Wallet::Config;  our @ISA     = qw(Wallet::ACL::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -183,7 +183,7 @@ remctld(8), Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3),  wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/Krb5.pm b/perl/lib/Wallet/ACL/Krb5.pm index e0e9a61..3309274 100644 --- a/perl/lib/Wallet/ACL/Krb5.pm +++ b/perl/lib/Wallet/ACL/Krb5.pm @@ -5,7 +5,7 @@  # Copyright 2007, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL::Base;  our @ISA     = qw(Wallet::ACL::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface 
@@ -113,7 +113,7 @@ The PRINCIPAL parameter to check() was undefined or the empty string.  Wallet::ACL(3), Wallet::ACL::Base(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/Krb5/Regex.pm b/perl/lib/Wallet/ACL/Krb5/Regex.pm index f3b9a06..be6c5e1 100644 --- a/perl/lib/Wallet/ACL/Krb5/Regex.pm +++ b/perl/lib/Wallet/ACL/Krb5/Regex.pm @@ -5,7 +5,7 @@  # Copyright 2007, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL::Krb5;  our @ISA     = qw(Wallet::ACL::Krb5); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -121,7 +121,7 @@ The ACL parameter to check() was undefined or the empty string.  Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::ACL::Krb5(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/LDAP/Attribute.pm b/perl/lib/Wallet/ACL/LDAP/Attribute.pm index fcb8447..65e0208 100644 --- a/perl/lib/Wallet/ACL/LDAP/Attribute.pm +++ b/perl/lib/Wallet/ACL/LDAP/Attribute.pm 
@@ -2,10 +2,10 @@  #  # Written by Russ Allbery  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2012, 2013, 2014 +# Copyright 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -23,7 +23,7 @@ use Wallet::ACL::Base;  use Wallet::Config;  our @ISA     = qw(Wallet::ACL::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -251,7 +251,7 @@ The PRINCIPAL parameter to check() was undefined or the empty string.  Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/LDAP/Attribute/Root.pm b/perl/lib/Wallet/ACL/LDAP/Attribute/Root.pm index 8451394..5ebece6 100644 --- a/perl/lib/Wallet/ACL/LDAP/Attribute/Root.pm +++ b/perl/lib/Wallet/ACL/LDAP/Attribute/Root.pm @@ -1,12 +1,11 @@  # Wallet::ACL::LDAP::Attribute::Root -- Wallet root instance LDAP ACL verifier  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Based on Wallet::ACL::NetDB::Root by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org>  # Copyright 2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations 
@@ -21,7 +20,7 @@ use warnings;  use Wallet::ACL::LDAP::Attribute;  our @ISA     = qw(Wallet::ACL::LDAP::Attribute); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -113,7 +112,7 @@ Net::Remctl(3), Wallet::ACL(3), Wallet::ACL::Base(3),  Wallet::ACL::LDAP::Attribute(3), Wallet::Config(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHORS diff --git a/perl/lib/Wallet/ACL/Nested.pm b/perl/lib/Wallet/ACL/Nested.pm index da42286..a6b6655 100644 --- a/perl/lib/Wallet/ACL/Nested.pm +++ b/perl/lib/Wallet/ACL/Nested.pm @@ -5,7 +5,7 @@  # Copyright 2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL::Base;  our @ISA     = qw(Wallet::ACL::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -177,7 +177,7 @@ will generally come from the nested child ACL.  Wallet::ACL(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/NetDB.pm b/perl/lib/Wallet/ACL/NetDB.pm index a4c7fb0..c5fdc39 100644 --- a/perl/lib/Wallet/ACL/NetDB.pm +++ b/perl/lib/Wallet/ACL/NetDB.pm 
@@ -5,7 +5,7 @@  # Copyright 2007, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -21,7 +21,7 @@ use Wallet::ACL::Base;  use Wallet::Config;  our @ISA     = qw(Wallet::ACL::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface @@ -252,10 +252,10 @@ wallet-backend(8)  NetDB is a free software system for managing DNS, DHCP, and related  machine information for large organizations.  For more information on -NetDB, see L<http://www.stanford.edu/group/networking/netdb/>. +NetDB, see L<https://web.stanford.edu/group/networking/netdb/>.  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/ACL/NetDB/Root.pm b/perl/lib/Wallet/ACL/NetDB/Root.pm index bfd13b4..2dd1562 100644 --- a/perl/lib/Wallet/ACL/NetDB/Root.pm +++ b/perl/lib/Wallet/ACL/NetDB/Root.pm @@ -5,7 +5,7 @@  # Copyright 2007, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL::NetDB;  our @ISA     = qw(Wallet::ACL::NetDB); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Interface 
@@ -112,10 +112,10 @@ Wallet::ACL::NetDB(3), Wallet::Config(3), wallet-backend(8)  NetDB is a free software system for managing DNS, DHCP, and related  machine information for large organizations.  For more information on -NetDB, see L<http://www.stanford.edu/group/networking/netdb/>. +NetDB, see L<https://web.stanford.edu/group/networking/netdb/>.  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Admin.pm b/perl/lib/Wallet/Admin.pm index 9b63174..707f410 100644 --- a/perl/lib/Wallet/Admin.pm +++ b/perl/lib/Wallet/Admin.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014 +# Copyright 2008-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL;  use Wallet::Schema; -our $VERSION = '1.03'; +our $VERSION = '1.04';  # The last non-DBIx::Class version of Wallet::Schema.  If a database has no  # DBIx::Class versioning, we artificially install this version number before @@ -375,7 +375,7 @@ much as possible.  Returns true on success and false on failure.  wallet-admin(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index b8771c3..60f0e10 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm 
@@ -1,11 +1,11 @@  # Wallet::Config -- Configuration handling for the wallet server  #  # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2010, 2013, 2014, 2015 +# Copyright 2016, 2018 Russ Allbery <eagle@eyrie.org> +# Copyright 2007-2008, 2010, 2013-2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Config; @@ -13,7 +13,7 @@ use 5.008;  use strict;  use warnings; -our $VERSION = '1.03'; +our $VERSION = '1.04';  # Path to the config file to load.  our $PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf'; @@ -26,7 +26,7 @@ Wallet::Config - Configuration handling for the wallet server  DBI DSN SQLite subdirectories KEYTAB keytab kadmind KDC add-ons kadmin DNS  SRV kadmin keytabs remctl backend lowercased NETDB ACL NetDB unscoped  usernames rekey hostnames Allbery wallet-backend keytab-backend Heimdal -rekeys WebAuth WEBAUTH keyring LDAP DN GSS-API integrations msktutil +rekeys WebAuth WEBAUTH keyring LDAP DN GSS-API integrations msktutil CN DIT  =head1 SYNOPSIS 
@@ -415,40 +415,48 @@ our $KEYTAB_TMP;  =back -The following parameters are specific to generating keytabs from Active -Directory (KEYTAB_KRBTYPE is set to C<AD>). +The following parameters are specific to generating keytabs from +Active Directory (KEYTAB_KRBTYPE is set to C<AD>).  =over 4 +=item AD_BASE_DN + +The base distinguished name of the Active Directory instance.  This is used +when Wallet uses LDAP directly to examine objects in Active Directory. + +=cut + +our $AD_BASE_DN; +  =item AD_CACHE  Specifies the ticket cache to use when manipulating Active Directory objects.  The ticket cache must be for a principal able to bind to Active Directory and  run B<msktutil>. -AD_CACHE must be set to use Active Directory support. -  =cut  our $AD_CACHE; -=item AD_COMPUTER_DN +=item AD_COMPUTER_RDN -The LDAP base DN for computer objects inside Active Directory.  All keytabs of -the form host/<hostname> will be mapped to objects with a C<samAccountName> of -the <hostname> portion under this DN. +The LDAP base DN for computer objects inside Active Directory.  All +keytabs of the form host/<hostname> will be mapped to objects with a +C<samAccountName> of the <hostname> portion under this DN. -AD_COMPUTER_DN must be set if using Active Directory as the keytab backend. +AD_COMPUTER_RDN must be set if using Active Directory as the keytab +backend.  =cut -our $AD_COMPUTER_DN; +our $AD_COMPUTER_RDN;  =item AD_DEBUG -If set to true, asks for some additional debugging information, such as the -B<msktutil> command, to be logged to syslog.  These debugging messages will be -logged to the C<local3> facility. +If set to true, asks for some additional debugging information, such +as the B<msktutil> command, to be logged to syslog.  These debugging +messages will be logged to the C<local3> facility.  =cut 
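Review bot: The renamed AD_COMPUTER_RDN item is still documented as "The LDAP base DN for computer objects", although `ldap_base_filter` in Wallet::Kadmin::AD now appends `',' . $Wallet::Config::AD_BASE_DN` to it, so the value has to be relative to AD_BASE_DN; the same applies to AD_USER_RDN in the next hunk. I would reword both along the lines of `The DN of the container for computer objects, relative to AD_BASE_DN.` and state in the AD_BASE_DN item that it is required. Because the variables are renamed rather than aliased, an existing wallet.conf that sets AD_COMPUTER_DN or AD_USER_DN no longer has any effect, which deserves a line in the upgrade notes. The sentence "AD_CACHE must be set to use Active Directory support" is dropped here while `ldap_connect` still reads AD_CACHE.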
@@ -464,17 +472,64 @@ default PATH.  our $AD_MSKTUTIL = 'msktutil'; -=item AD_USER_DN +=item AD_SERVICE_LENGTH + +The maximum length of a unique identifier, C<samAccountName>, for Active +Directory keytab objects.  If the identifier exceeds this length then it will +be truncated and an integer will be appended to the end of the identifier. +This parameter is here in hopes that at some point in the future Microsoft +will remove the limitation. + +=cut + +our $AD_SERVICE_LENGTH = '20'; + +=item AD_SERVICE_LIMIT + +Used to limit the number of iterations used in attempting to find a +unique account name for principals.  Defaults to 999. + +=cut + +our $AD_SERVICE_LIMIT = '999'; + +=item AD_SERVICE_PREFIX + +For service principals the AD_SERVICE_PREFIX will be combined with the +principal identifier to form the account name, i.e. the CN, used to +store the keytab entry in the Active Directory.  Active Directory +limits these CN's to a maximum of 20 characters.  If the resulting CN +is greater than 20 characters the CN will be truncated and an integer +will be appended to it.  The integer will be incremented until a +unique CN is found. + +The AD_SERVICE_PREFIX is generally useful only prevent name collisions +when the service keytabs are store in branch of the DIT that also +contains other similar objects. + +=cut + +our $AD_SERVICE_PREFIX; + +=item AD_SERVER + +The hostname of the Active Directory Domain Controller. + +=cut + +our $AD_SERVER; + +=item AD_USER_RDN  The LDAP base DN for user objects inside Active Directory.  All keytabs of the  form service/<user> will be mapped to objects with a C<servicePrincipalName>  matching the wallet object name under this DN. -AD_USER_DN must be set if using Active Directory as the keytab backend. +AD_USER_RDN must be set if using Active Directory as the keytab backend.  =cut -our $AD_USER_DN; +our $AD_USER_RDN;  =back 
@@ -482,8 +537,9 @@ our $AD_USER_DN;  Heimdal provides the choice, over the network protocol, of either  downloading the existing keys for a principal or generating new random -keys.  MIT Kerberos does not; downloading a keytab over the kadmin -protocol always rekeys the principal. +keys.  Neither MIT Kerberos or Active Directory support retrieving an +existing keytab; downloading a keytab over the kadmin protocol or +using msktutil always rekeys the principal.  For MIT Kerberos, the keytab object backend therefore optionally supports  retrieving existing keys, and hence keytabs, for Kerberos principals by @@ -491,6 +547,11 @@ contacting the KDC via remctl and talking to B<keytab-backend>.  This is  enabled by setting the C<unchanging> flag on keytab objects.  To configure  that support, set the following variables. +For Active Directory Kerberos, the keytab object backend supports +storing the keytabs on the wallet server.  This functionality is +enabled by setting the configuration variable AD_KEYTAB_BUCKET.  (This +had not been implemented yet.) +  This is not required for Heimdal; for Heimdal, setting the C<unchanging>  flag is all that's needed. @@ -542,6 +603,16 @@ will be used.  our $KEYTAB_REMCTL_PORT; +=item AD_KEYTAB_BUCKET + +The path to store a copy of keytabs created.  This is required for the +support of unchanging keytabs with an Active Directory KDC.  (This has +not been implemented yet.) + +=cut + +our $AD_KEYTAB_BUCKET = '/var/lib/wallet/keytabs'; +  =back  =head1 WEBAUTH KEYRING OBJECT CONFIGURATION @@ -984,7 +1055,7 @@ __END__  DBI(3), Wallet::Object::Keytab(3), Wallet::Server(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Database.pm b/perl/lib/Wallet/Database.pm index 23b059f..83b8dfc 100644 --- a/perl/lib/Wallet/Database.pm 
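Review bot: AD_KEYTAB_BUCKET is described as the switch for storing keytabs on the wallet server ("enabled by setting the configuration variable"), yet the -542 hunk gives it a non-empty default, `'/var/lib/wallet/keytabs'`, so once the feature is implemented it would be on for every Active Directory installation. Declaring it as `our $AD_KEYTAB_BUCKET;` keeps the behaviour opt-in. Since that directory would hold long-term Kerberos keys, the item should also say which account must own the path and that it must not be readable by others. The two parentheticals disagree in tense ("had not been implemented" in the -491 hunk, "has not been implemented" here).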
+++ b/perl/lib/Wallet/Database.pm @@ -7,10 +7,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2008, 2009, 2010, 2012, 2013, 2014 +# Copyright 2008-2010, 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -26,7 +26,7 @@ use Wallet::Config;  use Wallet::Schema;  our @ISA     = qw(Wallet::Schema); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Core overrides @@ -111,7 +111,7 @@ configuration.  DBI(3), Wallet::Config(3)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Kadmin.pm b/perl/lib/Wallet/Kadmin.pm index 8851c7e..150c188 100644 --- a/perl/lib/Wallet/Kadmin.pm +++ b/perl/lib/Wallet/Kadmin.pm @@ -2,10 +2,10 @@  #  # Written by Jon Robertson <jonrober@stanford.edu>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2009, 2010, 2014 +# Copyright 2009-2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -19,7 +19,7 @@ use warnings;  use Wallet::Config; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Utility functions for child classes 
@@ -232,7 +232,7 @@ as binary data.  On failure, returns undef and sets the object error.  kadmin(8), Wallet::Config(3), Wallet::Object::Keytab(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHORS diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm index 5b71d41..f2f86b9 100644 --- a/perl/lib/Wallet/Kadmin/AD.pm +++ b/perl/lib/Wallet/Kadmin/AD.pm @@ -1,12 +1,12 @@  # Wallet::Kadmin::AD -- Wallet Kerberos administration API for AD  # -# Written by Bill MacAllister <bill@ca-zephyr.org> -# Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2015 Dropbox, Inc. -# Copyright 2007, 2008, 2009, 2010, 2014 +# Written by Bill MacAllister <whm@dropbox.com> +# Copyright 2016, 2018 Russ Allbery <eagle@eyrie.org> +# Copyright 2015-2016 Dropbox, Inc. +# Copyright 2007-2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -26,7 +26,9 @@ use Wallet::Config;  use Wallet::Kadmin;  our @ISA     = qw(Wallet::Kadmin); -our $VERSION = '1.03'; +our $VERSION = '1.04'; + +my $LDAP;  ##############################################################################  # kadmin Interaction 
@@ -34,33 +36,47 @@ our $VERSION = '1.03';  # Send debugging output to syslog. -sub ad_debug { +sub ad_syslog {      my ($self, $l, $m) = @_;      if (!$self->{SYSLOG}) {          openlog('wallet-server', 'ndelay,nofatal', 'local3');          $self->{SYSLOG} = 1;      } +    if ($l !~ /^(debug|info|err|warning)$/xms) { +        $l = 'err'; +    }      syslog($l, $m);      return;  } +# Return a string given an array whose elements are command line arguments +# passws to IPC::Run.  Quote any strings that have embedded spaces.  Replace +# null elements with the string #NULL#. + +sub ad_cmd_string { +    my ($self, $cmd_ref) = @_; +    my $z  = ''; +    my $ws = ' '; +    for my $e (@{ $cmd_ref }) { +        if (!$e) { +            $z .= $ws . '#NULL#'; +        } elsif ($e =~ /\s/xms) { +            $z .= $ws . '"' . $e . '"'; +        } else { +            $z .= $ws . $e; +        } +        $ws = ' '; +    } +    return $z; +} +  # Make sure that principals are well-formed and don't contain  # characters that will cause us problems when talking to kadmin.  # Takes a principal and returns true if it's okay, false otherwise.  # Note that we do not permit realm information here.  sub valid_principal {      my ($self, $principal) = @_; -    my $valid = 0; -    if ($principal =~ m,^(host|service)(/[\w_.-]+)?\z,) { -        my $k_type = $1; -        my $k_id   = $2; -        if ($k_type eq 'host') { -            $valid = 1 if $k_id =~ m/[.]/xms; -        } elsif ($k_type eq 'service') { -            $valid = 1 if length($k_id) < 19; -        } -    } -    return $valid; +    return scalar ($principal =~ m,^[\w-]+(/[\w_.-]+)?\z,);  }  # Connect to the Active Directory server using LDAP. The connection is 
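Review bot: In `ad_syslog` the message is still handed to `syslog` as its format argument (`syslog($l, $m)`), and this commit routes more externally influenced text through it: LDAP bases and filters in `ldap_get_dn`, msktutil's stderr via the `$self->ad_syslog('err', $err_msg)` call added in the -162 hunk, and the principal name in `ad_create_update`. A `%` anywhere in that text is treated as a conversion specifier, so the logged line can be mangled; `syslog($l, '%s', $m);` logs it verbatim. In `ad_cmd_string`, `if (!$e)` also renders a literal `0` argument as `#NULL#`, which `if (!defined $e || $e eq '')` would avoid, and "passws" in the comment should read "passed".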
@@ -69,48 +85,111 @@ sub valid_principal {  sub ldap_connect {      my ($self) = @_; -    if (!-e $Wallet::Config::AD_CACHE) { -        die 'Missing kerberos ticket cache ' . $Wallet::Config::AD_CACHE; -    } - -    my $ldap; -    eval { -        local $ENV{KRB5CCNAME} = $Wallet::Config::AD_CACHE; -        my $sasl = Authen::SASL->new(mechanism => 'GSSAPI'); -        $ldap = Net::LDAP->new($Wallet::Config::KEYTAB_HOST, onerror => 'die'); -        my $mesg = eval { $ldap->bind(undef, sasl => $sasl) }; -    }; -    if ($@) { -        my $error = $@; -        chomp $error; -        1 while ($error =~ s/ at \S+ line \d+\.?\z//); -        die "LDAP bind to AD failed: $error\n"; +    if (!$LDAP) { +        eval { +            local $ENV{KRB5CCNAME} = $Wallet::Config::AD_CACHE; +            my $sasl = Authen::SASL->new(mechanism => 'GSSAPI'); +            $LDAP = Net::LDAP->new($Wallet::Config::KEYTAB_HOST, +                                   onerror => 'die'); +            my $mesg = eval { $LDAP->bind(undef, sasl => $sasl) }; +        }; +        if ($@) { +            my $error = $@; +            chomp $error; +            1 while ($error =~ s/ at \S+ line \d+\.?\z//); +            die "LDAP bind to AD failed: $error\n"; +        }      } - -    return $ldap; +    return $LDAP;  }  # Construct a base filter for searching Active Directory.  
sub ldap_base_filter {      my ($self, $principal) = @_; +      my $base;      my $filter; -    if ($principal =~ m,^host/(\S+),xms) { -        my $fqdn = $1; -        my $host = $fqdn; -        $host =~ s/[.].*//xms; -        $base   = $Wallet::Config::AD_COMPUTER_DN; -        $filter = "(samAccountName=${host}\$)"; -    } elsif ($principal =~ m,^service/(\S+),xms) { -        my $id = $1; -        $base   = $Wallet::Config::AD_USER_DN; -        $filter = "(servicePrincipalName=service/${id})"; +    my $this_type; +    my $this_id; + +    if ($principal =~ m,^(.*?)/(\S+),xms) { +        $this_type = $1; +        $this_id   = $2; +    } else { +        $this_id = $principal; +    } + +    # Create a filter to find the objects we create +    if ($this_id =~ s/@(.*)//xms) { +        $filter = "(userPrincipalName=${principal})"; +    } elsif ($Wallet::Config::KEYTAB_REALM) { +        $filter = '(userPrincipalName=' . $principal +        . '@' . $Wallet::Config::KEYTAB_REALM . ')'; +    } else { +        $filter = "(userPrincipalName=${principal}\@*)"; +    } + +    # Set the base distinguished name +    if ($this_type && $this_type eq 'host') { +        $base = $Wallet::Config::AD_COMPUTER_RDN; +    } else { +        $base = $Wallet::Config::AD_USER_RDN;      } +    $base .= ',' . $Wallet::Config::AD_BASE_DN; +      return ($base, $filter);  } -# TODO: Get a keytab from the keytab cache. +# Take in a base and a filter and return the assoicated DN or return +# null if there is no matching entry. 
+sub ldap_get_dn { +    my ($self, $base, $filter) = @_; +    my $dn; + +    if ($Wallet::Config::AD_DEBUG) { +        $self->ad_syslog('debug', "base:$base filter:$filter scope:subtree\n"); +    } + +    $self->ldap_connect(); +    my @attrs = ('objectclass'); +    my $result; +    eval { +        $result = $LDAP->search( +            base   => $base, +            scope  => 'subtree', +            filter => $filter, +            attrs  => \@attrs +            ); +    }; +    if ($@) { +        my $error = $@; +        die "LDAP search error: $error\n"; +    } +    if ($result->code) { +        $self->ad_syslog('info', "base:$base filter:$filter scope:subtree\n"); +        die $result->error; +    } +    if ($Wallet::Config::AD_DEBUG) { +        $self->ad_syslog('debug', 'returned: ' . $result->count); +    } + +    if ($result->count == 1) { +        for my $entry ($result->entries) { +            $dn = $entry->dn; +        } +    } elsif ($result->count > 1) { +        $self->ad_syslog('err', 'too many AD entries for this keytab'); +        for my $entry ($result->entries) { +            $self->ad_syslog('info', 'dn found: ' . $entry->dn . "\n"); +        } +        die("INFO: use show to examine the problem\n"); +    } + +    return $dn; +} + +# TODO: Get a keytab from the keytab bucket.  sub get_ad_keytab {      my ($self, $principal) = @_;      return; 
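Review bot: A failed SASL bind in `ldap_connect` is never reported, because the inner `eval { $LDAP->bind(undef, sasl => $sasl) }` catches the exception raised by `onerror => 'die'` and the outer `eval` then completes with `$@` empty; now that the handle is cached in the file-scoped `$LDAP`, every later call in the process reuses that unauthenticated connection. Calling `$LDAP->bind(undef, sasl => $sasl);` without the inner `eval`, and adding `undef $LDAP;` at the top of the `if ($@)` branch, lets the existing error path fire and allows a retry. With the `-e $Wallet::Config::AD_CACHE` check removed, an unset AD_CACHE now reaches `local $ENV{KRB5CCNAME}` as undef. Separately, `ldap_base_filter` interpolates `$principal` into the filter unescaped and has a branch for names containing `@`, which `valid_principal` rejects, so it appears to expect input that has not been validated (`ad_delete` calls it without validating); passing the value through `escape_filter_value` from Net::LDAP::Util would keep filter metacharacters literal.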
@@ -125,13 +204,16 @@ sub get_ad_keytab {  sub msktutil {      my ($self, $args_ref) = @_;      unless (defined($Wallet::Config::KEYTAB_HOST) +        and defined($Wallet::Config::KEYTAB_PRINCIPAL) +        and defined($Wallet::Config::KEYTAB_FILE)          and defined($Wallet::Config::KEYTAB_REALM))      {          die "keytab object implementation not configured\n";      } -    unless (defined($Wallet::Config::AD_CACHE) -        and defined($Wallet::Config::AD_COMPUTER_DN) -        and defined($Wallet::Config::AD_USER_DN)) +    unless (-e $Wallet::Config::AD_MSKTUTIL +        and defined($Wallet::Config::AD_BASE_DN) +        and defined($Wallet::Config::AD_COMPUTER_RDN) +        and defined($Wallet::Config::AD_USER_RDN))      {          die "Active Directory support not configured\n";      } @@ -139,7 +221,7 @@ sub msktutil {      my @cmd  = ($Wallet::Config::AD_MSKTUTIL);      push @cmd, @args;      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', join(' ', @cmd)); +        $self->ad_syslog('debug', $self->ad_cmd_string(\@cmd));      }      my $in; @@ -162,6 +244,7 @@ sub msktutil {              $err_msg .= "ERROR: $err\n";              $err_msg .= 'Problem command: ' . join(' ', @cmd) . "\n";          } +        $self->ad_syslog('err', $err_msg);          die $err_msg;      } else {          if ($err) { 
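Review bot: The new `-e $Wallet::Config::AD_MSKTUTIL` test in the configuration guard fails for the documented default, because Wallet::Config sets `$AD_MSKTUTIL = 'msktutil'` and `-e` resolves a bare name against the current directory rather than PATH, so a default installation would die with "Active Directory support not configured". The guard also no longer requires AD_CACHE, which `ldap_connect` still reads, and it does not cover AD_SERVER, which `ad_create_update` passes to `--server`. Replacing the `-e` test with `defined($Wallet::Config::AD_SERVER)` and keeping `defined($Wallet::Config::AD_CACHE)` would align the guard with what the code uses. The body of `msktutil` continues outside this hunk.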
@@ -169,49 +252,107 @@ sub msktutil {          }      }      if ($Wallet::Config::AD_DEBUG) { -        $self->ad_debug('debug', $out); +        $self->ad_syslog('debug', $out);      }      return $out;  } +# The unique identifier that Active Directory used to store keytabs +# has a maximum length of 20 characters.  This routine takes a +# principal name an generates a unique ID based on the principal name. +sub get_account_id { +    my ($self, $this_princ) = @_; + +    my $this_id; +    my ($this_base, $this_filter) = $self->ldap_base_filter($this_princ); +    my $real_dn = $self->ldap_get_dn($this_base, $this_filter); +    if ($real_dn) { +        $this_id = $real_dn; +        $this_id =~ s/,.*//xms; +        $this_id =~ s/.*?=//xms; +    } else { +        my ($this_type, $this_cn) = split '/', $this_princ, 2; +        my $max_len; +        if ($this_type eq 'host') { +            $max_len = $Wallet::Config::AD_SERVICE_LENGTH - 1; +        } else { +            $max_len = $Wallet::Config::AD_SERVICE_LENGTH; +            if ($Wallet::Config::AD_SERVICE_PREFIX) { +                $this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn; +            } +        } +        my $loop_limit = $Wallet::Config::AD_SERVICE_LIMIT; +        if (length($this_cn)>$max_len) { +            my $cnt = 0; +            my $this_dn; +            my $suffix_size = length("$loop_limit"); +            my $this_prefix = substr($this_cn, 0, $max_len - $suffix_size); +            my $this_format = "%0${suffix_size}i"; +            while ($cnt<$loop_limit) { +                $this_cn = $this_prefix . 
sprintf($this_format, $cnt); +                $this_dn = $self->ldap_get_dn($this_base, "cn=$this_cn"); +                if (!$this_dn) { +                    $this_id = $this_cn; +                    last; +                } +                $cnt++; +            } +        } else { +            $this_id = $this_cn; +        } +    } +    return $this_id; +} +  # Either create or update a keytab for the principal.  Return the  # name of the keytab file created.  sub ad_create_update {      my ($self, $principal, $action) = @_; +    return unless $self->valid_principal($principal);      my $keytab = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";      if (-e $keytab) {          unlink $keytab or die "Problem deleting $keytab\n";      }      my @cmd = ('--' . $action);      push @cmd, '--server',   $Wallet::Config::AD_SERVER; -    push @cmd, '--enctypes', '0x4'; -    push @cmd, '--enctypes', '0x8'; -    push @cmd, '--enctypes', '0x10'; +    push @cmd, '--enctypes', '0x1C';      push @cmd, '--keytab',   $keytab;      push @cmd, '--realm',    $Wallet::Config::KEYTAB_REALM; - -    if ($principal =~ m,^host/(\S+),xms) { -        my $fqdn = $1; -        my $host = $fqdn; -        $host =~ s/[.].*//xms; -        push @cmd, '--dont-expire-password'; -        push @cmd, '--computer-name', $host; -        push @cmd, '--upn', "host/$fqdn"; -        push @cmd, '--hostname', $fqdn; -    } elsif ($principal =~ m,^service/(\S+),xms) { -        my $service_id = $1; -        push @cmd, '--use-service-account'; -        push @cmd, '--service', "service/$service_id"; -        push @cmd, '--account-name', "srv-${service_id}"; -        push @cmd, '--no-pac'; -    } -    my $out = $self->msktutil(\@cmd); -    if ($out =~ /Error:\s+\S+\s+failed/xms) { -        $self->ad_delete($principal); -        my $m = "ERROR: problem creating keytab:\n" . $out; -        $m .= 'INFO: the keytab used to by wallet probably has' -          . 
" insufficient access to AD\n"; -        die $m; +    push @cmd, '--upn',      $principal; + +    my $this_type; +    my $this_id; +    if ($principal =~ m,^(.*?)/(\S+),xms) { +        $this_type = $1; +        $this_id   = $2; +        my $account_id = $self->get_account_id($principal); +        if ($this_type eq 'host') { +            my $host = $this_id; +            $host =~ s/[.].*//xms; +            push @cmd, '--base',          $Wallet::Config::AD_COMPUTER_RDN; +            push @cmd, '--dont-expire-password'; +            push @cmd, '--computer-name', $account_id; +            push @cmd, '--hostname',      $this_id; +        } else { +            push @cmd, '--base',         $Wallet::Config::AD_USER_RDN; +            push @cmd, '--use-service-account'; +            push @cmd, '--service',      $principal; +            push @cmd, '--account-name', $account_id; +            push @cmd, '--no-pac'; +        } +        my $out = $self->msktutil(\@cmd); +        if ($out =~ /Error:\s+\S+\s+failed/xms +            || !$self->exists($principal)) +        { +            $self->ad_delete($principal); +            my $m = "ERROR: problem creating keytab for $principal"; +            $self->ad_syslog('err', $m); +            $self->ad_syslog('err', +                             'Problem command:' . ad_cmd_string(\@cmd)); +            die "$m\n"; +        } +    } else { +        die "ERROR: Invalid principal format ($principal)\n";      }      return $keytab; 
@@ -234,45 +375,9 @@ sub exists {      my ($self, $principal) = @_;      return unless $self->valid_principal($principal); -    my $ldap = $self->ldap_connect();      my ($base, $filter) = $self->ldap_base_filter($principal); -    my @attrs = ('objectClass', 'msds-KeyVersionNumber'); -    my $result; -    eval { -        $result = $ldap->search( -            base   => $base, -            scope  => 'subtree', -            filter => $filter, -            attrs  => \@attrs -        ); -    }; - -    if ($@) { -        my $error = $@; -        die "LDAP search error: $error\n"; -    } -    if ($result->code) { -        my $m; -        $m .= "INFO base:$base filter:$filter scope:subtree\n"; -        $m .= 'ERROR:' . $result->error . "\n"; -        die $m; -    } -    if ($result->count > 1) { -        my $m = "ERROR: too many AD entries for this keytab\n"; -        for my $entry ($result->entries) { -            $m .= 'INFO: dn found ' . $entry->dn . "\n"; -        } -        die $m; -    } -    if ($result->count) { -        for my $entry ($result->entries) { -            return $entry->get_value('msds-KeyVersionNumber'); -        } -    } else { -        return 0; -    } -    return; +    return $self->ldap_get_dn($base, $filter);  }  # Call msktutil to Create a principal in Kerberos.  Sets the error and @@ -287,7 +392,7 @@ sub create {      }      if ($self->exists($principal)) {          if ($Wallet::Config::AD_DEBUG) { -            $self->ad_debug('debug', "$principal exists"); +            $self->ad_syslog('debug', "$principal exists");          }          return 1;      } @@ -345,7 +450,7 @@ sub destroy {      }      my $exists = $self->exists($principal);      if (!defined $exists) { -        return; +        return 1;      } elsif (not $exists) {          return 1;      } 
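Review bot: The return contract of `exists` changes here without being documented: it used to return the `msds-KeyVersionNumber` or `0`, and now returns whatever `ldap_get_dn` yields, which is apparently a DN or a false value, judging by the `if (!$this_dn)` test earlier in this diff. The removed body also died with "too many AD entries for this keytab" when the search matched more than one entry. `ldap_get_dn` is defined outside this hunk, so it is worth confirming that it still rejects an ambiguous match instead of returning the first DN, since `ad_delete` now deletes whatever DN this lookup produces. I would add `# Returns the DN of the AD entry for the principal, or a false value if none is found.` to the comment above `sub exists`, which starts above the hunk.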
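Review bot: In the `destroy` hunk, `return 1;` in the `!defined $exists` branch makes `destroy` report success whenever `exists` returns undef. `exists` does that for any principal that fails `valid_principal` (`return unless $self->valid_principal($principal);` in the hunk above). If `ldap_get_dn` can also return undef when the lookup itself fails (it is not visible here), the keytab would be reported as destroyed while the AD account and its keys remain usable. Keeping `return;` for undef and making not-found explicit in `exists`, for example `return $self->ldap_get_dn($base, $filter) || 0;`, would preserve the distinction, assuming `ldap_get_dn` dies on a search error as the removed code did. `destroy` begins and ends outside this hunk, so an earlier check may already cover the invalid-principal case.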
@@ -358,27 +463,16 @@ sub destroy {  sub ad_delete {      my ($self, $principal) = @_; -    my $k_type; -    my $k_id; -    my $dn; -    if ($principal =~ m,^(host|service)/(\S+),xms) { -        $k_type = $1; -        $k_id   = $2; -        if ($k_type eq 'host') { -            my $host = $k_id; -            $host =~ s/[.].*//; -            $dn = "cn=${host}," . $Wallet::Config::AD_COMPUTER_DN; -        } elsif ($k_type eq 'service') { -            $dn = "cn=srv-${k_id}," . $Wallet::Config::AD_USER_DN; -        } -    } +    my ($base, $filter) = $self->ldap_base_filter($principal); +    my $dn = $self->ldap_get_dn($base, $filter); -    my $ldap  = $self->ldap_connect(); -    my $msgid = $ldap->delete($dn); +    $self->ldap_connect(); +    my $msgid = $LDAP->delete($dn);      if ($msgid->code) {          my $m;          $m .= "ERROR: Problem deleting $dn\n";          $m .= $msgid->error; +        $self->ad_syslog('err', $m);          die $m;      }      return 1; @@ -437,18 +531,6 @@ using a local keytab cache.  To use this class, several configuration parameters must be set.  See  L<Wallet::Config/"KEYTAB OBJECT CONFIGURATION"> for details. -=head1 FILES - -=over 4 - -=item KEYTAB_TMP/keytab.<pid> - -The keytab is created in this file and then read into memory.  KEYTAB_TMP -is set in the wallet configuration, and <pid> is the process ID of the -current process.  The file is unlinked after being read. - -=back -  =head1 LIMITATIONS  Currently, this implementation calls an external B<msktutil> program rather @@ -461,7 +543,7 @@ msktutil, Wallet::Config(3), Wallet::Kadmin(3),  Wallet::Object::Keytab(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHORS diff --git a/perl/lib/Wallet/Kadmin/Heimdal.pm b/perl/lib/Wallet/Kadmin/Heimdal.pm index 22bdd59..57013de 100644 
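Review bot: In `ad_delete`, `$dn` goes straight into `$LDAP->delete($dn)` with no check, although `ldap_get_dn` can return a false value when nothing matches (the code earlier in this diff tests `if (!$this_dn)`). `ad_create_update` calls `ad_delete` on its failure path when `!$self->exists($principal)`, which is the case where no DN will be found. The delete would then presumably fail, and the `die` here would pre-empt the "problem creating keytab" message and the two `ad_syslog` calls that follow it in the caller. Adding `return 1 if !$dn;` directly after the lookup makes cleanup of a missing entry a no-op and keeps the original error visible. The `$LDAP` handle is declared outside this hunk, and the closing lines of `ad_delete` also fall outside it.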
--- a/perl/lib/Wallet/Kadmin/Heimdal.pm +++ b/perl/lib/Wallet/Kadmin/Heimdal.pm @@ -2,10 +2,10 @@  #  # Written by Jon Robertson <jonrober@stanford.edu>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2009, 2010, 2014 +# Copyright 2009-2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -22,7 +22,7 @@ use Wallet::Config;  use Wallet::Kadmin;  our @ISA     = qw(Wallet::Kadmin); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Utility functions @@ -302,7 +302,7 @@ kadmin(8), Wallet::Config(3), Wallet::Kadmin(3),  Wallet::Object::Keytab(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHORS diff --git a/perl/lib/Wallet/Kadmin/MIT.pm b/perl/lib/Wallet/Kadmin/MIT.pm index 9f0f50f..373d4cf 100644 --- a/perl/lib/Wallet/Kadmin/MIT.pm +++ b/perl/lib/Wallet/Kadmin/MIT.pm @@ -3,10 +3,10 @@  # Written by Russ Allbery <eagle@eyrie.org>  # Pulled into a module by Jon Robertson <jonrober@stanford.edu>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2009, 2010, 2014 +# Copyright 2007-2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations 
@@ -23,7 +23,7 @@ use Wallet::Config;  use Wallet::Kadmin;  our @ISA     = qw(Wallet::Kadmin); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # kadmin Interaction @@ -312,7 +312,7 @@ kadmin(8), Wallet::Config(3), Wallet::Kadmin(3),  Wallet::Object::Keytab(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHORS diff --git a/perl/lib/Wallet/Object/Base.pm b/perl/lib/Wallet/Object/Base.pm index 221031f..bf535e9 100644 --- a/perl/lib/Wallet/Object/Base.pm +++ b/perl/lib/Wallet/Object/Base.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2010, 2011, 2014 +# Copyright 2007-2008, 2010-2011, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -22,7 +22,7 @@ use Date::Parse qw(str2time);  use Text::Wrap qw(wrap);  use Wallet::ACL; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Constructors @@ -1048,7 +1048,7 @@ the change in the setting.  wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Object/Duo.pm b/perl/lib/Wallet/Object/Duo.pm index 1aca979..1ec527e 100644 --- a/perl/lib/Wallet/Object/Duo.pm +++ b/perl/lib/Wallet/Object/Duo.pm 
@@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2014, 2015 +# Copyright 2014-2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -23,7 +23,7 @@ use Wallet::Config;  use Wallet::Object::Base;  our @ISA     = qw(Wallet::Object::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  # Mappings from our types into what Duo calls the integration types.  our %DUO_TYPES = ( @@ -449,7 +449,7 @@ Only one Duo account is supported for a given wallet implementation.  Net::Duo(3), Wallet::Config(3), Wallet::Object::Base(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Object/File.pm b/perl/lib/Wallet/Object/File.pm index 9452ff4..bef8981 100644 --- a/perl/lib/Wallet/Object/File.pm +++ b/perl/lib/Wallet/Object/File.pm @@ -5,7 +5,7 @@  # Copyright 2008, 2010, 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -23,7 +23,7 @@ use Wallet::Config;  use Wallet::Object::Base;  our @ISA     = qw(Wallet::Object::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # File naming 
@@ -284,7 +284,7 @@ impose a length limitation on the file object name.  remctld(8), Wallet::Config(3), Wallet::Object::Base(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Object/Keytab.pm b/perl/lib/Wallet/Object/Keytab.pm index f276b3f..498e657 100644 --- a/perl/lib/Wallet/Object/Keytab.pm +++ b/perl/lib/Wallet/Object/Keytab.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2009, 2010, 2013, 2014 +# Copyright 2007-2010, 2013-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -22,7 +22,7 @@ use Wallet::Kadmin;  use Wallet::Object::Base;  our @ISA     = qw(Wallet::Object::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Shared methods @@ -522,7 +522,7 @@ wallet database do not have realm information.  kadmin(8), Wallet::Config(3), Wallet::Object::Base(3), wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Object/Password.pm b/perl/lib/Wallet/Object/Password.pm index 1db53f3..336aa9d 100644 --- a/perl/lib/Wallet/Object/Password.pm +++ b/perl/lib/Wallet/Object/Password.pm 
@@ -5,7 +5,7 @@  # Copyright 2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -23,7 +23,7 @@ use Wallet::Config;  use Wallet::Object::File;  our @ISA     = qw(Wallet::Object::File); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # File naming @@ -215,7 +215,7 @@ remctld(8), Wallet::Config(3), Wallet::Object::File(3),  wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Object/WAKeyring.pm b/perl/lib/Wallet/Object/WAKeyring.pm index 3c99785..a64b376 100644 --- a/perl/lib/Wallet/Object/WAKeyring.pm +++ b/perl/lib/Wallet/Object/WAKeyring.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2012, 2013, 2014 +# Copyright 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -24,7 +24,7 @@ use Wallet::Object::Base;  use WebAuth 3.06 qw(WA_KEY_AES WA_AES_128);  our @ISA     = qw(Wallet::Object::Base); -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # File naming 
@@ -358,7 +358,7 @@ underscores, and dashes replaced by "%" and the hex code of the character.  Wallet::Config(3), Wallet::Object::Base(3), wallet-backend(8), WebAuth(3)  This module is part of the wallet system. The current version is available -from <http://www.eyrie.org/~eagle/software/wallet/>. +from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Policy/Stanford.pm b/perl/lib/Wallet/Policy/Stanford.pm index efb9d28..2c761bb 100644 --- a/perl/lib/Wallet/Policy/Stanford.pm +++ b/perl/lib/Wallet/Policy/Stanford.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2013, 2014, 2015 +# Copyright 2013-2015  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -26,7 +26,7 @@ our (@EXPORT_OK, $VERSION);  # against circular module loading (not that we load any modules, but  # consistency is good).  BEGIN { -    $VERSION   = '1.03'; +    $VERSION   = '1.04';      @EXPORT_OK = qw(default_owner verify_name is_for_host);  } @@ -538,11 +538,11 @@ configuration file from this module or wrapped to apply additional rules.  Wallet::Config(3) -The L<Stanford policy|http://www.eyrie.org/~eagle/software/wallet/naming.html> +The L<Stanford policy|https://www.eyrie.org/~eagle/software/wallet/naming.html>  implemented by this module.  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Report.pm b/perl/lib/Wallet/Report.pm index 3d59bf8..151a285 100644 --- a/perl/lib/Wallet/Report.pm +++ b/perl/lib/Wallet/Report.pm 
@@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2008, 2009, 2010, 2013, 2014 +# Copyright 2008-2010, 2013-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -20,7 +20,7 @@ use warnings;  use Wallet::ACL;  use Wallet::Schema; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Constructor, destructor, and accessors @@ -869,7 +869,7 @@ the error message if there was an error and undef if there was no error.  Wallet::Config(3), Wallet::Server(3)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Schema.pm b/perl/lib/Wallet/Schema.pm index 6b3de39..f75fda8 100644 --- a/perl/lib/Wallet/Schema.pm +++ b/perl/lib/Wallet/Schema.pm @@ -2,10 +2,10 @@  #  # Written by Jon Robertson <jonrober@stanford.edu>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2012, 2013, 2014 +# Copyright 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema; @@ -351,7 +351,7 @@ configuration.  wallet-backend(8), Wallet::Config(3)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR diff --git a/perl/lib/Wallet/Schema/Result/Acl.pm b/perl/lib/Wallet/Schema/Result/Acl.pm index 59a628a..9a73b18 100644 --- a/perl/lib/Wallet/Schema/Result/Acl.pm 
+++ b/perl/lib/Wallet/Schema/Result/Acl.pm @@ -1,10 +1,10 @@  # Wallet schema for an ACL.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::Acl; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  ACL diff --git a/perl/lib/Wallet/Schema/Result/AclEntry.pm b/perl/lib/Wallet/Schema/Result/AclEntry.pm index ea531bd..1737084 100644 --- a/perl/lib/Wallet/Schema/Result/AclEntry.pm +++ b/perl/lib/Wallet/Schema/Result/AclEntry.pm @@ -1,10 +1,10 @@  # Wallet schema for an entry in an ACL.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::AclEntry; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  ACL diff --git a/perl/lib/Wallet/Schema/Result/AclHistory.pm b/perl/lib/Wallet/Schema/Result/AclHistory.pm index dc6bed7..48aed49 100644 --- a/perl/lib/Wallet/Schema/Result/AclHistory.pm +++ b/perl/lib/Wallet/Schema/Result/AclHistory.pm @@ -1,10 +1,10 @@  # Wallet schema for ACL history.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013, 2014 +# Copyright 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::AclHistory; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  __PACKAGE__->load_components("InflateColumn::DateTime"); 
diff --git a/perl/lib/Wallet/Schema/Result/AclScheme.pm b/perl/lib/Wallet/Schema/Result/AclScheme.pm index 004e5d2..abdd541 100644 --- a/perl/lib/Wallet/Schema/Result/AclScheme.pm +++ b/perl/lib/Wallet/Schema/Result/AclScheme.pm @@ -1,10 +1,10 @@  # Wallet schema for ACL scheme.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::AclScheme; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  __PACKAGE__->load_components (qw//); diff --git a/perl/lib/Wallet/Schema/Result/Duo.pm b/perl/lib/Wallet/Schema/Result/Duo.pm index b5328bb..def9dce 100644 --- a/perl/lib/Wallet/Schema/Result/Duo.pm +++ b/perl/lib/Wallet/Schema/Result/Duo.pm @@ -4,7 +4,7 @@  # Copyright 2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::Duo; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  keytab enctype diff --git a/perl/lib/Wallet/Schema/Result/Enctype.pm b/perl/lib/Wallet/Schema/Result/Enctype.pm index f1f42a9..24fa897 100644 --- a/perl/lib/Wallet/Schema/Result/Enctype.pm +++ b/perl/lib/Wallet/Schema/Result/Enctype.pm @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  Kerberos diff --git a/perl/lib/Wallet/Schema/Result/Flag.pm b/perl/lib/Wallet/Schema/Result/Flag.pm index 84e3ee3..4ed8dcb 100644 --- a/perl/lib/Wallet/Schema/Result/Flag.pm +++ b/perl/lib/Wallet/Schema/Result/Flag.pm 
@@ -1,10 +1,10 @@  # Wallet schema for object flags.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::Flag; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =head1 NAME diff --git a/perl/lib/Wallet/Schema/Result/KeytabEnctype.pm b/perl/lib/Wallet/Schema/Result/KeytabEnctype.pm index 2a16af8..abb465e 100644 --- a/perl/lib/Wallet/Schema/Result/KeytabEnctype.pm +++ b/perl/lib/Wallet/Schema/Result/KeytabEnctype.pm @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  keytab enctype diff --git a/perl/lib/Wallet/Schema/Result/KeytabSync.pm b/perl/lib/Wallet/Schema/Result/KeytabSync.pm index bd57310..1939e74 100644 --- a/perl/lib/Wallet/Schema/Result/KeytabSync.pm +++ b/perl/lib/Wallet/Schema/Result/KeytabSync.pm @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  keytab diff --git a/perl/lib/Wallet/Schema/Result/Object.pm b/perl/lib/Wallet/Schema/Result/Object.pm index fdec3b8..b4bc46f 100644 --- a/perl/lib/Wallet/Schema/Result/Object.pm +++ b/perl/lib/Wallet/Schema/Result/Object.pm @@ -1,10 +1,10 @@  # Wallet schema for an object.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::Object; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  __PACKAGE__->load_components("InflateColumn::DateTime"); 
diff --git a/perl/lib/Wallet/Schema/Result/ObjectHistory.pm b/perl/lib/Wallet/Schema/Result/ObjectHistory.pm index 2fe687e..c6c6225 100644 --- a/perl/lib/Wallet/Schema/Result/ObjectHistory.pm +++ b/perl/lib/Wallet/Schema/Result/ObjectHistory.pm @@ -1,10 +1,10 @@  # Wallet schema for object history.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013, 2014 +# Copyright 2012-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::ObjectHistory; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  __PACKAGE__->load_components("InflateColumn::DateTime"); diff --git a/perl/lib/Wallet/Schema/Result/SyncTarget.pm b/perl/lib/Wallet/Schema/Result/SyncTarget.pm index ab8ea47..ff6e3f3 100644 --- a/perl/lib/Wallet/Schema/Result/SyncTarget.pm +++ b/perl/lib/Wallet/Schema/Result/SyncTarget.pm @@ -1,10 +1,10 @@  # Wallet schema for synchronization targets.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::SyncTarget; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =head1 NAME diff --git a/perl/lib/Wallet/Schema/Result/Type.pm b/perl/lib/Wallet/Schema/Result/Type.pm index abc7017..a9238e6 100644 --- a/perl/lib/Wallet/Schema/Result/Type.pm +++ b/perl/lib/Wallet/Schema/Result/Type.pm 
@@ -1,10 +1,10 @@  # Wallet schema for object types.  #  # Written by Jon Robertson <jonrober@stanford.edu> -# Copyright 2012, 2013 +# Copyright 2012-2013  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  package Wallet::Schema::Result::Type; @@ -13,7 +13,7 @@ use warnings;  use base 'DBIx::Class::Core'; -our $VERSION = '1.03'; +our $VERSION = '1.04';  =for stopwords  APIs diff --git a/perl/lib/Wallet/Server.pm b/perl/lib/Wallet/Server.pm index 552ba9d..af0d8a8 100644 --- a/perl/lib/Wallet/Server.pm +++ b/perl/lib/Wallet/Server.pm @@ -2,10 +2,10 @@  #  # Written by Russ Allbery <eagle@eyrie.org>  # Copyright 2016 Russ Allbery <eagle@eyrie.org> -# Copyright 2007, 2008, 2010, 2011, 2013, 2014 +# Copyright 2007-2008, 2010-2014  #     The Board of Trustees of the Leland Stanford Junior University  # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT  ##############################################################################  # Modules and declarations @@ -21,7 +21,7 @@ use Wallet::ACL;  use Wallet::Config;  use Wallet::Schema; -our $VERSION = '1.03'; +our $VERSION = '1.04';  ##############################################################################  # Utility methods @@ -1183,7 +1183,7 @@ failure.  wallet-backend(8)  This module is part of the wallet system.  The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. +available from L<https://www.eyrie.org/~eagle/software/wallet/>.  =head1 AUTHOR  | 
