Age | Commit message | Author
2014-07-11 | Fix verifier-ldap-attr test from email address change | Russ Allbery
This has to use rra@stanford.edu to work at all (and badly needs some sort of mock LDAP environment rather than what it's doing now). Change-Id: I0961c7f97633eb7e29e391804a6803195564d74b Reviewed-on: https://gerrit.stanford.edu/1521 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Adjust Heimdal keytab object tests to not compare keytabs | Russ Allbery
For some reason, two keytabs are comparing inequal even after masking the timestamp but both keytabs work for authentication. Stop doing a data comparison and instead attempt authentications with both keytabs as a more reliable test. Change-Id: I4bd0712d492b78f09e95ffbed3461d97613d9d0a Reviewed-on: https://gerrit.stanford.edu/1520 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Adjust Wallet::Admin test for new schema version | Russ Allbery
We now have a 0.09 schema, so test upgrading from 0.07 to 0.09 in two steps. Change-Id: I0e7af4371ba78aa69a9b7be59239f10c86e1fade Reviewed-on: https://gerrit.stanford.edu/1519 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Adjust ACL test for new SQLite autoincrement behavior | Russ Allbery
Similar to server, the ID of the last ACL created may vary depending on whether SQLite reuses the last autoincrement key when the highest-numbered record is deleted. Accept either possibility. Change-Id: I2dd3b3cbbdf32931820ff799ca06f751c37a4cbd Reviewed-on: https://gerrit.stanford.edu/1518 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Adjust server test for new SQLite autoincrement behavior | Russ Allbery
SQLite now, when the highest-numbered record with an autoincrement key is deleted, will reuse that number instead of incrementing further. Adjust the test suite so that this ambiguity is never encountered, since it's not part of what we're testing. Change-Id: I08c0c1c3fae82556d0f016b95db2992bdded1775 Reviewed-on: https://gerrit.stanford.edu/1517 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Add new object type for Duo integrations | Russ Allbery
A new object type, duo (Wallet::Object::Duo), is now supported. This creates an integration with the Duo Security cloud multifactor authentication service and allows retrieval of the integration key, secret key, and admin hostname. Currently, only UNIX integration types are supported. The Net::Duo Perl module is required to use this object type. New configuration settings are required as well; see Wallet::Config for more information. To enable this object type for an existing wallet database, use wallet-admin to register the new object. Change-Id: I2c0dac75e81f526b34d6b509c4bdaecb43dd4a9d Reviewed-on: https://gerrit.stanford.edu/1516 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-07-11 | Ignore new Perl MYMETA.json file | Russ Allbery
Change-Id: I64dcd9fc393edba60f3a8d17ff2b59f8d51e131f Reviewed-on: https://gerrit.stanford.edu/1515 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-05-27 | Added /cron principals to Stanford policy and summary | Jon Robertson
cron principals were being rejected due to not being a part of the Stanford Policy module. Change-Id: Ic67a8e2bce8474431163b74d97c2bf1fb184a4b7 Reviewed-on: https://gerrit.stanford.edu/1488 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-04-13 | Change my email address to eagle@eyrie.org | Russ Allbery
Change-Id: I4c2b5d7c807d6c27dd18a3b92eef66d21287d21e Reviewed-on: https://gerrit.stanford.edu/1481 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-08 | Randomize the password on Heimdal principal creation | Russ Allbery
When creating new principals in a Heimdal KDC, generate a long, random password as the temporary password of the disabled principal before randomizing keys. This is necessary if password quality is being enforced on create calls. Since the principal is always inactive until the keys have been randomized, the password should not need to be secure (and indeed is not cryptographically random). Change-Id: If519a82475bb0d387a19d16ef1e024b0da64779a Reviewed-on: https://gerrit.stanford.edu/1374 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-06 | Fix test skip count in the verifier-ldap-attr test | Russ Allbery
When the correct Kerberos tickets aren't available, this test skipped the wrong number of tests. Change-Id: Icf27178fe88027f38764285bb671560e051f9105 Reviewed-on: https://gerrit.stanford.edu/1373 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-06 | Add additional stopwords for POD spelling tests | Russ Allbery
Change-Id: I7eefcb5eab2e35e8d45baa6e868f1f00867c6b62 Reviewed-on: https://gerrit.stanford.edu/1372 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-06 | Update Test::RRA modules from the current rra-c-util | Russ Allbery
Further documentation of the changes will come later when the rest of rra-c-util files have been updated and the package makes more use of these modules, but this fixes a spelling error test failure. Change-Id: Ia885c4ab103235a1f6a2bf2b86d5a32c93751d89 Reviewed-on: https://gerrit.stanford.edu/1371 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-06 | Add AM_PROG_AR to configure.ac for newer Automake | Russ Allbery
Change-Id: I422a014c3a2611324c2cdebd364d81f2e91aadd7 Reviewed-on: https://gerrit.stanford.edu/1370 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2014-01-06 | Fix wallet-rekey on keytabs containing multiple principals | Russ Allbery
Fix wallet-rekey on keytabs containing multiple principals. Previous versions assumed one could concatenate keytab files together to make a valid keytab file, which doesn't work with some Kerberos libraries. This caused new keys downloaded for principals after the first to be discarded. As a side effect of this fix, wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file. Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359 Reviewed-on: https://gerrit.stanford.edu/1369 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-11-01 | Flesh out TODO with lots more work | Russ Allbery
Change-Id: I8f63cfd9692039f37ecfd46ab6072aa2f71c344d Reviewed-on: https://gerrit.stanford.edu/1328 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-10-29 | ACL.pm: Fix a place where the acl history was getting raw timestamp | Jon Robertson
The acl_history table needed to get the DateTime object rather than the raw epoch timestamp in one place. This was causing errors adding new lines to the history. Change-Id: I9c971819484cd0b26cb2561549246c284afc55a1 Reviewed-on: https://gerrit.stanford.edu/1325 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-10-29 | Changed postgres schema file to remove reference | Jon Robertson
The reference from object_history to the objects table needed to be removed. We still want the relationship in the DBIx::Class files, but we don't want the relationship enforced as we want to keep history entries for deleted objects. Change-Id: Id927404b996fe171a8f5fc0747ccb0abddcbe1f2 Reviewed-on: https://gerrit.stanford.edu/1324 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-09-14 | Clarify use of the tivoli-key file type in Stanford policy | Russ Allbery
tivoli-key used to always contain the entirety of the TSM.PWD file, but it's more useful to store only the encryption key in password form. Change-Id: Id770691fb756b7675ec0fe2eee1308a8974c9c3f Reviewed-on: https://gerrit.stanford.edu/1309 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-05-28 | Add use Wallet::Config to Wallet::ACL::LDAP::Attribute | Russ Allbery
Normally this will already be loaded, but since we use it directly, make sure it is loaded. Change-Id: Ibc4ca874b659f316268957cbf77ead9d49bc3ca0 Reviewed-on: https://gerrit.stanford.edu/1205 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-05-28 | Fix documentation of ldap_map_principal hook | Russ Allbery
Fix the Wallet::Config documentation for the ldap-attr verifier to reference an ldap_map_principal hook, not ldap_map_attribute, matching the implementation. Change-Id: I258edcf69d4dcb3d2ec8dc66db4b768d91645fc4 Reviewed-on: https://gerrit.stanford.edu/1204 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-16 | Fix several bugs in Wallet::Object::Keytab enctype handling | Russ Allbery
There was a missing resultset() call in one place and the wrong resultset used in a different place, causing the enctype management code to not work. Change-Id: I796169c5968ec164f90f3cd75541dd346dd50fdf Reviewed-on: https://gerrit.stanford.edu/1070 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-16 | Improve the keytab enctype test suite | Russ Allbery
Fix recognition of the syntax error from Heimdal's klist -ke, which doesn't exit with status 1. Assume that if we didn't see any known enctypes, we're dealing with Heimdal. Remove the code to populate the enctype table, since we do that in Wallet::Admin now. Show the error if adding an enctype fails. Change-Id: I40da967ef6868e5cd51a1238e1c6324386468134 Reviewed-on: https://gerrit.stanford.edu/1069 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-16 | Populate the enctype table by default on new install | Russ Allbery
We actually know the enctypes that are in most common use, so rather than making the user poke them into the database manually, save them a step and put them in. We still need some mechanism to remove the DES enctype and add new ones, though. Change-Id: I2eda7e29897ec16a04a10f0c7289878c853b7531 Reviewed-on: https://gerrit.stanford.edu/1068 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-15 | Allow afs/* principals in the Stanford naming policy | Russ Allbery
Change-Id: I59db1e8638a602d9c118ac01da17280c9ed7d005 Reviewed-on: https://gerrit.stanford.edu/1067 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-12 | Further clarify the ssl-key Stanford naming policy | Russ Allbery
Adam requested some clarification on whether the name of the object should be fully-qualified or not (since we didn't in the legacy naming scheme). Change-Id: I52fcab71e54aee38f0c03eff774f927c5836ad03 Reviewed-on: https://gerrit.stanford.edu/1054 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-08 | Update stanford.conf example to use Wallet::Policy::Stanford | Russ Allbery
Eliminate all the verification code that moved into the policy object. Update coding style and remove some settings that were no longer used at Stanford. Change-Id: I3a098bc318abe4bc9dd82e86186da012e5c2cd27 Reviewed-on: https://gerrit.stanford.edu/1025 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-08 | Update stanford.conf to latest production version | Russ Allbery
Update the example wallet.conf from Stanford's configuration to our latest production version. Change-Id: Ic652b7a2fadb53a688a0c0c16b5ea7e429cff79e Reviewed-on: https://gerrit.stanford.edu/1024 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-04-08 | Update the wallet ACL for its-apps in Stanford policy | Russ Allbery
Change-Id: Ie4c0af7b218fcd00fc6f39514967c9e38e12b1be Reviewed-on: https://gerrit.stanford.edu/1023 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-29 | Make t/admin.t test robust against missing sqlite3 binary | Russ Allbery
If we can't find the sqlite3 binary, just skip the upgrade test. Change-Id: I20e9ad1978a189cf059756e15794ea4d954f3867 Reviewed-on: https://gerrit.stanford.edu/994 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-29 | admin.t: Fixed problem with not upgrading from unversioned db | Jon Robertson
Since we were reinstalling a fresh database via the same DBIx::Class functions, the database we installed to upgrade from a non-versioned setup was still getting a version table. Switched to delete the database and reload it fresh from the sqlite3 command itself. Change-Id: Ia09bbc279ab834b5d17453b4282e18dd3a36f857 Reviewed-on: https://gerrit.stanford.edu/993 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Update the comment in README about supported ACL types | Russ Allbery
Change-Id: I171722d03bebc812bb113d1366457d75a94e468a Reviewed-on: https://gerrit.stanford.edu/991 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Fix return status of Wallet::Schema [release/1.0] | Russ Allbery
The module wasn't always returning a true value when loaded. Change-Id: I998ab25509cb9079034cae6aca467024ec6b4949 Reviewed-on: https://gerrit.stanford.edu/990 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Accept any characters in the argument to the comment command | Russ Allbery
It's nice to have spaces and other special characters in comments, so allow any character rather than applying the normal argument filtering. Change-Id: Iec8584f1f6893906db7245fbe571d62ebc60f72a Reviewed-on: https://gerrit.stanford.edu/989 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add NEWS entry and doc reference to Wallet::Policy::Stanford | Russ Allbery
Change-Id: If833e4a6434362e04e738274a6f7fb276a9efe51 Reviewed-on: https://gerrit.stanford.edu/988 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Skip the wa-keyring tests if WebAuth is too old | Russ Allbery
If the WebAuth module is too old, don't just fail the tests. Skip them instead. This will let the Debian package build in unstable. Change-Id: I84c97f23ff7fbf89f2fd797898ebb4ab5e58eee6 Reviewed-on: https://gerrit.stanford.edu/987 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Register the wa-keyring object handler by default | Russ Allbery
In Wallet::Admin, add the wa-keyring object handler to the list of initializations when creating a new database. Change-Id: I804b47ae712ce3d96c57699fb2ba05c45f687881 Reviewed-on: https://gerrit.stanford.edu/986 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Document the new WebAuth keyring object type | Russ Allbery
Add a mention to NEWS and to the REQUIREMENTS section of README. Change-Id: I560f737e9cb899046f7fe3c8d2c8c648d31041e7 Reviewed-on: https://gerrit.stanford.edu/985 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add more missing files from the distribution | Russ Allbery
Change-Id: I17a6661d8088de66dbdab04c0a3dc6e10a7913ca Reviewed-on: https://gerrit.stanford.edu/984 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Fix test skip counts for some of the Perl tests | Russ Allbery
Change-Id: Ic0f33bf01936a093a645bedd5adfa771fd4e3574 Reviewed-on: https://gerrit.stanford.edu/983 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add Perl SQL files to the distribution | Russ Allbery
Change-Id: Ia131200709531645b47d3bbab065d688e94f211f Reviewed-on: https://gerrit.stanford.edu/982 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add tests/data/perl.conf to the distribution | Russ Allbery
Used by the new POD tests (and eventually by other things). Change-Id: I9704bc287f8d61fb87af99d53d836900f589c557 Reviewed-on: https://gerrit.stanford.edu/981 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add Wallet::Schema::Result::* classes to the distribution | Russ Allbery
Also fix some of the Makefile.am formatting of escaped multi-line commands. Change-Id: I024b5a8836cb8c8e3c4154e87c83be8d05a0e5f0 Reviewed-on: https://gerrit.stanford.edu/980 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add the Test::RRA::* modules to the distribution | Russ Allbery
Change-Id: I316a35a9ca7c1305650f7bd4d90b31caf9e054f9 Reviewed-on: https://gerrit.stanford.edu/979 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add tests/tap/macros.h to the libtap sources | Russ Allbery
Change-Id: Iaaacf0df45f9ac5f2158d7c9bb695a856bcffd81 Reviewed-on: https://gerrit.stanford.edu/978 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Remove obsolete files from the distribution | Russ Allbery
Remove tests/data/README (now moved to tests/config) and perl/t/schema.t (rolled into admin.t). Add tests/config/README. Change-Id: I632c5c97064299ac5a63c53b78c5abbd1dd364d6 Reviewed-on: https://gerrit.stanford.edu/977 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Release 1.0 | Russ Allbery
Change-Id: Idf9876ef781340ec45e113fd555a0f2c5f05a3a9 Reviewed-on: https://gerrit.stanford.edu/976 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add NEWS entry for the DBIx::Class transition | Russ Allbery
Change-Id: Ie8ee7f8b2f430ca9b5f38d2e060659f48dacc35f Reviewed-on: https://gerrit.stanford.edu/975 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Add new requirements for the server backend | Russ Allbery
Now that we're using DBIx::Class, we need several new modules. Take a first cut at documenting them in README. Change-Id: I98e796091258633daaad4049d14bf3c5ea1e55fa Reviewed-on: https://gerrit.stanford.edu/974 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
2013-03-27 | Allow owners of objects to destroy them by default | Russ Allbery
Owners of wallet objects are now allowed to destroy them. In previous versions, a special destroy ACL had to be set and the owner ACL wasn't used for destroy actions, but operational experience at Stanford has shown that letting owners destroy their own objects is a better model. Change-Id: I0e97d7a000e62cf5321add7b44140db6edc6769f Reviewed-on: https://gerrit.stanford.edu/973 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>