Age | Commit message | Author |
|
Also create the Wallet/ACL/Krb5 directory when copying the Perl
files for srcdir != builddir builds.
|
Add -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement
-Wshadow to the set of gcc warnings. Stop passing -DDEBUG=1 since I no
longer use that define anywhere. Change -W to -Wextra since I'm
requiring a fairly new GCC anyway.
|
Update to C TAP Harness 1.5:
* Better reporting of fatal errors in the test suite.
* Summarize results at the end of test execution.
* Add tests/HOWTO from docs/writing-tests in C TAP Harness.
Update to rra-c-util 2.6:
* Fix portability to bundled Heimdal on OpenBSD.
* Improve checking for krb5_kt_free_entry with older MIT Kerberos.
* Fix portability for missing krb5_get_init_creds_opt_free.
* Fix header guard for util/xwrite.h.
* Restore default compiler configuration after GSS-API library probe.
|
Add the report of purge-eligible keytabs and the command to do the
purge. The command-line parsing still needs work.
|
This script now uses Wallet::Report, not Wallet::Admin.
|
Test partial rekeying, aborting due to failure to rekey, and skipping
a keytab because all principals were foreign.
|
Rekey the keytab in the same principal order as what's stored in the
keytab rather than reversing it, since that makes it easier to test.
Suppress the error message about no data from the server if the server
sent an error. Fix some coding style and spelling errors.
|
In wallet-rekey, if the keytab we're supposed to rekey has no rekeyable
principals, die rather than sysdie since there's no errno error to
report.
|
If we get a failure to rekey a principal before we've succeeded with
any principal, abort rather than continuing.
|
The loop handling finding principals to rekey was not correctly
coping with principals from foreign realms.
|
This confirms basic functionality, but doesn't test more interesting
things like rekeying multiple keys in the same keytab or skipping
principals that aren't from the local realm.
|
fake-keytab-old had a higher kvno than fake-keytab, which is going to
confuse matters for future tests. Rework them so that kvnos increase.
|
The check for whether we got the right keytab data was not being done
on Heimdal since it only knew how to run klist. Add a new ktutil_list
function to kerberos.sh that runs klist or ktutil list as appropriate.
|
Build a separate wallet-rekey client that rekeys every keytab given
on the command-line. Fix some coding style issues and add internal
prototypes. Build the shared source for both clients into an
uninstalled library to save compilation time.
|
Cleaned up several bugs preventing the rekey command from working (bad
calls to variables, matching on version of principal name already stripped
of realm), and removed debugging code.
|
First, testing version of wallet rekey code, committed in order to get
feedback from Russ. This code will eventually take an existing keytab
file, and for every principal belonging to our default realm in it, get
new versions of that keytab and merge them into the file. This allows
for quietly rekeying principals automatically.
|
Add a help command to wallet-report, which returns a summary of all
available commands.
|
Add the krb5-regex ACL type and corresponding Wallet::ACL::Krb5::Regex
module. This ACL is identical to krb5 except that it takes a regular
expression matching principals instead of a string that must match
exactly.
|
The check for the enctypes of created keytabs tries klist for MIT
first and then Heimdal ktutil. The klist options are invalid for
Heimdal. Suppress the resulting complaining to standard error.
|
Add an acls duplicate report to wallet-report and Wallet::Report,
returning sets of ACLs that have exactly the same entries.
|
Add an objects unused report to wallet-report and Wallet::Report,
returning all objects that have never been downloaded (in other words,
have never been the target of a get command).
|
The previous wording implied that <group>-<server>-tivoli-key was only
used for encryption keys. Allow for either passwords or encryption keys,
and remove the note that it should be base64-encoded since wallet now
supports binary files.
|
We got lucky since client/internal.h includes this anyway, but include
the portability layer properly.
|
Parallel to objects name, add an acls name audit that returns all ACLs
that do not follow the site naming standard.
|
Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.
|
Add the acls unused report to wallet-report and Wallet::Report,
returning all ACLs not referenced by any database objects.
|