| Age | Commit message (Collapse) | Author |
|---|
|
Used currently by MDM to store both the certificate and the key in
the same file for convenience.
Change-Id: I38901ac93fe3022c2e00f735a0f995500841d709
Reviewed-on: https://gerrit.stanford.edu/784
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
In Wallet::Policy::Stanford, add support for setting a default owner
of file objects whose names are based on a group that has an ACL
mapping.
Change-Id: I4f63815621d81e26ba4779d10f249cb31eef2b5e
Reviewed-on: https://gerrit.stanford.edu/759
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Add all the new group names for the Stanford naming policy and
associate them with default ACLs (not yet used). Distinguish
them from the legacy group names, and use the appropriate ones
for naming policy enforcement.
Change-Id: I4b87ff48d34d82195245798f41afefff26efa95d
Reviewed-on: https://gerrit.stanford.edu/758
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Add support for a default owner for host-based file objects to
Wallet::Policy::Stanford.
Change-Id: I1a9bf07def1356788fbd0acf9910a2e86c9e8f08
Reviewed-on: https://gerrit.stanford.edu/757
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Refactor the Wallet::Policy::Stanford module to pull some of the
constants out, and then add data and support in the naming policy
for the new file object naming scheme.
Change-Id: Iba0c24c119ce529a1d3fd8cd3332335c4433df09
Reviewed-on: https://gerrit.stanford.edu/756
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
To make it easier to revise and test revisions to the Stanford
wallet naming policy, convert the code to a module and include it
in the distribution. Add a test suite for the current policy.
Change-Id: I73b888fa8d18401a239144c2e9f810ad4692c44b
Reviewed-on: https://gerrit.stanford.edu/755
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
If there are multiple SSL private keys for the same host-based CN,
an application name can be added as an additional component of the
name.
Change-Id: I06e25359b291a77a7dbca1a7f3db84afb2b16ddd
Reviewed-on: https://gerrit.stanford.edu/754
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
In moving from DBI to DBIx::Class, we at first left the various
variables the same. This goes through to update them for the proper
names.
* Wallet::Admin::schema was created to return the schema object (and
similarly for Wallet::Server and Wallet::Report).
* Wallet::Admin::dbh was modified to return the actual DBI handle again
(and similarly for Wallet::Server and Wallet::Report).
* Various places that used $admin->{dbh} were moved to $admin->{schema}.
* Various places using $dbh for the schema object were changed to
$schema.
Change-Id: I00914866e9a8250855a7828474aa9ce0f37b914f
Reviewed-on: https://gerrit.stanford.edu/733
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
perl/Wallet/Object/Keytab.pm was using the wrong value for the database
handle in some places (trying to load as a subroutine rather than part
of the object). Also, the keytab.t tests were attempting to run against
the DBIx::Class object rather than a direct dbh handle that they
expected.
Change-Id: Ifbb8b110d559f3ba867fc5b0dc3933fd2d4fd484
Reviewed-on: https://gerrit.stanford.edu/731
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
DBIx::Class::Schema::Versioned uses carp to send a few warnings that are
more just informational messages. Use a local warning handler to skip
the warnings we'll always get for normal upgrades.
Change-Id: I4f987b290ec17b95d737150dd106e7bb0f62a264
Reviewed-on: https://gerrit.stanford.edu/730
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: If4bd4a62517572fed6fe911bc39a0e5c6be36e76
Reviewed-on: https://gerrit.stanford.edu/732
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
wallet-admin is solely a thin wrapper around Wallet::Admin, but it
gained specific code for initialize and update, which caused the
server/admin test to fail.
Move the update code to set a default version into into Wallet::Admin
instead. The initialize code appears to be unnecessary; it was
setting a default for a parameter that was already handled by
Wallet::Config.
Change-Id: I1a7e5dbbfd005e4f60e89e50a91019295e44df99
Reviewed-on: https://gerrit.stanford.edu/729
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
We attempt to create a new SQLite database, which requires the schema
directory be configured. Add that directory to the test wallet
configuration.
Change-Id: Id17fd10056760fe8efd5ef89cea134bca17e1abb
Reviewed-on: https://gerrit.stanford.edu/728
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Moved all the Perl code to use DBIx::Class for the database interface.
This includes updating all database calls, how the schema is generated
and maintained, and the tests in places where some output has changed.
We also remove the schema.t test, as the tests for it are more covered
in the admin.t tests now.
Change-Id: Ie5083432d09a0d9fe364a61c31378b77aa7b3cb7
Reviewed-on: https://gerrit.stanford.edu/598
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Remove the group for host-based file object names. Move the group
to the second component for non-host-based names so that the first
component is always the object type. Add some additional object
types and clarify wording based on feedback from Adam.
Change-Id: I5db7b23d2b004c69afb869df5624d455b751c0d5
Reviewed-on: https://gerrit.stanford.edu/724
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Recommend slash-separated names by default. Remove some obsolete
bits and update a lot of the recommendations and wording.
Change-Id: I44cbf8116e7529b00a61261248ff9daecacdb910
Reviewed-on: https://gerrit.stanford.edu/723
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: Id360aebe8f0a3911a7d628feafef9b3110801124
Reviewed-on: https://gerrit.stanford.edu/715
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Be sure that we don't purge keys if that would leave us with fewer
than three keys. Fix a few other error reporting issues and one
syntax error in a WebAuth call.
Change-Id: I9bb75de56da3542f8c26ca8eab0814afea06c16a
Reviewed-on: https://gerrit.stanford.edu/714
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
We need at least version 3.06 to have the encode and decode
WebAuth::Keyring functions.
Change-Id: Ia4e3ed74cc038c06e3ba6ab13b37ea3cdb06c032
Reviewed-on: https://gerrit.stanford.edu/713
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
A copy/paste error from the file object configuration.
Change-Id: Ie3ee48ed7adcf3fa50a510f085e664c5b0c91300
Reviewed-on: https://gerrit.stanford.edu/712
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I12e430acd089de5ac50f62ebbdeb869be31eeeec
Reviewed-on: https://gerrit.stanford.edu/711
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Add a new acl check command which, given an ACL ID, prints yes if that
ACL already exists and no otherwise. This is parallel to the check
command for objects.
Also fix some documentation errors in the wallet client documentation,
saying that the check command doesn't require any ACL and fixing one
place where "show" was used instead of "store".
|
|
|
|
|
|
|
|
|
|
|
|
Fix a formatting error in Wallet::ACL::LDAP::Attribute and add new
stopwords required by the latest aspell.
|
|
|
|
Some database drivers, such as current SQLite, will return undef
for a data column that is set to NULL instead of the empty string.
Skip past those data columns without attempting to examine the
length of the resulting data.
|
|
|
|
Avoid tromping on the user's AFS credentials if using Heimdal
user space.
|
|
|
|
This is very preliminary. There is no test suite yet, no
documentation, and the test suite currently doesn't pass for other
reasons.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
supported. This ACL type grants access if the LDAP entry
corresponding to the principal contains the attribute name and value
specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
required to use this ACL type. New configuration settings are
required as well; see Wallet::Config for more information. To enable
this ACL type for an existing wallet database, use wallet-admin to
register the new verifier.
|
|
|
|
|
|
|
|
Add a missing TODO item for purging host-related objects that was
filed in JIRA.
|
|
|
|
Add a comment field to objects and corresponding commands to
wallet-backend and wallet to set and retrieve it. The comment field
can only be set by the owner or wallet administrators but can be seen
by anyone on the show ACL.
|
|
|
|
|
