| Age | Commit message (Collapse) | Author |
|---|
|
Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file. This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes. (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)
Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Pull the sync code out into separate methods to avoid a really long and
awkward attr method. Document the limited object support for the sync
attribute.
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
Combine a long series of eval blocks into a single block and a single
error check. Remove trailing whitespace, and in some cases remove
trailing () on method calls where the parens aren't useful.
|
|
The MIT kadmin module currently directly runs the MIT kadmin program. Some
data needs to be cleaned during the forks for this. This provides a
callback that can be registered and is called during the fork process,
currently just to mark database handles inactive. It was added to both the
MIT and Heimdal modules, though it's only a stub in the Heimdal module.
Heimdal is not forking kadmin, but the stub is there in order to allow the
caller to not care which module is being used and just always register the
callbacks.
|
|
Improved error handling by adding an error function to the Kadmin sub-modules
which will copy errors down to the Wallet::Object::Keytab error function
rather than relying on too many dies and evals. There still needs to be more
cleanup here, but that will rely on work on Heimdal::Kadm5 as well, to clean
up its own error handling to not spam warnings when called without RaiseError.
Also caught a few more un-evaled error cases where Heimdal::Kadm5 was called,
and fixed an error where RaiseErrors was being set rather than RaiseError due
to an error in Heimdal::Kadm5 docs.
|
|
valid_principal has been removed from Wallet::Kadmin and
Wallet::Kadmin::Heimdal. An accessor for it in Wallet::Object::Keytab
has also been removed, as have the tests in perl/t/keytab.t for the
function. It still remains within Wallet::Kadmin::MIT and is used there,
but only as a private method for flagging what the kadmin command-line
interface cannot handle.
|
|
Strip trailing whitespace, convert tabs to spaces, add newlines to
exceptions, and remove a few stray blank lines and a few other minor
coding style oddities. Make the SQL style consistent.
|
|
valid_principal used to reside in Wallet::Object::Keytab, but was moved to
the individual Wallet::Kadmin::* modules. This isn't necessary currently
and may not ever be, but it's there just in case we do ever need to
differentiate. To simplify testing, a way to still call it directly from
Wallet::Object::Keytab has been added.
|
|
Added support for Heimdal as an alternative to MIT Kerberos. This involved
separating out the kadmin-specific code into its own set of modules, and
changing the existing Wallet::Object::Keytab code to branch based on
which module is loaded.
|
|
|
|
keytab object.
|
|
|
|
|
|
empty string as a principal argument. Be careful not to provide a
principal argument if no principal was set. This workaround can be
removed once we depend on a later version of Net::Remctl.
|
|
|
|
|
|
containing periods. Otherwise, it's hard to manage host keytabs. Add
a missing test suite for that method.
|
|
code audit by Simon Cozens. I didn't take all of his advise, and he
shouldn't be blamed for any remaining issues.
|
|
|
|
|
|
handle when calling kadmin so that we can do our database handle
mangling.
|
|
database connection on a failed fork.
|
|
|
|
Add a drop() method to Wallet::Schema to destroy the wallet database. Add
a test suite for it. Add a reinitialize() method to Wallet;:Server that
drops the database before creating it.
Modify the wallet object test cases to call reinitialize() to create the
initial database and drop() to clean up the database after the test is
complete.
Fix a bug preventing Wallet::Schema from being initialized multiple times.
We now stash the schema in a class static variable and reuse it for
subsequent initializations, since re-reading DATA doesn't work.
|
|
and can be tested.
|
|
|
|
of the enctypes attribute when the unchanging flag is set.
|
|
that the enctype must be in the database in the keytab object API
documentation.
The README and NEWS files are now done.
|
|
enforce referential integrity.
|
|
Still needs a more comprehensive test suite.
Remove all attributes for a keytab object when it is destroyed so that
when the object is recreated, it doesn't inherit attributes from its
previous self. Add a test case for that for the sync attribute.
|
|
and license statements in all files. Make sure that some files that were
missing copyright information now have them. Reference LICENSE rather
than README in all notices.
|
|
|
|
new object method that subclasses can override to add attribute
information to show() and remove the documentation about overriding
show().
|
|
tests of the machinery around kaserver synchronization even if we don't
have a full configuration.
|
|
if synchronization is not set.
|
|
keytab object is destroyed.
|
|
object implementation, extracting the DES key with Authen::Krb5 (since
ktutil doesn't work).
Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the
rest of the keytab retrieval configuration and reorganize the
Wallet::Config documentation to group related configuration options for
the keytab backend.
Fix a column name in the keytab_enctypes table to be more consistent
with the rest of the schema.
|
|
keytabs via remctl from the KDC.
|
|
Catch more errors when checking the existence of a principal. Add a
test for creating a principal for which we don't have permissions.
|
|
that convention elsewhere.
|
|
|
|
adjusts for trailing newlines and exception detritus, saving duplicate
code. Standardize the documentation of the error() method and document
using this in child classes of the generic ACL and Object classes.
Disable printing of errors during connect in Wallet::Server since we're
going to throw our own exception.
|
|
our configuration and die if it isn't correct. Catch all the exceptions
thrown by the _kadmin method and do something with them. Print a warning
and then rethrow the exception in the parent when running a non-existent
kadmin binary rather than throwing an exception in the child, which
doesn't close things down cleanly. Be robust against an undefined
KEYTAB_FLAGS setting. Ensure KEYTAB_TMP is set. Also some minor doc
improvements.
|
|
ALSO references.
|
|
|
|
principals in all the kadmin functions. Pass the realm to the kadmin
command. Parse ktadd errors properly. Call _kadmin_ktadd with the
correct arguments.
|
