summaryrefslogtreecommitdiff
path: root/perl/Wallet
AgeCommit message (Collapse)Author
2010-06-29Give credit to the right author for krb5-regexRuss Allbery
2010-06-29Add a krb5-regex ACL typeIan Durkacz
Add the krb5-regex ACL type and corresponding Wallet::ACL::Krb5::Regex module. This ACL is identical to krb5 except that it takes a regular expression matching principals instead of a string that must match exactly.
2010-05-18Add acls duplicate reportRuss Allbery
Add an acls duplicate report to wallet-report and Wallet::Report, returning sets of ACLs that have exactly the same entries.
2010-05-12Add a report of all objects that have never been downloadedRuss Allbery
Add a objects unused report to wallet-report and Wallet::Report, returning all objects that have never been downloaded (in other words, have never been the target of a get command).
2010-03-08Add an ACL name audit to wallet-report and Wallet::ReportRuss Allbery
Parallel to objects name, add an acls name audit that returns all ACLs that do not follow the site naming standard.
2010-03-05Allow naming policy enforcement for ACL namesRuss Allbery
Wallet::Config now supports an additional local function, verify_acl_name, which can be used to enforce ACL naming policies. If set, it is called for any ACL creation or rename and can reject the new ACL name.
2010-03-05Add a report of unused ACLsRuss Allbery
Add the acls unused report to wallet-report and Wallet::Report, returning all ACLs not referenced by any database objects.
2010-03-05Document how to clear an ACL in Wallet::ServerRuss Allbery
2010-03-03Use L<> links instead of man page references for modulesRuss Allbery
Do this only in the main text, not in the SEE ALSO section, since the latter is more for conventional man pages. This will produce better results for some POD to HTML converters (although not mine, yet).
2010-03-03Add auditing for names that violate the naming policyRuss Allbery
Add an audit command to wallet-report and one audit: objects name, which returns all objects that do not pass the local naming policy. The corresponding Wallet::Report method is audit(). Wallet::Config::verify_name may now be called with an undefined third argument (normally the user attempting to create an object). This calling convention is used when auditing, and the local policy function should select the correct policy to apply for useful audit results.
2010-03-03Verify that an ACL to be deleted is not referencedRuss Allbery
When deleting an ACL on the server, verify that the ACL is not referenced by any object first. Database referential integrity should also catch this, but not all database backends may enforce referential integrity. This also allows us to return a better error message naming an object that's still using that ACL.
2010-02-20Update documentation for support for storing nul dataRuss Allbery
Update the wallet client, wallet-backend, and Wallet::Object::File documentation for the support for storing data containing nul characters using the new stdin support in remctld. Add this to NEWS.
2010-02-19Refactor reporting into a separate module and scriptRuss Allbery
Move all reporting from Wallet::Admin to Wallet::Report and simplify the method names since they're now part of a dedicated reporting class. Similarly, create a new wallet-report script to wrap Wallet::Report, moving all reporting commands to it from wallet-admin, and simplify the commands since they're for a dedicated reporting script. Remove the contrib script wallet-report to wallet-summary so that it doesn't conflict with the new reporting backend script.
2010-02-18Refactor Wallet::Kadmin keytab_rekey to return keytabRuss Allbery
Change the API for keytab_rekey to match keytab, returning the keytab as data instead of writing it to a file. This simplifies the wallet object implementation and moves the logic for reading the temporary file into Wallet::Kadmin and its child classes. (Eventually, there may be a kadmin backend that doesn't require using a temporary file.) Setting KEYTAB_TMP is now required to instantiate either the ::MIT or ::Heimdal Wallet::Kadmin classes.
2010-02-18Support unchanging keytabs with Heimdal without remctlRuss Allbery
Heimdal supports retrieving a keytab containing the existing keys over the kadmin protocol. Move the support for using remctl to retrieve an existing keytab into Wallet::Kadmin::MIT and provide two separate methods in the Wallet::Kadmin interface: one which rekeys and one which doesn't. Implement the non-rekeying interface for Heimdal. Expand the test suite for the unchanging keytabs to include tests for the Heimdal method.
2010-02-18Refactor sync handling in Wallet::Object::KeytabRuss Allbery
Pull the sync code out into separate methods to avoid a really long and awkward attr method. Document the limited object support for the sync attribute.
2010-02-18Tiny coding style fix in Wallet::KadminRuss Allbery
2010-02-18Rename functions in Wallet::Kadmin APIRuss Allbery
Now that we support multiple versions of Kerberos, use generic names for the functions in the Wallet::Kadmin interface rather than the commands from the MIT kadmin interface.
2010-02-18Move Wallet::Kadmin documentation into the parent classRuss Allbery
Rather than duplicating the API documentation in both ::Heimdal and ::MIT, move it into Wallet::Kadmin and just reference that from the subclasses. Add documentation for exists(), since that's part of the public API. Move a few methods around and fix a few other minor documentation differences.
2010-02-18Refactor Wallet::Kadmin::Heimdal constructorRuss Allbery
Remove the separate kadmin_client method by combining it with the constructor, since that was the only place it was called.
2010-02-18Lift the error method into Wallet::KadminRuss Allbery
Take advantage of inheritance by providing the error method in Wallet::Kadmin rather than separately in both the subclasses.
2010-02-18Call fork_callback conditionallyRuss Allbery
Only call fork_callback in Wallet::Kadmin::MIT if it's set, allowing the module to work without setting it.
2010-02-18Move stub fork_callback() into parent classRuss Allbery
Move the stub fork_callback method into Wallet::Kadmin and make both Wallet::Kadmin::Heimdal and Wallet::Kadmin::MIT inherit from Wallet::Kadmin. Add POD documentation for fork_callback.
2010-02-09Check spelling of server API POD and tweak server docsRuss Allbery
Also update the POD syntax check to the current version of that check I use elsewhere. Since I'm touching all the POD anyway, also rewrap all of the POD to 74 columns. Fix some references to MIT in the Wallet::Kadmin::Heimdal module documentation.
2010-02-09Use the long enctype name for aes256-cts-hmac-sha1-96Russ Allbery
Heimdal requires the full name and doesn't support the short name that MIT has as an alias. Change the documentation to use the long name uniformly.
2010-02-09Document and make case-insensitive KEYTAB_KRBTYPERuss Allbery
KEYTAB_KRBTYPE wasn't documented in Wallet::Config. Add it and the variable declaration. Also document the new mandatory setting in NEWS and add the Heimdal::Kadm5 requirement to README. Remove some of the language in README that implies that only MIT Kerberos is supported. Make the setting case-insensitive and improve the error message from Wallet::Kadmin if it isn't set.
2010-02-09Remove kaserver synchronization support from the wallet backendRuss Allbery
Remove kaserver synchronization support. It is no longer tested, and retaining the code was increasing the complexity of wallet, and some specific requirements (such as different realm names between kaserver and Kerberos v5 and the kvno handling) were Stanford-specific. Rather than using this support, AFS sites running kaserver will probably find deploying Heimdal with its internal kaserver compatibility is probably an easier transition approach.
2010-02-08Fix canonicalization of principals for HeimdalRuss Allbery
All the Wallet::Kadmin::Heimdal functions were canonicalizing principals using duplicate code, and that code assumed that all principal names would be unqualified. Centralize that code in one helper routine and support already-qualified principals so that we can use these functions easily from the test suite.
2010-02-08Don't default the Heimdal kadmin server to localhostRuss Allbery
If there is no kadmin host set in the configuration, it's supposed to fall back on the krb5.conf setting, not hard-code localhost.
2010-02-08Fix syntax error in Wallet::Kadmin::HeimdalRuss Allbery
Introduced accidentally during the coding style cleanup.
2010-02-08Coding style and whitespace fixesRuss Allbery
Combine a long series of eval blocks into a single block and a single error check. Remove trailing whitespace, and in some cases remove trailing () on method calls where the parens aren't useful.
2010-01-28Improved and fixed tests related to Pod and KDC typeJon Robertson
Added a fix to the Pod tests to change the order of the arguments in a skip statement to the correct order. Also added tests for the KEYTAB_KRBTYPE value in the keytab tests, and changed the Wallet::Kadmin module to standardize the errors returned with no keytab set and add new error for keytab set but not a valid value.
2010-01-26Added way to clean things during a fork for kadminJon Robertson
The MIT kadmin module currently directly runs the MIT kadmin program. Some data needs to be cleaned during the forks for this. This provides a callback that can be registered and is called during the fork process, currently just to mark database handles inactive. It was added to both the MIT and Heimdal modules, though it's only a stub in the Heimdal module. Heimdal is not forking kadmin, but the stub is there in order to allow the caller to not care which module is being used and just always register the callbacks.
2010-01-26Improved error handling for Kadmin sub-modulesJon Robertson
Improved error handling by adding an error function to the Kadmin sub-modules which will copy errors down to the Wallet::Object::Keytab error function rather than relying on too many dies and evals. There still needs to be more cleanup here, but that will rely on work on Heimdal::Kadm5 as well, to clean up its own error handling to not spam warnings when called without RaiseError. Also caught a few more un-evaled error cases where Heimdal::Kadm5 was called, and fixed an error where RaiseErrors was being set rather than RaiseError due to an error in Heimdal::Kadm5 docs.
2010-01-21Removed valid_principal as a Kadmin API functionJon Robertson
valid_principal has been removed from Wallet::Kadmin and Wallet::Kadmin::Heimdal. An accessor for it in Wallet::Object::Keytab has also been removed, as have the tests in perl/t/keytab.t for the function. It still remains within Wallet::Kadmin::MIT and is used there, but only as a private method for flagging what the kadmin command-line interface cannot handle.
2010-01-21Documentation additions and fixesJon Robertson
Added documentation for the new object and acl list searches to perl/Wallet/Admin.pm and server/wallet-admin. Also fixed a POD error in perl/Wallet/Kadmin.pm's docs.
2010-01-19Coding style fixes for Perl wallet codeRuss Allbery
Strip trailing whitespace, convert tabs to spaces, add newlines to exceptions, and remove a few stray blank lines and a few other minor coding style oddities. Make the SQL style consistent.
2010-01-07Added ACL name to object history entriesJon Robertson
When listing an object history, ACLs were only shown as the ACL id. This changes that behavior to show the ACL name as well as ID. Where before it might say "set owner to 1", now it would say "set owner to ADMIN (1)".
2010-01-07Added ability to list only ACLs with no membersJon Robertson
Added new option to the 'wallet-admin list acls' command, 'empty', which will only return those ACLs which have no members. This will help maintenance in the long term by pointing out ACLs in error or no longer needed.
2010-01-05Added randKeyPrincipal to the keytab creation processJon Robertson
randKeyPrincipal was added to the keytab file creation process, in order to reset a principal to first have all possible enctypes. There is no way for us to specify that we only want a specific number of fresh enctypes, so we must reset to have all enctypes first, and then pare down from there each time we create the keytab.
2009-12-16Provided path to call valid_principal directlyJon Robertson
valid_principal used to reside in Wallet::Object::Keytab, but was moved to the individual Wallet::Kadmin::* modules. This isn't necessary currently and may not ever be, but it's there just in case we do ever need to differentiate. To simplify testing, a way to still call it directly from Wallet::Object::Keytab has been added.
2009-12-16Improvements for keytab existance checks and keytab creationJon Robertson
* Fixed keytab existence check to avoid failures when called by a principal with permissions only on specific principals. * Better error cases for non-existant keytabs in several places. * Skipped limiting keytabs to certain enctypes when no enctypes are given.
2009-12-10Added support for Heimdal KDCJon Robertson
Added support for Heimdal as an alternative to MIT Kerberos. This involved separating out the kadmin-specific code into its own set of modules, and changing the existing Wallet::Object::Keytab code to branch based on which module is loaded.
2009-12-03Improved wallet-admin list command with searchesJon Robertson
wallet-admin's list command now has additional searches added for objects and acls that match certain specifiers. For objects these include searching for objects owned by a specific ACL, objects owned by no one, objects of a specific type, objects with a specific flag, and objects for which a specific ACL has any privileges at all. For acls, this includes the ability to search for any ACL with an entry with given type and identifier.
2009-06-09Add owners reportRuss Allbery
Add a new report owners command to wallet-admin and corresponding report_owners() method to Wallet::Admin, which returns all ACL lines on owner ACLs for matching objects.
2009-06-09Remove Subversion Id stringsRuss Allbery
2008-02-20Report the correct error message when addprinc fails while creating aRuss Allbery
keytab object.
2008-02-13Remove the restriction that all object implementations must have classRuss Allbery
names of Wallet::Object::* and all ACL verifier implementations must have class names of Wallet::ACL::*.
2008-02-13Fix the signature of register_verifier in the documentation.Russ Allbery
2008-02-13Move register_object and register_verifier into Wallet::Admin.Russ Allbery