| Age | Commit message (Collapse) | Author |
|---|
|
In moving from DBI to DBIx::Class, we at first left the various
variables the same. This goes through to update them for the proper
names.
* Wallet::Admin::schema was created to return the schema object (and
similarly for Wallet::Server and Wallet::Report).
* Wallet::Admin::dbh was modified to return the actual DBI handle again
(and similarly for Wallet::Server and Wallet::Report).
* Various places that used $admin->{dbh} were moved to $admin->{schema}.
* Various places using $dbh for the schema object were changed to
$schema.
Change-Id: I00914866e9a8250855a7828474aa9ce0f37b914f
Reviewed-on: https://gerrit.stanford.edu/733
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
perl/Wallet/Object/Keytab.pm was using the wrong value for the database
handle in some places (trying to load as a subroutine rather than part
of the object). Also, the keytab.t tests were attempting to run against
the DBIx::Class object rather than a direct dbh handle that they
expected.
Change-Id: Ifbb8b110d559f3ba867fc5b0dc3933fd2d4fd484
Reviewed-on: https://gerrit.stanford.edu/731
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
DBIx::Class::Schema::Versioned uses carp to send a few warnings that are
more just informational messages. Use a local warning handler to skip
the warnings we'll always get for normal upgrades.
Change-Id: I4f987b290ec17b95d737150dd106e7bb0f62a264
Reviewed-on: https://gerrit.stanford.edu/730
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
wallet-admin is solely a thin wrapper around Wallet::Admin, but it
gained specific code for initialize and update, which caused the
server/admin test to fail.
Move the update code to set a default version into into Wallet::Admin
instead. The initialize code appears to be unnecessary; it was
setting a default for a parameter that was already handled by
Wallet::Config.
Change-Id: I1a7e5dbbfd005e4f60e89e50a91019295e44df99
Reviewed-on: https://gerrit.stanford.edu/729
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Moved all the Perl code to use DBIx::Class for the database interface.
This includes updating all database calls, how the schema is generated
and maintained, and the tests in places where some output has changed.
We also remove the schema.t test, as the tests for it are more covered
in the admin.t tests now.
Change-Id: Ie5083432d09a0d9fe364a61c31378b77aa7b3cb7
Reviewed-on: https://gerrit.stanford.edu/598
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Be sure that we don't purge keys if that would leave us with fewer
than three keys. Fix a few other error reporting issues and one
syntax error in a WebAuth call.
Change-Id: I9bb75de56da3542f8c26ca8eab0814afea06c16a
Reviewed-on: https://gerrit.stanford.edu/714
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
We need at least version 3.06 to have the encode and decode
WebAuth::Keyring functions.
Change-Id: Ia4e3ed74cc038c06e3ba6ab13b37ea3cdb06c032
Reviewed-on: https://gerrit.stanford.edu/713
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
A copy/paste error from the file object configuration.
Change-Id: Ie3ee48ed7adcf3fa50a510f085e664c5b0c91300
Reviewed-on: https://gerrit.stanford.edu/712
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I12e430acd089de5ac50f62ebbdeb869be31eeeec
Reviewed-on: https://gerrit.stanford.edu/711
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Add a new acl check command which, given an ACL ID, prints yes if that
ACL already exists and no otherwise. This is parallel to the check
command for objects.
Also fix some documentation errors in the wallet client documentation,
saying that the check command doesn't require any ACL and fixing one
place where "show" was used instead of "store".
|
|
|
|
Fix a formatting error in Wallet::ACL::LDAP::Attribute and add new
stopwords required by the latest aspell.
|
|
Some database drivers, such as current SQLite, will return undef
for a data column that is set to NULL instead of the empty string.
Skip past those data columns without attempting to examine the
length of the resulting data.
|
|
This is very preliminary. There is no test suite yet, no
documentation, and the test suite currently doesn't pass for other
reasons.
|
|
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
supported. This ACL type grants access if the LDAP entry
corresponding to the principal contains the attribute name and value
specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
required to use this ACL type. New configuration settings are
required as well; see Wallet::Config for more information. To enable
this ACL type for an existing wallet database, use wallet-admin to
register the new verifier.
|
|
Add a comment field to objects and corresponding commands to
wallet-backend and wallet to set and retrieve it. The comment field
can only be set by the owner or wallet administrators but can be seen
by anyone on the show ACL.
|
|
Hook the new upgrade method of Wallet::Schema into Wallet::Admin
and the wallet-admin wrapper script.
|
|
Version 0 is the version without the metadata table. Add a new
upgrade method to Wallet::Schema and support upgrading the database
to version 1. (Version 1 is not yet finalized.)
|
|
Add a metadata table whose only column, currently, is a version number.
We will store the version of the schema in this table and use that to
know what to do during upgrades.
|
|
|
|
|
|
Add the krb5-regex ACL type and corresponding Wallet::ACL::Krb5::Regex
module. This ACL is identical to krb5 except that it takes a regular
expression matching principals instead of a string that must match
exactly.
|
|
Add an acls duplicate report to wallet-report and Wallet::Report,
returning sets of ACLs that have exactly the same entries.
|
|
Add a objects unused report to wallet-report and Wallet::Report,
returning all objects that have never been downloaded (in other words,
have never been the target of a get command).
|
|
Parallel to objects name, add an acls name audit that returns all ACLs
that do not follow the site naming standard.
|
|
Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.
|
|
Add the acls unused report to wallet-report and Wallet::Report,
returning all ACLs not referenced by any database objects.
|
|
|
|
Do this only in the main text, not in the SEE ALSO section, since the
latter is more for conventional man pages. This will produce better
results for some POD to HTML converters (although not mine, yet).
|
|
Add an audit command to wallet-report and one audit: objects name,
which returns all objects that do not pass the local naming policy.
The corresponding Wallet::Report method is audit().
Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object). This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.
|
|
When deleting an ACL on the server, verify that the ACL is not
referenced by any object first. Database referential integrity should
also catch this, but not all database backends may enforce referential
integrity. This also allows us to return a better error message
naming an object that's still using that ACL.
|
|
Update the wallet client, wallet-backend, and Wallet::Object::File
documentation for the support for storing data containing nul
characters using the new stdin support in remctld. Add this to NEWS.
|
|
Move all reporting from Wallet::Admin to Wallet::Report and simplify
the method names since they're now part of a dedicated reporting
class. Similarly, create a new wallet-report script to wrap
Wallet::Report, moving all reporting commands to it from wallet-admin,
and simplify the commands since they're for a dedicated reporting
script.
Remove the contrib script wallet-report to wallet-summary so that it
doesn't conflict with the new reporting backend script.
|
|
Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file. This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes. (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)
Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Pull the sync code out into separate methods to avoid a really long and
awkward attr method. Document the limited object support for the sync
attribute.
|
|
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
Rather than duplicating the API documentation in both ::Heimdal and
::MIT, move it into Wallet::Kadmin and just reference that from the
subclasses. Add documentation for exists(), since that's part of the
public API. Move a few methods around and fix a few other minor
documentation differences.
|
|
Remove the separate kadmin_client method by combining it with the
constructor, since that was the only place it was called.
|
|
Take advantage of inheritance by providing the error method in
Wallet::Kadmin rather than separately in both the subclasses.
|
|
Only call fork_callback in Wallet::Kadmin::MIT if it's set, allowing
the module to work without setting it.
|
|
Move the stub fork_callback method into Wallet::Kadmin and make both
Wallet::Kadmin::Heimdal and Wallet::Kadmin::MIT inherit from
Wallet::Kadmin. Add POD documentation for fork_callback.
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
Heimdal requires the full name and doesn't support the short name that
MIT has as an alias. Change the documentation to use the long name
uniformly.
|
|
KEYTAB_KRBTYPE wasn't documented in Wallet::Config. Add it and the
variable declaration. Also document the new mandatory setting in
NEWS and add the Heimdal::Kadm5 requirement to README. Remove some
of the language in README that implies that only MIT Kerberos is
supported.
Make the setting case-insensitive and improve the error message from
Wallet::Kadmin if it isn't set.
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
All the Wallet::Kadmin::Heimdal functions were canonicalizing principals
using duplicate code, and that code assumed that all principal names
would be unqualified. Centralize that code in one helper routine and
support already-qualified principals so that we can use these functions
easily from the test suite.
|
|
If there is no kadmin host set in the configuration, it's supposed to
fall back on the krb5.conf setting, not hard-code localhost.
|
|
Introduced accidentally during the coding style cleanup.
|
