| Age | Commit message (Collapse) | Author |
|---|
|
In Wallet::Policy::Stanford, fix the default_owner logic for password
objects that are group-based rather than host-based. Thanks,
macrotex.
Fixes #82
|
|
In Wallet::Report, sort the results of acl_membership(). This is
only used for the duplicate ACLs report currently, but it may help
external callers as well as produce reliable results for testing.
Patch from macrotex.
|
|
Fix the table drop order for wallet-admin destroy to avoid violating
foreign key constraints. Patch from macrotex.
|
|
If multiple ACL changes were made in the same second, the order of
results could be unstable. Sort by unique key after date to avoid
this. Based on work by macrotex.
|
|
Update to rra-c-util 8.2:
* Implement explicit_bzero with memset if it is not available.
* Reformat all C source using clang-format 10.
* Work around Test::Strict not skipping .git directories.
* Fix warnings with perltidy 20190601 and Perl::Critic 1.134.
* Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
Update to C TAP Harness 4.7:
* Fix warnings with GCC 10.
* Reformat all C source using clang-format 10.
* Fixed malloc error checking in bstrndup.
|
|
Add SPDX-License-Identifier headers to all substantial source files.
Collapse copyright years. Add some Emacs configuration for files
where the copyright notice is at the end. Add a test that every
file has SPDX-License-Identifier.
|
|
Mostly changing http eyrie.org URLs to https, but also remove my
old email address in one place and switch some tests away from my
old RRA_MAINTAINER_TESTS environment variable to use the Lancaster
Consensus variables properly. This uncovered a bug in skipping one
test unless Stanford Kerberos credentials existed.
|
|
|
|
|
|
|
|
Move options up with other keytab backend options except for the
bucket for keytabs, which does belong in the section on retrieving
existing keytabs.
|
|
|
|
|
|
It turns out that the length limitations apply to all keytabs, not
just service keytabs. This change creates unique ids for hostnames
that exceed the AD length limit.
|
|
The account name for a service keytab cannot exceed 20 characters.
The routine that was generating a unique id incorrectly attempted to
perform an LDAP query. This change fixes that problem.
|
|
The account name for a service keytab cannot exceed 20 characters.
The routine that was generating a unique id incorrectly attempted to
perform an LDAP query. This change fixes that problem.
|
|
* Make sure userPrincipalName is created for all keytabs and use it to
search for entries in AD.
* Allow the creation of any service principal. This requires making
sure that the cn used to create AD entries for service accounts not
be any longer than 20 characters.
|
|
Correct a variable reference that was causing AD keytab creation to
fail. Update the debugging for shell command execution that makes
debugging more rebust and highlights problems.
|
|
* This ad-keytab is useful in the initial setup of AD as a keytab
store for wallet.
* Change configuration variables to correctly reflect that some values
are relative distinguished names.
* Add a configuration variable for the base distinguished name for
ActiveDirectory.
|
|
with multiple enctypes specified, only the last one will actually take effect. If you wish to provide support for more then one, you need to add the values (0x04 + 0x08 + 0x10 = 0x1C).
replacing the 3 lines with one line to enable all three. Note that the keytabs generated will have 3 line for each principal (one for each enctypes).
See msktutil man page for further details on enctypes.
|
|
|
|
The versions of all of the wallet Perl modules now match the overall
package version except for Wallet::Schema, which is used to version
the database schema.
Import the test from rra-c-util 5.10 and exclude Wallet::Schema from
the tests.
Go through all Perl modules and standardize the syntax for setting the
version and indicating the required version of Perl. Fix a few other
syntax issues while I'm in there.
|
|
|
|
Also remove some configuration checks that aren't required, and
unify handling of some configuration options.
|
|
This requires changing the ACL verifier plumbing to pass object
type and name all the way through when verifying ACLs. Hopefully
I caught everything.
|
|
Conflicts:
NEWS
|
|
Failed kadmin commands were deleting the wallet database in the
test suite due to an END block in the test programs. Use _exit
to avoid this.
|
|
Ubuntu precise and trusty don't have Net::Duo packages. Delay
loading to the constructor so that the modules will still pass
strictness tests. This also fixes Travis-CI testing.
Change-Id: I23f1fe6dbdddaac2040f459410a74be4a13b6755
|
|
Change-Id: I3a8b13a8b255522cff92910f8d99ec94dc020e6f
|
|
A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
|
|
|
|
The msktutil script does not always signal error conditions. This
change implements a check that examines the output from msktutil
and reports and error when the keytab creation fails to create
the keytab but does create a computer entry in the directory. If
an error is detected the directory entry is deleted leaving the
directory in a clean state.
Also, support has been added for output of debugging information
to syslog using the AD_DEBUG configuration variable.
Finally perltidy suggested changes were made to AD.pm.
|
|
Conflicts:
NEWS
|
|
|
|
When adding a new ACL, if creation of the verifier failed, we
reported a pretty minimal error message claiming that the
identifier was the problem. It can't possibly be the problem
when the constructor fails. Report the actual failure more
directly.
|
|
This version implements Active Directory as the store for keytabs.
The interface to Active Directory uses a combination of direct LDAP
queries and the msktutil utility. This version does not support the
wallet unchanging flag. Unchanging requires that a keytab be
retrieved without changing the password/kvno which is not supported by
msktutil.
|
|
Added a version of the LDAP attribute ACL. Like the root version for
NetDB, this requires that the principal end in /root, and then strips
off /root before doing matching against the given LDAP attribute.
Change-Id: I23119ef9c9ce3e0556f5d71a509815f2efc1bbe6
|
|
We needed a way to report on where all a specific ACL might be nested,
since we can't destroy an ACL until it's no longer being nested. For
the immediate this is part of wallet-report.
Change-Id: I41c11b73325d1eb3a28289eac3505bf965877be1
|
|
When destroying an ACL nested in other ACLs, we now fail with an
explanation rather than going through to remove all the places it's
nested. That's more in line with how we handle trying to destroy ACLs
that own things.
Change-Id: I8bc0530e37c54369ec52d9b369f8fabe98def77a
|
|
Removed some default text and explained why we grab the database handle
for future use.
Change-Id: I50b3ae06c1761453de3140d501830c245d550c04
|
|
There was an older mistake in sorting ACLs and entries, using && instead
of || when sorting.
Problem and fix pointed out to Chris Law.
Change-Id: Iab46b4bcbd842978f88a7d9f63958ebea4806413
|
|
This verifier will allow embedding one ACL in another for more flexible
ACL handling. As part of thise we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier. For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.
Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
|
|
All error messages should now use the ACL name rather than the ADL id,
for readability.
Change-Id: I2d1cfe806b459ef083293df4fa0b83cb4cef673b
|
|
To handle local proliferation of Duo integration type requests, all Duo
types have been merged into one module that will pick up and decide
integration specifics off of the object type.
If you are using the Duo types locally already, you'll want to load
perl/sql/wallet-1.3-update-duo.sql to your database to update the old
object types to all use the Duo module.
All existing Duo integrations have been added to the module for
handling, but nothing new has been added to the wallet object types.
Since there are a lot of Duo integrations, sites should only manually
add the ones they're interested in to the wallet types table.
Change-Id: If9c9a0a3e77923354f31d8f9c98a519c93df200b
|
|
Change-Id: I9e4632f3ff81f916f9157ef8128b20915ecded08
|
|
"wallet-report objects host <hostname>" reports on all objects that
belong to the given host. This can be used to query things for retiring
systems.
Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
|
|
update will work generally like get, but only for objects that have a
concept of updating content automatically, like keytabs and passwords.
For these, the content will be updated before sending to the client.
In a later release get for keytabs will be modified to never update the
kvno before sending to the user, and so the unchanging flag will be
phased out in lieu of explicitly using the method that does what you
want.
Change-Id: I96a84416c5e50278eb29fe07052dde6e063bc071
|
|
Two new reports, 'types' and 'schemes'. These will print out all
configured types and acl schemes.
Change-Id: Ib06d37755fe80c168a6f723c9a1e683fdf5dfcde
|
|
Added for SSL files including the root cert as well, used in splunk.
Change-Id: I1faaa840d309ae4370ae26da5b51c0cee84d7558
|
|
Added to the password object type a new naming set for service/*,
specifically for things that belong to a non-host-specific service.
Change-Id: I1481d48319a5833f00eae940a6d2ca912874bb01
|
