| Age | Commit message (Collapse) | Author |
|---|
|
The check for the enctypes of created keytabs tries klist for MIT
first and then Heimdal ktutil. The klist options are invalid for
Heimdal. Suppress the resulting complaining to standard error.
|
|
Add an acls duplicate report to wallet-report and Wallet::Report,
returning sets of ACLs that have exactly the same entries.
|
|
Add a objects unused report to wallet-report and Wallet::Report,
returning all objects that have never been downloaded (in other words,
have never been the target of a get command).
|
|
Parallel to objects name, add an acls name audit that returns all ACLs
that do not follow the site naming standard.
|
|
Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.
|
|
Add the acls unused report to wallet-report and Wallet::Report,
returning all ACLs not referenced by any database objects.
|
|
|
|
Add an audit command to wallet-report and one audit: objects name,
which returns all objects that do not pass the local naming policy.
The corresponding Wallet::Report method is audit().
Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object). This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.
|
|
When deleting an ACL on the server, verify that the ACL is not
referenced by any object first. Database referential integrity should
also catch this, but not all database backends may enforce referential
integrity. This also allows us to return a better error message
naming an object that's still using that ACL.
|
|
Coding style update. Don't prefix the file short description with the
file name; it's not needed.
|
|
|
|
|
|
Move all reporting from Wallet::Admin to Wallet::Report and simplify
the method names since they're now part of a dedicated reporting
class. Similarly, create a new wallet-report script to wrap
Wallet::Report, moving all reporting commands to it from wallet-admin,
and simplify the commands since they're for a dedicated reporting
script.
Remove the contrib script wallet-report to wallet-summary so that it
doesn't conflict with the new reporting backend script.
|
|
Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file. This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes. (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)
Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
Map the AES enctype to the full enctype name, which will work for both
MIT and Heimdal. Fix the test count. Really test rollback from invalid
enctypes (what we did before made no sense). Skip tests that will just
fail if the enctype stuff is not working, since otherwise it confuses
matters.
|
|
We may have a different userspace than the Kerberos type, so always
try klist -ke first and then fall back on ktutil if it fails.
Also display the error message in a few more places if things fail,
discovered as useful when debugging other problems.
|
|
Now that we have Wallet::Kadmin, use it, rather than running the kadmin
client program. We may not have the same kadmin client program as the
server that we're testing against.
|
|
Don't use kadmin to check for principal existence. We want to verify
that we can get tickets, not just look at kadmin. Use whatever is found
on the user's PATH, not something based on the Kerberos type, since our
userspace may not match the server implementation.
|
|
Combine a long series of eval blocks into a single block and a single
error check. Remove trailing whitespace, and in some cases remove
trailing () on method calls where the parens aren't useful.
|
|
Added a fix to the Pod tests to change the order of the arguments in a
skip statement to the correct order. Also added tests for the
KEYTAB_KRBTYPE value in the keytab tests, and changed the Wallet::Kadmin
module to standardize the errors returned with no keytab set and add new
error for keytab set but not a valid value.
|
|
Made kadmin.t skip loading the Wallet::Kadmin::Heimdal module if its
requirement, Heimdal::Kadm5, is not installed on the system.
|
|
The MIT kadmin module currently directly runs the MIT kadmin program. Some
data needs to be cleaned during the forks for this. This provides a
callback that can be registered and is called during the fork process,
currently just to mark database handles inactive. It was added to both the
MIT and Heimdal modules, though it's only a stub in the Heimdal module.
Heimdal is not forking kadmin, but the stub is there in order to allow the
caller to not care which module is being used and just always register the
callbacks.
|
|
Created perl/t/kadmin.t, which performs tests against the Wallet::Kadmin
basic API. We only test that Wallet::Kadmin->new () works for both MIT
and Heimdal (though doesn't make a connection), and the MIT
valid_principal private method.
|
|
valid_principal has been removed from Wallet::Kadmin and
Wallet::Kadmin::Heimdal. An accessor for it in Wallet::Object::Keytab
has also been removed, as have the tests in perl/t/keytab.t for the
function. It still remains within Wallet::Kadmin::MIT and is used there,
but only as a private method for flagging what the kadmin command-line
interface cannot handle.
|
|
Added the new ACL format to perl/t/object.t's idea of what an object's
history was meant to be. This involved switching from acl id to acl
name plus id -- ie: '1' to 'ADMIN (1)'.
|
|
Several tests were removed in an earlier edit that should not have been.
As far as I can tell, they were removed completely by accident. These
missing tests were causing the test suite to fail.
|
|
Strip trailing whitespace, convert tabs to spaces, add newlines to
exceptions, and remove a few stray blank lines and a few other minor
coding style oddities. Make the SQL style consistent.
|
|
When listing an object history, ACLs were only shown as the ACL id. This
changes that behavior to show the ACL name as well as ID. Where before
it might say "set owner to 1", now it would say "set owner to ADMIN (1)".
|
|
Added cases to handle the Wallet::Object::Keytab module using a Heimdal
KDC as well as an MIT KDC. In most cases this is transparent, but some
tests are skipped for Heimdal, and the commands run to test that the
created principals and keytabs are correct are different for Heimdal.
The code now branches based on the value of
$Wallet::Config::KEYTAB_KRBTYPE.
|
|
Added cases to handle the Wallet::Object::Keytab module using a Heimdal
KDC as well as an MIT KDC. In most cases this is transparent, but some
tests are skipped for Heimdal, and the commands run to test that the
created principals and keytabs are correct are different for Heimdal.
The code now branches based on the value of
$Wallet::Config::KEYTAB_KRBTYPE.
|
|
wallet-admin's list command now has additional searches added for objects
and acls that match certain specifiers. For objects these include
searching for objects owned by a specific ACL, objects owned by no one,
objects of a specific type, objects with a specific flag, and objects for
which a specific ACL has any privileges at all. For acls, this includes
the ability to search for any ACL with an entry with given type and
identifier.
|
|
Add a new report owners command to wallet-admin and corresponding
report_owners() method to Wallet::Admin, which returns all ACL lines
on owner ACLs for matching objects.
|
|
|
|
can run in AFS.
|
|
|
|
empty string is valid object content.
Add a full end-to-end test suite to catch protocol mismatches between
the client and server, such as the one fixed in this release.
|
|
|
|
|
|
|
|
|
|
environment variable WALLET_CONFIG and loads configuration from the
file specified there instead of /etc/wallet/wallet.conf if it is set.
|
|
|
|
|
|
empty string as a principal argument. Be careful not to provide a
principal argument if no principal was set. This workaround can be
removed once we depend on a later version of Net::Remctl.
|
