path: root/perl
Age | Commit message | Author
2016-01-23 | Update Perl module versions for 1.4 | Russ Allbery
2016-01-23 | Add Wallet module test requirements | A. Karl Kornel
2016-01-17 | Add stopwords for perl/create-ddl | Russ Allbery
2016-01-17 | Add license statements to new SQL files | Russ Allbery
2016-01-17 | Fix version source and prerequisites in Build.PL | Russ Allbery
Flesh out recommends for more accurate dependencies for the Perl modules. Pull the version from one of the Perl modules, now that we have another test that ensures that those versions are all consistent.
2016-01-17 | Standardize Perl module versions | Russ Allbery
The versions of all of the wallet Perl modules now match the overall package version except for Wallet::Schema, which is used to version the database schema. Import the test from rra-c-util 5.10 and exclude Wallet::Schema from the tests. Go through all Perl modules and standardize the syntax for setting the version and indicating the required version of Perl. Fix a few other syntax issues while I'm in there.
2016-01-16 | Fix spelling errors and add stopwords | Russ Allbery
2016-01-16 | Add documentation of the Active Directory support | Russ Allbery
Also remove some configuration checks that aren't required, and unify handling of some configuration options.
2016-01-16 | Pass object type and name to external ACL verifiers | Russ Allbery
This requires changing the ACL verifier plumbing to pass object type and name all the way through when verifying ACLs. Hopefully I caught everything.
2016-01-05 | Merge branch 'master' into ad-keytabs | Bill MacAllister
Conflicts: NEWS
2016-01-03 | Clean up test-files directory after object/password test | Russ Allbery
2016-01-03 | Use _exit when failing to fork external commands | Russ Allbery
Failed kadmin commands were deleting the wallet database in the test suite due to an END block in the test programs. Use _exit to avoid this.
2016-01-03 | Fix t/object/keytab.t MIT enctype recognition | Russ Allbery
New versions of MIT now use the actual enctype in klist -ke output. Also add 128-bit AES. Also add some additional debugging that was useful when chasing another problem.
2016-01-03 | Fix Wallet::Object::Duo to pass strict.t test w/o Net::Duo | Russ Allbery
Ubuntu precise and trusty don't have Net::Duo packages. Delay loading to the constructor so that the modules will still pass strictness tests. This also fixes Travis-CI testing. Change-Id: I23f1fe6dbdddaac2040f459410a74be4a13b6755
2016-01-03 | Add stopword for Wallet::ACL::External documentation | Russ Allbery
Change-Id: I3a8b13a8b255522cff92910f8d99ec94dc020e6f
2016-01-03 | Add Wallet::ACL::External ACL type | Russ Allbery
A new ACL type, external (Wallet::ACL::External), is now supported. This ACL runs an external command to check if access is allowed, and passes the principal and the ACL identifier to that command. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier. Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
2015-12-29 | Add in missing use statement for Sys::Syslog | Bill MacAllister
2015-12-29 | Add error check for partially created AD keytabs | Bill MacAllister
The msktutil script does not always signal error conditions. This change implements a check that examines the output from msktutil and reports an error when the keytab creation fails to create the keytab but does create a computer entry in the directory. If an error is detected the directory entry is deleted leaving the directory in a clean state. Also, support has been added for output of debugging information to syslog using the AD_DEBUG configuration variable. Finally perltidy suggested changes were made to AD.pm.
2015-12-18 | Merge branch 'master' into ad-keytabs | Bill MacAllister
Conflicts: NEWS
2015-12-14 | Add documentation for Wallet::ACL::Nested | Russ Allbery
2015-12-14 | Better error reporting on verifier failure during add | Russ Allbery
When adding a new ACL, if creation of the verifier failed, we reported a pretty minimal error message claiming that the identifier was the problem. It can't possibly be the problem when the constructor fails. Report the actual failure more directly.
2015-12-14 | Skip Stanford naming policy tests that require NetDB | Russ Allbery
We need a fake NetDB server to test this stuff properly, but until then, just avoid running the tests.
2015-12-03 | Implement support for managed Active Directory keytabs | Bill MacAllister
This version implements Active Directory as the store for keytabs. The interface to Active Directory uses a combination of direct LDAP queries and the msktutil utility. This version does not support the wallet unchanging flag. Unchanging requires that a keytab be retrieved without changing the password/kvno which is not supported by msktutil.
2015-11-18 | Added Wallet::ACL::LDAP::Attribute::Root | Jon Robertson
Added a version of the LDAP attribute ACL. Like the root version for NetDB, this requires that the principal end in /root, and then strips off /root before doing matching against the given LDAP attribute. Change-Id: I23119ef9c9ce3e0556f5d71a509815f2efc1bbe6
2015-11-18 | ldap-attr.t: Updated tests to use jonrober rather than rra | Jon Robertson
Change-Id: I842a7335a4b50c9c20b921ae2efc63aab571635e
2015-11-18 | stanford.t: Added netdb configuration to policy tests | Jon Robertson
Since we now check to see if something is a valid netdb node entry for the ACL verifiers, we need to have a valid netdb setup to run. Change-Id: Ic2651f8b8b306dfa1f426d91f329b5100a9a1d64
2015-11-18 | Added wallet report for nested ACL | Jon Robertson
We needed a way to report on where all a specific ACL might be nested, since we can't destroy an ACL until it's no longer being nested. For the immediate this is part of wallet-report. Change-Id: I41c11b73325d1eb3a28289eac3505bf965877be1
2015-11-18 | ACL.pm: Destroying a nested ACL will now fail | Jon Robertson
When destroying an ACL nested in other ACLs, we now fail with an explanation rather than going through to remove all the places it's nested. That's more in line with how we handle trying to destroy ACLs that own things. Change-Id: I8bc0530e37c54369ec52d9b369f8fabe98def77a
2015-11-18 | Nested.pm: Updated comments around constructor | Jon Robertson
Removed some default text and explained why we grab the database handle for future use. Change-Id: I50b3ae06c1761453de3140d501830c245d550c04
2015-06-08 | Wallet/Server.pm: Fix sorting of ACLs and entries | Jon Robertson
There was an older mistake in sorting ACLs and entries, using && instead of || when sorting. Problem and fix pointed out to Chris Law. Change-Id: Iab46b4bcbd842978f88a7d9f63958ebea4806413
2015-06-08 | Added nested acl verifier | Jon Robertson
This verifier will allow embedding one ACL in another for more flexible ACL handling. As part of this we've also added the ability for each verifier to do a syntax check to see if a given name is valid for that verifier. For the moment this returns true for everything but Nested. Nested will check to make sure the given name is an existing group. Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
2015-06-08 | ACL.pm: Error messages use name rather than ID | Jon Robertson
All error messages should now use the ACL name rather than the ACL id, for readability. Change-Id: I2d1cfe806b459ef083293df4fa0b83cb4cef673b
2015-06-08 | Merged all Duo objects into one module | Jon Robertson
To handle local proliferation of Duo integration type requests, all Duo types have been merged into one module that will pick up and decide integration specifics off of the object type. If you are using the Duo types locally already, you'll want to load perl/sql/wallet-1.3-update-duo.sql to your database to update the old object types to all use the Duo module. All existing Duo integrations have been added to the module for handling, but nothing new has been added to the wallet object types. Since there are a lot of Duo integrations, sites should only manually add the ones they're interested in to the wallet types table. Change-Id: If9c9a0a3e77923354f31d8f9c98a519c93df200b
2015-06-08 | ACL.pm: Fixed capitalization of ACL in pod | Jon Robertson
Change-Id: I9e4632f3ff81f916f9157ef8128b20915ecded08
2015-06-08 | wallet-report: Added report of all host-based objects for host | Jon Robertson
"wallet-report objects host <hostname>" reports on all objects that belong to the given host. This can be used to query things for retiring systems. Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
2015-06-08 | Added new method for wallet-backend, update | Jon Robertson
update will work generally like get, but only for objects that have a concept of updating content automatically, like keytabs and passwords. For these, the content will be updated before sending to the client. In a later release get for keytabs will be modified to never update the kvno before sending to the user, and so the unchanging flag will be phased out in lieu of explicitly using the method that does what you want. Change-Id: I96a84416c5e50278eb29fe07052dde6e063bc071
2015-06-08 | Added reports to list all types and acl schemes | Jon Robertson
Two new reports, 'types' and 'schemes'. These will print out all configured types and acl schemes. Change-Id: Ib06d37755fe80c168a6f723c9a1e683fdf5dfcde
2015-06-08 | Added ssl-chain name prefix to Stanford policy | Jon Robertson
Added for SSL files including the root cert as well, used in splunk. Change-Id: I1faaa840d309ae4370ae26da5b51c0cee84d7558
2015-06-08 | Added service type to Stanford policy for password | Jon Robertson
Added to the password object type a new naming set for service/*, specifically for things that belong to a non-host-specific service. Change-Id: I1481d48319a5833f00eae940a6d2ca912874bb01
2015-06-08 | Added an object history report to wallet-report | Jon Robertson
Took code from Commerzbank AG and refactored to add to wallet-report. This does a complete dump of all object history for searching on. Change-Id: Id22c51d2938ad90e0c6a19aaa016501a1ba333b3
2015-06-08 | Added first pass of password objects to Stanford policy | Jon Robertson
Change-Id: I6198f4247f589e94beced128504dd086194b1983
2015-06-08 | Added a new password object type | Jon Robertson
The password type inherits almost everything from the file object, but if you try to get a password object that has never been stored, we generate a random string to put in the object rather than just erroring out. The maximum and minimum length of the string can be set in the wallet config. If a password object was stored earlier and then cleared out, we don't generate another random string. Change-Id: I17a65ca7dac9d4430e8a731f417297890ee612bb
2015-06-08 | Added acl replace command to wallet backend | Jon Robertson
New command for replacing the ownership of anything owned by a specific ACL with another ACL. This differs from acl rename in that it's to be used when the destination ACL already exists and potentially already owns some objects. Change-Id: I765bebf499fe0f861abc2ffe1873990590beed36
2015-06-08 | wallet-report: Added a report for unstored objects | Jon Robertson
Report on all file objects that have never had data stored in them. Also clean up the text around the 'objects unused' report which said that it did this plus things that were never gotten, but in reality only reported on the objects that were never gotten. Change-Id: I30c9585ac6f3744fbea2f94b3d6874a64c0109ad
2015-06-08 | Updated Stanford policy to add optional extra to ssh keys | Jon Robertson
Change-Id: Ic575c22c741c29e814749d334e9ed40eb83014e5
2014-12-08 | Fix syntax of NAME section of Wallet::Object::Duo::* modules | Russ Allbery
2014-12-08 | Add stopwords for new modules | Russ Allbery
Change-Id: Ie1d2bcee19ace444f6f7083814133593b160d97d
2014-12-08 | Update skip count for systems without sqlite3 | Russ Allbery
Change-Id: I2180daf5055a90ae52b8a851f514993004da5303
2014-11-06 | Stanford.pm: Fixed incorrect name for new duo host parsing function | Jon Robertson
Change-Id: Ica75f6614476088a9952cd7d97749d27811aed7e
2014-10-27 | Added rename support for file objects | Jon Robertson
File objects now support a rename command, which will rename the object and move the file to the right spot in the file store under its new name. Change-Id: I10ea2b8012586d69f0894905cfba54a738f3e418