Age | Commit message | Author |
|
This verifier will allow embedding one ACL in another for more flexible
ACL handling. As part of this we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier. For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.
Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
|
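The nested verifier described in the commit above resolves one ACL through another, which raises two practical questions: is the nested name an ACL that exists, and what happens if ACLs reference each other in a loop. The following is an added example, not wallet's own code; the `%ACL` table, the ACL names and the `krb5`/`nested` scheme labels are constructed for illustration, and the cycle guard is my own choice rather than a description of how wallet implements it.

```perl
#!/usr/bin/perl
# Added example (not wallet's code): a minimal ACL check that follows
# "nested" entries into other ACLs. %ACL is a constructed, hypothetical
# table mapping an ACL name to a list of [scheme, identifier] entries.
# Visited ACLs are tracked so a self-referencing ACL cannot loop forever.
use strict;
use warnings;

# Constructed sample ACL table (hypothetical names). group/all contains a
# deliberate self-reference to exercise the cycle guard.
my %ACL = (
    'group/admins' => [ [ 'krb5', 'alice@EXAMPLE.ORG' ] ],
    'group/ops'    => [ [ 'krb5', 'bob@EXAMPLE.ORG' ], [ 'nested', 'group/admins' ] ],
    'group/all'    => [ [ 'nested', 'group/ops' ], [ 'nested', 'group/all' ] ],
);

# Syntax check: for the nested scheme the identifier must name an ACL
# that already exists. Other schemes accept any identifier here.
sub syntax_check {
    my ($scheme, $identifier) = @_;
    return 1 unless $scheme eq 'nested';
    return exists $ACL{$identifier} ? 1 : 0;
}

# Return 1 if $principal is granted by $acl, 0 otherwise. $seen records
# ACLs already visited so that cycles terminate instead of recursing.
sub check_acl {
    my ($acl, $principal, $seen) = @_;
    $seen ||= {};
    return 0 if $seen->{$acl}++;   # already visited: stop here
    for my $entry (@{ $ACL{$acl} || [] }) {
        my ($scheme, $identifier) = @$entry;
        if ($scheme eq 'nested') {
            return 1 if check_acl($identifier, $principal, $seen);
        } elsif ($scheme eq 'krb5') {
            return 1 if $identifier eq $principal;
        }
    }
    return 0;
}

# alice is reached via group/all -> group/ops -> group/admins.
print check_acl('group/all', 'alice@EXAMPLE.ORG')   ? "granted\n" : "denied\n";
# mallory is in no ACL; the self-reference in group/all terminates.
print check_acl('group/all', 'mallory@EXAMPLE.ORG') ? "granted\n" : "denied\n";
# A nested entry naming an unknown ACL fails the syntax check.
print syntax_check('nested', 'group/nonexistent')   ? "ok\n" : "invalid\n";
```

The visited set is shared across the whole traversal rather than per path, which is sufficient here because membership is monotonic: once an ACL has been fully explored without granting the principal, revisiting it cannot change the answer.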
|
All error messages should now use the ACL name rather than the ACL id,
for readability.
Change-Id: I2d1cfe806b459ef083293df4fa0b83cb4cef673b
|
|
To handle local proliferation of Duo integration type requests, all Duo
types have been merged into one module that will pick up and decide
integration specifics off of the object type.
If you are using the Duo types locally already, you'll want to load
perl/sql/wallet-1.3-update-duo.sql to your database to update the old
object types to all use the Duo module.
All existing Duo integrations have been added to the module for
handling, but nothing new has been added to the wallet object types.
Since there are a lot of Duo integrations, sites should only manually
add the ones they're interested in to the wallet types table.
Change-Id: If9c9a0a3e77923354f31d8f9c98a519c93df200b
|
|
Change-Id: I9e4632f3ff81f916f9157ef8128b20915ecded08
|
|
"wallet-report objects host <hostname>" reports on all objects that
belong to the given host. This can be used to query things for retiring
systems.
Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
|
|
update will work generally like get, but only for objects that have a
concept of updating content automatically, like keytabs and passwords.
For these, the content will be updated before sending to the client.
In a later release get for keytabs will be modified to never update the
kvno before sending to the user, and so the unchanging flag will be
phased out in lieu of explicitly using the method that does what you
want.
Change-Id: I96a84416c5e50278eb29fe07052dde6e063bc071
|
|
Two new reports, 'types' and 'schemes'. These will print out all
configured types and acl schemes.
Change-Id: Ib06d37755fe80c168a6f723c9a1e683fdf5dfcde
|
|
Added for SSL files including the root cert as well, used in Splunk.
Change-Id: I1faaa840d309ae4370ae26da5b51c0cee84d7558
|
|
Added to the password object type a new naming set for service/*,
specifically for things that belong to a non-host-specific service.
Change-Id: I1481d48319a5833f00eae940a6d2ca912874bb01
|
|
Took code from Commerzbank AG and refactored to add to wallet-report.
This does a complete dump of all object history for searching on.
Change-Id: Id22c51d2938ad90e0c6a19aaa016501a1ba333b3
|
|
Change-Id: I6198f4247f589e94beced128504dd086194b1983
|
|
The password type inherits almost everything from the file object, but
if you try to get a password object that has never been stored, we
generate a random string to put in the object rather than just
erroring out. The maximum and minimum length of the string can be set
in the wallet config.
If a password object was stored earlier and then cleared out, we don't
generate another random string.
Change-Id: I17a65ca7dac9d4430e8a731f417297890ee612bb
|
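The commit above generates a random string on first retrieval of a password object, with the length bounded by configuration. The security-relevant detail is where the randomness comes from and that every length and character in the range is equally likely. This is an added example, not wallet's own generator; the `$MIN_LENGTH` and `$MAX_LENGTH` variables are hypothetical stand-ins for whatever wallet's config keys are, and the alphabet is a constructed choice.

```perl
#!/usr/bin/perl
# Added example (not wallet's code): generate a password whose length
# falls between a configured minimum and maximum, drawing bytes from the
# kernel CSPRNG (/dev/urandom) instead of Perl's rand(). $MIN_LENGTH and
# $MAX_LENGTH are hypothetical names, not wallet's configuration keys.
use strict;
use warnings;

my $MIN_LENGTH = 20;
my $MAX_LENGTH = 40;
my @ALPHABET   = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');

# Read exactly $n bytes from /dev/urandom; die rather than silently fall
# back to a weaker source.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!\n";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == $n;
    return $buf;
}

# Uniform integer in [0, $max) via rejection sampling, so no value is
# favoured when $max does not divide 256. Only valid for $max <= 256.
sub random_below {
    my ($max) = @_;
    die "range too large for a single byte\n" if $max < 1 || $max > 256;
    my $limit = 256 - (256 % $max);
    while (1) {
        my $byte = ord random_bytes(1);
        return $byte % $max if $byte < $limit;
    }
}

# Pick a length uniformly in [$min, $max], then each character uniformly.
sub generate_password {
    my ($min, $max) = @_;
    die "minimum length exceeds maximum\n" if $min > $max;
    my $length = $min + random_below($max - $min + 1);
    return join '', map { $ALPHABET[ random_below(scalar @ALPHABET) ] } 1 .. $length;
}

my $password = generate_password($MIN_LENGTH, $MAX_LENGTH);
printf "generated %d-character password\n", length $password;
```

Taking `$byte % $max` without the rejection step would bias the output toward the low end of the alphabet whenever 256 is not a multiple of `$max`, which is the usual mistake in hand-rolled generators.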
|
New command for replacing the ownership of anything owned by a specific
ACL with another ACL. This differs from acl rename in that it's to be
used when the destination ACL already exists and potentially already
owns some objects.
Change-Id: I765bebf499fe0f861abc2ffe1873990590beed36
|
|
Report on all file objects that have never had data stored in them.
Also clean up the text around the 'objects unused' report which said
that it did this plus things that were never gotten, but in reality only
reported on the objects that were never gotten.
Change-Id: I30c9585ac6f3744fbea2f94b3d6874a64c0109ad
|
|
Change-Id: Ic575c22c741c29e814749d334e9ed40eb83014e5
|
|
|
|
Change-Id: Ie1d2bcee19ace444f6f7083814133593b160d97d
|
|
Change-Id: I2180daf5055a90ae52b8a851f514993004da5303
|
|
Change-Id: Ica75f6614476088a9952cd7d97749d27811aed7e
|
|
File objects now support a rename command, which will rename the object
and move the file to the right spot in the file store under its new
name.
Change-Id: I10ea2b8012586d69f0894905cfba54a738f3e418
|
|
Duo object types currently all assume that the name of the object is the
hostname of the server it's for.
Change-Id: Ieb5ba144cd39d6aeb3a20466c75a2836a170744f
|
|
Make all the searches and creations for the Duo table add or search for
the type field as well. This avoids one Duo type clobbering another
for the same object name.
Change-Id: I62192c3616f43c7acd8ce3f94db8a0e43e77e317
|
|
Change-Id: Ic728297fa830ffdd40c1580e32a81f8c5123f66a
|
|
Change-Id: I54edbb543be8bfcf0de355da3cef82c6ac1bf27f
|
|
New column is required to differentiate the Duo table entries now that
we have more than one Duo object type. Added the new field and rebuilt
schema definitions and upgrade files.
Change-Id: Icf538eaded93f4f2820984c087d4850a586a7db1
|
|
Change-Id: I818be125f3195316b44e650ba6e05b8e0b831ea6
|
|
The existing functionality is now in the duo-pam object type. The old
duo type now returns output in a generic config file, and new types for
the Duo auth proxy in LDAP and Radius proxies are added.
Change-Id: I1525d79b44dafcf3ef85368297baefafcb5dc179
|
|
Change-Id: I1c53e0503b29d7add289d26e67b11f9789ba8ad8
Reviewed-on: https://gerrit.stanford.edu/1576
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
This turned out to not be necessary for testing since I was already
using sqlite3 to load an unversioned schema. Remove the offending
line and restore the old code with some cleanup.
Change-Id: I282b6f3b4754e4899222be6366b77a47f0cb7189
Reviewed-on: https://gerrit.stanford.edu/1575
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
When reading the Duo object configuration to retrieve the Duo
admin server, parse the JSON in relaxed mode to match the behavior
of Net::Duo itself. Otherwise, we get hung up on trailing commas
that Net::Duo doesn't care about.
Change-Id: I0a7347b22e379fe5dfe5fdabaec3e23420cf9a63
Reviewed-on: https://gerrit.stanford.edu/1574
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
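The fix above switches the Duo config read to relaxed JSON so that a trailing comma, which Net::Duo itself tolerates, does not break wallet. The following added example, which is neither wallet's nor Net::Duo's code, shows the difference between strict and relaxed decoding with the core JSON::PP module; the config text and its placeholder values are constructed, and the key names are assumed to match a typical Duo client config.

```perl
#!/usr/bin/perl
# Added example (not wallet's or Net::Duo's code): decode a Duo-style
# JSON config carrying a trailing comma. Strict decoding rejects it;
# JSON::PP's relaxed mode (trailing commas, # comments) accepts it.
# The config text below is constructed with placeholder values.
use strict;
use warnings;
use JSON::PP;

my $config = <<'END';
{
    # relaxed mode also permits comments like this one
    "integration_key": "DIXXXXXXXXXXXXXXXXXX",
    "secret_key":      "placeholder-secret",
    "api_hostname":    "api-xxxxxxxx.duosecurity.com",
}
END

# Strict parse: fails on the comment and the trailing comma.
my $strict = eval { JSON::PP->new->decode($config) };
if ($strict) {
    print "strict: parsed\n";
} else {
    (my $err = $@) =~ s/\s+\z//;
    print "strict: failed: $err\n";
}

# Relaxed parse: the same text decodes cleanly.
my $data = JSON::PP->new->relaxed->decode($config);
print "relaxed: api_hostname=$data->{api_hostname}\n";

# Relaxed syntax is not relaxed validation: check the fields you will
# use to reach the admin API before trusting them.
for my $key (qw(integration_key secret_key api_hostname)) {
    die "missing $key in Duo config\n"
        unless defined $data->{$key} && length $data->{$key};
}
print "all required keys present\n";
```

Relaxed mode only widens the accepted syntax; it does not validate content, so the required-key check at the end is still worth doing before the values are handed to an API client.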
|
Eventually, there will be multiple object types for different Duo
integrations, and they will need to have unique names. Add the
Duo type in parentheses after the name to help ensure this.
Change-Id: I679130f9136077fc6bf5d8c6c9ad98ec83b400d0
Reviewed-on: https://gerrit.stanford.edu/1573
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Also set module_name (uselessly) to avoid warnings from
Module::Build.
Change-Id: I53426a096f4133f27aa3315b4be24385a3476793
Reviewed-on: https://gerrit.stanford.edu/1571
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I984f48d667acab4cfcb7e0c115773e34e6335d65
Reviewed-on: https://gerrit.stanford.edu/1570
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I5143d487d6b3623bc2be1724ed766b8709feb506
Reviewed-on: https://gerrit.stanford.edu/1565
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I518a175998aa77920b08c43e3a6b890bbab59280
Reviewed-on: https://gerrit.stanford.edu/1561
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
The owner and getacl commands now return the current name of the ACL
instead of its numeric ID, matching the documentation of owner.
Change-Id: Ic47aad48bd1454ed4bffff7030b0492d74eee4fa
Reviewed-on: https://gerrit.stanford.edu/1559
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix the ordering of table drops during a wallet-admin destroy action
to remove tables with foreign key references before the tables they
are referencing. Should fix destroy in MySQL and other database
engines that enforce referential integrity.
Change-Id: I9b37c516f67acdf1d9e25222f067df6749e8c769
Reviewed-on: https://gerrit.stanford.edu/1558
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
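The destroy fix above is a general problem with any schema under referential integrity: a table must be dropped only after every table holding a foreign key into it. The following added example, not Wallet::Admin's own code, derives a safe drop order from a map of foreign key references; the table names and the references between them are constructed and only loosely modelled on the wallet schema.

```perl
#!/usr/bin/perl
# Added example (not Wallet::Admin's code): compute a DROP TABLE order in
# which every referencing table is dropped before the table it references.
# %refs is a constructed map: table => tables it holds foreign keys into.
use strict;
use warnings;

my %refs = (
    acls           => [],
    acl_entries    => ['acls'],
    acl_history    => [],
    objects        => ['acls'],
    object_history => [],
    duo            => ['objects'],   # hypothetical link, for illustration
);

# Depth-first post-order over the reverse graph: a table is emitted only
# after every table that references it has been emitted. A reference
# cycle is reported rather than silently producing a partial order.
sub drop_order {
    my ($refs) = @_;
    my %referenced_by;
    for my $table (keys %$refs) {
        push @{ $referenced_by{$_} }, $table for @{ $refs->{$table} };
    }
    my (%state, @order);
    my $visit;
    $visit = sub {
        my ($table) = @_;
        my $s = $state{$table} || '';
        return if $s eq 'done';
        die "foreign key cycle through $table\n" if $s eq 'active';
        $state{$table} = 'active';
        $visit->($_) for sort @{ $referenced_by{$table} || [] };
        $state{$table} = 'done';
        push @order, $table;
    };
    $visit->($_) for sort keys %$refs;
    return @order;
}

# For the constructed map this prints acl_entries, acl_history, duo,
# objects, acls, object_history: duo before objects, and both
# acl_entries and objects before acls.
print "DROP TABLE $_;\n" for drop_order(\%refs);
```

SQLite does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is set, which is why an ordering bug like the one fixed above can pass local tests and only surface on MySQL or PostgreSQL.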
|
Always use DateTime objects for every date field in the database,
and translate them into the local time zone for display when
pulling them out of the database. This should provide better
portability to different database backends.
Change the parsing of expires arguments to use Date::Parse, thus
supporting a much broader variety of possible date and time
formats and allowing easy conversion to a DateTime object.
Document the new dependency.
Change-Id: I2ee8eaa6aa6ae9925ac419e49234ec9880d4fe95
Reviewed-on: https://gerrit.stanford.edu/1555
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I0d7a088bb34dda2fc554b9f104c2a33e5faf879e
Reviewed-on: https://gerrit.stanford.edu/1554
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Store the current name of the ACL with each history row, and index
the name. This will eventually allow retrieval of history by name
for ACLs that have been deleted, although the rest of the code is
not yet in place.
The initial creation and membership of the ADMIN ACL during database
initialization or reinitialization is no longer recorded in the
acl_history table, since otherwise it produces errors due to the
missing ah_name field when building the database with schema 0.07.
There should be some better solution to this, but this will be okay
for the time being.
Change-Id: I015a00c972e0c2730c3d449952fcfe9b79c6e54f
Reviewed-on: https://gerrit.stanford.edu/1553
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Now needs a use lib 'lib' in order to run out of the source
directory.
Change-Id: Ia8645eae6c6699db919968d42f057b06e42150a2
Reviewed-on: https://gerrit.stanford.edu/1552
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Pass in DateTime objects for the date fields in the database instead
of formatted time strings. This provides better compatibility with
different database engines. Document in README the need to install
the DateTime::Format::* module corresponding to the DBD::* module used
for the server database.
Change-Id: Id25796da718d734ac96ca27ccea9045b0c80c03f
Reviewed-on: https://gerrit.stanford.edu/1551
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I61379e8963569d26c9b9c31d1727f3cca4567f8e
Reviewed-on: https://gerrit.stanford.edu/1550
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
In Wallet::Admin, add duo to the list of tables to drop when
either destroying or reinitializing the database.
Change-Id: I78790927f7d53b8d596e6ccb7c2340a341e404ae
Reviewed-on: https://gerrit.stanford.edu/1549
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix strictness issues across the whole code base, and ensure that
all Perl scripts enable warnings. (Hopefully enabling warnings
won't cause problems for the server.)
Change-Id: I4dee49f7a6bcbeeee21d74bf61a1fd26514f832c
Reviewed-on: https://gerrit.stanford.edu/1532
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Now that the Perl directory has been reorganized, it's easier to
synchronize with the standard rra-c-util tests.
Change-Id: I97a03d06ff964edcc85ab8788af281b7bc321235
Reviewed-on: https://gerrit.stanford.edu/1531
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
The wallet server now requires Perl 5.8 or later (instead of 5.006 in
previous versions) and is now built with Module::Build instead of
ExtUtils::MakeMaker. This should be transparent to anyone not working
with the source code, since Perl 5.8 was released in 2002, but
Module::Build is now required to build the wallet server. It is
included in some versions of Perl, or can be installed separately from
CPAN, distribution packages, or other sources.
Also reorganize the test suite to use subdirectories.
Change-Id: Id06120ba2bad1ebbfee3d8a48ca2f25869463165
Reviewed-on: https://gerrit.stanford.edu/1530
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I1acd7894316fc96943b9eda5e3a9abb9d229646c
Reviewed-on: https://gerrit.stanford.edu/1528
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Previous versions had erroneous foreign key constraints between the
object history table and the objects table. Remove those constraints,
and an incorrect linkage in the schema for the ACL history, and add
indices for the object type, name, and ACL instead.
Change-Id: Ie0ff2448caa82c7a533a1b9ff5c13029bb6ae4ef
Reviewed-on: https://gerrit.stanford.edu/1526
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|