From 45fa535256e8272511d1f6769069536248b565dd Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 3 Jan 2016 15:16:19 -0800 Subject: Remove Stanford-internal JIRA identifiers from TODO Change-Id: I97f466b2221b71ffcc60dd4f1b48e5986496ff46 --- TODO | 375 +++++++++++++++++++++++++++++++++---------------------------------- 1 file changed, 182 insertions(+), 193 deletions(-) (limited to 'TODO') diff --git a/TODO b/TODO index 4babbca..f235a37 100644 --- a/TODO +++ b/TODO @@ -2,290 +2,279 @@ Client: - * KERB-94: Handle duplicate kvnos in a newly returned keytab and an - existing keytab (such as when downloading an unchanging keytab and - merging it into an existing one) in some reasonable fashion. + * Handle duplicate kvnos in a newly returned keytab and an existing + keytab (such as when downloading an unchanging keytab and merging it + into an existing one) in some reasonable fashion. - * KERB-90: Support removing old kvnos from a merged keytab (similar to - kadmin ktremove old). + * Support removing old kvnos from a merged keytab (similar to kadmin + ktremove old). - * KERB-88: When reading configuration from krb5.conf, we should first try - to determine our principal from any existing Kerberos ticket cache - (after obtaining tickets if -u was given) and extract the realm from - that principal, using it as the default realm when reading - configuration information. + * When reading configuration from krb5.conf, we should first try to + determine our principal from any existing Kerberos ticket cache (after + obtaining tickets if -u was given) and extract the realm from that + principal, using it as the default realm when reading configuration + information. - * KERB-89: Add readline support to the wallet client to make it easier to - issue multiple commands. + * Add readline support to the wallet client to make it easier to issue + multiple commands. - * KERB-115: Support authenticating with a keytab. + * Support authenticating with a keytab. - * KERB-97: When obtaining tickets in the wallet client with -u, directly - obtain the service ticket we're going to use for remctl. + * When obtaining tickets in the wallet client with -u, directly obtain + the service ticket we're going to use for remctl. - * KERB-95: Provide a way to refresh a file object if and only if what's - stored on the server is different than what's on disk. This will - require server support as well for returning the checksum of a file. + * Provide a way to refresh a file object if and only if what's stored on + the server is different than what's on disk. This will require server + support as well for returning the checksum of a file. - * KERB-104: Incorporate the wallet-rekey-periodic script (currently in - contrib) into the package and teach it how to ignore foreign - credentials. + * Incorporate the wallet-rekey-periodic script (currently in contrib) + into the package and teach it how to ignore foreign credentials. Server Interface: - * KERB-126: Provide a way to get history for deleted objects and ACLs. + * Provide a way to get history for deleted objects and ACLs. - * KERB-66: Provide an interface to mass-change all instances of one ACL - to another. + * Provide an interface to mass-change all instances of one ACL to + another. - * KERB-96: Add help functions to wallet-backend, wallet-report, and - wallet-admin listing the commands. + * Add help functions to wallet-backend, wallet-report, and wallet-admin + listing the commands. - * KERB-52: Catch exceptions on object creation in wallet-backend so that - we can log those as well. + * Catch exceptions on object creation in wallet-backend so that we can + log those as well. - * KERB-114: Provide a way to list all objects for which the connecting - user has ACLs. + * Provide a way to list all objects for which the connecting user has + ACLs. - * KERB-101: Support limiting returned history information by timestamp. + * Support limiting returned history information by timestamp. - * KERB-128: Provide a REST implementation of the wallet server. + * Provide a REST implementation of the wallet server. - * KERB-79: Provide a CGI implementation of the wallet server. + * Provide a CGI implementation of the wallet server. - * KERB-111: Support setting flags and attributes on autocreate. In - general, work out a Wallet::Object::Template Perl object that I can - return that specifies things other than just the ACL. + * Support setting flags and attributes on autocreate. In general, work + out a Wallet::Object::Template Perl object that I can return that + specifies things other than just the ACL. - * KERB-93: Remove the hard-coded ADMIN ACL in the server with something - more configurable, perhaps a global ACL table or something. + * Remove the hard-coded ADMIN ACL in the server with something more + configurable, perhaps a global ACL table or something. - * KERB-68: Support leap-of-faith keying of systems by registering an - object for one-time download (ideally from a specific IP address) and - then allowing that object to be downloaded anonymously from that IP. - Relies on support for Kerberos anonymous authentication. + * Support leap-of-faith keying of systems by registering an object for + one-time download (ideally from a specific IP address) and then + allowing that object to be downloaded anonymously from that IP. Relies + on support for Kerberos anonymous authentication. - * KERB-84: Split "get" and "update" in semantics, and only do keytab - rekeying on update. "get" would not be permitted unless the keytab was - flagged as unchanging, and update would still change even an unchanging - keytab (maybe). Or, alternately, maybe we allow get of any keytab? - Requires more thought. + * Split "get" and "update" in semantics, and only do keytab rekeying on + update. "get" would not be permitted unless the keytab was flagged as + unchanging, and update would still change even an unchanging keytab + (maybe). Or, alternately, maybe we allow get of any keytab? Requires + more thought. - * KERB-118: Add command to list available types and schemes. + * Add command to list available types and schemes. - * KERB-75: Add a mechanism to automate owner updates based on - default_owner. + * Add a mechanism to automate owner updates based on default_owner. - * KERB-64: Partially merge create and autocreate. create and autocreate - should do the same thing provided there is an autocreation - configuration available. If not, autocreate should fail and create - should fall back on checking for ADMIN privileges. + * Partially merge create and autocreate. create and autocreate should do + the same thing provided there is an autocreation configuration + available. If not, autocreate should fail and create should fall back + on checking for ADMIN privileges. - * KERB-116: Support file object renaming. + * Support file object renaming. - * KERB-131: Rewrite server backends to use Net::Remctl::Backend. + * Rewrite server backends to use Net::Remctl::Backend. - * KERB-132: Merge the Wallet::Logger support written by Commerzbank AG: - create a new class that handles logging, probably based on - Log::Log4perl, and add logging points to all of the core classes. + * Merge the Wallet::Logger support written by Commerzbank AG: create a + new class that handles logging, probably based on Log::Log4perl, and + add logging points to all of the core classes. - * KERB-133: Support an authorization hook to determine whether or not to - permit autocreate. One requested example feature is to limit - autocreate of keytab objects to certain hosts involved in deployment. - It should be possible to write a hook that takes the information about - what object is being autocreated and can accept or decline. + * Support an authorization hook to determine whether or not to permit + autocreate. One requested example feature is to limit autocreate of + keytab objects to certain hosts involved in deployment. It should be + possible to write a hook that takes the information about what object + is being autocreated and can accept or decline. ACLs: - * KERB-119: Error messages from ACL operations should refer to the ACLs - by name instead of by ID. + * Error messages from ACL operations should refer to the ACLs by name + instead of by ID. - * KERB-121: Write the PTS ACL verifier. + * Write the PTS ACL verifier. - * KERB-123: Rename Wallet::ACL::* to Wallet::Verifier::*. Add - Wallet::ACL as a generic interface with Wallet::ACL::Database and - Wallet::ACL::List implementations (or some similar name) so that we can - create and check an ACL without having to write it into the database. - Redo default ACL creation using that functionality. + * Rename Wallet::ACL::* to Wallet::Verifier::*. Add Wallet::ACL as a + generic interface with Wallet::ACL::Database and Wallet::ACL::List + implementations (or some similar name) so that we can create and check + an ACL without having to write it into the database. Redo default ACL + creation using that functionality. - * KERB-67: Pass a reference to the object for which the ACL is - interpreted to the ACL API so that ACL APIs can make more complex - decisions. + * Pass a reference to the object for which the ACL is interpreted to the + ACL API so that ACL APIs can make more complex decisions. - * KERB-109: A group-in-groups ACL schema. + * A group-in-groups ACL schema. - * KERB-113: Provide an API for verifiers to syntax-check the values - before an ACL is set and implement syntax checking for the krb5 and - ldap-attr verifiers. + * Provide an API for verifiers to syntax-check the values before an ACL + is set and implement syntax checking for the krb5 and ldap-attr + verifiers. - * KERB-60: Investigate how best to support client authentication using - anonymous PKINIT for things like initial system keying. + * Investigate how best to support client authentication using anonymous + PKINIT for things like initial system keying. - * KERB-72: Generalize the current NetDB ACL type to allow a generic - remctl query for whether a particular user is authorized to create - host-based objects for a particular host. + * Generalize the current NetDB ACL type to allow a generic remctl query + for whether a particular user is authorized to create host-based + objects for a particular host. - * KERB-78: Add ldap-group ACL scheme. + * Add ldap-group ACL scheme. - * KERB-63: Provide a root-instance version of the ldap-attr (and possibly - the ldap-group) ACL schemes. + * Provide a root-instance version of the ldap-attr (and possibly the + ldap-group) ACL schemes. - * KERB-86: Add a comment field to ACLs. + * Add a comment field to ACLs. Database: - * KERB-55: Fix case-insensitivity bug in unique keys with MySQL for - objects. When creating an http/ principal when an HTTP/ - principal already existed, MySQL rejected the row entry as a duplicate. - The name should be case-sensitive. + * Fix case-insensitivity bug in unique keys with MySQL for objects. When + creating an http/ principal when an HTTP/ principal already + existed, MySQL rejected the row entry as a duplicate. The name should + be case-sensitive. - * KERB-103: On upgrades, support adding new object types and ACL - verifiers to the class tables. + * On upgrades, support adding new object types and ACL verifiers to the + class tables. Objects: - * KERB-120: Check whether we can just drop the realm restriction on - keytabs and allow the name to contain the realm if the Kerberos type is - Heimdal. + * Check whether we can just drop the realm restriction on keytabs and + allow the name to contain the realm if the Kerberos type is Heimdal. - * KERB-59: Use the Perl Authen::Krb5::Admin module instead of rolling our - own kadmin code with Expect now that MIT Kerberos has made the kadmin - API public. + * Use the Perl Authen::Krb5::Admin module instead of rolling our own + kadmin code with Expect now that MIT Kerberos has made the kadmin API + public. - * KERB-85: Implement an ssh keypair wallet object. The server can run - ssh-keygen to generate a public/private key pair and return both to the - client, which would split them apart. Used primarily for host keys. - May need a side table to store key types, or a naming convention. + * Implement an ssh keypair wallet object. The server can run ssh-keygen + to generate a public/private key pair and return both to the client, + which would split them apart. Used primarily for host keys. May need + a side table to store key types, or a naming convention. - * KERB-124: Implement an X.509 certificate object. I expect this would - store the public and private key as a single file in the same format - that Apache can read for combined public and private keys. There were - requests for storing the CSR, but I don't see why you'd want to do - that. Start with store support. The file code is mostly sufficient - here, but it would be nice to automatically support object expiration - based on the expiration time for the certificate. + * Implement an X.509 certificate object. I expect this would store the + public and private key as a single file in the same format that Apache + can read for combined public and private keys. There were requests for + storing the CSR, but I don't see why you'd want to do that. Start with + store support. The file code is mostly sufficient here, but it would + be nice to automatically support object expiration based on the + expiration time for the certificate. - * KERB-106: Implement an X.509 CA so that you can get certificate objects - without storing them first. Need to resolve naming conventions if you - want to run multiple CAs on the same wallet server (but why?). Should - this be a different type than stored certificates? Consider using - hxtool as the underlying CA mechanism. + * Implement an X.509 CA so that you can get certificate objects without + storing them first. Need to resolve naming conventions if you want to + run multiple CAs on the same wallet server (but why?). Should this be + a different type than stored certificates? Consider using hxtool as + the underlying CA mechanism. - * KERB-77: Support returning the checksum of a file object stored in - wallet so that one can determine whether the version stored on disk is - identical. + * Support returning the checksum of a file object stored in wallet so + that one can determine whether the version stored on disk is identical. - * KERB-108: Implement new password wallet object, which is like file - except that it generates a random, strong password when retrieved the - first time without being stored. + * Implement new password wallet object, which is like file except that it + generates a random, strong password when retrieved the first time + without being stored. - * KERB-71: Support interrogating objects to find all host-based objects - for a particular host, allowing cleanup of all of those host's objects - after retiring the host. + * Support interrogating objects to find all host-based objects for a + particular host, allowing cleanup of all of those host's objects after + retiring the host. - * KERB-127: Support setting the disallow-svr flag on created principals. - In general, support setting arbitrary principal flags. + * Support setting the disallow-svr flag on created principals. In + general, support setting arbitrary principal flags. Reports: - * KERB-117: Add audit for references to unknown ACLs, possibly introduced - by previous versions before ACL deletion was checked with database + * Add audit for references to unknown ACLs, possibly introduced by + previous versions before ACL deletion was checked with database backends that don't do referential integrity. - * KERB-105: Add report for all objects that have never been stored. + * Add report for all objects that have never been stored. - * KERB-122: For objects tied to hostnames, report on objects referring to - hosts which do not exist. For the initial pass, this is probably only - keytab objects with names containing a slash where the part after the - slash looks like a hostname. This may need some configuration help. + * For objects tied to hostnames, report on objects referring to hosts + which do not exist. For the initial pass, this is probably only keytab + objects with names containing a slash where the part after the slash + looks like a hostname. This may need some configuration help. - * KERB-102: Make contrib/wallet-summary generic and include it in - wallet-report, with additional configuration in Wallet::Config. - Enhance it to report on any sort of object, not just on keytabs, and to - give numbers on downloaded versus not downloaded objects. + * Make contrib/wallet-summary generic and include it in wallet-report, + with additional configuration in Wallet::Config. Enhance it to report + on any sort of object, not just on keytabs, and to give numbers on + downloaded versus not downloaded objects. - * KERB-69: Write a tool to mail the owners of wallet objects, taking the - list of objects and the mail message to send as inputs. This could - possibly use the notification service, although a version that sends - mail directly would be useful external to Stanford. + * Write a tool to mail the owners of wallet objects, taking the list of + objects and the mail message to send as inputs. This could possibly + use the notification service, although a version that sends mail + directly would be useful external to Stanford. - * KERB-134: Merge the Commerzbank AG work to dump all the object history, - applying various search criteria to it, or clear parts of the object - history. + * Merge the Commerzbank AG work to dump all the object history, applying + various search criteria to it, or clear parts of the object history. Administrative Interface: - * KERB-80: Add a function to wallet-admin to purge expired entries. - Possibly also check expiration before allowing anyone to get or store - objects. + * Add a function to wallet-admin to purge expired entries. Possibly also + check expiration before allowing anyone to get or store objects. - * KERB-58: Add a function or separate script to automate removal of - DNS-based objects for which the hosts no longer exist. Will need to - support a site-specific callout to determine whether the host exists. + * Add a function or separate script to automate removal of DNS-based + objects for which the hosts no longer exist. Will need to support a + site-specific callout to determine whether the host exists. - * KERB-54: Database creation appears not to work without the SQL files, - but it's supposed to work directly from the classes. Double-check - this. + * Database creation appears not to work without the SQL files, but it's + supposed to work directly from the classes. Double-check this. Documentation: - * KERB-82: Write a conventions document for ACL naming, object naming, - and similar issues. + * Write a conventions document for ACL naming, object naming, and similar + issues. - * KERB-125: Write a future design and roadmap document to collect notes - about how unimplemented features should be handled. + * Write a future design and roadmap document to collect notes about how + unimplemented features should be handled. - * KERB-65: Document using the wallet system over something other than - remctl. + * Document using the wallet system over something other than remctl. - * KERB-112: Document all diagnostics for all wallet APIs. + * Document all diagnostics for all wallet APIs. - * KERB-135: Document configuration with an Oracle database. + * Document configuration with an Oracle database. Code Style and Cleanup: - * KERB-98: There is a lot of duplicate code in wallet-backend. Convert - that to use some sort of data-driven model with argument count and - flags so that the method calls can be written only once. Convert - wallet-admin to use the same code. + * There is a lot of duplicate code in wallet-backend. Convert that to + use some sort of data-driven model with argument count and flags so + that the method calls can be written only once. Convert wallet-admin + to use the same code. - * KERB-100: There's a lot of code duplication in the dispatch functions - in the Wallet::Server class. Find a way to rewrite that so that the - dispatch doesn't duplicate the same code patterns. + * There's a lot of code duplication in the dispatch functions in the + Wallet::Server class. Find a way to rewrite that so that the dispatch + doesn't duplicate the same code patterns. - * KERB-73: The wallet-backend and wallet documentation share the COMMANDS - section. Work out some means to assemble the documentation without - duplicating content. + * The wallet-backend and wallet documentation share the COMMANDS section. + Work out some means to assemble the documentation without duplicating + content. - * KERB-110: The Wallet::Config class is very ugly and could use some - better internal API to reference the variables in it. + * The Wallet::Config class is very ugly and could use some better + internal API to reference the variables in it. - * KERB-76: Consider using Class::Accessor to get rid of the scaffolding - code to access object data. Alternately, consider using Moose. + * Consider using Class::Accessor to get rid of the scaffolding code to + access object data. Alternately, consider using Moose. - * KERB-130: Rewrite the error handling to use exceptions instead of the - C-style return value and separate error call. + * Rewrite the error handling to use exceptions instead of the C-style + return value and separate error call. Test Suite: - * KERB-92: The ldap-attr verifier test case is awful and completely - specific to people with admin access to the Stanford LDAP tree. Write - a real test. + * The ldap-attr verifier test case is awful and completely specific to + people with admin access to the Stanford LDAP tree. Write a real test. - * KERB-87: Rename the tests to use a subdirectory organization. + * Rename the tests to use a subdirectory organization. - * KERB-61: Add POD coverage testing using Test::POD::Coverage for the - server modules. + * Add POD coverage testing using Test::POD::Coverage for the server + modules. - * KERB-91: Rewrite the client test suite to use Perl and to make better - use of shared code so that it can be broken into function components. + * Rewrite the client test suite to use Perl and to make better use of + shared code so that it can be broken into function components. - * KERB-74: Refactor the test suite for the wallet backend to try to - reduce the duplicated code. Using a real mock infrastructure should - make this test suite much easier to write. + * Refactor the test suite for the wallet backend to try to reduce the + duplicated code. Using a real mock infrastructure should make this + test suite much easier to write. - * KERB-81: Pull common test suite code into a Perl library that can be - reused. + * Pull common test suite code into a Perl library that can be reused. - * KERB-99: Write a test suite to scan all wallet code looking for - diagnostics that aren't in the documentation and warn about them. + * Write a test suite to scan all wallet code looking for diagnostics that + aren't in the documentation and warn about them. -- cgit v1.2.3 From 3b8a786a0e4d77bfc63cc8d4373972ef578115ea Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 3 Jan 2016 15:21:30 -0800 Subject: Flesh out NEWS and update TODO for merged changes Change-Id: I714a6298c36e6fd7eca6ee3acb01637a96773647 --- NEWS | 35 +++++++++++++++++++++++++++++++---- TODO | 28 +++++----------------------- 2 files changed, 36 insertions(+), 27 deletions(-) (limited to 'TODO') diff --git a/NEWS b/NEWS index 3afbd2c..48ab131 100644 --- a/NEWS +++ b/NEWS @@ -2,10 +2,27 @@ wallet 1.3 (unreleased) - A new object type, password (Wallet::Object::Password), is now - supported. This is a subclass of the file object that will randomly + A new ACL type, nested (Wallet::ACL::Nested), is now supported. The + identifier of this ACL names another ACL, and access is granted if + that ACL would grant access. This lets one combine multiple other + ACLs and apply the union to an object. To enable this ACL type for an + existing wallet database, use wallet-admin to register the new + verifier. + + A new variation on the ldap-attr ACL type, ldap-attr-root + (Wallet::ACL::LDAP::Attribute::Root), is now supported. This is + similar to netdb-root (compared to netdb): the authenticated principal + must end in /root, and the LDAP entry checked will be for the same + principal without the /root component. This is useful for limiting + access to certain privileged objects to Kerberos root instances. To + enable this ACL type for an existing wallet database, use wallet-admin + to register the new verifier. + + A new object type, password (Wallet::Object::Password), is now + supported. This is a subclass of the file object that will randomly generate content for the object if you do a get before storing any - content inside it. + content inside it. To enable this object type for an existing + database, use wallet-admin to register the new object. Add a new command to wallet-backend, update. This will update the contents of an object before running a get on it, and is only valid @@ -17,7 +34,8 @@ wallet 1.3 (unreleased) warrants. Add an acl replace command, to change all objects owned by one ACL to - be owned by another. + be owned by another. This currently only handles owner, not any of + the more specific ACLs. All ACL operations now refer to the ACL by name rather than ID. @@ -25,11 +43,20 @@ wallet 1.3 (unreleased) help for the existing unused report that implied it showed unstored as well as unused. + Add reports that list all object types (types) and all ACL schemes + (schemes) currently registered in the wallet database. + + Add a report of all ACLs that nest a given ACL. This requires some + additional local configuration (and probably some code). See + Wallet::Config for more information. + Took contributions from Commerzbank AG to improve wallet history. Add a command to dump all object history for searching on to wallet-report, and add a new script for more detailed object history operations to the contrib directory. + Displays of ACLs and ACL entries are now sorted correctly. + wallet 1.2 (2014-12-08) The duo object type has been split into several sub-types, each for a diff --git a/TODO b/TODO index f235a37..24514d8 100644 --- a/TODO +++ b/TODO @@ -35,10 +35,11 @@ Server Interface: * Provide a way to get history for deleted objects and ACLs. * Provide an interface to mass-change all instances of one ACL to - another. + another. (Owner changes are currently supported, but not the other + ACLs.) - * Add help functions to wallet-backend, wallet-report, and wallet-admin - listing the commands. + * Add help functions to wallet-backend and wallet-admin listing the + commands. * Catch exceptions on object creation in wallet-backend so that we can log those as well. @@ -70,8 +71,6 @@ Server Interface: (maybe). Or, alternately, maybe we allow get of any keytab? Requires more thought. - * Add command to list available types and schemes. - * Add a mechanism to automate owner updates based on default_owner. * Partially merge create and autocreate. create and autocreate should do @@ -79,8 +78,6 @@ Server Interface: available. If not, autocreate should fail and create should fall back on checking for ADMIN privileges. - * Support file object renaming. - * Rewrite server backends to use Net::Remctl::Backend. * Merge the Wallet::Logger support written by Commerzbank AG: create a @@ -109,8 +106,6 @@ ACLs: * Pass a reference to the object for which the ACL is interpreted to the ACL API so that ACL APIs can make more complex decisions. - * A group-in-groups ACL schema. - * Provide an API for verifiers to syntax-check the values before an ACL is set and implement syntax checking for the krb5 and ldap-attr verifiers. @@ -122,10 +117,7 @@ ACLs: for whether a particular user is authorized to create host-based objects for a particular host. - * Add ldap-group ACL scheme. - - * Provide a root-instance version of the ldap-attr (and possibly the - ldap-group) ACL schemes. + * Add ldap-group ACL scheme (and possibly a root-only version). * Add a comment field to ACLs. @@ -170,14 +162,6 @@ Objects: * Support returning the checksum of a file object stored in wallet so that one can determine whether the version stored on disk is identical. - * Implement new password wallet object, which is like file except that it - generates a random, strong password when retrieved the first time - without being stored. - - * Support interrogating objects to find all host-based objects for a - particular host, allowing cleanup of all of those host's objects after - retiring the host. - * Support setting the disallow-svr flag on created principals. In general, support setting arbitrary principal flags. @@ -187,8 +171,6 @@ Reports: previous versions before ACL deletion was checked with database backends that don't do referential integrity. - * Add report for all objects that have never been stored. - * For objects tied to hostnames, report on objects referring to hosts which do not exist. For the initial pass, this is probably only keytab objects with names containing a slash where the part after the slash -- cgit v1.2.3 From 23a6b180f975c24c8ee4190467c74b78fde0d084 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 3 Jan 2016 19:29:20 -0800 Subject: Add Wallet::ACL::External ACL type A new ACL type, external (Wallet::ACL::External), is now supported. This ACL runs an external command to check if access is allowed, and passes the principal and the ACL identifier to that command. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier. Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602 --- NEWS | 6 ++ TODO | 4 + docs/design-acl | 6 ++ perl/lib/Wallet/ACL/External.pm | 197 ++++++++++++++++++++++++++++++++++++++++ perl/lib/Wallet/Config.pm | 35 ++++++- perl/t/data/acl-command | 43 +++++++++ perl/t/verifier/external.t | 32 +++++++ 7 files changed, 321 insertions(+), 2 deletions(-) create mode 100644 perl/lib/Wallet/ACL/External.pm create mode 100755 perl/t/data/acl-command create mode 100755 perl/t/verifier/external.t (limited to 'TODO') diff --git a/NEWS b/NEWS index 48ab131..3185b5b 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,12 @@ wallet 1.3 (unreleased) existing wallet database, use wallet-admin to register the new verifier. + A new ACL type, external (Wallet::ACL::External), is now supported. + This ACL runs an external command to check if access is allowed, and + passes the principal and the ACL identifier to that command. To + enable this ACL type for an existing wallet database, use wallet-admin + to register the new verifier. + A new variation on the ldap-attr ACL type, ldap-attr-root (Wallet::ACL::LDAP::Attribute::Root), is now supported. This is similar to netdb-root (compared to netdb): the authenticated principal diff --git a/TODO b/TODO index 24514d8..18b68eb 100644 --- a/TODO +++ b/TODO @@ -121,6 +121,10 @@ ACLs: * Add a comment field to ACLs. + * Support external ACLs under a backend other than remctl. This will + require some way of re-exporting the authenticated user identity + instead of relying on the existence of the remctl variables. + Database: * Fix case-insensitivity bug in unique keys with MySQL for objects. When diff --git a/docs/design-acl b/docs/design-acl index 32ac508..b8bb8b3 100644 --- a/docs/design-acl +++ b/docs/design-acl @@ -50,6 +50,12 @@ Semantics ACL Schemes + external + + The is arguments to an external command. Access is + granted if the external command returns success. The standard remctl + environment variables are exposed to the external command. + krb5 The is a fully-qualified Kerberos principal. Access is diff --git a/perl/lib/Wallet/ACL/External.pm b/perl/lib/Wallet/ACL/External.pm new file mode 100644 index 0000000..da013aa --- /dev/null +++ b/perl/lib/Wallet/ACL/External.pm @@ -0,0 +1,197 @@ +# Wallet::ACL::External -- Wallet external ACL verifier +# +# Written by Russ Allbery +# Copyright 2016 Russ Allbery +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::ACL::External; +require 5.008; + +use strict; +use warnings; +use vars qw(@ISA $VERSION); + +use Wallet::ACL::Base; +use Wallet::Config; + +@ISA = qw(Wallet::ACL::Base); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Interface +############################################################################## + +# Creates a new persistent verifier. This just checks if the configuration +# is in place. +sub new { + my $type = shift; + unless ($Wallet::Config::EXTERNAL_COMMAND) { + die "external ACL support not configured\n"; + } + my $self = {}; + bless ($self, $type); + return $self; +} + +# The most trivial ACL verifier. Returns true if the provided principal +# matches the ACL. +sub check { + my ($self, $principal, $acl) = @_; + unless ($principal) { + $self->error ('no principal specified'); + return; + } + my @args = split (' ', $acl); + unshift @args, $principal; + my $pid = open (EXTERNAL, '-|'); + if (not defined $pid) { + $self->error ("cannot fork: $!"); + return; + } elsif ($pid == 0) { + unless (open (STDERR, '>&STDOUT')) { + warn "wallet: cannot dup stdout: $!\n"; + exit 1; + } + unless (exec ($Wallet::Config::EXTERNAL_COMMAND, @args)) { + warn "wallet: cannot run $Wallet::Config::EXTERNAL_COMMAND: $!\n"; + exit 1; + } + } + local $_; + my @output = ; + close EXTERNAL; + if ($? == 0) { + return 1; + } else { + if (@output) { + $self->error ($output[0]); + return; + } else { + return 0; + } + } +} + +1; +__END__ + +############################################################################## +# Documentation +############################################################################## + +=for stopwords +ACL Allbery verifier + +=head1 NAME + +Wallet::ACL::External - Wallet ACL verifier using an external command + +=head1 SYNOPSIS + + my $verifier = Wallet::ACL::External->new; + my $status = $verifier->check ($principal, $acl); + if (not defined $status) { + die "Something failed: ", $verifier->error, "\n"; + } elsif ($status) { + print "Access granted\n"; + } else { + print "Access denied\n"; + } + +=head1 DESCRIPTION + +Wallet::ACL::External runs an external command to determine whether access is +granted. The command configured via $EXTERNAL_COMMAND in L +will be run. The first argument to the command will be the principal +requesting access. The identifier of the ACL will be split on whitespace and +passed in as the remaining arguments to this command. + +No other arguments are passed to the command, but the command will have access +to all of the remctl environment variables seen by the wallet server (such as +REMOTE_USER). For a full list of environment variables, see +L. + +The external command should exit with a non-zero status but no output to +indicate a normal failure to satisfy the ACL. Any output will be treated as +an error. + +=head1 METHODS + +=over 4 + +=item new() + +Creates a new ACL verifier. For this verifier, this just confirms that +the wallet configuration sets an external command. + +=item check(PRINCIPAL, ACL) + +Returns true if the external command returns success when run with that +PRINCIPAL and ACL. ACL will be split on whitespace and passed as multiple +arguments. So, for example, the ACL C will, when +triggered by a request from rra@EXAMPLE.COM, result in the command: + + $Wallet::Config::EXTERNAL_COMMAND rra@EXAMPLE.COM mdbset shell + +=item error() + +Returns the error if check() returned undef. + +=back + +=head1 DIAGNOSTICS + +The new() method may fail with one of the following exceptions: + +=over 4 + +=item external ACL support not configured + +The required configuration parameters were not set. See L +for the required configuration parameters and how to set them. + +=back + +Verifying an external ACL may fail with the following errors (returned by +the error() method): + +=over 4 + +=item cannot fork: %s + +The attempt to fork in order to execute the external ACL verifier +command failed, probably due to a lack of system resources. + +=item no principal specified + +The PRINCIPAL parameter to check() was undefined or the empty string. + +=back + +In addition, if the external command fails and produces some output, +that will be considered a failure and the first line of its output will +be returned as the error message. The external command should exit +with a non-zero status but no error to indicate a normal failure. + +=head1 SEE ALSO + +remctld(8), Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), +wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L. + +=head1 AUTHOR + +Russ Allbery + +=cut diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index b3e1931..98b5dc9 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm @@ -1,7 +1,8 @@ # Wallet::Config -- Configuration handling for the wallet server. # # Written by Russ Allbery -# Copyright 2007, 2008, 2010, 2013, 2014 +# Copyright 2016 Russ Allbery +# Copyright 2007, 2008, 2010, 2013, 2014, 2015 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -16,7 +17,7 @@ use vars qw($PATH $VERSION); # This version should be increased on any code change to this module. Always # use two digits for the minor version with a leading zero if necessary so # that it will sort properly. -$VERSION = '0.05'; +$VERSION = '0.06'; # Path to the config file to load. $PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf'; @@ -540,6 +541,36 @@ our $WAKEYRING_PURGE_INTERVAL = 60 * 60 * 24 * 90; =back +=head1 EXTERNAL ACL CONFIGURATION + +This configuration variable is only needed if you intend to use the +C ACL type (the Wallet::ACL::External class). This ACL type +runs an external command to determine if access is granted. + +=over 4 + +=item EXTERNAL_COMMAND + +Path to the command to run to determine whether access is granted. The +first argument to the command will be the principal requesting access. +The identifier of the ACL will be split on whitespace and passed in as the +remaining arguments to this command. + +No other arguments are passed to the command, but the command will have +access to all of the remctl environment variables seen by the wallet +server (such as REMOTE_USER). For a full list of environment variables, +see L. + +The external command should exit with a non-zero status but no output to +indicate a normal failure to satisfy the ACL. Any output will be treated +as an error. + +=cut + +our $EXTERNAL_COMMAND; + +=back + =head1 LDAP ACL CONFIGURATION These configuration variables are only needed if you intend to use the diff --git a/perl/t/data/acl-command b/perl/t/data/acl-command new file mode 100755 index 0000000..e368118 --- /dev/null +++ b/perl/t/data/acl-command @@ -0,0 +1,43 @@ +#!/bin/sh +# +# An external ACL implementation. Checks that the first argument is +# eagle@eyrie.org, the second argument is "test", and then returns success, +# failure, or reports an error based on whether the second argument is +# success, failure, or error. +# +# Written by Russ Allbery +# Copyright 2016 Russ Allbery +# +# See LICENSE for licensing terms. + +set -e + +# Check the initial principal argument. +if [ "$1" != 'eagle@eyrie.org' ]; then + echo 'incorrect principal' >&2 + exit 1 +fi + +# Check that the second argument is test. +if [ "$2" != 'test' ]; then + echo 'incorrect second argument' >&2 + exit 1 +fi + +# Process the third argument. +case $3 in + success) + exit 0 + ;; + failure) + exit 1 + ;; + error) + echo 'some error' >&2 + exit 1 + ;; + *) + echo 'unknown third argument' >&2 + exit 1 + ;; +esac diff --git a/perl/t/verifier/external.t b/perl/t/verifier/external.t new file mode 100755 index 0000000..3e7e776 --- /dev/null +++ b/perl/t/verifier/external.t @@ -0,0 +1,32 @@ +#!/usr/bin/perl +# +# Tests for the external wallet ACL verifier. +# +# Written by Russ Allbery +# Copyright 2016 Russ Allbery +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use Test::More tests => 9; + +use Wallet::ACL::External; +use Wallet::Config; + +# Configure the external ACL verifier. +$Wallet::Config::EXTERNAL_COMMAND = 't/data/acl-command'; + +# Check a few verifications. +my $verifier = Wallet::ACL::External->new; +ok (defined $verifier, 'Wallet::ACL::External creation'); +ok ($verifier->isa ('Wallet::ACL::External'), ' and class verification'); +is ($verifier->check ('eagle@eyrie.org', 'test success'), 1, 'Success'); +is ($verifier->check ('eagle@eyrie.org', 'test failure'), 0, 'Failure'); +is ($verifier->error, undef, 'No error set'); +is ($verifier->check ('eagle@eyrie.org', 'test error'), undef, 'Error'); +is ($verifier->error, 'some error', ' and right error'); +is ($verifier->check (undef, 'eagle@eyrie.org'), undef, + 'Undefined principal'); +is ($verifier->error, 'no principal specified', ' and right error'); -- cgit v1.2.3