User-Visible wallet Changes wallet 1.0 (unreleased) wallet-admin has a new sub-command, upgrade, which upgrades the wallet database to the latest schema version. This command should be run when deploying any new version of the wallet server. A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now supported. This ACL type grants access if the LDAP entry corresponding to the principal contains the attribute name and value specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are required to use this ACL type. New configuration settings are required as well; see Wallet::Config for more information. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier. Add a new acl check command which, given an ACL ID, prints yes if that ACL already exists and no otherwise. This is parallel to the check command for objects. Add a comment field to objects and corresponding commands to wallet-backend and wallet to set and retrieve it. The comment field can only be set by the owner or wallet administrators but can be seen by anyone on the show ACL. Add docs/objects-and-schemes, which provides a brief summary of the current supported object types and ACL schemes. wallet 0.12 (2010-08-25) New client program wallet-rekey that, given a list of keytabs on the command line, requests new keytab objects for each principal in the local realm and then merges the new objects into that keytab. The current implementation only acquires new keys and doesn't purge any old keys. A new ACL type, krb5-regex, is now supported. This ACL type is the same as krb5 except that the identifier is interpreted as a Perl regular expression and matched against the authenticated identity attempting to run a wallet command. Patch from Ian Durkacz. Add a objects unused report to wallet-report and Wallet::Report, returning all objects that have never been downloaded (in other words, have never been the target of a get command). Add an acls duplicate report to wallet-report and Wallet::Report, returning sets of ACLs that have exactly the same entries. Add a help command to wallet-report, which returns a summary of all available commands. Update to C TAP Harness 1.5: * Better reporting of fatal errors in the test suite. * Summarize results at the end of test execution. * Add tests/HOWTO from docs/writing-tests in C TAP Harness. Update to rra-c-util 2.6: * Fix portability to bundled Heimdal on OpenBSD. * Improve checking for krb5_kt_free_entry with older MIT Kerberos. * Fix portability for missing krb5_get_init_creds_opt_free. * Fix header guard for util/xwrite.h. * Restore default compiler configuration after GSS-API library probe. wallet 0.11 (2010-03-08) When deleting an ACL on the server, verify that the ACL is not referenced by any object first. Database referential integrity should also catch this, but not all database backends may enforce referential integrity. This also allows us to return a better error message naming an object that's still using that ACL. Wallet::Config now supports an additional local function, verify_acl_name, which can be used to enforce ACL naming policies. If set, it is called for any ACL creation or rename and can reject the new ACL name. Add an audit command to wallet-report and two audits: acls name, which returns all ACLs that do not pass the local naming policy, and objects name, which does the same for objects. The corresponding Wallet::Report method is audit(). Add the acls unused report to wallet-report and Wallet::Report, returning all ACLs not referenced by any database objects. Wallet::Config::verify_name may now be called with an undefined third argument (normally the user attempting to create an object). This calling convention is used when auditing, and the local policy function should select the correct policy to apply for useful audit results. Fix portability to older Kerberos libraries without krb5_free_error_message. wallet 0.10 (2010-02-21) Add support for Heimdal KDCs as well as MIT Kerberos KDCs. There is now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE. It should be set to either "MIT" or "Heimdal" depending on the Kerberos KDC implementation used. The Heimdal support requires the Heimdal::Kadm5 Perl module. Remove kaserver synchronization support. It is no longer tested, and retaining the code was increasing the complexity of wallet, and some specific requirements (such as different realm names between kaserver and Kerberos v5 and the kvno handling) were Stanford-specific. Rather than using this support, AFS sites running kaserver will probably find deploying Heimdal with its internal kaserver compatibility is probably an easier transition approach. Remove the kasetkey client for setting keys in an AFS kaserver. The wallet client no longer enables kaserver synchronization when a srvtab is requested with -S. Instead, it just extracts the DES key from the keytab and writes it to a srvtab. It no longer forces the kvno of the srvtab to 0 (a Stanford-specific action) and instead preserves the kvno from the key in the keytab. This should now do the right thing for sites that use a KDC that serves both Kerberos v4 and Kerberos v5 from the same database. The wallet client can now store data containing nul characters and wallet-backend will accept it if passed on standard input instead of as a command-line argument. See config/wallet for the new required remctld configuration. Storing data containing nul characters requires remctl 2.14 or later. Correctly handle storing of data that begins with a dash and don't parse it as an argument to wallet-backend. Fix logging in wallet-backend and the remctl configuration to not log the data passed to store. Move all reporting from Wallet::Admin to Wallet::Report and simplify the method names since they're now part of a dedicated reporting class. Similarly, create a new wallet-report script to wrap Wallet::Report, moving all reporting commands to it from wallet-admin, and simplify the commands since they're for a dedicated reporting script. Add additional reports for wallet-report: objects owned by a specific ACL, objects owned by no one, objects of a specific type, objects with a specific flag, objects for which a specific ACL has privileges, ACLs with an entry with a given type and identifier, and ACLs with no members. Add a new owners command to wallet-report and corresponding owners() method to Wallet::Report, which returns all ACL lines on owner ACLs for matching objects. Report ACL names as well as numbers in object history. The wallet client now uses a temporary disk ticket cache when obtaining tickets with the -u option rather than an in-memory cache, allowing for a libremctl built against a different Kerberos implementation than the wallet client. This primarily helps with testing. Update to rra-c-util 2.3: * Use Kerberos portability layer to support Heimdal. * Avoid Kerberos API calls deprecated on Heimdal. * Sanity-check the results of krb5-config before proceeding. * Fall back on manual probing if krb5-config results don't work. * Add --with-krb5-include and --with-krb5-lib configure options. * Add --with-remctl-include and --with-remctl-lib configure options. * Add --with-gssapi-include and --with-gssapi-lib configure options. * Don't break if the user clobbers CPPFLAGS at build time. * Suppress error output from krb5-config probes. * Prefer KRB5_CONFIG over a path constructed from --with-*. * Update GSS-API probes for Solaris 10's native implementation. * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf. * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]). * Provide a proper bool type with Sun Studio 12 on Solaris 10. * Break util/util.h into separate header files per module. * Update portable and util tests for C TAP Harness 1.1. Update to C TAP Harness 1.1: * Remove the need for Autoconf substitution in test programs. * Support running a single test program with runtests -o. * Properly handle test cases that are skipped in their entirety. * Much improved C TAP library more closely matching Test::More. wallet 0.9 (2008-04-24) The wallet command-line client now reads the data for store from a file (using -f) or from standard input (if -f wasn't given) when the data isn't specified on the command line. The data still must not contain nul characters. Add support for enabling and disabling principals (clearing or setting the NOTGS flag) and examining principals to kasetkey. This functionality isn't used by wallet (and probably won't be) but is convenient for other users of kasetkey such as kadmin-remctl. Report the correct error message when addprinc fails while creating a keytab object. The configure option requesting AFS kaserver support (and thus building kasetkey) is now --with-kaserver instead of --with-afs. If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb4 or --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file. Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work. Fix Autoconf syntax error when probing for libkrb5support. Thanks, Mike Garrison. wallet can now be built in a different directory than the source directory. Stop setting Stanford-specific compile-time defaults for the wallet server and port. Perl 5.8 is required to run the test suite, but IO::String is not. Include Stanford's wallet.conf as an example (examples/stanford.conf). wallet 0.8 (2008-02-13) Fix the wallet client to use check instead of exists. Add file object support to the wallet server. Correctly handle get of an empty object in the wallet client. The empty string is valid object content. Wallet::Config and hence the wallet server now checks for the environment variable WALLET_CONFIG and loads configuration from the file specified there instead of /etc/wallet/wallet.conf if it is set. wallet-backend now supports a -q flag, which disables syslog logging. wallet-admin now supports registering new object or ACL verifier implementations in the database. Remove the restriction that all object implementations must have class names of Wallet::Object::* and all ACL verifier implementations must have class names of Wallet::ACL::*. Add a full end-to-end test suite to catch protocol mismatches between the client and server, such as the one fixed in this release. Update the design documentation to reflect the current protocol and implementation. wallet 0.7 (2008-02-08) Add new exists and autocreate wallet server interfaces. The first states whether a given object exists and the second attempts to create the object using the default owner rules. Remove default owner handling from the create interface, which is now for administrators only. Remove server-side auto-creation of objects on get or store and instead have the client check for object existence and call autocreate if necessary. This removes confusion between default ACLs and administrative object creation for users who are also on the ADMIN ACL. When creating a srvtab based on a just-downloaded keytab, extract the srvtab key before merging the keytab into an existing file. Otherwise, if the new keys had a lower kvno than the old keys (possible after deleting and recreating the object), the wrong key would be extracted for the srvtab. keytab-backend now passes kadmin.local ktadd its options in a specific order to satisfy the picky option parser. Check naming policy on wallet object creation before checking the default ACLs to avoid creating and stranding an ACL when the naming policy check fails. The current version of Net::Remctl can't handle explicit undef or the empty string as a principal argument. Be careful not to provide a principal argument if no principal was set. This workaround can be removed once we depend on a later version of Net::Remctl. Correctly enable syslog logging in wallet-backend. Fix the example remctl configuration for keytab-backend to use the correct script name. wallet 0.6 (2008-01-28) SECURITY: If -f is used and the output file name with ".new" appended already exists, unlink it first and then create it safely rather than truncating it. This is much safer when creating files in a world-writable directory. The wallet client can now get the server, port, principal, and remctl type from krb5.conf as well as from compile-time defaults and command-line options. When getting a keytab with the client with no -f option, correctly write the keytab to standard output rather than dying with a cryptic error. When downloading a keytab to a file that already exists, merge the new keytab keys into that file rather than moving aside the old keytab and creating a new keytab with only the new keys. The wallet client now supports a -u option, saying to obtain Kerberos credentials for the given user and use those for authentication rather than using an existing ticket cache. Add a wallet-admin program which can initialize and destroy the database and list all objects and ACLs in the database. Support enforcing a naming policy for wallet objects via a Perl function in the wallet server configuration file. The build system now probes for GSS-API, Kerberos v5 and v4, and AFS libraries as necessary rather than hard-coding libraries. Building on systems without strong shared library dependencies and building against static libraries should now work. Building kasetkey (for AFS kaserver synchronization) is now optional and not enabled by default. Pass --with-afs to configure to enable it. This allows wallet to be easily built in an environment without AFS. Add a sample script (contrib/wallet-report) showing one way of reporting on the contents of the wallet database. This will eventually become more general. wallet 0.5 (2007-12-06) Allow the empty string in wallet-backend arguments. Allow @ in wallet-backend arguments so that principal names can be passed in. Load the Perl modules for ACL verifiers and object types dynamically now that we're reading the class from the database. Correctly implement the documented intention that setting an attribute to the empty string clears the attribute values. Fix the keytab principal validation regex to allow instances containing periods. Otherwise, it's hard to manage host keytabs. Add a missing test suite for that method. When writing to a file in the wallet client program, remove an old backup file before creating a new backup and don't fail if the backup already exists. Check a default creation ACL first before the ADMIN ACL when deciding whether we can auto-create a non-existent ACL, since creating one with the ADMIN ACL doesn't create a useful object. wallet 0.4 (2007-12-05) Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them over the life of the process if we see another ACL line from the same scheme, rather than only reusing ACL verifiers within a single ACL. Add a subclass of the NetDB ACL verifier that requires the principal have an instance of "root" and strips that instance before checking NetDB roles. Determine the class for object and ACL schema implementations from the database rather than a hard-coded list and provide Wallet::Schema methods for adding new class mappings. Add a missing class mapping for the netdb ACL schema verifier. Various coding style fixes and cleanup based on a much-appreciated code audit by Simon Cozens. I didn't take all of his advise, and he shouldn't be blamed for any remaining issues. wallet 0.3 (2007-12-03) MySQL is now a supported database backend and the full test suite passes with MySQL. Add support for running a user-defined function whenever an object is created by a non-ADMIN user and using the default owner ACL returned by that function provided that the calling user is authorized by that ACL. This permits dynamic creation of new objects based on a default owner ACL programmatically determined from the name of the object. Attempt to create the object with a default owner on get and store when the object doesn't exist. Add support for displaying the history of objects and ACLs. Add an ACL verifier that checks access against NetDB roles using the NetDB remctl interface. The wallet backend script now logs all commands and errors to syslog. The keytab backend now supports limiting generated keytabs to particular enctypes by setting an attribute on the object. Expiration dates are now expressed in YYYY-MM-DD HH:MM:SS instead of seconds since epoch and returned the same way. Timestamps are now stored in the database as correct date and time types rather than seconds since epoch to work properly with MySQL. The wallet backend test suite now supports using a database other than SQLite for testing. wallet 0.2 (2007-10-08) First public alpha release. Only tested with SQLite 3, no history support, no object list support, and only keytab object and krb5 ACL support. wallet 0.1 (2007-03-08) Internal release containing only kasetkey, a stub client, and design documentation.