#!/usr/bin/perl -w # # wallet-backend -- Wallet server administrative commands. # # Written by Russ Allbery # Copyright 2008, 2009, 2010 Board of Trustees, Leland Stanford Jr. University # # See LICENSE for licensing terms. ############################################################################## # Declarations and site configuration ############################################################################## use strict; use Wallet::Admin; ############################################################################## # Implementation ############################################################################## # Parse and execute a command. We wrap this in a subroutine call for easier # testing. sub command { die "Usage: wallet-admin [ ...]\n" unless @_; my $admin = Wallet::Admin->new; # Parse command-line options and dispatch to the appropriate calls. my ($command, @args) = @_; if ($command eq 'destroy') { die "too many arguments to destroy\n" if @args; print 'This will delete all data in the wallet database. Are you' . ' sure (N/y)? '; my $response = ; unless ($response and $response =~ /^y/i) { die "Aborted\n"; } $admin->destroy or die $admin->error, "\n"; } elsif ($command eq 'initialize') { die "too many arguments to initialize\n" if @args > 1; die "too few arguments to initialize\n" if @args < 1; die "invalid admin principal $args[0]\n" unless $args[0] =~ /^[^\@\s]+\@\S+$/; $admin->initialize (@args) or die $admin->error, "\n"; } elsif ($command eq 'list') { die "too many arguments to list\n" if @args > 4; die "too few arguments to list\n" if @args < 1; my ($type, $subtype, @search) = @args; if ($type eq 'objects') { my @objects = $admin->list_objects ($subtype, @search); if (!@objects and $admin->error) { die $admin->error, "\n"; } for my $object (@objects) { print join (' ', @$object), "\n"; } } elsif ($type eq 'acls') { my @acls = $admin->list_acls ($subtype, @search); if (!@acls and $admin->error) { die $admin->error, "\n"; } for my $acl (sort { $$a[1] cmp $$b[1] } @acls) { print "$$acl[1] (ACL ID: $$acl[0])\n"; } } else { die "only objects or acls are supported for list\n"; } } elsif ($command eq 'report') { die "too few arguments to report\n" if @args < 1; my $report = shift @args; if ($report eq 'owners') { die "too many arguments to report owners\n" if @args > 2; die "too few arguments to report owners\n" if @args < 2; my @lines = $admin->report_owners (@args); if (!@lines and $admin->error) { die $admin->error, "\n"; } for my $line (@lines) { print join (' ', @$line), "\n"; } } else { die "unknown report type $report\n"; } } elsif ($command eq 'register') { die "too many arguments to register\n" if @args > 3; die "too few arguments to register\n" if @args < 3; my ($object, $type, $class) = @args; if ($object eq 'object') { unless ($admin->register_object ($type, $class)) { die $admin->error, "\n"; } } elsif ($object eq 'verifier') { unless ($admin->register_verifier ($type, $class)) { die $admin->error, "\n"; } } else { die "only object or verifier is supported for register\n"; } } else { die "unknown command $command\n"; } } command (@ARGV); __END__ ############################################################################## # Documentation ############################################################################## =head1 NAME wallet-admin - Wallet server administrative commands =for stopwords metadata ACL hostname backend acl acls wildcard SQL Allbery =head1 SYNOPSIS B I [I ...] =head1 DESCRIPTION B provides a command-line interface for performing administrative actions for the wallet system, such as setting up a new database or running reports. It is intended to be run on the wallet server as a user with access to the wallet database and configuration. This program is a fairly thin wrapper around Wallet::Admin that translates command strings into method calls and returns the results. =head1 OPTIONS B takes no traditional options. =head1 COMMANDS =over 4 =item destroy Deletes all data in the wallet database and drops all of the wallet-created tables, restoring the database to its state prior to an C command. Since this command is destructive and cannot be easily recovered from, B will prompt first to be sure the user intends to do this. =item initialize Given an empty database, initializes it for use with the wallet server by creating the necessary tables and initial metadata. Also creates an ACL with the name ADMIN, used for administrative privileges to the wallet system, and adds an ACL entry to it with a scheme of C and an instance of . This bootstraps the authentication system and allows that user to make further changes to the ADMIN ACL and the rest of the wallet database. C uses C as the hostname and as the user when logging the history of the ADMIN ACL creation and for any subsequent actions required to initialize the database. Before running C, the wallet system has to be configured. See Wallet::Config(3) for more details. Depending on the database backend used, the database may also have to be created in advance. =item list (acls | objects) [ [ ... ] ] Returns a list of ACLs or objects in the database. ACLs will be listed in the form: (ACL ID: ) where is the human-readable name and is the numeric ID. The numeric ID is what's used internally by the wallet system. Objects will be listed in the form: In both cases, there will be one line per ACL or object. If no search type is given, all the ACLs or objects in the database will be returned. If a search type (and possible search arguments) are given, then the ACLs or objects will be limited to those that match the search. The currently supported object search types are: =over 4 =item list objects type Returns all objects of the given type. =item list objects flag Returns all objects which have the given flag set. =item list objects owner Returns all objects owned by the given ACL name. =item list objects acl Returns all objects for which the given ACL name has any permissions. This includes those objects owned by the ACL, but also those for which the ACL has get permissions, for example. =back The currently supported ACL search types are: =over 4 =item list acls empty Returns all ACLs which have no entries, generally so that abandoned ACLs can be destroyed. =item list acls entry Returns all ACLs containing an entry with given schema and identifier. The schema is used for an exact search, while the identifier given will match any identifier containing that text, for flexibility. =back =item register (object | verifier) Registers an implementation of a wallet object or ACL verifier in the wallet database. The Perl class is registered as the implementation of an object of type or an ACL verifier of scheme , allowing creation of objects with that type or ACL lines with that scheme. All object and ACL implementations that come with wallet are registered by default as part of database initialization, so this command is used primarily to register local implementations of additional object types or ACL schemes. =item report [ ... ] Runs a wallet report. The currently supported report types are: =over 4 =item report owners

Returns a list of all ACL lines in owner ACLs for all objects matching both and . These can be the type or name of objects or they can be patterns using C<%> as the wildcard character following the normal rules of SQL patterns. The output will be one line per ACL line in the form: with duplicates suppressed. =back =back =head1 SEE ALSO Wallet::Admin(3), Wallet::Config(3), wallet-backend(8) This program is part of the wallet system. The current version is available from L. =head1 AUTHOR Russ Allbery =cut