1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
Wallet Server API
Introduction
Here is the specification for the API that components of the wallet
server will implement. There are two pluggable components in the
wallet server: the implementation of a particular object type (which
amounts mostly to storage and retrieval), and the ACL implementation.
Object API
new(NAME, TYPE, DBH)
Creates a new object with the given object name and type based on
data already in the database. Takes a database handle, which should
be stored with the object and used for any further operations. This
method should inherit from the generic Wallet::Object object, which
implements the following methods:
new(NAME, DBH)
create(NAME, DBH)
owner([ACL-ID, PRINCIPAL, HOSTNAME [, DATETIME]])
acl(TYPE [, ACL-ID, PRINCIPAL, HOSTNAME [, DATETIME]])
expires([DATETIME, PRINCIPAL, HOSTNAME [, DATETIME]])
store(DATA, PRINCIPAL, HOSTNAME [, DATETIME])
show()
destroy(PRINCIPAL, HOSTNAME [, DATETIME])
error()
that manipulate the basic object data. Generally all this function
needs to do is call the parent new() constructor.
create(NAME, TYPE, DBH, PRINCIPAL, HOSTNAME [, DATETIME])
Like new(), but instead creates a new entry in the database with the
given name. As with new(), the generic function will normally do all
of the work. Takes some additional information to put into the
created fields in the database.
destroy(PRINCIPAL, HOSTNAME [, DATETIME])
Destroys the given object. This should include destroying any
representation of the object in other systems as well (such as
deleting Kerberos principals out of a KDC). Takes the information
about who is doing the deletion to store log entries. The result is
true on success and false on failure. On error, the caller should
call error() to get the error text.
get(PRINCIPAL, HOSTNAME [, DATETIME])
Applied to a returned object, retrieves the data contained in the
object in question. Takes the information about who is doing the
retrieval so that the database metadata can be updated. The result is
either the relevant data or undef in the event of an error. On error,
the caller should call error() to get the error text.
store(DATA, PRINCIPAL, HOSTNAME [, DATETIME])
Store user-supplied data into the given object. This may not be
supported by all backends (for instance, backends that automatically
generate the data will not support this). Takes the information about
who is doing the store so that the database metadata can be updated.
The result is true on success and false on failure. On error, the
caller should call error() to get the error text.
show()
Returns a formatted text description of the object suitable for human
display, or undef on error. On error, the caller should call error()
to get the error text.
default_check(OPERATION, PRINCIPAL)
Applies the default authorization rules for this object type, if any,
and returns 1 if those default authorization rules allow access. If
there are no authorization rules or if they don't allow access,
returns 0. On error, returns undef; the caller should call error() to
get the error text. Operation should be one of get, store, destroy,
show, and flags.
error()
Returns the error text from the last failed get(), store(), show(), or
default_check() call.
ACL API
new(DBH)
Creates a persistant ACL verifier for the given ACL type. This may do
nothing, but some ACL verifiers require some persistant data, like a
persistant LDAP connection. The database handle should be provided to
the constructor, but a given ACL implementation may not use it.
check(PRINCIPAL, ACL)
Checks whether the given PRINCIPAL should be allowed access given ACL.
Returns 1 if access is granted, 0 if access is declined, and undef on
error. On error, the caller should call error() to get the error text
but generally should continue with checking other ACLs.
error()
Returns the error text of the last error.
|
