5 * Handle duplicate kvnos in a newly returned keytab and an existing
6 keytab (such as when downloading an unchanging keytab and merging it
7 into an existing one) in some reasonable fashion.
9 * Support removing old kvnos from a merged keytab (similar to kadmin
12 * When reading configuration from krb5.conf, we should first try to
13 determine our principal from any existing Kerberos ticket cache (after
14 obtaining tickets if -u was given) and extract the realm from that
15 principal, using it as the default realm when reading configuration
18 * Add readline support to the wallet client to make it easier to issue
21 * Support authenticating with a keytab.
23 * When obtaining tickets in the wallet client with -u, directly obtain
24 the service ticket we're going to use for remctl.
26 * Provide a way to refresh a file object if and only if what's stored on
27 the server is different than what's on disk. This will require server
28 support as well for returning the checksum of a file.
30 * Incorporate the wallet-rekey-periodic script (currently in contrib)
31 into the package and teach it how to ignore foreign credentials.
33 * Pass realm into krb5_appdefault_* functions.
37 * Provide a way to get history for deleted objects and ACLs.
39 * Provide an interface to mass-change all instances of one ACL to
40 another. (Owner changes are currently supported, but not the other
43 * Add help functions to wallet-backend and wallet-admin listing the
46 * Catch exceptions on object creation in wallet-backend so that we can
49 * Provide a way to list all objects for which the connecting user has
52 * Support limiting returned history information by timestamp.
54 * Provide a REST implementation of the wallet server.
56 * Provide a CGI implementation of the wallet server.
58 * Support setting flags and attributes on autocreate. In general, work
59 out a Wallet::Object::Template Perl object that I can return that
60 specifies things other than just the ACL.
62 * Remove the hard-coded ADMIN ACL in the server with something more
63 configurable, perhaps a global ACL table or something.
65 * Support leap-of-faith keying of systems by registering an object for
66 one-time download (ideally from a specific IP address) and then
67 allowing that object to be downloaded anonymously from that IP. Relies
68 on support for Kerberos anonymous authentication.
70 * Split "get" and "update" in semantics, and only do keytab rekeying on
71 update. "get" would not be permitted unless the keytab was flagged as
72 unchanging, and update would still change even an unchanging keytab
73 (maybe). Or, alternately, maybe we allow get of any keytab? Requires
76 * Add a mechanism to automate owner updates based on default_owner.
78 * Partially merge create and autocreate. create and autocreate should do
79 the same thing provided there is an autocreation configuration
80 available. If not, autocreate should fail and create should fall back
81 on checking for ADMIN privileges.
83 * Rewrite server backends to use Net::Remctl::Backend.
85 * Merge the Wallet::Logger support written by Commerzbank AG: create a
86 new class that handles logging, probably based on Log::Log4perl, and
87 add logging points to all of the core classes.
89 * Support an authorization hook to determine whether or not to permit
90 autocreate. One requested example feature is to limit autocreate of
91 keytab objects to certain hosts involved in deployment. It should be
92 possible to write a hook that takes the information about what object
93 is being autocreated and can accept or decline.
97 * Error messages from ACL operations should refer to the ACLs by name
100 * Write the PTS ACL verifier.
102 * Rename Wallet::ACL::* to Wallet::Verifier::*. Add Wallet::ACL as a
103 generic interface with Wallet::ACL::Database and Wallet::ACL::List
104 implementations (or some similar name) so that we can create and check
105 an ACL without having to write it into the database. Redo default ACL
106 creation using that functionality.
108 * Pass a reference to the object for which the ACL is interpreted to the
109 ACL API so that ACL APIs can make more complex decisions.
111 * Provide an API for verifiers to syntax-check the values before an ACL
112 is set and implement syntax checking for the krb5 and ldap-attr
115 * Investigate how best to support client authentication using anonymous
116 PKINIT for things like initial system keying.
118 * Generalize the current NetDB ACL type to allow a generic remctl query
119 for whether a particular user is authorized to create host-based
120 objects for a particular host.
122 * Add ldap-group ACL scheme (and possibly a root-only version).
124 * Add a comment field to ACLs.
126 * Support external ACLs under a backend other than remctl. This will
127 require some way of re-exporting the authenticated user identity
128 instead of relying on the existence of the remctl variables.
132 * Fix case-insensitivity bug in unique keys with MySQL for objects. When
133 creating an http/<host> principal when an HTTP/<host> principal already
134 existed, MySQL rejected the row entry as a duplicate. The name should
137 * On upgrades, support adding new object types and ACL verifiers to the
142 * Check whether we can just drop the realm restriction on keytabs and
143 allow the name to contain the realm if the Kerberos type is Heimdal.
145 * Use the Perl Authen::Krb5::Admin module instead of rolling our own
146 kadmin code with Expect now that MIT Kerberos has made the kadmin API
149 * Implement an ssh keypair wallet object. The server can run ssh-keygen
150 to generate a public/private key pair and return both to the client,
151 which would split them apart. Used primarily for host keys. May need
152 a side table to store key types, or a naming convention.
154 * Implement an X.509 certificate object. I expect this would store the
155 public and private key as a single file in the same format that Apache
156 can read for combined public and private keys. There were requests for
157 storing the CSR, but I don't see why you'd want to do that. Start with
158 store support. The file code is mostly sufficient here, but it would
159 be nice to automatically support object expiration based on the
160 expiration time for the certificate.
162 * Implement an X.509 CA so that you can get certificate objects without
163 storing them first. Need to resolve naming conventions if you want to
164 run multiple CAs on the same wallet server (but why?). Should this be
165 a different type than stored certificates? Consider using hxtool as
166 the underlying CA mechanism.
168 * Support returning the checksum of a file object stored in wallet so
169 that one can determine whether the version stored on disk is identical.
171 * Support setting the disallow-svr flag on created principals. In
172 general, support setting arbitrary principal flags.
176 * Add audit for references to unknown ACLs, possibly introduced by
177 previous versions before ACL deletion was checked with database
178 backends that don't do referential integrity.
180 * For objects tied to hostnames, report on objects referring to hosts
181 which do not exist. For the initial pass, this is probably only keytab
182 objects with names containing a slash where the part after the slash
183 looks like a hostname. This may need some configuration help.
185 * Make contrib/wallet-summary generic and include it in wallet-report,
186 with additional configuration in Wallet::Config. Enhance it to report
187 on any sort of object, not just on keytabs, and to give numbers on
188 downloaded versus not downloaded objects.
190 * Write a tool to mail the owners of wallet objects, taking the list of
191 objects and the mail message to send as inputs. This could possibly
192 use the notification service, although a version that sends mail
193 directly would be useful external to Stanford.
195 * Merge the Commerzbank AG work to dump all the object history, applying
196 various search criteria to it, or clear parts of the object history.
198 Administrative Interface:
200 * Add a function to wallet-admin to purge expired entries. Possibly also
201 check expiration before allowing anyone to get or store objects.
203 * Add a function or separate script to automate removal of DNS-based
204 objects for which the hosts no longer exist. Will need to support a
205 site-specific callout to determine whether the host exists.
207 * Database creation appears not to work without the SQL files, but it's
208 supposed to work directly from the classes. Double-check this.
212 * Write a conventions document for ACL naming, object naming, and similar
215 * Write a future design and roadmap document to collect notes about how
216 unimplemented features should be handled.
218 * Document using the wallet system over something other than remctl.
220 * Document all diagnostics for all wallet APIs.
222 * Document configuration with an Oracle database.
224 Code Style and Cleanup:
226 * There is a lot of duplicate code in wallet-backend. Convert that to
227 use some sort of data-driven model with argument count and flags so
228 that the method calls can be written only once. Convert wallet-admin
229 to use the same code.
231 * There's a lot of code duplication in the dispatch functions in the
232 Wallet::Server class. Find a way to rewrite that so that the dispatch
233 doesn't duplicate the same code patterns.
235 * The wallet-backend and wallet documentation share the COMMANDS section.
236 Work out some means to assemble the documentation without duplicating
239 * The Wallet::Config class is very ugly and could use some better
240 internal API to reference the variables in it.
242 * Consider using Class::Accessor to get rid of the scaffolding code to
243 access object data. Alternately, consider using Moose.
245 * Rewrite the error handling to use exceptions instead of the C-style
246 return value and separate error call.
250 * The ldap-attr verifier test case is awful and completely specific to
251 people with admin access to the Stanford LDAP tree. Write a real test.
253 * Rename the tests to use a subdirectory organization.
255 * Add POD coverage testing using Test::POD::Coverage for the server
258 * Rewrite the client test suite to use Perl and to make better use of
259 shared code so that it can be broken into function components.
261 * Refactor the test suite for the wallet backend to try to reduce the
262 duplicated code. Using a real mock infrastructure should make this
263 test suite much easier to write.
265 * Pull common test suite code into a Perl library that can be reused.
267 * Write a test suite to scan all wallet code looking for diagnostics that
268 aren't in the documentation and warn about them.