Russ Allbery [Mon, 18 Jan 2016 04:02:29 +0000 (20:02 -0800)]
Add new dependencies, run wrap-and-sort -ast
New wallet object types, ACLs, and kadmin backends require new
modules. Flesh out the build dependencies and suggests, and then
clean up all the control files with wrap-and-sort -ast.

Russ Allbery [Mon, 18 Jan 2016 00:56:59 +0000 (16:56 -0800)]
Fix version source and prerequisites in Build.PL
Flesh out recommends for more accurate dependencies for the Perl
modules. Pull the version from one of the Perl modules, now that
we have another test that ensures that those versions are all
consistent.

Russ Allbery [Sun, 17 Jan 2016 22:30:53 +0000 (14:30 -0800)]
Update to rra-c-util 5.10 and C TAP Harness 3.4
Update to rra-c-util 5.10:
* Add missing va_end to xasprintf implementation.
* Fix Perl test suite framework for new Automake relative paths.
* Improve portability to Kerberos included in Solaris 10.
* Use appropriate warning flags with Clang (currently not warning clean).
Update to C TAP Harness 3.4:
* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Test infrastructure builds cleanly with Clang warnings.
* Support comments and blank lines in test lists.

Russ Allbery [Sun, 17 Jan 2016 20:25:15 +0000 (12:25 -0800)]
Standardize Perl module versions
The versions of all of the wallet Perl modules now match the overall
package version except for Wallet::Schema, which is used to version
the database schema.
Import the test from rra-c-util 5.10 and exclude Wallet::Schema from
the tests.
Go through all Perl modules and standardize the syntax for setting the
version and indicating the required version of Perl. Fix a few other
syntax issues while I'm in there.

Russ Allbery [Mon, 4 Jan 2016 03:57:04 +0000 (19:57 -0800)]
Fix Wallet::Object::Duo to pass strict.t test w/o Net::Duo
Ubuntu precise and trusty don't have Net::Duo packages. Delay
loading to the constructor so that the modules will still pass
strictness tests. This also fixes Travis-CI testing.

Russ Allbery [Mon, 4 Jan 2016 03:29:20 +0000 (19:29 -0800)]
Add Wallet::ACL::External ACL type
A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.

Bill MacAllister [Tue, 29 Dec 2015 20:03:02 +0000 (20:03 +0000)]
Add error check for partially created AD keytabs
The msktutil script does not always signal error conditions. This
change implements a check that examines the output from msktutil
and reports an error when the keytab creation fails to create
the keytab but does create a computer entry in the directory. If
an error is detected the directory entry is deleted leaving the
directory in a clean state.
Also, support has been added for output of debugging information
to syslog using the AD_DEBUG configuration variable.
Finally, perltidy-suggested changes were made to AD.pm.

Russ Allbery [Tue, 15 Dec 2015 06:38:46 +0000 (22:38 -0800)]
Better error reporting on verifier failure during add
When adding a new ACL, if creation of the verifier failed, we
reported a pretty minimal error message claiming that the
identifier was the problem. It can't possibly be the problem
when the constructor fails. Report the actual failure more
directly.

Implement support for managed Active Directory keytabs
This version implements Active Directory as the store for keytabs.
The interface to Active Directory uses a combination of direct LDAP
queries and the msktutil utility. This version does not support the
wallet unchanging flag. Unchanging requires that a keytab be
retrieved without changing the password/kvno, which is not supported by
msktutil.

Jon Robertson [Thu, 27 Aug 2015 17:34:22 +0000 (10:34 -0700)]
Added Wallet::ACL::LDAP::Attribute::Root
Added a version of the LDAP attribute ACL. Like the root version for
NetDB, this requires that the principal end in /root, and then strips
off /root before doing matching against the given LDAP attribute.

Jon Robertson [Tue, 9 Jun 2015 22:04:14 +0000 (15:04 -0700)]
Added wallet report for nested ACL
We needed a way to report on where all a specific ACL might be nested,
since we can't destroy an ACL until it's no longer being nested. For
the immediate, this is part of wallet-report.

Jon Robertson [Tue, 9 Jun 2015 20:06:56 +0000 (13:06 -0700)]
ACL.pm: Destroying a nested ACL will now fail
When destroying an ACL nested in other ACLs, we now fail with an
explanation rather than going through to remove all the places it's
nested. That's more in line with how we handle trying to destroy ACLs
that own things.

Jon Robertson [Mon, 8 Jun 2015 18:15:37 +0000 (11:15 -0700)]
Added nested ACL verifier
This verifier will allow embedding one ACL in another for more flexible
ACL handling. As part of this we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier. For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.

Jon Robertson [Fri, 17 Apr 2015 20:41:52 +0000 (13:41 -0700)]
Merged all Duo objects into one module
To handle local proliferation of Duo integration type requests, all Duo
types have been merged into one module that will pick up and decide
integration specifics off of the object type.
If you are using the Duo types locally already, you'll want to load
perl/sql/wallet-1.3-update-duo.sql to your database to update the old
object types to all use the Duo module.
All existing Duo integrations have been added to the module for
handling, but nothing new has been added to the wallet object types.
Since there are a lot of Duo integrations, sites should only manually
add the ones they're interested in to the wallet types table.

Jon Robertson [Wed, 18 Feb 2015 23:17:51 +0000 (15:17 -0800)]
Added new method for wallet-backend, update
update will work generally like get, but only for objects that have a
concept of updating content automatically, like keytabs and passwords.
For these, the content will be updated before sending to the client.
In a later release get for keytabs will be modified to never update the
kvno before sending to the user, and so the unchanging flag will be
phased out in lieu of explicitly using the method that does what you
want.

Jon Robertson [Tue, 17 Feb 2015 20:30:27 +0000 (12:30 -0800)]
Added a contrib script for history actions
Commerzbank offered a script for searching and editing the wallet
history. The coding style is very different from our own, so I'm
including this as a contrib script for now.

Jon Robertson [Tue, 17 Feb 2015 20:27:04 +0000 (12:27 -0800)]
Updated documentation for duo and password objects
The documentation now includes information about the Duo file types, and
the new password types. This is both the general information, and the
Stanford-specific naming docs.