Commit 7856dc7c authored by Russ Allbery's avatar Russ Allbery
Browse files

Imported Upstream version 1.2

parents dd295a55 e73a80c6
......@@ -26,8 +26,11 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
perl/lib/Wallet/Config.pm perl/lib/Wallet/Database.pm \
perl/lib/Wallet/Kadmin.pm perl/lib/Wallet/Kadmin/Heimdal.pm \
perl/lib/Wallet/Kadmin/MIT.pm perl/lib/Wallet/Object/Base.pm \
perl/lib/Wallet/Object/Duo.pm perl/lib/Wallet/Object/File.pm \
perl/lib/Wallet/Object/Keytab.pm \
perl/lib/Wallet/Object/Duo.pm \
perl/lib/Wallet/Object/Duo/LDAPProxy.pm \
perl/lib/Wallet/Object/Duo/PAM.pm perl/lib/Wallet/Object/Duo/RDP.pm \
perl/lib/Wallet/Object/Duo/RadiusProxy.pm \
perl/lib/Wallet/Object/File.pm perl/lib/Wallet/Object/Keytab.pm \
perl/lib/Wallet/Object/WAKeyring.pm \
perl/lib/Wallet/Policy/Stanford.pm perl/lib/Wallet/Report.pm \
perl/lib/Wallet/Schema.pm perl/lib/Wallet/Server.pm \
......@@ -56,15 +59,26 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
perl/sql/Wallet-Schema-0.08-SQLite.sql \
perl/sql/Wallet-Schema-0.09-MySQL.sql \
perl/sql/Wallet-Schema-0.09-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.09-SQLite.sql perl/t/data/README \
perl/t/data/duo/integration.json perl/t/data/duo/keys.json \
perl/sql/Wallet-Schema-0.09-SQLite.sql \
perl/sql/Wallet-Schema-0.09-0.10-MySQL.sql \
perl/sql/Wallet-Schema-0.09-0.10-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.09-0.10-SQLite.sql \
perl/sql/Wallet-Schema-0.10-MySQL.sql \
perl/sql/Wallet-Schema-0.10-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.10-SQLite.sql perl/t/data/README \
perl/t/data/duo/integration.json \
perl/t/data/duo/integration-ldap.json \
perl/t/data/duo/integration-radius.json \
perl/t/data/duo/integration-rdp.json perl/t/data/duo/keys.json \
perl/t/data/keytab-fake perl/t/data/keytab.conf \
perl/t/data/netdb-fake perl/t/data/netdb.conf perl/t/data/perl.conf \
perl/t/docs/pod-spelling.t perl/t/docs/pod.t perl/t/general/acl.t \
perl/t/general/admin.t perl/t/general/config.t \
perl/t/general/init.t perl/t/general/report.t \
perl/t/general/server.t perl/t/lib/Util.pm perl/t/object/base.t \
perl/t/object/duo.t perl/t/object/file.t perl/t/object/keytab.t \
perl/t/object/duo.t perl/t/object/duo-ldap.t \
perl/t/object/duo-pam.t perl/t/object/duo-radius.t \
perl/t/object/duo-rdp.t perl/t/object/file.t perl/t/object/keytab.t \
perl/t/object/wa-keyring.t perl/t/policy/stanford.t \
perl/t/style/minimum-version.t perl/t/style/strict.t \
perl/t/util/kadmin.t perl/t/verifier/basic.t \
......@@ -72,14 +86,14 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
# Directories that have to be created in builddir != srcdir builds before
# copying PERL_FILES over.
PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \
perl/lib/Wallet/ACL/Krb5 perl/lib/Wallet/ACL/LDAP \
perl/lib/Wallet/ACL/NetDB perl/lib/Wallet/Kadmin \
perl/lib/Wallet/Object perl/lib/Wallet/Policy \
perl/lib/Wallet/Schema perl/lib/Wallet/Schema/Result perl/sql \
perl/t perl/t/data perl/t/data/duo perl/t/docs perl/t/general \
perl/t/lib perl/t/object perl/t/policy perl/t/style perl/t/util \
perl/t/verifier
PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \
perl/lib/Wallet/ACL/Krb5 perl/lib/Wallet/ACL/LDAP \
perl/lib/Wallet/ACL/NetDB perl/lib/Wallet/Kadmin \
perl/lib/Wallet/Object perl/lib/Wallet/Object/Duo \
perl/lib/Wallet/Policy perl/lib/Wallet/Schema \
perl/lib/Wallet/Schema/Result perl/sql perl/t perl/t/data \
perl/t/data/duo perl/t/docs perl/t/general perl/t/lib perl/t/object \
perl/t/policy perl/t/style perl/t/util perl/t/verifier
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = .gitignore LICENSE autogen client/wallet.pod \
......@@ -205,9 +219,8 @@ perl/blib/lib/Wallet/Config.pm: $(srcdir)/perl/lib/Wallet/Config.pm
cp "$(srcdir)/$$f" "$(builddir)/$$f" ; \
done ; \
fi
mkdir perl/t/lib/Test
$(MKDIR_P) perl/t/lib/Test/RRA
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA.pm perl/t/lib/Test/
mkdir perl/t/lib/Test/RRA
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA/Config.pm \
perl/t/lib/Test/RRA/
cd perl && perl Build.PL $(WALLET_PERL_FLAGS)
......
......@@ -105,12 +105,12 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/tests/client/prompt-t.in \
$(top_srcdir)/tests/client/rekey-t.in \
$(top_srcdir)/portable/setenv.c \
$(top_srcdir)/portable/mkstemp.c \
$(top_srcdir)/portable/reallocarray.c \
$(top_srcdir)/portable/strlcpy.c \
$(top_srcdir)/portable/snprintf.c \
$(top_srcdir)/portable/asprintf.c \
$(top_srcdir)/portable/reallocarray.c \
$(top_srcdir)/portable/strlcat.c \
$(top_srcdir)/portable/strlcpy.c $(dist_sbin_SCRIPTS) \
$(top_srcdir)/portable/asprintf.c \
$(top_srcdir)/portable/mkstemp.c $(dist_sbin_SCRIPTS) \
$(top_srcdir)/build-aux/depcomp $(dist_man_MANS) \
$(dist_pkgdata_DATA) NEWS README TODO build-aux/ar-lib \
build-aux/compile build-aux/depcomp build-aux/install-sh \
......@@ -502,8 +502,11 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
perl/lib/Wallet/Config.pm perl/lib/Wallet/Database.pm \
perl/lib/Wallet/Kadmin.pm perl/lib/Wallet/Kadmin/Heimdal.pm \
perl/lib/Wallet/Kadmin/MIT.pm perl/lib/Wallet/Object/Base.pm \
perl/lib/Wallet/Object/Duo.pm perl/lib/Wallet/Object/File.pm \
perl/lib/Wallet/Object/Keytab.pm \
perl/lib/Wallet/Object/Duo.pm \
perl/lib/Wallet/Object/Duo/LDAPProxy.pm \
perl/lib/Wallet/Object/Duo/PAM.pm perl/lib/Wallet/Object/Duo/RDP.pm \
perl/lib/Wallet/Object/Duo/RadiusProxy.pm \
perl/lib/Wallet/Object/File.pm perl/lib/Wallet/Object/Keytab.pm \
perl/lib/Wallet/Object/WAKeyring.pm \
perl/lib/Wallet/Policy/Stanford.pm perl/lib/Wallet/Report.pm \
perl/lib/Wallet/Schema.pm perl/lib/Wallet/Server.pm \
......@@ -532,15 +535,26 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
perl/sql/Wallet-Schema-0.08-SQLite.sql \
perl/sql/Wallet-Schema-0.09-MySQL.sql \
perl/sql/Wallet-Schema-0.09-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.09-SQLite.sql perl/t/data/README \
perl/t/data/duo/integration.json perl/t/data/duo/keys.json \
perl/sql/Wallet-Schema-0.09-SQLite.sql \
perl/sql/Wallet-Schema-0.09-0.10-MySQL.sql \
perl/sql/Wallet-Schema-0.09-0.10-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.09-0.10-SQLite.sql \
perl/sql/Wallet-Schema-0.10-MySQL.sql \
perl/sql/Wallet-Schema-0.10-PostgreSQL.sql \
perl/sql/Wallet-Schema-0.10-SQLite.sql perl/t/data/README \
perl/t/data/duo/integration.json \
perl/t/data/duo/integration-ldap.json \
perl/t/data/duo/integration-radius.json \
perl/t/data/duo/integration-rdp.json perl/t/data/duo/keys.json \
perl/t/data/keytab-fake perl/t/data/keytab.conf \
perl/t/data/netdb-fake perl/t/data/netdb.conf perl/t/data/perl.conf \
perl/t/docs/pod-spelling.t perl/t/docs/pod.t perl/t/general/acl.t \
perl/t/general/admin.t perl/t/general/config.t \
perl/t/general/init.t perl/t/general/report.t \
perl/t/general/server.t perl/t/lib/Util.pm perl/t/object/base.t \
perl/t/object/duo.t perl/t/object/file.t perl/t/object/keytab.t \
perl/t/object/duo.t perl/t/object/duo-ldap.t \
perl/t/object/duo-pam.t perl/t/object/duo-radius.t \
perl/t/object/duo-rdp.t perl/t/object/file.t perl/t/object/keytab.t \
perl/t/object/wa-keyring.t perl/t/policy/stanford.t \
perl/t/style/minimum-version.t perl/t/style/strict.t \
perl/t/util/kadmin.t perl/t/verifier/basic.t \
......@@ -549,14 +563,14 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP perl/create-ddl \
# Directories that have to be created in builddir != srcdir builds before
# copying PERL_FILES over.
PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \
perl/lib/Wallet/ACL/Krb5 perl/lib/Wallet/ACL/LDAP \
perl/lib/Wallet/ACL/NetDB perl/lib/Wallet/Kadmin \
perl/lib/Wallet/Object perl/lib/Wallet/Policy \
perl/lib/Wallet/Schema perl/lib/Wallet/Schema/Result perl/sql \
perl/t perl/t/data perl/t/data/duo perl/t/docs perl/t/general \
perl/t/lib perl/t/object perl/t/policy perl/t/style perl/t/util \
perl/t/verifier
PERL_DIRECTORIES = perl perl/lib perl/lib/Wallet perl/lib/Wallet/ACL \
perl/lib/Wallet/ACL/Krb5 perl/lib/Wallet/ACL/LDAP \
perl/lib/Wallet/ACL/NetDB perl/lib/Wallet/Kadmin \
perl/lib/Wallet/Object perl/lib/Wallet/Object/Duo \
perl/lib/Wallet/Policy perl/lib/Wallet/Schema \
perl/lib/Wallet/Schema/Result perl/sql perl/t perl/t/data \
perl/t/data/duo perl/t/docs perl/t/general perl/t/lib perl/t/object \
perl/t/policy perl/t/style perl/t/util perl/t/verifier
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = .gitignore LICENSE autogen client/wallet.pod \
......@@ -1899,9 +1913,8 @@ perl/blib/lib/Wallet/Config.pm: $(srcdir)/perl/lib/Wallet/Config.pm
cp "$(srcdir)/$$f" "$(builddir)/$$f" ; \
done ; \
fi
mkdir perl/t/lib/Test
$(MKDIR_P) perl/t/lib/Test/RRA
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA.pm perl/t/lib/Test/
mkdir perl/t/lib/Test/RRA
$(INSTALL_DATA) $(srcdir)/tests/tap/perl/Test/RRA/Config.pm \
perl/t/lib/Test/RRA/
cd perl && perl Build.PL $(WALLET_PERL_FLAGS)
......
User-Visible wallet Changes
wallet 1.2 (2014-12-08)
The duo object type has been split into several sub-types, each for a
specific type of Duo integration. The old type's functionality has
been moved to duo-pam (Wallet::Object::Duo::PAM), and new types are
supported for Duo's auth proxy configurations for LDAP and Radius, and
their RDP configuration. These types are duo-radius, duo-ldap, and
duo-rdp (Wallet::Object::Duo::RadiusProxy,
Wallet::Object::Duo::LDAPProxy, and Wallet::Object::Duo::RDP). The
old duo type still exists for compatability. To enable these object
types for an existing wallet database, use wallet-admin to register the
new object.
New rename command for file type objects. This will change the name
of the object itself and move any stored data for the file to the
correct location for the new name. Currently, rename is only
supported for file objects, but may be supported by other backends in
the future.
wallet 1.1 (2014-07-16)
A new object type, duo (Wallet::Object::Duo), is now supported. This
......
wallet release 1.1
wallet release 1.2
(secure data management system)
Written by Russ Allbery <eagle@eyrie.org>
......
......@@ -2,163 +2,162 @@
Client:
* WALLET-5: Handle duplicate kvnos in a newly returned keytab and an
* KERB-94: Handle duplicate kvnos in a newly returned keytab and an
existing keytab (such as when downloading an unchanging keytab and
merging it into an existing one) in some reasonable fashion.
* WALLET-6: Support removing old kvnos from a merged keytab (similar to
* KERB-90: Support removing old kvnos from a merged keytab (similar to
kadmin ktremove old).
* WALLET-7: When reading configuration from krb5.conf, we should first
try to determine our principal from any existing Kerberos ticket cache
* KERB-88: When reading configuration from krb5.conf, we should first try
to determine our principal from any existing Kerberos ticket cache
(after obtaining tickets if -u was given) and extract the realm from
that principal, using it as the default realm when reading
configuration information.
* WALLET-8: Add readline support to the wallet client to make it easier
to issue multiple commands.
* KERB-89: Add readline support to the wallet client to make it easier to
issue multiple commands.
* WALLET-9: Support authenticating with a keytab.
* KERB-115: Support authenticating with a keytab.
* WALLET-10: When obtaining tickets in the wallet client with -u,
directly obtain the service ticket we're going to use for remctl.
* KERB-97: When obtaining tickets in the wallet client with -u, directly
obtain the service ticket we're going to use for remctl.
* WALLET-11: Provide a way to refresh a file object if and only if what's
* KERB-95: Provide a way to refresh a file object if and only if what's
stored on the server is different than what's on disk. This will
require server support as well for returning the checksum of a file.
* WALLET-80: Incorporate the wallet-rekey-periodic script (currently in
* KERB-104: Incorporate the wallet-rekey-periodic script (currently in
contrib) into the package and teach it how to ignore foreign
credentials.
Server Interface:
* WALLET-13: Provide a way to get history for deleted objects and ACLs.
* KERB-126: Provide a way to get history for deleted objects and ACLs.
* WALLET-14: Provide an interface to mass-change all instances of one ACL
* KERB-66: Provide an interface to mass-change all instances of one ACL
to another.
* WALLET-15: Add help functions to wallet-backend, wallet-report, and
* KERB-96: Add help functions to wallet-backend, wallet-report, and
wallet-admin listing the commands.
* WALLET-16: Catch exceptions on object creation in wallet-backend so
that we can log those as well.
* KERB-52: Catch exceptions on object creation in wallet-backend so that
we can log those as well.
* WALLET-17: Provide a way to list all objects for which the connecting
* KERB-114: Provide a way to list all objects for which the connecting
user has ACLs.
* WALLET-18: Support limiting returned history information by timestamp.
* KERB-101: Support limiting returned history information by timestamp.
* WALLET-19: Provide a REST implementation of the wallet server.
* KERB-128: Provide a REST implementation of the wallet server.
* WALLET-20: Provide a CGI implementation of the wallet server.
* KERB-79: Provide a CGI implementation of the wallet server.
* WALLET-21: Support setting flags and attributes on autocreate. In
* KERB-111: Support setting flags and attributes on autocreate. In
general, work out a Wallet::Object::Template Perl object that I can
return that specifies things other than just the ACL.
* WALLET-22: Remove the hard-coded ADMIN ACL in the server with something
* KERB-93: Remove the hard-coded ADMIN ACL in the server with something
more configurable, perhaps a global ACL table or something.
* WALLET-63: Support leap-of-faith keying of systems by registering an
* KERB-68: Support leap-of-faith keying of systems by registering an
object for one-time download (ideally from a specific IP address) and
then allowing that object to be downloaded anonymously from that IP.
Relies on support for Kerberos anonymous authentication.
* WALLET-64: Split "get" and "update" in semantics, and only do keytab
* KERB-84: Split "get" and "update" in semantics, and only do keytab
rekeying on update. "get" would not be permitted unless the keytab was
flagged as unchanging, and update would still change even an unchanging
keytab (maybe). Or, alternately, maybe we allow get of any keytab?
Requires more thought.
* WALLET-69: "owner" should print the name as well as the number of the
ACL. Also check "getacl".
* KERB-118: Add command to list available types and schemes.
* WALLET-70: Add command to list available types and schemes.
* WALLET-72: Add a mechanism to automate owner updates based on
* KERB-75: Add a mechanism to automate owner updates based on
default_owner.
* WALLET-79: Partially merge create and autocreate. create and autocreate
should do the same thing provided there is an autocreation configuration
available. If not, autocreate should fail and create should fall back on
checking for ADMIN privileges.
* KERB-64: Partially merge create and autocreate. create and autocreate
should do the same thing provided there is an autocreation
configuration available. If not, autocreate should fail and create
should fall back on checking for ADMIN privileges.
* WALLET-83: Support file object renaming.
* KERB-116: Support file object renaming.
* Rewrite server backends to use Net::Remctl::Backend.
* KERB-131: Rewrite server backends to use Net::Remctl::Backend.
* Merge the Wallet::Logger support written by Commerzbank AG: create a
new class that handles logging, probably based on Log::Log4perl, and
add logging points to all of the core classes.
* KERB-132: Merge the Wallet::Logger support written by Commerzbank AG:
create a new class that handles logging, probably based on
Log::Log4perl, and add logging points to all of the core classes.
* Support an authorization hook to determine whether or not to permit
autocreate. One requested example feature is to limit autocreate of
keytab objects to certain hosts involved in deployment. It should be
possible to write a hook that takes the information about what object
is being autocreated and can accept or decline.
* KERB-133: Support an authorization hook to determine whether or not to
permit autocreate. One requested example feature is to limit
autocreate of keytab objects to certain hosts involved in deployment.
It should be possible to write a hook that takes the information about
what object is being autocreated and can accept or decline.
ACLs:
* WALLET-23: Error messages from ACL operations should refer to the ACLs
* KERB-119: Error messages from ACL operations should refer to the ACLs
by name instead of by ID.
* WALLET-24: Write the PTS ACL verifier.
* KERB-121: Write the PTS ACL verifier.
* WALLET-25: Rename Wallet::ACL::* to Wallet::Verifier::*. Add
* KERB-123: Rename Wallet::ACL::* to Wallet::Verifier::*. Add
Wallet::ACL as a generic interface with Wallet::ACL::Database and
Wallet::ACL::List implementations (or some similar name) so that we can
create and check an ACL without having to write it into the database.
Redo default ACL creation using that functionality.
* WALLET-26: Pass a reference to the object for which the ACL is
* KERB-67: Pass a reference to the object for which the ACL is
interpreted to the ACL API so that ACL APIs can make more complex
decisions.
* WALLET-27: A group-in-groups ACL schema.
* KERB-109: A group-in-groups ACL schema.
* WALLET-28: Provide an API for verifiers to syntax-check the values
* KERB-113: Provide an API for verifiers to syntax-check the values
before an ACL is set and implement syntax checking for the krb5 and
ldap-attr verifiers.
* WALLET-29: Investigate how best to support client authentication using
* KERB-60: Investigate how best to support client authentication using
anonymous PKINIT for things like initial system keying.
* WALLET-68: Generalize the current NetDB ACL type to allow a generic
* KERB-72: Generalize the current NetDB ACL type to allow a generic
remctl query for whether a particular user is authorized to create
host-based objects for a particular host.
* WALLET-71: Add ldap-group ACL scheme.
* KERB-78: Add ldap-group ACL scheme.
* WALLET-75: Provide a root-instance version of the ldap-attr (and
possibly the ldap-group) ACL schemes.
* KERB-63: Provide a root-instance version of the ldap-attr (and possibly
the ldap-group) ACL schemes.
* WALLET-81: Add a comment field to ACLs.
* KERB-86: Add a comment field to ACLs.
Database:
* WALLET-30: Fix case-insensitivity bug in unique keys with MySQL for
objects.
* KERB-55: Fix case-insensitivity bug in unique keys with MySQL for
objects. When creating an http/<host> principal when an HTTP/<host>
principal already existed, MySQL rejected the row entry as a duplicate.
The name should be case-sensitive.
* WALLET-31: On upgrades, support adding new object types and ACL
* KERB-103: On upgrades, support adding new object types and ACL
verifiers to the class tables.
Objects:
* WALLET-32: Check whether we can just drop the realm restriction on
* KERB-120: Check whether we can just drop the realm restriction on
keytabs and allow the name to contain the realm if the Kerberos type is
Heimdal.
* WALLET-33: Use the Perl Authen::Krb5::Admin module instead of rolling
our own kadmin code with Expect now that MIT Kerberos has made the
kadmin API public.
* KERB-59: Use the Perl Authen::Krb5::Admin module instead of rolling our
own kadmin code with Expect now that MIT Kerberos has made the kadmin
API public.
* WALLET-34: Implement an ssh keypair wallet object. The server can run
* KERB-85: Implement an ssh keypair wallet object. The server can run
ssh-keygen to generate a public/private key pair and return both to the
client, which would split them apart. Used primarily for host keys.
May need a side table to store key types, or a naming convention.
* WALLET-35: Implement an X.509 certificate object. I expect this would
* KERB-124: Implement an X.509 certificate object. I expect this would
store the public and private key as a single file in the same format
that Apache can read for combined public and private keys. There were
requests for storing the CSR, but I don't see why you'd want to do
......@@ -166,127 +165,127 @@ Objects:
here, but it would be nice to automatically support object expiration
based on the expiration time for the certificate.
* WALLET-36: Implement an X.509 CA so that you can get certificate
objects without storing them first. Need to resolve naming conventions
if you want to run multiple CAs on the same wallet server (but why?).
Should this be a different type than stored certificates? Consider
using hxtool as the underlying CA mechanism.
* KERB-106: Implement an X.509 CA so that you can get certificate objects
without storing them first. Need to resolve naming conventions if you
want to run multiple CAs on the same wallet server (but why?). Should
this be a different type than stored certificates? Consider using
hxtool as the underlying CA mechanism.
* WALLET-37: Support returning the checksum of a file object stored in
* KERB-77: Support returning the checksum of a file object stored in
wallet so that one can determine whether the version stored on disk is
identical.
* WALLET-60: Implement new password wallet object, which is like file
* KERB-108: Implement new password wallet object, which is like file
except that it generates a random, strong password when retrieved the
first time without being stored.
* WALLET-61: Support interrogating objects to find all host-based objects
* KERB-71: Support interrogating objects to find all host-based objects
for a particular host, allowing cleanup of all of those host's objects
after retiring the host.
* WALLET-76: Support setting the disallow-svr flag on created principals.
* KERB-127: Support setting the disallow-svr flag on created principals.
In general, support setting arbitrary principal flags.
Reports:
* WALLET-38: Add audit for references to unknown ACLs, possibly
introduced by previous versions before ACL deletion was checked with
database backends that don't do referential integrity.
* KERB-117: Add audit for references to unknown ACLs, possibly introduced
by previous versions before ACL deletion was checked with database
backends that don't do referential integrity.
* WALLET-39: Add report for all objects that have never been stored.
* KERB-105: Add report for all objects that have never been stored.
* WALLET-40: For objects tied to hostnames, report on objects referring
to hosts which do not exist. For the initial pass, this is probably
only keytab objects with names containing a slash where the part after
the slash looks like a hostname. This may need some configuration
help.
* KERB-122: For objects tied to hostnames, report on objects referring to
hosts which do not exist. For the initial pass, this is probably only
keytab objects with names containing a slash where the part after the
slash looks like a hostname. This may need some configuration help.
* WALLET-41: Make contrib/wallet-summary generic and include it in
* KERB-102: Make contrib/wallet-summary generic and include it in
wallet-report, with additional configuration in Wallet::Config.
Enhance it to report on any sort of object, not just on keytabs, and to
give numbers on downloaded versus not downloaded objects.
* WALLET-62: Write a tool to mail the owners of wallet objects, taking
the list of objects and the mail message to send as inputs. This could
* KERB-69: Write a tool to mail the owners of wallet objects, taking the
list of objects and the mail message to send as inputs. This could
possibly use the notification service, although a version that sends
mail directly would be useful external to Stanford.
* Merge the Commerzbank AG work to dump all the object history, applying
various search criteria to it, or clear parts of the object history.
* KERB-134: Merge the Commerzbank AG work to dump all the object history,
applying various search criteria to it, or clear parts of the object
history.
Administrative Interface:
* WALLET-42: Add a function to wallet-admin to purge expired entries.
* KERB-80: Add a function to wallet-admin to purge expired entries.
Possibly also check expiration before allowing anyone to get or store
objects.
* WALLET-3: Add a function or separate script to automate removal of
* KERB-58: Add a function or separate script to automate removal of
DNS-based objects for which the hosts no longer exist. Will need to
support a site-specific callout to determine whether the host exists.
* WALLET-66: Database creation appears not to work without the SQL files,
* KERB-54: Database creation appears not to work without the SQL files,
but it's supposed to work directly from the classes. Double-check
this.
Documentation:
* WALLET-43: Write a conventions document for ACL naming, object naming,
* KERB-82: Write a conventions document for ACL naming, object naming,
and similar issues.
* WALLET-44: Write a future design and roadmap document to collect notes
* KERB-125: Write a future design and roadmap document to collect notes
about how unimplemented features should be handled.
* WALLET-45: Document using the wallet system over something other than
* KERB-65: Document using the wallet system over something other than
remctl.
* WALLET-46: Document all diagnostics for all wallet APIs.
* KERB-112: Document all diagnostics for all wallet APIs.
* Document configuration with an Oracle database.
* KERB-135: Document configuration with an Oracle database.
Code Style and Cleanup:
* WALLET-47: There is a lot of duplicate code in wallet-backend. Convert
* KERB-98: There is a lot of duplicate code in wallet-backend. Convert
that to use some sort of data-driven model with argument count and
flags so that the method calls can be written only once. Convert
wallet-admin to use the same code.
* WALLET-48: There's a lot of code duplication in the dispatch functions
* KERB-100: There's a lot of code duplication in the dispatch functions
in the Wallet::Server class. Find a way to rewrite that so that the
dispatch doesn't duplicate the same code patterns.
* WALLET-49: The wallet-backend and wallet documentation share the
COMMANDS section. Work out some means to assemble the documentation
without duplicating content.
* KERB-73: The wallet-backend and wallet documentation share the COMMANDS
section. Work out some means to assemble the documentation without
duplicating content.
* WALLET-50: The Wallet::Config class is very ugly and could use some
* KERB-110: The Wallet::Config class is very ugly and could use some
better internal API to reference the variables in it.
* WALLET-52: Consider using Class::Accessor to get rid of the scaffolding
* KERB-76: Consider using Class::Accessor to get rid of the scaffolding
code to access object data. Alternately, consider using Moose.
* Rewrite the error handling to use exceptions instead of the C-style
return value and separate error call.
* KERB-130: Rewrite the error handling to use exceptions instead of the
C-style return value and separate error call.
Test Suite:
* WALLET-53: The ldap-attr verifier test case is awful and completely
* KERB-92: The ldap-attr verifier test case is awful and completely
specific to people with admin access to the Stanford LDAP tree. Write
a real test.
* WALLET-54: Rename the tests to use a subdirectory organization.
* KERB-87: Rename the tests to use a subdirectory organization.
* WALLET-55: Add POD coverage testing using Test::POD::Coverage for the
* KERB-61: Add POD coverage testing using Test::POD::Coverage for the
server modules.
* WALLET-56: Rewrite the client test suite to use Perl and to make better
* KERB-91: Rewrite the client test suite to use Perl and to make better
use of shared code so that it can be broken into function components.
* WALLET-57: Refactor the test suite for the wallet backend to try to
* KERB-74: Refactor the test suite for the wallet backend to try to
reduce the duplicated code. Using a real mock infrastructure should
make this test suite much easier to write.
* WALLET-58: Pull common test suite code into a Perl library that can be
* KERB-81: Pull common test suite code into a Perl library that can be
reused.
* WALLET-59: Write a test suite to scan all wallet code looking for
* KERB-99: Write a test suite to scan all wallet code looking for
diagnostics that aren't in the documentation and warn about them.
......@@ -21,7 +21,7 @@ If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically 'autoreconf'.])])
# longlong.m4 serial 17
dnl Copyright (C) 1999-2007, 2009-2013 Free Software Foundation, Inc.
dnl Copyright (C) 1999-2007, 2009-2014 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
......@@ -277,10 +277,9 @@ AC_SUBST([AR])dnl
# configured tree to be moved without reconfiguration.
AC_DEFUN([AM_AUX_DIR_EXPAND],
[dnl Rely on autoconf to set up CDPATH properly.
AC_PREREQ([2.50])dnl
# expand $ac_aux_dir to an absolute path
am_aux_dir=`cd $ac_aux_dir && pwd`
[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`
])
# AM_CONDITIONAL -*- Autoconf -*-
......
.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
......@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-REKEY 1"
.TH WALLET-REKEY 1 "2014-07-16" "1.1" "wallet"
.TH WALLET-REKEY 1 "2014-12-08" "1.2" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
......@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET 1"
.TH WALLET 1 "2014-07-16" "1.1" "wallet"