Commit 9e1b2108 authored by Bill MacAllister

Merge branch 'master' into ad-keytabs

Conflicts:
	NEWS
parents 2a03ce35 802e47e8
sudo: required
dist: trusty
language: c
compiler:
- gcc
before_install:
- sudo apt-get update -qq
- sudo apt-get install -y libauthen-sasl-perl libcrypt-generatepassword-perl libdatetime-perl libdatetime-format-sqlite-perl libdbd-sqlite3-perl libdbi-perl libdbix-class-perl libheimdal-kadm5-perl libjson-perl libkrb5-dev libnet-dns-perl libnet-ldap-perl libnet-remctl-perl libperl6-slurp-perl libremctl-dev libsql-translator-perl libtest-minimumversion-perl libtest-pod-perl libtest-strict-perl libtimedate-perl libwebauth-perl perl sqlite3
env: AUTHOR_TESTING=1
script: ./autogen && ./configure && make warnings && make check
branches:
only:
- master
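Review bot: `branches: only: - master` means Travis will never build the ad-keytabs branch this merge lands on, so the Active Directory keytab work gets no CI until it reaches master; drop the restriction or add the branch while the work is in progress. The `before_install` package list also installs libjson-perl and libperl6-slurp-perl but no package for Net::Duo, which the README hunk in this same commit lists as required for Duo object support, and nothing providing msktutil, which the NEWS entry names as the AD keytab mechanism; if `make check` skips those tests when the modules are absent that is acceptable, but it should be stated, otherwise those code paths are simply untested here.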
...@@ -2,10 +2,33 @@ ...@@ -2,10 +2,33 @@
wallet 1.3 (unreleased) wallet 1.3 (unreleased)
A new ACL type, nested (Wallet::ACL::Nested), is now supported. The
identifier of this ACL names another ACL, and access is granted if
that ACL would grant access. This lets one combine multiple other
ACLs and apply the union to an object. To enable this ACL type for an
existing wallet database, use wallet-admin to register the new
verifier.
A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
A new variation on the ldap-attr ACL type, ldap-attr-root
(Wallet::ACL::LDAP::Attribute::Root), is now supported. This is
similar to netdb-root (compared to netdb): the authenticated principal
must end in /root, and the LDAP entry checked will be for the same
principal without the /root component. This is useful for limiting
access to certain privileged objects to Kerberos root instances. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
A new object type, password (Wallet::Object::Password), is now A new object type, password (Wallet::Object::Password), is now
supported. This is a subclass of the file object that will randomly supported. This is a subclass of the file object that will randomly
generate content for the object if you do a get before storing any generate content for the object if you do a get before storing any
content inside it. content inside it. To enable this object type for an existing
database, use wallet-admin to register the new object.
Add a new command to wallet-backend, update. This will update the Add a new command to wallet-backend, update. This will update the
contents of an object before running a get on it, and is only valid contents of an object before running a get on it, and is only valid
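Review bot: the nested ACL entry says access is granted if the named ACL would grant it, but nothing here says what happens when ACLs nest each other (A nests B, B nests A) or nest themselves; the verifier needs a cycle guard or a depth limit, and the NEWS text should mention it, since nothing in this hunk says the ACL operations reject such a loop. For the external ACL, state that the principal and the ACL identifier are handed to the command as separate arguments rather than interpolated into a shell string, since the identifier is arbitrary admin-supplied text and the command runs with the server's privileges.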
...@@ -17,7 +40,8 @@ wallet 1.3 (unreleased) ...@@ -17,7 +40,8 @@ wallet 1.3 (unreleased)
warrants. warrants.
Add an acl replace command, to change all objects owned by one ACL to Add an acl replace command, to change all objects owned by one ACL to
be owned by another. be owned by another. This currently only handles owner, not any of
the more specific ACLs.
All ACL operations now refer to the ACL by name rather than ID. All ACL operations now refer to the ACL by name rather than ID.
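Review bot: the added caveat that acl replace only changes the owner is the right thing to record, but it also belongs in the command's own help and documentation, not only in NEWS; an admin retiring an ACL will otherwise assume every reference has moved and delete the old ACL while the more specific ACLs still point at it.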
...@@ -25,11 +49,20 @@ wallet 1.3 (unreleased) ...@@ -25,11 +49,20 @@ wallet 1.3 (unreleased)
help for the existing unused report that implied it showed unstored as help for the existing unused report that implied it showed unstored as
well as unused. well as unused.
Add reports that list all object types (types) and all ACL schemes
(schemes) currently registered in the wallet database.
Add a report of all ACLs that nest a given ACL. This requires some
additional local configuration (and probably some code). See
Wallet::Config for more information.
Took contributions from Commerzbank AG to improve wallet history. Add Took contributions from Commerzbank AG to improve wallet history. Add
a command to dump all object history for searching on to a command to dump all object history for searching on to
wallet-report, and add a new script for more detailed object history wallet-report, and add a new script for more detailed object history
operations to the contrib directory. operations to the contrib directory.
Displays of ACLs and ACL entries are now sorted correctly.
Initial support for using Active Directory as the KDC for keytab Initial support for using Active Directory as the KDC for keytab
creation. The interface to Active Directory uses a combination of creation. The interface to Active Directory uses a combination of
direct LDAP queries and the msktutil utility. This version does direct LDAP queries and the msktutil utility. This version does
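Review bot: the entry for the report of ACLs that nest a given ACL says it "requires some additional local configuration (and probably some code)", which is too vague for a NEWS file; name the Wallet::Config setting that has to be defined and say what the site-supplied code is expected to return, otherwise readers sent to Wallet::Config will not know which section applies. Suggested wording: "Add a report of all ACLs that nest a given ACL. This requires defining <setting> in Wallet::Config; see that module for the interface."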
...@@ -109,7 +109,10 @@ REQUIREMENTS ...@@ -109,7 +109,10 @@ REQUIREMENTS
WebAuth Perl module from WebAuth 4.4.0 or later. WebAuth Perl module from WebAuth 4.4.0 or later.
The Duo integration object support in the wallet server requires the The Duo integration object support in the wallet server requires the
Net::Duo Perl module. Net::Duo, JSON, and Perl6::Slurp Perl modules.
The password object support in the wallet server requires the
Crypt::GeneratePassword Perl module.
To support the LDAP attribute ACL verifier, the Authen::SASL and To support the LDAP attribute ACL verifier, the Authen::SASL and
Net::LDAP Perl modules must be installed on the server. This verifier Net::LDAP Perl modules must be installed on the server. This verifier
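Review bot: since Crypt::GeneratePassword is being introduced to generate the content of password objects, the new requirement line should say whether the module is used with its default random source or a cryptographic one; that decides whether the generated secrets are adequate for the privileged objects described in NEWS, and the README is where a deployer will look for it. The same hunk adds JSON and Perl6::Slurp to the Duo requirement, so those two modules need to appear wherever Net::Duo is listed as a packaging dependency.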
...@@ -2,290 +2,265 @@ ...@@ -2,290 +2,265 @@
Client: Client:
* KERB-94: Handle duplicate kvnos in a newly returned keytab and an * Handle duplicate kvnos in a newly returned keytab and an existing
existing keytab (such as when downloading an unchanging keytab and keytab (such as when downloading an unchanging keytab and merging it
merging it into an existing one) in some reasonable fashion. into an existing one) in some reasonable fashion.
* KERB-90: Support removing old kvnos from a merged keytab (similar to * Support removing old kvnos from a merged keytab (similar to kadmin
kadmin ktremove old). ktremove old).
* KERB-88: When reading configuration from krb5.conf, we should first try * When reading configuration from krb5.conf, we should first try to
to determine our principal from any existing Kerberos ticket cache determine our principal from any existing Kerberos ticket cache (after
(after obtaining tickets if -u was given) and extract the realm from obtaining tickets if -u was given) and extract the realm from that
that principal, using it as the default realm when reading principal, using it as the default realm when reading configuration
configuration information. information.
* KERB-89: Add readline support to the wallet client to make it easier to * Add readline support to the wallet client to make it easier to issue
issue multiple commands. multiple commands.
* KERB-115: Support authenticating with a keytab. * Support authenticating with a keytab.
* KERB-97: When obtaining tickets in the wallet client with -u, directly * When obtaining tickets in the wallet client with -u, directly obtain
obtain the service ticket we're going to use for remctl. the service ticket we're going to use for remctl.
* KERB-95: Provide a way to refresh a file object if and only if what's * Provide a way to refresh a file object if and only if what's stored on
stored on the server is different than what's on disk. This will the server is different than what's on disk. This will require server
require server support as well for returning the checksum of a file. support as well for returning the checksum of a file.
* KERB-104: Incorporate the wallet-rekey-periodic script (currently in * Incorporate the wallet-rekey-periodic script (currently in contrib)
contrib) into the package and teach it how to ignore foreign into the package and teach it how to ignore foreign credentials.
credentials.
Server Interface: Server Interface:
* KERB-126: Provide a way to get history for deleted objects and ACLs. * Provide a way to get history for deleted objects and ACLs.
* KERB-66: Provide an interface to mass-change all instances of one ACL * Provide an interface to mass-change all instances of one ACL to
to another. another. (Owner changes are currently supported, but not the other
ACLs.)
* KERB-96: Add help functions to wallet-backend, wallet-report, and * Add help functions to wallet-backend and wallet-admin listing the
wallet-admin listing the commands. commands.
* KERB-52: Catch exceptions on object creation in wallet-backend so that * Catch exceptions on object creation in wallet-backend so that we can
we can log those as well. log those as well.
* KERB-114: Provide a way to list all objects for which the connecting * Provide a way to list all objects for which the connecting user has
user has ACLs. ACLs.
* KERB-101: Support limiting returned history information by timestamp. * Support limiting returned history information by timestamp.
* KERB-128: Provide a REST implementation of the wallet server. * Provide a REST implementation of the wallet server.
* KERB-79: Provide a CGI implementation of the wallet server. * Provide a CGI implementation of the wallet server.
* KERB-111: Support setting flags and attributes on autocreate. In * Support setting flags and attributes on autocreate. In general, work
general, work out a Wallet::Object::Template Perl object that I can out a Wallet::Object::Template Perl object that I can return that
return that specifies things other than just the ACL. specifies things other than just the ACL.
* KERB-93: Remove the hard-coded ADMIN ACL in the server with something * Remove the hard-coded ADMIN ACL in the server with something more
more configurable, perhaps a global ACL table or something. configurable, perhaps a global ACL table or something.
* KERB-68: Support leap-of-faith keying of systems by registering an * Support leap-of-faith keying of systems by registering an object for
object for one-time download (ideally from a specific IP address) and one-time download (ideally from a specific IP address) and then
then allowing that object to be downloaded anonymously from that IP. allowing that object to be downloaded anonymously from that IP. Relies
Relies on support for Kerberos anonymous authentication. on support for Kerberos anonymous authentication.
* KERB-84: Split "get" and "update" in semantics, and only do keytab * Split "get" and "update" in semantics, and only do keytab rekeying on
rekeying on update. "get" would not be permitted unless the keytab was update. "get" would not be permitted unless the keytab was flagged as
flagged as unchanging, and update would still change even an unchanging unchanging, and update would still change even an unchanging keytab
keytab (maybe). Or, alternately, maybe we allow get of any keytab? (maybe). Or, alternately, maybe we allow get of any keytab? Requires
Requires more thought. more thought.
* KERB-118: Add command to list available types and schemes. * Add a mechanism to automate owner updates based on default_owner.
* KERB-75: Add a mechanism to automate owner updates based on * Partially merge create and autocreate. create and autocreate should do
default_owner. the same thing provided there is an autocreation configuration
available. If not, autocreate should fail and create should fall back
on checking for ADMIN privileges.
* KERB-64: Partially merge create and autocreate. create and autocreate * Rewrite server backends to use Net::Remctl::Backend.
should do the same thing provided there is an autocreation
configuration available. If not, autocreate should fail and create
should fall back on checking for ADMIN privileges.
* KERB-116: Support file object renaming. * Merge the Wallet::Logger support written by Commerzbank AG: create a
new class that handles logging, probably based on Log::Log4perl, and
add logging points to all of the core classes.
* KERB-131: Rewrite server backends to use Net::Remctl::Backend. * Support an authorization hook to determine whether or not to permit
autocreate. One requested example feature is to limit autocreate of
* KERB-132: Merge the Wallet::Logger support written by Commerzbank AG: keytab objects to certain hosts involved in deployment. It should be
create a new class that handles logging, probably based on possible to write a hook that takes the information about what object
Log::Log4perl, and add logging points to all of the core classes. is being autocreated and can accept or decline.
* KERB-133: Support an authorization hook to determine whether or not to
permit autocreate. One requested example feature is to limit
autocreate of keytab objects to certain hosts involved in deployment.
It should be possible to write a hook that takes the information about
what object is being autocreated and can accept or decline.
ACLs: ACLs:
* KERB-119: Error messages from ACL operations should refer to the ACLs * Error messages from ACL operations should refer to the ACLs by name
by name instead of by ID. instead of by ID.
* KERB-121: Write the PTS ACL verifier.
* KERB-123: Rename Wallet::ACL::* to Wallet::Verifier::*. Add * Write the PTS ACL verifier.
Wallet::ACL as a generic interface with Wallet::ACL::Database and
Wallet::ACL::List implementations (or some similar name) so that we can
create and check an ACL without having to write it into the database.
Redo default ACL creation using that functionality.
* KERB-67: Pass a reference to the object for which the ACL is * Rename Wallet::ACL::* to Wallet::Verifier::*. Add Wallet::ACL as a
interpreted to the ACL API so that ACL APIs can make more complex generic interface with Wallet::ACL::Database and Wallet::ACL::List
decisions. implementations (or some similar name) so that we can create and check
an ACL without having to write it into the database. Redo default ACL
creation using that functionality.
* KERB-109: A group-in-groups ACL schema. * Pass a reference to the object for which the ACL is interpreted to the
ACL API so that ACL APIs can make more complex decisions.
* KERB-113: Provide an API for verifiers to syntax-check the values * Provide an API for verifiers to syntax-check the values before an ACL
before an ACL is set and implement syntax checking for the krb5 and is set and implement syntax checking for the krb5 and ldap-attr
ldap-attr verifiers. verifiers.
* KERB-60: Investigate how best to support client authentication using * Investigate how best to support client authentication using anonymous
anonymous PKINIT for things like initial system keying. PKINIT for things like initial system keying.
* KERB-72: Generalize the current NetDB ACL type to allow a generic * Generalize the current NetDB ACL type to allow a generic remctl query
remctl query for whether a particular user is authorized to create for whether a particular user is authorized to create host-based
host-based objects for a particular host. objects for a particular host.
* KERB-78: Add ldap-group ACL scheme. * Add ldap-group ACL scheme (and possibly a root-only version).
* KERB-63: Provide a root-instance version of the ldap-attr (and possibly * Add a comment field to ACLs.
the ldap-group) ACL schemes.
* KERB-86: Add a comment field to ACLs. * Support external ACLs under a backend other than remctl. This will
require some way of re-exporting the authenticated user identity
instead of relying on the existence of the remctl variables.
Database: Database:
* KERB-55: Fix case-insensitivity bug in unique keys with MySQL for * Fix case-insensitivity bug in unique keys with MySQL for objects. When
objects. When creating an http/<host> principal when an HTTP/<host> creating an http/<host> principal when an HTTP/<host> principal already
principal already existed, MySQL rejected the row entry as a duplicate. existed, MySQL rejected the row entry as a duplicate. The name should
The name should be case-sensitive. be case-sensitive.
* KERB-103: On upgrades, support adding new object types and ACL * On upgrades, support adding new object types and ACL verifiers to the
verifiers to the class tables. class tables.
Objects: Objects:
* KERB-120: Check whether we can just drop the realm restriction on * Check whether we can just drop the realm restriction on keytabs and
keytabs and allow the name to contain the realm if the Kerberos type is allow the name to contain the realm if the Kerberos type is Heimdal.
Heimdal.
* KERB-59: Use the Perl Authen::Krb5::Admin module instead of rolling our * Use the Perl Authen::Krb5::Admin module instead of rolling our own
own kadmin code with Expect now that MIT Kerberos has made the kadmin kadmin code with Expect now that MIT Kerberos has made the kadmin API
API public. public.
* KERB-85: Implement an ssh keypair wallet object. The server can run * Implement an ssh keypair wallet object. The server can run ssh-keygen
ssh-keygen to generate a public/private key pair and return both to the to generate a public/private key pair and return both to the client,
client, which would split them apart. Used primarily for host keys. which would split them apart. Used primarily for host keys. May need
May need a side table to store key types, or a naming convention. a side table to store key types, or a naming convention.
* KERB-124: Implement an X.509 certificate object. I expect this would * Implement an X.509 certificate object. I expect this would store the
store the public and private key as a single file in the same format public and private key as a single file in the same format that Apache
that Apache can read for combined public and private keys. There were can read for combined public and private keys. There were requests for
requests for storing the CSR, but I don't see why you'd want to do storing the CSR, but I don't see why you'd want to do that. Start with
that. Start with store support. The file code is mostly sufficient store support. The file code is mostly sufficient here, but it would
here, but it would be nice to automatically support object expiration be nice to automatically support object expiration based on the
based on the expiration time for the certificate. expiration time for the certificate.
* KERB-106: Implement an X.509 CA so that you can get certificate objects * Implement an X.509 CA so that you can get certificate objects without
without storing them first. Need to resolve naming conventions if you storing them first. Need to resolve naming conventions if you want to
want to run multiple CAs on the same wallet server (but why?). Should run multiple CAs on the same wallet server (but why?). Should this be
this be a different type than stored certificates? Consider using a different type than stored certificates? Consider using hxtool as
hxtool as the underlying CA mechanism. the underlying CA mechanism.
* KERB-77: Support returning the checksum of a file object stored in * Support returning the checksum of a file object stored in wallet so
wallet so that one can determine whether the version stored on disk is that one can determine whether the version stored on disk is identical.
identical.
* KERB-108: Implement new password wallet object, which is like file * Support setting the disallow-svr flag on created principals. In
except that it generates a random, strong password when retrieved the general, support setting arbitrary principal flags.
first time without being stored.
* KERB-71: Support interrogating objects to find all host-based objects
for a particular host, allowing cleanup of all of those host's objects
after retiring the host.
* KERB-127: Support setting the disallow-svr flag on created principals.
In general, support setting arbitrary principal flags.
Reports: Reports:
* KERB-117: Add audit for references to unknown ACLs, possibly introduced * Add audit for references to unknown ACLs, possibly introduced by
by previous versions before ACL deletion was checked with database previous versions before ACL deletion was checked with database
backends that don't do referential integrity. backends that don't do referential integrity.
* KERB-105: Add report for all objects that have never been stored. * For objects tied to hostnames, report on objects referring to hosts
which do not exist. For the initial pass, this is probably only keytab
* KERB-122: For objects tied to hostnames, report on objects referring to objects with names containing a slash where the part after the slash
hosts which do not exist. For the initial pass, this is probably only looks like a hostname. This may need some configuration help.
keytab objects with names containing a slash where the part after the
slash looks like a hostname. This may need some configuration help.
* KERB-102: Make contrib/wallet-summary generic and include it in * Make contrib/wallet-summary generic and include it in wallet-report,
wallet-report, with additional configuration in Wallet::Config. with additional configuration in Wallet::Config. Enhance it to report
Enhance it to report on any sort of object, not just on keytabs, and to on any sort of object, not just on keytabs, and to give numbers on
give numbers on downloaded versus not downloaded objects. downloaded versus not downloaded objects.
* KERB-69: Write a tool to mail the owners of wallet objects, taking the * Write a tool to mail the owners of wallet objects, taking the list of
list of objects and the mail message to send as inputs. This could objects and the mail message to send as inputs. This could possibly
possibly use the notification service, although a version that sends use the notification service, although a version that sends mail
mail directly would be useful external to Stanford. directly would be useful external to Stanford.
* KERB-134: Merge the Commerzbank AG work to dump all the object history, * Merge the Commerzbank AG work to dump all the object history, applying
applying various search criteria to it, or clear parts of the object various search criteria to it, or clear parts of the object history.
history.
Administrative Interface: Administrative Interface:
* KERB-80: Add a function to wallet-admin to purge expired entries. * Add a function to wallet-admin to purge expired entries. Possibly also
Possibly also check expiration before allowing anyone to get or store check expiration before allowing anyone to get or store objects.
objects.
* KERB-58: Add a function or separate script to automate removal of * Add a function or separate script to automate removal of DNS-based
DNS-based objects for which the hosts no longer exist. Will need to objects for which the hosts no longer exist. Will need to support a
support a site-specific callout to determine whether the host exists. site-specific callout to determine whether the host exists.
* KERB-54: Database creation appears not to work without the SQL files, * Database creation appears not to work without the SQL files, but it's
but it's supposed to work directly from the classes. Double-check supposed to work directly from the classes. Double-check this.
this.
Documentation: Documentation:
* KERB-82: Write a conventions document for ACL naming, object naming, * Write a conventions document for ACL naming, object naming, and similar
and similar issues. issues.
* KERB-125: Write a future design and roadmap document to collect notes * Write a future design and roadmap document to collect notes about how
about how unimplemented features should be handled. unimplemented features should be handled.
* KERB-65: Document using the wallet system over something other than * Document using the wallet system over something other than remctl.
remctl.
* KERB-112: Document all diagnostics for all wallet APIs. * Document all diagnostics for all wallet APIs.
* KERB-135: Document configuration with an Oracle database. * Document configuration with an Oracle database.
Code Style and Cleanup: Code Style and Cleanup:
* KERB-98: There is a lot of duplicate code in wallet-backend. Convert * There is a lot of duplicate code in wallet-backend. Convert that to
that to use some sort of data-driven model with argument count and use some sort of data-driven model with argument count and flags so
flags so that the method calls can be written only once. Convert that the method calls can be written only once. Convert wallet-admin
wallet-admin to use the same code. to use the same code.
* KERB-100: There's a lot of code duplication in the dispatch functions * There's a lot of code duplication in the dispatch functions in the
in the Wallet::Server class. Find a way to rewrite that so that the Wallet::Server class. Find a way to rewrite that so that the dispatch
dispatch doesn't duplicate the same code patterns. doesn't duplicate the same code patterns.
* KERB-73: The wallet-backend and wallet documentation share the COMMANDS * The wallet-backend and wallet documentation share the COMMANDS section.
section. Work out some means to assemble the documentation without Work out some means to assemble the documentation without duplicating
duplicating content. content.
* KERB-110: The Wallet::Config class is very ugly and could use some * The Wallet::Config class is very ugly and could use some better
better internal API to reference the variables in it. internal API to reference the variables in it.
* KERB-76: Consider using Class::Accessor to get rid of the scaffolding * Consider using Class::Accessor to get rid of the scaffolding code to
code to access object data. Alternately, consider using Moose. access object data. Alternately, consider using Moose.
* KERB-130: Rewrite the error handling to use exceptions instead of the * Rewrite the error handling to use exceptions instead of the C-style
C-style return value and separate error call. return value and separate error call.
Test Suite: Test Suite:
* KERB-92: The ldap-attr verifier test case is awful and completely * The ldap-attr verifier test case is awful and completely specific to
specific to people with admin access to the Stanford LDAP tree. Write people with admin access to the Stanford LDAP tree. Write a real test.
a real test.
* KERB-87: Rename the tests to use a subdirectory organization. * Rename the tests to use a subdirectory organization.
* KERB-61: Add POD coverage testing using Test::POD::Coverage for the * Add POD coverage testing using Test::POD::Coverage for the server
server modules. modules.
* KERB-91: Rewrite the client test suite to use Perl and to make better * Rewrite the client test suite to use Perl and to make better use of
use of shared code so that it can be broken into function components. shared code so that it can be broken into function components.
* KERB-74: Refactor the test suite for the wallet backend to try to * Refactor the test suite for the wallet backend to try to reduce the
reduce the duplicated code. Using a real mock infrastructure should duplicated code. Using a real mock infrastructure should make this
make this test suite much easier to write. test suite much easier to write.
* KERB-81: Pull common test suite code into a Perl library that can be * Pull common test suite code into a Perl library that can be reused.
reused.
* KERB-99: Write a test suite to scan all wallet code looking for * Write a test suite to scan all wallet code looking for diagnostics that
diagnostics that aren't in the documentation and warn about them. aren't in the documentation and warn about them.
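Review bot: several items leave the TODO without a matching NEWS entry visible in this diff: KERB-116 (file object renaming), KERB-71 (finding all host-based objects for a host) and KERB-105 (report of never-stored objects, which may be the unstored report the NEWS hunk alludes to but does not show). KERB-118, KERB-108 and KERB-109 do line up with the types/schemes reports, the password object and the nested ACL in NEWS, and the root-only half of KERB-63 survives in the reworded ldap-group item, so the remaining three should be confirmed as implemented rather than silently dropped. Stripping the KERB-nnn prefixes also removes the only cross-reference to the issue tracker; if that tracker is no longer in use, a one-line note at the top of the file saying so would save the next reader from searching for it.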
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
# Modules and declarations # Modules and declarations
############################################################################## ##############################################################################
use 5.010; use 5.008;
use autodie; use autodie;
use strict; use strict;
use warnings; use warnings;
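Review bot: lowering `use 5.010` to `use 5.008` is inconsistent with the `use autodie` on the following line: autodie only joined the Perl core in 5.10.1, so on a real 5.8 interpreter this script needs autodie from CPAN, and the package's dependency documentation should say so. The change is presumably to satisfy Test::MinimumVersion under the AUTHOR_TESTING=1 Travis environment added in this merge, which is fine provided the rest of the file uses no 5.10-only syntax such as say or the // operator.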
...@@ -174,7 +174,7 @@ if ($mail) { ...@@ -174,7 +174,7 @@ if ($mail) {
############################################################################## ##############################################################################
=for stopwords =for stopwords
ACL NetDB SQL hostname lookup swhois whois Allbery ACL NetDB SQL hostname lookup swhois whois Allbery -dryrun
=head1 NAME =head1 NAME
...@@ -13,7 +13,7 @@ Introduction ...@@ -13,7 +13,7 @@ Introduction
Syntax Syntax
An ACL entry in the wallet consists of two pieces of data, a <scheme>