NEWS

                       User-Visible wallet Changes

wallet 1.3 (xxxx-xx-xx)

    A new object type, password (Wallet::Object::Password), is now 
    supported.  This is a subclass of the file object that will randomly 
    generate content for the object if you do a get before storing any
    content inside it.

    Added a new command to wallet-backend, update.  This will update the
    contents of an object before running a get on it, and is only valid
    for objects that can automatically get new content, such as keytab
    and password objects.  A keytab will get a new kvno regardless of 
    the unchanging flag if called with update.  In a future release get
    will be changed to never update a keytab, and the unchanging flag
    will be ignored.  Please start moving to use get or update as the
    situation warrants.

    Added an acl replace command, to change all objects owned by one ACL
    to be owned by another.

    All ACL operations now refer to the ACL by name rather than ID.

    Added a report for unstored objects to wallet-report, and cleaned up
    the help for the existing unused report that implied it showed
    unstored as well as unused.

    Took contributions from Commerzbank AG on the wallet history.  Added 
    a command to dump all object history for searching on to 
    wallet-report, and added a new script for more detailed object 
    history operations to the contrib directory.

wallet 1.2 (2014-12-08)

    The duo object type has been split into several sub-types, each for a
    specific type of Duo integration.  The old type's functionality has
    been moved to duo-pam (Wallet::Object::Duo::PAM), and new types are
    supported for Duo's auth proxy configurations for LDAP and Radius, and
    their RDP configuration.  These types are duo-radius, duo-ldap, and
    duo-rdp (Wallet::Object::Duo::RadiusProxy,
    Wallet::Object::Duo::LDAPProxy, and Wallet::Object::Duo::RDP).  The
    old duo type still exists for compatability.  To enable these object
    types for an existing wallet database, use wallet-admin to register the
    new object.

    New rename command for file type objects.  This will change the name
    of the object itself and move any stored data for the file to the
    correct location for the new name.  Currently, rename is only
    supported for file objects, but may be supported by other backends in
    the future.

wallet 1.1 (2014-07-16)

    A new object type, duo (Wallet::Object::Duo), is now supported.  This
    creates an integration with the Duo Security cloud multifactor
    authentication service and allows retrieval of the integration key,
    secret key, and admin hostname.  Currently, only UNIX integration
    types are supported.  The Net::Duo Perl module is required to use this
    object type.  New configuration settings are required as well; see
    Wallet::Config for more information.  To enable this object type for
    an existing wallet database, use wallet-admin to register the new
    object.

    The owner and getacl commands now return the current name of the ACL
    instead of its numeric ID, matching the documentation of owner.

    The date passed to expires can now be any date format understood by
    Date::Parse, and Date::Parse (part of the TimeDate CPAN distribution)
    is now a required prerequisite for the wallet server.

    Fix wallet-rekey on keytabs containing multiple principals.  Previous
    versions assumed one could concatenate keytab files together to make a
    valid keytab file, which doesn't work with some Kerberos libraries.
    This caused new keys downloaded for principals after the first to be
    discarded.  As a side effect of this fix, wallet-rekey always appends
    new keys directly to the existing keytab file, and never creates a
    backup copy of that file.

    Fix the code to set enctype restrictions for keytab objects in the
    wallet server and populate the reference table for valid enctypes on
    initial database creation.

    Fix the Wallet::Config documentation for the ldap-attr verifier to
    reference an ldap_map_principal hook, not ldap_map_attribute, matching
    the implementation.

    When creating new principals in a Heimdal KDC, generate a long, random
    password as the temporary password of the disabled principal before
    randomizing keys.  This is necessary if password quality is being
    enforced on create calls.  Since the principal is always inactive
    until the keys have been randomized, the password should not need to
    be secure (and indeed is not cryptographically random).

    Previous versions had erroneous foreign key constraints between the
    object history table and the objects table.  Remove those constraints,
    and an incorrect linkage in the schema for the ACL history, and add
    indices for the object type, name, and ACL instead.

    Pass in DateTime objects for the date fields in the database instead
    of formatted time strings.  This provides better compatibility with
    different database engines.  Document in README the need to install
    the DateTime::Format::* module corresponding to the DBD::* module used
    for the server database.

    ACL renames are now recorded in the ACL history.

    Fix wallet-backend parsing of the expires command to expect only one
    argument as the expiration.  This was correctly documented in the
    wallet client man page, but not in wallet-backend, and it accepted two
    arguments (a date and time).  However, Wallet::Server did not and
    would just ignore the time.  Now wallet-backend correctly requires the
    date and time be passed as a single argument.

    Fix the ordering of table drops during a wallet-admin destroy action
    to remove tables with foreign key references before the tables they
    are referencing.  Should fix destroy in MySQL and other database
    engines that enforce referential integrity.

    The wallet server now requires Perl 5.8 or later (instead of 5.006 in
    previous versions) and is now built with Module::Build instead of
    ExtUtils::MakeMaker.  This should be transparent to anyone not working
    with the source code, since Perl 5.8 was released in 2002, but
    Module::Build is now required to build the wallet server.  It is
    included in some versions of Perl, or can be installed separately from
    CPAN, distribution packages, or other sources.

    Add a new contrib script, wallet-rekey-periodic, which is used at
    Stanford to periodically rekey hosts from cron.

    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.
    * Assume calloc initializes pointers to NULL.
    * Assume free(NULL) is properly ignored.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.

    Update to C TAP Harness 3.1:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

wallet 1.0 (2013-03-27)

    Owners of wallet objects are now allowed to destroy them.  In previous
    versions, a special destroy ACL had to be set and the owner ACL wasn't
    used for destroy actions, but operational experience at Stanford has
    shown that letting owners destroy their own objects is a better model.

    wallet-admin has a new sub-command, upgrade, which upgrades the wallet
    database to the latest schema version.  This command should be run
    when deploying any new version of the wallet server.

    A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
    supported.  This ACL type grants access if the LDAP entry
    corresponding to the principal contains the attribute name and value
    specified in the ACL.  The Net::LDAP and Authen::SASL Perl modules are
    required to use this ACL type.  New configuration settings are
    required as well; see Wallet::Config for more information.  To enable
    this ACL type for an existing wallet database, use wallet-admin to
    register the new verifier.

    A new object type, wa-keyring (Wallet::Object::WAKeyring), is now
    supported.  This stores a WebAuth keyring and handles both key
    rotation and garbage collection of old keys on retrieval of the
    keyring.  The WebAuth Perl module is required to use this object
    type.  To enable this object type for an existing wallet database, use
    wallet-admin to register the new object.

    Add a new acl check command which, given an ACL ID, prints yes if that
    ACL already exists and no otherwise.  This is parallel to the check
    command for objects.

    Add a comment field to objects and corresponding commands to
    wallet-backend and wallet to set and retrieve it.  The comment field
    can only be set by the owner or wallet administrators but can be seen
    by anyone on the show ACL.

    The wallet server backend now uses DBIx::Class for the database layer,
    which means that DBIx::Class and SQL::Translator and all of their
    dependencies now have to be installed for the server to work.  If the
    database in use is SQLite 3, DateTime::Format::SQLite should also be
    installed.

    Add docs/objects-and-schemes, which provides a brief summary of the
    current supported object types and ACL schemes.

    The Stanford wallet object and ACL naming policy is now available in
    code form as the Wallet::Policy::Stanford module, which is installed
    as part of the server.  As-is, it is only useful for sites that want
    to adopt an identical naming policy (and will still require overriding
    some of the internal data, like group names), but it may provide a
    useful code example for others wanting to do something similar.

    Update to rra-c-util 4.8:

    * Look for krb5-config in /usr/kerberos/bin after the user's PATH.
    * Kerberos library probing fixes without transitive shared libraries.
    * Fix Autoconf warnings when probing for AIX's bundled Kerberos.
    * Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
    * Correctly remove -I/usr/include from Kerberos and GSS-API flags.
    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Pass --deps to krb5-config unless --enable-reduced-depends was used.
    * Do not use krb5-config results unless gssapi is supported.
    * Fix probing for Heimdal's libroken to work with older versions.
    * Update warning flags for GCC 4.6.1.
    * Update utility library and test suite for newer GCC warnings.
    * Fix broken GCC attribute markers causing compilation problems.
    * Suppress warnings on compilers that support gcc's __attribute__.
    * Add notices to all files copied over from rra-c-util.
    * Fix warnings when reporting memory allocation failure in messages.c.
    * Fix message utility library compiler warnings on 64-bit systems.
    * Include strings.h for additional POSIX functions where found.
    * Use an atexit handler to clean up after Kerberos tests.
    * Kerberos test configuration now goes in tests/config.
    * The principal of the test keytab is determined automatically.
    * Simplify the test suite calls for Kerberos and remctl tests.
    * Check for a missing ssize_t.
    * Improve the xstrndup utility function.
    * Checked asprintf variants are now void functions and cannot fail.
    * Fix use of long long in portable/mkstemp.c.
    * Fix test suite portability to Solaris.
    * Substantial improvements to the POD syntax and spelling checks.

    Update to C TAP Harness 1.12:

    * Fix compliation of runtests with more aggressive warnings.
    * Add a more complete usage message and a -h command-line flag.
    * Flush stderr before printing output from tests.
    * Better handle running shell tests without BUILD and SOURCE set.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * runtests now frees all allocated resources on exit.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Suppress warnings on compilers that support gcc's __attribute__.

wallet 0.12 (2010-08-25)

    New client program wallet-rekey that, given a list of keytabs on the
    command line, requests new keytab objects for each principal in the
    local realm and then merges the new objects into that keytab.  The
    current implementation only acquires new keys and doesn't purge any
    old keys.

    A new ACL type, krb5-regex, is now supported.  This ACL type is the
    same as krb5 except that the identifier is interpreted as a Perl
    regular expression and matched against the authenticated identity
    attempting to run a wallet command.  Patch from Ian Durkacz.

    Add a objects unused report to wallet-report and Wallet::Report,
    returning all objects that have never been downloaded (in other words,
    have never been the target of a get command).

    Add an acls duplicate report to wallet-report and Wallet::Report,
    returning sets of ACLs that have exactly the same entries.

    Add a help command to wallet-report, which returns a summary of all
    available commands.

    Update to C TAP Harness 1.5:

    * Better reporting of fatal errors in the test suite.
    * Summarize results at the end of test execution.
    * Add tests/HOWTO from docs/writing-tests in C TAP Harness.

    Update to rra-c-util 2.6:

    * Fix portability to bundled Heimdal on OpenBSD.
    * Improve checking for krb5_kt_free_entry with older MIT Kerberos.
    * Fix portability for missing krb5_get_init_creds_opt_free.
    * Fix header guard for util/xwrite.h.
    * Restore default compiler configuration after GSS-API library probe.

wallet 0.11 (2010-03-08)

    When deleting an ACL on the server, verify that the ACL is not
    referenced by any object first.  Database referential integrity should
    also catch this, but not all database backends may enforce referential
    integrity.  This also allows us to return a better error message
    naming an object that's still using that ACL.

    Wallet::Config now supports an additional local function,
    verify_acl_name, which can be used to enforce ACL naming policies.  If
    set, it is called for any ACL creation or rename and can reject the
    new ACL name.

    Add an audit command to wallet-report and two audits: acls name, which
    returns all ACLs that do not pass the local naming policy, and objects
    name, which does the same for objects.  The corresponding
    Wallet::Report method is audit().

    Add the acls unused report to wallet-report and Wallet::Report,
    returning all ACLs not referenced by any database objects.

    Wallet::Config::verify_name may now be called with an undefined third
    argument (normally the user attempting to create an object).  This
    calling convention is used when auditing, and the local policy
    function should select the correct policy to apply for useful audit
    results.

    Fix portability to older Kerberos libraries without
    krb5_free_error_message.

wallet 0.10 (2010-02-21)

    Add support for Heimdal KDCs as well as MIT Kerberos KDCs.  There is
    now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE.  It
    should be set to either "MIT" or "Heimdal" depending on the Kerberos
    KDC implementation used.  The Heimdal support requires the
    Heimdal::Kadm5 Perl module.

    Remove kaserver synchronization support.  It is no longer tested, and
    retaining the code was increasing the complexity of wallet, and some
    specific requirements (such as different realm names between kaserver
    and Kerberos v5 and the kvno handling) were Stanford-specific.  Rather
    than using this support, AFS sites running kaserver will probably find
    deploying Heimdal with its internal kaserver compatibility is probably
    an easier transition approach.

    Remove the kasetkey client for setting keys in an AFS kaserver.

    The wallet client no longer enables kaserver synchronization when a
    srvtab is requested with -S.  Instead, it just extracts the DES key
    from the keytab and writes it to a srvtab.  It no longer forces the
    kvno of the srvtab to 0 (a Stanford-specific action) and instead
    preserves the kvno from the key in the keytab.  This should now do the
    right thing for sites that use a KDC that serves both Kerberos v4 and
    Kerberos v5 from the same database.

    The wallet client can now store data containing nul characters and
    wallet-backend will accept it if passed on standard input instead of
    as a command-line argument.  See config/wallet for the new required
    remctld configuration.  Storing data containing nul characters
    requires remctl 2.14 or later.

    Correctly handle storing of data that begins with a dash and don't
    parse it as an argument to wallet-backend.

    Fix logging in wallet-backend and the remctl configuration to not log
    the data passed to store.

    Move all reporting from Wallet::Admin to Wallet::Report and simplify
    the method names since they're now part of a dedicated reporting
    class.  Similarly, create a new wallet-report script to wrap
    Wallet::Report, moving all reporting commands to it from wallet-admin,
    and simplify the commands since they're for a dedicated reporting
    script.

    Add additional reports for wallet-report: objects owned by a specific
    ACL, objects owned by no one, objects of a specific type, objects with
    a specific flag, objects for which a specific ACL has privileges, ACLs
    with an entry with a given type and identifier, and ACLs with no
    members.

    Add a new owners command to wallet-report and corresponding owners()
    method to Wallet::Report, which returns all ACL lines on owner ACLs
    for matching objects.

    Report ACL names as well as numbers in object history.

    The wallet client now uses a temporary disk ticket cache when
    obtaining tickets with the -u option rather than an in-memory cache,
    allowing for a libremctl built against a different Kerberos
    implementation than the wallet client.  This primarily helps with
    testing.

    Update to rra-c-util 2.3:

    * Use Kerberos portability layer to support Heimdal.
    * Avoid Kerberos API calls deprecated on Heimdal.
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config results don't work.
    * Add --with-krb5-include and --with-krb5-lib configure options.
    * Add --with-remctl-include and --with-remctl-lib configure options.
    * Add --with-gssapi-include and --with-gssapi-lib configure options.
    * Don't break if the user clobbers CPPFLAGS at build time.
    * Suppress error output from krb5-config probes.
    * Prefer KRB5_CONFIG over a path constructed from --with-*.
    * Update GSS-API probes for Solaris 10's native implementation.
    * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
    * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
    * Provide a proper bool type with Sun Studio 12 on Solaris 10.
    * Break util/util.h into separate header files per module.
    * Update portable and util tests for C TAP Harness 1.1.

    Update to C TAP Harness 1.1:

    * Remove the need for Autoconf substitution in test programs.
    * Support running a single test program with runtests -o.
    * Properly handle test cases that are skipped in their entirety.
    * Much improved C TAP library more closely matching Test::More.

wallet 0.9 (2008-04-24)

    The wallet command-line client now reads the data for store from a
    file (using -f) or from standard input (if -f wasn't given) when the
    data isn't specified on the command line.  The data still must not
    contain nul characters.

    Add support for enabling and disabling principals (clearing or setting
    the NOTGS flag) and examining principals to kasetkey.  This
    functionality isn't used by wallet (and probably won't be) but is
    convenient for other users of kasetkey such as kadmin-remctl.

    Report the correct error message when addprinc fails while creating a
    keytab object.

    The configure option requesting AFS kaserver support (and thus
    building kasetkey) is now --with-kaserver instead of --with-afs.

    If KRB5_CONFIG was explicitly set in the environment, don't use a
    different krb5-config based on --with-krb4 or --with-krb5.  If
    krb5-config isn't executable, don't use it.  This allows one to
    force library probing by setting KRB5_CONFIG to point to a
    nonexistent file.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    Fix Autoconf syntax error when probing for libkrb5support.  Thanks,
    Mike Garrison.

    wallet can now be built in a different directory than the source
    directory.

    Stop setting Stanford-specific compile-time defaults for the wallet
    server and port.

    Perl 5.8 is required to run the test suite, but IO::String is not.

    Include Stanford's wallet.conf as an example (examples/stanford.conf).

wallet 0.8 (2008-02-13)

    Fix the wallet client to use check instead of exists.

    Add file object support to the wallet server.

    Correctly handle get of an empty object in the wallet client.  The
    empty string is valid object content.

    Wallet::Config and hence the wallet server now checks for the
    environment variable WALLET_CONFIG and loads configuration from the
    file specified there instead of /etc/wallet/wallet.conf if it is set.

    wallet-backend now supports a -q flag, which disables syslog logging.

    wallet-admin now supports registering new object or ACL verifier
    implementations in the database.

    Remove the restriction that all object implementations must have class
    names of Wallet::Object::* and all ACL verifier implementations must
    have class names of Wallet::ACL::*.

    Add a full end-to-end test suite to catch protocol mismatches between
    the client and server, such as the one fixed in this release.

    Update the design documentation to reflect the current protocol and
    implementation.

wallet 0.7 (2008-02-08)

    Add new exists and autocreate wallet server interfaces.  The first
    states whether a given object exists and the second attempts to create
    the object using the default owner rules.  Remove default owner
    handling from the create interface, which is now for administrators
    only.  Remove server-side auto-creation of objects on get or store and
    instead have the client check for object existence and call autocreate
    if necessary.  This removes confusion between default ACLs and
    administrative object creation for users who are also on the ADMIN
    ACL.

    When creating a srvtab based on a just-downloaded keytab, extract the
    srvtab key before merging the keytab into an existing file.
    Otherwise, if the new keys had a lower kvno than the old keys
    (possible after deleting and recreating the object), the wrong key
    would be extracted for the srvtab.

    keytab-backend now passes kadmin.local ktadd its options in a specific
    order to satisfy the picky option parser.

    Check naming policy on wallet object creation before checking the
    default ACLs to avoid creating and stranding an ACL when the naming
    policy check fails.

    The current version of Net::Remctl can't handle explicit undef or the
    empty string as a principal argument.  Be careful not to provide a
    principal argument if no principal was set.  This workaround can be
    removed once we depend on a later version of Net::Remctl.

    Correctly enable syslog logging in wallet-backend.

    Fix the example remctl configuration for keytab-backend to use the
    correct script name.

wallet 0.6 (2008-01-28)

    SECURITY: If -f is used and the output file name with ".new" appended
    already exists, unlink it first and then create it safely rather than
    truncating it.  This is much safer when creating files in a
    world-writable directory.

    The wallet client can now get the server, port, principal, and remctl
    type from krb5.conf as well as from compile-time defaults and
    command-line options.

    When getting a keytab with the client with no -f option, correctly
    write the keytab to standard output rather than dying with a cryptic
    error.

    When downloading a keytab to a file that already exists, merge the new
    keytab keys into that file rather than moving aside the old keytab and
    creating a new keytab with only the new keys.

    The wallet client now supports a -u option, saying to obtain Kerberos
    credentials for the given user and use those for authentication rather
    than using an existing ticket cache.

    Add a wallet-admin program which can initialize and destroy the
    database and list all objects and ACLs in the database.

    Support enforcing a naming policy for wallet objects via a Perl
    function in the wallet server configuration file.

    The build system now probes for GSS-API, Kerberos v5 and v4, and AFS
    libraries as necessary rather than hard-coding libraries.  Building
    on systems without strong shared library dependencies and building
    against static libraries should now work.

    Building kasetkey (for AFS kaserver synchronization) is now optional
    and not enabled by default.  Pass --with-afs to configure to enable
    it.  This allows wallet to be easily built in an environment without
    AFS.

    Add a sample script (contrib/wallet-report) showing one way of
    reporting on the contents of the wallet database.  This will
    eventually become more general.

wallet 0.5 (2007-12-06)

    Allow the empty string in wallet-backend arguments.

    Allow @ in wallet-backend arguments so that principal names can be
    passed in.

    Load the Perl modules for ACL verifiers and object types dynamically
    now that we're reading the class from the database.

    Correctly implement the documented intention that setting an attribute
    to the empty string clears the attribute values.

    Fix the keytab principal validation regex to allow instances
    containing periods.  Otherwise, it's hard to manage host keytabs.  Add
    a missing test suite for that method.

    When writing to a file in the wallet client program, remove an old
    backup file before creating a new backup and don't fail if the backup
    already exists.

    Check a default creation ACL first before the ADMIN ACL when deciding
    whether we can auto-create a non-existent ACL, since creating one with
    the ADMIN ACL doesn't create a useful object.

wallet 0.4 (2007-12-05)

    Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them
    over the life of the process if we see another ACL line from the same
    scheme, rather than only reusing ACL verifiers within a single ACL.

    Add a subclass of the NetDB ACL verifier that requires the principal
    have an instance of "root" and strips that instance before checking
    NetDB roles.

    Determine the class for object and ACL schema implementations from the
    database rather than a hard-coded list and provide Wallet::Schema
    methods for adding new class mappings.

    Add a missing class mapping for the netdb ACL schema verifier.

    Various coding style fixes and cleanup based on a much-appreciated
    code audit by Simon Cozens.  I didn't take all of his advise, and he
    shouldn't be blamed for any remaining issues.

wallet 0.3 (2007-12-03)

    MySQL is now a supported database backend and the full test suite
    passes with MySQL.

    Add support for running a user-defined function whenever an object is
    created by a non-ADMIN user and using the default owner ACL returned
    by that function provided that the calling user is authorized by that
    ACL.  This permits dynamic creation of new objects based on a default
    owner ACL programmatically determined from the name of the object.

    Attempt to create the object with a default owner on get and store
    when the object doesn't exist.

    Add support for displaying the history of objects and ACLs.

    Add an ACL verifier that checks access against NetDB roles using the
    NetDB remctl interface.

    The wallet backend script now logs all commands and errors to syslog.

    The keytab backend now supports limiting generated keytabs to
    particular enctypes by setting an attribute on the object.

    Expiration dates are now expressed in YYYY-MM-DD HH:MM:SS instead of
    seconds since epoch and returned the same way.  Timestamps are now
    stored in the database as correct date and time types rather than
    seconds since epoch to work properly with MySQL.

    The wallet backend test suite now supports using a database other than
    SQLite for testing.

wallet 0.2 (2007-10-08)

    First public alpha release.  Only tested with SQLite 3, no history
    support, no object list support, and only keytab object and krb5 ACL
    support.

wallet 0.1 (2007-03-08)

    Internal release containing only kasetkey, a stub client, and design
    documentation.