This test is meant to intentionally trigger an exception in the cryptography library
by creating a CMAC with a non-block cipher algorithm, IDEA.
That doesn't work any more because IDEA is now treated as a block cipher algorithm.
To fix this, we now use the ARC4 algorithm instead,
which does trigger the expected exception.
I'm not *entirely* sure what's going on here, but it seems that when we
do something like
obj = OpaqueObject(...)
Session = sessionmaker(...)
session = Session()
...
session.add(obj)
session.commit()
the primary key (and maybe some foreign relations?) aren't automatically
populated on `obj` following the commit, and will attempt to lazy-load
on next reference. Since expire_on_commit defaults to True, the session
attached to `obj` (which is no longer the `session` in locals!) is closed
out when we later do
session = Session()
get_obj = session.query(OpaqueObject).filter(
ManagedObject.unique_identifier == obj.unique_identifier).one()
leading to a DetachedInstanceError.
There seem to be a few different ways we can fix this:
* Set expire_on_commit=False so the old session is still useful for the
lazy-loading.
* Re-use the same session instead of creating a new one.
* Explicitly refresh added objects post-commit.
Generally prefer the first one; there's some prior art to follow in
services/server/test_engine.py. Curiously, that same file runs into
trouble despite already setting expire_on_commit=False -- so do the
explicit refresh, on the assumption that there was a reason we went to
the trouble of creating a fresh session.
Closes#649
This changes fixes a minor bug with proper attribute index range
checking in the server implementation of ModifyAttribute. A corner
case that previously slipped through index checking and testing
has been closed. An existing unit test has been modified to fix
this bug.
Partially implements #547
This change adds ModifyAttribute operation support to the PyKMIP
server, including additional attribute policy functionality to
check for certain attribute characteristics that preclude
ModifyAttribute operation functionality. New unit tests have been
added to cover these changes.
Partially implements #547
This change adds ModifyAttribute support to the ProxyKmipClient,
leveraging the new generic request capability in the underlying
KMIPProxy client. New unit tests have been added to cover the new
client additions.
Partially implements #547
This change adds SetAttribute support to the ProxyKmipClient,
leveraging the new generic request capability in the underlying
KMIPProxy client. New unit tests have been added to cover the new
client additions.
Partially implements #547
This change adds SetAttribute operation support to the PyKMIP
server, including additional attribute policy functionality to
check for certain attribute characteristics that preclude
SetAttribute operation functionality. Specifically, the operation
cannot set the value of any multivalued attribute nor the value
of any attribute not modifiable by the client. New unit tests
have been added to cover these changes.
Partially implements #547
This change adds support for the Sensitive attribute, adding it to
the attribute factory, the SQLAlchemy object hierarchy, and to the
server attribute handling methods. The intent is to use this new
attribute to test the new SetAttribute and ModifyAttribute
operations coming in future commits. Unit tests have been added
and modified to support the new additions.
This change adds DeleteAttribute support to the ProxyKmipClient,
leveraging the new generic request capability in the underlying
KMIPProxy client. Going forward all new attribute support will
leverage the new request capability and older supported operations
will be migrated to use it as well, with the ultimate vision
being a final merger of the two client classes into one easy to
use architecture. New unit tests have been added to cover the new
client additions.
Partially implements #547
This change adds DeleteAttribute operation support to the PyKMIP
server, supporting functionality unique to KMIP 1.0 - 1.4 and the
newer KMIP 2.0. Due to the current list of attributes supported
by the server, only multivalued attributes can currently be
deleted from a stored KMIP object. Over a dozen unit tests have
been added to verify the functionality of the new additions.
Partially implements #547
This change ObjectGroup attribute support to the server, allowing
for the storage and retrieval of the new attribute in addition to
object filtering based on its value. New unit tests have been
added to cover the new changes.
This change adds ApplicationSpecificInformation attribute support
to the server, allowing for the storage and retrieval of the new
attribute in addition to object filtering based on its value. New
unit tests have been added to cover the new changes.
This change adds integration tests that test registering,
retrieving, and destroying SplitKey objects with the server.
Minor updates are included for the client and server to ensure
that SplitKey operations function as expected.
Partially implements #545
This change adds conversion utilities for SplitKey objects,
allowing for conversions between the Pie and Core object spaces.
The server is also updated to recognize the new Pie SplitKey
object. Unit tests have been added and tweaked to accommodate
these changes.
Partially implements #545
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's
Certificate Type. Unit tests and integration tests have
been added to test and verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Certificate Type filtering. Simply use the
"--certificate-type" flag to specify a Certificate Type
enumeration values for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's
Cryptographic Usage Masks. Unit tests and integration tests have
been added to test and verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Cryptographic Usage Mask filtering. Simply use the
"--cryptographic-usage-mask" flag to specify one or more
Cryptographic Usage Mask enumeration values for the Locate script
to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects using the offset and maximum item
constraints. The offset constraint tells the server how many
matching items should be skipped before results are returned. The
maximum items constraint tells the server how many matching items
should be returned. Unit tests and integration tests have been
added to test and verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support offset and maximum item filtering. Simply use the
"--offset-items" and "--maximum-items" flags to specify offset and
maximum item values for the Locate script to filter on.
Fixes#562
This change fixes a bug in the server engine unit tests that
check the debug logs for Locate filtering on the Initial Date
attribute. Specifically, time.asctime does not use the default
'%d' notation for stringifying numerical day values. This change
updates the string notation to match the format produced by
time.asctime.
Impacts #572
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's Operation
Policy Name. Unit tests and integration tests have been added to
test and verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Operation Policy Name filtering. Simply use the
"--operation-policy-name" flag to specify an Operation Policy Name
string value for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's Unique
Identifier. Unit tests and integration tests have been added to
test and verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Unique Identifier filtering. Simply use the
"--unique-identifier" flag to specify a Unique Identifier string
value for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's
Cryptographic Length. If an object's type does not support the
Cryptographic Length attribute, the object is not a match. Unit
tests and integration tests have been added to test and verify
the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Cryptographic Length filtering. Simply use the
"--cryptographic-length" flag to specify a Cryptographic Length
integer value for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's
Cryptographic Algorithm. If an object's type does not support the
Cryptographic Algorithm attribute, that object is not a match.
Unit tests and integration tests have been added to test and
verify the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Cryptographic Algorithm filtering. Simply use the
"--cryptographic-algorithm" flag to specify a Cryptographic
Algorithm enumeration for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's Object Type.
Unit tests and integration tests have been added to test and verify
the correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support Object Type filtering. Simply use the "--object-type" flag
to specify an Object Type enumeration for the Locate script to
filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the object's State. Unit
tests and integration tests have been added to test and verify the
correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support State filtering. Simply use the "--state" flag to specify
a State enumeration for the Locate script to filter on.
This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the objects InitialDate
attribute value. Specifying a single InitialDate attribute in the
Locate request will perform an exact match on objects; specifying
two InitialDate attributes will perform a ranged match. Unit tests
and integration tests have been added to test and verify the
correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support InitialDate filtering. Simply use the "--initial-date"
flag to provide one or more InitialDate values to the Locate
script to filter on those dates.
This change upgrades the Query payloads, fixing error messages,
comments, local variables, and internal payload structure to
bring Query support up to KMIP 1.4 standards, in addition to
compliance with the current payload format. The corresponding
unit test suite has been completely rewritten to reflect these
changes.
This change prepares the Query payloads for future updates to
support KMIP 2.0.
This change moves the KMIPProtocol class from the server module
to the services module. Because the client uses KMIPProtocol, and
KMIPProtocol lived in the server module, the client would end up
importing server libraries whenever it was used. If there are any
issues with server dependencies, this would cause the client to
fail for no good reason. This change now insulates the client from
the server code base and prevents this case from happening.
See #509
This change updates the CreateKeyPair payloads to the current
payload format, adding properties for different payload attributes
and adding comparison and string operators. Changes are also made
to the PyKMIP clients and the surrounding testing infrastructure
to reflect the payload changes. The official unit test suite for
the CreateKeyPair payloads has been updated to also reflect these
changes.
This change prepares the CreateKeyPair payloads for future
updates to support KMIP 2.0.
This change updates the Locate payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Locate payloads has also been included, which will eventually
replace the existing Locate message tests elsewhere in the test
suite.
This change prepares the Locate payloads for future updates to
support KMIP 2.0.
This change updates the Register payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Register payloads has also been included, which will eventually
replace the existing Register message tests elsewhere in the test
suite.
This change prepares the Register payloads for future updates to
support KMIP 2.0.
This change updates the Create payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Create payloads has also been included, which will eventually
replace the existing Create message tests elsewhere in the test
suite.
This change prepares the Create payloads for future updates to
support KMIP 2.0.
This change updates the PyKMIP object hierarchy's read/write
method signatures to support propagation of the KMIP version. The
introduction of KMIP 2.0 introduces future KMIP message encodings
that break backwards compatibility; to support this, PyKMIP must
know what KMIP version is being used when encoding or decoding an
object; the KMIP version residing in the client or server alone
is now insufficient. Prior versions of KMIP, namely 1.0 - 1.4,
have been backwards compatible, obviating the need for the KMIP
version at encode/decode time. Going forward, this is no longer
true.
The PyKMIP client and server have been updated to include the
KMIP version when making calls to read/write, as have the
associated test cases covering this functionality.
This change fixes a bug in the KMIPProxy client's support for the
Rekey operation. Specifically, if the operation fails and does not
return a payload, the client will still try to reference the
payload object when checking for TemplateAttribute data. This
causes an AttributeError since the payload is None. This change
fixes this and adds a unit test that covers this specific case.
Fixes#474
This change updates the PyKMIP clients, adding support for getting
and setting the KMIP version they use when making KMIP requests.
You can now do:
>>> client.kmip_version
to get the KMIP version enumeration the client is using. Use:
>>> client.kmip_version = enums.KMIPVersion.KMIP_1_1
to set the KMIP version the client uses.
The client unit tests have been updated to check and cover these
changes.
Fixes#470
This change updates the list of KMIP versions supported by the
server. While the server does not support any specific KMIP 1.3
or 1.4 features, the protocol formats are compatible across KMIP
1.0 to 1.4. Without this change, KMIP 1.3 and 1.4 requests for
older operations, like Create, Get, and Destroy, would fail.
This change also updates the server unit tests impacted by this
change.
Closes#451
This change fixes various pending deprecation warnings throughout
the library caused by recent updates to different dependencies.
While PyKMIP no longer directly triggers these warnings, some
dependencies still do when run through the test suite.
A recent style update to Python 3.6 adds deprecation W605, which
tightens the usage of invalid escape sequences. This patch removes
any instances of invalid escape sequences from the PyKMIP code
base, bringing the library back up to compliance with Python style.
This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.
This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.
Closes#430
This change adds client support for setting custom configuration
file paths, allowing users and developers to place their settings
file wherever they want. All client demo scripts have been updated
to support a '-s' flag that can be used to set the configuration
file for the demo. Client unit tests have also been updated to
include this change.
