Commit Graph

322 Commits

Author SHA1 Message Date
Peter Hamilton bc3e81b577 Add KMIP 2.0-style attribute handling
This change adds a new Attributes object to the object hierarchy,
which replaces TemplateAttributes in KMIP 2.0. The old attribute
components, like the AttributeName and AttributeIndex, are no
longer used and are instead replaced with the KMIP TTLV tag for
the attributes in question. This brings the attribute encoding
process in line with the rest of the KMIP specification.

To support this change, additional attribute and enumeration
utility functions have been added to simplify attribute building
and attribute/enumeration validity checking. New test cases
covering this new functionality are also included.
2019-02-22 09:59:05 -05:00
Peter Hamilton dcade2a264 Update object hierarchy read/write to support the KMIP version
This change updates the PyKMIP object hierarchy's read/write
method signatures to support propagation of the KMIP version. The
introduction of KMIP 2.0 introduces future KMIP message encodings
that break backwards compatibility; to support this, PyKMIP must
know what KMIP version is being used when encoding or decoding an
object; the KMIP version residing in the client or server alone
is now insufficient. Prior versions of KMIP, namely 1.0 - 1.4,
have been backwards compatible, obviating the need for the KMIP
version at encode/decode time. Going forward, this is no longer
true.

The PyKMIP client and server have been updated to include the
KMIP version when making calls to read/write, as have the
associated test cases covering this functionality.
2019-02-06 17:06:47 -05:00
Peter Hamilton f75a74922a Migrate from using assertRaisesRegexp to assertRaisesRegex 2019-01-28 10:38:05 -05:00
Peter Hamilton 4828e0d845 Fix AttributeError in client Rekey results with missing payloads
This change fixes a bug in the KMIPProxy client's support for the
Rekey operation. Specifically, if the operation fails and does not
return a payload, the client will still try to reference the
payload object when checking for TemplateAttribute data. This
causes an AttributeError since the payload is None. This change
fixes this and adds a unit test that covers this specific case.

Fixes #474
2018-12-07 08:58:36 -05:00
Peter Hamilton c5e4c4a290 Update the PyKMIP clients to support changing their KMIP version
This change updates the PyKMIP clients, adding support for getting
and setting the KMIP version they use when making KMIP requests.
You can now do:

>>> client.kmip_version

to get the KMIP version enumeration the client is using. Use:

>>> client.kmip_version = enums.KMIPVersion.KMIP_1_1

to set the KMIP version the client uses.

The client unit tests have been updated to check and cover these
changes.

Fixes #470
2018-12-04 15:01:24 -05:00
Peter Hamilton 40c064a290 Update the server to nominally support KMIP 1.3 and 1.4
This change updates the list of KMIP versions supported by the
server. While the server does not support any specific KMIP 1.3
or 1.4 features, the protocol formats are compatible across KMIP
1.0 to 1.4. Without this change, KMIP 1.3 and 1.4 requests for
older operations, like Create, Get, and Destroy, would fail.

This change also updates the server unit tests impacted by this
change.

Closes #451
2018-12-04 12:42:00 -05:00
Peter Hamilton 9a5db6d5e1 Fix pending deprecation warnings caused by dependency upgrades
This change fixes various pending deprecation warnings throughout
the library caused by recent updates to different dependencies.
While PyKMIP no longer directly triggers these warnings, some
dependencies still do when run through the test suite.
2018-11-16 11:42:05 -05:00
Peter Hamilton 8abe3de8cb Remove invalid escape sequences
A recent style update to Python 3.6 adds deprecation W605, which
tightens the usage of invalid escape sequences. This patch removes
any instances of invalid escape sequences from the PyKMIP code
base, bringing the library back up to compliance with Python style.
2018-11-15 13:53:06 -05:00
Peter Hamilton b878dbfdf9
Merge pull request #438 from OpenKMIP/feat/update-access-denied-error
Raise PermissionDenied on access control violations
2018-05-17 15:55:16 -04:00
Peter Hamilton 8b99c74d0b Raise PermissionDenied on access control violations
This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.
2018-05-17 14:23:07 -04:00
Peter Hamilton 008f86cfa9 Rename the 'default' policy section to 'preset'
This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.
2018-05-17 13:55:50 -04:00
Peter Hamilton b5e7323845 Add functional tests for server auth and access control
This change adds a new integration test suite, named 'functional',
that is specifically intended to test third-party authentication
and group-based access control with the PyKMIP server. A new tox
environment is added to handle running these tests separately from
the existing 'integration' test suite. New Travis CI configuration
and setup files have also been added to facilitate running these
tests automatically.
2018-05-09 01:21:03 -04:00
Peter Hamilton 3a7b880bdf Fix a denial-of-service bug by setting the server socket timeout
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.

Closes #430
2018-04-24 21:57:20 -04:00
Peter Hamilton f9e32552f8 Add client support for custom configuration file paths
This change adds client support for setting custom configuration
file paths, allowing users and developers to place their settings
file wherever they want. All client demo scripts have been updated
to support a '-s' flag that can be used to set the configuration
file for the demo. Client unit tests have also been updated to
include this change.
2018-04-17 14:41:04 -04:00
Peter Hamilton 664c9964c8 Add Check support to the payload factories
This change adds Check payload support to the payload factories.
Payload factory unit tests have been updated to account for the
change.
2018-04-17 00:32:20 -04:00
Peter Hamilton cf0ec6c429 Add Rekey support to the payload factories
This change adds Rekey payload support to the payload factories.
Payload factory unit tests have been updated to account for the
change.

Fixes #424
2018-04-15 23:38:37 -04:00
Peter Hamilton 2e6384a067 Add server support for customizing the backend storage file
This change updates the server, adding in support for customizing
the backend storage file used to store all server data. The server
currently uses a simple SQLite database for storage. Prior versions
of the server kept this database file in /tmp, to emphasize the
testing focus of the server. This change loosens that restriction,
now allowing users to customize where the database file lives. A
new configuration option, 'database_path', has been added that will
override the default /tmp location for the database file. This
value can also be passed in if invoking the server via script using
the '-d' flag.
2018-04-16 14:14:10 -04:00
Peter Hamilton 5b5607a8c7 Add Rekey support to the ProxyKmipClient
This change adds Rekey operation support to the ProxyKmipClient.
The client unit test suite has been updated to cover the new code.

Closes #405
2018-04-15 23:26:13 -04:00
Peter Hamilton 66929198c3 Add Rekey support to the KMIPProxy client
This change adds Rekey operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.

Partially addresses #405
2018-04-15 16:45:53 -04:00
Peter Hamilton a604ae17b3
Merge pull request #420 from OpenKMIP/feat/add-rekey-payloads
Add the request and response payloads for the Rekey operation
2018-04-13 16:04:15 -04:00
Peter Hamilton 9be760a0a1
Merge pull request #416 from OpenKMIP/feat/add-policy-file-monitoring
Integrate policy file monitoring with the server
2018-04-13 09:34:32 -04:00
Peter Hamilton 412b452adf Add the request and response payloads for the Rekey operation
This change adds the request/response payloads for the Rekey
operation. Unit tests are included to cover the new payloads. The
payloads package is also updated to allow direct import of the
Rekey payloads going forward.

Partially addresses #405
2018-04-12 22:34:58 -04:00
Peter Hamilton 33d1aabf76
Merge pull request #419 from OpenKMIP/bug/fix-create-key-pair-masks
Fix cryptographic usage mask handling for CreateKeyPair
2018-04-11 22:17:00 -04:00
Peter Hamilton 950e98569e Fix cryptographic usage mask handling for CreateKeyPair
This change fixes how the ProxyKmipClient handles cryptographic
usage mask values for the CreateKeyPair operation. Originally,
both Encrypt and Decrypt were set by default for both public and
private keys. This is incorrect behavior for certain algorithms.
Now, only the masks specified by the caller are set on the key
pair.

Fixes #412
2018-04-11 21:51:32 -04:00
Peter Hamilton 25f6cc9e5c Add cryptographic usage mask support for DeriveKey
This change updates the ProxyKmipClient support for the DeriveKey
operation, now allowing the caller to specify a list of
CryptographicUsageMask enumerations to set on the newly derived
key.

Fixes #417
2018-04-11 20:44:20 -04:00
Peter Hamilton 05b5b8411a Integrate policy file monitoring with the server
This change updates the server, integrating policy file monitoring
and restructuring the engine. The top-level server entity now
handles loading policy files using the PolicyDirectoryMonitor
subprocess. A shared memory dictionary is used to share newly
modified policy data across the session threads managed by the
server and used by the engine. The legacy policy loading code in
the engine has been removed.

Unit tests have been added and modified for both the server and
engine to verify the functionality of these modifications.
2018-04-11 13:42:44 -04:00
Peter Hamilton 055483d663 Add a policy directory monitor
This change adds a PolicyDirectoryMonitor subprocess that can be
used by the server to continuously monitor and load operation
policies from the configured operation policy directory. The
monitor tracks policy file modifications, file creation, and file
deletion, restoring legacy policies from existing policy files
should the current file backing a policy get deleted. Changes to
existing policies are detected and updated as soon as the backing
policy file is saved to disk.

An extensive unit test is included to exercise the different
operating conditions the monitor may encounter.
2018-04-10 14:32:27 -04:00
Peter Hamilton 804a59d75d Add Check support to the ProxyKmipClient
This change adds Check operation support to the ProxyKmipClient.
The client unit test suite has been updated to cover the new code.

Partially addresses #405
2018-04-06 19:47:10 -04:00
Peter Hamilton 822b889f2e Add Check support to the KMIPProxy client
This change adds Check operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.

Partially addresses #405
2018-04-06 00:02:36 -04:00
Peter Hamilton 74f20428f6 Fix a client bug for cryptographic parameter handling
This change fixes a bug with the ProxyKmipClient handling of
cryptographic parameters, specifically handling the case where
no cryptographic parameters are provided for an operation method
call. When no parameters are specified, None is now correctly
propagated through to request handling. A client unit test has
been added to cover this fix.

Fixes #406
2018-04-02 13:03:02 -04:00
Peter Hamilton 1a093f141e Update the server session to use the auth plugin framework
This change updates how the server session handles message
processing, adding support for the new authentication plugin
framework. Session unit tests have been updated to account for
this change.
2018-03-30 09:08:39 -04:00
Peter Hamilton f145662e1f Update ProxyKmipClient register to support name attributes
This change updates the ProxyKmipClient support for the Register
operation, adding the ability to register Name attributes with
the managed object being registered. This matches the functionality
available when using the Create operation.

Fixes #400
2018-03-22 11:03:03 -04:00
Peter Hamilton e215ddbe7b Update server config handling to parse auth plugin settings
This change updates server configuration handling, allowing the
server to parse and store configuration settings for authentication
plugins. Unit tests have been added to cover the new functionality.
2018-03-19 16:52:34 -04:00
Peter Hamilton 98f5ba39e3 Add an authentication plugin framework
This change adds an authentication plugin framework to be used by
the PyKMIP server. This framework will allow the server to query
third-party authentication systems for user identity information,
improving the access control model for the server. The initial
plugin provided queries an instance of the new SLUGS library.
2018-03-06 22:53:29 -05:00
Peter Hamilton 5c5012f524 Add AttestationCredential support
This change adds an implementation of the AttestationCredential
introduced in KMIP 1.2. The underlying Nonce struct is included.
Unit test suites for both objects are provided. Finally, the
Credential struct has also been updated to support the new
credential type.
2018-03-03 09:34:43 -05:00
Peter Hamilton 8d492fcda4 Update the Authentication object
This change updates the Authentication object, taking into account
the recent changes made to the Credential object hierarchy. A new
comprehensive unit test suite has been added for the Authentication
object. Usage of the object in the PyKMIP server has also been
updated to reflect these changes.
2018-02-26 10:23:25 -05:00
Peter Hamilton 86b23a9d53 Update the Credential objects
This change updates the implementation of the Credential objects.
The UsernamePassword and Device credentials are now first-class
objects and, along with the base Credential, have been restructured
to match the current struct style. Comprehensive unit test suites
for each class have been added. Additionally, the credential
factory code and its usage in the KMIPProxy class and associated
test suites have been updated to reflect this change.
2018-02-25 10:29:52 -05:00
Peter Hamilton dd4a078cc1 Update the ProtocolVersion implementation
This change updates the implementation of the ProtocolVersion
struct, bringing it in line with the current struct style. All
uses of the struct have been updated to reflect these changes,
as have the struct unit tests.
2018-02-22 13:35:11 -05:00
Peter Hamilton 61347d80b6 Update the server to support group-based operation policies
This change updates the PyKMIP server, allowing it to process and
use group-based operation policies. The server still supports the
original operation policy file format, so no immediate difference
should be apparent to users. Future documentation changes will
explain group-based policy files and how they should be used.
2018-02-19 12:12:40 -05:00
Peter Hamilton b84af4f88d Add payload for the Poll operation
This change adds the request payload for the Poll operation. A unit
test suite for the payload is included. The payload can be imported
directly from the payloads package.
2017-12-08 13:10:34 -05:00
Peter Hamilton 42da7f1d15 Add payloads for the ObtainLease operation
This change adds request and response payloads for the ObtainLease
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
2017-12-08 11:36:25 -05:00
Peter Hamilton 827b682583 Add payloads for the Recover operation
This change adds request and response payloads for the Recover
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
2017-12-08 08:43:06 -05:00
Peter Hamilton 53cbab7396 Add payloads for the Check operation
This change adds the request and response payloads needed for the
Check operation. Unit tests have been added to cover the new
payload structures.
2017-12-08 06:26:25 -05:00
Peter Hamilton 4c4bddc521 Add payloads for the GetUsageAllocation operation
This change adds request and response payloads for the
GetUsageAllocation operation. Unit test suites are included for
both payloads and both payloads can be imported directly from the
payloads package.
2017-12-08 05:58:40 -05:00
Peter Hamilton f23dde88cf Add payloads for the Cancel operation
This change adds request and response payloads for the Cancel
operation. Unit test suites are included for both payloads. Both
payloads can be imported directly from the payloads package.
2017-12-08 05:09:44 -05:00
Peter Hamilton 54b1df7726 Remove unused error code
This change removes unused exceptions defined in core/errors.py,
along with the errors.py module itself. The few used items from
this file are migrated over to core/exceptions.py. Any dependent
code is updated, dropping the use of errors.py and adding in the
use of exceptions.py.
2017-12-07 20:59:23 -05:00
Peter Hamilton 0b08301606 Add payloads for the Archive operation
This change adds request and response payloads for the Archive
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
2017-12-07 19:04:36 -05:00
Peter Hamilton 187ed7e924 Remove dead KeyFactory code
This change removes the KeyFactory code from the factories package.
It was unused and has been replaced with direct key object creation
where needed.
2017-12-07 18:15:54 -05:00
Peter Hamilton e77dcadf41 Fixing violations of E722 for flake8 checks
This change fixes violations of E722, the use of except without
specifying an exception type. For now the high-level Exception
class is used as a generic catchall. In the future these cases
will be updated to handle the specific exceptions expected.
2017-10-23 08:43:36 -04:00
Peter Hamilton 626798b327 Merge pull request #355 from OpenKMIP/feat/remove-client-api
Remove the KmipClient API class
2017-10-24 09:42:24 -04:00