This change loosens the constraints on including attributes in
Locate messages for KMIP 2.0 clients. An early version of the KMIP
2.0 specification made attributes a required field for the Locate
payloads, breaking backwards compatibility with earlier versions
of the specification. A newer version of KMIP 2.0 reverses this
change. The library has been updated to reflect this newer version
of the specification. All relevant Locate unit tests have been
modified or removed to reflect this change.
Fixes #556
This update includes a library-wide upgrade to support KMIP 2.0
for all currently supported KMIP operations. Additional changes
include documentation improvements, testing upgrades, and various
quality of life enhancements:
* Add support for Python 3.7
* Add KMIP 2.0 enumerations
* Add a new OrderedEnum subclass to handle sortable enumerations
* Add KMIP 2.0-style attribute handling
* Add utilities to convert TemplateAttributes and Attributes
* Add utilities to handle bit mask style enumerations
* Add positional argument handling for pytest calls when using tox
* Update the library documentation to include KMIP 2.0 information
* Update client exception handling / logging to simplify debugging
* Update library logging defaults to log at INFO but support DEBUG
* Update the Travis CI configuration to support Ubuntu 16.04
* Update the Travis CI configuration to output logs on failures
* Update the server to support KMIP 1.3, 1.4, and 2.0
* Update the PyKMIP clients to support changing their KMIP version
* Update server session logging for authentication failures
* Update the PyKMIP object hierarchy to propagate the KMIP version
* Update the server TLS handshake handling to avoid thread hanging
* Update the Create and Register payloads to support KMIP 2.0
* Update the Locate and CreateKeyPair payloads to support KMIP 2.0
* Update the DeriveKey / GetAttributes payloads to support KMIP 2.0
* Update the GetAttributeList / Query payloads to support KMIP 2.0
* Update attribute policy to handle KMIP 2.0 deprecated attributes
* Remove escape sequences to comply with Python 3.6 deprecations
* Fix various deprecation warnings caused by dependency upgrades
* Fix a bug decoding revocation messages for the Revoke operation
* Fix a bug specifying the function list in the Query demo script
This change fixes a bug in the server attribute handling logic
that manifests when attributes are deprecated and removed in KMIP
2.0. Now these attributes are effectively ignored for KMIP 2.0
messages, complying with the KMIP 2.0 specification.
This change adds all of the final core updates necessary to allow
KMIP 2.0 message encoding/decoding support for the PyKMIP server.
Requests and responses now dynamically adjust the KMIP version they
encode/decode under based on the KMIP version included in their
header segments. Extra server logging has also been added to show
the KMIP version specified by the client request.
Message tests have been updated to reflect these changes.
This change fixes a bug with revocation message decoding that
would cause client and server failures if the revocation message
was included in a Revoke operation call. With this fix, the client
can now send a revocation message with a Revoke request and the
revocation will occur as expected.
A ProxyKmipClient demo script for the Revoke operation has been
included to help test Revoke functionality.
Finally, an argument ordering bug with the original KMIPProxy demo
Revoke script has also been fixed.
Fixes #546
This change updates the Register payloads to properly use the new
ProtectionStorageMasks structure. Unit tests have been updated to
reflect this change.
This change updates the CreateKeyPair payloads to support the new
protection storage masks fields introduced in KMIP 2.0. The payload
unit tests have been updated to reflect these changes.
This change updates the ResponseHeader to support the new server
hashed password field added in KMIP 2.0. Unit tests have been
added to cover the change.
A recent regression in bandit 1.6.0 permits the scanning of test
files for vulnerabilities even when those files should be excluded
using the '-x' flag. This change temporarily pins bandit to 1.5.1
in test-requirements.txt to get around this issue in the short
term.
This patch should be undone once bandit 1.6.1 is released, fixing
this issue.
This change adds support for the ProtectionStorageMasks structure
which is a new addition in KMIP 2.0. A unit test suite has been
added for the new structure.
This change makes a simple renaming update to the Query response
payload, correcting how Protection Storage Masks are used and
referenced. All related unit tests have been updated to reflect
this change.
This change updates the Register payloads, adding support for
Protection Storage Masks which were added in KMIP 2.0. The
payload unit tests have been updated to reflect this change.
This change updates the Create payloads, adding support for
Protection Storage Masks which were added in KMIP 2.0. The
payload unit tests have been updated to reflect this change.
This change updates the Query payloads to support KMIP 2.0, adding
in new response components including server default information
and storage protection masks. Unit tests have been added and
updated to cover these changes.
This change upgrades the Query payloads, fixing error messages,
comments, local variables, and internal payload structure to
bring Query support up to KMIP 1.4 standards, in addition to
compliance with the current payload format. The corresponding
unit test suite has been completely rewritten to reflect these
changes.
This change prepares the Query payloads for future updates to
support KMIP 2.0.
This change adds the CapabilityInformation structure, a KMIP 1.3
addition that is used to specify details on capabilities supported
by a KMIP server. A unit test suite is included to cover the new
structure.
This change adds the ValidationInformation structure, a KMIP 1.3
addition that is used to specify details on formal validation
methods supported by a KMIP server. A unit test suite is included
to cover the new structure.
This change updates requirements, pinning cryptography>=1.4. This
is due to the use of kbkdf in the server's cryptography engine,
which was not introduced until cryptography 1.4.
Fixes #525
This change adds the ProfileInformation structure, a KMIP 1.3
addition that is used to specify details for supported KMIP
profiles. A unit test suite is included to cover the new
structure.
This change adds the RNGParameters structure, a KMIP 1.3 addition
that is used to specify parameters and settings associated with a
specific random number generator. A unit test suite is included
to cover the new structure.
This change adds the DefaultsInformation structure, a KMIP 2.0
addition that is used to specify default attribute values for
KMIP managed objects. A unit test suite is included to cover the
new structure.
This change adds the ObjectDefaults structure, a KMIP 2.0 addition
that is used to specify default attribute values for KMIP managed
objects. A unit test suite is included to cover the new structure.
This change updates the GetAttributeList payloads to support KMIP
2.0 features, including swapping out Attribute Names for the
Attribute Reference structure in the response payload. Unit tests
have been added to cover these changes.
This change makes minor updates to the GetAttributeList payloads,
fixing error messages, comments, and local variable names to
comply with the current payload format. The corresponding unit
test suite has been updated to reflect these changes.
This change prepares the GetAttributeList payloads for future
updates to support KMIP 2.0.
This change adds a posargs argument to the call to pytest that is
used when invoking unit tests for individual Python versions. This
allows developers to specify which tests or test suites they want
to invoke. For example, use the following to run the unit test
suites related to the GetAttributeList payloads for Python 2.7:
    tox -r -e py27 -- -k TestGetAttributeList
Developers can still use tox to run the entire test suite, like
before:
    tox -r -e py27
This change updates the GetAttributes payloads to support KMIP 2.0
features, including swapping out Attribute Names for the Attribute
Reference structure in the request payload and the Attribute list
for the Attributes structure in the response payload. Unit tests
have been added to cover these changes.
This change makes minor updates to the GetAttributes payloads,
fixing error messages, comments, and local variable names to
comply with the current payload format. The corresponding unit
test suite has been updated to reflect these changes.
This change prepares the GetAttributes payloads for future updates
to support KMIP 2.0.
This change adds the AttributeReference structure, a KMIP 2.0
addition that is used by several attribute-related operations.
A unit test suite is included to cover the new structure.
This change updates the DeriveKey payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change makes minor updates to the DeriveKey payloads, fixing
error messages, comments, and local variable names to comply with
the current payload format. The corresponding unit test suite has
been updated to reflect these changes.
This change prepares the DeriveKey payloads for future updates to
support KMIP 2.0.
This change moves the KMIPProtocol class from the server module
to the services module. Because the client uses KMIPProtocol, and
KMIPProtocol lived in the server module, the client would end up
importing server libraries whenever it was used. If there are any
issues with server dependencies, this would cause the client to
fail for no good reason. This change now insulates the client from
the server code base and prevents this case from happening.
See #509
This change updates the CreateKeyPair payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change updates the TemplateAttribute conversion utilities to
remove use of various TemplateAttribute subclasses. This reflects
the usage updates added for CreateKeyPair support. All related
unit tests have been updated to reflect this change.
This change updates the CreateKeyPair payloads to the current
payload format, adding properties for different payload attributes
and adding comparison and string operators. Changes are also made
to the PyKMIP clients and the surrounding testing infrastructure
to reflect the payload changes. The official unit test suite for
the CreateKeyPair payloads has been updated to also reflect these
changes.
This change prepares the CreateKeyPair payloads for future
updates to support KMIP 2.0.
This change updates the Locate payloads to support KMIP 2.0
features, including swapping out individual Attribute structures
for the new Attributes structure in the request payload. Unit
tests have been added to cover these changes.
This change updates the Locate payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Locate payloads has also been included, which will eventually
replace the existing Locate message tests elsewhere in the test
suite.
This change prepares the Locate payloads for future updates to
support KMIP 2.0.
This change adds several utilities for working with bit mask
enumerations, including functions to compute bit masks from lists
of enumeration values and vice versa. Unit tests have been added
to cover these new utilities.
This change updates the Register payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change updates the Register payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Register payloads has also been included, which will eventually
replace the existing Register message tests elsewhere in the test
suite.
This change prepares the Register payloads for future updates to
support KMIP 2.0.
When the TLS handshake is performed while in the `accept()` call, the main
thread might be blocked up to the network timeout, effectively locking out
other clients from being able to establish a connection with the PyKMIP server.
An easy way to reproduce the problem:
1. Start PyKMIP server
2. Establish TCP connection with `nc -v 127.0.0.1 5696`
3. Attempt to connect (concurrently):
`openssl s_client -host 127.0.0.1 -port 5696`
Without the fix, `openssl` would be blocked (won't even do the initial TLS
handshake) until the `nc` connection times out.
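
The accept-loop stall described above, measured both ways in an added example (not PyKMIP's own code): `accept_delay` and `handshake_in_worker` are hypothetical names, and the demo assumes a local listener on an ephemeral port with no certificate loaded, so no handshake ever completes and only the blocking behaviour is shown.

```python
import socket
import ssl
import threading
import time

def handshake_in_worker(conn, timeout=5.0):
    """Runs in a per-connection thread, so a stalled peer only ties up this thread."""
    try:
        conn.settimeout(timeout)   # bound how long a silent peer can hold the thread
        conn.do_handshake()
    except OSError:                # ssl.SSLError and socket.timeout are subclasses
        pass
    finally:
        conn.close()

def accept_delay(defer_handshake, idle_seconds=1.0):
    """Return how long accept() blocks when a client connects and stays silent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # demo only: no certificate loaded
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw.bind(("127.0.0.1", 0))                      # ephemeral port, not 5696
    raw.listen(5)
    listener = ctx.wrap_socket(raw, server_side=True,
                               do_handshake_on_connect=not defer_handshake)
    port = listener.getsockname()[1]

    def idle_client():                              # stands in for the `nc` connection
        with socket.create_connection(("127.0.0.1", port)):
            time.sleep(idle_seconds)

    worker = None
    start = time.monotonic()
    client = threading.Thread(target=idle_client)
    client.start()
    try:
        conn, _ = listener.accept()                 # handshakes here unless deferred
        worker = threading.Thread(target=handshake_in_worker, args=(conn,))
        worker.start()
    except OSError:
        pass                                        # inline handshake ended when the client left
    elapsed = time.monotonic() - start
    client.join()
    if worker:
        worker.join()
    listener.close()
    return elapsed

if __name__ == "__main__":
    print("handshake inside accept():", round(accept_delay(False), 2), "s")
    print("handshake in worker thread:", round(accept_delay(True), 2), "s")
```

With the handshake inside `accept()`, the accept loop is held for as long as the silent client stays connected; with it deferred, `accept()` returns as soon as the TCP connection is established.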
This change updates the Create payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.