This change updates the Travis CI configuration file to output the
contents of the PyKMIP server and SLUGS log files if:
* a test failure occurred, and
* the log files exist in the test environment
This makes debugging server and service failures much easier in
Travis CI, specifically during integration and functional test
suite runs.

This change fixes a bug in the KMIPProxy client's support for the
Rekey operation. Specifically, if the operation fails and does not
return a payload, the client will still try to reference the
payload object when checking for TemplateAttribute data. This
causes an AttributeError since the payload is None. This change
fixes this and adds a unit test that covers this specific case.
Fixes #474

This change updates the PyKMIP clients, adding support for getting
and setting the KMIP version they use when making KMIP requests.
You can now do:

    >>> client.kmip_version

to get the KMIP version enumeration the client is using. Use:

    >>> client.kmip_version = enums.KMIPVersion.KMIP_1_1

to set the KMIP version the client uses.
The client unit tests have been updated to check and cover these
changes.
Fixes #470

This change updates the list of KMIP versions supported by the
server. While the server does not support any specific KMIP 1.3
or 1.4 features, the protocol formats are compatible across KMIP
1.0 to 1.4. Without this change, KMIP 1.3 and 1.4 requests for
older operations, like Create, Get, and Destroy, would fail.
This change also updates the server unit tests impacted by this
change.
Closes #451

This change fixes various pending deprecation warnings throughout
the library caused by recent updates to different dependencies.
While PyKMIP no longer directly triggers these warnings, some
dependencies still do when run through the test suite.

This change adds official library support for Python 3.7, including
updating the testing infrastructure for both tox and Travis CI and
updating the library package metadata in setup.py.

This change adds Ubuntu 16.04 LTS (Xenial Xerus) as a target test
platform in the Travis CI configuration file. New test builds for
all unit, integration, functional, style, security, and doc checks
should now be built for Xenial during continuous integration runs.

A recent style update to Python 3.6 adds deprecation W605, which
tightens the usage of invalid escape sequences. This patch removes
any instances of invalid escape sequences from the PyKMIP code
base, bringing the library back up to compliance with Python style.

As an application developer, you might expect to be able to turn on
debug logging at the root logger with something like

    logging.basicConfig(level=logging.DEBUG)

However, if the application needed to fetch any secrets from a KMIP
server, these previously would be logged as part of the wire protocol.
Further, any passwords in configs would also get logged at DEBUG.
Applications would need to proactively silence such logging, as in
https://github.com/openstack/swift/commit/12b6d46
Now, we will default the logger level to INFO to suppress the debug
logging. However, seeing the on-wire data may still be useful, for
example when developing a new KMIP server. So, allow developers to
consciously set the logger level to DEBUG.
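
The effect described in the message above, as an added example that is not PyKMIP's own code: a parent logger pinned at INFO keeps wire-level DEBUG records out of the logs even when the application sets the root logger to DEBUG. The logger name `examplekms` and the sample secret are assumptions made for the illustration.

```python
import logging

LIB_LOGGER = "examplekms"  # hypothetical library logger name (assumption)


class ListHandler(logging.Handler):
    """Collects messages so we can inspect what would reach the log."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def fetch_secret(wire_logger):
    # Stand-in for a client that dumps the wire payload at DEBUG.
    secret = "CONSTRUCTED-KEY-0123"  # constructed sample value
    wire_logger.debug("response payload: %s", secret)
    wire_logger.info("Get operation succeeded")
    return secret


def captured_with(lib_level):
    """Return what a root handler sees with the library logger at lib_level."""
    root = logging.getLogger()
    lib = logging.getLogger(LIB_LOGGER)
    handler = ListHandler()
    old_root_level, old_lib_level = root.level, lib.level
    root.addHandler(handler)
    root.setLevel(logging.DEBUG)  # the application "turning on debug"
    lib.setLevel(lib_level)
    try:
        fetch_secret(logging.getLogger(LIB_LOGGER + ".client"))
    finally:
        lib.setLevel(old_lib_level)
        root.setLevel(old_root_level)
        root.removeHandler(handler)
    return handler.messages


if __name__ == "__main__":
    for label, level in [("NOTSET, inherits root DEBUG", logging.NOTSET),
                         ("INFO, library default", logging.INFO),
                         ("DEBUG, explicit opt-in", logging.DEBUG)]:
        print(label, "->", captured_with(level))
```

Only the emitting logger's effective level is consulted, so pinning the package-level logger covers every child logger beneath it that has no level of its own.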

The old text made perfect sense when in a server context, trying to
read requests from clients, but KMIPProtocol is also used by *clients*
to read *responses*. Let's change it to something a little more
request/response agnostic.

Otherwise, you don't get much insight into why you had to settle for
your third configured host. Now, you can get information like

    An error occurred while connecting to appliance foo.bar:
    [Errno -5] No address associated with hostname
    An error occurred while connecting to appliance localhost:
    [Errno 111] Connection refused

even when we ultimately succeed in creating a client.

At that point, it's up to the caller to decide whether a stack trace is
appropriate; if the caller decides the connection error is recoverable,
us logging a traceback will only confuse things.
Also, prevent a TypeError during log interpolation by actually using the
argument we were providing.

Otherwise, you can hit errors with tracebacks like

    Traceback (most recent call last):
      ...
      File ".../kmip/pie/client.py", line 1573, in __enter__
        self.open()
      File ".../kmip/pie/client.py", line 135, in open
        raise e
    IOError: [Errno 2] No such file or directory

... which isn't terribly useful; it doesn't give you any information
about *what* file wasn't found. By using a bare `raise`, you preserve
the rest of the stack and get

    Traceback (most recent call last):
      ...
      File ".../kmip/pie/client.py", line 1573, in __enter__
        self.open()
      File ".../kmip/pie/client.py", line 131, in open
        self.proxy.open()
      File ".../kmip/services/kmip_client.py", line 221, in open
        self._create_socket(sock)
      File ".../kmip/services/kmip_client.py", line 246, in _create_socket
        suppress_ragged_eofs=self.suppress_ragged_eofs)
      File ".../eventlet/green/ssl.py", line 379, in wrap_socket
        return GreenSSLSocket(sock, *a, **kw)
      File ".../eventlet/green/ssl.py", line 68, in __init__
        ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
      File ".../ssl.py", line 558, in __init__
        self._context.load_verify_locations(ca_certs)
    IOError: [Errno 2] No such file or directory

... which makes it clear that it was a problem with the CA certificate
bundle.

This change updates the server and FAQ documentation, fully
describing the changes made to the server authentication and
access control systems. Specifically, the new third-party auth
plugin system is described, along with the new group-based
operation policy structure and policy file active monitoring.
Information on running the integration and functional tests testing
these changes is included.
The FAQ is updated to point to these changes in the server docs.
The original relevant FAQ content has been removed.

This update includes new operations and features for the client
and server, in addition to other minor updates and bug fixes:
* Add Sphinx-based client and server library documentation
* Add server support for third-party authentication systems
* Add client support for the Check operation
* Add client support for the Rekey operation
* Add client support for attestation credentials
* Add functional tests for server auth. and access control
* Add payloads for the Archive and Cancel operations
* Add payloads for the GetUsageAllocation and Poll operations
* Add payloads for the ObtainLease and Recover operations
* Update the server to support group-based operation policies
* Update the server to support live loading of policy files
* Update the server to support custom database file paths
* Update the server to raise PermissionDenied on violations
* Update the client to support custom configuration file paths
* Update the ProxyKmipClient to support Registering names
* Update the ProxyKmipClient to set usage masks for Derived keys
* Update the README to reference the new documentation
* Update the Travis CI config to test building the docs
* Update the Travis CI config to run integration tests
* Remove support for Python 3.3
* Fix a DOS bug by setting the server socket timeout
* Fix a ProxyKmipClient bug with cryptographic parameter handling
* Fix a ProxyKmipClient bug with usage mask processing

This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.

This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.

This change adds a basic error message that gets raised when
attempting to read an unparseable attribute (i.e., an attribute
that is not supported by the library).
Fixes #429

This change adds a new integration test suite, named 'functional',
that is specifically intended to test third-party authentication
and group-based access control with the PyKMIP server. A new tox
environment is added to handle running these tests separately from
the existing 'integration' test suite. New Travis CI configuration
and setup files have also been added to facilitate running these
tests automatically.

This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.
Closes #430
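
The mitigation described in the message above, as an added example that is not the PyKMIP server's code: timeouts on the listening and accepted sockets let a server treat an idle `accept()` as routine and drop a peer that connects but never sends a request. The function names and timeout values are assumptions, and the timeouts are set per socket here; the message does not say how the server applies its default.

```python
import socket
import threading
import time

ACCEPT_TIMEOUT = 0.2  # seconds; demo values, not the server's real settings
READ_TIMEOUT = 0.5


def serve_one(listener, result):
    """Accept one client, then wait a bounded time for its request."""
    listener.settimeout(ACCEPT_TIMEOUT)
    result["idle_wakeups"] = 0
    conn = None
    while conn is None and result["idle_wakeups"] < 50:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            # Expected interrupt: nobody connected yet, so keep serving.
            result["idle_wakeups"] += 1
    if conn is None:
        return
    with conn:
        conn.settimeout(READ_TIMEOUT)
        try:
            data = conn.recv(4096)
            result["outcome"] = "handled" if data else "closed"
        except socket.timeout:
            # Peer connected but never sent a request: drop it.
            result["outcome"] = "dropped"


def run_demo(client_sends):
    """Run one loopback exchange and report how the server side ended."""
    result = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=serve_one, args=(listener, result))
        worker.start()
        time.sleep(2.5 * ACCEPT_TIMEOUT)  # let accept() time out first
        with socket.create_connection(("127.0.0.1", port)) as client:
            if client_sends:
                client.sendall(b"constructed request bytes")
            worker.join(timeout=5)  # a stalled client keeps its socket open
    return result


if __name__ == "__main__":
    print(run_demo(client_sends=False), run_demo(client_sends=True))
```

The accepted socket gets its own timeout explicitly because it does not inherit the one set on the listening socket.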

This change adds client support for setting custom configuration
file paths, allowing users and developers to place their settings
file wherever they want. All client demo scripts have been updated
to support a '-s' flag that can be used to set the configuration
file for the demo. Client unit tests have also been updated to
include this change.