This change adds an authentication plugin framework to be used by
the PyKMIP server. This framework will allow the server to query
third-party authentication systems for user identity information,
improving the access control model for the server. The initial
plugin provided queries an instance of the new SLUGS library.
This change adds an implementation of the AttestationCredential
introduced in KMIP 1.2. The underlying Nonce struct is included.
Unit test suites for both objects are provided. Finally, the
Credential struct has also been updated to support the new
credential type.
This change updates the Authentication object, taking into account
the recent changes made to the Credential object hierarchy. A new
comprehensive unit test suite has been added for the Authentication
object. Usage of the object in the PyKMIP server has also been
updated to reflect these changes.
This change updates the implementation of the Credential objects.
The UsernamePassword and Device credentials are now first-class
objects and, along with the base Credential, have been restructured
to match the current struct style. Comprehensive unit test suites
for each class have been added. Additionally, the credential
factory code and its usage in the KMIPProxy class and associated
test suites have been updated to reflect this change.
This change updates the implementation of the ProtocolVersion
struct, bringing it inline with the current struct style. All
uses of the struct have been updated to reflect these changes,
as have the struct unit tests.
This change updates the PyKMIP server, allowing it to process and
use group-based operation policies. The server still supports the
original operation policy file format, so no immediate difference
should be apparent to users. Future documentation changes will
explain group-based policy files and how they should be used.
This change adds the request payload for the Poll operation. A unit
test suite for the payload is included. The payload can be imported
directly from the payloads package.
This change adds request and response payloads for the ObtainLease
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change adds request and response payloads for the Recover
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change adds request and response payloads for the
GetUsageAllocation operation. Unit test suites are included for
both payloads and both payloads can be imported directly from the
payloads package.
This change adds request and response payloads for the Cancel
operation. Unit test suites are included for both payloads. Both
payloads can be imported directly from the payloads package.
This change removes unused exceptions defined in core/errors.py,
along with the errors.py module itself. The few used items from
this file are migrated over to core/exceptions.py. Any dependent
code is updated, dropping the use of errors.py and adding in the
use of exceptions.py.
This change adds request and response payloads for the Archive
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change fixes violations of E722, the use of except without
specifying an exception type. For now the high-level Exception
class is used as a generic catchall. In the future these cases
will be updated to handle the specific exceptions expected.
This change removes the redundant KmipClient API class from the
pie package. The ProxyKmipClient is the main client going forward
and there is no need for a generic API against which to develop
new clients. If this is needed in the future, it is trivial to
restore.
This change renames the CertificateTypeEnum enumeration to
CertificateType, matching the naming schemes of all other
enumerations. This is a backwards incompatible change and
will break any scripts or programs that use the current
CertificateTypeEnum name.
This change adds a ProxyKmipClient integration test that verifies
that a wrapped key can be registered with the server and can then
be retrieved, along with all of its key wrapping metadata. Minor
updates to the underlying metadata handling are included.
This change makes several minor updates to different structs
pertaining to key wrapping, allowing these structs to accept and
process dict arguments. Unit tests have been updated to reflect
this change.
This change adds an integration test for the ProxyKmipClient that
verifies that Get can be used with a key wrapping specification
to retrieve a key cryptographically wrapped with another key.
This change updates the KMIP object model to support explicitly
storing key wrapping data attributes. Key wrapping data is treated
externally as a dictionary and is stored as individual fields in
the back end. Various unit tests have been updated and added to
support these additions.
This change updates the ProxyKmipClient, allowing Get operation
calls to retrieve wrapped keys by providing key wrapping
specification information with the request. Unit tests have been
added and updated to reflect this change.
This change adds a logging level configuration option for the
server, allowing the admin to control what server activity gets
collected for logging. Unit tests have been added and updated to
cover this new configuration setting.
This change updates ProxyKmipClient support for the CreateKeyPair
operation, adding in optional arguments allowing the user to
specify the cryptographic usage masks for the public and private
keys that will be created. Unit tests have been added to cover
this change.
This change updates how private key bytes are loaded when signing
data. The prior approach required binascii to unhexlify the byte
string. The current approach removes this requirement, matching
the rest of the library. All unit tests have been updated to
reflect this change.
This change updates payload management, streamlining the import
process for kmip.core.messages.payloads. Now any request or
response payload is accessible by importing payloads. All code
importing and using individual payload modules has been updated
to use this new approach.
This change updates the ProxyKmipClient close method, allowing
it to be called without error even when the client connection is
not open. The client unit tests have been updated to reflect this.
This change adds a server configuration option, tls_cipher_suites,
allowing the server admin to specify a list of cipher suites to be
used when establishing TLS connections with clients. The custom
list supports both cipher suite specification and OpenSSL suite
naming conventions. The list is filtered through a KMIP-approved
set of cipher suites, and then through a set of cipher suites
suitable for the configured authentication suite. Additional debug
logging has been added to the server to provide transparency on
this process.
This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change adds the SignatureVerify operation to the server. Unit
tests covering the additions are included. The Query operation has
been updated to reflect this addition.
This change adds signature verification support to the server
cryptography engine. Only RSA-based signatures are currently
supported. Unit tests have been added to verify the new
functionality.
This change adds request and response payloads for the
SignatureVerify operation. Payload factories have been updated to
support SignatureVerify and new unit test suites have been added
to cover the new payload code.
This change adds demos for the ProxyKmipClient, demonstrating how
to encrypt and decrypt messages. Demo utilities have been updated
to support the new demo scripts and the KMIPProxy client has been
updated to correctly return operation results.
Peter Hamilton
Peter Hamilton
Dane
alishamayor
Edward Betts