This change updates Locate operation support in the PyKMIP server,
allowing users to filter objects based on the objects InitialDate
attribute value. Specifying a single InitialDate attribute in the
Locate request will perform an exact match on objects; specifying
two InitialDate attributes will perform a ranged match. Unit tests
and integration tests have been added to test and verify the
correctness of this feature.
Additionally, the Locate demo scripts have also been updated to
support InitialDate filtering. Simply use the "--initial-date"
flag to provide one or more InitialDate values to the Locate
script to filter on those dates.
This change fixes a bug in the server attribute handling logic
that manifests when attributes are deprecated and removed in KMIP
2.0. Now these attributes are effectively ignored for KMIP 2.0
messages, complying with the KMIP 2.0 specification.
This changes adds all of the final core updates necessary to allow
KMIP 2.0 message encoding/decoding support for the PyKMIP server.
Request and responses now dynamically adjust the KMIP version they
encode/decode under based on the KMIP version included in their
header segments. Extra server logging has also been added to show
the KMIP version specified by the client request.
Message tests have been updated to reflect these changes.
This change upgrades the Query payloads, fixing error messages,
comments, local variables, and internal payload structure to
bring Query support up to KMIP 1.4 standards, in addition to
compliance with the current payload format. The corresponding
unit test suite has been completely rewritten to reflect these
changes.
This change prepares the Query payloads for future updates to
support KMIP 2.0.
This change updates the CreateKeyPair payloads to the current
payload format, adding properties for different payload attributes
and adding comparison and string operators. Changes are also made
to the PyKMIP clients and the surrounding testing infrastructure
to reflect the payload changes. The official unit test suite for
the CreateKeyPair payloads has been updated to also reflect these
changes.
This change prepares the CreateKeyPair payloads for future
updates to support KMIP 2.0.
This change updates the Locate payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Locate payloads has also been included, which will eventually
replace the existing Locate message tests elsewhere in the test
suite.
This change prepares the Locate payloads for future updates to
support KMIP 2.0.
This change updates the Register payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Register payloads has also been included, which will eventually
replace the existing Register message tests elsewhere in the test
suite.
This change prepares the Register payloads for future updates to
support KMIP 2.0.
This change updates the Create payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Create payloads has also been included, which will eventually
replace the existing Create message tests elsewhere in the test
suite.
This change prepares the Create payloads for future updates to
support KMIP 2.0.
This change updates the PyKMIP object hierarchy's read/write
method signatures to support propagation of the KMIP version. The
introduction of KMIP 2.0 introduces future KMIP message encodings
that break backwards compatibility; to support this, PyKMIP must
know what KMIP version is being used when encoding or decoding an
object; the KMIP version residing in the client or server alone
is now insufficient. Prior versions of KMIP, namely 1.0 - 1.4,
have been backwards compatible, obviating the need for the KMIP
version at encode/decode time. Going forward, this is no longer
true.
The PyKMIP client and server have been updated to include the
KMIP version when making calls to read/write, as have the
associated test cases covering this functionality.
This change updates the list of KMIP versions supported by the
server. While the server does not support any specific KMIP 1.3
or 1.4 features, the protocol formats are compatible across KMIP
1.0 to 1.4. Without this change, KMIP 1.3 and 1.4 requests for
older operations, like Create, Get, and Destroy, would fail.
This change also updates the server unit tests impacted by this
change.
Closes#451
A recent style update to Python 3.6 adds deprecation W605, which
tightens the usage of invalid escape sequences. This patch removes
any instances of invalid escape sequences from the PyKMIP code
base, bringing the library back up to compliance with Python style.
This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.
This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.
This change updates the server, adding in support for customizing
the backend storage file used to store all server data. The server
currently uses a simple SQLite database for storage. Prior versions
of the server kept this database file in /tmp, to emphasize the
testing focus of the server. This change loosens that restriction,
now allowing users to customize where the database file lives. A
new configuration option, 'database_path', has been added that will
override the default /tmp location for the database file. This
value can also be passed in if invoking the server via script using
the '-d' flag.
This change updates the server, integrating policy file monitoring
and restructuring the engine. The top-level server entity now
handles loading policy files using the PolicyDirectoryMonitor
subprocess. A shared memory dictionary is used to share newly
modified policy data across the session threads managed by the
server and used by the engine. The legacy policy loading code in
the engine has been removed.
Unit tests have been added and modified for both the server and
engine to verify the functionality of these modifications.
This change updates how the server session handles message
processing, adding support for the new authentication plugin
framework. Session unit tests have been updated to account for
this change.
This change updates the Authentication object, taking into account
the recent changes made to the Credential object hierarchy. A new
comprehensive unit test suite has been added for the Authentication
object. Usage of the object in the PyKMIP server has also been
updated to reflect these changes.
This change updates the implementation of the ProtocolVersion
struct, bringing it inline with the current struct style. All
uses of the struct have been updated to reflect these changes,
as have the struct unit tests.
This change updates the PyKMIP server, allowing it to process and
use group-based operation policies. The server still supports the
original operation policy file format, so no immediate difference
should be apparent to users. Future documentation changes will
explain group-based policy files and how they should be used.
This change adds a ProxyKmipClient integration test that verifies
that a wrapped key can be registered with the server and can then
be retrieved, along with all of its key wrapping metadata. Minor
updates to the underlying metadata handling are included.
This change updates payload management, streamlining the import
process for kmip.core.messages.payloads. Now any request or
response payload is accessible by importing payloads. All code
importing and using individual payload modules has been updated
to use this new approach.
This change adds the SignatureVerify operation to the server. Unit
tests covering the additions are included. The Query operation has
been updated to reflect this addition.
This change updates DeriveKey support in the software server to
enforce key truncation. If the derived key is longer than the
requested cryptographic length, the derived key is truncated to
fit the requested length. A unit test has been added to cover
this update.
This change adds the Decrypt operation to the server. Support is
currently limited to symmetric decryption only. The decryption key
used with the operation must be in the Active state and it must
have the Decrypt bit set in its cryptographic usage mask.
This change adds the DeriveKey operation to the server. Unit tests
covering the new additions are included. The Query operation has
also been updated to reflect this addition.
This change adds support for retrieving wrapped keys from the KMIP
server. The only supported key wrapping algorithm currently is
the AES-based NIST Key Wrap algorithm (RFC 3394). MAC/signing is
not supported for key wrapping. Attribute-bundling with the wrapped
key value is not supported. Wrapping of the entire key block TTLV
encoding is not supported. Various additional error cases are
included and checked for.
Unit tests covering the additions to Get are included.
This change updates the Get payloads to reflect current coding
styles. It streamlines payload usage and makes it easier to create
and access payload fields. A new unit test suite dedicated to the
Get payloads is added. Surrounding code in the client/server and
associated utilities and unit tests are updated to reflect these
changes.
This change adds the Encrypt operation to the server. Support is
currently limited to symmetric encryption only. The encryption key
used with the operation must be in the Active state and it must
have the Encrypt bit set in its cryptographic usage mask.
This change updates the CryptographicParameters struct, removing the
primitive class wrappers that it used to use for attribute values
and replacing them with struct properties that internally manage the
primitive objects directly. This gutting and regutting necessitates
cascading changes to every part of the library that used these
internal primitive class wrappers, including unit tests, client and
client tests, and attribute factory handlers. All of these have been
updated to reflect the correct usage of the CryptographicParameters
struct.
This change also adds in additional attribute members for the
CryptographicParameters struct to bring it up to spec with KMIP 1.2.
This change updates the server results returned by the Query
operation to match the current set of supported features. The tests
for Query have been updated to better reflect testing across KMIP
versions.
This change restructures how access controls are enforced for
different server operations, pulling common code into a shared
method for reuse. The server unit tests have been updated to
reflect this change.
This change updates the server and managed object set to support
the InitialDate attribute. The InitialDate is set when the Create,
CreateKeyPair, and Register operations are invoked and can be
listed and retrieved with the GetAttributeList and GetAttributes
operations respectively. The server unit tests have been updated
to reflect these changes.
This change adds support for the GetAttributeList operation. The
user can specify the ID of a managed object and get back a list
containing the names of all attributes currently set on the object.
The user can also omit the ID and the server will default to using
the ID placeholder for the object ID. New server tests have been
added to cover this feature. The GetAttributeList payloads have
also been updated for consistency with other payloads, requiring
minor updates in other clients and unit tests.
This change fixes a bug that could occur when accessing the server
with multiple threads or processes. The SQLite backend by default
does not support multithreading. This change updates how the
SQLite backend is instantiated, preventing error generation when
using multiple clients simultaenously. The server unit test suite
has been updated to cover the change.
This change updates the server to better handle exceptions thrown
while looking up the value of different attributes on managed
objects. Some managed objects in PyKMIP don't currently support
attributes they are supposed to. This can cause lookup errors
when using GetAttributes. This change suppresses any exceptions
and simply returns None for the missing attribute value. The
server unit tests have been updated to account for this change.
