
Integrate policy file monitoring with the server

This change updates the server, integrating policy file monitoring
and restructuring the engine. The top-level server entity now
handles loading policy files using the PolicyDirectoryMonitor
subprocess. A shared memory dictionary is used to share newly
modified policy data across the session threads managed by the
server and used by the engine. The legacy policy loading code in
the engine has been removed.

Unit tests have been added and modified for both the server and
engine to verify the functionality of these modifications.
This commit is contained in:
Peter Hamilton
2018-04-11 11:39:50 -04:00
parent 3c59dcf61a
commit 05b5b8411a
7 changed files with 413 additions and 331 deletions


@@ -15,7 +15,6 @@
import copy
import logging
import os
import six
import sqlalchemy
@@ -42,8 +41,6 @@ from kmip.core.messages import payloads
from kmip.core import misc
from kmip.core import policy as operation_policy
from kmip.pie import factory
from kmip.pie import objects
from kmip.pie import sqltypes
@@ -77,7 +74,7 @@ class KmipEngine(object):
* Cryptographic usage mask enforcement per object type
"""
def __init__(self, policy_path=None):
def __init__(self, policies=None):
"""
Create a KmipEngine.
@@ -124,69 +121,9 @@ class KmipEngine(object):
}
self._attribute_policy = policy.AttributePolicy(self._protocol_version)
self._operation_policies = copy.deepcopy(operation_policy.policies)
self._load_operation_policies(policy_path)
self._operation_policies = policies
self._client_identity = [None, None]
def _load_operation_policies(self, policy_path):
if (policy_path is None) or (not os.path.isdir(policy_path)):
self._logger.warning(
"The specified operation policy directory{0} is not "
"valid. No user-defined policies will be loaded.".format(
" (" + policy_path + ")" if policy_path else ''
)
)
return dict()
else:
self._logger.info(
"Loading user-defined operation policy files from: {0}".format(
policy_path
)
)
for filename in os.listdir(policy_path):
file_path = os.path.join(policy_path, filename)
if os.path.isfile(file_path):
self._logger.info(
"Loading user-defined operation policies "
"from file: {0}".format(file_path)
)
try:
policies = operation_policy.read_policy_from_file(
file_path
)
except ValueError as e:
self._logger.error(
"A failure occurred while loading policies."
)
self._logger.exception(e)
continue
reserved_policies = ['default', 'public']
for policy_name in six.iterkeys(policies):
if policy_name in reserved_policies:
self._logger.warning(
"Loaded policy '{0}' overwrites a reserved "
"policy and will be thrown out.".format(
policy_name
)
)
elif policy_name in six.iterkeys(
self._operation_policies
):
self._logger.warning(
"Loaded policy '{0}' overwrites a "
"preexisting policy and will be thrown "
"out.".format(policy_name)
)
else:
self._operation_policies.update([(
policy_name,
policies.get(policy_name)
)])
def _get_enum_string(self, e):
return ''.join([x.capitalize() for x in e.name.split('_')])
@@ -982,6 +919,8 @@ class KmipEngine(object):
object_type.unique_identifier == uid
).one()
# TODO (peter-hamilton) Add debug log with policy contents?
# Determine if the request should be carried out under the object's
# operation policy. If not, feign ignorance of the object.
is_allowed = self._is_allowed_by_operation_policy(