Example #1
    def test_ciphers(self):
        """
        Test that the TLS 1.2 suite reports the expected default cipher list.

        The expected value is an OpenSSL-style cipher string: suite names
        joined with ':'. The comparison is an exact string match, so order
        and repeated entries are part of what is pinned here.
        """
        actual = auth.TLS12AuthenticationSuite().ciphers
        self.assertIsInstance(actual, str)

        # Security notes on the pinned list:
        # - 'AES128-SHA256' / 'AES256-SHA256' are the static-RSA key exchange
        #   suites (TLS_RSA_WITH_AES_*_CBC_SHA256) and the 'DH-*' / 'ECDH-*'
        #   entries use fixed (non-ephemeral) Diffie-Hellman keys; none of
        #   these provide forward secrecy. Only 'DHE-*' and 'ECDHE-*' do.
        # - Only the two '-GCM-' entries are AEAD suites; the rest are CBC
        #   with an HMAC-SHA256/384 MAC.
        # - 'DH-DSS-AES256-SHA256', 'ECDHE-ECDSA-AES128-SHA256' and
        #   'ECDHE-ECDSA-AES256-SHA384' each appear twice. They are kept
        #   because the assertion below compares the whole string.
        # NOTE(review): 'ECDH-ECDSA-AES256-SHA256' does not look like a
        # standard OpenSSL name (the other ECDH/ECDHE AES-256 CBC entries
        # use SHA384) -- confirm against the suite implementation.
        expected_names = [
            'AES128-SHA256',
            'AES256-SHA256',
            'DH-DSS-AES256-SHA256',
            'DH-DSS-AES128-SHA256',
            'DH-RSA-AES128-SHA256',
            'DHE-DSS-AES128-SHA256',
            'DHE-RSA-AES128-SHA256',
            'DH-DSS-AES256-SHA256',
            'DH-RSA-AES256-SHA256',
            'DHE-DSS-AES256-SHA256',
            'DHE-RSA-AES256-SHA256',
            'ECDH-ECDSA-AES128-SHA256',
            'ECDH-ECDSA-AES256-SHA256',
            'ECDHE-ECDSA-AES128-SHA256',
            'ECDHE-ECDSA-AES256-SHA384',
            'ECDH-RSA-AES128-SHA256',
            'ECDH-RSA-AES256-SHA384',
            'ECDHE-RSA-AES128-SHA256',
            'ECDHE-RSA-AES256-SHA384',
            'ECDHE-ECDSA-AES128-GCM-SHA256',
            'ECDHE-ECDSA-AES256-GCM-SHA384',
            'ECDHE-ECDSA-AES128-SHA256',
            'ECDHE-ECDSA-AES256-SHA384',
        ]
        expected = ':'.join(expected_names)

        self.assertEqual(expected, actual)
Example #2
    def test_protocol(self):
        """
        Test that the TLS 1.2 suite reports ssl.PROTOCOL_TLSv1_2.

        The protocol attribute must be an int and equal to the ssl module's
        TLS 1.2 constant.
        """
        suite = auth.TLS12AuthenticationSuite()
        reported = suite.protocol
        self.assertIsInstance(reported, int)

        # ssl.PROTOCOL_TLSv1_2 selects exactly TLS 1.2, so a context built
        # from it cannot negotiate TLS 1.3. Current Python versions deprecate
        # the version-specific constants in favour of ssl.PROTOCOL_TLS_SERVER
        # / ssl.PROTOCOL_TLS_CLIENT combined with SSLContext.minimum_version.
        expected = ssl.PROTOCOL_TLSv1_2
        self.assertEqual(expected, suite.protocol)
Example #3
    def __init__(self,
                 hostname=None,
                 port=None,
                 certificate_path=None,
                 key_path=None,
                 ca_path=None,
                 auth_suite=None,
                 config_path='/etc/pykmip/server.conf',
                 log_path='/var/log/pykmip/server.log',
                 policy_path=None,
                 enable_tls_client_auth=None,
                 tls_cipher_suites=None,
                 logging_level=None,
                 live_policies=False,
                 database_path=None):
        """
        Create a KmipServer.

        Settings are first read from the configuration file at config_path,
        if specified. Any of the other options below that are specified
        override the values loaded from that file.

        A rotating file logger is set up with its base log file at log_path.
        The server rotates the log files itself as they grow, so the server
        process needs read/write permission on the log directory.

        This constructor prepares logging, configuration, the authentication
        suite and session bookkeeping. No request-processing engine is
        constructed in the code of this constructor.

        Security notes:
            * Only the exact setting 'TLS1.2' selects
              TLS12AuthenticationSuite. Every other value of the resolved
              'auth_suite' setting, including a missing or misspelled one,
              selects BasicAuthenticationSuite without any warning.
              NOTE(review): validation may happen inside the configuration
              object -- confirm, since a typo would otherwise silently
              change the TLS policy.
            * key_path points at private key material; restrict read access
              on that file to the server account.

        Args:
            hostname (string): The host address the server will be bound to
                (e.g., '127.0.0.1'). Optional, defaults to None.
            port (int): The port number the server will be bound to
                (e.g., 5696). Optional, defaults to None.
            certificate_path (string): The path to the server certificate
                file (e.g., '/etc/pykmip/certs/server.crt'). Optional,
                defaults to None.
            key_path (string): The path to the server certificate key file
                (e.g., '/etc/pykmip/certs/server.key'). Optional, defaults
                to None.
            ca_path (string): The path to the certificate authority (CA)
                certificate file (e.g., '/etc/pykmip/certs/ca.crt').
                Optional, defaults to None.
            auth_suite (string): The type of authentication suite to use for
                establishing TLS connections. Accepted values are: 'Basic',
                'TLS1.2'. Optional, defaults to None.
            config_path (string): The path to the server configuration file
                (e.g., '/etc/pykmip/server.conf'). Optional, defaults to
                '/etc/pykmip/server.conf'.
            log_path (string): The path to the base server log file
                (e.g., '/var/log/pykmip/server.log'). Optional, defaults to
                '/var/log/pykmip/server.log'.
            policy_path (string): The path to the filesystem directory
                containing PyKMIP server operation policy JSON files.
                Optional, defaults to None.
            enable_tls_client_auth (boolean): Whether the TLS certificate
                client auth flag should be required for client certificates
                when establishing a new client session. Optional, defaults
                to None.
            tls_cipher_suites (string): A comma-delimited list of cipher
                suite names (e.g.,
                TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256)
                naming the cipher suites the server should use when
                establishing a TLS connection with a client. Optional,
                defaults to None. If None, the default set of TLS cipher
                suites will be used.
            logging_level (string): A logging level enumeration defined by
                the logging package (e.g., DEBUG, INFO). Sets the base
                logging level for the server: messages at this level or
                higher in criticality are logged, lower ones are not.
                Optional, defaults to None.
            live_policies (boolean): Whether the operation policy directory
                should be actively monitored to autoload any policy changes
                while the server is running. Optional, defaults to False.
            database_path (string): The path to the server's SQLite database
                file. Optional, defaults to None.
        """
        # Logging comes first so that configuration loading can be logged.
        self._logger = logging.getLogger('kmip.server')
        self._setup_logging(log_path)

        self.config = config.KmipServerConfig()
        self._setup_configuration(
            config_path,
            hostname,
            port,
            certificate_path,
            key_path,
            ca_path,
            auth_suite,
            policy_path,
            enable_tls_client_auth,
            tls_cipher_suites,
            logging_level,
            database_path
        )
        self.live_policies = live_policies
        self.policies = {}

        # From here on, read the resolved settings rather than the raw
        # arguments, so file values and overrides are treated alike.
        settings = self.config.settings
        self._logger.setLevel(settings.get('logging_level'))

        cipher_suites = settings.get('tls_cipher_suites')
        # Anything other than the exact string 'TLS1.2' falls through to the
        # Basic suite; both suites receive the same configured cipher list.
        suite_factory = (
            auth.TLS12AuthenticationSuite
            if settings.get('auth_suite') == 'TLS1.2'
            else auth.BasicAuthenticationSuite
        )
        self.auth_suite = suite_factory(cipher_suites)

        self._session_id = 1
        self._is_serving = False
Example #4
 def test_init(self):
     """
     Test that a TLS12AuthenticationSuite can be built without arguments.
     """
     # There is no explicit assertion: the test passes when construction
     # completes without raising.
     auth.TLS12AuthenticationSuite()
Example #5
    def __init__(self,
                 hostname=None,
                 port=None,
                 certificate_path=None,
                 key_path=None,
                 ca_path=None,
                 auth_suite=None,
                 config_path='/etc/pykmip/server.conf',
                 log_path='/var/log/pykmip/server.log',
                 policy_path=None):
        """
        Create a KmipServer.

        Settings are first read from the configuration file at config_path,
        if specified. Any of the other options below that are specified
        override the values loaded from that file.

        A rotating file logger is set up with its base log file at log_path.
        The server rotates the log files itself as they grow, so the server
        process needs read/write permission on the log directory.

        The main KmipEngine request processor is created here, along with
        the state needed to manage KMIP client connections and sessions.

        Security notes:
            * Only the exact setting 'TLS1.2' selects
              TLS12AuthenticationSuite. Every other value of the resolved
              'auth_suite' setting, including a missing or misspelled one,
              selects BasicAuthenticationSuite without any warning.
              NOTE(review): validation may happen inside the configuration
              object -- confirm, since a typo would otherwise silently
              change the TLS policy.
            * Both suites are built with no arguments, so this constructor
              offers no way to restrict the cipher list.
            * key_path points at private key material; restrict read access
              on that file to the server account.

        Args:
            hostname (string): The host address the server will be bound to
                (e.g., '127.0.0.1'). Optional, defaults to None.
            port (int): The port number the server will be bound to
                (e.g., 5696). Optional, defaults to None.
            certificate_path (string): The path to the server certificate
                file (e.g., '/etc/pykmip/certs/server.crt'). Optional,
                defaults to None.
            key_path (string): The path to the server certificate key file
                (e.g., '/etc/pykmip/certs/server.key'). Optional, defaults
                to None.
            ca_path (string): The path to the certificate authority (CA)
                certificate file (e.g., '/etc/pykmip/certs/ca.crt').
                Optional, defaults to None.
            auth_suite (string): The type of authentication suite to use for
                establishing TLS connections. Accepted values are: 'Basic',
                'TLS1.2'. Optional, defaults to None.
            config_path (string): The path to the server configuration file
                (e.g., '/etc/pykmip/server.conf'). Optional, defaults to
                '/etc/pykmip/server.conf'.
            log_path (string): The path to the base server log file
                (e.g., '/var/log/pykmip/server.log'). Optional, defaults to
                '/var/log/pykmip/server.log'.
            policy_path (string): The path to the filesystem directory
                containing PyKMIP server operation policy JSON files.
                Optional, defaults to None.
        """
        # Logging comes first so that configuration loading can be logged.
        self._logger = logging.getLogger('kmip.server')
        self._setup_logging(log_path)

        self.config = config.KmipServerConfig()
        self._setup_configuration(
            config_path,
            hostname,
            port,
            certificate_path,
            key_path,
            ca_path,
            auth_suite,
            policy_path
        )

        # Read the resolved settings rather than the raw arguments, so file
        # values and overrides are treated alike.
        settings = self.config.settings

        # Anything other than the exact string 'TLS1.2' falls through to the
        # Basic suite.
        suite_factory = (
            auth.TLS12AuthenticationSuite
            if settings.get('auth_suite') == 'TLS1.2'
            else auth.BasicAuthenticationSuite
        )
        self.auth_suite = suite_factory()

        # The engine is given the resolved policy directory setting.
        self._engine = engine.KmipEngine(settings.get('policy_path'))
        self._session_id = 1
        self._is_serving = False