def test_set_certificate_path(self): """ Test that the certificate_path configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertNotIn('certificate_path', c.settings.keys()) # Test that the setting is set correctly with a valid value. with mock.patch('os.path.exists') as os_mock: os_mock.return_value = True c._set_certificate_path('/test/path/server.crt') self.assertIn('certificate_path', c.settings.keys()) self.assertEqual( '/test/path/server.crt', c.settings.get('certificate_path') ) c._set_certificate_path(None) self.assertIn('certificate_path', c.settings.keys()) self.assertEqual(None, c.settings.get('certificate_path')) # Test that a ConfigurationError is generated when setting the wrong # value. c = config.KmipServerConfig() c._logger = mock.MagicMock() args = (0, ) regex = ( "The certificate path value, if specified, must be a valid " "string path to a certificate file." ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._set_certificate_path, *args ) self.assertNotEqual(0, c.settings.get('certificate_path')) args = ('/test/path/server.crt', ) regex = ( "The certificate path value, if specified, must be a valid " "string path to a certificate file." ) with mock.patch('os.path.exists') as os_mock: os_mock.return_value = False self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._set_certificate_path, *args ) self.assertNotEqual( '/test/path/server.crt', c.settings.get('certificate_path') )
def test_set_auth_suite(self): """ Test that the auth_suite configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() # Test that the setting is set correctly with a valid value. c._set_auth_suite('Basic') self.assertIn('auth_suite', c.settings.keys()) self.assertEqual('Basic', c.settings.get('auth_suite')) c._set_auth_suite('TLS1.2') self.assertIn('auth_suite', c.settings.keys()) self.assertEqual('TLS1.2', c.settings.get('auth_suite')) # Test that a ConfigurationError is generated when setting the wrong # value. args = ('invalid', ) regex = ( "The authentication suite must be one of the following: " "Basic, TLS1.2" ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._set_auth_suite, *args ) self.assertNotEqual('invalid', c.settings.get('auth_suite'))
def test_load_settings(self): """ Test that the right calls are made and the right errors generated when loading configuration settings from a configuration file specified by a path string. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._parse_settings = mock.MagicMock() c.parse_auth_settings = mock.MagicMock() # Test that the right calls are made when correctly processing the # configuration file. with mock.patch('os.path.exists') as os_mock: os_mock.return_value = True with mock.patch('six.moves.configparser.SafeConfigParser.read' ) as parser_mock: c.load_settings("/test/path/server.conf") c._logger.info.assert_any_call( "Loading server configuration settings from: " "/test/path/server.conf") parser_mock.assert_called_with("/test/path/server.conf") self.assertTrue(c._parse_settings.called) self.assertTrue(c.parse_auth_settings.called) # Test that a ConfigurationError is generated when the path is invalid. c._logger.reset_mock() with mock.patch('os.path.exists') as os_mock: os_mock.return_value = False args = ('/test/path/server.conf', ) self.assertRaises(exceptions.ConfigurationError, c.load_settings, *args)
def test_set_tls_cipher_suites_preparsed(self): """ Test that the tls_cipher_suites configuration property can be set correctly with a preparsed list of TLS cipher suites, the value expected if the cipher suites were provided via constructor. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_tls_cipher_suites( [ 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384', 'DH-DSS-AES128-SHA' ] ) self.assertEqual(3, len(c.settings.get('tls_cipher_suites'))) self.assertIn( 'DH-DSS-AES128-SHA', c.settings.get('tls_cipher_suites') ) self.assertIn( 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', c.settings.get('tls_cipher_suites') ) self.assertIn( 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384', c.settings.get('tls_cipher_suites') )
def test_set_enable_tls_client_auth(self): """ Test that the enable_tls_client_auth configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() # Test that the setting is set correctly with a valid value c._set_enable_tls_client_auth(False) self.assertEqual(False, c.settings.get('enable_tls_client_auth')) c._set_enable_tls_client_auth(None) self.assertEqual(True, c.settings.get('enable_tls_client_auth')) c._set_enable_tls_client_auth(True) self.assertEqual(True, c.settings.get('enable_tls_client_auth')) # Test that a ConfigurationError is generated when setting the wrong # value. args = ('invalid', ) self.assertRaisesRegexp( exceptions.ConfigurationError, "The flag enabling the TLS certificate client auth flag check " "must be a boolean.", c._set_enable_tls_client_auth, *args)
def test_set_port(self): """ Test that the port configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() # Test that the setting is set correctly with a valid value. c._set_port(5696) self.assertIn('port', c.settings.keys()) self.assertEqual(5696, c.settings.get('port')) # Test that a ConfigurationError is generated when setting the wrong # value. args = ('invalid', ) regex = "The port value must be an integer in the range 0 - 65535." self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._set_port, *args ) self.assertNotEqual('invalid', c.settings.get('port')) args = (65536, ) regex = "The port value must be an integer in the range 0 - 65535." self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._set_port, *args ) self.assertNotEqual(65536, c.settings.get('port'))
def test_set_setting(self): """ Test that the right errors are raised and methods are called when setting individual settings. """ c = config.KmipServerConfig() c._set_auth_suite = mock.MagicMock() c._set_ca_path = mock.MagicMock() c._set_certificate_path = mock.MagicMock() c._set_hostname = mock.MagicMock() c._set_key_path = mock.MagicMock() c._set_port = mock.MagicMock() c._set_policy_path = mock.MagicMock() c._set_enable_tls_client_auth = mock.MagicMock() c._set_tls_cipher_suites = mock.MagicMock() c._set_logging_level = mock.MagicMock() c._set_database_path = mock.MagicMock() # Test the right error is generated when setting an unsupported # setting. args = ('invalid', None) regex = "Setting 'invalid' is not supported." self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c.set_setting, *args) # Test the right methods are called when setting supported settings. c.set_setting('hostname', '127.0.0.1') c._set_hostname.assert_called_once_with('127.0.0.1') c.set_setting('port', 5696) c._set_port.assert_called_once_with(5696) c.set_setting('certificate_path', '/etc/pykmip/certs/server.crt') c._set_certificate_path.assert_called_once_with( '/etc/pykmip/certs/server.crt') c.set_setting('key_path', '/etc/pykmip/certs/server.key') c._set_key_path.assert_called_once_with('/etc/pykmip/certs/server.key') c.set_setting('ca_path', '/etc/pykmip/certs/ca.crt') c._set_ca_path.assert_called_once_with('/etc/pykmip/certs/ca.crt') c.set_setting('auth_suite', 'Basic') c._set_auth_suite.assert_called_once_with('Basic') c.set_setting('policy_path', '/etc/pykmip/policies') c._set_policy_path.assert_called_once_with('/etc/pykmip/policies') c.set_setting('enable_tls_client_auth', False) c._set_enable_tls_client_auth.assert_called_once_with(False) c.set_setting('tls_cipher_suites', []) c._set_tls_cipher_suites.assert_called_once_with([]) c.set_setting('logging_level', 'WARNING') c._set_logging_level.assert_called_once_with('WARNING') c.set_setting('database_path', '/var/pykmip/pykmip.db') c._set_database_path.assert_called_once_with('/var/pykmip/pykmip.db')
def test_set_policy_path(self): """ Test that the policy_path configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertNotIn('policy_path', c.settings.keys()) # Test that the setting is set correctly with a valid value. with mock.patch('os.path.exists') as os_mock: os_mock.return_value = True c._set_policy_path('/test/path/policies') self.assertIn('policy_path', c.settings.keys()) self.assertEqual( '/test/path/policies', c.settings.get('policy_path') ) c._set_policy_path(None) self.assertIn('policy_path', c.settings.keys()) self.assertEqual(None, c.settings.get('policy_path')) # Test that a ConfigurationError is generated when setting the wrong # value. c._logger.reset_mock() args = (1, ) self.assertRaises( exceptions.ConfigurationError, c._set_policy_path, *args ) self.assertNotEqual(1, c.settings.get('policy_path'))
def test_set_tls_cipher_suites_empty(self): """ Test that the tls_cipher_suites configuration property can be set correctly with an empty value. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_tls_cipher_suites(None) self.assertEqual([], c.settings.get('tls_cipher_suites'))
def test_set_logging_level_enum(self): """ Test that the logging_level configuration property can be set correctly with a value expected from the server constructor. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_logging_level(logging.DEBUG) self.assertEqual(logging.DEBUG, c.settings.get('logging_level'))
def test_init(self): """ Test that a KmipServerConfig object can be created without error. """ c = config.KmipServerConfig() self.assertIn('enable_tls_client_auth', c.settings.keys()) self.assertEqual(True, c.settings.get('enable_tls_client_auth')) self.assertIn('tls_cipher_suites', c.settings.keys()) self.assertEqual([], c.settings.get('tls_cipher_suites'))
def test_set_database_path_default(self): """ Test that the database_path configuration property can be set correctly without specifying a value. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertNotIn('database_path', c.settings.keys()) c._set_database_path(None) self.assertIn('database_path', c.settings.keys()) self.assertEqual(None, c.settings.get('database_path'))
def test_set_logging_level_default(self): """ Test that the logging_level configuration property can be set correctly without specifying a value. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_logging_level(logging.DEBUG) self.assertEqual(logging.DEBUG, c.settings.get('logging_level')) c._set_logging_level(None) self.assertEqual(logging.INFO, c.settings.get('logging_level'))
def test_set_tls_cipher_suites_invalid_list_value(self): """ Test that the right error is raised when an invalid list value is used to set the tls_cipher_suites configuration property. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() args = ([0], ) self.assertRaisesRegexp( exceptions.ConfigurationError, "The TLS cipher suites must be a set of strings representing " "cipher suite names.", c._set_tls_cipher_suites, *args)
def test_set_database_path_invalid_value(self): """ Test that the right error is raised when an invalid value is used to set the database_path configuration property. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertNotIn('database_path', c.settings.keys()) args = (1, ) self.assertRaises(exceptions.ConfigurationError, c._set_database_path, *args) self.assertNotEqual(1, c.settings.get('database_path'))
def test_set_setting(self): """ Test that the right errors are raised and methods are called when setting individual settings. """ c = config.KmipServerConfig() c._set_auth_suite = mock.MagicMock() c._set_ca_path = mock.MagicMock() c._set_certificate_path = mock.MagicMock() c._set_hostname = mock.MagicMock() c._set_key_path = mock.MagicMock() c._set_port = mock.MagicMock() # Test the right error is generated when setting an unsupported # setting. args = ('invalid', None) regex = "Setting 'invalid' is not supported." self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c.set_setting, *args ) # Test the right methods are called when setting supported settings. c.set_setting('hostname', '127.0.0.1') c._set_hostname.assert_called_once_with('127.0.0.1') c.set_setting('port', 5696) c._set_port.assert_called_once_with(5696) c.set_setting('certificate_path', '/etc/pykmip/certs/server.crt') c._set_certificate_path.assert_called_once_with( '/etc/pykmip/certs/server.crt' ) c.set_setting('key_path', '/etc/pykmip/certs/server.key') c._set_key_path.assert_called_once_with( '/etc/pykmip/certs/server.key' ) c.set_setting('ca_path', '/etc/pykmip/certs/ca.crt') c._set_ca_path.assert_called_once_with('/etc/pykmip/certs/ca.crt') c.set_setting('auth_suite', 'Basic') c._set_auth_suite.assert_called_once_with('Basic')
def test_set_tls_cipher_suites(self): """ Test that the tls_cipher_suites configuration property can be set correctly with a value expected from the config file. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_tls_cipher_suites(""" TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 """) self.assertEqual(2, len(c.settings.get('tls_cipher_suites'))) self.assertIn('TLS_RSA_WITH_AES_256_CBC_SHA256', c.settings.get('tls_cipher_suites')) self.assertIn('TLS_RSA_WITH_AES_128_CBC_SHA256', c.settings.get('tls_cipher_suites'))
def test_set_database_path(self): """ Test that the database_path configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertNotIn('database_path', c.settings.keys()) with mock.patch('os.path.exists') as os_mock: os_mock.return_value = True c._set_database_path('/test/path/database.db') self.assertIn('database_path', c.settings.keys()) self.assertEqual('/test/path/database.db', c.settings.get('database_path'))
def test_parse_auth_settings_no_config(self): """ Test that server authentication plugin settings are parsed correctly, even when not specified. """ parser = configparser.SafeConfigParser() parser.add_section('server') c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertEqual([], c.settings['auth_plugins']) c.parse_auth_settings(parser) configs = c.settings['auth_plugins'] self.assertIsInstance(configs, list) self.assertEqual(0, len(configs))
def test_set_logging_level_invalid_value(self): """ Test that the right error is raised when an invalid value is used to set the tls_cipher_suites configuration property. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() args = (0, ) self.assertRaisesRegexp( exceptions.ConfigurationError, "The logging level must be a string representing a valid logging " "level.", c._set_logging_level, *args) args = ('invalid', ) self.assertRaisesRegexp( exceptions.ConfigurationError, "The logging level must be a string representing a valid logging " "level.", c._set_logging_level, *args)
def test_set_hostname(self): """ Test that the hostname configuration property can be set correctly. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() # Test that the setting is set correctly with a valid value. c._set_hostname('127.0.0.1') self.assertIn('hostname', c.settings.keys()) self.assertEqual('127.0.0.1', c.settings.get('hostname')) # Test that a ConfigurationError is generated when setting the wrong # value. args = (0, ) regex = "The hostname value must be a string." self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c._set_hostname, *args) self.assertNotEqual(0, c.settings.get('hostname'))
def test_parse_auth_settings(self): """ Test that server authentication plugin settings are parsed correctly. """ parser = configparser.SafeConfigParser() parser.add_section('server') parser.add_section('auth:slugs') parser.set('auth:slugs', 'enabled', 'True') parser.set('auth:slugs', 'url', 'http://127.0.0.1:8080/slugs/') parser.add_section('auth:ldap') parser.set('auth:ldap', 'enabled', 'False') parser.set('auth:ldap', 'url', 'http://127.0.0.1:8080/ldap/') c = config.KmipServerConfig() c._logger = mock.MagicMock() self.assertEqual([], c.settings['auth_plugins']) c.parse_auth_settings(parser) configs = c.settings['auth_plugins'] self.assertIsInstance(configs, list) self.assertEqual(2, len(configs)) for c in configs: self.assertIsInstance(c, tuple) self.assertEqual(2, len(c)) self.assertIn(c[0], ['auth:slugs', 'auth:ldap']) self.assertIsInstance(c[1], dict) if c[0] == 'auth:slugs': self.assertIn('enabled', six.iterkeys(c[1])) self.assertEqual('True', c[1]['enabled']) self.assertIn('url', six.iterkeys(c[1])) self.assertEqual('http://127.0.0.1:8080/slugs/', c[1]['url']) elif c[0] == 'auth:ldap': self.assertIn('enabled', six.iterkeys(c[1])) self.assertEqual('False', c[1]['enabled']) self.assertIn('url', six.iterkeys(c[1])) self.assertEqual('http://127.0.0.1:8080/ldap/', c[1]['url'])
def test_parse_settings(self): """ Test that the right methods are called and the right errors generated when parsing the configuration settings. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_auth_suite = mock.MagicMock() c._set_ca_path = mock.MagicMock() c._set_certificate_path = mock.MagicMock() c._set_hostname = mock.MagicMock() c._set_key_path = mock.MagicMock() c._set_port = mock.MagicMock() c._set_policy_path = mock.MagicMock() c._set_enable_tls_client_auth = mock.MagicMock() c._set_tls_cipher_suites = mock.MagicMock() c._set_logging_level = mock.MagicMock() c._set_database_path = mock.MagicMock() # Test that the right calls are made when correctly parsing settings. parser = configparser.SafeConfigParser() parser.add_section('server') parser.set('server', 'hostname', '127.0.0.1') parser.set('server', 'port', '5696') parser.set('server', 'certificate_path', '/test/path/server.crt') parser.set('server', 'key_path', '/test/path/server.key') parser.set('server', 'ca_path', '/test/path/ca.crt') parser.set('server', 'auth_suite', 'Basic') parser.set('server', 'policy_path', '/test/path/policies') parser.set('server', 'enable_tls_client_auth', 'False') parser.set('server', 'tls_cipher_suites', "\n TLS_RSA_WITH_AES_256_CBC_SHA256") parser.set('server', 'logging_level', 'ERROR') parser.set('server', 'database_path', '/var/pykmip/pykmip.db') c._parse_settings(parser) c._set_hostname.assert_called_once_with('127.0.0.1') c._set_port.assert_called_once_with(5696) c._set_certificate_path.assert_called_once_with( '/test/path/server.crt') c._set_key_path.assert_called_once_with('/test/path/server.key') c._set_ca_path.assert_called_once_with('/test/path/ca.crt') c._set_auth_suite.assert_called_once_with('Basic') c._set_policy_path.assert_called_once_with('/test/path/policies') c._set_enable_tls_client_auth.assert_called_once_with(False) c._set_tls_cipher_suites.assert_called_once_with( "\n TLS_RSA_WITH_AES_256_CBC_SHA256") c._set_logging_level.assert_called_once_with('ERROR') c._set_database_path.assert_called_once_with('/var/pykmip/pykmip.db') # Test that a ConfigurationError is generated when the expected # section is missing. parser = configparser.SafeConfigParser() args = (parser, ) regex = ( "The server configuration file does not have a 'server' section.") self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c._parse_settings, *args) # Test that a ConfigurationError is generated when an unexpected # setting is provided. parser = configparser.SafeConfigParser() parser.add_section('server') parser.set('server', 'invalid', 'invalid') args = (parser, ) regex = ( "Setting 'invalid' is not a supported setting. Please remove it " "from the configuration file.") self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c._parse_settings, *args) # Test that a ConfigurationError is generated when an expected # setting is missing. parser = configparser.SafeConfigParser() parser.add_section('server') args = (parser, ) regex = ("Setting 'hostname' is missing from the configuration file.") self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c._parse_settings, *args) # Test that a ConfigurationError is generated when an expected # setting is missing. parser = configparser.SafeConfigParser() parser.add_section('server') args = (parser, ) regex = ("Setting 'hostname' is missing from the configuration file.") self.assertRaisesRegexp(exceptions.ConfigurationError, regex, c._parse_settings, *args)
def test_init(self): """ Test that a KmipServerConfig object can be created without error. """ config.KmipServerConfig()
def test_parse_settings(self): """ Test that the right methods are called and the right errors generated when parsing the configuration settings. """ c = config.KmipServerConfig() c._logger = mock.MagicMock() c._set_auth_suite = mock.MagicMock() c._set_ca_path = mock.MagicMock() c._set_certificate_path = mock.MagicMock() c._set_hostname = mock.MagicMock() c._set_key_path = mock.MagicMock() c._set_port = mock.MagicMock() # Test that the right calls are made when correctly parsing settings. parser = configparser.SafeConfigParser() parser.add_section('server') parser.set('server', 'hostname', '127.0.0.1') parser.set('server', 'port', '5696') parser.set('server', 'certificate_path', '/test/path/server.crt') parser.set('server', 'key_path', '/test/path/server.key') parser.set('server', 'ca_path', '/test/path/ca.crt') parser.set('server', 'auth_suite', 'Basic') c._parse_settings(parser) c._set_hostname.assert_called_once_with('127.0.0.1') c._set_port.assert_called_once_with(5696) c._set_certificate_path.assert_called_once_with( '/test/path/server.crt' ) c._set_key_path.assert_called_once_with('/test/path/server.key') c._set_ca_path.assert_called_once_with('/test/path/ca.crt') c._set_auth_suite.assert_called_once_with('Basic') # Test that a ConfigurationError is generated when the expected # section is missing. parser = configparser.SafeConfigParser() args = (parser, ) regex = ( "The server configuration file does not have a 'server' section." ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._parse_settings, *args ) # Test that a ConfigurationError is generated when an unexpected # setting is provided. parser = configparser.SafeConfigParser() parser.add_section('server') parser.set('server', 'invalid', 'invalid') args = (parser, ) regex = ( "Setting 'invalid' is not a supported setting. Please remove it " "from the configuration file." ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._parse_settings, *args ) # Test that a ConfigurationError is generated when an expected # setting is missing. parser = configparser.SafeConfigParser() parser.add_section('server') args = (parser, ) regex = ( "Setting 'hostname' is missing from the configuration file." ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._parse_settings, *args ) # Test that a ConfigurationError is generated when an expected # setting is missing. parser = configparser.SafeConfigParser() parser.add_section('server') args = (parser, ) regex = ( "Setting 'hostname' is missing from the configuration file." ) self.assertRaisesRegexp( exceptions.ConfigurationError, regex, c._parse_settings, *args )
def __init__(self, hostname=None, port=None, certificate_path=None, key_path=None, ca_path=None, auth_suite=None, config_path='/etc/pykmip/server.conf', log_path='/var/log/pykmip/server.log', policy_path=None, enable_tls_client_auth=None, tls_cipher_suites=None, logging_level=None, live_policies=False, database_path=None): """ Create a KmipServer. Settings are loaded initially from the configuration file located at config_path, if specified. All other configuration options listed below, if specified, will override the settings loaded from the configuration file. A rotating file logger will be set up with the base log file located at log_path. The server itself will handle rotating the log files as the logs grow. The server process must have permission to read/write to the specified log directory. The main KmipEngine request processor is created here, along with all information required to manage KMIP client connections and sessions. Args: hostname (string): The host address the server will be bound to (e.g., '127.0.0.1'). Optional, defaults to None. port (int): The port number the server will be bound to (e.g., 5696). Optional, defaults to None. certificate_path (string): The path to the server certificate file (e.g., '/etc/pykmip/certs/server.crt'). Optional, defaults to None. key_path (string): The path to the server certificate key file (e.g., '/etc/pykmip/certs/server.key'). Optional, defaults to None. ca_path (string): The path to the certificate authority (CA) certificate file (e.g., '/etc/pykmip/certs/ca.crt'). Optional, defaults to None. auth_suite (string): A string value indicating the type of authentication suite to use for establishing TLS connections. Accepted values are: 'Basic', 'TLS1.2'. Optional, defaults to None. config_path (string): The path to the server configuration file (e.g., '/etc/pykmip/server.conf'). Optional, defaults to '/etc/pykmip/server.conf'. log_path (string): The path to the base server log file (e.g., '/var/log/pykmip/server.log'). Optional, defaults to '/var/log/pykmip/server.log'. policy_path (string): The path to the filesystem directory containing PyKMIP server operation policy JSON files. Optional, defaults to None. enable_tls_client_auth (boolean): A boolean indicating if the TLS certificate client auth flag should be required for client certificates when establishing a new client session. Optional, defaults to None. tls_cipher_suites (string): A comma-delimited list of cipher suite names (e.g., TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_ 128_CBC_SHA256), indicating which specific cipher suites should be used by the server when establishing a TLS connection with a client. Optional, defaults to None. If None, the default set of TLS cipher suites will be used. logging_level (string): A logging level enumeration defined by the logging package (e.g., DEBUG, INFO). Sets the base logging level for the server. All log messages logged at this level or higher in criticality will be logged. All log messages lower in criticality will not be logged. Optional, defaults to None. live_policies (boolean): A boolean indicating if the operation policy directory should be actively monitored to autoload any policy changes while the server is running. Optional, defaults to False. database_path (string): The path to the server's SQLite database file. Optional, defaults to None. """ self._logger = logging.getLogger('kmip.server') self._setup_logging(log_path) self.config = config.KmipServerConfig() self._setup_configuration(config_path, hostname, port, certificate_path, key_path, ca_path, auth_suite, policy_path, enable_tls_client_auth, tls_cipher_suites, logging_level, database_path) self.live_policies = live_policies self.policies = {} self._logger.setLevel(self.config.settings.get('logging_level')) cipher_suites = self.config.settings.get('tls_cipher_suites') if self.config.settings.get('auth_suite') == 'TLS1.2': self.auth_suite = auth.TLS12AuthenticationSuite(cipher_suites) else: self.auth_suite = auth.BasicAuthenticationSuite(cipher_suites) self._session_id = 1 self._is_serving = False
def __init__(self, hostname=None, port=None, certificate_path=None, key_path=None, ca_path=None, auth_suite=None, config_path='/etc/pykmip/server.conf', log_path='/var/log/pykmip/server.log', policy_path=None): """ Create a KmipServer. Settings are loaded initially from the configuration file located at config_path, if specified. All other configuration options listed below, if specified, will override the settings loaded from the configuration file. A rotating file logger will be set up with the base log file located at log_path. The server itself will handle rotating the log files as the logs grow. The server process must have permission to read/write to the specified log directory. The main KmipEngine request processor is created here, along with all information required to manage KMIP client connections and sessions. Args: hostname (string): The host address the server will be bound to (e.g., '127.0.0.1'). Optional, defaults to None. port (int): The port number the server will be bound to (e.g., 5696). Optional, defaults to None. certificate_path (string): The path to the server certificate file (e.g., '/etc/pykmip/certs/server.crt'). Optional, defaults to None. key_path (string): The path to the server certificate key file (e.g., '/etc/pykmip/certs/server.key'). Optional, defaults to None. ca_path (string): The path to the certificate authority (CA) certificate file (e.g., '/etc/pykmip/certs/ca.crt'). Optional, defaults to None. auth_suite (string): A string value indicating the type of authentication suite to use for establishing TLS connections. Accepted values are: 'Basic', 'TLS1.2'. Optional, defaults to None. config_path (string): The path to the server configuration file (e.g., '/etc/pykmip/server.conf'). Optional, defaults to '/etc/pykmip/server.conf'. log_path (string): The path to the base server log file (e.g., '/var/log/pykmip/server.log'). Optional, defaults to '/var/log/pykmip/server.log'. policy_path (string): The path to the filesystem directory containing PyKMIP server operation policy JSON files. Optional, defaults to None. """ self._logger = logging.getLogger('kmip.server') self._setup_logging(log_path) self.config = config.KmipServerConfig() self._setup_configuration(config_path, hostname, port, certificate_path, key_path, ca_path, auth_suite, policy_path) if self.config.settings.get('auth_suite') == 'TLS1.2': self.auth_suite = auth.TLS12AuthenticationSuite() else: self.auth_suite = auth.BasicAuthenticationSuite() self._engine = engine.KmipEngine( self.config.settings.get('policy_path')) self._session_id = 1 self._is_serving = False