All notable changes to this project will be documented in this file.
- [Storage] New
RedisStorage
.
- [Storage]
MemoryStorage
update
method now doesn't add new policy to Storage if it did not exist prior to the call.
- [vakt] Audit log functionality.
- [Guard] Optional
audit_policies_cls
argument toGuard
constructor that is responsible for defining class which forms policies collection message in audit logs.
- [Guard] Method
is_allowed_no_audit
was renamed tois_allowed_check
because it reveals its purpose better and also in order not to confuse it with audit functionality. - [Guard] If Storage returns None instead of an empty list it will be logged as error. Previously it was treated the same as empty list.
- [Storage] Generic
retrieve_all
method that retrieves all the existing Policies from the storage. Compared toget_all
you don't need to iterate now with shifting the fetch window manually. Concrete storages don't need to implement it manually. - [Storage] Added
storage.observable.ObservableMutationStorage
as a Storage whose modify interface is observable. - [Rules]
SubjectMatch
,ActionMatch
,ResourceMatch
rules for matching value against the whole value or specific attribute in Inquiry's subject, action or resource respectively. - [Cache] Added various cache mechanisms inside
cache
module:EnfoldCache
.AllowanceCache
. - [Policy] Added
PolicyAllow
andPolicyDeny
for more convenient Policy effects declaration. - [Guard] Added method
is_allowed_no_audit
that is the same asis_allowed
, but doesn't perform audit log.
- [MongoStorage]
find_for_inquiry
now uses regex match on DB-server side for string-based policies which increases performance drastically. Works only for MongoDB v >=4.2. For older MongoDB versions the behaviour hasn't changed. - [Checker] All checkers now accept optional attribute
inquiry
in theirfits
method in order to support InquiryMatch rules. Generally it was needed only forRulesChecker
, so others just ignore it. - [Inquiry] Inquiry objects equality is now based on their contents equality. Same for its hash value.
- [Storage]
get_all
for MongoStorage and SQLStorage now always returns policies sorted byuid
in ascending order.
- Removed deprecated rules: SubjectEqualRule, ActionEqualRule, ResourceInRule.
- [Storage] SQLStorage implementation with support for all RDBMS backed by SQL Alchemy.
- [Storage]
MongoStorage
andMemoryStorage
now return empty list ifget_all
is called with limit=0. From this version all storages must have this behaviour for consistency.
- [vakt]
MongoStorage
is not imported into vakt package by default.
- [Rules] List-based
Rules
: (In, NotIn, AllIn, AllNotIn, AnyIn, AnyNotIn) invakt.rules.list
. - [Rules] Comparison operator
Rules
:(Eq, NotEq, Greater, Less, GreaterOrEqual, LessOrEqual) invakt.rules.operator
. - [Rules] Logic-related operator
Rules
:(Truthy, Falsy, Not, And, Or, Any, Neither) invakt.rules.logic
. - [Rules] Substring-related
Rules
:(StartsWith, EndsWith, Contains) invakt.rules.string
. - [Policy] Policy now checks field type on it's creation or setting.
- [Checker]
RulesChecker
based on definition of attributes via dictionaries w/ various Rules. - [Storage]
vakt.storage.migration.Migrator
class. Is used for migrations execution. - [Storage]
vakt.storage.migration.MigrationSet
class. Represents a collection of migrations for a particular storage.
- Drop Python 3.3 support. Minimal Python version is 3.4 now.
- [Rules] String-based
Rule
Equal now has flagci
(case_insensitive). If set toTrue
, string case-insensitive comparison is performed. - [Logging] Rename logging message "Conflicting ID" -> "Conflicting UID".
- [Logging] Changed several exception logs to error level.
- [Guard] Guard's method
are_rules_satisfied
is nowcheck_context_restriction
. - [Policy] Policy constructor signature now is:
Policy(uid, subjects, effect, resources, actions, context, rules, description)
. - [Policy]
Policy()
is now polymorphic class. Based on given attributes it can represent string-based policy (used for RegexChecker, all StringCheckers) and rules-based policy (used for RulesChecker). - [Storage]
vakt.storage.abc.Migration
abstract class was moved tovakt.storage.migration.Migration
for scope consistency. - [vakt] Enhanced imports. Now all the basic components like
Policy
,Guard
,Rule
s can be imported directly fromvakt
package.
- [Rules]
Rules
fromstring
,net
,inquiry
were renamed to their shorter equivalents. Old-named Rules are now deprecated for usage and will be removed in the next major version. Deprecated rules are: SubjectEqualRule, ActionEqualRule, ResourceInRule, CIDRRule, StringEqualRule, RegexMatchRule, StringPairsEqualRule. - [Policy]
rules
argument is now deprecated. Use 'context' argument for the same purpose.
- [Storage] Irreversible exception for migrations.
- [Storage] MongoStorage migration between 1.1.0 and 1.1.1
- [Rules] Failing JSON deserialization of some Rules.
- [Storage] Migration Migration0To1x0x3 was properly renamed to Migration0To1x1x0.
- [Util] Objects are now serialized via
jsonpickle
library. This affects Rule JSON representation as JSON string.
- [Storage] MongoDB storage implementation.
- [Storage]
Migration
interface for specifying storage migrations actions. - [Storage]
Storage:_check_limit_and_offset
method for generic limit and offset validation. - [Checker]
UnknownCheckerType
exception.
- [Util]
JsonDumper
is now called JsonSerializer. - [Storage]
Storage:find_for_inquiry
now accepts Checker object as the 3-rd optional argument.
- Only small documentation bits.
- Initial implementation of Vakt. Only in-memory policies storage available.