All notable changes to this project will be documented in this file.
- [Storage] New `RedisStorage`.
- Added Python 3.9, 3.10 and 3.11 support.
- [Storage] `MemoryStorage` `update` method now doesn't add new policy to Storage if it did not exist prior to the call.
- [Storage] `SQLStorage` regex checks are now performed with `REGEXP` operator instead of a `REGEXP BINARY`. This is done to support MySQL 8. However this change doesn't affect the expected and previous behavior of the storage.
- Dropped Python 3.4 and 3.5 support. Minimal Python version is 3.6 now.
- [vakt] Audit log functionality.
- [Guard] Optional `audit_policies_cls` argument to `Guard` constructor that is responsible for defining class which forms policies collection message in audit logs.
- [Guard] Method `is_allowed_no_audit` was renamed to `is_allowed_check` because it reveals its purpose better and also in order not to confuse it with audit functionality.
- [Guard] If Storage returns None instead of an empty list it will be logged as error. Previously it was treated the same as empty list.
- [Storage] Generic `retrieve_all` method that retrieves all the existing Policies from the storage. Compared to `get_all` you don't need to iterate now with shifting the fetch window manually. Concrete storages don't need to implement it manually.
- [Storage] Added `storage.observable.ObservableMutationStorage` as a Storage whose modify interface is observable.
- [Rules] `SubjectMatch`, `ActionMatch`, `ResourceMatch` rules for matching value against the whole value or specific attribute in Inquiry's subject, action or resource respectively.
- [Cache] Added various cache mechanisms inside `cache` module: `EnfoldCache`. `AllowanceCache`.
- [Policy] Added `PolicyAllow` and `PolicyDeny` for more convenient Policy effects declaration.
- [Guard] Added method `is_allowed_no_audit` that is the same as `is_allowed`, but doesn't perform audit log.
- [MongoStorage] `find_for_inquiry` now uses regex match on DB-server side for string-based policies which increases performance drastically. Works only for MongoDB v >=4.2. For older MongoDB versions the behaviour hasn't changed.
- [Checker] All checkers now accept optional attribute `inquiry` in their `fits` method in order to support InquiryMatch rules. Generally it was needed only for `RulesChecker`, so others just ignore it.
- [Inquiry] Inquiry objects equality is now based on their contents equality. Same for its hash value.
- [Storage] `get_all` for MongoStorage and SQLStorage now always returns policies sorted by `uid` in ascending order.
- Removed deprecated rules: SubjectEqualRule, ActionEqualRule, ResourceInRule.
- [Storage] SQLStorage implementation with support for all RDBMS backed by SQL Alchemy.
- [Storage] `MongoStorage` and `MemoryStorage` now return empty list if `get_all` is called with limit=0. From this version all storages must have this behaviour for consistency.
- [vakt] `MongoStorage` is not imported into vakt package by default.
- [Rules] List-based Rules: (In, NotIn, AllIn, AllNotIn, AnyIn, AnyNotIn) in `vakt.rules.list`.
- [Rules] Comparison operator Rules: (Eq, NotEq, Greater, Less, GreaterOrEqual, LessOrEqual) in `vakt.rules.operator`.
- [Rules] Logic-related operator Rules: (Truthy, Falsy, Not, And, Or, Any, Neither) in `vakt.rules.logic`.
- [Rules] Substring-related Rules: (StartsWith, EndsWith, Contains) in `vakt.rules.string`.
- [Policy] Policy now checks field type on its creation or setting.
- [Checker] `RulesChecker` based on definition of attributes via dictionaries w/ various Rules.
- [Storage] `vakt.storage.migration.Migrator` class. Is used for migrations execution.
- [Storage] `vakt.storage.migration.MigrationSet` class. Represents a collection of migrations for a particular storage.
- Drop Python 3.3 support. Minimal Python version is 3.4 now.
- [Rules] String-based Rule `Equal` now has flag `ci` (case_insensitive). If set to `True`, string case-insensitive comparison is performed.
- [Logging] Rename logging message "Conflicting ID" -> "Conflicting UID".
- [Logging] Changed several exception logs to error level.
- [Guard] Guard's method `are_rules_satisfied` is now `check_context_restriction`.
- [Policy] Policy constructor signature now is: `Policy(uid, subjects, effect, resources, actions, context, rules, description)`.
- [Policy] `Policy()` is now polymorphic class. Based on given attributes it can represent string-based policy (used for RegexChecker, all StringCheckers) and rules-based policy (used for RulesChecker).
- [Storage] `vakt.storage.abc.Migration` abstract class was moved to `vakt.storage.migration.Migration` for scope consistency.
- [vakt] Enhanced imports. Now all the basic components like `Policy`, `Guard`, Rules can be imported directly from `vakt` package.
- [Rules] Rules from `string`, `net`, `inquiry` were renamed to their shorter equivalents. Old-named Rules are now deprecated for usage and will be removed in the next major version. Deprecated rules are: SubjectEqualRule, ActionEqualRule, ResourceInRule, CIDRRule, StringEqualRule, RegexMatchRule, StringPairsEqualRule.
- [Policy] `rules` argument is now deprecated. Use 'context' argument for the same purpose.
- [Storage] Irreversible exception for migrations.
- [Storage] MongoStorage migration between 1.1.0 and 1.1.1
- [Rules] Failing JSON deserialization of some Rules.
- [Storage] Migration Migration0To1x0x3 was properly renamed to Migration0To1x1x0.
- [Util] Objects are now serialized via `jsonpickle` library. This affects Rule JSON representation as JSON string.
- [Storage] MongoDB storage implementation.
- [Storage] `Migration` interface for specifying storage migrations actions.
- [Storage] `Storage:_check_limit_and_offset` method for generic limit and offset validation.
- [Checker] `UnknownCheckerType` exception.
- [Util] `JsonDumper` is now called JsonSerializer.
- [Storage] `Storage:find_for_inquiry` now accepts Checker object as the 3-rd optional argument.
- Only small documentation bits.
- Initial implementation of Vakt. Only in-memory policies storage available.