version rev to 1.3.3

jgarman · jgarman · commit 11e5fb9fc8c7 · 2017-09-01T15:57:24.000-04:00
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Python bindings for Carbon Black REST API
 
-**Current version: 1.3.2**
+**Current version: 1.3.3**
 
 [![Build Status](https://travis-ci.org/carbonblack/cbapi-python.svg?branch=master)](https://travis-ci.org/carbonblack/cbapi-python)
 
@@ -29,8 +29,8 @@ Backwards compatibility with old scripts is maintained through the `cbapi.legacy
 `cbapi.CbApi` directly will continue to work. Once cbapi 2.0.0 is released, the old `CbApi` will be deprecated and
 removed entirely no earlier than January 2017.
 
-New scripts should use the `cbapi.CbEnterpriseResponseAPI` (for Carbon Black "Enterprise Response") and 
-`cbapi.CbEnterpriseProtectionAPI` (for Carbon Black "Enterprise Protection" / former Bit9) API entry points.
+New scripts should use the `cbapi.CbResponseAPI` (for Cb Response) and 
+`cbapi.CbProtectionAPI` (for Cb Protection / former Bit9) API entry points.
 
 ## Getting Started
 
diff --git a/bin/cbapi b/bin/cbapi
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+import argparse
+import contextlib
+
+from cbapi.six import iteritems
+import sys
+from cbapi.utils import check_python_tls_compatibility
+
+
+def check_tls(opts):
+    print("Newest TLS version supported by this platform is: {0}.".format(check_python_tls_compatibility()))
+
+
+command_map = {
+    "check-tls": {
+        "extra_args": {},
+        "help": "Return the latest version of TLS supported by this version of Python and OpenSSL. "
+            "Cb Response versions 6.1+ now require TLSv1.2 support.",
+        "method": check_tls
+    }
+}
+
+
+def main(args):
+    parser = argparse.ArgumentParser()
+    commands = parser.add_subparsers(dest="command_name", help="CbAPI subcommand")
+
+    for cmd_name, cmd_config in iteritems(command_map):
+        cmd_parser = commands.add_parser(cmd_name, help=cmd_config.get("help", None))
+        for cmd_arg_name, cmd_arg_config in iteritems(cmd_config.get("extra_args", {})):
+            cmd_parser.add_argument(cmd_arg_name, **cmd_arg_config)
+
+    opts = parser.parse_args(args)
+    command = command_map.get(opts.command_name)
+    if not command:
+        parser.print_usage()
+        return
+
+    command_method = command.get("method", None)
+    if command_method:
+        return command_method(opts)
+    else:
+        parser.print_usage()
+
+
+if __name__ == '__main__':
+    sys.exit(main(sys.argv[1:]))
diff --git a/bin/cbapi-response b/bin/cbapi-response
@@ -93,21 +93,11 @@ def configure(opts):
     print("Successfully wrote credentials to {0}.".format(credential_file))
 
 
-def check_tls(opts):
-    print("Newest TLS version supported by this install is: {0}.".format(check_python_tls_compatibility()))
-
-
 command_map = {
     "configure": {
         "extra_args": {},
         "help": "Configure CbAPI",
         "method": configure
-    },
-    "check-tls": {
-        "extra_args": {},
-        "help": "Return the latest version of TLS supported by this version of Python and OpenSSL. "
-            "Cb Response versions 6.1+ now require TLSv1.2 support.",
-        "method": check_tls
     }
 }
 
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -1,6 +1,53 @@
 CbAPI Changelog
 ===============
 
+CbAPI 1.3.3 - Released September 1, 2017
+----------------------------------------
+
+This release includes security improvements and bugfixes.
+
+Security changes:
+
+* CbAPI enforces the use of HTTPS when connecting to on-premise Cb Response servers.
+* CbAPI can optionally require TLSv1.2 when connecting to Carbon Black servers.
+
+  * Note that some versions of Python and OpenSSL, notably the version of OpenSSL packaged with Mac OS X, do not support
+    TLSv1.2. This will cause CbAPI to fail to connect to Cb Response 6.1+ servers which require TLSv1.2 cipher suites.
+  * A new command, ``cbapi check-tls``, will report the TLS version supported by your platform.
+  * To enforce the use of TLSv1.2 when connecting to a server, add ``ssl_force_tls_1_2=True`` to that server's
+    credential profile.
+
+* Add the ability to "pin" a specific server certificate to a credential profile.
+
+  * You can now force TLS certificate verification on self-signed, on-premise installations of Cb Response or Protection
+    through the ``ssl_cert_file`` option in the credential profile.
+  * To "pin" a server certificate, save the PEM-formatted server certificate to a file, and put the full path to that
+    PEM file in the ``ssl_cert_file`` option of that server's credential profile.
+  * When using this option with on-premise Cb Response servers, you may also have to set
+    ``ssl_verify_hostname=False`` as the hostname in the certificate generated at install time is ``localhost`` and
+    will not match the server's hostname or IP address. This option will still validate that the server's certificate
+    is valid and matches the copy in the ``ssl_cert_file`` option.
+
+Changes for Cb Protection:
+
+* The API now sets the appropriate "GET" query fields when changing fields such as the ``debugFlags`` on the Computer
+  object.
+* The ``.template`` attribute on the Computer model object has been renamed ``.templateComputer``.
+* Remove AppCatalog and AppTemplate model objects.
+
+Changes for Cb Response:
+
+* Added ``.webui_link`` property to Cb Response Query objects.
+
+Bug Fixes:
+
+* Error handling is improved on Python 3. Live Response auto-reconnect functionality is now fixed on Python 3 as
+  a result.
+* Workaround implemented for Cb Response 6.1 where segment_ids are truncated on Alerts. The ``.process`` attribute on
+  an Alert now ignores the ``segment_id`` and links to the first Process segment.
+* Fixed issue with ``Binary.signed`` and ``CbModLoadEvent.is_signed``.
+
+
 CbAPI 1.3.2 - Released August 10, 2017
 --------------------------------------
 
diff --git a/docs/conf.py b/docs/conf.py
@@ -61,7 +61,7 @@
 # The short X.Y version.
 version = u'1.3'
 # The full version, including alpha/beta/rc tags.
-release = u'1.3.2'
+release = u'1.3.3'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/setup.py b/setup.py
@@ -28,7 +28,7 @@
 
 setup(
     name='cbapi',
-    version='1.3.2',
+    version='1.3.3',
     url='https://github.com/carbonblack/cbapi-python',
     license='MIT',
     author='Carbon Black',
@@ -47,5 +47,5 @@
         'Programming Language :: Python',
         'Topic :: Software Development :: Libraries :: Python Modules'
     ],
-    scripts=['bin/cbapi-response', 'bin/cbapi-protection', 'bin/cbapi-defense']
+    scripts=['bin/cbapi-response', 'bin/cbapi-protection', 'bin/cbapi-defense', 'bin/cbapi']
 )
diff --git a/src/cbapi/protection/models.py b/src/cbapi/protection/models.py
@@ -20,14 +20,6 @@ class EnforcementLevel:
     LevelNone = 80
 
 
-class AppCatalog(NewBaseModel):
-    urlobject = "/api/bit9platform/v1/appCatalog"
-
-    @classmethod
-    def _minimum_server_version(cls):
-        return LooseVersion("8.0")
-
-
 class ApprovalRequest(MutableModel):
     urlobject = "/api/bit9platform/v1/approvalRequest"
 
@@ -64,14 +56,6 @@ def computer(self):
         return self._join(Computer, "computerId")
 
 
-class AppTemplate(MutableBaseModel):
-    urlobject = "/api/bit9platform/v1/appTemplate"
-
-    @classmethod
-    def _minimum_server_version(cls):
-        return LooseVersion("8.0")
-
-
 class Certificate(MutableModel):
     urlobject = "/api/bit9platform/v1/certificate"
 
