Skip to content

Kc 1364#2212

Draft
jpkeepersecurity wants to merge 1 commit into
releasefrom
KC-1364
Draft

Kc 1364#2212
jpkeepersecurity wants to merge 1 commit into
releasefrom
KC-1364

Conversation

@jpkeepersecurity

Copy link
Copy Markdown
Contributor

Sync pam cnapp commands with current krouter CNAPP endpoints

Summary

Krouter's CNAPP REST surface (CnappConfigurationRest.kt, CnappQueueRest.kt) moved ahead of Commander's pam cnapp CLI. All 10 endpoints already had commands, but the queue/remediate wire contract changed and CnappQueueItem gained a field. This PR regenerates the CNAPP protobuf and updates the remediate and list commands so Commander covers the full endpoint functionality again.

Proto drift being fixed (cnapp.proto)

  • CnappRemediateRequest.groupName (string, field 9) was replaced by encryptedRemediations (bytes, field 9)
  • CnappRemediateRequest.autoRemediateInFuture (bool, field 10) was added
  • CnappRemediateRequest.provider (field 6) and cnappConfigurationRecordUid (field 3) are now deprecated — krouter reads both from its own DB and clients must stop sending them
  • CnappQueueItem.controlHash (string, field 9) was added
  • Krouter now dispatches REMOVE_STANDING_PRIVILEGE in addition to ROTATE_CREDENTIALS; manage_access/jit_access are rejected

Changes

keepercommander/proto/cnapp_pb2.py

  • Regenerated from keeperapp-protobuf/cnapp.proto with protoc 3.19.6 (no imports in the proto, so no relative-import rewrite needed).

keepercommander/commands/pam/cnapp_helper.py

  • remediate_cnapp_queue_item(): new signature — accepts encrypted_remediations: bytes and auto_remediate: bool; drops provider, cnapp_config_record_uid, and group_name. The deprecated proto fields are never set on the wire.
  • New build_encrypted_remediations(params, network_uid, group_names, role_names): encrypts the JSON map {"groupNames": [...], "roleNames": [...]} with AES-256-GCM under the PAM configuration (network) record key (params.record_cache[uid]['record_key_unencrypted'] + crypto.encrypt_aes_v2, same convention as credential_provision.py). Krouter relays the ciphertext opaquely — group/role names never transit in the clear. Raises a ValueError with a sync-down hint when the record isn't cached.

keepercommander/commands/pam/cnapp_commands.py

  • pam cnapp queue remediate:
    • Removed: --group-name, --provider/-p, --config-record (obsolete/deprecated on the wire)
    • Added:
      • --group / --role — repeatable; targets for remove_standing_privilege, encrypted client-side
      • --network-uid/-n — PAM configuration record UID whose key encrypts the targets; required when --group/--role is given
      • --auto-remediate — registers an auto-remediation rule for the item's control hash (rotate_credentials only; item must carry a control hash)
    • Pre-flight validation mirroring krouter's rules, raised as CommandError before any network call:
      • --auto-remediate with any action other than rotate_credentials → error
      • --group/--role with any action other than remove_standing_privilege → error
      • --group/--role without --network-uid → error
      • remove_standing_privilege with no targets → proceeds with a note that the gateway falls back to the record's JIT settings
    • Updated --action help text (two dispatchable actions; the rest are frontend-only)
  • pam cnapp queue list: new Control Hash table column and controlHash field in --format json output.

unit-tests/pam/test_cnapp.py

  • Updated remediate helper tests for the new signature, including asserting the deprecated fields stay unset on the wire (rq.provider == 0, rq.cnappConfigurationRecordUid == b'')
  • New TestBuildEncryptedRemediations: AES-256-GCM round-trip via crypto.decrypt_aes_v2, empty-list encoding, missing-record error cases
  • 7 new command-level tests covering the validation matrix, encrypted-bytes passthrough, and the JIT-fallback note
  • _queue_item factory extended with controlHash; asserted in both table and JSON output

docs/pam-cnapp.md

  • Remediate flag table and action-type notes rewritten (client-side encryption, JIT fallback, auto-remediate precondition)
  • Queue list docs mention the Control Hash column / controlHash JSON field
  • New examples: remove_standing_privilege with --group/--role, and rotate_credentials --auto-remediate

Testing

  • python -m pytest unit-tests/pam/test_cnapp.py85 passed
  • python -m pytest unit-tests — 1533 passed, 59 skipped; the only 2 failures (test_command_enterprise_api_keys.py) fail identically on a clean tree and are unrelated
  • Import smoke test (recordksm cycle guard) and argparse smoke test of the new remediate flags pass
  • Descriptor check confirms the regenerated proto exposes encryptedRemediations, autoRemediateInFuture, and controlHash, with groupName gone

Notes for reviewers

  • The encryptedRemediations ciphertext convention (raw encrypt_aes_v2 output: nonce(12) ‖ ciphertext ‖ tag(16), no envelope/base64 — krouter base64-encodes when relaying) follows the credential_provision.py precedent and krouter's relay behavior, but the gateway-side decrypt handler wasn't available to verify end-to-end.
  • --provider/--config-record were removed from remediate outright rather than kept as deprecated no-ops, since the proto comments mandate clients stop sending them and the CLI surface is pre-GA.

@jpkeepersecurity
jpkeepersecurity changed the base branch from master to release July 14, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant