Kc 1364#2212
Draft
jpkeepersecurity wants to merge 1 commit into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Sync
pam cnappcommands with current krouter CNAPP endpointsSummary
Krouter's CNAPP REST surface (
CnappConfigurationRest.kt,CnappQueueRest.kt) moved ahead of Commander'spam cnappCLI. All 10 endpoints already had commands, but thequeue/remediatewire contract changed andCnappQueueItemgained a field. This PR regenerates the CNAPP protobuf and updates the remediate and list commands so Commander covers the full endpoint functionality again.Proto drift being fixed (
cnapp.proto)CnappRemediateRequest.groupName(string, field 9) was replaced byencryptedRemediations(bytes, field 9)CnappRemediateRequest.autoRemediateInFuture(bool, field 10) was addedCnappRemediateRequest.provider(field 6) andcnappConfigurationRecordUid(field 3) are now deprecated — krouter reads both from its own DB and clients must stop sending themCnappQueueItem.controlHash(string, field 9) was addedREMOVE_STANDING_PRIVILEGEin addition toROTATE_CREDENTIALS;manage_access/jit_accessare rejectedChanges
keepercommander/proto/cnapp_pb2.pykeeperapp-protobuf/cnapp.protowith protoc 3.19.6 (no imports in the proto, so no relative-import rewrite needed).keepercommander/commands/pam/cnapp_helper.pyremediate_cnapp_queue_item(): new signature — acceptsencrypted_remediations: bytesandauto_remediate: bool; dropsprovider,cnapp_config_record_uid, andgroup_name. The deprecated proto fields are never set on the wire.build_encrypted_remediations(params, network_uid, group_names, role_names): encrypts the JSON map{"groupNames": [...], "roleNames": [...]}with AES-256-GCM under the PAM configuration (network) record key (params.record_cache[uid]['record_key_unencrypted']+crypto.encrypt_aes_v2, same convention ascredential_provision.py). Krouter relays the ciphertext opaquely — group/role names never transit in the clear. Raises aValueErrorwith async-downhint when the record isn't cached.keepercommander/commands/pam/cnapp_commands.pypam cnapp queue remediate:--group-name,--provider/-p,--config-record(obsolete/deprecated on the wire)--group/--role— repeatable; targets forremove_standing_privilege, encrypted client-side--network-uid/-n— PAM configuration record UID whose key encrypts the targets; required when--group/--roleis given--auto-remediate— registers an auto-remediation rule for the item's control hash (rotate_credentialsonly; item must carry a control hash)CommandErrorbefore any network call:--auto-remediatewith any action other thanrotate_credentials→ error--group/--rolewith any action other thanremove_standing_privilege→ error--group/--rolewithout--network-uid→ errorremove_standing_privilegewith no targets → proceeds with a note that the gateway falls back to the record's JIT settings--actionhelp text (two dispatchable actions; the rest are frontend-only)pam cnapp queue list: newControl Hashtable column andcontrolHashfield in--format jsonoutput.unit-tests/pam/test_cnapp.pyrq.provider == 0,rq.cnappConfigurationRecordUid == b'')TestBuildEncryptedRemediations: AES-256-GCM round-trip viacrypto.decrypt_aes_v2, empty-list encoding, missing-record error cases_queue_itemfactory extended withcontrolHash; asserted in both table and JSON outputdocs/pam-cnapp.mdcontrolHashJSON fieldremove_standing_privilegewith--group/--role, androtate_credentials --auto-remediateTesting
python -m pytest unit-tests/pam/test_cnapp.py— 85 passedpython -m pytest unit-tests— 1533 passed, 59 skipped; the only 2 failures (test_command_enterprise_api_keys.py) fail identically on a clean tree and are unrelatedrecord↔ksmcycle guard) and argparse smoke test of the new remediate flags passencryptedRemediations,autoRemediateInFuture, andcontrolHash, withgroupNamegoneNotes for reviewers
encryptedRemediationsciphertext convention (rawencrypt_aes_v2output:nonce(12) ‖ ciphertext ‖ tag(16), no envelope/base64 — krouter base64-encodes when relaying) follows thecredential_provision.pyprecedent and krouter's relay behavior, but the gateway-side decrypt handler wasn't available to verify end-to-end.--provider/--config-recordwere removed fromremediateoutright rather than kept as deprecated no-ops, since the proto comments mandate clients stop sending them and the CLI surface is pre-GA.