Kc 1364#2212
Draft
jpkeepersecurity wants to merge 9 commits into
Draft
Conversation
Use DOMAIN\username for icacls /grant instead of bare os.getlogin(), which fails when the machine name and username are the same string.
* KC-1290: CNAPP integration commands and PAM graph migration Re-applied on top of origin/release after sync-branch. Includes CNAPP command helpers, PAM graph endpoint migration, and related unit test updates. * Fix time-dependent enterprise API key list tests for UTC CI Move SIEM Tool mock expiration to 2030 so status detection tests remain deterministic when CI runs in UTC after the token expiry date. --------- Co-authored-by: Ivan Dimov <[email protected]>
* Fix docker startup multiple syncs * Remove sync from 'service-status' and keep it in 'this-device'
…#2168) * Fix share-folder record expiration removing owner records and breaking re-shares When share-folder was used with -r and --expire-in, expiration was applied to SharedFolderUpdateRecord, which caused the record to be removed from the owner's vault when the timer expired. Route per-record expiration and -roe through the record share API (revoke then re-grant) instead, keep folder user updates for access only, sync before granting, and skip redundant user updates when sharing additional records to the same recipient. * Share-folder: expire folder and record access together; log expiry in output * updated test file * Fix share-folder remove vault deletion; clean up access grant/remove logs * Fix share folder expire in and -r combination * Separate folder and record flag usage to fix multiple remove related issue * Fix -p and -o flags and 1mi expiry * Restrict outside records to be shared via -r * Update help --------- Co-authored-by: amangalampalli-ks <[email protected]>
DR-1295 Add pamGitHubConfiguration record support Test fixes unrelated to pamGitHubConfiguration changes.
sk-keeper
force-pushed
the
release
branch
2 times, most recently
from
July 17, 2026 14:18
0da055d to
a8dd3f3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Sync
pam cnappcommands with current krouter CNAPP endpointsSummary
Krouter's CNAPP REST surface (
CnappConfigurationRest.kt,CnappQueueRest.kt) moved ahead of Commander'spam cnappCLI. All 10 endpoints already had commands, but thequeue/remediatewire contract changed andCnappQueueItemgained a field. This PR regenerates the CNAPP protobuf and updates the remediate and list commands so Commander covers the full endpoint functionality again.Proto drift being fixed (
cnapp.proto)CnappRemediateRequest.groupName(string, field 9) was replaced byencryptedRemediations(bytes, field 9)CnappRemediateRequest.autoRemediateInFuture(bool, field 10) was addedCnappRemediateRequest.provider(field 6) andcnappConfigurationRecordUid(field 3) are now deprecated — krouter reads both from its own DB and clients must stop sending themCnappQueueItem.controlHash(string, field 9) was addedREMOVE_STANDING_PRIVILEGEin addition toROTATE_CREDENTIALS;manage_access/jit_accessare rejectedChanges
keepercommander/proto/cnapp_pb2.pykeeperapp-protobuf/cnapp.protowith protoc 3.19.6 (no imports in the proto, so no relative-import rewrite needed).keepercommander/commands/pam/cnapp_helper.pyremediate_cnapp_queue_item(): new signature — acceptsencrypted_remediations: bytesandauto_remediate: bool; dropsprovider,cnapp_config_record_uid, andgroup_name. The deprecated proto fields are never set on the wire.build_encrypted_remediations(params, network_uid, group_names, role_names): encrypts the JSON map{"groupNames": [...], "roleNames": [...]}with AES-256-GCM under the PAM configuration (network) record key (params.record_cache[uid]['record_key_unencrypted']+crypto.encrypt_aes_v2, same convention ascredential_provision.py). Krouter relays the ciphertext opaquely — group/role names never transit in the clear. Raises aValueErrorwith async-downhint when the record isn't cached.keepercommander/commands/pam/cnapp_commands.pypam cnapp queue remediate:--group-name,--provider/-p,--config-record(obsolete/deprecated on the wire)--group/--role— repeatable; targets forremove_standing_privilege, encrypted client-side--network-uid/-n— PAM configuration record UID whose key encrypts the targets; required when--group/--roleis given--auto-remediate— registers an auto-remediation rule for the item's control hash (rotate_credentialsonly; item must carry a control hash)CommandErrorbefore any network call:--auto-remediatewith any action other thanrotate_credentials→ error--group/--rolewith any action other thanremove_standing_privilege→ error--group/--rolewithout--network-uid→ errorremove_standing_privilegewith no targets → proceeds with a note that the gateway falls back to the record's JIT settings--actionhelp text (two dispatchable actions; the rest are frontend-only)pam cnapp queue list: newControl Hashtable column andcontrolHashfield in--format jsonoutput.unit-tests/pam/test_cnapp.pyrq.provider == 0,rq.cnappConfigurationRecordUid == b'')TestBuildEncryptedRemediations: AES-256-GCM round-trip viacrypto.decrypt_aes_v2, empty-list encoding, missing-record error cases_queue_itemfactory extended withcontrolHash; asserted in both table and JSON outputdocs/pam-cnapp.mdcontrolHashJSON fieldremove_standing_privilegewith--group/--role, androtate_credentials --auto-remediateTesting
python -m pytest unit-tests/pam/test_cnapp.py— 85 passedpython -m pytest unit-tests— 1533 passed, 59 skipped; the only 2 failures (test_command_enterprise_api_keys.py) fail identically on a clean tree and are unrelatedrecord↔ksmcycle guard) and argparse smoke test of the new remediate flags passencryptedRemediations,autoRemediateInFuture, andcontrolHash, withgroupNamegoneNotes for reviewers
encryptedRemediationsciphertext convention (rawencrypt_aes_v2output:nonce(12) ‖ ciphertext ‖ tag(16), no envelope/base64 — krouter base64-encodes when relaying) follows thecredential_provision.pyprecedent and krouter's relay behavior, but the gateway-side decrypt handler wasn't available to verify end-to-end.--provider/--config-recordwere removed fromremediateoutright rather than kept as deprecated no-ops, since the proto comments mandate clients stop sending them and the CLI surface is pre-GA.