Skip to content

Kc 1364#2212

Draft
jpkeepersecurity wants to merge 9 commits into
releasefrom
KC-1364
Draft

Kc 1364#2212
jpkeepersecurity wants to merge 9 commits into
releasefrom
KC-1364

Conversation

@jpkeepersecurity

Copy link
Copy Markdown
Contributor

Sync pam cnapp commands with current krouter CNAPP endpoints

Summary

Krouter's CNAPP REST surface (CnappConfigurationRest.kt, CnappQueueRest.kt) moved ahead of Commander's pam cnapp CLI. All 10 endpoints already had commands, but the queue/remediate wire contract changed and CnappQueueItem gained a field. This PR regenerates the CNAPP protobuf and updates the remediate and list commands so Commander covers the full endpoint functionality again.

Proto drift being fixed (cnapp.proto)

  • CnappRemediateRequest.groupName (string, field 9) was replaced by encryptedRemediations (bytes, field 9)
  • CnappRemediateRequest.autoRemediateInFuture (bool, field 10) was added
  • CnappRemediateRequest.provider (field 6) and cnappConfigurationRecordUid (field 3) are now deprecated — krouter reads both from its own DB and clients must stop sending them
  • CnappQueueItem.controlHash (string, field 9) was added
  • Krouter now dispatches REMOVE_STANDING_PRIVILEGE in addition to ROTATE_CREDENTIALS; manage_access/jit_access are rejected

Changes

keepercommander/proto/cnapp_pb2.py

  • Regenerated from keeperapp-protobuf/cnapp.proto with protoc 3.19.6 (no imports in the proto, so no relative-import rewrite needed).

keepercommander/commands/pam/cnapp_helper.py

  • remediate_cnapp_queue_item(): new signature — accepts encrypted_remediations: bytes and auto_remediate: bool; drops provider, cnapp_config_record_uid, and group_name. The deprecated proto fields are never set on the wire.
  • New build_encrypted_remediations(params, network_uid, group_names, role_names): encrypts the JSON map {"groupNames": [...], "roleNames": [...]} with AES-256-GCM under the PAM configuration (network) record key (params.record_cache[uid]['record_key_unencrypted'] + crypto.encrypt_aes_v2, same convention as credential_provision.py). Krouter relays the ciphertext opaquely — group/role names never transit in the clear. Raises a ValueError with a sync-down hint when the record isn't cached.

keepercommander/commands/pam/cnapp_commands.py

  • pam cnapp queue remediate:
    • Removed: --group-name, --provider/-p, --config-record (obsolete/deprecated on the wire)
    • Added:
      • --group / --role — repeatable; targets for remove_standing_privilege, encrypted client-side
      • --network-uid/-n — PAM configuration record UID whose key encrypts the targets; required when --group/--role is given
      • --auto-remediate — registers an auto-remediation rule for the item's control hash (rotate_credentials only; item must carry a control hash)
    • Pre-flight validation mirroring krouter's rules, raised as CommandError before any network call:
      • --auto-remediate with any action other than rotate_credentials → error
      • --group/--role with any action other than remove_standing_privilege → error
      • --group/--role without --network-uid → error
      • remove_standing_privilege with no targets → proceeds with a note that the gateway falls back to the record's JIT settings
    • Updated --action help text (two dispatchable actions; the rest are frontend-only)
  • pam cnapp queue list: new Control Hash table column and controlHash field in --format json output.

unit-tests/pam/test_cnapp.py

  • Updated remediate helper tests for the new signature, including asserting the deprecated fields stay unset on the wire (rq.provider == 0, rq.cnappConfigurationRecordUid == b'')
  • New TestBuildEncryptedRemediations: AES-256-GCM round-trip via crypto.decrypt_aes_v2, empty-list encoding, missing-record error cases
  • 7 new command-level tests covering the validation matrix, encrypted-bytes passthrough, and the JIT-fallback note
  • _queue_item factory extended with controlHash; asserted in both table and JSON output

docs/pam-cnapp.md

  • Remediate flag table and action-type notes rewritten (client-side encryption, JIT fallback, auto-remediate precondition)
  • Queue list docs mention the Control Hash column / controlHash JSON field
  • New examples: remove_standing_privilege with --group/--role, and rotate_credentials --auto-remediate

Testing

  • python -m pytest unit-tests/pam/test_cnapp.py85 passed
  • python -m pytest unit-tests — 1533 passed, 59 skipped; the only 2 failures (test_command_enterprise_api_keys.py) fail identically on a clean tree and are unrelated
  • Import smoke test (recordksm cycle guard) and argparse smoke test of the new remediate flags pass
  • Descriptor check confirms the regenerated proto exposes encryptedRemediations, autoRemediateInFuture, and controlHash, with groupName gone

Notes for reviewers

  • The encryptedRemediations ciphertext convention (raw encrypt_aes_v2 output: nonce(12) ‖ ciphertext ‖ tag(16), no envelope/base64 — krouter base64-encodes when relaying) follows the credential_provision.py precedent and krouter's relay behavior, but the gateway-side decrypt handler wasn't available to verify end-to-end.
  • --provider/--config-record were removed from remediate outright rather than kept as deprecated no-ops, since the proto comments mandate clients stop sending them and the CLI surface is pre-GA.

idimov-keeper and others added 9 commits July 8, 2026 09:25
Use DOMAIN\username for icacls /grant instead of bare os.getlogin(), which
fails when the machine name and username are the same string.
* KC-1290: CNAPP integration commands and PAM graph migration

Re-applied on top of origin/release after sync-branch. Includes CNAPP command helpers, PAM graph endpoint migration, and related unit test updates.

* Fix time-dependent enterprise API key list tests for UTC CI

Move SIEM Tool mock expiration to 2030 so status detection tests remain deterministic when CI runs in UTC after the token expiry date.

---------
Co-authored-by: Ivan Dimov <[email protected]>
* Fix docker startup multiple syncs

* Remove sync from 'service-status' and keep it in 'this-device'
…#2168)

* Fix share-folder record expiration removing owner records and breaking re-shares

When share-folder was used with -r and --expire-in, expiration was applied to
SharedFolderUpdateRecord, which caused the record to be removed from the
owner's vault when the timer expired. Route per-record expiration and -roe
through the record share API (revoke then re-grant) instead, keep folder user
updates for access only, sync before granting, and skip redundant user updates
when sharing additional records to the same recipient.

* Share-folder: expire folder and record access together; log expiry in output

* updated test file

* Fix share-folder remove vault deletion; clean up access grant/remove logs

* Fix share folder expire in and -r combination

* Separate folder and record flag usage to fix multiple remove related issue

* Fix -p and -o flags and 1mi expiry

* Restrict outside records to be shared via -r

* Update help

---------

Co-authored-by: amangalampalli-ks <[email protected]>
DR-1295 Add pamGitHubConfiguration record support
Test fixes unrelated to pamGitHubConfiguration changes.
@jpkeepersecurity
jpkeepersecurity changed the base branch from master to release July 14, 2026 15:42
@sk-keeper
sk-keeper force-pushed the release branch 2 times, most recently from 0da055d to a8dd3f3 Compare July 17, 2026 14:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants