PM-947 privileged cloud management support#1918
Closed
erinlewis-keeper wants to merge 63 commits into release from
Bugfix: jit/ai encryption settings
Records created via Commander were missing field label metadata because the record-add command used an empty string as default when the schema field had no explicit label override. This caused blank field names when records were retrieved via KSM. Use the field $ref type as the default label when no explicit label is defined in the record type schema, matching the behavior of the web vault which consistently populates labels for all schema-defined fields.
Affected paths:
- RecordAddCommand.execute() in commands/record_edit.py
- prepare_record_add_or_update() in importer/imp_exp.py
Refs: KC-1163
…1849)
* Create kcm_export.py: Add folder and script to convert KCM resources to PAM Project Extend template
* Create KCM_mappings.json: Add mapping dictionary of KCM parameters, to use in conjunction with the kcm_export.py script
* Added comment about KCM_mappings
* Fixed syntax for f strings with older python version: Older versions of python don't support using the same quote characters on f strings - fixed
* Updated naming scheme for resource
…ements (#1854)
* Create kcm_export.py: Add folder and script to convert KCM resources to PAM Project Extend template
* Create KCM_mappings.json: Add mapping dictionary of KCM parameters, to use in conjunction with the kcm_export.py script
* Added comment about KCM_mappings
* Fixed syntax for f strings with older python version: Older versions of python don't support using the same quote characters on f strings - fixed
* Updated naming scheme for resource
* Add support for template file to PAM KCM import script + general improvements
  - A prompt now exists to collect a template JSON file.
  - Added deepcopies to ensure no reference problem
  - Improved nested dictionary function
  - Support for adding file path encapsulated in quotes
initial implementation of credential request, notifications not working
* KC-1116: Bugfix changes
* Kepm PR review changes
…key' (#1862)
# Conflicts:
# keepercommander/commands/enterprise_api_keys.py
# unit-tests/test_command_enterprise_api_keys.py
Change List:
- Added GatewayActionIdpInputs and 5 GatewayAction subclasses for IdP operations in pam_dto.py
- Added pam_idp.py with resolve_idp_config helper and full command hierarchy (pam idp user/group)
- Added PAMIdpCommand registration in discoveryrotation.py under PAMControllerCommand
- Added 27 unit tests for DTOs, config resolution, and command structure in test_pam_idp.py
…om/Keeper-Security/Commander into PM-947-privileged-cloud-management
Change List:
- Added GatewayActionIdpValidateDomain DTO for rm-validate-domain action
- Updated pam request-access to validate user domain against IdP before sending approval notification
- Uncommented notification API call in pam request-access
Change List:
- Added field encryption for user/meta fields sent to gateway using record key
- Added gateway response decryption for group list and provision commands
- Added --domain flag to provision with validation for username format
- Added --save-record flag to save provisioned user as pamUser record with Azure User ID
- Added --delete-record flag to deprovision to remove associated pamUser record
- Added friendly error message parsing for Azure API errors
- Updated all IdP commands to check data.success in gateway responses
Change List:
- Fix GCP user provisioning response parsing (handle dict name field)
- Add dynamic IdP User ID labels based on provider type (Azure, GCP, Okta, AWS, Domain)
- Fix pamUser record lookup to support prefix login matching (username without domain)
- Generalize IdP User ID custom field labels in deprovision flow
Change List:
- Rewrote pam request-access to use krouter workflow API instead of keeperapp notifications
- Added workflow_pb2.py protobuf definitions for workflow messages
- Added pam access-state command to list active access requests
- Added pam approval-requests command to list pending approvals
- Added pam approve-access command to approve or deny workflow requests
- Added pam revoke-access command to end active access sessions
- Added pam workflow-config command to read and configure workflow settings
- Registered all new commands in discoveryrotation.py
Change List:
- Add pam access-state command with optional record UID and time remaining display
- Add pam workflow-config command for reading and setting workflow configuration
- Fix accessLength to use milliseconds (proto field is in ms, CLI accepts seconds)
- Update workflow_pb2.py with full WorkflowStatus fields (startedOn, expiresOn, approvedBy)
Corrects logic in needs_security_audit: remove the erroneous "or None" that forced password mismatch to always be true, and determine alignment by comparing stored score and breach-watch revisions only when a current password exists. Adds retrieval of score_revision and sec_revision and updates needs_alignment accordingly. Includes new unit and integration tests (unit-tests/test_security_audit.py and tests/test_security_audit_refresh.py) to validate revision-based alignment, password removal, and other audit-refresh scenarios.
* Added "Connect As" options allowing for additional records to provide credentials and host:port
* Added keeper webrtc version to SDP attribute a=keeper-webrtc:X.Y.Z
The execute_rest() function previously retried throttled (403) responses every 10 seconds with no maximum retry count. This caused Commander to hang indefinitely when throttled, and the 10-second retry interval prevented the server's cooldown timer from expiring.
Changes:
- Add max retry count (3 attempts) before raising KeeperApiError
- Parse the server's "try again in X minutes/seconds" message
- Use exponential backoff (30s, 60s, 120s) capped at server's suggestion
- Cap server wait time at 300s to prevent excessive delays
- Log throttle attempts as warnings instead of debug
- After max retries, raise KeeperApiError so callers can handle it
The --fail-on-throttle flag continues to work as before (immediate error).
Unit tests (9 cases):
- Normal request unaffected by throttle logic
- Throttle twice then succeed (backoff 30s, 60s)
- KeeperApiError raised after 3 retries
- --fail-on-throttle skips retries entirely
- Parses "try again in X seconds" correctly
- Parses "try again in X minutes" correctly
- Caps server wait at 300s
- Exponential backoff progression (30s, 60s, 120s)
- Missing message defaults to 60s
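The bounded-retry policy this commit message describes, written out as an added example that is not Commander's own code: a hypothetical stand-in in which the constants, the regex, the `send()` contract and the exception name are assumptions, "capped at server's suggestion" is read as taking the smaller of the backoff step and the (already capped) server hint, and "3 attempts" is read as three retries after the first throttled response.

```python
import logging
import re
import time

# Assumed policy constants, mirroring the numbers in the commit message.
MAX_THROTTLE_RETRIES = 3          # retries before giving up
BACKOFF_SECONDS = (30, 60, 120)   # exponential backoff per retry
SERVER_WAIT_CAP = 300             # never honour a server hint longer than this
DEFAULT_SERVER_WAIT = 60          # used when the server gives no usable hint

# Hypothetical matcher for the server's "try again in X minutes/seconds" text.
_RETRY_HINT = re.compile(r"try again in\s+(\d+)\s*(minute|second)s?", re.IGNORECASE)


class ThrottledError(Exception):
    """Stand-in for the API error raised once retries are exhausted."""


def parse_server_wait(message):
    """Seconds the server asks us to wait, capped at SERVER_WAIT_CAP; default when absent."""
    match = _RETRY_HINT.search(message or "")
    if not match:
        return DEFAULT_SERVER_WAIT
    seconds = int(match.group(1))
    if match.group(2).lower() == "minute":
        seconds *= 60
    return min(seconds, SERVER_WAIT_CAP)


def throttle_wait(retry_index, message):
    """Backoff for the given 0-based retry, never longer than the server's suggestion."""
    return min(BACKOFF_SECONDS[retry_index], parse_server_wait(message))


def execute_with_throttle_retry(send, fail_on_throttle=False, sleep=time.sleep):
    """Call send() -> (status, message); retry HTTP 403 throttles with bounded backoff.

    `sleep` is injectable so a test can record the waits instead of sleeping.
    """
    for retry_index in range(MAX_THROTTLE_RETRIES + 1):
        status, message = send()
        if status != 403:
            return status, message
        if fail_on_throttle or retry_index == MAX_THROTTLE_RETRIES:
            raise ThrottledError(message or "throttled")
        wait = throttle_wait(retry_index, message)
        logging.warning("Throttled (retry %d/%d), waiting %ds",
                        retry_index + 1, MAX_THROTTLE_RETRIES, wait)
        sleep(wait)
```

With a 60-second server hint the waits come out as 30, 60, 60 before the fourth throttled response raises, which is the sequence a detection rule for "client stuck in cooldown" would expect to see in the warning log.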
- Make record argument optional; session-only probes run without it
- Add Python-side network probes: DNS, HTTPS, WebSocket, TCP/UDP STUN,
TURN Allocate, UDP port sweep across ephemeral range
- Add PAM Configuration section (record required): DAG load, config
linkage, gateway registered/online, connections/portForwards
- Add --verbose flag for DAG allowedSettings table and record typed fields
* Added key-event input to pam launch (for session recording)
* Fixed broken tests (after disabling legacy records)
Change List:
- Add AD user creation via Gateway (rm-create-user, rm-add-user-to-group actions)
- Add Gateway action DTOs (GatewayActionRmCreateUser, RmAddUserToGroup, RmDeleteUser)
- Add username template engine ({first_initial}{last_name}.adm pattern)
- Add direct vault sharing delivery method (independent from email)
- Add -c/--pam-config CLI argument for PAM Configuration UID
- Add resource_uid support for pamDirectory AD operations
- Add ad_groups support for AD group membership assignment
- Add transfer_ownership option with rotation incompatibility validation
- Add encrypted field communication with Gateway (AES-GCM)
- Flatten rotation config from pam.rotation to top-level rotation section
- Make delivery and email sections independent (use either, both, or neither)
- Make email section optional (only required when present)
- Add unit tests and mocked integration tests (40 tests)
- Add E2E test infrastructure (Samba AD Docker, test configs)
Adds a full suite of Privileged Cloud Management commands to Keeper Commander, covering two major areas: