feat(pam): add KCM database import command with auto-detect and group filtering #1926
Closed
jlima8900 wants to merge 12 commits into Keeper-Security:master from
Conversation
* Added full terminal reset after ssh session exit (clears scrollback etc.)
* Fixes randomly eaten first characters typed after ssh session exit (stdin race condition)
* Fixed random duplicate typed characters (echo)
Keeper-Security#1908)
- Added `move` to the list of `apply-action` choices, which will move all returned users to a node specified with `target-node`
- Added `all` to the list of `status` choices, returning invited, active and locked users with `d=0`
- Fixed an issue where the users updated with `apply-action` are not the same as those filtered with the `node` argument.
- Fixed a potential unwanted behavior where the `node` argument returns a recursive node and subnodes search, preventing you from applying actions to a specific node if it has subnodes. By default, using the `node` argument will only return result from the specified node.
- Added a `recursive` argument to replicate the old behavior with `node` filter.
Import KCM (Guacamole) connections and users into PAM projects with full connection-group hierarchy preserved as vault subfolders.
Key capabilities:
- Extract connections, users, and groups from PostgreSQL/MySQL via SQL
- Auto-detect Docker container credentials (POSTGRES_*/MYSQL_* env vars)
- Map all 19 KCM/Guacamole parameters to Keeper PAM fields (SSH, RDP, VNC, Kubernetes, RBI with autofill)
- 2-phase import: skeleton via edit.py, records via extend.py
- Phase 2a/2b batching: external users first, then resources with nested users, with auto-scaled batch sizes based on volume
- Convert SFTP to connection settings (never separate records)
- Handle RBI autofill: parse double-escaped JSON from KCM database, convert legacy username-field/password-field to JSON array format
- Pre-import confirmation with record counts
- Credential redaction in --dry-run and --output modes
- Progress logging with ETA and throttle detection
- --estimate flag for pre-import migration scan
- --include-disabled to import disabled connections
- Incomplete record flagging (missing host/credentials → special folder)
- Gateway resolution and pool-size configuration
Test coverage: 126 unit tests covering parameter mapping, folder paths, TOTP conversion, autofill formats, batch scaling, Docker detection, gateway resolution, error paths, and E2E delegation flow.
Add AdaptiveThrottler with probe-based batch sizing and per-type delays to avoid API rate limiting during bulk imports. Add kcm-cleanup command to remove imported projects. Refactor import to 2-phase skeleton+extend flow for proper folder hierarchy preservation. Remove debug instrumentation.
- Prevent docker argument injection (add '--' separator)
- Remove raw exception messages from user-facing errors
- Fix SSRF vector in _is_local_host (no DNS resolution)
- Fix _redact_for_display skipping dict/list sensitive values
- Guard _set_nested against non-dict intermediate values
- Warn when encrypted private keys imported without passphrase
- Validate all required Guacamole schema tables
- Remove socket import (no longer needed)
- Fix duplicate gateway_helper call in cleanup command
- Sanitize debug log output (no raw parameter values)
- Add cleanup command unit tests (4 tests)
- Add max_connections to test helper
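The commit message above names four defensive fixes: a `--` separator before docker arguments, a local-host check that does not resolve DNS, redaction that also covers dict and list values under a sensitive key, and a nested-set helper that refuses to walk through a non-dict. The Python below is an added illustration of what each of those guards looks like; it is not the PR's code, and the names `redact_for_display`, `is_local_host`, `docker_exec_argv`, `set_nested` and the `SENSITIVE_KEYS` list are hypothetical stand-ins for the helpers the message mentions.

```python
import ipaddress
from typing import Any, Dict, List

# Parameter names whose values must never reach a log line, --dry-run output or
# a report. Assumption: a fixed list of names, matched case-insensitively.
SENSITIVE_KEYS = {"password", "passphrase", "private-key", "private_key", "secret", "token"}
REDACTED = "***REDACTED***"


def redact_for_display(value: Any, key: str = "") -> Any:
    """Return a copy of `value` that is safe to print.

    A sensitive key is redacted whatever the shape of its value (string, dict
    or list), and non-sensitive containers are walked so a password nested in
    a list of users or a dict of parameters is still caught.
    """
    if key.lower() in SENSITIVE_KEYS:
        return value if value in (None, "") else REDACTED
    if isinstance(value, dict):
        return {k: redact_for_display(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_for_display(v, key) for v in value]
    return value


def is_local_host(host: str) -> bool:
    """Decide whether `host` names this machine without any DNS lookup.

    Only literal loopback names and loopback IP literals qualify. Resolving a
    hostname that came from a database row or a command-line argument would
    send a query to the resolver and trust whatever address came back.
    """
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):  # bracketed IPv6 literal
        h = h[1:-1]
    if h in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def docker_exec_argv(container: str, command: List[str]) -> List[str]:
    """Build a `docker exec` argv for subprocess (no shell involved).

    The `--` ends option parsing, so a container name that was auto-detected
    rather than typed cannot be read as a docker flag. Names starting with
    '-' are rejected outright instead of being passed through.
    """
    if not container or container.startswith("-"):
        raise ValueError("invalid container name")
    return ["docker", "exec", "--", container, *command]


def set_nested(target: Dict[str, Any], path: str, value: Any) -> Dict[str, Any]:
    """Set target[a][b][c] = value for path 'a.b.c', creating dicts on the way.

    If an intermediate key already holds a non-dict (say, a string written by
    an earlier mapping), raise a clear error instead of the TypeError that
    indexing a string would produce deep inside the import loop.
    """
    keys = path.split(".")
    node = target
    for k in keys[:-1]:
        nxt = node.get(k)
        if nxt is None:
            nxt = node[k] = {}
        elif not isinstance(nxt, dict):
            raise ValueError(f"cannot set {path!r}: {k!r} is not a mapping")
        node = nxt
    node[keys[-1]] = value
    return target


if __name__ == "__main__":
    # Constructed sample: a connection record as it might look after mapping.
    record = {"host": "db.example.internal",
              "users": [{"username": "guac", "password": "s3cret",
                         "private-key": {"pem": "-----BEGIN..."}}]}
    print(redact_for_display(record))
    print(is_local_host("127.0.0.1"), is_local_host("db.example.internal"))
    print(docker_exec_argv("kcm-postgres", ["env"]))
```

The redaction helper checks the key before inspecting the value's type, which is the ordering that keeps a dict or list stored under `password` from being walked and leaked field by field.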
…g, docker auto-detect
Major improvements to pam project kcm-import:
- Capture gateway access_token during project creation for report
- Per-record pass/fail tracking with nested user support
- Enhanced report: breakdown table, failed records, throttle stats
- Report saved as vault record with copyable fields (Deploy Gateway command, token, config UID, gateway UID, folder names) + MD file attachment
- --groups, --exclude-groups, --list-groups for selective import
- Interactive group picker when no --groups flag
- Docker auto-detect: container IP resolution, tiered container selection (kcm+db > guacamole+db > guacamole > interactive prompt)
- Suppress noisy warnings (pamRemoteBrowser host, extend extra data)
- Missing password count in pre-import validation
- 172 tests passing
…etails
Document --groups, --exclude-groups, --list-groups, interactive behaviors, docker auto-detect improvements, report record custom fields, and expanded usage examples.
Summary
Adds `pam project kcm-import` — a new command that imports connections directly from a KCM/Guacamole database into Keeper PAM, and `pam project kcm-cleanup` to reverse imports.
Key features
- `--docker-detect`
- `--groups`, `--exclude-groups`, `--list-groups` with wildcard support for selective import
- `--yes`
- `pam project kcm-cleanup` deletes all imported records, folders, gateway, and KSM app
Files changed
- `keepercommander/commands/pam_import/kcm_import.py` — new (3665 lines)
- `keepercommander/commands/pam_import/kcm_mappings.json` — new (KCM-to-PAM parameter mappings)
- `keepercommander/commands/pam_import/commands.py` — register new commands
- `keepercommander/commands/pam_import/base.py` — minor addition for pamUser validation
- `keepercommander/commands/pam_import/edit.py` — minor addition for pamUser validation
- `keepercommander/commands/pam_import/README.md` — updated with new flags and examples
- `unit-tests/pam/test_kcm_import.py` — new (170 tests, 3691 lines)
Test plan
- `--docker-detect` against live KCM PostgreSQL container
- `--groups`/`--exclude-groups` filtering (216→65 resources)
- `--yes` batch mode (no interactive prompts)
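The description above lists `--groups`/`--exclude-groups` filtering with wildcard support and `--list-groups`, and the import preserves the KCM connection-group hierarchy as vault subfolders. As an added illustration (not the PR's code), the Python below walks constructed rows shaped like Guacamole's connection-group and connection tables, builds the folder path for every group, lists the groups with their connection counts, and applies include/exclude patterns to pick connections. The exact semantics of the real flags (whether patterns match the full path or only the group name, and how case is treated) are assumptions made here; the sample rows are constructed, not taken from a real database.

```python
import fnmatch
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample rows in the shape of guacamole_connection_group
# (id, parent_id, name) and guacamole_connection (id, parent_id, name, protocol).
# Assumption: in the real flow these come from the SQL extraction step.
GROUPS: List[Tuple[int, Optional[int], str]] = [
    (1, None, "Production"),
    (2, 1, "Web"),
    (3, 1, "DB"),
    (4, None, "Lab"),
]
CONNECTIONS: List[Tuple[int, Optional[int], str, str]] = [
    (10, 2, "web-01", "ssh"),
    (11, 2, "web-02", "ssh"),
    (12, 3, "pg-primary", "ssh"),
    (13, 4, "lab-rdp", "rdp"),
    (14, None, "jumphost", "ssh"),  # lives at ROOT, no group
]


def build_group_paths(groups: Sequence[Tuple[int, Optional[int], str]]) -> Dict[int, str]:
    """Map connection_group_id -> 'Parent/Child' path by following parent_id.

    The path becomes the vault subfolder for records in that group. A cycle or
    a dangling parent (possible in a hand-edited database) stops the walk
    instead of looping forever.
    """
    by_id = {gid: (parent, name) for gid, parent, name in groups}
    paths: Dict[int, str] = {}
    for gid in by_id:
        parts, cur, seen = [], gid, set()
        while cur is not None and cur in by_id and cur not in seen:
            seen.add(cur)
            parent, name = by_id[cur]
            parts.append(name)
            cur = parent
        paths[gid] = "/".join(reversed(parts))
    return paths


def _folder_for(parent: Optional[int], group_paths: Dict[int, str], root_name: str) -> str:
    # A connection with no parent, or whose parent group is missing, lands at root.
    return group_paths.get(parent, root_name) if parent is not None else root_name


def list_groups(connections, group_paths: Dict[int, str], root_name: str = "ROOT") -> Dict[str, int]:
    """What a --list-groups style option could print: folder path -> connection count."""
    counts: Dict[str, int] = {}
    for _cid, parent, _name, _proto in connections:
        path = _folder_for(parent, group_paths, root_name)
        counts[path] = counts.get(path, 0) + 1
    return dict(sorted(counts.items()))


def select_connections(connections, group_paths: Dict[int, str],
                       include: Optional[List[str]] = None,
                       exclude: Optional[List[str]] = None,
                       root_name: str = "ROOT") -> List[Tuple[str, str, str]]:
    """Return (folder_path, connection_name, protocol) for connections to import.

    A connection is kept when its folder path matches any include pattern (all
    paths when none are given) and matches no exclude pattern. Patterns are
    shell-style wildcards compared case-insensitively against the full path.
    """
    def matches(path: str, patterns: List[str]) -> bool:
        return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)

    selected = []
    for _cid, parent, name, protocol in connections:
        path = _folder_for(parent, group_paths, root_name)
        if include and not matches(path, include):
            continue
        if exclude and matches(path, exclude):
            continue
        selected.append((path, name, protocol))
    return selected


if __name__ == "__main__":
    paths = build_group_paths(GROUPS)
    for folder, count in list_groups(CONNECTIONS, paths).items():
        print(f"{folder}: {count}")
    for row in select_connections(CONNECTIONS, paths, include=["Production/*"], exclude=["*/DB"]):
        print(row)
```

Matching against the full path rather than the bare group name is what lets a pattern such as `Production/*` select a whole subtree while `*/DB` excludes one branch of it; a tool that matched names only would treat two groups called `DB` under different parents as the same thing.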