Skip to content

KC-1315, KC-1329: Fix share-folder record expiration and ROE handling#2168

Open
sshrushanth-ks wants to merge 5 commits into
share-folder-roe-fixfrom
share-folder-roe-fix-int
Open

KC-1315, KC-1329: Fix share-folder record expiration and ROE handling#2168
sshrushanth-ks wants to merge 5 commits into
share-folder-roe-fixfrom
share-folder-roe-fix-int

Conversation

@sshrushanth-ks

Copy link
Copy Markdown
Contributor

Summary

Fixes share-folder when used with -r, --expire-in/--expire-at, and -roe. Expiration is no longer set on SharedFolderUpdateRecord (which removed records from the owner’s vault). Timers are applied to both folder user access and per-record shares via the record share API, with revoke/re-grant when needed. Success logs now show folder and record expiration times.

Changes

  • Stopped applying expiration/ROE on SharedFolderUpdateRecord; only update can_edit/can_share there
  • Added prepare_record_share_request() to set per-record expiration and ROE via records_share_update (addSharedRecord with sharedFolderUid)
  • Revoke then re-grant record shares when setting a positive expiration (server only applies timers on create)
  • Apply expiration to folder user/team shares as well when -r and --expire-in are used together
  • Run sync-down before record-share updates when expiration is set
  • Skip redundant sharedFolderUpdateUser when sharing another record to the same user with unchanged permissions and no new expiration
  • Log folder and record expiration timestamps on successful share-folder/share-record responses
  • Added/updated unit tests in test_command_register.py

@datadog-keeper-security

This comment has been minimized.

@sshrushanth-ks sshrushanth-ks marked this pull request as ready for review June 24, 2026 10:48
@sshrushanth-ks sshrushanth-ks self-assigned this Jun 24, 2026
Comment thread keepercommander/commands/register.py Outdated
ro.expiration = -1

def build_shared_record(email, record_uid, rec, existing=None):
# type: (str, str, dict, Optional[dict]) -> Optional[record_pb2.SharedRecord]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docstring

@sshrushanth-ks sshrushanth-ks changed the title KC-1315: Fix share-folder record expiration and ROE handling KC-1315, KC-1329: Fix share-folder record expiration and ROE handling Jun 28, 2026
sshrushanth-ks and others added 5 commits June 30, 2026 21:04
…g re-shares

When share-folder was used with -r and --expire-in, expiration was applied to
SharedFolderUpdateRecord, which caused the record to be removed from the
owner's vault when the timer expired. Route per-record expiration and -roe
through the record share API (revoke then re-grant) instead, keep folder user
updates for access only, sync before granting, and skip redundant user updates
when sharing additional records to the same recipient.
@amangalampalli-ks amangalampalli-ks force-pushed the share-folder-roe-fix-int branch from dab69fd to 7e06b51 Compare June 30, 2026 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants