Import command: incorrect shortcuts with update flag #2169
Closed
lthievenaz-keeper wants to merge 22 commits into
* Add support for port mapping
  If connection has empty port, it will default to the ports defined in this file (can be customized for custom default ports)
  Also added new parameter allow-file-uploads for RBI
* Support empty user/ports and other improvements
  If a KCM connection has no user, the export will log the record for future process.
  If a KCM connection has no port, it will default to the port mapping defined in KCM_mappings.json
  Fixed a duplication issue of SFTP parameters caused by a reference error.
  Set the autodocker docker-file location as default
  Reworked how logged records are displayed on output file.
* Add secret-ids argument for thycotic import
  Add secret-ids arg to import command, to use for debugging Thycotic secret IDs
* Pass secret-ids arg from import command to thycotic import
  Pass secret-ids arg from import command to thycotic import so it can be handled in the Thycotic import
* Add handling for secret-ids arg in Thycotic import
  If user sets secret-ids, the import will:
  - Check if any of those IDs have come up in the lookup and would have been imported.
  - Import only the secret-ids set
  This is useful for debugging, because the lookup API may not return all Thycotic secrets - e.g. if there is a security policy on them, but they may still be fetched.
  Usage:
  - String (comma separated IDs): `import --format thycotic server_name --secret-ids "123, 124,125"`
  - Python List (strings or integers): `secret_ids=[123, 124, 125]`
* Correct secret_ids check
  Fix conditional logic so import continues if no secret ids are specified

---------
Co-authored-by: lthievenaz-keeper <lthievenaz@keepersecurity.com>
…f-record-add/update (Keeper-Security#2132)
…, rename Supershell Drive folder labels, and standardize list record_category Fixed nsf-share-folder and nsf-share-record expiration updates, enforced a one-minute minimum on NSF and classic share commands, standardized list/search record_category to lowercase classic/nested, and renamed Supershell Drive folder labels to Nested Shared Folder (Shared) and (NonShared).
* Fix SQL injection in MSSQL password rotation and reject unsafe --password input
* allow / and . in login regex
…curity#2159) KeeperApp and krouter require configurationUid on set_record_rotation; include PAM config UID, matching revision for existing rotation rows, and an explicit empty resourceUid so IAM semantics are not overridden by stale cache data. Co-authored-by: Cursor <cursoragent@cursor.com>
* Add --online filter to pam gateway list with gateway totals.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* Add -o short option for pam gateway list --online.
  Co-authored-by: Cursor <cursoragent@cursor.com>

---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* Add secret-ids argument for thycotic import
  Add secret-ids arg to import command, to use for debugging Thycotic secret IDs
* Pass secret-ids arg from import command to thycotic import
  Pass secret-ids arg from import command to thycotic import so it can be handled in the Thycotic import
* Add handling for secret-ids arg in Thycotic import
  If user sets secret-ids, the import will:
  - Check if any of those IDs have come up in the lookup and would have been imported.
  - Import only the secret-ids set
  This is useful for debugging, because the lookup API may not return all Thycotic secrets - e.g. if there is a security policy on them, but they may still be fetched.
  Usage:
  - String (comma separated IDs): `import --format thycotic server_name --secret-ids "123, 124,125"`
  - Python List (strings or integers): `secret_ids=[123, 124, 125]`
…Keeper-Security#2160)
* Add pam connection ai command for KeeperAI settings on PAM resources.
  Implements show, set/unset, and remove with sparse DAG merges, configure_resource meta bootstrap, GSE_DELETION removal, and CLI warnings for duplicate or mirrored options.
  Co-authored-by: Cursor <cursoragent@cursor.com>
* Extend pam connection ai to pamRemoteBrowser records.
  Co-authored-by: Cursor <cursoragent@cursor.com>

---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Adds --enabled/-e and --session-terminate/-st for resource-level aiEnabled and aiSessionTerminate. Routes on/off/default default resets through legacy DAG write because krouter mergeJson does not remove keys omitted from Layer-B payloads. Co-authored-by: Cursor <cursoragent@cursor.com>
…er-Security#2164)
* Add vault-style passphrase generation with CLI overrides and validation
  Introduce KeeperPassphraseGenerator using the bundled EFF word list and wire it into generate --passphrase and :passphrase on record-add, record-update, and nsf-record commands. Honor enterprise passphrase-* policy fields with CLI/ overrides for word count, separator, capitals, and digit.
  Add Vault-aligned passphrase validation in PasswordComplexityEnforcer so passphrases that meet passphrase policy pass record commands without --force, even when random password rules (upper-min, digit-min) would reject them.
  Includes unit tests for generation, enforcement, and existing NSF coverage.
* Fix passphrase separator handling and document allowed separator characters
* Made capitals + digit on the first word as default
* addressed review comment
…lse parameters; reject unknown algorithms, trailing commas, and invalid separators instead of silently falling back. Block record-add/update on errors even with --force.
Consider this CSV:
`,Administrator,administrator,pass123,,,INFRA`
Which imports this content:
```
INFRA/
└ Administrator
├ login: administrator
└ password: pass123
```
I wish to run an import that updates this record + adds another administrator login in a different path:
```
DEV/
└ Administrator
├ login: administrator
└ password: pass789
```
`,Administrator,administrator,pass456,,,INFRA`
`,Administrator,administrator,pass789,,,DEV`
So I run:
`import --format csv --update my_csv.csv`
However this causes the following problems:
- Because the DEV admin has the same hash as the INFRA admin, we don't create a new record but instead a shortcut from INFRA to DEV
- This leads to the INFRA admin and DEV admin records having the same record (`pass789`)
This commit introduces a change to the import process so that:
- If the --update flag is used, the record will only be updated if it's in the same folder
- If it's in a different folder and doesn't match, a new record is created
- If it's in a different folder and is the same, a shortcut is still created.
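The three folder rules listed above, next to the reported behaviour, as a small model (an added example, not code from Keeper Commander or from this PR). It assumes the match hash covers title and login only and that the last CSV column is the folder; a record linked into two folders stands for a shortcut.

```python
import csv
import io

# Constructed input: the CSV rows quoted in the PR description.
INITIAL = ",Administrator,administrator,pass123,,,INFRA\n"
UPDATE = (",Administrator,administrator,pass456,,,INFRA\n"
          ",Administrator,administrator,pass789,,,DEV\n")

def rows(text):
    # Assumption: column 2 = title, 3 = login, 4 = password, 7 = folder.
    for r in csv.reader(io.StringIO(text)):
        yield {"title": r[1], "login": r[2], "password": r[3], "folder": r[6]}

def import_rows(vault, text, folder_aware):
    """Apply an --update style import to `vault` (a list of record dicts).

    A record linked into more than one folder models a shortcut.
    """
    for row in rows(text):
        key = (row["title"], row["login"])  # assumed hash: no password, no folder
        same = [rec for rec in vault if rec["key"] == key]
        here = [rec for rec in same if row["folder"] in rec["folders"]]
        if folder_aware:
            identical = [rec for rec in same if rec["password"] == row["password"]]
            if here:          # same folder: update in place
                here[0]["password"] = row["password"]
            elif identical:   # other folder, same content: shortcut
                identical[0]["folders"].add(row["folder"])
            else:             # other folder, different content: new record
                vault.append({"key": key, "password": row["password"],
                              "folders": {row["folder"]}})
        elif same:            # reported behaviour: link, then overwrite
            same[0]["folders"].add(row["folder"])
            same[0]["password"] = row["password"]
        else:
            vault.append({"key": key, "password": row["password"],
                          "folders": {row["folder"]}})
    return vault

def view(vault):
    """Map folder -> password, as seen when browsing the vault."""
    return {f: rec["password"] for rec in vault for f in sorted(rec["folders"])}

def run(folder_aware):
    vault = import_rows([], INITIAL, folder_aware)
    return view(import_rows(vault, UPDATE, folder_aware))

if __name__ == "__main__":
    print("reported:", run(False))
    print("proposed:", run(True))
```

In the reported mode the INFRA credential silently ends up holding the DEV password, which is the integrity problem the description points at; in the folder-aware mode the two environments keep separate records.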
…ct-shortcuts-with-update-flag
Closed - new code submitted in #2176