Import command: incorrect shortcuts with update flag #2169

Closed
lthievenaz-keeper wants to merge 22 commits into Keeper-Security:release from lthievenaz-keeper:fix-import-command/incorrect-shortcuts-with-update-flag

@lthievenaz-keeper

Contributor

Consider this CSV:
`,Administrator,administrator,pass123,,,INFRA`
Which imports this content:

```
INFRA/
  └ Administrator
        ├ login: administrator
        └ password: pass123
```

I wish to run an import that updates this record + adds another administrator login in a different path:

```
DEV/
  └ Administrator
        ├ login: administrator
        └ password: pass789
```

`,Administrator,administrator,pass456,,,INFRA`
`,Administrator,administrator,pass789,,,DEV`
So I run:
`import --format csv --update my_csv.csv`
However this causes the following problems:

  • Because the DEV admin has the same hash as the INFRA admin, we don't create a new record but instead a shortcut from INFRA to DEV
  • This leads to the INFRA admin and DEV admin records having the same record (pass789)

This commit introduces a change to the import process so that:

  • If the --update flag is used, the record will only be updated if it's in the same folder
  • If it's in a different folder and doesn't match, a new record is created
  • If it's in a different folder and is the same, a shortcut is still created.
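
The folder-aware decision described above, as an added example that is not Keeper Commander's code and not part of this pull request. It assumes the match key is a hash of title and login only, and that "is the same" means the password also matches; `run_update_import`, `sample_vault` and the record IDs are hypothetical names.

```python
import hashlib

def identity(title, login):
    # Assumed match key: title + login only; password and folder are excluded.
    return hashlib.sha256(f"{title}\0{login}".encode()).hexdigest()

def sample_vault():
    # Constructed starting state: the single INFRA record from the description.
    return {"rec1": {"title": "Administrator", "login": "administrator",
                     "password": "pass123", "folders": {"INFRA"}}}

def run_update_import(vault, rows, folder_aware):
    """Apply rows of (title, login, password, folder); return (action, folder, uid) list."""
    actions = []
    for title, login, password, folder in rows:
        key = identity(title, login)
        matches = [uid for uid, r in vault.items()
                   if identity(r["title"], r["login"]) == key]
        here = [uid for uid in matches if folder in vault[uid]["folders"]]
        if here:                       # same folder: --update overwrites in place
            vault[here[0]]["password"] = password
            actions.append(("update", folder, here[0]))
        elif matches and not folder_aware:
            # Behaviour reported in the PR: link the folder to the matched
            # record and update it, so both folders now show the new password.
            vault[matches[0]]["password"] = password
            vault[matches[0]]["folders"].add(folder)
            actions.append(("shortcut", folder, matches[0]))
        elif matches and vault[matches[0]]["password"] == password:
            vault[matches[0]]["folders"].add(folder)   # identical: shortcut is safe
            actions.append(("shortcut", folder, matches[0]))
        else:                          # different folder, different content
            uid = f"rec{len(vault) + 1}"
            vault[uid] = {"title": title, "login": login,
                          "password": password, "folders": {folder}}
            actions.append(("create", folder, uid))
    return actions

def passwords_by_folder(vault):
    return {f: r["password"] for r in vault.values() for f in r["folders"]}

ROWS = [("Administrator", "administrator", "pass456", "INFRA"),
        ("Administrator", "administrator", "pass789", "DEV")]

if __name__ == "__main__":
    for aware in (False, True):
        v = sample_vault()
        print(aware, run_update_import(v, ROWS, aware), passwords_by_folder(v))
```

Comparing `passwords_by_folder` before and after an import in a test vault is a quick way to spot a credential that changed in a folder the CSV row did not target.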

lthievenaz-keeper and others added 21 commits June 12, 2026 20:36
* Add support for port mapping

If connection has empty port, it will default to the ports defined in this file (can be customized for custom default ports)
Also added new parameter allow-file-uploads for RBI

* Support empty user/ports and other improvements

If a KCM connection has no user, the export will log the record for future process.
If a KCM connection has no port, it will default to the port mapping defined in KCM_mappings.json
Fixed a duplication issue of SFTP parameters caused by a reference error.
Set the autodocker docker-file location as default
Reworked how logged records are displayed on output file.
* Add secret-ids argument for thycotic import

Add secret-ids arg to import command, to use for debugging Thycotic secret IDs

* Pass secret-ids arg from import command to thycotic import

Pass secret-ids arg from import command to thycotic import so it can be handled in the Thycotic import

* Add handling for secret-ids arg in Thycotic import

If user sets secret-ids, the import will:
- Check if any of those IDs have come up in the lookup and would have been imported.
- Import only the secret-ids set

This is useful for debugging, because the lookup API may not return all Thycotic secrets - e.g. if there is a security policy on them, but they may still be fetched.

Usage:
String (comma separated IDs)
`import --format thycotic server_name --secret-ids "123, 124,125"`
Python List (strings or integers)
`secret_ids=[123, 124, 125]`

* Correct secret_ids check

Fix conditional logic so import continues if no secret ids are specified

---------

Co-authored-by: lthievenaz-keeper <lthievenaz@keepersecurity.com>
…, rename Supershell Drive folder labels, and standardize list record_category

Fixed nsf-share-folder and nsf-share-record expiration updates, enforced a
one-minute minimum on NSF and classic share commands, standardized list/search
record_category to lowercase classic/nested, and renamed Supershell Drive
folder labels to Nested Shared Folder (Shared) and (NonShared).
* Fix SQL injection in MSSQL password rotation and reject unsafe --password input

* allow / and . in login regex
…curity#2159)

KeeperApp and krouter require configurationUid on set_record_rotation; include PAM config UID, matching revision for existing rotation rows, and an explicit empty resourceUid so IAM semantics are not overridden by stale cache data.

Co-authored-by: Cursor <cursoragent@cursor.com>
* Add --online filter to pam gateway list with gateway totals.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Add -o short option for pam gateway list --online.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
* Add secret-ids argument for thycotic import

Add secret-ids arg to import command, to use for debugging Thycotic secret IDs

* Pass secret-ids arg from import command to thycotic import

Pass secret-ids arg from import command to thycotic import so it can be handled in the Thycotic import

* Add handling for secret-ids arg in Thycotic import

If user sets secret-ids, the import will:
- Check if any of those IDs have come up in the lookup and would have been imported.
- Import only the secret-ids set

This is useful for debugging, because the lookup API may not return all Thycotic secrets - e.g. if there is a security policy on them, but they may still be fetched.

Usage:
String (comma separated IDs)
`import --format thycotic server_name --secret-ids "123, 124,125"`
Python List (strings or integers)
`secret_ids=[123, 124, 125]`
…Keeper-Security#2160)

* Add pam connection ai command for KeeperAI settings on PAM resources.

Implements show, set/unset, and remove with sparse DAG merges, configure_resource meta bootstrap, GSE_DELETION removal, and CLI warnings for duplicate or mirrored options.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Extend pam connection ai to pamRemoteBrowser records.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Adds --enabled/-e and --session-terminate/-st for resource-level aiEnabled and aiSessionTerminate. Routes on/off/default default resets through legacy DAG write because krouter mergeJson does not remove keys omitted from Layer-B payloads.

Co-authored-by: Cursor <cursoragent@cursor.com>
…er-Security#2164)

* Add vault-style passphrase generation with CLI overrides and validation

Introduce KeeperPassphraseGenerator using the bundled EFF word list and
wire it into generate --passphrase and :passphrase on record-add,
record-update, and nsf-record commands. Honor enterprise passphrase-* policy
fields with CLI/ overrides for word count, separator, capitals, and digit.

Add Vault-aligned passphrase validation in PasswordComplexityEnforcer so
passphrases that meet passphrase policy pass record commands without --force,
even when random password rules (upper-min, digit-min) would reject them.
Includes unit tests for generation, enforcement, and existing NSF coverage.

* Fix passphrase separator handling and document allowed separator characters

* Made capitals + digit on the first word as default

* addressed review comment
…lse parameters;

reject unknown  algorithms, trailing commas, and invalid separators instead of
silently falling back. Block record-add/update on  errors even with --force.
Consider this CSV:
`,Administrator,administrator,pass123,,,INFRA`
Which imports this content:  
```
INFRA/
  └ Administrator
        ├ login: administrator
        └ password: pass123
```
I wish to run an import that updates this record + adds another administrator login in a different path:  
```
DEV/
  └ Administrator
        ├ login: administrator
        └ password: pass789
```
`,Administrator,administrator,pass456,,,INFRA`
`,Administrator,administrator,pass789,,,DEV`
So I run:
`import --format csv --update my_csv.csv`
However this causes the following problems:
- Because the DEV admin has the same hash as the INFRA admin, we don't create a new record but instead a shortcut from INFRA to DEV
- This leads to the INFRA admin and DEV admin records having the same record (`pass789`)

This commit introduces a change to the import process so that:
- If the --update flag is used, the record will only be updated if it's in the same folder
- If it's in a different folder and doesn't match, a new record is created
- If it's in a different folder and is the same, a shortcut is still created.
@lthievenaz-keeper

Contributor Author

Closed - new code submitted in #2176

6 participants