Add CNAPP integration commands and helpers #2102
Open
jpkeepersecurity wants to merge 5 commits into
Conversation
Hope to review this week, since not a priority today.
b1183b7 to b384cf6
- Introduced `PAMCnappCommand` to manage Cloud-Native Application Protection Platform (CNAPP) integration.
- Added `cnapp_commands.py` for CNAPP user-facing commands, including configuration and queue management.
- Implemented `cnapp_helper.py` for CNAPP REST endpoint interactions.
- Created protocol buffer definitions in `cnapp_pb2.py` for CNAPP data structures.
- Added unit tests for CNAPP commands and helpers in `test_cnapp.py` to ensure functionality and reliability.
- Introduced a lazy import for `router_helper` within the `_post_request_to_router` function to avoid circular import issues during module loading.
- Updated documentation to clarify the purpose of the lazy import and its implications for testing and production code paths.
…test assertions
- Pre-load `keepercommander.commands.record` to avoid circular import problems when running tests in isolation.
- Adjusted import order for clarity and compliance with linting rules.
- Updated test assertions in `test_decrypt_failure_keeps_other_rows_and_reports` to ensure accurate validation of output, including checks for 'good-resource' and '<encrypted>' in the output.
…proved key validation logic, and expanded unit tests for better coverage.
fb233de to e0e43d2
Title
Add CNAPP integration commands and helpers

Summary

Adds a new `pam cnapp ...` command tree to Commander that drives the krouter CNAPP (Cloud-Native Application Protection Platform) REST endpoints, giving CLI parity with the vault's Cloud Security view. The initial provider is Wiz; the wire/proto layer is provider-agnostic so additional CNAPP vendors can be added without further CLI changes.

Includes the protobuf definitions, a thin helper layer that owns the wire contract, the argparse-driven command surface, and a unit-test suite that exercises the real proto serializers against a mocked router transport.
Changes
- `keepercommander/commands/discoveryrotation.py` — register `PAMCnappCommand` under the `pam` group with alias `cn`.
- `keepercommander/commands/pam/cnapp_commands.py` (new, 608 lines) — full `pam cnapp` command tree:
  - `pam cnapp config set | test | test-encrypter | read | delete` — manage the provider configuration and health-check the customer-deployed Encrypter.
  - `pam cnapp queue list | associate | remediate | set-status | delete` — drive the issue queue (list with optional payload decryption, attach a vault record, dispatch remediation to the gateway, update status, delete).
  - `decryptCnappQueueItem` in `vault/cloudSecurityUtils.ts` so the CLI and vault see the same plaintext.
  - `--format table|json` on read/list commands for scripting.
- `keepercommander/commands/pam/cnapp_helper.py` (new, 241 lines) — single source of truth for the krouter wire contract. One Python function per endpoint under `/api/user/cnapp/`, plus enum parsers (`provider_from_name`, `action_from_name`) and UID conversion utilities. Callers pass parsed Python types; the helper builds the proto, dispatches via `_post_request_to_router`, and returns the typed response.
- `keepercommander/proto/cnapp_pb2.py` (new, 181 lines) — generated protobuf bindings for `cnapp.proto`, covering `CnappConfiguration`, queue request/response messages, `CnappProvider` (currently `WIZ`), and `CnappRemediationAction` (`ROTATE_CREDENTIALS`, `MANAGE_ACCESS`, `JIT_ACCESS`, `REMOVE_STANDING_PRIVILEGE`).
- `unit-tests/pam/test_cnapp.py` (new, 837 lines) — coverage for enum parsing, helper-level request shaping for every endpoint, command-level argument validation and output rendering (table + JSON), payload decryption (happy path + bad-key + missing-key fallback), and status-name → id resolution.

Cross-references
- `/api/user/cnapp/...` (`configuration/{set,test,test-encrypter,read,delete}`, `queue`, `queue/{associate,remediate,set-status,delete}`).
- `vault/cloudSecurityUtils.ts` (`CNAPP_ENCRYPTION_KEY_FIELD_LABEL = "Encryption Key"`, AES-256-GCM with `nonce(12) || ciphertext || tag(16)`).
- `CnappQueueStatus` from `CnappModels.kt` / `keeper.cnapp_queue_status` — new statuses must be added in both places.

Notes / limitations
- `ROTATE_CREDENTIALS`; the other remediation actions are wired through the proto but return `RRC_BAD_REQUEST` server-side until those flows are implemented.
- `config read` never returns `clientSecret`; passing an empty `--client-secret` to `config set` instructs krouter to keep the previously stored value.
- `queue list` falls back to showing payloads as `<encrypted>` (with a warning) when no Encrypter key can be resolved from the linked vault record; `--no-decrypt` opts out explicitly.

Test plan
- `python -m unittest unit-tests.pam.test_cnapp -v` passes locally.
- `pam cnapp config set` persists; `pam cnapp config read` returns the same network/provider/endpoint/client-id (and no secret).
- `pam cnapp config test` succeeds with valid creds and fails cleanly with the provider's reason on bad creds.
- `pam cnapp config test-encrypter --url https://...` returns OK for a healthy Encrypter and surfaces a clear error otherwise.
- `pam cnapp queue list --network-uid ...` renders the table with decrypted summaries (severity · title · resource) when the Encrypter record is in the vault; the same call with `--no-decrypt` shows `<encrypted>` and a warning.
- `pam cnapp queue list --format json` emits valid JSON with `decryptedPayload` populated and the raw `payload` field stripped.
- `pam cnapp queue associate` then `pam cnapp queue remediate ... rotate_credentials` round-trips through the gateway and `queue list` reflects the new status.
- `pam cnapp queue set-status pending|in_progress|resolved|failed|cancelled` and numeric ids both work; unknown names raise a `CommandError` listing the valid options.
- `pam cnapp config delete` and `pam cnapp queue delete` succeed and subsequent reads return the expected empty/`RRC_BAD_STATE` responses.
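The cross-references and test plan above pin down the queue payload format (AES-256-GCM, `nonce(12) || ciphertext || tag(16)`, key in the vault record field labelled "Encryption Key") and the `queue list` fallback (missing or bad key shows `<encrypted>` with a warning, other rows still decrypt, `--format json` strips `payload` and fills `decryptedPayload`). The following is an added example written for this page; it is not code from the PR or from Commander. It assumes, beyond what the PR states, that the record field holds the raw 32-byte key base64-encoded, that a queue row is a dict with a bytes `payload`, and that the plaintext is UTF-8 JSON with `severity`/`title`/`resource`; all function and variable names are illustrative, and the sample rows are constructed in the block.

```python
import base64
import json
import os
from typing import Dict, List, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12
TAG_LEN = 16
KEY_LEN = 32                                      # AES-256
ENCRYPTION_KEY_FIELD_LABEL = "Encryption Key"     # label named in the PR's cross-references
ENCRYPTED_MARKER = "<encrypted>"                  # what the PR says `queue list` shows on fallback


def key_from_record_fields(fields: List[Dict[str, str]]) -> Optional[bytes]:
    """Resolve the Encrypter key from a vault record's custom fields.

    Assumption (not stated on the page): the field value is the raw 32-byte key,
    base64-encoded. A missing field, bad base64 or wrong length yields None so
    the caller takes the "missing key" fallback instead of crashing."""
    for field in fields:
        if field.get("label") == ENCRYPTION_KEY_FIELD_LABEL and field.get("value"):
            try:
                key = base64.b64decode(field["value"], validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                return None
            return key if len(key) == KEY_LEN else None
    return None


def encrypt_queue_payload(plaintext: bytes, key: bytes) -> bytes:
    """Build nonce(12) || ciphertext || tag(16). AESGCM.encrypt already returns
    ciphertext || tag, so only a fresh random nonce has to be prepended."""
    if len(key) != KEY_LEN:
        raise ValueError("AES-256-GCM needs a 32-byte key")
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def decrypt_queue_payload(blob: bytes, key: bytes) -> bytes:
    """Inverse of the layout above. Raises InvalidTag for a wrong key or any
    change to nonce, ciphertext or tag, and ValueError for a malformed blob."""
    if len(key) != KEY_LEN:
        raise ValueError("AES-256-GCM needs a 32-byte key")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload shorter than nonce + tag")
    nonce, ct_and_tag = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct_and_tag, None)


def decrypt_rows(rows: List[Dict], key: Optional[bytes], warnings: List[str]) -> List[Dict]:
    """Shape rows the way the PR describes `queue list --format json`: the raw
    `payload` is stripped and `decryptedPayload` is populated. Every row is kept;
    a row that cannot be decrypted (no key, wrong key, tampered blob, non-JSON
    plaintext) gets ENCRYPTED_MARKER and a warning is recorded instead of aborting."""
    out = []
    if key is None:
        warnings.append("no Encrypter key resolved from the linked record; "
                        "showing payloads as " + ENCRYPTED_MARKER)
    for row in rows:
        rendered = {k: v for k, v in row.items() if k != "payload"}
        if key is None:
            rendered["decryptedPayload"] = ENCRYPTED_MARKER
        else:
            try:
                rendered["decryptedPayload"] = json.loads(decrypt_queue_payload(row["payload"], key))
            except (InvalidTag, ValueError) as exc:   # JSONDecodeError is a ValueError too
                warnings.append(f"{row.get('uid')}: {type(exc).__name__}; showing as {ENCRYPTED_MARKER}")
                rendered["decryptedPayload"] = ENCRYPTED_MARKER
        out.append(rendered)
    return out


# Constructed sample data (not real queue items): a fixed demo key, the record
# field that would carry it, one intact row and one row whose GCM tag was flipped.
KEY = bytes(range(KEY_LEN))                       # demo only; never hard-code a real key
SAMPLE_RECORD_FIELDS = [{"label": ENCRYPTION_KEY_FIELD_LABEL,
                         "value": base64.b64encode(KEY).decode()}]
_good = {"severity": "HIGH", "title": "Over-privileged role", "resource": "good-resource"}
_bad = {"severity": "LOW", "title": "Unused access key", "resource": "bad-resource"}
_tampered = bytearray(encrypt_queue_payload(json.dumps(_bad).encode(), KEY))
_tampered[-1] ^= 0x01                             # corrupt the last tag byte
SAMPLE_ROWS = [
    {"uid": "q1", "status": "pending", "payload": encrypt_queue_payload(json.dumps(_good).encode(), KEY)},
    {"uid": "q2", "status": "pending", "payload": bytes(_tampered)},
]

if __name__ == "__main__":
    notes: List[str] = []
    for r in decrypt_rows(SAMPLE_ROWS, key_from_record_fields(SAMPLE_RECORD_FIELDS), notes):
        print(r["uid"], r["status"], r["decryptedPayload"])
    for n in notes:
        print("warning:", n)
```

Running the block prints the intact row decrypted and the tampered row as `<encrypted>` with one warning; passing `None` as the key reproduces the missing-key path, where every row is shown as `<encrypted>` and a single warning is emitted, and passing a wrong 32-byte key fails per row with `InvalidTag` rather than producing garbage, which is the property that makes GCM's tag check the right place to detect a stale or mismatched Encrypter key.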