Skip to content

Kc 907 public api implementation #1518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jul 23, 2025
Merged

Kc 907 public api implementation #1518

merged 9 commits into from
Jul 23, 2025

Conversation

jpkeepersecurity
Copy link

Enterprise API Keys Management Implementation

📋 Overview

This PR implements a comprehensive enterprise API keys management system for Keeper Commander, providing three core operations: list, generate, and revoke API keys. The implementation follows the existing codebase patterns and includes extensive testing coverage.

🔑 Features Implemented

Core Operations

  • public-api-key list - Display all enterprise API keys with comprehensive filtering and output options
  • public-api-key generate - Create new API keys with role-based permissions and flexible expiration settings
  • public-api-key revoke - Revoke existing API keys with confirmation workflow

Key Capabilities

  • Multiple Output Formats: Table (default), JSON, CSV with file export support
  • Flexible Expiration Options: 24h, 7d, 30d, 1y, or never expires
  • Role-Based Access Control: Support for SIEM, CSPM, BILLING roles with READ/READ_WRITE permissions
  • Status Detection: Automatic expired vs active status based on expiration dates
  • Interactive Confirmations: User-friendly prompts with force override options
  • Comprehensive Help System: Detailed examples and usage guides for each operation

🛠 Implementation Details

File Structure

keepercommander/commands/enterprise_api_keys.py  # Main implementation
unit-tests/test_command_enterprise_api_keys.py    # Comprehensive test suite

Architecture

  • ApiKeyCommand - Main group command following GroupCommand pattern
  • ApiKeyListCommand - Handles listing operations with filtering and formatting
  • ApiKeyGenerateCommand - Manages API key creation with validation and role assignment
  • ApiKeyRevokeCommand - Handles revocation with user confirmation workflows

Integration

  • Follows existing enterprise command patterns from scim.py and enterprise.py
  • Integrates with existing REST API infrastructure via communicate_rest()
  • Uses protobuf message types from publicapi_pb2 module
  • Registered in enterprise commands via base.py registration system

📊 Command Usage Examples

List API Keys

# Basic table view
public-api-key list

# JSON output with file export  
public-api-key list --format json --output api_keys.json

# CSV export
public-api-key list --format csv --output api_keys.csv

Generate API Keys

# Basic API key with 30-day expiration
public-api-key generate --name "SIEM Integration" --roles "SIEM:2" --expires 30d

# Multiple roles with different permissions
public-api-key generate --name "Multi-Role Key" --roles "SIEM:2,CSPM:1,BILLING:2" --expires 1y

# Permanent API key (never expires)
public-api-key generate --name "Permanent Tool" --roles "SIEM:1" --expires never

# JSON output to file
public-api-key generate --name "Backup Tool" --roles "CSPM:2" --format json --output backup_key.json

Revoke API Keys

# Interactive revocation with confirmation
public-api-key revoke 12345

# Force revocation without confirmation
public-api-key revoke 12345 --force

🎯 Role and Permission System

Supported Roles

  • SIEM (ID: 1) - Security Information and Event Management
  • CSPM (ID: 2) - Cloud Security Posture Management
  • BILLING (ID: 3) - Billing and usage management

Action Types

  • 1 = READ - Read-only access
  • 2 = READ_WRITE - Full read/write access

Expiration Options

  • 24h - 24 hours from creation
  • 7d - 7 days from creation
  • 30d - 30 days from creation
  • 1y - 1 year from creation
  • never - No expiration (permanent access)

🧪 Comprehensive Testing

Test Coverage Statistics

  • Total Tests: 27 comprehensive test scenarios
  • Success Rate: 100% (all tests passing)
  • Coverage Areas: All operations, error handling, edge cases, output formats

Test Categories

📋 List Operations (8 tests)

  • test_api_key_list_success - Basic table format output validation
  • test_api_key_list_json_format - JSON output structure validation
  • test_api_key_list_json_comprehensive_fields - Complete field validation with expected data
  • test_api_key_main_command_default_list_behavior - Default command behavior
  • test_api_key_status_detection_expired_vs_active - Status logic validation

🔑 Generate Operations (10 tests)

  • test_api_key_generate_success_matching_terminal_example - Exact Commander output matching
  • test_api_key_generate_success_7d_expiration - 7-day expiration validation
  • test_api_key_generate_success_30d_expiration - 30-day expiration validation
  • test_api_key_generate_success_1y_expiration - 1-year expiration validation
  • test_api_key_generate_success_never_expires - Never expires validation
  • test_api_key_generate_multiple_roles - Multi-role support
  • test_api_key_generate_multiple_roles_comprehensive - Complex role combinations
  • test_api_key_generate_json_output - JSON format validation
  • test_api_key_generate_json_comprehensive_fields - Complete JSON structure validation
  • test_api_key_generate_json_with_output_file - File export functionality

🗑️ Revoke Operations (5 tests)

  • test_api_key_revoke_matching_terminal_example - Exact Commander output matching
  • test_api_key_revoke_cancelled_by_user - User cancellation workflow
  • test_api_key_revoke_force_flag - Force revocation without confirmation
  • test_api_key_revoke_success - Basic revocation success

❌ Error Handling (4 tests)

  • test_api_key_generate_missing_name - Required parameter validation
  • test_api_key_generate_missing_roles - Role requirement validation
  • test_api_key_generate_invalid_role_format - Input format validation
  • test_api_key_generate_invalid_role_name - Role name validation
  • test_api_key_revoke_missing_token_id - Token ID requirement validation
  • test_api_key_revoke_invalid_token_id - Token ID format validation

Mock Data Validation

The test suite uses realistic mock data that matches actual Commander terminal output:

# Sample tokens matching real terminal examples
Token ID: 43, 44, 45 (Expired) - "Token Test", "Token Test 2"
Token ID: 53, 54 (Active) - "CSPM Tool", "Token For My Tests 111"
Enterprise ID: 8560
Roles: "SIEM:2, CSPM:2", "SIEM:2, CSPM:1", "SIEM:2, CSPM:2, Billing:2"

Field Validation

Each test validates all output fields:

  • ✅ Token ID, Enterprise ID, Name, Status
  • ✅ Issued Date, Expiration Date formatting
  • ✅ Role assignments and action types
  • ✅ Status logic (Active/Expired/Never)
  • ✅ JSON structure completeness
  • ✅ File I/O operations

🔄 Command Name Evolution

Initially implemented as api-key, the command was renamed to public-api-key for better specificity:

Updated References

  • ✅ Command registration: commands['public-api-key']
  • ✅ All argument parsers: prog='public-api-key <operation>'
  • ✅ Help documentation and examples
  • ✅ Test suite assertions
  • ✅ Interactive help system

🎨 Code Quality & Standards

Follows Existing Patterns

  • Command Structure: Mirrors scim.py implementation patterns
  • Error Handling: Consistent with enterprise.py standards
  • REST API Integration: Uses existing communicate_rest() infrastructure
  • Argument Parsing: Follows Commander argparse conventions
  • Output Formatting: Leverages existing dump_report_data() utilities

Enterprise Integration

  • ✅ Inherits from EnterpriseCommand base class
  • ✅ Registered in register_enterprise_commands() function
  • ✅ Uses enterprise protobuf message types
  • ✅ Follows enterprise authentication patterns

📈 Testing Infrastructure

Mock System

  • REST API Mocking: Complete communicate_rest() simulation
  • Protobuf Integration: Realistic publicapi_pb2 message generation
  • File I/O Testing: Temporary file creation and cleanup
  • User Interaction: Input/confirmation workflow simulation

Test Execution

# Run all enterprise API key tests
python -m pytest unit-tests/test_command_enterprise_api_keys.py -v

# Results: 27 passed, 1 warning in 2.48s

🚀 Ready for Production

This implementation provides:

  • Complete Functionality: All three core operations fully implemented
  • Robust Testing: 27 comprehensive test scenarios with 100% pass rate
  • Error Handling: Comprehensive validation and user-friendly error messages
  • Documentation: Extensive help system with practical examples
  • Integration: Seamless integration with existing Commander infrastructure
  • Code Quality: Follows established patterns and best practices

The enterprise API keys management system is ready for immediate use with full confidence in its reliability and maintainability.

idimov-keeper and others added 9 commits April 30, 2025 12:09
@idimov-keeper @sk-keeper
added parent folder UID to folder details
ed3e799 
added new PAM field types (RBI)
@idimov-keeper @sk-keeper
Fix router URL generation for GovCloud environments
7fafc7b
@sajida-metron @sk-keeper
Stroing config as plain text at remote
28424f2
@sajida-metron @sk-keeper
changed record type to login
4bfccd8
@sajida-metron @sk-keeper
Fixed path issue
8d0de19
@sk-keeper
Add RESTRICT_TOTP_FIELD enforcement support
a926b67
@jpkeepersecurity
Merge branch 'release' of https://github.com/Keeper-Security/Commander
fab3f4f 
…into release
@jpkeepersecurity
Add enterprise API key management commands
ec9b5e2 
- Introduced `public-api-key` command group for managing enterprise API keys, including listing, generating, and revoking keys.
- Implemented command parsers for listing (`list`), generating (`generate`), and revoking (`revoke`) API keys with detailed help and examples.
- Added support for JSON output format and file saving options for generated keys.
- Created unit tests to validate the functionality of the new commands and ensure expected behavior in various scenarios.
@jpkeepersecurity
Merge branch 'release' of https://github.com/Keeper-Security/Commander
0d4e844 
…into KC-907-public-api-implementation
@jpkeepersecurity jpkeepersecurity changed the base branch from master to release July 10, 2025 21:26
sk-keeper
sk-keeper reviewed Jul 16, 2025
View reviewed changes
keepercommander/commands/enterprise_api_keys.py
def execute(self, params, **kwargs):
token_id = kwargs.get('token_id')
if not token_id:
print("Token ID is required")
Copy link
Collaborator

@sk-keeper sk-keeper Jul 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this line can be replaced with
raise CommandError("Token ID is required")

Generally the Commander code uses print function to intentionally write some information to stdout.
In most cases it targets using commander in customer's scripts. Any other use of print is suspicious.

Any user information, especially warnings and errors, will generally use logging.*

raise CommandError is used to abnormally stop any command. This exception expects the message is clear and customer can correct command input.

Any other exception is not expected. These exceptions show standard message to switch to debug mode and repeat the command.
debug mode prints call stack that helps developers to identify the crash.

@sk-keeper sk-keeper merged commit 71b94bc into release Jul 23, 2025
6 checks passed
@sk-keeper sk-keeper deleted the KC-907-public-api-implementation branch July 23, 2025 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sk-keeper sk-keeper sk-keeper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jpkeepersecurity @sk-keeper @idimov-keeper @sajida-metron