Conversation

mfordkeeper
First cut at adding support for Google Cloud Platform.

Using this I was able to execute the following commands to create the GCP Pam Config to discover resources and rotate passwords:

rt --action add --data '{"$id": "pamGcpConfiguration", "fields": [{"$ref":"text", "label":"pamGcpId", "required":true}, {"$ref":"json", "label":"pamServiceAccountKey", "required":true}, {"$ref":"email", "label":"pamGoogleAdminEmail", "required":false}, {"$ref":"multiline", "label":"pamGcpRegionName"}, {"$ref":"multiline", "label":"Port Mapping"},  {"$ref":"fileRef", "label":"Rotation Scripts"}]}'
Record type added - new record type ID: 1234

(sf folder below is Local Gateway Folder - Resources):
pam config new -env gcp -t "GCP PAM Config" -g v2aaxmqQQdGKtH45MvghFw -sf AbO77yR-7gs5aYrnI_G7Lg --gcp-id test-service-acct --gcp-region us-central1 --google-admin-email [email protected] --service-account-key '{  "type": "service_account",  "project_id": "keeper-pam-lab",  "private_key_id": "791fd2330e4cd51bb03de7db36dced5fe30b34c8",  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7f7tyoh9P1au3\nnazhIWE5W/JFKwGo0Ba/7l1hOP7/xS52UmO9u5IZijSFjOxT+keLClOY/7Z2DdtC\ny2ufH+Qr9LPLUhuJSc/1YMYDWz6LajIMtODV4umt/lo8qAP8J2qdeCH8SHU/zWWG\n80MI2zub+kq3XARvIwujG/0rpquBxGlw4hbbyuZwvbF6TOZt0j6O0koIo9KCCVCx\nolmDdnd18bHzflogWEJrUPhUEWjAgXti8MZ7rdM7dR1WcVNyDyf9GhhLz6L4r2q7\nISohb4VSUJDmLflWaVDj+OrY6iTVwhX6osg0+eBFZVYLF+6CAlwB69mTCUyTdLU+\nbE6oLp7BAgMBAAECggEAAVn1HmkuleDvckPaBqLNBqm9EBIiNf/qhqHB+K80RHLz\nl/4DUHPXbamNtBIlKsV/h8uE5t+eGLFNTZ+V3BA/kPnTCRCe73kqyudSlgpSP0v+\nSsi5iLNnM1dXwwO6tnsMP5ngax4CSueA3i+ihkSaP5l7S/O+DCdNS9AqC3ja2Ade\nbqXMLzRnadKWIHo+B5jIyxs9o5hmyCrYxRnjKdwBx25Sys5fEEwVVvkFOxAlwtFj\nvpC3sxPMwV0z2f7+wPj73Aff+9byZT0PI//uCymXjuoEUUYvQNzaxX6AotxiH4Ce\nrvFeHqgw9xpgX7E5m3BBcdzLLH/tnc3DYQP9O09mxwKBgQDlo/WzJHH8yxerRtzl\nj+3NxH030IWckQeMRrYX6mAwsfjSoPBRSCM2Z4nsEwNvjlyJJTlqEa4ZV58dHokp\nXb7g31nsK4x7wYfsuFmmqs5tFAytrZcwtTnr/1u/wCTUn+Tfs/MAYverE0FvSmln\nxs4iwkIY0DKb4AEFVL2hN+X1HwKBgQDRBW8X9M/s+Dh1gDwgO6L2GFFWhJcYo1vs\nAlrd5eA8xdorUhQ9rAj1JP2PSVPTveObIClDDY5Qd4FCp/GrC5c/8lgRpalXMeAY\nl9u8eWuhZSsaTgi8XwHV0cSLfD/EVG5HqZE0AYhkuqVTsEq4YxffX6oe04G7kcK2\n9kveF3wQHwKBgQCgv6lagYSZZMFoz+4JdDsO8yCEVZ9x/cO+2jDVhOdYrvxy1N3k\nyA5+IvRVIOoiyRDVoA0UxtOMQd3L0HhLUKgxWafkvodUiiDQACwhkyd1C7fkS8Ou\nAO5O2S4siCBABr18KsdL2fts8cm4Uep/Dpd1lW4XWIZUvvV3+d3UYQDEGQKBgQCk\nGIsGGLlgReM1RC5v88HVSHQa408oFZ/l4ldqG712mLHWDsM7Q6NoqdiytBOuiUZ2\nE8KxFKRkwd1l8imFaj0dA+pmOFOA0/Ql+pqVFhIMjDtRlG/BSylKrzuJcksxnENT\n2WjYlld5FRsUX7PZnFoykI0jVFNmaWGfeC9JtdA9awKBgD24YfdGUOTZ1g3pEDr/\nEvCWpyYqZtKsS+8kbfDehKCrnHwKSKi3jpfQC60gnpPkqRRAGnGFL0ycJOOolys2\n43lNbNYgpsNyvjnJ4a/Tv6xvKJOeZys+Zt/KjEjapKbi9BosFMSWPEO2LSpvvDC8\nVityyd7lan6B+3CwRs/BX/kX\n-----END PRIVATE KEY-----\n",  "client_email": "[email protected]",  "client_id": "108648414715389153052",  "auth_uri": "https://accounts.google.com/o/oauth2/auth",  "token_uri": "https://oauth2.googleapis.com/token",  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-acct%40keeper-pam-lab.iam.gserviceaccount.com",  "universe_domain": "googleapis.com"}'
abcd1234EFGH5678ijkl
pam config edit abcd1234EFGH5678ijkl -c on -u on -r on -rbi on
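As an added illustration (not code from this pull request or from Keeper Commander), the check below validates the JSON handed to --service-account-key before it is stored in the new pamServiceAccountKey json field: it confirms the file has the fields shown in the command above, that private_key is a PEM block, that client_email is a service-account address, and optionally that project_id is the one the operator expects. It returns only non-secret facts, so the result can be logged without leaking the key. The required-field list, the PEM pattern and the sample key are assumptions made for this example. A service-account key pasted into a public pull request, as above, should be treated as compromised and rotated in the GCP console.

```python
import json
import re
from typing import Dict, Optional

# Fields a GCP service-account key file carries, taken from the key layout in the
# command above. Assumption for this example only, not a Commander constant.
REQUIRED_SA_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# PEM private key block (PKCS#8 or legacy RSA) after JSON has turned "\n" into newlines.
_PEM_RE = re.compile(
    r"\A-----BEGIN (?:RSA )?PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+"
    r"-----END (?:RSA )?PRIVATE KEY-----\n?\Z"
)


def validate_service_account_key(raw: str, expected_project: Optional[str] = None) -> Dict[str, str]:
    """Parse the JSON passed to --service-account-key and check its shape.

    Returns only non-secret facts (project, client_email, key id) so the result
    is safe to log; the private key itself is never returned or printed.
    Raises ValueError for anything that would make the gateway fail later.
    """
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("service account key is not valid JSON: {}".format(exc.msg)) from None
    if not isinstance(key, dict):
        raise ValueError("service account key must be a JSON object")

    missing = [f for f in REQUIRED_SA_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("service account key is missing: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("expected type 'service_account', got {!r}".format(key["type"]))
    if not _PEM_RE.match(key["private_key"]):
        raise ValueError("private_key is not a PEM PRIVATE KEY block")
    if not key["client_email"].endswith(".gserviceaccount.com"):
        raise ValueError("client_email is not a service account address")
    if expected_project and key["project_id"] != expected_project:
        raise ValueError("key belongs to project {!r}, expected {!r}".format(
            key["project_id"], expected_project))

    return {
        "project_id": key["project_id"],
        "client_email": key["client_email"],
        "private_key_id": key["private_key_id"],
    }


# Constructed sample: same layout as a real key file, but the key body is junk.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-pam-lab",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nQUJDREVGRw==\n-----END PRIVATE KEY-----\n",
    "client_email": "rotator@example-pam-lab.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "universe_domain": "googleapis.com",
})

if __name__ == "__main__":
    print(validate_service_account_key(SAMPLE_KEY, expected_project="example-pam-lab"))
```

Run the check on the key file before calling pam config new; a key that fails here would otherwise only surface as an opaque authentication error from the gateway at rotation time.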

@miroberts miroberts left a comment


:shipit:

print('-----------------------------------------------')

# TUNNELING
class PAMTunnelListCommand(Command):

please re-base on latest release branch and resolve any conflicts (some time ago tunneling stuff was moved to .../keepercommander/commands/tunnel_and_connections.py)

WIP copied over a bunch of discovery_common stuff WIP

Adding new json field type.

WIP Fixed gcp config field type setting so the auth fields match.
WIP added json field type

Fix for region name setting in gcp config.

Added pamGoogleAdminEmail field to gcp support.

Update SaaS config creation to allow field type multiline

Fix list-team duplication bug and add sort option

- Fixed team deduplication bug when 500+ teams exist (was checking 'uid' instead of 'team_uid')
- Added --sort option to list-team command with choices: company, team_uid, name
- Default sort remains 'company' to maintain backward compatibility
- All sorting is case-insensitive for better UX

Update 'warning' color for better readability

Make allows_remote_management flag optional in SaasCatalog structure.

download-membership command: ignore Lastpass shared folders with empty names

For `pam action saas add`, if required field has default value, don't complain about missing value

Improve SSL certificate handling for corporate environments

- Modified SSL certificate detection to prefer system CA store over certifi bundle
- Added support for KEEPER_SSL_CERT_FILE environment variable for configuration
- Enables compatibility with corporate SSL inspection proxies like Zscaler
- Maintains backward compatibility with existing installations
- Includes automatic detection of system certificate paths on macOS and Linux

This resolves issues where GitHub API calls (and other HTTPS requests) would
fail in corporate environments that use SSL inspection proxies.

Fix PAM SaaS SSL certificate handling for corporate environments

- Added ssl_aware_get() utility function that uses system CA certificates
- Updated all PAM SaaS direct requests.get() calls to use SSL-aware requests
- Fixes SSL errors with corporate proxies like Zscaler when downloading plugins
- Ensures consistent SSL certificate handling across all HTTP requests

This resolves SSL certificate verification errors when downloading SaaS catalog
and plugin files from GitHub objects.githubusercontent.com in corporate
environments with SSL inspection proxies.

Prioritize Homebrew certificates for better Zscaler compatibility

- Updated SSL certificate selection to prefer Homebrew CA bundle on macOS
- Homebrew certificates (/opt/homebrew/etc/ca-certificates/cert.pem) work better
  with corporate SSL inspection proxies like Zscaler
- Fixes objects.githubusercontent.com SSL verification errors
- Maintains fallback to system certificates for non-Homebrew environments

This resolves the specific SSL certificate verification issues with GitHub asset
downloads in corporate environments using SSL inspection.
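The three SSL commits above describe a lookup order: an explicit KEEPER_SSL_CERT_FILE, then the Homebrew bundle on macOS, then the system store, and certifi only as the last fallback. The function below is an added example of that resolution logic (it is not Commander's own implementation, and the candidate paths and the get_with_system_ca helper name are assumptions). The point a practitioner cares about is that a corporate inspection proxy re-signs every TLS session with a CA that IT installs into the operating-system store, so verification must read that store rather than be switched off; the one deliberate difference from a naive fallback chain is that a configured file that does not exist raises instead of silently dropping to certifi, which would reproduce the exact failure the variable was set to fix.

```python
import os
from typing import Callable, Iterable, Optional

# Candidate bundles, highest priority first. The Homebrew path is the one the
# commits above single out; the rest are the usual Linux/macOS locations.
# Assumption for this example, not Commander's own lookup table.
CANDIDATE_BUNDLES = (
    "/opt/homebrew/etc/ca-certificates/cert.pem",  # Homebrew on Apple silicon
    "/usr/local/etc/ca-certificates/cert.pem",     # Homebrew on Intel macOS
    "/etc/ssl/certs/ca-certificates.crt",          # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",            # RHEL/Fedora
    "/etc/ssl/cert.pem",                           # macOS system bundle
)


def resolve_ca_bundle(env: dict,
                      exists: Callable[[str], bool] = os.path.isfile,
                      candidates: Iterable[str] = CANDIDATE_BUNDLES) -> Optional[str]:
    """Return the CA bundle path to pass as requests' verify=, or None for certifi.

    Order: explicit KEEPER_SSL_CERT_FILE, then the first existing candidate,
    then None. `exists` is injectable so the policy can be tested off-box.
    """
    explicit = env.get("KEEPER_SSL_CERT_FILE")
    if explicit:
        # A configured path that is missing is an error, not a silent fallback:
        # dropping to certifi would hide a typo and bring back the proxy failure.
        if not exists(explicit):
            raise FileNotFoundError("KEEPER_SSL_CERT_FILE does not exist: " + explicit)
        return explicit
    for path in candidates:
        if exists(path):
            return path
    return None


def get_with_system_ca(url: str, **kwargs):
    """requests.get() that verifies against the resolved bundle (hypothetical helper)."""
    import requests  # imported lazily so resolve_ca_bundle() works without requests installed
    bundle = resolve_ca_bundle(os.environ)
    # verify=True leaves requests on its certifi default when no system bundle was found.
    kwargs.setdefault("verify", bundle if bundle else True)
    kwargs.setdefault("timeout", 30)
    return requests.get(url, **kwargs)


if __name__ == "__main__":
    print("using CA bundle:", resolve_ca_bundle(os.environ) or "certifi default")
```

Trusting the system store is the right fix only on a managed endpoint where the inspection proxy's CA was installed deliberately; never pass verify=False to get past the same error, since that accepts any interposed certificate, not just the corporate one.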

Fix logging configuration to prevent unwanted INFO:root messages

- Removed logging calls from utils.py that were interfering with main logging config
- Moved SSL certificate logging to after logging configuration is set up
- Changed warning messages to use stderr print instead of logging
- Prevents INFO:root messages from appearing in normal command output
- SSL certificate functionality remains unchanged

This resolves the issue where SSL certificate changes were causing unwanted
debug output to appear in normal command execution.

Add line continuation support and comprehensive record-add documentation

Features added:
- Line continuation support using backslash (\) in CLI commands
- Enhanced argument parsing with whitespace normalization
- Empty field filtering to handle copy-paste issues gracefully
- Comprehensive unit tests for line continuation functionality

Documentation improvements:
- Complete record-add command documentation with 200+ examples
- Covers all record types (login, contact, bankCard, etc.)
- Shows correct syntax: dot notation, $JSON:, $GEN, file attachments
- Includes record-update comparison and self-destruct features
- Provides troubleshooting and best practices

Technical details:
- Enhanced read_command_with_continuation() function in cli.py
- Added empty string filtering in record_edit.py commands
- Comprehensive test coverage for edge cases
- Handles trailing spaces and formatting issues from copy-paste

Fixes user experience issues with multi-line commands and provides
complete reference documentation for record management.
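As an added example of the behaviour the commit above describes (this is illustrative code, not Commander's read_command_with_continuation()), the two functions below join physical lines that end in a backslash into one logical command, tolerate trailing whitespace after the backslash and blank lines from copy-paste, collapse runs of whitespace at the join, and drop empty tokens after shlex splitting. Joining with a single space, rather than the shell's no-space join, is an assumption for this example; the sample command lines are constructed.

```python
import shlex
from typing import Iterable, Iterator, List


def join_continued_lines(lines: Iterable[str]) -> Iterator[str]:
    """Yield logical commands, joining physical lines that end in a backslash.

    Trailing whitespace after the backslash (a common copy-paste artifact) is
    tolerated; whitespace around the join collapses to a single space and
    blank lines produce no command.
    """
    buffer = []  # type: List[str]
    for line in lines:
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buffer.append(stripped[:-1].strip())
            continue
        buffer.append(stripped.strip())
        command = " ".join(part for part in buffer if part)
        buffer = []
        if command:
            yield command
    # A continuation with nothing after it still yields what was collected.
    tail = " ".join(part for part in buffer if part)
    if tail:
        yield tail


def split_args(command: str) -> List[str]:
    """shlex-split a command and drop empty tokens left by stray quotes or spaces."""
    return [tok for tok in shlex.split(command) if tok.strip() != ""]


# Constructed input: a multi-line record-add pasted with trailing spaces and a blank line.
SAMPLE_INPUT = [
    "record-add -t 'GCP rotation' -rt login \\   ",
    "    login=svc-rotator \\",
    "    password=$GEN \\",
    "    url=https://console.cloud.google.com",
    "",
    "whoami",
]

if __name__ == "__main__":
    for cmd in join_continued_lines(SAMPLE_INPUT):
        print(split_args(cmd))
```

Dropping empty tokens is a trade-off: it also removes an intentionally empty value such as notes='' , so a parser that must distinguish "absent" from "empty" should filter only tokens that came from whitespace rather than from quotes.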

Added simple PAM environment setup section to record-add --syntax-help

KSM app-sharing: grant minimal user-access to app-shares regardless of app-user's membership type

Fix Yubikey 'largeBlob' login issue

Prevent creation of V2 records

KSM app-sharing: disable sharing app w/ admin permissions

Fix unit tests

Release 17.1.3

KSM app-sharing: prevent sharing of app-secret when relevant current-user permissions don't allow

Match enterprise user report to Admin Console. KC-910

Fixed - TypeError: object of type 'TypedRecord' has no len()

Fix unit tests

Trickle Ice with passing candidates, structured close reasons, refactor tunneling configuration: update imports, remove unused parameters, and enhance cleanup logic

Add is_authorised function to whoami and keep-alive commands

added parent folder UID to folder details
added new PAM field types (RBI)

Fix router URL generation for GovCloud environments

changed record type to login

Fixed path issue

Add enterprise API key management commands

- Introduced `public-api-key` command group for managing enterprise API keys, including listing, generating, and revoking keys.
- Implemented command parsers for listing (`list`), generating (`generate`), and revoking (`revoke`) API keys with detailed help and examples.
- Added support for JSON output format and file saving options for generated keys.
- Created unit tests to validate the functionality of the new commands and ensure expected behavior in various scenarios.

Update dependencies to use keeper_pam_webrtc_rs

Update dependencies to use keeper_pam_webrtc_rs

refactoring - no code changes

Examples: Convert Lastpass membership file to Keeper format

Import from Lastpass: UTF-8 issue

Examples: Convert Lastpass membership file to Keeper format

Release 17.1.4

Enterprise node: prevent creation of nodes with empty names

Suppress certificate check errors in file upload

Implement Biometric Authentication Feature

Change log type for an error message

Update display name and time formats

Fixed the GovCloud endpoint subdomain

Add websockets dependency

Fixed unlink_user_from_resource

Improve 'audit-alert view' command

Improve audit-alert delete command

Remove ID from biometric list and update-name

added windows hello check using winrt

Added --schedule-only option to batch update only existing schedules

Release 17.1.5

Initial CyberArk User Portal import support.

Add 'diagnose' command for network connectivity testing to krelay server

Implement audit-alert enable/disable with --all flag (#1548)

Add more compatibility for websockets library versions in WebSocket connection handling

Refactor tunnel stop command and improve WebSocket connection handling

Changes biometric login info from print to logging

Update BreachWatch command messages for clarity

- Clarify that breachwatch scan generates security audit data for unscanned records
- Update command descriptions to be more precise about functionality
- Improve error message to suggest contacting support
- Fix grammar in informational messages

fixed pam rotation edit folder command

Release 17.1.6

Implement Service Mode Request Queue

Update README.md

DR-949 Add IIS pools to services

Add `iis` to type of service rotation for PAM password rotation.

Implement API versioning for service mode based on queue enabling (#1560)

* Implement both v1 and v2 versions of service mode with request queue enable option

* Handle server busy response messages

* Update unit-tests

* Implement review comments - fix race condition, add validations, add return types.

Add "editable" flag to one-time-share feature

switched all imports of keepercommander sub/modules to local paths

pam project import fixes

Add SSO login, Passwords and Tags; improve output

- Enable federated login, e.g., Okta using OAuth2 w/ PKCE
- Import the Password SecuredItemType as a login record
- Import tags as a comma-separated list
- Output a table of the data to be imported
- Improve error messages

made compatible with Python 3.7

Release 17.1.7

Update setup.cfg import for winrt

Add --format json to commands and audit-report params fix

Add fallback logic for node display names

Fix docker build run as non-root user and import issue in background-mode

pam import improvements (#1572)

* Added allow_supply_user

* Added allow_supply_host

Release 17.1.8

Revise README for Keeper Commander details and links

Added pam rbi edit command (#1576)

Add login-status command (#1578)

* Add login-status command

Fix ls -l command to exclude ANSI color codes from JSON output

- Modified FolderListCommand.execute() to only apply color formatting for non-JSON/CSV formats
- Added unit test to verify JSON output contains no ANSI escape sequences
- Preserves colored terminal output while ensuring clean JSON for programmatic parsing

Fixes issue where ls -l command was including escape sequences like \u001b[35m in JSON output

Add support for file input parameters in service mode (#1581)

* Add support for file input parameters in service mode (#1575)

* Implement File input parameters

* Implement support for file input parameter in Service Mode

* Update parser response with sanitization and for enterprise-push command

* Handle response for commands with no output and Raise exception for Add method with invalid options

* Update output to display errors (if any)

Device Management Commands (#1579)

Update description for lock action

KC-942: Publish Commander container on new builds

feat: Improve service mode functionality and CLI usability

This commit addresses several issues and enhancements in the Keeper Commander
service mode and CLI functionality:

- **CLI Argument Parsing**: Fixed main argument parser that was incorrectly
  reconstructing command arguments, causing service-create to fail with
  'argument -p/--port: expected one argument'. The parser now preserves
  original argument order instead of splitting and reordering them.

- **Service Startup URL**: Fixed service startup message to correctly display
  http:// when SSL is disabled and https:// when SSL is enabled, based on
  the actual SSL certificate configuration.

- **SSL Error Messages**: Improved user experience by replacing ugly SSL
  handshake error messages ('Bad request version À\x13À') with clear,
  user-friendly messages when HTTPS requests are made to HTTP services.

- **Service Mode JSON Parsing**: Added comprehensive JSON parser for whoami
  command in service mode, converting text output to structured JSON with
  proper type conversion (booleans for Yes/No, integers for counts).

- **CLI JSON Output**: Added --json flag to whoami command, allowing users
  to get structured JSON output directly from CLI for automation and
  scripting purposes.

- keepercommander/__main__.py: Fixed argument parsing logic
- keepercommander/service/core/service_manager.py: SSL protocol detection and logging filters
- keepercommander/service/app.py: SSL handshake error filtering
- keepercommander/service/util/parse_keeper_response.py: Whoami JSON parser
- keepercommander/commands/utils.py: CLI --json option implementation

- Verified service-create command works with all argument combinations
- Confirmed correct protocol display (http/https) based on SSL config
- Validated JSON output consistency between CLI and service modes
- Tested error message improvements for SSL mismatches

Fix user-statuses in admin console (#1584)

Persist API params in global state for reuse in subsequent requests

Release 17.1.9

Added --connections-recording, -cr option to pam rbi command (#1594)

Refactor API key terminology and enhance command structure

- Updated variable names and help text to use "Token" instead of "Token ID" for clarity.
- Modified API key revoke command to accept 'token' instead of 'token_id'.
- Adjusted related output messages to reflect the new terminology.
- Enhanced the public API protocol buffer definitions to include new response types.
- Updated unit tests to align with the changes in terminology and command structure.

This improves consistency and usability across the API key management commands.

Update unit tests to use a consistent token placeholder for API key generation

- Replaced hardcoded token values in test assertions with a generic placeholder 'token_generated_for_test' to enhance test reliability and maintainability.
- Ensured that all relevant test cases reflect this change for consistency across the test suite.

Improve CLI help menu organization and fix missing commands

• Fix missing commands in help menu (upload-attachment, one-time-share, verify-*, run-as)
• Reorganize commands into logical categories (Record, Sharing, Import/Export, etc.)
• Add colorful category headers with semantic color coding
• Implement proper table alignment (eliminate sloppy pipe separators)
• Add --legacy flag to hide deprecated commands by default
• Create Service Mode REST API section for service-* commands
• Add special formatting for PAM sub-commands (pam action, pam config, etc.)
• Eliminate 'Other' category by properly categorizing all commands

The help menu now provides better command discovery with professional
formatting and logical organization by functionality.

Complete CLI help menu improvements

- Fix remaining missing commands (verify-records, run-as, one-time-share)
- Add proper table alignment and colorful category headers
- Implement --legacy flag to hide deprecated commands
- Add special PAM sub-command formatting
- Update all command registration files

Reduced language strings

Fixed the REST API command parser with the new help menu settings.

Removed warning in log

Modified the help menu strings to be clearer.

Help menu strings continued

Added --key-events option to pam rbi edit command (#1596)

Release 17.1.10

Improved pam legacy command to toggle Legacy mode ON/OFF (#1599)

* Improved pam legacy command to toggle legacy mode ON/OFF
* Added --status option to print current state
* Improved keeper_dag vertex logging

Commands tag placement fix in entrypoint script (#1600)

Fixed IAM User rotation (#1602)

IAM User rotation should not convert to General rotation on update

Normalize server URL to handle servers with or without scheme/port (#1603)

Service Mode Response Updates (#1601)

* Update error responses to be consistent

* Update response for commands where logs are generated and flags are mandatory

* Update readme with correct errors handled and Code clean/ refactor.

* Update service-mode unit-tests

Docker - KSM based authentication support (#1598)

fix: Complete argument parsing fix for commands with global arguments

This commit fixes the argument parsing issue introduced in commit 8100dc2 where
global arguments (like --config, --server, --debug) appearing after command names
were incorrectly passed to subcommand parsers.

The fix:
- Preserves original argument order to maintain proper flag/value pairing
- Filters out all main parser arguments before reconstruction
- Handles both --arg=value and --arg value formats
- Properly quotes all arguments using shlex.quote()

Fixes commands like:
- keeper record-add --config='config.json' -t 'Title' -rt login ...
- keeper record-add --debug --server='host' -t 'Title' ...

This resolves the 'unrecognized arguments' errors while maintaining the
original fix for service-create command issues.
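The commit above describes the separation that was needed: global options such as --config, --server and --debug may appear after the subcommand name, must be pulled out for the main parser without reordering the remaining tokens, in both --arg=value and --arg value forms, and the subcommand's arguments are then re-quoted with shlex.quote(). The code below is an added example of that split (not Commander's __main__.py); the GLOBAL_OPTS table is a hypothetical subset and must mirror the real main parser exactly, because any name listed here is stolen from the subcommand even if the subcommand defines an option of the same name.

```python
import shlex
from typing import Dict, List, Tuple

# Global options of the hypothetical main parser: name -> whether it takes a value.
# Assumption for this example; the real table lives in the main argparse parser.
GLOBAL_OPTS = {
    "--config": True,
    "--server": True,
    "--user": True,
    "--password": True,
    "--debug": False,
}


def separate_global_args(argv: List[str],
                         global_opts: Dict[str, bool] = GLOBAL_OPTS) -> Tuple[List[str], List[str]]:
    """Split argv into (global_args, command_args), preserving the order of both.

    Handles --opt=value (one token) and --opt value (two tokens, value consumed
    even if it starts with '-'). Everything else stays with the subcommand.
    """
    global_args = []   # type: List[str]
    command_args = []  # type: List[str]
    i = 0
    while i < len(argv):
        tok = argv[i]
        name, eq, _ = tok.partition("=")
        if name in global_opts:
            if global_opts[name] and not eq:
                if i + 1 >= len(argv):
                    raise ValueError("option {} requires a value".format(name))
                global_args.extend([tok, argv[i + 1]])
                i += 2
            else:
                global_args.append(tok)
                i += 1
            continue
        command_args.append(tok)
        i += 1
    return global_args, command_args


def rebuild_command_line(command_args: List[str]) -> str:
    """Re-quote subcommand arguments so values with spaces survive a second split."""
    return " ".join(shlex.quote(a) for a in command_args)


if __name__ == "__main__":
    # Constructed argv matching the second example in the commit message above.
    argv = ["record-add", "--debug", "--server", "host", "-t", "My Title", "-rt", "login"]
    glob, cmd = separate_global_args(argv)
    print("main parser:", glob)
    print("subcommand :", rebuild_command_line(cmd))
```

Because rebuild_command_line() quotes every token, a title such as My Title reaches the subcommand parser intact instead of being split into two positional arguments on the second pass; the same quoting also keeps a value that starts with a dash from being read as a flag.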

Added Support for Cloudflare in Service Mode

Added --key-events toggle to pam connection edit command (#1609)

lambda_handler.py overhaul

Our Lambda handler script returns an error in production, due to two problems with the script:
By default, Lambda file system cannot file to
 → We import keepercommander without setting HOME, TMPDIR and TEMP environment variables, which would cause an issue as it would create pycache in the user directory.
 → We call api.login(), which will attempt to create a .keeper/config.json file in the user directory, which Lambda isn't allowed to do.
This change request introduces the following:
Complete overhaul of the lambda handler script
- Added HOME, TMPDIR and TEMP environment variables before import
- Added code that creates a custom /tmp/.keeper/ dir to store the config file.
- Added code that leverages the get_params_from_config() function to store the config file in the custom /tmp/.keeper/ dir.
- Removed the email handler function as it was useful but not on topic for the Keeper SDK. Replaced it with more basic functions specific to the Keeper SDK.
Reworked the step-by-step explanation of the program to fit the overhaul.
The Layer Content script is also outdated; hoping to get some help from Commander contributors for this.

Added new Domain PAM Configuration option to pam config commands (#1613)

Add --file flag for logging debug logs (#1612)

KC-942: Docker KSM Utility with upload support

Enhance Rust WebRTC logging, ICE restart functionality, and adding non trickle flag.

Release 17.1.11

PEDM

Fixed rotation CRON style schedules (#1623)

KC-762: Respect "MASTER_PASSWORD_REENTRY" enforcement.

KC-963: Added format json support to search, totp and ls commands

improve search results display and code organization

Add missing commands 'find-password, file-report, rm, load-record-types, audit-alert' to help and update logger name as keepercommander

Move audit-alert in reporting commands

ice restart support (#1625)

updated rotation settings print

PEDM: Python3.9 compatibility

Unit tests: Python3.7

KC-973: Ensure list and other commands produces proper response in service mode when no data is found

Added KSM Config Base64 support for docker (#1629)

`audit-report`: Add support for regex + multi keyword row filter

Fixed DAG logger custom log levels (#1631)

One more merge conflict resolution.
@mfordkeeper mfordkeeper merged commit 09928dd into release Oct 20, 2025
4 checks passed