feat(pam): add KCM database connector for pam project import#1889
Open
jlima8900 wants to merge 5 commits intoKeeper-Security:releasefrom
Open
feat(pam): add KCM database connector for pam project import#1889jlima8900 wants to merge 5 commits intoKeeper-Security:releasefrom
jlima8900 wants to merge 5 commits intoKeeper-Security:releasefrom
Conversation
jlima8900
force-pushed
the
feat/pam-kcm-import
branch
2 times, most recently
from
6ee680b to
f01cab6
Compare
jlima8900
changed the title
…tion Adds `pam project kcm-import` command that connects to a KCM/Guacamole database, extracts connections/users/groups, maps 150+ parameters, and imports into Keeper PAM via the existing import/extend engine. Features: --db-ssl, --docker-detect, --db-password-record, --gateway (interactive selection), --max-instances (pool sizing), --dry-run, --output, --folder-mode, --skip-users, --include-disabled. Prints Docker/K8s deploy commands after gateway creation.
jlima8900
force-pushed
the
feat/pam-kcm-import
branch
from
f01cab6 to
588d1d4
Compare
Same pattern as Keeper-Security#1873 — os.open mode only applies on creation, not existing files. Add os.fchmod(fd, 0o600) to ensure owner-only permissions regardless.
Security improvements: - Block remote connections without SSL by default (require --db-ssl or --allow-cleartext to override) - Clear connector.password and db_password after use - Clear docker inspect stdout after parsing (contains all container env vars including other secrets) - Remove db username from docker detect log output - Add os.fchmod for existing output files - Use e.__class__.__name__ instead of type(e).__name__ for consistency Add 8 tests for SSL enforcement, credential cleanup, and log sanitization.
Live E2E tests (skip when DB offline): - Real DB connection, schema validation, data extraction - Parameter mapping with real KCM data (SSH + RDP connections) - All 3 folder modes (ksm/exact/flat) against real groups - Docker detect against real guacamole-postgres container - Full execute() pipeline: dry-run, output file, skip-users, include-disabled, custom project name, all folder modes - Error paths: wrong password, wrong db name, wrong port - Remote SSL enforcement, nonexistent Docker container Unit tests: - Gateway resolution: not found, found by name, offline warning - _find_config_for_gateway: match and no-match paths - Deploy instructions output verification - _is_local_host: localhost, IPv4/IPv6, RFC1918, public IPs - Docker container name passthrough (custom + default) - DB flag passthrough: port, db_name, db_user, default ports - Error paths: connection failure, schema failure, invalid port, Docker timeout, Docker not installed
Bugs found during live E2E testing against real vault: - PAMController protobuf has no `isOnline` attribute — replaced with router_get_connected_gateways() cross-reference to determine online status - PAMController has no `version` attribute — removed from display - Unused import (pam_configurations_get_all) replaced with router_helper Verified full E2E: DB connect → extract → transform → vault import → gateway creation → folder structure → shared folders → PAM config → KSM app. 8 records created successfully (3 resources, 3 users, 1 config, 1 app).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
pam project kcm-importcommand for migrating KCM/Guacamole connections into Keeper PAM.--dry-run,--output,--docker-detect,--db-ssl,--db-password-recordTest plan