fix(workflow): credential redaction, strict enforcement deny, HHMM decode fix#2013
Open
msawczynk wants to merge 1 commit intoKeeper-Security:releasefrom
Open
fix(workflow): credential redaction, strict enforcement deny, HHMM decode fix#2013msawczynk wants to merge 1 commit intoKeeper-Security:releasefrom
msawczynk wants to merge 1 commit intoKeeper-Security:releasefrom
Conversation
HIGH: narrow transport fail-open to 404-only (endpoint not deployed); all other errors (5xx, 401, timeout, parse) now fail closed in WorkflowAccessValidator.validate() via re-raise + BLOCKED_RESULT guard HIGH: strict-deny enforcement for empty enterprise boolean lists in is_pam_action_allowed_by_enforcement (helpers.py) and _is_rotation_allowed_by_enforcement (discoveryrotation.py); booleans=[] in enterprise context now falls through to key-absent deny instead of returning allow HIGH: redact credentials/private-keys/tokens from debug logs in terminal_connection.py (turn_password, callback_token, guacd_params password/private-key/passphrase/client-key) MEDIUM: strict boolean arg parser for pam workflow update flags; rejects non-true/false with argparse.ArgumentTypeError MEDIUM: HHMM table decode fix divmod(100) instead of divmod(60) MEDIUM: backward-compat migration for legacy minutes-since-midnight workflow configs; values >= 1440 converted to HHMM in _check_allowed_times MEDIUM: warn on auto check-in failure with pam workflow end hint MEDIUM: fix --auto-checkout help text in both launch and tunnel to state that the lease is NOT released automatically MEDIUM: pam workflow delete pre-check now surfaces read failures as a warning instead of silently treating them as "nothing to delete" LOW: validate --wait-timeout > 0 before polling loop in both launch and tunnel paths; raises CommandError if invalid LOW: remove dead _print_transport_error helper (unreachable post HIGH-1) Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three targeted security fixes in the PAM workflow stack, identified during internal code review. Each change is surgical — only the minimum lines needed.
HIGH: Credential redaction in debug logs (
terminal_connection.py)turn_password,callback_token, and all guacd secret fields (password,private-key,passphrase,client-key) are redacted to***redacted***beforelogging.debug(). Prevents secret leakage into log files and SIEM streams when debug logging is enabled.HIGH: Strict deny for empty enforcement boolean lists (
helpers.py,discoveryrotation.py)is_pam_action_allowed_by_enforcementand_is_rotation_allowed_by_enforcementpreviously treatedbooleans=[](enterprise context, no boolean enforcements set) as allow. Corrected to fall through to key-absent deny — matching web-vault behaviour.MEDIUM: Strict boolean arg parser for
pam workflow updateflags (config_commands.py)--enabled,--skip-mfa, etc. now raiseargparse.ArgumentTypeErroron non-true/falseinput instead of silently coercing.MEDIUM: HHMM divmod fix (
helpers.py)_parse_time_to_hhmmuseddivmod(value, 60)for hours — corrected todivmod(value, 100)to match the server's HHMM integer encoding (17:30→1730).Files changed
keepercommander/commands/pam_launch/terminal_connection.pykeepercommander/commands/workflow/helpers.pykeepercommander/commands/discoveryrotation.pykeepercommander/commands/workflow/config_commands.pyTesting
44 existing workflow tests pass. Tested against lab tenant.
Made with Cursor