Open
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
integration/keeper_secrets_manager_cli/keeper_secrets_manager_cli/keyring_config.py
Fixed
Show fixed
Hide fixed
integration/keeper_secrets_manager_cli/keeper_secrets_manager_cli/keyring_config.py
Fixed
Show fixed
Hide fixed
integration/keeper_secrets_manager_cli/keeper_secrets_manager_cli/keyring_config.py
Dismissed
Show dismissed
Hide dismissed
stas-schaller
force-pushed
the
release/tool/cli/v1.3.0
branch
2 times, most recently
from
acffcd5 to
31e606c
Compare
- Update prompt-toolkit from ~=2.0 to >=3.0 (fixes pip backtracking) - Pin boto3>=1.20.0 for IMDSFetcher support in AWS integrations - Update keeper-secrets-manager-storage to >=1.0.3 - Raise minimum Python version from 3.7 to 3.9 - Bump CLI version to 1.3.0 This fixes the test-cli (3.9) failure caused by pip resolving to ancient boto3 1.7.84 due to prompt-toolkit~=2.0 dependency conflict.
Revert minimum Python version from 3.9 back to 3.7 to give clients time to migrate. Python SDK v17.1.0 is researching deprecation timeline for EOL Python versions with migration guidance coming soon. This aligns CLI deprecation timeline with the Python SDK v17.1.0 approach of providing advance notice before removing support. Related: Python SDK v17.1.0 release (PR #886)
Version 1.0.3 is not published to PyPI. CLI already has boto3>=1.20.0 pinned directly.
Ansible tests are broken on master due to PSModulePath detection. Fix already exists on release/integration/ansible/v1.2.7. Skip ansible tests for CLI releases until ansible v1.2.7 merges.
- Upgrade jaraco.context dependency to fix CVE-2026-23949 path traversal vulnerability - Add clarifying comments for SHA-256 usage in keyring config (change detection, not password hashing) - Update CLI README changelog with CVE fix details
CLI publishing now happens via secrets-manager-cli-binaries repo using publish.ksm.cli.yml workflow. This workflow is no longer used. style: restore blank line in storage.py to match master
- Update keeper-secrets-manager-core from >=17.0.0 to >=17.1.0 - Requires Python SDK v17.1.0 for security fixes and compatibility - Includes CVE-2026-23949, CVE-2026-24049, duplicate UID fix (KSM-732) - Includes file upload/download SSL/proxy fixes (KSM-763) needed by CLI - Includes transmission key #18 (KSM-740)
stas-schaller
force-pushed
the
release/tool/cli/v1.3.0
branch
from
de67025 to
fd8c787
Compare
KSM-804: warn on stderr when keyring empty and legacy keeper.ini found
… config Persist a SHA-256 integrity hash as a separate Keychain entry on every save and verify it on every load. Tampered entries raise KsmCliIntegrityException with a recovery hint. Deletion bypasses the check so compromised profiles can always be removed. Backward compatible: existing entries without an integrity key load silently; the key is bootstrapped on the next save.
KSM-805: add SHA-256 cross-session integrity verification for keyring config
integration/keeper_secrets_manager_cli/keeper_secrets_manager_cli/keyring_config.py
Dismissed
Show dismissed
Hide dismissed
Use os.open() for atomic 0600 creation on POSIX, and always call set_config_mode() so Windows icacls runs on both new and existing files. Adds unit tests covering new file creation, bad-permission correction, and the Windows set_config_mode call path.
_reload_config fell through to _find_ini_file when config was loaded from KSM_CONFIG or KSM_CONFIG_BASE64_* env vars, causing profile list to load from a keeper.ini on disk instead of the env var config.
Add missing `ksm profile delete <name>` subcommand. Fix `KeyringConfigStorage.delete_profile()` to clear `active_profile` when the deleted profile was active, preventing a broken-keychain state on subsequent CLI invocations. Also fix profile command handlers to reuse the already-initialised `Profile` instance from `KeeperCli` instead of creating a second one, eliminating duplicate upgrade-path warnings on macOS Keychain systems. Changes: - keyring_config.py: clear active_profile after removing profile from list - profile.py: add delete() method routing keyring vs INI storage - __main__.py: add profile_delete_command; reuse ctx.obj["cli"].profile in all five profile sub-command handlers - keyring_test.py: extend test_delete_profile() as failing regression test - profile_test.py: add test_delete_command_clears_active_profile()
…ommand KSM-810: add ksm profile delete command and fix active profile clearing
…name-validation KSM-815: validate profile name before redeeming one-time token
KSM-814: fix --ini-file flag ignored by profile and config subcommands
KSM-818: pin click-repl<0.3.0 to fix shell crash with click>=8.2
Add _reload_config() to show_config, set_color, set_cache, set_record_type_dir, and set_editor so they read/write the correct storage (ini file or keyring) rather than stale in-memory state. Forward global --ini-file to profile_setup_command when no subcommand flag is set, matching the fix already applied to profile_init_command. Add 7 regression/coverage tests covering: - profile setup, profile active, profile delete, profile import - config show, config color, config cache all with global --ini-file only (no subcommand flag)
…payload Python Core SDK to_dict() uses `if self.custom:` which treats an empty list as falsy, dropping the custom key even after the null guard sets it to []. Monkey-patch to_dict() at the class level to inject custom:[] when absent. Updated test now asserts on the serialized payload rather than the object attribute, correctly catching the serialization-layer bug. Remove patch when keeper-secrets-manager-core >= 17.2.1 is released.
…y-fix KSM-820: fix JSON output key custom_fields → custom
…lation KSM-828: prevent unit tests from writing mock data to real system keyring
Python 3.10+ includes importlib.metadata in the standard library, making the importlib_metadata backport unnecessary.
…cial characters before OTT redemption
Comment on lines
+72
to
+129
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12", "3.13"] | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install system deps (dbus + gnome-keyring) | ||
| run: sudo apt-get install -y gnome-keyring dbus-x11 | ||
|
|
||
| ########## KSM Python SDK (from source) | ||
|
|
||
| - name: Install SDK dependencies | ||
| working-directory: ./sdk/python/core | ||
| run: | | ||
| python3 -m pip install --upgrade pip | ||
| python3 -m pip install setuptools | ||
| python3 -m pip install -r requirements.txt | ||
| python3 -m pip install -e . | ||
|
|
||
| - name: Install SDK for integrations | ||
| working-directory: ./sdk/python/core | ||
| run: | | ||
| python3 setup.py build install | ||
|
|
||
| ########## KSM Python Helper (from source) | ||
|
|
||
| - name: Install SDK Helper dependencies | ||
| working-directory: ./sdk/python/helper | ||
| run: | | ||
| python3 -m pip install --upgrade pip | ||
| python3 -m pip install -r requirements.txt | ||
| python3 -m pip install -e . | ||
|
|
||
| - name: Install SDK Helper for integrations | ||
| working-directory: ./sdk/python/helper | ||
| run: | | ||
| python3 setup.py build install | ||
|
|
||
| ########## CLI with keyring extra | ||
|
|
||
| - name: Install CLI with keyring extra | ||
| working-directory: ./integration/keeper_secrets_manager_cli | ||
| run: pip install -e ".[keyring]" pytest | ||
|
|
||
| - name: Run keyring integration tests | ||
| working-directory: ./integration/keeper_secrets_manager_cli | ||
| run: | | ||
| dbus-run-session -- bash -c " | ||
| echo '' | gnome-keyring-daemon --unlock --components=secrets,keyring | ||
| KSM_KEYRING_INTEGRATION=1 python -m pytest tests/keyring_integration_test.py -v --tb=short | ||
| " |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
To fix the problem, explicitly define a permissions block that limits GITHUB_TOKEN to the minimal required rights. In this workflow, the jobs only need to check out code and run Python tests, so read access to repository contents is sufficient; no write or PR/issue permissions are needed.
The best minimal change is to add a workflow-level permissions block near the top of .github/workflows/test.cli.yml, just after the name (or before on:). This block will apply to both test-cli and test-cli-keyring since they do not define their own permissions. We’ll set contents: read, which is the recommended minimal baseline and matches CodeQL’s suggested starting point.
Concretely:
- Edit
.github/workflows/test.cli.yml. - Insert:
permissions:
contents: read- Place it between line 2 and line 3 (after
name: Test-CLIand the blank line), keeping indentation at the root level. - No imports, methods, or other definitions are needed because this is a YAML configuration change only.
Suggested changeset
1
.github/workflows/test.cli.yml
| @@ -1,5 +1,8 @@ | ||
| name: Test-CLI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [ master ] |
Copilot is powered by AI and may make mistakes. Always verify output.
…le-import KSM-831: fix boto3 import error for non-AWS --ini-file profiles
Two related fixes in keyring_config.py: 1. KeyringConfigStorage.is_available(): was returning False when keyring was installed but returned fail.Keyring (no Secret Service daemon), preventing lkru from being detected. Now falls through to lkru check on both ImportError and fail.Keyring backend. 2. KeyringUtilityStorage.__init__(): was setting use_python_keyring=True unconditionally on successful import, even when get_keyring() returned fail.Keyring. The lkru detection block (except ImportError) was never reached. Now raises ImportError when fail.Keyring is detected, routing into the existing lkru detection path. Broadened to except Exception for consistency with is_available(). Also adds: - 3 regression tests in keyring_test.py (mocked, ImportError path) - keyring_lkru_headless_test.py: 5 unmocked integration tests that run in Docker with real fail.Keyring backend, including test_storage_routes_to_lkru_not_fail_backend which catches the __init__ bug independently of is_available() - test-cli-lkru-headless CI job in test.cli.yml using Docker to guarantee a headless environment (no D-Bus) - Dockerfile.keyring-test moved to tests/docker/ - README and docs/keyring.md updated
lkru communicates with the D-Bus Secret Service API — the same daemon required by the Python keyring library. It provides no benefit when the daemon is absent and solves a scenario (daemon running, keyring library not installed) that pip install keeper-secrets-manager-cli[keyring] trivially handles. The repo has 1 star and 0 forks. Removes: - lkru detection from KeyringConfigStorage.is_available() - KSM_CONFIG_KEYRING_UTILITY_PATH env var support - keyring_utility / keyring_utility_path params from KeyringUtilityStorage - use_python_keyring flag and __run_keyring_utility() method - subprocess import (no longer used) - keyring_lkru_headless_test.py and 3 lkru unit tests - test-cli-lkru-headless CI job Also skips test_config_mode_access_denied when running as root (Docker), where chmod 0o0000 does not restrict file access.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Release branch for CLI v1.3.0 — adds OS-native keyring storage as the default credential store, with security hardening and dependency fixes.
Changes
New Features
keyringis an optional install (pip install keeper-secrets-manager-cli[keyring]);--ini-fileflag opts into explicit file-based storageksm profile delete <name>subcommand; completes the recovery path referenced byKsmCliIntegrityExceptionBug Fixes
--ini-fileflag respected by all subcommands (KSM-814): allprofileandconfigsubcommands now correctly use the--ini-filepath —profile list,profile active,profile export,profile import,profile init,profile setup;config show,config color,config cache,config record-type-dir,config editorKsmCliIntegrityExceptionwith aksm profile deleterecovery hint; backward-compatible (existing entries bootstrap silently on next save)delete_profile()now clearsactive_profilein the common config when the active profile is deleted, preventing a broken-keychain state on subsequent invocationskeeper.iniexists, with a--ini-filerecovery hint; fixed duplicate warnings from redundantProfileinstantiation in command handlerskeeper.inicreated atomically at 0600 viaos.open()(eliminates TOCTOU window on Unix);set_config_modealways runs on every write so Windows ACLs (icacls) are applied to new files and pre-existing bad permissions are corrected on re-save_reload_config()now correctly re-appliesKSM_CONFIGandKSM_CONFIG_BASE64_*environment variable configs on reload instead of falling through to disk discoverycustom: []now always included when creating records with no custom fields; previously the key was silently omitted, causing schema inconsistency with Vault and Commander[a-zA-Z0-9_-]{1,64}pattern as keyring storage; previously path-traversal characters and special characters passed the early check, consuming the one-time token before the stricter validator firedksm shellcrashed on any command when click-repl==0.3.0 was resolved alongside click>=8.2 (protected_argsbecame read-only in Click 8.2); pinned click-repl to <0.3.0ksm secret get --jsonnow outputs custom fields under"custom"(was"custom_fields"), matching the canonical V3 record format used by Commander and the Keeper VaultKeyringConfigStorage.is_availablemock to all 19Profile.init()call sites used as test scaffolding insecret_test.py,exec_test.py, andsecret_inflate_test.py--ini-fileprofiles (KSM-831):AwsConfigProviderimport deferred to inside theelif storage == "aws":branch; users without[aws]extra no longer hitMissing import dependencies: boto3when loading any non-AWS profile via--ini-fileKSM_CONFIG_KEYRING_UTILITY_PATHenvironment variable; lkru requires the same D-Bus Secret Service daemon as the Pythonkeyringlibrary and is not a headless alternative;is_available()now correctly returnsFalsewhenkeyringis not installed or no Secret Service daemon is running, falling back tokeeper.inifile storage in both casesMaintenance
~=2.0to>=3.0(fixes pip dependency resolution conflicts)>=17.2.0, keeper-secrets-manager-helper to>=1.1.0test-cli-keyringCI job across Python 3.10–3.13;test.cli.ymlpath-filtered to CLI and Python SDK pathsBreaking Changes
[aws]extra:pip install keeper-secrets-manager-cli[aws]Related Issues