Skip to content

KC-1353: Add PAM recording list-by-user and download commands#2204

Open
jeremy-london wants to merge 5 commits into
releasefrom
feat/add-get-recordings-for-users
Open

KC-1353: Add PAM recording list-by-user and download commands#2204
jeremy-london wants to merge 5 commits into
releasefrom
feat/add-get-recordings-for-users

Conversation

@jeremy-london

@jeremy-london jeremy-london commented Jul 9, 2026

Copy link
Copy Markdown
Member

Ticket KC-1353

Summary

Implements PR-212 (get_recordings_for_users KRouter endpoint) with full download support in Commander CLI.

  • pam rec lbu <username...> — List PAM session recordings for one or more users with flexible filtering, output formats (table/JSON/CSV/markdown), and optional inline download.
  • pam rec dl — Download and decrypt recording files by username or specific connection UIDs.
  • Parallel downloads (4 workers, respecting the KRouter 50 req/5s rate limit).
  • Full AES-GCM decryption using the wire format from session-recordings-util.ts (HKDF key derivation + per-file recording secret).
  • 100% test coverage — 54 unit tests covering all code paths including error cases, legacy salt fallback, and all output formats.

Files Changed

File Change
keepercommander/commands/pam/recording_commands.py New — full implementation of both commands + helpers
keepercommander/commands/pam/router_helper.py Added router_get_recordings_for_users and router_download_recording
keepercommander/commands/discoveryrotation.py Registered PAMRecordingCommand group (pam rec / pam recording)
keepercommander/proto/pam_pb2.py Added PAMRecordingsForUsersRequest protobuf message
tests/test_pam_recording_commands.py New — 54 tests, 100% line coverage

QA Test Guide

Prerequisites

  1. Login with a PAM-enabled account that has RBI + KCM enforcements active.
  2. Run sync-down to populate the vault cache (needed for record key lookup / decryption).

1. List recordings for a user (table)

pam rec lbu user@example.com

Expected: table with columns ConnUID, RecordUID, User, Type, Protocol, Started, Duration, Risk.

2. List with filters

pam rec lbu user@example.com --risks critical --types session --protocols ssh --max-count 10

Expected: only SSH session recordings with critical AI risk level.

3. Date range filter

pam rec lbu user@example.com --range-start 2026-01-01 --range-end 2026-06-30

4. JSON output (stdout)

pam rec lbu user@example.com --format json --max-count 5

Expected: JSON with recordings array and hasMore bool. Use connectionUid and recordUid values for download commands.

5. Save listing to file (format auto-detected from extension)

pam rec lbu user@example.com --output listings.csv        # CSV
pam rec lbu user@example.com --output listings.md         # Markdown table
pam rec lbu user@example.com --output listings.json       # JSON

6. List and download in one step

pam rec lbu user@example.com --risks critical --types session --max-count 5 --download-dir ./downloads

Expected: table printed, then files downloaded + decrypted into ./downloads/. Filenames are <base64url-connection-uid>.<ext>.

7. Download all file types for a specific session (by connection UID)

Get the full connection UID from --format json above, then:

pam rec dl \
  --connection-uid <connectionUid hex> \
  --record-uid <recordUid hex> \
  --output-dir ./downloads

Expected: up to 4 files per session — .ses (session), .tys (typescript), .tim (timing), .sum (AI summary). 404s are silently logged and mean that file type doesn't exist for that session (normal).

8. Download all recordings for a user (bulk)

pam rec dl --usernames user@example.com --output-dir ./downloads

9. Download with type filter

pam rec dl --usernames user@example.com --types session typescript --output-dir ./downloads

10. Multiple users or connection UIDs

pam rec lbu user1@example.com user2@example.com --format json
pam rec dl --connection-uid <uid1> <uid2> <uid3> --record-uid <recordUid> --output-dir ./downloads

Decryption verification

Decrypted .ses files are raw terminal session data (text). You can inspect them:

cat downloads/<filename>.ses | head -100

The .sum file contains the AI-generated session summary as JSON.

Test Results (live against dev)

All 8 test scenarios run against jlondon+keeperai@keepersecurity.com on dev:

  • Listed hundreds of recordings with correct timestamps, risk levels, and protocols
  • Filtered by risk=critical, type=session, protocol=ssh
  • Downloaded and decrypted .ses (62,724 bytes), .tys, .tim, .sum files
  • All 4 file types decrypted correctly end-to-end

Unit tests: 54/54 passing, 100% line coverage

idimov-keeper and others added 5 commits July 8, 2026 09:25
Use DOMAIN\username for icacls /grant instead of bare os.getlogin(), which
fails when the machine name and username are the same string.
* KC-1290: CNAPP integration commands and PAM graph migration

Re-applied on top of origin/release after sync-branch. Includes CNAPP command helpers, PAM graph endpoint migration, and related unit test updates.

* Fix time-dependent enterprise API key list tests for UTC CI

Move SIEM Tool mock expiration to 2030 so status detection tests remain deterministic when CI runs in UTC after the token expiry date.

---------
Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
* Fix docker startup multiple syncs

* Remove sync from 'service-status' and keep it in 'this-device'
…#2168)

* Fix share-folder record expiration removing owner records and breaking re-shares

When share-folder was used with -r and --expire-in, expiration was applied to
SharedFolderUpdateRecord, which caused the record to be removed from the
owner's vault when the timer expired. Route per-record expiration and -roe
through the record share API (revoke then re-grant) instead, keep folder user
updates for access only, sync before granting, and skip redundant user updates
when sharing additional records to the same recipient.

* Share-folder: expire folder and record access together; log expiry in output

* updated test file

* Fix share-folder remove vault deletion; clean up access grant/remove logs

* Fix share folder expire in and -r combination

* Separate folder and record flag usage to fix multiple remove related issue

* Fix -p and -o flags and 1mi expiry

* Restrict outside records to be shared via -r

* Update help

---------

Co-authored-by: amangalampalli-ks <amangalampalli@keepersecurity.com>
@jeremy-london jeremy-london changed the title KC-212: Add PAM recording list-by-user and download commands Add PAM recording list-by-user and download commands Jul 9, 2026
@jeremy-london jeremy-london changed the title Add PAM recording list-by-user and download commands KC-1353: Add PAM recording list-by-user and download commands Jul 9, 2026
@jeremy-london
jeremy-london requested a review from sk-keeper July 9, 2026 23:36
@jeremy-london jeremy-london self-assigned this Jul 9, 2026
@sk-keeper
sk-keeper force-pushed the release branch 2 times, most recently from 0da055d to a8dd3f3 Compare July 17, 2026 14:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants