PM-947 privileged cloud management development #1920

Merged: erinlewis-keeper merged 1 commit into release from PM-947-pcm-development on Apr 2, 2026

@erinlewis-keeper erinlewis-keeper commented Apr 2, 2026

Adds a full suite of Privileged Cloud Management commands to Keeper Commander, covering two major areas:

  1. Privileged Access Commands (pam access)
  • pam access user list/provision/deprovision — manage users in cloud IdPs (Azure, GCP, Okta, AWS)
  • pam access group list/add/remove — manage IdP group membership
  • Field encryption for user/meta data sent to gateway, with response decryption
  • Domain validation against IdP before sending approval notifications
  • --save-record / --delete-record flags to create/remove pamUser records on provision/deprovision
  2. Workflow Access Commands (pam_privileged_workflow.py)
  • pam workflow request — request elevated access to a resource (with krouter workflow API)
  • pam workflow status — list active access requests with time remaining
  • pam workflow requests — list pending approvals
  • pam workflow approve — approve or deny workflow requests
  • pam workflow revoke — end active access sessions
  • pam workflow config — read and configure workflow settings (access length, approvers, etc.)
  3. Supporting changes
  • New protobuf definitions (workflow_pb2.py) for workflow messages
  • New DTO classes for gateway IdP actions
  • IdP config UID field added to PAM config records
  • Supershell and terminal connection bugfixes

coauthored by @tbjones-ks

@erinlewis-keeper erinlewis-keeper changed the base branch from master to release April 2, 2026 20:15
@erinlewis-keeper erinlewis-keeper merged commit 8a3eb41 into release Apr 2, 2026
2 checks passed
@erinlewis-keeper erinlewis-keeper deleted the PM-947-pcm-development branch April 2, 2026 20:15