
Commit 43e457b

committed
Fix issue with ztats not reloading
1 parent da1446d commit 43e457b

3 files changed

+112
-64
lines changed


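--- a/api/src/main/java/io/sentrius/sso/controllers/api/ZeroTrustATApiController.java
+++ b/api/src/main/java/io/sentrius/sso/controllers/api/ZeroTrustATApiController.java
@@ -33,6 +33,7 @@
 import io.sentrius.sso.core.services.security.KeycloakService;
 import io.sentrius.sso.core.services.security.ZeroTrustAccessTokenService;
 import io.sentrius.sso.core.services.security.ZtatTokenService;
+import io.sentrius.sso.core.utils.AccessUtil;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -273,28 +274,27 @@ public ResponseEntity<?> getRequest(HttpServletRequest request, HttpServletRespo
 
 @GetMapping("/list/{type}")
 @LimitAccess(ztatAccess = {ZeroTrustAccessTokenEnum.CAN_VIEW_ZTATS})
-public ResponseEntity<?> listZtatRequests(@RequestHeader("Authorization") String token,
+public ResponseEntity<?> listZtatRequests(@RequestHeader(name= "Authorization", required=false) String token,
 @PathVariable("type") String type,
 HttpServletRequest request, HttpServletResponse response) {
-String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token;
+var operatingUser = getOperatingUser(request, response );
+if (null != token) {
+String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token;
 
 
-log.info("Received ZTAT request from agent: {}", compactJwt);
-if (!keycloakService.validateJwt(compactJwt)) {
-log.warn("Invalid Keycloak token");
-return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token");
-}
+log.info("Received ZTAT request from agent: {}", compactJwt);
+if (!keycloakService.validateJwt(compactJwt)) {
+log.warn("Invalid Keycloak token");
+return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token");
+}
+String agentId = keycloakService.extractAgentId(compactJwt);
 
-// Extract agent identity from the JWT
-var operatingUser = getOperatingUser(request, response );
+if (null == operatingUser) {
+log.warn("No operating user found for agent: {}", agentId);
+var username = keycloakService.extractUsername(compactJwt);
+operatingUser = userService.getUserByUsername(username);
 
-// Extract agent identity from the JWT
-String agentId = keycloakService.extractAgentId(compactJwt);
-
-if (null == operatingUser) {
-log.warn("No operating user found for agent: {}", agentId);
-var username = keycloakService.extractUsername(compactJwt);
-operatingUser = userService.getUserByUsername(username);
+}
 
 }
 List<ZtatDTO> ztatTracker = new ArrayList<ZtatDTO>();
@@ -324,36 +324,42 @@ public ResponseEntity<?> listZtatRequests(@RequestHeader("Authorization") String
 default:
 log.warn("Invalid type: {}", type);
 }
+ztatTracker = decorateTats(ztatTracker, operatingUser);
 return ResponseEntity.ok(ztatTracker);
 }
 
 @GetMapping("/list/{state}/{type}")
 @LimitAccess(ztatAccess = {ZeroTrustAccessTokenEnum.CAN_VIEW_ZTATS})
-public ResponseEntity<?> listTypedZtatRequests(@RequestHeader("Authorization") String token,
+public ResponseEntity<?> listTypedZtatRequests(@RequestHeader(name= "Authorization", required=false) String token,
 @PathVariable("type") String type,
 @PathVariable("state") String state,
 HttpServletRequest request, HttpServletResponse response) {
-String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token;
 
+var operatingUser = getOperatingUser(request, response );
+if (null != token) {
+String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token;
 
-log.info("Received ZTAT request from agent: {}", compactJwt);
-if (!keycloakService.validateJwt(compactJwt)) {
-log.warn("Invalid Keycloak token");
-return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token");
-}
 
-// Extract agent identity from the JWT
-var operatingUser = getOperatingUser(request, response );
+log.info("Received ZTAT request from agent: {}", compactJwt);
+if (!keycloakService.validateJwt(compactJwt)) {
+log.warn("Invalid Keycloak token");
+return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token");
+}
+String agentId = keycloakService.extractAgentId(compactJwt);
 
-// Extract agent identity from the JWT
-String agentId = keycloakService.extractAgentId(compactJwt);
+if (null == operatingUser) {
+log.warn("No operating user found for agent: {}", agentId);
+var username = keycloakService.extractUsername(compactJwt);
+operatingUser = userService.getUserByUsername(username);
 
-if (null == operatingUser) {
-log.warn("No operating user found for agent: {}", agentId);
-var username = keycloakService.extractUsername(compactJwt);
-operatingUser = userService.getUserByUsername(username);
+}
 
 }
+// Extract agent identity from the JWT
+
+
+// Extract agent identity from the JWT
+
 List<ZtatDTO> ztatTracker = new ArrayList<ZtatDTO>();
 switch(type){
 case "terminal":
@@ -399,6 +405,7 @@ public ResponseEntity<?> listTypedZtatRequests(@RequestHeader("Authorization") S
 default:
 log.warn("Invalid type: {}", type);
 }
+ztatTracker = decorateTats(ztatTracker, operatingUser);
 return ResponseEntity.ok(ztatTracker);
 }
 
@@ -439,4 +446,26 @@ public ResponseEntity<Boolean> verifyZtat(@RequestBody ZtatChallengeRequest requ
 }
 }
 
+List<ZtatDTO> decorateTats(List<ZtatDTO> tats, User operatingUser){
+boolean canApprove = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_APPROVE_ZTATS);
+boolean canDeny = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_DENY_ZTATS);
+if (canApprove || canDeny) {
+for (var tat : tats) {
+
+if (tat.getUserName().equals(operatingUser.getUsername())) {
+tat.setCurrentUser(true);
+if (systemOptions.getCanApproveOwnZtat()) {
+tat.setCanApprove(canApprove);
+tat.setCanDeny(canDeny);
+}
+}
+else {
+tat.setCanApprove(canApprove);
+tat.setCanDeny(canDeny);
+}
+
+}
+}
+return tats;
+}
 }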
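Review bot: In listZtatRequests the header is now `required=false` and the JWT block runs only `if (null != token)`, so a request carrying neither a bearer token nor a session user falls through to `decorateTats(ztatTracker, operatingUser)` with `operatingUser == null`, which will throw on `operatingUser.getUsername()` (and possibly earlier in `AccessUtil.canAccess`, if that helper does not null-check) rather than returning 401. Unless `@LimitAccess` is guaranteed to reject unauthenticated callers before the method body runs, add a guard right after the token block, `if (null == operatingUser) { return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("No authenticated user"); }`, and mirror it in listTypedZtatRequests. The moved line `log.info("Received ZTAT request from agent: {}", compactJwt);` still writes the raw bearer credential to the log at INFO; log the extracted `agentId` (or nothing) instead. The two duplicated `// Extract agent identity from the JWT` comments left at new lines 358–361 of listTypedZtatRequests no longer describe any code and should be removed.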

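--- a/api/src/main/resources/templates/sso/ztats/view_ztats.html
+++ b/api/src/main/resources/templates/sso/ztats/view_ztats.html
@@ -86,6 +86,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 <tr><th>Operation</th><th>User</th><th>System</th><th>Actions</th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${openTerminalTats}">
 <td th:text="${s.command}"></td>
 <td th:text="${s.userName}"></td>
@@ -96,9 +97,10 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 <button th:id="'den_btn_' + ${s.id}" class="btn-secondary den_btn"
 th:if="${s.canDeny}">Deny</button>
 <button th:id="'rev_btn_' + ${s.id}" class="btn-secondary rev_btn"
-th:if="${s.isCurrentUser}">Revoke</button>
+th:if="${s.currentUser}">Revoke</button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
@@ -110,6 +112,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 <tr><th>Operation</th><th>User</th><th>Actions</th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${openOpsTats}">
 <td th:text="${s.summary}"></td>
 <td th:text="${s.userName}"></td>
@@ -122,10 +125,11 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 </button>
 <button th:id="'ops_rev_btn_' + ${s.id}"
 class="btn-secondary ops_rev_btn"
-th:if="${s.isCurrentUser}">Revoke
+th:if="${s.currentUser}">Revoke
 </button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
@@ -150,6 +154,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 Remaining</th><th>Actions</th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${approvedTerminalTats}">
 <td th:text="${s.command}"></td>
 <td th:text="${s.userName}"></td>
@@ -160,6 +165,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 th:if="${s.canDeny}">Deny</button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
@@ -172,6 +178,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 </th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${approvedOpsTats}">
 <td th:text="${s.summary}"></td>
 <td th:text="${s.userName}"></td>
@@ -182,15 +189,16 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 </button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
 
 </div>
 
 
-</div>
-</div>
+</div>
+</div>
 
 <!-- Denied TATs -->
 <div id="deniedTats" class="tab-pane fade">
@@ -207,6 +215,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 <tr><th>Operation</th><th>User</th><th>System</th><th>Actions</th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${deniedTerminalTats}">
 <td th:text="${s.command}"></td>
 <td th:text="${s.userName}"></td>
@@ -216,6 +225,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 th:if="${s.canApprove}">Approve</button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
@@ -227,6 +237,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 <tr><th>Operation</th><th>User</th><th>Actions</th></tr>
 </thead>
 <tbody>
+<!--
 <tr th:each="s : ${deniedOpsTats}">
 <td th:text="${s.summary}"></td>
 <td th:text="${s.userName}"></td>
@@ -237,6 +248,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 </button>
 </td>
 </tr>
+-->
 </tbody>
 </table>
 </div>
@@ -247,10 +259,10 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 </div>
 </div>
 
+</div>
+</div>
 </div>
 </div>
-</div>
-</div>
 
 <!-- DataTables Initialization -->
 <script>
@@ -267,7 +279,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 if (s.canDeny) {
 actions += `<button id="den_btn_${s.id}" class="btn-secondary den_btn">Deny</button>`;
 }
-if (s.isCurrentUser) {
+if (s.currentUser) {
 actions += `<button id="rev_btn_${s.id}" class="btn-secondary rev_btn">Revoke</button>`;
 }
 
@@ -295,7 +307,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 if (s.canDeny) {
 actions += `<button id="den_btn_${s.id}" class="btn-secondary den_btn">Deny</button>`;
 }
-if (s.isCurrentUser) {
+if (s.currentUser) {
 actions += `<button id="rev_btn_${s.id}" class="btn-secondary rev_btn">Revoke</button>`;
 }
 
@@ -351,7 +363,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 if (s.canDeny) {
 actions += `<button id="ops_den_btn_${s.id}" class="btn-secondary ops_den_btn">Deny</button>`;
 }
-if (s.isCurrentUser) {
+if (s.currentUser) {
 actions += `<button id="ops_rev_btn_${s.id}" class="btn-secondary ops_rev_btn">Revoke</button>`;
 }
 
@@ -378,7 +390,7 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 if (s.canDeny) {
 actions += `<button id="ops_den_btn_${s.id}" class="btn-secondary ops_den_btn">Deny</button>`;
 }
-if (s.isCurrentUser) {
+if (s.currentUser) {
 actions += `<button id="ops_rev_btn_${s.id}" class="btn-secondary ops_rev_btn">Revoke</button>`;
 }
 
@@ -469,57 +481,60 @@ <h2 class="toast-header">Trust AT (TAT) Management</h2>
 $(document).ready(function () {
 openTerminalTable = $('#open-terminal-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "System" },
-{ title: "Actions" }
+{ title: "Operation", data: 0 }, // Explicitly map column 0 to array element 0
+{ title: "User", data: 1 }, // Explicitly map column 1 to array element 1
+{ title: "System", data: 2 },
+{ title: "Actions", data: 3 }
 ]
 });
 
+
 openOpsTable = $('#open-ops-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "Actions" }
+{ title: "Summary", data: 0 },
+{ title: "User" , data: 1},
+{ title: "Actions", data: 2 }
 ]
 });
 
 approvedTerminalTable = $('#approved-terminal-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "System" },
-{ title: "Uses Remaining" },
-{ title: "Actions" }
+{ title: "Operation", data: 0 },
+{ title: "User", data: 1 },
+{ title: "System", data: 2 },
+{ title: "Uses Remaining", data: 3 },
+{ title: "Actions", data: 4 }
 ]
 });
 
+
 approvedOpsTable = $('#approved-ops-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "Uses Remaining" },
-{ title: "Actions" }
+{ title: "Operation", data: 0 },
+{ title: "User", data: 1 },
+{ title: "Uses Remaining", data: 2 },
+{ title: "Actions", data: 3 }
 ]
 });
 
 deniedTerminalTable = $('#denied-terminal-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "System" },
-{ title: "Actions" }
+{ title: "Operation", data: 0 },
+{ title: "User", data: 1 },
+{ title: "System", data: 2 },
+{ title: "Actions", data: 3 }
 ]
 });
 
 deniedOpsTable = $('#denied-ops-table').DataTable({
 columns: [
-{ title: "Operation" },
-{ title: "User" },
-{ title: "Actions" }
+{ title: "Operation", data: 0 },
+{ title: "User", data: 1 },
+{ title: "Actions", data: 2 }
 ]
 });
 
+
 attachZtatButtonHandlers();
 reloadTerminalTATs();
 reloadOpsTATs();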