Rdpfactory (#7)

* Implement RDP proxy module with Sentrius integration

Author: phrocker

.gitignore

@@ -60,4 +60,5 @@ api/node
 .generated/
 # Ignore Generated keys if they exist
 docker/dev-certs/sentrius-ca.crt
-docker/dev-certs/sentrius-ca.key
+docker/dev-certs/sentrius-ca.key
+docker/*/dev-certs/sentrius-ca.crt

.local.env

@@ -1,9 +1,10 @@
-SENTRIUS_VERSION=1.1.411
-SENTRIUS_SSH_VERSION=1.1.41
-SENTRIUS_KEYCLOAK_VERSION=1.1.53
-SENTRIUS_AGENT_VERSION=1.1.42
-SENTRIUS_AI_AGENT_VERSION=1.1.284
-LLMPROXY_VERSION=1.0.84
-LAUNCHER_VERSION=1.0.88
-AGENTPROXY_VERSION=1.0.85
-SSHPROXY_VERSION=1.0.88
+SENTRIUS_VERSION=1.1.413
+SENTRIUS_SSH_VERSION=1.1.43
+SENTRIUS_KEYCLOAK_VERSION=1.1.55
+SENTRIUS_AGENT_VERSION=1.1.43
+SENTRIUS_AI_AGENT_VERSION=1.1.285
+LLMPROXY_VERSION=1.0.85
+LAUNCHER_VERSION=1.0.89
+AGENTPROXY_VERSION=1.0.86
+SSHPROXY_VERSION=1.0.89
+RDPPROXY_VERSION=1.0.2

.local.env.bak

@@ -1,9 +1,10 @@
-SENTRIUS_VERSION=1.1.411
-SENTRIUS_SSH_VERSION=1.1.41
-SENTRIUS_KEYCLOAK_VERSION=1.1.53
-SENTRIUS_AGENT_VERSION=1.1.42
-SENTRIUS_AI_AGENT_VERSION=1.1.284
-LLMPROXY_VERSION=1.0.84
-LAUNCHER_VERSION=1.0.88
-AGENTPROXY_VERSION=1.0.85
-SSHPROXY_VERSION=1.0.88
+SENTRIUS_VERSION=1.1.413
+SENTRIUS_SSH_VERSION=1.1.43
+SENTRIUS_KEYCLOAK_VERSION=1.1.55
+SENTRIUS_AGENT_VERSION=1.1.43
+SENTRIUS_AI_AGENT_VERSION=1.1.285
+LLMPROXY_VERSION=1.0.85
+LAUNCHER_VERSION=1.0.89
+AGENTPROXY_VERSION=1.0.86
+SSHPROXY_VERSION=1.0.89
+RDPPROXY_VERSION=1.0.2

dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java

@@ -101,7 +101,26 @@ public class HostSystem implements Host {
     @Column(name = "proxied_ssh_port")
     private Integer proxiedSSHPort = 0;
 
+    // RDP Support fields
+    @Builder.Default
+    @Column(name = "rdp_enabled")
+    private boolean rdpEnabled = false;
+
+    @Builder.Default
+    @Column(name = "rdp_user")
+    private String rdpUser = "Administrator";
+
+    @Builder.Default
+    @Column(name = "rdp_password")
+    private String rdpPassword = "";
+
+    @Builder.Default
+    @Column(name = "rdp_port")
+    private Integer rdpPort = 3389;
 
+    @Builder.Default
+    @Column(name = "rdp_domain")
+    private String rdpDomain = "";
 
     @OneToMany(mappedBy = "hostSystem", cascade = CascadeType.ALL,orphanRemoval = true, fetch = FetchType.LAZY)
     private List<ProxyHost> proxies;

dataplane/src/main/java/io/sentrius/sso/core/services/RdpListenerService.java

@@ -0,0 +1,199 @@
+package io.sentrius.sso.core.services;
+
+import io.sentrius.sso.automation.auditing.Trigger;
+import io.sentrius.sso.automation.auditing.TriggerAction;
+import io.sentrius.sso.core.integrations.ssh.DataSession;
+import io.sentrius.sso.core.model.ConnectedSystem;
+import io.sentrius.sso.core.services.security.CryptoService;
+import io.sentrius.sso.core.services.terminal.SessionTrackingService;
+import io.sentrius.sso.protobuf.Session;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.scheduling.annotation.Async;
+import org.springframework.stereotype.Service;
+import org.springframework.web.socket.TextMessage;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.Executor;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * RDP listener service that monitors and manages RDP sessions.
+ * Similar to SshListenerService but adapted for RDP protocol.
+ */
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class RdpListenerService {
+
+    private final SessionTrackingService sessionTrackingService;
+    private final CryptoService cryptoService;
+
+    @Qualifier("rdpTaskExecutor") // Use RDP-specific executor
+    private final Executor taskExecutor;
+
+    private final ConcurrentMap<String, DataSession> activeSessions = new ConcurrentHashMap<>();
+
+    public void startAuditingSession(String terminalSessionId, DataSession session) throws GeneralSecurityException {
+        var sessionIdStr = cryptoService.decrypt(terminalSessionId);
+        var sessionIdLong = Long.parseLong(sessionIdStr);
+
+        log.info("Starting to audit RDP session: {}", terminalSessionId);
+        activeSessions.putIfAbsent(terminalSessionId, session);
+    }
+
+    public void endAuditingSession(String terminalSessionId) throws GeneralSecurityException {
+        log.info("Ending RDP audit session: {}", terminalSessionId);
+        activeSessions.remove(terminalSessionId);
+    }
+
+    public void startListeningToRdpServer(String terminalSessionId, DataSession session) throws GeneralSecurityException {
+        var sessionIdStr = cryptoService.decrypt(terminalSessionId);
+        var sessionIdLong = Long.parseLong(sessionIdStr);
+
+        var connectedSystem = sessionTrackingService.getConnectedSession(sessionIdLong);
+
+        log.info("Starting to listen to RDP server for session: {}", terminalSessionId);
+
+        activeSessions.putIfAbsent(terminalSessionId, session);
+        connectedSystem.setWebsocketSessionId(session.getId());
+
+        taskExecutor.execute(() -> {
+            log.info("Listening to RDP server for session: {}", terminalSessionId);
+            while (!Thread.currentThread().isInterrupted() && 
+                   activeSessions.get(terminalSessionId) != null &&
+                   !connectedSystem.getSession().getClosed()) {
+                try {
+                    // Logic for receiving data from RDP server
+                    var rdpData = sessionTrackingService.getOutput(connectedSystem, 1L, TimeUnit.SECONDS,
+                        output -> (!connectedSystem.getSession().getClosed() && 
+                                 (activeSessions.get(terminalSessionId) != null && 
+                                  activeSessions.get(terminalSessionId).isOpen())));
+
+                    // Send data to the specific terminal session
+                    if (rdpData != null) {
+                        for (Session.TerminalMessage terminalMessage : rdpData) {
+                            if (terminalMessage.getTrigger() == null) {
+                                sendToTerminalSession(terminalSessionId, connectedSystem, terminalMessage);
+                            }
+                        }
+                        for (Session.TerminalMessage terminalMessage : rdpData) {
+                            if (terminalMessage.getTrigger() != null) {
+                                sendToTerminalSession(terminalSessionId, connectedSystem, terminalMessage);
+                            }
+                        }
+                    } else {
+                        log.trace("No RDP data to return");
+                    }
+
+                } catch (Exception e) {
+                    log.error("Error while listening to RDP server: ", e);
+                    Thread.currentThread().interrupt(); // Ensure the thread can exit cleanly on exception
+                }
+            }
+            log.trace("***Leaving RDP thread");
+        });
+    }
+
+    public void stopListeningToRdpServer(ConnectedSystem connectedSystem) {
+        sessionTrackingService.closeSession(connectedSystem);
+    }
+
+    private Session.TerminalMessage getTrigger(Trigger trigger) {
+        var terminalMessage = Session.TerminalMessage.newBuilder();
+        if (trigger.getAsk() != null) {
+            terminalMessage.setType(Session.MessageType.PROMPT_DATA);
+        } else {
+            terminalMessage.setType(Session.MessageType.USER_DATA);
+        }
+        Session.Trigger.Builder triggerBuilder = Session.Trigger.newBuilder();
+        switch(trigger.getAction()){
+            case DENY_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.DENY_ACTION);
+                break;
+            case JIT_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.JIT_ACTION);
+                break;
+            case RECORD_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.RECORD_ACTION);
+                break;
+            case APPROVE_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.APPROVE_ACTION);
+                break;
+            case WARN_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.WARN_ACTION);
+                break;
+            case PERSISTENT_MESSAGE:
+                triggerBuilder.setAction(Session.TriggerAction.PERSISTENT_MESSAGE);
+                break;
+            case PROMPT_ACTION:
+                triggerBuilder.setAction(Session.TriggerAction.PROMPT_ACTION);
+                break;
+            default:
+                break;
+        }
+        triggerBuilder.setDescription(trigger.getDescription().isEmpty() ? "" : trigger.getDescription());
+        terminalMessage.setTrigger(triggerBuilder.build());
+        return terminalMessage.build();
+    }
+
+    @Async
+    public void sendToTerminalSession(String terminalSessionId, ConnectedSystem connectedSystem,
+                                      Session.TerminalMessage rdpData) {
+        DataSession session = activeSessions.get(terminalSessionId);
+        log.info("Sending RDP message to session: {}", terminalSessionId);
+        if (session != null && session.isOpen()) {
+            try {
+                byte[] messageBytes = rdpData.toByteArray();
+                String base64Message = Base64.getEncoder().encodeToString(messageBytes);
+                log.trace("Sending RDP message to session: {}", rdpData);
+                session.sendMessage(new TextMessage(base64Message));
+            } catch (IOException e) {
+                log.error("Error sending RDP data to terminal session: " + terminalSessionId, e);
+            }
+        } else {
+            log.debug("RDP Session {} is not available or closed", terminalSessionId);
+        }
+    }
+
+    public void processTerminalMessage(
+        String sessionId, ConnectedSystem connectedSystem, String message) {
+        
+        try {
+            log.debug("Processing RDP terminal message for session: {}", sessionId);
+            
+            // Process RDP-specific commands and data
+            if (message.startsWith("RDP_COMMAND:")) {
+                handleRdpCommand(connectedSystem, message.substring(12));
+            } else {
+                // Regular RDP data
+                handleRdpData(connectedSystem, message);
+            }
+            
+        } catch (Exception e) {
+            log.error("Error processing RDP terminal message", e);
+        }
+    }
+
+    private void handleRdpCommand(ConnectedSystem connectedSystem, String command) {
+        log.info("Handling RDP command: {} for session: {}", command, connectedSystem.getSession().getId());
+        // TODO: Implement RDP-specific command handling
+    }
+
+    private void handleRdpData(ConnectedSystem connectedSystem, String data) {
+        log.debug("Handling RDP data for session: {}", connectedSystem.getSession().getId());
+        // TODO: Implement RDP data processing and forwarding
+    }
+
+    public void removeSession(String sessionId) {
+        log.trace("Removing RDP session: {}", sessionId);
+        activeSessions.remove(sessionId);
+    }
+}

docker/rdp-proxy/Dockerfile

@@ -0,0 +1,39 @@
+# Use an OpenJDK image as the base
+FROM eclipse-temurin:17-jdk-jammy
+
+# Declare the argument
+ARG INCLUDE_DEV_CERTS=false
+
+# Set environment so you can use in RUN
+ENV INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS}
+
+
+# Set working directory
+WORKDIR /app
+
+# Copy the pre-built API JAR into the container
+COPY rdpproxy.jar /app/rdpproxy.jar
+
+
+COPY dev-certs/sentrius-ca.crt /tmp/sentrius-ca.crt
+
+RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -f /tmp/sentrius-ca.crt ]; then \
+      echo "Importing dev CA cert..." && \
+      keytool -import -noprompt -trustcacerts \
+        -alias sentrius-local-ca \
+        -file /tmp/sentrius-ca.crt \
+        -keystore "$JAVA_HOME/lib/security/cacerts" \
+        -storepass changeit ; \
+    else \
+      echo "Skipping cert import"; \
+    fi
+
+
+# Expose the port the app runs on
+EXPOSE 8080
+
+RUN apt-get update && apt-get install -y curl
+
+
+# Command to run the app
+CMD ["java","-XX:+UseContainerSupport", "-jar", "/app/rdpproxy.jar", "--spring.config.location=/config/rdpproxy-application.properties"]

docker/rdp-proxy/dev-certs/sentrius-ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUDvcfbY2leSeMSnrsrJo2zv0ue/kwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc2VudHJpdXMtZGV2LWNhMB4XDTI1MDcwMjIxNDk0MloX
+DTI2MDcwMjIxNDk0MlowGjEYMBYGA1UEAwwPc2VudHJpdXMtZGV2LWNhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DDoRTDzG6QhQNy9tthyVnFIfBvS
+issnqzmpT3XrDdpHT0BIgYIBXWZzQbnhfnM1abCzZtn1ozmzUp84/PJbFYcupjNZ
+YUwul0C7BTAm8oN1vhQFbZ6u5iixHUsIbvxNb9IW8Yu003dtP1iXiaMcNZPr9xz7
+INgYigJuoSxtIEuzSBOFNYaXuUfn4r4GIlzF9lDnxeltvQqHTS5j4cdzXdis2e6k
+Gy+9OYZZp62WRHWTuhRfOakL1b+voTU8udyIS++mmxXy+AjHlzPuRB8L7wi3HoAM
+hBUxCzzJB3+mYNzyOd75bccbiWbMu1ay7WhOxxN2hxWJg+8u05bgAi4EPQIDAQAB
+o2MwYTAdBgNVHQ4EFgQU63Fomh1GrbWOavtqFoOhcboMAxMwHwYDVR0jBBgwFoAU
+63Fomh1GrbWOavtqFoOhcboMAxMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAIu5heYvdV0r33avCMg82txjWvv7mXA5
+8BwU2GUsHqbh/0bS3Sxwc2KRsEh77NcgGo5Lr0gEftTzexGBjCikzhTL1+cWf6Ay
+b04NTr7E/EigZlZs/Ceoav5Mw7zElwDhtAr35OoQKTKBUHJgPKUAr5i2Ijwj8HYw
+ua/zUKU3RxRiuMTfsZmnzTJEtrTkgMbQN4HNRXTSmVPYNpYhVS+cPM9Xvy5QVaIR
+F2RxiywKSSzRY88w2c3sGXjDYs9wmxIWKbjNX51q2ZxwpF9E4c2s48eTjiVS5kVA
+/frlToZdVeLORjTtVw24RN4DTqsbOB3SkybylkopF8YjlkvEQNNZZ3c=
+-----END CERTIFICATE-----

ops-scripts/base/build-images.sh

@@ -150,6 +150,8 @@ update_integrationproxy=false
 update_launcher=false
 update_agent_proxy=false
 update_ssh_proxy=false
+update_rdp_proxy=false
+
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
@@ -162,7 +164,8 @@ while [[ "$#" -gt 0 ]]; do
         --sentrius-integration-proxy) update_integrationproxy=true ;;
         --sentrius-agent-proxy) update_agent_proxy=true ;;
         --sentrius-ssh-proxy) update_ssh_proxy=true ;;
-        --all) update_sentrius=true; update_sentrius_ssh=true; update_sentrius_keycloak=true; update_sentrius_agent=true; update_sentrius_ai_agent=true; update_integrationproxy=true; update_launcher=true; update_agent_proxy=true; update_ssh_proxy=true; ;;
+        --sentrius-rdp-proxy) update_rdp_proxy=true ;;
+        --all) update_sentrius=true; update_sentrius_ssh=true; update_sentrius_keycloak=true; update_sentrius_agent=true; update_sentrius_ai_agent=true; update_integrationproxy=true; update_launcher=true; update_agent_proxy=true; update_ssh_proxy=true; update_rdp_proxy=true; ;;
         --no-cache) NO_CACHE=true ;;
         --include-dev-certs) INCLUDE_DEV_CERTS=true ;;
         *) echo "Unknown flag: $1"; exit 1 ;;
@@ -247,4 +250,12 @@ if $update_ssh_proxy; then
     build_image "sentrius-ssh-proxy" "$SSHPROXY_VERSION" "${SCRIPT_DIR}/../../docker/ssh-proxy"
     rm docker/ssh-proxy/sshproxy.jar
     update_env_var "SSHPROXY_VERSION" "$SSHPROXY_VERSION"
+fi
+
+if $update_rdp_proxy; then
+    cp rdp-proxy/target/rdp-proxy-*.jar docker/rdp-proxy/rdpproxy.jar
+    RDPPROXY_VERSION=$(increment_patch_version $RDPPROXY_VERSION)
+    build_image "sentrius-rdp-proxy" "$RDPPROXY_VERSION" "${SCRIPT_DIR}/../../docker/rdp-proxy"
+    rm docker/rdp-proxy/rdpproxy.jar
+    update_env_var "RDPPROXY_VERSION" "$RDPPROXY_VERSION"
 fi

ops-scripts/local/deploy-helm.sh

@@ -261,6 +261,7 @@ helm upgrade --install sentrius ./sentrius-chart --namespace ${TENANT} \
     --set launcherservice.image.pullPolicy="Never" \
     --set launcherservice.image.tag=${LAUNCHER_VERSION} \
     --set sshproxy.image.tag=${SSHPROXY_VERSION} \
+    --set rdpproxy.image.tag=${RDPPROXY_VERSION} \
     --set neo4j.env.NEO4J_server_config_strict__validation__enabled="\"false\"" \
     --set sentriusagent.image.tag=${SENTRIUS_AGENT_VERSION} || { echo "Failed to deploy Sentrius with Helm"; exit 1; }
 

pom.xml

@@ -20,6 +20,7 @@
     <module>ai-agent</module>
     <module>agent-launcher</module>
     <module>ssh-proxy</module>
+    <module>rdp-proxy</module>
   </modules>
   <properties>
     <java.version>17</java.version>