Merge pull request #35 from SentriusLLC/chatdialog

Chatdialog

Author: phrocker

.gcp.env

@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.44
+SENTRIUS_VERSION=1.0.45
 SENTRIUS_SSH_VERSION=1.0.4
 SENTRIUS_KEYCLOAK_VERSION=1.0.7
 SENTRIUS_AGENT_VERSION=1.0.18

.gitignore

@@ -33,9 +33,9 @@ replay_pid*
 target/*
 api/target/**
 core/target/**
-analyagents/target/**
+java-agent/target/**
 core/target/
-analyagents/target/
+java-agent/target/
 node/*
 node_modules/*
 api/node_modules/*

api/dynamic.properties

@@ -7,6 +7,7 @@ sshEnabled=true
 systemLogoName=Sentrius
 AccessTokenAuditor.rule.4=io.sentrius.sso.automation.auditing.rules.OpenAISessionRule;Malicious AI Monitoring
 AccessTokenAuditor.rule.5=io.sentrius.sso.automation.auditing.rules.TwoPartyAIMonitor;AI Second Party Monitor
+AccessTokenAuditor.rule.6=io.sentrius.sso.automation.auditing.rules.SudoApproval;Sudo Approval
 allowProxies=true
 AccessTokenAuditor.rule.2=io.sentrius.sso.automation.auditing.rules.DeletePrevention;Delete Prevention
 AccessTokenAuditor.rule.3=io.sentrius.sso.automation.auditing.rules.TwoPartySessionRule;Require Second Party Monitoring

api/src/main/java/io/sentrius/sso/controllers/api/ChatApiController.java

@@ -0,0 +1,93 @@
+package io.sentrius.sso.controllers.api;
+
+import java.security.GeneralSecurityException;
+import java.time.ZoneOffset;
+import java.util.List;
+import java.util.stream.Collectors;
+import io.sentrius.sso.core.utils.AccessUtil;
+import io.sentrius.sso.protobuf.Session.ChatMessage;
+import io.sentrius.sso.core.config.SystemOptions;
+import io.sentrius.sso.core.controllers.BaseController;
+import io.sentrius.sso.core.model.security.enums.SSHAccessEnum;
+import io.sentrius.sso.core.model.sessions.SessionLog;
+import io.sentrius.sso.core.repository.ChatLogRepository;
+import io.sentrius.sso.core.security.service.CryptoService;
+import io.sentrius.sso.core.services.ErrorOutputService;
+import io.sentrius.sso.core.services.UserService;
+import io.sentrius.sso.core.services.auditing.AuditService;
+import io.sentrius.sso.core.services.terminal.SessionTrackingService;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@Slf4j
+@RestController
+@RequestMapping("/api/v1/chat")
+public class ChatApiController extends BaseController {
+    private final AuditService auditService;
+    final CryptoService cryptoService;
+    final SessionTrackingService sessionTrackingService;
+    final ChatLogRepository chatLogRepository;
+
+    public ChatApiController(
+        UserService userService,
+        SystemOptions systemOptions,
+        ErrorOutputService errorOutputService,
+        AuditService auditService,
+        CryptoService cryptoService, SessionTrackingService sessionTrackingService, ChatLogRepository chatLogRepository
+    ) {
+        super(userService, systemOptions, errorOutputService);
+        this.auditService = auditService;
+        this.cryptoService = cryptoService;
+        this.sessionTrackingService = sessionTrackingService;
+        this.chatLogRepository = chatLogRepository;
+    }
+
+    public SessionLog createSession(@RequestParam String username, @RequestParam String ipAddress) {
+        return auditService.createSession(username, ipAddress);
+    }
+
+    @GetMapping("/history")
+    public ResponseEntity<List<ChatMessage>> getChatHistory(
+        HttpServletRequest request,
+        HttpServletResponse response,
+        @RequestParam(name="sessionId") String sessionIdEncrypted,
+                                                                    @RequestParam(name="chatGroupId") String chatGroupIdEncrypted)
+        throws GeneralSecurityException {
+
+        Long sessionId = Long.parseLong(cryptoService.decrypt(sessionIdEncrypted));
+
+        // Check if the user has access to this session
+        var myConnectedSystem = sessionTrackingService.getConnectedSession(sessionId);
+
+        var user = getOperatingUser(request, response);
+
+        if (myConnectedSystem == null ||
+            (
+            !myConnectedSystem.getUser().getId().equals(user.getId()) &&
+            !AccessUtil.canAccess(user, SSHAccessEnum.CAN_MANAGE_SYSTEMS))) {
+            return ResponseEntity.status(403).body(null); // Forbidden access
+        }
+
+
+        String chatGroupId = cryptoService.decrypt(chatGroupIdEncrypted);
+        List<ChatMessage> messages = chatLogRepository.findBySessionIdAndChatGroupId(sessionId, chatGroupId)
+            .stream()
+            .map(chatLog -> ChatMessage.newBuilder()
+                .setSessionId(sessionId)
+                .setChatGroupId(chatGroupId)
+                .setSender(chatLog.getSender())
+                .setMessage(chatLog.getMessage())
+                .setTimestamp(chatLog.getMessageTimestamp().toEpochSecond(ZoneOffset.UTC)).build())
+            .collect(Collectors.toList());
+
+        return ResponseEntity.ok(messages);
+    }
+
+
+}

api/src/main/java/io/sentrius/sso/controllers/view/HostController.java

@@ -202,7 +202,7 @@ public String connectSSHServer(
 
         model.addAttribute("enclaveConfiguration", config);
 
-        return "sso/ssh/secure_shell";
+        return "sso/ssh/sso";
 
     }
 
@@ -243,7 +243,7 @@ public String attachSession(
 
         model.addAttribute("enclaveConfiguration", config);
 
-        return "sso/ssh/secure_shell";
+        return "sso/ssh/sso";
 
     }
 

api/src/main/java/io/sentrius/sso/controllers/view/ZeroTrustATController.java

@@ -1,13 +1,17 @@
 package io.sentrius.sso.controllers.view;
 
+import java.util.List;
 import io.sentrius.sso.core.annotations.LimitAccess;
 import io.sentrius.sso.core.config.SystemOptions;
 import io.sentrius.sso.core.controllers.BaseController;
+import io.sentrius.sso.core.model.dto.JITTrackerDTO;
 import io.sentrius.sso.core.model.security.enums.ZeroTrustAccessTokenEnum;
 import io.sentrius.sso.core.model.users.User;
 import io.sentrius.sso.core.services.ErrorOutputService;
 import io.sentrius.sso.core.services.ZeroTrustRequestService;
 import io.sentrius.sso.core.services.UserService;
+import io.sentrius.sso.core.utils.AccessUtil;
+import io.sentrius.sso.core.utils.ZTATUtils;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.http.ResponseEntity;
@@ -53,13 +57,38 @@ public String viewMyTats(HttpServletRequest request, HttpServletResponse respons
         return "sso/ztats/view_my_ztats";
     }
 
+
+    List<JITTrackerDTO> decorateTats(List<JITTrackerDTO> tats, User operatingUser){
+        boolean canApprove = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_APPROVE_ZTATS);
+        boolean canDeny = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_DENY_ZTATS);
+        if (canApprove || canDeny) {
+            for (var tat : tats) {
+
+                if (tat.getUserName().equals(operatingUser.getUsername())) {
+                    tat.setCurrentUser(true);
+                    if (systemOptions.getCanApproveOwnZtat()) {
+                        tat.setCanApprove(canApprove);
+                        tat.setCanDeny(canDeny);
+                    }
+                }
+                else {
+                    tat.setCanApprove(canApprove);
+                    tat.setCanDeny(canDeny);
+                }
+
+            }
+        }
+        return tats;
+    }
+
     private void modelTATs(Model model, User operatingUser){
-        model.addAttribute("openTerminalTats", ztatRequestService.getOpenAccessTokenRequests(operatingUser));
-        model.addAttribute("openOpsTats", ztatRequestService.getOpenOpsRequests(operatingUser));
-        model.addAttribute("approvedTerminalTats", ztatRequestService.getApprovedTerminalAccessTokenRequests(operatingUser));
-        model.addAttribute("approvedOpsTats", ztatRequestService.getApprovedOpsAccessTokenRequests(operatingUser));
-        model.addAttribute("deniedOpsTats", ztatRequestService.getDeniedOpsAccessTokenRequests(operatingUser));
-        model.addAttribute("deniedTerminalTats", ztatRequestService.getDeniedTerminalAccessTokenRequests(operatingUser));
+        model.addAttribute("openTerminalTats",
+            decorateTats(ztatRequestService.getOpenAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("openOpsTats", decorateTats(ztatRequestService.getOpenOpsRequests(operatingUser),operatingUser));
+        model.addAttribute("approvedTerminalTats", decorateTats(ztatRequestService.getApprovedTerminalAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("approvedOpsTats", decorateTats(ztatRequestService.getApprovedOpsAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("deniedOpsTats",decorateTats( ztatRequestService.getDeniedOpsAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("deniedTerminalTats", decorateTats(ztatRequestService.getDeniedTerminalAccessTokenRequests(operatingUser),operatingUser));
     }
 
 }