Final update

phrocker · phrocker · commit 5aec8b703e57 · 2025-07-06T20:57:56.000-04:00
diff --git a/.local.env b/.local.env
@@ -1,8 +1,8 @@
-SENTRIUS_VERSION=1.1.188
+SENTRIUS_VERSION=1.1.193
 SENTRIUS_SSH_VERSION=1.1.35
 SENTRIUS_KEYCLOAK_VERSION=1.1.47
 SENTRIUS_AGENT_VERSION=1.1.34
-SENTRIUS_AI_AGENT_VERSION=1.1.63
+SENTRIUS_AI_AGENT_VERSION=1.1.64
 LLMPROXY_VERSION=1.0.46
 LAUNCHER_VERSION=1.0.51
 AGENTPROXY_VERSION=1.0.66
diff --git a/.local.env.bak b/.local.env.bak
@@ -1,8 +1,8 @@
-SENTRIUS_VERSION=1.1.188
+SENTRIUS_VERSION=1.1.193
 SENTRIUS_SSH_VERSION=1.1.35
 SENTRIUS_KEYCLOAK_VERSION=1.1.47
 SENTRIUS_AGENT_VERSION=1.1.34
-SENTRIUS_AI_AGENT_VERSION=1.1.63
+SENTRIUS_AI_AGENT_VERSION=1.1.64
 LLMPROXY_VERSION=1.0.46
 LAUNCHER_VERSION=1.0.51
 AGENTPROXY_VERSION=1.0.66
diff --git a/ai-agent/src/main/java/io/sentrius/agent/analysis/agents/agents/RegisteredAgent.java b/ai-agent/src/main/java/io/sentrius/agent/analysis/agents/agents/RegisteredAgent.java
@@ -102,33 +102,6 @@ public void onApplicationEvent(final ApplicationReadyEvent event) {
 
                 log.error(e.getMessage());
                 log.info("Registering v1.0.2 agent failed. Retrying in 10 seconds...");
-
-                try {
-                    var agentName = execution.getUser().getUsername();
-                    var base64PublicKey = agentKeyService.getBase64PublicKey(keyPair.getPublic());
-                    var agentRegistrationDTO = agentClientService.bootstrap(
-                        agentName, base64PublicKey
-                        , keyPair.getPublic().getAlgorithm()
-                    );
-
-                    var encryptedSecret = agentRegistrationDTO.getClientSecret();
-                    var decryptedSecret = agentKeyService.
-                        decryptWithPrivateKey(encryptedSecret, keyPair.getPrivate());
-                    keycloakService.createKeycloakClient(
-                        agentName,
-                        decryptedSecret
-                    );
-
-                    user = UserDTO.builder()
-                        .username(zeroTrustClientService.getUsername())
-                        .build();
-
-                    execution = agentExecutionService.getAgentExecution(user);
-                } catch (Exception e1) {
-                    log.error("Failed to bootstrap agent", e1);
-                } catch (ZtatException ex) {
-                    log.error("Failed to bootstrap agent", ex);
-                }
                 try {
                     Thread.sleep(10_000);
                 } catch (InterruptedException ex) {
diff --git a/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java b/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java
@@ -1,5 +1,6 @@
 package io.sentrius.sso.core.services.security;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Optional;
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -87,26 +88,33 @@ public static Optional<String> getUserTypeName(ObjectNode jwt) {
 
     }
 
-    /**
-     * Extract the 'kid' (Key ID) from a JWT header.
-     */
-    public static String extractKid(String jwt)  {
-        // JWT structure: header.payload.signature
+    public static String extractKid(String jwt) {
         try {
+            // Strip "Bearer " prefix if present
+            if (jwt.startsWith("Bearer ")) {
+                jwt = jwt.substring(7);
+            }
             String[] parts = jwt.split("\\.");
+            log.info("JWT parts: header={}, payload={}, signaturePresent={}",
+                parts.length > 0 ? parts[0] : "null",
+                parts.length > 1 ? parts[1] : "null",
+                parts.length == 3);
             if (parts.length != 3) {
                 throw new IllegalArgumentException("Invalid JWT token format");
             }
 
-            var part = parts[0].trim();
-            String headerJson = new String(Base64.getDecoder().decode(part));
+            String headerJson = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
             var headerNode = JsonUtil.MAPPER.readTree(headerJson);
 
-            return headerNode.has("kid") ? headerNode.get("kid").asText() : null;
+            if (!headerNode.has("kid")) {
+                throw new RuntimeException("Missing 'kid' in JWT header");
+            }
+
+            return headerNode.get("kid").asText();
         } catch (Exception e) {
-            e.printStackTrace();
-            log.info("Failed to extract 'kid' from JWT {}", jwt);
+            log.error("Failed to extract 'kid' from JWT: {}", jwt, e);
             throw new RuntimeException("Failed to extract 'kid' from JWT", e);
         }
     }
+
 }
diff --git a/core/src/main/java/io/sentrius/sso/core/services/security/KeycloakService.java b/core/src/main/java/io/sentrius/sso/core/services/security/KeycloakService.java
@@ -60,6 +60,11 @@ public Map<String, List<String>> getUserAttributes(String userId) {
      */
     public boolean validateJwt(String token) {
         try {
+            if (token.startsWith("Bearer ")) {
+                token = token.substring(7);
+            }
+
+            token = token.trim().replaceAll("\\s+", ""); // remove all whitespace
             var kid = JwtUtil.extractKid(token);
             Objects.requireNonNull(kid, "No 'kid' found in JWT header");
             var publicKey = keycloak.getPublicKey(kid);
@@ -79,6 +84,11 @@ public boolean validateJwt(String token) {
      * Extract the client ID (agent identity) from a valid JWT.
      */
     public String extractAgentId(String token) {
+        if (token.startsWith("Bearer ")) {
+            token = token.substring(7);
+        }
+
+        token = token.trim().replaceAll("\\s+", ""); // remove all whitespace
         var kid = JwtUtil.extractKid(token);
         Objects.requireNonNull(kid, "No 'kid' found in JWT header");
         var publicKey = keycloak.getPublicKey(kid);
@@ -93,6 +103,11 @@ public String extractAgentId(String token) {
     }
 
     public String extractUsername(String token) {
+        if (token.startsWith("Bearer ")) {
+            token = token.substring(7);
+        }
+
+        token = token.trim().replaceAll("\\s+", ""); // remove all whitespace
         var kid = JwtUtil.extractKid(token);
         Objects.requireNonNull(kid, "No 'kid' found in JWT header");
         var publicKey = keycloak.getPublicKey(kid);
@@ -119,6 +134,13 @@ public void removeAgentClient(String clientId) {
     public AgentRegistrationDTO registerAgentClient(AgentRegistrationDTO agent) {
         ClientsResource clients = keycloak.getKeycloak().realm(realm).clients();
 
+        List<ClientRepresentation> existingClients = clients.findByClientId(agent.getAgentName());
+        if (!existingClients.isEmpty()) {
+            String existingClientId = existingClients.get(0).getId();
+            log.warn("Client with ID '{}' already exists. Removing before re-registration.", agent.getAgentName());
+            clients.get(existingClientId).remove();
+        }
+
         // Step 1: Build client representation
         ClientRepresentation client = new ClientRepresentation();
         client.setClientId(agent.getAgentName());
