Updates. Next will include ability for agents to approve ztats

Author: phrocker

.gcp.env

@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.44
+SENTRIUS_VERSION=1.0.45
 SENTRIUS_SSH_VERSION=1.0.4
 SENTRIUS_KEYCLOAK_VERSION=1.0.7
 SENTRIUS_AGENT_VERSION=1.0.18

api/dynamic.properties

@@ -7,6 +7,7 @@ sshEnabled=true
 systemLogoName=Sentrius
 AccessTokenAuditor.rule.4=io.sentrius.sso.automation.auditing.rules.OpenAISessionRule;Malicious AI Monitoring
 AccessTokenAuditor.rule.5=io.sentrius.sso.automation.auditing.rules.TwoPartyAIMonitor;AI Second Party Monitor
+AccessTokenAuditor.rule.6=io.sentrius.sso.automation.auditing.rules.SudoApproval;Sudo Approval
 allowProxies=true
 AccessTokenAuditor.rule.2=io.sentrius.sso.automation.auditing.rules.DeletePrevention;Delete Prevention
 AccessTokenAuditor.rule.3=io.sentrius.sso.automation.auditing.rules.TwoPartySessionRule;Require Second Party Monitoring

api/src/main/java/io/sentrius/sso/controllers/view/HostController.java

@@ -202,7 +202,7 @@ public String connectSSHServer(
 
         model.addAttribute("enclaveConfiguration", config);
 
-        return "sso/ssh/secure_shell";
+        return "sso/ssh/sso";
 
     }
 
@@ -243,7 +243,7 @@ public String attachSession(
 
         model.addAttribute("enclaveConfiguration", config);
 
-        return "sso/ssh/secure_shell";
+        return "sso/ssh/sso";
 
     }
 

api/src/main/java/io/sentrius/sso/controllers/view/ZeroTrustATController.java

@@ -1,13 +1,17 @@
 package io.sentrius.sso.controllers.view;
 
+import java.util.List;
 import io.sentrius.sso.core.annotations.LimitAccess;
 import io.sentrius.sso.core.config.SystemOptions;
 import io.sentrius.sso.core.controllers.BaseController;
+import io.sentrius.sso.core.model.dto.JITTrackerDTO;
 import io.sentrius.sso.core.model.security.enums.ZeroTrustAccessTokenEnum;
 import io.sentrius.sso.core.model.users.User;
 import io.sentrius.sso.core.services.ErrorOutputService;
 import io.sentrius.sso.core.services.ZeroTrustRequestService;
 import io.sentrius.sso.core.services.UserService;
+import io.sentrius.sso.core.utils.AccessUtil;
+import io.sentrius.sso.core.utils.ZTATUtils;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.http.ResponseEntity;
@@ -53,13 +57,38 @@ public String viewMyTats(HttpServletRequest request, HttpServletResponse respons
         return "sso/ztats/view_my_ztats";
     }
 
+
+    List<JITTrackerDTO> decorateTats(List<JITTrackerDTO> tats, User operatingUser){
+        boolean canApprove = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_APPROVE_ZTATS);
+        boolean canDeny = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_DENY_ZTATS);
+        if (canApprove || canDeny) {
+            for (var tat : tats) {
+
+                if (tat.getUserName().equals(operatingUser.getUsername())) {
+                    tat.setCurrentUser(true);
+                    if (systemOptions.getCanApproveOwnZtat()) {
+                        tat.setCanApprove(canApprove);
+                        tat.setCanDeny(canDeny);
+                    }
+                }
+                else {
+                    tat.setCanApprove(canApprove);
+                    tat.setCanDeny(canDeny);
+                }
+
+            }
+        }
+        return tats;
+    }
+
     private void modelTATs(Model model, User operatingUser){
-        model.addAttribute("openTerminalTats", ztatRequestService.getOpenAccessTokenRequests(operatingUser));
-        model.addAttribute("openOpsTats", ztatRequestService.getOpenOpsRequests(operatingUser));
-        model.addAttribute("approvedTerminalTats", ztatRequestService.getApprovedTerminalAccessTokenRequests(operatingUser));
-        model.addAttribute("approvedOpsTats", ztatRequestService.getApprovedOpsAccessTokenRequests(operatingUser));
-        model.addAttribute("deniedOpsTats", ztatRequestService.getDeniedOpsAccessTokenRequests(operatingUser));
-        model.addAttribute("deniedTerminalTats", ztatRequestService.getDeniedTerminalAccessTokenRequests(operatingUser));
+        model.addAttribute("openTerminalTats",
+            decorateTats(ztatRequestService.getOpenAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("openOpsTats", decorateTats(ztatRequestService.getOpenOpsRequests(operatingUser),operatingUser));
+        model.addAttribute("approvedTerminalTats", decorateTats(ztatRequestService.getApprovedTerminalAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("approvedOpsTats", decorateTats(ztatRequestService.getApprovedOpsAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("deniedOpsTats",decorateTats( ztatRequestService.getDeniedOpsAccessTokenRequests(operatingUser),operatingUser));
+        model.addAttribute("deniedTerminalTats", decorateTats(ztatRequestService.getDeniedTerminalAccessTokenRequests(operatingUser),operatingUser));
     }
 
 }