SentriusLLC
diff --git a/‎.env‎
Lines changed: 6 additions & 6 deletions b/‎.env‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎README.md‎
Lines changed: 33 additions & 7 deletions b/‎README.md‎
Lines changed: 33 additions & 7 deletions
diff --git a/‎api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java‎
Lines changed: 186 additions & 12 deletions b/‎api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java‎
Lines changed: 186 additions & 12 deletions
diff --git a/‎api/src/main/resources/application.properties‎
Lines changed: 9 additions & 1 deletion b/‎api/src/main/resources/application.properties‎
Lines changed: 9 additions & 1 deletion
@@ -1,6 +1,6 @@
-SENTRIUS_VERSION=1.1.38
-SENTRIUS_SSH_VERSION=1.1.4
-SENTRIUS_KEYCLOAK_VERSION=1.1.6
-SENTRIUS_AGENT_VERSION=1.1.4
-SENTRIUS_AI_AGENT_VERSION=1.1.18
-LLMPROXY_VERSION=1.0.4
+SENTRIUS_VERSION=1.1.61
+SENTRIUS_SSH_VERSION=1.1.16
+SENTRIUS_KEYCLOAK_VERSION=1.1.18
+SENTRIUS_AGENT_VERSION=1.1.16
+SENTRIUS_AI_AGENT_VERSION=1.1.30
+LLMPROXY_VERSION=1.0.16
@@ -3,14 +3,18 @@ Sentrius
 ![image](docs/images/mainscreen.png)
 
 Sentrius is zero trust (and if you want AI assisted) management system. to protect your infrastructure. It is split 
-into 
-two primary Maven. Currently we only support SSH, but RDP is in the works.
+into several maven projects. Currently we only support SSH, but RDP is in the works. Agents can be leveraged to monitor and control SSH sessions, ensuring that all connections are secure and compliant with your organization's policies.
 sub-projects:
 
     core – Handles the core functionalities (e.g., SSH session management, RDP, zero trust policy enforcement).
     api – Provides a RESTful API layer to interface with the core module.
-    java-agent -- java based agent to monitor and control the ssh sessions.
-    python-agent -- python based agent to monitor and control the ssh sessions.
+    dataplane -- offers dataplane functionality for secure data transfer and processing.
+    llm-proxy -- A proxy service that integrates with large language models (LLMs) to enhance security and compliance in SSH sessions.
+    llm-dataplane -- A data processing layer that leverages LLMs for advanced analysis and decision-making in SSH 
+sessions.
+    ops-scripts -- Contains operational scripts for deployment and management tasks.
+    ai-agent -- java based agent to monitor and control the ssh sessions.
+    python-agent -- python based agent to monitor and control the ssh sessions and act on behalf of user  (TBD).
 
 Internally, Sentrius may still be referenced by its former name, SSO (SecureShellOps), in certain scripts or configurations.
 Table of Contents
@@ -74,7 +78,7 @@ sentrius/
 
 Prerequisites
 
-    Java 11 or later
+    Java 17 or later
     Apache Maven 3.6+
     Database (PostgreSQL, MySQL, etc.) for storing session and configuration data
     Keycloak for user authentication and authorization
@@ -90,10 +94,32 @@ cd sentrius
 
 Running Sentrius
 
-For convenience the ops/local directory contains a "run-sentrius.sh" script which will start the core and api modules. You can run this script from the project root:
+Build the projects from root ( mvn clean install ) to ensure all dependencies are resolved and the modules are compiled.
+
+For convenience the ops/local directory contains a "run-sentrius.sh" script which will start the core and api 
+modules. You can run this script from the project root.
+This assumes you have a database available, keycloak running, and the necessary configurations. We now require an 
+OTEL endpoint, along with neo4j and kafka (but these are optional).:
 
 ./ops/local/run-sentrius.sh
 
+It is simpler to run a kubernetes deployment, which is described in the Deployment. To do this, build as you would 
+above.
+
+Build the images in your local Docker registry (note this builds all images, including core, api, and any other modules):
+
+    /build-images-local.sh --all --no-cache
+
+Run the Helm deployment script to deploy Sentrius to your local Kubernetes cluster:
+
+    ./ops-scripts/local/deploy-helm.sh
+
+There is a GCP deployment that is hasn't been tested in some time. You can find it in the ops-scripts/gcp directory.
+
+You will need to ensure you link to your GKE cluster and have the necessary permissions to deploy resources.
+
+    ./ops-scripts/gcp/deploy-helm.sh <helm-release-name> <gcp-project-id> <any-other-key-or-params>
+
 You are welcome to run the core and api modules separately, as needed. You can start the core module by running:
 
     mvn install
@@ -190,6 +216,6 @@ Contact
 
 Questions, feedback, or need commercial support? Reach out to the project maintainers:
 
-Email: support@sentrius.io
+Email: marc@sentrius.io
 
 We’re always happy to help you secure your infrastructure with Sentrius!
@@ -23,6 +23,7 @@
 import io.sentrius.sso.automation.sideeffects.SideEffect;
 import io.sentrius.sso.automation.sideeffects.SideEffectType;
 import io.sentrius.sso.core.config.SystemOptions;
+import io.sentrius.sso.core.model.ATPLPolicyEntity;
 import io.sentrius.sso.core.model.ConfigurationOption;
 import io.sentrius.sso.core.model.HostSystem;
 import io.sentrius.sso.core.dto.HostGroupDTO;
@@ -202,27 +203,30 @@ public List<SideEffect> initialize(InstallConfiguration installConfiguration, bo
 
         var profiles = createHostGroups(sideEffects, rules, installConfiguration, action);
 
-        createUsers(sideEffects, installConfiguration, userTypes, profiles, action);
+        // get the policies
+        var policyList = createPolicies(installConfiguration, action);
+
+        createUsers(sideEffects, installConfiguration, userTypes, profiles, action, policyList);
 
 
 
         // create automation assignments
 
         //AppConfig.encryptProperty("initialized", Instant.now().toString());
 
-        // get the policies
-        createPolicies(installConfiguration, action);
+
 
         return sideEffects;
     }
 
-    private void createPolicies(InstallConfiguration installConfiguration, boolean action) {
+    private List<ATPLPolicyEntity> createPolicies(InstallConfiguration installConfiguration, boolean action) {
 
+            List<ATPLPolicyEntity> policyList = new ArrayList<>();
             installConfiguration.getAtplDefinitions().forEach( policy -> {
-                atplPolicyService.savePolicy(policy);
+                policyList.add( atplPolicyService.savePolicy(policy) );
 
             });
-
+            return policyList;
     }
 
     @Transactional
@@ -241,6 +245,137 @@ protected Map<String,ProfileRule> createRules(
         return rules;
     }
 
+
+    @Transactional
+    protected List<HostGroup> createHostGroups(
+        List<SideEffect> sideEffects,
+        Map<String, ProfileRule> rules,
+        InstallConfiguration installConfiguration,
+        boolean action
+    ) throws JSchException, GeneralSecurityException, IOException {
+
+        List<HostGroup> profiles = new ArrayList<>();
+
+        if (installConfiguration.getManagementGroups() == null) {
+            return profiles;
+        }
+
+        for (HostGroupConfigurationDTO hostGroupDto : installConfiguration.getManagementGroups()) {
+
+            HostGroup hostGroup = HostGroup.builder()
+                .name(hostGroupDto.getDisplayName())
+                .description(hostGroupDto.getDescription())
+                .hostSystems(new ArrayList<>())
+                .rules(new HashSet<>())
+                .build();
+
+            if (action) {
+                hostGroup.setApplicationKey(cryptoService.generateKeyPair(UUID.randomUUID().toString()));
+                hostGroup = hostGroupRepository.save(hostGroup); // 🔑 Persist early
+            }
+
+            List<HostSystem> associatedSystems = new ArrayList<>();
+
+            if (hostGroupDto.getSystems() != null) {
+                for (String systemName : hostGroupDto.getSystems()) {
+                    for (var hostSystemDto : installConfiguration.getSystems()) {
+                        if (hostSystemDto.getDisplayName().equals(systemName)) {
+
+                            List<HostSystem> existingSystems = systemRepository.findByDisplayNameAndHost(
+                                hostSystemDto.getDisplayName(),
+                                hostSystemDto.getHost()
+                            );
+
+                            if (!existingSystems.isEmpty()) {
+                                for (HostSystem existing : existingSystems) {
+                                    if (existing.getHostGroups() == null) {
+                                        existing.setHostGroups(new ArrayList<>());
+                                    }
+
+                                    HostGroup finalHostGroup = hostGroup;
+                                    boolean alreadyLinked = existing.getHostGroups().stream()
+                                        .anyMatch(g -> g.getName().equals(finalHostGroup.getName()));
+
+                                    if (!alreadyLinked) {
+                                        existing.getHostGroups().add(hostGroup);
+                                        associatedSystems.add(existing); // Add only if new relationship
+                                    }
+                                }
+                            } else {
+                                HostSystem newSystem = HostSystem.fromDTO(hostSystemDto);
+                                newSystem.setHostGroups(new ArrayList<>(List.of(hostGroup)));
+                                associatedSystems.add(newSystem);
+                            }
+
+                            break; // stop after match
+                        }
+                    }
+                }
+            }
+
+            // Assign rules
+            if (hostGroupDto.getAssignedRules() != null) {
+                for (String ruleName : hostGroupDto.getAssignedRules()) {
+                    ProfileRule rule = rules.get(ruleName);
+                    if (rule != null) {
+                        hostGroup.getRules().add(rule);
+                        rule.getHostGroups().add(hostGroup);
+                    }
+                }
+            }
+
+            List<HostGroup> existingGroups = hostGroupService.getHostGroupsByName(hostGroup.getName());
+
+            if (existingGroups.isEmpty()) {
+                if (action) {
+                    hostGroup = hostGroupRepository.save(hostGroup);
+                    profiles.add(hostGroup);
+
+                    // Save all systems that were linked above
+                    systemRepository.saveAll(associatedSystems);
+                    log.info("Created Host Enclave {} with {}", hostGroup.getId(), hostGroupDto.getDisplayName());
+                }
+
+                sideEffects.add(SideEffect.builder()
+                    .sideEffectDescription("Creating Host Enclave " + hostGroupDto.getDisplayName())
+                    .type(SideEffectType.UPDATE_DATABASE)
+                    .asset("HostGroups")
+                    .build());
+
+            } else {
+                for (HostGroup existingGroup : existingGroups) {
+                    profiles.add(existingGroup);
+                    for (HostSystem hs : associatedSystems) {
+                        if (hs.getHostGroups() == null) {
+                            hs.setHostGroups(new ArrayList<>());
+                        }
+
+                        boolean alreadyAssigned = hs.getHostGroups().stream()
+                            .anyMatch(g -> g.getId().equals(existingGroup.getId()));
+
+                        if (!alreadyAssigned) {
+                            hs.getHostGroups().add(existingGroup);
+                            if (action) {
+                                systemRepository.save(hs);
+                                log.info("Updated Host Enclave {} with {}", existingGroup.getId(), hs.getId());
+                            }
+                            sideEffects.add(SideEffect.builder()
+                                .sideEffectDescription("Updating Host Enclave " + hostGroupDto.getDisplayName())
+                                .type(SideEffectType.UPDATE_DATABASE)
+                                .asset("HostGroups")
+                                .build());
+                        }
+                    }
+                }
+            }
+        }
+
+        return profiles;
+    }
+
+
+
+    /*
     @Transactional
     protected List<HostGroup> createHostGroups(List<SideEffect> sideEffects, Map<String,ProfileRule> rules, InstallConfiguration installConfiguration,
                                              boolean action)
@@ -313,6 +448,23 @@ protected List<HostGroup> createHostGroups(List<SideEffect> sideEffects, Map<Str
                                 log.info("Updating Host Enclave {} with {}", hg.getId(), hg.getId());
                                 profiles.add(hg);
 
+                                for (var hs : hostGroup.getHostSystems()) {
+                                    boolean alreadyAssigned = hs.getHostGroups().stream().anyMatch(g -> g.getId().equals(hg.getId()));
+                                    if (!alreadyAssigned) {
+                                        if (action) {
+                                            hs.getHostGroups().add(hg);
+                                            systemRepository.save(hs);
+                                            log.info("Updating Host Enclave {} with {}", hg.getId(), hs.getId());
+                                        }
+
+                                        sideEffects.add(SideEffect.builder()
+                                            .sideEffectDescription("Updating Host Enclave " + hostGroupDto.getDisplayName())
+                                            .type(SideEffectType.UPDATE_DATABASE)
+                                            .asset("HostGroups")
+                                            .build());
+                                    }
+                                }
+                                /*
                                 for(var hs : hostGroup.getHostSystems()) {
                                     if (!systemRepository.isAssignedToHostGroups(hs.getId(), List.of( hg.getId()))) {
                                         if (action) {
@@ -334,7 +486,7 @@ protected List<HostGroup> createHostGroups(List<SideEffect> sideEffects, Map<Str
         }
         return profiles;
     }
-
+*/
     @Transactional
     protected List<SideEffect> createSystems(InstallConfiguration installConfiguration, boolean action) throws SQLException,
         GeneralSecurityException {
@@ -423,13 +575,17 @@ protected List<UserType> createUserTypes(List<SideEffect> sideEffects, InstallCo
     @Transactional
     protected List<User> createUsers(
         List<SideEffect> sideEffects, InstallConfiguration installConfiguration, List<UserType> userTypes,
-        List<HostGroup> profiles, boolean action)
+        List<HostGroup> profiles, boolean action, List<ATPLPolicyEntity> policyList
+    )
         throws SQLException, GeneralSecurityException {
         List<User> users = new ArrayList<>();
         Map<Long, Set<Long>> assignments = new HashMap<>();
         if (null != installConfiguration.getUsers()) {
             for (var userDTO : installConfiguration.getUsers()) {
-
+                if (userDTO.getPassword() == null || userDTO.getPassword().isEmpty()) {
+                    log.warn("User {} has no password");
+                    userDTO.setPassword(UUID.randomUUID().toString());
+                }
                 // set the UserType from the configuration
                 if (null != userDTO.getAuthorizationType()) {
                     for (UserType type : userTypes) {
@@ -448,15 +604,18 @@ protected List<User> createUsers(
                     userService.getUserType(UserType.builder().id(userDTO.getAuthorizationType().getId()).build());
 
                 User user = User.from(userDTO, type.get());
+
+                
+
                 User finalUser = user;
                 userService.findByUsername(user.getUsername()).ifPresentOrElse(
                     user1 -> {
                         finalUser.setId(user1.getId());
                     },
                     () -> {
                         if (action) {
-                            var usr  = userService.addUscer(user);
-                            user.setId(usr.getId());
+                            var usr  = userService.addUscer(finalUser);
+                            finalUser.setId(usr.getId());
                         }
                         sideEffects.add(SideEffect.builder().sideEffectDescription("Creating user " + userDTO.getUsername()).type(
                             SideEffectType.UPDATE_DATABASE).asset("Users").build());
@@ -513,6 +672,21 @@ protected List<User> createUsers(
                         }
                     }
                 }
+                if (action){
+                    user = userService.getUser(user.getId());
+                    var definition = userDTO.getAtlpDefinition();
+                    if (null != definition && !definition.isEmpty()) {
+                    Optional<ATPLPolicyEntity> policy = policyList.stream()
+                        .filter(p -> p.getPolicyId().equals(definition))
+                        .findFirst();
+                    if (policy.isPresent()) {
+                        atplPolicyService.assignPolicyToUser(user, policy.get());
+                    } else {
+                        log.warn("No ATPL policy found for user {} with policy id {}", user.getUsername(),
+                            definition);
+                    }
+                }
+                }
             }
         }
         for (var entry : assignments.entrySet()) {
@@ -577,7 +751,7 @@ protected void createSystemUser(InstallConfiguration connection) throws NoSuchAl
             .id(0L)
             .authorizationType(UserType.createSuperUser())
             .username("SYSTEM")
-            .password(UUID.randomUUID().toString() + "." + UUID.randomUUID().toString())
+            .password(UUID.randomUUID() + UUID.randomUUID().toString())
             .build();
 
         if (null == user) {
 
@@ -91,11 +91,19 @@ otel.exporter.otlp.timeout=10s
 
 sentrius.agent.register.bootstrap.allow=true
 sentrius.agent.bootstrap.policy=default-policy.yaml
+# Optional: set the identity lifetime
+sentrius.agent.register.bootstrap.identity.recreate
 
 provenance.kafka.topic=sentrius-provenance
 spring.kafka.bootstrap-servers=home.guard.local:9092
 spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer
 spring.kafka.producer.value-serializer=org.springframework.kafka.support.serializer.JsonSerializer
 
 # Optional: trust package to avoid class cast issues with JSON
-spring.kafka.producer.properties.spring.json.trusted.packages=io.sentrius.*
+spring.kafka.producer.properties.spring.json.trusted.packages=io.sentrius.*
+
+spring.kafka.producer.retries=0
+spring.kafka.producer.acks=1
+spring.kafka.producer.request-timeout-ms=500
+spring.kafka.producer.delivery-timeout-ms=1000
+spring.kafka.properties.max.block.ms=500