add ztat uses

phrocker · phrocker · commit 7e7d0035056f · 2025-02-23T06:56:54.000-05:00
diff --git a/api/src/main/resources/db/migration/V18_approval_history.sql b/api/src/main/resources/db/migration/V18_approval_history.sql
@@ -0,0 +1,21 @@
+ALTER TABLE ztat_approvals ADD COLUMN rationale TEXT;
+ALTER TABLE ops_approvals ADD COLUMN rationale TEXT;
+
+CREATE TABLE IF NOT EXISTS ztat_uses (
+                                         id BIGSERIAL PRIMARY KEY,
+                                         ztat_approval_id BIGINT NOT NULL,
+                                         user_id BIGINT NOT NULL,
+                                         used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                                         FOREIGN KEY (ztat_approval_id) REFERENCES ztat_approvals(id),
+    FOREIGN KEY (user_id) REFERENCES users(id)
+    );
+
+
+CREATE TABLE IF NOT EXISTS ops_uses (
+                                         id BIGSERIAL PRIMARY KEY,
+                                         ops_approval_id BIGINT NOT NULL,
+                                         user_id BIGINT NOT NULL,
+                                         used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                                         FOREIGN KEY (ops_approval_id) REFERENCES ops_approvals(id),
+    FOREIGN KEY (user_id) REFERENCES users(id)
+    );
diff --git a/core/src/main/java/io/sentrius/sso/core/model/zt/OpsUse.java b/core/src/main/java/io/sentrius/sso/core/model/zt/OpsUse.java
@@ -0,0 +1,39 @@
+package io.sentrius.sso.core.model.zt;
+
+import java.time.LocalDateTime;
+import io.sentrius.sso.core.model.users.User;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import lombok.Getter;
+import lombok.Setter;
+import org.hibernate.annotations.CreationTimestamp;
+
+@Entity
+@Setter
+@Getter
+@Table(name = "ops_uses")
+public class OpsUse {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "ztat_approval_id", nullable = false)
+    private ZeroTrustAccessTokenApproval ztatApproval;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+    @CreationTimestamp
+    @Column(name = "used_at", nullable = false, updatable = false)
+    private LocalDateTime usedAt;
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/model/zt/ZeroTrustApprovalHistory.java b/core/src/main/java/io/sentrius/sso/core/model/zt/ZeroTrustApprovalHistory.java
@@ -0,0 +1,46 @@
+package io.sentrius.sso.core.model.zt;
+
+
+import java.time.LocalDateTime;
+import io.sentrius.sso.core.model.users.User;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import lombok.Getter;
+import lombok.Setter;
+import org.hibernate.annotations.CreationTimestamp;
+
+@Entity
+@Setter
+@Getter
+@Table(name = "ztat_approval_history")
+public class ZeroTrustApprovalHistory {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "ztat_request_id", nullable = false)
+    private ZeroTrustAccessTokenRequest ztatRequest;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "approver_id", nullable = false)
+    private User approver;
+
+    @Column(name = "approved", nullable = false)
+    private boolean approved;
+
+    @Column(name = "rationale", columnDefinition = "TEXT")
+    private String rationale;
+
+    @CreationTimestamp
+    @Column(name = "decision_timestamp", nullable = false, updatable = false)
+    private LocalDateTime decisionTimestamp;
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/model/zt/ZtatApprovalHistory.java b/core/src/main/java/io/sentrius/sso/core/model/zt/ZtatApprovalHistory.java
@@ -0,0 +1,46 @@
+package io.sentrius.sso.core.model.zt;
+
+import io.sentrius.sso.core.model.users.User;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import lombok.Getter;
+import lombok.Setter;
+import org.hibernate.annotations.CreationTimestamp;
+
+import java.time.LocalDateTime;
+
+@Entity
+@Setter
+@Getter
+@Table(name = "ztat_approval_history")
+public class ZtatApprovalHistory {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "ztat_request_id", nullable = false)
+    private ZeroTrustAccessTokenRequest ztatRequest;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "approver_id", nullable = false)
+    private User approver;
+
+    @Column(name = "approved", nullable = false)
+    private boolean approved;
+
+    @Column(name = "rationale", columnDefinition = "TEXT")
+    private String rationale;
+
+    @CreationTimestamp
+    @Column(name = "decision_timestamp", nullable = false, updatable = false)
+    private LocalDateTime decisionTimestamp;
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/model/zt/ZtatUse.java b/core/src/main/java/io/sentrius/sso/core/model/zt/ZtatUse.java
@@ -0,0 +1,45 @@
+package io.sentrius.sso.core.model.zt;
+
+import java.time.LocalDateTime;
+import io.sentrius.sso.core.model.users.User;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import org.hibernate.annotations.CreationTimestamp;
+
+@Entity
+@Setter
+@Builder
+@Getter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name = "ztat_uses")
+public class ZtatUse {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "ztat_approval_id", nullable = false)
+    private ZeroTrustAccessTokenApproval ztatApproval;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+    @CreationTimestamp
+    @Column(name = "used_at", nullable = false, updatable = false)
+    private LocalDateTime usedAt;
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/repository/OpsUseRepository.java b/core/src/main/java/io/sentrius/sso/core/repository/OpsUseRepository.java
@@ -0,0 +1,9 @@
+package io.sentrius.sso.core.repository;
+
+import io.sentrius.sso.core.model.zt.OpsUse;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface OpsUseRepository extends JpaRepository<OpsUse, Long> {
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/repository/ZtatUseRepository.java b/core/src/main/java/io/sentrius/sso/core/repository/ZtatUseRepository.java
@@ -0,0 +1,16 @@
+package io.sentrius.sso.core.repository;
+
+import java.util.List;
+import io.sentrius.sso.core.model.zt.ZeroTrustAccessTokenApproval;
+import io.sentrius.sso.core.model.zt.ZtatUse;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface ZtatUseRepository extends JpaRepository<ZtatUse, Long> {
+
+
+    @Query("SELECT ztu FROM ZtatUse ztu WHERE ztu.ztatApproval = :ztatApproval")
+    List<ZtatUse> getUses(ZeroTrustAccessTokenApproval ztatApproval);
+}
diff --git a/core/src/main/java/io/sentrius/sso/core/services/ZeroTrustRequestService.java b/core/src/main/java/io/sentrius/sso/core/services/ZeroTrustRequestService.java
@@ -8,11 +8,13 @@
 import io.sentrius.sso.core.model.zt.ZeroTrustAccessTokenRequest;
 import io.sentrius.sso.core.model.zt.OpsApproval;
 import io.sentrius.sso.core.model.zt.OpsZeroTrustAcessTokenRequest;
+import io.sentrius.sso.core.model.zt.ZtatUse;
 import io.sentrius.sso.core.repository.ZeroTrustAccessTokenApprovalRepository;
 import io.sentrius.sso.core.repository.JITReasonRepository;
 import io.sentrius.sso.core.repository.ZeroTrustAccessTokenRequestRepository;
 import io.sentrius.sso.core.repository.OpsApprovalRepository;
 import io.sentrius.sso.core.repository.OpsJITRequestRepository;
+import io.sentrius.sso.core.repository.ZtatUseRepository;
 import io.sentrius.sso.core.utils.ZTATUtils;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
@@ -45,6 +47,9 @@ public class ZeroTrustRequestService {
     @Autowired
     private SystemOptions systemOptions;
 
+    @Autowired
+    private ZtatUseRepository ztatUseRepository;
+
 
     @Transactional(readOnly = true)
     public List<ZeroTrustAccessTokenRequest> getAllJITRequests() {
@@ -210,7 +215,8 @@ public void incrementAccessTokenUses(ZeroTrustAccessTokenRequest request) {
                 if (approval.getUses() >= systemOptions.maxJitUses) {
                     throw new RuntimeException("JIT uses exceeded");
                 }
-                approval.setUses(approval.getUses() + 1);
+                ;
+                ztatUseRepository.save(ZtatUse.builder().ztatApproval(approval).user(request.getUser()).build());
                 log.info("Incrementing uses for JITRequest: {}", request.getId());
                 ztatApprovalRepository.save(approval);
             });
@@ -339,7 +345,8 @@ private Integer getUsesRemaining(ZeroTrustAccessTokenRequest request) {
              // get the latest approval
             List<ZeroTrustAccessTokenApproval> approval = request.getApprovals();
             if (!approval.isEmpty()) {
-                return systemOptions.maxJitUses - approval.get(0).getUses();
+                var uses = ztatUseRepository.getUses(approval.get(0));
+                return systemOptions.maxJitUses - uses.size();
             }
 
         return systemOptions.maxJitUses; // Update as needed based on your logic
@@ -349,6 +356,7 @@ private Integer getUsesRemaining(OpsZeroTrustAcessTokenRequest request) {
 
             List<OpsApproval> approval = request.getApprovals();
             if (!approval.isEmpty()) {
+
                 return systemOptions.maxJitUses - approval.get(0).getUses();
             }
 
