|
33 | 33 | import io.sentrius.sso.core.services.security.KeycloakService; |
34 | 34 | import io.sentrius.sso.core.services.security.ZeroTrustAccessTokenService; |
35 | 35 | import io.sentrius.sso.core.services.security.ZtatTokenService; |
| 36 | +import io.sentrius.sso.core.utils.AccessUtil; |
36 | 37 | import jakarta.servlet.http.HttpServletRequest; |
37 | 38 | import jakarta.servlet.http.HttpServletResponse; |
38 | 39 | import lombok.extern.slf4j.Slf4j; |
@@ -273,28 +274,27 @@ public ResponseEntity<?> getRequest(HttpServletRequest request, HttpServletRespo |
273 | 274 |
|
274 | 275 | @GetMapping("/list/{type}") |
275 | 276 | @LimitAccess(ztatAccess = {ZeroTrustAccessTokenEnum.CAN_VIEW_ZTATS}) |
276 | | - public ResponseEntity<?> listZtatRequests(@RequestHeader("Authorization") String token, |
| 277 | + public ResponseEntity<?> listZtatRequests(@RequestHeader(name= "Authorization", required=false) String token, |
277 | 278 | @PathVariable("type") String type, |
278 | 279 | HttpServletRequest request, HttpServletResponse response) { |
279 | | - String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token; |
| 280 | + var operatingUser = getOperatingUser(request, response ); |
| 281 | + if (null != token) { |
| 282 | + String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token; |
280 | 283 |
|
281 | 284 |
|
282 | | - log.info("Received ZTAT request from agent: {}", compactJwt); |
283 | | - if (!keycloakService.validateJwt(compactJwt)) { |
284 | | - log.warn("Invalid Keycloak token"); |
285 | | - return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token"); |
286 | | - } |
287 | | - |
288 | | - // Extract agent identity from the JWT |
289 | | - var operatingUser = getOperatingUser(request, response ); |
| 285 | + log.info("Received ZTAT request from agent: {}", compactJwt); |
| 286 | + if (!keycloakService.validateJwt(compactJwt)) { |
| 287 | + log.warn("Invalid Keycloak token"); |
| 288 | + return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token"); |
| 289 | + } |
| 290 | + String agentId = keycloakService.extractAgentId(compactJwt); |
290 | 291 |
|
291 | | - // Extract agent identity from the JWT |
292 | | - String agentId = keycloakService.extractAgentId(compactJwt); |
| 292 | + if (null == operatingUser) { |
| 293 | + log.warn("No operating user found for agent: {}", agentId); |
| 294 | + var username = keycloakService.extractUsername(compactJwt); |
| 295 | + operatingUser = userService.getUserByUsername(username); |
293 | 296 |
|
294 | | - if (null == operatingUser) { |
295 | | - log.warn("No operating user found for agent: {}", agentId); |
296 | | - var username = keycloakService.extractUsername(compactJwt); |
297 | | - operatingUser = userService.getUserByUsername(username); |
| 297 | + } |
298 | 298 |
|
299 | 299 | } |
300 | 300 | List<ZtatDTO> ztatTracker = new ArrayList<ZtatDTO>(); |
@@ -324,6 +324,88 @@ public ResponseEntity<?> listZtatRequests(@RequestHeader("Authorization") String |
324 | 324 | default: |
325 | 325 | log.warn("Invalid type: {}", type); |
326 | 326 | } |
| 327 | + ztatTracker = decorateTats(ztatTracker, operatingUser); |
| 328 | + return ResponseEntity.ok(ztatTracker); |
| 329 | + } |
| 330 | + |
| 331 | + @GetMapping("/list/{state}/{type}") |
| 332 | + @LimitAccess(ztatAccess = {ZeroTrustAccessTokenEnum.CAN_VIEW_ZTATS}) |
| 333 | + public ResponseEntity<?> listTypedZtatRequests(@RequestHeader(name= "Authorization", required=false) String token, |
| 334 | + @PathVariable("type") String type, |
| 335 | + @PathVariable("state") String state, |
| 336 | + HttpServletRequest request, HttpServletResponse response) { |
| 337 | + |
| 338 | + var operatingUser = getOperatingUser(request, response ); |
| 339 | + if (null != token) { |
| 340 | + String compactJwt = token.startsWith("Bearer ") ? token.substring(7) : token; |
| 341 | + |
| 342 | + |
| 343 | + log.info("Received ZTAT request from agent: {}", compactJwt); |
| 344 | + if (!keycloakService.validateJwt(compactJwt)) { |
| 345 | + log.warn("Invalid Keycloak token"); |
| 346 | + return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("Invalid Keycloak token"); |
| 347 | + } |
| 348 | + String agentId = keycloakService.extractAgentId(compactJwt); |
| 349 | + |
| 350 | + if (null == operatingUser) { |
| 351 | + log.warn("No operating user found for agent: {}", agentId); |
| 352 | + var username = keycloakService.extractUsername(compactJwt); |
| 353 | + operatingUser = userService.getUserByUsername(username); |
| 354 | + |
| 355 | + } |
| 356 | + |
| 357 | + } |
| 358 | + // Extract agent identity from the JWT |
| 359 | + |
| 360 | + |
| 361 | + // Extract agent identity from the JWT |
| 362 | + |
| 363 | + List<ZtatDTO> ztatTracker = new ArrayList<ZtatDTO>(); |
| 364 | + switch(type){ |
| 365 | + case "terminal": |
| 366 | + if ("denied".equalsIgnoreCase(state)) { |
| 367 | + ztatTracker = ztatService.getDeniedJITRequests(operatingUser); |
| 368 | + } else if ("approved".equalsIgnoreCase(state)) { |
| 369 | + ztatTracker = ztatService.getApprovedJITRequests(operatingUser); |
| 370 | + } else { |
| 371 | + ztatTracker = ztatService.getOpenJITRequests(operatingUser); |
| 372 | + } |
| 373 | + break; |
| 374 | + case "ops": |
| 375 | + if ("denied".equalsIgnoreCase(state)) { |
| 376 | + ztatTracker = ztatService.getDeniedOpsJITRequests(operatingUser); |
| 377 | + } else if ("approved".equalsIgnoreCase(state)) { |
| 378 | + ztatTracker = ztatService.getApprovedOpsJITRequests(operatingUser); |
| 379 | + } else { |
| 380 | + ztatTracker = ztatService.getOpenOpsRequests(operatingUser); |
| 381 | + } |
| 382 | + break; |
| 383 | + case "atat": |
| 384 | + if ("denied".equalsIgnoreCase(state)) { |
| 385 | + ztatTracker = ztatService.getDeniedOpsJITRequests(operatingUser); |
| 386 | + } else if ("approved".equalsIgnoreCase(state)) { |
| 387 | + ztatTracker = ztatService.getApprovedOpsJITRequests(operatingUser); |
| 388 | + } else { |
| 389 | + ztatTracker = ztatService.getOpenOpsRequests(operatingUser); |
| 390 | + } |
| 391 | + ztatTracker = ztatTracker.stream().filter(dto -> { |
| 392 | + if (dto.getCommand().equals("register")) { |
| 393 | + return false; |
| 394 | + } |
| 395 | + try { |
| 396 | + if (userService.isNPE(dto.getUserName())){ |
| 397 | + return true; |
| 398 | + } |
| 399 | + } catch (Exception e) { |
| 400 | + throw new RuntimeException(e); |
| 401 | + } |
| 402 | + return false; |
| 403 | + }).toList(); |
| 404 | + break; |
| 405 | + default: |
| 406 | + log.warn("Invalid type: {}", type); |
| 407 | + } |
| 408 | + ztatTracker = decorateTats(ztatTracker, operatingUser); |
327 | 409 | return ResponseEntity.ok(ztatTracker); |
328 | 410 | } |
329 | 411 |
|
@@ -364,4 +446,29 @@ public ResponseEntity<Boolean> verifyZtat(@RequestBody ZtatChallengeRequest requ |
364 | 446 | } |
365 | 447 | } |
366 | 448 |
|
| 449 | + List<ZtatDTO> decorateTats(List<ZtatDTO> tats, User operatingUser){ |
| 450 | + boolean canApprove = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_APPROVE_ZTATS); |
| 451 | + boolean canDeny = AccessUtil.canAccess(operatingUser, ZeroTrustAccessTokenEnum.CAN_DENY_ZTATS); |
| 452 | + if (canApprove || canDeny) { |
| 453 | + for (var tat : tats) { |
| 454 | + |
| 455 | + if (tat.getUserName().equals(operatingUser.getUsername())) { |
| 456 | + tat.setCurrentUser(true); |
| 457 | + if (systemOptions.getCanApproveOwnZtat()) { |
| 458 | + if (tat.getUsesRemaining() > 0) { |
| 459 | + tat.setCanApprove(canApprove); |
| 460 | + } |
| 461 | + tat.setCanDeny(canDeny); |
| 462 | + } |
| 463 | + } |
| 464 | + else { |
| 465 | + if (tat.getUsesRemaining() > 0) { |
| 466 | + tat.setCanApprove(canApprove); |
| 467 | + } |
| 468 | + tat.setCanDeny(canDeny); |
| 469 | + } |
| 470 | + } |
| 471 | + } |
| 472 | + return tats; |
| 473 | + } |
367 | 474 | } |
0 commit comments