Fix issue with abac

phrocker · phrocker · commit c3e9dac8f46a · 2026-01-03T08:02:12.000-05:00
diff --git a/.azure.env b/.azure.env
@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.1.109
+SENTRIUS_VERSION=1.1.113
 SENTRIUS_SSH_VERSION=1.1.12
 SENTRIUS_KEYCLOAK_VERSION=1.1.15
 SENTRIUS_AGENT_VERSION=1.1.24
diff --git a/api/src/main/java/io/sentrius/sso/controllers/api/documents/DocumentController.java b/api/src/main/java/io/sentrius/sso/controllers/api/documents/DocumentController.java
@@ -377,12 +377,20 @@ public ResponseEntity<DocumentDTO> retrieveFromExternal(
             String documentType = (String) retrievalRequest.get("documentType");
             String classification = (String) retrievalRequest.get("classification");
             String markings = (String) retrievalRequest.get("markings");
+
+            if (null == classification || classification.trim().isEmpty() || "UNCLASSIFIED".equalsIgnoreCase(classification)) {
+                if (null == markings || markings.trim().isEmpty()) {
+                    classification = "PUBLIC";
+                } else {
+                    classification = "PRIVATE";
+                }
+            }
             
             @SuppressWarnings("unchecked")
             Map<String, String> options = (Map<String, String>) retrievalRequest.get("options");
 
-            log.info("Retrieving document from external source via integration-proxy: {}, store={}, user={}", 
-                    sourceUrl, storeDocument, userId);
+            log.info("Retrieving document from external source via integration-proxy: {}, store={}, user={}, classification={}, markings={}",
+                    sourceUrl, storeDocument, userId, classification, markings);
 
             Document document = documentService.retrieveFromExternalSource(
                     sourceUrl, options, storeDocument, documentName, 
diff --git a/api/src/main/java/io/sentrius/sso/controllers/view/UserController.java b/api/src/main/java/io/sentrius/sso/controllers/view/UserController.java
@@ -177,7 +177,7 @@ public String listUsers(Model model) {
     @GetMapping("/edit")
     public String editUser(Model model, HttpServletRequest request, HttpServletResponse response,
                            @RequestParam("userId") String userId) throws GeneralSecurityException {
-        model.addAttribute("globalAccessSet", UserType.createSuperUser().getAccessSet());
+        model.addAttribute("globalAccessSet", UserType.createSuperUser().getAccessSet().stream().filter(x -> !x.startsWith("CANNOT")).collect(Collectors.toSet()));
         var decryptedUserId = cryptoService.decrypt(userId);
         Long id = Long.parseLong(decryptedUserId);
         User user = userService.getUserById(id);
diff --git a/api/src/main/resources/templates/sso/data/sources.html b/api/src/main/resources/templates/sso/data/sources.html
@@ -349,7 +349,7 @@ <h5 class="modal-title" id="retrieveExternalModalLabel">Retrieve External Data S
                 <span class="tag-badge">${source.documentType}</span>
                 ${source.markings ? `<span class="marking-badge"><i class="fas fa-shield-alt"></i> ${escapeHtml(source.markings)}</span>` : ''}
             </div>
-            ${source.summary ? `<div class="source-summary">${escapeHtml(source.summary)}</div>` : ''}
+            ${source.summary ? `<div class="source-summary">${escapeHtmlLimitLength(source.summary, 50)}</div>` : ''}
             <div class="source-tags">
                 ${(source.tags || []).map(tag => `<span class="tag-badge"><i class="fas fa-tag"></i> ${escapeHtml(tag)}</span>`).join('')}
             </div>
@@ -483,6 +483,20 @@ <h5 class="modal-title" id="retrieveExternalModalLabel">Retrieve External Data S
         return div.innerHTML;
     }
 
+    function escapeHtmlLimitLength(text, maxLength = 50) {
+        if (text == null) return "";
+
+        // Convert to string and trim to length
+        const truncated =
+            String(text).length > maxLength
+                ? String(text).slice(0, maxLength) + "…"
+                : String(text);
+
+        const div = document.createElement("div");
+        div.textContent = truncated;   // safely escapes HTML
+        return div.innerHTML;
+    }
+
     function formatDate(dateString) {
         if (!dateString) return '';
         const date = new Date(dateString);
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/model/documents/Document.java b/dataplane/src/main/java/io/sentrius/sso/core/model/documents/Document.java
@@ -50,8 +50,10 @@ public class Document {
     @Column(name = "tags")
     private String tags; // Comma-separated tags for categorization
 
+    // previously classified as UNCLASSIFIED, which are documents we assume are public or markings
+    // that are nothing more than tags. If not PUBLIC, then we must enforce markings-based access control.
     @Column(name = "classification")
-    private String classification = "UNCLASSIFIED";
+    private String classification = "PUBLIC";
 
     @Column(name = "markings")
     private String markings;
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/services/documents/DocumentService.java b/dataplane/src/main/java/io/sentrius/sso/core/services/documents/DocumentService.java
@@ -89,7 +89,7 @@ public Document storeDocument(String documentName, String documentType, String c
                 .content(content)
                 .contentType(contentType != null ? contentType : "text/plain")
                 .summary(summary)
-                .classification(classification != null ? classification : "UNCLASSIFIED")
+                .classification(classification != null ? classification : markings != null ? "PRIVATE" : "PUBLIC")
                 .markings(markings)
                 .createdBy(createdBy)
                 .checksum(checksum)
@@ -671,12 +671,7 @@ public Document retrieveFromExternalSource(String sourceUrl, Map<String, String>
             log.info("Calling integration-proxy at: {}", url);
 
             ResponseEntity<Map> response = (ResponseEntity<Map>) forwardRequest(url,HttpMethod.POST, request,
-                Map.class); /*restTemplate.exchange(
-                    url,
-                    HttpMethod.POST,
-                    entity,
-                    Map.class
-            );*/
+                Map.class);
 
             if (!response.getStatusCode().is2xxSuccessful() || response.getBody() == null) {
                 throw new RuntimeException("Failed to retrieve document from integration-proxy");
@@ -709,7 +704,7 @@ public Document retrieveFromExternalSource(String sourceUrl, Map<String, String>
                         finalContentType,
                         "Retrieved from " + sourceUrl,
                         null, // tags can be added later
-                        classification != null ? classification : "UNCLASSIFIED",
+                        classification != null ? classification : markings != null ? "PRIVATE" : "PUBLIC",
                         markings,
                         createdBy
                 );
diff --git a/docs/DOCUMENT_RETRIEVAL_INTEGRATION.md b/docs/DOCUMENT_RETRIEVAL_INTEGRATION.md

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-SENTRIUS_VERSION=1.1.109`
	`1`	`+SENTRIUS_VERSION=1.1.113`
`2`	`2`	`SENTRIUS_SSH_VERSION=1.1.12`
`3`	`3`	`SENTRIUS_KEYCLOAK_VERSION=1.1.15`
`4`	`4`	`SENTRIUS_AGENT_VERSION=1.1.24`