dry run of gcp deploy with automated domain creation

.gcp.env

@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.9
+SENTRIUS_VERSION=1.0.15
 SENTRIUS_SSH_VERSION=1.0.2
-SENTRIUS_KEYCLOAK_VERSION=1.0.2
-SENTRIUS_AGENT_VERSION=1.0.10
+SENTRIUS_KEYCLOAK_VERSION=1.0.4
+SENTRIUS_AGENT_VERSION=1.0.11

Dockerfile

@@ -15,4 +15,4 @@ RUN apt-get update && apt-get install -y curl
 
 
 # Command to run the app
-CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/application.properties", "--dynamic.properties.path=/config/dynamic.properties"]
+CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/api-application.properties", "--dynamic.properties.path=/config/dynamic.properties"]

analyagents/pom.xml

@@ -48,6 +48,12 @@
       <artifactId>junit-jupiter-params</artifactId>
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+      <version>${spring.boot.version}</version>
+    </dependency>
     <dependency>
       <groupId>org.postgresql</groupId>
       <artifactId>postgresql</artifactId>

analyagents/src/main/resources/application.properties

@@ -59,4 +59,6 @@ spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/realms/sentrius
 spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
 # for testing analytics agents
-agents.session-analytics.enabled=true
+agents.session-analytics.enabled=true
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=always

api/pom.xml

@@ -63,6 +63,17 @@
             <version>${spring.boot.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+            <version>${spring.boot.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-webflux</artifactId>
+            <version>${spring.boot.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-devtools</artifactId>

api/src/main/java/io/sentrius/sso/config/HttpsRedirectConfig.java

@@ -0,0 +1,29 @@
+package io.sentrius.sso.config;
+
+import java.net.URI;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.server.WebFilter;
+
+@Configuration
+public class HttpsRedirectConfig {
+
+    @Value("${https.redirect.enabled:true}") // Default is true
+    private boolean httpsRedirectEnabled;
+
+    @Bean
+    public WebFilter httpsRedirectFilter() {
+        return (exchange, chain) -> {
+            if (httpsRedirectEnabled &&
+                exchange.getRequest().getHeaders().containsKey("X-Forwarded-Proto") &&
+                "http".equals(exchange.getRequest().getHeaders().getFirst("X-Forwarded-Proto"))) {
+                URI httpsUri = exchange.getRequest()
+                    .getURI()
+                    .resolve(exchange.getRequest().getURI().toString().replace("http://", "https://"));
+                return exchange.getResponse().setComplete();
+            }
+            return chain.filter(exchange);
+        };
+    }
+}

api/src/main/java/io/sentrius/sso/config/SecurityConfig.java

@@ -42,56 +42,10 @@ public class SecurityConfig {
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
-       /* http
-            .authorizeRequests(authorize -> authorize
-                .requestMatchers("/sso/v1/**", "/api/v1/**").authenticated() // Pages that need authentication
-                .requestMatchers("/node/**", "/js/**", "/css/**", "/images/**", "/error", "/sso/login", "/api/v1/login/authenticate").permitAll() // Public endpoints
-                .anyRequest().authenticated() // Other pages need authentication
-            )
-            .logout(logout -> logout
-                .logoutSuccessUrl("/sso/login?logout") // Redirect after logout
-            )
-            .sessionManagement(session -> session
-                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            )
-            .oauth2Login(oauth2 -> oauth2             // Enable OAuth2 login
-                .loginPage("/oauth2/authorization/keycloak") // Redirect to Keycloak
-            )
-            .oauth2ResourceServer(oauth2 -> oauth2
-                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
-            )
-            .csrf(csrf -> csrf
-                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
-            )
-
-            .cors(Customizer.withDefaults())
-            .exceptionHandling(exception -> exception
-                .accessDeniedPage("/error") // Handle access denied with error page
-            );*/
-        /*
         http
-            .authorizeRequests(authorize -> authorize
-                .requestMatchers("/sso/v1/**", "/api/v1/**").authenticated()
-                .requestMatchers("/node/**", "/js/**", "/css/**", "/images/**", "/error", "/sso/login", "/api/v1/login/authenticate").permitAll()
-                .anyRequest().authenticated()
-            )
-            .sessionManagement(session -> session
-                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            )
-            .oauth2Login(oauth2 -> oauth2
-                .loginPage("/oauth2/authorization/keycloak")
-            )
-            .oauth2ResourceServer(oauth2 -> oauth2
-                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
-            )
-            .csrf(csrf -> csrf
-                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
-            )
-            .cors(Customizer.withDefaults())
-            .exceptionHandling(exception -> exception
-                .accessDeniedPage("/error")
-            );*/
-        http.authorizeHttpRequests(auth -> auth.requestMatchers("/**").fullyAuthenticated())
+            .authorizeHttpRequests(auth -> auth.
+                requestMatchers("/actuator/**").permitAll() // Public endpoints
+                .requestMatchers("/**").fullyAuthenticated())
             .oauth2ResourceServer(oauth2 -> oauth2
                 .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak()))
             )
@@ -104,12 +58,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         return http.build();
     }
 
-    /*
-    @Bean
-    public JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) {
-        return JwtDecoders.fromIssuerLocation("http://localhost:8180/realms/sentrius");
-    }
-*/
     @Bean
     public JwtAuthenticationConverter jwtAuthenticationConverterForKeycloak() {
         JwtAuthenticationConverter converter = new JwtAuthenticationConverter();

api/src/main/java/io/sentrius/sso/controllers/api/RuleApiController.java

@@ -77,14 +77,15 @@ public ResponseEntity<List<ProfileRuleDTO>> listRules(HttpServletRequest request
         boolean canEditRules = AccessUtil.canAccess(user, RuleAccessEnum.CAN_EDIT_RULES);
         boolean canDeleteRules = AccessUtil.canAccess(user, RuleAccessEnum.CAN_MANAGE_RULES);
         if (AccessUtil.canAccess(user, ApplicationAccessEnum.CAN_MANAGE_APPLICATION)) {
-
+            log.info("User can manage rules {}", user.getAuthorizationType());
             for(ProfileRule rule: ruleService.getAllRules()) {
                 var dto = new ProfileRuleDTO(rule, rule.getHostGroups().stream().toList(), canViewRules, canEditRules,
                     canDeleteRules);
                 rules.add(dto);
                 log.info("Adding {}", dto);
             }
         } else {
+            log.info("User can manage own rules");
             var groups = hostGroupService.getAllHostGroups(user);
             for (HostGroup group : groups) {
                 for(ProfileRule rule : group.getRules()) {

api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java

@@ -29,6 +29,7 @@
 import io.sentrius.sso.core.model.dto.UserTypeDTO;
 import io.sentrius.sso.core.model.hostgroup.HostGroup;
 import io.sentrius.sso.core.model.security.UserType;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
 import io.sentrius.sso.core.model.security.enums.AutomationAccessEnum;
 import io.sentrius.sso.core.model.security.enums.RuleAccessEnum;
 import io.sentrius.sso.core.model.security.enums.SSHAccessEnum;
@@ -337,6 +338,10 @@ protected List<UserType> createUserTypes(List<SideEffect> sideEffects, InstallCo
                     builder.ztAccessTokenAccess(ZeroTrustAccessTokenEnum.of(List.of(type.getZtAccessTokenAccess())));
                 }
 
+                if (null != type.getApplicationAccess()){
+                    builder.applicationAccess(ApplicationAccessEnum.of(List.of(type.getApplicationAccess())));
+                }
+
                 UserType newType = builder.userTypeName(type.getUserTypeName()).build();
                 userTypeRepository.findByUserTypeName(type.getUserTypeName())
                     .ifPresentOrElse(

api/src/main/resources/application.properties

@@ -72,4 +72,7 @@ spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
 
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/realms/sentrius
-spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
+spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
+
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=always

api/src/main/resources/templates/sso/errors/list_errors.html

@@ -111,7 +111,7 @@
                         </div>
                     </div>
                     <div th:replace="~{fragments/alerts}"></div>
-                    <div  th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_USERS')}">
+                    <div  th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_SYSTEMS')}">
 
     <h3>Errors</h3>
     <table id="error-table" class="display" style="width:100%">

core/src/main/java/io/sentrius/sso/core/services/RuleService.java

@@ -32,7 +32,9 @@ public void deleteRule(ProfileRule rule) {
     public ProfileRule saveRule(ProfileRule rule) {
         try {
             log.info("Saving rule with id: {}", rule.getId());
-            return ruleRepository.save(rule);
+            var newRule = ruleRepository.save(rule);
+            log.info("Saving rule with id: {}", newRule.getId());
+            return newRule;
         } catch (Exception e) {
             log.error("Error while saving Rule", e);
             throw new RuntimeException("Failed to save Rule", e);

docker/keycloak/Dockerfile

@@ -19,5 +19,5 @@ COPY ./realms/sentrius-realm.json /opt/keycloak/data/import/sentrius-realm.json
 RUN ls -l /opt/keycloak/data/import/sentrius-realm.json
 
 ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
-CMD ["start-dev", "--proxy=passthrough", "--import-realm"]
+CMD ["start-dev", "--proxy=passthrough", "--import-realm", "--health-enabled=true"]
 

docker/keycloak/realms/sentrius-realm.json

@@ -7,9 +7,9 @@
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
       "secret": "nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0",
-      "rootUrl": "http://sentrius-keycloak:30080/",
-      "baseUrl": "http://sentrius-keycloak:30080/",
-      "redirectUris": ["http://sentrius-keycloak:30080/*"],
+      "rootUrl": "${ROOT_URL}",
+      "baseUrl": "${ROOT_URL}",
+      "redirectUris": ["${REDIRECT_URIS}/*"],
       "protocol": "openid-connect"
     }
   ],

docker/sentrius-agent/Dockerfile

@@ -14,4 +14,4 @@ RUN apt-get update && apt-get install -y curl
 
 
 # Command to run the app
-CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/application.properties"]
+CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/agent-application.properties"]

ops-scripts/gcp/base.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
 NAMESPACE=sentrius
 CLUSTER=sentrius-autopilot-cluster-1
-REGION=us-east1
+REGION=us-east1
+ZONE=sentrius-cloud

ops-scripts/gcp/create-subdomain.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+
+TENANT=$1
+
+gcloud dns record-sets transaction start --zone=${ZONE}
+gcloud dns record-sets transaction add --zone=${ZONE} \
+  --name=${TENANT}.sentrius.cloud. \
+  --type=CNAME \
+  --ttl=300 \
+  app-loadbalancer.region.cloud.goog &&
+gcloud dns record-sets transaction execute --zone=${ZONE}

ops-scripts/gcp/deploy-helm.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+source ${SCRIPT_DIR}/../../.gcp.env
+
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+    echo "Must provide single argument for tenant name" 1>&2
+    exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+    echo "Namespace ${TENANT} does not exist. Creating..."
+    kubectl create namespace ${TENANT} || { echo "Failed to create namespace ${TENANT}"; exit 1; }
+fi
+
+
+
+helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${TENANT} \
+    --set tenant=${TENANT} \
+    --set subdomain=${TENANT}.sentrius.cloud \
+    --set sentrius.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius \
+    --set sentrius.image.tag=${SENTRIUS_VERSION} \
+    --set ssh.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-ssh \
+    --set ssh.image.tag=${SENTRIUS_SSH_VERSION} \
+    --set keycloak.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-keycloak \
+    --set keycloak.image.tag=${SENTRIUS_KEYCLOAK_VERSION} \
+    --set sentriusagent.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-agent \
+    --set sentriusagent.image.tag=${SENTRIUS_AGENT_VERSION} || { echo "Failed to deploy Sentrius with Helm"; exit 1; }
+
+
+# Wait for LoadBalancer IPs to be ready
+echo "Waiting for LoadBalancer IPs to be assigned..."
+RETRIES=30
+SLEEP_INTERVAL=10
+
+for ((i=1; i<=RETRIES; i++)); do
+    # Retrieve LoadBalancer IP
+    # Retrieve LoadBalancer IP
+    INGRESS_IP=$(kubectl get ingress managed-cert-ingress-${TENANT} -n ${TENANT} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+
+    if [[ -n "$INGRESS_IP" ]]; then
+        echo "INGRESS_IP IP: $INGRESS_IP"
+        break
+    fi
+
+    echo "Attempt $i: Waiting for IPs to be assigned..."
+    sleep $SLEEP_INTERVAL
+done
+
+if [[ -z "$INGRESS_IP" ]]; then
+    echo "Failed to retrieve LoadBalancer IPs after $((RETRIES * SLEEP_INTERVAL)) seconds."
+    exit 1
+fi
+
+# Check if subdomain exists
+if gcloud dns record-sets list --zone=${ZONE} --name=${TENANT}.sentrius.cloud. | grep -q ${TENANT}.sentrius.cloud.; then
+    echo "Subdomain ${TENANT}.sentrius.cloud already exists. Skipping creation."
+else
+    echo "Creating subdomain ${TENANT}.sentrius.cloud..."
+    gcloud dns record-sets transaction start --zone=${ZONE}
+
+    gcloud dns record-sets transaction add --zone=${ZONE} \
+          --name=${TENANT}.sentrius.cloud. \
+          --type=A \
+          --ttl=300 \
+          $INGRESS_IP
+
+    gcloud dns record-sets transaction add --zone=${ZONE} \
+      --name=keycloak.${TENANT}.sentrius.cloud. \
+      --type=A \
+      --ttl=300 \
+      $INGRESS_IP
+
+    gcloud dns record-sets transaction execute --zone=${ZONE}
+fi