Implement SSH Server proxy with dynamic HostSystem integration, comprehensive testing, and production roadmap

.local.env

@@ -1,8 +1,9 @@
-SENTRIUS_VERSION=1.1.341
+SENTRIUS_VERSION=1.1.345
 SENTRIUS_SSH_VERSION=1.1.41
 SENTRIUS_KEYCLOAK_VERSION=1.1.53
 SENTRIUS_AGENT_VERSION=1.1.42
 SENTRIUS_AI_AGENT_VERSION=1.1.263
 LLMPROXY_VERSION=1.0.78
 LAUNCHER_VERSION=1.0.82
-AGENTPROXY_VERSION=1.0.85
+AGENTPROXY_VERSION=1.0.85
+SSHPROXY_VERSION=1.0.40

.local.env.bak

@@ -1,8 +1,9 @@
-SENTRIUS_VERSION=1.1.341
+SENTRIUS_VERSION=1.1.345
 SENTRIUS_SSH_VERSION=1.1.41
 SENTRIUS_KEYCLOAK_VERSION=1.1.53
 SENTRIUS_AGENT_VERSION=1.1.42
 SENTRIUS_AI_AGENT_VERSION=1.1.263
 LLMPROXY_VERSION=1.0.78
 LAUNCHER_VERSION=1.0.82
-AGENTPROXY_VERSION=1.0.85
+AGENTPROXY_VERSION=1.0.85
+SSHPROXY_VERSION=1.0.40

api/src/main/java/io/sentrius/sso/websocket/AuditSocketHandler.java

@@ -8,8 +8,10 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import io.sentrius.sso.core.integrations.ssh.DataWebSession;
 import io.sentrius.sso.core.services.security.CryptoService;
 import io.sentrius.sso.core.services.terminal.SessionTrackingService;
+import io.sentrius.sso.core.services.SshListenerService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Component;
@@ -43,7 +45,7 @@ public void afterConnectionEstablished(WebSocketSession session) throws Exceptio
                 // Store the WebSocket session using the session ID from the query parameter
                 sessions.put(sessionId, session);
                 log.trace("*AUDITING New connection established, session ID: " + sessionId);
-                sshListenerService.startAuditingSession(sessionId, session);
+                sshListenerService.startAuditingSession(sessionId, new DataWebSession(session));
             } else {
                 log.trace("Session ID not found in query parameters.");
                 session.close(); // Close the session if no valid session ID is provided

api/src/main/java/io/sentrius/sso/websocket/ChatListenerService.java

@@ -19,6 +19,7 @@
 import io.sentrius.sso.core.services.security.IntegrationSecurityTokenService;
 import io.sentrius.sso.core.services.terminal.SessionTrackingService;
 import io.sentrius.sso.core.utils.JsonUtil;
+import io.sentrius.sso.core.services.SshListenerService;
 import io.sentrius.sso.genai.ChatConversation;
 import io.sentrius.sso.genai.GenerativeAPI;
 import io.sentrius.sso.genai.GeneratorConfiguration;

api/src/main/java/io/sentrius/sso/websocket/TerminalWSHandler.java

@@ -3,10 +3,12 @@
 
 import io.sentrius.sso.automation.auditing.Trigger;
 import io.sentrius.sso.automation.auditing.TriggerAction;
+import io.sentrius.sso.core.integrations.ssh.DataWebSession;
 import io.sentrius.sso.core.model.chat.ChatLog;
 import io.sentrius.sso.core.services.ChatService;
 import io.sentrius.sso.core.services.metadata.TerminalSessionMetadataService;
 import io.sentrius.sso.core.services.security.CryptoService;
+import io.sentrius.sso.core.services.SshListenerService;
 import io.sentrius.sso.core.utils.StringUtils;
 import io.sentrius.sso.protobuf.Session;
 import io.sentrius.sso.core.services.terminal.SessionTrackingService;
@@ -57,7 +59,7 @@ public void afterConnectionEstablished(WebSocketSession session) throws Exceptio
                 // Store the WebSocket session using the session ID from the query parameter
                 sessions.put(sessionId, session);
                 log.debug("New connection established, session ID: " + sessionId);
-                sshListenerService.startListeningToSshServer(sessionId, session);
+                sshListenerService.startListeningToSshServer(sessionId, new DataWebSession(session));
             } else {
                 log.trace("Session ID not found in query parameters.");
                 session.close(); // Close the session if no valid session ID is provided

api/src/main/resources/db/migration/V19__alter_hostsystems.sql

@@ -0,0 +1,3 @@
+ALTER TABLE host_systems
+    ADD COLUMN proxied_ssh_server BOOLEAN DEFAULT FALSE,
+ADD COLUMN proxied_ssh_port INTEGER DEFAULT 0;

api/src/main/resources/db/migration/V20__alter_hostgroups.sql

@@ -0,0 +1,2 @@
+ALTER TABLE host_groups
+ADD COLUMN proxied_ssh_port INTEGER DEFAULT 0;

core/src/main/java/io/sentrius/sso/core/dto/HostGroupDTO.java

@@ -18,6 +18,8 @@ public class HostGroupDTO {
     private String displayName;
     private String description;
     private int hostCount = 0;
+    @Builder.Default
+    private int proxiedSSHPort = 0;
     private ProfileConfiguration configuration;
     List<UserDTO> users = new ArrayList<>();
 

dataplane/src/main/java/io/sentrius/sso/automation/auditing/BaseAccessTokenAuditor.java

@@ -7,11 +7,7 @@
 import io.sentrius.sso.core.model.users.User;
 
 public abstract class BaseAccessTokenAuditor {
-/*
-  protected final Long userId;
-  protected final Long sessionId;
 
-  protected final Long systemId;*/
   protected final HostSystem system;
   protected final SessionLog session;
   protected final User user;

dataplane/src/main/java/io/sentrius/sso/core/integrations/ssh/DataSession.java

@@ -0,0 +1,13 @@
+package io.sentrius.sso.core.integrations.ssh;
+
+import java.io.IOException;
+import org.springframework.web.socket.WebSocketMessage;
+
+public interface DataSession {
+
+    String getId();
+
+    boolean isOpen();
+
+    void sendMessage(WebSocketMessage<?> message) throws IOException;
+}

dataplane/src/main/java/io/sentrius/sso/core/integrations/ssh/DataWebSession.java

@@ -0,0 +1,111 @@
+package io.sentrius.sso.core.integrations.ssh;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.socket.CloseStatus;
+import org.springframework.web.socket.WebSocketExtension;
+import org.springframework.web.socket.WebSocketSession;
+
+public class DataWebSession implements DataSession, WebSocketSession {
+
+    private final WebSocketSession webSocketSession;
+
+    public DataWebSession(WebSocketSession webSocketSession) {
+        this.webSocketSession = webSocketSession;
+    }
+
+    @Override
+    public String getId() {
+        return webSocketSession.getId();
+    }
+
+    @Override
+    public URI getUri() {
+        return webSocketSession.getUri();
+    }
+
+    @Override
+    public HttpHeaders getHandshakeHeaders() {
+        return webSocketSession.getHandshakeHeaders();
+    }
+
+    @Override
+    public Map<String, Object> getAttributes() {
+        return webSocketSession.getAttributes();
+    }
+
+    @Override
+    public Principal getPrincipal() {
+        return webSocketSession.getPrincipal();
+    }
+
+    @Override
+    public InetSocketAddress getLocalAddress() {
+        return webSocketSession.getLocalAddress();
+    }
+
+    @Override
+    public InetSocketAddress getRemoteAddress() {
+        return webSocketSession.getRemoteAddress();
+    }
+
+    @Override
+    public String getAcceptedProtocol() {
+        return webSocketSession.getAcceptedProtocol();
+    }
+
+    @Override
+    public void setTextMessageSizeLimit(int messageSizeLimit) {
+        webSocketSession.setTextMessageSizeLimit(messageSizeLimit);
+    }
+
+    @Override
+    public int getTextMessageSizeLimit() {
+        return webSocketSession.getTextMessageSizeLimit();
+    }
+
+    @Override
+    public void setBinaryMessageSizeLimit(int messageSizeLimit) {
+        webSocketSession.setBinaryMessageSizeLimit(messageSizeLimit);
+    }
+
+    @Override
+    public int getBinaryMessageSizeLimit() {
+        return webSocketSession.getBinaryMessageSizeLimit();
+    }
+
+    @Override
+    public List<WebSocketExtension> getExtensions() {
+        return webSocketSession.getExtensions();
+    }
+
+    @Override
+    public boolean isOpen() {
+        return webSocketSession.isOpen();
+    }
+
+    @Override
+    public void close() throws IOException {
+        webSocketSession.close();
+    }
+
+    @Override
+    public void close(CloseStatus status) throws IOException {
+        webSocketSession.close(status);
+    }
+
+    // Delegate other WebSocketSession methods as needed
+    // For example:
+    @Override
+    public void sendMessage(org.springframework.web.socket.WebSocketMessage<?> message) throws java.io.IOException {
+        webSocketSession.sendMessage(message);
+    }
+
+    // Add more methods as required by your application logic
+
+}

dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java

@@ -93,6 +93,16 @@ public class HostSystem implements Host {
     @Column(name = "locked")
     private boolean locked = false;
 
+    @Builder.Default
+    @Column(name = "proxied_ssh_server")
+    private boolean proxiedSSHServer = false;
+
+    @Builder.Default
+    @Column(name = "proxied_ssh_port")
+    private Integer proxiedSSHPort = 0;
+
+
+
     @OneToMany(mappedBy = "hostSystem", cascade = CascadeType.ALL,orphanRemoval = true, fetch = FetchType.LAZY)
     private List<ProxyHost> proxies;
 

dataplane/src/main/java/io/sentrius/sso/core/model/hostgroup/HostGroup.java

@@ -70,6 +70,10 @@ public class HostGroup {
   @Transient
   private boolean selected = false;
 
+    @Builder.Default
+    @Column(name = "proxied_ssh_port")
+    private Integer proxiedSSHPort = 0;
+
   @ManyToMany(fetch = FetchType.LAZY)
   @JoinTable(
       name = "user_hostgroups",
@@ -139,6 +143,7 @@ public HostGroupDTO toDTO(boolean setUsers){
     builder.description(this.getDescription());
     builder.hostCount(this.getHostSystems().size());
     builder.configuration(this.getConfiguration());
+    builder.proxiedSSHPort(this.getProxiedSSHPort());
     if (setUsers){
       builder.users(this.getUsers().stream().map(x -> x.toDto()).toList());
     }

dataplane/src/main/java/io/sentrius/sso/core/model/sessions/SessionOutput.java

@@ -146,7 +146,7 @@ public Trigger getNextDenial() {
         return deny.isEmpty() ? null : deny.pop();
     }
 */
-    public void addJIT(Trigger trg) {
+    public void addZtat(Trigger trg) {
         String message =
             "This command will require approval. Your command will not execute until approval is"
                 + " garnered.If approval is not already submitted you will be notified when it is"