

Merge pull request #1220 from akto-api-security/revert-1217-develop
Revert "Develop"
notshivansh authored Jun 24, 2024
2 parents ba270cc + 7af41af commit 3a8227f
Showing 31 changed files with 247 additions and 3,360 deletions.
Expand Up @@ -268,15 +268,16 @@ public String createNewAccount() {
}
}

User user = initializeAccount(email, newAccountId, newAccountName,true, RBAC.Role.ADMIN);
User user = initializeAccount(email, newAccountId, newAccountName,true);
getSession().put("user", user);
getSession().put("accountId", newAccountId);
return Action.SUCCESS.toUpperCase();
}

public static User initializeAccount(String email, int newAccountId, String newAccountName, boolean isNew, RBAC.Role role) {
public static User initializeAccount(String email, int newAccountId,String newAccountName, boolean isNew) {
UsersDao.addAccount(email, newAccountId, newAccountName);
User user = UsersDao.instance.findOne(eq(User.LOGIN, email));
RBAC.Role role = isNew ? RBAC.Role.ADMIN : RBAC.Role.MEMBER;
RBACDao.instance.insertOne(new RBAC(user.getId(), role, newAccountId));
Context.accountId.set(newAccountId);
try {
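Review bot: The new line `RBAC.Role role = isNew ? RBAC.Role.ADMIN : RBAC.Role.MEMBER;` makes a caller-supplied boolean the only thing that decides whether the user is granted ADMIN on the account, and nothing in the signature says so. A Javadoc on `initializeAccount` would make that contract explicit: `/** Adds {@code email} to {@code newAccountId}; {@code isNew == true} grants ADMIN, {@code false} grants MEMBER. Callers must derive isNew from server-side state (invite lookup, freshly created account), never from request input. */`. Separately, `user` returned by `findOne` is dereferenced on the next line without a null check; whether a missing login is possible here cannot be told from the hunk, so at least a comment stating the assumption would help. The method body continues past the hunk.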
Expand Up @@ -91,6 +91,13 @@ public String toggleNewMergingEnabled() {
public String toggleTelemetry() {
if (!DashboardMode.isOnPremDeployment()) return Action.ERROR.toUpperCase();

User user = getSUser();
if (user == null) return ERROR.toUpperCase();
boolean isAdmin = RBACDao.instance.isAdmin(user.getId(), Context.accountId.get());
if (!isAdmin) {
addActionError("Only admin can add change this setting");
return Action.ERROR.toUpperCase();
}
AccountSettings accountSettings = AccountSettingsDao.instance.findOne(AccountSettingsDao.generateFilter());
TelemetrySettings telemetrySettings = accountSettings.getTelemetrySettings();
telemetrySettings.setCustomerEnabled(enableTelemetry);
Expand Down Expand Up @@ -134,6 +141,10 @@ public String updateTrafficAlertThresholdSeconds() {

private boolean redactPayload;
public String toggleRedactFeature() {
User user = getSUser();
if (user == null) return ERROR.toUpperCase();
boolean isAdmin = RBACDao.instance.isAdmin(user.getId(), Context.accountId.get());
if (!isAdmin) return ERROR.toUpperCase();

AccountSettingsDao.instance.getMCollection().updateOne(
AccountSettingsDao.generateFilter(),
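Review bot: The two admin gates added at the top of `toggleTelemetry` and `toggleRedactFeature` are copy-pasted but behave differently — the first reports `"Only admin can add change this setting"` (the stray "add" reads as a typo) while the second returns ERROR with no `addActionError`, so the caller gets no reason. Factoring the gate into one private helper keeps both paths identical and fixes the message in one place; each action then starts with `if (!requireAdmin()) return ERROR.toUpperCase();`. The enclosing class begins outside the hunk, so where the helper lives is up to the maintainer.
```java
/** True when the session user is an ADMIN of the current account; records an action error otherwise. */
private boolean requireAdmin() {
    User user = getSUser();
    if (user == null) return false;
    if (RBACDao.instance.isAdmin(user.getId(), Context.accountId.get())) return true;
    addActionError("Only admin can change this setting");
    return false;
}
// … unchanged: toggleTelemetry / toggleRedactFeature bodies, each now opening with `if (!requireAdmin()) return ERROR.toUpperCase();` …
```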
27 changes: 3 additions & 24 deletions apps/dashboard/src/main/java/com/akto/action/InviteUserAction.java
@@ -1,11 +1,9 @@
package com.akto.action;

import com.akto.dao.PendingInviteCodesDao;
import com.akto.dao.RBACDao;
import com.akto.dao.UsersDao;
import com.akto.dao.context.Context;
import com.akto.dto.PendingInviteCode;
import com.akto.dto.RBAC;
import com.akto.dto.User;
import com.akto.notifications.email.SendgridEmail;
import com.akto.util.DashboardMode;
Expand All @@ -30,7 +28,6 @@ public class InviteUserAction extends UserAction{

public static final String INVALID_EMAIL_ERROR = "Invalid email";
public static final String DIFFERENT_ORG_EMAIL_ERROR = "Email must belong to same organisation";
public static final String NOT_ALLOWED_TO_INVITE = "you're not authorised to invite for this role";
public static final String AKTO_DOMAIN = "akto.io";

public static String validateEmail(String email, String adminLogin) {
Expand All @@ -55,7 +52,6 @@ public static String validateEmail(String email, String adminLogin) {
}

private String finalInviteCode;
private RBAC.Role inviteeRole;

@Override
public String execute() {
Expand All @@ -69,17 +65,6 @@ public String execute() {
return ERROR.toUpperCase();
}

RBAC userRbac = RBACDao.instance.findOne(Filters.and(
Filters.eq(RBAC.USER_ID, user_id),
Filters.eq(RBAC.ACCOUNT_ID, Context.accountId.get())
));

RBAC.Role userRole = userRbac.getRole();
if (!Arrays.asList(userRole.getRoleHierarchy()).contains(this.inviteeRole)) {
addActionError("User not allowed to invite for this role");
return ERROR.toUpperCase();
}

Map<String,Object> claims = new HashMap<>();
claims.put("email", inviteeEmail);

Expand All @@ -104,8 +89,10 @@ public String execute() {
try {
Jws<Claims> jws = JWT.parseJwt(inviteCode,"");
PendingInviteCodesDao.instance.insertOne(
new PendingInviteCode(inviteCode, user_id, inviteeEmail,jws.getBody().getExpiration().getTime(),Context.accountId.get(), this.inviteeRole)
new PendingInviteCode(inviteCode, user_id, inviteeEmail,jws.getBody().getExpiration().getTime(),Context.accountId.get())
);


} catch (NoSuchAlgorithmException | InvalidKeySpecException | IOException e) {
e.printStackTrace();
return ERROR.toUpperCase();
Expand Down Expand Up @@ -151,12 +138,4 @@ public void setWebsiteHostName(String websiteHostName) {
public String getFinalInviteCode() {
return finalInviteCode;
}

public RBAC.Role getInviteeRole() {
return inviteeRole;
}

public void setInviteeRole(RBAC.Role inviteeRole) {
this.inviteeRole = inviteeRole;
}
}
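Review bot: With `inviteeRole` and the role-hierarchy check removed, `execute()` no longer contains any check of whether the calling user may invite at all — the deleted block at the `RBACDao.instance.findOne(...)` site was the only authorization visible in this file. If an interceptor or action configuration already restricts inviting to admins that is fine, but it is not visible here; either re-add a guard such as `if (!RBACDao.instance.isAdmin(user_id, Context.accountId.get())) { addActionError("Only admin can invite users"); return ERROR.toUpperCase(); }` (the same `isAdmin` gate the settings actions in this commit use) or leave a comment naming where the check lives. The two blank lines added after `PendingInviteCodesDao.instance.insertOne(...)` are stray whitespace. `execute()` begins outside the first of these hunks.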
Expand Up @@ -5,14 +5,12 @@
import com.akto.dao.AccountSettingsDao;
import com.akto.dao.AccountsDao;
import com.akto.dao.JiraIntegrationDao;
import com.akto.dao.RBACDao;
import com.akto.dao.UsersDao;
import com.akto.dao.billing.OrganizationsDao;
import com.akto.dao.context.Context;
import com.akto.dto.Account;
import com.akto.dto.AccountSettings;
import com.akto.dto.JiraIntegration;
import com.akto.dto.RBAC;
import com.akto.dto.User;
import com.akto.dto.UserAccountEntry;
import com.akto.dto.ApiToken.Utility;
Expand Down Expand Up @@ -113,7 +111,6 @@ public static void executeMeta1(Utility utility, User user, HttpServletRequest r
String dashboardVersion = accountSettings.getDashboardVersion();
String[] versions = dashboardVersion.split(" - ");
User userFromDB = UsersDao.instance.findOne(Filters.eq(Constants.ID, user.getId()));
RBAC.Role userRole = RBACDao.getCurrentRoleForUser(user.getId(), Context.accountId.get());

boolean jiraIntegrated = false;
try {
Expand All @@ -134,8 +131,7 @@ public static void executeMeta1(Utility utility, User user, HttpServletRequest r
.append("cloudType", Utils.getCloudType())
.append("accountName", accountName)
.append("aktoUIMode", userFromDB.getAktoUIMode().name())
.append("jiraIntegrated", jiraIntegrated)
.append("userRole", userRole.toString().toUpperCase());
.append("jiraIntegrated", jiraIntegrated);;

if (DashboardMode.isOnPremDeployment()) {
userDetails.append("userHash", Intercom.getUserHash(user.getLogin()));
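Review bot: The new line `.append("jiraIntegrated", jiraIntegrated);;` ends with a doubled semicolon — an empty statement that compiles but is flagged by linters; it should read `.append("jiraIntegrated", jiraIntegrated);`. Dropping `userRole` from the payload also means the dashboard can no longer learn the caller's role from this response, so any admin-only controls in the UI must rely on the server rejecting the action (presumably the `isAdmin` gates re-added elsewhere in this commit) — a comment on the `userDetails` builder saying so would save the next reader a search. `executeMeta1` continues outside the hunk.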
13 changes: 3 additions & 10 deletions apps/dashboard/src/main/java/com/akto/action/SignupAction.java
Expand Up @@ -277,7 +277,7 @@ public String registerViaAuth0() throws Exception {
if(user != null){
AccountAction.addUserToExistingAccount(email, pendingInviteCode.getAccountId());
}
createUserAndRedirect(email, name, auth0SignupInfo, pendingInviteCode.getAccountId(), Config.ConfigType.AUTH0.toString(), pendingInviteCode.getInviteeRole());
createUserAndRedirect(email, name, auth0SignupInfo, pendingInviteCode.getAccountId(), Config.ConfigType.AUTH0.toString());

return SUCCESS.toUpperCase();
} else if(pendingInviteCode == null){
Expand Down Expand Up @@ -367,7 +367,6 @@ public String registerViaEmail() {
return ERROR.toUpperCase();
}
int invitedToAccountId = 0;
RBAC.Role inviteeRole = null;
if (!invitationCode.isEmpty()) {
Jws<Claims> jws;
try {
Expand All @@ -394,7 +393,6 @@ public String registerViaEmail() {
// deleting the invitation code
PendingInviteCodesDao.instance.getMCollection().deleteOne(filter);
invitedToAccountId = pendingInviteCode.getAccountId();
inviteeRole = pendingInviteCode.getInviteeRole();
} else {
if (!InitializerListener.isSaas) {
long countUsers = UsersDao.instance.getMCollection().countDocuments();
Expand Down Expand Up @@ -427,7 +425,7 @@ public String registerViaEmail() {

try {
shouldLogin = "true";
createUserAndRedirect(email, email, signupInfo, invitedToAccountId, "email", inviteeRole);
createUserAndRedirect(email, email, signupInfo, invitedToAccountId, "email");
} catch (IOException e) {
e.printStackTrace();
return ERROR.toUpperCase();
Expand Down Expand Up @@ -692,11 +690,6 @@ public static String validatePassword(String password) {

private void createUserAndRedirect(String userEmail, String username, SignupInfo signupInfo,
int invitationToAccount, String method) throws IOException {
createUserAndRedirect(userEmail, username, signupInfo, invitationToAccount, method, null);
}

private void createUserAndRedirect(String userEmail, String username, SignupInfo signupInfo,
int invitationToAccount, String method, RBAC.Role invitedRole) throws IOException {
User user = UsersDao.instance.findOne(eq("login", userEmail));
if (user == null && "false".equalsIgnoreCase(shouldLogin)) {
SignupUserInfo signupUserInfo = SignupDao.instance.insertSignUp(userEmail, username, signupInfo, invitationToAccount);
Expand Down Expand Up @@ -746,7 +739,7 @@ private void createUserAndRedirect(String userEmail, String username, SignupInfo
return;
}

user = AccountAction.initializeAccount(userEmail, accountId, "My account",invitationToAccount == 0, invitedRole == null ? RBAC.Role.MEMBER : invitedRole);
user = AccountAction.initializeAccount(userEmail, accountId, "My account",invitationToAccount == 0);

servletRequest.getSession().setAttribute("user", user);
servletRequest.getSession().setAttribute("accountId", accountId);
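Review bot: In `createUserAndRedirect`, `invitationToAccount == 0` is what decides ADMIN versus MEMBER through `initializeAccount`, and `registerViaEmail` feeds it `pendingInviteCode.getAccountId()` unchanged; elsewhere in this commit (`TeamAction.fetchTeamData`) an invite with `accountId == 0` is treated as a legacy invite for account 1_000_000, so if such invites can still reach signup an invited user would be handled as a fresh self-signup rather than as a member of the invited account. If that legacy case is real, normalising right after the lookup — `if (invitedToAccountId == 0) invitedToAccountId = 1_000_000; // legacy invite, same mapping as TeamAction` — keeps the two paths consistent; if it cannot happen, a comment saying so at the `invitedToAccountId = pendingInviteCode.getAccountId();` line would help. Both `registerViaEmail` and `createUserAndRedirect` extend beyond the hunks shown.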
141 changes: 47 additions & 94 deletions apps/dashboard/src/main/java/com/akto/action/TeamAction.java
Expand Up @@ -47,7 +47,7 @@ public String fetchTeamData() {
for(Object obj: users) {
BasicDBObject userObj = (BasicDBObject) obj;
RBAC rbac = userToRBAC.get(userObj.getInt("id"));
String status = rbac == null ? "Guest" : rbac.getRole().name();
String status = rbac == null ? "Member" : rbac.getRole().name();
userObj.append("role", status);
}

Expand All @@ -60,125 +60,86 @@ public String fetchTeamData() {
if (pendingInviteCode.getAccountId() == 0) {//case where account id doesn't exists belonged to older 1_000_000 account
pendingInviteCode.setAccountId(1_000_000);
}
Role inviteeRole = pendingInviteCode.getInviteeRole();
String roleText = "Invitation sent";
if (inviteeRole == null) {
roleText += "for Security Engineer";
} else {
roleText += "for " + inviteeRole.name();
}
if (pendingInviteCode.getAccountId() == accountId) {
users.add(
new BasicDBObject("id", pendingInviteCode.getIssuer())
.append("login", pendingInviteCode.getInviteeEmailId())
.append("name", "-")
.append("role", roleText)
.append("role", "Invitation sent")
);
}
}

return SUCCESS.toUpperCase();
}

private enum ActionType {
REMOVE_USER,
UPDATE_USER_ROLE
MAKE_ADMIN
}

String email;
public String performAction(ActionType action, String reqUserRole) {
public String performAction(ActionType action) {
int currUserId = getSUser().getId();
int accId = Context.accountId.get();

Bson findQ = Filters.eq(User.LOGIN, email);
User userDetails = UsersDao.instance.findOne(findQ);
boolean userExists = userDetails != null;

Bson filterRbac = Filters.and(
Filters.eq(RBAC.USER_ID, userDetails.getId()),
Filters.eq(RBAC.ACCOUNT_ID, accId));

if (userExists && userDetails.getId() == currUserId) {
addActionError("You cannot perform this action on yourself");
boolean isAdmin = RBACDao.instance.isAdmin(currUserId, Context.accountId.get());
if (!isAdmin) {
addActionError("You are not authorized to perform this action");
return Action.ERROR.toUpperCase();
}
} else {
int accId = Context.accountId.get();

Bson findQ = Filters.eq(User.LOGIN, email);
User userDetails = UsersDao.instance.findOne(findQ);
boolean userExists = userDetails != null;
if (userExists && userDetails.getId() == currUserId) {
addActionError("You cannot perform this action on yourself");
return Action.ERROR.toUpperCase();
}

Role currentUserRole = RBACDao.getCurrentRoleForUser(currUserId, accId);
Role userRole = RBACDao.getCurrentRoleForUser(userDetails.getId(), accId); // current role of the user whose role is changing
switch (action) {
case REMOVE_USER:
if (userExists) {
UsersDao.instance.updateOne(findQ, Updates.unset("accounts." + accId));
RBACDao.instance.deleteAll(filterRbac);
return Action.SUCCESS.toUpperCase();
} else {
DeleteResult delResult = PendingInviteCodesDao.instance.getMCollection().deleteMany(Filters.eq("inviteeEmailId", email));
if (delResult.getDeletedCount() > 0) {
switch (action) {
case REMOVE_USER:
if (userExists) {
UsersDao.instance.updateOne(findQ, Updates.unset("accounts." + accId));
RBACDao.instance.deleteAll(
Filters.and(
Filters.eq(RBAC.USER_ID, userDetails.getId()),
Filters.eq(RBAC.ACCOUNT_ID, accId)));
return Action.SUCCESS.toUpperCase();
} else {
return Action.ERROR.toUpperCase();
}
}

case UPDATE_USER_ROLE:
if (userExists) {
try {
Role[] rolesHierarchy = currentUserRole.getRoleHierarchy();
boolean isValidUpdateRole = false;
for(Role role: rolesHierarchy){
if(role == userRole){
isValidUpdateRole = true;
break;
}
}
if(isValidUpdateRole){
RBACDao.instance.updateOne(
filterRbac,
Updates.set(RBAC.ROLE, Role.valueOf(reqUserRole)));
DeleteResult delResult = PendingInviteCodesDao.instance.getMCollection().deleteMany(Filters.eq("inviteeEmailId", email));
if (delResult.getDeletedCount() > 0) {
return Action.SUCCESS.toUpperCase();
}else{
addActionError("User doesn't have access to modify this role.");
} else {
return Action.ERROR.toUpperCase();
}
} catch (Exception e) {
addActionError("User role doesn't exist.");
}

case MAKE_ADMIN:
if (userExists) {
RBACDao.instance.updateOne(
Filters.and(
Filters.eq(RBAC.USER_ID, userDetails.getId()),
Filters.eq(RBAC.ACCOUNT_ID, accId)),
Updates.set(RBAC.ROLE, Role.ADMIN));
return Action.SUCCESS.toUpperCase();
} else {
addActionError("User doesn't exist");
return Action.ERROR.toUpperCase();
}

} else {
addActionError("User doesn't exist");
return Action.ERROR.toUpperCase();
}

default:
break;

default:
break;
}
}
return Action.SUCCESS.toUpperCase();
}

public String removeUser() {
return performAction(ActionType.REMOVE_USER, null);
return performAction(ActionType.REMOVE_USER);
}

private String userRole;

public String makeAdmin(){
return performAction(ActionType.UPDATE_USER_ROLE, this.userRole.toUpperCase());
}

private Role[] userRoleHierarchy;

public String getRoleHierarchy(){
if(this.userRole == null || this.userRole.isEmpty()){
addActionError("Role cannot be null or empty");
return Action.ERROR.toUpperCase();
}
try {
this.userRoleHierarchy = Role.valueOf(userRole).getRoleHierarchy();
return Action.SUCCESS.toUpperCase();
} catch (Exception e) {
addActionError("User role doesn't exist.");
return Action.ERROR.toUpperCase();
}
return performAction(ActionType.MAKE_ADMIN);
}

public int getId() {
Expand All @@ -205,12 +166,4 @@ public String getEmail() {
return this.email;
}

public void setUserRole(String userRole) {
this.userRole = userRole;
}

public Role[] getUserRoleHierarchy() {
return userRoleHierarchy;
}

}
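Review bot: In the new `MAKE_ADMIN` branch, `RBACDao.instance.updateOne(...)` is fire-and-forget and the method returns SUCCESS even when the filter matched nothing — a login that exists globally but has no RBAC row for `accId` (the `rbac == null` case that `fetchTeamData` renders as "Member"), or that is not part of this account at all, is reported as promoted while nothing changed. Checking membership before the update, or inspecting the matched count if `RBACDao.updateOne` exposes the Mongo `UpdateResult`, turns that silent no-op into an error; the same applies to `REMOVE_USER`, which also reports success unconditionally. `performAction` lies entirely within the hunk; `fetchTeamData` starts before it.
```java
case MAKE_ADMIN:
    if (userExists) {
        Bson rbacFilter = Filters.and(
                Filters.eq(RBAC.USER_ID, userDetails.getId()),
                Filters.eq(RBAC.ACCOUNT_ID, accId));
        // Only promote an existing member of this account; a missing RBAC row means the update would match nothing.
        if (RBACDao.instance.findOne(rbacFilter) == null) {
            addActionError("User is not a member of this account");
            return Action.ERROR.toUpperCase();
        }
        RBACDao.instance.updateOne(rbacFilter, Updates.set(RBAC.ROLE, Role.ADMIN));
        return Action.SUCCESS.toUpperCase();
    }
    // … unchanged: "User doesn't exist" error branch, default …
```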

