
Merge pull request #1002 from akto-api-security/fix_vulnerable_collec…
…tion_updation

update vuln col on login
ayushaga14 authored Apr 15, 2024
2 parents e66f1f3 + 7b046ae commit 461f196
Showing 4 changed files with 55 additions and 3 deletions.
Expand Up @@ -37,6 +37,7 @@
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
Expand All @@ -52,6 +53,7 @@ public class AccountAction extends UserAction {

public static final int MAX_NUM_OF_LAMBDAS_TO_FETCH = 50;
private static final ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();
private static final ExecutorService service = Executors.newFixedThreadPool(1);

@Override
public String execute() {
Expand Down Expand Up @@ -309,7 +311,11 @@ public void run() {
DaoInit.createIndices();
Main.insertRuntimeFilters();
RuntimeListener.initialiseDemoCollections();
RuntimeListener.addSampleData();
service.submit(() ->{
Context.accountId.set(newAccountId);
loggerMaker.infoAndAddToDb("updating vulnerable api's collection for new account " + newAccountId, LogDb.DASHBOARD);
RuntimeListener.addSampleData();
});
AccountSettingsDao.instance.updateOnboardingFlag(true);
InitializerListener.insertPiiSources();

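Review bot: The task handed to `service.submit(() -> {` has no error handling, so any exception thrown by `RuntimeListener.addSampleData()` on the pool thread is captured in the Future that the call discards and is never logged, even though the preceding `infoAndAddToDb` line announces that the work started. Wrapping the call in try/catch and reporting through `loggerMaker.errorAndAddToDb`, the form this codebase already uses for the same call, keeps a failed sample-data load visible for the new account; `Context.accountId` is already set on the pool thread first, so the catch can name the account. The enclosing `run()` starts before and ends after the hunk.
```java
service.submit(() -> {
    Context.accountId.set(newAccountId);
    try {
        loggerMaker.infoAndAddToDb("updating vulnerable api's collection for new account " + newAccountId, LogDb.DASHBOARD);
        RuntimeListener.addSampleData();
    } catch (Exception e) {
        loggerMaker.errorAndAddToDb(e, "error updating vulnerable api's collection for new account " + newAccountId, LogDb.DASHBOARD);
    }
});
```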
34 changes: 34 additions & 0 deletions apps/dashboard/src/main/java/com/akto/action/LoginAction.java
@@ -1,13 +1,17 @@
package com.akto.action;

import com.akto.dao.BackwardCompatibilityDao;
import com.akto.dao.SignupDao;
import com.akto.dao.SingleTypeInfoDao;
import com.akto.dao.UsersDao;
import com.akto.dao.context.Context;
import com.akto.dto.BackwardCompatibility;
import com.akto.dto.Config;
import com.akto.dto.SignupInfo;
import com.akto.dto.SignupUserInfo;
import com.akto.dto.User;
import com.akto.listener.RuntimeListener;
import com.akto.log.LoggerMaker.LogDb;
import com.akto.utils.Token;
import com.akto.utils.JWT;
import com.mongodb.BasicDBObject;
Expand All @@ -29,6 +33,8 @@
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.*;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import static com.akto.filter.UserDetailsFilter.LOGIN_URI;

Expand All @@ -42,6 +48,7 @@ public class LoginAction implements Action, ServletResponseAware, ServletRequest
private static final Logger logger = LoggerFactory.getLogger(LoginAction.class);

public static final String REFRESH_TOKEN_COOKIE_NAME = "refreshToken";
private static final ExecutorService service = Executors.newFixedThreadPool(1);
public BasicDBObject getLoginResult() {
return loginResult;
}
Expand Down Expand Up @@ -93,10 +100,37 @@ public String execute() throws IOException {
//For the case when no account exists, the user will get access to 1_000_000 account
String accountIdStr = user.getAccounts().keySet().isEmpty() ? "1000000" : user.getAccounts().keySet().iterator().next();
int accountId = StringUtils.isNumeric(accountIdStr) ? Integer.parseInt(accountIdStr) : 1_000_000;
try {
service.submit(() ->{
triggerVulnColUpdation(user);
});
} catch (Exception e) {
logger.error("error updating vuln collection ", e);
}
decideFirstPage(loginResult, accountId);
return result;
}

private void triggerVulnColUpdation(User user) {
for (String accountIdStr: user.getAccounts().keySet()) {
int accountId = Integer.parseInt(accountIdStr);
Context.accountId.set(accountId);
logger.info("updating vulnerable api's collection for account " + accountId);
try {
BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
if (backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
RuntimeListener.addSampleData();
}
BackwardCompatibilityDao.instance.updateOne(
Filters.eq("_id", backwardCompatibility.getId()),
Updates.set(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, Context.now())
);
} catch (Exception e) {
logger.error("error updating vulnerable api's collection for account " + accountId + " " + e.getMessage());
}
}
}

private void decideFirstPage(BasicDBObject loginResult, int accountId){
Context.accountId.set(accountId);
long count = SingleTypeInfoDao.instance.getEstimatedCount();
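Review bot: In `triggerVulnColUpdation`, `Integer.parseInt(accountIdStr)` sits outside the per-account try/catch, so one non-numeric account key throws NumberFormatException out of the loop, skips every remaining account, and is only captured in the Future that `service.submit` discards; `execute()` a few lines above guards the same keys with `StringUtils.isNumeric`, and the helper should do the same: `if (!StringUtils.isNumeric(accountIdStr)) { logger.warn("skipping non-numeric account id " + accountIdStr); continue; }`. The catch block logs only `e.getMessage()`, which drops the stack trace and prints "null" for an NPE such as `backwardCompatibility` being null should `findOne` return no document; prefer `logger.error("error updating vulnerable api's collection for account " + accountId, e)`. Note also that the try around `service.submit` in `execute()` only covers rejection of the task, not failures inside it, so the per-account catch is the only place these errors can surface. `execute()` starts before the hunk.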
Expand Up @@ -79,7 +79,7 @@ public void accept(Account account) {

try {
initialiseDemoCollections();
addSampleData();
//addSampleData();
} catch (Exception e) {
loggerMaker.errorAndAddToDb(e,"Error while initialising demo collections: " + e, LoggerMaker.LogDb.DASHBOARD);
}
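Review bot: The `//addSampleData();` line leaves commented-out code behind with nothing telling a reader where that work went, which is exactly the kind of line a later cleanup re-enables or deletes without context. Replace it with a comment describing the new flow, e.g. `// sample data is no longer loaded here: it is added on account creation (AccountAction) and lazily on first login per account (LoginAction.triggerVulnColUpdation, gated by BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1)`. The enclosing `accept(Account account)` starts before the hunk; the file is not named on this page, though the unqualified `initialiseDemoCollections()` call suggests it is RuntimeListener.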
14 changes: 13 additions & 1 deletion libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
Expand Up @@ -59,12 +59,15 @@ public class BackwardCompatibility {
public static final String DEFAULT_TELEMETRY_SETTINGS = "defaultTelemetrySettings";
private int defaultTelemetrySettings;

public static final String VULNERABLE_API_UPDATION_VERSION_V1 = "vulnerableApiUpdationVersionV1";
private int vulnerableApiUpdationVersionV1;

public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTypeInfoCount, int dropWorkflowTestResult,
int readyForNewTestingFramework,int addAktoDataTypes, boolean deploymentStatusUpdated,
int authMechanismData, boolean mirroringLambdaTriggered, int deleteAccessListFromApiToken,
int deleteNullSubCategoryIssues, int enableNewMerging,
int aktoDefaultNewUI, int initializeOrganizationAccountBelongsTo, int orgsInBilling,
int computeIntegratedConnections, int deleteLastCronRunInfo) {
int computeIntegratedConnections, int deleteLastCronRunInfo, int vulnerableApiUpdationVersionV1) {
this.id = id;
this.dropFilterSampleData = dropFilterSampleData;
this.resetSingleTypeInfoCount = resetSingleTypeInfoCount;
Expand All @@ -83,6 +86,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
this.initializeOrganizationAccountBelongsTo = initializeOrganizationAccountBelongsTo;
this.orgsInBilling = orgsInBilling;
this.deleteLastCronRunInfo = deleteLastCronRunInfo;
this.vulnerableApiUpdationVersionV1 = vulnerableApiUpdationVersionV1;
}

public BackwardCompatibility() {
Expand Down Expand Up @@ -247,4 +251,12 @@ public int getDefaultTelemetrySettings() {
public void setDefaultTelemetrySettings(int defaultTelemetrySettings) {
this.defaultTelemetrySettings = defaultTelemetrySettings;
}

public int getVulnerableApiUpdationVersionV1() {
return vulnerableApiUpdationVersionV1;
}

public void setVulnerableApiUpdationVersionV1(int vulnerableApiUpdationVersionV1) {
this.vulnerableApiUpdationVersionV1 = vulnerableApiUpdationVersionV1;
}
}
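Review bot: The new `vulnerableApiUpdationVersionV1` field is undocumented, and its name suggests a version number although `LoginAction` tests it against 0 and then writes `Context.now()` into it; add `// 0 = vulnerable-API sample collection not yet populated for this account; otherwise the Context.now() value recorded when LoginAction.triggerVulnColUpdation last ran` above the field. That comment should also state that documents persisted before this change deserialize with the Java default 0 and therefore trigger a one-time `addSampleData()` on the next login, which appears to be the intent but is not written down anywhere. The constructor now takes eighteen positional `int`/`boolean` arguments, which is easy to mis-order silently; a builder, or relying on the no-arg constructor plus the new setter, would be safer, though existing callers (not visible here) need updating either way.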
