diff --git a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java
index 719c9a01d9..94632d8006 100644
--- a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java
+++ b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java
@@ -2,12 +2,16 @@
 import java.util.ArrayList;
+import org.bson.conversions.Bson;
+
 import com.akto.action.UserAction;
 import com.akto.dao.ConfigsDao;
 import com.akto.dao.UsersDao;
 import com.akto.dao.context.Context;
 import com.akto.dto.Config;
 import com.akto.dto.User;
+import com.akto.dto.Config.OktaConfig;
+import com.akto.util.Constants;
 import com.akto.util.DashboardMode;
 import com.akto.utils.sso.SsoUtils;
 import com.mongodb.BasicDBObject;
@@ -29,7 +33,9 @@ public String addOktaSso() {
 return ERROR.toUpperCase();
 }
- Config.OktaConfig oktaConfig = new Config.OktaConfig();
+ int accountId = Context.accountId.get();
+
+ Config.OktaConfig oktaConfig = new Config.OktaConfig(accountId);
 oktaConfig.setClientId(clientId);
 oktaConfig.setClientSecret(clientSecret);
 oktaConfig.setAuthorisationServerId(authorisationServerId);
@@ -47,17 +53,9 @@ public String addOktaSso() {
 }
 public String deleteOktaSso() {
- DeleteResult result;
- if(DashboardMode.isOnPremDeployment()) {
- result = ConfigsDao.instance.deleteAll(Filters.eq("_id", "OKTA-ankush"));
- } else {
- result = ConfigsDao.instance.deleteAll(
- Filters.and(
- Filters.eq("_id", "OKTA-ankush"),
- Filters.eq(Config.OktaConfig.ACCOUNT_ID, Context.accountId.get())
- )
- );
- }
+ int accountId = Context.accountId.get();
+ Bson idFilter = Filters.eq(Constants.ID, OktaConfig.getOktaId(accountId));
+ DeleteResult result = ConfigsDao.instance.deleteAll(idFilter);
 if (result.getDeletedCount() > 0) {
 for (Object obj : UsersDao.instance.getAllUsersInfoForTheAccount(Context.accountId.get())) {
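Review bot: `new Config.OktaConfig(accountId)` only derives the `_id` from the account; the `OktaConfig(int)` constructor added to Config.java in this same commit sets `configType` and `id` and nothing else, while `Config.getOktaConfig(int)` and `SsoUtils.isAnySsoActive()` still filter on `OktaConfig.ACCOUNT_ID`. Unless the rest of addOktaSso (the method starts and ends outside this hunk) populates that field, a config saved here will not match those lookups in a multi-account deployment. If a setter exists, `oktaConfig.setAccountId(accountId);` next to the other setters closes the gap; otherwise a comment on the constructor call stating that the id alone scopes the record would tell the next reader the `ACCOUNT_ID` filter is redundant.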
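Review bot: The new delete filter drops both the on-prem distinction and the `Filters.eq(Config.OktaConfig.ACCOUNT_ID, …)` conjunct, so a record is now removed on `_id` alone, whereas `Config.getOktaConfig` and `SsoUtils.isAnySsoActive` in this same commit keep the account-id conjunct for non-on-prem deployments. The embedded account id makes the conjunct logically redundant, but as written the tenant check lives in some readers and not in the deleter. Either keep it here as defence in depth, `Bson idFilter = Filters.and(Filters.eq(Constants.ID, OktaConfig.getOktaId(accountId)), Filters.eq(OktaConfig.ACCOUNT_ID, accountId));` on the metered path, or drop it everywhere and document that the id is the tenant boundary. The new `accountId` local should also replace the second `Context.accountId.get()` in the `for` header, whose loop body continues past this hunk.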
@@ -72,13 +70,9 @@ public String deleteOktaSso() {
 @Override
 public String execute() throws Exception {
- Config.OktaConfig oktaConfig;
- if(DashboardMode.isOnPremDeployment()) {
- oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne("_id", "OKTA-ankush");
- } else {
- String email = getSUser().getLogin();
- oktaConfig = Config.getOktaConfig(email);
- }
+ int accountId = Context.accountId.get();
+ Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, OktaConfig.getOktaId(accountId));
+
 if (SsoUtils.isAnySsoActive() && oktaConfig == null) {
 addActionError("A different SSO Integration already exists.");
 return ERROR.toUpperCase();
diff --git a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java
index eab2ec43ae..6e7a7e78c7 100644
--- a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java
+++ b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java
@@ -33,6 +33,7 @@
 import com.akto.dto.ApiCollectionUsers.CollectionType;
 import com.akto.dto.Config.AzureConfig;
 import com.akto.dto.Config.ConfigType;
+import com.akto.dto.Config.OktaConfig;
 import com.akto.dto.RBAC.Role;
 import com.akto.dto.User.AktoUIMode;
 import com.akto.dto.data_types.Conditions;
@@ -136,6 +137,7 @@
 import org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner.stdDSA;
 import org.bson.conversions.Bson;
 import org.bson.types.ObjectId;
+import org.checkerframework.checker.units.qual.C;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
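Review bot: The new lookup in execute() is an inline copy of `Config.getOktaConfig(int)` from this commit minus its `ACCOUNT_ID` conjunct, and it also replaces the old email-based resolution on the metered path with `Context.accountId`. If id-only lookup is now the intended contract, a one-line comment here, `// account id is embedded in the config _id; no ACCOUNT_ID filter needed`, stops the next reader from re-adding it; otherwise calling `Config.getOktaConfig(accountId)` keeps the two code paths in step. With the on-prem branch gone, `DashboardMode` may now be unused in this class (its import survives in the first hunk) — worth checking once the whole file is in view. execute() continues past this hunk.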
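Review bot: `import org.checkerframework.checker.units.qual.C;` looks like an accidental IDE auto-import: it is a units-of-measure qualifier annotation, nothing added in this commit references `C`, and it makes the dashboard module's compilation depend on the checker-qual artifact being on the classpath. Unless it is used elsewhere in this file, drop the line.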
@@ -2922,6 +2924,27 @@ private static void deleteOptionsAPIs(BackwardCompatibility backwardCompatibilit
 }
 }
+ private static void moveOktaOidcSSO(BackwardCompatibility backwardCompatibility){
+ if(backwardCompatibility.getMoveOktaOidcSSO() == 0){
+ String saltId = ConfigType.OKTA.name() + Config.CONFIG_SALT;
+ Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(
+ Filters.eq(Constants.ID, saltId)
+ );
+ if(oktaConfig != null){
+ int accountId = Context.accountId.get();
+ oktaConfig.setId(OktaConfig.getOktaId(accountId));
+ ConfigsDao.instance.insertOne(oktaConfig);
+ ConfigsDao.instance.deleteAll(
+ Filters.eq(Constants.ID, saltId)
+ );
+ }
+ BackwardCompatibilityDao.instance.updateOne(
+ Filters.eq("_id", backwardCompatibility.getId()),
+ Updates.set(BackwardCompatibility.MOVE_OKTA_OIDC_SSO, Context.now())
+ );
+ }
+ }
+
 public static void setBackwardCompatibilities(BackwardCompatibility backwardCompatibility){
 if (DashboardMode.isMetered()) {
 initializeOrganizationAccountBelongsTo(backwardCompatibility);
@@ -2953,6 +2976,7 @@ public static void setBackwardCompatibilities(BackwardCompatibility backwardComp
 dropSpecialCharacterApiCollections(backwardCompatibility);
 addDefaultAdvancedFilters(backwardCompatibility);
 moveAzureSamlConfig(backwardCompatibility);
+ moveOktaOidcSSO(backwardCompatibility);
 }
 public static void printMultipleHosts(int apiCollectionId) {
diff --git a/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java b/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java
index 317690ae59..320040d9fa 100644
--- a/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java
+++ b/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java
@@ -8,6 +8,7 @@
 import com.akto.dao.context.Context;
 import com.akto.dto.Config;
 import com.akto.dto.Config.OktaConfig;
+import com.akto.util.Constants;
 import com.akto.utils.sso.SsoUtils;
 public class OktaLogin {
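Review bot: moveOktaOidcSSO looks up the legacy global record `OKTA + CONFIG_SALT` by `_id` alone, re-keys it to whatever `Context.accountId.get()` is when the migration runs, and then deletes the original. In a multi-account (metered) deployment that record was shared, so the first account whose `setBackwardCompatibilities` runs takes ownership of the Okta client id and secret and every other account finds nothing afterwards; if the legacy document carried another tenant's `ACCOUNT_ID`, that tenant's client secret is re-homed to the wrong account. The pre-change `deleteOktaSso` applied `Filters.eq(OktaConfig.ACCOUNT_ID, accountId)` for non-on-prem deployments, and the migration should use the same filter for both the `findOne` and the `deleteAll` so only the owning account moves its record. Hoisting `accountId` above the lookup and reusing a single filter also rules out one account deleting a record it did not migrate; the flag update at the end is unchanged.

```java
    private static void moveOktaOidcSSO(BackwardCompatibility backwardCompatibility){
        if(backwardCompatibility.getMoveOktaOidcSSO() == 0){
            int accountId = Context.accountId.get();
            String saltId = ConfigType.OKTA.name() + Config.CONFIG_SALT;
            // Only re-key the legacy record that belongs to this account; on-prem
            // records pre-date the accountId field, so they are matched on _id alone.
            Bson legacyFilter = DashboardMode.isOnPremDeployment()
                    ? Filters.eq(Constants.ID, saltId)
                    : Filters.and(Filters.eq(Constants.ID, saltId),
                                  Filters.eq(OktaConfig.ACCOUNT_ID, accountId));
            Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(legacyFilter);
            if(oktaConfig != null){
                oktaConfig.setId(OktaConfig.getOktaId(accountId));
                ConfigsDao.instance.insertOne(oktaConfig);
                ConfigsDao.instance.deleteAll(legacyFilter);
            }
            // … unchanged: BackwardCompatibilityDao updateOne marking MOVE_OKTA_OIDC_SSO …
        }
    }
```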
@@ -23,7 +24,7 @@ public static OktaLogin getInstance() {
 }
 if (shouldProbeAgain) {
- OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne("_id", "OKTA-ankush");
+ OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, OktaConfig.getOktaId(Context.accountId.get()));
 if (instance == null) {
 instance = new OktaLogin();
 }
diff --git a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java
index 986e11ba89..b2e4b89254 100644
--- a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java
+++ b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java
@@ -35,18 +35,19 @@ public static boolean isAnySsoActive(int accountId){
 }
 public static boolean isAnySsoActive(){
+ int accountId = Context.accountId.get();
+ String oktaIdString = OktaConfig.getOktaId(accountId);
 if(DashboardMode.isMetered() && !DashboardMode.isOnPremDeployment()){
- int accountId = Context.accountId.get();
 if(!isAnySsoActive(accountId)){
 return ConfigsDao.instance.count(Filters.and(
- Filters.eq(Constants.ID, "OKTA-ankush"),
+ Filters.eq(Constants.ID, oktaIdString),
 Filters.eq(OktaConfig.ACCOUNT_ID, accountId)
 )) > 0;
 }else{
 return true;
 }
 }else{
- List ssoList = Arrays.asList("OKTA-ankush", "GITHUB-ankush", "AZURE-ankush");
+ List ssoList = Arrays.asList(oktaIdString, "GITHUB-ankush", "AZURE-ankush");
 Bson filter = Filters.in("_id", ssoList);
 return ConfigsDao.instance.count(filter) > 0;
 }
diff --git a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
index 7378433d99..b4b3a83f9a 100644
--- a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
+++ b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
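Review bot: The probe now keys on `Context.accountId.get()`, but its result is still kept in the static `instance` of a process-wide singleton — `getInstance()`, which starts outside this hunk, guards it with the shared `instance` and `shouldProbeAgain` fields visible here. In a multi-account (metered) deployment the first account to probe can have its Okta configuration served to, or hidden from, every other account until the next re-probe, so the cache needs to be keyed per account (e.g. a `ConcurrentHashMap<Integer, OktaLogin>`) or bypassed when several accounts share the process. `Context.accountId` also appears to be a thread-local `Integer` (its `.get()` is unboxed to pass an `int`); on an SSO login entry point it may not be populated yet, which would surface as an NPE on this line — worth confirming that every caller sets it first.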
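Review bot: `int accountId = Context.accountId.get();` has moved out of the metered branch, so the on-prem / non-metered `else` path now also unboxes the thread-local account id although it never touched it before; if that value can be unset on the path that reaches this check, the method throws an NPE where it used to return a result, and since `oktaIdString` is built from it the `else` branch now depends on an account being in context in any case. If on-prem can legitimately reach this without an account, the lookup needs a null guard or a fallback rather than an unboxing failure; if it cannot, a comment saying callers must run with `Context.accountId` set would make the new precondition explicit. While this line is being rewritten, `List ssoList` is a raw type and should be `List<String> ssoList`. The method's closing brace is outside this hunk.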
@@ -100,6 +100,9 @@ public class BackwardCompatibility {
 public static final String DELETE_OPTIONS_API = "deleteOptionsAPIs";
 private int deleteOptionsAPIs;
+ public static final String MOVE_OKTA_OIDC_SSO = "moveOktaOidcSSO";
+ private int moveOktaOidcSSO;
+
 public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTypeInfoCount, int dropWorkflowTestResult, int readyForNewTestingFramework,int addAktoDataTypes, boolean deploymentStatusUpdated, int authMechanismData, boolean mirroringLambdaTriggered, int deleteAccessListFromApiToken,
@@ -109,7 +112,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
 int loginSignupGroups, int vulnerableApiUpdationVersionV1, int riskScoreGroups, int deactivateCollections, int disableAwsSecretPii, int apiCollectionAutomatedField, int automatedApiGroups, int addAdminRoleIfAbsent, int dropSpecialCharacterApiCollections, int fixApiAccessType,
- int addDefaultFilters, int moveAzureSamlToNormalSaml, int deleteOptionsAPIs) {
+ int addDefaultFilters, int moveAzureSamlToNormalSaml, int deleteOptionsAPIs, int moveOktaOidcSSO) {
 this.id = id;
 this.dropFilterSampleData = dropFilterSampleData;
 this.resetSingleTypeInfoCount = resetSingleTypeInfoCount;
@@ -141,6 +144,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
 this.fixApiAccessType = fixApiAccessType;
 this.moveAzureSamlToNormalSaml = moveAzureSamlToNormalSaml;
 this.deleteOptionsAPIs = deleteOptionsAPIs;
+ this.moveOktaOidcSSO = moveOktaOidcSSO;
 }
 public BackwardCompatibility() {
@@ -425,4 +429,12 @@ public int getDeleteOptionsAPIs() {
 public void setDeleteOptionsAPIs(int deleteOptionsAPIs) {
 this.deleteOptionsAPIs = deleteOptionsAPIs;
 }
+
+ public int getMoveOktaOidcSSO() {
+ return moveOktaOidcSSO;
+ }
+
+ public void setMoveOktaOidcSSO(int moveOktaOidcSSO) {
+ this.moveOktaOidcSSO = moveOktaOidcSSO;
+ }
 }
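Review bot: Appending `int moveOktaOidcSSO` as yet another positional parameter to a constructor that already takes dozens of same-typed `int` flags means every caller must be updated in exactly the right order, and a swapped pair of ints compiles silently. Since the class also has a no-arg constructor and the last hunk adds `setMoveOktaOidcSSO`, new flags could stay out of the long constructor and be set through the setter, or the constructor could be replaced by a builder. At minimum, a short comment on the new field would help readers: `// 0 = migration not yet run; otherwise the Context.now() timestamp at which the Okta config was re-keyed per account`, which is how InitializerListener.moveOktaOidcSSO uses it in this commit.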
diff --git a/libs/dao/src/main/java/com/akto/dto/Config.java b/libs/dao/src/main/java/com/akto/dto/Config.java
index 570346bed7..63c67da9da 100644
--- a/libs/dao/src/main/java/com/akto/dto/Config.java
+++ b/libs/dao/src/main/java/com/akto/dto/Config.java
@@ -365,9 +365,17 @@ public static class OktaConfig extends Config {
 public static final String CONFIG_ID = ConfigType.OKTA.name() + CONFIG_SALT;
- public OktaConfig() {
+ public OktaConfig(){
 this.configType = ConfigType.OKTA;
- this.id = CONFIG_ID;
+ }
+
+ public static String getOktaId(int accountId){
+ return CONFIG_ID + "_" + accountId;
+ }
+
+ public OktaConfig(int id) {
+ this.configType = ConfigType.OKTA;
+ this.id = CONFIG_ID + "_" + id;
 }
 public String getClientId() {
@@ -686,9 +694,10 @@ public static boolean isConfigSSOType(ConfigType configType){
 }
 public static OktaConfig getOktaConfig(int accountId) {
+ String id = OktaConfig.getOktaId(accountId);
 OktaConfig config = (OktaConfig) ConfigsDao.instance.findOne(
 Filters.and(
- Filters.eq("_id", "OKTA-ankush"),
+ Filters.eq("_id", id),
 Filters.eq(OktaConfig.ACCOUNT_ID, accountId)
 )
 );
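Review bot: `OktaConfig(int id)` names its parameter `id` although the value is an account id, and it rebuilds the `CONFIG_ID + "_" + …` string instead of calling the `getOktaId` helper introduced a few lines above, so the two can drift apart. `public OktaConfig(int accountId) { this.configType = ConfigType.OKTA; this.id = getOktaId(accountId); }` fixes both. Note also that the no-arg constructor no longer assigns `id`, so any remaining `new OktaConfig()` caller that persists the object writes a document without the expected `_id`, and neither constructor sets the field behind `OktaConfig.ACCOUNT_ID` that `getOktaConfig` filters on — whether callers set it elsewhere is not visible here, so a Javadoc on each constructor stating which fields it leaves for the caller would be worthwhile.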
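Review bot: `Filters.eq("_id", id)` keeps the string literal while the other call sites touched by this commit (`OktaSsoAction`, `OktaLogin`, `SsoUtils`) switched to `Constants.ID`; if `Constants` is reachable from Config.java, `Filters.eq(Constants.ID, id)` keeps the key name in one place. Since `getOktaId` already embeds the account in the id, a one-line comment on the `Filters.and` saying the `ACCOUNT_ID` conjunct is intentional defence in depth would explain why this reader keeps it when `deleteOktaSso` in the same commit does not. The handling of `config` continues past this hunk.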