From 4710d704a25c1f1206a2958771a5e1b6458e107b Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Fri, 3 Jan 2025 21:10:29 +0530 Subject: [PATCH 1/3] moving okta-sso for new id --- .../com/akto/action/user/OktaSsoAction.java | 7 +++++- .../akto/listener/InitializerListener.java | 22 +++++++++++++++++++ .../com/akto/dto/BackwardCompatibility.java | 14 +++++++++++- .../src/main/java/com/akto/dto/Config.java | 5 +++-- 4 files changed, 44 insertions(+), 4 deletions(-) diff --git a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java index 719c9a01d9..ca5c7d88e6 100644 --- a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java @@ -2,12 +2,16 @@ import java.util.ArrayList; +import org.yaml.snakeyaml.scanner.Constant; + import com.akto.action.UserAction; import com.akto.dao.ConfigsDao; import com.akto.dao.UsersDao; import com.akto.dao.context.Context; import com.akto.dto.Config; import com.akto.dto.User; +import com.akto.dto.Config.ConfigType; +import com.akto.util.Constants; import com.akto.util.DashboardMode; import com.akto.utils.sso.SsoUtils; import com.mongodb.BasicDBObject; @@ -74,7 +78,8 @@ public String deleteOktaSso() { public String execute() throws Exception { Config.OktaConfig oktaConfig; if(DashboardMode.isOnPremDeployment()) { - oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne("_id", "OKTA-ankush"); + int accountId = Context.accountId.get(); + oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, ConfigType.OKTA.name() + "_" + accountId); } else { String email = getSUser().getLogin(); oktaConfig = Config.getOktaConfig(email); diff --git a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java index eab2ec43ae..c0b1307546 100644 
--- a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java +++ b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java @@ -136,6 +136,7 @@ import org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner.stdDSA; import org.bson.conversions.Bson; import org.bson.types.ObjectId; +import org.checkerframework.checker.units.qual.C; import org.json.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -2922,6 +2923,26 @@ private static void deleteOptionsAPIs(BackwardCompatibility backwardCompatibilit } } + private static void moveOktaOidcSSO(BackwardCompatibility backwardCompatibility){ + if(backwardCompatibility.getMoveOktaOidcSSO() == 0){ + String saltId = ConfigType.OKTA.name() + Config.CONFIG_SALT; + Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne( + Filters.eq(Constants.ID, saltId) + ); + int accountId = Context.accountId.get(); + oktaConfig.setId(saltId + "_" + accountId); + ConfigsDao.instance.deleteAll( + Filters.eq(Constants.ID, saltId) + ); + + ConfigsDao.instance.insertOne(oktaConfig); + BackwardCompatibilityDao.instance.updateOne( + Filters.eq("_id", backwardCompatibility.getId()), + Updates.set(BackwardCompatibility.MOVE_OKTA_OIDC_SSO, Context.now()) + ); + } + } + public static void setBackwardCompatibilities(BackwardCompatibility backwardCompatibility){ if (DashboardMode.isMetered()) { initializeOrganizationAccountBelongsTo(backwardCompatibility); @@ -2953,6 +2974,7 @@ public static void setBackwardCompatibilities(BackwardCompatibility backwardComp dropSpecialCharacterApiCollections(backwardCompatibility); addDefaultAdvancedFilters(backwardCompatibility); moveAzureSamlConfig(backwardCompatibility); + moveOktaOidcSSO(backwardCompatibility); } public static void printMultipleHosts(int apiCollectionId) { 
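Review bot: `import org.checkerframework.checker.units.qual.C;` is not used by anything this change adds to InitializerListener and looks like an IDE auto-import; it should be dropped, because it pulls a checker-qual annotation type into a file that has no other use for it and may fail compilation where that artifact is not on the dashboard classpath. Patches 2 and 3 both touch this file again without removing it.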
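Review bot: moveOktaOidcSSO takes the owning account from `Context.accountId.get()` while the document it moves is a single global record (`_id` equal to `saltId`), so whichever account's backward-compatibility run finds it first claims it, regardless of what the document's own `accountId` field (the one `OktaConfig.ACCOUNT_ID` names and `getOktaConfig(int)` filters on) says. In a multi-account deployment that can attach one account's Okta client id and secret to another account's login path and leave the real owner with no config, and nothing in the hunk sets `accountId` on the moved document to match the new suffix, so a lookup that also filters on `OktaConfig.ACCOUNT_ID` will miss it. I would read the owner from the document's `accountId` field when it is populated, skip the move when it belongs to a different account, and write both the new `_id` and `accountId` before inserting; the same lines are carried forward by this function's hunks in patches 2 and 3. That this runs once per account is inferred from `backwardCompatibility.getId()` and the use of `Context.accountId`, which the hunk does not show.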
diff --git a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java index 7378433d99..b4b3a83f9a 100644 --- a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java +++ b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java @@ -100,6 +100,9 @@ public class BackwardCompatibility { public static final String DELETE_OPTIONS_API = "deleteOptionsAPIs"; private int deleteOptionsAPIs; + public static final String MOVE_OKTA_OIDC_SSO = "moveOktaOidcSSO"; + private int moveOktaOidcSSO; + public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTypeInfoCount, int dropWorkflowTestResult, int readyForNewTestingFramework,int addAktoDataTypes, boolean deploymentStatusUpdated, int authMechanismData, boolean mirroringLambdaTriggered, int deleteAccessListFromApiToken, @@ -109,7 +112,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy int loginSignupGroups, int vulnerableApiUpdationVersionV1, int riskScoreGroups, int deactivateCollections, int disableAwsSecretPii, int apiCollectionAutomatedField, int automatedApiGroups, int addAdminRoleIfAbsent, int dropSpecialCharacterApiCollections, int fixApiAccessType, - int addDefaultFilters, int moveAzureSamlToNormalSaml, int deleteOptionsAPIs) { + int addDefaultFilters, int moveAzureSamlToNormalSaml, int deleteOptionsAPIs, int moveOktaOidcSSO) { this.id = id; this.dropFilterSampleData = dropFilterSampleData; this.resetSingleTypeInfoCount = resetSingleTypeInfoCount; @@ -141,6 +144,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy this.fixApiAccessType = fixApiAccessType; this.moveAzureSamlToNormalSaml = moveAzureSamlToNormalSaml; this.deleteOptionsAPIs = deleteOptionsAPIs; + this.moveOktaOidcSSO = moveOktaOidcSSO; } public BackwardCompatibility() { 
@@ -425,4 +429,12 @@ public int getDeleteOptionsAPIs() { public void setDeleteOptionsAPIs(int deleteOptionsAPIs) { this.deleteOptionsAPIs = deleteOptionsAPIs; } + + public int getMoveOktaOidcSSO() { + return moveOktaOidcSSO; + } + + public void setMoveOktaOidcSSO(int moveOktaOidcSSO) { + this.moveOktaOidcSSO = moveOktaOidcSSO; + } } diff --git a/libs/dao/src/main/java/com/akto/dto/Config.java b/libs/dao/src/main/java/com/akto/dto/Config.java index 570346bed7..c11d04d60d 100644 --- a/libs/dao/src/main/java/com/akto/dto/Config.java +++ b/libs/dao/src/main/java/com/akto/dto/Config.java @@ -367,7 +367,7 @@ public static class OktaConfig extends Config { public OktaConfig() { this.configType = ConfigType.OKTA; - this.id = CONFIG_ID; + this.id = CONFIG_ID + "_" + this.accountId; } public String getClientId() { @@ -686,9 +686,10 @@ public static boolean isConfigSSOType(ConfigType configType){ } public static OktaConfig getOktaConfig(int accountId) { + String id = ConfigType.OKTA.name() + CONFIG_SALT + "_" + accountId; OktaConfig config = (OktaConfig) ConfigsDao.instance.findOne( Filters.and( - Filters.eq("_id", "OKTA-ankush"), + Filters.eq("_id", id), Filters.eq(OktaConfig.ACCOUNT_ID, accountId) ) ); From 66c867dc82d4307eb0a644ef64ee9c4fc3eaf38e Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Fri, 3 Jan 2025 22:37:15 +0530 Subject: [PATCH 2/3] Fixing saving of id --- .../com/akto/action/user/OktaSsoAction.java | 33 +++++++------------ .../akto/listener/InitializerListener.java | 3 +- .../java/com/akto/utils/sso/SsoUtils.java | 5 +-- .../src/main/java/com/akto/dto/Config.java | 14 ++++++-- 4 files changed, 27 insertions(+), 28 deletions(-) diff --git a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java index ca5c7d88e6..94632d8006 100644 --- a/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/user/OktaSsoAction.java 
@@ -2,7 +2,7 @@ import java.util.ArrayList; -import org.yaml.snakeyaml.scanner.Constant; +import org.bson.conversions.Bson; import com.akto.action.UserAction; import com.akto.dao.ConfigsDao; @@ -10,7 +10,7 @@ import com.akto.dao.context.Context; import com.akto.dto.Config; import com.akto.dto.User; -import com.akto.dto.Config.ConfigType; +import com.akto.dto.Config.OktaConfig; import com.akto.util.Constants; import com.akto.util.DashboardMode; import com.akto.utils.sso.SsoUtils; @@ -33,7 +33,9 @@ public String addOktaSso() { return ERROR.toUpperCase(); } - Config.OktaConfig oktaConfig = new Config.OktaConfig(); + int accountId = Context.accountId.get(); + + Config.OktaConfig oktaConfig = new Config.OktaConfig(accountId); oktaConfig.setClientId(clientId); oktaConfig.setClientSecret(clientSecret); oktaConfig.setAuthorisationServerId(authorisationServerId); @@ -51,17 +53,9 @@ public String addOktaSso() { } public String deleteOktaSso() { - DeleteResult result; - if(DashboardMode.isOnPremDeployment()) { - result = ConfigsDao.instance.deleteAll(Filters.eq("_id", "OKTA-ankush")); - } else { - result = ConfigsDao.instance.deleteAll( - Filters.and( - Filters.eq("_id", "OKTA-ankush"), - Filters.eq(Config.OktaConfig.ACCOUNT_ID, Context.accountId.get()) - ) - ); - } + int accountId = Context.accountId.get(); + Bson idFilter = Filters.eq(Constants.ID, OktaConfig.getOktaId(accountId)); + DeleteResult result = ConfigsDao.instance.deleteAll(idFilter); if (result.getDeletedCount() > 0) { for (Object obj : UsersDao.instance.getAllUsersInfoForTheAccount(Context.accountId.get())) { 
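Review bot: deleteOktaSso reads `accountId` from the context on its first new line and then calls `Context.accountId.get()` again two lines later for `getAllUsersInfoForTheAccount`; the loop should reuse the local, `for (Object obj : UsersDao.instance.getAllUsersInfoForTheAccount(accountId)) {`, so the delete and the user sweep are guaranteed to target the same account. The body of deleteOktaSso continues past the end of the hunk.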
@@ -76,14 +70,9 @@ public String deleteOktaSso() { @Override public String execute() throws Exception { - Config.OktaConfig oktaConfig; - if(DashboardMode.isOnPremDeployment()) { - int accountId = Context.accountId.get(); - oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, ConfigType.OKTA.name() + "_" + accountId); - } else { - String email = getSUser().getLogin(); - oktaConfig = Config.getOktaConfig(email); - } + int accountId = Context.accountId.get(); + Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, OktaConfig.getOktaId(accountId)); + if (SsoUtils.isAnySsoActive() && oktaConfig == null) { addActionError("A different SSO Integration already exists."); return ERROR.toUpperCase(); diff --git a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java index c0b1307546..5bf7a2bcc1 100644 --- a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java +++ b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java @@ -33,6 +33,7 @@ import com.akto.dto.ApiCollectionUsers.CollectionType; import com.akto.dto.Config.AzureConfig; import com.akto.dto.Config.ConfigType; +import com.akto.dto.Config.OktaConfig; import com.akto.dto.RBAC.Role; import com.akto.dto.User.AktoUIMode; import com.akto.dto.data_types.Conditions; @@ -2930,7 +2931,7 @@ private static void moveOktaOidcSSO(BackwardCompatibility backwardCompatibility) Filters.eq(Constants.ID, saltId) ); int accountId = Context.accountId.get(); - oktaConfig.setId(saltId + "_" + accountId); + oktaConfig.setId(OktaConfig.getOktaId(accountId)); ConfigsDao.instance.deleteAll( Filters.eq(Constants.ID, saltId) ); diff --git a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java index 986e11ba89..4f3e3de1e9 100644 
--- a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java +++ b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java @@ -35,8 +35,8 @@ public static boolean isAnySsoActive(int accountId){ } public static boolean isAnySsoActive(){ + int accountId = Context.accountId.get(); if(DashboardMode.isMetered() && !DashboardMode.isOnPremDeployment()){ - int accountId = Context.accountId.get(); if(!isAnySsoActive(accountId)){ return ConfigsDao.instance.count(Filters.and( Filters.eq(Constants.ID, "OKTA-ankush"), @@ -46,7 +46,8 @@ public static boolean isAnySsoActive(){ return true; } }else{ - List ssoList = Arrays.asList("OKTA-ankush", "GITHUB-ankush", "AZURE-ankush"); + String oktaIdString = OktaConfig.getOktaId(accountId); + List ssoList = Arrays.asList(oktaIdString, "GITHUB-ankush", "AZURE-ankush"); Bson filter = Filters.in("_id", ssoList); return ConfigsDao.instance.count(filter) > 0; } diff --git a/libs/dao/src/main/java/com/akto/dto/Config.java b/libs/dao/src/main/java/com/akto/dto/Config.java index c11d04d60d..63c67da9da 100644 --- a/libs/dao/src/main/java/com/akto/dto/Config.java +++ b/libs/dao/src/main/java/com/akto/dto/Config.java @@ -365,9 +365,17 @@ public static class OktaConfig extends Config { public static final String CONFIG_ID = ConfigType.OKTA.name() + CONFIG_SALT; - public OktaConfig() { + public OktaConfig(){ this.configType = ConfigType.OKTA; - this.id = CONFIG_ID + "_" + this.accountId; + } + + public static String getOktaId(int accountId){ + return CONFIG_ID + "_" + accountId; + } + + public OktaConfig(int id) { + this.configType = ConfigType.OKTA; + this.id = CONFIG_ID + "_" + id; } public String getClientId() { 
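Review bot: `ssoList` is declared as a raw `List` on the line this hunk rewrites; `List<String> ssoList = Arrays.asList(oktaIdString, "GITHUB-ankush", "AZURE-ankush");` keeps the `Filters.in` argument type-checked. The two remaining literals are the same kind of global salted key that `OktaConfig.getOktaId` just replaced for Okta, so a comment on that line such as `// GitHub/Azure configs are still stored under the global salted id, not per account` would stop the next reader from assuming they were migrated too.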
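Review bot: `public OktaConfig(int id)` names its parameter `id` although the value is an account id, repeats the `CONFIG_ID + "_" + …` formula that `getOktaId` introduces in the same hunk, and never stores the value in `accountId`, yet `getOktaConfig(int)` and the metered branch of `SsoUtils.isAnySsoActive()` filter on `OktaConfig.ACCOUNT_ID`, so a document created through this constructor is only found if the caller (`addOktaSso` in this patch) sets the field separately, which its hunk does not show. I would write `public OktaConfig(int accountId) {` with `this.accountId = accountId;` and `this.id = getOktaId(accountId);` next to the existing `this.configType = ConfigType.OKTA;`. A one-line Javadoc on `getOktaId` saying that the suffix makes the stored config per-account and that bare `CONFIG_ID` is now only the legacy key consumed by the migration would also help.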
@@ -686,7 +694,7 @@ public static boolean isConfigSSOType(ConfigType configType){ } public static OktaConfig getOktaConfig(int accountId) { - String id = ConfigType.OKTA.name() + CONFIG_SALT + "_" + accountId; + String id = OktaConfig.getOktaId(accountId); OktaConfig config = (OktaConfig) ConfigsDao.instance.findOne( Filters.and( Filters.eq("_id", id), From b321ba6308a7069d57a4c538f50ccef27d7d8f51 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Fri, 3 Jan 2025 23:09:27 +0530 Subject: [PATCH 3/3] Fixing npe --- .../com/akto/listener/InitializerListener.java | 15 ++++++++------- .../src/main/java/com/akto/utils/OktaLogin.java | 3 ++- .../main/java/com/akto/utils/sso/SsoUtils.java | 4 ++-- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java index 5bf7a2bcc1..6e7a7e78c7 100644 --- a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java +++ b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java @@ -2930,13 +2930,14 @@ private static void moveOktaOidcSSO(BackwardCompatibility backwardCompatibility) Config.OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne( Filters.eq(Constants.ID, saltId) ); - int accountId = Context.accountId.get(); - oktaConfig.setId(OktaConfig.getOktaId(accountId)); - ConfigsDao.instance.deleteAll( - Filters.eq(Constants.ID, saltId) - ); - - ConfigsDao.instance.insertOne(oktaConfig); + if(oktaConfig != null){ + int accountId = Context.accountId.get(); + oktaConfig.setId(OktaConfig.getOktaId(accountId)); + ConfigsDao.instance.insertOne(oktaConfig); + ConfigsDao.instance.deleteAll( + Filters.eq(Constants.ID, saltId) + ); + } BackwardCompatibilityDao.instance.updateOne( Filters.eq("_id", backwardCompatibility.getId()), Updates.set(BackwardCompatibility.MOVE_OKTA_OIDC_SSO, Context.now()) 
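Review bot: Inserting before deleting is the right order, but the step is not idempotent: if an earlier run inserted the `getOktaId(accountId)` document and then failed before `deleteAll` and the flag update, the next start finds the legacy document again and `insertOne` collides on the duplicate `_id`, and because `MOVE_OKTA_OIDC_SSO` is only written after the block, every restart repeats this (how the exception surfaces from `setBackwardCompatibilities` is not visible here). Checking for an existing document under the new id before inserting, or replacing with upsert on the new id, would make the migration safe to re-run. The function starts outside this hunk.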
diff --git a/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java b/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java index 317690ae59..320040d9fa 100644 --- a/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java +++ b/apps/dashboard/src/main/java/com/akto/utils/OktaLogin.java @@ -8,6 +8,7 @@ import com.akto.dao.context.Context; import com.akto.dto.Config; import com.akto.dto.Config.OktaConfig; +import com.akto.util.Constants; import com.akto.utils.sso.SsoUtils; public class OktaLogin { @@ -23,7 +24,7 @@ public static OktaLogin getInstance() { } if (shouldProbeAgain) { - OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne("_id", "OKTA-ankush"); + OktaConfig oktaConfig = (Config.OktaConfig) ConfigsDao.instance.findOne(Constants.ID, OktaConfig.getOktaId(Context.accountId.get())); if (instance == null) { instance = new OktaLogin(); } diff --git a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java index 4f3e3de1e9..b2e4b89254 100644 --- a/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java +++ b/apps/dashboard/src/main/java/com/akto/utils/sso/SsoUtils.java @@ -36,17 +36,17 @@ public static boolean isAnySsoActive(int accountId){ public static boolean isAnySsoActive(){ int accountId = Context.accountId.get(); + String oktaIdString = OktaConfig.getOktaId(accountId); if(DashboardMode.isMetered() && !DashboardMode.isOnPremDeployment()){ if(!isAnySsoActive(accountId)){ return ConfigsDao.instance.count(Filters.and( - Filters.eq(Constants.ID, "OKTA-ankush"), + Filters.eq(Constants.ID, oktaIdString), Filters.eq(OktaConfig.ACCOUNT_ID, accountId) )) > 0; }else{ return true; } }else{ - String oktaIdString = OktaConfig.getOktaId(accountId); List ssoList = Arrays.asList(oktaIdString, "GITHUB-ankush", "AZURE-ankush"); Bson filter = Filters.in("_id", ssoList); return ConfigsDao.instance.count(filter) > 0;
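Review bot: `getInstance()` now resolves the Okta config through `Context.accountId.get()` but still caches the result in the static singleton `instance`, so in a deployment with more than one account the config (client id, secret, authorisation server) loaded for whichever account probes first is what every later caller sees until `shouldProbeAgain` flips, an account-mixing risk in the login flow that the old global `OKTA-ankush` key did not carry. If this probe also runs on requests before login, `Context.accountId.get()` may be null there and the unboxing throws, where the previous lookup needed no account at all. Either key the cached config by account id or document on the class that it is only valid for single-account deployments; how `instance` is consumed is outside the hunk.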