From 010f93b0c1098d2e959f8f506e2b0a230e78fad7 Mon Sep 17 00:00:00 2001
From: ayushaga14
Date: Fri, 12 Apr 2024 16:18:36 +0530
Subject: [PATCH 1/4] update vuln col on login
---
 .../main/java/com/akto/action/LoginAction.java | 16 ++++++++++++++++
 .../java/com/akto/listener/RuntimeListener.java | 2 +-
 .../java/com/akto/dto/BackwardCompatibility.java | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
index 47643a12ed..9693fcb356 100644
--- a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
+++ b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
@@ -1,13 +1,16 @@
 package com.akto.action;
+import com.akto.dao.BackwardCompatibilityDao;
 import com.akto.dao.SignupDao;
 import com.akto.dao.SingleTypeInfoDao;
 import com.akto.dao.UsersDao;
 import com.akto.dao.context.Context;
+import com.akto.dto.BackwardCompatibility;
 import com.akto.dto.Config;
 import com.akto.dto.SignupInfo;
 import com.akto.dto.SignupUserInfo;
 import com.akto.dto.User;
+import com.akto.listener.RuntimeListener;
 import com.akto.utils.Token;
 import com.akto.utils.JWT;
 import com.mongodb.BasicDBObject;
@@ -99,6 +102,19 @@ public String execute() throws IOException {
 private void decideFirstPage(BasicDBObject loginResult, int accountId){
 Context.accountId.set(accountId);
+ try {
+ // add backward compatibility check
+ BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
+ if (backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
+ RuntimeListener.addSampleData();
+ }
+ BackwardCompatibilityDao.instance.updateOne(
+ Filters.eq("_id", backwardCompatibility.getId()),
+ Updates.set(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, Context.now())
+ );
+ } catch (Exception e) {
+ logger.error("error updating vulnerable api's collection" + e.getMessage());
+ }
 long count = SingleTypeInfoDao.instance.getEstimatedCount();
 if(count == 0){
 logger.info("New user, showing quick start page");
diff --git a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java
index 5bc00da003..f94467cede 100644
--- a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java
+++ b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java
@@ -79,7 +79,7 @@ public void accept(Account account) {
 try {
 initialiseDemoCollections();
- addSampleData();
+ //addSampleData();
 } catch (Exception e) {
 loggerMaker.errorAndAddToDb(e,"Error while initialising demo collections: " + e, LoggerMaker.LogDb.DASHBOARD);
 }
diff --git a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
index b4066eff8c..1d19d9456f 100644
--- a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
+++ b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
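Review bot: The result of `BackwardCompatibilityDao.instance.findOne(new BasicDBObject())` on the third added line is dereferenced with no null check, so an account whose backward-compatibility document is missing (assuming the DAO follows the driver's findOne contract and returns null on no match) becomes a NullPointerException that the catch-all reports as `error updating vulnerable api's collection` + `e.getMessage()` — typically `null` for an NPE, with no stack trace and no separating space. A null check before `getVulnerableApiUpdationVersionV1()`/`getId()` and passing the throwable to the logger, `logger.error("error updating vulnerable api's collection for account {}", accountId, e);`, would make the failure diagnosable, and it matches the `(message, e)` form the execute()-level catch in PATCH 3/4 already uses. The same `e.getMessage()`-only logging carries over into the PATCH 2/4 and PATCH 3/4 versions of this code. decideFirstPage's body continues outside the hunk.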
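Review bot: The replacement line keeps the call as commented-out code, `//addSampleData();`, instead of deleting it, which leaves a reader guessing whether it is dead or temporarily disabled and says nothing about where the seeding moved. Remove the line and, if a marker is wanted, use a why-comment such as `// sample vulnerable-API data is now seeded per account from LoginAction's backward-compatibility check`. accept()'s body continues outside the hunk.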
@@ -59,12 +59,15 @@ public class BackwardCompatibility {
 public static final String DEFAULT_TELEMETRY_SETTINGS = "defaultTelemetrySettings";
 private int defaultTelemetrySettings;
+ public static final String VULNERABLE_API_UPDATION_VERSION_V1 = "vulnerableApiUpdationVersionV1";
+ private int vulnerableApiUpdationVersionV1;
+
 public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTypeInfoCount, int dropWorkflowTestResult, int readyForNewTestingFramework,int addAktoDataTypes, boolean deploymentStatusUpdated, int authMechanismData, boolean mirroringLambdaTriggered, int deleteAccessListFromApiToken, int deleteNullSubCategoryIssues, int enableNewMerging, int aktoDefaultNewUI, int initializeOrganizationAccountBelongsTo, int orgsInBilling,
- int computeIntegratedConnections, int deleteLastCronRunInfo) {
+ int computeIntegratedConnections, int deleteLastCronRunInfo, int vulnerableApiUpdationVersionV1) {
 this.id = id;
 this.dropFilterSampleData = dropFilterSampleData;
 this.resetSingleTypeInfoCount = resetSingleTypeInfoCount;
@@ -83,6 +86,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
 this.initializeOrganizationAccountBelongsTo = initializeOrganizationAccountBelongsTo;
 this.orgsInBilling = orgsInBilling;
 this.deleteLastCronRunInfo = deleteLastCronRunInfo;
+ this.vulnerableApiUpdationVersionV1 = vulnerableApiUpdationVersionV1;
 }
 public BackwardCompatibility() {
@@ -247,4 +251,12 @@ public int getDefaultTelemetrySettings() {
 public void setDefaultTelemetrySettings(int defaultTelemetrySettings) {
 this.defaultTelemetrySettings = defaultTelemetrySettings;
 }
+
+ public int getVulnerableApiUpdationVersionV1() {
+ return vulnerableApiUpdationVersionV1;
+ }
+
+ public void setVulnerableApiUpdationVersionV1(int vulnerableApiUpdationVersionV1) {
+ this.vulnerableApiUpdationVersionV1 = vulnerableApiUpdationVersionV1;
+ }
 }
From d3c039fe8f1ddba3eb0c6190df72c1b9da4e90af Mon Sep 17 00:00:00 2001
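Review bot: The new field `vulnerableApiUpdationVersionV1` is undocumented, and its name says "version" while the value LoginAction writes into it in this same patch is `Context.now()`, so a reader of this DTO cannot tell whether 0 means "not yet migrated" or "version zero". A comment on the field would settle it: `// Context.now() at the time sample vulnerable-API data was added for this account; 0 (the default for pre-existing documents) means not yet added.` The constructor also gains an 18th parameter, yet the diffstat lists no caller being updated, so either nothing calls this constructor (in which case the extra parameter is dead weight) or a call site outside the patch no longer compiles — worth confirming.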
From: ayushaga14
Date: Fri, 12 Apr 2024 16:52:44 +0530
Subject: [PATCH 2/4] run addsampleapi call in different thread
---
 .../java/com/akto/action/AccountAction.java | 7 ++++
 .../java/com/akto/action/LoginAction.java | 32 ++++++++++++-------
 2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/apps/dashboard/src/main/java/com/akto/action/AccountAction.java b/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
index f572eb31f0..3135d0a908 100644
--- a/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
+++ b/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
@@ -37,6 +37,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -52,6 +53,7 @@ public class AccountAction extends UserAction {
 public static final int MAX_NUM_OF_LAMBDAS_TO_FETCH = 50;
 private static final ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();
+ private static final ExecutorService service = Executors.newFixedThreadPool(1);
 @Override
 public String execute() {
@@ -309,6 +311,11 @@ public void run() {
 DaoInit.createIndices();
 Main.insertRuntimeFilters();
 RuntimeListener.initialiseDemoCollections();
+ service.submit(() ->{
+ Context.accountId.set(newAccountId);
+ loggerMaker.infoAndAddToDb("updating vulnerable api's collection for new account " + newAccountId, LogDb.DASHBOARD);
+ RuntimeListener.addSampleData();
+ });
 RuntimeListener.addSampleData();
 AccountSettingsDao.instance.updateOnboardingFlag(true);
 InitializerListener.insertPiiSources();
diff --git a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
index 9693fcb356..09e87df79e 100644
--- a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
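Review bot: The lambda passed to `service.submit` in the `run()` hunk has no try/catch, so an exception from `RuntimeListener.addSampleData()` for the new account is captured in the returned Future and, since nothing calls get() on it, is never logged — unlike the seeding in RuntimeListener.accept() (PATCH 1/4), which reports failures through `loggerMaker.errorAndAddToDb`. Wrapping the body as `try { … } catch (Exception e) { loggerMaker.errorAndAddToDb(e, "Error adding sample data for new account " + newAccountId, LogDb.DASHBOARD); }` keeps the failure visible. Separately, nothing in this hunk sets `VULNERABLE_API_UPDATION_VERSION_V1` for the new account, so unless its BackwardCompatibility document is created with a non-zero value elsewhere, the next login into that account will read 0 and seed the sample data a second time. run()'s body continues outside the hunk.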
+++ b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
@@ -11,6 +11,7 @@
 import com.akto.dto.SignupUserInfo;
 import com.akto.dto.User;
 import com.akto.listener.RuntimeListener;
+import com.akto.log.LoggerMaker.LogDb;
 import com.akto.utils.Token;
 import com.akto.utils.JWT;
 import com.mongodb.BasicDBObject;
@@ -32,6 +33,8 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import java.util.*;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 import static com.akto.filter.UserDetailsFilter.LOGIN_URI;
@@ -45,6 +48,7 @@ public class LoginAction implements Action, ServletResponseAware, ServletRequest
 private static final Logger logger = LoggerFactory.getLogger(LoginAction.class);
 public static final String REFRESH_TOKEN_COOKIE_NAME = "refreshToken";
+ private static final ExecutorService service = Executors.newFixedThreadPool(1);
 public BasicDBObject getLoginResult() {
 return loginResult;
 }
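Review bot: `Executors.newFixedThreadPool(1)` on the added `service` field creates an unnamed, non-daemon thread with an unbounded queue that is never shut down, so every login enqueues work that outlives the request and the thread can hold the JVM or webapp open at shutdown (unless the container's shutdown path handles it, which this hunk does not show). A factory that names the thread and marks it daemon, e.g. `Executors.newSingleThreadExecutor(r -> { Thread t = new Thread(r, "login-vuln-col-updater"); t.setDaemon(true); return t; })`, makes it identifiable in thread dumps and harmless at shutdown; the identical `service` field added to AccountAction in this patch could share it. The `com.akto.log.LoggerMaker.LogDb` import added in the first hunk is not used by any LoginAction line in this series, which log through the slf4j `logger`.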
@@ -102,19 +106,23 @@ public String execute() throws IOException {
 private void decideFirstPage(BasicDBObject loginResult, int accountId){
 Context.accountId.set(accountId);
- try {
- // add backward compatibility check
- BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
- if (backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
- RuntimeListener.addSampleData();
+ service.submit(() ->{
+ Context.accountId.set(accountId);
+ logger.info("updating vulnerable api's collection for account " + accountId);
+ try {
+ // add backward compatibility check
+ BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
+ if (backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
+ RuntimeListener.addSampleData();
+ }
+ BackwardCompatibilityDao.instance.updateOne(
+ Filters.eq("_id", backwardCompatibility.getId()),
+ Updates.set(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, Context.now())
+ );
+ } catch (Exception e) {
+ logger.error("error updating vulnerable api's collection for account " + accountId + " " + e.getMessage());
 }
- BackwardCompatibilityDao.instance.updateOne(
- Filters.eq("_id", backwardCompatibility.getId()),
- Updates.set(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, Context.now())
- );
- } catch (Exception e) {
- logger.error("error updating vulnerable api's collection" + e.getMessage());
- }
+ });
 long count = SingleTypeInfoDao.instance.getEstimatedCount();
 if(count == 0){
 logger.info("New user, showing quick start page");
From 48dd0f7255c4326fe82a6ffb5d4e9b25bf10a8f9 Mon Sep 17 00:00:00 2001
From: ayushaga14
Date: Sat, 13 Apr 2024 11:24:14 +0530
Subject: [PATCH 3/4] handle updation on multiple accounts on login
---
 .../java/com/akto/action/LoginAction.java | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
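Review bot: The `updateOne(... Updates.set(VULNERABLE_API_UPDATION_VERSION_V1, Context.now()))` inside the submitted task runs on every login regardless of the flag, so the column is rewritten with a fresh timestamp on each login, and the check-then-act is not atomic: two logins into the same account that both read 0 before either writes will both call `RuntimeListener.addSampleData()`. Moving the write under the `if` and narrowing its filter to documents whose flag is still 0 removes the per-login write and shrinks the window; closing it fully needs the update's matched count (only possible if the DAO's `updateOne` returns the driver's `UpdateResult`, which this hunk does not show) so that only the login that won the update seeds the data. Claiming the flag before seeding, as below, also means a failed seed is not retried on the next login — if retry matters more than the duplicate, keep seed-then-set and accept the window. The same lines reappear verbatim in `triggerVulnColUpdation` in PATCH 3/4.
```java
// … unchanged: Context.accountId.set(accountId); logger.info(…) …
try {
    BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
    if (backwardCompatibility != null && backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
        // Claim the flag first so a concurrent login for the same account does not repeat the seeding;
        // the filter on the flag makes this a no-op for a document another login has already claimed.
        BackwardCompatibilityDao.instance.updateOne(
                Filters.and(
                        Filters.eq("_id", backwardCompatibility.getId()),
                        Filters.eq(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, 0)),
                Updates.set(BackwardCompatibility.VULNERABLE_API_UPDATION_VERSION_V1, Context.now())
        );
        RuntimeListener.addSampleData();
    }
} catch (Exception e) {
    logger.error("error updating vulnerable api's collection for account " + accountId, e);
}
```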
diff --git a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
index 09e87df79e..132afc8980 100644
--- a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
+++ b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java
@@ -100,17 +100,23 @@ public String execute() throws IOException {
 //For the case when no account exists, the user will get access to 1_000_000 account
 String accountIdStr = user.getAccounts().keySet().isEmpty() ? "1000000" : user.getAccounts().keySet().iterator().next();
 int accountId = StringUtils.isNumeric(accountIdStr) ? Integer.parseInt(accountIdStr) : 1_000_000;
+ try {
+ service.submit(() ->{
+ triggerVulnColUpdation(user);
+ });
+ } catch (Exception e) {
+ logger.error("error updating vuln collection ", e);
+ }
 decideFirstPage(loginResult, accountId);
 return result;
 }
- private void decideFirstPage(BasicDBObject loginResult, int accountId){
- Context.accountId.set(accountId);
- service.submit(() ->{
+ private void triggerVulnColUpdation(User user) {
+ for (String accountIdStr: user.getAccounts().keySet()) {
+ int accountId = Integer.parseInt(accountIdStr);
 Context.accountId.set(accountId);
 logger.info("updating vulnerable api's collection for account " + accountId);
 try {
- // add backward compatibility check
 BackwardCompatibility backwardCompatibility = BackwardCompatibilityDao.instance.findOne(new BasicDBObject());
 if (backwardCompatibility.getVulnerableApiUpdationVersionV1() == 0) {
 RuntimeListener.addSampleData();
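Review bot: `int accountId = Integer.parseInt(accountIdStr);` in the new `triggerVulnColUpdation` loop sits outside the per-account try, so a non-numeric account key — which `execute()` explicitly anticipates a few lines earlier with `StringUtils.isNumeric(accountIdStr)` — throws NumberFormatException, aborts the remaining accounts, and disappears silently, because the try around `service.submit` only covers submission and nothing reads the returned Future. Guarding the key, `if (!StringUtils.isNumeric(accountIdStr)) { logger.warn("skipping non-numeric account id " + accountIdStr); continue; }`, keeps one bad key from stopping the others. triggerVulnColUpdation continues into the next hunk.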
@@ -122,7 +128,11 @@ private void decideFirstPage(BasicDBObject loginResult, int accountId){
 } catch (Exception e) {
 logger.error("error updating vulnerable api's collection for account " + accountId + " " + e.getMessage());
 }
- });
+ }
+ }
+
+ private void decideFirstPage(BasicDBObject loginResult, int accountId){
+ Context.accountId.set(accountId);
 long count = SingleTypeInfoDao.instance.getEstimatedCount();
 if(count == 0){
 logger.info("New user, showing quick start page");
From 7b046aeca0887ed530ea796652ec7cb56f5aba28 Mon Sep 17 00:00:00 2001
From: ayushaga14
Date: Sat, 13 Apr 2024 11:26:14 +0530
Subject: [PATCH 4/4] remove duplicate call
---
 apps/dashboard/src/main/java/com/akto/action/AccountAction.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/apps/dashboard/src/main/java/com/akto/action/AccountAction.java b/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
index 3135d0a908..4da16dd73c 100644
--- a/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
+++ b/apps/dashboard/src/main/java/com/akto/action/AccountAction.java
@@ -316,7 +316,6 @@ public void run() {
 loggerMaker.infoAndAddToDb("updating vulnerable api's collection for new account " + newAccountId, LogDb.DASHBOARD);
 RuntimeListener.addSampleData();
 });
- RuntimeListener.addSampleData();
 AccountSettingsDao.instance.updateOnboardingFlag(true);
 InitializerListener.insertPiiSources();