Merge pull request akto-api-security#381 from akto-api-security/develop

Develop

apps/api-runtime/src/main/java/com/akto/runtime/Main.java

@@ -291,8 +291,7 @@ public void run() {
  }
 
  if (!aktoPolicyMap.containsKey(accountId)) {
- APICatalogSync apiCatalogSync = httpCallParserMap.get(accountId).apiCatalogSync;
- AktoPolicies aktoPolicy = new AktoPolicies(apiCatalogSync, fetchAllSTI);
+ AktoPolicies aktoPolicy = new AktoPolicies(fetchAllSTI);
  aktoPolicyMap.put(accountId, aktoPolicy);
  }
 

apps/api-runtime/src/main/java/com/akto/runtime/policies/AktoPolicies.java

@@ -6,33 +6,17 @@
 import com.akto.runtime.APICatalogSync;
 
 public class AktoPolicies {
- private AktoPolicy aktoPolicy;
- private AktoPolicyNew aktoPolicyNew;
+ private final AktoPolicyNew aktoPolicyNew;
 
- public AktoPolicies(APICatalogSync apiCatalogSync, boolean fetchAllSTI) {
- if (APICatalogSync.mergeAsyncOutside) {
- this.aktoPolicyNew = new AktoPolicyNew(fetchAllSTI);;
- } else {
- this.aktoPolicy = new AktoPolicy(apiCatalogSync, fetchAllSTI);
- }
- } 
-
-
- public AktoPolicy getAktoPolicy() {
- return this.aktoPolicy;
+ public AktoPolicies(boolean fetchAllSTI) {
+ this.aktoPolicyNew = new AktoPolicyNew(fetchAllSTI);;
  }
 
  public AktoPolicyNew getAktoPolicyNew() {
  return this.aktoPolicyNew;
  }
 
  public void main(List<HttpResponseParams> httpResponseParamsList, APICatalogSync apiCatalogSync, boolean fetchAllSTI) throws Exception {
- if (this.aktoPolicy != null) {
- this.aktoPolicy.main(httpResponseParamsList, apiCatalogSync, fetchAllSTI);
- } 
-
- if (this.aktoPolicyNew != null) {
- this.aktoPolicyNew.main(httpResponseParamsList, apiCatalogSync != null, fetchAllSTI);
- }
+ this.aktoPolicyNew.main(httpResponseParamsList, apiCatalogSync != null, fetchAllSTI);
  }
 }

apps/api-runtime/src/main/java/com/akto/runtime/policies/AktoPolicyNew.java

@@ -88,7 +88,7 @@ public void buildFromDb(boolean fetchAllSTI) {
  public void syncWithDb(boolean initialising, boolean fetchAllSTI) {
  loggerMaker.infoAndAddToDb("Syncing with db", LogDb.RUNTIME);
  if (!initialising) {
- AktoPolicy.UpdateReturn updateReturn = AktoPolicy.getUpdates(apiInfoCatalogMap);
+ UpdateReturn updateReturn = getUpdates(apiInfoCatalogMap);
  List<WriteModel<ApiInfo>> writesForApiInfo = updateReturn.updatesForApiInfo;
  List<WriteModel<FilterSampleData>> writesForSampleData = updateReturn.updatesForSampleData;
  loggerMaker.infoAndAddToDb("Writing to db: " + "writesForApiInfoSize="+writesForApiInfo.size() + " writesForSampleData="+ writesForSampleData.size(), LogDb.RUNTIME);
@@ -164,13 +164,19 @@ public void process(HttpResponseParams httpResponseParams) throws Exception {
  boolean saveSample = false;
  switch (useCase) {
  case AUTH_TYPE:
- saveSample = AuthPolicy.findAuthType(httpResponseParams, apiInfo, filter, customAuthTypes);
+ try {
+ saveSample = AuthPolicy.findAuthType(httpResponseParams, apiInfo, filter, customAuthTypes);
+ } catch (Exception ignored) {}
  break;
  case SET_CUSTOM_FIELD:
- saveSample = SetFieldPolicy.setField(httpResponseParams, apiInfo, filter);
+ try {
+ saveSample = SetFieldPolicy.setField(httpResponseParams, apiInfo, filter);
+ } catch (Exception ignored) {}
  break;
  case DETERMINE_API_ACCESS_TYPE:
- saveSample = apiAccessTypePolicy.findApiAccessType(httpResponseParams, apiInfo, filter);
+ try {
+ saveSample = apiAccessTypePolicy.findApiAccessType(httpResponseParams, apiInfo, filter);
+ } catch (Exception ignored) {}
  break;
  default:
  throw new Exception("Function for use case not defined");
@@ -235,7 +241,7 @@ public PolicyCatalog getApiInfoFromMap(ApiInfo.ApiInfoKey apiInfoKey) {
  return newPolicyCatalog;
  }
 
- public static AktoPolicy.UpdateReturn getUpdates(Map<Integer, ApiInfoCatalog> apiInfoCatalogMap) {
+ public static UpdateReturn getUpdates(Map<Integer, ApiInfoCatalog> apiInfoCatalogMap) {
  List<ApiInfo> apiInfoList = new ArrayList<>();
  List<FilterSampleData> filterSampleDataList = new ArrayList<>();
  for (ApiInfoCatalog apiInfoCatalog: apiInfoCatalogMap.values()) {
@@ -262,7 +268,7 @@ public static AktoPolicy.UpdateReturn getUpdates(Map<Integer, ApiInfoCatalog> ap
  List<WriteModel<ApiInfo>> updatesForApiInfo = getUpdatesForApiInfo(apiInfoList);
  List<WriteModel<FilterSampleData>> updatesForSampleData = getUpdatesForSampleData(filterSampleDataList);
 
- return new AktoPolicy.UpdateReturn(updatesForApiInfo, updatesForSampleData);
+ return new UpdateReturn(updatesForApiInfo, updatesForSampleData);
  }
 
  public static class UpdateReturn {

apps/api-runtime/src/test/java/com/akto/runtime/policies/TestAktoPolicy.java

@@ -93,7 +93,7 @@ public void testRestart() throws Exception {
  List<ApiInfo> apiInfoList = ApiInfoDao.instance.findAll(Filters.eq("_id.apiCollectionId", 0));
  Assertions.assertEquals(5,apiInfoList.size());
  List<FilterSampleData> filterSampleDataList = FilterSampleDataDao.instance.findAll(new BasicDBObject());
- Assertions.assertEquals(5, filterSampleDataList.size());
+ Assertions.assertEquals(0, filterSampleDataList.size());
 
  // restart server means new httpCallParser and aktoPolicy
  HttpCallParser httpCallParser1 = new HttpCallParser("user", 1, 1,1, true);
@@ -109,7 +109,7 @@ public void testRestart() throws Exception {
  apiInfoList = ApiInfoDao.instance.findAll(Filters.eq("_id.apiCollectionId", 0));
  Assertions.assertEquals(5,apiInfoList.size());
  filterSampleDataList = FilterSampleDataDao.instance.findAll(Filters.eq("_id.apiInfoKey.apiCollectionId", 0));
- Assertions.assertEquals(5, filterSampleDataList.size());
+ Assertions.assertEquals(0, filterSampleDataList.size());
  }
 
 
@@ -146,7 +146,7 @@ public void test1() throws Exception {
  assertEquals(hrpList.size(), apiInfoList.size());
 
  List<FilterSampleData> filterSampleDataList = FilterSampleDataDao.instance.findAll(new BasicDBObject());
- assertEquals(3, filterSampleDataList.size());
+ assertEquals(0, filterSampleDataList.size());
 
  // created a dummy AktoPolicy to use buildFromDb without touching the original AktoPolicy
  AktoPolicyNew dummyAktoPolicy = new AktoPolicyNew(true);
@@ -169,18 +169,10 @@ public void test1() throws Exception {
  apiInfoList = ApiInfoDao.instance.findAll(new BasicDBObject());
  assertEquals(hrpList.size() - 1, apiInfoList.size()); // 2 urls got merged to 1
  filterSampleDataList = FilterSampleDataDao.instance.findAll(new BasicDBObject());
- assertEquals(2, filterSampleDataList.size()); // 2 urls got merged to 1
+ assertEquals(0, filterSampleDataList.size()); // 2 urls got merged to 1
  dummyAktoPolicy.buildFromDb(true);
  Assertions.assertEquals(dummyAktoPolicy.getApiInfoCatalogMap().get(0).getTemplateURLToMethods().size(), 1 );
 
- FilterSampleData filterSampleData = FilterSampleDataDao.instance.findOne(
- Filters.and(
- Filters.eq("_id.apiInfoKey.apiCollectionId", 0),
- Filters.eq("_id.apiInfoKey.url", "/api/toys/INTEGER"),
- Filters.eq("_id.apiInfoKey.method", urlStatic6.getMethod().name())
- )
- );
- assertEquals(1, filterSampleData.getSamples().getElements().size());
 
  URLStatic urlStatic8 = new URLStatic("/api/toys/3", URLMethods.Method.PUT);
  HttpResponseParams hrp8 = generateHttpResponseParams(urlStatic8.getUrl(), urlStatic8.getMethod(),0, Collections.singletonList(ApiInfo.AuthType.UNAUTHENTICATED),false) ;
@@ -189,16 +181,17 @@ public void test1() throws Exception {
  apiInfoList = ApiInfoDao.instance.findAll(new BasicDBObject());
  assertEquals(hrpList.size() - 1, apiInfoList.size()); // 2 urls got merged to 1
  filterSampleDataList = FilterSampleDataDao.instance.findAll(new BasicDBObject());
- assertEquals(2, filterSampleDataList.size()); // 2 urls got merged to 1
+ assertEquals(0, filterSampleDataList.size()); // 2 urls got merged to 1
 
- filterSampleData = FilterSampleDataDao.instance.findOne(
+ FilterSampleData filterSampleData = FilterSampleDataDao.instance.findOne(
  Filters.and(
  Filters.eq("_id.apiInfoKey.apiCollectionId", 0),
  Filters.eq("_id.apiInfoKey.url", "/api/toys/INTEGER"),
  Filters.eq("_id.apiInfoKey.method", urlStatic6.getMethod().name())
  )
  );
- assertEquals(2, filterSampleData.getSamples().getElements().size());
+
+ assertNull(filterSampleData);
 
  HttpResponseParams hrp10 = generateHttpResponseParams(urlStatic6.getUrl(), urlStatic6.getMethod(),0,Collections.singletonList(ApiInfo.AuthType.JWT), false);
 

apps/dashboard/src/main/java/com/akto/action/growth_tools/PublicApiAction.java

@@ -1,37 +1,182 @@
 package com.akto.action.growth_tools;
 
-import com.akto.action.UserAction;
-import com.akto.dao.AccountsDao;
-import com.akto.dto.Account;
+import com.akto.dao.context.Context;
+import com.akto.dto.HttpResponseParams;
+import com.akto.dto.traffic.Key;
+import com.akto.dto.traffic.SampleData;
+import com.akto.dto.type.URLMethods;
+import com.google.gson.Gson;
+import com.opensymphony.xwork2.Action;
+import com.opensymphony.xwork2.ActionSupport;
+import org.apache.struts2.interceptor.ServletRequestAware;
+import org.apache.struts2.interceptor.ServletResponseAware;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
-public class PublicApiAction extends UserAction {
+public class PublicApiAction extends ActionSupport implements Action, ServletResponseAware, ServletRequestAware {
+ protected HttpServletRequest request;
+ protected HttpServletResponse response;
+ private List<SampleData> sampleDataList;
 
- private String check;
- private List<Account> accounts;
+ private static Gson gson = new Gson();
+ private String sampleRequestString;
+ private String sampleResponseString;
+
+ public static final String PATH = "path";
+ public static final String TYPE = "type";
+ public static final String METHOD = "method";
+ public static final String REQUEST_PAYLOAD = "requestPayload";
+ public static final String REQUEST_HEADERS = "requestHeaders";
+ public static final String RESPONSE_PAYLOAD = "responsePayload";
+ public static final String RESPONSE_HEADERS = "responseHeaders";
+ public static final String AKTO_VXLAN_ID = "akto_vxlan_id";
+ public static final String STATUS = "status";
+ public static final String STATUS_CODE = "statusCode";
 
  @Override
- public String execute() throws Exception{
- check = "abcd";
- accounts = AccountsDao.instance.getAllAccounts();
- //curl api/createTest
+ public String execute() throws Exception {
+ return SUCCESS.toUpperCase();
+ }
+
+ /*
+ * Request and Response Sample Data
+ *
+ * Request and response folling burp's format
+ *
+ * First line METHOD URL PROTOCOL
+ * Second line host
+ * Third line headers
+ * Fourth line empty
+ * Fifth line body
+ *
+ * Response format is
+ * First line PROTOCOL STATUS_CODE STATUS_MESSAGE
+ * Second line headers
+ * Third line empty
+ * Fourth line body
+ *
+ * */
+
+ public String createSampleDataJson() {
+ try {
+ if (sampleResponseString == null || sampleRequestString == null) {
+ addActionError("request and response cannot be null");
+ return ERROR.toUpperCase();
+ }
+ String[] requestLines = sampleRequestString.split("\n");
+ Map<String, Object> map = new HashMap<>();
+ int requestIndex = 0;
+ String[] requestURL = requestLines[requestIndex].split(" ");
+ map.put(METHOD, requestURL[0].trim());
+ map.put(TYPE, requestURL[2].trim());
+
+ String[] requestHost = requestLines[++requestIndex].split(":");
+ String host = requestHost[1].trim();
+ map.put(PATH, host + requestURL[1].trim());
+
+ Map<String, String> requestHeaders = new HashMap<>();
+ for (requestIndex = requestIndex+1; requestIndex < requestLines.length; requestIndex++) {
+ String[] requestHeader = requestLines[requestIndex].split(":",2);
+ if (requestHeader.length == 2) {
+ requestHeaders.put(requestHeader[0].trim(), requestHeader[1].trim());
+ } else {
+ break;
+ }
+ }
+ map.put(REQUEST_HEADERS, gson.toJson(requestHeaders));
+ if (requestIndex + 1 < requestLines.length) {
+ StringBuilder requestPayload = new StringBuilder();
+ for (int i = requestIndex + 1; i < requestLines.length; i++) {
+ requestPayload.append(requestLines[i].trim()).append("\n");
+ }
+ map.put(REQUEST_PAYLOAD, requestPayload.toString());
+ } else {
+ map.put(REQUEST_PAYLOAD, "");
+ }
+ map.put(AKTO_VXLAN_ID, 0);
+
+ String[] responseLines = sampleResponseString.split("\n");
+ int responseIndex = 0;
+ String[] responseStatus = responseLines[responseIndex].split(" ",3);
+
+ map.put(STATUS_CODE, responseStatus[1].trim());
+ map.put(STATUS, responseStatus[2].trim());
+
+ Map<String, String> responseHeaders = new HashMap<>();
+ for (responseIndex = responseIndex+1; responseIndex < responseLines.length; responseIndex++) {
+ String[] responseHeader = responseLines[responseIndex].split(":",2);
+ if (responseHeader.length == 2) {
+ responseHeaders.put(responseHeader[0].trim(), responseHeader[1].trim());
+ } else {
+ break;
+ }
+ }
+ map.put(RESPONSE_HEADERS, gson.toJson(responseHeaders));
+ if (responseIndex + 1 < responseLines.length) {
+ StringBuilder builder = new StringBuilder();
+ for (responseIndex = responseIndex+1; responseIndex < responseLines.length; responseIndex++) {
+ builder.append(responseLines[responseIndex].trim()).append("\n");
+ }
+ map.put(RESPONSE_PAYLOAD, builder.toString());
+ } else {
+ map.put(RESPONSE_PAYLOAD, "");
+ }
+ map.put("source", HttpResponseParams.Source.OTHER);
+ map.put("time", Context.now());
+ map.put("ip", "null");
+ map.put("akto_account_id", "1000000");
+
+ SampleData sampleData = new SampleData();
+ Key key = new Key(0, (String) map.get(PATH), URLMethods.Method.fromString((String) map.get(METHOD)),
+ Integer.parseInt((String) map.get(STATUS_CODE)),0,0);
+
+ sampleData.setId(key);
+ sampleData.setSamples(Collections.singletonList(gson.toJson(map)));
+ sampleDataList = Collections.singletonList(sampleData);
+ } catch (Exception e) {
+ addActionError("Please check your request and response format");
+ return ERROR.toUpperCase();
+ }
  return SUCCESS.toUpperCase();
  }
 
- public String getCheck() {
- return check;
+ @Override
+ public void setServletRequest(HttpServletRequest request) {
+ this.request = request;
+ }
+
+ @Override
+ public void setServletResponse(HttpServletResponse response) {
+ this.response = response;
+ }
+
+ public List<SampleData> getSampleDataList() {
+ return sampleDataList;
+ }
+
+ public void setSampleDataList(List<SampleData> sampleDataList) {
+ this.sampleDataList = sampleDataList;
+ }
+
+
+ public void setSampleRequestString(String sampleRequestString) {
+ this.sampleRequestString = sampleRequestString;
  }
 
- public void setCheck(String check) {
- this.check = check;
+ public void setSampleResponseString(String sampleResponseString) {
+ this.sampleResponseString = sampleResponseString;
  }
 
- public List<Account> getAccounts() {
- return accounts;
+ public String getSampleRequestString() {
+ return sampleRequestString;
  }
 
- public void setAccounts(List<Account> accounts) {
- this.accounts = accounts;
+ public String getSampleResponseString() {
+ return sampleResponseString;
  }
 }