Merge pull request #1221 from akto-api-security/feature/rbac_for_mult…

…iple_roles_final_fix

Feature/rbac for multiple roles final fix

apps/api-runtime/src/main/java/com/akto/runtime/Main.java

@@ -450,7 +450,7 @@ public static void initializeRuntime(){
 
     public static void initializeRuntimeHelper() {
         SingleTypeInfoDao.instance.getMCollection().updateMany(Filters.exists("apiCollectionId", false), Updates.set("apiCollectionId", 0));
-        DaoInit.createIndices();
+        // DaoInit.createIndices();
         insertRuntimeFilters();
         try {
             AccountSettingsDao.instance.updateVersion(AccountSettings.API_RUNTIME_VERSION);

apps/dashboard/src/main/java/com/akto/action/AccountAction.java

@@ -268,16 +268,15 @@ public String createNewAccount() {
             }
         }
 
-        User user = initializeAccount(email, newAccountId, newAccountName,true);
+        User user = initializeAccount(email, newAccountId, newAccountName,true, RBAC.Role.ADMIN);
         getSession().put("user", user);
         getSession().put("accountId", newAccountId);
         return Action.SUCCESS.toUpperCase();
     }
 
-    public static User initializeAccount(String email, int newAccountId,String newAccountName,  boolean isNew) {
+    public static User initializeAccount(String email, int newAccountId, String newAccountName, boolean isNew, RBAC.Role role) {
         UsersDao.addAccount(email, newAccountId, newAccountName);
         User user = UsersDao.instance.findOne(eq(User.LOGIN, email));
-        RBAC.Role role = isNew ? RBAC.Role.ADMIN : RBAC.Role.MEMBER;
         RBACDao.instance.insertOne(new RBAC(user.getId(), role, newAccountId));
         Context.accountId.set(newAccountId);
         try {

apps/dashboard/src/main/java/com/akto/action/AdminSettingsAction.java

@@ -91,13 +91,6 @@ public String toggleNewMergingEnabled() {
     public String toggleTelemetry() {
         if (!DashboardMode.isOnPremDeployment()) return Action.ERROR.toUpperCase();
 
-        User user = getSUser();
-        if (user == null) return ERROR.toUpperCase();
-        boolean isAdmin = RBACDao.instance.isAdmin(user.getId(), Context.accountId.get());
-        if (!isAdmin) {
-            addActionError("Only admin can add change this setting");
-            return Action.ERROR.toUpperCase();
-        }
         AccountSettings accountSettings = AccountSettingsDao.instance.findOne(AccountSettingsDao.generateFilter());
         TelemetrySettings telemetrySettings = accountSettings.getTelemetrySettings();
         telemetrySettings.setCustomerEnabled(enableTelemetry);
@@ -141,10 +134,6 @@ public String updateTrafficAlertThresholdSeconds() {
 
     private boolean redactPayload;
     public String toggleRedactFeature() {
-        User user = getSUser();
-        if (user == null) return ERROR.toUpperCase();
-        boolean isAdmin = RBACDao.instance.isAdmin(user.getId(), Context.accountId.get());
-        if (!isAdmin) return ERROR.toUpperCase();
 
         AccountSettingsDao.instance.getMCollection().updateOne(
                 AccountSettingsDao.generateFilter(),

apps/dashboard/src/main/java/com/akto/action/InviteUserAction.java

@@ -1,9 +1,11 @@
 package com.akto.action;
 
 import com.akto.dao.PendingInviteCodesDao;
+import com.akto.dao.RBACDao;
 import com.akto.dao.UsersDao;
 import com.akto.dao.context.Context;
 import com.akto.dto.PendingInviteCode;
+import com.akto.dto.RBAC;
 import com.akto.dto.User;
 import com.akto.notifications.email.SendgridEmail;
 import com.akto.util.DashboardMode;
@@ -28,6 +30,7 @@ public class InviteUserAction extends UserAction{
 
     public static final String INVALID_EMAIL_ERROR = "Invalid email";
     public static final String DIFFERENT_ORG_EMAIL_ERROR = "Email must belong to same organisation";
+    public static final String NOT_ALLOWED_TO_INVITE = "you're not authorised to invite for this role";
     public static final String AKTO_DOMAIN = "akto.io";
 
     public static String validateEmail(String email, String adminLogin) {
@@ -52,6 +55,7 @@ public static String validateEmail(String email, String adminLogin) {
     }
 
     private String finalInviteCode;
+    private RBAC.Role inviteeRole;
 
     @Override
     public String execute() {
@@ -65,6 +69,13 @@ public String execute() {
             return ERROR.toUpperCase();
         }
 
+        RBAC.Role userRole = RBACDao.getCurrentRoleForUser(user_id, Context.accountId.get());
+
+        if (!Arrays.asList(userRole.getRoleHierarchy()).contains(this.inviteeRole)) {
+            addActionError("User not allowed to invite for this role");
+            return ERROR.toUpperCase();
+        }
+
         Map<String,Object> claims = new HashMap<>();
         claims.put("email", inviteeEmail);
 
@@ -89,10 +100,8 @@ public String execute() {
         try {
             Jws<Claims> jws = JWT.parseJwt(inviteCode,"");
             PendingInviteCodesDao.instance.insertOne(
-                    new PendingInviteCode(inviteCode, user_id, inviteeEmail,jws.getBody().getExpiration().getTime(),Context.accountId.get())
+                    new PendingInviteCode(inviteCode, user_id, inviteeEmail,jws.getBody().getExpiration().getTime(),Context.accountId.get(), this.inviteeRole)
             );
-
-
         } catch (NoSuchAlgorithmException | InvalidKeySpecException | IOException e) {
             e.printStackTrace();
             return ERROR.toUpperCase();
@@ -138,4 +147,12 @@ public void setWebsiteHostName(String websiteHostName) {
     public String getFinalInviteCode() {
         return finalInviteCode;
     }
+
+    public RBAC.Role getInviteeRole() {
+        return inviteeRole;
+    }
+
+    public void setInviteeRole(RBAC.Role inviteeRole) {
+        this.inviteeRole = inviteeRole;
+    }
 }

apps/dashboard/src/main/java/com/akto/action/ProfileAction.java

@@ -5,12 +5,14 @@
 import com.akto.dao.AccountSettingsDao;
 import com.akto.dao.AccountsDao;
 import com.akto.dao.JiraIntegrationDao;
+import com.akto.dao.RBACDao;
 import com.akto.dao.UsersDao;
 import com.akto.dao.billing.OrganizationsDao;
 import com.akto.dao.context.Context;
 import com.akto.dto.Account;
 import com.akto.dto.AccountSettings;
 import com.akto.dto.JiraIntegration;
+import com.akto.dto.RBAC;
 import com.akto.dto.User;
 import com.akto.dto.UserAccountEntry;
 import com.akto.dto.ApiToken.Utility;
@@ -111,6 +113,7 @@ public static void executeMeta1(Utility utility, User user, HttpServletRequest r
         String dashboardVersion = accountSettings.getDashboardVersion();
         String[] versions = dashboardVersion.split(" - ");
         User userFromDB = UsersDao.instance.findOne(Filters.eq(Constants.ID, user.getId()));
+        RBAC.Role userRole = RBACDao.getCurrentRoleForUser(user.getId(), Context.accountId.get());
 
         boolean jiraIntegrated = false;
         try {
@@ -131,7 +134,8 @@ public static void executeMeta1(Utility utility, User user, HttpServletRequest r
                 .append("cloudType", Utils.getCloudType())
                 .append("accountName", accountName)
                 .append("aktoUIMode", userFromDB.getAktoUIMode().name())
-                .append("jiraIntegrated", jiraIntegrated);;
+                .append("jiraIntegrated", jiraIntegrated)
+                .append("userRole", userRole.toString().toUpperCase());
 
         if (DashboardMode.isOnPremDeployment()) {
             userDetails.append("userHash", Intercom.getUserHash(user.getLogin()));

apps/dashboard/src/main/java/com/akto/action/SignupAction.java

@@ -277,7 +277,7 @@ public String registerViaAuth0() throws Exception {
                 if(user != null){
                     AccountAction.addUserToExistingAccount(email, pendingInviteCode.getAccountId());
                 }
-                createUserAndRedirect(email, name, auth0SignupInfo, pendingInviteCode.getAccountId(), Config.ConfigType.AUTH0.toString());
+                createUserAndRedirect(email, name, auth0SignupInfo, pendingInviteCode.getAccountId(), Config.ConfigType.AUTH0.toString(), pendingInviteCode.getInviteeRole());
 
                 return SUCCESS.toUpperCase();
             } else if(pendingInviteCode == null){
@@ -367,6 +367,7 @@ public String registerViaEmail() {
             return ERROR.toUpperCase();
         }
         int invitedToAccountId = 0;
+        RBAC.Role inviteeRole = null;
         if (!invitationCode.isEmpty()) {
             Jws<Claims> jws;
             try {
@@ -393,6 +394,7 @@ public String registerViaEmail() {
             // deleting the invitation code
             PendingInviteCodesDao.instance.getMCollection().deleteOne(filter);
             invitedToAccountId = pendingInviteCode.getAccountId();
+            inviteeRole = pendingInviteCode.getInviteeRole();
         } else {
             if (!InitializerListener.isSaas) {
                 long countUsers = UsersDao.instance.getMCollection().countDocuments();
@@ -425,7 +427,7 @@ public String registerViaEmail() {
 
         try {
             shouldLogin = "true";
-            createUserAndRedirect(email, email, signupInfo, invitedToAccountId, "email");
+            createUserAndRedirect(email, email, signupInfo, invitedToAccountId, "email", inviteeRole);
         } catch (IOException e) {
             e.printStackTrace();
             return ERROR.toUpperCase();
@@ -690,6 +692,11 @@ public static String validatePassword(String password) {
 
     private void createUserAndRedirect(String userEmail, String username, SignupInfo signupInfo,
                                        int invitationToAccount, String method) throws IOException {
+        createUserAndRedirect(userEmail, username, signupInfo, invitationToAccount, method, null);
+    }
+
+    private void createUserAndRedirect(String userEmail, String username, SignupInfo signupInfo,
+                                       int invitationToAccount, String method, RBAC.Role invitedRole) throws IOException {
         User user = UsersDao.instance.findOne(eq("login", userEmail));
         if (user == null && "false".equalsIgnoreCase(shouldLogin)) {
             SignupUserInfo signupUserInfo = SignupDao.instance.insertSignUp(userEmail, username, signupInfo, invitationToAccount);
@@ -739,7 +746,7 @@ private void createUserAndRedirect(String userEmail, String username, SignupInfo
                 return;
             }
 
-            user = AccountAction.initializeAccount(userEmail, accountId, "My account",invitationToAccount == 0);
+            user = AccountAction.initializeAccount(userEmail, accountId, "My account",invitationToAccount == 0, invitedRole == null ? RBAC.Role.MEMBER : invitedRole);
 
             servletRequest.getSession().setAttribute("user", user);
             servletRequest.getSession().setAttribute("accountId", accountId);