Merge pull request #1255 from akto-api-security/hotfix/fix_first_user

Fixing rbac user roles for first user
akto-api-security · Jul 8, 2024 · 9f4bafc · 9f4bafc
2 parents fc3b8bf + 71f38f4
commit 9f4bafc
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 7 deletions.
diff --git a/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java b/apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java
@@ -1628,8 +1628,11 @@ public static void createOrg(int accountId) {
                 loggerMaker.errorAndAddToDb("Admin is still missing in DB, making first user as admin", LogDb.DASHBOARD);
                 User firstUser = UsersDao.instance.getFirstUser(accountId);
                 if(firstUser != null){
-                    rbac = new RBAC(firstUser.getId(), Role.ADMIN, accountId);
-                    RBACDao.instance.insertOne(rbac);
+                    RBACDao.instance.updateOne(
+                        Filters.and(
+                            Filters.eq(RBAC.ACCOUNT_ID,Context.accountId.get()),
+                            Filters.eq(RBAC.USER_ID, firstUser.getId())
+                        ),Updates.set(RBAC.ROLE, RBAC.Role.ADMIN.name()));
                 } else {
                     loggerMaker.errorAndAddToDb("First user is also missing in DB, unable to make org.", LogDb.DASHBOARD);
                     return;
@@ -2168,9 +2171,34 @@ private static void dropLastCronRunInfoField(BackwardCompatibility backwardCompa
         }
     }
 
+    private static void makeFirstUserAdmin(BackwardCompatibility backwardCompatibility){
+        if(backwardCompatibility.getAddAdminRoleIfAbsent() == 0){
+
+            User firstUser = UsersDao.instance.getFirstUser(Context.accountId.get());
+
+            RBAC firstUserAdminRbac = RBACDao.instance.findOne(Filters.and(
+                Filters.eq(RBAC.USER_ID, firstUser.getId()),
+                Filters.eq(RBAC.ROLE, Role.ADMIN.name())
+            ));
+
+            if(firstUserAdminRbac != null){
+                loggerMaker.infoAndAddToDb("Found admin rbac for first user: " + firstUser.getLogin() + " , thus deleting it's member role RBAC", LogDb.DASHBOARD);
+                RBACDao.instance.deleteAll(Filters.and(
+                    Filters.eq(RBAC.USER_ID, firstUser.getId()),
+                    Filters.eq(RBAC.ROLE, Role.MEMBER.name())
+                ));
+            }
+
+            BackwardCompatibilityDao.instance.updateOne(
+                        Filters.eq("_id", backwardCompatibility.getId()),
+                        Updates.set(BackwardCompatibility.ADD_ADMIN_ROLE, Context.now())
+                );
+        }
+    }
+
     public static void setBackwardCompatibilities(BackwardCompatibility backwardCompatibility){
-        initializeOrganizationAccountBelongsTo(backwardCompatibility);
         if (DashboardMode.isMetered()) {
+            initializeOrganizationAccountBelongsTo(backwardCompatibility);
             setOrganizationsInBilling(backwardCompatibility);
         }
         setAktoDefaultNewUI(backwardCompatibility);
@@ -2194,9 +2222,7 @@ public static void setBackwardCompatibilities(BackwardCompatibility backwardComp
         enableNewMerging(backwardCompatibility);
         setDefaultTelemetrySettings(backwardCompatibility);
         disableAwsSecretPiiType(backwardCompatibility);
-        if (DashboardMode.isMetered()) {
-            initializeOrganizationAccountBelongsTo(backwardCompatibility);
-        }
+        makeFirstUserAdmin(backwardCompatibility);
     }
 
     public static void printMultipleHosts(int apiCollectionId) {

diff --git a/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java b/libs/dao/src/main/java/com/akto/dto/BackwardCompatibility.java
@@ -81,6 +81,9 @@ public class BackwardCompatibility {
     public static final String DROP_API_DEPENDENCIES = "dropApiDependencies";
     private int dropApiDependencies;
 
+    public static final String ADD_ADMIN_ROLE = "addAdminRoleIfAbsent";
+    private int addAdminRoleIfAbsent;
+
     public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTypeInfoCount, int dropWorkflowTestResult,
                                  int readyForNewTestingFramework,int addAktoDataTypes, boolean deploymentStatusUpdated,
                                  int authMechanismData, boolean mirroringLambdaTriggered, int deleteAccessListFromApiToken,
@@ -89,7 +92,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
                                  int computeIntegratedConnections, int deleteLastCronRunInfo, int moveAuthMechanismToRole,
                                  int loginSignupGroups, int vulnerableApiUpdationVersionV1, int riskScoreGroups,
                                  int deactivateCollections, int disableAwsSecretPii, int apiCollectionAutomatedField, 
-                                 int automatedApiGroups) {
+                                 int automatedApiGroups, int addAdminRoleIfAbsent) {
         this.id = id;
         this.dropFilterSampleData = dropFilterSampleData;
         this.resetSingleTypeInfoCount = resetSingleTypeInfoCount;
@@ -116,6 +119,7 @@ public BackwardCompatibility(int id, int dropFilterSampleData, int resetSingleTy
         this.disableAwsSecretPii = disableAwsSecretPii;
         this.apiCollectionAutomatedField = apiCollectionAutomatedField;
         this.automatedApiGroups = automatedApiGroups;
+        this.addAdminRoleIfAbsent = addAdminRoleIfAbsent;
     }
 
     public BackwardCompatibility() {
@@ -352,4 +356,12 @@ public int getDropApiDependencies() {
     public void setDropApiDependencies(int dropApiDependencies) {
         this.dropApiDependencies = dropApiDependencies;
     }
+
+    public int getAddAdminRoleIfAbsent() {
+        return addAdminRoleIfAbsent;
+    }
+
+    public void setAddAdminRoleIfAbsent(int addAdminRoleIfAbsent) {
+        this.addAdminRoleIfAbsent = addAdminRoleIfAbsent;
+    }
 }