Merge pull request #3417 from akto-api-security/fix/login_session_by_key_pairs

Fix/login session by key pairs

Author: notshivansh

apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java

@@ -217,6 +217,7 @@
 import com.akto.util.tasks.OrganizationTask;
 import com.akto.utils.Auth0;
 import com.akto.utils.AutomatedApiGroupsUtils;
+import com.akto.utils.RSAKeyPairUtils;
 import com.akto.utils.TestTemplateUtils;
 import com.akto.utils.billing.OrganizationUtils;
 import com.akto.utils.crons.Crons;

libs/dao/src/main/java/com/akto/dto/Config.java

@@ -37,7 +37,7 @@ public void setId(String id) {
     public String id;
 
     public enum ConfigType {
-        SLACK, GOOGLE, WEBPUSH, PASSWORD, SALESFORCE, SENDGRID, AUTH0, GITHUB, STIGG, MIXPANEL, SLACK_ALERT, OKTA, AZURE, HYBRID_SAAS, SLACK_ALERT_USAGE, GOOGLE_SAML, AWS_WAF, SPLUNK_SIEM, AKTO_DASHBOARD_HOST_URL, CLOUDFLARE_WAF;
+        SLACK, GOOGLE, WEBPUSH, PASSWORD, SALESFORCE, SENDGRID, AUTH0, GITHUB, STIGG, MIXPANEL, SLACK_ALERT, OKTA, AZURE, HYBRID_SAAS, SLACK_ALERT_USAGE, GOOGLE_SAML, AWS_WAF, SPLUNK_SIEM, AKTO_DASHBOARD_HOST_URL, CLOUDFLARE_WAF, RSA_KP;
     }
 
     public ConfigType configType;
@@ -938,6 +938,40 @@ public AktoHostUrlConfig() {
         }
     }
 
+    @Getter
+    @Setter
+    @BsonDiscriminator
+    public static class RSAKeyPairConfig extends Config {
+
+        public static final String PRIVATE_KEY = "privateKey";
+        public static final String PUBLIC_KEY = "publicKey";
+        public static final String CREATED_AT = "createdAt";
+
+        private String privateKey;
+        private String publicKey;
+        private int createdAt;
+
+        public RSAKeyPairConfig() {
+            this.configType = ConfigType.RSA_KP;
+            this.id = ConfigType.RSA_KP.name() + CONFIG_SALT;
+        }
+
+        public RSAKeyPairConfig(String privateKey, String publicKey) {
+            this.configType = ConfigType.RSA_KP;
+            this.id = ConfigType.RSA_KP.name() + CONFIG_SALT;
+            this.privateKey = privateKey;
+            this.publicKey = publicKey;
+        }
+
+        public RSAKeyPairConfig(String privateKey, String publicKey, int createdAt) {
+            this.configType = ConfigType.RSA_KP;
+            this.id = ConfigType.RSA_KP.name() + CONFIG_SALT;
+            this.privateKey = privateKey;
+            this.publicKey = publicKey;
+            this.createdAt = createdAt;
+        }
+    }
+
     public static boolean isConfigSSOType(ConfigType configType){
         if(configType == null){
             return false;

libs/utils/src/main/java/com/akto/onprem/Constants.java

@@ -1,9 +1,13 @@
 package com.akto.onprem;
 
+import com.akto.DaoInit;
 import com.akto.dao.ConfigsDao;
+import com.akto.dao.MCollection;
 import com.akto.dao.context.Context;
 import com.akto.dto.Config;
 import com.akto.util.DashboardMode;
+import com.akto.utils.RSAKeyPairUtils;
+import com.mongodb.ConnectionString;
 import com.mongodb.client.model.Filters;
 
 import java.security.KeyPair;
@@ -28,22 +32,72 @@ public class Constants {
 
     public static final String SLACK_ALERT_USAGE_URL = "";
 
-    private static final byte[] privateKey, publicKey;
+    private static final byte[] privateKey;
+    private static final byte[] publicKey;
 
     static {
-        KeyPairGenerator kpg;
-        KeyPair kp = null;
+        byte[] tempPrivateKey = null;
+        byte[] tempPublicKey = null;
+
+        // Try to initialize DB connection and fetch keys from database
         try {
-            kpg = KeyPairGenerator.getInstance("RSA");
-            kpg.initialize(2048);
-            kp = kpg.generateKeyPair();
+            // Check if DB client is not already initialized
+            if (!MCollection.checkConnection()) {
+                String mongoURI = System.getenv("AKTO_MONGO_CONN");
+                if (mongoURI != null && !mongoURI.isEmpty()) {
+                    DaoInit.init(new ConnectionString(mongoURI));
+                }
+            }
 
-        } catch (NoSuchAlgorithmException e) {
-            ;
+            // Now try to fetch keys if DB is connected
+            if (MCollection.checkConnection()) {
+                byte[][] keys = RSAKeyPairUtils.fetchKeysFromDb();
+                if (keys != null && keys.length == 2) {
+                    tempPrivateKey = keys[0];
+                    tempPublicKey = keys[1];
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        // If keys weren't found in database, generate new ones and save them
+        if (tempPrivateKey == null || tempPublicKey == null) {
+            KeyPairGenerator kpg;
+            KeyPair kp = null;
+            try {
+                kpg = KeyPairGenerator.getInstance("RSA");
+                kpg.initialize(2048);
+                kp = kpg.generateKeyPair();
+            } catch (NoSuchAlgorithmException e) {
+                ;
+            }
+
+            tempPrivateKey = kp == null ? null : kp.getPrivate().getEncoded();
+            tempPublicKey = kp == null ? null : kp.getPublic().getEncoded();
+
+            // Save generated keys to database
+            if (tempPrivateKey != null && tempPublicKey != null && MCollection.checkConnection()) {
+                try {
+                    String pemPrivateKey = "-----BEGIN PRIVATE KEY-----\n" +
+                            Base64.getEncoder().encodeToString(tempPrivateKey) + "\n" +
+                            "-----END PRIVATE KEY-----";
+
+                    String pemPublicKey = "-----BEGIN PUBLIC KEY-----\n" +
+                            Base64.getEncoder().encodeToString(tempPublicKey) + "\n" +
+                            "-----END PUBLIC KEY-----";
+
+                    int now = Context.now();
+                    Config.RSAKeyPairConfig newConfig = new Config.RSAKeyPairConfig(pemPrivateKey, pemPublicKey, now);
+                    ConfigsDao.instance.insertOne(newConfig);
+                } catch (Exception e) {
+                    e.printStackTrace();
+                }
+            }
         }
 
-        privateKey = kp == null ? null : kp.getPrivate().getEncoded();
-        publicKey = kp == null ? null : kp.getPublic().getEncoded();
+        privateKey = tempPrivateKey;
+        publicKey = tempPublicKey;
     }
 
     public static byte[] getPrivateKey() {

libs/utils/src/main/java/com/akto/utils/RSAKeyPairUtils.java

@@ -0,0 +1,81 @@
+package com.akto.utils;
+
+import java.util.Base64;
+
+import com.akto.dao.ConfigsDao;
+import com.akto.dto.Config;
+import com.akto.log.LoggerMaker;
+import com.akto.log.LoggerMaker.LogDb;
+import com.akto.util.Constants;
+
+import static com.akto.dto.Config.CONFIG_SALT;
+
+public class RSAKeyPairUtils {
+
+    private static final LoggerMaker logger = new LoggerMaker(RSAKeyPairUtils.class, LogDb.DASHBOARD);
+
+    public static byte[] parsePEMPrivateKey(String key) {
+        String pemKey = key;
+        byte[] decodedKey;
+
+        pemKey = pemKey.replace("-----BEGIN PRIVATE KEY-----","");
+        pemKey = pemKey.replace("-----END PRIVATE KEY-----","");
+        pemKey = pemKey.replace("\n","");
+
+        decodedKey = Base64.getDecoder().decode(pemKey);
+
+        return decodedKey;
+    }
+
+    public static byte[] parsePEMPublicKey(String key) {
+        String pemKey = key;
+        byte[] decodedKey;
+
+        pemKey = pemKey.replace("-----BEGIN PUBLIC KEY-----","");
+        pemKey = pemKey.replace("-----END PUBLIC KEY-----","");
+        pemKey = pemKey.replace("\n","");  
+
+        decodedKey = Base64.getDecoder().decode(pemKey);
+    
+        return decodedKey;
+    }
+
+    /**
+     * Fetches RSA key pair from database and returns them as byte arrays.
+     * Returns null if keys are not found or if an error occurs.
+     * This method is called from Constants static block.
+     *
+     * @return byte[][] array where [0] is private key and [1] is public key, or null if not found
+     */
+    public static byte[][] fetchKeysFromDb() {
+        logger.info("Fetching RSA keys from db");
+
+        try {
+            Config.RSAKeyPairConfig rsaKeyPairConfig = (Config.RSAKeyPairConfig) ConfigsDao.instance.findOne(Constants.ID, Config.ConfigType.RSA_KP.name() + CONFIG_SALT);
+
+            if (rsaKeyPairConfig != null) {
+                logger.info("Found RSA keys config in db");
+
+                String pemPrivateKey = rsaKeyPairConfig.getPrivateKey();
+                String pemPublicKey = rsaKeyPairConfig.getPublicKey();
+
+                if (pemPrivateKey == null || pemPublicKey == null) {
+                    logger.error("RSA keys not present in config");
+                    return null;
+                }
+
+                byte[] privateKey = RSAKeyPairUtils.parsePEMPrivateKey(pemPrivateKey);
+                byte[] publicKey = RSAKeyPairUtils.parsePEMPublicKey(pemPublicKey);
+
+                logger.info("Successfully fetched RSA keys from db");
+                return new byte[][] { privateKey, publicKey };
+            } else {
+                logger.info("RSA keys config not found in db");
+            }
+        } catch (Exception e) {
+            logger.error("Error while fetching RSA keys from db", e);
+        }
+
+        return null;
+    }
+}