Merge pull request #636 from akto-api-security/develop

Develop

apps/dashboard/web/src/apps/dashboard/views/settings/components/auth_types/AuthTypeDetails.vue

@@ -57,7 +57,7 @@
                 <v-row
                     style="padding: 12px 12px 12px 12px"
                 >
-                    <operator-component :operator="auth_type_copy.operator" :onlyEqual="true"/>
+                    <operator-component :operators="operators" :operator="auth_type_copy.operator" :onlyEqual="true"/>
                 </v-row>
             <v-row style="padding: 12px"  >
                     <conditions-table
@@ -102,6 +102,9 @@ export default {
         OperatorComponent,
     },
     data() {
+        var operators = [
+                "OR"
+            ]
         return {
             auth_type_copy: null,
             saveLoading: false,
@@ -113,6 +116,7 @@ export default {
                         return true
                     },
                 ],
+            operators
         }
     },
     methods: {

apps/testing/src/main/java/com/akto/rules/NoAuthTest.java

@@ -20,7 +20,7 @@ public class NoAuthTest extends AuthRequiredTestPlugin {
     public Result exec(ApiInfo.ApiInfoKey apiInfoKey, TestingUtil testingUtil, List<RawApi> filteredMessages) {
         RawApi rawApi = filteredMessages.get(0).copy();
 
-        OriginalHttpRequest testRequest = rawApi.getRequest();
+        OriginalHttpRequest testRequest = rawApi.getRequest().copy();
 
         testingUtil.getAuthMechanism().removeAuthFromRequest(testRequest);
 

apps/testing/src/main/java/com/akto/testing/TestExecutor.java

@@ -2,9 +2,11 @@
 
 import com.akto.DaoInit;
 import com.akto.dao.AuthMechanismsDao;
+import com.akto.dao.CustomAuthTypeDao;
 import com.akto.dao.context.Context;
 import com.akto.dao.testing.*;
 import com.akto.dto.ApiInfo;
+import com.akto.dto.CustomAuthType;
 import com.akto.dto.OriginalHttpRequest;
 import com.akto.dto.RawApi;
 import com.akto.dto.testing.*;
@@ -121,6 +123,35 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) {
         List<TestRoles> testRoles = SampleMessageStore.fetchTestRoles();
         AuthMechanism authMechanism = AuthMechanismsDao.instance.findOne(new BasicDBObject());
 
+        List<CustomAuthType> customAuthTypes = CustomAuthTypeDao.instance.findAll(CustomAuthType.ACTIVE,true);
+
+        List<AuthParam> authParams = authMechanism.getAuthParams();
+
+        Set<String> authParamKeys = new HashSet<>();
+
+        for (AuthParam authParam : authParams) {
+            authParamKeys.add(authParam.getKey());
+        }
+
+        for (CustomAuthType customAuthType : customAuthTypes) {
+            List<String> customAuthTypeHeaderKeys = customAuthType.getHeaderKeys();
+            for (String headerAuthKey: customAuthTypeHeaderKeys) {
+                if (authParamKeys.contains(headerAuthKey)) {
+                    continue;
+                }
+                authParams.add(new HardcodedAuthParam(AuthParam.Location.HEADER, headerAuthKey, null, true));
+            }
+            List<String> customAuthTypePayloadKeys = customAuthType.getPayloadKeys();
+            for (String payloadAuthKey: customAuthTypePayloadKeys) {
+                if (authParamKeys.contains(payloadAuthKey)) {
+                    continue;
+                }
+                authParams.add(new HardcodedAuthParam(AuthParam.Location.BODY, payloadAuthKey, null, true));
+            }
+        }
+
+        authMechanism.setAuthParams(authParams);
+
         TestingUtil testingUtil = new TestingUtil(authMechanism, sampleMessages, singleTypeInfoMap, testRoles);
 
         try {

libs/dao/src/main/java/com/akto/dto/testing/AuthMechanism.java

@@ -45,9 +45,9 @@ public boolean removeAuthFromRequest(OriginalHttpRequest request) {
     }
 
     public boolean authTokenPresent(OriginalHttpRequest request) {
-        boolean result = true;
+        boolean result = false;
         for (AuthParam authParamPair : authParams) {
-            result = result && authParamPair.authTokenPresent(request);
+            result = result || authParamPair.authTokenPresent(request);
         }
         return result;
     }

libs/dao/src/main/java/com/akto/dto/testing/AuthParam.java

@@ -13,6 +13,8 @@ public abstract class AuthParam {
 
     public abstract String getValue();
 
+    public abstract String getKey();
+
     public abstract void setValue(String value);
 
     public enum Location {

libs/dao/src/main/java/com/akto/util/JsonStringPayloadModifier.java

@@ -24,7 +24,11 @@ public static String jsonStringPayloadModifier(String data, String path, String
                 throw new Exception("key not found in request payload");
             }
 
-            ((ObjectNode) parentNode).put(keys[keys.length-1], newVal);
+            if (newVal == null || newVal == "null") {
+                ((ObjectNode) parentNode).remove(keys[keys.length-1]);
+            } else {
+                ((ObjectNode) parentNode).put(keys[keys.length-1], newVal);
+            }
             return origRequestNode.toString();
 
         } catch (Exception e) {

libs/dao/src/main/java/com/akto/util/TokenPayloadModifier.java

@@ -22,8 +22,11 @@ public static Boolean tokenPayloadModifier(OriginalHttpRequest request, String k
         else {
             Map<String, List<String>> headers = request.getHeaders();
             String k = key.toLowerCase().trim();
-            if (!headers.containsKey(k)) return false;
-            headers.put(k, Collections.singletonList(value));
+            if (value == null || value == "null") {
+                headers.remove(k);
+            } else {
+                headers.put(k, Collections.singletonList(value));
+            }
         }
         return true;
     }